Federal News Service March 16, 2004 Tuesday
Copyright 2004 The Federal News Service, Inc.
Federal News Service
March 16, 2004 Tuesday
HEADLINE: HEARING OF THE TECHNOLOGY, INFORMATION POLICY, INTERGOVERNMENTAL RELATIONS AND THE CENSUS SUBCOMMITTEE OF THE HOUSE GOVERNMENT REFORM COMMITTEE SUBJECT: INFORMATION SECURITY IN THE FEDERAL GOVERNMENT: ONE YEAR INTO THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT
CHAIRED BY: REPRESENTATIVE ADAM H. PUTNAM (R-FL)
WITNESSES: PANEL I: ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY ISSUES, UNITED STATES GENERAL ACCOUNTING OFFICE; KAREN EVANS, ADMINISTRATOR, ELECTRONIC GOVERNMENT AND INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND BUDGET; BENJAMIN WU, DEPUTY UNDER SECRETARY FOR TECHNOLOGY, DEPARTMENT OF COMMERCE;
PANEL II: PAUL CORTS, ASSISTANT ATTORNEY GENERAL FOR ADMINISTRATION, DEPARTMENT OF JUSTICE;
JEFFREY RUSH, JR., INSPECTOR GENERAL, DEPARTMENT OF TREASURY; ELLIS W. MERSCHOFF, CHIEF INFORMATION OFFICER, NUCLEAR REGULATORY COMMISSION; KERRY WEEMS, ACTING ASSISTANT SECRETARY FOR BUDGET, TECHNOLOGY AND FINANCE, DEPARTMENT OF HEALTH AND HUMAN SERVICES
LOCATION: 2247 RAYBURN HOUSE OFFICE BUILDING, WASHINGTON, D.C.
REP. ADAM H. PUTNAM (R-FL): Well, good afternoon. A quorum being present on this rainy Tuesday and the sound system back up and running, the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census will come to order.
Good afternoon and welcome to another important hearing on cyber security. This is the first oversight hearing conducted by the subcommittee on IT security this year. Last year we learned a great deal about threats, vulnerabilities, new technologies and new strategies for addressing the important issue of information security. Since our last hearing on this topic the only thing that has really changed is the urgency of the threat.
While I believe it may be fair to say that there might be more discussions taking place about these issues, the time for discussion and debate now yields to a more important requirement for action. Every month virus and worm attacks are becoming more prevalent and more malicious. A recent report placed the worldwide mitigation costs for the month of February 2004 at $83 billion. Some might say that number is over inflated, some might say that it's off by half, that's still a staggering number.
The cyber threat poses some very unique and difficult challenges. Our infrastructure and government systems can be attacked from anywhere at any time. We know that various terrorist groups are sophisticated and becoming more so each day, not to mention government sponsored attacks. Our government has taken dramatic steps to increase our physical security, but protecting our information networks has not progressed commensurately either in the public or the private sectors.
DHS is really just getting its feet on the ground in this arena and while I acknowledge the efforts of the National Cyber Security Division, I will reiterate my concern that we are collectively not moving fast enough to protect the American people and the U.S. economy from the very real threats that exist today. The privacy and security of the public remain at risk. The economic damage being done to our economy is significant. The magnitude of this clearly is what makes this hearing so important, because government wide we are still failing to adequately secure our networks. Government must be the leader, we must set the standard and we must do it now.
The oversight by this subcommittee will be commensurate with the threat: every increasing and aggressive. In December of last year the subcommittee released the 2003 Federal Computer Security Scorecard. It was the fourth year that federal agencies were graded following by the process begun by former Congressman Steve Horn. This past scorecard for the first time based grades on the criteria established by the Federal Information Security Management Act, the FISMA. Chairman Davis, through his FISMA legislation as part of the E-Government Act of 2002, laid the groundwork for better security and better reporting for the government computer system. This year's grades were based on the FISMA compliance reports that the agencies provided to Congress and OMB in September of last year.
OMB has worked hard to advance computer security at all the federal agencies. I would also like to thank the GAO for their invaluable help in preparation of these grades. This year is an important grading year because for the first time we can accurately compare the agencies to a previous year because the grading elements provide an apples to apples comparison. This year overall the federal government received a grade of D. That's a modest increase over the F the government received last year.
For the first time two agencies, the Nuclear Regulatory Commission and the National Science Foundation, received As. Fourteen agencies have increased their grades this year, although a couple actually slid backward. Only five agencies in the federal government have completed reliable inventories of their critical IT assets, leaving 19 without reliable inventories. This is troubling considering we are four years into this process and we still have far too many agencies with incomplete inventories. How can you secure what you don't know you have? How can you claim to have completed a certification and accreditation process absent a reliable inventory of your assets?
The IGs of three agencies, DOD, Veterans Affairs and Treasury, did not submit independent reports in a timely manner. This represents a serious problem. I must stress the I.G. component of this equation is critically important. The independent verification is vital and particularly in light of the fact that there were significant differences between many of the agencies and their IGs. Seven agencies had differences of two grades or more with their IG. Fourteen agencies are still below a C and eight received failing grades.
As we worked on these grades there were some overriding themes that became apparent for the agencies with good grades versus those with poor grades. A full inventory of their critical IT assets, they identified critical infrastructure and mission critical systems, a strong incident identification and reporting procedure, tight controls over contractors, strong plans of actions and milestones that serve as guides for finding and eliminating security weaknesses.
The Nuclear Regulatory Commission and the National Science Foundation should be commended for their outstanding scores, as well as the Society Security Administration and the Department of Labor for their B pluses. And while DHS had a failing grade this year, we recognize the difficult reorganization that took place and we expect a significant improvement next year. To assist agencies, I've requested that each of the 24 graded agencies come to meet with staff to discuss their grade. So far staff has met with 14 and the results are very encouraging.
We've seen a great deal of enthusiasm and willingness to do the work necessary. The agencies have also expressed gratitude for the opportunity to discuss the work they are doing and the grades with the subcommittee. I'm encouraged that OMB in a recently released FISMA report and during Clay Johnson's testimony two weeks ago, stressed that there is an increased determination to hold agencies accountable for implementing FISMA.
There is some clarification that I will seek today of something that was written in the OMB report. The report on page 13 says the following, quote: "While awareness of IT security requirements and responsibilities has spread beyond security in IT employees, more agency program officials must engage and be held accountable for ensuring that the systems that support their programs and operations are secure. This issue requires the federal government to think its security in a new manner. The old thinking of IT security as the responsibility of a single agency official or the agency's IT security office is out of date, contrary to law and policy, and significantly endangers the ability of agencies to safeguard their IT investments," close quote.
While I agree that IT security is a collective responsibility, the language I referred to seems to indicate that no one person will be held accountable. I disagree. This chairman and this subcommittee will seek accountability of the highest agency official responsible for information technology investment to ensure that IT security is baked in to the investment decision making process, consistent with the law established in the Clinger-Cohen Act. I've already initiated a process, working with Chairman Davis, to amend Clinger-Cohen Act to explicitly identify information security as a required element of the IT investment management oversight and decision making process within every agency of the federal government. The grade of D for the federal government simply is not acceptable.
Frankly, one of the continuing obstacles to progress is that too many people still view information security as a technology issue. This is a management and governance issue and must be accounted for in every business case and in implementation of a federal enterprise architecture. This is the responsibility of all stakeholders and the silo walls must come down with this and other transformation efforts to employ collaborative solutions that will provide increased safety and protection for the American people and the U.S. economy.
I welcome and applaud the increased oversight being employed by the Office of Management and Budget for the use of existing tools and business case evaluations. I particularly applaud the recent announcement that OMB will not approve agency expenditures for IT development and modernization projects until they have sufficiently demonstrated that their existing information technology assets are secure. Working together as partners in progress, we will continue to be vigilant in our efforts to achieve the security of the information networks that support the mission activities of the federal government and protect the information aspects they contain.
Many cyber security technologies offered in today's marketplace can serve as safeguards and countermeasures to protect agencies' IT infrastructures. To assist agencies in identifying and selecting such technologies, I've asked GAO to categorize specific technologies according to the functionality they provide and describe what the technologies do, how they work and their reported effectiveness. GAO is releasing this report today and I want to thank them for their work and effort in producing this document. I read it on the plane up here and it's outstanding. It is information security for dummies, congressmen and bureaucrats and I found it extremely helpful. Had I had that GAO report when I first became chairman it would have knocked the learning curve down a little bit. But it was very helpful.
I would like to welcome all of our witnesses here today. I want to thank you for your time and I look forward to your testimony. I ask unanimous consent to insert in the record the statement of my ranking member, the gentleman from Missouri, Mr. Clay. Without objection, show it done. And we will move directly into the testimony. All of you are old hands at this. You understand the light process and we certainly appreciate your summarizing your statements. Please rise and raise your right hand.
Note for the record that all of the witnesses responded in the affirmative. I'd like to introduce our first witness, Robert Dacey. Mr. Dacey is currently director of Information Security Issues at the U.S. General Accounting Office-I thought we'd changed that. Has that passed the Senate yet? Don't you have a new name?
MR. ROBERT F. DACEY: I'm not sure quite yet.
REP. PUTNAM: All right. Everybody's waiting on the Senate. His responsibilities include evaluating information systems security in federal agencies and corporations, assessing the federal infrastructure for managing information security, evaluating the federal government's efforts to protect our nation's private and public critical infrastructure from cyber threat, and identifying best practice-best security practices at leading organizations and promoting their adoption by federal agencies.
You're always a great asset as a witness to this subcommittee. You're recognized.
MR. DACEY: Mr. Chairman, I am pleased to be here today to discuss the federal government's efforts to implement FISMA. As you requested, I will briefly summarize my written statement. Since 1997 we have identified information security as a government wide high risk issue. Congress has demonstrated their concern through ongoing hearings on information security and enactment of reform legislation. The subcommittee has played a very active role in addressing federal information security challenges, including the grades you referred to in your opening statement which are based on a broad range of information included in the FISMA reports.
Based on our recent analysis of audit results and on reported FISMA information for 24 of the largest agencies, the federal government has made progress but continues to face significant information security risks to its critical operations, information and assets. First year FISMA reports provide important comparative data on information security performance measures and certain new information. The reports identify progress and highlight several challenges, including the following.
Number one, while reported performance measures generally increased, there continued to be a wide variance among the agencies. Two, IGs reported less than half of the agencies had complete system inventories now required by FISMA. Three, reported systems with certifications and accreditations continued to increase to 62 percent, and systems with controls tested to 64 percent. However, both IG evaluations and our own ongoing review have identified deficiencies in the C&A processes such as lack of control testing and outdated risk assessments. Also, as additional systems are certified and accredited and controls tested, it is likely that additional deficiencies would be identified.
Four, over half of agency systems do not have tested contingency plans, an essential step in ensuring that critical systems can continue to operate in the event of unexpected interruptions such as a cyber or physical attack. Five, as a result of new OMB reporting requirements, IGs identified challenges in agencies' processes for remediating identified deficiencies which are key to ensuring that significant weaknesses are addressed in a timely manner and receive appropriate resources. And sixth, we noted opportunities to improve the usefulness of reporting measures included in FISMA reports, including independent validation of reported information to ensure that such information is reliable.
In its Fiscal Year 2003 report to Congress, OMB concluded the federal government has made significant strides in identifying and addressing longstanding problems, but that challenging weaknesses remain. In particular, the report notes several government wide findings such as progress against milestones and lack of clear accountability for ensuring security of information systems. The report also presents a plan of action that OMB is pursuing with agencies to close the gaps and to improve security.
NIST also has taken a number of actions to develop FISMA required system risk levels and corresponding minimum security standards to improve federal information security. However, according to NIST the current and future funding constraints could negatively impact NIST's work in this area. Further, Mr. Chairman, as you noted in your opening statement, we released today our report on current cyber security technologies that are available for federal agencies.
In summary, through the continued emphasis on information security by the Congress, the administration, agency management and the audit community, the federal government has seen improvements in its information security, achieving significant and sustainable results will likely require agencies to institutionalize programs and processes that prioritize and routinely monitor and manage their information security efforts and provide information to facilitate day-to-day management of information security throughout the agencies, as well as verify the reliability of reported performance information. Mr. Chairman, this completes my statement. I'd be happy to answer any questions.
REP. PUTNAM: Thank you very much.
The next witness is Karen Evans. In September of 2003 Karen Evans was appointed by President Bush to be administrator of the office of Electronic Government and Information Technology at the Office of Management and Budget. Prior to joining OMB, Ms. Evans was chief information officer at the Department of Energy and served as vice chairman of the CIO Council, the principal forum for agency CIOs to develop IT recommendations. Previously she served at the Department of Justice as assistant division director for Information and Management. She is doing a great job over at OMB and we're always delighted to have you join us and share your expertise with us. You're recognized.
MS. KAREN EVANS: Good afternoon, Mr. Chairman. Thank you for inviting me to speak about the status of the federal government's efforts to safeguard our information and systems. My remarks will focus on the findings of the OMB FY 2003 FISMA report and the next steps to address our IT security challenges.
Earlier this month OMB issued our third annual report to Congress on agency compliance with IT security requirements in law and policy. FISMA, like its predecessor the Government Information Security Reform Act, continues to be a valuable tool in improving the state and federal IT security, both the security of systems and the promoting of protecting of information. The OMB FISMA report identifies IT security progress and weaknesses in Fiscal Year 2003. The report summarizes progress such as federal performance against three government wide goals identified in the president's FY 2004 budget.
Agencies reported their progress against a key set of IT security performance measures. These measures reveal areas of the progress from Fiscal Year 2001 through 2003, as well as weaknesses. Agency IG reports verified some of this progress and in other instances called into question the quality of some of the work. For example, while there are notable increases in the percentage of systems with security plans, many federal systems still do not have contingency plans in place to ensure continuity of operations. IG reports also continued to identify a number of troubling government wide issues and trends such as reoccurring IT security weaknesses, some of which are repeating material weaknesses. Far too many systems continue to operate with serious weaknesses.
Another area highlighted in OMB's report was the need for improved accountability within agencies. The law is very clear on this issue. The agency head is ultimately responsible for the security of their information and systems and is charged with ensuring agency senior officials and the agency CIO fulfill their specific IT security responsibilities. Agency senior officials are responsible for providing security for the information and the systems which support their operations and assets. In fact, the majority of IT spending within agencies is not on IT infrastructure and networks traditionally owned and operated by the CIOs, but rather on mission IT and investment. It is within these systems that many weaknesses reoccur.
To address these problems and others, OMB will continue to engage management and leverage the budget processes. While IT security clearly has a technical component, at its core is an essential management function. Most of the federal government's IT security weaknesses can be resolved through better management and accountability. Through the budget process, OMB requires agencies to incorporate IT security through the lifecycle of all investments. Failure to appropriately incorporate security could see investment at a considerable risk.
To enforce this requirement, OMB notified those agencies with significant information and systems security weaknesses through budget guidance to remediate operational systems with weaknesses prior to spending FY 2004 IT development or modernization funds. As additional resources are needed to resolve those weaknesses, agencies are to use those FY 2004 IT funds originally sought for new development. Additionally, OMB continues to import IT security through the president's management agenda under the E-Gov scorecard.
Agencies may not get to green under E-Gov unless they fully meet specified IT security criteria, including 90 percent of the systems being certified and accredited and that their IG has verified the agency has a plan of action and milestones process in place which meets the OMB criteria. The PMA enables OMB to hold agencies, their senior agency officials and the CIO accountable for IT security performance.
Finally, as we move into the fourth year of these annual IT security requirements, our goal is to improve FISMA reporting instructions so that we more clearly calculate results and performance measures continue to mature to focus on key IT security areas. This is actively working on the development of new guidelines required under FISMA which will play a significant role in evaluating technical implementation of agency IT security efforts.
In particular, as part of the development of OMB's FY 2004 FISMA guidance we are focusing on the following three areas. One, evolving the IT security performance measures to move beyond guidance reporting to also identify the quality of work done. Two, the independent evaluations by the IGs continue to be a source of indispensable information, and further targeting of the IG efforts to assess the development, implementation and performance of key IT security processes are invaluable. And, three, providing additional priorities to certain definitions to eliminate interpretation differences within agencies and between agencies and the IG.
In conclusion, I would like to acknowledge the significant work of the agencies and IGs in conducting the annual review and evaluation. It is this effort which gives OMB and the Congress much greater visibility into the agency IT security establishment progress. While notable progress can result in resolving IT security weaknesses as they're made, problems continue and new threats and vulnerabilities continue to materialize. Much work remains and OMB will continue to work with agencies, GAO and Congress to promote appropriate risk based and cost effective IT security programs, policies and procedures to adequately secure our operations and assets. I'd be glad to take any questions at this time.
REP. PUTNAM: Thank you, Ms. Evans.
Our third witness is Benjamin Wu. Ben Wu was sworn in as deputy undersecretary for Technology, U.S. Department of Commerce in November of 2001. In this capacity he has supervised the policy development, direction and management at the Technology Administration, a bureau of over 4,000 employees that includes the National Institute of Standards and Technology. Prior to joining Commerce, Mr. Wu held senior staff positions in the United States Congress, where he led on issues affecting the United States technology and competitiveness policy. You are, I believe, an alumni of this subcommittee?
MR. BENJAMIN WU: Yes, sir, I did work very closely with the subcommittee and Government Reform Committee. But actually I was an employee of the Committee on Science.
REP. PUTNAM: Okay. He worked in Congress from 1998, serving as counsel to Congresswoman Connie Morella, and on the Science Committee. Welcome back and you're recognized.
MR. WU: Well, thank you, Mr. Chairman. It's a pleasure to be back. And I thank you for the opportunity to appear before you today again. As you mentioned, when I worked in the House I also was the lead committee staff on the House Y2K Task Force, and in that vein we had an opportunity to work very closely with GAO and also former Congressman Steve Horn as he developed the grades for assessing the agencies' involvement and their participation in Y2K activities. And it's since evolved into computer security and I congratulate you for your efforts in continuing that leadership that's so needed on cyber security. Back then we partnered with GAO and as you talk about this partnership for progress to move forward on cyber security, GAO again is proving to be an excellent partner. And also, under Karen's guidance, OMB is as well, and we see NIST also playing a very important role-a very important partnership role in that partnership for progress.
I want to thank you for the opportunity to testify about the NIST contributions to strengthen our information security in the federal government. I want to focus my remarks on the NIST effort to implement our assignment under FISMA and some of the challenges that we're facing, confronting. FISMA's enactment reinforced the longstanding NIST national responsibilities for security research, for developing federal information standards and guidelines. With FISMA, Congress gave NIST a vote of confidence about its ability to work and further this research, and we do appreciate that recognition.
NIST standards and guidelines form the basis of the federal government's ability to improve cyber security and our work-and our security work at NIST is being done at our Information Technology Laboratory, which develops test metrics as well as guidance for building trust and confidence in IT systems that are now so pervasive in our nation's economy. And behind me is Susan Zevin, who is the leader of our Information Technology Laboratory, and also Ed Roback, who is the head of the Computer Security Division at NIST. And those two and their teams at NIST help build the trust of users of IT systems, concentrating on techniques and tools to manage, to use and improve IT systems. And NIST's success really relies on its status as an objective third party working with private sector vendors, standards development organizations and consortia.
Mr. Chairman, I want to give you a status report on where NIST is in terms of its FISMA responsibilities. The general responsibilities that were assigned to NIST under FISMA included developing IT standards, identifying information security vulnerabilities, assessing private sector policy, assisting the private sector as well, and also evaluating security policy. And FISMA also contained a number of specific assignments to NIST and they include development of standards development and guidelines, recommended types of information systems, as well as minimum information security requirements and incident handling guidelines and security performance indicators, as well as annual reports to the committee.
And I'd like to summarize the progress that we've made since FISMA became a law December 17, 2002. Significant progress has been made on the specific assignments and many have been completed. They include the FIPS Publication 199, which was completed in January 2004, the NIST Special Publication 860 which is to be completed this summer and a draft is now available. The NIST (SP) 800-53 is also ready for completion in December 2005 and a public draft is available. The NIST (SP) 800-55 to be completed in July 2003 (sic), the NIST (SP) 800-59 to be completed in August 2003 (sic), and also the NIST (SP) 800-61 which we just completed this past January.
But as Bob mentioned, we are concerned because Congress was unable to meet the presidential budget request for the NIST Cyber Security Division in the FY 2004 appropriation. And as a consequence, Mr. Chairman, although we continue to give FISMA activities priority in our budgeting process, the guidelines, the standards and related research in the following areas may not be able to be accommodated within our FY 2004 funding level and have to be scaled back. They include guidelines on archiving and disposal information, checklists and guidelines, new security protocols, operating our computer security expert assistance team, supporting the NIAP, minimizing the-or minimum security recommended requirements, as well as some of our implementations for IPv6.
At our current level of funding we've also had to delay a number of other activities which I won't list in total. But let me clear. You know, due to the prioritization within the Computer Security Division, none of the specific tasks that have been assigned to us under FISMA are affected now that they're proceeding as scheduled as best as we can within the timeframes allowed under the legislation. But we feel that NIST is so uniquely poised to do so much more, and we're limited really only by our budget constraints. And before Congress now is the president's Fiscal Year 2005 budget request that includes a proposed increase of $6 million for NIST to address the key national needs in cyber security. And with the proposed increase of the $6 million for '05 with the current level funding --
REP. PUTNAM: Did you say million or billion? I'm sorry to interrupt.
MR. WU: Million, million. No. We'd love for it to be billion, but we also understand the constraints in the federal budget. But coupled with the current $10 million that NIST has for its efforts, we believe that NIST can work more effectively with industry and government agencies to facilitate solutions to critical cyber security issues.
Additionally, this would include costs that would allow us to work together with the Homeland Security Department, Science and Technology Directorate, as well as the Information Analysis and Infrastructure Protection Directorate, National Federal Security Division. We also would like to see if we can continue to provide other agency reimbursable work and partner with other federal agencies so we can have people tap into the NIST expertise, and also allow for other agencies to meet their FISMA responsibilities.
So in conclusion, Mr. Chairman, the standards and guidelines produced by NIST are key to the federal government's ability to improve cyber security. NIST's impact reaches far beyond just the federal systems, and the NIST guidelines are also used by state and local government as well as often adopted by the private sector, domestically as well as internationally. And NIST takes its cyber security role very seriously and will work with the committee to ensure that we are able to carry out our mandate to work with industry, with academia and standards development organizations to ensure the sure flow of vital and sensitive information throughout our society.
We applaud the committee for its leadership and also for detailing a specific leadership role for NIST to play in supporting that effort. And the FISMA activities, those already accomplished as well as those currently underway, will lead to a more consistent risk based and cost effective IT security at all federal agencies, and we work very closely-we look forward to working very closely with you, OMB as well as GAO. Thank you, Mr. Chairman.
REP. PUTNAM: Thank you very much.
Ms. Evans, in your 2003 FISMA report you say that ensuring the security of most agency information and systems is not the total responsibility of the agency CIO. While I can understand where you're coming from that, you know, everybody has a role to play in their piece of the agency or department, there is an old saying that everyone's responsibility is no one's responsibility. So how do you see increasing the awareness of all employees to their information security responsibilities while still having some accountability built in to the system?
MS. EVANS: I believe that there is accountability built into the system, and the way that that is is that FISMA is very clear that it holds the agency head responsibility for the cyber security posture of the agency. That agency head then manages what risk do I want it to go forward with? And there is a tiered approach into this where the CIO manages from an enterprise perspective. And so based on policies and guidelines that come out from OMB and from Congress that the CIO then manages across the enterprise or through the corporation, so to speak.
But then as that then goes down, each then program office-or in this case the way that we refer to this as agency senior officials because it could be a staff office, it could be assistant secretary, is responsible for ensuring their portion of that cyber security posture. The agency head determines what risk are they willing to live with, and then they move down through the structure to ensure that the accountability is built into that. So the point of the report is to say that not-although the CIO puts together the enterprise solution, so to speak, and the policies and the procedures, the CIO also then ensures that investments that are occurring within those program offices will meet that risk posture that the secretary wants to have as a whole.
So we believe that it's clear, but we also need to articulate that it's important that everybody has to do their portion of what is responsible here, from the very first employee when they come onboard to being aware that maybe I shouldn't put a disc into my computer that I brought in from home, to the agency head, the secretary, who has to manage all of the output.
REP. PUTNAM: Well, what has-what negative consequences have there been to the agency to receive failing grades, or even backslid in their scores and things like that? What action has been taken to demonstrate accountability?
MS. EVANS: We have been working through a series of processes that we have in place. First off there's the President's Management Agenda scorecard, and the E-Gov scorecard manages the progress of the agencies going forward and cyber security is a major portion of that. There's a quarterly grade that we give to each agency, which clearly holds again the agency head responsible, as well as going down through the agencies because it recognizes that within there everyone has to play a part in the cyber security piece.
But it also additionally-through the budget process this year we went forward and cyber security is an important issue for this administration and so we gave specific guidance to the agencies through the budget process of how we wanted to ensure that they were taking and looking at what they needed to do to secure their assets. So they were given specific guidance through the budget guidance that said you have to turn in a plan and that this plan is specifically focused on certification and accreditation, which really deals with the business process and how you manage cyber security across your enterprise. And they were given specific timeframes to turn those plans in to us, and the cost associated with making that happen so that we can achieve the goals that we have set out for ourselves, which we didn't achieve, that we had laid out in the FY '04 budget. And so we're now in the process of looking at these plans and working with the budget side as well as the management side within OMB and then each of the agencies to make those plans a reality and to ensure that we go forward and we secure those systems.
REP. PUTNAM: Well, in reading your testimony you indicate 12 agencies have a remediation process verified by their IGs as meeting the necessary criteria. Do you know the agencies who did not have a remediation process? You're only batting 500.
MS. EVANS: Yes, I know. It's not a very good grade. And I can give you the specific agencies, it's in the report. But --
REP. PUTNAM: Are they the big boys? That's what I really want to know.
MS. EVANS: It's a mixture of agencies. But the remediation process is dealing with-that's an IG verified-we have the IG verify that process. That deals with that they have a process in place that ensures that as they go forward and they purchase new types of things, or that a new vulnerability comes up or that-you know, that they have a process in place that allows them to remediate that weakness. That includes things like configuration management and those types of processes to go forward. We gave 18 agencies additional guidance through the budget process to deal with certification and accreditation, so that gets to the issue of ensuring that they really have identified what their system inventory is and that they are going through and they have a process in place that allows them to certify and accredit these systems, which really then gets the discipline in place for you to really evaluate as you go forward.
REP. PUTNAM: I'm looking back to my opening statement. Only five agencies have completed reliable inventories. That's correct, right? And we've been doing this for four years.
MS. EVANS: Yes, sir.
REP. PUTNAM: And so you're saying that your budget guidance language tells them what they need to do to get right. But did anything actually happen? I mean, if only five have done it, the other 19 are saying, well, we're in pretty good company.
MS. EVANS: Are you asking what specific actions we have taken since the budget guidance has been issued to the agencies?
REP. PUTNAM: I guess I'm asking if there's been anything other than guidance?
MS. EVANS: Oh, sure. I mean, as part of that guidance process and as we go forward in this we've outlined previously there are tools that are available to us at OMB such as the portion in a fund which-the budget guidance is very clear. When a budget guidance goes out and we tell the agencies, you can't fund new development dollars in this area because they've been categorized as new development dollars, that's just not us saying you can't spend it. It's the OMB budgeting arm that is working with us that there is a process that we have in place within OMB that doesn't allow those dollars to be released to the agency. So dollars are not moving out and so we have these plans and we feel comfortable that the agencies are really looking at this.
And to get to your issue about inventory, we really believe that it is tied to the management of the portfolio as well as investment. You really have to know what you have to be able to come forward with a good business case to say, for example, I have a modernization plan. Here is my architecture. Here is my "as is" architecture, here's the (TV ?). Do our efforts on the architecture as well as managing the portfolio and the business cases, this will really make the agencies really have a good process in place that really will identify the inventory so that we can say there's so many servers, there's so many of these, there's so many of those. This is the cost that it will take to upgrade that and here is the benefit associated with that.
So we think through the combination of all these management practices it will get to the heart of the issue of what do we own, you know, how are we going to secure it, how are we moving forward with the modernization plan? And we believe that the federal enterprise architecture and the architecture efforts of the agencies really lend to that and really are assisting the agencies to be able to put all that discipline in place.
REP. PUTNAM: Can you tell me how many dollars and how many specific modernization or development requests have been apportioned pending the successful completion of a reliable inventory?
MS. EVANS: Well, I have gone back based on the previous hearing-and if you haven't gotten this answer I can give it to you now. There is $9.97 billion associated with office automation, telecommunications and infrastructure. That's total, so that includes development and steady state dollars. We are working with each agency. I can take that back and find out specifically if we can release that information to you. But we have apportioned agencies. We really would like to work with the agencies in a positive way to be able to move forward, and not necessarily single out one agency over another. I think it's pretty obvious, based on your scorecard of going through, what agencies we're really working with very closely. As well as agency IG reports and the FISMA report itself you can see the variance in the systems and you can see how the statistics are, that you know pretty much what agencies we're working with.
REP. PUTNAM: It just seems to me that the new dollars for upgrades to systems and purchase of new systems and development would just come to a screeching halt if you really had to be compliant with FISMA before you got anything new?
MS. EVANS: Well, it would depend on what your plan is also going forward. Some of the systems-and if you look at the technologies that are outlined in the GAO report that they're releasing today, some of those do require a certain technodule-technic-technology-whoa boy, sorry-solution there, which will require a purchase. But it may not necessarily be the same purchase that you were intending to do, for example, for a business systems upgrade.
You may then say, okay, I'm the assistant secretary in charge of this particular office. I have a huge program that really has a risk that is being imposed over here on all the rest of the assets within the department and I'm the one who doesn't have a good plan in place. You know, I haven't certified and accredited my system. I'm not the one-you know, I'm the one who is holding the department back. So then the CIO, with their technical staff, would talk with that and work with that assistant secretary, but they would make those decisions based on the priorities of where they want to be.
And so if it's a choice between upgrading a financial management system where we're saying, this is what you have to do, they put a plan in place in order to execute what we're saying they have to do. It's to their advantage to do it in the most cost effective way because if they really need that financial system upgraded, which I'm just using as an example here, then they would do this in an expeditious way so that they could still use those development dollars.
REP. PUTNAM: Well, I think that you're making progress generally across the board. You've got an 80 percent goal to integrate security in new investments and you're up to 78 percent. I mean, that's pretty good stuff. That's kind of hard to argue with. But it's also hard to get around the fact that only five agencies know what they own. And everybody is held accountable for their inventory. I mean, even in a little old congressional office you can't get rid of a VCR that's 12- years-old without taking it off your inventory and all this kind of stuff.
And it just seems like it's a basic-a very, very basic thing that these agencies ought to be able to get their arms around and then be able to say, well, we have 15 systems-or 15 desktops that are unaccounted for and they're, you know, on average 13-years-old. They probably got thrown out a long time ago. I mean, it's probably a safe bet that they're unaccountable because they were thrown out. If it's a secure computer at the Department of Energy it might be a different issue. But just knowing what you have seems to be, to me, the basic criteria before you can do any of the other stuff. I mean, you can't secure what you don't know you have, you can't certify or accredit what you don't know you have. And it just seems like-you know, above and beyond the scorecard and the grades and the Fs and the As and all that, the fact that only five agencies really know what they own is very troubling.
MS. EVANS: And I would say that I agree with you, sir, in that we're working and continue to work with the agencies and we believe that some of the programs that we've moved forward on, things such as Smart Buy and those types of initiatives, through several of these processes will get the agencies really focused on asset management, software management, inventory control, those types of things. Technology continues to evolve and many times if we make it very onerous that work can't get done, people have a tendency to bypass that security as well. And, you know, there are a lot of technologies out there that make use of wireless technology so that they can put their own network in place because the CIO becomes so oppressive that they can't get their work done. So it's a balance of being able to go forward and having good security, but also, as you said, to have good inventory control and have good business processes in place so that we're totally accountable for our dollars.
REP. PUTNAM: You said in your testimony as well that it is important that FISMA reporting instructions mature. What do you mean by that?
MS. EVANS: Well, and I would-pretty much you hit the issue on the head. It is that we are going through a process right now where we have matters where the agencies are self-reporting. And so when we say, well, we have a goal of 80 percent of the systems being certified and accredited and then we have a percentage of -- 52 percent of the systems being certified and accredited, it's really what is the validity of that number because the basic premise of the inventory is faulted.
But we also believe that because of the reporting that we have and the oversight, and this is three years going into the fourth year, that we can now, because the baseline is there, really start dealing with more mature aspects like the quality of verification and accreditation. You know, what can we do to help the agencies get good inventory control and process, so that we can then say what is the system and have a clearer definition of what is the system so that when I put an inventory control process in place, I can give you a clear answer and then you can compare for sure agency to agency, system to system, inventory to inventory.
REP. PUTNAM: But you don't necessarily recommend legislative changes to the FISMA reporting requirements?
MS. EVANS: I would say at this particular point, based on what we have, that is correct.
REP. PUTNAM: You also say that the independent evaluations by the IGs are indispensable, and I would agree with that. What do we do about the IGs who don't report, which is something that we found here, or those who reported late, some of them almost three months late? And the situation where IGs are commenting or evaluating on an entirely different subsection than what the agency is reporting on. Is that something that is problematic to OMB? It was problematic for us in preparing our scores.
MS. EVANS: We are working with the IGs. There is an IG Council similar to the CIO Council, which my boss Clay Johnson also is the chair of. We have started meetings with the IGs to actually deal with a lot of those types of issues about resolving what are the differences in the interpretation of the way that certain things are written in there, so that when you get a report again how an IG is evaluating it, it would be consistent. And it gets back to the same issues of their interpretation of the metric and the agency's interpretation of the reporting as well. Those meetings have begun. We are working to get their input into this process so that when we issue the FISMA guidance for this year, we hope to bring clarity to those issues so that there will be more level, so to speak, between the IGs.
REP. PUTNAM: That would be very helpful.
Mr. Dacey, what are your thoughts on that discrepancy between the IG reports and the agency reports? Has GAO made any recommendations on how we can improve the audit process?
MR. DACEY: Well, there are a couple of things I think that need to be considered moving forward. And I would agree too that the measures need to evolve-I'm not saying the measures that are here, but additional information perhaps is a better way to describe it, that may be helpful to interpret the progress of agencies in information security.
When FISMA was set up I think an important part of that was to have the IGs as an integral part of the process for a couple of reasons. First of all, I think they provide a valuable independent check on the security of the systems. In other words, if we're looking at a system as we do-GAO, when we look at systems we may identify vulnerabilities and the first question we ask is, well, have these been picked up by the agency's C&A process, if there was a C&A done? Have they been picked up in the planned actions and milestones, and things of that nature? And if we find they haven't then we know something is broken and something isn't working right. Kind of definitive proof that at the end of the day the process wasn't working. So I think that's an important role.
The role that I think needs to evolve, though, is to get the IGs more involved in looking at the processes by which the agencies develop these numbers and the way they report them. I think if they do that and there is a process that's relatively reliable in bringing those numbers forward-and I focus on that too because oftentimes the numbers aren't available until the very end, so auditing the numbers themselves may be a challenge. But I think the IGs can look at the process and match that up again when they're doing their audits. If they're auditing a system and it hasn't been C&A'ed properly but yet the agency is counting it in their C&A tally, then that's a problem. So I think you need to work to keep that going but, again, kind of increase the IGs' role to look at the processes and match that up against what they're finding in the individual systems that they do audit.
REP. PUTNAM: Ms. Evans, there's an article in today's Washington Post where a federal judge has ordered the Interior Department to shut down most employees' Internet access and some of the public websites, quote, "after concluding that the agency has failed to fix computer security problems that threaten millions of dollars owed to Native Americans," close quote. I understand that this is an ongoing issue, but if you would like to comment on it, I'd like to give you that opportunity.
MS. EVANS: Well, my only comment would be is that Interior, just like any other department, that we continue to work with them to assist them in addressing what their cyber security issues are through our processes, like the President's Management Agenda, the scorecard, as well as the budget process that we just recently talked about and that guidance.
REP. PUTNAM: What did Interior get? What is their score, their grade?
MS. EVANS: They're an F?
MR. : An F.
MS. EVANS: An F.
REP. PUTNAM: An F. Is there any other department that-I mean, when we talk about computer security sometimes we get off in the weeds and it almost becomes an academic discussion.
I mean, I've never heard of a judge ordering somebody to disconnect from the Web. Has that ever happened before, Mr. Dacey?
MR. DACEY: This is actually the third time for Interior, I believe, that an order has been issued by the court. That's the only one I'm familiar with at a federal agency where there's actually been a court involvement in the process.