[House Hearing, 107 Congress]
[From the U.S. Government Printing Office]
COMPUTER SECURITY IN THE FEDERAL GOVERNMENT: HOW DO THE AGENCIES RATE?
=======================================================================
HEARING
before the
SUBCOMMITTEE ON GOVERNMENT EFFICIENCY,
FINANCIAL MANAGEMENT AND
INTERGOVERNMENTAL RELATIONS
of the
COMMITTEE ON
GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTH CONGRESS
FIRST SESSION
__________
NOVEMBER 9, 2001
__________
Serial No. 107-115
__________
Printed for the use of the Committee on Government Reform
Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform
U. S. GOVERNMENT PRINTING OFFICE
82-173 WASHINGTON : 2002
___________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON GOVERNMENT REFORM
DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York          HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland        TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut        MAJOR R. OWENS, New York
ILEANA ROS-LEHTINEN, Florida          EDOLPHUS TOWNS, New York
JOHN M. McHUGH, New York              PAUL E. KANJORSKI, Pennsylvania
STEPHEN HORN, California              PATSY T. MINK, Hawaii
JOHN L. MICA, Florida                 CAROLYN B. MALONEY, New York
THOMAS M. DAVIS, Virginia             ELEANOR HOLMES NORTON, Washington, DC
MARK E. SOUDER, Indiana
STEVEN C. LaTOURETTE, Ohio            ELIJAH E. CUMMINGS, Maryland
BOB BARR, Georgia                     DENNIS J. KUCINICH, Ohio
DAN MILLER, Florida                   ROD R. BLAGOJEVICH, Illinois
DOUG OSE, California                  DANNY K. DAVIS, Illinois
RON LEWIS, Kentucky                   JOHN F. TIERNEY, Massachusetts
JO ANN DAVIS, Virginia                JIM TURNER, Texas
TODD RUSSELL PLATTS, Pennsylvania     THOMAS H. ALLEN, Maine
DAVE WELDON, Florida                  JANICE D. SCHAKOWSKY, Illinois
CHRIS CANNON, Utah                    WM. LACY CLAY, Missouri
ADAM H. PUTNAM, Florida               DIANE E. WATSON, California
C.L. ``BUTCH'' OTTER, Idaho           STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia           ------
JOHN J. DUNCAN, Jr., Tennessee        BERNARD SANDERS, Vermont (Independent)
Kevin Binger, Staff Director
Daniel R. Moll, Deputy Staff Director
James C. Wilson, Chief Counsel
Robert A. Briggs, Chief Clerk
Phil Schiliro, Minority Staff Director
Subcommittee on Government Efficiency, Financial Management and
Intergovernmental Relations
STEPHEN HORN, California, Chairman
RON LEWIS, Kentucky                   JANICE D. SCHAKOWSKY, Illinois
DAN MILLER, Florida                   MAJOR R. OWENS, New York
DOUG OSE, California                  PAUL E. KANJORSKI, Pennsylvania
ADAM H. PUTNAM, Florida               CAROLYN B. MALONEY, New York
Ex Officio
DAN BURTON, Indiana                   HENRY A. WAXMAN, California
J. Russell George, Staff Director and Chief Counsel
Elizabeth Johnston, Professional Staff Member
Justin Paulhamus, Clerk
David McMillen, Minority Professional Staff Member
C O N T E N T S
----------
Hearing held on November 9, 2001
Statement of:
    Dacey, Robert F., Director, Information Security, U.S. General Accounting Office
    Forman, Mark A., Associate Director, Information Technology and E-Government, Office of Management and Budget
Letters, statements, etc., submitted for the record by:
    Dacey, Robert F., Director, Information Security, U.S. General Accounting Office, prepared statement of
    Forman, Mark A., Associate Director, Information Technology and E-Government, Office of Management and Budget, prepared statement of
    Horn, Hon. Stephen, a Representative in Congress from the State of California, prepared statement of
COMPUTER SECURITY IN THE FEDERAL GOVERNMENT: HOW DO THE AGENCIES RATE?
----------
FRIDAY, NOVEMBER 9, 2001
House of Representatives,
Subcommittee on Government Efficiency, Financial
Management and Intergovernmental Relations,
Committee on Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 10 a.m., in
room 2154, Rayburn House Office Building, Hon. Stephen Horn
(chairman of the subcommittee) presiding.
Present: Representative Horn.
Staff present: Russell George, staff director and chief
counsel; Bonnie Heald, deputy staff director; Elizabeth
Johnston, Darren Chidsey, and Earl Pierce, professional staff
members; Jim Holmes and Fred Ephraim, interns; David McMillen,
minority professional staff member; and Jean Gosa, minority
assistant clerk.
Mr. Horn. The Subcommittee on Government Efficiency,
Financial Management and Intergovernmental Relations is now in
order. In the aftermath of the terrible events of September
11th, the Nation has prudently focused on its computer security
vulnerabilities. Most of this examination has been focused on
the risks to the country's physical infrastructure. However, as
the oversight conducted by this subcommittee during the last 6
years has shown, the Nation cannot afford to ignore the risks
associated with cyberattacks.
Federal agencies rely on computer systems to support
critical operations that are essential to the health and well-
being of millions of Americans. National defense, emergency
services, tax collection, and benefit payments all rely on
automated systems and electronically stored information.
Without proper protection, the vast amount of sensitive
information stored on executive branch computers could be
compromised and the systems themselves subject to malicious
attack. As the recent spate of computer viruses and worms has
shown, cyberattacks have the potential to cause great damage to
the Nation.
It is imperative that the public and private leaders of
this Nation know where weaknesses exist in their organizations
so they can effect corrective action.
With that in mind, I am releasing an assessment of how
Federal agencies rate in their computer security efforts. This
is the second year that we have issued a grade on the subject.
It is a disappointing feeling to announce that the executive
branch of the Federal Government has received a failing grade
for its computer security efforts.
Last year Congress passed the Government Information
Security Reform Act which was intended to ensure that Federal
agencies establish agency-wide computer security programs that
adequately protect the systems that support their missions.
Based on the requirements of that law, the subcommittee has
assessed the progress of 24 major executive branch departments
and agencies in reaching the goals of enhanced computer
security. Overall, the Federal Government received an F in this
effort. The Office of Management and Budget [OMB], has set the
standard. The staffs of the General Accounting Office and our
subcommittee staff review the OMB inventory. Agency Inspectors
General and Chief Information Officers and Chief Financial
Officers have been very helpful in this.
Two thirds of the agencies failed completely in their
computer security efforts: The Department of Defense, whose
computers carry some of the Nation's most sensitive secrets, F.
The Department of Energy, along with the Nuclear Regulatory
Commission which oversees the Nation's nuclear facilities and
other programs, F. The Department of Transportation, which
includes the Federal Aviation Administration, an F. The
Department of Health and Human Services, which holds personal
information on every person who receives Medicaid and Medicare.
In all, 16 Federal agencies failed this examination completely.
Five other agencies managed to keep their heads above
water, but just barely. The Federal Emergency Management
Agency, the General Services Administration, the Environmental
Protection Agency, the Department of Housing and Urban
Development, and the Department of State all earned Ds.
The National Aeronautics and Space Administration did
slightly better, scoring a C-minus. The Social Security
Administration, which performed an admirable job of preparing
for Y2K, earned only a C-plus on its computer security program.
And the National Science Foundation's B-plus was the highest
grade awarded this year.
All of us in Congress are well aware that the Nation is in
a state of war. It is not anyone's intention to place this
great land at further risk of attack. It is, however, very
important that the new administration take heed of the sobering
assessment the subcommittee is providing and work expeditiously
to address this most important need.
[The prepared statement of Hon. Stephen Horn follows:]
[GRAPHIC] [TIFF OMITTED] 82173.001 through 82173.002
Mr. Horn. And we have two excellent witnesses today, and
that is Robert F. Dacey, Director, Information Security, U.S.
General Accounting Office. We also have Mark A. Forman,
Associate Director, Information Technology and E-Government,
Office of Management and Budget.
Gentlemen, as you know, we swear in witnesses here and your
staff that have accompanied you, and the clerk will keep tabs
of who the staff are and so forth and put it in the hearing
record. So if you will stand and raise your right hands.
[Witnesses sworn.]
Mr. Horn. The clerk will note that we have six witnesses
and supporters.
And our first witness is Robert Dacey, the Director,
Information Security U.S. General Accounting Office. Welcome.
STATEMENT OF ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY,
U.S. GENERAL ACCOUNTING OFFICE
Mr. Dacey. Thank you. Mr. Chairman, I am pleased to be here
today to discuss our recent analysis of information security
audits and evaluations of unclassified computer systems at 24
major departments and agencies. As you requested, I will
briefly summarize my written statement.
Overall, the audit shows that significant pervasive
computer security weaknesses continue to place Federal assets
and operations at risk. As with other large organizations,
Federal agencies rely extensively on computerized systems and
electronic data to support their missions. If these systems are
inadequately protected, resources such as Federal payments and
collections could be lost or stolen. Computer resources could
be used for unauthorized purposes or to launch attacks on
others.
Sensitive information such as taxpayer data, Social
Security records, medical records, and proprietary business
information could be inappropriately disclosed or browsed or
copied for purposes of espionage or other crimes. Critical
operations such as those supporting national defense and
emergency services could be disrupted. Data could be modified
or destroyed for purposes of fraud, deception or disruption,
and agency missions could be undermined by embarrassing
incidents that result in diminished confidence in the Federal
Government's ability to conduct its business in a secure
manner.
Further, these risks are rapidly increasing. Greater
complexity and interconnectivity of systems including Internet
access are providing additional potential avenues for
cyberattack.
Second, more standardization of systems hardware and
software is increasing the exposure to commonly known
vulnerabilities.
Third, the increased volume, sophistication and
effectiveness of cyberattacks, combined with readily available
intrusion, or hacking tools, and limited capabilities to detect
cyberattacks.
And, fourth, other nations, terrorists, transnational
criminals, and intelligence services are developing cyberattack
capabilities. The threat of cyberattacks can also arise from
hackers and others. For example, the disgruntled organization
insider is a significant threat, since such individuals often
have knowledge that allows them to gain unrestricted access and
inflict damage or steal assets.
Given these risks, I would like to turn to the status of
Federal agency information security. Our most recent analysis
of reports published from July 2000 to September 2001 continues
to show significant weaknesses in Federal unclassified computer
systems that put critical operations and assets at risk.
We have reported the potentially devastating consequences
of poor information security since September 1996 and have
identified information security as a governmentwide high-risk
area since 1997, and most recently in January 2001. As the body
of audit evidence continues to expand, it is probable that
additional significant deficiencies will be identified.
Weaknesses continue to be reported in each of the 24
agencies included in our review, and they covered all six major
areas of general controls which are those policies, procedures,
and technical controls that apply to all or most of computer
processing and help ensure their proper operation.
This chart illustrates the distribution of weaknesses for
the six general control areas across the 24 agencies. As we
have reported in the past, information security problems
persist in a large part because agency managers have not yet
established comprehensive security management programs.
As further evidence of vulnerabilities, the Inspectors
General reported significant deficiencies in agency-critical
infrastructure protection efforts. During the past 2 years, a
number of improvement efforts have been initiated. For example,
several agencies have taken significant steps to redesign and
strengthen their information security programs. In addition,
the Federal Chief Information Officer or CIO Council has issued
a guide for measuring agency progress which we assisted in
developing. And the President issued a national plan for
information systems protection in January 2000.
More recently, partially in response to the events of
September 11th, the President created the Office of Homeland
Security with duties that include coordinating efforts to
protect public and private information systems in the United
States from terrorist attack. The President also appointed a
special advisor for cyberspace security to coordinate
interagency efforts to secure information systems and created
the President's Critical Infrastructure Protection Board to
recommend policies and coordinate programs for protecting
critical infrastructure. The Board is to include a standing
committee for executive branch information systems security,
which is to be chaired by an OMB designee.
These actions are laudable. However, given recent events
and the reports that critical assets and operations continue to
be highly vulnerable to computer-based attacks, the government
still faces a challenge in ensuring that risks from
cyberthreats are appropriately addressed in the context of the
broader array of risks to the Nation's welfare.
Accordingly, it is important that Federal information
security be guided by a comprehensive strategy for improvement.
As the administration refines its strategy that it has begun to
lay down in recent months, it is imperative that it take steps
to ensure that information security receives appropriate
attention and resources and that known deficiencies are
addressed.
First, it is important that Federal strategy delineate the
roles and responsibilities of the numerous entities involved in
Federal information security and the related aspects of
critical infrastructure protection. Further, there is a need to
clarify how these activities of these many organizations
interrelate, who should be held accountable for the success and
failure, and whether they will effectively and efficiently
support national goals.
Second, more specific guidance to agencies on controls that
they need to implement could help to ensure adequate
protection. Currently agencies have wide discretion in deciding
what computer security controls to implement and the level of
rigor with which they enforce these controls.
Third, there is a need for effective agency monitoring to
determine if milestones are being met and testing to determine
if policies and procedures are operating as intended. Routine
periodic audits such as those required in recent government
information security reform legislation would allow for more
meaningful performance measurement.
Fourth, the Congress and the executive branch can use audit
results to monitor agency performance and take whatever action
is deemed advisable to remedy identified problems. Such
oversight is essential for holding agencies accountable for
their performance, as was demonstrated by the OMB and
congressional efforts to oversee the year 2000 computer
challenge.
Fifth, agencies must have the technical expertise they need
to select, implement, and maintain controls to protect their
systems. Similarly, the Federal Government must maximize the
value of its technical staff by sharing expertise and
information.
Sixth, agencies can allocate resources sufficient to
support their computer security and infrastructure protection
activities. Some additional amounts are likely to be needed to
address significant weaknesses and new tasks. OMB and
congressional oversight for future spending on computer
security will be important to ensuring that agencies are not
using the funds they receive to continue ad hoc piecemeal
security fixes that are not supported by strong agency risk
management process.
And, last, expanded research is needed in the area of
information security protection. While a number of research
efforts are underway, experts have noted that more is needed to
achieve significant advances.
Mr. Chairman, this concludes my statement. I will be
pleased to answer any questions that you have at this time.
Mr. Horn. Well, thank you Mr. Dacey.
[The prepared statement of Mr. Dacey follows:]
[GRAPHIC] [TIFF OMITTED] 82173.003 through 82173.027
Mr. Horn. We now go to Mark A. Forman, Associate Director,
Information Technology and E-Government, Office of Management
and Budget. Welcome here.
STATEMENT OF MARK A. FORMAN, ASSOCIATE DIRECTOR, INFORMATION
TECHNOLOGY AND E-GOVERNMENT, OFFICE OF MANAGEMENT AND BUDGET
Mr. Forman. Thank you, Mr. Chairman. Thank you for inviting
me here to discuss the administration's efforts in the areas of
computer security. Before getting to the substance of my
testimony, I would like to commend you and the committee for
your past and current efforts to shine the spotlight on Federal
agency security performance. I believe that only by keeping the
pressure on this issue will we get the improved performance,
will we be able to achieve and sustain the targets that we are
all striving to achieve.
As you know, the President has given a high priority to the
security of government assets including information systems and
the protection of our Nation's critical information assets. The
President has taken a number of steps to address these risks.
Last month the President signed Executive Order 13228 which
established the Office of Homeland Security and the Homeland
Security Council.
The Executive order provides for the implementation of a
comprehensive national strategy for detecting, preparing for,
preventing, protecting against, responding to and recovering
from terrorist threats and attacks within the United States. To
work with Governor Ridge on issues related specifically to the
topic of today's hearing--that is, the security of information
systems--the President appointed Richard Clarke as Special
Advisor for Cyberspace Security and issued Executive Order
13231, ``Critical Infrastructure Protection in the Information
Age.''
The President has made OMB a member of both the Homeland
Security Council and the Critical Infrastructure
Protection Board. We will help identify resource shortfalls and
duplication and ensure that funding requests are included in
the President's budget, as necessary, and properly managed when
appropriated by Congress.
OMB's presence on both organizations also reflects our
statutory role regarding the security of Federal information
systems. Now, over the last 3 years, Congress has passed two
laws that have helped to shape our current efforts in security.
In 1998 the Government Paperwork Elimination Act, GPEA, was
passed. GPEA addressed OMB and agency responsibilities for
conducting business in an electronic environment and recognized
that improved government performance demands an ability to
broadly accept authenticated electronic business transactions.
Last year, through passage of the Government Information
Security Reform Act, which we will refer to as the ``Security
Act,'' Congress strengthened the legal framework for the
executive branch to address computer security needs.
Working within this legal framework, OMB is to continuously
improve Federal security programs. Our guidance ensures that
agency senior managers devote greater attention to security;
requires agencies to tie security to their capital planning and
investment control process and to their budget as required
under the Clinger-Cohen Act, the Security Act, and indeed by
our policy. It helps agencies get user buy-in for security
control and processes to ensure that they enable business
operations. It requires that security is part of agency program
management. And it makes adequate security a condition for
funding by requiring that security controls and their costs be
explicitly identified.
The agencies have reported that for fiscal year 2002 they
are investing approximately $2.7 billion for security and
critical infrastructure protection. Of course, there are
embedded security elements such as software and protocols
within our overall IT spending. So this is buried within a
total information technology budget for 2002 of approximately
$45 billion.
But a high dollar figure says little about effective
security. In fact, we have done some analysis on our evaluation
of the 2002 reports and we found there is no significant
relationship between the percent of IT spending on security to
the security performance of that agency.
Now, as you know, several of your ratings, based on our
staff discussions, are a little tougher than ours. Some of
yours are a little lenient. If we were to add in your ratings
though, I have no doubt that would show a negative relationship
between IT spending and their security performance. So----
Mr. Horn. Let me just ask for a fact here, to get it in the
record. Is that figure you gave us $2 billion, was that it?
Mr. Forman. $2.7 billion.
Mr. Horn. $2.7. Does that include the intelligence
hardware, software?
Mr. Forman. It would for the Defense Department, but not
for Intelligence Community spending.
Mr. Horn. OK. Because I think some of that needs to be
carved out before we look at the 24 agencies, minus one or two.
Go ahead.
Mr. Forman. In essence, we don't believe that simply adding
more money will solve the problems. It has not worked for IT in
general. It shifts attention away from effective management and
investment of existing resources, and we don't believe it will
work for IT security.
To ensure that security is addressed both in apportionment
of the 2002 agency funds and in their 2003 budget request, we
have established four criteria: First, agencies must report
their security costs for each measure and significant IT
systems. Systems that fail to document their security costs
will not be funded.
Second, agencies must document in their capital asset plans
that adequate security controls have been incorporated into the
lifecycle planning and funding for each system.
Third, agency security reports and corrective action plans
are presumed to reflect agencies' security priorities and thus
are a central tool that we are using in prioritizing funding
for systems at the agencies.
And, fourth, agencies must tie their corrective action plans
for a system directly to the capital asset plan for that
system, thereby establishing the audit trail that we know that
the actions are underway.
In September we began to receive the agency reports as
required by the Security Act. We are reviewing them now because
we know that there will be much consultation with the agencies
regarding their submissions. It is too early to make public our
specific findings regarding any particular agency. I will point
out at this point that we do see the Defense Department is
operating at a significantly higher level of performance in
security than your ratings would suggest. But later I will
provide you some broad observations.
First I want to talk about our process and how we have gone
significantly further than the law requires insofar as
reporting and follow-up. As you know, the Security Act's
reporting requirements are relatively narrow, requiring only
that the agency Inspectors General submit an annual independent
evaluation to OMB. But because security is a high priority for
this administration, we have expanded the Security Act's
reporting requirements. We have issued guidance throughout the
year on meeting these requirements, including detailed
instructions to agencies on how to report the results in an
executive summary. To ensure that reporting does not devolve
into a paper drill, we are also requiring that agencies produce
for their own use and send to us copies of corrective action
plans and milestones for each weakness found by an IG
evaluation, a program review, or any other review conducted
throughout the year including GAO audits. These plans bring a
discipline to the process and make tracking progress much
easier for all involved.
We will also seek brief quarterly certifications that
corrective actions are on track. We intend to use the security
reports from the agencies, the information we have gathered
from meetings with the agencies on integrating security into
their capital planning process and in budget submissions with
other sources to determine whether OMB must take steps to
assist agencies in quickly correcting the most serious
weaknesses.
In general, based on the security reports, we found across
the 24 CIO agencies that the most common problems involved
inadequate compliance with existing OMB security policies and a
failure to follow the implementing guidance for the Security
Act.
Based on our preliminary findings, agencies have to do a
better job testing and evaluating the basic security controls;
improve the ongoing maintenance of system security; greatly
improve employee training and awareness programs; do a better
job integrating security into their capital planning and
budgeting process; recognize greatly increased risk of
interconnection; require that every system supporting
operations and their assets are reviewed annually as part of
the program review; install readily available patches for
commonly known vulnerabilities. As you know this is a chronic
problem identified by GAO, the IGs, and most any security
program in view.
It's also commonly reported from FedCIRC and others as the
cause of some 90 percent of the successful attacks on the
agency. This list represents what I would call the blocking and
tackling, and not the policy gaps, but the details of what
needs to be done in the agencies.
The reporting requirements of the Security Act have given
us a starting point to measure the performance, a baseline. And
this is our first opportunity to analyze the comprehensive
information from agencies, and from this we can move forward on
resolving the security concerns.
I would also like to take a moment to update you on two
other security-related initiatives we are working on. The first
involves our E-Government initiatives. We are currently working
with agencies on a number of high-payoff, cross-agency E-
Government initiatives. All of these initiatives will address
security within their business cases as we're requiring a
detailed business case be made for each of them.
Additionally, we have three specific initiatives that deal
with security issues.
First, E-authentication, ensuring that parties to a
transaction are authorized to participate, and it would ensure
the integrity of the transaction.
Second, the wireless networks initiative, ensuring
effective and interoperable communications between public
safety officials throughout all levels of government, Federal,
State and local, before, during and after the response to an
emergency.
And, third, disaster assistance and crisis response,
providing a one-stop portal containing information from all
public and private organizations involved in disaster
preparedness response and recovery.
A second major issue on another front is that we are
directing large agencies under a Project Matrix review. Project
Matrix identifies the critical assets within an agency,
prioritizes them, and then identifies interrelationships within
that agency and beyond into the enterprise architecture. Fiscal
year 2002 funds will be re-allocated to provide for Matrix
review. Once the reviews have been completed at each large
agency, OMB will identify cross-government activities and the
associated lines of business. In this way, we will have
identified both the vertical and the horizontal critical
operations; in other words, within an agency or department and
between agencies and department, and the assets and the
relationships beyond government; in essence the government's
critical enterprise architecture.
I'd just like to sum up with a few comments. We are
planning to engage the agencies in a number of ways to address
the problems that have been identified. We are going to be
emphasizing both the responsibilities and the performance of
agency employees, in addition to accountability for exercising
those responsibilities, and consequences for poor performance.
At the same time, we are going to focus on achieving sustained
senior management attention at the agencies. In the past this
has been a chronic problem that we at GAO and others have found
over the years to be the underlying cause for poor security
performance.
And, Mr. Chairman, as you know, I worked for many years on
the Senate Governmental Affairs Committee. Computer Security
Act oversight was part of my portfolio. And we have a chronic
issue of getting department secretaries and agency heads to
focus on this. I am quite pleased this year that in the agency
it gives a report, it is a Security Act report. We had many
agency heads and secretaries signing off on the report. So I am
pleased that we are finally starting to get the senior
executive view in this important issue.
In discharging our responsibilities under the Security Act,
the director will be communicating with the appropriate agency
heads to impress upon them the true improvement in security
performance that has to come out of external oversight from
OMB, the IGs and GAO. Congressional committee is insufficient.
It's got to come from within the agencies. So we're impressing
upon them the importance of holding agency employees, including
the CIOs and program officials, accountable for fulfilling
their responsibilities under the Security Act. There have to be
consequences for inadequate performance. We will also
underscore an essential companion to that accountability, the
clear and unambiguous authority to exercise those
responsibilities.
Again, I want to thank you and the committee for your help
and continued focus on this important area. It's vital that we
all work together to maintain this as a priority issue, and
thus promote a more secure government. Thank you.
[The prepared statement of Mr. Forman follows:]
[GRAPHIC] [TIFF OMITTED] 82173.028 through 82173.037
Mr. Horn. Thank you, Mr. Forman. Both you and Mr. Dacey
have fine careers in the private sector as well as the public
sector, and I guess I would ask you if you looked at these
charts and the subcommittee's charts, what would you do if you
were still in the private sector?
Mr. Forman. Well, I have two----
Mr. Horn. Would there be a new computer director?
Mr. Forman. I have two views on this. No. 1, I would and I
will, as well as the Director of OMB, use your data and our
data in communications as part of the 2003 budget process. That
will go back to the Hill.
And as I indicated in our testimony, we have authorities on
the apportionment of funds in 2002. I think we have made clear
that we're not going to fund systems that don't meet the
requirement of what we require to be a valid business case, and
computer security at the heart of that.
The second thing that I think we all need to be cognizant
of, the reports, as I read the evaluation, are based on
valuation of agency reports, you know, whether from the IGs and
GAO, or from the agency themselves. And I don't believe we have
the data that we need into the details, so if I go into a
server farm or a data center have they been pulling down, for
example, the IIS patches that they need to deal with Red Worm?
We put out a call via FedCIRC to get the CIOs to ensure that
indeed this was occurring. And what we found out is, yes, it
had occurred. There were no issues in many of the agencies.
What we found out in some other agencies, this was not on the
platter of some of the CIOs. So when we get into the details I
think we are going to find a mixed bag, and I think that is
where we need to go over this next year.
Mr. Horn. Mr. Dacey, you have a similar career in the
private and public sector. What would you do if you had this
bunch of grades dumped on your desk some morning?
Mr. Dacey. Well, I think the first step is along the lines
of what Mark had said. I think you really need to take an
assessment of really how bad or good is your security, what's
working good and what's working bad. Since we started doing
work probably in 1996, generally in connection with the CFO Act
and other congressional requests, we have gained a lot more
information as the years have gone on and continued to find
significant weaknesses in computer systems. But I don't think
that we have an end-all analysis at the type of detail level
that Mark referred to.
So I would suggest the first thing to do which is
contemplated by the GISRA legislation is to go out and ensure
that you really understand the nature of those vulnerabilities
and weaknesses. I think, again, that needs to be done. We have
not had time to really analyze the GISRA reports to see how
much additional work has been completed beyond what was done
before GISRA. But I think that is an important area.
Second, I think it is important to realize that what needs
to be incorporated is really an acknowledgment that computer
security is part of your basic operations. It's really a
responsibility of everyone in the agency, and you really need
to put in place reasonable and adequate computer security
management programs to ensure that. I think it is very
important for management to have some regular analysis of their
systems as well in order to manage and maintain some level of
accountability and performance measurement. I think those are
important aspects of the GISRA legislation as well because we
do have an annual accounting now, at least for the 2 years that
the law currently covers, to address that issue, and then,
given the identification of these weaknesses, really set up a
very active plan to address them, including looking at ways to
benefit from what is being done across other agencies.
What I see now a lot is each agency trying to address their
computer security, setting up what they believe to be an
adequate security process. Even within agencies, bureaus within
agencies are setting up sometimes vastly different levels of
security based upon their judgments. I think there needs to be
a coalescing of some of that information, establishment of some
common level of controls, at least a baseline, to tell people
here's what you really need to have, and not have each agency
try to figure out on their own how they get to that point in
time. Those are the kind of things I think I would suggest from
a private sector approach to try to address a problem of this
magnitude.
Mr. Horn. The chief information officers have a council,
and they have subcommittees and committees within that council.
Are you both members of that, or at least Mr. Forman for the
administration?
Mr. Forman. I serve as the director for the council.
Mr. Horn. Yeah. Now, do you think they take this seriously,
or is this just regarded by either OMB or this subcommittee
that they say, oh, just another piece of paper we've got to
fill out; how are we going to solve that problem and get them
involved to really know it's serious?
Mr. Forman. I think that they do take this seriously. As
you know, we have reorganized the council and haven't
completely finished the deployment of that. Security is one of
the areas that we are working through a number of options. But
we have chosen to disband for now the Security Committee, and I
think it is important to understand why. We've got a good best
practices guide out of that committee. We had many members on
that committee who are in key agencies. We do not see any
correlation based on the data between membership on that
committee and either your scores or our scores of success. We
need to get into the nitty-gritty details.
We have a Work Force Committee. There are two key elements
of the workforce that we and the CIOs need insight on. No. 1,
what are the standards of performance for security personnel?
What types of skills should we be looking at, both in terms of
who we're hiring and who are in those positions within the
government. And I'm forever cognizant of the fact that 80
percent of our IT work force is through contractors. So what
are the basic skills and capabilities we need? We need more
insight on that and then we need to hold the agencies
accountable. That task was given to the Work Force Committee.
The second type of work force skills, Web masters, Web
designers, virtually everybody, every career field in IT, now
has some aspect of security. So clarifying those
responsibilities, those knowledge requirements and skill
requirements, is the other thing that the Work Force Committee
is doing.
The Best Practices Committee will continue to focus on best
practices. We have chosen to give National Institute for
Standards and Technology a higher role in this arena as a
source not only of the Federal information processing
standards, but also a terrific source of best practices.
The third area in this is the architecture area. We have an
Architecture Committee. We have to get agreement among the CIOs
of some of the common best practices as they relate directly to
the architectural elements. So it is my intent to force that
debate and that consensus building that we need via that
committee.
Now we are looking at how do we best drive the cross-cut
across all the CIO agencies. And to date, quite frankly, I've
been fighting the maintenance of a committee just to talk about
this, because we do not see that correlation between committee
membership and success.
With that said, we have some other options. Do we appoint a
couple of people, CIOs that basically marshal across the other
standing committees to focus on security and ensure that it's
getting out to all the other CIOs? We had a roundtable
discussion a couple of weeks ago, a 2-hour discussion where the
CIOs to a ``T'' were either there in person or there with their
deputy CIO. So I believe they are very focused on this issue.
And we have a 5-page list of ideas we need to focus on and
alternative ways to handle that. We are pulling that material
together now. We will have another meeting and discussion of
this at the CIO Council coming up next month to make some
choices on how we'll proceed.
Mr. Horn. Were you at OMB when the argument--I don't know
whether you have it an argument or what--between the council
and OMB as to what kind of questions ought to be used to look
at what the hardware and software are with these computer
operations? And were you there when this particular group--and
this grading thing we have done is really just look at what OMB
did, send out to 24 of the major agencies and departments, and
that's all we did. Do you think we have been unfair in reaction
to these grades?
Mr. Forman. I am not quite sure I understand the question,
but let me try.
Mr. Horn. Well, were you around when this particular
inventory, let's say, was sent out by OMB, and we simply--and
GAO--simply said OK, they put the questions to them and let's
see if it works?
Mr. Forman. It actually occurred just before I came on
board, the original criteria were sent out.
Mr. Horn. So you're innocent so far.
Mr. Forman. No. Hold me accountable. Let me give you my
view on this.
Mr. Horn. Yeah.
Mr. Forman. Accountability and authority go hand-in-hand
for me. If you hold me accountable, I have a way to hold the
agency accountable.
Mr. Horn. Good. We'll do that. Maybe we'll see you a few
months from now. And one of my friends in the Cabinet on the
Y2K thing simply took our grades and put it on his door, so
every time a civil servant went in to see him, that grade was
right in their face. And he said it helped, a little bit of--
that grading got them moving. So what else can we do? What else
can you do? You're the one now on the frying pan.
Mr. Forman. As I mentioned, in preparation of the fiscal
year 2003 budget, we have got some rather strong action that we
intend to take as part of the past act, discussions that I hope
will lead to reconciliation of gaps that we see and will
address, some of the poor grades that you see as part of the
2003 budget submission. You will see that result, I hope,
coming back very well in the President's budget submission.
Second, as I mentioned, we intend to use the Clinger-Cohen
Act authorities on basically the apportionment process. So what
I would ask is your cooperation, because I am sure that there
may be other agencies or vendors that come to the Hill and talk
about how unfair that is. That will take persistence and
backbone by all of us to be true to these ideals.
Mr. Horn. How would the government have fared if, on
September 11th, a cyberattack accompanied the physical attacks
on the Nation? Would that have got them moving on such things
as security? Or is it just, as I said earlier, well, let's see
the paper, OMB. We have been around here a long time and it's
the same old game. So what do you think?
Mr. Forman. I think things have clearly shifted, and I
would daresay that it may not be as press-worthy. But if you
look at the worms that came out this summer, that our battle in
the computer security arena really started in perhaps the July
timeframe when the first of the worms started to hit. So I know
from OMB's standpoint all the way up to the director, this is,
believe it or not, the type of thing that we would talk about
at these staff meetings. We are very focused on this. And it
started in July.
Mr. Horn. Well, when you provide us with examples of
agencies whose requests will not be funded because they've
failed to document their security costs, that would be an
example of getting their attention. Is that what you're
planning to do?
Mr. Forman. Well, we hope that we will be able to----
Mr. Horn. Or are you being Mr. Nice Guy?
Mr. Forman. At some point, I'm sure that I'll appreciate
the time when somebody calls me Mr. Nice Guy, after we go
through this budget process. We hope that based on the feedback
that we're giving to the agencies and will continue to give
with the agency in preparation for the 2003 budget, that we
will reconcile these issues. Obviously, if we are unable to
reconcile the issues, that list will be in the budget.
Mr. Horn. Do you agree with GAO's recommendation to
establish mandatory standards for Federal agencies?
Mr. Forman. I think it is a question of the details on the
standards. I think we have laid out some fairly clear standards
in both the requirements for the Government Information
Security Act reporting and within the guidelines of what we put
into my testimony. I think a little bit more specific
standards. The standards that we have been promulgating along
the lines of how do you hold the agency accountable and link
that to funding are actually in both A-130 and the A-11, our
basic budget documentation. So I think that is consistent with
what GAO is proposing.
I actually think there is another set of standards that get
down to the real technology. When do certain data elements have
to have a security wrapper, which with XML technology is
currently available. When do certain elements of transactions
or certain uses of virtual private networks have to have
encryption or other types of security? It's those standards
that I want to get the agreement via the CIO Council
Architecture Committee, and that is the process I would like to
pursue for buy-in purposes.
Mr. Horn. Mr. Dacey, let me ask you on the September 11th
question, how would the government have fared if on September
11th a cyberattack accompanied the physical attacks on the
Nation? How would GAO feel about that?
Mr. Dacey. Well it's difficult to speculate what would have
happened. I know on the physical side we had disruptions in
communications and other areas. Fortunately at this point in
time, we haven't suffered from disastrous effects of a
cyberattack. As in our testimony we stated, though, there are
signs that things are getting more serious, more sophisticated,
that it could really be a serious issue. Particularly when you
look at how dependent we, the Federal Government, are on
computer technology and communications channels being available
to do our business on a day-to-day basis. So I think when you
look at those things, you have to start analyzing what could go
wrong.
And in terms of the critical infrastructure, I think that's
one of the areas that Mr. Forman refers to needs attention and
has been given attention, and, through Project Matrix, has
really had to identify what those critical areas are so they be
protected adequately; at least focus the priority on protecting
those first to ensure they are protected.
But I think that is an exercise that needs to be done,
certainly in the Federal Government. And then as part of the
overall CIP structure, consideration of what needs to be done
or what is being done in the private sector. There's a private
sector partnership here, because a lot of the critical
infrastructures that even the Federal Government depends on for
communication, electricity, and others are all controlled by
the private sector, mostly controlled by private sector
interests. So I think it is important that those be dealt with,
too.
So I think we have, certainly, challenges ahead of us to
make sure our systems are secure before something happens that
is more disastrous. Again, we've had a lot of attacks, it's
cost a lot of money; I don't want to diminish the fact that
they haven't been serious, because they have. A lot of
productivity, a lot of money has been lost. We had the
testimony before this committee out in California in the field
hearing and talked a little bit more about that along with the
other witnesses, but I think it is an issue that just needs to
be addressed now; and again in an organized fashion, not to say
that it isn't, but it needs to go forward, again, with really a
strategic plan. And I think some of those things we're starting
to see at this point in time.
Mr. Horn. Well, the General Accounting Office has been
reporting on many security weaknesses in the Federal systems
for--as your testimony just notes--Federal systems for several
years. Yet based on today's grades, agencies don't appear to be
making any progress in strengthening their security. Do you
agree?
Mr. Dacey. Well, I think we are seeing not necessarily
every agency, but many are making some significant progress in
improving security. We talked about a couple of those
certainly. We had the issue to report earlier this year on the
electronic filing system, and IRS had taken extreme efforts to
make sure that was secure for this last filing season. We have
had a lot of improvement to the Department of Defense as well,
although they continue to face challenges in putting together a
security management program, they do have some of the basic
elements in place at this point in time. So there have been
improvements. What is really challenging I think in this
environment is that the pace of these risks is increasing
extremely rapidly. Some of the factors that make it more of a
risk are increasing at a fast pace, so we are not dealing with
a static target that we need to hit. I think the target's
moving perhaps more quickly than we are at this point. I'm not
saying it is, but I'm just saying that's the challenge to keep
up with that.
So I think in terms of perspective, again, a lot has
happened. Probably if you want to secure the systems, the pace
may need to be stepped up a bit from what it has been to catch
up.
Mr. Horn. Do you feel any of these grades are being easy on
people or being too tough on people? What's your thinking on
that?
Mr. Forman. I'm concerned just about some of the
discrepancies. You have a couple of grades that are easier than
ours. We're going to hold the agencies accountable, I think,
for the harder grades in those cases. The Defense Department is
the big gap that we see between our grades and where you graded
it harder than we have. I suspect that is because they came
over and presented much more material to us than your staffs
had access to. You know, I don't know that would change
necessarily the grades that you give them. But that would be
the only discrepancy, major discrepancy I would say.
Mr. Horn. Which grades would be easier?
Mr. Forman. I'm probably not willing to get into that at
this point. We're going to reserve that for the directors'
communications with the agency heads.
Mr. Horn. So you've got sort of several professors down
there that are putting different kinds of grading or what? Or
can you agree on what an F means or an A means? Or is this the
60's, anybody down there in the 60's? Because if there are, you
know, what the heck, it's just give everybody pass/fail.
Mr. Forman. No, there aren't that many discrepancies. There
are very few discrepancies. Please let me leave it at that.
Mr. Horn. OK. We'll see what happens in about 2 or 3 months
from now, see if we've made some real progress. And I am
curious, Mr. Forman, while I understand the government
information security reform requirements do not establish a
date by which OMB must submit its required reports to Congress,
when will OMB submit this report?
Mr. Forman. Our intent is to submit it with the budget. If
it is not with the budget, it will be very near to that
submission. And of course that goes along with the basic
enforcement mechanism that we are pursuing.
Mr. Horn. Well, that's--I'm glad to hear because we were
wondering where that was. You're OMB's associate director for
IT and E-Government, don't agencies' security weaknesses as
indicated by the deplorable grades we assigned today, pose a
formidable obstacle to implementing more E-Government
initiatives? How does OMB and E-Government strategy explicitly
address computer security? Are we on the wrong thing, or how
much of that, if you will look at all of the inventory and the
form, that was sent out by OMB, is this a 5 percent or is it a
25 percent? Do they take it--how do they take it? That's what
I'm after, in terms of percentage, that they worry about and
try to do something about.
Mr. Forman. Well, I think for each of the E-Government
initiatives it is a 100 percent, because we made very clear
that we are going to use the A-11 guidance in putting together
the business case for each of these E-Government initiatives.
In doing the work of our quicksilver task force, our
E-Government strategy team, we identified several cross-cutting
barriers. Of course, as you would anticipate and as you pointed
out, there are a number of security-related items that came out
of that. And indeed, that is this E-authentication initiative
that we've begun. That's going to have a business case as well.
Now, we have included that in any one of the customer segments,
the bulk of our initiatives focus on a customer segment
government, citizen government, and business etc. The security
initiative is a cross-cutting initiative. It relates to
agency-to-agency or within-agency transactions as well as interactions
between Federal, State and local governments, governments and
businesses, and government and citizens.
That business case, as all the business cases, will have to
report not just to me but to a steering group. The steering
group will in most of the initiatives be comprised of the
different management councils, CIO Council, etc. In this case,
the steering group we're going to use is that Architecture
Committee of the CIO Council. So when we come to resolution on
authentication and digital signature and E-signature elements,
which we found is the most critical element for the
E-Government initiatives, that agreement has to get the support
of all of the CIOs because it has to be embedded across the
department and agencies.
There is another infrastructure issue that came out of the
task force, which basically I refer to as the business
architecture analysis. And integrating that with the Project
Matrix data at each department as we look across the business
architecture, all the agency-to-agency interactions, is another
level of analysis that we'll continue to do coming out of the
task force.
Mr. Horn. Let me ask Mr. Dacey. In your testimony, you
state the number of incidents are increasing, yet one agency,
OPM, reported that during the past year it only experienced one
security incident which involved limited infection by the ``I
Love You'' virus. How do you react to this statement?
Mr. Dacey. Well, I think one of the challenges that we have
is twofold. First of all, one of the basic premises on security
is to have the first adequate level of security in place,
particularly at your perimeters, for people to get into your
systems, but security, as good as it can be, is never going to
be foolproof. So there is always going to be opportunities for
people to breach that, even in a good security situation.
So you really need to have effective incident detection
processes in place to identify when that has happened and to
really identify unusual or anomalous activities. I think what
we are finding, both in the Federal agencies as well as the
challenge in the private sector, is the identification of that
type of intrusion. I know one of the parts of the GISRA
legislation is that agencies have effective incident detection
systems in place. In working and discussing things with the
CERT Coordination Center, which is funded heavily by the
Federal Government and receives a lot of information from both
private and public sector in terms of incidents, they said
their information indicates that as many as 80 percent of
incidents are not detected, and that is across the board. So I
think we have a tremendous challenge. That is in fact one of
the areas that research and development could really help to
identify better techniques, because we do have a ways to go to
really develop more effective mechanisms to identify those.
The volume of scans and activities coming into any agency
is phenomenal. We have a rather small laboratory that we use to
help do the work that we do. We've gotten 3 million or so scans
of our system within 3 years, and that is something that is not
well advertised, even our address. I know even at home
personally, when I go online, my firewall is picking up three
or four incidents an hour of someone trying to get access to my
system. So activity is happening out there. We just need to
have a better system to figure out what is valid and what is
not valid in those systems, and it is going to be a challenge.
Mr. Horn. Along this line, the subcommittee based its
grades on information submitted to OMB by the agency CIOs and
IGs in their reports on the annual agency security program
reviews required by the Government Information Security Reform
Act passed last year as part of the fiscal year 2000 Defense
Authorization Act.
Now, how do you account for the substantial discrepancies
that we noted in several cases between the CIOs' reports and
those of the Inspectors General? Are some agencies' CIOs
underreporting their vulnerabilities?
Mr. Dacey. Well, I think one of the challenges as part of
this process--again, not having fully analyzed what was
reported--is to really get in place a mechanism whereby there
can be some agreement on whether the security controls are
effective or not. What we have seen in the past is that a lot
of the analysis and actual testing of those systems is being
done by the Inspectors General, and although we note some
activity by managers actually testing their own systems, we
haven't seen a lot of that happening to date. So what I think
you have oftentimes are situations where the IG is actually
going out as we do, trying to break into systems, trying to
really analyze those controls, and I think what we need to do,
which has started to happen with GISRA, is say, managers--
program managers, you're the ones responsible for security.
It's not the GAO or the IG coming in every once in a while and
doing a testing of this system or that system. Management
really needs to put in place procedures and processes to
monitor their own systems on an ongoing basis regularly, which,
again, GISRA facilitates that through annual reporting
processes.
So I think there are bound to be some difference, at least
initially. I would hope that over time, though, that if the
agency manages to actively test their own system, which is a
very important piece of the legislation, that they will find
similar types of weaknesses, and you'll reach some convergence.
There's always going to be some differences in judgment, of
course, but I think overall that is the biggest difference now,
is the methods by which maybe that management was obtained. A
lot of this information from the management side may have been
through just various means, assessments, questions that went
out to the field and talked about whether the security is
adequate and what they have done. I don't know.
Mark may be able to shed some more light, because we
haven't been privy to all the detailed information, but again,
that would be one potential area as to why there are some
differences and how those two might converge in the future.
Mr. Horn. When we went through the Y2K situation, Mr.
Koskinen was the Deputy Director for Management. Nothing much
happened, and he retired, and then the President very well
called him back, and he was a friend of the President's, and
much like Governor Ridge, that--he's got Mr. Clarke, a lot of
respect for both the Governor and Mr. Clarke on these matters.
If I were a Deputy Secretary or something, I'd sure want to
please him. So the question is, is he the Lone Ranger that
comes in across the prairie and you guys are just waiting for
him to do your jobs? How do they think about that at OMB?
Mr. Forman. First of all, in both Executive orders, it is
very clear that OMB maintains its role for the oversight and
management, if you will, of agency security. So while we're
disbanding the CIO Council Security Committee, under the
Executive order in the Critical Infrastructure Protection
Board, OMB does chair a security committee that has been
created for Federal infrastructure. So the linkage and the
working relationship will be very good, I think.
Not at all would I say that we're going to toss our
responsibility up the hill. This will be another area where we
hope to be held accountable for the work, but I want to build
on something that Mr. Dacey said. You know, when we look at
this, ultimately it's got to be built into--we've got to have
security built into the actual programs. GAO several years ago
laid out how do you manage capital investments in general. Our
focus on the business case process is, I believe, the
appropriate focus that we should move forward. So in the
capital planning process, the first step is make sure security
is part of the business case, and that is essentially the phase
that we're in now in driving into the agencies. I think by us
saying we're simply not going to fund the business case that
does not incorporate the appropriate security controls,
complies with that first phase of GAO's three-part practice.
The next phase is the actual program control. Is it
actually being built in? Are the agencies and are the program
managers working on the security components or modules as they
execute that program? The third phase is the followup, and it
is not just lessons learned and best practices. I think that's
exactly as Mr. Dacey has said, we've got to have the
affirmative testing, that in fact the security is break-proof
at that point.
The difficulty is every time you move forward in
preventative approaches for security, the hackers move forward
in a way to break through that. So we're dealing a little bit
with the moving target. We have to make sure that is integrated
and updated, and I'm a big fan of maintaining the business
cases and controls over those business cases. So I believe that
the approach that's been laid out for capital investment
management is the same that we should be employing here.
Mr. Horn. Are you seeing any changes or new computer
security initiatives within the agencies since September 11th?
Mr. Forman. Absolutely. We have much help from our friends
on the Hill. As you know, we have at least one bill suggesting
that we spend $1 billion more on computer security. We
appreciate the cooperation and the focus on security. Clearly,
more money is not the issue. Focus is, and the details, as I
think you've focused on in your scores where we need to look.
Mr. Horn. And you're saying how much do you think you can
get out of them this time? Because I went around last year with
the number of things the executive branch wanted, and some of
them got it and some of them didn't. It was a little haphazard.
So it is nice for OMB and you to get it moving. And how much do
you think you can get from them?
Mr. Forman. In terms of focus on this, I have to say based
on the reports that have been submitted--and, again, I'm quite
impressed with this--this is the first time that I have seen
Secretary level or agency head level focus on this issue. And
so I think that occurred before September 11th. This was--the
reports came in September 10th, and it's just I think after
that become all the more important and it's recognized. I hope
we get full compliance by the Secretaries. Our intent is in the
process between now and the final submission of the budget,
that we will have that communication at the level of the OMB
Director to the Secretaries of the agencies.
Mr. Horn. Mr. Forman, we discussed that OMB and CIOs and
IGs and their reports, and that those were required by the
Government Information Security Reform Act passed last year as
part of the fiscal year 2000 Defense Authorization Act, and I'd
like it on the record, is OMB satisfied with the quality of
these reports and how do you account for the substantial
discrepancies that we noted in several cases between the CIOs'
reports and those of the IGs, and are some agency CIOs
underreporting their vulnerabilities?
Mr. Forman. When you say are we satisfied with the quality
of the reports, are we satisfied with the quality of the
content or the completeness of the reports, I guess would be my
question? I think that in both cases, we'd say we're not fully
satisfied. So let me explain that a little bit. This is the
best set of information that we've had so far going back to
1987 in the Computer Security Act on agency assessments. We
want more. That's the bottom line.
In some cases, the agencies have come back afterwards and
provided us the additional information, in many cases. Are we
satisfied with the content? There are clear examples of
dramatic progress versus the information that we had received
before. I would say that the high--areas where you have given
agencies higher grades are not an area where we are seeing any
of the agencies. So my answer would be, as has been said before
I believe before this committee, I don't do C work. I don't
want the agencies to do C work. I'm not satisfied.
Mr. Horn. Good. Glad to hear it. How long will it take you
to turn them around?
Mr. Forman. I don't know the answer to that. I'd like to be
able to come before you a year from now and to say that we've
got a substantial amount of Bs. That clearly is where we'd like
to go. On the other hand, as I've said before, there's another
level of details associated with what we've got to get across
the CIOs. The work force skills and the compliance with those
skills that may not show up in the reports, the agreement on
some of these security protocols and standards and so forth,
that I believe is a critical element of how you should hold me
accountable. But again, that won't show up in these reports. So
I've got a lot to do, and I don't know if I can get to that
level of B in a year from now.
Mr. Horn. To what degree does the President and OMB and all
of those who see the retiring situation in the bureaucracy and
how we replace it with very committed people and have
understanding of the new world that they didn't come out of 20,
30 years ago? So are we going to get some incentives of getting
new people into the government where we need them badly and get
people to go around to the State universities in particular, I
would think, and--but I'm biased there. And those are the
people that stay with it, when I looked at them in a study 30
years ago, and it still seems to be true. So what's the plan?
Mr. Forman. Absolutely, on the work force we're taking a
number of initiatives, and, again, I'd say that these are in
two prongs. One, the types of security personnel or computer
security, cybersecurity personnel that we're hiring, their
skill-sets, how we build their competencies and indeed the
training program. The second is in a number of other job
categories, Web masters, Web applications designers, the skills
to do object-oriented architectures and so forth. So we have to
ramp-up those skills.
Now, one point that I have to make here is that the vast
majority of our work force are not Federal employees. I think
we've made tremendous progress with the CIO Council Workforce
Committee, under Gloria Parker and Ira Hobbs, to move forward
on a curriculum. You may be familiar with the CIO university
concept that basically lays out a curriculum for graduate
school and related training. What we're finding is that as much
or more contractor personnel are going through this course work
than Federal employees. So we're making--which should be, you
know, given the ratio of our work force, Federal versus
contractor, we should be seeing that. We're making that
progress, and I will continue to push forward in that arena.
Mr. Horn. Well, thank you very much. It's been a useful
situation of going through these things, and I think 1 year is
too much to wait, and we're going to have to think about it in
maybe a month and a half and 2 months and a half to get, and I
would hope OMB would say, get with it, and then we don't have
to give Fs. So--and as you say, you don't want to have a C
student there either. Often they're the ones, however, that are
hiring people of a grant and what not and get rather rich in
Silicon Valley.
So anyhow, we thank you for coming, and I want to thank the
staff here that helped put it all together and worked with us
in terms of the grading situation. Russell George, staff
director and chief counsel; Bonnie Heald, the deputy staff
director; Elizabeth Johnston to my left, professional staff;
Darren Chidsey, professional staff, Earl Pierce, professional
staff, and Jim Holmes and Fred Ephraim, interns. We're glad to
have them, and on the minority side, David McMillen,
professional staff; Jean Gosa, minority clerk; and our faithful
court reporters are Christina Smith and Michelle Bulkley. So
thank you.
And with that, we're adjourned.
[Whereupon, at 11:12 p.m., the subcommittee was adjourned.]
[Additional information submitted for the hearing record
follows:]