[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
CDM: GOVERNMENT PERSPECTIVES ON SECURITY AND MODERNIZATION
=======================================================================
JOINT HEARING
before the
SUBCOMMITTEE ON CYBERSECURITY
AND INFRASTRUCTURE PROTECTION
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
and the
SUBCOMMITTEE ON
INFORMATION TECHNOLOGY
of the
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION
__________
MARCH 20, 2018
__________
Serial Nos. 115-55 and 115-69
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.govinfo.gov and
http://oversight.house.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
30-791 PDF WASHINGTON : 2018
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Peter T. King, New York Sheila Jackson Lee, Texas
Mike Rogers, Alabama James R. Langevin, Rhode Island
Lou Barletta, Pennsylvania Cedric L. Richmond, Louisiana
Scott Perry, Pennsylvania William R. Keating, Massachusetts
John Katko, New York Donald M. Payne, Jr., New Jersey
Will Hurd, Texas Filemon Vela, Texas
Martha McSally, Arizona Bonnie Watson Coleman, New Jersey
John Ratcliffe, Texas Kathleen M. Rice, New York
Daniel M. Donovan, Jr., New York J. Luis Correa, California
Mike Gallagher, Wisconsin Val Butler Demings, Florida
Clay Higgins, Louisiana Nanette Diaz Barragan, California
John H. Rutherford, Florida
Thomas A. Garrett, Jr., Virginia
Brian K. Fitzpatrick, Pennsylvania
Ron Estes, Kansas
Don Bacon, Nebraska
Brendan P. Shields, Staff Director
Steven S. Giaier, Deputy Chief Counsel
Michael S. Twinchek, Chief Clerk
Hope Goins, Minority Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION
John Ratcliffe, Texas, Chairman
John Katko, New York Cedric L. Richmond, Louisiana
Daniel M. Donovan, Jr., New York Sheila Jackson Lee, Texas
Mike Gallagher, Wisconsin James R. Langevin, Rhode Island
Brian K. Fitzpatrick, Pennsylvania Val Butler Demings, Florida
Don Bacon, Nebraska Bennie G. Thompson, Mississippi
Michael T. McCaul, Texas (ex (ex officio)
officio)
Kristen M. Duncan, Subcommittee Staff Director
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
Trey Gowdy, South Carolina, Chairman
John J. Duncan, Jr., Tennessee Elijah E. Cummings, Maryland,
Darrell E. Issa, California Ranking Minority Member
Jim Jordan, Ohio Carolyn B. Maloney, New York
Mark Sanford, South Carolina Eleanor Holmes Norton, District of
Justin Amash, Michigan Columbia
Paul A. Gosar, Arizona Wm. Lacy Clay, Missouri
Scott DesJarlais, Tennessee Stephen F. Lynch, Massachusetts
Blake Farenthold, Texas Jim Cooper, Tennessee
Virginia Foxx, North Carolina Gerald E. Connolly, Virginia
Thomas Massie, Kentucky Robin L. Kelly, Illinois
Mark Meadows, North Carolina Brenda L. Lawrence, Michigan
Ron DeSantis, Florida Bonnie Watson Coleman, New Jersey
Dennis A. Ross, Florida Raja Krishnamoorthi, Illinois
Mark Walker, North Carolina Jamie Raskin, Maryland
Rod Blum, Iowa Jimmy Gomez, Maryland
Jody B. Hice, Georgia Peter Welch, Vermont
Steve Russell, Oklahoma Matt Cartwright, Pennsylvania
Glenn Grothman, Wisconsin Mark DeSaulnier, California
Will Hurd, Texas Stacey E. Plaskett, Virgin Islands
Gary J. Palmer, Alabama John P. Sarbannes, Maryland
James Comer, Kentucky
Paul Mitchell, Michigan
Greg Gianforte, Montana
Sheria Clarke, Staff Director
William McKenna, General Counsel
Troy Stock, Subcommittee Staff Director
Meghan Green, Counsel
Sharon Casey, Deputy Chief Clerk
David Rapallo, Minority Staff Director
------
SUBCOMMITTEE ON INFORMATION TECHNOLOGY
Will Hurd, Texas, Chairman
Paul Mitchell, Michigan, Vice Chair Robin L. Kelly, Illinois, Ranking
Darrell E. Issa, California Minority Member
Justin Amash, Michigan Jamie Raskin, Maryland
Blake Farenthold, Texas Stephen F. Lynch, Massachusetts
Steve Russell, Oklahoma Gerald E. Connolly, Virginia
Greg Gianforte, Montana Raja Krishnamoorthi, Illinois
C O N T E N T S
----------
Page
Statements
The Honorable John Ratcliffe, a Representative in Congress From
the State of Texas, and Chairman, Subcommittee on Cybersecurity
and Infrastructure Protection:
Oral Statement................................................. 1
Prepared Statement............................................. 2
The Honorable Cedric L. Richmond, a Representative in Congress
From the State of Louisiana, and Ranking Member, Subcommittee
on Cybersecurity and Infrastructure Protection:
Prepared Statement............................................. 7
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Ranking Member, Committee on
Homeland Security:
Prepared Statement............................................. 6
The Honorable Sheila Jackson Lee, a Representative in Congress
From the State of Texas:
Prepared Statement............................................. 8
The Honorable Gerald E. Connolly, a Representative in Congress
From the State of Virginia, and Vice Ranking Member,
Subcommittee on Infomration Technology:
Oral Statement................................................. 4
Prepared Statement............................................. 5
Witnesses
Mr. Max Everett, Chief Information Officer, U.S. Department of
Energy:
Oral Statement................................................. 10
Prepared Statement............................................. 11
Mr. Scott Blackburn, Executive in Charge, Office of Information
and Technology, U.S. Department of Veterans Affairs:
Oral Statement................................................. 14
Prepared Statement............................................. 16
Mr. David Garcia, Chief Information Officer, U.S. Office of
Personnel Management:
Oral Statement................................................. 23
Prepared Statement............................................. 24
Mr. Kevin Cox, Program Manager, Continuous Diagnostics and
Mitigation, Office of Cybersecurity and Communications,
National Protection and Programs Directorate, U.S. Department
of Homeland Security:
Oral Statement................................................. 26
Prepared Statement............................................. 28
Appendix
Question From Chairman Will Hurd for Max Everett................. 45
Questions From Ranking Member Cedric L. Richmond for Max Everett. 45
Questions From Ranking Member Bennie G. Thompson for Max Everett. 46
Question From Chairman Will Hurd for Scott Blackburn............. 46
Question From Ranking Member Cedric L. Richmond for Scott
Blackburn...................................................... 46
Questions From Ranking Member Bennie G. Thompson for Scott
Blackburn...................................................... 47
Questions From Honorable James R. Langevin for Scott Blackburn... 47
Question From Chairman Will Hurd for David Garcia................ 48
Questions From Ranking Member Cedric L. Richmond for David Garcia 48
Question From Ranking Member Robin L. Kelly for David Garcia..... 48
Questions From Ranking Member Bennie G. Thompson for David Garcia 48
Questions From Chairman John Ratcliffe for Kevin Cox............. 48
Questions From Chairman Will Hurd for Kevin Cox.................. 50
Questions From Ranking Member Cedric L. Richmond for Kevin Cox... 51
Questions From Ranking Member Robin L. Kelly for Kevin Cox....... 51
Questions From Ranking Member Bennie G. Thompson for Kevin Cox... 52
Questions From Honorable James R. Langevin for Kevin Cox......... 52
CDM: GOVERNMENT PERSPECTIVES ON SECURITY AND MODERNIZATION
----------
Tuesday, March 20, 2018
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity and
Infrastructure Protection, joint with the
Committee on Oversight and
Government Reform,
Subcommittee on Information Technology,
Washington, DC.
The subcommittee met, pursuant to notice, at 2:38 p.m., in
room HVC-210, Capitol Visitor Center, Hon. John Ratcliffe
(Chairman of the subcommittee) presiding.
Present: Representatives Ratcliffe, Hurd, Katko, Donovan,
Fitzpatrick, Bacon, Jackson Lee, Langevin, Lynch, Demings,
Connolly, and Krishnamoorthi.
Mr. Ratcliffe. The Homeland Security Subcommittee on
Cybersecurity and Infrastructure Protection and the Committee
on Oversight and Government Reform Subcommittee on Information
Technology will come to order. The subcommittees are jointly
meeting today to receive testimony regarding the Department of
Homeland Security's continuous diagnostics and monitoring
program. I now recognize myself for an opening statement.
This is the second hearing this year that the Subcommittee
on Cybersecurity and Infrastructure Protection has held on the
Continuous Diagnostics and Mitigation, or CDM, Program. That is
because I see real value in the goals of CDM, not only for
cybersecurity but also for improving the efficiency of the
information technology across the board. To that end, I am
pleased to be holding this hearing today jointly with my good
friend from Texas, Congressman Will Hurd, who will be joining
us shortly and who has been a leader on IT modernization issues
as the Chairman of the Subcommittee on Information Technology.
I welcome our friends from the Oversight Committee to the CDM
conversation today.
I believe that DHS's CDM Program has great potential to
drive progress on a number of cybersecurity issues, from
network visibility to data-centric security and from the role
of increased automation of security tasks to the role of
artificial intelligence. So the question that I have for this
panel today is what can Congress do to make sure CDM
capabilities are being rolled out to keep pace with the
evolving threat landscape?
The Government has a pretty checkered past when it comes to
IT investments and the ability of Federal agencies to provide
effective cybersecurity. While CIOs are the point of
accountability on all things IT at their respective agencies,
every stakeholder has to recognize their role in supporting
CIOs. But this is a hearing about finding solutions and
ensuring that the Federal Government is on the right track.
I think every agency represented today has some IT
investment or application that did not produce the kind of
results the American people, the American public needs and
deserves from their taxpayer dollars. That is not to mention
the profoundly damaging data breaches that have plagued Federal
agencies.
We simply have to get a handle on the cyber threats we are
facing. I believe that CDM is part of that solution. This
hearing is about learning from the initial roll-out and
progress of CDM phase 1, plans to move through phase 2, and,
perhaps most importantly, what is and what should be the long-
term vision of CDM?
Obviously, part of today's hearing will involve a
discussion about the resources necessary to invest in top-of-
the-line security technologies, but at its core, cybersecurity
is more than an issue of technology; it is an issue of
governance, of process, and leadership. We have to get the
strategies and vision for CDM right so that our investments
don't throw good money after bad. To that end, I intend today's
hearing to include a robust conversation about the metrics
necessary to measure not only the implementation of CDM but
also the effectiveness of the program as well. CDM is about
maintaining more secure systems and a better understanding of
the risk posture of the Federal enterprise, but it also
represents a continuing mission and establishes the kind of
structure necessary for us to evolve.
To that end, I welcome your thoughts, not only about the
CDM capabilities but also about the ultimate goal of providing
network and system defenders with the data and tools necessary
to do their jobs well and at the pace to combat the threats
that they face. What is CDM's value-add to the people on the
lines of this conversation? It is the Federal agencies' CIOs
that are ultimately accountable for bad investments or data
breaches. So this is really about getting you the authorities,
tools, and resources that you need to get the job done.
As we continue this conversation, I look forward to hearing
from stakeholders, as we did at last month's hearing, as we
will continue to make sure that we are getting CDM right. CDM
is an ambitious program that I believe has the framework of
providing the kind of cybersecurity that the American people
deserve from a Government that they entrust with their most
valuable personal and, in some cases, irreplaceable
information.
I want to thank the witnesses for their time, and I look
forward to your testimony today.
[The statement of Chairman Ratcliffe follows:]
Statement of Chairman John Ratcliffe
March 20, 2018
This is the second hearing this year that the Subcommittee on
Cybersecurity and Infrastructure Protection has held on the Continuous
Diagnostics and Mitigation or CDM program. That is because I see real
value in the goals of CDM not only for cybersecurity, but also for
improving the efficiency of information technology across the board.
To that end I am pleased to be holding this hearing today jointly
with my good friend from Texas, Mr. Hurd--who has been a leader on IT
modernization issues as the Chairman of the Subcommittee on Information
Technology.
We welcome our friends from the Oversight Committee to the CDM
conversation.
I believe that DHS's CDM program has great potential to drive
progress on a number of cybersecurity issues--from network visibility
to data-centric security and from the role of increased automation of
security tasks to the role of artificial intelligence.
So the question I have to this panel today is--what can we as
Congress do to make sure CDM capabilities are being rolled out to keep
pace with the evolving threat landscape?
The Government has a checkered past when it comes to IT investments
and the ability of Federal agencies to provide effective cybersecurity.
And while CIO's are the point of accountability on all things IT at
their respective agencies, every stakeholder has to recognize their
role in supporting CIOs.
But this is a hearing about finding solutions and ensuring the
Federal Government is on the right track.
I think every agency represented today has some IT investment or
application that did not produce the kinds of results the American
public needs and deserves for their taxpayer dollars. And that is not
to mention the profoundly damaging data breaches that have plagued
Federal agencies.
We have to get a handle on the cyber threats we are facing and I
believe CDM is part of the solution.
This hearing is about learning from the initial rollout and
progress of CDM phase 1, plans to move through phase 2, and perhaps
most importantly what is and should be the long-term vision of CDM.
Obviously, part of today's hearing will involve a discussion about
the resources necessary to invest in top-of-the-line security
technologies.
But at its core cybersecurity is more than an issue of technology,
it is an issue of governance, process, and leadership. We have to get
the strategies and vision of CDM right, so that our investments don't
throw good money after bad.
To that end, I intend today's hearing to include a robust
conversation about the metrics necessary to measure not only the
implementation of CDM but the effectiveness of the program as well.
CDM is about maintaining more secure systems and a better
understanding of the risk posture of the Federal enterprise. But it
also represents a continuing mission and establishes the kind of
structure necessary to evolve.
To that end I welcome your thoughts not only about the CDM
capabilities, but also about the ultimate goal of providing network and
system defenders with the data and tools necessary to do their jobs
well and at the pace to combat the threats they face.
What is CDM's value-add to the people on the lines of this
conversation?
It is the Federal agency CIO's that are ultimately accountable for
bad investments or data breaches, so this is really about getting you
the authorities, tools, and resources you need to get the job done.
As we continue this conversation I look forward to hearing from
stakeholders as we did at last month's hearing, and what we will
continue to do to make sure we are getting CDM right.
CDM is an ambitious program that I believe has the framework of
providing the kind of cybersecurity the American people deserve from a
Government they entrust with their most valuable, personal, and in some
cases, irreplaceable information.
I want to thank the witnesses for their time and I look forward to
their testimony.
Mr. Ratcliffe. Other Members of the committee are reminded
that opening statements may be submitted for the record.
We are pleased to have a distinguished panel of witnesses
before us today on this very important topic. Mr. Max Everett
is the chief information officer for the Department of Energy.
Mr. Everett held a variety of information technology leadership
positions in Government and the private sector before joining
DOE in June 2017.
We certainly look forward to your perspectives today, sir.
Mr. Scott Blackburn is the executive in charge of the VA's
Office of Information and Technology and has served in that
capacity since October 2017. Prior to joining the VA, Mr.
Blackburn served in the Army until 2003.
Thank you for that service as well, sir, and thanks for
being here.
Mr. David Garcia is the chief information officer for the
Office of Personnel Management. Mr. Garcia previously served as
the chief information officer for the State of Maryland.
Sir, thank you to being here with us today.
Finally, Mr. Kevin Cox is the program manager for CDM in
the National Protection and Programs Directorate at the
Department of Homeland Security. Before joining DHS, Mr. Cox
was the deputy chief information security officer at the
Department of Justice. We look forward to gaining your insights
on your interagency experiences.
Mr. Connolly. Mr. Chairman.
Mr. Ratcliffe. Yes, sir.
Mr. Connolly. I serve as the Vice Ranking Member of the
Oversight and Government Reform Committee. In the absence of
Mr. Cummings, I do have an opening statement I would like to
read.
Mr. Ratcliffe. I recognize the gentleman for his opening
statement.
Mr. Connolly. I thank the Chairman for his courtesy. I want
to thank you and Chairman Hurd for holding today's hearing to
examine the status of the Department of Homeland Security's
Continuous Diagnostics and Mitigation Program.
Initiated in 2013 by the Department of Homeland Security,
the CDM Program provides other Federal agencies hardware,
software, and services through contracting vehicles to
strengthen the security of Federal networks. As you indicated,
Mr. Chairman, desperately needed.
CDM has great potential to help agencies secure networks by
providing data to agencies on their attack surface, who has
access to their networks, and how users access those networks.
This will eventually allow agencies to monitor their traffic
and network activities and identify areas of concern.
Just this week, we were reminded, albeit in the private
sector, of additional Russian attacks on our grid. So we know
the attack--or the threat is real. However, the lack of
adequate funding for CDM has impeded full deployment of the
program. The President's budget for fiscal year 2019 requested
$237 million for the CDM Program as part of an $815 million
request for cybersecurity funding at DHS.
As in previous years, the $237 million is not just for DHS
to oversee the procurement and operations associated with CDM
but also for individual agencies to implement activities
related to the program, and so it gets disbursed pretty
quickly.
When funding from DHS does not completely cover the costs
to agencies implementing CDM, agencies are left to find funding
among other information technology priorities. However, at a
time when so much of Federal IT spending is simply to operate
and maintain legacy systems, it will continue to be a challenge
for agencies to find the money for net new investment in CDM,
which is certainly something we support on a bipartisan basis.
The MGT Act we just passed into law, and I was proud to be
an original Democratic co-sponsor, may help agencies with
funding challenges by allowing agencies to establish working
capital funds to reinvest IT savings in the enterprise and to
transition to cloud computing and other innovative technologies
and to enhance cybersecurity. The MGT Act also authorized the
centralized technology modernization fund at $250 million for
each of fiscal years 2018 and 2019, for a total of $500
million. Once the TMF is funded, agencies can borrow from that
fund to finance large IT modernization projects and enhance the
CDM process.
I was happy to join with Chairman Hurd in a letter to the
Appropriations Subcommittee on Financial Services and General
Government Subcommittee last week to support appropriating the
total $250 million for TMF for fiscal year 2019. Congress and
this administration must recognize that, unless there is a
significant amount of money agencies can use to upgrade old IT
systems that are critical for their mission and that can be
encrypted--that is to say new investments that can be
encrypted--agencies will not only be able to address the low-
hanging fruit and will not be incentivized to take on the
larger projects that are complicated, take a long time, and
could be prone to cyber attack.
The shortage of qualified Federal employees to work on IT
and cybersecurity has also hindered DHS and agency efforts to
implement CDM. While agencies are working to attract the
talented individuals they need to upgrade their IT systems and
to defend against malicious cyber intrusions, the
administration and some in Congress are taking actions that I
think will make it more difficult to recruit and retain the
skilled work force of the future. Disparagement of the work
force, freezing salaries, extending probationary periods for
new hires from 1 to 2 years--these are not helpful, especially
if we are targeting the millennial generation that expects so
much more in the workplace. So I would hope we keep that in
mind too, because that is part and parcel of what we are
talking about here.
So I certainly welcome this hearing. I think we have put
some legislative tools in place that we think can create a
structure that will foster CBM at DSH and elsewhere. We
certainly look forward to hearing the testimony today about how
we can do that better.
Thank you, Mr. Chairman.
[The statement of Ranking Member Connolly follows:]
Statement of Ranking Member Gerald E. Connolly
March 20, 2018
Thank you Chairman Hurd and Chairman Ratcliffe for holding today's
hearing to examine the status of the Department of Homeland Security's
Continuous Diagnostics Mitigation (CDM) program. Initiated in 2013 by
the Department of Homeland Security (DHS), the CDM program provides
other Federal agencies hardware, software, and services through
contracting vehicles to strengthen the security of Federal networks.
CDM has great potential to help agencies secure their networks by
providing data to agencies on their attack surface, who has access to
their networks, and how users access those networks. This will
eventually allow agencies to monitor their traffic and network
activities and identify areas of concern.
However, the lack of adequate funding for CDM has impeded full
deployment of the program. The President's budget for fiscal year 2019,
requested $237 million for the CDM program as part of an $815 million
request for cybersecurity funding at DHS. As in previous years, the
$237 million is not just for DHS to oversee the procurement and
operations associated with CDM, but also for individual agencies to
implement activities related to the program. When funding from DHS does
not completely cover the cost to agencies of implementing CDM, agencies
are left to find funding among other information technology (IT)
priorities. However, at a time when nearly 80 percent of Federal IT
spending is on operations and maintenance of legacy IT systems, it will
continue to be difficult for agencies to find money for CDM among other
IT projects.
The MGT Act may help agencies with funding challenges by allowing
agencies to establish working capital funds to reinvest IT savings to
retire legacy IT systems, transition to cloud computing or other
innovative technologies, and enhance cybersecurity. The MGT Act also
authorized a centralized Technology Modernization Fund (TMF) at $250
million for each of fiscal years 2018 and 2019, for a total of $500
million. Once the TMF is funded, agencies can borrow from the fund to
finance large IT modernization projects. I was happy to join Chairman
Hurd on a letter to the House Appropriations Subcommittee on Financial
Services and General Government Subcommittee last week in support of
appropriating the total $250 million to the TMF for fiscal year 2019.
Congress and this administration must recognize that unless there is a
significant amount of money agencies can use to upgrade old IT systems
that are critical to their mission, agencies will only be able to
address the ``low hanging fruit'' and will not be incentivized to take
on the larger projects that are complicated and prone to a cyber
attack.
The shortage of qualified Federal employees to work in IT and
cybersecurity areas has also hindered DHS and agency efforts to
implement CDM. While agencies are working to attract the talented
individuals they need to help upgrade their IT systems and defend
against malicious cyber intrusions, the administration and the Majority
in Congress are taking actions that make it difficult for Federal
agencies to compete with the private sector in recruiting and retaining
skilled cybersecurity and IT professionals. In the administration's
budget proposal for fiscal year 2019, the President is seeking a pay
freeze for all civilian Federal employees. The administration also
proposed reducing retirement benefits for current and future Federal
employees, changing how the Government contribution to health plans are
calculated, and amending how paid leave is determined. Last year, the
House of Representatives passed legislation to increase the
probationary period for Federal employees from 1 year to 2 years.
It is no wonder why agencies not only have trouble recruiting the
IT and cyber workforce they need, but why they are also losing
employees to the private sector. Many seeking to enter public service
understand that the Government cannot pay as much as the private
sector, but reducing retirement benefits, instituting a short-sighted
pay freeze, and increasing trial periods for a highly sought-after
workforce is counterproductive and only makes it harder to implement
the ``sweeping transformation of the Federal Government's technology''
promised by the President.
Mr. Ratcliffe. I thank the gentleman.
Again, I remind other Members of the committee that they
may submit opening statements for the record as well.
[The statements of Ranking Members Thompson and Richmond
and Honorable Jackson Lee follow:]
Statement of Ranking Member Bennie G. Thompson
March 20, 2018
The Continuous Diagnostics and Mitigation (CDM) program is a key
part of our National approach to secure Federal networks, which
Americans rely on to store some of our most sensitive National data--
from health records and Social Security Numbers to the holdings of
critical infrastructure owners and operators and National security
documents.
Over the past decade, we have seen the number of cyber attacks
against Federal agencies rise exponentially. According to the
Government Accountability Office cyber attacks have risen by more than
1,000 percent since 2006.
The Office of Management and Budget reports that Federal agencies
endured more than 35,000 cybersecurity incidents last year alone.
Some of the officials testifying on today's panel know all too well
how much damage can flow from a high-profile breach.
For instance, the Veterans' Affairs Department reported in 2013
that its databases had been hacked by no less than eight foreign
governments.
And in 2015, the Chinese government infiltrated the Office of
Personnel Management's systems and accessed the personal information of
more than 22 million past and present Federal employees.
Last week, we turned our attention to bold attacks carried out by
the Russian government in 2016 to access and gain control of the
central command centers that support our electrical grid, nuclear power
plants, and our water supply.
Even the Secretary of Energy admitted that he was ``not confident''
in the ability of the Federal Government to counter foreign adversaries
in cyber space.
These hackers show no signs of slowing down. Instead, they have
only grown more aggressive and more sophisticated.
Federal agencies need robust cybersecurity now more than ever--and
CDM has the potential to be an important line of defense.
Through the CDM program, DHS works with Federal agencies to procure
cybersecurity tools and services to fend off cyber attacks.
The program works in tandem with EINSTEIN to keep out unauthorized
traffic, continuously monitor for threats, improve visibility of
network assets, and prioritize efforts to correct vulnerabilities.
Unfortunately, Federal agencies have been slow to adopt and fully
deploy CDM technologies.
In a hearing earlier this year, we learned that agencies and CDM
vendors are struggling to compensate for a lack of cyber expertise
among agency personnel.
The witnesses told us that these employees need to be better
trained on how to use CDM tools in order to reap all the security
benefits they provide.
We also heard that, after 5 years, agencies still do not have a
full accounting of all the devices connected to their networks.
Agencies need this visibility, since they cannot protect what they
do not know they have.
These obstacles are compounded by the staggering number of cyber
vacancies throughout the Federal Government, both for rank-and-file
civil servants, as well as key leadership positions.
Far too many agencies are still operating without a permanent chief
information officer in place.
We need to understand the challenges agencies are facing when it
comes to purchasing, installing, and deploying CDM capabilities, and we
need to make sure you have the resources, support, and statutory
authority necessary to continue moving forward.
______
Statement of Ranking Member Cedric L. Richmond
March 20, 2018
The Continuous Diagnostics and Mitigation (CDM) program is a key
component of the Department of Homeland Security's (DHS) overall effort
to protect the ``.gov'' domain. Through CDM, DHS works with agencies to
procure cybersecurity tools and services that will enable them to
identify and defend against attacks. These tools are increasingly
important in today's security environment.
Every year, Federal networks get hit by tens of thousands of
attempted intrusions--many of them highly sophisticated, state-
sponsored attacks. According to the Office of Management and Budget,
Federal agencies endured over 35,000 cybersecurity incidents in fiscal
year 2017, which is higher than previous years. As initially
envisioned, CDM would provide Federal agencies with the information and
tools necessary to protect their networks, including:
What devices and assets are on an agency's network?
Who has access to an agency's network, including those parts
of the network reserved for privileged users?
What happens on the network, and how data is stored and
protected?
Unfortunately, agencies have been slow to realize the potential
benefits of CDM due to unanticipated implementation challenges. For
example, Federal agencies struggled to complete the difficult task of
identifying all of the devices, assets, and endpoints on agency
networks. Moreover, when the Cybersecurity and Infrastructure
Protection Subcommittee held a hearing with CDM contractors in January,
witnesses observed that many agencies lack personnel with the
appropriate training and expertise to reap the full value of CDM tools,
particularly the dashboards.
This subcommittee has repeatedly examined cyber workforce
challenges throughout the Federal Government, and our witnesses in
January reminded us that there is no silver bullet technology can
replace human capital. We also learned that, although the CDM program
has been in place for 5 years, agencies still do not have full
visibility into the IT assets on their networks. Without this
visibility, it is impossible for agencies to know who has access to
their networks, and what exactly they need to protect. Today's
witnesses can provide an important and informed picture of how CDM
tools and services are being adopted and deployed at their respective
agencies.
I am interested in knowing not only the status of implementation,
but also how these agencies are working with the Department of Homeland
Security, and how effectively the Department has been able to respond
to agency needs. I also hope to hear what Congress can do to make sure
CDM is an effective tool for raising the bar on cybersecurity
throughout the Federal Government.
Last week, the Department of Homeland Security and the FBI issued a
technical alert on the Russian government's efforts to use cyber tools
to target U.S. Government entities. These cyber attacks were carried
out over the course of 2016, and parallel Russia's attacks on our
electoral system and democratic institutions. It is clear that the
Kremlin will continue to be relentless in its assault on our Federal
networks, and the networks that support our Nation's critical
infrastructure. And, we know that China, Iran, and North Korea are
sophisticated cyber actors that are constantly working to build a more
robust cyber ``arsenal'' that could be used against our Federal
networks. We must remain vigilant in protecting the .gov, and do
everything in our power to ensure the Federal Government has the
resources needed to act quickly to protect itself.
______
Statement of Honorable Sheila Jackson Lee
March 20, 2018
Chairman John Ratcliffe and Ranking Member Cedric Richmond, of the
House Homeland Committee's Subcommittee on Cybersecurity and
Infrastructure Protection; and Chairman William Hurd and Ranking Member
Robin Kelly of the House Government Reform's Subcommittee on
Information Technology thank you for today's joint hearing on ``CDM:
Government Perspectives on Security and Modernization.''
On January 17, 2018, the Homeland Security Committee's Subcommittee
on Cybersecurity and Infrastructure Protection held a hearing on ``CDM:
the Future of Federal Cybersecurity.''
That hearing engaged non-Government stakeholders who provided
Members of the subcommittee on Homeland Security with the opportunity
to learn more about the Continuous Diagnostics and Mitigation (CDM)
program, a key component of the Department of Homeland Security's (DHS)
overall effort to protect Federal network.
Today's hearing will give Members an opportunity to hear agency
perspectives on the Continuous Diagnostics and Mitigation (CDM)
program.
Our witnesses will provide valuable insight into the civilian
agency experience with the rollout of CDM throughout the Federal
Government:
witnesses
David Garcia, Chief Information Officer, Office of Personnel
Management;
Max Everett, Chief Information Officer, Department of
Energy;
Scott Blackburn, Executive in Charge, Office of Information
Technology, Department of Veterans Affairs; and
Kevin Cox, Program Manager, Continuous Diagnostics and
Mitigation, Office of Cybersecurity & Communications,
Department of Homeland Security (Democratic Witness).
The Continuous Diagnostics and Mitigation program is an active
approach to fortifying the cybersecurity of Government networks and
systems.
The security of Federal agency networks has been a major concern of
mine since I chaired the Subcommittee on Transportation Security, which
at that time had jurisdiction over cybersecurity issues.
Earlier this year, the House passed H.R. 3202, the Cyber
Vulnerabilities Disclosure Act, which I introduced to address the need
for effective and aggressive action to deal with the threat of Zero Day
Events.
H.R. 3202 requires the Secretary of Homeland Security to submit a
report on the policies and procedures developed for coordinating cyber
vulnerability disclosures.
I have also introduced last Congress and again this Congress a bill
to address the cybersecurity workforce shortage in the Federal
Government.
The bill H.R. 1981, Cyber Security Education and Federal Workforce
Enhancement Act, which will establish the process for looking outside
of DHS and within its ranks to solve the shortage of cybersecurity
professionals.
The solution is making sure that from early childhood education
through University programs young people are prepared with the
fundamentals needed to excel in course work associated with computing
security degrees or certification.
The need for a strong cybersecurity posture for our Nation's
Federal civilian agency computing networks is essential to a healthy
National security posture.
This month, the Office of Management and Budget (OMB) reported that
``[Federal] agencies endured 35,277 cybersecurity incidents in fiscal
year 2017, a 14 percent increase over 30,899 incidents that agencies
reported in fiscal year 2016, with five of the fiscal year 2017
incidents reaching the threshold of `major incident' due to their
impact.''
The Continuous Diagnostics and Mitigation or CDM provides Federal
departments and agencies with the tools needed to identify
cybersecurity risks on an on-going basis, prioritize these risks based
upon potential impacts, and enable cybersecurity personnel to mitigate
the most significant problems first.
The Congress established the CDM program to provide adequate, risk-
based, and cost-effective cybersecurity and more efficiently allocate
cybersecurity resources.
It is true that each Federal agency is responsible for protecting
its own information systems; however, some agencies, including DHS,
play a larger role in Federal network security.
Under the Federal Information Security Modernization Act, DHS is
required to deploy technologies to continuously diagnose or mitigate
cyber threats and vulnerabilities and make such capabilities available
to agencies upon request.
The law essentially codified the CDM program, which DHS is
implementing.
DHS entered into partnership with GSA in 2013 to meet the statutory
obligation of the Federal Information Security Modernization Act, which
facilitated agencies purchase of consistent, compliant technologies
that offered ``Information Security Continuous Monitoring Mitigation''
(ISCM).
The first contract was awarded on August 12, 2013, to 17 companies,
supported by 20 subcontractors, that received awards under a $6
billion, 5-year companion Continuous-Monitoring-as-a-Service to deliver
diagnostic sensors, tools, and dashboards to agencies.
CDM is an essential part of the Department of Homeland Security's
overall effort to protect the civilian Federal network.
Implementation of CDM is being phased in under the process
established by DHS using several contractors and subcontractors.
There have been a number of challenges to the process of
implementing a Federal-wide CDM program.
DHS encountered a number of unexpected challenges during the
rollout of Phase 1.
For example, neither DHS nor the customer agencies anticipated how
difficult it would be to identify all the hardware and software assets
associated to a network and grossly underestimated the number of
agency-connected devices, which delayed the purchase and installation
of the necessary sensors.
In May 2016, GAO reported that most of the 18 agencies covered by
the CFO Act that had high-impact systems were in the early stages of
CDM implementation, and many were proceeding with plans to develop
their own continuous monitoring strategies, independent of CDM.
Further, only 2 of the 17 agencies reported that they had completed
installation of agency and bureau or component-level dashboards and
monitored attributes of authorized users operating in their agency's
computing environment.
Due to these unexpected challenges the early estimates of
completing Phase 3 by 2017 were not met.
These issues as well as the urgency of protecting Federal agency
networks makes it imperative that we have DHS before the committee to
provide an update on the CDM program.
I look forward to hearing the testimony from today's witnesses.
Mr. Chairman, I yield back.
Mr. Ratcliffe. Having already introduced our distinguished
panel, I now ask the panel to stand. Raise your right hand so I
can swear you in to testify.
[Witnesses sworn.]
Mr. Ratcliffe. Let the record reflect that the witnesses
have answered in the affirmative. You all may be seated.
The witnesses' full written statements will appear in the
record.
The Chair now recognizes Mr. Everett for 5 minutes for his
opening statement.
STATEMENT OF MAX EVERETT, CHIEF INFORMATION OFFICER, U.S.
DEPARTMENT OF ENERGY
Mr. Everett. Good afternoon, Chairman Hurd, Chairman
Ratcliffe, Ranking Member Connolly, Ranking Member Richmond,
and the rest of the distinguished panel. On behalf of Secretary
Perry and Deputy Secretary Brouillette, I appreciate the
opportunity to come and talk to you today about CDM and
modernization and our implementation at the Department of
Energy.
Chairman Hurd, we talked last November at a hearing, and
you asked me a very pointed question: Do I know everything that
is on all of our viewing networks? My blunt answer had to be
no. While that is still the case, I am happy to be here to talk
a little more about some of the work and efforts we are making
so I can change that no into a yes.
First, as the Department CIO, I report directly to the
Secretary and deputy secretary, which I think is a critical,
critical thing for all CIOs in government. I think it is also
important because our Secretary and deputy secretary have made
cybersecurity a priority, not only for our internal networks
but also in our role as a sector-specific agency to the energy
sector, and I think that is critical. Our Secretary and deputy
secretary understand very well the importance of knowing
everything that is on our network as a first step to having
basic cybersecurity.
The Secretary and deputy secretary fully support our
enterprise plan of action and have directed me to move with all
due haste in rolling out CDM capabilities across our networks
where we have many gaps, including at our National labs, our
sites, and at the Power Marketing Administrations. In both the
public sector and private sector, one of our challenges is,
frankly, we are moving to a new model. The old model was staff
augmentation. The old model was counting contractors. We are
moving to a new model, and that new model is around managed
services and automation. That is a significant challenge
because most of us in Government and, frankly, even many in the
beltway vendor community have not really caught up yet. That is
an on-going challenge for us. I know it very well as a former
Federal contractor.
In the Federal work force, I need people not only with the
technical skills to use all these new tools, but I also need
people who have customer service ability. I need people who can
understand organizational management, people that understand
business process. We've got to find, as you spoke about
Congressman Connolly, we've got to have a new model to bring in
the talent that we need to achieve the goals that we're talking
about.
I believe that CDM and modernization go hand-in-hand.
Chairman, as you talked about earlier, CDM actually can be a
great driver for modernization, the information and the data we
get from that can help us in prioritizing what we modernize and
putting those priorities out front. In turn, I believe
modernization sets out the platforms that will allow us to do
the automation that makes CDM more and more valuable as we go
along.
It is essential for the incentives for both the CDM Federal
contracts folks, as well as the vendors, to be aligned to the
right goals. I think that's one of our other critical elements
here, is to make sure that we have incentivized folks to go for
our goals. Our goals are not how many tools we have placed in
the environment or necessarily the time lines; our goals are to
provision and provide secure and efficient capabilities to meet
our missions. So we've got to find some ways to make sure that
our incentives match that goal.
I do want to mention, while we are here, I want to thank
Kevin Cox, one of my fellow panelists, as well as and Mark
Kneidinger at DHS. I've had multiple opportunities to interact
with them and their teams. My team meets regularly with them. I
want to give them kudos because, very frankly, this program
been around for a few years, and really and especially in the
last year, they've done significant work in making the program
more collaborative. I think we need to continue that process of
collaboration. One of the challenges, to be very frank with
you, about CDM is that many departments have perceived this as
a program being done at them rather than with them. I think
Kevin and Mark Kneidinger and their team have done a lot to
reverse that viewpoint.
I want to mention that, again, visibility that CDM brings
is only the first step. It's going to require action. We need
to focus on making sure that the things we get out of CDM at
the Federal level and the Departmental level are actionable
information that we can move forward with. We've got to do
that, and we know that you're going to hold us accountable for
doing that.
I want to give you a quick example: One my labs used a CDM-
like capability last year to help them find some unmanaged
cloud services in their environment and the steps they took
around customer service admission resulted in provisioning new,
better, and more secure capabilities and removing those things
which were a management risk out of the environment. We want to
find more opportunities to do exactly that kind of thing across
the Department and across the Federal enterprise.
Finally, I do want to mention the MGT Act. The tools--the
technology management fund as well as the working capital
fund--are critical tools for all of us in the CIO community.
I'm happy to report that I've had a lot of progress talking to
our CFO shop, and we put in five proposals to OMB for using the
technology management fund and are very hopeful that that will
be fully funded very soon by Congress.
I want to thank you again for the opportunity to come and
talk about this. It is an important issue, and it is a critical
tool for us across Government and look forward to answering
your questions.
[The prepared statement of Mr. Everett follows:]
Prepared Statement of Max Everett
March 20, 2018
Good afternoon Chairmen Hurd and Ratcliffe, Ranking Members
Connolly and Richmond, and distinguished Members of the committees. On
behalf of the Secretary and deputy secretary of Energy, I thank you for
inviting me to testify about the Department of Energy's (DOE or
Department) experience with Continuous Diagnostics and Mitigation (CDM)
capabilities and tools.
doe priorities
As the Department's chief information officer (CIO), I report
directly to the Secretary and deputy secretary, properly positioning me
to ensure that decision-making processes across the Department factor
in Information Technology (IT) and cybersecurity considerations from
the outset. The Secretary and deputy secretary have repeatedly
emphasized to senior Departmental leadership the importance of weaving
cybersecurity into the fabric of DOE policy and operations. They
understand that the first step toward protecting information and
systems is to have visibility into what is connected to and runs on DOE
networks.
Chairman Hurd, at the Federal Information Technology Acquisition
Reform Act (FITARA) 5.0 hearing this past November, you asked me
whether I could say that I knew everything that was connected to DOE
networks. My response then was blunt: I said I could not. Today, 4
months later, while that message has not changed, I am pleased to talk
about the work we are doing to be able to answer that question with an
emphatic ``yes.'' The lack of fidelity and visibility about what is
connected to DOE's networks raises our cybersecurity risk profile to an
unacceptable level; urgent action is needed.
The Secretary and deputy secretary are aware of this issue and
fully support our enterprise-wide plan of action to obtain fidelity and
visibility, enabling DOE to properly protect its networks. We know that
CDM tools and capabilities are essential to providing visibility into
the content and connectivity of our networks. That is why the Secretary
and deputy secretary have given me clear direction to implement CDM as
swiftly as possible where gaps exist across the DOE enterprise,
including at the National Nuclear Security Administration (NNSA) and
its National Laboratories, the Office of Science National Laboratories,
the Power Marketing Administrations, plants, and sites. We also
recognize that CDM capabilities and automated data collection and flow
will enhance DOE's Integrated Joint Cybersecurity Coordination Center
(iJC3)--which provides cybersecurity threat analysis, tracks advanced
persistent threats, and distributes automated threat information--by
providing additional visibility into the network enterprise-wide.
Furthermore, CDM will accelerate the availability of the more detailed,
relevant, and reliable data necessary to better inform our Enterprise
Risk Management processes.
Implementation of CDM Phase 1 and 2 has been accomplished for DOE
Headquarters. This is approximately 8 percent of the Department's
networked endpoints. I am pleased to report that the Department is
looking forward to deploying the common elements of the CDM platform
across the DOE enterprise to fill gaps in current capabilities. The
Department developed a 180-day strategy to identify and address gaps in
CDM Phase 1 and 2 capabilities and to plan implemention of Phase 3
capabilities. This, in combination with mutually reinforcing, on-going
IT modernization efforts, will be calibrated to ensure DOE's continued
mission success throughout the enterprise.
cdm status
The Department recognizes that sound and comprehensive
vulnerability detection requires a multi-dimensional approach involving
asset management, automated tools, monitoring of communication
channels, and human analysis. We believe that implementing CDM
capabilities will play a key role in this multidimensional effort.
Unfortunately, we are still in ``catch-up'' mode with
implementation of CDM enterprise-wide. The Department took a scaled
approach to CDM Phases 1 and 2. Before embarking on the larger-scale
deployment of CDM across the DOE enterprise, DOE first piloted tools
and sensors on the Energy Information Technology Services (EITS)
network, which is the network the Office of the CIO directly manages.
We fully implemented CDM Phase 1 tools and sensors across EITS, and
successfully tested data transfers with the Department of Homeland
Security (DHS). Further, we procured the tools to implement CDM Phase 2
for EITS and are working with a vendor on that implementation. We
estimate completion in November 2018.
cdm next steps
While we are taking measured, prioritized actions to meet our
goals, we appreciate the cooperation and collaboration of our DHS
partners. In partnership with DHS, we will conduct a CDM Phase 3 needs
assessment--enterprise-wide--to identify and address gaps for the
remainder of the Department, including NNSA and its National
Laboratories, the Office of Science National Laboratories, the Power
Marketing Administrations, plants, and sites. I am pleased to report
that we have a high level of confidence in our gap analysis
methodology, cost estimates, and due diligence.
In the coming weeks, we intend to utilize the CDM Dynamic and
Evolving Federal Enterprise Network Defense (DEFEND) Request for
Service (RFS) Process to address Phase 1 and 2 gaps in deployment in
addition to Phase 3 and 4 Planning and Implementation requirements. We
have incorporated lessons learned from our EITS pilot to streamline the
Department's approach and planning as we progress through CDM Phases 3
& 4 with DHS.
My assessment is that CDM capabilities will complement and enhance
DOE's IT modernization efforts by helping us identify and prioritize
legacy systems in need of remediation. OCIO recognizes that it is not
prudent to apply CDM to failing network infrastructures or outdated
systems that use legacy software, some of which are no longer
supported. While this change will be uncomfortable at first,
streamlined and prioritized IT modernization efforts that are fully
informed by CDM will, in turn, lay a foundation for further security
upgrades, including the components of CDM Phases 3 and 4, and should
result in better network security and cost savings through operating
efficiencies.
opportunities for improving cdm
Opportunities exist for additional streamlining and acceleration of
the CDM implementation process. We will make the most progress when we
lead with the areas where shared platforms hold the most obvious and
direct opportunities for improved visibility, awareness, and on-going
mutual benefits between DOE and Federal agencies. On the other hand,
where we have exceptions that require special considerations due to
unique environments and mission requirements, we are committed to
finding ways to account for their presence on the network, as well as
identifying opportunities to adapt or upgrade those systems to make
them compatible with enterprise-wide CDM.
We encourage DHS to continue to work actively and collaboratively
with their counterpart departments and agencies to develop the CDM
dashboard and associated metrics, which need to be usable and
actionable by providing relevant threat and vulnerability information.
I am confident that the CDM dashboard will provide significant value to
the Department as CDM is implemented across the enterprise. The value
of the CDM dashboard will be the extent to which it allows us
visibility into the networks while providing actionable information and
intelligence that can drive real-time decisions that result in
increased protection for DOE systems and information. Establishing a
credible feedback loop that takes into account the customers'
requirements across the Federal enterprise is essential.
We also encourage DHS to continue to actively work with DOE and
other departments and agencies in the decision-making processes around
the maturation of the CDM program, particularly with regard to
contracts, metrics, priority data, and parameters. To have a truly
shared platform, we need the information to flow in both directions.
Collaboration and cooperation are key to mission success Government-
wide. Having a genuine shared platform means having a shared
responsibility for the information that we feed into the system, as
well as for the information we will receive and use for threat analysis
and incident response.
workforce
At DOE, our people are the key to and foundation of our mission
success. We are focused on developing our employees' expertise,
expanding our talent pool, and working to optimize the integration of
automated systems, such as CDM, to find ways for systems to conduct the
automated tasks and large-scale processing for which they are best
suited.
Further, we must attract and retain a world-class cybersecurity
workforce that has the skills necessary to successfully broker and
oversee cloud and managed-services solutions, and make key decisions
about how best to use new and rapidly-changing information both
tactically and strategically.
cdm and digital transformation
In addition to implementing CDM, DOE is conducting a range of IT
modernization efforts that are mutually reinforcing with CDM's
enhancements to network security. As we continue to implement CDM, it
will generate data and visibility that will accelerate these
modernization efforts, and the modernization projects will, in turn,
provide a robust infrastructure for the deployment of additional tools
and capabilities, including CDM.
DOE is currently developing a Digital Transformation Strategy
(Strategy), which will provide an enterprise plan of action and include
a mechanism to measure results through enterprise requirements for the
Department. In addition, we are developing an Enterprise Architecture
and Roadmap tied to our Strategy.
Our Strategy will be built on a ``Cloud First'' policy to
transition from service owner to service broker. Consistent with the
President's direction in the IT Modernization Report, the Cloud First
policy fosters innovation, reduces costs, improves interoperability,
scales capacity to match demand, lowers operational costs, and
establishes the bedrock for future enterprise capabilities.
We have initiated seven Digital Transformation Work Streams to
define enterprise requirements and develop further recommendations for
modernization. These are: Trusted Internet Connection, Collaboration
Tools and Services, Directory Services, Data Center Optimization,
Email, Network Transport, and Mobility.
The Department's Data Center Optimization Work Stream is expected
to identify multiple opportunities for IT Modernization from
consolidation, virtualization, and cloud migration. Our goal is to move
IT workloads to the cloud, maximize virtualization, meet data center
closure targets, and retrofit the remaining data centers for optimal
energy efficiency while reducing costs.
We also have efforts under way to modernize DOE Headquarters
networks to a level consistent with the capacity, agility, and
resiliency of modern enterprise networks. This will establish the base
for commercial/managed-service implementations of services with
engineered and inherent cybersecurity capabilities, such as
Infrastructure-as-a-Service and Platform-as-a-Service in support of the
Data Center Optimization Initiative, and Enterprise Software-as-a-
Service solutions like cloud email and Desktop-as-a-Service, while
providing foundational requirements for enhanced cybersecurity tools,
products, and capabilities.
conclusion
Enterprise-wide CDM is a high priority for DOE, because of the
range of benefits we expect to see from its full implementation. CDM
will assist us with other critical and long-overdue efforts, such as IT
Modernization, while also providing us with timely, actionable
information to help us secure DOE information and systems.
I appreciate the committees' interest in this important topic, and
I look forward to continuing to work with our partners in Congress, as
well as our colleagues at DHS and across the Federal Government, to
achieve our shared goals. It has been my distinct honor to testify
before you today, and I would be pleased to address your questions.
Mr. Ratcliffe. Thank you.
The Chair now recognizes Mr. Blackburn for 5 minutes.
STATEMENT OF SCOTT BLACKBURN, EXECUTIVE IN CHARGE, OFFICE OF
INFORMATION AND TECHNOLOGY, U.S. DEPARTMENT OF VETERANS AFFAIRS
Mr. Blackburn. Good afternoon, Chairmen Ratcliffe and Hurd,
and Congressman Connolly, and Members of the subcommittees.
Thank you for the opportunity to discuss the progress VA is
making toward its deployment of the Continuous Diagnostics and
Mitigation Program as well as our information and
modernization--information technology modernization effort.
Behind me today are Mr. Dominic Cussatt, chief information
security officer, and Mr. Gary Stephens, deputy CISO, who
oversees the VA CDM Program.
As a proud Army veteran, VA's sacred mission is personal to
me. I am a user of VA services. In January, the Baltimore VA
operated on my back. I am currently receiving physical therapy
at the Washington VAMC. I received part of my care through the
Veterans Choice Program. I'm a graduate of the vocational rehab
program. I use VA's on-line scheduling tools. I am one of five
siblings who have served in uniform. My father, like
Congressman Fitzpatrick, was a career FBI agent.
I left the business world in November 2014 to join VA
because I didn't believe VA was delivering on its promise to
veterans and I wanted to do something about it. I'm very proud
of the progress VA has made in this time. Since December 2015,
we have increased veteran trust by 22 percentage points from 47
percent to 69 percent.
For the past 6 months, I've been honored to lead the on-
going transformation in IT. It is an exciting time in VA IT. We
are replacing VistA with a modern electronic health record that
will achieve interoperability within VA, between VA and DOD,
and ultimately with community providers in the private health
care system. We have not signed the final deal yet with Cerner
Corporation, but we hope to be making an announcement soon.
Two weeks ago, we launched a beta version of our Lighthouse
Lab, VA's application programming interface, or API, management
platform that lets developers build out some standard set of
APIs. Lighthouse, formerly known as digital veteran platform,
or DVP, will be the API gateway that connects our disparate
systems, allowing information exchange and innovation.
Earlier this month, we announced the VA open-API pledge
that 11 major health care systems have signed encouraging
health care providers to commit to work together with VA to
accelerate the mapping of health data to industry standards. We
are expanding telehealth and self-service options to include
on-line scheduling to improve the veteran experience. We are
supporting priorities efforts in the benefits space to include
Appeals Modernization and Forever GI bill. We are pushing
aggressively on our buy-first strategy to use commercial off-
the-shelf solutions to replace expensive and outdated systems.
Next week, we'll launch our new cloud-based software as a
service IT management tool, which will streamline internal
processes and provide a better end user experience for our
employees, allowing them to focus on serving veterans.
We are continuing our data center consolidation to be
compliant with FITARA. In fiscal year 2017, we closed 47 data
centers, and fiscal year 2018, we are in the process of closing
68 more. Of course, underpinning all of this is improving our
cybersecurity through our Enterprise Cybersecurity Strategy
Program to guard against cyber threats moving from reactive
posture to a proactive, threat-based computer network defense
approach.
With cybersecurity in mind, we are committed to protecting
veteran information such as mine and limiting access to only
those with proper authority. I am proud of the accomplishments
and how we are securing VA's IT infrastructure. As of December
2017, we have secured 92 percent of medical devices with
vulnerabilities. We have increased PIV enforcement from
unprivileged users from 12 percent in 2016 to 91 percent. We've
achieved 100 percent enforcement of two-factor authentication
for privileged users. We have reduced our unadjudicated
software by 94 percent. We have blocked 7.5 billion malware
attempts over the past 2 years, and we monitor more than 45
billion emails daily. Through our Enterprise Cybersecurity
Strategy Program, ECSP, we managed cybersecurity risk to
protect VA information systems. This includes embarking on a
change in mindset of how we manage cyber risk. VA's CDM Program
is a piece of that larger VA information security continuous
monitoring strategy covering 15 continuous diagnostic
capabilities which are distributed across its four phases. We
can elaborate further on those phases during the course of the
hearing.
As part of the CDM effort, we are also documenting and
defining existing network hardware application, security
products, and configuration control settings currently deployed
across the agency to further understand the activity across the
network.
Thank you again for the opportunity to discuss our
cybersecurity and IT modernization efforts. Ensuring a safe and
secure environment for veteran information and improving their
experience is our goal. I look forward to your questions.
[The prepared statement of Mr. Blackburn follows:]
Prepared Statement of Scott Blackburn
March 20, 2018
Good afternoon, Chairmen Ratcliffe and Hurd, Ranking Members
Richmond and Kelly, and distinguished Members of the subcommittees.
Thank you for providing me with this opportunity to discuss the status
and progress that VA's OIT is making toward its deployment of the
Federal Government's Continuous Diagnostics and Mitigation (CDM)
Program and our Information Technology (IT) modernization effort. I am
pleased to be joined today by Mr. Dominic Cussatt, chief information
security officer, and Mr. Gary Stevens, (acting) deputy CISO, executive
director policy and strategy.
The health, safety, welfare, and prosperity of our Veterans are our
highest priorities at VA. As one of five siblings who is either a
Veteran or still serving in uniform and are all at least the fourth
generation of U.S. military Veterans in our family, I take personal
pride every day in fulfilling VA's sacred mission, and believe in
making VA the best choice for Veterans. We want all Veterans to choose
VA like I have, not because it is their only choice, but because we are
the best at what we do.
It is an exciting time to be leading OIT with all of the
significant strides we are making in information technology. VA is
making progress in its cybersecurity and modernization initiatives as
well as with Federal Information Technology Acquisition Reform Act
(FITARA) and Federal Information Security Management Act (FISMA)
compliance. We have announced our intention and will soon be moving
forward to replace our decades-old VistA platform with a modern
Electronic Health Record (EHR) that will achieve full intra-VA and VA-
Department of Defense (DoD) interoperability. The new EHR will also
provide the capability for much improved interoperability with
community partners. This will be an important development since over 30
percent of our care is currently done outside the Veterans Health
Administration (VHA) system in the community.
VA recently announced the launch of a ``beta'' version of its
Lighthouse Lab, a computer platform offering software developers access
to tools for creating mobile and web applications that will help
Veterans better manage their care, services, and benefits. Eleven
leading health care systems have agreed to sign a VA Open Application
Programming Interface (API) pledge to accelerate the mapping of health
data to industry standards, including the current and future versions
of Fast Healthcare Interoperability Resources (FHIR).
VA is continuing to expand telehealth and self-service options,
such as on-line scheduling, to improve the Veterans experience. We are
pushing aggressively on our ``buy first'' strategy using commercial
off-the-self solutions to replace expensive and outdated systems. Next
week, we will launch a new cloud-based, Software as a Service (SaaS) IT
service management tool, which will standardize the delivery of IT
services and provide our employees with an efficient and consistent
end-user experience.
This is the second time in the past several months OIT leadership
has appeared before the House Oversight and Government Reform IT
Subcommittee. On December 7, 2017, we discussed the progress VA was
making toward its transformation efforts, notably our IT modernization
effort; FITARA and FISMA compliance; the Electronic Health Record
Modernization (EHRM) initiative; and Enterprise Cybersecurity Strategy
(ECSS). My testimony today will cover some of those topics with a
specific emphasis on the status and progress of the CDM rollout and our
IT modernization efforts.
enterprise cybersecurity strategy program (ecsp)
VA, our core constituents, and our external partners are subject to
a wide range of cyber threats. Given the high degree of connectivity,
interdependence, and reliance on integrated open platform technology,
meeting cybersecurity challenges requires strategic attention and
collaboration across the VA ecosystem.
Within OIT, we are committed to protecting Veteran information and
VA data, as well as limiting access to only those with the proper
authority. This commitment requires us to think agency-wide about
security holistically. To achieve this end, VA Office of Information
Security (OIS) manages cybersecurity risk through VA's ECSP to enable
VA to securely fulfill our mission and protect VA information systems.
As part of the ECSP, VA's Enterprise Cybersecurity Strategy is
being refreshed to reinforce VA's strategic goals and objectives that
inform cybersecurity behaviors at VA. Our principles include, but are
not limited to, protection of VA data and Veteran information, evolving
VA's resiliency to better adapt to advanced cyber threats,
identification and strengthening mission critical systems and
infrastructure, modernizing IT, overseeing a secure operational
environment, and the recruitment, development, and retention of a
talented cybersecurity workforce.
With the establishment of ECSP, we are embarking on a change in
mindset of how to manage cyber risk. Through ECSP, we will make
prioritized, defensible decisions related to the implementation of
cybersecurity projects (that may be technical or procedure-based),
align programmatic activities with the National Institute of Standards
and Technology Cybersecurity Framework (NIST CSF), and create an
integrated and transparent program across each level of the program,
which includes Government-wide statutory requirements, VA policy and
implementation guidance, organizational cybersecurity capabilities,
mission/business processes, and the information system level.
We have recently focused on the following:
Plans of Action created in response to the fiscal year 2015
Office of Inspector General FISMA audit, which have been closed
as of December 31, 2017.
Eight Strategic Domains created as a result of VA's 2015
Enterprise Cybersecurity Strategy following the release of the
Office of Management and Budget (OMB) Cybersecurity
Implementation Plan on October 30, 2015.
VA's ECSP is another step forward in VA's commitment to
safeguarding Veteran information and VA data within a complex
environment. Our strategy establishes an ambitious, yet carefully
crafted approach to cybersecurity and privacy protections that helps VA
to execute its mission of providing quality health care, benefits, and
services to Veterans, while delivering on our promise to keep Veteran
information and VA data safe and secure.
va information security continuous monitoring (iscm) and continuous
diagnostics and mitigation (cdm)
ISCM at VA
In the fall of 2017, we approved our VA ISCM Strategy and the
associated ISCM Integrated Project Team (IPT) Charter. The ISCM
Strategy and IPT Charter guides VA's continuous monitoring program
moving forward detecting and safeguarding systems and data, patient
safety, and assisting Veterans after their military career.
Our ISCM program supports a comprehensive VA organizational risk
management program. Aligning ISCM to VA's IT risk management program
and, in turn, the enterprise risk management program, will provide
cost-effective risk management across the organization. ISCM IPT will
pursue the following actions to realize this objective:
Align ISCM activities with risk management activities to
provide VA with comprehensive awareness of the security posture
and IT infrastructure, assets, and data.
Align ISCM activities with the on-going authorization
process as it is developed, so information systems security
controls are evaluated with data to maintain their on-going
authorization status.
Implement a process to identify and prioritize critical ISCM
data to collect and monitor, and allow ISCM data to support
security control assessments.
Validate that the ISCM strategic planning process is
adequately documented. The ISCM strategic planning process
should be transparent and communicated to ISCM stakeholders.
OIT will integrate the current and upcoming ISCM capabilities to
effectively evaluate VA's information system posture across the agency.
This is accomplished through developing and deploying an end-to-end
architecture. ISCM capabilities are being automated to the extent
possible by leveraging the Department of Homeland Security (DHS) CDM
program, while recognizing some security controls cannot be monitored
by automated means. Integrating CDM capabilities into the overall ISCM
capabilities and augmenting as necessary with automated and manual
monitoring will give VA the ability to meet Veteran and operational
needs. As ISCM evolves, the frequency of monitoring security controls
and collecting measurement data stated in VA policy and procedures will
be reviewed and revised.
VA's ISCM strategy outlines processes for updating VA directives,
handbooks, and standard operating procedures accordingly to align to
the ISCM strategy. VA's strategy will be enacted through updates to VA
Handbook 6500, Risk Management Framework for VA Information Systems, VA
Handbook 6500.3, Assessment, Authorization, and Continuous Monitoring
of VA Information Systems, and associated ISCM procedures. These
documents provide ISCM policy and procedures, in accordance with the
NIST Special Publications (SP) 800-137, Information Security Continuous
Monitoring for Federal Information Systems and Organizations. VA
Handbook 6500.3 was created to establish requirements and
responsibilities for VA to confirm compliance with Assessment and
Authorization and continuous monitoring requirements for VA information
systems as required by FISMA.
Monitoring tools used for ISCM, CDM, and legacy controls are
integrated to achieve data synchronization, elimination of data error,
and minimization of human interaction. OIT deploys a variety of tools
to maintain situational awareness of VA's security posture. Integrating
these monitoring tools across VA is the initial action in automating
the monitoring, reporting processes. One of the goals of VA's ISCM
strategy is to integrate existing and planned ISCM capabilities in
order to form a monitoring solution for VA. This includes integrating
existing capabilities such as the VA Cyber Security Operations Center
Security Incident and Event Manager and the VA Governance, Risk
Management, and Compliance tool into CDM dashboards, as part of Phase 1
of CDM development at VA. Integrating these capabilities and others
will inform data analysis and reporting on the effectiveness of VA's
ISCM program.
The VA ISCM strategy incorporates a variety of performance measures
designed for evaluating the effectiveness of our program. Our program
measurement sources include:
FISMA ISCM Program Maturity Model.--Summarizes the status of
the ISCM program and its maturity based on a five-level scale.
Fiscal Year 2017 Chief Information Officer FISMA Metrics.--
Used to assess Federal cybersecurity programs on the progress
of their program implementation.
NIST CSF.--Provides guidance on cybersecurity metrics and
measurements.
VA Enterprise Security Architecture.--Informs ISCM measures
regarding the maturity of current capabilities.
Looking forward, we are seeking additional stakeholders across OIT
to join our ISCM IPT to provide insight into how VA currently tracks
and reports ISCM-related data. Our IPT stakeholders will assist in the
identification of existing ISCM tools, capabilities, and projects to
provide a clear indication of how VA currently monitors its network.
Ultimately, a more diverse set of stakeholders across our ISCM IPT will
enable various groups across VA to work in concert on future ISCM
efforts, while also providing varied inputs in order to confirm we are
weighing multiple options when our IPT comes to key decision points.
CDM at VA
CDM is a dynamic effort and the needs of different agencies vary.
VA's CDM program is a piece of the larger VA ISCM strategy. The VA CDM
program covers 15 continuous diagnostic capabilities, which are
distributed across its four phases:
Phase 1.--Identify assets on VA network.
Phase 2.--Identify and monitor users on the network.
Phase 3.--Identify what is happening on the network as well
as ways to protect it.
Phase 4.--Identify risks on an on-going basis, prioritize
risks based on potential impacts, and enable cybersecurity
personnel to mitigate the most significant problems first.
VA would like to provide a more in-depth breakdown of where we are
within Phase 1 of our CDM program:
Hardware Asset Management (HWAM)--We are currently
implementing HWAM tools and integrating these tools to assist
in identifying Internet Protocol addresses across the VA
network and is intended to assist in the classification of
systems and provide reports to our central dashboards. This
work covers approximately 2,500 facilities including hospitals,
Benefit Centers, Information Technology Centers, VA Central
Office, Data Centers, and others.
Software Asset Management (SWAM)--We are currently
implementing our SWAM tool, which is designed to inventory
software used in the agency and report the information to our
central dashboards. Our team is creating lessons learned from
HWAM and analyzing them prior to rolling these tools out.
Configuration Settings Management (CSM)--Our team is
currently analyzing existing systems. We are identifying
security configuration benchmarks that exist for each IT asset
type.
Vulnerability Management (VUL)--We are currently
implementing our Dashboards, so we can eventually feed into the
DHS Federal Dashboard.
We are also documenting and defining existing network hardware,
applications, security products, and configuration control settings
currently deployed across the agency in order to further understand the
activity across the network. OIT is in the midst of providing
visibility into the reporting endpoints and depicting them on a CDM
dashboard to assist in vulnerability management.
The central dashboards will provide actionable information from
HWAM, SWAM, and other security tools for timely remediation of known
vulnerabilities as well as transmit data to a DHS Federal dashboard.
OIT documents and provides DHS and OMB its decision on the
implementation of any whitelisting applications under the DHS CDM
Program, as well as identifies a time line for its implementation. If
VA chooses a non-DHS whitelisting solution, VA delineates the solution
selected, the associated time line for its implementation, and the
integration mechanism for the CDM Agency Dashboard. The agency also
lists milestones for improving VA's performance in detecting and
blocking unauthorized devices and software.
Apart from the updates on Phase 1, we would also like to touch upon
our progress in implementing Phase 2 of our CDM Program.
VA conducted requirements sessions with VA Stakeholders, based on
the guidance provided by DHS, in order to prepare the CDM Phase 2
Business Requirements Document (BRD). The CDM Phase 2 BRD has been
developed and is currently under review. VA has identified the
following authoritative data sources to support the four core CDM
functions within the agency.
We will continue to collaborate across VA, with DHS, and with our
partners across the Federal Government in order to progress ISCM and
CDM at VA. We will leverage lessons learned and update our strategies
and policies in order to remain in lockstep with Federal statutes and
guidance. We will look to use the latest advancements in technology,
while also prioritizing security, in order to protect VA data and the
Veteran.
ois policy milestones
Recently, we have achieved various policy milestones on the path to
further advancing the VA cybersecurity program. These updates in policy
allow VA to strategically leverage technologies, which will better
serve the Veteran, while also confirming security is prioritized in
order to protect the Veteran and VA data.
Cloud activity continues to grow across Federal agencies. In order
to prioritize security and allow our stakeholders to use the latest
technologies, we have established the following:
Cloud Security Framework.--The use and adoption of cloud
computing provide great benefits to our mission of serving our
Veterans. VA's cloud security framework defines comprehensive
and synchronized capabilities to identify and manage cloud
security risks, protect access to our cloud environment,
protect cloud applications and data, secure cloud network
configuration and connectivity, oversee the physical
environment security, monitor the cloud environment, and
provide the ability to rapidly respond and recover from a
cybersecurity event. These cloud security capabilities address
security concerns, and allow VA to capture benefits from cloud
computing to serve the Veteran while protecting Veteran and VA
data.
Cloud Security Guidance.--Our Cloud Security Guidance, which
aims to provide guidelines and the minimum requirements, is
intended to mitigate the risk associated with increased attack
surface for cloud-based systems. Cloud Service Providers are
especially vulnerable to attackers due to the value and
quantity of data being stored in the cloud. Multi-tenancy
increases this risk as VA will not have control of or insight
into the security posture of other tenants. Due to lack of
familiarity with cloud, misconceptions about the shared
responsibility model, and a history of breaches in Government
cloud systems due to their misconfiguration, VA shall employ
cloud-centric defense-in-depth to help reduce these risks.
We have instituted VA Handbook 6500.11, VA Firewall Configuration,
a firewall policy to cover new technologies in coordination with the
Office of Cybersecurity Policy and Compliance. This policy reflects
firewall configurations, which are required to comply with the
provisions of FISMA and other related information security requirements
promulgated by NIST and OMB. We have published VA Directive and
Handbook 6513: Secure External Connections, which governs the process
for managing and continuously monitoring VA connections.
it modernization
Foundation of Modernization
Secretary Shulkin is committed to this vision and making VA a
world-class organization. Whether it is from silos to collaboration, or
from process to Veteran outcomes, or from guarded to transparent, we
are changing the culture at VA. For OIT, that means we must innovate
and modernize to provide the best services possible. Modernizing our
technology plays a huge role in helping us achieve this objective. That
means looking differently at how we provide services to Veterans
insofar as how we streamline our approach to take advantage of new
technology and industry best practices; improve the ways we deliver
care, benefits, and services to Veterans; and how we embrace change and
refocus on why and how we serve Veterans.
VA OIT Modernization Strategy
The mission of VA OIT is to collaborate with our business partners
to create the best experience for all Veterans. OIT's three goals--
Stabilize and Streamline Processes; Eliminate Material Weaknesses; and
Institutionalize New Capabilities--drive our strategy and outcomes.
They are enduring and will continue to frame our plans for 2018 and
beyond. VA OIT approaches everything through our core values of
transparency, accountability, innovation, and teamwork. Values we seek
to embody, every day, in every project, and for every Veteran.
OIT is committed to VA's I-CARE (Integrity, Commitment, Advocacy,
Respect, and Excellence) values and the underlying responsibility to
provide the best level of care and services to our Veterans. We expect
nothing less and will not tolerate employees who deviate from those
core values.
Our comprehensive IT Plan is the foundation for reducing our
reliance on legacy systems, and creating new capabilities for a modern
VA by leveraging cloud, digital platforms, while incorporating other
modern and innovative technologies such as expanded telehealth,
robotics, Artificial Intelligence, mobile devices, machine learning,
Blockchain, and digital services to increase access, engagement, and
interoperability. Through this plan, we will stop or migrate 240 of our
299 projects over the next 18 months, and leverage a buy-first
strategy--getting us out of the software development business and
ensuring we are positioned to manage the influx of new technologies. We
will ensure that we have end-user accessibility of these systems to be
Section 508-compliant.
VA is investing in innovative solutions and industry best practices
to build a stronger; more advanced IT backbone to better serve Veterans
with a focus on Managing Data, Migrating to the Cloud, Improving
Cybersecurity, Digitizing Business Processes, and Decommissioning
Legacy Systems. OIT's five modernization priorities are built on
transformation. They facilitate a modern IT infrastructure that
supports OIT's vision of becoming a world-class organization that
provides a seamless, unified Veteran experience through the delivery of
state-of-the-art technology.
The Path Forward
We are plotting a path forward for a modern VA that seamlessly
connects Veterans with the care, benefits, and services they have
earned. In OIT, we are committed to investing in new and emerging IT
solutions such as artificial intelligence, robotics, and self-service
tools that revolutionize the way Veterans and VA employees interact
with our digital framework. This commitment enables VA to continue to
provide high-quality, efficient care, and services that keep up with
the latest technology solutions and standards of care. The future of
VA's IT modernization is rooted in eight of our key initiatives: EHRM,
enterprise-wide API Management Platform, Financial Management Business
Transformation, cybersecurity, scheduling enhancements, telehealth
expansion, legacy system modernization, and data center consolidation.
First and foremost is our EHRM initiative. On June 5, 2017,
Secretary Shulkin announced his decision to adopt the same Electronic
Health Records (EHR) technology as DoD. This transformation is about
improving VA services and significantly enhancing the coordination of
care for Veterans who receive medical care not only from VA, but DoD
and our community partners. We have a tremendous opportunity for the
future with EHRM to build transparency with Veterans and their care
providers, expand the use of data, and increase our ability to
communicate and collaborate with DoD and community care providers. In
addition to improving patient care, a single, seamless EHR environment
will result in a more efficient use of VA resources, particularly as it
relates to health care providers. This new EHR system will enable VA to
keep pace with the improvements in health IT and cybersecurity, which
the current system, VistA, is unable to do. Moreover, the acquisition
of the same solution as DoD, along with the added support of joint
interagency governance and support from National EHR leadership
including VA partners in industry, Government, academic affiliates, and
integrated health care organizations, will enable VA to meaningfully
advance the goal of providing a single longitudinal patient record that
will capture all of a Servicemember's active duty and Veteran health
care experiences. It will enable seamless care between the Departments
without the additional step of exchanging and reconciling data between
two systems that are not integrated and operate in separate
environments. To that end, the Secretary has insisted on high levels of
interoperability and data accessibility with our commercial health
partners in addition to the interoperability with DoD. Collectively,
this will result in better service to Veterans since transitioning
Servicemembers will have their medical records made available to VA
without any intervention.
Our second initiative supports VA's commitment to leverage our
community partners and innovative technologies to give Veterans a
digital experience in line with what they receive from the private
sector through APIs. VA's strategic open API program called Lighthouse
that adopts an outside-in, value-to-business-driven approach to create
APIs that are managed as products to be consumed by developers internal
and external to VA. Such an approach serves as a change catalyst, which
will allow VA to decouple systems and continue to leverage its
investment in various digital assets, support application
rationalization, and allow it to absorb new, commercial SaaS to replace
home-grown, outdated systems. This strategy calls for a clearly-defined
operating model for managing the complete life cycle of APIs and will
include the planning, design, implementation, publication, maintenance,
and retirement of APIs as well the operation of the API Gateway
platform on a VA private cloud.
The API Gateway leverages FHIR so as to enable enhanced data
interoperability between both internal and external systems. API-
enabled and FHIR-based solutions are easier for developers to implement
as it makes use of modern web standards and RESTful architectures with
more easily understood specifications. By liberating data and enhancing
interoperability with FHIR, VA will be able to shift ownership of the
data to Veterans and make that data more readily available for whom it
is necessary. Additionally, these resources will allow for more
powerful solutions to be developed which will allow for a more seamless
patient and provider experience.
We released our developer sandbox in beta 2 weeks ago. We are
looking for a small, initial-user group to join our developer community
to make sure we follow industry best practices around tools,
documentation, governance, and support workflows. As this community
grows and VA releases more APIs, Lighthouse will serve as the ``front
door'' to VA's vast data stores--giving developers access to
standardized data sets they need to build mobile and web apps for our
Veterans.
As part of VA's commitment to promoting interoperability and
standardized data sharing through Lighthouse, Secretary Shulkin
announced VA's Open API Pledge, which reaffirms VA's commitment to
giving developers access to our systems through standards-based APIs so
that they can build Veteran and clinician-designated applications. In
exchange, we are asking health care providers to sign a pledge to work
with VA to accelerate the mapping of health data to industry standards,
including the current and future versions of FHIR.
Our third initiative supports VA's back-end systems and reduces our
reliance on outdated legacy systems, so our clinicians and employees
have the modern tools and IT support they need. VA's Financial
Management Business Transformation effort is currently under way and
will positively impact the delivery of all health and benefits by
standardizing and improving accounting and acquisition activities
across VA's enterprise. VA has an urgent need to address multiple
legacy platforms used today in our finance and accounting mission
critical functions. We are working to adopt and implement a commercial,
cloud-hosted integrated financial and acquisitions system. This
transformation effort will increase the transparency, accuracy,
timeliness, and reliability of financial information. The result will
be improved fiscal accountability to American taxpayers and improved
care and services to our Veterans as well as transforming the
Department from numerous stovepipe legacy systems to a proven,
flexible, shared service business transaction environment.
Our fourth initiative focuses on bolstering our enterprise
cybersecurity framework to proactively respond to emerging data threats
and the evolving cybersecurity landscape. VA's Enterprise Cybersecurity
Strategy will ensure that Veteran data are secure, available, and safe
from cyber threats. Safeguarding Veteran information and VA data is
essential to providing quality health care, benefits, and services to
our Nation's Veterans.
Our fifth initiative extends to modernizing and enhancing the
Department's scheduling systems. As a patient who receives treatment at
both the Washington, DC, and Baltimore VA Medical Centers, enhanced
scheduling is something I am very passionate about. We are launching
new digital tools that enable Veterans to schedule appointments on-
line, use mobile applications to manage prescriptions, and participate
in video conferences with their care providers as needed. We are also
investing in solutions that give our providers a more seamless
experience with the back-end scheduling tools they need to serve our
Veterans. We have made strides in our scheduling tools, but we still
have a long way to go. We now have VistA Scheduling Enhancement (VSE)
upgrades fully implemented in 158 of 160 sites improving the interface
for the schedulers so they easily view appointment times and reduce
scheduling errors. Any person can now conduct their Scheduling
activities at those sites using VSE. Some sites have greater
utilization than others based on the level of training of users per
site, which is increasing daily. We have seen on-line scheduling
increase 5 times due to recent improvements; this capability is
currently in place at more than 100 sites. The Medical Appointment
Scheduling System is being piloted in Columbus, Ohio, and the Faster
Care for Veterans Act test installs have been successfully completed in
Minneapolis, Minnesota; Salt Lake City, Utah; and Bedford,
Massachusetts. Last year, the Secretary launched a new access and
quality tool, known as ``Access to Care.'' This web-based site was
developed for Veterans and their families to see in real time the wait
times at local VA facilities, VA hospital ratings, and comparisons with
private hospitals in their area. This information empowers Veterans to
choose the time and place they receive their care. Not only will this
website take in and process complex data, but it will make the data
transparent to Veterans. We will continue improving transparency via
the Access to Care site as we receive feedback from Veterans,
employees, Veterans Service Organizations, and Congress.
In addition to scheduling enhancements, VA and OIT are making
strides in our telehealth programs. We are expanding telehealth
capabilities with hubs around the country to better service Veterans
who live in rural communities or have challenges accessing VA medical
centers due to their mobility. More Veterans have access to tele-
mental, tele-urgent, and tele-specialty care. On March 6, 2018, the
Secretary announced VA's plan to launch a Nation-wide telehealth
program to help Veterans dealing with post-traumatic stress disorder
(PTSD). The pilot program will connect 12 community-based outpatient
clinics (CBOC) across the Nation with Veterans in need of treatment for
PTSD. This program will help greater numbers of Veterans living in
rural areas and will save them time and effort to travel to a VA
facility that is far from their homes.
Another significant VA and OIT initiative is Legacy Systems
Modernization. We are moving critical functions from outdated and
difficult to sustain platforms into more modern systems that operate at
lower maintenance costs. Our planned IT investments prioritize the
development of replacements for specific mission-critical legacy
systems, such as the Benefits Delivery Network, as well as operations
and maintenance of all VA IT infrastructures essential to deliver
medical care and benefits to Veterans. Investments in IT will also
support efforts and initiatives that are directly Veteran-facing, such
as mental health applications to support suicide prevention,
modifications of multiple programs to accommodate special requirements
of the community care program, Veteran self-service applications
(Navigator concept), education claims processing integration
consolidation, and benefit claim appeals modernization.
OIT continues its Data Center Consolidation effort to merge and
close data centers at VA facilities Nation-wide. During fiscal year
2017 the team closed 24 data centers. The team plans to close another
91 by the end of fiscal year 2018. The benefits of the Data Center
Consolidation effort include increased system security, reliability,
and efficiency; enhanced cybersecurity; and the opportunity to
introduce innovative and cost-saving technological advances to VA
systems. These improvements will allow VA employees to spend less time
managing the infrastructure and more time on customer-focused
activities that better serve Veterans. As OIT continues to make
progress in data center consolidation, VA will remain a Government
leader in compliance with FITARA.
We are on an ambitious journey to become the No. 1 customer service
agency within the Federal Government. By investing in innovative
solutions--from technology to new ideas--we are on the right trajectory
to advance toward our modernization goals and to make VA a greater
choice for all Veterans.
conclusion
Thank you again for the opportunity to appear before you today to
address the status and progress that the VA OIT is making toward its
deployment of the CDM Program and our IT modernization efforts.
Throughout this modernization, our No. 1 priority has and will be
always the Veteran. Ensuring a safe and secure environment for their
information and improving their experience is our goal. I look forward
to answering your questions.
Mr. Ratcliffe. Thank you Mr. Blackburn.
The Chair now recognizes Mr. Garcia for 5 minutes.
STATEMENT OF DAVID GARCIA, CHIEF INFORMATION OFFICER, U.S.
OFFICE OF PERSONNEL MANAGEMENT
Mr. Garcia. Thank you, Chairman Ratcliffe, Chairman Hurd,
and distinguished Members of the subcommittees who are engaging
in this important discussion. I appreciate the opportunity to
appear before you here today.
Although I am new to OPM, I am pleased with the
transformative activities that my office is already
undertaking. Since arriving, I have worked with senior staff to
identify key priorities to drive our efforts to build
governance processes to support our work. We recognize that OPM
is an organization made up of terrific people with the mission
to serve not just the Federal work force but also the American
people. To successfully meet this important mission, OPM will
continue to bring to the Federal Government agile, modern IT
solutions that reflect its needs and leverage forward-leaning
capabilities. The Department of Homeland Security's CDM Program
is an important element to assist us with this goal.
As the former CIO for the State of Maryland and as an
executive with over 20 years private-sector experience, I look
at OPM's current posture through both a private and public-
sector viewpoint. There are two main points that I think are
critical to the context of the conversation we are having here
today. First, you must understand that CDM is a broad approach
and is continuously evolving. Every day, the malicious actors
around the globe, who are equivalent to military-grade
adversaries, are adapting. Therefore, as Federal agencies, we
need to have the flexibility to adapt rapidly.
Second, we must strive to have CDM and similar future
programs reduce the time required for the public sector to
procure technological solutions. As an entrepreneur and small
business owner and like our private-sector industry partners, I
had the flexibility to procure and implement solutions to
mitigate zero-day threats and vulnerabilities without delay.
However, as a CIO for a Federal agency, I do not have that same
flexibility. CDM can be tuned to enhance the abilities of
agencies to procure the needed cyber defenses as quickly as
possible. I feel this provides agencies the best fighting
chance to stay ahead of possible threats.
As you may know, OPM is one of first agencies to fully
implement CDM, and OPM completed implementation of phase 1 with
the CDM dashboard fully populated in the spring of 2017. This
phase focuses on managing what is on the network, to include
management and control of devices, software, security
configuration settings, and software vulnerabilities. For OPM,
this has meant gaining greater insights to connection points
within our network.
In addition, OPM has made use of CDM technologies to
identify and strategically resolve potential vulnerabilities,
which has resulted in better overall risk management and
response. OPM is on track to complete implementation of phase 2
in the summer of 2018, ahead of the scheduled fall 2018 target.
Phase 2 focuses on the management and control of user access
privileges. Phase 2 has allowed OPM to standardize the access
assistance so that management of all accounts is unified and
controlled through an agency governance process. Reducing the
volume and scope of user access also helps OPM identify
anomalies related to possible insider threat activities and
prevent data loss. This is especially critical in the context
of the events of 2015 because it will add additional two-factor
authentication requirements to address long-standing audit
findings.
OPM has been successful in the implementation of phase 1
and phase 2 due to the alignment of the technology with the
agency technology strategy and life-cycle management. The use
of CDM has set the stage for OPM to move into a continuous
monitoring approach that enhances OPM's ability to manage its
systems and continually evolve its systems to secure in real
time.
Looking forward, the future should allow CIOs and CISOs the
ability to move as quickly as new technologies and threats
evolve. Due to the asymmetric nature of attacks, we need to
consider security risks related to the increasing use of
artificial intelligence, AI, by our adversaries. For CDM to be
successful in the long term, it will need to continue to
evolve, including the use of new ideas and concepts, such as
the use of AI within the Federal networks.
I accepted the position at OPM because I truly believe in
the mission of OPM because it is an agency in which great
success can be achieved and demonstrated. The people of OPM are
dedicated. New technology is being implemented and the agency
is committed to supporting all the Federal employees who devote
their lives to serving the American people.
I look forward to working with the Members of these
subcommittees to continue our efforts at modernization and the
evolution of the CDM Program so that it will remain a
successful resource for Federal agencies.
Thank you for the opportunity to testify before you today.
I look forward to answering any questions you may have.
[The prepared statement of Mr. Garcia follows:]
Prepared Statement of David Garcia
March 20, 2018
Thank you Chairman Ratcliffe, Chairman Hurd, Ranking Member
Richmond, Ranking Member Kelly, and Members of the subcommittees for
engaging in this important discussion. I appreciate the opportunity to
appear before you today.
Although I am new to the U.S. Office of Personnel Management (OPM),
having only been at the agency for about 6 months, I am pleased with
the transformative activities that my office has already undertaken.
Since arriving, I have worked with senior staff to identify key
priorities to drive our efforts and to build governance processes to
support our work. We recognize that OPM is an organization made up of
terrific people with a mission to serve not just the Federal workforce,
but also the American people. To successfully meet this important
mission, OPM will continue to bring to the Federal Government agile,
modern Information Technology (IT) solutions that reflect its needs and
leverage forward-leaning capabilities. The Department of Homeland
Security's Continuous Diagnostics and Mitigation (CDM) Program is an
important element to assist us with this goal.
As the former chief information officer (CIO) for the State of
Maryland, and with over 20 years of private-sector executive
experience, I look at OPM's current posture through both a private- and
public-sector viewpoint. There are two main points that I think are
critical to the context of the conversation we are having today
regarding CDM. First, we must understand that CDM is a broad approach
and is continuously evolving. Every day the malicious actors around the
globe, who are equivalent to military-grade adversaries, are adapting.
Therefore, as Federal agencies, we need to have the flexibility to
adapt. Second, we must strive to have CDM and similar future programs,
reduce the time required for the public sector to procure technological
solutions compared to the time it takes in the private sector, which
contributes to a gap in preparedness. As an entrepreneur and small
business owner in the private sector, I had the flexibility to procure
and implement a solution to mitigate a zero-day threat or vulnerability
immediately; however, as the CIO for a Federal agency, I do not have
that same flexibility to get needed tools on our network in real time.
While CDM has certainly reduced the procurement time frame for
cybersecurity technology, a goal should be to continue to enhance the
ability for agencies to procure what they need to maintain the
appropriate cyber defenses as quickly as possible. The faster agencies
can procure technology, the faster technology can be implemented--which
gives agencies the best chance to stay ahead of possible threats that
continue to evolve and become more sophisticated.
Since coming to OPM, I have developed a vision of the top five
priorities the CIO must address to successfully support OPM. Those
priorities are: (1) Continue to fully mature the Risk Management
Program by building on OPM's cybersecurity success to date, applying
new technologies and techniques, and implementing the best practice
recommendations from the Department of Homeland Security, the
Government Accountability Office, and OPM's Inspector General, as
appropriate; (2) work with stakeholders to provide new and innovative
customer experiences through the latest technology; (3) utilize
technology to reduce the investigation inventory; (4) create IT
financial transparency through implementation of a standardized
technology with the ability to develop a sustainable, transparent, and
repeatable financial model; and (5) align the CIO organization to
better meet the needs of OPM by providing a foundation for current and
efficient services that will last longer than the life span of a server
and that can be leveraged for the long term.
CDM supports these priorities and OPM will continue to build off of
its successful implementation of CDM's Phase 1 and the continued
implementation of Phase 2. As you may know, OPM is one of the first
agencies to fully implement CDM, and we have benefited from the
enhanced visibility into who and what is on our network so that we can
more accurately and rapidly respond to potential risks. OPM completed
implementation of CDM Phase 1 with the CDM dashboard fully populated in
the spring of 2017 using the CDM sensors we've been deploying since
2015. This phase focuses on managing ``what is on the network,'' to
include the management and control of devices, software, security
configuration settings, and software vulnerabilities. For OPM, this has
meant gaining greater insights into connection points within our
network, which provides us with the ability to better regulate devices
connecting to the environment as well as a better understanding of what
should actually be on the network. In addition, OPM made use of CDM
technologies to identify and strategically resolve potential
vulnerabilities, which has resulted in better overall risk management
and response.
OPM is on track to complete implementation of CDM Phase 2 in the
summer of 2018, ahead of the scheduled fall 2018 target for the Federal
Government. Phase 2 focuses on the management and control of user
access privileges. Phase 2 has allowed OPM to standardize the access of
systems so that the management of all accounts is unified and
controlled through an agency governance process. Reducing the volume
and scope of user access also helps OPM identify anomalies related to
possible insider threat activities and prevent data loss. Access for
privileged users, which are users that have some administrative access
to systems or data, is being enforced through a separate login
mechanism. Our next step toward completion of CDM Phase 2 is to
activate additional two-factor authentication enforcement features.
This is especially critical in the context of the events of 2015
because it will add additional two-factor authentication requirements
to address long-standing audit findings.
OPM has been successful in the implementation of Phase 1 and 2 of
CDM due to the alignment of the technology available through CDM with
agency technology strategy and life-cycle management. The use of CDM
has set the stage for OPM to move into a Continuous Monitoring approach
that enhances OPM's ability to manage its systems and continually
evolve to secure its systems in near-real time.
I am also pleased with how CDM Phase 3 has evolved from offering
very specific software or capabilities within certain National
Institute of Standards and Technology control families to a ``buffet''-
style offering with software and capabilities supporting the necessary
agility that Federal agencies require to meet the unique needs and
goals related to their specific operations. Looking forward, OPM will
increasingly leverage CDM for our procurement needs to meet new
challenges. We will prioritize our risk management needs and align the
new technologies offered by CDM to meet our highest risks in a
continuous effort to reduce vulnerabilities.
I see Phase 4 of CDM transitioning into an on-going and continuous
monitoring effort that will allow OPM and other agencies to keep pace
with malicious actors. For agencies to be successful, Phase 4 should
allow the Federal Government the ability to move as quickly as new
technologies and threats evolve. This can be accomplished through an
offering of tools and services that meet the specific goals and needs
of agencies and through agile procurement capabilities that allow
agencies to change and adapt their tools in real time. Following best
practices in Government procurement, coupled with a continued effort to
survey what capabilities are available throughout the private sector,
will help keep the Federal Government informed and on pace. For CDM to
be successful in the long term, it will need to continue to evolve,
including the use of new ideas and concepts, such as the use of
Artificial Intelligence (AI), for immediate identification, response,
and updates to threats. Due to the asymmetric nature of attacks, we
also need to consider security risks related to the increasing use of
AI by our adversaries across all sectors and how that may impact the
kinds of cyber defense and tools we need.
I accepted the position of CIO at OPM because I truly believe in
the OPM mission and because it is an agency in which great success can
be achieved and demonstrated. The people at OPM are dedicated, new
technology is being implemented, and the agency is committed to
supporting all the Federal employees who devote their lives to serving
the American people. Although there may be bumps in the Federal
Government's journey to keep pace with potential cyber threats, I am
confident we have an incredible opportunity to make strides toward a
successful future. I look forward to working with the Members of these
subcommittees to continue our efforts of IT modernization and the
evolution of the CDM Program so that it will remain a successful
resource for Federal agencies.
Thank you for the opportunity to testify before you today. I look
forward to answering any questions you may have.
Mr. Ratcliffe. Thank you, Mr. Garcia.
Mr. Cox, you are recognized for 5 minutes.
STATEMENT OF KEVIN COX, PROGRAM MANAGER, CONTINUOUS DIAGNOSTICS
AND MITIGATION, OFFICE OF CYBERSECURITY AND COMMUNICATIONS,
NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT
OF HOMELAND SECURITY
Mr. Cox. Thank you, Chairman.
Chairman Ratcliffe, Chairman Hurd, distinguished Members of
the committees, thank you for today's opportunity to discuss
the Department of Homeland Security's effort to secure Federal
networks. I want to begin my testimony by thanking Congress for
its work on the Cybersecurity and Infrastructure Security
Agency Act of 2017. If enacted, this legislation will
streamline the organization where I work, the National
Protection and Programs Directorate, or NPPD. It will also
rename our organization to clearly reflect our mission. The
Department strongly supports this effort and appreciates the
focus of these committees on seeing it enacted.
DHS serves a critical role in safeguarding and securing
cyber space, a core Homeland Security mission. Cyber threats
remain one of the most significant strategic risks for the
United States, threatening our National security, economic
prosperity, and public health and safety.
Over the past year, Federal network defenders saw the
threat landscape they face grow more crowded, active, and
dangerous. While, in many cases, our defenses have been
successful in mitigating these threats, we must do more to
ensure our cyber defenses keep pace of technological change and
the evolving risks.
Last year, the President signed an Executive Order on
strengthening the cybersecurity of Federal networks and
critical infrastructure. Cybersecurity is an important
component of the administration's IT modernization efforts and
the administration is committed to securing the Federal
enterprise from cyber-related threats.
One of the capabilities MPPD leverages to assist Federal
agencies with their cybersecurity and MPPD with its mission of
protecting the Federal enterprise is through a program I
manage, the Continuous Diagnostics and Mitigation Program, CDM.
CDM provides cybersecurity tools and integration services to
Federal agencies. CDM is helping us achieve three major
advances for Federal cybersecurity. First, agencies are gaining
continuous visibility into the extent of cybersecurity risks
across their entire network. This allows prioritization of
cybersecurity actions.
Second, with the Federal dashboard, MPPD will be able to
operationalize this visibility initially through improved
vulnerability management. Prior to CDM, MPPD often tracked
Government-wide programs in implementing critical patches via
agency self-reporting and manual data calls. CDM is changing
this model, enabling MPPD to immediately view the prevalence of
a given software product or vulnerability across the Federal
Government. All Cabinet-level agencies have their agency
dashboards in production with additional assets being added on
a daily basis. Additionally, the Federal dashboard currently
has a quarter of Federal assets reporting to it. It is
anticipated that the remaining in-scope Cabinet-level assets
will be reporting by the end of April 2018.
Third, through the CDM Program, DHS is building important
partnerships with other Federal agencies, including GSA, and
industry to directly address the nation-state and criminal
threats against our critical data in Federal networks. In the
first phase of CDM, MPPD is helping Federal agencies better
understand what is on their networks and better manage the
cybersecurity of those assets. IT assets combined with their
vulnerabilities and misconfigurations represent a significant
attack surface that our adversaries target.
Another fundamental principle of CDM is to understand who
is on the network. By learning who has access to agency
networks, including those individuals with privileged user
access, agencies can begin to appropriately restrict network
access and ensure the principle of least privilege is being
followed.
The next phase seeks to understand what is happening on the
network. By strengthening network protections and providing
expanded visibility to the cloud and mobile devices, agencies
will gain a more robust understanding of the events occurring
on their networks and help them standardized incident
reporting. The program is also beginning to plan for enhanced
data protections in Federal agency high-value environments from
information rights management to micro segmentation. These
phase 4 initiatives will help agencies secure their most
sensitive data, regardless of where it is located on the
network.
Moving forward, the new CDM DEFEND acquisition strategy
incorporates lessons learned from earlier stages of the CDM
Program. CDM DEFEND contracts will support longer periods of
performance with higher contract ceilings to provide
significant flexibility.
In closing, I want to assure these committees that DHS is
embracing our statutory responsibility to administer the
implementation of Federal agency cybersecurity processes,
policies, and practices. The overarching goal of Federal
cybersecurity is to ensure that every agency maintains an
adequate level of cybersecurity commensurate with its own risk
and with those of the Federal enterprise.
Thank you for the opportunity to testify. I look forward to
the questions you may have.
[The prepared statement of Mr. Cox follows:]
Prepared Statement of Kevin Cox
March 20, 2018
Chairman Ratcliffe, Chairman Hurd, Ranking Member Richmond, Ranking
Member Kelly, and Members of the subcommittees, thank you for today's
opportunity to discuss the state of Federal cybersecurity. The
Department of Homeland Security (DHS) serves a critical role in
safeguarding and securing cyber space, a core homeland security
mission. The National Protection and Programs Directorate (NPPD) at DHS
leads the Nation's efforts to ensure the security and resilience of our
cyber and physical infrastructure. This past December, the House voted
favorably on H.R. 3359, the ``Cybersecurity and Infrastructure Security
Agency Act of 2017.'' If enacted, this bill would mature and streamline
NPPD, renaming our organization as the Cybersecurity and Infrastructure
Security Agency to clearly reflect our essential mission and role in
securing cyber space. The Department strongly supports this much-needed
legislation and encourages swift action by Congress to complete its
work on this legislation.
NPPD is responsible for collaborating with Federal agencies to
protect civilian Federal Government networks, as well as with the
intelligence community; law enforcement; State, local, Tribal, and
territorial governments; and the private sector to defend against cyber
threats. We endeavor to enhance cyber threat information sharing across
the globe to stop cyber incidents before they start and help businesses
and Government agencies to protect their cyber systems and quickly
recover should such an incident occur. By bringing together all levels
of Government, the private sector, international partners, and the
public, we are taking action to protect against cybersecurity risks,
improve our whole-of-Government incident response capabilities, enhance
information sharing on best practices and cyber threats, and strengthen
resilience.
cybersecurity priorities
This administration has prioritized protecting and defending our
public and economic safety from the range of threats that exist today,
including those emanating from cyber space. Last year, the President
signed Executive Order (EO) 13800, on Strengthening the Cybersecurity
of Federal Networks and Critical Infrastructure. This Executive Order
set in motion a series of assessments and deliverables to understand
how to improve our defenses and lower our risk to cyber threats. This
order also emphasized the importance of accountability--clarifying that
agency heads are responsible and will be held accountable for the
security of their networks and systems. NPPD plays an important role in
providing capabilities, services, and direction to Federal agencies.
Although Federal agencies have primary responsibility for their own
cybersecurity, DHS, pursuant to its various authorities, provides a
common set of security tools across the civilian executive branch and
helps agencies manage their cyber risk. NPPD's assistance to Federal
agencies includes:
providing tools to safeguard civilian executive branch
networks through the National Cybersecurity Protection System
(NCPS), which includes ``EINSTEIN'', and the Continuous
Diagnostics and Mitigation (CDM) programs;
measuring and motivating agencies to implement policies,
directives, standards, and guidelines;
serving as a hub for information sharing and incident
reporting; and
providing operational and technical assistance, including
threat information dissemination and risk and vulnerability
assessments, as well as incident response services.
Today, my testimony will focus on one of the capabilities NPPD has
to assist Federal agencies with their cybersecurity and DHS with
protecting the Federal enterprise--the Continuous Diagnostics and
Mitigation (CDM) program. CDM provides cybersecurity tools and
integration services to all participating agencies to enable them to
improve their respective security postures by reducing the attack
surface of their networks as well as providing DHS with enterprise-wide
visibility through a common Federal dashboard.
In the first phase of CDM, the National Protection and Programs
Directorate (NPPD) is helping Federal agencies better understand what
is on their network and better manage the cybersecurity of those
assets. CDM works to ensure that agencies know what IT assets they
operate and how well those assets are configured and patched. IT
assets, combined with their vulnerabilities and misconfigurations,
represent a significant attack surface that our adversaries target.
Through better patching and configuration, agencies are able to reduce
the likelihood of successful compromise against the evolving threat.
This is one of the key objectives of CDM.
Another fundamental principle of CDM is to understand who is on the
network, which we address through Phase 2. By learning who has access
to agency networks, including those individuals with privileged user
access, agencies can appropriately restrict network access and ensure
the principle of least privilege is being followed. This second phase
of CDM is a significant step forward in managing cyber risk.
CDM is helping us achieve three major advances for Federal
cybersecurity.
First, agencies are gaining continuous visibility, often for the
first time, into the extent of cybersecurity risks across their entire
network. With enhanced visibility, they can prioritize the mitigation
of identified issues based upon their relative importance.
Second, with the Federal dashboard, the NCCIC will be able to
operationalize this visibility, initially through improved
vulnerability management. For example, the NCCIC currently tracks
Government-wide progress in implementing critical patches via agency
self-reporting and manual data calls. CDM will transform this, enabling
the NCCIC to immediately view the prevalence of a given software
product or vulnerability across the Federal Government so that the
NCCIC can provide agencies with timely guidance on their risk exposure
and recommended mitigation steps.
Third, through the CDM program, the DHS is building important
partnerships with the General Services Administration (GSA), other
Federal agencies, and industry to directly address the nation-state and
criminal threats against our critical data and Federal networks.
Effective cybersecurity requires a robust measurement regime, and
robust measurement requires valid and timely data. CDM will provide
this baseline of cybersecurity risk data to drive improvement across
the civilian executive branch.
Moving forward, the new CDM DEFEND Acquisition Strategy, developed
in partnership with GSA, incorporates lessons learned from the
Continuous Monitoring as a Service Blanket Purchase Agreements that
were used in the early stages of the CDM Program. CDM DEFEND contracts
have longer periods of performance with higher contract ceilings
providing agencies more flexibility. This flexibility will allow
agencies to modernize and standardize their security capabilities in a
way that meets the CDM requirements and makes the most sense for each
organization. CDM DEFEND will also support legacy and new
infrastructure requirements such as cloud and mobile and will allow
agencies to procure cybersecurity tools and services separately or
together.
conclusion
In the face of increasingly sophisticated threats, NPPD supports
the Federal Government's efforts to defend our Nation's Federal
networks and critical infrastructure from cyber threats. Our
information technology is increasingly complex and dynamic with
interdependencies that add to the challenge of securing and making it
more resilient. Technological advances have introduced the ``internet
of things'' (IoT) and cloud computing, offering increased access and
streamlined efficiencies, while increasing our footprint of access
points that could be leveraged by adversaries to gain unauthorized
access to networks. As our Nation continues to evolve and new threats
emerge, we must integrate cyber and physical risk in order to
understand how to effectively secure it. Expertise around cyber-
physical risk and cross-sector critical infrastructure
interdependencies is where NPPD brings unique expertise and
capabilities.
Thank you for the opportunity to testify, and I look forward to any
questions you may have.
Mr. Ratcliffe. Thank you, Mr. Cox.
The Chair now recognizes the Chairman of the Subcommittee
on Information Technology, Mr. Hurd, for 5 minutes.
Mr. Hurd. Thank you, Chairman Ratcliffe.
I appreciate the manner in which we are able to pursue
these important issues and not worry about that silly word
``jurisdiction'' that I know bothers both of us.
Mr. Cox, I think DHS is doing a great job. I think you
all--this is why we passed the Cybersecurity Act of 2015. This
is why we made you all the bellybutton of protecting the dot-
gov domain and coordinating with the private sector.
I have some basic questions. These aren't trick questions,
but when it comes to the actual implementation, DHS has the
tools that you are helping to implement on some of these other
agencies. Is that correct?
Mr. Cox. Yes. Through a series of mechanisms, contracting
processes that we build with GSA----
Mr. Hurd. Sorry to interrupt. I'm going to try to use my
time judiciously. So an agency, do they have to pay you?
Mr. Cox. It is through the budget that is allocated to DHS
that we work with the agencies to fund the efforts to deploy
the CDM capabilities.
Mr. Hurd. So phase 1 implementation of CDM is basically
free to those agencies?
Mr. Cox. The idea is that we fund the foundational year,
the base year of the licensing plus the first maintenance year,
and then we transition the maintenance of those tools over to
the agencies. In those first 2 years, we also provide
integration support to help with the deployment of those tools.
Mr. Hurd. Gotcha. So, basically, they are getting this for
2 years, and they have got to figure out to transition this to
the O&M on their budget.
Mr. Cox. That's correct. Yes, sir.
Mr. Hurd. So, to me, this is ridiculous if there's any of
the agencies that are not taking advantage of this in trying to
implement this. So, once it's implemented and you're paying for
the licenses, why would phase 2 cost money to the agency?
Mr. Cox. It follows--phase 2, as well as our future phases,
follow the same model. So we provide base year plus a
maintenance year and then the cost to transition off for O&M to
the agency, and there is integration support included in that.
Mr. Hurd. So, Mr. Garcia, let me transition to you, since
you have implemented phase 1 of this. What is your phase 2
cost?
Mr. Garcia. To be entirely candid, I don't know the entire
cost off the top of my head.
Mr. Hurd. In general, what are you having to pay for?
Because you've implemented software, right? You're just using
that software in a different way. So you're using that
software, first, to understand all the different nodes that you
have on that network. Then, second, you're trying to figure out
basically the access and credentials process and who has access
to various things on that network. So it's not like you're
having--nobody is implementing any new software. So my question
is: If you have people on your team that are managing the CDM
tools, what is the cost to going to--from phase 1 to phase 2?
Mr. Garcia. So, when we transitioned, we had other tools in
place, and we basically sunset the tools that we had in place
and adopted them. So, for OPM, it was rather seamless. We were
doing the work already coming out of the 2014-, 2015-era stuff.
So the costs were minimal, I mean, additional about what we
were already doing.
Mr. Hurd. I just want to confirm that point. So my question
is for Mr. Blackburn and Mr. Everett: If you have a DHS that
has the ability to fund the first 2 years of this and that this
is a cost that should be taken over by your existing
infrastructure and people, why is there any hesitancy of not
accepting or implementing the other elements of phase 1, or why
is phase 2 so difficult, because the cost is negligible?
Mr. Everett. Well, the phase 2 are some new tools that
people are bringing in. So, look, we're a poor example,
because, frankly, we're behind. We----
Mr. Hurd. That's what I always liked about you, Mr.
Everett; you're always straight, straight to the point. I
appreciate that.
Mr. Everett. I don't like to second-guess because I wasn't
there. I presume that my predecessors acted with the resources
and direction they had. We're behind because we focused on a
very small part of the Department. We are a large and diverse
Department. So phase 1 and phase 2 were some different tool
sets. On a small part of the Department, phase 1 is done. We
have gone back and again at the direction of our Secretary and
deputy secretary, and we are looking to cover all of phase 1
and then phase 2 for the entire Department.
Much like Mr. Garcia, a number of areas in our Department,
they have CDM capabilities. What I mean by that is they have
got tools that do those capabilities that we talk about in the
phases. They may or may not be necessarily the tools that are
part of those procurements. So, much like Mr. Garcia, our role
right now is we are filling all those gaps, and then my goal
over time would be to sunset some of those existing tools as we
can, but integrate all the data back into our dashboard, which
then goes back up to DHS.
But, very frankly, to get to your question, we're starting
to look at right now--I think we figured we're working with
DHS. We figured out the cost of filling our gaps. Then we're
estimating right now--I think the number I had was a little
over $8 million a year for the outyear M&O. Some of that may be
absorbed because it will displace existing tools. Some of it is
gaps in tools, in which case it is a new cost to us. So I'm
working right now to make sure in our outyear budget, because
we do have the time to put it in there, that we pay for that as
a Department so that it doesn't become all the little ticky-
tack stuff, but that we pay for it as a Department because it
is a Departmental tool. Much like, again, the DHS approaches
this as a Federal tool for the Federal enterprise, that is the
direction we're trying to go.
Mr. Hurd. Mr. Chairman, I apologize. I yield back the time
I do not have.
Mr. Ratcliffe. The Chair now recognizes the gentleman from
Virginia.
Mr. Connolly. Thank you, Mr. Chairman.
I do see votes have been called. We have one vote. Some of
us are going to be going in and out.
Thank you all for your testimony.
Mr. Garcia, you're new, as you point out, but our committee
certainly had--the head of OPM at the time of the breach
testified before our committee, and she lost her job, frankly,
over that incident. Coming in, looking at the situation, this
was I think the largest Federal cyber breach ever, and it
compromised somewhere between 24- and 28 million Americans'
personal data. How confident are you that we've come a long way
and that that kind of breach is unlikely to happen today? Are
the vulnerabilities fundamentally still there?
Mr. Garcia. To answer your question directly, I'm very
confident.
Mr. Connolly. You are very confident.
Mr. Garcia. I'm very confident we know who and what is on
our networks. Am I 100 percent? I don't think you can ever get
to 100 percent as the landscape, when it changes, changes
rapidly. But I'm as confident as I can be in the defenses we've
put in place, and a large portion of that, quite honestly, has
been hand-in-glove with the CDM Program.
Mr. Connolly. Do you believe if the CDM Program had been in
place, we would have--could have avoided or preempted that
cyber attack?
Mr. Garcia. So I thought about that question a lot, and I
am not trying to evade here, but I don't know if I'm fully
qualified to say that, not having been here during that time
and understanding some of the complexities that were involved
with my predecessors.
Mr. Connolly. One of problems that we had at OPM at the
time was duplicative--I'm sorry--systems that couldn't talk to
each other, multiple systems, old systems, unencrypted systems.
By and large, has that been addressed to your satisfaction as
the new CIO?
Mr. Garcia. By and large, I would say, yes. Could we get
better? Yes. We have 100 percent PIV authentication for network
access. We have micro segmentation. You can't get on OPM's
networks unless we know you're on and have a valid PIV
credential. Again, I think a lot of that work that we've done
and what we see from the dashboard is again from the tools from
CDM.
Mr. Connolly. Let me just say to you: I hope part of your
mission will be to continue to care for the people who had
their data compromised because, as you know, that kind of data
available, it could be years before someone decides to do
something bad and your credit rating is damaged or someone gets
into your financial accounts. So I do believe we have a sacred
obligation to those people on-going to make sure they are
protected, and I know you share that view.
Mr. Garcia. I concur.
Mr. Connolly. I thank you.
Mr. Blackburn, welcome again. Thank you for your service.
It is always fascinating to hear your story about you're a
customer. We've seen some reports in the press recently that
the new electronic system has created more than glitches in
some cases, denial of care, mess-up of identity, drug
protocols, and has actually interfered with urgent care or
specialized care that our veterans need. Could you elaborate on
that? I mean, how concerned are you about that? Is this
something to be expected that is going to be ironed out, or do
we have yet another fundamental flaw in a major investment in
terms of veterans or Active-Duty health care?
Mr. Blackburn. So I'm very, very concerned and that--what
you mentioned specifically was with the DOD's rollout of MHS
GENESIS out in the Pacific Northwest, and I've been working
very closely with that team. Stacy Cummings, who leads that
team, she and I talk very frequently. We are monitoring that
very, very closely to make sure we--when VA gets ready to
launch our pilots, after we sign the contract with Cerner, that
we won't be making the same mistakes. So there's a number of
things that are going well with that, but there's also the
things that you mentioned that are not going well, and we are
working with----
Mr. Connolly. I'm going to invite you to submit--certainly
to our committee and I assume this committee as well. Mr.
Ratcliffe, I don't mean to presume some reports on that
because, obviously, we are concerned, and we have had some
history. In the brief period of time I have left--thank you--
Mr. Everett, we just had some public reports about Russian
cyber attacks on our grid and power system, very alarming in
terms of what it could do, and we previously had attacks on the
nuclear power system and other systems around the country. Do
you believe CDM is a tool that can help prevent that or detect
that or preempt it? How worried should we be about the
vulnerability especially of our grid?
Mr. Everett. Obviously, we take that very seriously. We
work with our partners, the FBI and DHS, on ensuring that we
work very well with the electric sector on those issues.
Obviously, we have had a lot of briefings over even the last
week. It is of special concern to me, of course, because we
have our Power Marketing Administrations, which, for those who
are not familiar, the Department of Energy, they are directly
involved in provision of electricity for millions of Americans
throughout the West and Northwest. So--that is one of reasons
we are working with them to fill--they have a number of tools.
We work very closely with them as part of Department. We are
working to make sure anywhere that they do have gaps in the CDM
capabilities that are out there, that we are working to fill
them. In fact, I just had some of their folks in this morning
and meet with them again, depending on snow, tomorrow. I will
tell you they have a number of systems in place, and they are,
very frankly, a bit of a challenge because they have industrial
control systems and SCADA systems, which are bit unique. That's
one of the areas we want to work with DHS, because you will
always have those unique challenges, as broad as the Federal
enterprise is, that we want to have them. But I absolutely
believe the CDM tools, because they give you the visibility of
what's on your network and who is on your network, absolutely
will help you in that type of security.
Mr. Connolly. Thank you.
Thank you, Mr. Chairman.
I do want to congratulate Mr. Blackburn for making progress
on data center consolidation. We want to see more progress at
DHS, and we want see that scorecard, FITARA scorecard, move up.
Thank you all so much for being here.
Thank you, Mr. Chairman.
Mr. Ratcliffe. I want to advise the witnesses that votes
have been called, but we are going to continue the hearing. So
I am going to proceed with questions. I want to let Ms. Jackson
Lee know that the hearing will continue if she wants to go vote
and return, and actually, I think I'll take advantage of that
myself and see you all shortly.
It looks like we are going to have to recess the hearing
temporarily, very shortly, for a quick vote.
[Recess.]
Mr. Ratcliffe. I am calling the subcommittee hearing back
to order. I appreciate the witnesses' indulgence. Obviously,
the vote schedule is beyond our control.
Having said that, I recognize myself for 5 minutes.
Mr. Everett, so DOE has its CDM dashboard up and running.
Can you give us a sense of what the value is of the data that
you're now realizing from Phase 1 CDM, what the capabilities
are? What's different now that that's operational?
Mr. Everett. So we're just starting to pull the value out
of that. We've got our IGC-3, which is essentially sort-of our
enterprise SOC. Again, very frankly, one of our challenges is
our scope of where we have CDM installed is limited at this
point. It gives me visibility in--the services I traditionally
have provisioned that are primarily to all our Federal
employees is what it covers.
What it's doing is it is starting to give us the picture
of, again, what our internal vulnerabilities look like, you
know, as Kevin talked about, our actual vulnerability in patch
management, start to give us a picture of what our
prioritization should be about not only patching but about
which systems are going to be no longer supported, which
systems are out-of-date, some of those things.
The real value for us, frankly, is as we start to expand it
across our enterprise to the PMAs and other folks. Again, many
of our labs and sites already have the capabilities; we have
not tied them together as an enterprise.
Mr. Ratcliffe. OK. So are you lacking any authorities that
would have allowed you to do that faster that you need now to
sort-of roll it out on a more expedited--and take advantage of
it on a more expedited basis?
Mr. Everett. So I think, for me, I can say, very
fortunately, the answer is no.
At this point--you know, again, I report directly to the
Secretary and deputy secretary, and that was changed right
after I came on in August. That's been a huge improvement. I
have their direct, firm push that we need to do this. They
understand very well that we've got to know what's on our
networks. That's the first step in some basic cybersecurity
hygiene.
Mr. Ratcliffe. OK.
Mr. Everett. So I've got that full authority.
Mr. Ratcliffe. So then let me shift to you, Mr. Garcia,
because you're a little further along the curve. So, same
question regarding the new data or better data that CDM is
providing.
Mr. Garcia. So, again, just to echo what Mr. Everett said,
was we were able to see across the spectrum. We can see end-of-
life systems out there. We can see items that are requiring
patches. We can see operating systems that are end-of-life. We
can see the progress we make with our patch updates as well.
Mr. Ratcliffe. OK.
So, in addition to your current role, you have pretty
considerable private-sector experience. We're always trying to
leverage what innovative companies are doing. Are there any
short-term recommendations that you would make or could make
from that experience that might speed up the deployment of CDM
capabilities?
Mr. Garcia. That's a great question. Since I've been with
OPM, since October, I've been trying to think, how do we
expedite things, how do we move things faster? I feel like
we're always kind-of behind the eight-ball in Government
deployment.
I think a lot of it has to do with the bureaucracy and
trying to navigate that. I understand there's a balance that
has to be reached and the need to be fully accountable for
taxpayer dollars. But, at some point, I think there's got to be
mechanisms that we can strike a balance that will enable us to
move faster on some of these.
Mr. Ratcliffe. So what would those milestones be that are
out there that we can look for to know that we're on track,
that we're getting--that we're making progress, you know, with
respect to an effective structure for, you know, defending the
Federal IT infrastructure?
Mr. Garcia. Quite honestly, I think that CDM does provide
that. If you look at Phase 1 and Phase 2, they're addressing a
lot of the NIST controls that are in place. Phase 3 is moving
toward that more agency focus, with the goal in Phase 4 to move
into that continual monitoring of the network. I think those
are good mile markers.
Mr. Ratcliffe. OK.
So let me roll that into a question for you, Mr. Cox, we
all want CDM to be a force multiplier for network defenders.
What's the 3-year plan to get there? How do we know that we're
getting there? What can I look at, as a Member of Congress with
oversight, to say, hey, we're on track, or we're not on track,
and hold you accountable?
Mr. Cox. Certainly. I'll take that as two questions.
First, in terms of what we're looking at over the next 3 to
6 years is, with our CDM DEFEND contracting mechanism, we have
the flexibility built in to work with the agencies to see what
their priorities are at that point in time, be able to get
teams in from the integrator that owns the contract, to help
get the solutions deployed more quickly and being more nimble
in terms of what the agency's needs are.
In terms of metrics, really looking at what we've
accomplished so far and what we will be moving toward, is, to
this point, getting the visibility across the networks,
starting out looking at the numbers of assets that were
reported manually. We found a 75 percent increase in terms of
the total number of assets once we got automated tools into the
environment. From a cost-savings standpoint, by being able to
do volume purchasing of the tools, we found that we achieved
savings upwards of 70 percent off of IT Schedule 70.
In terms of where we're headed in being able to measure the
mission impacts of CDM, we want to be able to get full
visibility both at the agency level for the agencies as well as
at the Federal level; and then be able to see what their
overall cyber hygiene is, their security posture; and
ultimately be able to help manage, for the agencies at the
agency level and us at the Federal level, the risk across the
Federal enterprise.
Mr. Ratcliffe. Terrific. Thanks very much.
My time has expired. The Chair now recognizes the
gentlelady from Texas, Ms. Jackson Lee, for 5 minutes.
Ms. Jackson Lee. Mr. Chairman, thank you. Thank you for
this joint hearing.
I thank the witnesses for being instructive and insightful.
I think we have a lot on our plate. Certainly, Mr. Cox, the
areas that you deal with is of particular concern, and
certainly the Office of Personnel Management. We're delighted
that Veterans Affairs is getting on track.
But let me recite what I've done for a number of years.
Just a historical perspective. This committee was included in
something called Transportation Security and Infrastructure, so
we began talking about these issues almost a decade ago. We're
probably behind, but I'm glad to see where we are today. So
I'll pose some questions initially and then--some pointed
questions, but I think we've made great strides.
I emphasize a point that I wanted to make, is that we have
a small percentage of the cyber, and most of it is in the
private sector. A lot of that impacts Government agencies. I
think that the more we are engaged--I introduced legislation
that was passed--and I thank the committee--that dealt with
zero-day events. Part of it was the consulting with the private
sector on what might be helpful to them and what might be
helpful to you that may be Classified.
So I would ask this question. As you know, one of the
challenges with Federal cybersecurity is that new technologies
are being developed much faster than the Federal procurement
cycle allows. What should we be doing to make sure that the CDM
Program is flexible and agile enough to keep pace?
Why don't I--and I'd appreciate pithy answers. I'm trying
to get to all of you. Why don't I start with Mr. Cox and then
go to Mr. Garcia with OPM because of the unfortunate major
snafu impacting our Federal employees.
Mr. Cox.
Mr. Cox. Yes, Congresswoman. We've approached the ability
to bring on new technologies, new innovations more quickly in
two ways.
First, through the CDM DEFEND task order. By awarding a
long-term task order of 5 to 6 years, it enables us to continue
to issue requests for service to that integrator for different
types of technology, different types of need more quickly,
rather than having to recompete a new contract.
Second, through our approved products list, we have
accelerated the pace at which vendors, industry can submit new
products to the approved products list. On a monthly basis,
vendors can submit those to us. Working with our staff, we
assess those quickly, and then, if the products meet the
criteria, they're quickly added. That enables agencies to get
to those products more quickly.
Ms. Jackson Lee. Mr. Garcia.
Mr. Garcia. Thank you for the question.
So I think the focus for us in coming out of the events of
2014 and 2015 was, how do we--if we need to buy something to
address a zero-day event, we need a vendor, we need a service,
we need software, we need hardware, how do we shorten the
procurement time to bring these tools to bear as quickly as
possible?
Ms. Jackson Lee. Absolutely.
Mr. Garcia, I've got you right on the spot here. Does this
either flexibility or attentiveness to moving forward include
and embrace small, minority-, and women-owned businesses in the
context of how the Federal Government utilizes so they're not
shut out of the door because of their size?
Mr. Garcia. That's a great question. So, as a former 8(a)
program member, I would say ``absolutely'' to that question.
Ms. Jackson Lee. That they have the opportunity?
Mr. Garcia. Absolutely.
Ms. Jackson Lee. Let me go right to Mr.--for the Veterans
Affairs, Mr. Blackburn. Thank you for your service.
We lived in a nightmare as our veterans were either dying
or not being able to get served. We know that it is certainly
an old agency, and it deals with older patients who deserve our
honor and respect.
What have you been able to do to cure that devastating
experience that veterans have had, languishing in hallways
waiting on doctors or not getting their doctor appointments?
Mr. Blackburn. Well, that nightmare is why I joined after
2014. I was as shocked and disgusted as anybody.
We've really pushed hard on shortening the wait times so
that we now have same-day access in all of our sites. We've
really doubled down on customer service, self-service tools
for--I schedule my appointments now using an on-line tool.
So we're using technology. We're staffing. We're focusing
on the biggest problems to make sure that that never happens
again.
Ms. Jackson Lee. Two last questions, which I'd like all of
you to answer, is: What do you view as the greatest promise on
the CDM for the Federal network?
But as you answer that, please--I've introduced another
piece of legislation to improve the cyber professional staff
for the Federal Government. If that would be helpful to you,
you might acknowledge that.
But the final question--that question is No. 1, about
what's the greatest promise. The other one is, in the backdrop
of this hearing, we have an unfortunate discovery of the entity
with Facebook, Cambridge, and the misuse of millions of emails
or data of Americans.
My question would be--we don't want to be in that position.
What relationship should the Government have?
We use these tools--Facebook, Google. I would hope we never
acknowledge that they've gotten bigger than us, in terms of
being able to overrun what are legitimate responsibilities of
the Government to protect the American people.
So if you would answer how our interface would be with
these giants. Because we have the most and highest
responsibility, and that is to the American people.
Do you want to start, Mr. Everett?
Mr. Everett. Yes, ma'am.
I think, on your first question, aside from just the value
of the tools themselves, I think one of the greatest promises,
long-term, for the CDM Program ultimately should be the ability
for us at the Federal enterprise level to start to share
information together. I think that's just an opportunity that
we have not taken full advantage of.
I understand it's part of the purpose of DHS being given
that role as a coordinator that we as a Federal--you know, that
we're all seeing different perspectives of the cyber threat,
and I think that CDM, longer-term, provides an avenue that we
can share that information across the entire Federal enterprise
to help protect each other.
As to your other question, I would just say I think that's
a challenge not just for us in Government but certainly
culturally, is helping people understand the privacy issues and
how that ties into our security.
You know, as somebody who did this and used to talk to
people in the private sector and try and give some training,
most of us, even as professionals in this, very often don't
really think about the implications of some of the tools we use
on our privacy and then what, in turn, that does to our
security.
So I think that probably takes longer, looking at across
the Federal enterprise and making sure that privacy is a part
of our discussion of security. Because they do--you know, the
bad guys typically want to misuse those kind of tools to get
into our networks and do other things. So we need to tie those
together.
Ms. Jackson Lee. Thank you.
Mr. Blackburn.
Mr. Blackburn. To me, the promise of CDM, it's really
moving from a reactive posture to a proactive posture.
A little less than a year ago, the WannaCry virus targeted
us as well as many others, and we, luckily, had the patches in
place and fared well, but the U.K. health care system, for
example, not so much. We don't know what the next threats are
going to be. We have to stay on top of that, proactive, and
find those before they hurt us.
On the second question, I agree completely with Mr.
Everett. What I would add on to that is, you know, the
relationship with those giants--the Facebooks, the Googles--and
making sure that we are constantly sharing the best practices
and making sure that we are incorporating those things. But
also, to your other point that you made a little bit earlier,
which is, those companies were small and innovative. A lot of
the great companies that have created such great platforms have
come out of that small, agile, innovative--so make sure that
we're also providing opportunities for those types of
companies, as well, to induce, like, the best practices.
Ms. Jackson Lee. Yes? Mr. Garcia again.
Mr. Ratcliffe. The gentlelady's time has expired, but, Mr.
Garcia and Mr. Cox, weigh in very quickly, if you can.
Ms. Jackson Lee. Thank you, Mr. Chairman, for your
indulgence.
Mr. Garcia. So, to the first question, promise, I'd have to
agree with my colleagues. I think sharing, along with
reciprocity and interagency agreements, if we could standardize
these things, I think it would do a great value to the Federal
Government.
As to the second question, I feel a bit uneasy to answer
the question due to the fact I'm not fully aware of what's
Facebook's public data policies with their open data and what
agreements they had in place. I don't know that it's really
fair for me, as an OPM and representative of the Government, to
really--to comment on that without that knowledge.
Ms. Jackson Lee. Thank you.
Mr.----
Mr. Cox. Yes, Congresswoman. What the real key for us, to
echo what Mr. Blackburn said, is to get from a reactive stance
to a proactive. We want to get out in front of the threat. We
want to take the low-hanging fruit out of the equation and be
able to enable these agencies, as well as all agencies, with
the visibility of their networks, to be able to see where the
threat is and shut it down.
Again, like Mr. Garcia said, I don't feel that I'm in a
good position to comment specifically on the Facebook case. But
I would say that it is important for us to continue to build
our partnerships with industry, to interact with them, learn
what they're doing. We can share our lessons as well. We, as a
Nation, continue to get better.
Thank you.
Ms. Jackson Lee. I yield back the time. Thank you, Mr.
Chairman.
The Chairman. I thank the gentlelady.
The Chair now recognizes the gentleman from Nebraska, Mr.
Bacon.
Mr. Bacon. Thank you, Mr. Chairman. I appreciate it.
Thanks for being here.
I've got a question for Mr. Cox.
The CDM, will you be looking at it at DHS from an
enterprise-wide DHS, or will it be all the sub-agencies doing
CDM? How do you integrate that? So I'm sort-of nosy on that.
Mr. Cox. Certainly. The idea is that each component or
operational division in each agency will be able to have the
visibility for their particular mission area and their
particular component.
So, specifically with DHS, we're working--our program
office is working with the DHS Office of the CIO, similar to as
we work with the agencies here, to help them get the solutions
out, help them build the partnerships with the components, so
that they, the CIO's office, get the visibility across DHS, but
at the same time the components within DHS get that same
visibility for their component space.
Mr. Bacon. Uh-huh. Will you have enterprise-wide visibility
and see the integration or get the synergy out of that?
Mr. Cox. That's correct. So, while each component will have
visibility for their component, that information is aggregated
up at the object level, so the Office of the CIO will be able
to see individual devices, individual systems.
Mr. Bacon. Right.
Mr. Cox. Then what we're doing from the agency level up to
the Federal level is summarizing that data. So, at the Federal
level, what we're seeing is a summary view but with enough
information that we can work with the agencies to respond to
particular issues or incidents.
Mr. Bacon. Does this take advantage of commercial off-the-
shelf technology pretty readily?
Mr. Cox. It does. That's a core principle of the program.
We didn't want to do a lot of customized builds here. We wanted
commercial off-the-shelf, that the product could be put in
place quickly, the agency could learn it quickly and be able to
get value from it immediately.
Mr. Bacon. Right.
One question for you, but it may be applicable for
everybody, but I'll just get your perspective. Will the
automation help you reduce some manpower requirements by this?
Do you get some savings where you can redirect people?
Mr. Cox. That's exactly right. That's the idea, is that we
change these manual processes that we've followed for so long,
get automated data so we can make better decisions more
quickly. Then those folks that were doing that manual
assessment work before, we can reassign those efforts to
security operations and being able to help identify the threat
and get in front of it.
Mr. Bacon. This next question really is for you and Mr.
Everett. One of the things that disturbs me most--and I'm not
sure how applicable right now it is to CDM, but I'm going to
give you a chance to touch on it--is the vulnerability of our
energy grid. I'm not sure which portfolio that falls in.
I was afraid to talk about it too much until yesterday.
Now, all this data has been released saying just how vulnerable
our energy grid is.
I mean, it was thought, because there's so many--you know,
it's such a fragmented system out there, how would the Russians
and Chinese devote the manpower to get in there and really
attack this? But with yesterday's release, we see they are
trying to do that.
How does CDM help either one of you go after this huge
threat? Does it facilitate or--does it directly help or
indirectly?
Mr. Cox. I'll start and provide the program's perspective
and then turn it over to Mr. Everett.
Our idea is that we want to provide Mr. Everett and the
rest of the agencies the visibility of their network, be able
to get vulnerabilities quickly patched, get the systems
properly configured to reduce the likelihood that an adversary
can easily get into that system.
We then want to help the agencies get visibility across
their network so that they can detect any attacks to their
network, any threats in their network, and address them
quickly.
Mr. Bacon. But we wouldn't be able to help if the Russians
or Chinese were attacking our energy grid separate from the
network right now. Would that be--is that an accurate
statement?
Mr. Cox. The idea is that, if any adversary is trying to
get in on the network, that we want to be able to ensure the
agencies have full visibility of their network to see where
that attack might be coming in. Even if it's coming in from a
third party, we want to be able to see where that interface
from that third party is coming into the agency network so that
the agency can properly respond and quickly respond to shut it
down.
Mr. Bacon. Thank you.
Mr. Everett.
Mr. Everett. So I think I'll actually start--obviously, our
Department is very focused on that. As a sector-specific
agency, we work very closely with our colleagues at DHS. You
know, while my focus is primarily our internal cybersecurity,
the fact is I have part of the electric sector and the electric
grid in our Department through our Power Marketing
Administration. So it is very critical to us, and we try and
leverage that understanding and knowledge in our work with the
sector.
I'll tell you, frankly, almost even a little more
practically, one of the values of things like CDM is our
credibility with the sector only goes as far as our actual
capability. So, to the degree that we're doing it well as a
Federal Government, then we have a leg to stand on when we go
and talk to the sector and other folks. To the degree we don't,
they're likely not going to take us very seriously.
That's really how we're trying to approach it at DOE, is
that we're trying to make sure that if we're doing it well,
then we have something to say and something of value to bring
out to the private sector, which is important. So that's one of
several reasons that we take this very seriously.
We think that our experience with tools like CDM, we want
to be able to then sit at the table with them and share that.
Because we do think tools like CDM, they are relevant to the
private sector, maybe not as to the program itself, but the
capabilities, the practices, and experience are very relevant,
and we think they'll help.
Mr. Bacon. Right.
I'll just close, because I know we're out of time, and just
say I've known about this for a while, the vulnerability of our
energy grid, and I think it's very alarming. I think it's--the
next December 7 won't be airplanes with torpedos coming at
Pearl Harbor. It's going to be triggered with an attack on our
energy grid, with rolling blackouts and chaos.
So I just--you've got a tough job, but I look forward to
supporting you in this effort, because we've got to start
working on the resilience of our energy grid. So I appreciate
hearing the connection with CDM and this threat to us.
Thank you.
Mr. Ratcliffe. I thank the gentleman.
The Chair now recognizes the gentleman from Rhode Island,
Mr. Langevin, for 5 minutes.
Mr. Langevin. Thank you, Mr. Chairman.
I want to thank our witnesses for your testimony here
today.
Mr. Cox, if I could start with you, the report to the
President on IT modernization notes that CDM has not sought to
address cloud-hosted systems and that a challenge in
implementing CDM capabilities in a more cloud-friendly
architecture is that security teams and security operations
centers may not necessarily have the expertise available to
defend the updated architecture.
Do you view CDM as having applicability to cloud
architectures, or will it continue to focus on on-premise
networks?
Mr. Cox. Congressman, yes, indeed, we want to be able to
ensure the agencies have visibility, wherever their data is, to
that data, how it's being used, how it's being protected. So,
as we move into Phase 3 of CDM in understanding what's
happening on the network, we want to ensure we're providing the
agencies capabilities to not only get on-premise visibility of
their data and their networks, but wherever that data is,
whether it's out in the cloud, whether it's on a mobile device,
wherever it's stored or used. So we want to bring that
visibility into their dashboard visibility as well as at the
Federal level.
Mr. Langevin. OK. Thank you.
So there have been many reports about sluggish adoption of
CDM tools and capabilities.
Mr. Cox, what are the persistent obstacles to agency
adoption of CDM, and what is DHS doing to overcome those
obstacles?
Mr. Cox. Yes, sir. One of the things we saw with the Phase
1 and Phase 2 task orders is that we built those with very
defined runways. In the case of Phase 1, it was a 3-year task
order. In the case of Phase 2, it was a 2-year task order.
What we saw coming in and working with the agencies is that
we were coming in and they had other priorities on their plate,
and so we had to, within the bounds of our task order, work to
get our tasks scheduled really quite quickly. So it was a
burden on the agency to make adjustments, get the resources out
to get the work done.
As you can see, we've made significant progress working
with the agencies to get the work done, but we've learned from
that lesson. So, as we've built out our new contracting
approach, CDM DEFEND, we've worked to build in longer runways,
we've worked to build in more flexibility, keeping things
focused on a requirements basis, and then working with the
agencies to look at different ways to meet those requirements,
whether it was through the deployment of a new technology or
perhaps with a technology they already have in place, where we
can bring the visibility into their dashboard.
Mr. Langevin. OK. But are there additional authorities that
you need or additional assistance required from OMB to
effectively implement the program?
Mr. Cox. Yes, we're working with OMB quite closely, taking
a look at the OMB memorandum that was put in place in support
of CDM. They are working to update that. So they are supportive
of the program and continuing to move it forward. So I think
we've got a good direction there.
Mr. Langevin. OK. That's good to know.
I appreciate the conceptual approach of CDM's phases.
However, can I ask, is there a reason they aren't being pursued
in parallel? For instance, it seems that Phase 4, focusing on
data protection, could be implemented at the same time as Phase
3. Is there any technical or programmatic reason beyond budget
and human resources why it's not being pursued in parallel?
Mr. Cox. It's a good point. The way we've constructed CDM
DEFEND, it's so that different tasks can occur in parallel,
whether they be Phase 3, Phase 4, whether it be bringing some
additional things that were out of scope in Phase 1 and 2 into
scope and making sure that that can be done.
Why we focus now on Phase 3 is we've been building up the
programmatics around that. We are currently working with our
sister staff, Federal Network Resilience, to do proofs of
concept of the Phase 4 technologies, working with the high-
value asset environments. Then our aim is to quickly benefit
from the outcome of those proofs of concept so we can begin the
Phase 4 work in parallel to Phase 3.
Mr. Langevin. Phase 4 is only a pilot, from what I
understand. Is that right?
Mr. Cox. At this point. Then we will work----
Mr. Langevin. Why is that?
Mr. Cox. We have certain programmatic actions we need to
take within our Department to present the life-cycle cost
estimates for the program, other important programmatic
capabilities around showing that we're ready and able to fund
and execute Phase 4 work.
So we're currently working that, with the idea that by the
end of the summer we will go through that programmatic review
within the Department.
Mr. Langevin. OK.
I'm having technical difficulties with the mike here, but I
also serve on the Armed Services Committee and have seen DOD's
attempts to implement enterprise-wide cybersecurity acquisition
programs.
How are you coordinating best practices with them, and what
lessons have you learned from their attempts and newer
programs, such as DOD Endpoint Security Solutions and Comply to
Connect?
Mr. Cox. We are currently working with our colleagues
within DOD. We have a meeting scheduled next week, we've had
conversations prior, to able to share our lessons learned on
the capabilities that we're deploying, similar to what they're
looking at, learning the lessons from the Comply to Connect
implementations within DOD. That's part of the innovation, new
technology we want to look at across the Federal Government--
the Comply to Connect technologies, software-defined
networking, zero trust networks, et cetera.
So we are building that partnership up so that we can share
back and forth our best practices, lessons learned, et cetera.
Mr. Langevin. Very good.
Thank you all. I appreciate the answers.
I have some additional questions that I'll likely submit
for the record unless we do a second round, but other than
that, Mr. Chairman, I yield back the balance of my time.
Mr. Ratcliffe. I thank the gentleman.
I want to thank Chairman Hurd and Ranking Member Kelly from
the Oversight and Government Reform Subcommittee on Information
Technology for conducting this joint hearing with us.
I want to thank, certainly, all of the witnesses for your
very insightful and valuable testimony today.
I want to thank the Members for their questions.
As you just heard, some Members of the committee will have
additional questions for some of the witnesses, and so we'll
ask you to respond to those in writing. Pursuant to committee
rule VII(D), the hearing record will be open for a period of 10
days.
Without objection, the subcommittees stand adjourned.
[Whereupon, at 4:16 p.m., the subcommittees were
adjourned.]
A P P E N D I X
----------
Question From Chairman Will Hurd for Max Everett
Question. Once maintenance costs transition from DHS to your
agency, how much do you anticipate spending per year to sustain CDM?
Answer. The 2019 budget includes $185,712 for the Department's CDM
maintenance costs at the current level of maturity. The Department is
working to catch up with CDM Phase 1 and 2 requirements. The Department
will update operations and maintenance cost estimates during the DHS
CDM DEFEND Request for Service (RFS) processes, which commenced with a
recent kick-off meeting.
Questions From Ranking Member Cedric L. Richmond for Max Everett
Question 1. In January, we held a hearing with CDM contractors, who
told us that one of the challenges with implementation was the lack of
dedicated personnel with the expertise necessary to use CDM
technologies and take full advantage of their benefits. Is there a need
within your agency for more training or more cyber personnel to deploy
CDM tools?
Answer. Training and skill levels for cybersecurity staff are
significant issues across both the Federal enterprise and the private
sector, and this is particularly challenging with CDM. We are working
aggressively to develop the means to better recruit and retain skilled
cybersecurity Federal employees and contractors, both internally and in
coordination with the administration's cybersecurity workforce efforts.
We believe we will continue to face cybersecurity staffing challenges
because of the high market demand for cyber resources in general, as
well as the higher salaries available in the private sector. In concert
with training and recruiting, we believe our path forward must focus
on:
a. Automation--CDM and other automated tools let machines help
lessen the requirement for manual intervention, allowing for
the more efficient allocation of cyber resources.
b. Modernization--Cybersecurity must be built in from the moment
the planning and implementation process for any new system or
program begins, and it must be incorporated at every level,
from the design to the user interface.
Question 2. Last week, DHS and the FBI released an alert describing
an extremely sophisticated, deliberate, and successful operation by the
Russian government to hack into the industrial control systems of
energy providers. In your testimony, you mention some fairly alarming
``gaps'' that ``exist across the DOE enterprise,'' including the
National Nuclear Security Administration, the National Labs, and
individual plants and sites.
How do you reconcile this, in light of what we know about how
forcefully foreign actors like Russia are targeting U.S. energy?
Answer. The Department and our National Labs were very familiar
with the information released, which we had previously shared with the
private energy sector in our role as Sector-Specific Agency.
The Department has initiated a broad, comprehensive, and multi-
phase review of the Operational Technology cyber strategy and
capabilities across the Department. This approach is designed to
leverage resources from across the Department's program offices and
labs to identify gaps and implement requirements for improvements to
monitoring and response to attacks on these systems, which will inform
both the defense of our Federal systems and our ability to inform and
support the energy sector. Additional phases will address the broader
need for a strategic approach to advanced operational technology
security solutions across the hardening, detection, and response
functions.
The Department is diligently working to identify and remediate gaps
that exist in our capability to detect and defend against hostile
actors. We are pursuing a number of avenues in this regard, including
implementation of CDM tools; focusing our integrated Joint
Cybersecurity Coordination Center (iJC3) efforts to provide better
enterprise-wide cybersecurity information sharing; building enterprise
incident response teams capable of responding to threats that include
the Operational Technology in place at our Power Marketing
Administrations and other sites; and enhancing and implementing more
mature enterprise risk management to facilitate prioritization of our
cybersecurity efforts based on metrics. We believe the Department's
capability to execute a best-in-class cybersecurity program will
enhance our ability to work with and support the energy sector in the
face of expanding threats.
Questions From Ranking Member Bennie G. Thompson for Max Everett
Question 1a. For your agency, is there any senior cybersecurity
leadership positions that remain unfilled?
Question 1b. If so, how has that complicated your ability to move
forward with CDM and other information security initiatives?
Answer. The Office of the Chief Information Officer currently has
only a small number of positions unfilled. At this time, the Deputy CIO
for Cybersecurity position is occupied in an acting capacity--but that
has only been the case for approximately 1 month and we are actively
recruiting to fill that position. In addition, we are coordinating with
other offices across the enterprise to assist with their hiring efforts
to fill cyber leadership positions, including to meet new requirements
that are forthcoming from the planned Office of Cybersecurity, Energy
Security, and Emergency Response (CESER).
Despite the limited number of unfilled roles, I have determined in
my 9 months as CIO that there are staffing challenges my office faces
as we work to mature and expand our enterprise cybersecurity program.
We are now in the process of identifying additional Federal positions
to provide the customer service, oversight, and accountability
necessary to ensure a sustainable cybersecurity posture for the
Department. In some cases, critical roles have been filled by
contractors that I believe Federal employees should occupy. Contractors
provide flexibility and access to unique and changing subject-matter
expertise, but in certain cases a Federal employee is needed to provide
customer service, oversight, and accountability to critical activities.
Additionally, given the diverse missions and locations of critical
Departmental offices and functions, the IT leadership and cybersecurity
staff in the Department's program offices and sites are often even more
critical to our cybersecurity efforts. I am working to ensure that
these other cybersecurity professionals have an appropriate reporting
structure across the Department's program offices.
Question From Chairman Will Hurd for Scott Blackburn
Question. Once maintenance costs transition from DHS to your
agency, how much do you anticipate spending per year to sustain CDM?
Answer. CDM Phase 1 and 2 capabilities are scheduled to be fully
operational by 3d Qtr. of fiscal year 2019. VA just began participation
in CDM Phase 3. CDM-related costs in 2019 are estimated at $48.6
million to support licensing, maintenance, and operations of deployed
equipment. The exact cost is still being confirmed as DHS continues to
fund various aspects of the CDM program, including hardware, software,
and operations and maintenance support. The details for the long-term
operation and transition costs associated with Phase 2 and 3
capabilities are still being determined.
Question From Ranking Member Cedric L. Richmond for Scott Blackburn
Question. In January, we held a hearing with CDM contractors, who
told us that one of the challenges with implementation was the lack of
dedicated personnel with the expertise necessary to use CDM
technologies and take full advantage of their benefits. Is there a need
within your agencies for more training or more cyber personnel to
deploy CDM tools?
Answer. VA continues to deploy CDM Phase 1 and 2 capabilities using
VA and DHS resources. Final implementation is currently scheduled for
3d Quarter fiscal year 2019. As appropriate, VA personnel receive
training to perform their designated role and function. Once trained,
the DHS contractor and VA transition functions in a manner that
minimizes operational impacts. VA is also participating in the Phase 3
tasks, with plans to participate in Phase 4. Throughout VA's CDM
experience, we have managed resourcing requisite to the requirement and
trained staff as required. If available, VA could benefit from
additional training techniques and services to further augment existing
training efforts and to fill CDM supporting positions in support of all
CDM Phased deployments.
Questions From Ranking Member Bennie G. Thompson for Scott Blackburn
Question 1a. For your agency, is there any senior cybersecurity
leadership positions that remain unfilled?
Question 1b. If so, how has that complicated your ability to move
forward with CDM and other information security initiatives?
Answer. At this time, a key role in cybersecurity leadership that
is currently unfilled is the Deputy Chief Information Security Officer
for Policy & Strategy which is held by an acting official. VA is
currently reviewing candidates to select a permanent official for this
role, however, this selection process is in the early stages of review.
VA remains committed to implementing the CDM program activities. The
CDM program has continued to be a priority of the agency and
implementation activities have continued while those leadership roles
have been held by acting officials. The CDM program has remained a top
priority by coordinating with relevant leaders across participating
agencies and support resources to make sure the CDM mandate is
satisfied.
Questions From Honorable James R. Langevin for Scott Blackburn
Question 1. How extensive are the cybersecurity staff and skills
shortfalls at your agencies, and how are they affecting your
implementation of CDM?
Answer. VA is currently in the process of transitioning
responsibilities for CDM services, either through existing VA staff or
other support resources. With the on-going transition, VA is still in
the process of confirming gaps in cybersecurity staff skills necessary
to sustain and operate the CDM capabilities that are implemented. VA is
developing a plan to address those gaps while working on the transition
from DHS to VA.
Question 2. One of CDM's objectives is to replace manual, periodic,
and time-intensive system authorizations with an on-going process for
automated assessments and continuous authorization. Is that process
working, and are manual authorization processes truly going away?
Answer. VA deployed a commercial Governance, Risk, and Compliance
tool during fiscal year 2013 that initiated automated assessments and
supported automatic reviews for continuous authorization. VA was able
to move a purely manual assessment process to one that allowed for the
automatic collection of data through tools, services, and capabilities
already deployed in VA that report back compliance deficiencies and
vulnerabilities across millions of VA assets. In order to expand the
effectiveness of the continuous authorization capabilities, VA will
deploy the Enterprise Mission Assurance Support Service (eMASS) tool
used by the Department of Defense (DoD). eMASS will not only allow
greater delivery of automated assessment and authorization processing,
but will expand visibility for both VA and DoD into joint and partnered
systems' authorizations by each respective agency.
Manual processes, to the extent possible, will be replaced by
better use of compliance data, aggregated enterprise-level control
reviews, and the ability to provide enhanced system-level reporting at
an enterprise view. While some manual processes cannot be completely
eliminated, VA will always look for automated processing capabilities
where possible to replace manual requirements.
Question 3a. CDM represents a large investment of dollars and time.
I would like to understand how we will know that investment has been
successful, in terms of improved security across the dot-gov domain.
What metrics are you using to measure whether your cybersecurity
programs have actually improved your agency's security posture?
Answer. CDM automates the scanning of VA's infrastructure to
identify any hardware or software that is outside the National
Institute of Standards and Technology (NIST) and VA security standards,
that is, any vulnerability. The control values that alert the dashboard
to any such vulnerability are those standards and are built into the
tool. Those are the metrics that measure VA's security posture. As
vulnerabilities are identified, VA implements plans of actions and
milestones to remedy them. Therefore, it is the CDM dashboard itself
that will report VA's progress to improve the agency's security
posture.
Question 3b. How are you employing red teams to test the successful
implementation of your cybersecurity defenses?
Answer. VA has been leveraging DHS, National Cybersecurity
Assessments and Technical Services (NCATS) team for the past 2 years in
conducting an annual Offensive Security Assessment (OSA) of VA's
implementation of cybersecurity defenses. The assessment gives the
organization the ability to respond to a real-world attack in a
controlled manner, with limited number of VA trusted agents aware of
the full attack details. The OSA assesses VA's people, processes, and
technology by emulating various Advanced Persistent Threats (APTs) and
measures our cybersecurity response.
Question From Chairman Will Hurd for David Garcia
Question. Once maintenance costs transition from DHS to your
agency, how much do you anticipate spending per year to sustain CDM?
Answer. OPM anticipates initially spending approximately $8 million
annually to sustain the CDM Phase 1 capabilities, once the maintenance
costs are transitioned from DHS.
Questions From Ranking Member Cedric L. Richmond for David Garcia
Question 1. In January, we held a hearing with CDM contractors, who
told us that one of the challenges with implementation was the lack of
dedicated personnel with the expertise necessary to use CDM
technologies and take full advantage of their benefits. Is there a need
within your agencies for more training or more cyber personnel to
deploy CDM tools?
Answer. OPM has dedicated personnel with the expertise necessary to
use CDM technologies. However, as threats continue to evolve this will
present additional challenges and agencies will need to make certain
that the Federal technology and cybersecurity workforce is available
and properly trained to meet such challenges.
Question 2a. The DHS Inspector General recently released a report
finding a number of information security vulnerabilities at DHS,
including some NPPD systems that were operating without proper
authorization. What is the status of DHS's own implementation of CDM?
Has the Department fully deployed Phase 1 technologies?
Answer. OPM defers to DHS to discuss its own implementation of CDM.
Question 2b. Might CDM adoption have been easier or more efficient
with a Department-wide cybersecurity strategy in place, as was required
under legislation I authored in 2016?
Answer. OPM defers to DHS to discuss its own implementation of CDM.
Question From Ranking Member Robin L. Kelly for David Garcia
Question. During Phase 1 implementation of CDM, many Federal
agencies discovered that they had greatly underestimated the number of
devices on their network and, as a result, the planned-for CDM
deployments would be inadequate to service their larger networks.
Indeed, DHS has publicly acknowledged that it identified 44 percent
more devices on Federal civilian networks than originally projected,
leading to significant gaps in coverage. Filling these gaps should be a
significant priority for DHS and its civilian agency partners as CDM
proceeds. What risk does the current level of coverage present and how
soon will the identified gaps be filled?
Answer. OPM accurately estimated the number of devices on the OPM
network during Phase 1 implementation of CDM. In addition, OPM is
working with DHS to improve and enhance the end-to-end protections
where gaps were identified in the overall solution.
Questions From Ranking Member Bennie G. Thompson for David Garcia
Question 1a. For your agency, is there any senior cybersecurity
leadership positions that remains unfilled?
Question 1b. If so, how has that complicated your ability to move
forward with CDM and other information security initiatives?
Answer. Currently, there are no senior cybersecurity leadership
positions that remain unfilled at OPM. OPM was one of the first
agencies to fully implement CDM Phase 1 with the CDM dashboard fully
populated in the spring of 2017 using the CDM sensors we've been
deploying since 2015. In addition, we are finalizing the implementation
of CDM Phase 2.
Questions From Chairman John Ratcliffe for Kevin Cox
Question 1a. What is the time line for the CDM program office to
produce the capability requirements for Phase 4?
Answer. The Continuous Diagnostics and Mitigation (CDM) Program is
developing the Phase 4 capability requirements and expects to have them
completed by the first quarter of fiscal year 2019.
Question 1b. When is the earliest an agency could have moved
through all CDM phases?
Answer. The program is beginning Phase 3 and starting Phase 4
pilots in fiscal year 2018. Phase 3, which includes cloud and mobile
continuous visibility, is expected to run through fiscal year 2021.
Phase 4 will be focused on providing enhanced data protection for high-
value asset (HVA) environments and is expected to run through fiscal
year 2023. The date by which an agency could move through all CDM
phases is dependent on the size of the agency, its total number of
HVAs, its readiness and prioritization for CDM solution deployment, and
overall funding. We plan to begin deployment of Phase 4 data protection
capabilities in fiscal year 2019 for an initial set of agencies who are
ready for the capabilities and fall within our budget. The time line to
fully deploy Phase 4 is dependent on the agency's specific
requirements, readiness, and CDM funding.
Question 1c. What is beyond Phase 4?
Answer. The CDM program includes activities required to keep pace
with technology advances over the life of the program. The Department
of Homeland Security (DHS) is still developing the future strategy for
the CDM program to ensure that the program evolves after the currently
defined four capabilities are deployed. The most appropriate path
forward is to stay in front of the cybersecurity threat and support the
agencies as threats and technology evolve. As part of this
consideration, the program is now transitioning from the phase model to
a capabilities-based model that anticipates threats. By shifting to a
capabilities focus, the program can address specific new cybersecurity
capabilities as they develop throughout the life cycle of the program.
Question 1d. Are there plans for a long-term strategy to ensure CDM
is a platform for an effective cybersecurity posture in the next 3 to 5
years?
Answer. In the fiscal year 2018 President's budget, additional
funding was given to the program to speed up the deployment of mobile
asset tracking and cloud asset tracking--both previously defined as
Phase 3 activities starting in fiscal year 2019 and fiscal year 2020.
Funding, however, is not the only factor in the speed at which CDM is
deployed. DHS is actively working with agencies to identify where Phase
3 efforts can be adopted more quickly based on agency readiness and
where Phase 4 pilot efforts can be accelerated.
Question 1e. Has DHS considered accelerating the roll-out and
adoption of the capabilities in Phases 3 and 4, similar to what was
done with the Einstein E3A initiative?
Answer. Response was not received at the time of publication.
Question 2a. How can CDM be leveraged to better understand the
security posture of High-Value Assets?
Answer. When and where possible, the Continuous Diagnostics
Mitigation (CDM) Phase 1 tools are deployed in the High-Value Asset
(HVA) environments to gain continuous visibility of the HVA cyber
hygiene. Similarly, CDM Phase 2 Manage Privilege and Accounts
(PRIVMGMT) and Manage Credentials and Authentication (CREDMGMT)
capabilities are deployed to better understand the users who have
access to the HVA. CDM Phase 3 includes event management capabilities
as a requirement. Getting audit logs from HVAs to an event management
system will help agency security operations personnel monitor for
system and network anomalies. Finally, Phase 4 capabilities, once
deployed, will help agencies ensure the data associated with the HVA is
protected.
Question 2b. Is it worth prioritizing High-Valued Assets for
speedier roll out of CDM capabilities?
Answer. The Department of Homeland Security (DHS) believes that it
is worth prioritizing High-Value Assets for deployment of CDM
capabilities. While many CDM deployment activities can run in parallel,
it will not be possible to deploy all Phase 3 and 4 capabilities to
HVAs at one time. As such, prioritization of HVAs will help agencies
manage risk and identify where it should be tackled first.
Question 2c. Is it worth considering High-Value Asset data
differently in measuring the cybersecurity risk posture of a Federal
agency?
Question 2d. Can such a measurement be reflected on the CDM
dashboard--both at the agency level and the Federal enterprise
dashboard?
Answer. DHS believes that it is worth considering High-Value Asset
data differently in measuring the cybersecurity risk posture of a
Federal agency. The CDM Program is planning to identify HVAs in the
Agency and Federal Dashboards. This identification will enable the
Department of Homeland Security and the agencies to assign specific
measurements to HVAs that aren't assigned to other non-HVA systems.
Additionally, through the implementation of the Agency-Wide Adaptive
Risk Enumeration (AWARE) risk measurement algorithm that will be
deployed in the summer 2018, DHS will be able to assign different
weights to systems and vulnerabilities to draw attention to the most
critical issues.
Question 3a. The CDM program is reliant upon system integrators to
roll out the solutions of each phase, can you compare the success of
each integrator?
Answer. With our partner the General Services Administration (GSA),
the Continuous Diagnostics and Mitigation (CDM) Program regularly meets
with and monitors the performance of each integrator. Each year, we
also complete a Contractor Performance Assessment Report (CPAR) for
each integrator. Under our current task orders awarded off the original
CDM Blanket Purchase Agreement (BPA), the CPARs are the best way to
compare the success of the integrators. Under the new CDM DEFEND
acquisition strategy, task orders are being awarded as ``cost plus
award fee''. With these task orders, the program and GSA will be
evaluating each integrator semi-annually to measure integrator
performance and determine the appropriate award fee level for that half
year.
Question 3b. Is there a comparable level of success across the
board or do CDM integrators vary in their consistency?
Answer. While the program and GSA have had to address some
performance issues with some of the integrators at different points,
the integrators are ultimately measured on achieving the objectives of
each task order. In that regard, each integrator is making progress
toward the successful completion of the task order. With CDM DEFEND,
the program will be able to track the performance of each integrator
more granularly over the life of each task order.
Question 3c. If so are there any broad lessons learned about
managing or choosing integrators?
Answer. One of the key lessons learned throughout the CDM program
thus far is the importance of closely monitoring risk for each task
order and quickly escalating if the risk increases or becomes an issue.
The faster problems can be identified and addressed, the better off all
parties will be and the more quickly progress can be made.
Question 4. How has the Information Security Continuous Monitoring
(ISCM) strategy been aligned with CDM capabilities and the phased roll-
out to ensure an efficient use of taxpayer dollars?
Answer. The Continuous Diagnostics and Mitigation (CDM) Program is
the core of the Information Security Continuous Monitoring (ISCM)
strategy and the phased roll-out of the program was developed to help
reach realization of ISCM. In CDM Phase 3, the program is tackling on-
going assessments to help automate the assessment of as many
cybersecurity controls as possible with the Phase 1 and 2 tools, as
well as those of future phases. The automated controls will then serve
as input into the development of on-going authorization, a chief aim of
the ISCM strategy.
Questions From Chairman Will Hurd for Kevin Cox
Question 1a. In the Continuous Diagnostics and Mitigation Update
dated December 15, 2017 (provided by DHS to the committee), the Phase
Two PRIVMGMT Implementation Tracker indicates certain implementation
activities are deemed ``out of scope for period of performance due to
agency not being ready/interested in participating.'' Are these
agencies not interested in implementing CDM privilege management tools
in the future?
Answer. Ultimately, all agencies will need to report their PRIVMGMT
and CREDMGMT requirements data into the Phase 2 master user record
(MUR) that will be a core component of the agency dashboards. For
agencies that have or already are deploying PRIVMGMT tools that meet
the CDM data requirements, the program did not need to invest further
resources in those efforts. In other cases, agencies were focused on
other priorities, but intend to participate in the future task orders.
Question 1b. Or, are there plans to move forward with complete
implementation that occur after this period of performance (ending 07/
11/2018)?
Answer. The CDM DEFEND acquisition strategy was developed so that
work for all phases of the CDM Program can occur through each task
order. Therefore, the program will be able to work with the agencies
and integrators to add new agency requirements when they arise.
Question 1c. Please provide the names of all agencies that have
indicated they do not plan to participate in full Phase 2
implementation, meaning complete implementation of PRIVMGMT and
CREDMGMT capabilities.
Answer. Because CDM DEFEND will allow the program to work with the
agencies and integrators to integrate capabilities as new agencies sign
up for CDM or expand their requirements, we do not anticipate at this
time that there will be any agencies that do not plan on participating
fully in Phase 2 implementations. That being said, the program will
inform the committee if any agencies indicate that they will not be
participating fully in Phase 2.
Questions From Ranking Member Cedric L. Richmond for Kevin Cox
Question 1. In January, we held a hearing with CDM contractors, who
told us that one of the challenges with implementation was the lack of
dedicated personnel with the expertise necessary to use CDM
technologies and take full advantage of their benefits. Can DHS do
anything to address this, perhaps by adding training and labor into
contracts for integration services?
Answer. The need for additional training and to help agencies
obtain expertise to manage the Continuous Diagnostics and Mitigation
(CDM) tools was one of the lessons learned from the original CDM task
orders. As a result, the program built mechanisms into the CDM DEFEND
acquisition strategy to allow agencies to obtain more subject-matter
expert training on the CDM tools. Agencies can also place their own
funding on the DEFEND contract if they want to obtain additional
training. Additionally, the agencies can use the CDM DEFEND vehicle to
obtain additional life-cycle support for their current and future CDM
technologies.
Question 2a. The DHS Inspector General recently released a report
finding a number of information security vulnerabilities at DHS,
including some NPPD systems that were operating without proper
authorization. What is the status of DHS's own implementation of CDM?
Answer. The Department of Homeland Security (DHS) Office of the
Chief Information Officer continues to make progress in the
implementation of Continuous Diagnostics and Mitigation (CDM)
throughout the organization.
Question 2b. Has the Department fully deployed Phase 1
technologies?
Answer. DHS is in the process of fully deploying Phase 1
technologies. By the end of the task order period of performance on
June 15, 2018, we expect DHS to be at a 95 percent completion level for
all networks/components originally scoped for the first DHS Phase 1
contract. The remaining 5 percent included in the original contract
scope will be addressed in the follow-on CDM DEFEND contract that was
just awarded in May 2018.
Question 2c. Might CDM adoption have been easier or more efficient
with a Department-wide cybersecurity strategy in place, as was required
under legislation I authored in 2016?
Answer. In November 2013, the Acting Deputy Secretary for DHS
issued the ``One DHS'' Deployment of CDM Capability memo to all
component heads, noting the Department's commitment to a leadership
role in the Federal Government with regards to cybersecurity. The memo
directed DHS components to standardize as much as possible around the
common security controls being deployed by CDM and that memo supported
CDM deployment throughout the agency. In addition, Secretary Nielsen
has signed out the DHS Cybersecurity Strategy, as called for in the
2016 legislation, and places a priority on protecting Federal
networks--including DHS's networks.
Question 3a. It looks like DHS has made a lot of progress in
getting the so-called ``CFO Act agencies'' to move forward with CDM
adoption, but smaller, non-CFO Act agencies have been more of a
challenge. How many of these non-CFO Act agencies is DHS currently
working with on CDM?
Answer. The Continuous Diagnostics and Mitigation (CDM) Program
currently has memorandums of agreement (MOAs) in place with 56 non-CFO
Act agencies. The CDM Shared Service Platform for the non-CFO Act
agencies received its authority to operate in March 2018 and the CDM
Program is now deploying the CDM Phase 1 and 2 capabilities to these
agencies in multiple waves. The CDM Program is currently reaching out
to the remaining non-CFO agencies to establish signed MOAs with them to
include them as participants in the program.
Question 3b. What tactics can DHS use to grow participation?
Answer. Through our outreach, the program is finding that the non-
CFO Act agencies want to participate in the CDM program and get the
benefits. When an agency is uncertain, Department leadership is able to
engage to help address any concerns and answer any remaining questions.
Questions From Ranking Member Robin L. Kelly for Kevin Cox
Question 1. What is the time line to roll out Phase 4 data-level
protection capabilities as called for in the President's IT
Modernization Report and fiscal year 2018/2019 CDM budget requests (see
attached)?
Question 2. Have DHS and GSA considered accelerating the adoption
of phase 4 capabilities for all .gov agencies?
Answer. Continuous Diagnostics and Mitigation Phase 4 will focus on
enhancing data protections for agency high-value assets (HVAs). The
program is starting a series of Phase 4 pilots in fiscal year 2018 and
is looking to increase Phase 4 efforts in fiscal year beyond what was
originally planned in the program's life-cycle cost estimate.
Questions From Ranking Member Bennie G. Thompson for Kevin Cox
Question 1a. For your agency, is there any senior cybersecurity
leadership positions that remain unfilled?
Question 1b. If so, how has that complicated your ability to move
forward with CDM and other information security initiatives?
Answer. The National Protection and Programs Directorate has
individuals in the senior cybersecurity leadership positions.
Question 2a. As you know, there is a great deal of diversity among
agencies--in terms of their size, structure, and management culture.
How is your experience different working with large CFO Act agencies,
versus small and micro agencies?
Answer. The largest CFO Act agencies tend to be federated amongst
their components and Operational Divisions (OpDivs). This federation
introduced challenges in Phase 1. Communication and collaboration were
key in overcoming these challenges. With the small- and medium-sized
agencies, federation was not as big of an issue. The Continuous
Diagnostics and Mitigation (CDM) program still experienced some delays
with these agencies due to solution alignment issues within the agency,
but the delays tended not to be as prolonged as we saw in the larger
agencies.
Question 2b. Are there ways the CDM program could be more
responsive to the needs of small- and medium-sized agencies?
Answer. With all sized agencies, communication is a key for
success. Through sustained communication with the agencies, the CDM
program is able to better understand the agency needs and unique
requirements. The program can then work with the integrator to shape
the CDM solution appropriately for each agency. Good, sustained
communication takes work, but offers a good pay-off.
Questions From Honorable James R. Langevin for Kevin Cox
Question 1. NPPD's Congressional Justification for its fiscal year
2019 budget request does not describe any efforts by CDM to provide
asset management, identity management, network monitoring, or data
protection capabilities for cloud-based services. Cloud security is not
mentioned in the CDM Technical Capabilities documents published by GSA
(Volumes One and Two). On March 20, you testified that your intention
with CDM Phase 3 was to provide agencies with ``visibility of their
data and their networks . . . wherever that data is, whether it's out
in the cloud, whether it's on a mobile device, wherever it's stored or
used.'' What tools and services will CDM provide to Federal agencies to
secure their cloud services?
Answer. The Continuous Diagnostics and Mitigation (CDM) Technical
Capabilities documents are updated at least annually. Cloud, mobile,
and many of the other Phase 3 efforts will be addressed in the next
update. As for the CDM approach for cloud, the program is working to
develop the appropriate approach for continuous monitoring in the
cloud. Given the differences between on-premise and cloud
architectures, the CDM program will not be able to approach cloud
environments the same way we did for on-premise networks (e.g., we
won't be deploying individual sensors on each Virtual Machine (VM) in
the cloud, as these VMs can change frequently). Rather, we are looking
to achieve continuous monitoring in the cloud through multiple
mechanisms that are in the process of being developed. These may
include a network security stack in front of the cloud environment,
data interfaces to the security controls provided by the cloud service
providers (CSPs), and visibility into data from other security
capabilities provided either by the CSP or a third-party entity.
Question 2. As we know from the critical infrastructure community,
cybersecurity must extend beyond desktop computers. Within DHS, for
example, Border Patrol, TSA, and FEMA agents employ diverse sensors and
communications systems that don't run on Windows. What tools and
services will CDM provide to Federal agencies to help protect mobile,
operational, or other networked devices with uncommon operating
systems?
Answer. Many of the Continuous Diagnostics and Mitigation (CDM)
Phase 1 tools provide continuous visibility for many versions of Unix/
Linux and MacOS. However, not all operating systems are covered by all
tools. Where we have identified gaps, we plan on working with the CDM
DEFEND integrators to identify the best technology to help fill those
gaps. This will be an on-going effort, particularly as more Internet of
Things devices come on-line. As for mobile, we will interface with each
agency's Enterprise Mobility Management (EMM) system to gain visibility
into the devices and mobile apps in use in the environment. If an
agency does not have an EMM, we will work with the agency and the
integrator to identify the optimal EMM solution for the agency.
Question 3. The DEFEND contract moved CDM away from implementing
identical tools and toward helping agencies procure a variety of tools
and services from an approved list. This flexibility will likely result
in unique cybersecurity implementations, making it more difficult to
share and reuse collected data, and increasing the cost of integrating
new tools in the future. What guidance is DHS providing to agencies to
encourage reuse, sharing, and interoperability of cybersecurity data
and tools?
Answer. The key to making the additional flexibility work is to use
technologies from vendors that participate in and use common data
interface standards. The Continuous Diagnostics and Mitigation (CDM)
program is building these into our requirements. As long as a product
meets these standards, gaining access to the data that fulfills the CDM
requirements is a pretty direct process. We know from experience that
this can work based on the many different CDM technologies in use
today. Based on our experience so far, we expect most agencies will
settle on a single tool throughout their agency for each respective CDM
capability. The flexibility gains a lot of value when agencies are able
to use existing tools already in place to meet future CDM data
requirements, as long as we can establish an interface to the data. The
benefits include more willing agency participation, potential cost
savings, and fewer scenarios where agencies must remove existing tools
and replace with CDM tools.
Question 4. What metrics are you collecting to demonstrate that CDM
has successfully improved cybersecurity in the adopting agencies?
Answer. The Continuous Diagnostics and Mitigation (CDM) Program has
developed a series of metrics demonstrating cost savings compared to
General Services Administration IT Schedule 70, significant asset and
user discovery improvements, and millions of assets now having near
real-time cybersecurity sensors in place. We are continuing to build on
these to show how the agencies are starting to use the CDM tools to
reduce their attack surface and improve their overall cyber hygiene.
During the summer of 2018, the CDM program is also introducing the
Agency-Wide Adaptive Risk Enumeration (AWARE) algorithm that will allow
agencies to compare their security posture over time against their
original baseline. It will also give Federal leadership a tool to
measure agency cybersecurity performance. The AWARE algorithm will be
implemented by late fiscal year 2018 and will be operationalized
through fiscal year 2019.
Question 5. CDM represents a large investment of dollars and time.
I would like to understand how we will know that investment has been
successful, in terms of improved security across the dot-gov domain.
How extensive are the cybersecurity staff and skills shortfalls in your
program, and how are they affecting your ability to execute the
program?
Answer. The key to showing the success of the investment is through
metrics like the Agency-Wide Adaptive Risk Enumeration (AWARE)
algorithm. By baselining agencies at the start, it gives us a way to
measure improvement over time. The Continuous Diagnostics and
Mitigation program can already show that success today through metrics
like the significant asset discovery improvements and the total number
of assets reporting to the Federal Dashboard that have security sensors
in place that can report the near real-time vulnerability and
configuration state of each asset. The AWARE algorithm will pull all of
the various measures into a singular score that will be standardized
and allow for comparisons between agencies.
In regards to staff in the CDM Program, we have a skilled,
dedicated team of 40 people and are in the process of hiring and
performing security clearances on an additional 14. Through recent
staffing planning, the estimated personnel needs are known for the work
associated with Phases 3 and 4 and included in the life-cycle cost
estimates of the program used to inform future year budget requests.