REP. PUTNAM: Now that you're on top, how institutional are your changes? Do you perceive remaining an A virtually indefinitely? What types of changes do you have to make on an ongoing basis to continue to meet those top standards for your A rating?
MR. MERSCHOFF: As Lewis Carroll in "Alice in Wonderland", you have to run really fast in this world to just stay where you are or words to that effect. The bar is being raised continuously by OMB. So it will be harder this year to be an A than it was last year. We have areas we continue to work on. Two that you have addressed already, in terms of contingency plans and inventories, are areas we have work to do. So there is important work that remains to be done relative to our agency.
We have -- I have an outstanding staff and I have the support of the senior management within the agency to maintain computer security. So I anticipate we will be able to meet the new challenge.
REP. PUTNAM: How have you implemented the accountability within all of your managers and program directors? How is that effective and how have you helped them make information security of their everyday life?
MR. MERSCHOFF: We've established the corporate level procedure that governs the IT system, chief of which is the capital planning and investment control process. We've integrated security into the development of new systems so a business line can't develop a new system without the approval of the office of the CIO and embedded in that approval is working hand in hand with us with security. So we have confidence that each new security system we bring on line is robust in a security sense and being a peer to the other business line managers, they seek our help and we provide it in terms of current operating systems.
REP. PUTNAM: Your background is not technical in nature as in IT. You're an engineer, I believe. Do you think that that has helped you in understanding the importance of this and sharing it with others? Do you think that you have more credibility with your peers as an engineer as opposed to being an IT specialist?
MR. MERSCHOFF: I would take issue with my background not being technical. I'm an aerospace engineer, a mechanical engineer.
REP. PUTNAM: Information technical.
MR. MERSCHOFF: I'm not an IT professional.
REP. PUTNAM: Right.
MR. MERSCHOFF: I think that's helped what I believe agencies need at the CIO level. It is an executive that can hold people and programs accountable to achieve certain goals. Engineering, as a discipline, is one that IT in general can benefit from. Engineers look at redundancy and reliability and bring a rigorous disciplined thought process to systems development that matches nicely with IT development and systems development. So the direct answer to your question in terms of credibility, I believe it helps a great deal. Having been a peer to the senior business line managers in the agency, there is a trust in the budgeting process and there is a trust in terms of the service delivery process that I think helps us progress.
REP. PUTNAM: Thank you.
Mr. Rush, could you please elaborate on the additional financial reporting requirements that took priority and pushed FISMA into a secondary position, that you referred to in your opening statement?
MR. RUSH: Yes, sir. In Fiscal Year 2002, we were the first Cabinet level agency at Treasury to accelerate our financial reports to the shortened deadline of November 15th. Under Secretary Paul O'Neill, much effort was expended to demonstrate that financial reports had to be timely to be useful to managers. As we approached 2003, it was clear to OMB that that was an important goal for all of the CFO agencies.
Thus, by late spring, early summer and immediately following the divestiture of a lot of our resources, I met with the assistant for Management and we consulted with the comptroller of the United States, Linda Springer, and made clear that we couldn't meet the accelerated deadline for 2003 and meet our other requirements given the resources that we had lost. We were clearly able to produce one of those jobs but not both of them by the deadline.
So the decision was that the IRS, the bureaus, the Treasury, IT for tax administration, the department would prepare their report and send it to OMB on time and then the IG work that my office does to bring FISMA to conclusion would be followed within 30 days of any successful accelerated financial statement report. Those discussions went on for a couple of weeks and, as I indicated to you in my letter, when I distributed the report to you, I apologized for the first time.
We did not think to notify the subcommittee because we assumed that having coordinated with OMB, that information might have been made available. I regret that. That was my responsibility and I'm here to accept that responsibility. But, as between the two important jobs that we were facing as we went into the fall, it was clear that the accelerated financial report was the priority for Secretary John Snow and for the administration.
REP. PUTNAM: Is contracting out an option -- I assume it will be based on your earlier remarks, is it going to be your option in the future to contract out the preparation of the FISMA report?
MR. RUSH: It will have to be for the foreseeable future because, again, we're not moving our resources up. The president's budget request for 2005 gives us a substantial plus-up over 2004. Our office had almost recovered from some of the divestitures but the problem here is timing. As we found last summer, as we faced the decision of financial statement reporting, FISMA reporting, if you can't make these decisions early enough in the audit cycle, you can't get a contract out there. Our problem was that we were going into this audit period anticipating using our own resources to do the work and when we had this trade-off decision, we found ourselves in a position where it was too late to bring a contractor in because you still have to supervise the contract.
This year, we're starting off with a better understanding of our resources. We're going to do more contract work for our financial reporting and we intend to use a contractor for most of our FISMA work. We will not do it for the national security systems that we report on to you and others. That's a classified report.
REP. PUTNAM: You went from 155 to 62 staff in the IG's office?
MR. RUSH: That's just the audit staff.
REP. PUTNAM: Audit staff. Is that proportional to the amount of the department that was transferred to the Department of Homeland Security?
MR. RUSH: Well, after careful study of our audit program for the three years prior to divestiture, we identified a need to transfer somewhere between 30 and 35 percent of our staff to Homeland to accompany the work that was associated with the Customs Service, the Secret Service, the Federal Law Enforcement Training Center and that part of the Bureau of Alcohol, Tobacco and Firearms that went to the Justice Department. But, for reasons still not clear to me, we were cut 70 percent rather than 35 percent and we've been playing catch-up.
That decision was made and clearly people were trying to do the right thing to establish the Department of Homeland and I don't doubt that the people that we contributed to that IG office over there have made a difference in the Department of Homeland Security. But we had to actually go out and pick out about 12 people for the financial statement audit cycle and detail them into our office to get that audit done and we are struggling.
REP. PUTNAM: The IRS and Bureau of Public Debt, those audits were conducted by you or by GAO?
MR. RUSH: Well, the IRS is done almost-well, entirely by GAO and part of Public Debt is done by GAO. And we rely on those reports to prepare the consolidated. We're responsible for the consolidated audit and the Bureau level audit and special audits. As you know, Treasury has, right now, about eight different standalone audits, everything from the Gold & Silver Reserve to special accounts. The recovery in DC pushed the pension funds from DC into Treasury. So we have to manage an account for those funds and do a financial statement on retirement for judges and teachers and police officers.
We do standalone audits for the Office of Comptroller of Currency, Supervisor of National Banks, the Office of Thrift Supervision, supervisor of Savings and Loans industry. We do standalone audits of other entities, including the Financial Management Service, the check writer and cash manager for the government.
REP. PUTNAM: I can hear where you're coming from on the reasons for the delay. At the end of the day, the score was a D and probably the input of the IG's report, had it been on time, would have remained an F, the same score received in 2002. In your testimony, you attribute a fair amount of that to the IRS. Could you elaborate on that?
MR. RUSH: Well, the IRS is the largest bureau of Treasury. Treasury right now has about 115,000, 116,000 people.
A hundred thousand are in IRS. IRS has gone through major systems modernization for the last four or five years and into the foreseeable future. Their inability to accurately identify the number of systems that they have really changes all of the numbers for Treasury. It's either a miscount or undercount of systems and a failure to develop plans consistent with all of those systems.
But I don't want to make that totally an IRS problem. Treasury, in every level and every bureau, has very serious information security problems.
REP. PUTNAM: But to your credit, you are very blunt and candid in your opening testimony and your submitted testimony to that fact. And it is, considering the nature of Treasury and the information it handles and the privacy issues surrounding -- people are sensitive about what they pay in taxes and what they have, I would think you would be on the shortlist of folks that we would really want to get it right. And so it's important that Treasury improve.
Mr. Weems and Mr. Corts, both of you are responsible both for financial management and budget as well as technology in your agencies. Is that correct?
MR. : Right.
REP. PUTNAM: And one of the most common complaints that we hear is that component levels of departments don't follow a department-wide policy on information technology and don't feel compelled to do so. Do you find the same resistance when you correct budget and fiscal policy for the department and why is there a lesser standard of accountability or of responsiveness on issues related to information technology?
Mr. Weems and then Mr. Corts.
MR. WEEMS: The hammer of the budget produces usually the quickest results. If nothing else, it quickly gets the attention of the component heads and it produces an appeal to the secretary to me to somebody else who then can have a reasonable discussion about it. Many times, things in other areas seem a bit too esoteric to be able to have that kind of discussion. That's why we have undertaken in HHS to link these things together. Investments in our budget process that do not have proper security simply won't go forward and the agency head or agency official will be in the posture of having to appeal, having to have a discussion and also having to explain why they are trying to move information technology investment that does not have security sufficient to the standard.
REP. PUTNAM: Mr. Corts.
MR. CORTS: You know, there's always a certain amount of pushback. I think that the Department of Justice was really the decentralization of the department because the bureaus, especially the large bureaus, really take on a persona of their own and perhaps pushback in both budget and IT are stronger in those kinds of situations. But I believe, over the last couple of years, with the emphasis on unity at the department, we are seeing a great deal of lessening of that. The CIO Council that operates within the department occasionally will drop in on their meeting. There seems to be a good spirit there and a real desire to try to work together.
The way we're organized, it does allow the CIO to be very involved in the budget process and I believe it is becoming well recognized throughout the department that the CIO has a significant role with respect to budgetary issues. So the point that Mr. Weems was making where the budget is such a readily identifiable hammer, if you can tie that to IT, I think you've got an additional kind of a hammer to use. So I believe that the role that the CIO is playing in budget decisions, the CIO's involvement in our management team is giving the CIO additional strength and a way to deal with this pushback issue.
REP. PUTNAM: This is the fourth year in a row that Justice has had an F score. What are some things that you can identify as barriers to breaking into that D category or something better than four years of an F?
MR. CORTS: Well, frankly, we have a lot of organizational programs, as I described in the testimony, and not the least of which was a clear identification of who was in charge of IT security. Again, I came to the department about 16 months ago, and quite frankly, I was quite surprised at what I found with regard to IT and IT security. But I think we're making big strides, and one of those issues was a clear identification as to who was going to have IT security, because it had previously in the department been kind of jury-rigged, I guess, somewhat split between the department security officer and the CIO. And there was a lot of struggle over the issue of naming one single person the ultimate person responsible for it. But we've crossed that bridge and that's really helping us to move forward, and very quickly on the heels of that, the appointment of a chief information security officer, a person who came with a lot of skill and background and is just really making giant strides for us in these last months but aren't showing up on scorecards yet because, you know, the scoring took place before some of these things happened. This is a very dynamic thing for us and it's on the move and I think is on the move in the right direction.
REP. PUTNAM: Well, I'm glad to hear that it is on the move now and I hope that that stays true. You know, I was on the Horn Subcommittee and we've heard from other folks about changes in personnel, changes in priorities, changes in leadership, changes in policies, and we have to institutionalize something that will outlast you, it will outlast me and your attorney general and this president and everything else to get serious about this.
Mr. Weems, your testimony indicated a number of excellent sounding initiatives, Secure One, among others. Your department actually slid backwards from a D to an F. What happened and what can we expect to see happen next year?
MR. WEEMS: Well, Mr. Chairman, I work for Secretary Thompson, and on this scale here there's only one passing grade and NRC has it, so yes, we did slide backwards, but our goal is an A, and the secretary has made that very clear to me. The scores last year were -- we were scored before Secure One HHS was launched. In looking back over that report and what happened -- I certainly don't want to sound like the dog ate my homework sort of excuse here -- we do have deficiencies in HHS, but one of those deficiencies was documentation. If we had had sufficient documentation for some of our procedures, our grade would have been higher. So there may be a difference between the way that we are evaluated and the way the security works in the real world.
Having said that, we are striving to do, as you said, which is to institutionalize security into HHS, largely through the budget process but also through clear lines of responsibility emanating from my office through our various operating division, so we'll make it clear who is responsible for what and along what timeline.
REP. PUTNAM: Your budget has, I believe, increased substantially since the creation of the Department of Homeland Security. Is that correct?
MR. WEEMS: Yes. Just a few items went to the Department of Homeland Security, but our budget for bioterrorism, which is a substantial piece, has gone from about $300 million to about $4.1 billion in the Fiscal 05 budget.
REP. PUTNAM: And since your profile has been raised as a result of the department's role in the anthrax investigation and ricin and your secretary's launch of his war room, as well as just the increased awareness in the nature of bio-threat, has your attempted hacks and attacks on your information system increased as your profile has been raised?
MR. WEEMS: We have noticed some increase there. One of the things that I think would be helpful and I believe that this subcommittee has pointed out would be uniform standards for reporting of those. As you know, HHS reported a substantial number of incidences, but since they're not measured consistently across all departments, it's difficult for us to be able to determine our posture with respect to other agencies which may report one, for instance, over a year.
With the growth of our bioterrorism efforts, that is a place where we have been very careful to make sure that we have sufficient security and not just cybersecurity but also physical security. You can see that at the NIH campus in CDC, NIH campus for the National Institute of Health in Bethesda, and the CDC campus down in Atlanta.
REP. PUTNAM: Mr. Rush, now that FISMA is permanent and we're working on our second year using the same scoring standards, do you anticipate a change in resource allocation, either for the purpose of contracting or a shift in staffing similar to that that was caused by the CFO Act that would allow you to have the tools you need to be in compliance with FISMA?
MR. RUSH: We're going to have the tools we need this year, because the deputy secretary is taking over supervision of the CIO operations, and there's going to be a concerted effort to see some improved performance from management that has to be matched by what we do, not only in the content of that work but the timeliness of the work. So I think we're in good shape for 2004. We're going to be meeting as early as next week to try to bring that to conclusion.
But long term, I think we have to come to grips with jobs that are process jobs for IGs. These are compliance type jobs for IGs. And while I'm not here to speak on behalf of that community as one who's been in that community a long time, we can meet the deadline, but we need to begin to rationalize some things. I, for one, have complained to OMB that the timing didn't make a lot of sense. Notwithstanding our resources, it made no sense to me to be reporting in September on FISMA when we operate on a fiscal year that ends September the 30th and we have financial reporting that starts as early as November the 15th. Trying to bring some of these deadlines and due dates into sync makes a lot more sense for folks like me who have to audit.
Second, the act didn't have a date. It merely said that OMB could establish a date. So we thought it fair for them in the future to consider a different reporting date in September 15. That's not a date that's particularly useful for management, by the way. It's completely out of context with their own mission and performance reporting. So there's a lot to be done as we look out at FISMA 2005 and 2006. But for 2004, I think we're just going to knock along and get the job done.
At Treasury I think you'll see some improved performance. I'm very impressed with Deputy Secretary Sam Bodman. He's only been in the department about two months. He comes to us from the Commerce Department, where he had real impact on the department's operations, and we hope that he will bring that to Treasury.
REP. PUTNAM: Those are very interesting suggestions of yours on the reporting deadlines, and Mr. Weems' suggestion on the consistent measurement of incidents.
Mr. Merschoff, do you have any thoughts on ways that we can improve what is measured, how it's measured? Is it relevant? Is the benchmark appropriate? Your thoughts?
MR. MERSCHOFF: I agree with Mr. Weems. It's important to be able to compare your organization to other organizations, the benchmark to understand if you're doing something substantially different that needs to be addressed. In our case, we reported 67,000 incidents last year to FedCert. Some report one or two or three. And so it's absolutely impossible --
REP. PUTNAM: Do you know who?
MR. MERSCHOFF: Who?
REP. PUTNAM: HUD only had one attempted -- only one incident. So I guess nobody's interested in breaking into HUD information security or something. Quite remarkable.
MR. MERSCHOFF: If we are to get better, the CIO Council working together with benchmarking across the entire spectrum of what we do will help us realize where we're performing at a level less than the rest of the government and where to seek help, and also to provide that help to others.
REP. PUTNAM: Mr. Corts, you're relatively new to this ballgame. You came from the academic world. What are your thoughts on the benchmark and the appropriateness of the standard?
MR. CORTS: Well, I would certainly agree with the consistency issue and I think the definitional issue. I mean, you've got to get a clear understanding that everybody's talking in the same language and comparing apples to apples. And I think -- you know, I do think this is still a pretty nascent operation, and as it matures I think so will the language that Karen Evans was using, we're going to see -- things will coalesce better there in terms of agreement about terms and manners of reporting and so forth, which will be to the benefit of all of us from the point of view of benchmarks. And in the accreditation work that I'm familiar with from academe, those are crucial. I mean, it's just a crucial part of the accreditation process.
REP. PUTNAM: When is your -- what's your deadline for your budget submission, I guess, Mr. Rush, since you raised the issue of deadlines? My understanding is that OMB sets the date for FISMA reporting to coincide with your budget submission. Is that correct?
MR. RUSH: That may have been their judgment. It did not match with the submission. The submission process for the fiscal year actually spilled over into late October. We've had reclama as late as November. The president's budget was not -- the appeals for the president didn't occur until December, as I recall, this past year, and the president submitted his budget the first of February.
REP. PUTNAM: So what --
MR. RUSH: So I don't see a connection between the budget process and FISMA reporting. If there's supposed to be one, and I'm not going to object to that, it doesn't mean -- it doesn't give September the 15th a particular value as a date.
REP. PUTNAM: What date would be more appropriate, in your view?
MR. RUSH: We invest so much in financial systems reporting because of the Chief Financial Officers Act and GMRA. It would be useful if we were able to tie our FISMA reporting, which often relies on the EDP control audit work in the big financial systems to do it at about the same time or within 30 days. And I don't -- I'm not making that recommendation for all IGs. I can say from Treasury's standpoint, if we could rely upon the important IT audit work that's part of our consolidated financial statement audit, we would be able to get that report out, and I think you get a better product. It's late, but I think you get a better product.
MR. WEEMS: Mr. Chairman, perhaps I can answer that, at least from the standpoint of HHS. Our budget deliberations internally inside the Office of the Secretary typically are in July. So if we were in possession of the FISMA report in advance of July, we certainly could consider that as part of our budget deliberations. Typically August is spent trying to complete the necessary documentation to send in a budget to OMB, which is due usually right after labor day. So, in fact, I believe this year we had submitted our budget document to OMB before the FISMA report was complete.
Also, as Mr. Rush has noted, we were in similar throes of trying to complete our own audit, which took an awful lot of my time and time of other departmental officials, beginning -- you know, it doesn't begin just at the end of the fiscal year, especially the last quarter of the fiscal year and then the report going 45 days to get to the November 15th audit report date consumes an awful lot of time on the financial side and a tremendous amount of the leadership's time as well. So I would say from our standpoint, FISMA report being available on a contemporaneous basis in June or May would be really important to our budget process.
REP. PUTNAM: Well, that's very helpful, and I appreciate your suggestions on ways that we can perhaps make FISMA even more meaningful, the information from the reports more actionable. But three of the four of you don't have a whole lot of credibility on making recommendations for changes to this thing. And some folks have figured out how to do it. And, you know, there are -- it's really kind of a unique thing to government that there is this kind of flexibility. I mean, there's a lot of things going in February and March, but you still have to pay your taxes on April 15th. There isn't any -- you know, I mean, you get the extension -- you get the extension, but you've still got to pay the man.
And, you know, people have to file all kinds of reports to be in compliance with the government.
And your agencies, your departments and all the other ones aren't nearly as understanding as OMB has been, and frankly even as Congress has been about people who just don't do it, or they do it three months late, or they do it whenever they get around to it. And so we'll take these under advisement, but the last thing I want to do -- I mean, I don't want to cut off my nose to spite my face and avoid making solid commonsense changes that you guys recommend that might make sense.
I don't want, you know, to ignore good suggestions, but what I do not want is for there to be yet another reason why people aren't scoring particularly well because we changed the rules on them, and we have once again given them a whole new set of standards by which they're supposed to play ball. And the one thing about this year's score is that it's the first time that we have back-to-back years that actually are comparable, apples-to-apples comparisons to really major progress. And all the frustrations and all the timing issues and the inconsistent reporting issues, particularly as it relates to incidents affect everyone the same way.
So, you know, the A guys are dealing with the same lack of clarity on that as the F guys. And so if it's off, it's consistently off throughout the government and it's still relatively correct. So we'll take your point under advisement as we review this, but the last thing I want to do is provide another reason why people can come back and say, well, you know, we were all geared up for that 2004 structure, but then the 2006 they kind of -- you guys moved the yardsticks on us. And so we would have been there but we were prepared for the old standards.
I would give all of you the opportunity to provide any closing remarks, and then we will adjourn the hearing. So, Mr. Weems, if you'd like to offer any thoughts, things that you wish had come out, suggestions, and we'll move on down the line.
MR. WEEMS: Nothing else, Mr. Chairman, except we look for a better grade, and if you're looking for a responsible official in HHS, that's me. Thank you.
REP. PUTNAM: Thank you.
MR. MERSCHOFF: Yes, Mr. Chairman. I'd like to recognize two reasons for our success. One is the computer security staff. They're dedicated, they're motivated, they're competent, they're capable, and they're the engine behind our success. The second is the Office of the Inspector General. We have a good and productive partnership, a dynamic tension with that group where we can disagree with them, they can criticize us, we listen to each other and recognize that sometimes we're wrong and sometimes we're right. And I think that's helped us a lot in terms of improving. That concludes my remarks.
REP. PUTNAM: Thank you very much.
MR. RUSH: I just want to be sure that I close by making clear to you that the problem with timeliness was the problem with the Office of the Inspector General, it's not the Treasury Department, it's not IRS, it was not my partner, the Treasury inspector general for Tax Administration. Each of those three partners of mine did their work on time, met the standard and get their word product at OMB. The only delinquency of Treasury came out of my office, and I regret that.
REP. PUTNAM: Well, thank you for your candor and for your suggestions as well. They were really good.
MR. CORTS: Back to your point about the time that you do this and the consistency and so forth. There is a lot of value, I think, in being able to -- even if the date might not be where everybody wants it, you keep that date, you keep the standards, so you've got the measurement going forward two years in a row now. It would be great to see it another year. What's the right time? You know, I'm sure we could debate that around because it could serve all of us at different times, it would serve all of us maybe better than -- any one of us better than another date. But I do think there's a lot of value in the consistency, and I know that we look for that in terms of benchmarking.
And, finally, Mr. Chairman, I just want you to know that the Department of Justice does consider this matter to be of the highest priority for us. We fully intend to improve our mark and we don't intend to be here and look forward to giving you a better report in the future.
REP. PUTNAM: Thank you very much.
I want to thank all of our witnesses from both panels for their contribution to our oversight effort. As we face almost daily reports of IT vulnerabilities, the federal government really must be a shining example of IT security. I also want to mention that I will be meeting with the Federal CIO Council, again, to express my commitment to this issue, as well as to hear their feedback on why so many agencies have not produced better progress and perhaps to solicit more suggestions, as you just provided, on ways that we can improve the process.
In the event that there may be additional questions we did not have time for today, the record will remain open for two weeks for submitted questions and answers. Thank you all very much. The subcommittee is adjourned.