STATEMENT OF

EUGENE K. TAYLOR, JR., ACTING CHIEF INFORMATION OFFICER

US DEPARTMENT OF TRANSPORTATION

BEFORE THE

COMMITTEE ON GOVERNMENT REFORM

SUBCOMMITTEE ON GOVERNMENT EFFICIENCY,

FINANCIAL MANAGEMENT, AND INTERGOVERNMENTAL RELATIONS

U.S. HOUSE OF REPRESENTATIVES

November 19, 2002


Good morning, Mr. Chairman and Members of the Committee. On behalf of the US Department of Transportation (US DOT), let me thank you for this opportunity to appear before you to discuss our IT Security Program. For the purposes of today's hearing, I will provide the Committee with an overview of US DOT's Information Technology (IT) Security Program, our progress in FY2002, and our plans for improvements in Fiscal Year 2003. Before I begin, I would like to first acknowledge the role you have played in the last decade on IT Security issues. Through your attention to this issue we have all witnessed a substantial increase in attention and efforts to improve visibility of the IT Security problem. While we still have some challenges to overcome within the US Department of Transportation, I am pleased to report today that we are demonstrating progress. We believe we now have a sound cyber security strategy to guide the department and to prioritize our activities. We also believe that we have made solid progress during 2002. That said, we are fully aware that this "Rome" will not be built in a day. We have an aggressive program for 2003, and we are laying the groundwork for efforts that will take additional years and resources to fully address the cyber security challenge facing our department and our nation. Therefore, I am pleased to report today that we are demonstrating progress due in large part to your leadership.

Background

The US Department of Transportation (US DOT), based on the leadership and commitment of Secretary Mineta, has made significant efforts to improve our IT Security program over the past several years. The enactment of the Government Information Security Reform Act of 2000 (GISRA), along with the events of September 11, 2001, has resulted in a renewed priority and focus on this program. In particular, GISRA has provided insightful guidance and a performance-based reporting process that has assisted us in making IT Security a top priority in the Department. In 2001, US DOT demonstrated a commitment to the IT Security program by hiring a Senior Executive, selected from a pool of over 60 applicants representing IT Security experts in both Government and Industry, to lead the US DOT IT Security Program. She has an extensive background in IT Security. She has served as a US Army Military Intelligence Officer, as a Director and Vice-President in various IT Security consulting firms, and as a Senior Manager with Ernst & Young LLP, and has over 16 years of experience in designing IT Security programs and solutions for both Government agencies and financial services institutions. In conjunction with her hiring, the Department embarked on a thorough assessment, using the NIST 800-26 standards, of the IT security posture of our 15 Operating Administrations (OA) [1] to identify and assess our IT Security risks as a part of both the FY2001 and the FY2002 GISRA process. As you know, the breadth of our Information Technology portfolio is vast, consisting of thousands of systems supporting mission critical safety, security, and economic mobility business operations. Consequently, this assessment was a substantial accomplishment for the Department, and allowed us to establish a baseline from which to begin implementing change.
Based on the weaknesses identified during these reviews by the US DOT Office of the Chief Information Officer (OCIO), the Operating Administrations, the US DOT Inspector General, and the General Accounting Office, and feedback from OMB, US DOT developed and gained executive approval to execute an enterprise-wide, comprehensive FY 2002 Agency Security Plan that was embraced by all Operating Administrations. This was the cornerstone of our strategy to improve IT Security – ensuring that the previously divergent Operating Administrations collaborated to jointly develop and execute this plan. Within the department, our Operating Administrations philosophically converged and committed to a shared vision and set of goals for improving the IT Security program in FY2002. In fact, the Federal Aviation Administration (FAA) assumed a key leadership role on behalf of the Department by leading an IT Security subcommittee under the Department’s CIO Council to establish these goals. Additionally, the DOT OCIO and the Inspector General formed a collaborative relationship that contributed to identifying the weaknesses in our program, and establishing the strategy for improvements. The consensus goals for the FY 2002 US DOT IT Security Program were to: Increase senior executive visibility and commitment to the IT Security program; Establish a comprehensive Performance Measurement Program that mapped IT security program performance to the President’s Management Agenda; Conduct specialized training for personnel performing IT Security duties; Integrate IT Security into the Capital Planning and Investment Control (CPIC) process; Establish a comprehensive incident reporting program; and Focus on implementing network and perimeter security controls. 
Executing this plan produced the following accomplishments in FY 2002, beginning with the first goal: gaining a renewed executive commitment to the US DOT IT Security Program from the Secretary, his staff, and the Heads of our Operating Administrations. The Secretary personally designated May 2002 as the Department's First Annual Computer Security Month, established awards for achievements in IT Security for individuals, and supported attendance at a scheduled awareness event for the executive staff. The second goal accomplished by the US DOT was the development of a comprehensive IT Security Performance Measurement (IT SPM) program to identify and track quantifiable results related to key IT security metrics. The results from our FY2001 and FY2002 GISRA assessments served as the baseline from which progress was measured. The results of this program indicated that in FY2002, the Department made noteworthy improvement in reducing IT security program related weaknesses and in reducing vulnerabilities, and thus risks, in our primary demilitarized zone (DMZ). Our third goal was to institute a robust training and awareness program, focused on developing and providing specialized training to IT security personnel. Based on this program, US DOT provided awareness training to the majority of our employees, and provided specialized training in certification and accreditation (C&A) and network security to the majority of the Agency-level Information Systems Security Officers (ISSO). Additionally, the program provided a specialized, hands-on 5-day training course to more than 74 departmental systems administrators. Our fourth goal was to develop and begin implementing a comprehensive policy for integrating IT security into the CPIC process.
The policy, effective June 2002, prescribed that Agency ISSOs participate as members of the CPIC review board; the policy also outlined the requirements for IT security in each phase of the CPIC and the system development life cycle, and it stipulated a methodology for estimating security costs. The implementation of this policy began with the FY 2004 budget process, where all applicable programs incorporated security percentages. Our fifth goal was to develop and execute an Incident Reporting Policy Memorandum and begin reporting incidents on a weekly basis to the Federal Computer Incident Response Center (FedCIRC), the National Infrastructure Protection Center (NIPC) and other law enforcement agencies as required. In addition, the Department continued to implement intrusion detection systems (IDS) at critical access points throughout the US DOT backbone and on the local area networks of the National Highway Traffic Safety Administration (NHTSA), the Research and Special Programs Administration (RSPA) and the FAA. Although the focus in FY2002 was network/perimeter security, DOT/FAA continues to certify and authorize mission critical systems deployment while addressing these new, complex cyber threats at the electronic boundary of the DOT enterprise. The Department published comprehensive network security guidelines and began a Web server vulnerability testing program in the US DOT DMZ. Based on this program, vulnerabilities decreased by a large percentage. In addition, the Department continuously looked for opportunities to leverage a "buy once, service many" philosophy. For example, the US DOT established a contract for an enterprise-wide vulnerability scanning tool that was made available to all Operating Administrations. This contract was the result of an FAA product testing effort, and provided all Operating Administrations with an effective, low cost, cross cutting solution for vulnerability identification, management and risk tracking, and remediation.
Although we made great progress in FY2002, US DOT also acknowledges several areas as opportunities for continuous improvement in the IT Security Program. IT funding must be prioritized to ensure that IT security weaknesses are appropriately funded. In addition, these weaknesses illustrate a requirement to shift our attention from improving perimeter and network security to a more system-centric approach in the FY 2003 Agency Security Plan. Increased emphasis needs to be placed on program integration and the resulting system-level reporting and control effectiveness, including the development of an improved system inventory methodology, Certification and Accreditation guidance, and improved levels of review of mission critical IT systems. Although process improvements have been made in vulnerability testing, US DOT will be expanding this program to include all Web servers and internal systems in the upcoming year, and will conduct periodic compliance reviews. External connections, including dial-up, need to be thoroughly reviewed and secured, and contracts must be modified to specify that Application Service Providers and other partners must meet US DOT personnel and IT security policy and guidance prior to connecting to or hosting a US DOT site. Although there have been improvements in US DOT's Incident Reporting and Response Program, additional guidelines will be implemented to ensure consistency in the process. Based on the identification of the weaknesses indicated above, US DOT has established the following goals and objectives for FY 2003–2004. US DOT plans to develop and implement a standard methodology for IT system inventory and implement an established system review process. Additionally, by the end of FY 2003, US DOT plans to have completed system reviews for an increased number of US DOT mission critical IT systems.
US DOT is also implementing consistent incident detection and reporting capabilities Department-wide, and through the FAA is collaborating with FedCIRC and other leading agencies on methods to more rapidly share incident and cyber-threat data. US DOT will also be designing a common access control architecture to improve system-level access controls in collaboration with the government-wide e-Authentication initiative. With the adoption of the enterprise-wide tool, vulnerability testing and reporting will be expanded to a larger percentage of US DOT IT systems. US DOT is also planning on completing integration with the Enterprise Architecture process and incorporating process improvements into the CPIC based on lessons learned from the FY 2004 budget process. US DOT will continue to participate in Project Matrix and the upcoming FedCIRC patch management system. The Department also looks forward to continued participation in the Executive Branch Information Systems Security Committee (EBISS) and the e-Authentication initiative, and in other opportunities where the Federal Government can obtain performance and cost efficiencies through collaborative projects. While many improvements have been made in our IT Security program over the past year, the fact is that systemic improvements will only occur if IT resources for security are appropriately prioritized and integrated into systems and programs. The department acknowledges that effective management, IT capital planning integration, strategic planning, and identification of security gaps are the baseline for establishing a solid IT Security program.

I trust that you will derive from my remarks an understanding of the efforts the US DOT has taken to improve our IT Security program, and the commitment of Secretary Mineta to continue to focus on this critical program. We appreciate your leadership, and that of the Committee, for helping us achieve our goals and allowing us to share information that we feel is crucial to the protection of our Department’s information technology resources.

[1] For the purposes of this document, the term "Operating Administration (OA)" refers to the following 15 organizations: the Office of the Secretary (OST), the Bureau of Transportation Statistics (BTS), the Surface Transportation Board (STB), and the Transportation Administrative Service Center (TASC), plus 11 OAs, i.e., the Federal Aviation Administration (FAA), Federal Highway Administration (FHWA), Federal Motor Carrier Safety Administration (FMCSA), Federal Railroad Administration (FRA), Federal Transit Administration (FTA), Maritime Administration (MARAD), National Highway Traffic Safety Administration (NHTSA), Research and Special Programs Administration (RSPA), Saint Lawrence Seaway Development Corporation (SLSDC),