STATEMENT
OF THE HONORABLE CLAY JOHNSON III
DEPUTY DIRECTOR FOR MANAGEMENT
OFFICE OF MANAGEMENT AND BUDGET
BEFORE THE COMMITTEE ON GOVERNMENT REFORM
U.S. HOUSE OF REPRESENTATIVES
June 8, 2006
Good morning, Mr. Chairman and Members of the Committee. Thank you for inviting me to speak about the adequacy of existing laws, regulations, and policies regarding privacy, information security, and data breach notification.
Unfortunately, I am here today in the wake of an unprecedented security breach causing the loss of personal data concerning millions of people. Clearly we have a problem. Losing any type of government data is bad enough, but losing personal data is especially troubling as it undermines the public’s trust and confidence in our ability to protect them as individuals and keep them from harm.
As your invitation requested, I will describe our review of existing laws
and policies, the lessons we have learned from the recent incident and steps
for improving our response in the future. You will note the steps we
are taking include a focus on better understanding how security programs are
actually performing to help avoid breaches in the first place.
Over the past several weeks since the incident, we have reexamined the law
and policies designed to prevent problems such as this. We have looked
for weaknesses in the policies themselves and in our oversight and measurement
of agency performance in implementing them. While we believe the law
and policies are generally sound and this incident would not have occurred
had elementary and long-standing security procedures been followed, this is
a hollow victory and we are left with the same unacceptable results – a
breach placing the data concerning millions of people at risk and from which
each individual may have to recover.
Our review has identified four specific, but related issues. First, the recent incident makes painfully obvious a long-known security risk – a single trusted individual can mistakenly or intentionally and very quickly, undo all of the sophisticated and expensive controls designed to safeguard our information and systems from attack. To safeguard against this risk, the agencies themselves must be held accountable for implementing existing policies such as segregating personnel duties so one person cannot cause such damage.
Second, good security and privacy are shared responsibilities. As you know, within a framework of laws developed by Congress and through direction from the President, the Office of Management and Budget (OMB) develops policies for and oversees agencies’ programs to protect security and information privacy. Agencies are responsible for implementing the policies based upon the risk and magnitude of harm that would result from a breach in their security, ensuring their programs are managed to maintain risk at an acceptable level, and Inspectors General must independently evaluate effectiveness. Each individual, from rank and file employees and their supervisors to independent evaluators and overseers, must be held accountable for performing their assigned responsibilities. The American public expects and deserves positive results from all of us.
Third, while we have seen significant improvements in agency security planning – more than 80% of government systems are certified and accredited, 17 Inspectors General rate agency planning processes as satisfactory or better and 12 Inspectors General indicate their agency has put this planning into practice improving their security performance – our view of the state of government security is much the same as reflected in your Committee’s annual security report card – it is not nearly where it must be.
Of course we all know good planning is not enough. Plans must be executed and agency employees must be instructed in clear and unambiguous terms on how to use them, the rules they must go by, and what will happen if the rules are not followed. Equally and perhaps more importantly, managers must oversee execution, ensure their employees are in fact doing what the plans say must be done, and continually monitor operational effectiveness in an ever-changing risk environment. Finally, as the Federal Information Security Management Act says, Inspectors General must independently evaluate their agencies’ programs. To get a better picture of how agencies are executing their plans, I am directing each agency head to describe in their annual Federal Information Security Management Act report the specific actions they take to ensure their plans are in fact being implemented.
Fourth, security and privacy are commonly seen as separate responsibilities and programs. They are not. We see them as separate pieces of the same puzzle – personally identifiable information is an example of what to protect, while security is a program for how to protect it. At least in part due to this program separation, agencies also characterize differently how and when to report incidents and breaches involving privacy and security. There are also differences in how agencies characterize and report incidents and breaches stemming from physical or cyber incidents.
Correcting this problem involves both near and mid-term efforts. We
have begun reviewing these issues using both the Identity Theft Task Force
established by Executive order on May 10, 2006, and an OMB-led working group
of agency privacy experts. Additionally, we will begin working with the
Department of Homeland Security, designated by law as the government’s
central cyber incident coordination organization, to combine incident reporting. Without
prejudging the results of these efforts, we will remove any artificial and
unnecessary barriers or differences between various reporting practices for
security and privacy incidents, and make clear to all agency employees what
they must report, to whom, and within what specific timeframe.
In taking these actions, we will certainly continue to apply our current policy
of immediate reporting of the highest-impact incidents such as the recent loss
of personally identifiable information. We will also see if revisions
are needed to the current reporting requirements and schedules for lower impact
incidents. Also, to ensure a more timely picture of all agencies’ operational
security, I have directed my staff to work with the Department of Homeland
Security, the Chief Information Officers Council, and Senior Agency Officials
for Privacy to identify the appropriate level of detail and a schedule for
distributing a periodic government-wide incident report to agency officials,
Inspectors General, and other interested parties such as the Government Accountability
Office. This may be a quarterly report – our current annual report
to Congress is not timely enough.
At my direction, Senior Agency Officials for Privacy are now reviewing the
effectiveness of their security programs and will report to OMB their findings
early this fall with their agency’s annual reports under the Federal
Information Security Management Act. These reports will help us identify
the extent to which additional actions are necessary.
I also would like to mention longer-term steps we are taking to increase the security of our sensitive information, computer systems, facilities, and employees. In response to an August of 2004 Presidential directive, OMB led the development of a common identification standard for several million Federal employees and contractors. This directive requires all Executive branch agencies to conduct background checks on their employees and contractors before issuing them permanent government identification. The agencies are now conducting these checks and in October of this year, will begin issuing new identification cards. These cards have built-in security features to control access to government computer systems and the government’s physical facilities.
I have outlined above a number of actions we are taking to demonstrate the Administration takes its information privacy and security responsibilities very seriously. These will help prevent a recurrence of an incident such as we just experienced, permit us to better respond if prevention fails, and provide us a more complete and timely view of the security performance of the agencies. Agencies spend more than $4.5 billion each year on controls to protect information and computer systems and we will use the budget process to ensure this money is wisely spent and re-emphasize new spending on information technology will not be approved if sound security is not already in place for existing systems and programs. We are prepared to take more action as necessary and I look forward to working with you to improve our security and privacy programs and welcome any suggestions you have.