[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]
FEDERAL IT SECURITY: A REVIEW OF H.R. 4791
=======================================================================
JOINT HEARING
before the
SUBCOMMITTEE ON INFORMATION POLICY,
CENSUS, AND NATIONAL ARCHIVES
and the
SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
ORGANIZATION, AND PROCUREMENT
of the
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED TENTH CONGRESS
SECOND SESSION
ON
H.R. 4791
TO AMEND TITLE 44, UNITED STATES CODE, TO STRENGTHEN REQUIREMENTS FOR
ENSURING THE EFFECTIVENESS OF INFORMATION SECURITY CONTROLS OVER
INFORMATION RESOURCES THAT SUPPORT FEDERAL OPERATIONS AND ASSETS, AND
FOR OTHER PURPOSES
__________
FEBRUARY 14, 2008
__________
Serial No. 110-72
__________
Printed for the use of the Committee on Oversight and Government Reform
Available via the World Wide Web: http://www.gpoaccess.gov/congress/
index.html
http://www.oversight.house.gov
U.S. GOVERNMENT PRINTING OFFICE
44-178 PDF WASHINGTON DC: 2008
---------------------------------------------------------------------
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512�091800
Fax: (202) 512�092104 Mail: Stop IDCC, Washington, DC 20402�090001
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
HENRY A. WAXMAN, California, Chairman
EDOLPHUS TOWNS, New York TOM DAVIS, Virginia
PAUL E. KANJORSKI, Pennsylvania DAN BURTON, Indiana
CAROLYN B. MALONEY, New York CHRISTOPHER SHAYS, Connecticut
ELIJAH E. CUMMINGS, Maryland JOHN M. McHUGH, New York
DENNIS J. KUCINICH, Ohio JOHN L. MICA, Florida
DANNY K. DAVIS, Illinois MARK E. SOUDER, Indiana
JOHN F. TIERNEY, Massachusetts TODD RUSSELL PLATTS, Pennsylvania
WM. LACY CLAY, Missouri CHRIS CANNON, Utah
DIANE E. WATSON, California JOHN J. DUNCAN, Jr., Tennessee
STEPHEN F. LYNCH, Massachusetts MICHAEL R. TURNER, Ohio
BRIAN HIGGINS, New York DARRELL E. ISSA, California
JOHN A. YARMUTH, Kentucky KENNY MARCHANT, Texas
BRUCE L. BRALEY, Iowa LYNN A. WESTMORELAND, Georgia
ELEANOR HOLMES NORTON, District of PATRICK T. McHENRY, North Carolina
Columbia VIRGINIA FOXX, North Carolina
BETTY McCOLLUM, Minnesota BRIAN P. BILBRAY, California
JIM COOPER, Tennessee BILL SALI, Idaho
CHRIS VAN HOLLEN, Maryland JIM JORDAN, Ohio
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
JOHN P. SARBANES, Maryland
PETER WELCH, Vermont
------ ------
Phil Schiliro, Chief of Staff
Phil Barnett, Staff Director
Earley Green, Chief Clerk
David Marin, Minority Staff Director
Subcommittee on Information Policy, Census, and National Archives
WM. LACY CLAY, Missouri, Chairman
PAUL E. KANJORSKI, Pennsylvania MICHAEL R. TURNER, Ohio
CAROLYN B. MALONEY, New York CHRIS CANNON, Utah
JOHN A. YARMUTH, Kentucky BILL SALI, Idaho
PAUL W. HODES, New Hampshire
Tony Haywood, Staff Director
Subcommittee on Government Management, Organization, and Procurement
EDOLPHUS TOWNS, New York, Chairman
PAUL E. KANJORSKI, Pennsylvania BRIAN P. BILBRAY, California
CHRISTOPHER S. MURPHY, Connecticut TODD RUSSELL PLATTS, Pennsylvania,
PETER WELCH, Vermont JOHN J. DUNCAN, Jr., Tennessee
CAROLYN B. MALONEY, New York
Michael McCarthy, Staff Director
C O N T E N T S
----------
Page
Hearing held on February 14, 2008................................ 1
Text of H.R. 4791................................................ 5
Statement of:
Evans, Karen S., Administrator for Electronic Government and
Information Technology, Office of Management and Budget;
Gregory C. Wilshusen, Director, Information Security
Issues, Government Accountability Office; Alan Paller,
director of research, the Sans Institute; Bruce W.
McConnell, president, McConnell International, LLC; and Tim
Bennett, president, Cyber Security Industry Alliance....... 23
Bennett, Tim............................................. 93
Evans, Karen S........................................... 23
McConnell, Bruce W....................................... 82
Paller, Alan............................................. 65
Wilshusen, Gregory C..................................... 33
Letters, statements, etc., submitted for the record by:
Bennett, Tim, president, Cyber Security Industry Alliance,
prepared statement of...................................... 96
Clay, Hon. Wm. Lacy, a Representative in Congress from the
State of Missouri, prepared statement of................... 3
Davis, Hon. Tom, a Representative in Congress from the State
of Virginia:
Letter dated July 27, 2007............................... 104
Prepared statement of.................................... 108
Evans, Karen S., Administrator for Electronic Government and
Information Technology, Office of Management and Budget,
prepared statement of...................................... 26
McConnell, Bruce W., president, McConnell International, LLC,
prepared statement of...................................... 84
Paller, Alan, director of research, the Sans Institute,
prepared statement of...................................... 67
Wilshusen, Gregory C., Director, Information Security Issues,
Government Accountability Office, prepared statement of.... 35
FEDERAL IT SECURITY: A REVIEW OF H.R. 4791
----------
THURSDAY, FEBRUARY 14, 2008
House of Representatives, Subcommittee on
Information Policy, Census, and National
Archives, joint with the Subcommittee on
Government Management, Organization, and
Procurement, Committee on Oversight and
Government Reform,
Washington, DC.
The subcommittees met, pursuant to notice, at 11:30 a.m.,
in room 2154, Rayburn House Office Building, Hon. Wm. Lacy Clay
(chairman of the Subcommittee on Information Policy, Census,
and National Archives) presiding.
Present: Representatives Clay, Davis of Virginia, and
Platts.
Staff present from the Information Policy, Census, and
National Archives Subcommittee: Darryl Piggee, staff director/
counsel; Jean Gosa, clerk; and Adam Bordes, professional staff
member.
Staff present from the Government Management, Organization,
and Procurement Subcommittee: Mike McCarthy, staff director;
Velvet Johnson, counsel; Bill Jusino, professional staff
member; and Kwane Drabo, clerk.
Mr. Clay. Good morning. This hearing of the Oversight and
Government Reform Committee is being held this morning by the
Information Policy, Census, and National Archives Subcommittee,
which I chair, and the Subcommittee on Government Management,
Organization, and Procurement, chaired by Congressman Ed Towns
of New York, who is under the weather this week and is not in
town. But we will proceed without Mr. Towns.
This hearing will now come to order. Today's hearing will
examine the important topic of Federal information security.
Our subcommittees are holding this hearing because security is
both a management and technology challenge.
Without objection, the Chair and ranking minority member
will have 5 minutes to make opening statements, followed by
opening statements not to exceed 3 minutes by other Members who
wish to seek recognition.
Without objection, Members and witnesses may have 5
legislative days to submit a written statement or extraneous
materials for the record.
Briefly, I would like to discuss some of the challenges
that I see, and then I will yield to anyone else that shows up
for comments.
Let me say that today's joint subcommittee hearing on the
Current State of Federal Information Security and Legislation
to Strengthen the Federal Information Security Management Act,
I am especially pleased to be teaming up with the Subcommittee
on Government Management, Organization, and Procurement,
chaired by Mr. Towns, for this critical issue.
For fiscal year 2009, the President's budget proposes
spending of roughly $70 billion on information technology
products alone. Yet according to OMB's 2006 FISMA report to
Congress, agency efforts to implement effective information
security programs are inconsistent throughout Government. These
problems go beyond isolated data breaches and have exposed
systemic information security vulnerabilities that have gone
unmitigated by our agencies and the IT contracting community
that serves them.
Having experienced 5 years of detailed OMB reporting
through the FISMA process, I am certain that some real progress
has been made in securing our agencies' IT assets. What I am
unsure of, however, is whether our current requirements and OMB
policies under FISMA are providing us enough tools to effective
identify the inherent vulnerabilities in our systems, now or in
the future.
With this in mind, I, along with Chairman Towns and
Chairman Waxman, have put forward a bill that would move us
toward more rigid security requirements for agency systems
while staying with in the current FISMA framework. Furthermore,
our bill will add consistency and robustness to the current
program performance evaluation process by requiring an annual
audit of agency programs. Last, this legislation begins to
recognize the duty of care responsibilities that must be shared
between both Federal agencies and the contracts providing
services to them.
As technology evolves and the perimeters of IT enterprises
expand, we must have a flexible security framework to harness
such advances while ensuring that our networks remain secure. I
am hopeful that our witnesses today will be ale to address
these issues through the context of their experiences, and I
look forward to their testimony.
[The prepared statement of Hon. Wm. Lacy Clay and the text
of H.R. 4791 follow:]
[GRAPHIC] [TIFF OMITTED] T4178.001
[GRAPHIC] [TIFF OMITTED] T4178.002
[GRAPHIC] [TIFF OMITTED] T4178.003
[GRAPHIC] [TIFF OMITTED] T4178.004
[GRAPHIC] [TIFF OMITTED] T4178.005
[GRAPHIC] [TIFF OMITTED] T4178.006
[GRAPHIC] [TIFF OMITTED] T4178.007
[GRAPHIC] [TIFF OMITTED] T4178.008
[GRAPHIC] [TIFF OMITTED] T4178.009
[GRAPHIC] [TIFF OMITTED] T4178.010
[GRAPHIC] [TIFF OMITTED] T4178.011
[GRAPHIC] [TIFF OMITTED] T4178.012
[GRAPHIC] [TIFF OMITTED] T4178.013
[GRAPHIC] [TIFF OMITTED] T4178.014
[GRAPHIC] [TIFF OMITTED] T4178.015
[GRAPHIC] [TIFF OMITTED] T4178.016
[GRAPHIC] [TIFF OMITTED] T4178.017
[GRAPHIC] [TIFF OMITTED] T4178.018
[GRAPHIC] [TIFF OMITTED] T4178.019
[GRAPHIC] [TIFF OMITTED] T4178.020
Mr. Clay. We will now receive testimony from the witnesses
before us today. On today's panel, the subcommittees are
pleased to have the following witnesses: Karen Evans,
Administrator for the Office of E-Government and Information
Technology. Ms. Evans is an experienced IT professional and
leads the administration's programs on information security.
Welcome back to the committee, Ms. Evans.
We also have Greg Wilshusen, Director for Information
Security Issues at the Government Accountability Office. Mr.
Wilshusen is also a long-time expert and has testified on this
topic before the Information Policy Subcommittee several times.
Thank you for being here.
Alan Paller is the director of research at the SANS
Institute and is responsible for overseeing all research
projects. Mr. Paller founded the CIO Institute and earned
degrees in computer science and engineering from Cornell and
MIT. Welcome to the committee hearing.
Bruce McConnell, the president and founder of McConnell
International. Prior to his current position, Mr. McConnell was
chief of information and technology policy at the White House
Office of Management and Budget, where he led several IT and
security initiatives. Thank you for being here, too, Mr.
McConnell.
Rounding us out is Tim Bennett, president of Cyber Security
Industry Alliance. Mr. Bennett served as the vice VP of the
American Electronics Association and worked in senior roles
within the Office of the U.S. Trade. Thank you also, Mr.
Bennett, for coming today.
I thank all of you for appearing before the subcommittee.
It is the policy of the committee to swear in all witnesses
before they testify, so I will ask you to please rise and raise
your right hands.
[Witnesses sworn.]
Mr. Clay. Thank you, and let the record reflect that the
witnesses answered in the affirmative.
I ask that each witness now give a brief summary of their
testimony and to keep the summary under 5 minutes in duration.
Bear in mind your complete written statement will be included
in the hearing record. I will let you know if you go over the
5. We will start with Ms. Evans. You may proceed.
STATEMENTS OF KAREN S. EVANS, ADMINISTRATOR FOR ELECTRONIC
GOVERNMENT AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND
BUDGET; GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION SECURITY
ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE; ALAN PALLER, DIRECTOR
OF RESEARCH, THE SANS INSTITUTE; BRUCE W. MCCONNELL, PRESIDENT,
MCCONNELL INTERNATIONAL, LLC; AND TIM BENNETT, PRESIDENT, CYBER
SECURITY INDUSTRY ALLIANCE
STATEMENT OF KAREN S. EVANS
Ms. Evans. Good morning, Chairman Clay. Thank you for
inviting me to speak about the status of the Federal
Government's efforts to safeguard our information and systems.
My remarks today will highlight a few of the initiatives
underway to manage the risk associated with our Government
services in this ever-changing IT environment. The details are
included in my written statement. I will conclude with our
thoughts on your proposed bill, H.R. 4791.
Information security and privacy are extremely important
issues for the administration. On March 1st, the Office of
Management and Budget [OMB], will provide our fifth annual
report to Congress on the implementation of the Federal
Information Security Management Act [FISMA], which will detail
our improvements and remaining weaknesses for both security and
privacy.
Over the past year, departments and agencies continue to
improve their security programs, manage their risks and become
more fully compliant with FISMA. To enhance information
security programs, OMB continues to use the oversight
mechanisms to improve performance, including the President's
management agenda score card and the agencies' capital planning
processes. We are also engaging agencies in a variety of
information security and privacy initiatives to close any
remaining performance gaps.
Over the past year, in collaboration with the National
Institute for Standards and Technology [NIST], the Department
of Defense, the National Security Agency, and Microsoft, we
have developed a set of information security controls to be
implemented on all Federal desktops, which are running
Microsoft Windows XP or Vista, known as the Federal Desktop
Core Configuration [FDCC]. By implementing a common
configuration, we are gaining better control of our Federal
desktops, allowing for closer monitoring and correction of
potential vulnerabilities. We are also working with the vendor
community to make their applications safer.
NIST has developed testing tools for use both by the
Federal agencies and the vendors and three independent
laboratories have been accredited by NIST's National Voluntary
Laboratory Accreditation Program, to provide the validation
testing. We are very optimistic this program will greatly
enhance the security of our Federal desktops and applications.
To help agency procurement officers with the validation
requirement, we are working with the Federal Acquisition
Council to incorporate language into the Federal Acquisition
Register. Agencies connect to the internet to develop timely
information and to deliver services to the public. However, our
Government systems are continuously operating under increasing
levels of risk. Through the Trusted Internet Connections
Initiative, we are working with agencies to reduce the overall
number of external Federal connections to manage risk in a more
cost-effective and efficient manner, while providing better
awareness of our environment. Agencies turned in plans of
action and milestones to fully optimize agency connections with
a target completion date of June 2008.
Recently, we provided the opportunity for all departments
and agencies to review the proposed legislation, H.R. 4791. The
bill contains several provisions which aim to enhance the
protection of Federal information and personally identifiable
information, as well as several provisions that propose changes
to FISMA. While we strongly support enhancing protections for
such information, we share several concerns expressed across
the Federal agencies about the effect of this legislation.
The administration believes the foundation and the
framework established by FISMA is sound and also believes there
is still much we can accomplish to improve the security and
manage the risk associated with our information and information
services. Nonetheless, we are concerned with the unintended
consequences of the proposed change which would seriously
impact established agency security and privacy practices, while
not necessarily achieving the outcomes of improved privacy or
security.
While we understand technologies which are improperly
implemented introduce increased risk, we recommend any
potential changes to the statute be technology-neutral. We
recognize that the IT landscape is ever-changing. As we deploy
common, Government-wide solutions, departments and agencies
increasingly are requiring services instead of procuring
infrastructure.
We welcome the opportunity to further discuss potential
gaps which may need to be addressed through future FISMA
enhancements if appropriate. We look forward to discussing our
ongoing information security and privacy activities in greater
detail. We feel our current activities and initiatives as
included in my written statement already are beginning to close
performance gaps H.R. 4791 attempts to address.
I would be happy to answer questions at the appropriate
time.
[The prepared statement of Ms. Evans follows:]
[GRAPHIC] [TIFF OMITTED] T4178.021
[GRAPHIC] [TIFF OMITTED] T4178.022
[GRAPHIC] [TIFF OMITTED] T4178.023
[GRAPHIC] [TIFF OMITTED] T4178.024
[GRAPHIC] [TIFF OMITTED] T4178.025
[GRAPHIC] [TIFF OMITTED] T4178.026
[GRAPHIC] [TIFF OMITTED] T4178.027
Mr. Clay. Thank you, Ms. Evans.
Mr. Wilshusen, you may proceed.
STATEMENT OF GREGORY C. WILSHUSEN
Mr. Wilshusen. Mr. Chairman, I am pleased to be here today
to testify on FISMA and the state of Federal information
security. Rarely has the need for the Federal Government to
implement effective controls over its information systems and
information been more important. Virtually all Federal
operations are supported by automated systems and electronic
information, and agencies would find it difficult, if not
impossible, to carry out their missions and account for their
resources without them.
At the same time, Federal systems and critical
infrastructures are increasingly being targeted for
exploitation by a growing array of adversaries, including
criminal groups, foreign nation states, hackers, terrorists and
disgruntled insiders. Thus, it is imperative that agencies
safeguard their systems to protect against such risks as loss
or theft to resources, disclosure or modification of sensitive
information, including national security, law enforcement,
proprietary business and personally identifiable information
and disruption of critical operations.
Today, I will summarize agency progress in performing key
information security control activities, the effectiveness of
information security at Federal agencies, and opportunities to
strengthen security. In fiscal year 2007, the Federal
Government reported improved security performance relative to
key performance metrics established by OMB for FISMA reporting.
For example, the percentage of certified and accredited systems
Government-wide reportedly increased from 88 percent to 92
percent. These gains continue a historical trend that we
reported on last year.
Despite reported progress, 20 of 24 major Federal agencies
continue to experience significant information security control
deficiencies. Most agencies did not implement controls to
sufficiently prevent, limit or detect access to computer
networks, systems or information. Moreover, agencies do not
always configure network devices to prevent unauthorized access
and ensure system integrity, patch key servers and workstations
in a timely manner, and maintain complete continuity of
operations plans for key information systems.
An underlying cause for these weaknesses is that agencies
have not fully or effectively implemented the agency-wide
information security programs required by FISMA. As a result,
Federal systems and information are at increased risk of
unauthorized access to and disclosure, modification or
destruction of sensitive information as well as the inadvertent
or deliberate disruption of system operations and services.
Such risks are illustrated in part by an increasing number of
security incidents reported by Federal agencies.
Nevertheless, opportunities exist to bolster information
security. Federal agencies could implement the hundreds of
recommendations made by GAO and agency IGs to resolve
previously reported control deficiencies and information
security program shortfalls.
In addition, OMB and other Federal agencies have initiated
several Government-wide initiatives that are intended to
improve security over Federal systems and information. For
example, OMB has established an information systems security
line of business to share common processes and functions for
managing information system security across Federal agencies,
and it has directed agencies to adopt the security
configurations developed by NIST, DOD and DHS for certain
Windows operating systems. Consideration could also be given to
enhancing policies and practices related to security control
testing and evaluation, FISMA reporting and the independent
annual evaluations of agency information security programs
required by FISMA.
In summary, although Federal agencies report performing key
control activities on an increasing percentage of their
systems, persistent weaknesses in agency information security
continues to threaten the confidentiality, integrity and
availability of Federal systems and information. Until Federal
agencies resolve their significant deficiencies and implement
effective security programs, their systems and information will
remain at undue and unnecessary risk.
Mr. Chairman, this concludes my statement. I would be happy
to answer your questions.
[The prepared statement of Mr. Wilshusen follows:]
[GRAPHIC] [TIFF OMITTED] T4178.028
[GRAPHIC] [TIFF OMITTED] T4178.029
[GRAPHIC] [TIFF OMITTED] T4178.030
[GRAPHIC] [TIFF OMITTED] T4178.031
[GRAPHIC] [TIFF OMITTED] T4178.032
[GRAPHIC] [TIFF OMITTED] T4178.033
[GRAPHIC] [TIFF OMITTED] T4178.034
[GRAPHIC] [TIFF OMITTED] T4178.035
[GRAPHIC] [TIFF OMITTED] T4178.036
[GRAPHIC] [TIFF OMITTED] T4178.037
[GRAPHIC] [TIFF OMITTED] T4178.038
[GRAPHIC] [TIFF OMITTED] T4178.039
[GRAPHIC] [TIFF OMITTED] T4178.040
[GRAPHIC] [TIFF OMITTED] T4178.041
[GRAPHIC] [TIFF OMITTED] T4178.042
[GRAPHIC] [TIFF OMITTED] T4178.043
[GRAPHIC] [TIFF OMITTED] T4178.044
[GRAPHIC] [TIFF OMITTED] T4178.045
[GRAPHIC] [TIFF OMITTED] T4178.046
[GRAPHIC] [TIFF OMITTED] T4178.047
[GRAPHIC] [TIFF OMITTED] T4178.048
[GRAPHIC] [TIFF OMITTED] T4178.049
[GRAPHIC] [TIFF OMITTED] T4178.050
[GRAPHIC] [TIFF OMITTED] T4178.051
[GRAPHIC] [TIFF OMITTED] T4178.052
[GRAPHIC] [TIFF OMITTED] T4178.053
[GRAPHIC] [TIFF OMITTED] T4178.054
[GRAPHIC] [TIFF OMITTED] T4178.055
[GRAPHIC] [TIFF OMITTED] T4178.056
[GRAPHIC] [TIFF OMITTED] T4178.057
Mr. Clay. Thank you so much, Mr. Wilshusen.
Mr. Paller.
STATEMENT OF ALAN PALLER
Mr. Paller. Thank you, and thank you for having me.
I have been to St. Louis a bunch of times, first with
McDonnell Douglas and later with Boeing. It is a wonderful,
high-tech city.
Mr. Clay. Thank you so much.
Mr. Paller. It is very impressive. Actually, what we are
talking about today directly affects Boeing, too, so it is not
just a Federal discussion because of the change that our other
witnesses mentioned.
I am just going to tell you a couple of stories. First of
all, I am the research director at SANS, so we have about
68,000 people who are alumni who actually run security at most
large organizations. Their job is almost completely impossible.
It just isn't out in the public, but we are losing this war
against cyber-crime at an accelerating rate, meaning we are
falling farther behind every week.
What we are talking about today actually will make a
difference. It is not something nice to do for Federal
agencies, it actually is a major war, it is involving
espionage, it is involving a lot of things that deserve to be
treated with more attention. I am here actually with the hope
that you can do that by making the Federal Government lead by
example. So where the Federal Government uses its procurement,
you mentioned in your opening statement $70 billion, that is
enough to do an amazing amount of good in security. You don't
actually spend the money on security, you use the leverage of
the Federal procurement to make the change.
Just to clarify how FISMA became a compliance exercise
instead of a security exercise, it wasn't the way the law was
intended. It actually was a mistake that was made in GISRA
before it became FISMA, the original law that got changed, it
was written in the Senate and got changed into FISMA. What
happened was that NIST wrote a catalog of things that every
agency had to do. They don't even call it a road map or a blue
print. They wrote a catalog. And then the IGs and others said,
well, now you have to do everything in the catalog. And the
problem is, if you had a catalog of things your kids had to do,
and one of them was finish their homework and another one was
check on the dog, but they were graded on how many things they
did, they are going to do all the check on the dogs quick,
because the do your homework is hard. And that is what happened
with FISMA, because they got graded on how many things they did
instead of the important things.
So the leaders are smart, you guys, between Karen and the
Hill, you guys made it impossible for them not to do
everything. They got Fs on all their report cards. And because
of that, they are smart enough to know, they have to get you
off their back. So the CIO said, I don't care what you need to
do for security, you have to get those reports done, because I
have to go see Clay Johnson in the White House and he is going
to--well, what they said isn't public. But he will do bad
things to me if I don't get all my systems certified.
So the key change, it is a very small change, I have
provided your staff with some language that might be better, it
will be made better by your people. But the key change is to
prioritize. If homework is more important than checking on the
dog, don't say you are going to do these 500 things, say, do
your homework. Then if you get your homework done, then do
these other things and we will give you bonuses for the other
things. But let's make sure we prioritize the actions.
That is what the companies that do security well do. It is
all attack-based. They find out where the attacks are coming
in, then make sure their defenses can stop those attacks. We
don't do that in the Federal Government. So I put all that in
the statement.
I want to tell you one more story, because it is a ``Karen
is a hero'' story, and it is really quite a good story. It is
the other half of what you can do. John Gilligan was the CIO at
the Air Force, he got up in front of 200 people and said, we
can't secure our Windows boxes. In fact, we spend more money to
clean up after the mess than we do to buy this stuff in the
first place, and I am going to change that. He took $500
million over 7 years, so it is not much per year. That is
relative to your $70 billion you are talking about. This is the
example of how your money makes a difference, $500 million over
7 years.
He said to Microsoft, hey, we want you to configure the
system securely when you sell it to us instead of selling it to
us open and making every one of our people try to do it after
we buy it. And he got it done. Over 400,000 systems now are out
of the box secure. The key is, they just reported this, they
cut the patching time from 7 weeks to 3 days. And all the
attacks come out in the first few days. So if you don't get it
done fast, you might as well not patch at all. And they saved
tens of millions of dollars. It is the only example where you
save money and you improve security. It is what you can do with
the leverage you have in your money.
So I am happy to answer questions about any of this. Thank
you for letting me come.
[The prepared statement of Mr. Paller follows:]
[GRAPHIC] [TIFF OMITTED] T4178.058
[GRAPHIC] [TIFF OMITTED] T4178.059
[GRAPHIC] [TIFF OMITTED] T4178.060
[GRAPHIC] [TIFF OMITTED] T4178.061
[GRAPHIC] [TIFF OMITTED] T4178.062
[GRAPHIC] [TIFF OMITTED] T4178.063
[GRAPHIC] [TIFF OMITTED] T4178.064
[GRAPHIC] [TIFF OMITTED] T4178.065
[GRAPHIC] [TIFF OMITTED] T4178.066
[GRAPHIC] [TIFF OMITTED] T4178.067
[GRAPHIC] [TIFF OMITTED] T4178.068
[GRAPHIC] [TIFF OMITTED] T4178.069
[GRAPHIC] [TIFF OMITTED] T4178.070
[GRAPHIC] [TIFF OMITTED] T4178.071
[GRAPHIC] [TIFF OMITTED] T4178.072
Mr. Clay. Thank you so much for that enlightening report.
Mr. McConnell.
STATEMENT OF BRUCE W. MCCONNELL
Mr. McConnell. Thank you, Mr. Chairman and members of the
subcommittees for the privilege and opportunity to testify
today on Federal information security.
The jurisdiction of this committee is so broad and its work
is so important to the critical functioning of our Federal
Government, it is a real pleasure.
I am here today bringing you the perspective of 20 years of
work in information policy and technology, including 15 years
at OMB, serving 3 Presidents. I am also on a commission for
cyber security for the 44th Presidency, which has been co-
chaired by Congressman Jim Langevin and Congressman Michael
McCaul. I am not speaking on behalf of that commission.
You asked in your invitation that I provide policy
recommendations for potential legislative consideration and to
comment on the state of FISMA compliance and the provisions of
H.R. 4791. I have done that in my written statement.
But in my oral remarks, I wish to focus in on what I
consider to be the most significant development in Federal
information security in many years. My analysis is based solely
on information that is in the public domain.
On January 8th, President Bush issued a new National
Security Homeland Security directive. This order establishes a
comprehensive national cyber-security initiative. The issuance
of this national security order shows that information security
is receiving serious attention at the highest levels of the
executive branch. I believe this is good news.
The so-called Cyber Initiative recognizes the serious
threats to the Nation's information infrastructure coming from
State and non-State actors, including sophisticated criminals.
It lays out the need to take proactive measures in cyberspace
to detect and prevent intrusions from whatever source in real
time before they can do significant damage. These tenets are
important, and while the details are not yet public, they
clearly include an increased role for the intelligence
community, in particular the National Security Agency [NSA], in
protecting Federal systems.
Let me explain why I believe this expanded NSA role is
germane to this committee's work. The Cyber Initiative relates
directly to two statutes under your jurisdiction: FISMA and the
Privacy Act. When this committee wrote FISMA's predecessor, the
Computer Security Act of 1987, you vested the National
Institute of Standards and Technology [NIST], with primary
authority in the security of civilian agency information
systems. You also explicitly limited the role of NSA with
respect to civilian agency systems. There were several reasons
for this differentiation of responsibilities.
Foremost in the mind of Congress was the potential chilling
effect on the free flow of information between Government and
the public, including the information technology industry, if a
military agency became too closely involved with civilian
agency systems. As the committee's report in 1987 notes,
``Since it is a natural tendency of DOD to restrict access to
information through the classification process, it would be
almost impossible for the Department to strike an objective
balance between the need to safeguard information and the need
to maintain the free exchange of information.''
Civilian agency missions, such as those at the Census
Bureau, the Internal Revenue Service and the Centers for
Medicare and Medicaid Services, depend on the trust of the
American people to operate successfully. These missions require
the free and efficient flow of information to and from the
public in order to deliver important public benefits and
programs.
In addition to the potential chilling effect on information
flows, the statute also reflected potential concerns about
privacy and civil liberties. This statutory framework
separating civilian and military systems has been confirmed and
strengthened three times in the last two decades.
Now, Mr. Chairman, it may be that the world has changed so
much that this historic distinction between civilian agency
systems and national security systems no longer serves the
Nation's interest. Certainly the current computer security
regime in Government is not working adequately. There is a big
gap between what the agencies need and what they are getting.
The gap extends beyond Government systems to the U.S.
information infrastructure.
Therefore, there is a substantial argument that you need to
put resources from the intelligence community against this
problem, because that is where the most resources are on the
Federal side. Of course, there is also substantial resources in
the private sector in this area.
So what is really needed is a partnership of trust between
the Government and the private sector to address the Nation's
information security needs. Many of the information security
professionals I talk to suggest that this trust is at a
relatively low point in our history and it needs to be
strengthened if we are going to be able to address this
critical issue. We need to determine who in the Government can
most effectively foster trust and cooperation with industry and
with the American people.
So I encourage the committee to look at these roles and
responsibilities in the context of FISMA and the Privacy Act.
Thank you, sir.
[The prepared statement of Mr. McConnell follows:]
[GRAPHIC] [TIFF OMITTED] T4178.073
[GRAPHIC] [TIFF OMITTED] T4178.074
[GRAPHIC] [TIFF OMITTED] T4178.075
[GRAPHIC] [TIFF OMITTED] T4178.076
[GRAPHIC] [TIFF OMITTED] T4178.077
[GRAPHIC] [TIFF OMITTED] T4178.078
[GRAPHIC] [TIFF OMITTED] T4178.079
[GRAPHIC] [TIFF OMITTED] T4178.080
[GRAPHIC] [TIFF OMITTED] T4178.081
Mr. Clay. Thank you so much, Mr. McConnell. Our final
witness will be Mr. Bennett. Mr. Bennett, you may proceed.
STATEMENT OF TIM BENNETT
Mr. Bennett. Thank you, Mr. Chairman, Congressman Davis.
Thank you for the opportunity to share the views of the Cyber
Security Industry Alliance on improvements in FISMA.
CSIA is a group of leading security technology vendors that
are dedicated to ensuring the privacy, reliability and
integrity of information systems through public policy,
technology, education and awareness. It is our belief that a
comprehensive approach for enhancing the security and
resilience of information systems is fundamental to economic
security.
Mr. Clay. Excuse me, Mr. Bennett, is your microphone on?
Mr. Bennett. Allow me to commend this subcommittee and its
parent committee for the sustained attention that has been
given in recent years to the critical objective of
strengthening information security within the Federal
Government. As we have painfully learned and heard from a
couple of the other witnesses this morning, Federal systems are
frequently vulnerable to cyber attacks, and the oversight of
this subcommittee and full committee are an important element
in holding Federal agencies accountable for improved
information security as well as highlighting ongoing challenges
and vulnerabilities.
The 110th Congress now has an important opportunity to
amend FISMA to improve the information security climate at our
Federal Government agencies. Even though the last few years
have yielded a number of successes, there are certain
weaknesses in our Government's critical infrastructure which
still urgently need to be addressed.
It has become clear that the infiltration of Federal
Government networks and the possible theft and/or exploitation
of information are among the most critical issues confronting
our Federal Government. While progress has been made, much work
remains to be done in order to truly secure our Government's IT
infrastructure.
FISMA has been fairly successful at getting agencies in
general to pay closer attention to their information security
obligations. Before FISMA, information security was not a top
priority at Federal agencies. FISMA has been successful in
raising awareness of information security in the agencies and
also in Congress.
However, Federal agencies scored an average grade of C
minus in 2007's Information Security Report Card. Some argue
that FISMA does not adequate measure information security. A
high FISMA grade doesn't mean the agency is secure and vice
versa. That is because FISMA grades reflect compliance with
mandated processes. They do not measure how much these
processes have actually increased information security.
In particular, the selection of information security
controls is subjective and not consistent across Federal
agencies. Agencies determine on their own what level of risk is
acceptable for a given system. They can then implement the
corresponding controls, certify and accredit them and thus be
compliant and receive a high grade regardless of the level of
risk they have deemed acceptable.
Certainly we want to avoid a check the box mentality and
don't want FISMA to be reduced to a largely paperwork drill
among the departments and agencies, consuming an inordinate
amount of resources for reporting progress while yielding few
genuine security improvements. Unfortunately, in some cases,
that is what it has become.
Some Federal agency chief information security officers are
measured on their compliance scores with FISMA, not on whether
they have adequately assessed risk in their respective agency
or prevented breaches of sensitive information. Instead, we
want agencies to actively protect their systems instead of just
reacting to the latest threat with patches and other responses.
With the benefit of 5 years' experience under FISMA and several
insightful reports by the U.S. Government Accountability
Office, it is now possible to identify possible improvements
that can address those weaknesses in FISMA implementation that
have now become apparent.
With global attacks on data networks increasing at an
alarming rate and in a more organized and sophisticated manner,
there is precious little time to lose. Faced with this urgent
need, we applaud the bill that you have introduced, H.R. 4791.
We strongly support this bill. It would undertake the important
step of codifying many of the recommended steps that OMB took
in a series of memos to Federal agencies after a series of
significant data breaches in recent years. The legislation
provides much-needed common sense obligations to require
agencies to develop policies and plans to identify and protect
personal information, develop requirements for reporting data
breaches and report to Congress a summary of information
security breaches reported by Federal agencies.
We recommend that the proposed legislation also include
language requiring that data breaches of information systems
maintained by contractors and other sources working on Federal
projects be promptly notified to the Secretary and the CIO of
the contracting agency. Federal contractors are responsible for
many of the data breaches that agencies reported. CSIA believes
that it is important to reaffirm that FISMA applies to Federal
contractors.
We also commend the chairman for having the insight to
incorporate language into this legislation requiring that
Federal Government agencies encrypt or make unusable and
unreadable personal data and to establish minimum requirements
for protection of information or mobile devices. H.R. 4791 also
prudently establishes security requirements for peer-to-peer
networks. We believe that agencies should be required to
develop a plan to protect against the risks of peer-to-peer
networks and provide detailed technology and the policy
procedures they should take.
To assist further consideration of this bill, we offer
additional recommendations. One, align responsibilities and
authorities to vest the CIO and CISO with specific power over
information security. The current authority of agency CIOs to
ensure should be the power to enforce cost effective measures
of security.
Two, require improvements to assessment, continuous
monitoring and remediation in order to develop a comprehensive
approach to information systems security. Three, mandate
preparation of the complete inventory of all Federal agency IT
assets by a certain date. Four, improvement performance
measurement and provide incentives to agencies that give
information security a high priority. Five, institutionalize
security within Federal agency culture. Six, increase Federal
agency IT security funding. Seven, reaffirm objective
assessments of commercially available information technologies.
And eight, narrow the scope of the privacy definition provided
for in the proposed legislation.
In closing, I commend the subcommittee for highlighting the
importance of information security, for examining how we can
improve FISMA and Federal agency information security practices
going forward. The overriding objective should be to move
Federal agencies to act in a manner that equates strong
information security practices with overall mission
accomplishment. We all know what is at stake.
Thank you, Mr. Chairman.
[The prepared statement of Mr. Bennett follows:]
[GRAPHIC] [TIFF OMITTED] T4178.082
[GRAPHIC] [TIFF OMITTED] T4178.083
[GRAPHIC] [TIFF OMITTED] T4178.084
[GRAPHIC] [TIFF OMITTED] T4178.085
[GRAPHIC] [TIFF OMITTED] T4178.086
[GRAPHIC] [TIFF OMITTED] T4178.087
Mr. Clay. Thank you, Mr. Bennett. I thank the entire panel
for their testimony today.
Now we will proceed under the 5-minute rule to questions
for the panel. I will recognize the ranking minority member of
the full committee, from Virginia, my good friend, Tom Davis.
Mr. Davis.
Mr. Davis of Virginia. Thank you, Chairman Clay. I want to
thank you for holding this important hearing.
We are here to talk about information security from the
Federal perspective. But these are issues and challenges we
face at all levels of Government and even as individuals.
Secure information is the lifeblood of effective Government
policymaking, good program management and a thriving economy.
Protecting that information has to be a priority, not an after-
thought.
The evolving nature of cyber threats requires constant
vigilance. The Federal Government's information security
program should be proactive, not reactive. If we keep chasing
yesterday's problems, we will never be able to stop tomorrow's
sophisticated challenges.
When it comes to information security, all it takes is one
weak link to break the data chain. One successful cyber attack
could strike a stunning blow to an agency's operations and
damage citizens' trust in electronic Government initiatives.
Continued vulnerability puts personal information at risk.
The loss of Blackberry service a few days ago reminded us of
our dependence on IT, how difficult it is for us to function
without it, and how fragile some key systems remain.
One of the best ways to defend against attacks is to have a
strong and yet a very flexible protection policy in place, not
overly prescriptive. We want agencies to active protect their
systems, instead of simply reacting to the latest threat with
patches and other responses.
On the Government Reform Committee, I focused on
Government-wide information management and security for many
years. The Privacy Act and the E-Government Act of 2002
outlined the parameters for the protection of personal
information and the Federal Information Security Management Act
[FISMA], requires each agency to create a comprehensive risk-
based approach to agency-wide information security management
through preparedness, evaluation and reporting requirements. It
is intended to make security management an integral part of an
agency's operation and to ensure that we are actively using
best practices to secure our systems.
Certainly, FISMA has its critics. We have heard from some
of them today. But I think we also will hear that it still
provides the necessary tools to secure our information, and has
made information security a priority mention at agencies. We
want to avoid that check the box mentality that has been
criticized, and we need to incentivize strong information
protection policies. We need to pursue a goal of security
rather than compliance.
Nearly 5 years after FISMA was enacted, there is always the
risk of complacency. The basic FISMA concept and process
remains sound. But we should ask if we can make it better. I
think we can.
As a start, I introduced legislation requiring timely
notice be provided to individuals whose sensitive personal
information could be compromised by a breach of data security
at a Federal agency. Despite the volume of sensitive
information held by agencies, there is no current requirement
for citizens to be notified if their information is
compromised. This legislation passed the House during the 109th
Congress. I continue to urge Chairman Waxman to make it a
priority this year. I would ask that the two letters I have
sent to Chairman Waxman be included in the record, Mr.
Chairman.
Mr. Clay. Without objection, so ordered.
[The information referred to follows:]
[GRAPHIC] [TIFF OMITTED] T4178.088
[GRAPHIC] [TIFF OMITTED] T4178.089
[GRAPHIC] [TIFF OMITTED] T4178.090
Mr. Davis of Virginia. Each year, I have released Federal
Agencies Information Security score cards. Despite some
improvements, scores for many departments remain unacceptably
low. By the way, a lot of the scoring is done by GAO and OMB.
It is not just done by our whim.
The Federal Government overall received a C minus, a slight
improvement over prior years. I know some don't like to be
graded. I have actually had Cabinet secretaries call me to
lobby about their grades. And others don't see the value.
But I think most of us agree 5 years later that information
security should be a priority at Federal agencies. This is how
it should be. The Federal Government has sensitive personal
information on every citizen, from health records to tax
returns to military records. We need to ensure that the public
knows when its sensitive personal information has been lost or
compromised. Public confidence in Government in this area is
essential.
As we discuss Federal information security, we should focus
on the most pressing issues and threats, remain technology-
neutral and take care not to disrupt the progress we have made
or the progress already underway. Not being technology-neutral,
I think, siphons a lot of innovation from this area. That is a
major concern with being overly prescriptive, something we have
to balance.
In the end, the public demands effective Government and the
future of effective Government and security information depends
more than ever on a successful future for FISMA.
Thank you, Mr. Chairman.
[The prepared statement of Hon. Tom Davis follows:]
[GRAPHIC] [TIFF OMITTED] T4178.091
[GRAPHIC] [TIFF OMITTED] T4178.092
[GRAPHIC] [TIFF OMITTED] T4178.093
[GRAPHIC] [TIFF OMITTED] T4178.094
[GRAPHIC] [TIFF OMITTED] T4178.095
Mr. Clay. Thank you, and would the ranking member care to
ask questions?
Mr. Davis of Virginia. Ms. Evans, let me ask you, the
administration has focused unprecedented attention on the
mundane but the very essential tasks of improving Federal
management practices, including a focus on expanding electronic
Government. The President's management agenda rates agencies'
efforts on E-Gov initiatives, OMB requires quarterly reports,
yet we still have a long way to go before things are secure.
Do you have any advice or recommendations for the next
administration of things they should prioritize?
Ms. Evans. I have a lot of advice. But in particular, I
think that the areas that we focused on and the specific
processes are good foundational activities that I think any
administration would want to continue. For example, on the
score card, one of the things that we look at, and on a
quarterly basis as required by the guidance that has been
outlined in FISMA, is the plan of actions and milestones which
really is the constant assessment of risk.
If an agency is in the check the box mentality, then we are
going to get the results that the other panelists, my
colleagues, have talked about. But if the agency head and the
CIO are really evaluating the new technologies, the services
that they have, that process, that monthly looking at things,
the daily looking at things and then making sure that you have
an adequate way to then address it I think is a good practice
to carry forward. We call it certification and accreditation
overall, we call the quarterly reports, plan of actions and
milestones, but what it really is is getting to the culture of
managing the risk.
Mr. Davis of Virginia. Have you found any agencies that
just check the box and literally don't have the substance
behind checking it?
Ms. Evans. I think that there are mixed results, as we have
said in our reports in the past. I work very closely with all
the agencies, especially through the CIO council. I do and am
concerned that we balance the compliance aspect of this
legislation and any legislation that we have against achieving
the actual results. So I would say there are mixed results and
it depends on the leadership and the CIO in particular of how
they are managing that information security program within the
department.
Mr. Davis of Virginia. The report cards are not perfect,
but right now, nobody else is keeping track, at least up here,
over what is happening. If you don't give a report card or at
least give some public embarrassment, there is no
appropriations penalty to be paid or anything else. Ultimately
it has to be directed from OMB. The executive branch doesn't
need us involved in a perfect world. We have to make this a
priority.
But managers down below, given limited funds, generally
want to accomplish their mission first. Many of them would just
as soon take the risk of a data breach to be able to accomplish
things, and if something happens, hopefully it won't happen on
their watch. That is one of our concerns.
Ms. Evans. And I would agree with you and I think that is
what we have done through the criteria that we manage and look
at on a quarterly basis through the E-Government Score Card on
the President's management agenda. It is looking at all and
everything that takes into consideration for a good information
technology program in a department. If you master those
management skills, then you have the foundation to go forward
to support any program.
All of this is about getting good program results and
making sure that you have public confidence in your services.
So you have to do many things in order to do that in this
environment. The way to provide those services is through the
use of information technology.
Mr. Davis of Virginia. Mr. Paller, part of your testimony
approaches Federal IT from an international perspective. How do
we rank when you compare us with government IT security in
other countries?
Mr. Paller. First, the breach bill that you talked about,
this is going to do a lot of good. Because people respond when
they have to make something public in ways they don't even
think about.
Mr. Davis of Virginia. No question. The tendency is to
sweep it under a rug, fully investigate, make sure you get your
spin on it. That is just natural. We do the same, by the way,
we are no different than the executive agencies.
Mr. Paller. In almost all areas, we are stronger than other
governments. The one place we fall way behind is in information
sharing. The British figured out how to do that. They actually
copied something we had called the NSIE, and spread it and we
didn't copy what we had and we built this thing called ISACS
that just don't work. So they are way ahead on information
sharing.
But in terms of actually securing Government systems, we
are not way behind anyone.
Mr. Davis of Virginia. We are also more of a target than
most government systems, aren't we?
Mr. Paller. We are getting hurt more, the British equally,
the Australians, too. These nation-state attacks are enormous.
the head of MI-5 actually just did a letter that it is all
spreading to businesses now. If you do business in China, you
are being just destroyed with cyber attacks.
Mr. Davis of Virginia. I hope we can sit down and work some
language out that and can all agree on this. Because a cyber
Pearl Harbor or something of that nature would just be awful.
And at that point, you would say, where have we all been on
this. And a lot of us have been working on this for a long
time. It is not easy.
Can I just ask one other question? Mr. Wilshusen, some have
suggested that standardizing IG audits, their practices in the
area of information security, would help reduce the discrepancy
between the agency grades, their compliance with the act and
their information security practices. Is it feasible to
standardize audit practices? Do you agree with that proposal?
Mr. Wilshusen. I think audits and in particular, with the
independent IG evaluations, we have noted in the pst that they
have been inconsistent, the scope and methodology of their
evaluations vary across agencies. And the form and content of
the reports differs significantly from just repeating or
presenting the information on the FISMA template that OMB has
established to coming up with real conclusions and findings and
issues on these security deficiencies at those agencies.
So by having these evaluations of performance in accordance
with Government auditing standards, for example, that could
elevate and raise consistency in the content of those
evaluations.
Mr. Davis of Virginia. Thank you.
Mr. Clay. Thank you, Mr. Davis.
Mr. Paller, I am very interested in your testimony's
support of prioritizing the testing and evaluation activities
that are carried out by agencies on a regular basis. Thus, I
have a few practical questions on how would you get there. Does
current guidance from NIST, such as S.P. 853, provide a blue
print for adequate security and should this guidance simply be
made mandatory and binding on agencies?
Mr. Paller. No, and hell, no. It is a catalog of everything
anybody ever thought of that might help security, 853. Not even
the audit guide, this is it. There is a parallel in the
commercial world that is what you actually have to do to secure
all the credit cards. Because the credit card industry says, we
are going to stop losing it. This looks smaller. And this one,
in all of this, firewalls are a really important part of
security, lock the door, firewalls the door. In all of this,
one-200th of it talks about firewalls. In the real one, one
eighth. So 12\1/2\ percent talks about it.
If you know security, you actually know security, not know
about writing about security, but actually doing it, no, 853 is
silly.
Mr. Clay. How can new guidance or security controls be
added in a real-time environment?
Mr. Paller. I think again, the payment card industry does
it. These are updated regularly. There is a massive new attack
on Web applications. They used to go against Windows and the
other things. Now they are going against every Web site.
Well, this has nothing, it tells you nothing about doing
that. But this one is updated very regularly, almost quarterly.
It is not hard. All you do is you set up a council of the
people who actually have to protect systems, say, what are you
doing and then get them to agree, 10 or 12 of them, they agree
and you write it up. It really isn't impossible. It is not
easy, but it isn't impossible.
Mr. Clay. You also referred to the Air Force contracting
which had required vendors to deliver minimum security
configurations for a system. Should a contractual mandate along
these lines, with requirements defined by OMB and the Federal
Acquisition Council be required under FISMA?
Mr. Paller. That is actually Karen's, she has done a lot of
wonderful things. Taking what the Air Force did and making it a
Federal mandate is the biggest, single biggest thing in
improving security we have ever done as a country.
Mr. Clay. Is that what Ms. Evans is pushing?
Mr. Paller. Yes, what Ms. Evans has done.
Mr. Clay. Would we have the problem of technology moving
ahead too quickly for regulations to keep up?
Mr. Paller. No. The Air Force, for example, has this
absolute mandate. You have to do it this way. And if you
compare the Air Force's new computers with every other agency,
they are ahead of the other agencies. So you can't say they are
behind technologically when they actually have the most
advanced technology and yet they are meeting the standard. It
is because they do it together that they get all the advanced
technologies.
Mr. Clay. Thank you for that response.
Let me ask Mr. McConnell, can you tell us how laws like
FISMA and Clinger-Cohen have altered the information security
landscape over the past decade, and if there areas in which we
should try to harmonize the provisions in order to improve
security?
Mr. McConnell. Yes, sir. I think there have been three
beneficial effects of FISMA and Clinger-Cohen. They have
increased the level of attention that is paid to information
security, they create a management structure that can be used
to manage it, and they have encouraged integrating security
into the overall program management. So you have a well-managed
program that includes good security.
I think what is needed at this point is for the executive
branch to take full advantage of the authorities and structure
that you have provided. I have seen that work in the past
across administrations. The Clinger-Cohen bill set out
authorities in a management structure that was passed during
the Clinton administration. And now the current administration
has really exercised those authorities in a significant way.
I think as far as harmonization, the law that is probably
the most in need of harmonization and updating that is under
this committee's jurisdiction is the Privacy Act. That is the
Privacy Act of 1974. And that as you can imagine, there is much
that could be done to harmonize that with other things that
have happened.
Mr. Clay. Can you explain in further detail why an
independent audit would hinder agency efforts to root out
security vulnerabilities? Isn't one of the problems with FISMA
related to the current evaluations having little consistency or
applicability across agencies, making it a paperwork exercise?
Mr. McConnell. I would agree that the current evaluations
are inconsistent and that they often focus on paperwork. But I
don't think those two aspects are necessarily connected. You
have inconsistency because you have inconsistent evaluation
criteria and processes. Whereas the paperwork is looking at a
compliance, box checking, rather than on operational security,
as Mr. Paller was saying, let's just get the stuff done.
So you could have consistent processes, but still have the
paperwork focus. The concern that I have about the mandatory
audit is that you just exacerbate the compliance mentality.
Everybody at that point is in a CYA thing, trying to make the
audit right. So I think you need to have consistent evaluation
criteria, independent evaluation criteria, but I don't
recommend making it an audit.
Mr. Wilshusen. Mr. Chairman, may I please comment?
Mr. Clay. Sure.
Mr. Wilshusen. One thing, and i Just want to make sure that
we are clear on if we are talking about the annual independent
IG evaluation or audit, if that is the change in H.R. 4791,
versus the testing that may be done by the agencies. One thing
that is important, if we go to an audit by the IG as part of
the annual evaluation, is to make sure that the audit focuses
on and the auditors conclude on the effectiveness of the
information security controls, rather than making it merely
compliance with the provisions of the act.
And so it is important to direct the focus of the audit
toward evaluating effectiveness as the IGs and auditors do as
part of the consolidated financial statement or the audits of
the agencies' financial statements. And that is why you have a
disparity between why certain agencies are reporting increased
performance versus the various metrics established by OMB for
FISMA reporting versus those audit results of the effectiveness
of controls.
So there is a distinction there to try to make the annual
IG evaluation by making it in accordance with audit standards
and assuring that the auditors conclude on the effectiveness of
controls, not merely compliance with the act.
Mr. Clay. And these should be independent audits?
Mr. Wilshusen. Absolutely.
Mr. Clay. Yes.
Mr. Wilshusen. And that is separate from the agencies that
are also required under FISMA to test and evaluate the
effectiveness of their controls. And that would be all their
controls, management, operational, technical controls, on a
frequency based on risk. We have found problems with that
process being implemented by the agencies. But those are two
separate issues, once performed independently by the IG or
other auditors, others. The security tests and evaluations
required as part of an agency information security program is
performed by agency personnel or their contractors.
Mr. Clay. Thank you for that response.
Mr. Bennett, a critical element of FISMA is for agencies to
develop a risk assessment of their systems in order to develop
or integrate effective security policies and applications for
them. With this in mind, please characterize the vendors' roles
and responsibilities in developing and implementing secure
networks and applications throughout an agency.
Mr. Bennett. Yes, Mr. Chairman. The vendor should be
responsible for understanding the agency's enterprise
architecture and the operating environment to assure that their
solutions will not disconnect or break the systems that are
currently in place. While Government and their contractor
personnel, support personnel are ultimately responsible for the
support and operation of the infrastructure, only the vendors
of these enterprise solutions really understand the protocols
and underlying infrastructure requirements that will allow
these products to work securely and as designed.
This means that implementation, testing and integration of
cyber security and risk in the mission achievement is the
responsibility of the vendor in the larger context of the
agency framework and budget.
Mr. Clay. Is the mitigation of risk a shared duty or
responsibility between both agency personnel and the vendor
community?
Mr. Bennett. Yes, absolutely it is a shared responsibility,
to the extent that the vendors' products should work as
advertised. The agency is solely responsible for the
determination of how much risk they are willing to take and
NIST guidelines do provide some guidance in this area.
But once mitigation plan has been decide, the agency should
have every expectation that the solutions that have been
purchased performed as advertised.
Mr. Clay. In actuality, and anybody on the panel can answer
this, how does it actually work between vendor community and
agency? Is it pretty seamless? Is it a turf war? What have you
found? Ms. Evans, you can start.
Ms. Evans. I would like to take the opportunity to first
talk about that. I applaud the answer of my colleague at the
other end of the table. But when it ultimately comes down to
it, the agency head is ultimately responsible for the services
that they procure and the contracts that they let. So it is the
responsibility of the CIO, which is outlined in the statute, to
ensure that we manage that risk appropriately.
So you have to have very clear and open communications. You
have to make sure that the contact is very clear as to what the
roles and responsibilities are. But when it is said and done,
the American people hold us, the executive branch, accountable
for our actions and for our services. So I believe that what
the administration has done with our policies and the actions
that we are taking is trying to make that very clear and using
the tools that we have in place to leverage our buying power,
so that it is clear to us and clear to those who choose to
provide the services for us what those expectations are, what
the risks are and how those products need to work in our
environment.
Mr. Clay. Thank you.
Mr. Wilshusen.
Mr. Wilshusen. I would just like to add, FISMA requires
that the agency is responsible for the security over the
systems that are operated on its behalf by third parties and
contractors. It should be an integral part of the agency's
information security program.
However, we have found in our report that we issued back
in, I think it was April 2005, that many of the agencies did
not have adequate policies or actually monitoring the
effectiveness of security over systems operated by contractors.
So Ms. Evans is absolutely correct, it is important that
contracts be, or that the requirements for information security
be specified in the contracts, so that the contractors know
what to do. But there is also that other side of the agency
taking responsibility to assure that the contractors are
upholding their end of the bargain and implementing the
security in accordance with the contract requirements and
Federal requirements.
Mr. Clay. Thank you.
Mr. Paller.
Mr. Paller. We train 14,000 people a year. Lots of them are
Federal people, lots of them are contractors, lots of them are
Boeing people. They can't figure this out on the fly. What Ms.
Evans is talking about, contracting for what you want, the fact
that we don't do that today is one of the two biggest flaws in
all of our Federal security. What we do is we throw it over the
wall to these contractors. And then when we find out there was
something extra we needed to do for security, they say, well,
that is another $100 million. Then we have to make choices
between spending the extra money or not.
We have to change the way we buy products, to buy it with
security baked in, rather than getting caught. That happens
with our third party, our software. Right now, if somebody does
a software development for us and we find a major security flaw
in it, we have to pay them to now go and we have to negotiate
with them and now they are busy and they have something else to
do. The whole contracting mechanism is, give it away and then,
oh, shoot, security, we should have asked you for that. So what
Ms. Evans is talking about is not a lightweight thing. It
actually matters.
Mr. Clay. Do you think in the President's proposed $70
billion budget for IT, do you think there are some built-in
protections for that, for that security element?
Mr. Paller. No, the contracting officers don't like this
topic. So when the guys want to put it into contacts, am I
being bad?
Ms. Evans. No, you go ahead. [Laughter.]
Mr. Clay. You are doing fine. Please proceed.
Mr. Paller. The contracting officers don't like it and so
when the technical person who knows what he wants goes to the
contracting officer and says, can we put that in, he says,
well, you are not being specific enough. And then it is gone.
Ms. Evans. But I have good news. I bring good news, which
is, we have, as I stated in my testimony, we have been working
with the Federal Acquisition Council to make modifications to
the FAR to do things like what we have done with the Federal
Desktop Core Configuration. So the FAR will be amended to then
include the common security configurations, which makes it a
mandatory clause. That clause, that language is to be published
in the Federal Register no later than Tuesday.
So we understand where the performance gaps are. We know we
have to follow through in our contracts to ensure that we can
hold ourselves as well as the contractors accountable. So if
you follow this example through, we gave agencies guidance last
year, last June. All new contracts were to have this language
in it if you were providing these types of operating systems or
you were going to provide products that were going to operate
on these operating systems.
What we are following through now is making sure that we
will be successful in spite of ourselves, because this will be
in the FAR. It will go forward that way. So a lot of these
things are now coming into place where the vendors now are
like, OK, so what does this mean that I have to provide
certification? That is the point of what NIST has done by
having this program out which is dealing with--the acronym is
S-CAP, but in essence what it does is validate that those
security settings stay set when you bring them into your
environment.
So a vendor, when you bring in new tooling to your
environment or a new application or anything, you run this
tool. And it is going to tell you, against those 700 settings,
what changes and what didn't. It gives you a percentage. We are
talking 100 percent right now. We told the agencies that they
had to comply with this. There is no, like, give me 80 percent
or so. It is zero or 100.
Then we thought, OK, from that perspective, how would that
really go forward. We have agencies that can tell you exactly
how many desktop have these operating environments and out of
the 700, 5 are problematic and they know exactly now what
applications that affects.
We couldn't do that before. So now when you know what that
is, you can now put in compensating controls. These lay the
good foundations for an information management program. But the
key was to ensure that the procurement cycle, and as these
products and applications come into our environments, that they
too are aware and that they are certifying against that
environment.
Mr. Clay. Will you provide us with the language?
Ms. Evans. Absolutely.
Mr. Clay. Thank you so much.
Mr. McConnell, did yo have anything to add?
Mr. McConnell. I think this has been pretty well discussed,
sir.
Mr. Clay. Mr. Bennett, one final question. You mentioned
incentives for agency security performance in your testimony. I
would like to explore that idea of a carrot and stick approach.
Would incentives such as permitting agencies that receive an
unqualified or clean independent audit to be audited only every
other year be appropriate, and conversely, would penalties for
an agency such as losing procurement funding until deficiencies
are remedied be an effective tool?
Mr. Bennett. Yes, Mr. Chairman. I think that might work and
should be given serious consideration and should be counter-
balanced by the concept that if there is inadequate
performance, that the frequency of audits should be increased
so that it works both ways and truly becomes a carrot with also
a stick.
Mr. Clay. Thank you so much.
Do any other panelists have anything to add?
Mr. Paller. I just wanted to connect the dots to Boeing.
Everything we are talking about, about compliance, spending all
this money, not doing security, I am getting calls all the
time, they are just discovering it, does this really mean us,
too? So everything we are talking about, about cleaning it up,
is about to come back across the entire Defense industrial
base, because a few months ago, they found out that the Chinese
had gotten deeply into most of their computers as well. So they
are now part of the game, and they are subject to all of this
and people saying, well, let's make the FISMA-compliant, and
all this discussion about paperwork and money wasted, it is all
about what we are going to do to the contractors.
Mr. Clay. So they are watching with a keen eye?
Mr. Paller. They are going to scream when it hurts.
Mr. Clay. They are going to scream when it hurts.
Thank you so much, Mr. Paller. Ms. Evans.
Ms. Evans. On the evaluations or audits, or whatever we end
up calling it, I do think that it is important, again, that it
is a balance of what we are looking at and the carrot and stick
approach. This is something that in my own position that I am
sure you guys manage with, as I do, is that we need to be
careful about the compliance versus the actual results that we
are trying to achieve. Putting timeframes on these things also
could drive certain behavior that we may not necessarily want
either.
I really believe it gets down to, it is a culture of
constantly evaluating the risks associated with the information
that you have. And you know, to take away procurement authority
or to take away money in some cases you might have to add money
in order to fix these types of activities, because it is so
pervasive.
I really believe the way the administration puts together
the budget, how we evaluate the capital planing, how we send
this stuff forward, really allows the agencies to focus on
managing that on a daily basis. It is not a time, it is not a
quarter, it is not a year, it is not biannually. Agencies have
to do this on a daily basis. It has to be a culture of managing
risk on a daily basis.
Mr. Clay. Thank you so much for that response, Ms. Evans.
Let me thank the entire panel for today's hearing and your
testimony. We certainly appreciate your participation in this
hearing.
That concludes this hearing. Hearing adjourned.
[Whereupon, at 12:40 p.m., the subcommittees were
adjourned.]
�