Testimony of Mark A. Forman

STATEMENT OF
MARK A. FORMAN
ASSOCIATE DIRECTOR FOR ELECTRONIC GOVERNMENT
AND INFORMATION TECHNOLOGY
OFFICE OF MANAGEMENT AND BUDGET
BEFORE THE
COMMITTEE ON GOVERNMENT REFORM
SUBCOMMITTEE ON TECHNOLOGY, INFORMATION POLICY, INTERGOVERNMENTAL RELATIONS, AND THE CENSUS
U.S. HOUSE OF REPRESENTATIVES

April 8, 2003

Good morning, Mr. Chairman and Members of the Committee. Thank you for inviting me to discuss the status of the Federal government’s IT security. Through the requirements of the Government Information Security Reform Act (GISRA) and now the recently enacted Federal Information Security Management Act (FISMA), Federal agencies, OMB, the Congress, and the General Accounting Office (GAO) are able for the first time to clearly understand the Federal government’s IT security strengths and weaknesses. For the purposes of today’s hearing, I will provide the Committee with an update on both the government-wide progress realized in fiscal year (FY) 2002, and areas of continuing concern as well as the next steps OMB is undertaking with agencies to continue IT security performance gains.

I also wanted to inform you of a noteworthy E-government milestone. The March 17th Nielsen//NetRatings report which found that more than one-third of all Internet users visited a Federal government site in February. This finding is a clear indicator of the Federal government’s commitment to maximizing the Internet to communicate with and provide services to Americans. The challenge that the Committee highlights at today’s hearing is ensuring that the information and services are also appropriately secure.

As you know, GISRA has been instrumental in guiding Federal agencies toward greater IT security performance. Through GISRA and accompanying OMB guidance we have established a clear process to ensure effective management of IT security, sound implementation and evaluation of programs, procedures, and controls, along with appropriate and timely remediation of IT security weaknesses. OMB oversees and enforces these requirements through traditional management and budget processes discussed later in my testimony.

Government Information Security Reform

GISRA brought together existing IT security requirements in previous legislation, namely the Computer Security Act of 1987, the Paperwork Reduction Act of 1995, and the Information Technology Reform Act of 1996 (Clinger-Cohen), improving upon these existing requirements. Additionally, GISRA enacted in statute existing OMB IT security policies found in OMB Circular A-130 on IT management and OMB budget guidance in Circular A-11. As a result, GISRA both integrated and reinforced long-standing IT security requirements. GISRA also introduced new review and reporting requirements and defined a critical role for agency Inspectors General (IGs) to play in independently evaluating agency IT security. Agency Chief Information Officers (CIOs) and program officials are responsible for conducting annual IT security reviews of their programs and the systems that support their programs. Agency IGs must perform annual independent evaluations of the agency’s IT security program and a subset of agency systems. The results of these reviews and evaluations are reported annually to OMB and are the basis of OMB’s annual report to Congress.

In July 2002, OMB provided instructions for Federal agencies’ reporting the results of their annual reviews and evaluations. Agencies’ FY 2001 reports established a baseline of agency IT security status. The FY 2001 and FY 2002 reporting instructions are nearly identical and are closely aligned with the requirements listed in GISRA. Additionally, as part of the FY 2002 guidance, OMB, working with the agencies, took steps to provide the Congress and GAO with additional information from agency POA&Ms. As a result, the combination of the GISRA reporting requirements, OMB’s reporting instructions, and agency plans of action and milestones (POA&Ms) have resulted in a substantial improvement of the accuracy and depth of information provided to Congress relating to IT security. In addition to IG evaluations, agencies are now providing the Congress with data from agency POA&Ms and agency performance against uniform measures.

 

Measuring Performance

The most significant difference in the FY 2002 reporting guidance compared to the FY 2001 was the introduction of government-wide IT security performance measures. Consistent with GAO’s findings, measures were incorporated within the existing instructions, requiring agencies and IGs in some instances to report the results of their reviews against the measures. Through these performance measures, the Federal government has a clear picture for the first time of IT security status and progress. From agency responses, areas of progress as well as areas of problems are evident. As a result, the FY 2002 reports clearly identify Federal agency’s FY 2002 status and identify both progress made from their FY 2001 benchmark as well as new and remaining weaknesses.

I am pleased to report to you today that the Federal government has made substantial improvements in securing its information and information systems. OMB’s annual report to Congress will provide more details but I would like to provide you with some examples of progress. For example:

  • In FY 2001, only 40% of Federal systems had up-to-date system security plans. In FY 2002, that percentage increased to 61%.

  • Similarly, the number of Federal systems certified and accredited increased from 27% in FY 2001 to 47% in FY 2002.

Table 1 below provides additional information on the Federal government’s progress and is a subset of what we expect to include in the annual OMB report.

Table 1. FY 2002 Government-wide IT Security Performance

Total Number of Systems Percentage of systems assessed for risk and assigned a level of risk Percentage of systems that have an up-to-date IT security plan Percentage of systems authorized for processing following certification & accrediation Percentage of systems with a contingency plan
FY01
FY02
FY01
FY02
FY01
FY02
FY01
FY02
FY01
FY02
7282
7957
44%
64%
40%
61%
27%
47%
30%
53%

While these measures reveal in some cases over 50% performance improvement from the FY 2001 baseline and confirm the value of the review and reporting process in place, they also identify the magnitude of work yet to be done. The Federal government is heading in the right direction but the numbers are still too low.

Agency GISRA reports and IT budget materials provide an update on IT security spending. Federal agencies plan to spend $4.25B in FY 2003 on IT security, roughly 7% of the Federal government’s overall IT budget, and a 57% increase from the $2.7B identified in FY 2002. As FY 2002 was the first budget year in which IT security costs were reported, this increase is largely attributed to improved reporting as well as a general increase in IT security. From the FY 2004 IT budget materials, agencies plan to spend $4.7B on IT security or 8% of the Federal government’s overall IT budget of $59B, representing an 11% increase from FY 2003.

The FY 2002 GISRA reports also identify a number of other positive outcomes: 1) More Departments are exercising greater oversight over their bureaus; 2) At many agencies, program officials, CIOs, and IGs are engaged and working together; 3) IGs have greatly expanded their work beyond financial systems and related programs and their efforts have proved invaluable to the process; and 4) More agencies are using their POA&Ms as authoritative management tools to ensure that program and system level IT security weaknesses, once identified, are tracked and corrected.

Six Common Government-wide IT Security Weaknesses From FY 2001

In the FY 2001 summary report to Congress, OMB identified six common government-wide weaknesses based on our review of agency and IG reports. A year later, progress is clearly evident across these six areas and while additional efforts are still warranted, the Federal government is heading in the right direction.

1. Increasing agency senior management attention to IT security. At the end of each fiscal year, agency heads now submit the security program review to OMB. The conditional approval or disapproval of agency IT security programs is directly communicated between the OMB Director and each agency head. In addition, OMB used the President’s Management Agenda Scorecard to focus attention on serious IT security weaknesses. Through the scorecard, OMB and senior agency officials monitor agency progress on a quarterly basis. As a result, senior executives at most agencies are paying greater attention to IT security.

2. Development of IT security performance measures. The absence of government-wide IT security performance measures was addressed in the FY 2002 reporting instructions. These high-level management performance measures assist agencies in evaluating their IT security status and the performance of officials charged with implementing specific IT security requirements. Agencies reported the results of their security evaluations and their progress implementing their corrective action plans according to these performance measures. These measures are mandatory and help to ensure that accountability follows authority.

3. Improving security education and awareness. Through the Administration’s “GoLearn” e-government initiative on establishing and delivering electronic training, IT security courses were available to all Federal agencies in late 2002. Initial courses are targeted to CIOs and program managers, with additional courses to be added for IT security managers, and the general workforce. Additionally, NIST has developed and issued for review guidance to agencies on building an IT security awareness and training program.

4. Increasing integration of security into capital planning and investment control. OMB continues to aggressively address this issue through the budget process, to ensure that adequate security is incorporated directly into and funded over the life cycle of all systems and programs before funding is approved. Through this process agencies can demonstrate explicitly how much they are spending on security and associate that spending with a given level of performance. OMB also provided agencies guidance in determining IT security costs of their IT investments. As a result, Federal agencies will be far better equipped to determine what funding is necessary to achieve improved IT security performance.

Agencies have made improvements in integrating security into new IT investments. However, significant problems remain in regards to ensuring security of legacy systems.

5. Working toward ensuring that contractor services are adequately secure. Through the Administration's Committee on Executive Branch Information Systems Security of the President’s Critical Infrastructure Protection Board, an issue group was created to review this problem and develop recommendations for its resolution, to include addressing how security is handled in contracts themselves. This issue is currently under review by the Federal Acquisition Regulatory Council to develop, for government-wide use a clause to ensure security is addressed as appropriate in contracts.

6. Improving process of detecting, reporting, and sharing information on vulnerabilities. Early response for the entire Federal community starts with detection of threats, vulnerabilities and attacks by individual agencies who report to incident response centers at the Department of Homeland Security (DHS), DOD, or elsewhere. While it is critical that agencies and their components report all incidents in a timely manner it is also essential that agencies actively install corrective patches for known vulnerabilities. To further assist agencies in doing so, the Federal Computer Incident Response Center (FedCIRC) awarded a contract on patch management. Through this work FedCIRC will be able to disseminate patches to all agencies more effectively. To date, 19 of the 24 Chief Financial Officer Act agencies have established patch authentication and distribution accounts. There are currently 176 active users in these agencies, and that number is increasing steadily as this new service continues to be implemented.

In addition, FedCIRC has implemented a 7X24 emergency notification process to rapidly alert agency CIOs to emerging cyber threats and critical vulnerabilities. CIOs are notified of specific actions needed to protect agency systems and agencies must then report to OMB on the implementation of the required countermeasures. The emergency notification and reporting process has been used three times since the beginning of the year – first for the Slammer Worm and then for the Sendmail and IIS vulnerabilities. As a result of these early alerts, agencies have been able to rapidly close vulnerabilities that otherwise might have been exploited. As FedCIRC and related organizations have moved to DHS, additional progress is being made on sharing information needed for Federal agencies to respond to vulnerabilities and cyber threats.

IT Security and E-government Initiatives

OMB’s work on Expanding E-Government under the President’s Management Agenda identifies IT security as a key issue. Two of the initiatives, E-Training and E-Authentication, provide significant opportunities for leveraging the Federal government’s resources to improve IT security. The benefits of the E-Training initiative were identified above. Through the E-Authentication e-government initiative, the Administration deployed and tested a prototype e-Authentication capability in September. Applications are in the process of being migrated to this service, which will allow for the sharing of credentials across government and allows for secure transactions, electronic signatures, and access controls across government. The full capability is expected in September 2003.

Improvements in Critical Infrastructure Protection and Federal Incident Response

Experts agree that it is virtually impossible to ensure perfect security of IT systems. Therefore in addition to constant vigilance on IT security we require agencies to maintain business continuity plans. OMB directed all large agencies to undertake a Project Matrix review to ensure appropriate continuity of operations planning in case of an event that would impact IT infrastructure. Project Matrix was initially developed by the Critical Infrastructure Assurance Office (CIAO) of the Department of Commerce. As you know the CIAO and its functions were transferred to DHS. A Matrix review identifies the critical assets within an agency, prioritizes them, and then identifies interrelationships with other agencies or the private sector.

Coordination of the Federal government’s cyber security and critical infrastructure protection efforts continues under the leadership of the new Homeland Security Council’s (HSC) Special Assistant to the President for Critical Infrastructure Protection, and the Assistant Secretary for Infrastructure Protection at DHS (who is responsible for cybersecurity coordination within DHS), in partnership with OMB. OMB works with the HSC and DHS, and all Federal agencies to ensure that through IT security policy and management and budget processes, our critical operations and assets are appropriately identified along with the resources necessary to secure them. We are also working with DHS to improve the Federal government’s response to cyber attacks, and vulnerabilities. The integration of FedCIRC, the National Infrastructure Protection Center (NIPC), and the CIAO under one Department, partnering with the Science and Technology directorate on research and development needs, presents an opportunity for the Administration to strengthen government-wide processes for intrusion detection and response through maximizing and leveraging the important resources of these previously separate offices.

Continuing Efforts to Improve IT Security

Budgeting for IT Security

All Federal systems require security. To identify the appropriate security controls, agencies must first assess the risks to their information and systems. Security must be incorporated into the life-cycle of every IT investment. As part of the IT business case (Form 300) for major systems, agencies report on that risk as well as their compliance with security requirements, i.e., development of security plans and certification and accreditation. Failure to appropriately incorporate security in new and existing IT investment automatically requires it be scored as “at-risk”. As a result, that system is not approved to proceed for the fiscal year in which the funds were requested until the security weaknesses are addressed. As of the submission of this report, there are approximately 700 systems in the FY 2004 budget, totaling nearly $19 billion, at-risk either solely or in part due to IT security weaknesses. Additionally, many agencies are not adequately prioritizing their IT investments and therefore are seeking funding to develop new systems while significant security weaknesses exist in their legacy systems. OMB will assist agencies in reprioritizing their resources through the budget process.

Government-wide IT Security Milestones

OMB set targeted milestones for improvement for some of the critical IT security weaknesses and included them in the President’s FY 2004 budget. Targets for improvement include:

  • More agencies must establish and maintain an agency-wide process for developing and implementing program and system level plans. Plans of action and milestones must serve as an agency’s authoritative management tool, to ensure that program and system level IT security weaknesses, once identified, are tracked and corrected. By the end of 2003, all agencies shall have an adequate process in place.

  • Many agencies find themselves faced with the same security weaknesses year after year. They lack system level security plans and certifications. Through the budget process, OMB will continue to assist agencies in prioritizing and reallocating funds to address these problems. By the end of 2003, 80 percent of Federal IT systems shall be certified and accredited.

  • While agencies have made improvements in integrating security into new IT investments, significant problems remain in ensuring security of new and in particular, legacy systems. By the end of 2003, 80 percent of the Federal Government’s FY 2004 major IT investments shall appropriately integrate security into the lifecycle of the investment.

Department-wide Plan of Action and Milestone Process

Clearly, the more reviews agencies and IGs conduct, the more weaknesses they will find. As a result agency and IG reports are identifying an increased number of IT security weaknesses. To ensure that appropriate and timely corrective actions are taken, OMB guidance directs Federal agencies to develop POA&Ms for every program and system where an IT security weakness has been found. POA&Ms must serve as an agency’s authoritative management tool, to ensure that program and system level IT security weaknesses, identified by the agency, IG, GAO, or OMB, are prioritized, tracked, and corrected. These plans must be developed, implemented, and managed by the agency official who owns the program or system (program official or CIO depending on the system) where the weakness was found. System-level POA&Ms must also be tied directly to the budget request for the system through the IT business case. This is an important step that ties the justification for IT security funds to the budget process.

Expanding E-Government under the President’s Management Agenda

To ensure successful remediation of security weaknesses throughout an agency, every agency must maintain a central process through the CIO’s office to monitor agency compliance. OMB’s draft FY 2003 guidance to agencies for reporting under FISMA will direct agency IGs to verify whether or not an agency has a process in place that meets criteria laid out in OMB guidance. OMB has and will continue to reinforce this policy through the budget process and the President’s Management Agenda Scorecard. An IG approved agency-wide POA&M process is one of a number of milestones necessary for agencies to improve their status on the Expanding E-Government Scorecard.

IT Security Performance Measures

OMB will also incorporate the performance measures I discussed earlier into the quarterly POA&M reporting, coinciding with the Scorecard assessment. Agencies will report each quarter on their progress, by bureau, against those measures.

Conclusion

GISRA has clearly had a tremendous impact on the state of Federal IT security. The framework and processes in law and OMB policy have reinforced the importance of management, implementation, evaluation, and remediation to achieving real IT security progress. Due to the significant work of Federal agencies and IGs, along with the Congress and GAO, we are able to point to real advancement in closing the Federal government’s IT security performance gaps. With all of that progress, we still have a long way to go to appropriately secure our information and systems. Many pervasive IT security weaknesses remain, leaving the Federal government with unacceptable risks. OMB will continue to work with agencies, Congress, and GAO to ensure that appropriate risk-based, and cost-effective IT security programs, policies, and procedures are in place to secure our operations and assets.