Senate Hearing, 111TH Congress - More Security, Less Waste: What Makes Sense For Our Federal Cyber Defense

This document summarizes a Senate hearing on improving federal cyber defense. It discusses how over $40 billion spent on cybersecurity under FISMA has not resulted in effective security protections. The certification and accreditation process costs $1.3 billion annually but produces paperwork that does little to enhance security. Witnesses at the hearing included a former Congressman, the Federal CIO, the GAO Director of IT Security Issues, and the State Department's CISO. They discussed ways to reduce waste and strengthen security, such as reforming the certification and accreditation process and improving oversight of agency cybersecurity spending.
Copyright
© Public Domain

S. Hrg. 111-662

MORE SECURITY, LESS WASTE: WHAT MAKES SENSE FOR OUR FEDERAL CYBER DEFENSE

HEARING
BEFORE THE
FEDERAL FINANCIAL MANAGEMENT, GOVERNMENT INFORMATION, FEDERAL SERVICES, AND INTERNATIONAL SECURITY SUBCOMMITTEE
OF THE
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
OF THE
ONE HUNDRED ELEVENTH CONGRESS
FIRST SESSION

OCTOBER 29, 2009

Available via http://www.gpoaccess.gov/congress/index.html

Printed for the use of the Committee on Homeland Security and Governmental Affairs

U.S. GOVERNMENT PRINTING OFFICE
53852 PDF
WASHINGTON : 2010

For sale by the Superintendent of Documents, U.S. Government Printing Office, http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].

VerDate Nov 24 2008 11:34 Oct 25, 2010 Jkt 053852 PO 00000 Frm 00001 Fmt 5011 Sfmt 5011 P:\DOCS\53852.TXT SAFFAIRS PsN: PAT

COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan
SUSAN M. COLLINS, Maine
DANIEL K. AKAKA, Hawaii
TOM COBURN, Oklahoma
THOMAS R. CARPER, Delaware
JOHN MCCAIN, Arizona
GEORGE V. VOINOVICH, Ohio
MARK PRYOR, Arkansas
JOHN ENSIGN, Nevada
MARY L. LANDRIEU, Louisiana
LINDSEY GRAHAM, South Carolina
CLAIRE MCCASKILL, Missouri
JON TESTER, Montana
ROBERT F. BENNETT, Utah
ROLAND W. BURRIS, Illinois
PAUL G. KIRK, JR., Massachusetts

MICHAEL L. ALEXANDER, Staff Director
BRANDON L. MILHORN, Minority Staff Director and Chief Counsel
TRINA DRIESSNACK TYRER, Chief Clerk

SUBCOMMITTEE ON FEDERAL FINANCIAL MANAGEMENT, GOVERNMENT INFORMATION, FEDERAL SERVICES, AND INTERNATIONAL SECURITY

THOMAS R. CARPER, Delaware, Chairman
CARL LEVIN, Michigan
JOHN MCCAIN, Arizona
TOM COBURN, Oklahoma
DANIEL K. AKAKA, Hawaii
GEORGE V. VOINOVICH, Ohio
MARK L. PRYOR, Arkansas
JOHN ENSIGN, Nevada
CLAIRE MCCASKILL, Missouri
ROLAND W. BURRIS, Illinois

JOHN KILVINGTON, Staff Director
ERIK HOPKINS, Professional Staff Member
BRYAN PARKER, Staff Director and General Counsel to the Minority
DEIRDRE G. ARMSTRONG, Chief Clerk


CONTENTS

Opening statement:
Senator Carper ......................................................................... 1
Prepared statements:
Senator Carper ......................................................................... 31
Senator McCain ......................................................................... 34

WITNESSES
THURSDAY, OCTOBER 29, 2009

Hon. Tom Davis, former U.S. Representative from the State of Virginia ......................................................................... 4
Vivek Kundra, Federal Chief Information Officer, Administrator for Electronic Government and Information Technology, U.S. Office of Management and Budget ......................................................................... 12
Gregory C. Wilshusen, Director, Information Technology Security Issues, U.S. Government Accountability Office ......................................................................... 14
John Streufert, Chief Information Security Officer, and Deputy Chief Information Officer for Information Security, Bureau of Information Resource Management, U.S. Department of State ......................................................................... 16

ALPHABETICAL LIST OF WITNESSES

Davis, Hon. Tom:
Testimony ......................................................................... 4
Prepared statement ......................................................................... 36
Kundra, Vivek:
Testimony ......................................................................... 12
Prepared statement ......................................................................... 39
Streufert, John:
Testimony ......................................................................... 16
Prepared statement ......................................................................... 51
Wilshusen, Gregory C.:
Testimony ......................................................................... 14
Prepared statement ......................................................................... 45

APPENDIX

Questions and responses for the Record from:
Mr. Kundra with attachments ......................................................................... 58
Mr. Wilshusen ......................................................................... 84
Mr. Streufert ......................................................................... 92
Charts (2) provided for the Record ......................................................................... 99


MORE SECURITY, LESS WASTE: WHAT MAKES SENSE FOR OUR FEDERAL CYBER DEFENSE

THURSDAY, OCTOBER 29, 2009

U.S. SENATE,
SUBCOMMITTEE ON FEDERAL FINANCIAL MANAGEMENT,
GOVERNMENT INFORMATION, FEDERAL SERVICES,
AND INTERNATIONAL SECURITY
OF THE COMMITTEE ON HOMELAND SECURITY
AND GOVERNMENTAL AFFAIRS,
Washington, DC.
The Subcommittee met, pursuant to notice, at 2:33 p.m., in room SD-342, Dirksen Senate Office Building, Hon. Thomas R. Carper, Chairman of the Subcommittee, presiding.
Present: Senator Carper.
OPENING STATEMENT OF SENATOR CARPER

Senator CARPER. Good afternoon, everyone, and especially good afternoon, Congressman Tom Davis, whose sister, niece, and nephews live in the State of Delaware. We are grateful to you for coming today and sharing with us your advice and counsel.
The issue du jour is cyber warfare. It isn't science fiction. It is reality. Over the past few years, we have heard alarming reports that criminals, hackers, even foreign nations have deeply penetrated our government's most sensitive networks, including the offices of some of us right here in Congress.
In fact, just last week, the Congressionally-established U.S.-China Economic and Security Review Commission reported that China is strategically developing offensive capabilities that could be used against us in a future military conflict. Further, there have been reports that some of the previously successful cyber attacks against agency networks may have left behind what is commonly known as a back door, essentially a technological means for the bad guys to get back into our networks without anyone ever knowing about it.
These vulnerabilities could be used against us by those who might want to do us harm by stealing sensitive information stored on our military networks or by shutting down critical networks just when we need them the most. Imagine the terrifying scenario of a hacker creating uncertainty as to the validity of the data residing on the Federal Aviation Administration's (FAA) air traffic control systems. That is exactly the kind of scenario I hope our hearing today prevents.
But the threat of a cyber attack isn't something new. In fact, in 2002, Congress passed what is known as the Federal Information Security Management Act (FISMA), to help prevent many of the problems that we are going to be discussing today. That legislation brought greater attention to the issue of cyber security and it helped to establish greater accountability within agencies. Overall, I think we would agree that it is a step in the right direction.
However, some 7 years after the passage of FISMA and approximately $40 billion later, I am troubled to learn that the Office of Management and Budget (OMB) does not track how much agencies spend on cyber security, nor does the agency measure those expenditures and whether those expenditures actually resulted in improved security. Even more troubling, agencies may be constrained from implementing the most basic cyber security best practice because of inflexible requirements.
Now, allow me to put this into perspective. Federal agencies have spent more on cyber security than the entire gross domestic product of North Korea, who some have speculated is maybe involved with some of those cyber attacks. That is unacceptable.
Some of the problems with FISMA implementation are a direct result of OMB's decisions over the years, while others are due to agency neglect. Still other problems lay at the feet of those of us here on Capitol Hill. In essence, there is blame enough to go around for all.
However, at today's hearing, we have an opportunity to discuss some concrete ways to correct some of those wrongs, and that is what we are going to do.
For example, one wasteful and ineffective area that OMB and agencies can target is what is known as the certification and accreditation process. The certification and accreditation process is essentially a process whereby agencies evaluate every 3 years what defense security protections are in place to prevent attacks on their systems. The process costs taxpayers about $1.3 billion, that is billion with a b, every year, and it produces a good deal of paperwork that ends up stored in binders in some clutter-filled rooms. In fact, those rooms look a lot like this one. In fact, that is one of them. There are, I think, others that look like it.
But we can see 3 years' worth of reports from the Department of State, just one department, which cost them a total of $38 million. These reports would be worth the price tag if the tactics that hackers used were as static as the words typed on a piece of paper. But hackers change how they attack us daily and their numbers, unfortunately, continue to grow.
And yet it seems like OMB thinks that a snapshot of agency preparedness every 3 years will somehow defend our critical networks. But instead, billions of dollars are spent every year on ineffective and useless reports, similar to the chart pictured here.1 Meanwhile, we continue to get attacked.
However, testifying today will be a representative from the Department of State on our second panel who saw an opportunity to spend his agency's cyber security budget more wisely. Instead of spending money on ineffective paper-based reports, the State Department decided to focus on developing a system that monitored their global networks on a continuing basis.

1 The chart referred to appears in the Appendix on page 99.
If you take a look at the second chart that has just been put up,1 we can see the results of the hard work at the Department of State. According to that Department, they were able to reduce the amount of risk to their agency by 90 percent in a single year. I am told that this was achieved by developing a system that makes sense, uses effective metrics, and holds people accountable. In essence, the Department of State can prove that they have better security at a fraction of the cost that they were previously paying.
So as we progress through this hearing, I would like our witnesses to keep in mind that moving to a model more like the one at the Department of State requires no new legislation, costs less than or the same as the current paperwork-laden method, and will better protect our country. That is the kind of cyber security that makes sense to me, and I suspect that is the kind of cyber security that would make sense to most people in this country.
In fact, my colleagues and I introduced a bill last session, and we have introduced it again this year, which would require all agencies to move to a proactive approach like the one that the Department of State has taken.
In addition to requiring continuous monitoring of security controls and putting a strengthened Chief Information Security Officer in each agency, our bill would enhance the role of the Department of Homeland Security in cyber security. The Department would share information with agencies on where cyber attacks have been successful so that they can better prioritize their security enhancements.
Further, our bill would require agencies to use their enormous purchasing power to persuade vendors to develop and sell more secure IT products and services in the first place.
Again, our thanks to each of our witnesses. We certainly look forward to what you have to say, share with us, and to responding to our questions.
We will be joined as the afternoon goes on by others on our Subcommittee, but rather than sit here waiting for them for hours, we are going to dive right in with our first panel. As I telegraphed earlier, we will receive our testimony from former Congressman Tom Davis, who represented, I think, a Congressional district in the Northern part of Virginia, a State where I grew up. His service in the U.S. House of Representatives. How many terms did you serve there?
Mr. DAVIS. Seven.
Senator CARPER. Seven terms. Did it seem like eight?
Mr. DAVIS. It seemed like 20 at the end. [Laughter.]
Senator CARPER. Congressman Davis was the principal author of a number of pieces of legislation, but he was also the principal author of the Federal Information Security Management Act of 2002, lovingly called FISMA, which is the subject that we are going to be discussing here today.
He also held numerous oversight hearings on the implementation of FISMA and is considered an expert on the issue. I would like for the record to show that my name and the word expert have almost never been used in the same sentence. [Laughter.]

1 The chart referred to appears in the Appendix on page 100.
We are pleased to have Mr. Davis with us, who is certainly an
expert on this issue and very knowledgeable about a bunch of other
things. It is a real pleasure to work with him. We are trying to
make some progress on, among other issues, figuring out a path
forward for the U.S. Postal Service.
But I understand that we will hear where you believe improvements can be made with the agency implementation and perhaps
with the language itself, so we thank you for your previous service
to our country and for your willingness to be of service again here
today.
You are recognized to proceed for the next half hour. No, I will ask you to keep it fairly close to 5 minutes, but if you run a little over that, it is not going to trouble anybody too much. So thanks so much for coming, and your entire statement will be made part of the record.

TESTIMONY OF HON. TOM DAVIS,1 FORMER U.S. REPRESENTATIVE FROM THE STATE OF VIRGINIA

Mr. DAVIS. Thank you, Chairman Carper. I really appreciate your efforts to improve information security and I am grateful for the opportunity to testify here today.
For 14 years, I represented the 11th District of Virginia, the
home of the Internet. I would note for the record that I retired
undefeated and unindicted.
Senator CARPER. That is quite an accomplishment. [Laughter.]
Mr. DAVIS. I was also honored to serve as a member of the House
Committee on Oversight and Government Reform, first as the
chairman of the District of Columbia Subcommittee, the least
sought after Subcommittee chairmanship in the House, then as
chairman of the Technology and Procurement Policy Subcommittee,
then 4 years as chairman and my last 2 years as the ranking member. My Congressional service coincided with the proliferation of
the Internet and the explosion of new capabilities that came along
for both the public and the private sector.
It was clear the revolution in interconnectivity had the potential
to fundamentally change governmental operations and service delivery. However, it also created a new form of vulnerability, one in
which traditional protections of geographic distance and physical
strength were irrelevant.
For these reasons, I made information technology management
and security a focus of my work in Congress. Federal agencies
needed to take this threat seriously and ensure proper procedures
and tools were in place to protect information systems. Similarly,
Congress needed a clear picture of the information security posture
of the Federal Government in order to conduct effective oversight.
FISMA, which I championed in 2000 and 2002 and which had
the concurrence from this Committee, was intended to help provide
such a framework. FISMA required Federal agencies under the direction of the Office of Management and Budget to create a comprehensive risk-based approach to information security management. It further requires annual IT security reviews, reporting, and
remediation planning at Federal agencies. These requirements were based on best practices, and in addition to safeguarding information were intended to make security management an integral part of an agency's operation.

1 The prepared statement of Mr. Davis appears in the Appendix on page 36.
At the time FISMA was enacted, no coordinated priority existed to address the threat of cyber attacks. Technology was evolving rapidly. Rather than taking a prescriptive approach, we believed agencies needed to walk before they could run, and putting procedures and protocols in place was an important first step in protecting government's critical infrastructure.
Since its enactment, FISMA has undoubtedly served to elevate the importance of information management and information security in government, and I am proud of the progress we have made. That said, there is room for updates and improvement, and your legislation, I think, is a very positive step in that direction. It is time to really take FISMA to the next level.
While I believe the requirements listed in FISMA would be components of any sound information security plan, the need at present is to operationalize its implementation. This would involve tools such as Red Team penetration tests. It would also require appropriate performance measures, such as the time between a penetration and detection, the time to deploy a security patch once it has been released, and the time to complete a root cause analysis when a security breach does occur. I am pleased your language references both penetration tests and performance measures.
Three other key ingredients: Responsibility, Authority, and Accountability.
Chief Information Security Officers (CISOs) may be responsible for overall information security planning, but they can't be just the bad men when things go wrong. Responsibility for an information security program permeates an organization, from the head of the agency to every employee. Most of the security breaches that have grabbed headlines in recent years aren't the result of some evil cyber genius but Federal employees failing to adhere to basic security protocols: a lost laptop, a stolen Blackberry, computers never returned when an employee leaves an agency. These can result in the personal information of untold thousands being put at risk.
CISOs might have to come up with the protocols, but the rank and file have to adhere to them. As Congress looks at information security issues, it might be wise to consider uniform procedures, training, and penalties to reduce theft, loss, or other adverse events. I might add, in the private sector, training is very critical in these areas and it is drummed into employees at every level.
Your language gives CISOs authority to develop, implement, and enforce security measures. That is important. There also have to be consequences, good and bad, for failures and successes. That is one aspect of the accountability component. The private sector provides some models. For example, the payment card industry mandates compliance with standards set by the PCI Security Standards Council. Failure to adhere to these standards results in a business losing the ability to conduct transactions with payment cards. Now, that exact example isn't going to fit the Federal system, but we need carrots and we need sticks that promote compliance and punish negligence.


Another aspect of accountability deals with funding. Federal Government spending has risen sharply in recent years, but to what end? We have to link performance in this specific instance, performance of information security products and services, with spending decisions. Simply asking for more or providing more isn't going to fix the problem, nor is it going to serve the interest of the American people.
In closing, I would like to reiterate my appreciation for the work you are doing on information security. The information age is indeed a strange new world in which a mischievous teenager could be just as dangerous as a terrorist organization or malevolent government. I am committed to helping however I can to make sure our Federal systems are up to the task and that our oversight mechanisms are commensurate to the need, and I think your legislation is a good step forward. Thank you.
Senator CARPER. Thank you very much, Congressman.
I don't know if you have ever done this, but one of the things I have done for a number of years as a new Senator here, whenever it is one of my colleagues' birthdays, I actually call them on the phone if we are not in session and just wish them a happy birthday, track them down wherever they are, around the country or really around the world. Those are calls that I enjoy, and I think my colleagues do. I do the same thing with members of my staff, former members of my staff and just family and friends.
I don't know if this is true, but it is in my briefing notes so it must be true. But I am told that today happens to be the birthday of the Internet, and I was thinking about maybe just sending an e-mail out and seeing how well it can get around and cover as much of the Internet as we could. [Laughter.]
But I understand that 40 years ago, I'm told, in 1969, the first message was sent out on the Internet, and I understand that the message also ended up crashing the Internet. [Laughter.]
So today's hearing is timely.
I would just ask, Congressman Davis, as one of the principal authors and Congressional overseers of the FISMA legislation, you know all too well that there have been some successes and some challenges since its adoption. For example, it seems that OMB has historically focused on agency compliance rather than on agency outcomes. And I must say, we are real good at focusing on process and compliance rather than outcomes.
Arne Duncan was just in Delaware, the Secretary of Education, and he spent a fair amount of time at the University of Delaware 2 days ago talking about the need for us in education to focus not on process, but on outcomes. It turns out that is not just in education, but it is in this regard, as well.
Could you take a few minutes maybe and explain to us where you think there are opportunities to improve agency cyber security? It seems like the sophistication of the attacks dramatically evolves every year. We just met with an agency head in the current Administration who shared with us just how many cyber attacks are occurring every day on his agency, on the agency that he leads. It is alarming. But this training has led to a huge increase in the number of reported breaches by agencies.


As you know, I have been trying to lead the effort to reform FISMA and really strengthen it to make it the legislation that I think you, as its principal author, hoped it would be so that agencies focus their limited resources on improving security rather than just producing the kind of paperwork that we see over here to my right.
Some of the improvements that we have been suggesting, such as continuous monitoring, seem like they make a lot of sense, and the best part of this idea is that it doesn't require a bill to be passed by Congress. However, the previous Administration didn't seem all that interested in making any changes to the current reporting structure, at least not during their final year. I think they just said, we will let the new folks take care of that.
So that is a big way of leading me to this question, and I would just ask, Congressman Davis, what are your thoughts on this idea, and are there other opportunities that either us on this Committee, Subcommittee, or the Administration should be looking into?
Mr. DAVIS. Well, thank you. That is a pretty broad range, but let me take a stab. Let me note first that in your second panel, you look at the State Department and what they have done. This is an agency that has paid careful attention to not just compliance, but also operationally what to do, and I think you are going to get some glimpse of some of the things that can be done across other agencies when they give it the appropriate attention.
You know, it is hard to legislate priorities. It has really got to come from the Executive Branch, because our managers have so many different things to do, so many boxes to check, that at the end of the day, they make everything a priority and nothing becomes a priority. And that is one of the difficulties. This legislation will help, but if an administration or an agency head doesn't buy into this, it is difficult to make it really as operational as we would like it. Anybody can check a box. That is not hard to do. But making this a priority, and you will hear in the next panel, I think, some good ideas on this.
You can't just involve the heads of the agencies or the CISOs, as I have noted before. You need to get a buy-in at all levels. This has to be part of what every employee does. It has to be drilled into them through training. They have to understand, anybody that deals with any entry point, any secure network, that they have to really be on top of that 24 hours a day.
A lot of our problems result from just plain negligence, people that didn't take this seriously. It wasn't drilled into them as part of their jobs. It means everybody has to be trained, that really, our whole systems are vulnerable at our weakest point, and our weakest point is any entry point, and frankly, any employee.
I like the certification process you talk about in this bill. I like the idea that using the purchasing power of the government to not just drive down costs, but you can get a congruity of products that way. One of the difficulties in government is we are so stovepiped. We have agencies even within agencies that aren't talking with each other. I think using that purchasing power, maybe allowing the Group 70 Schedule in GSA to be utilized by States and locals. Well, not just Group 70, the schedules for any cyber products to be included in that could be helpful in getting the same kind of products that everybody is using appropriately certified. There is just a lot of room here if we will make it a priority, and I think you have included some of those in the bill.
Finally, the carrots and sticks are tough in government. How do
you reward? How do you punish the people that arent doing this?
You can always do it through bonuses and you can do it through
promotions and those kind of things, but that has to come from
management. It has to come from a buy-in from the top.
And you are right. We banged our head in the previous Administration trying to take this to a different level and get their interest
in it. But what so often happens with administrations, they have
so many different things to do and different agency heads, that
without a lot of additional money, this doesnt become the priority.
They want to make sure that they are advancing their mission and
they will take a chance of a cyber attack hoping it doesnt occur on
their watch and spend the money in other areas.
Senator CARPER. I appreciate the kind words you have had to say
about the legislation we have reintroduced this year. If you were
on this side of the dais, where you sat for many years, and had an
opportunity to contribute to the legislation, to amend it, to make
better what we have introduced, any thoughts of what you would
do, or what you would have us do, to strengthen it further?
Mr. DAVIS. I alluded to one part in my testimony and that is the
fact that we are losing a lot of information and a lot of secure information just by employees and contractors mishandling this information, taking computers home. In the case of the Veterans Administration, the employee that took this home that had his computer stolen, it wasnt even encrypted. We have now changed that
through protocols.
But we are still... we have lost Census information, we have lost
hand-helds. We have people leaving with their computers from government and sensitive information and nobody has bothered to get
it back. I think writing that into law would be very helpful in
terms of those kind of protections and making sure that at least
we are not being careless about this. If we are going to get penetrated and hit, make them earn it. Dont make it easy. And I think
sometimes, as I said, any careless employee can lose confidential
information if it is not handled right. I think that ought to be written into this.
Senator CARPER. Alright. Thank you.
I suspect you have been following the current debate about
whether there ought to be a cyber coordinator, which is supposed
to help prioritizing and align agency efforts. As you know, FISMA
clearly gives the responsibility for coordinating the Federal Government's cyber security to OMB's Administrator for E-Government.
However, I am concerned that the people who work in that office
may not have the cyber security qualifications that are needed or
necessary to make sure that agencies are cost-effectively securing
their networks. In fact, I am even more troubled that OMB has
never asked, apparently, how much money they spend on cyber security.
What are your thoughts on the role of the E-Government office
in the larger cyber security discussion, and what do you believe


should be the role of that office in overseeing agency cyber security?


Mr. DAVIS. Well, you are going to hear from Vivek Kundra, who
is very able. He will have a perspective on that now, having come
to the Federal Government. He used to be with the Commonwealth
of Virginia, where he did an outstanding job. I am glad the Administration has recognized his capability. So he may have a little bit
different perspective.
But coming from the legislative perspective on this, I think you
are spot on. The E-Government is the head of that area. It may
not have expertise in this particular area. Even more important, I
think, is navigating the land mines of getting a consistency across
government in terms of how this is going to be implemented.
OMB, Homeland Security, I don't know how you want to pick
this. A Cyber Czar, though, or someone who has that particular expertise and can navigate this so the Administration can get everybody kind of marching to the same protocols, using the same systems, instead of having it so stovepiped and factionalized as it is
now, is just a very important part of solving this problem.
Senator CARPER. Alright. Thanks.
Let me just follow up on that with another question that relates
to this. I understand that you have been briefed on some of the
benefits that the State Department has been able to achieve with
their new system. I was just wondering if there were any risks associated with following that model. Sometimes, as a recovering governor, we used to say that what would work in Delaware may not
work in Virginia. It may not work in Missouri. It may work in
Texas, but it works in Delaware. But in some cases, there is one
model that will serve in a variety of different States, and in this
case, agencies. But I wonder if there are any risks with following
the model that they have pursued at the State Department? What
do you see are some
Mr. DAVIS. Well, I am not sure... first, I think State has done just
an outstanding job, and what they have done is they have paid attention. They have taken the legislation seriously and you have a
dedicated cadre up there at the top that have driven this.
What works at State may not work at Commerce. It may not
work in intelligence. I am not probably smart enough to know that.
But the one thing State has shown us is that when you get agency
officials that take this seriously, they can make a huge difference.
And, of course, State has been vulnerable to a number of attacks,
which I think has heightened their awareness of this. I hope it
doesnt take cyber attacks in some of these other agencies to get
them to up their awareness... but it is just a good model of how you
have people sitting around a room thinking about what are their
possible vulnerabilities and coming up with a program to combat
that.
Again, I dont know if I am qualified to talk about what would
work at different agencies and what the vulnerabilities are, but
that is just a good example. Their FISMA grade has been excellent,
not just because they checked the right boxes, but because they
have been operational in what they have done, as well.
Senator CARPER. OK. One of the things we are trying to encourage agencies to do more of is this notion of continuous monitoring,


rather than just taking a snapshot every 3 years, but to focus on


this and monitor every day. Are there any pitfalls with that that
come to mind?
Mr. DAVIS. Well, the one pitfall when you are not just monitoring
it but when you are testing these is you run into the Freedom of
Information Act (FOIA) situation. You don't want everybody to
know what your vulnerabilities are. I think you need to keep a cap
on that so that you can make the appropriate corrections.
The other thing I would add is there is a lot we can learn from
the private sector. The private sector has had to deal with these
issues even more than government, the banking system, in particular, with the kind of penetrations that they are getting, the hits
they are getting. Opening up that dialogue with the private sector
is important to understand what they have gone through and some
of the innovations that they have made. The difficulty comes in the
FOIA laws. It comes with antitrust. It comes from tort law and
their ability to share that information with us, and that is a dialogue, I think, that needs to continue. But they can be a part.
There is a lot of expertise out there in the private sector we want
to harness and bring into government.
Senator CARPER. Two more questions and I am all done. In the
Federal Information Security Management Act (FISMA) bill that
you helped to create, the Inspectors General are required, I believe
it is annually, to evaluate whether agencies are doing the kind of
security that they say they are doing in this regard. For example,
the Inspectors General use paperwork from the certification and accreditation process to evaluate whether agency security is really effective.
I understand that if all the agencies moved to an approach like
the one they have over at State, not much paperwork is going to
be produced. In fact, it seems to me that an Inspector General
could come at any time during the year, see whether the agency's
security is actually effective. I don't know if this is a question you
would be prepared to answer, but do you think that is true, and
what should be the role of the IGs in this?
Mr. DAVIS. Well, the IGs are independent. I mean, that is the
one reason that I think they are equipped to do this as opposed to
someone else who could be under the thumb of the agency. You
really want an independent to look at that. Now, the IGs operate
differently in different departments. They have different burdens
that they have to meet. But they bring an independence to this
which I think is critically important.
Senator CARPER. And finally, you served on the House Committee on Oversight and Government Reform for, I think you said,
maybe 14 years, as Chairman for 6 years, as Ranking Member for
another 2 years, and during that time, you and I were able to work
together to identify a couple of potentially wasteful practices in the
Federal Government, and I think in one or two cases, we actually
made some positive changes.
What do you see as the greatest opportunity for improving the
efficiency of cyber security spending in the Federal Government?
Mr. DAVIS. Well, I think contracting. All this really comes down
to contracting, and when it is done ad hoc in stovepipes by different
agencies, not sharing information, not building it together, you get


a lot of systems that, at the end of the day, some are better than
others. They don't talk to each other. It has to get coordinated.
One of the things I like about this bill is you use our purchasing
power together to drive those products and I think that will bring
it together much better than we have today. We spend a lot of
money. We don't always get what we want in government contracting across the board. But in this particular case, I think... I
like your concepts that you have in this bill, government using its
power. I think that will drive a congruity of products that is absolutely necessary in this case to get this solved.
Senator CARPER. Alright. Well, those are my questions. Some of
my colleagues who are waiting back in the anteroom until you
leave... no, they are not, but when some of my colleagues show up,
whether they show up or not, some of them are going to have some
questions that they would like to send along
Mr. DAVIS. You can always get them to me. We are happy to respond. You have a great second panel, as well, and thanks for allowing me to share my views.
Senator CARPER. It is great to see you. Thanks so much for your
previous service to our country, and not just for the folks in Virginia, but also in Delaware and the other 48 States.
Mr. DAVIS. Thank you.
Senator CARPER. Good luck. Take care.
The second panel is welcome to approach the table and take your
seats. Gentlemen, welcome. It is good to see you all, and thank you
for taking the time to be with us today.
I understand from Erik Hopkins, who has worked on this legislation for a couple of years now, that we have on a dolly up here
some of the paperwork that kind of flows from... is it just one agency? Not just from one agency, but from one system, is that right,
one system within one agency, their paperwork from their certification and accreditations. If that is just one system and one agency, I hate to think what would be the case for the whole government.
Be careful, Mr. Streufert. You are not going to have a place to
sit here very soon. Well, that gives us some idea. That is a fair
amount of paperwork. And again, that is one system and one agency. We wouldn't be able to see you guys... you probably wouldn't be
able to get in the room... if we had all of them gathered here today.
Let me make some introductions to kick off our second panel. We
are going to hear from Vivek Kundra, who was appointed Federal
Chief Information Officer of the United States by President Obama
in March of this year. We are glad to see you are still able to sit
up and take nourishment and to be here with us today. You look
none the worse for wear.
As Congressman Davis mentioned earlier, prior to his taking his
current position, Mr. Kundra served in Mayor Fenty's cabinet as
the Chief Technology Officer for the District of Columbia and in
Governor Kaine's cabinet as Assistant Secretary of Commerce and
Technology for the Commonwealth of Virginia. You are great to be
here and we appreciate your service and thank you for your presence.
Our next witness is no stranger before our Subcommittee. Mr.
Wilshusen. He is the Director of Information Security Issues at the

Government Accountability Office. We are told today by our chaplain, Chaplain Barry Black, Chaplain for the U.S. Senate, he said
the words that people most enjoy hearing in their lives is the sound
of their own name. Among the words that they least like to hear
are their own name mispronounced, so we will try to get your
names right. But I will say, none of your parents made this easy
for a guy like me. [Laughter.]
So please bear with me. But I am told you have over 28 years
of auditing, financial management, information systems experience
starting at the age of 12, and you have been at it for quite a while.
Before joining GAO in 1997, Mr. Wilshusen held a variety of public
and private sector positions, so we thank you for coming back
today.
Our last witness is John Streufert. Your name doesn't look like
Stroy-fert, but it is, isn't it? I bet it has been mispronounced once
or twice, hasn't it?
Mr. STREUFERT. Yes. Every day.
Senator CARPER. You are the Chief Information Security Officer
at the Department of State. You are like our hero here today, and
we are here to celebrate what you have done and to try to find out
if it is something we can replicate in other agencies.
I am told that since starting your current job, you have been recognized for outstanding leadership and improving cyber security at
both the Department of State and the U.S. Agency for International Development (USAID). In fact, Mr. Streufert was a recipient of the Distinguished Presidential Rank Award in 2004 for his
work at USAID, and I understand that you will show us once again
how we can improve cyber security, so good for you.
With that having been said, we will turn to Mr. Kundra as our
first witness and ask you to proceed. Your statements will be made
part of the record, so feel free to summarize as you wish. But you
are recognized. Thank you.
TESTIMONY OF VIVEK KUNDRA,1 FEDERAL CHIEF INFORMATION OFFICER, ADMINISTRATOR FOR ELECTRONIC GOVERNMENT AND INFORMATION TECHNOLOGY, U.S. OFFICE
OF MANAGEMENT AND BUDGET

Mr. KUNDRA. Good afternoon, Chairman Carper. Thank you for


the opportunity to testify on the Federal Information Security Management Act and information security posture of the U.S. Government.
Our Nation's security and economic prosperity depend on our digital infrastructure. The President's Cyberspace Policy Review stated that cyber security threats are some of the most significant economic and national security challenges of the 21st Century.
The groups of State and non-State actors that target U.S. citizens, businesses, and Federal agencies are growing exponentially.
Daily, there are millions of attempts to attack open ports and vulnerable applications across our government.
The Federal Government's current security posture does not adequately confront the real-time threat factors that we face on a daily
basis.
1 The prepared statement of Mr. Kundra appears in the Appendix on page 39.
Hiring challenges, a focus on compliance, and cumbersome reporting have inhibited effective cyber security management. The


Federal Information Security Management Act of 2002 raised
awareness across the Federal Government regarding information
security, yet significant progress is essential when it comes to execution.
To advance the Federal Government's security posture, the Administration is taking steps in key areas, such as human capital
management, performance management, cost analysis, and risk
management. For example, in the area of human capital management, we expedited the hiring authority for up to 1,000 cyber security professionals across the Department of Homeland Security.
This will enable DHS to recruit skilled cyber analysts, developers,
and engineers to secure our country by securing our Nation against
cyber attacks.
To enhance the performance monitoring, last week, we actually
launched CyberScope, an online platform for agencies to submit security information that will allow us to analyze and monitor the
Federal Governments security posture in a comprehensive manner.
Prior to 2009, it took three full-time employees to compile hundreds
of spreadsheets that were e-mailed to OMB by agencies in response
to FISMA reporting requirements. This laborious, unsecure process
inhibited insight into the security posture of the government. The
threats we face change daily, yet our legacy reporting processes
have been tied to manual, annual, and quarterly processes to
evaluate how secure we are.
The CyberScope platform will be leveraged to develop a cyber security dashboard that will unlock the value of agencies submissions when it comes to FISMA reporting and also the real-time posture across the Federal Government. Just as the IT dashboard took
us from a static, paper-based environment to a dynamic, digital environment, the new cyber security dashboard will provide the government with a real-time view of threats facing us and our
vulnerabilities.
For example, the State Department is supplementing its FISMA
reporting with a risk-scoring program that you alluded to that
scans every computer and server connected to its network at least
every 36 hours on multiple security factors. Rather than just conducting
certifications and accreditations every 3 years, continued monitoring must be the norm across the government.
To enable effective security cost analysis, we are asking agencies
for detailed security cost information for the first time. We recognize that the best security is baked into the systems and the architecture and investments that agencies are making. Therefore, we
see this as the beginning of the process of obtaining relevant data.
In the coming years, detailed cost data combined with performance-based metrics will allow OMB and agencies to effectively manage
and make informed decisions when it comes to risk.
To better manage risk, OMB has established a task force that
was launched last month to develop forward-leaning metrics and
making sure that those metrics are actually focused on outcomes
rather than process. To solicit the best ideas, we have reached out
across the Federal community as well as the private sector. OMB
plans to release the metrics for fiscal year 2010 along with a road
map of how we are going to move from a culture of compliance to

a culture of outcomes in the first quarter of 2010. What gets measured gets done.
The threats we face are numerous, evolving faster than our cyber
defenses, and they have the potential to do great harm to our cyber
infrastructure. From the launch of CyberScope to the hiring of up
to 1,000 new DHS cyber security experts, the Administration is
committed to strengthening our cyber defense. A secure, trusted
computing environment in the Federal Government is the responsibility of everyone involved, from agency heads to those charged
with oversight. It entails employees, contractors, and the American
people all working together.
This will not be easy, nor will it occur overnight. Our current actions represent important steps toward a strong cyber defense and
begin the shift from a culture of compliance to one focused on real
security to protect the digital infrastructure that is so vital to our
economic prosperity and national security.
Thank you for the opportunity to testify. I look forward to your
questions.
Senator CARPER. You bet. It is I who thank you.
Mr. Wilshusen, please proceed. Thank you, and welcome back.
TESTIMONY OF GREGORY C. WILSHUSEN,1 DIRECTOR, INFORMATION TECHNOLOGY SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

Mr. WILSHUSEN. Mr. Chairman, thank you for the opportunity to


participate in today's hearing on how agencies can establish cost-effective cyber defense.
FISMA, which was enacted in 2002, was intended to provide a
comprehensive framework for ensuring the effectiveness of security
controls over information resources that support Federal operations
and assets. It also requires agencies and OMB to annually report
on the adequacy and effectiveness of agency information security
programs and compliance with the provisions of the Act. To help
meet these requirements, OMB established a uniform set of information security measures that all Federal agencies report on annually.
Mr. Chairman, in light of questions about whether agencies are
measuring the right things in securing their systems, you requested that GAO examine how organizations develop and use
metrics to assess the performance and effectiveness of their information security activities. In a report being released today, we describe the key types and attributes of information security performance measures and the practices of leading organizations in developing and using them, and compare those measures and practices
with those used by 24 major Federal agencies and OMB.
Leading organizations and experts identified measures that generally fell into three major types: Compliance, control effectiveness,
and program impact. They stressed the importance of developing
and using different types of measures to ensure the measurement
process is comprehensive and useful in achieving their information
security goals.
1 The prepared statement of Mr. Wilshusen appears in the Appendix on page 45.
They also reported that all such measures generally have certain characteristics or attributes. These attributes include being measurable, meaningful, repeatable, and actionable.
Further, these organizations and experts indicated that the successful development of measures depends on adherence to a number of key practices, including focusing on risks, involving stakeholders, assigning accountability for measures, and linking them to
business goals.
Mr. Chairman, we have determined that Federal agencies have
not always followed these key practices. While agencies have developed measures that generally fall into each of the three major
types, on balance, they rely primarily on compliance measures,
which have a limited ability to gauge program effectiveness. Agencies stated that, for the most part, they predominantly collected
measures on compliance because they were focused on measures
associated with OMBs FISMA reporting requirements.
In addition, while most agencies have developed some measures
that include the four key attributes identified by leading organizations, these attributes were not always present in all agency measures. Further, agencies have not consistently followed key practices
in developing measures, such as focusing on risks.
Last, the measures established by OMB for FISMA reporting
purposes are primarily compliance-based. They focus on whether
control activity was implemented, not how well or how effectively
that control was implemented. Consequently, OMB's report to Congress provides limited information about the effectiveness of agencies' information security programs and the security posture of the
Federal Government.
In our report, we recommended that OMB provide direction and
guidance to agencies in developing and using measures that better
address the effectiveness of their information security programs.
We also recommended that OMB revise its annual FISMA reporting guidance to require reporting on a balanced set of performance
measures, including measures that focus on effectiveness of control
activities and program impact, and to revise its annual report to
Congress to better provide information on the effectiveness of agency security programs, the extent to which major risks are being addressed, and progress that has been made in improving the security posture of the Federal Government.
OMB has generally agreed with our recommendations. Implementing these recommendations will help to focus attention on activities that will enhance the effectiveness of security controls and
improve the cyber defense of Federal computer systems and information.
Mr. Chairman, this concludes my statement. I would be happy
to respond to any questions that you may have.
Senator CARPER. Good. Thank you so much. Mr. Streufert, you
are number four.

TESTIMONY OF JOHN STREUFERT,1 CHIEF INFORMATION SECURITY OFFICER AND DEPUTY CHIEF INFORMATION OFFICER FOR INFORMATION SECURITY, BUREAU OF INFORMATION RESOURCE MANAGEMENT, U.S. DEPARTMENT OF
STATE

Mr. STREUFERT. Good afternoon, Chairman Carper. I am pleased


to have this opportunity to testify before the Subcommittee regarding the Department of State's capabilities for securing its global information and technology infrastructure.
The Department serves as the diplomatic front line in over 270
overseas posts by serving its 70,000 users with the Worldwide Network and mission essential software applications. The foreign policy mission makes an inviting target for attack by highly-skilled
cyber adversaries. However, the Department's layered approach to
risk management allows multiple levels of protection.
In my role as the Chief Information Security Officer, I have become intimately familiar with the benefits, shortcomings, and
promising opportunities to build upon the current Federal Information Security Management Act of 2002. Our goal is to ensure system security for diplomacy while continuously improving the return
on investment for each dollar spent.
The passage of FISMA served as a game-changing event for the
Federal agency community. FISMA applies to all information used
on behalf of Federal departments and agencies on behalf of American citizens. It established a holistic information security program
and also the responsibility of accounting to oversight entities, including Congress. Together, these served as valuable checks in determining the health of an agency's information security program.
However, the Federal cyber landscape has changed in the past
5 years. The implementation of Federal cyber security has been
typically undertaken through manual processes and compliance
checks, like in conducting an annual inventory of systems, testing
security not less than annually, reporting quarterly on weaknesses
to OMB and performing certification and accreditation studies
every 3 years.
Our cyber problems, though, have dramatically escalated in severity and frequency. In a typical week, the Department of State
blocks 3.5 million spam e-mail and intercepts 4,500 viruses and detects over a million external probes to our network. Of that number, in the past 2 years, the percentage of malicious code attacks
recorded at the Department of State on trouble tickets has jumped
from 38 percent in the year ending August 2008 to 79 percent just
12 months later for that same period. The volatility of changes to
security-sensitive changes has been equally problematic.
Ongoing demands for certification and accreditation studies similar to this single system that I have shown the documentation for
here, amounted over 6 years to the expenditure of $133 million,
amassing a total of 50 shelf feet, or 95,000 pages for just the 150
major information systems that we were monitoring to this degree.
This does not include the databases for tracking system inventory
or tracking the plans of action and milestones to resolve the pending weaknesses. This equates to the cost of the CSA report, not including the related products, like the security plans, of roughly $1,400 per page.
1 The prepared statement of Mr. Streufert appears in the Appendix on page 51.
And indeed, if there is any particular problem with this, it is not
the content of the report, it is the fact that you could get a false
sense of security that these snapshots produce results on paper
that are extraordinarily accurate but out of date within days of
being published, in fact, perhaps out of date even in the time that
it took to print these 2,000 pages.
In contrast, this month, the Office of Management and Budget
launched CyberScope, a secure streamlined interactive data collection platform far more efficient in allowing and also allowing research and analysis across Federal agencies. The U.S. Chief Information Officer has similarly and in support of this formed an interagency task force charged with developing outcome-focused metrics
for information security performance by all Federal agencies and
departments, including the Department of State. Final metrics
based on this work are expected to be released later this fiscal
year.
For its part, the Department began supplementing its FISMA
compliance reports and studies with a risk scoring program that
scanned every computer and server connected to its network not
less than every 36 hours on eight factors and twice a month for
safe configurations with software. This risk scoring program utilizes best practices, such as the Consensus Audit Guidelines, which
was a collaborative effort between government and industry.
To assess the vulnerabilities, we use the Common Vulnerability
Scoring System of the National Institute of Standards and Technology and the Department of Homeland Security, where scanning
tools tag specific risks with point values between zero and 10, with
10 being the highest vulnerability. When the problem is resolved
in this method, risk points are deducted and a better score comes
to the technical team and organizations. This computation occurs
no matter where they are located across the world.
Since mid-July, overall risk on the Department's key unclassified
network, measured by the Risk Scoring Program, has been reduced
by 90 percent in overseas sites and 89 percent at domestic sites,
as the chart indicates.1 These methods have allowed one critical
piece of the Departments information security program to move
from snapshots in time to a program that scans for weaknesses
continually, identifies weak configurations each 15 days, recalculates the most important problems to fix in priority order on a
daily basis, and issues letter grades of A-plus through F monthly
to managers so that accountability for progress can be taken for
every organization as experience has indicated for them over the
past 30 days. The various score reports tabulate risk scores by region, compare progress overseas to our domestic sites, and create
enterprise-wide summaries for senior management.
In short, these details empower administrators with targeted
daily attention to conduct remediation and offer summaries to empower experts to our executives to oversee the most serious problems.
1 The chart referred to appears in the Appendix on page 100.
Mr. Chairman, I want to conclude by emphasizing that the Department's policies, technologies, business processes, and partnerships in place continue to evolve and continue to meet the challenges as the threats change in the cyberspace environment. I
thank you and the Subcommittee for this opportunity to speak before you today and would be pleased to respond to any of your
questions.
Senator CARPER. Thanks, Mr. Streufert, for that testimony.
Thanks for being a good role model over at the State Department
and USAID for the rest of us.
I just want to start with this chart,1 and it looks like a reduced
risk of cyber vulnerabilities, about 89 percent at the State Department headquarters from July 2008 to July 2009, and 90 percent
abroad. Did you anticipate this kind of progress in a year when you
were getting into this? Did you anticipate this kind of a record of
achievement?
Mr. STREUFERT. At the Agency for International Development
(AID), we had a similar progress, a two-thirds reduction in a 6-month period, so we had a feeling that it was possible but had not
yet tested this on the scale of an organization the size of the State
Department. We were certainly very pleased, and at that point, we
began discussing what had been found with our colleagues.
Senator CARPER. You mentioned this in your testimony. I want
you to go back. Kind of walk us through again why were you so
successful at the State Department and at AID before that? What
were the key elements again, please?
Mr. STREUFERT. This is an instance where support beneficially
comes from many parts of the organization. It begins, as Congressman Davis indicated, with strong support at the top, and I am
pleased to say that the senior leadership of the State Department
has been very supportive at each step on the way.
Senator CARPER. When you say senior, how senior? What are we
talking about?
Mr. STREUFERT. Under Secretary for Management Patrick Kennedy, and he has assembled an E-Government Oversight Board for
the Department of State. I have been able to speak on progress before this group twice in the last year. So there has been strong involvement from the top of the organization.
The next beneficial thing that one needs is the coordination
and...
Senator CARPER. Why do you suppose the folks at the top were
so supportive?
Mr. STREUFERT. Well, we understand that strong information security is essential for our mission. We are spread in 24 time zones.
The ability to send and receive information in support of American
citizens' services, and in support of the passport and visa process
are vital to our mission. We understand that we depend on the information systems, and therefore the security related to them.
Senator CARPER. OK. Other than support at the top, what were
the other key elements in your success?
Mr. STREUFERT. We brought together a coalition of 11 different
organizations inside the State Department that worked on technology matters, and that set the template where we could begin
our regular scanning. And after that point, when we deployed the
system, the fact that the individuals at each of the embassies and
consulates and headquarters organizations could understand exactly what they needed to fix, it was of substantial benefit to them
to get some of the positive reductions in risk points that the chart
and our experience indicates.
Senator CARPER. Now, talk to us about other agencies being able
to replicate the success that you enjoyed at the State Department.
Other than cloning you, moving the agency heads from State over
to, cloning them and moving them into the other agencies, how
transferable is this to other agencies? What do you think might
transfer and what might not?
Mr. STREUFERT. One item that we always mention in discussion
with other cabinet departments is that we used information that
was already being collected in our organization for other purposes,
including producing the certification and accreditation reports.
Eighty percent of the information, as an example, was an outgrowth of what we needed to manage our servers and personal
computers already. So it was simply a question of lifting that data
up and out of where it was at the local level and then putting it
in the security warehouse. Once there, our dashboard calculates
grades and shows the most serious problems that need to be
worked on.
Since many of the other parts of the Federal Government have
this software, the primary things to work on are assuring that all
of the networks are connected and that they have the support
structures in place in order to put the security information out to
the managers who want to make the changes. And I should hasten
to add, the progress at the State Department came from thousands
of individuals that were working every day on their most serious
problems, and that is where the progress indeed came from.
Senator CARPER. Let me ask, first, Mr. Kundra, and then Mr.
Wilshusen about replicating this kind of success. How do we go
about doing that? In fact, it may be something you have already
begun. I don't know.
Mr. KUNDRA. Yes. We started talking about this back in April,
and within the Federal CIO Council, Susan Swart, who is the CIO
at the State Department, has been sharing this approach with our
colleagues. But if you look at what we are doing across the Federal
Government, CyberScope is the first step in that direction in terms
of if you looked at the previous approach, it was manual, it was
based on a lot of paperwork and didn't really produce meaningful
insight where we could slice and dice information across the Federal Government so we could compare what was happening at
Health and Human Services versus State versus DOD versus Department of Energy. The first step is to make sure that we are getting data and information so we could get meaningful insight.
The second part of that, which is the task force that we are
spending a lot of energy and we would love to share the metrics
with you and get feedback from the Congress at the end of November, and these metrics are essentially going to be focused on game
changing ways where we can address real security. So not necessarily asking the question, do you have a patch management program, but getting to the point which is how long does it take you
to actually patch those systems.
And thinking about the Red Teams, it is not enough to just say
we have this file room that you pointed to. I talk about how the
files you see in that room are actually far more secure than the
very systems they are supposed to protect. So how do we get Red
Teams to validate that the information that is out there, we are
testing it against what we know in terms of agencies and it makes
it really difficult right now across the Federal Government to spot
patterns. So if we see a threat vector that may start at the State
Department, how do we know we don't have the same threat vector
at Health and Human Services?
So we are in the early phases in terms of deploying a Federal
Government-wide approach. But the key here, as Congressman
Davis said, is to move away from this culture of compliance and
really move towards execution. How do we get these things done
and how do we apply some of these methodologies? And I know
that DHS and the National Institute of Standards and Technology
(NIST) are actually working with the State Department to think
through how this can be scaled across other Federal agencies.
Senator CARPER. Mr. Wilshusen, same question in terms of
replicability. What do you think we ought to be able to replicate
and why not?
Mr. WILSHUSEN. Well, I had the privilege of Mr. Streufert giving
me a presentation of his system last week, and so I can't really attest to the accuracy of the data that he presents, but a couple of
things...
Senator CARPER. Would you say that the accuracy is probably
pretty skeptical?
Mr. WILSHUSEN. Well, I just don't have data or evidence to show
that it is accurate. I can't say one way or the other. We just haven't
done the tests on that.
But what his system shows is a lot of promise. With regard to
replicability, one of the key aspects that it relies upon is the ability
to have automated tools in place that have the capability to reach,
touch, and then scan each of the devices that are covered under
this particular system. Now, the Department of State has, according to their system, about 30,000 devices that are covered by this
particular system.
It does at the present, as I understand it, cover Windows
workstations and servers. And so presumably, it might be able to
be replicated at other agencies to address those particular servers
if those other agencies allow a central point to be able to go out
and reach all those devices throughout the entire organization, and
that may or may not be the case. I just dont know.
Senator CARPER. Erik Hopkins, sitting right behind me, just
handed me a note that says, "Agencies are making the decision
right now to spend another $1.3 billion to produce the paperwork
we see here. Is there anything we can do about that?" It is a pretty
good question.
Mr. WILSHUSEN. It is, indeed. Certainly, as you know, FISMA requires that agencies implement cost-effective solutions to mitigate
their risks, and one has to make the assessment, is spending this
amount of money on preparing presumably the certification and accreditation documents appropriate?
If it is just to prepare paperwork, that is not really cost-effective; the agency would not be receiving the true value of the execution of the underlying processes that are represented by that paperwork. Primarily, are they assessing the risks? Are they developing and documenting controls that mitigate those risks? And
then are they providing the training to staff, to implement those
controls, testing and evaluating those controls to make sure that
they are operating as intended and are effective? And then remediating deficiencies as those become known?
Those are all activities that are required under FISMA with regard to agencies' information security programs and some of the activities that are required in order to go through the certification
and accreditation process. So if the process is just to check off
boxes on paperwork, then that is not very useful. The important
part is that the agencies are effectively performing these processes
in order to implement controls that effectively protect their systems.
Senator CARPER. Mr. Kundra.
Mr. KUNDRA. If I can add to that, I want to make sure as we look
at the paperwork that we are seeing here in systems that the State
Department is talking about and other agencies, I agree in terms
of the fact that the pendulum has definitely swung too much towards a paperwork exercise. But I also want to caution that some
of these systems have very sensitive information regarding the personal information of the American people, Social Security numbers,
and the processes conducted on these systems are also very sensitive.
So although I recognize that there is a lot of paperwork here, it
is very important to make sure that this is also a process that ensures accountability for the business owners in terms of making
sure that before a system goes online, have they done a risk assessment? Have they thought about all the risks? Do they have the
right controls in place in terms of running the system? Have they
made sure that they have back-ups and thought through the processes required to connect this to other systems?
But what has happened, unfortunately, is a lot of agencies are
also treating this as a paperwork exercise rather than saying, look,
just like if an airplane were to take off, the first flight, you would
go through a number of checks, but after it takes off, you need to
make sure that you are monitoring all the dials and the gauges to
understand where you are in the air. What has happened is, unfortunately, a lot of agencies are substituting and are looking at these
processes as a 3-year exercise rather than saying, what do we do
on an ongoing basis after the system goes live? What do we do to
make sure that we are monitoring risk on a real-time basis?
Senator CARPER. Alright. Mr. Wilshusen, did you want to add
anything else?
Mr. WILSHUSEN. Yes, I did. I would just echo what Mr. Kundra
mentioned is the fact that it is critical that agencies provide a monitoring capability and test and evaluates the effectiveness of their
controls on a regular, current basis, because the threats change,
the vulnerabilities change daily. Waiting every 3 years at specific
points in time is not adequately addressing those risks and threats.
That is one of the benefits of what Mr. Streufert has done at the
Department of State. As he mentioned, he is scanning his systems
every 2 weeks to look for certain weaknesses and configuration
changes and that is an important control.
Senator CARPER. When there is a penetration, sometimes whoever the penetrator is leaves a back door to allow somebody to
come back in later on and create mischief. In a case where that has
happened, they have left a back door open. How would your continuous monitoring and updating at the State Department solve that
problem, Mr. Streufert?
Mr. STREUFERT. This is a very critical question in Congressman
Davis's testimony as well as your own. The problem is that there
are back doors and then the action step of deploying the Red
Teams that do penetration tests trying to break into the systems.
We believe this concern and the practice of penetration tests is so
good and worth continuing all across the government and expanding it, as your bill indicates, is that when we did this at the State
Department, we found that 80 percent of the successful attacks
which were modeled in the penetration test were ethical hacking,
as it is called. We invite people to break in, though a surprise to
us, but with our understanding that it would be done. Eighty percent of the successful attacks were based on known vulnerabilities.
Senator CARPER. Known to whom?
Mr. STREUFERT. Known to the National Institute of Standards in
this National Vulnerability Database that we use for scoring. And
so we know those problems are there. I would liken it unto a burglar that can kick through a screen door to get into a system and
cause mischief, and once inside, what the penetration tests show is
that known vulnerabilities and weak configurations, both referenced by Mr. Wilshusen in his remarks, can allow lateral movement inside the networks.
So it is not that we will be able to prevent every attack. It is that
the higher that the risk score is by these methods the National Institute of Standards and DHS have provided to us, the more likely
that we will be exposed to a very easy attack. If it is within our
control to change, and, in fact, we prove that it is possible at the
Department of State over a period of just 12 months to have a significant effect, we should do it as part of our responsibilities of protecting the systems of the government.
Senator CARPER. Alright. Thank you.
Mr. WILSHUSEN. This is consistent with the results of our audits
that we conduct at various different Federal agencies in that we
often find deficiencies that are related to unpatched systems and
other known vulnerabilities that have not been corrected by the
agencies. There have been a number of other reports by private organizations that have consistently reported that many successful
attacks are based upon known vulnerabilities for which patches
have been available, some for 6 months or more. And so it is imperative that agencies take appropriate steps to immediately address
those vulnerabilities and mitigate them before they can be exploited.
Senator CARPER. Alright. Thank you.
I should have asked this question sooner, but I didn't. I will go
back to it now. Something that you said, Mr. Streufert, kind of triggered this for me. When you look back to Congressman Davis's
presentation, some of the comments that he made, is there anything there that you would want to go back and kind of underline
as especially important and noteworthy, or something maybe you
disagreed with?
Mr. KUNDRA. I think the approach of Red Teams, essentially
making sure that the government is focused on constantly trying
to find and penetrating our national infrastructure so that we can
get ahead of some of these threats, recognizing that if we take an
offense when it comes to our defense, we will be in a much better
situation than just having a strategy that focuses on defense.
Senator CARPER. OK. Mr. Wilshusen.
Mr. WILSHUSEN. I would agree with Mr. Kundra's remarks. I
would also agree with Mr. Davis's remarks related to having an
independent evaluation of agencies' information security programs
and that it is essential to have IGs be able to examine and review
the controls in the programs at their particular agency. Having an
independent evaluation is critical, and in my mind, there are opportunities to improve the effectiveness of those evaluations by assuring that they are being performed in accordance with Generally
Accepted Government Auditing Standards and that they do, in fact,
include testing of the systems on a regular, frequent basis.
Senator CARPER. OK. In other discussions we have had on the
issue of cyber security attacks and being ready for them and being
able to deter them or turn them back, some of the experts we talk
with have suggested that we simply need to do a better job in contracting to make sure that the systems that we are buying as a
government, whether it is by agency or Federal Government-wide,
that they are better technology, just better able by virtue of the
way they are made and provided to the agency to turn back attacks. I wonder to what extent did that play a role in the State Department in terms of replicating, if there are any lessons that we
can take from that for the rest of our government.
Mr. STREUFERT. I think that there are many ways that the acquisition process could support this effort, and as we are just in the
beginning of the continuous monitoring phase of our security programs in the government, we would want to take note and try to
get it right the first time.
One thing that the Department of State has already begun implementing is the idea of associate contractor agreements when we
go out and compete our technical services work. This idea was first
employed in the Department of Defense with the B-1B bomber,
and the idea was that it was functionally necessary for that airplane to hire many different contractors that did the different parts
of the airplane. But the question was, would they be invited to
work together, and so a clause with associate contractor agreements was placed in the overall contract and all of the subcontractors that they would work together. We believe that this is one of
the factors at the State Department that, over time, we will be able
to improve by making awards and asking the contractors to work
together.
The second element under acquisition, the 20 most important
controls or consensus audit guidelines, is a view that many key
government and industry professionals in the security field believe
that we need tools around each of the 15 of the 20 categories that
are susceptible to automated verification at the State Department.
Our programs currently only implement about four or five of the
15 areas that are under the continuous evaluation and grading program. So if we awarded a contract that had multiple providers for
those 15 tools, then the most compelling and innovative ways that
industry would give to the government would be regularly refreshed. So I think a multiple-award contract would be very helpful.
Senator CARPER. Mr. Kundra.
Mr. KUNDRA. The other area I would like to add is as we think
about the public-private partnership, it is very important to recognize that we need to approach cyber security from an ecosystem
perspective, thinking about what technologies are we buying, how
are we buying them, and what are the default settings in a lot of
the software and hardware that we procure.
An example would be what we are doing with Microsoft in terms
of an operating system strategy, which is that if you look at a Federal desktop core configuration, by fundamentally changing the default settings, because most software companies are going to design
software and operating systems and have the default settings so
they are extremely easy to use, yet from a public sector perspective,
there are a lot of things that we need to change to make sure that
we are leaning towards greater security to protect the privacy and
security of the American people.
So through this strategy, we have partnered with Microsoft and
we actually create a model configuration that prevents a majority
of the attack vectors that are out there. And especially as we move
towards a new platform with Windows 7, we are working closely
with Microsoft through NIST and DOD to make sure that their
core configuration is a secure one before we even deploy it across
the Federal Government.
Senator CARPER. Alright. Thank you. Mr. Wilshusen.
Mr. WILSHUSEN. I would just like to add that the U.S. Government spends about $70 billion a year on IT products and services.
I think that is the correct number. So there is a certain leverage
that the Federal Government has when it procures these products
and services to require certain minimum security requirements.
Certainly that will help potentially enhance the security features
on products that it buys and that could also apply to other marketplaces, as well.
Having standard settings and standard requirements can also
potentially lead to cost savings, as well. One of the benefits that
we looked at when we had our review on Federal encryption efforts
was the Smart Buy program over at GSA in which agencies were
able to buy cost-effective encryption technologies at almost pennies
on the dollar, not quite, but at a huge cost savings because they
were able to take advantage of volume discounts. So there are advantages to leveraging the Federal procurement dollar and its acquisition policies.
Senator CARPER. In a day and age when we have seen in the first
8 years of this decade, we literally doubled our Nations debt, we
ran it up by another $1.4 trillion last year, and likely even more
this year, every time we can save some pennies on the dollar, that
is good. It sounds like in this case it is quarters on the dollar,
which is even better.
A couple more questions and then we will wrap it up. This would
be a question really for the entire panel. In the current FISMA legislation that we have drafted, Inspectors General must evaluate
whether agencies are securing their systems like they say that they
are securing them. That means that agencies are spending $1.3 billion to produce the paperwork that the IGs use to evaluate agency
effectiveness. IGs then must spend even more time and more
money, perhaps another $1 billion or so, to see whether the paperwork was accurate. So the government ends up spending maybe
over $2 billion, maybe it is $2.3 billion or so, on a process that is
basically flawed. It doesn't make a lot of sense to me, and I don't
think to others, as well.
Could each of you just take a couple of moments and tell us what
you think the role of the IG should be in cyber security? And
maybe better yet, how do we make the partnership between an
agency and that agency's IG more proactive, more collaborative, so
that we aren't wasting or they aren't wasting so much money? Do
you want to go first, Mr. Streufert?
Mr. STREUFERT. Yes, Senator Carper. This is a key question. The
first thing we might say is that these products in the three-ring
binders here, a systems security plan, a contingency plan, testing
plans, test results, these are all important things to do. What the
finding of the State Department is, that with the modern tools that
are increasingly available since FISMA was put into law, we can
do that 72 times more frequently than the 3-year standard of producing these binders.
So the first thing to say is that as we look at the possibility for
continuous monitoring, the discussions between the departments
and the OIGs could be on data that was as fresh as 15 days old,
as opposed to what I will have to do unless there is an adjustment.
It will take me a full 8 months to produce these 2,000 pages for
the third time when I know that many elements of that data I am
already collecting every 2 to 15 days.
I would say that our conversations with the OIG would be
stronger if we had common measuring sticks for security, not just
in the vulnerability area, which we have already done very well,
but many other parts of our security program. And if we had an
agreement between the parties that managed the security program
of what were the criteria for evaluation in advance, not just within
an individual cabinet department but across the entire government, we would be able to compare the relative security between
one cabinet department or agency and another.
I think the worst mistake of all we could make, even though the
dramatic nature of some of our expenditures of C&As, is to make
the mistake of doing less than we are currently doing. So notwithstanding, I would be the first person to say that we should try to
use automated means rather than paper. We want to make sure
before we set aside the paper methods that we would do our very
best to make sure we have a stronger system than the one that we
just left behind.
Senator CARPER. Mr. Wilshusen.
Mr. WILSHUSEN. And I would also agree to a large extent with
what Mr. Streufert said, in that many of these documents that are
being prepared are not being prepared just for the benefit of the
auditor, but, in fact, are being prepared in order to adequately protect the systems that are being covered by those documents.
Now, having said that, certainly auditors have a responsibility to
review the effectiveness of security controls, and that includes testing a subset of systems. In our examinations, while we do look at
certain documents that are the products or byproducts and artifacts of agency processes, we are also looking at how systems are
actually configured and testing the effectiveness of those controls.
So it is more than just reviewing documents. It is actually doing
a more in-depth review, and that is what IGs are doing and should
be doing, as well, in addition to reviewing some of the artifacts that
are generated from agency security processes.
Senator CARPER. Alright. Mr. Kundra, you get the last word on
this question, and then I have one more separate question for you
and we will call it a day.
Mr. KUNDRA. I think it is impossible to confront a real-time
threat, such as cyber warfare or adversaries and State actors and
organized crime that are actively trying to hack into our systems,
with a process that is built around annual reporting, quarterly reporting, or whether you do it on a monthly basis. What needs to
happen in terms of the relationship between the IGs and the CIOs
is that they need to have greater transparency into the same data
and moving toward a real-time platform so they could both see
what is happening on a real-time basis and constructively move the
security posture of the U.S. Government rather than relying on reports that are created.
By the time that report is printed and handed over to the IG,
there is already a new threat factor that is created on a real-time
basis. The velocity at which these threats come and the frequency
cannot be addressed with a filing cabinet like this.
Senator CARPER. Good point. Thank you.
And the last question, I think I will direct it just to Mr. Kundra
unless other panelists think he mis-answers the question, then you
can correct him. In your current position, how do you like what you
are doing? Are you enjoying it? Is it challenging? Do you ever get
to go home at night?
Mr. KUNDRA. It is great. Very little sleep, but it is an enormous
opportunity to serve the country and to advance the President's
technology agenda.
Senator CARPER. Alright. Good. In your current position, I think
you are maybe the person responsible for overseeing the effectiveness of our Federal Government's cyber defense, and that is a government, as we know, that is composed of hundreds, maybe thousands of different systems. I am told that you have relatively few,
if any, cyber security experts that work for you and I find that of
concern, maybe even troubling.
But I find it even more troubling that OMB, which is known for
their budget prowess, has never asked for a detailed accounting of
what an agency spends on cyber security. I don't know if that is
true, but if it is true, why do you think it has been the case? Why
hasn't OMB, as far as I know, ever said, well, what are you all
spending for cyber security? And to follow up, if that is true, are
you going to do anything to correct that situation?
Mr. KUNDRA. Sure. So that was actually one of the most shocking
things when we tried to do analysis as far as cyber security was
concerned. One was that the information that was being submitted
to OMB was being submitted in these spreadsheets, hundreds of
spreadsheets that were being mailed in.
Two was, from a cost perspective, what was being collected was
aggregate security information. So what we did immediately is for
the 2009 report, we are getting to the detailed cost allocation when
it comes to information security, so we know where is the government spending when it comes to products, human capital, and specifically computer network attacks (CNAs). And unfortunately, with
a lack of that information, what we aren't able to do is effective
comparative analysis between one agency and another, and more
importantly, a deeper understanding of how do our investments
line up with our vulnerabilities and where do we need to make
those appropriate investments.
But we are working very closely with DHS and the U.S. Computer Emergency Readiness Team (US-CERT) specifically, and as
part of the FISMA reporting requirements in CyberScope, we are
going to be collecting all that data.
Senator CARPER. If you will all just bear with me for one moment, please.
[Pause.]
Senator CARPER. I know I said the last question was the last
question. I am going to try to squeeze one more in here before we
let you go. Again, this is for Mr. Kundra, and if others want to
chime in, go ahead.
I think OMB has the ability to ask agencies if they would follow
a model similar to that of the Department of State. Do you think
that conducting a pilot, or maybe having a number of agencies basically say, we want you to follow something similar, do you think
that is a good idea? Maybe it is something you have given some
thought to, or maybe you are planning on doing it, or maybe you
don't think it is a good idea, but would you just think out loud for
us on that?
Mr. KUNDRA. Sure. I actually think it is a great idea. That is one
of the reasons the State Department is actually talking to the Veterans Administration. It is making the tool, the software actually
available to NIST and DHS, also, to figure out how can that be
scaled, recognizing that across Federal agencies, HHS is going to
have a very different environment. But what is going to be common
is they all have desktops, certain network infrastructure, from
routers to switches, and figuring out how can we make sure that
we are not duplicatively spending money and creating new tools if
we can leverage best practices across a Federal Government.
From an OMB perspective, it is very important for us to get the
threat matrix across the entire Federal Government. So how do we
roll up this information at a DHS level so we get a real-time posture from a security perspective?
VerDate Nov 24 2008 11:34 Oct 25, 2010 Jkt 053852 PO 00000 Frm 00031 Fmt 6633 Sfmt 6633 P:\DOCS\53852.TXT SAFFAIRS PsN: PAT

28

Senator CARPER. OK. Do you all want to comment at all on what
Mr. Kundra said? You don't have to, but if you would like to, you
are welcome to do so. Did he do OK?
Mr. STREUFERT. Yes. We very much appreciate the leadership of
Mr. Kundra and OMB on the issues of CyberScope to make our reporting more efficient, and his very early willingness to look at
issues like dashboards. I think that our collective commitment
should be to one of continuous improvement. The State Department
has some ideas on this and we have worked on it some. We want
to share that with others. But I believe what will happen is Vivek
invites, and he already has done so, conversations more widely in
government that good ideas will come from all of the cabinet departments that we will be well served to fold in and come up with
the strongest possible product as a government together.
Senator CARPER. OK. I think we will wrap it up at this point. I
have another hearing that started at 9:30 this morning that is still
going on on climate change legislation. It will be a full day.
A couple of thank yous. One to Mr. Streufert, to you and your
colleagues. I know you said it is not just you, there are a lot of people involved at the State Department that are responsible for the
progress that is being made there and for the example that you are
able to provide for other Federal agencies. But thank you for your
leadership, and our commendation is to you and to your colleagues.
As we used to say in the Navy, Bravo Zulu.
I want to thank Mr. Wilshusen for the report that we received
from you and your colleagues on cyber security metrics. It is one
I requested, I believe last year, but thanks for that report.
And Mr. Kundra, thank you for taking on this responsibility and
giving it 110 percent, maybe more than that.
We are going to stay on this. We are going to push forward on
the legislation and get it enacted if we can. I know the Chairman
and Ranking Member of the full Committee on Homeland Security
and Governmental Affairs are interested in passing even more comprehensive legislation on cyber security, and there is some discussion of folding our piece into that, or maybe moving what we are
doing on its own if we want to try to get it out there and moving
along.
But thank you for helping inform our legislative path just a little
bit better today. I would encourage, Mr. Kundra, for you and our
friends at OMB to use this model that works and other models that
work and to replicate that success.
But maybe one or two points that I will make, and maybe I am
being redundant, but I will go ahead and make them anyway. I
think repetition can be helpful.
But the first point is we are spending way too much money on
a process that is flawed from the beginning. That is not to take
anything away from Congressman Davis and others who were involved in the FISMA legislation from 2002, but it is a process that
is flawed. Writing a report about security is not the same as investing in security, and with so much at stake, we should be doing a
much better job.
The irony of it is, we had a luncheon speaker at our weekly caucus luncheon today who runs a big Federal agency and he shared
with us just some up-to-date information about the kind of attacks
that are underway every day, every hour, every minute. It really
puts this in real time and with a real sense of urgency.
My next point is the fact that OMB is, I think, the only one who
really can make this happen absent Congress passing a bill. I
would again say, Mr. Kundra, actually take a hard look at what
you can do, and I sense that you are already doing that, to make
sure that we don't waste another year, another $1 billion, if not
more, to do something that doesn't work very well.
My last point is the fact that, obviously, that we all need to work
together. I am pleased to see with the three of you here before us,
it is a pretty good model of how we can cooperate and I hope that
we are part of that, as well. But technology changes so fast that
without a partnership between, not just among agencies, but also
between the Legislative Branch and the Executive Branch, Americans, unfortunately, are going to end up on the losing end, and we
don't want that to happen.
I am going to ask, I think, for you all to come back to me, I will
put this in writing, but to come back to us in maybe 2 weeks with
opportunities that you believe will lead to efficiencies in defending
our networks. If you do that, I would be grateful. If you get any
other questions from my colleagues, then if you would respond to
those within 2 weeks, that would be terrific.
Thank you all very much for coming today, for your testimony,
and for the work that you are doing. I would encourage you to continue on and we will do our best to have you back. Thank you.
And with that having been said, this hearing is adjourned.
[Whereupon, at 4:07 p.m., the Subcommittee was adjourned.]
APPENDIX