REP. PUTNAM: So it's so bad that three times a judge has ordered them to disconnect?
MR. DACEY: Not speaking to an individual case, but there is a legal case in dispute and the judge, in ruling on that and protecting the liability of certain data that related to the Indian Affairs, said that they're concerned about people being able to get in. In fact, I believe in the first floor round when they were removed, the court had hired an ethical hacking group to participate and they in fact had broken into their systems, and I believe it was reported they created fictitious accounts in the Indian Affairs systems. And that became the concern, that they needed to protect access from outside into this data and this financial information related to that.
I would note that Interior, though, even on the measures that are in OMB's scorecard pretty much consistently, except for one area, was below the average of other federal agencies and, as you said, got an F in their grade. So there is a challenge there I think in information security.
REP. PUTNAM: I'd say so. Mr. Dacey, you mention in your report the CIOs don't control mission systems, and I believe I read in Ms. Evans' testimony that in fact 65 percent of IT is mission related activities. I thought FISMA put CIOs in the position of responsibility for all agency systems. Could you clarify that?
MR. DACEY: I guess-I think our reference was actually to what OMB had said, so I'll let Ms. Evans take care of that. But at the same time I think it's important to note that-and I don't have an exact count, but one of the challenges is also making sure that authority goes with that responsibility. I know increasing numbers of agencies have clearly given their CIOs the authority to enforce security standards throughout the agency. I don't have numbers, but I do believe that some do not have that authority. In fact, I know when we've been doing some of these audits we found that in fact the CIO at the agency didn't always have control over what the individual bureaus did, which could endanger security of the entire agency if not properly controlled. So I think that's one aspect. But, again, Ms. Evans might want to talk more about the specific numbers.
MS. EVANS: Do you want to understand how it worked, or --
REP. PUTNAM: Are CIOs responsible for the mission related activities or not?
MS. EVANS: They're responsible from a strategic standpoint and from a corporate standpoint, which means that when an agency is divided off or a department is divided off and has the auspices within it, you get the guidance from headquarters so to speak, and so the CIO is responsible for formulating what is that overall guidance, what is that policy to ensure the cyber security going forward for that department?
When the program office-and in this case we're talking agency senior officials. When they send their investment plans for it and they have an operational aspect of what they're doing within their program offices, they have to adhere to those policies and guidelines. And then the CIO, if they have an operational aspect, can assure that they're conforming to the policy. Sometimes some CIOs only have a policy aspect. If they have a policy aspect then they're involved through the budget process to ensure all of these other things that we're talking about, that the investment has adequate cyber security based into its lifecycle, that they do have plans that are in place that continue to, you know, measure what is going on within their program offices. So they do it from a corporate perspective.
If they have an operational perspective, that's an additional authority because normally what they do is they control infrastructure as well as, you know, telecommunications, all those types of things. So they control the big network. So they can put policies in place that say, if you don't meet this certain threshold of security or if you are not certified and accredited, you cannot hook up to departmental resources. And that's usually where most program offices need to go in order to be able to go out to get onto the Internet, to be able to reach, you know, big financial management types of systems, H.R. systems. And so the CIOs do have the authority to be able to do that if they manage the corporate assets.
REP. PUTNAM: Have you had an opportunity to read the GAO report that they released today, Ms. Evans?
MS. EVANS: Well, we were glancing at it today.
REP. PUTNAM: The breakdown of all the different information security measures and their taxonomic chart is pretty darn good. You came from Energy and from Justice as a CIO. You understand the challenges both from your current level and from the agencies' level perspective. And we're going to photocopy two portions of that GAO report. We're going to take the blue binder off, because with a blue binder nobody is going to read it. So we've got to really kind of break it down into the easy to understand T-charts that Mr. Dacey put together.
If you were going to send it to somebody in the agency to bring about change, who would you send it to? The CIOs already know that stuff. I mean, they could have written it. So who-I mean, when you're talking about something that's kind of an easy to use, easy to read user's guide, who would you send it to to really have an impact on behavior and understanding of what we're talking about in making systems more secure?
MS. EVANS: In this particular case, if I put it in easy to read T-charts off of here, we work-the initiative owners through the President's Management Agenda work very closely with the President's Management Council. So I would send it out through the President's Management Council, say, "Here's a guide of here's what you need to look at as technologies are coming up," because the CIO advises that person as the chief operating officer of the agency. Most times it's the deputy secretary of the department that participates in the President's Management Council.
REP. PUTNAM: And that's the person who also makes the decisions about what budget request to send to you about whether we're going to buy this system or that system, and we're going to have a firewall or a VPN? Or who --
MS. EVANS: They review-deputy secretaries review the budget as they come up. Most agencies have hearings in the summer based on the guidance that goes out, and the key officers, just like a CIO, have input into how the program office is put together, how the budget is put together, recommendations. And so if there are issues-say, for example, based on my days at Energy, if there were issues with a specific program officer we felt really wasn't, you know, pulling their weight as far as cyber security was concerned, when these reviews would occur the deputy secretary would get key questions to ask that assistant secretary during the review.
You know, one question could be, "How well are you working with your CIO?" You know, "Do you have everything in place?" You know, "Are you ensuring that cyber security is being adequately addressed within your program office?" And so something like this, if it was dealing with investment decisions, and these would be key points, those would be like key questions that you would ask them so that they could ask to ensure that their portfolio, when it comes forward, meets those criteria.
REP. PUTNAM: Thank you.
Mr. Wu, FISMA maybe made NIST responsible for issuing a fair amount of guidance, guidance that is essential to securing the information systems in the federal government. Could you comment on the-and you did somewhat in your opening statement. Could you elaborate on the resources that are necessary to provide that guidance?
MR. WU: Well, certainly at Department of Commerce and also at NIST there is an understanding of the importance of NIST's role in implementing FISMA and how the technical standards are developed, created and the key role NIST plays as a lynchpin, as a first domino in a sense, for FISMA to be implemented very effectively.
And so there is a priority placed within the Computer Security Division and within our Information Technology Laboratory to make sure that we meet all the mandates and requirements of FISMA.
The challenge is-I alluded to in my testimony and Bob referenced in his, is that at least for this fiscal year NIST did not receive the president's budget request for '04. Congress was unable to provide that. And as a consequence, there is a fear that we may not be able to move forward in some of the research that will be required for some of the more emerging technologies.
For example, as we focus on a very real and immediate near term need for guidance under FISMA, we're not keeping up with the rapid advances in technologies like RFIDs, or radio frequency identification devices, which is a very key component to some of these emerging technologies for communications that, unfortunately, under our funding situation we may not be able to put resources in there for-certainly for '04 we had to delay it for '05, depending on how the congressional appropriations may look.
So there is a fear and a concern within the laboratory within the department that we may not be able to be as aggressive as we'd like to be in our efforts on research. But in terms of meeting the FISMA responsibilities, NIST is committed to doing that.
REP. PUTNAM: And the guide that you're creating for FISMA I would imagine is pretty helpful guidance outside the government as well. Does NIST have an ability or a system to allow people to download that guide or to have access to that guide, to request it, so that there can be a wider distribution?
MR. WU: Well, information dissemination is critical to make sure that the work that NIST does is brought out to the federal agencies, as well as to the private sector. But it does have a cost as well. We hope to work very closely with OMB as well as with NTIS, which is also part of the Department of Commerce, for information dissemination so that we can have the information placed in as many hands as possible. And also NIST will, of course, make it available on its website.
REP. PUTNAM: FISMA also requires agencies to develop policies governing configuration, so if someone sets up a server they know what security controls they'd have to set. And NIST has developed that guide as well. What is the status of that?
MR. WU: I don't-I'm not quite sure which-are you referring to a specific publication or a specific-or a publication number? But we can clearly provide that for you.
REP. PUTNAM: Thank you.
MR. WU: But, as I said, right now NIST has met its timeliness requirements for its publications, and we look forward to completing those either in-right now they're available in a public draft, or available in terms of full report.
REP. PUTNAM: Ms. Evans, is there a, for lack of a better term, a rapid response team of professionals who can move into a situation like this Department of the Interior issue and work to resolve it on an emergency type basis in recognizing in addition to a terribly embarrassing-it has cost people money and defrauded the government and everything else. The fact that it happened three times, what's OMB's role in a situation like that?
MS. EVANS: Well, each agency is responsible for having a computer assistance type team, incident response team. However, through the new work that is going on now over at DHS-my office works very closely with DHS, especially in the area of implementation of the national cybersecurity strategy and so, with working with the particular office over there under IAIP and working with these groups, there are several resources that they put in place that work very closely in conjunction with the CIO Council. So in a particular situation like this, we could make recommendations as well as DHS could make recommendations of getting specific assistance through the resources that are available at DHS.
MR. WU: Mr. Chairman, if I may. I was just handed some information. As Ms. Evans mentioned about DHS, we both have been working with DHS and regarding your question about comprehensive security checks working benchmarks, DHS has been partnering with NIST in this regard and we will be able to maintain a web-based portal with the checklist and we hope to have that available in FY 2005 and years after as well.
REP. PUTNAM: Very good.
Mr. Dacey, would you comment on the 2003 FISMA report, the areas that strike you as being the most important improvement, the most important efficiencies and your evaluation of the progress overall?
MR. DACEY: I think, in my oral statement, I raised some of the concerns. I know there has been progress. We've seen evidence of that through increases in the measures but we've also seen that through looking at a whole series of audits that have taken place both in respect to financial audits and other audits that the IGs have performed and GAO has performed. So there are improvements. I would itemize an heightened awareness as well-continued heightened awareness by agencies for a couple of reasons: (a) we are not going away. This is an annual event. In fact, now four of them are reporting to OMB. I think that's an important issue. So there is a recognition that things are going to be watched and of course, the involvement of this committee is an important element in that as well.
In terms of the areas that are concerns, I guess, or some of the areas of concern would be trying to make sure that some of these percentages keep increasing and the pace of that is a good question. How that pace can increase, I can't tell you but certainly, they have been improving over the years but the areas that are concerns most in my mind will be the certification and accreditation and the control testing because that's where you're going to identify whether there are additional weaknesses and vulnerabilities in your system if that's done correctly. I wouldn't say most important but certainly a key because that may unveil additional weaknesses that need to be addressed that have not been identified yet.
In terms of the contingency planning, I spoke about that in my statement as well. That's a critical area and we have again less than half of the agencies with tested plans. And NASA actually has had quite a bit of success in their reporting of that measure. If you exclude NASA, I think it's around 38 percent, 40 percent of agencies that have tested plans. The rest is federal government. So I think that's an important area because, as we have increased exposure to viruses, worms and other kinds of malicious attacks, you really need a contingency plan in place because I'm not sure you can anticipate everything that might happen to your system, particularly when we're getting to a time when it's conceivable that an attack could be launched before vulnerabilities are notified and identified in the public and patches even made available.
And that is definitely a trend. So I think that's another area of importance. Some of the agencies are literally, I think, at zero percent on their contingency plan testing and some are very low. So I think those are some areas that kind of jump out in my mind when I look at the FISMA reports.
Again, in the progress area, I think it's important to keep having OMB managing and monitoring the process, Congress involved, the IGs involved. There are a lot of players. I think the other key area would be to have agencies make sure they have the processes in place to manage this on an ongoing basis. Two or three years ago, I'm not sure anybody really had a whole lot of processes in place when we had the first GISRA report. It was extremely ad hoc reporting that was coming in to the agencies and they were reporting it all together, and Karen can speak to that, how it was at Energy.
But it was not a pretty process and as time has gone on, some of the agencies have developed more routine processes to get that information to manage it day-to-day, not just for FISMA reporting purposes or GISRA but actually to use it from a management standpoint. I think that's going to be a critical role in changing this whole dynamic and moving to a more sustainable progress because --
REP. PUTNAM: That has been one of the complaints, that agencies and their CIOs, in preparing their report, they are only just trying to meet the requirements of FISMA and they are not actually improving their role in information security. And I suppose that gets to your earlier point, Ms. Evans, about the next level which is making them more meaningful and more mature as you put on the requirements.
Did you want to add anything in terms of your evaluation of the scores on progress, efficiencies, thoughts?
MS. EVANS: Well, again, I would just like to say that we are making progress. I mean, we couldn't even give you-even though we don't have a real good solid way of doing the inventory, we couldn't even give you these numbers previously. We would be debating on what is the system and how to move forward. So I think the government has made huge progress and although we are looking at these reports, I think you can also demonstrate, based on the results, that the government is moving forward and that is our ability to repel attacks as they are coming about and to deal with those as viruses are occurring.
Two or three years ago, when you looked at what we were doing when Code Red came out and Melissa, many of the agencies' systems went down. They were all finding out that they hadn't had contingency plans and everything else. But now with the viruses that appear to be coming out sometimes hourly, the agencies are being able to sustain their business and being able to go forward because these processes are in place. They are looking at things that may not be the best. There is a lot more that we can do but we have made progress.
REP. PUTNAM: Am I overemphasizing the inventory issue? I mean, in terms of the big scheme of things and government information security, am I too hung up on that? In terms of the priorities, of the problems that are out there?
MR. DACEY: I don't think you are too hung up on it. There are several reasons. First of all, I mean, because it can affect some of the measures because the denominator is going to change particularly when DOD's numbers come into play. It will change dramatically. But the issue is how to manage the systems. I think there are a lot of cascading effects.
I know when we started looking at some of the patch management practices, one of the challenges in doing that was even identifying the systems they had so they could figure out, well, does this patch applies to me? A lot of agencies defaulted to system administrators individually having to try to deal with that and I know we had the issue with PADC and tried to put up something at a federal level to help agencies at least notify them.
But the lack of a real complete inventory was a challenge because we have several agencies that said we want PADC for every system administrator because otherwise we don't know what to put at the top, what all our systems are and you're going to have to deal directly with them. But also it affects configuration management. I don't know how you manage your configuration if you don't know what all your pieces are.
There's a lot of additional cost and cascading effects. So, no, I don't think it is a light issue. I think it's a serious issue. Again, maybe only because it relates to these other areas, it really can't be performed well or efficiently without it.
REP. PUTNAM: There are a lot of ifs. How much difference is there within the F category? Are there some that are on the way out of the F category? I mean, are all the Fs grouped together or are there some that are just off the chart bad? Like Interior. I mean three judges' orders to shut down the Internet is pretty-I would think, would be about as bad as it gets. Maybe it really is worse, I don't know. I don't know the answer.
MR. DACEY: I mean, one thing that we're also trying to look at in the analysis of information was across the seven performance measures that are detailed in OMB's report is our agency is doing relative to the average for those measures. How are they doing? And we found there were-let's see, one, two, three, four-seven agencies that were below in all seven measures or at least one measure, maybe one measure was above six below. So there are some agencies where there is a pretty consistent below average score across those measures and I think that carries into some of the other things that are fitted in your grades as well.
At the same time, there are people at the top level too that are consistently-you have eight agencies that are above average in all categories or but one. So you've got a lot of players at both ends and then you got a whole bunch of agencies in the middle. So I think it is a mixed story and even within some agencies, they might have several above and several below. So it's not an even kind of process for bringing them up necessarily.
REP. PUTNAM: How many-in that lower category, how many below average grading did the Department of Defense have?
MR. DACEY: The Department of Defense, based on the information I have, exceeded the average in five of the seven categories.
REP. PUTNAM: But still exceeded NIST?
MR. DACEY: Yeah. There is a general correlation between the seven measures against the average and the grades. There are few anomalies because the grades the subcommittee gave included a consideration of a variety of other FISMA indicators that weren't part of these seven factors. So there are some. But in general, they tended to be in the same relative range.
REP. PUTNAM: And DOD was allowed to report on a subsection of their system. Correct?
MR. DACEY: That's correct.
REP. PUTNAM: Is any other agency given that consideration?
MR. DACEY: Other than the stipulation that a lot of agencies don't have complete inventories, which is obviously a problem.
REP. PUTNAM: (Cross talk.) All but five are reporting on a portion of their system.
MR. DACEY: They are the only agency that has reported or acknowledged that they are only reporting on a subset of their full systems. I think they have three or four thousand systems in --
REP. PUTNAM: And next year, they will be required to report on all.
MR. DACEY: I'll defer to Ms. Evans. That's what was in her report.
MS. EVANS: Right. And on the scorecard-going forward on the scorecard which we're referring back to, they are required to in order to be able to move. If they want to move to green like all agencies, they are required to report on all and we're holding to that criteria.
REP. PUTNAM: But, I mean, other than not being a green in the president's management report?
MS. EVANS: Well, you have to look at this. This is still a management issue. These are highly competitive folks and this gets back into-you know, when the scorecard gets published and it's just like this scorecard here. I mean, nobody wants to be in that and so you're either going to rationalize why you're doing badly or you just are going to improve your processes overall and move forward. The whole purpose of the president's management agenda is to achieve results and the president is very committed to that and this administration is very committed to that.
This is a piece of that agenda and so we are committed to achieving the results and the results are to ensure that we have a good cybersecurity pass for going forward. So that's how we intend to hold the agencies accountable.
REP. PUTNAM: Well, I hope you're right.
MR. WU: Mr. Chairman, at the Department of Commerce, we, as Ms. Evans has indicated, are striving to try to reach green and it is a federal process. Secretary Evans has made that a priority and I suspect all the other secretaries have as well. We haven't quite reached it yet but we are making strides and we do want to do that. There is a commitment to do that and we are following the guidance of OMB and Ms. Evans.
REP. PUTNAM: Well, I hope NIST got a good score.
MR. WU: Well, NIST is part of the Department of Commerce.
REP. PUTNAM: It's not Commerce yet. I don't have it in front of me.
MS. EVANS: (Inaudible.)
MR. WU: No, I think we did well. I also talked to our inspector general.
REP. PUTNAM: We got to see.
MR. WU: I'll talk to Tony Fraser (ph) and see how much better --
REP. PUTNAM: C for Commerce. (Laughs.) All right. Any other comments from our first panel before we move into the second half of the hearing? I want to thank all of you for your participation and your ongoing efforts to improve this. It's a long hard struggle and I know most of you have been in it for a whole longer than I have and I tip my hat to you and I wish you the best as we continue to move forward and we certainly offer the resources and the ability of this subcommittee to help you help them do a better job. Thank you very much and we will stand in recess for a couple of minutes till we can set up the second panel.
(Recess.) REP. PUTNAM: The subcommittee will reconvene. We've seated panel two. As is the custom with this subcommittee and the full committee, I'd ask the witnesses and anyone accompanying them who will be providing information to please rise and raise your right hand. Do you solemnly swear the testimony you will give before this subcommittee will be the truth, the whole truth and nothing but the truth, so help you God?
WITNESSES: I do.
REP. PUTNAM: Let the record note that all four witnesses responded in the affirmative. We've had a request from the NRC to use a photographer. Since they're one of only two who got an A, they can have whatever they want. Come get a picture of this big smile. We'll begin our testimony.
First witness is Paul Corts. Paul R. Corts was sworn in as assistant attorney general for Administration in November of 2002. Prior to entering government service, he served as president of Palm Beach Atlantic University for 11 and a half years. He also served as president of Wingate University in North Carolina and has held administrative and teaching positions at Oklahoma Baptist University and Western Kentucky University. As assistant attorney general for Administration, Dr. Corts oversees the department's Justice Management Division and is the chief financial officer. Welcome to the subcommittee. You're recognized for five minutes.
MR. PAUL CORTS: Mr. Chairman, I appreciate the opportunity to appear before you today to discuss the department's efforts in the areas of information technology security and the actions underway within the department to institutionalize the daily management of information security risks and to implement the requirements of FISMA. And I want to commend you and the committee for your past and current efforts to shine the spotlight on federal agencies' security performance.
I certainly want to emphasize that the Department of Justice embraces the importance of IT security. Our senior management is committed to protecting the department's IT assets from the tax and vulnerabilities. And we've clearly identified responsibility for IT security with the CIO. IT is key to the department's success in meeting our strategic goals. We place a very high value on the availability and the integrity of the information in our systems, along with confidentiality and privacy concerns, and the nature of our work in Justice requires a highly robust security for our IT.
As reported in the OMB Security Act report for '03, we reported 253 IT systems, 24 programs, 35 contractor operations and facilities. All of our programs in 206 systems were reviewed in accordance with FISMA guidance, provided by OMB and NIST. The department incorporates IT security requirements in all of our contracts, and we perform security reviews on half of the contract operations and facilities during the fiscal year. In addition, over 90 percent of our IT systems have been assessed for risks, and over 80 percent have been fully certified and credited to date.
In the past, the department operated in an extremely decentralized fashion, and that really contributed to IT and the computing environment being highly fragmented. This is a major concern with our inspector general during the past years, and since we joined the department it is a concern that the CIO and I share. Furthermore, we are fully aware of your concerns with our progress in information security and we take these very seriously as well.
Since I arrived at Justice 16 months ago, the department has taken a number of actions that not only reflect the commitment of senior management to correcting past deficiencies, but also establish a solid foundation for sustained future progress, and many of the IG's recommendations have been accomplished or initiatives are underway that will provide for improved performance in the coming year. Through the IG's leadership and vision, I think we've come a long way toward a more centrally coordinated department, and NIST has made a lot of progress and a very positive impact on our IT efforts.
Specifically, we've clarified our CIO position in term of the Clinger-Cohen Act responsibilities. We've implemented a web-based computer security awareness training tool. We've train 77 percent of our employees so far on that, with the goal of 95 by summer. Implemented a computer emergency response team. Integrated IT security with a capital investment process. Some other actions that are underway to remedy deficiencies. The department's senior management team is committed to ensuring that these activities are underway, and we've got the planned to correct both past efficiencies and be sure that we integrate these into an institutionalized kind of environment.
We've reorganized the office of the CIO and named a chief information security officer. We've developed a department-wide IT security program. We've established IT security program goals. We have approved a policy for 17 information security standards, charted an IT security council and six project teams, integrated IT security with enterprise architecture and investment management process, developed system risk assessment and a test plan tool, provided for CIO collaboration in review of component corrective action plan, continued development of a public key infrastructure capability, continued development of a unified financial management system throughout the department, provided resources to assist components in assessing their systems, implemented a monthly report card, which you see here, this is the age of the report card, so we've come up with a report card, a sample there that is done on a monthly basis to let the individual components know how they're doing in the area of IT security.
So the accomplishments and initiatives we have underway address many of the IG's recommendations and will provide for improved performance in the coming year. We've acknowledged a need to do more. It's a matter of continuous improvement that we are committed to, while at the same time we're working to reduce risks associated with our IT assets. And I want to thank you and the committee for the focus that you're giving to this, and we pledge to you our cooperation and support.
REP. PUTNAM: Thank you very much, Mr. Corts.
The next witness is Jeffrey Rush, Jr. Mr. Rush was sworn in as the inspector general for the Department of the Treasury in July of 1999. Prior to that, he served as the inspector general at the U.S. Agency for International Development and as the acting inspector general of the Peace Corps. Mr. Rush also served for 23 years in the U.S. Department of Agriculture. Welcome to the subcommittee. You're recognized for five minutes.
MR. JEFFREY RUSH, JR.: Thank you, Mr. Chairman. In your letter of February 26, you asked me to address three points in my statement: one, a summary of the state of information security at Treasury. Two, the methodology used to audit Treasury and the resources available to my office. And finally, the circumstances that led to the delay in our reporting of results under FISMA.
First, although we have been reporting on serious information security weaknesses since 1998, I will limit my testimony only to the work done in the last three years. Our reporting in Fiscal Years 2001 and 2001 was under the Government Information Security Reform Act, GISRA. This most recent job was done under FISMA. All three assessments, as well as management's own assessment have identified serious deficiencies in information security throughout the department.
Let me summarize just what we consider the important deficiencies to be.
First, most of the systems have not been certified or accredited. Second, Treasury has been unable to provide an accurate inventory year-to-year of systems to be certified and accredited. Third, Treasury's plans of action and milestones for fixing serious security weaknesses are not complete and are inconsistent. Four, Treasury does not fully comply with the reporting of security incidences. Fifth, Treasury did not use the National Institute of Standards and Technology guidance for all of its programs. Sixth, interdependencies and relationships of critical operation have not been fully identified. And finally, Treasury has not provided sufficient information technology and security training for the majority of its employees.
Second, in conducting our FY 2003 evaluation of Treasury's information security program and practices, we followed the guidance issued by the Office of Management and Budget on August 6th, 2003. I've attached a copy of that guidance to the statement. The guidance prescribed a set of questions to be answered by both agency management and by the Offices of Inspectors General. In this regard, OIGs work to evaluate our representative sample of all of the types of agency systems.
One area that was to be emphasized this year in OIG's assessment was against specific criteria which the agency developed, implemented or was managing in agency-wide plans of action and milestones process. The plans of action and milestones process is key to effective remediation of IT security weaknesses and instrumental for the agency to get green under the expanding e-government scorecard of the president's management agenda.
Finally, as background for the reason for our delay in FISMA reporting, through March 2003 we divested approximately 70 percent of our staff to the Department of Homeland Security Office of Inspector General, pursuant to the Homeland Security Act. Our audit staff was reduced from 165 to 62 during the last six months of the fiscal year. Our annual audit plan had to be completely revised, as divestiture and subsequent attrition reduced our IT audit group from 14 to five.
With our much reduced staffing, we determined we could not complete FISMA on schedule and sustain an accelerated audit of the department's FY 2003 financial statements. In consultation with the department and the Office of Management and Budget, priority was given to the audit of the department's FY 2003 Performance and Accountability Report, and we committed to issue the FISMA report within 30 days of that day. And accordingly, the financial statement audit was completed on an accelerated basis on November 14 of 2003, and we issued our FISMA report on December 15 of 2003.
But let me stop and make clear to you-I probably owe you an apology. If not, I will give you one anyway. As early as July of 2003, apparently everyone but this committee was informed of the decision to concentrate on completing the accelerated financial statement, clearly putting FISMA at a second priority, thus the late report that was due in September.
Considering our current staffing levels and looking forward, we have not been able to and do not anticipate being able to hire additional IT auditors in the near future. Thus we plan to contract for the FISMA evaluation for the non-national security systems for Fiscal Year 2004. We will perform the FY 2004 FISMA evaluation for Treasury's national security systems with our own staff. That concludes my statement.
REP. PUTNAM: Thank you very much, Mr. Rush.
The next witness is Ellis Merschoff. Mr. Merschoff is the chief information officer of the Nuclear Regulatory Commission. Prior to serving as CIO, Mr. Merschoff was the director of the Western Region for the NRC. He has worked at NRC in various capacities since leaving the United States Navy in 1980. He was awarded the presidential distinguished executive award in 2000, and is a licensed professional engineer. Welcome to the subcommittee. You're recognized for five minutes.
MR. ELLIS W. MERSCHOFF: Thank you, Mr. Chairman. I appreciate this opportunity to testify with regard to the activities of the U.S. Nuclear Regulatory Commission as they relate to the Federal Information Security Management Act.
The mission of the NRC is to regulate the nation's civilian use of byproduct, source, and special nuclear material to ensure protection of public health and safety to promote the common defense and security and to protect the environment. Our headquarters is located in Rockville, Maryland, with regional offices located in Pennsylvania, Georgia, Illinois and Texas. We have a technical training center located in Tennessee and resident inspector sites located at 70 nuclear power plants and fuel cycle facilities around the country.
Although I've been the NRC's chief information officer for only nine months, I've been with the NRC, as you stated, for 24 years. Of those 24 years, I was an NRC line manager for 18 years, and served as a regional administrator for six years. I understand the operational and business needs of the NRC, which allows me to contribute a perspective that enables the agency to effectively apply information technology to meet the business needs of the NRC, while achieving the appropriate level of computer security for the agency.
As an agency we have 4,000 interconnected computers that exchange approximately 100,000 e-mail messages and receive another 40,000 e- mail messages from the Internet every day. On a daily basis, we experience 500 attempts at reconnaissance of our system, strip out 3000 suspicious e-mail attachments, identify 100 attempts at denial of service attacks, and isolate 10 virus occurrences. The NRC has identified all major operational applications and support systems, each of which has been certified and accredited. Outstanding findings from risk assessments and other evaluations are entered into a tracking system, monitored and closed out when resolved. We review the security controls for each of these systems on an annual basis, using the self-assessment process provided by NIST, and benefit from a strong working relationship with NRC's office of the inspector general.
The NRC emphasis computer security awareness at all levels in the organization, from senior management to the individual employee of contract. We require that each employee take an annual computer security awareness course, which is available online to ensure accessibility at the employee's desktop. The NRC holds an annual observance of International Computer Security Awareness Day, which has grown in participation over the past 10 years. In November 2003, close to half of our headquarters' population attended this event.
Like all federal agencies, the NRC must contend with viruses and other malicious software. We download new virus definitions to our desktops and deploy relevant security patches as soon as testing ensure compatibility with the NRC's mission-related software. The NRC also utilizes announcements to notify staff about viruses, hoaxes, spam and scams that might affect our staff. Ask Cyber Tyger is a regular column in the NRC's newsletter that seeks to answer employees' computer security questions. Our computer security staff created Cyber Tyger about eight years ago to act as a spokesman and a logo character to convey our computer security message.
The NRC is the only federal agency with a comprehensive electronic document management system, known as ADAMS, for which the agency received the Archivist of the United States Achievement Award. ADAMS supports the creation, storage, retrieval and management of documents and records related to the NRC's core business function. The system stores the agency's record copy in electronic form for efficient transfer to the National Archives & Records Administration. Users can search for, view the image of, and print documents at their workstations, regardless of geographic location. ADAMS software identifies and authenticates users and applies access controls to ensure that each document is viewed or modified only by appropriate individuals.
In summary, the NRC operations with offices across the nation. We take computer security requirements very seriously and work towards a seamless integration of computer security in our day-to-day operations. The NRC's computer security challenge has continued to evolve, and we continue to revise our program to address these new requirements. I appreciate the opportunity to appear before you today and would be pleased to answer any questions you may have.
REP. PUTNAM: Thank you very much, Mr. Merschoff.
Our fourth witness for the second panel is Kerry Weems. Mr. Weems is in his 23rd year of federal employment, 21 of those being at the Department of Health and Human Services.
In 1998, Mr. Weems left the Social Security Administration and began work for the Budget Office in the Office of the Secretary, Department of Health and Human Services. Since then he has served in a variety of capacities, ranging from senior analyst, to branch chief and division director. In June of 20002, he became deputy assistant secretary for Budget, and since January of 2003, has served as acting assistant secretary for Budget, Technology and Finance. You're recognized for five minutes. Welcome to the subcommittee.
MR. KERRY WEEMS: Thank you, Mr. Chairman. It's a pleasure to be here and thank you for inviting me today. Today I'd like to describe to you the extensive efforts HHS has undertaken to improve the security posture of our agency and to comply with federal legislative and regulatory directives.
In its most recent FISMA report, HHS reported 222 systems, 13 programs and 77 contractor operations and facilities, all of which require information technology protection. I'd first like to summarize the current state of information technology security within HHS, and the actions underway to address identified weaknesses and improvements that are currently underway. I'm pleased to report that improvements are being made in the management of information security at HHS. We've built a solid foundation policy and procedures for IT security operations and management, including a series of supporting guides to assist personnel throughout HHS in understanding and implementing security policies and guidance.
These policies and guides form a common baseline for standard IT security throughout the department, which our operating divisions can exceed if their business operations require stronger protections. Updates were also made on previous policies to meet new guidance from OMB, specifically in the areas of privacy impact assessment, plan of actions and milestones, security performance measures and metrics, security program reviews, and self-assessment. Additional updates were made to address newly emergent technologies.
In addition to these efforts, the secretary launched Secure One HHS, a comprehensive program that blends targeted IT security technical support and assistance with managerial and operational changes designed to improve the methods and practices of all personnel with IT security responsibilities throughout the department. This program provides the framework for adequately securing our information systems. In fulfilling this initiative, HHS has demonstrated its commitment to protect the health and welfare of the American public.
Key focus areas of Secure One HHS currently include critical infrastructure protection, system and program level security development, FISMA compliance, which includes numerous sub-components, such as certification and accreditation, incorporation of plans of action and milestones as a management tool. In less than a year, HHS has made major progress in employing an extensive security program and increasing the level of security throughout HHS. It has taken decisive steps to remediate the weaknesses identified in the FISMA report, drafted a new policy and issued new guidance considering integration of security into the system development lifecycle. We've linked IT security with capital budgeting by improving and integrating IT security elements into the Exhibit 53 and 300 submissions required by OMB. We've augmented our procedures for the IT Investment Review Board to ensure that IT security is addressed before new investments are made. We have implemented a streamlined yet very intensive support structure that provides our operating division with automated tools that improve and centralize data collection and reporting FISMA plans of action milestones.
HHS has also licensed an automated NIST self-assessment tool to standardize and facilitate the department-wide utilization of NIST guidance. These tools are supplemented by extensive support and monthly plans of action and milestone review meetings with the Information Security Officer of each operating division. HHS has also drafted guidance concerning security certification and accreditation and developed remediation plans for ensuring certification and accreditation of all appropriate systems.
C&A compliance has increased in the last six months and is well on its way to exceeding the goal of 90 percent. As of today -- 90 percent by June 30th of this year-as of today, we have achieved nearly 60 percent with a goal of 70 percent for the end of this month. The systems that have not completed C&A, each system has a specific remediation plan targeting their path towards certification.
Recently, security remediation plans have been expanded to track privacy impact assessments as well as linkages between system security and capital planning relationship. The chief information security officer has conducted reviews of the training and awareness policies and practices currently in place and issued guidance regarding the management of mandatory annual use of security awareness training.
Lastly, HHS is developing a departmental Security Operations Center that will significantly improve our incident response capabilities and institutionalize a more rigorous defense against malicious hackers and other threats.
Thank you. That ends my testimony.
REP. PUTNAM: If you have a wrap-up statement, you're welcome to make it.
MR. WEEMS: Okay. I'll be happy to do that. We've made significant progress toward implementing IT security programs. We recognize that a program and a strategy calls for the institutionalization of sound IT security practices that are essential to the safeguarding of information entrusted to HHS by the citizens of the country. We remain committed to this role as we continue to implement the Secure One HHS program. Thank you.
REP. PUTNAM: I thank you for your sensitivity to the little red light. Some people keep right on going.
MR. WEEMS: Mr. Chairman, I've sat behind many secretaries who've had to watch the red light.
REP. PUTNAM: It could be intimidating. When I was in the state legislature, I had to testify before my first subcommittee and it freaked me out when it went yellow, much less red.
Mr. Merschoff, you're the teacher's pet of the panel. Your agency received an A. So we're given you all the first questions and then we're going to let you off the hook, I guess. Relative to some of the other agencies and department, the NRC is relatively small. How much of your success was determined by your size and how much of your success is scaleable in that it could be equally replicated in a large organization?
MR. MERSCHOFF: I'd say size is a function of the timeliness of accomplishment and not the accomplishment itself. We are a full scope agency. We develop new IT applications. The item that I discussed is the first in terms of an electronic records management system. We're developing another one for an electronic courtroom for the high level waste hearing. So what we do is difficult but being smaller allows to proceed at a pace that's easier to maintain than in a large agency. In terms of scaleable, I believe it probably is