[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
NIST'S PHYSICAL SECURITY VULNERABILITIES:
A GAO UNDERCOVER REVIEW
=======================================================================
JOINT HEARING
BEFORE THE
SUBCOMMITTEE ON OVERSIGHT &
SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
October 11, 2017
__________
Serial No. 115-31
__________
Printed for the use of the Committee on Science, Space, and Technology
Available via the World Wide Web: http://science.house.gov
_________
U.S. GOVERNMENT PUBLISHING OFFICE
27-178 PDF WASHINGTON : 2018
____________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office
Internet: bookstore.gpo.gov
Phone: toll free (866) 512-1800; DC area (202) 512-1800
Fax: (202) 512-2104
Mail: Stop IDCC, Washington, DC 20402-0001
COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
HON. LAMAR S. SMITH, Texas, Chair
Majority
FRANK D. LUCAS, Oklahoma
DANA ROHRABACHER, California
MO BROOKS, Alabama
RANDY HULTGREN, Illinois
BILL POSEY, Florida
THOMAS MASSIE, Kentucky
JIM BRIDENSTINE, Oklahoma
RANDY K. WEBER, Texas
STEPHEN KNIGHT, California
BRIAN BABIN, Texas
BARBARA COMSTOCK, Virginia
GARY PALMER, Alabama
BARRY LOUDERMILK, Georgia
RALPH LEE ABRAHAM, Louisiana
DARIN LaHOOD, Illinois
DANIEL WEBSTER, Florida
JIM BANKS, Indiana
ANDY BIGGS, Arizona
ROGER W. MARSHALL, Kansas
NEAL P. DUNN, Florida
CLAY HIGGINS, Louisiana
Minority
EDDIE BERNICE JOHNSON, Texas
ZOE LOFGREN, California
DANIEL LIPINSKI, Illinois
SUZANNE BONAMICI, Oregon
ALAN GRAYSON, Florida
AMI BERA, California
ELIZABETH H. ESTY, Connecticut
MARC A. VEASEY, Texas
DONALD S. BEYER, JR., Virginia
JACKY ROSEN, Nevada
JERRY MCNERNEY, California
ED PERLMUTTER, Colorado
PAUL TONKO, New York
BILL FOSTER, Illinois
MARK TAKANO, California
COLLEEN HANABUSA, Hawaii
CHARLIE CRIST, Florida
------
Subcommittee on Oversight
HON. DARIN LaHOOD, Illinois, Chair
Majority
BILL POSEY, Florida
THOMAS MASSIE, Kentucky
GARY PALMER, Alabama
ROGER W. MARSHALL, Kansas
CLAY HIGGINS, Louisiana
LAMAR S. SMITH, Texas
Minority
DONALD S. BEYER, JR., Virginia, Ranking Member
JERRY MCNERNEY, California
ED PERLMUTTER, Colorado
EDDIE BERNICE JOHNSON, Texas
------
Subcommittee on Research and Technology
HON. BARBARA COMSTOCK, Virginia, Chair
Majority
FRANK D. LUCAS, Oklahoma
RANDY HULTGREN, Illinois
STEPHEN KNIGHT, California
DARIN LaHOOD, Illinois
RALPH LEE ABRAHAM, Louisiana
DANIEL WEBSTER, Florida
JIM BANKS, Indiana
ROGER W. MARSHALL, Kansas
LAMAR S. SMITH, Texas
Minority
DANIEL LIPINSKI, Illinois
ELIZABETH H. ESTY, Connecticut
JACKY ROSEN, Nevada
SUZANNE BONAMICI, Oregon
AMI BERA, California
DONALD S. BEYER, JR., Virginia
EDDIE BERNICE JOHNSON, Texas
C O N T E N T S
October 11, 2017
Page
Witness List..................................................... 2
Hearing Charter.................................................. 3
Opening Statements
Statement by Representative Darin LaHood, Chairman, Subcommittee
on Oversight, Committee on Science, Space, and Technology, U.S.
House of Representatives....................................... 4
Written Statement............................................ 8
Statement by Representative Donald S. Beyer, Jr., Ranking Member,
Subcommittee on Oversight, Committee on Science, Space, and
Technology, U.S. House of Representatives...................... 10
Written Statement............................................ 12
Statement by Representative Barbara Comstock, Chairwoman,
Subcommittee on Research and Technology, Committee on Science,
Space, and Technology, U.S. House of Representatives........... 14
Written Statement............................................ 16
Statement by Representative Daniel Lipinski, Ranking Member,
Subcommittee on Research and Technology, Committee on Science,
Space, and Technology, U.S. House of Representatives........... 18
Written Statement............................................ 19
Statement by Representative Lamar S. Smith, Chairman, Committee
on Science, Space, and Technology, U.S. House of
Representatives................................................ 20
Written Statement............................................ 21
Statement by Representative Eddie Bernice Johnson, Ranking
Member, Committee on Science, Space, and Technology, U.S. House
of Representatives............................................. 23
Written Statement............................................ 24
Witnesses:
Ms. Lisa Casias, Deputy Assistant Secretary for Administration at
U.S. Department of Commerce
Oral Statement............................................... 25
Written Statement (Joint statement with Dr. Kent Rochford)... 27
Dr. Kent Rochford, Acting Under Secretary of Commerce for
Standards and Technology and Acting Director at National
Institute of Standards and Technology
Oral Statement............................................... 34
Written Statement (Joint statement with Ms. Lisa Casias)..... 27
Mr. Seto Bagdoyan, Director, Audit Services at U.S. Government
Accountability Office
Oral Statement............................................... 35
Written Statement............................................ 38
Discussion....................................................... 50
Appendix I: Answers to Post-Hearing Questions
Ms. Lisa Casias, Deputy Assistant Secretary for Administration at
U.S. Department of Commerce, and Dr. Kent Rochford, Acting
Under Secretary of Commerce for Standards and Technology and
Acting Director at National Institute of Standards and
Technology..................................................... 70
Mr. Seto Bagdoyan, Director, Audit Services at U.S. Government
Accountability Office.......................................... 72
NIST'S PHYSICAL SECURITY VULNERABILITIES:
A GAO UNDERCOVER REVIEW
----------
Wednesday, October 11, 2017
House of Representatives,
Subcommittee on Oversight and
Subcommittee on Research and Technology
Committee on Science, Space, and Technology,
Washington, D.C.
The Subcommittees met, pursuant to call, at 10:14 a.m., in
Room 2318 of the Rayburn House Office Building, Hon. Darin
LaHood [Chairman of the Subcommittee on Oversight] presiding.
Chairman LaHood. The Subcommittee on Oversight and the
Subcommittee on Research and Technology will come to order.
Without objection, the Chair is authorized to declare
recesses of the Subcommittee at any time.
I want to welcome everyone to today's hearing titled
``NIST, the National Institute of Standards and Technology,
Physical Security Vulnerabilities: a GAO Undercover Review.'' I
have a few brief remarks before we move into opening
statements.
Committee Members and staff just viewed three short videos
produced by GAO. At the request of the Department of Commerce,
these videos have been labeled law enforcement sensitive, which
means the agency has determined that they contain sensitive but
not classified information. I remind Members that while they
may ask questions today concerning GAO's investigation,
witnesses may respond but there are answers that can only be
addressed in a closed, non-public setting. Please be mindful of
this fact here today.
I would like to instruct the witnesses to answer to the
best of their ability, but should an answer call for sensitive
information, it may be addressed when we move into executive
session at the end of the hearing.
We will now vote to authorize the Subcommittees to enter
into executive session at the end of the hearing.
The Clerk. Mr. LaHood.
Chairman LaHood. Pursuant to House Rule 11(g)(2), I move
that upon completion of all present members' questions under
the five minute rule, the remainder of the hearing be closed to
the public because the disclosure of the testimony to be heard
may compromise sensitive law enforcement information. The clerk
will call the roll.
The Clerk. Mr. LaHood?
Chairman LaHood. Yes.
The Clerk. Mr. LaHood votes aye.
Mrs. Comstock?
Mrs. Comstock. Aye.
The Clerk. Mrs. Comstock votes aye.
Mr. Lucas?
[No response.]
The Clerk. Mr. Hultgren?
[No response.]
The Clerk. Mr. Posey?
[No response.]
The Clerk. Mr. Massie?
[No response.]
The Clerk. Mr. Knight?
[No response.]
The Clerk. Mr. Loudermilk?
Mr. Loudermilk. Aye.
The Clerk. Mr. Loudermilk votes aye.
Mr. Abraham?
[No response.]
The Clerk. Mr. Webster?
[No response.]
The Clerk. Mr. Banks?
Mr. Banks. Aye.
The Clerk. Mr. Banks votes aye.
Mr. Marshall?
Mr. Marshall. Aye.
The Clerk. Mr. Marshall votes aye.
Mr. Higgins?
Mr. Higgins. Aye.
The Clerk. Mr. Higgins votes aye.
Mr. Norman?
Mr. Norman. Aye.
The Clerk. Mr. Norman votes aye.
Mr. Beyer?
Mr. Beyer. Aye.
The Clerk. Mr. Beyer votes aye.
Mr. Lipinski?
Mr. Lipinski. Aye.
The Clerk. Mr. Lipinski votes aye.
Ms. Bonamici?
Ms. Bonamici. Aye.
The Clerk. Ms. Bonamici votes aye.
Mr. Bera?
[No response.]
The Clerk. Ms. Esty?
Ms. Esty. Aye.
The Clerk. Ms. Esty votes aye.
Ms. Rosen?
[No response.]
The Clerk. Mr. McNerney?
Mr. McNerney. Aye.
The Clerk. Mr. McNerney votes aye.
Mr. Perlmutter?
[No response.]
The Clerk. Mr. Chairman, 12 Members voted aye. No Members
voted nay.
Mr. Perlmutter. Aye.
The Clerk. Mr. Perlmutter votes aye. Thirteen Members voted
aye. No Members voted nay.
Chairman LaHood. There being 13 ayes and zero nos, the
motion is agreed to.
Once Members have finished their questioning under the five
minute rule, the clerk will clear the room. Only Members of
Congress, their staff, and the witnesses may remain in the
hearing room.
At this time I recognize myself for five minutes for an
opening statement.
Again, good morning and welcome everyone to today's joint
subcommittee hearing titled ``NIST's Physical Security
Vulnerabilities: A GAO Undercover Review.''
Today we intend to discuss and evaluate GAO's report on its
assessment of the physical security program at NIST, the public
version of which is being released in conjunction with this
hearing. We will hear from GAO about the questions it sought to
answer in undertaking its assessment, as well as the methods it
used to assess the current physical security program at NIST.
We will also look at GAO's findings and the recommendations it
has made with respect to the physical security program, and the
steps NIST management must take to satisfy these
recommendations and fortify its physical security.
Finally, as part of today's hearing, we will examine
specific instances where physical security at NIST has failed,
specifically, an explosion that occurred in July 2015 at the
NIST campus in Gaithersburg, Maryland, which was caused by a
security officer's attempt to illegally manufacture
methamphetamine inside a NIST laboratory, and served as the
catalyst for the Committee's investigation of physical security
at NIST.
However, before we get to that discussion, in light of
transparency, I would like to describe briefly for the public
what occurred during the closed portion of today's hearing.
Prior to gaveling into this open session, Members of the
Committee examined video evidence of recent physical security
breaches at NIST campuses. These videos, captured as part of
GAO's covert vulnerability testing, reveal NIST employees
failing to adhere to established physical security policies.
One video in particular shows an undercover GAO agent
subverting detection by security personnel by employing very
basic espionage techniques. The evidence produced in these
videos shines a light on the porous nature of NIST's physical
security, and are particularly concerning to the Committee,
especially in light of the fact that the July 2015 meth lab
explosion served to put NIST on notice that its physical
security program was flawed.
While all of this is discussed in the sensitive version of
GAO's report, it is discussed only briefly in the public
version being released today, and while certain information is
undoubtedly sensitive and must remain concealed from those who
would use it for nefarious purposes, nothing I just explained
rises to that level. In fact, I believe that this information
is vital to ensuring that such breaches are prevented in the
future at NIST and other federal agencies.
Before concluding, I would like to focus briefly on some
positive aspects of GAO's report. Specifically, the report
indicates that the Commerce Department agreed with all of GAO's
recommendations, which is the first step toward implementation.
Additionally, the report emphasized that NIST has taken some
steps to further notify and improve its physical security
program. Specifically, GAO found that NIST management had three
independent assessments of its physical security program
conducted following the July 2015 incident, and that NIST has
current plans to implement new physical security policies and
procedures as the result of those assessments.
The work that NIST performs is extremely valuable to our
Nation. From development of the Cyber Framework to standards
used throughout industry and academia alike, NIST's work must
continue to thrive. In doing so, however, we must ensure the
safety and security of those endeavoring to carry out the NIST
mission, just as we must ensure the protection of physical and
intellectual assets entrusted to NIST's care.
I look forward to hearing from our witnesses about the
status of these new policies and procedures, steps taken toward
their implementation, and what NIST and the Department of
Commerce intend to do in order to carry out GAO's
recommendations.
[The prepared statement of Chairman LaHood follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman LaHood. I now recognize the Ranking Member, the
gentleman from Virginia, for his opening statement.
Mr. Beyer. Thank you very much, and thank you, Chairman
LaHood and Chairwoman Comstock for calling this meeting. Thanks
to all of you for being here.
The National Institute of Science and Standards and
Technology is a vital federal science agency that for more than
a hundred years has helped push American innovation in areas as
diverse as computer chips, nanoscale devices, the smart
electric power grid, and earthquake-resistant skyscrapers. The
advanced technologies being developed and pioneering research
being conducted at NIST makes security of its facilities and
technologies critically important.
Unfortunately, security at NIST at both the Gaithersburg,
Maryland, and Boulder, Colorado, campuses has been a struggle.
As Chairman LaHood pointed out, in July 2015, a NIST police
officer attempting to brew methamphetamine in a little-used
laboratory on the Gaithersburg campus was injured in an
explosion. He was subsequently arrested, fired, and is
currently serving a 41-month prison sentence. In April 2016, a
non-NIST employee gained access to a secure lab on NIST's
Boulder, Colorado, campus. In May 2017, a paraglider landed on
the grounds of the Colorado campus, and in June 2017 a member
of NIST's police force was arrested and charged with first- and
second-degree assault by the Frederick County Sheriff's
Department in Maryland.
Today, we'll discuss the GAO's recent security review at
both campuses, and this showed significant issues with NIST's
security structure, operating procedures, and performance.
Security awareness training for NIST employees should be
increased, and the agency's guard force must improve their
attentiveness to potential threats, the effectiveness of NIST's
security procedures must be thoroughly assessed, and a
comprehensive communication strategy that can help identify and
resolve potential security threats should be implemented.
My biggest concern regarding security at NIST is the
security structure. It's fragmented, inefficient and in some
cases inadequate. The Department of Commerce oversees the
security personnel at NIST who implement physical security
policies, for example, while NIST manages access control
technologies and other physical security countermeasures. This
security structure violates best practice for security, which
calls for centrally managing physical security assets and
operations. Without a cohesive organizational structure, it
seems inevitable that gaps in security will continue to emerge,
and the management of NIST's security will be inefficient and
potentially ineffective.
GAO in its review pointed out further problems with NIST
security management that we'll hear about, but it's also worth
noting the positive stuff, that NIST has made positive
commitment to improving security. Seventy-five percent of NIST
staff surveyed by GAO believed that NIST's leadership places a
great or very great importance on security issues, and this
commitment to security is really encouraging, but I expect the
leadership at the Department of Commerce and NIST to work
together to fully and quickly address the issues outlined.
You know, the science and technology research and programs
carried out at NIST helps U.S. businesses grow, it strengthens
the U.S. economy, and expands our scientific and technical
knowledge. So we in Congress and the public expect NIST to not
only protect their vital resources, and in some cases hazardous
materials, from potential threats, but also to protect NIST's
employees, visiting scientists and others from physical
security risks.
I'd like to point out that the Acting Director, Dr. Kent
Rochford, only stepped into this role in January, so thank you
for being here today and helping tell us how you plan to
address these issues.
And finally, I'd like to note my disappointment, the
disappointment of our Minority team with the Department of
Commerce and NIST for their late submittal of the testimony
less than 24 hours ago, despite a 48-hour deadline. And both
Majority and Minority I think were surprised that the joint
written testimony came from both Commerce and NIST, and perhaps
you can talk about that in your testimony.
So Chairman LaHood, thank you very much for calling this
meeting. Thank you to all of our witnesses, and we look forward
to a productive meeting.
[The prepared statement of Mr. Beyer follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman LaHood. Thank you, Mr. Beyer.
I now recognize the Chairwoman of the Research and
Technology Subcommittee, Ms. Comstock, for her opening
statement.
Mrs. Comstock. Thank you, Mr. Chairman.
This Committee has a strong record of bipartisan support
for the National Institute of Standards and Technology (NIST).
NIST promotes U.S. innovation and competitiveness by advancing
measurement science, standards, and technology.
Today, we will be discussing a handful of dangerous
physical security breaches at NIST's two campuses in
Gaithersburg, Maryland, and Boulder, Colorado. Unfortunately,
this isn't the first hearing we have held on this subject, but
we certainly hope that it will be the last and certainly hope
we can identify how can we move forward on improvements.
Lack of security at NIST facilities is a direct, serious
threat to the safety and well-being of thousands of federal
workers, a steady stream of scientists and technologists who
visit NIST facilities every day, and sizable populations of
people who live and work near the NIST facilities.
NIST's campus security has been a growing concern of the
Committee since the July 2015 explosion at NIST's Gaithersburg
facility, which revealed a NIST police officer, a former acting
chief of NIST police, was operating an illegal meth lab at a
NIST building. This event was the catalyst for bringing to
light other security breaches at the Gaithersburg campus. Not
quite one year later, in April 2016, another, no less serious
incident occurred in Boulder, Colorado. A man without
identification walked onto the NIST campus and was able to
enter a building and laboratory where hazardous chemicals were
stored. Fortunately, this man wasn't intent on playing around
with laboratory chemicals and equipment or causing other
damage. He instead roamed about the building and made himself
at home.
Fortunately, the meth lab at the NIST Gaithersburg campus
exploded on a weekend evening, not that it's fortunate but at
least it was a weekend when NIST staff and visitors weren't
there. But luck does run out.
We are going to hear this morning from NIST and Department
of Commerce witnesses who will describe steps that were taken
to shore up physical security after these two incidents. We are
also going to hear about the results of a GAO investigation
conducted at our Committee's request, which reveals that there
are still serious, unaddressed security problems at NIST's
Maryland and Colorado facilities. What we are going to hear
today from GAO is serious enough that the Department may not
allow certain details to be included in the public record.
NIST must learn from its past and do its best to ensure
proper security is implemented, and obviously we all here in
the Committee want to make sure that's the case. This is
critical for the safety of NIST campuses, its employees,
visitors, and the surrounding community.
It is also important not to jeopardize NIST's mission to
promote U.S. innovation and industrial competitiveness.
Physical insecurity at NIST's two locations obviously
jeopardizes the important work done by the agency. Even more
important, what seems to be huge, unfixed holes in security
threaten the safety and well-being of approximately 3,000 NIST
employees, 3,500 visiting professionals government agencies.
The safety of our people should be the number-one concern.
Safety is certainly the number-one concern for this Committee.
I trust this hearing today will mark the end of the
measures that haven't been successful and the beginning of
swift, uncompromising action by NIST and the Department of
Commerce.
Thank you.
[The prepared statement of Mrs. Comstock follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman LaHood. Thank you, Chairwoman Comstock.
I now recognize the Ranking Member of the Research and
Technology Subcommittee, Mr. Lipinski, for his opening
statement.
Mr. Lipinski. I'll start by also thanking Chairman LaHood,
Chairwoman Comstock, Chairman Smith for calling this hearing,
and thank the witnesses for being here. I'll keep this brief as
my colleagues have stated many of the issues and concerns that
I also have.
The National Institute of Standards and Technology is a
national treasure. I know of no other agency that has such a
widespread impact with so modest a budget: Nobel Prize-winning
research, leadership standards development benefiting every
sector of our economy, acceleration of advanced manufacturing
on U.S. shores, and improvement of cybersecurity in both the
government and the private sector. NIST's leadership in
measurement science and their work in cybersecurity and so many
other important areas of technology is unimpeachable.
Today, however, we will learn in some detail about how NIST
has not applied the same rigor and discipline to the physical
security of its facilities. A new report from GAO, being
released with this hearing, identifies several weaknesses in
NIST's policies and procedures for physical security. The GAO
report further discusses the challenges caused by the
fragmentation of oversight of NIST security between NIST and
its parent agency, the Department of Commerce. GAO makes a
number of recommendations to both NIST and Commerce on how to
improve physical security on the two NIST campuses in
Gaithersburg, Maryland, and Boulder, Colorado. Those
recommendations are not prescriptive; rather they lay out or
reference a clear process for the development of action plans
and timetables to address each identified weakness in current
policies and procedures.
While it is premature to ask NIST and Commerce for detailed
plans, I expect to hear from them today how they plan to
proceed in addressing each of GAO's recommendations, and what
steps they have already taken.
I want to thank each of the witnesses for being here this
morning. This hearing is not as fun for anyone as the science-
and-technology-focused hearings that we're more used to in the
Research and Technology Subcommittee, but it is certainly no
less important. I take our oversight responsibilities
seriously, and I believe the agencies before us take their
security seriously. I look forward to learning more about the
agencies' security plans going forward.
I yield back the balance of my time.
[The prepared statement of Mr. Lipinski follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman LaHood. Thank you, Mr. Lipinski.
I now recognize the Chairman of the full Committee, Mr.
Smith, for his opening statement.
Chairman Smith. Thank you, Mr. Chairman.
The GAO conducted a comprehensive review of NIST's physical
security posture. They used covert tactics and they found
gaping holes in the agency's ability to protect their campuses.
Undercover agents succeeded in breaching numerous checkpoints.
Today, I want to thank the GAO for their work. Their
findings are alarming and confirmed our worst suspicions: NIST
campuses are sieves.
On July 22, 2015, this Committee launched an investigation
of NIST's security in the wake of chemical--of a chemical
explosion and fire at the Gaithersburg, Maryland, campus. On
July 18, 2015, the acting chief of the police services group,
or ``PSG,'' attempted to manufacture the illegal drug meth in
one of NIST vacant laboratories. The local Gaithersburg,
Maryland, police and fire departments responded to the scene
and began a criminal investigation.
On January 7, 2016, this high-ranking PSG officer was
sentenced to three and a half years in jail for manufacturing
meth. Slowly we learned this was only the tip of the iceberg.
According to a July 2016 Department of Commerce Office of
Inspector General's report, the very officer who caused the
explosion on NIST's campus also had committed time and
attendance fraud by claiming hours that he did not actually
work. He was not the only officer engaged in this misconduct.
The final straw for the Committee was the April 2016
incident in Boulder, Colorado, where an unknown individual was
found wandering in a NIST building. After this incident, we
contacted GAO and asked them to investigate. While law
enforcement personnel has stepped in and handled many of these
incidents, and the GAO has disclosed their findings to the
Department and NIST, I'm not convinced that NIST will actually
achieve the necessary goal: a secure NIST compound at
Gaithersburg and Boulder.
GAO, as I understand it, remains concerned that the Police
Services Group and the security structure within NIST has not
received proper scrutiny, a concern that is bolstered by the
revelation that GAO agents successfully penetrated NIST
campuses in 15 out of 15 attempts during their covert
vulnerability testing. By the way, that is just incredible: 15
out of 15. Not much security there.
Now we have a new Administration in place, a pending
nominee for NIST Director, and GAO's recommendations, I urge
NIST and the Department to work together for comprehensive
security reform.
Thank you, Mr. Chairman. I'll yield back.
[The prepared statement of Chairman Smith follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman LaHood. Thank you, Chairman Smith.
I now yield to the Ranking Member of the full Committee,
Ms. Johnson, for her opening statement.
Ms. Johnson. Thank you, Mr. Chairman.
Thank you very much, Mr. Chairman, and good morning.
Welcome to our witnesses. I'd like to thank you and Chairman
Comstock for holding this important hearing on the state of
physical security at the National Institute of Standards and
Technology (NIST).
NIST has had a number of serious problems with physical
security in recent years. A rogue NIST police officer injured
himself and damaged a NIST building in Gaithersburg while
attempting to manufacture methamphetamines.
Additionally, there was a troubling incident of an
unauthorized individual wandering around a supposedly secure
building at the NIST Boulder campus.
These events spurred the Department of Commerce and NIST to
review NIST's security practices and attempt to improve
physical security at the NIST facilities. NIST requested
independent assessments and developed an Action Plan based on
those assessments.
Under the current Acting Director, Dr. Rochford, NIST has
continued to focus on improving its security culture. While
there may have been improvements to NIST's security culture,
there appears to be plenty of room for additional improvements.
We learned from GAO's just-released report that the GAO
agents were recently able to gain unauthorized access to areas
of both the Gaithersburg, Maryland, and Boulder, Colorado, NIST
campuses. It is particularly troubling that GAO's efforts were
so successful even after NIST had taken steps to improve
security. I look forward to hearing today from Acting Director
Rochford about how NIST plans to respond to the GAO
recommendations, including specific corrective actions and
approximate timelines for improving and implementing those
actions. I look forward to hearing from Ms. Casias about the
Department of Commerce's plan to address the bifurcated
organizational structure of NIST physical security programs. I
would also like to know what actions the Department of Commerce
plans to take to ensure NIST security services operate at
maximum effectiveness.
The protection of federal facilities, employees,
contractors, and guests is of the utmost concern to me and this
Committee. NIST specifically has valuable research and
technology that must be protected as well. I look forward to
hearing from our witnesses about how NIST security services can
better meet its mission.
I thank you, and yield back.
[The prepared statement of Ms. Johnson follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman LaHood. Thank you, Ms. Johnson.
Let me now introduce our witnesses. Our first witness today
is Ms. Lisa Casias, Deputy Assistant Secretary for
Administration at the Department of Commerce. She previously
served as the Deputy Chief Financial Officer and Director for
Financial Management at the Department. Ms. Casias received her
bachelor's of business administration in public accounting from
Pace University.
Our second witness today is Dr. Kent Rochford, Acting Under
Secretary of Commerce for Standards and Technology, and Acting
Director of the National Institute of Standards and Technology
(NIST). He previously served as the Director of NIST Boulder
Labs and Communications Technology Laboratory headquartered in
Boulder, Colorado. Dr. Rochford received his bachelor's degree
in electrical engineering at Arizona State University, his MBA
from the University of Colorado, and his Ph.D. in optical
sciences from the University of Arizona.
Our third witness is Mr. Seto Bagdoyan, Director of
Forensic Audits at the U.S. Government Office--Accountability
Office (GAO). Mr. Bagdoyan has previously served as the GAO
Acting Director for Strategic Issues and as the Assistant
Director for Congressional Relations at GAO. Mr. Bagdoyan
received his bachelor's degree in international relations and
economics from Claremont McKenna College and his MBA in
strategy from Pepperdine University.
I now recognize Ms. Casias for five minutes to present her
testimony.
TESTIMONY OF MS. LISA CASIAS,
DEPUTY ASSISTANT SECRETARY
FOR ADMINISTRATION AT
U.S. DEPARTMENT OF COMMERCE
Ms. Casias. Thank you, Chairman LaHood, Ranking Member
Beyer, Chairman Comstock, Ranking Member Lipinski, and
distinguished members of the Subcommittees.
I am Lisa Casias, the Deputy Assistant Secretary for
Administration at the U.S. Department of Commerce. In this
role, I oversee the Department's Office of Security and its
functions and personnel. I appreciate the opportunity to appear
before you today to discuss the Department's response to the
Government Accountability Office report titled ``Physical
Security: NIST and Commerce Need to Complete Efforts to Address
Persistent Challenges.''
Let me first thank GAO for its important work, which we
will use to help strengthen security at NIST. I want the
Committee to know that the Department of Commerce shares the
GAO's and this Committee's concerns about physical security at
NIST. The Department is proud of NIST's mission to promote U.S.
innovation and industrial competitiveness through advancing
measurement science, standards, and technologies in ways that
enhance economic security and improve our quality of life.
However, our highest priority is the safety of all of our
staff, guest workers, and visitors. We have carefully reviewed
the draft report, and I can tell you that the findings revealed
shortcomings that are absolutely unacceptable, and I know that
Dr. Rochford agrees. We take the GAO's findings seriously, and
both the Department and NIST have agreed with all of the
recommendations set forth in the report. NIST and the
Department have already taken a number of steps to address the
concerns raised in the report, and we are together planning
more actions in the near and long term to close the gaps in
security identified in the report.
For example, the Department's Office of Security has
already implemented a requirement that all security specialists
conducting facility security assessments be certified in
Interagency Security Committee Risk Management Process, or
``RMP standard.'' To date, 19 of our security specialist staff
have successfully completed the ISC's RMP standard training and
all security specialists will be trained in early fiscal year
2018. We have also scheduled new facility security assessments
using those trained personnel at both campuses this fiscal
year.
Additionally, OSY has completed a draft chapter for the
Department's Manual for Security Policies and Procedures that
will align the Department's Risk Management Plan with the
ISC's RMP standard. This chapter is currently in the review
process within the Department. In addition to aligning the
Department's Risk Management Plan with ISC's RMP standard, this
update incorporates all the recommended elements from the GAO
report related to campus facility Security Committee's risk
decision documentation and alternative countermeasure
recommendations.
We are also, as the GAO has recommended, reviewing the
security structure at NIST. This review involves all aspects of
the relationship between OSY and NIST related to personnel
assets and security, and as part of a coordinated effort
between the Department and NIST to determine the best approach.
While there is no one-size-fits-all standard, we are reviewing
all options available to us. These are only a few of the
actions we have taken and are taking to ensure our campuses and
facilities are secure and safe for our employees, guests, and
others.
I wanted to reiterate my appreciation to GAO for their
thoughtful and thorough report. The Secretary and the
Department are committed to ensuring that our actions in
response to it are appropriate, effective, and correct. The
security and safety of all of NIST's and the Department's
employees are of paramount importance to all of us.
Thank you for this opportunity to address the report, and I
look forward to answering your questions.
[The prepared statement of Ms. Casias and Dr. Kent Rochford
follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman LaHood. Thank you.
Dr. Rochford.
TESTIMONY OF DR. KENT ROCHFORD,
ACTING UNDER SECRETARY OF COMMERCE
FOR STANDARDS AND TECHNOLOGY AND
ACTING DIRECTOR AT NATIONAL INSTITUTE
OF STANDARDS AND TECHNOLOGY
Dr. Rochford. Chairman LaHood, Ranking Member Beyer,
Chairwoman Comstock, Ranking Member Lipinski, and members of
the Subcommittee, I'm Kent Rochford, the Acting Under Secretary
of Commerce for Standards and Technology, and the Acting
Director of the National Institute of Standards and Technology,
or ``NIST.'' Thank you for the opportunity to appear before you
today to discuss NIST's and the Department's response to the
recently released report by the GAO on physical security at
NIST.
I share the Subcommittees' concerns about physical security
at our campuses, and I thank you for your comments. I also
appreciate your kind words about our programmatic successes, so
thank you for that.
I also appreciate the Subcommittees' support of NIST's
efforts to improve our security practices and to fully
implement the recommendations in the report, with which we
agree. NIST and the Department of Commerce are working to
foster a positive security culture at both of our campuses, and
the written testimony outlines the steps that we've already
taken or plan to take to improve NIST's security posture and
ensure the successful implementation of the report's
recommendations.
The world-class research conducted at NIST needs world-
class facilities to conduct that mission, but just as
important, NIST needs robust, consistent adherence to standards
for safety and physical security to ensure our people work in a
safe environment and that our assets are protected. I am
committed to working with our partners at the Department to
achieve this goal.
As the Acting Director, it's my job to ensure the safety
and security of our personnel, facilities, property,
information, and assets, and I take that responsibility very
seriously, and that's why we are working together with the
Department's Office of Security to ensure the security of NIST
staff, that my co-workers, can work safely and securely, and
for establishing local campus security procedures designed to
protect NIST assets.
Moreover, NIST continues to work with the Department's
Office of Security to strengthen the security culture at NIST.
The GAO notes that we have already had some success but we also
acknowledge there is still more work to be done. The GAO's
report made four recommendations. NIST and the Department agree
with the full extent of these recommendations.
Upon becoming Acting Director in January of this year, one
of my first actions was to build on the foundational work
started by Dr. May and the Department's Office of Security and
prioritize our activities through a Security Sprint. I
considered it critically important to take the existing
information we had, the knowledge we'd gained during the
previous year, and prioritize our activities to move forward
with implementation plans.
The GAO pointed out the importance of improved
communication with staff concerning physical security
requirements, and what should be expected of each employee.
NIST agrees, and we have taken steps to improve our internal
communications. We've developed an improved set of security
requirements designed to provide an unambiguous understanding
of the security responsibilities of all individuals who work at
NIST.
Last month, I met with senior NIST leadership and the
Department's Office of Security to ensure that these
requirements and expectations were fully understood. This
afternoon, we will meet with the full complement of NIST
management and supervisors to ensure that these security
requirements and expectations are fully understood by all NIST
leaders. And following that, I will hold all-staff meetings to
roll out these responsibilities and expectations and training
requirements that all staff must meet.
I also initiated the inclusion of a security element in
all-employee performance plans for this fiscal year, ensuring
that security is afforded the same high level of importance in
one's job performance as other elements. My intent is to work
with OSY to drive a change towards a positive security culture.
These efforts and others will help drive that change.
Mr. Chairman, NIST has a history of tackling tough problems
from research challenges like developing the world's most
atomic clock to internal challenges such as addressing our
safety culture. The dedicated people at NIST have committed
themselves to working toward a common goal of achieving NIST's
mission. We along with OSY are now in the midst of such an
effort for physical security. I appreciate the Subcommittees'
interest in our ongoing work to improve the physical security
of our campuses, and I welcome your questions. Thank you.
Chairman LaHood. Thank you, Dr. Rochford.
Now we'll move to our third witness, Mr. Bagdoyan.
TESTIMONY OF MR. SETO BAGDOYAN, DIRECTOR,
AUDIT SERVICES AT U.S. GOVERNMENT
ACCOUNTABILITY OFFICE
Mr. Bagdoyan. Thank you, Mr. Chairman. Chairman Smith,
Ranking Member Johnson, Chairman LaHood, Chairwoman Comstock,
Ranking Members Lipinski and Beyer, and members of the
Subcommittees, I'm pleased to appear before you today to
discuss GAO's October 2017 report on NIST's physical security
program. In recent years, incidents at each of its campuses in
Gaithersburg and Boulder have raised questions about security
vulnerabilities and NIST's ability to secure its facilities and
the human, physical, and intellectual capital assets.
In fiscal year 2017, NIST spent over $600 million on its
campus laboratories that perform vital work in measurements,
calibrations, and quality assurance techniques that help
underpin much of U.S. commerce. Accordingly, this morning I'll
highlight three of our principal takeaways regarding NIST's
security at its campuses.
First, we found that efforts to transform the physical
security program at NIST have incorporated some key practices,
particularly with regard to leadership commitment to
organizational change. For example, though assessments in 2015
found issues with NIST's security culture, we estimate that
about 75 percent of personnel we recently surveyed believe that
NIST leadership places great or very great importance on
security issues. However, our agents gained unauthorized access
to various areas at NIST campuses in Gaithersburg and Boulder.
We can provide details about our unauthorized access efforts
and certain survey results only during a closed session of this
hearing.
Additionally, our survey results showed personnel awareness
about security responsibilities varied, in part because of the
limited effectiveness of NIST's security-related communication
efforts. By incorporating elements of key practices including a
comprehensive communications strategy, interim milestone dates
to measure progress, and measures to assess effectiveness, NIST
will be in a better position to address the security
vulnerabilities caused by the varied levels of security
awareness among employees.
Second, management of NIST's physical security program is
split between Commerce and NIST. This is inconsistent with the
federal Interagency Security Committee's physical security best
practices, which encourage agencies to centrally manage
physical security. Commerce is responsible for overseeing
personnel who implement physical security policies while NIST
manages physical security countermeasures such as access
control technology leading to fragmentation in
responsibilities.
Before implementing the current organizational structure in
October of 2015, neither Commerce nor NIST assessed whether it
was the most appropriate way to fulfill NIST's physical
security responsibilities. Without evaluating management
options, the current organizational structure may be creating
unnecessary inefficiencies, thereby inhibiting the
effectiveness of the security program overall.
Third, to help federal agencies protect and assess risks to
their facilities, ISC developed a Risk Management Process
standard, also known as the ``RMP standard,'' with which
federal agencies including Commerce generally must comply.
Commerce and NIST most recently completed risk management steps
for NIST campuses in 2015 and 2017 but we found that their
efforts did not fully align with the standard. Neither Commerce
nor NIST used a sound risk assessment methodology, fully
documented key risk management decisions or appropriately
involved stakeholders, partly because these requirements were
not in existing policy.
Further, we found that Commerce and NIST had overlapping
risk management activities potentially leading to unnecessary
duplication. According to officials, Commerce and NIST are
separately drafting new risk management policies without
ensuring that, one, these policies align with the RMP
standard, and two, that NIST policy contains a formal mechanism
to coordinate with Commerce. Future risk management activities
may be limited in their usefulness and potentially duplicative.
In closing, I'd underscore that it is essential for
Commerce and NIST to place a high policy and operational
priority on deploying preventative security controls to help
mitigate the vulnerabilities we identified. Otherwise, should
these vulnerabilities be exploited, NIST's human, physical, and
intellectual capital will remain at risk. Fully and timely
implementing our report's four recommendations in addition to
any other actions Commerce and NIST are taking independently
would be vital in this regard. To its credit, as both witnesses
from Commerce have mentioned, the Department has agreed to
implement all of our recommendations.
Chairman LaHood, Chairwoman Comstock, Chairman Smith, and
Ranking Member Johnson, this concludes my remarks. I look
forward to the Subcommittees' questions.
[The prepared statement of Mr. Bagdoyan follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman LaHood. Thank you, Mr. Bagdoyan, and I want to
thank all the witnesses for your valuable testimony here today.
The Chair recognizes myself for five minutes of
questioning.
I guess I want to first start off and say that I've had the
opportunity to watch the three videos a couple times now, and
watching them and observing them, my reaction is disturbing,
alarming, particularly when you think about the work that goes
on at the NIST campus in Boulder and in Gaithersburg, the
sensitive work, the strategic work, the proprietary nature of
what goes on at these facilities, much of what relates to
national security, and so when I think about what procedures
are being put in place now, I'm anxious to hear today those,
and Mr. Bagdoyan, I was going to start with you.
After learning of the incident involving the meth lab in
2015, you would think that there would be measures put in place
that would prevent something like that or vulnerabilities from
occurring. Today after hearing what steps have been implemented
in your recommendations, what can you tell us to assure the
public that these vulnerabilities have been taken care of? And
then secondly, are you confident that if you were to do another
undercover operation in the next month here, that those would
fail?
Mr. Bagdoyan. Mr. Chairman, thank you for your questions.
I'll take the first one obviously first.
Based on what Dr. Rochford and Ms. Casias have mentioned, I
think they are taking this seriously. That's good to know, and
we look forward to receiving more details about what they plan
on doing in response not only to our recommendations but also
the incident you mentioned. There's going to be a long-term
effort. I think what they both described are promising first
steps. We are probably playing a long game here in terms of
getting things done. So that would be for the first question.
The second question, it would definitely be speculative on
my part to say whether or not anything that would be put in
place would work, so I'll defer answering that one.
Chairman LaHood. And what about reassurances that you can
give to the public that this has been remedied?
Mr. Bagdoyan. Well, I can't say that it has been remedied.
As I mentioned, these are first steps. They are promising. They
are in the right direction. I'll hold the witnesses to their
word that they are taking this seriously. They both outline
various steps that they are taking. Management attention and
priority is key, as Dr. Rochford mentioned. Training is an
absolute must. To have a security culture, you have to train
your people to take it seriously. So that would be my answer.
Chairman LaHood. Thank you.
Dr. Rochford, similar to you, give us your assessment on
what reassurances you can give to the American people here
today that you've taken these recommendations into account and
that you're implementing them and that the vulnerabilities are
no longer there.
Dr. Rochford. I agree with the Committee that these
breaches are unacceptable, and I do share your very, very deep
concern. I also agree with my colleague from GAO. This is going
to require a culture change. We have the responsibility--I have
the responsibility for keeping NIST staff safe and secure, and
we have a responsibility, as you noted, to secure the
substantial investment that the taxpayers have made to build
NIST what it is today.
This breach, I agree, demonstrates the need for clear
requirements, clear training, greater accountability, and we
are undertaking all those steps.
Last month, I met with all senior leadership for a two hour
security summit where we described the needs for
accountability. Today, later today, I actually meet with all
managers at NIST, and then we're going to have all-hands-staff
security summits on both campuses that I will personally lead.
We've developed training, and we'll have mandatory training,
for all 3,500 and the several thousand associates. So I do
agree, this is a bit of a long game. It's going to take time to
have all this training done. But we will do it, and then I will
personally ensure that the training is taken, and we will
consider taking measures so we can understand the impact and
the improvement in our security culture.
As mentioned, we did undertake a Security Sprint that has
developed a number of prioritized activities, some of which I
can mention here, some we can discuss in closed session, but we
do have an action plan to address a number of issues at NIST.
Chairman LaHood. Can you talk a little bit about what you
just mentioned there?
Dr. Rochford. The Security Sprint?
Chairman LaHood. Yes.
Dr. Rochford. What it did is, it certainly pointed out that
we have a leadership issue. Culture is driven by leadership,
and I need to take that responsibility to change the culture.
So we are developing training. We have what we call baseline
requirements, which will be our first training set. We then
have additional training for things like criminal behavior,
action plans, training for active shooter, other potential
security issues. We have work where we're going to develop a
Security Advisory Board. We're going to have an executive
security committee so we can engage leadership on programmatic
changes to ensure the culture sticks. We've taken some specific
engineering and access controls that I can talk about in closed
session, perhaps. We have a range of activities that we'll be
undertaking over the year.
When the new confirmed NIST Director is on the job and
starts, one of my first actions is my intent to brief him on
these issues, show him the plans that we've undertaken, and
with his permission continue these actions.
Chairman LaHood. Thank you, Dr. Rochford.
I now recognize Mr. Beyer for his questions.
Mr. Beyer. Thank you, Chairman LaHood, very much.
Mr. Bagdoyan, in the GAO report you write about the
fragmented approach to security, which as a person interested
in management and leadership for a long time, seems pretty
nonsensical, too many cooks in the kitchen. You've got big
Commerce responsible for the outside piece, NIST responsible
for the cameras and the locks, and how did this divided
approach come about and what can we do to fix it?
Mr. Bagdoyan. Thank you for your question, Mr. Beyer. I
think in the first part, it originated back in late 2015, I
believe, once NIST received, or Commerce received delegated
authority for NIST police to act as federal law enforcement
agents. So that was delegated by the Federal Protective
Service. And then in 2017, the American Innovation and
Competitiveness Act essentially directed Commerce to have an
overall role in setting security policy and practice but also
NIST maintained its ability to perform its security-related
duties as it saw fit consistent with its culture that it was
trying to build at that time. So in a very high level, that's
the origin of the split.
I would agree with you that having a split situation like
this is not really consistent with best practice according to
federal standards, and it does lead to inefficiencies,
especially when the two parties really don't coordinate or
collaborate. Sometimes it's fine to have two distinct streams
of oversight over a major program like this, but if they don't
talk with each other, they end up doing separate risk
assessments and so forth. That is definitively
counterproductive and hinders effectiveness overall.
Mr. Beyer. In your perception, we'd probably need to amend
that Act in order to be able to centralize the security?
Mr. Bagdoyan. Well, that certainly would be one option.
That would be up to Congress. It's certainly not for me to
prescribe but I think in the past it has been noted that in
order to fix this, I believe one of the assessments that NIST
did pointed out that the only remedy was a statutory fix. On
the other hand, we know of no plans to pursue such a fix at the
Department level.
Mr. Beyer. Very good. Thanks.
Dr. Rochford, I was in an embassy overseas for four years,
and every night the Marines would go office to office and look
at the stuff on everyone's desk, and if somebody had classified
material out, there was a report the next morning, and the
very--and no one wanted to have a report which came back to
Washington. Is there any reporting program like that at Boulder
or in Gaithersburg, where it's a guard who lets somebody in who
shouldn't have been let in with a bad badge or papers left out
on desks that shouldn't have been let out?
Dr. Rochford. We do have incident reporting on both
campuses that then bubble up through our police staff, which
are managed by OSY to the Director's office. For example, I
know that in Boulder, the doors are checked nightly and they
provide a report of any issues that then can be addressed
either through maintenance or through personnel action.
Mr. Beyer. When you mentioned that you built security into
the employee performance plans----
Dr. Rochford. Yes.
Mr. Beyer. --is this tied to incident reporting then?
Dr. Rochford. Right now it addresses the baseline security
requirements. The baseline security requirements do address
reporting incidents of tailgating, piggybacking, things of that
nature.
Mr. Beyer. Have you figured out a way to keep paragliders
from landing on your campuses?
Dr. Rochford. That might have some technology solutions
that we've not addressed.
Mr. Beyer. And Ms. Casias, in your oversight role, do you
envision a way for you at OSY to be able to provide the
necessary oversight of the security that NIST provides without
necessarily having to own half of it directly?
Ms. Casias. Congressman, we recognize, and Dr. Rochford and
I have talked about this, we recognize that the security
management structure does require some evaluation, and we agree
with GAO. We've accepted their recommendation. So I think we do
have work in that area. We've already started some steps. We've
identified executive sponsors, myself and Dell Brocket, the
Associate Director for Management Resources at NIST. We'll lead
that endeavor. We've selected internal teams. We're also
looking at using outside security experts such as folks from
the ISC to help us in that matter. In our review, we'll be
looking at roles, responsibility and accountability and how
that impacts security.
So I think there's a mix. There's not one-size-fits-all,
and we know that the Boulder campus is different from the
Gaithersburg campus, so we will be working jointly but we do
agree that this is an item that we do need to look at and is a
serious item that needs attention immediately.
Mr. Beyer. Thank you, Mr. Chairman.
Chairman LaHood. Thank you, Mr. Beyer.
I now recognize the Chairman of the full Committee, Mr.
Smith, for his questions.
Chairman Smith. Thank you, Mr. Chairman.
Mr. Bagdoyan, let me address my first question to you, and
that is, how much confidence do you have that the GAO's
recommendations will be implemented by NIST?
Mr. Bagdoyan. Good question. I really believe this. I am
confident that based on what I've heard this morning certainly
in its official response to our draft report that Commerce and
NIST are taking this seriously and they'll take the necessary
action.
Chairman Smith. I mentioned in my opening statement that
unauthorized access was attempted by the GAO at both campuses
15 times, and 15 times they were successful. It just seems
incredible that that would be the case, but to what do you
attribute that other than just lax security? And is there any
excuse for that? I don't know where to----
Mr. Bagdoyan. I take your point, Mr. Chairman. I'll
probably be best served to respond to that in a closed session.
Chairman Smith. And as I understand it, it's the Department
of Commerce that came up with the designation ``law enforcement
sensitive.'' Is that right?
Mr. Bagdoyan. That's correct. They are the marking agency
in this case.
Chairman Smith. Ms. Casias, I'd like to ask you about that
designation, ``law enforcement sensitive.'' Why did you choose
to apply that to the three videos that members saw in closed
session before we opened it up for this hearing?
Ms. Casias. We believe in viewing the videos, which I have
viewed and so has Dr. Rochford, that there are security
vulnerabilities that other folks could look at and use those
vulnerabilities within our facilities or other federal
facilities. In addition, I'd be more than happy in any closed
session that we could get into that in a little more detail
so----
Chairman Smith. What is the definition of ``law enforcement
sensitive''?
Ms. Casias. The definition is that it's the sensitivity if
that came out would cause some issues with security within our
campuses.
Chairman Smith. Okay. Can you give me--do you happen to
have the exact definition with you?
Ms. Casias. I do not have that with me but I can get that
for you.
Chairman Smith. If you can get that fairly quickly, that
would be helpful.
My suspicion is that you all may be overly cautious. Having
seen the videos, they're pretty obvious as to what might cause
breaches and what did cause breaches in this case, and I don't
think it's revealing much to acknowledge that. In fact, it may
even be helpful. So I'd like to see the exact definition and
see what the rationale was for applying it in these cases.
Ms. Casias. Absolutely.
Chairman Smith. And I might even ask you to go back and
take another look because while you want to err on the side of
caution, you also don't want to prevent information that can
and should be seen by others from being considered by others as
well.
Let me go to Director Rochford and ask you a couple
questions to the extent that you can answer them, and that is,
just generally what can be done to prevent some of these
unauthorized accesses? I know you responded to the Chairman
generally. If you want to elaborate on that, I think that would
be helpful.
Dr. Rochford. So if we're talking about the specifics in
the video, I mean, generally, we see security as a layered
approach so we need to have both improved training and
improvement in our security force that does their checks, but
the other layer is the employees, and part of what I need to do
is make sure that NIST staff have a much greater awareness
about these concerns, know at some level how these things can
be spoofed, for example, and through training and I think this
awareness, we can have them also do a better job of making the
appropriate checks to ensure security and avoid breaches.
Chairman Smith. And I assume improvements have been made to
security in the last several weeks?
Dr. Rochford. When I started, the security plan actually
became operational over the last couple months so we have
developed training materials. We have video training materials.
We have a number of things that I'll be launching very soon. So
yes, we're ready to----
Chairman Smith. Would the security measures that have been
implemented recently have prevented the unauthorized access
that has occurred in the past?
Dr. Rochford. I think the training is going to be a key
part of that, and the training is going to take some time. So
we have not put in place something that would cause 100 percent
improvement.
Chairman Smith. What has been put in place that you guess
would prevent most of the unauthorized access from occurring?
Dr. Rochford. There are some items that I could discuss in
closed session.
Chairman Smith. I'm not asking you what those items are.
I'm just asking you generally to say whether or not you feel
that what's already been implemented would prevent most of the
unauthorized access that has occurred in the past.
Dr. Rochford. I think we've put things in place to improve
the situation.
Chairman Smith. Okay.
Dr. Rochford. I do not have confidence that I could say we
have 100 percent----
Chairman Smith. Thank you very much.
Thank you, Mr. Chairman.
Chairman LaHood. Thank you, Chairman Smith.
I now recognize the Ranking Member, Mr. Lipinski.
Mr. Lipinski. Thank you.
Ms. Casias, your office oversees the Commerce Office of
Security, which manages the Police Services Group. The Director
of Security for NIST provided a letter to the Science Committee
on September 14 of this year that the Police Services Group in
both Colorado and Maryland had a total of 41 authorized staff
with five current vacancies under the existing operating
budget. Can you tell us what sort of impact you believe current
budget constraints have on NIST's security posture, and what
can we in Congress do to help in that regard?
Ms. Casias. Congressman, thank you for that question. As we
said, security is not one-size-fits-all, and while we have our
police force, our Police Services Group, we also have
contracted staff which we have supplemented that workforce
with. At this point I believe looking at our risks and our
vulnerabilities, we are working within our budget and believe
that we have adequate funding. As we work through the
evaluation and look at the different responsibilities between
NIST and the Department, if there is anything there we'll
identify and work with this Committee on those findings.
Mr. Lipinski. Let me ask Dr. Rochford or Mr. Bagdoyan, do
you agree with that in terms of having enough resources?
Dr. Rochford. At this point we've gone through our Security
Sprint and have identified a number of activities that we can
make. I currently believe I have the resources to take on that
first tranche of activities. So at this time I believe we have
the resources.
Mr. Lipinski. Mr. Bagdoyan, do you have any thoughts on
that?
Mr. Bagdoyan. Yes. Thank you, Mr. Lipinski. I would answer
in terms of the resourcing level as a function of the risk and
the countermeasures already in place and anticipated, so a
precise number that would drive a budget is obviously a
function of that, and I would defer to the Department on that
matter.
Mr. Lipinski. Thank you. Mr. Bagdoyan, part of the GAO
examination of NIST security included a survey of NIST
employees which you had talked about in your testimony. My
understanding is that the sample for that survey was
exclusively technical and scientific staff. Is that true, and
if so, why were other staff omitted from the survey pool?
Mr. Bagdoyan. Yes, that is correct, Mr. Lipinski. We
surveyed approximately 500, which is a projectable sample, and
a determination of what to include and what not to include was
essentially a methodological one. We can provide you with
additional detail separately if you like in terms of how we
arrived at that.
Mr. Lipinski. Was there a reason that the administrative
staffers were not included in that?
Mr. Bagdoyan. Well, I don't recall the specifics but I
would say that we chose to focus on people who would likely
encounter potential intruders and others during the course of
their duties.
Mr. Lipinski. But it would seem like anyone coming in to
the gate would be someone who potentially would have the
possibility of letting someone in who shouldn't be in there.
Mr. Bagdoyan. Yeah, I take your point but we just chose
what we chose, and I can certainly provide a more detailed
explanation on the methodology separately.
Mr. Lipinski. Okay. You said 75 percent in the survey said
that they take security--I forget, what were the exact----
Mr. Bagdoyan. Yes. Let me look at my cheat sheet here. It
says about three-quarters of scientific and technical employees
believe that NIST leadership places great or very great
importance on physical security issues.
Mr. Lipinski. Is that 75 percent enough?
Mr. Bagdoyan. Well, optimally you would want it to be 100
percent. That was--that goes back to my earlier point that if
you want the culture to improve, the awareness to improve, and
be optimal, you really need to be at a very, very high level
for this to work. Otherwise a single weak point, a single
individual who might not get it is a potential vulnerability.
Mr. Lipinski. It sounds like there's good work being done.
We certainly need to follow up, and the culture I think is
certainly going to be a big issue.
Just very briefly, do you think there's any--is it possible
that the type of people who would be working, the technical
people who would be working at NIST are people who are used to
more open circumstances, campuses, things like that that do not
require the type of security and that could be a reason why?
Mr. Bagdoyan. It's certainly a possibility but again, with
proper training, leadership emphasis, you move the needle in
the direction it needs to go, and awareness is key.
Prioritization from leadership is key as is getting
stakeholders, for example, on the Boulder campus. There are
other agencies that share the space to get them involved as
well because their culture would be also impacted, and that's a
key point.
Mr. Lipinski. Thank you.
I yield back.
Chairman LaHood. Thank you, Mr. Lipinski.
I now recognize Mr. Marshall of Kansas for his questions.
Mr. Marshall. Thank you, Chairman LaHood.
First question for Mr. Rochford. In the military or in
business when we have a big goal, a big vision, we typically
set out a timeline with major events, major milestones, so our
goal here obviously I would assume we have all the same goal:
better security in these facilities. Do you have a timeline?
Where are we on that timeline? Where's it going?
Dr. Rochford. Our Security Sprint did set out a timeline
for phase I for this training, this outreach, the
accountabilities. That timeline has various things happening
that I've mentioned with our goal to have complete mandatory
training, for example, by the end of the calendar year.
Mr. Marshall. Can we have access to that, perhaps? Would
that be a reasonable question?
Dr. Rochford. That's to the----
Mr. Marshall. To the timeline or----
Dr. Rochford. Certainly. I don't have it with me but I can
provide that.
Mr. Marshall. Okay. Thanks.
I want to go back to the plutonium incident at the NIST
facility in Boulder, Colorado. I guess that's several years
ago. Obviously it created some significant challenges to not
just the facility but the surrounding people as well. And now
we're aware of another incident at the same facility. Do you
feel like you've done everything possible to shore up that
situation there for such another dangerous event? Obviously
there's some pretty toxic things going on there.
Dr. Rochford. Plutonium was a wake-up call for NIST. That
was the moment we realized that our safety culture was not what
it needed to be. In the past we've worked on what is considered
an expert culture where we trusted our highly trained
individuals to take on safety. What we recognized is, we needed
to take this more deeply. We needed to have specific training,
specific processes, specific access controls and procedures. As
a result, I could state that we have a very assertive safety
culture now, and in fact, that's what I'm modeling our changes
in the security culture towards. In fact, that specific event
we basically met all the Nuclear Regulatory Commission's
requirements satisfactorily. We've made great strides in our
safety program both in radiation--radioactive materials and
safety in general, and I think yes, our safety program is much
more robust.
Mr. Marshall. I'm just curious. The people that are doing
the research are scientists. Are they the ones ultimately in
charge of the security, figuring out what--I mean, I'm guessing
it's two different people. My doctors are not real--the
surgeons are not real good at figuring out what to do in the
ER. So I'm hoping it's different people than the scientists
trying to figure out a security program for the facility.
Dr. Rochford. No. So the way we operate is, we obviously
have a management structure. I as the Acting Director have
responsibility for security. We can gather scientific input. So
for example, when we assess a space, as the Chairman had
mentioned, we may have proprietary information, we may have
other information. We gathered that from the scientists so we
can understand what sort of safety and/or security protocols to
put in place. Those then are developed in programs that follow
guidelines created by both the Department's Office of Security
and then the local controls that we have in place.
Mr. Marshall. Okay. My last question. Going back to
Boulder, there's still no external barrier in Boulder as I
understand it. Do you feel like that's a problem, and what are
we--why isn't--I mean, that would seem to me to be more of an
immediate solution to unauthorized access to restricted areas
or some type of a physical external barrier. Do you think it's
necessary? Why haven't we done it, or is that a waste of time
and effort and money?
Dr. Rochford. I would not characterize it as a waste of
time and effort. When I started in January and undertook the
Security Sprint, my goal was to be able to get quick wins, to
be able to do things that we could take action on quickly. A
fence in Boulder, it's going to be a multi-stakeholder process.
There's a number of factors and considerations including both
the city, the neighbors, local government, issues of that
nature. There are environmental aspects. It's something that
will take a longer time.
Mr. Marshall. That just drives me crazy to think about
that, that here's an immediate danger and we're not--and the
process, the rules, the regulations, and again, having built a
hospital facility, I know what it's like. It just takes months
and years to go through the process, and in the meanwhile, we
can't get to the real solution.
So I look forward to going through those weeds as quick as
you can and making these places secure.
Thank you, and I yield back.
Chairman LaHood. Thank you, Mr. Marshall.
I now yield to the Ranking Member, Ms. Johnson, for her
questions.
Ms. Johnson. Thank you very much, Mr. Chairman.
It's rather puzzling to me when you put everything on
training, what was the initial training when people were hired?
Do you have any standards, ethical standards for them to have a
commitment? Yes?
Dr. Rochford. We do have onboarding training. In
retrospect, onboarding training has been rather simplistic--
wear your badge. What I need to do is develop--and we have done
this--a training that's very explicit, very unambiguous, and
actually includes various scenarios so people know precisely
what we mean and what we expect. So I think in the past we just
had not done training that was sufficiently detailed, and that
is being remedied.
Ms. Johnson. You know, I'm having a hard time. I fully
support the work of NIST, and I looked at the recommendations
that GAO has recommended, and I'm having a very hard time
understanding what changes were made or what kind of approaches
did you make after these incidents. It seems very, very loose
to me in a very important area. Do you feel capable of running
this agency and keeping the activities at a professional level?
Dr. Rochford. Yes, I do. I've been in this role since
January so I've had a limited span here that I can do these
things. Since 2015, we have added several engineering access
controls. We did increase security staffing. We did establish
this NIST Security Advisory Board. But there is more to do, and
that's what I've been working on over the last many months, and
I'm confident when our new Director joins us that he'll be
interested in moving this forward as well.
Ms. Johnson. When you say there's much more to do, give me
an idea what else that you have in mind to do.
Dr. Rochford. In addition to training--this is a culture
change, in my opinion, so it requires a leadership commitment
that's consistent and persistent, right? We need to continually
meet with staff. We need to demand that the training
requirements are met. I need to hold my management accountable.
My management needs to hold the employees accountable. We
basically have to change an attitude so that we're doing this
in the best possible way. We've done it in safety. We know how
to do this, but we also know it takes time and it takes real
commitment. So I have the commitment. We just need some time.
Ms. Johnson. Okay. Ms. Casias, do you have any comments?
Ms. Casias. Yes. I agree with Dr. Rochford that it is a
culture change, but I also believe as we're working together we
need to look at the management structure. That is a priority
for us. We also--as I stated, we now have all of our staff
trained on the ISCR RMP standards, and I think looking and
working with those facility assessments and getting those
relooked at this year, redone, and looking at that jointly, I
think it really is critical that we have that open
communication and working together, and I believe we do. We've
talked about a lot of trainings today, and those are not just
the NIST folks working on that. Our Director of Security, who
is on campus at NIST, has been working, and yesterday just had
one of the security days with a fabulous turnout from the
staff, and that was a joint effort and working together and
looking at what we need to do.
So there's more to do than training, and I believe we're on
that path and we're working towards that, and I'm confident
that our partnership together we will get there.
Ms. Johnson. Have you looked at these? Are you following
the recommendations of GAO?
Ms. Casias. Absolutely. We have already started. As I
noted, we've already put together--both myself and Dell
Brocket, who's in the room, we're going to be spearheading this
and the executive sponsors. We've actually worked on other
projects in the Department before this, and we've been
successful, and I know that we'll be successful in this one,
and it's a priority. Security is a priority for the Department,
for our people, for our assets and our information.
Ms. Johnson. Well, thank you. I know that security is very
important but I'm talking about the ethical behavior of the
people within a security measure as well.
Ms. Casias. I agree, and I think looking--and there's been
some steps of initiating some security measures in people's
performance plans, but we are looking into the incidents that,
you know, folks have seen on the videos and determining--we've
done appropriate counseling to date and we're working with the
appropriate offices on what other steps we need to take.
Ms. Johnson. Thank you very much.
Chairman LaHood. Thank you, Ms. Johnson.
I now recognize Mr. Norman from South Carolina.
Mr. Norman. Thank you.
Dr. Rochford, I guess as a follow-up to Chairman Smith's
question about the 15 attempts and you had 15 breaches, and you
mentioned that if they occur today, you couldn't give 100
percent guarantee that be--it would prevent it. What percentage
would you give?
Dr. Rochford. That would be difficult to assess. At this
point because we haven't rolled out the training, I don't think
some of the early steps that need to be taken have occurred.
The training, I will have the meetings with management this
afternoon, and again, these have been planned for some time.
I'll have meetings with all staff. At that point we'll roll out
the required training. My belief is as people take the training
and we're holding them accountable, we'll see improvements.
Mr. Norman. Okay. Now, I also understand that the
Gaithersburg, Maryland, campus has a nuclear reactor on site.
Is that true?
Dr. Rochford. That's correct.
Mr. Norman. NIST stores caches of radioactive material for
testing. Is that true?
Dr. Rochford. Testing and standards, measurement standards,
correct.
Mr. Norman. Do you realize you can google this and get this
on site? You don't see this as a security risk?
Dr. Rochford. Some of this will be known because of Nuclear
Regulatory Commission postings so, yes, it is known. In
addition, our nuclear reactor is a center for neutron research,
which is a center that uses neutrons to do measurements and
therefore we interact with industry and academia so they do
know about it as well.
Mr. Norman. And another question, Doctor. According to the
Washington Post, in August of this year a NIST employee was
exposed to an unsafe dose of radiation, and according to this
article, as of September 27, it's still unknown how the
container of the radioactive material was compromised. Have
they found anything out on that?
Dr. Rochford. Yes, yes. We've learned a great deal in that
incident. The material is known as americium. It was held in a
small 50-milliliter ampoule. We received it from an energy lab
about 17 years ago. It was in solution, and as the
radioactivity occurred, these decayed particles caused what
they call radiolysis, created a gas, and over time the gas
overpressured and the ampoule exploded. So what in fact
happened was not a mishandling event but we keep these in these
lead storage containers, and the material burst. We found it
during a routine radiation testing, a survey program that we
have where we look at these spaces weekly, and then when we
found it, we could put controls in place, and then we had to
test all the individuals who had been in contact with the
material before the breach or before the dispersion was noted.
We're very aggressive in our reporting in safety, so we
immediately went to the Nuclear Regulatory Commission, and we
provided a notification that had worst-case scenarios. What
we've learned since as we've been able to do more testing both
of the material and the bioassay, we believe that the
individuals involved have not had exposures above the
regulatory limits, that they've actually been below the
regulatory limits. These measurements are actually quite
difficult. These are alpha emitters, which are very, very
faint. It also took some time for us to get the measurements.
But we have engaged with the Nuclear Regulatory Commission at
great length and with the Department of Energy, and in fact,
the 30-day report to the NRC went out Saturday, so that's a
public document.
Mr. Norman. Okay. You know, I join in Congressman Johnson I
guess and the concern I have is that you all were taking it
seriously and particularly with the taxpayer dollars that are
going toward this that it's--I see it's a leadership problem
but still there's got to be some consequences to it, so I would
ask you to put this at the top of your list to get fixed, and
not just addressed but to get fixed because 15 of 15 breaches
is not--is unacceptable in my mind.
Dr. Rochford. I agree.
I yield.
Chairman LaHood. Thank you.
I now recognize Ms. Bonamici of Oregon, please.
Ms. Bonamici. Thank you very much, Mr. Chairman.
Dr. Rochford and Ms. Casias, NIST now has, it's my
understanding, your full-time equivalent police officers, about
28 in Maryland and 13 in Colorado, but you also use contract
protective security officers. So can you talk a little bit
about what they do, where are they stationed, at the gates, at
the doors, and what training do they get and what is the
turnover among those contracted protective security officers?
Ms. Casias. Thank you for your question. I will have to get
back to you on the turnover. I don't have that information with
me immediately. But all of our contractors are required to have
certain standards. We do provide training, and I can tell the
folks on this panel that we have provided training since the
penetration issues that we've had, and we'll continue to have
that training with those folks.
Ms. Bonamici. How does their training compare to the, for
example, police officer training?
Ms. Casias. I would have to get back to you on the exact
distinctions between the both, but in the case of providing the
security services, both parties, the Police Services Group and
the officers, the contract force, receive the same training,
and everyone that is responsible for that understands that it
is totally unacceptable with the breaches and what has
happened.
Ms. Bonamici. Thank you. I would appreciate the follow-up
on the turnover among those contracted officers.
The 2015 incident, which we've all heard about with the
NIST employee who was a NIST police officer trying to make
meth, now that of course is a rare type of situation but what
recommendations are you making now that would have prevented
that particular incident as opposed to your recommendations to
keep out unauthorized access? This person was a NIST employee,
so what specific recommendations would have prevented that? Ms.
Casias or Dr. Rochford?
Ms. Casias. I obviously was not in my position when that
occurred but I know we have put more--instituted more, looked
at how we're using rovers, how we're using our police force and
our guards and our actual police force that's on site.
Ms. Bonamici. But he was a police officer, so what----
Ms. Casias. I agree.
Ms. Bonamici. What would have prevented that at the time?
What are you doing now that would have prevented that?
Ms. Casias. I believe how we are running our shifts and
looking at our shifts, that may have prevented it. I'll have to
get back to you, you know, on exact measures that we may have
taken.
Ms. Bonamici. Thank you.
Mr. Bagdoyan, the GAO report notes inefficiencies, plural,
that arise from the fragmented organizational structure of NIST
security. An example mentioned in the report was that NIST is
responsible for procuring and placing the security cameras but
the Department of Commerce is overseeing the police personnel
and the facilities, and that led to some of the security
cameras being placed in locations that weren't particularly
useful or helpful for the police. So what are--number one, what
are some of the other inefficiencies, because you said
inefficiencies, and that was one example? And then also, how
could that have been prevented. It seems like maybe a simple
phone call could have said--could have remedied by saying, you
know, the cameras aren't in the right place. So how did that
happen? And maybe I can get Ms. Casias and Dr. Rochford to
respond as well.
Mr. Bagdoyan. Sure. I'll let my fellow panelists here
respond from their perspectives.
In terms of placement of equipment and so forth, I
certainly wouldn't venture there in an open hearing, but in
terms of other inefficiencies, you have risk assessments that
are done separately, for example, so that is a core function
that at least should be coordinated, if not collaborated on.
Ms. Bonamici. And I see Dr. Rochford nodding his head so
I'm assuming that NIST agrees with that.
Mr. Bagdoyan. Right. So that's--right. So I would just
leave it at that. That's a key inefficiency.
Ms. Bonamici. Thank you.
Mr. Bagdoyan. And also crafting different policies at
times. Parallel security policy is another area of inefficiency
that at a minimum should be much more closely coordinated if----
Ms. Bonamici. Thank you, and I don't want to interrupt but
I want Dr. Rochford and Ms. Casias to respond to the, how could
that have been remedied? Is there some channel for--a better
channel for communication where if the cameras are put in the
wrong place, why weren't they--why wasn't that immediately
fixed?
Dr. Rochford. That should have been immediately fixed. I
don't know what line of communication dropped and why that
didn't occur. On our campuses, our cameras and other access
controls are not used purely for security as well. We do have
some that are put in for safety reasons, and it could be that
security personnel were concerned that they may not have had
appropriate access but those were done for programmatic
reasons.
As far as coordination, our Security Advisory Board does
have our local OSY Director of Security at NIST on that board,
so when we do develop local policies, this individual is
involved and weighs in. So we have worked to coordinate to
ensure that we have the right amount of overlap.
Ms. Bonamici. Thank you, and I see my time is expired. I
yield back. Thank you, Mr. Chairman.
Chairman LaHood. Thank you. I now yield to Mr. Loudermilk
of Georgia for his questions.
Mr. Loudermilk. Thank you, Mr. Chairman, and I thank the
panelists for all being here today.
As has been mentioned I'm sure many times in the last few
months and even here today, the incident with the police
officer who was cooking meth in one of the laboratories, it's
interesting, it was last year or in the last Congress I was
Chair of the Oversight Subcommittee, and we were investigating
this instance, and it was during that investigation when we
actually uncovered the plutonium incident. In fact, it was an
email. The question was, why wasn't Congress notified of the
meth explosion, and an email we uncovered between two senior-
level people was well, we didn't notify Congress about the
plutonium incident either, and it was a thousand times worse.
So I'm just bringing that up to say I hope that the
communications with Congress would--is going to drastically
improve with instances.
But I want to direct my questions to our response,
Congress's response, regarding security issues that have
transpired at NIST. Last year I sponsored the NIST Campus
Security Act, which ultimately was incorporated into the
American Innovation Competitiveness Act, which was signed into
law back in January. Now, according to GAO report, physical
security at NIST was split between the Office of Security and
NIST, and the American Innovative Competitiveness Act directs
the Secretary of Commerce to oversee law enforcement at NIST by
establishing the NIST Director of Security. I understand that
has been fulfilled, that position. How--are we seeing that with
this new position, the new Director is closing the gaps that
existed in security between the two offices, Dr. Rochford?
Dr. Rochford. Yes, I would agree, and I think one activity
is the Security Advisory Board in which he works. We also have
weekly meetings between the Office of Security, Director of
Security of NIST and our Emergency Services Office Director
every week so we can make sure that day-to-day issues are dealt
with.
I would like to note in terms of the plutonium incident, I
wasn't in this job.
Mr. Loudermilk. Yes, I understand.
Dr. Rochford. However, NIST would never keep things from
the Oversight Committee, and that incident in fact did have
extensive hearings at the time, so we were very forthcoming and
did inform Congress during that incident as well.
Mr. Loudermilk. Mr. Bagdoyan, I know that the bill that I
was referencing assigns GAO to conduct a study evaluating the
performance of NIST Police Service Groups. Have you been able
to assess the improvements or the performance that we've seen
out of security since the new Director has been put into place?
Mr. Bagdoyan. Well, not really. I mean, basically what our
work consisted of was testing what was in place at the time.
Obviously having a Director in place is important but what
we're testing is the reality on the ground so the Director has
to make things happen on the ground for us to be able to go
back at some point, Congressional direction, of course, to take
another look and see how things have changed.
Mr. Loudermilk. Now, of course we don't want to get into
areas that are sensitive to reveal----
Mr. Bagdoyan. Of course.
Mr. Loudermilk. --anything in this session but I don't know
the exact time frame of the videos that we saw earlier.
Mr. Bagdoyan. Sure.
Mr. Loudermilk. But if those occurred within the past year,
I still have concerns that we have not made strides in the
right direction.
Mr. Bagdoyan. Right.
Mr. Loudermilk. Is there still a lot of improvement that
needs to be done?
Mr. Bagdoyan. Yes, we can certainly try and address that
point, Mr. Loudermilk, in a closed session.
Mr. Loudermilk. Okay. Thank you.
Dr. Rochford, do you agree that we still have a lot of area
that needs to be covered?
Dr. Rochford. Absolutely.
Mr. Loudermilk. Okay.
Dr. Rochford. And as I'd mentioned, a lot of this is driven
by culture, and that we can change.
Mr. Loudermilk. Thank you.
Since I have a few more seconds, Mr. Bagdoyan, in your
testimony you described overlapping risk management activities.
To what extent did you witness duplicative activities and what
are the consequences of such duplication?
Mr. Bagdoyan. Well, witnessing obviously is performing the
assessments themselves, then devising security policies that
are at least in part derived from those assessments. If they're
not sufficiently coordinated and essentially collaborated on,
then you might end up having two different lines of thinking in
terms of what is risky and what the countermeasures are and
what resources are needed to be devoted to those
countermeasures.
Mr. Loudermilk. Thank you. And Dr. Rochford, this--you're
inheriting a lot of the problems that existed, and just my
final question, do you have a plan in place to reduce the
duplication between the two?
Dr. Rochford. Yes. In fact, much of what I think was seen
as duplication was in fact coordination. We've often started
our work using documents derived from the Office of
Security. As a manager I do have to make some resource
allocation decisions so clearly those are things I can do in
conjunction with the Office of Security. But we do that through
coordination with our Security Advisory Board, which does have
OSY and its personnel.
Mr. Loudermilk. Thank you. I yield back.
Chairman LaHood. Thank you.
At this time we recognize Mr. Perlmutter for his questions.
Mr. Perlmutter. Thank you, Mr. Chair.
Mr. Bagdoyan, how often does the GAO conduct kind of
investigations like this where you do, I mean kind of sting
operations, if you will? I'm familiar with TSA operations where
sometimes you go in and see if you can sneak through the
security there. How often do you guys do this?
Mr. Bagdoyan. Well, they do take a lot of time to develop
and implement. Of course, all of our investigative work is
derived from Congressional requests so we do get them
periodically. You're absolutely right about TSA and the
transport sector overall. We have done, as you may know, in the
past work looking at the Affordable Care Act and its enrollment
controls. I testified on that on several occasions in recent
years. We most recently completed work on the FCC's lifeline
program where we used undercover resources to attempt to enroll
into the program, and we were mostly successful. So it
basically runs the gamut. Again, it's driven by Congressional
interest and request so we play in various different spaces,
and I would point out that no one investigation is the same as
another. They're all very unique.
Mr. Perlmutter. Thank you.
So Dr. Marshall is from Kansas, and he has questions, Dr.
Rochford, about the Boulder campus and putting up a fence. So
just listening to this, I think you've got to bifurcate between
safety and security. They're two different things. So the
plutonium was a safety issue. It wasn't like somebody was
stealing it. But the security issue is, you have a guy roaming
around the campus through an open window, for goodness sakes,
for hours before anybody discovered him. So I don't know about
putting a fence up in Boulder. That's going to take forever to
get something like that done, but you certainly can harden the
security for each building. What steps are you taking on that?
Dr. Rochford. That's absolutely correct, and we have taken
a number of steps in that regard. We've added additional
engineering controls at the perimeters of the buildings. We've
improved internal alarming in areas where we have windows of
that nature. In fact, it wasn't an open window. What it was,
was a temporary window in which we were doing laser experiments
on the mesa, so it was easily broken. Now that's----
Mr. Perlmutter. That's been fixed?
Dr. Rochford. There's other things we can--yes, that's been
fixed, and we can talk about details.
Mr. Perlmutter. All right. Let's talk about the plutonium
for just a second, and obviously in our area, we've dealt with
issues pertaining to plutonium with Rocky Flats and all of
that. I guess just as a neighbor of this laboratory, I wasn't
aware that you guys were a storage facility. You're a
laboratory. And to the degree that you are a storage facility,
I hope that that's part of the approach you're taking, and I'd
say to Commerce as well, that should be going to the Department
of Energy or somebody else. You can react to that if you will.
Dr. Rochford. So in fact, we are not a storage facility. In
that particular incident, we had an exceedingly small quantity
of plutonium that was being used to measure sensors and
detectors that were going to be used for non-proliferation
activities. However, there is no exceedingly small amount of
plutonium, so we had to manage it very carefully. Since then we
have only in Boulder used what are known as sealed sources.
Now, in Gaithersburg, we have a radiation physics division.
We do have a number of sources, and these are used as
measurement standards to calibrate things as diverse as
radionuclides for medicine to things for non-proliferation for
other activities.
Mr. Perlmutter. So I just--now I'm going to get on my
political high horse for a second. I mean, obviously I'm
listening to my friends on the Republican side of the aisle
talk about radiation and these small amounts and the danger
that comes from it, and I would just say as I just did in the
Financial Services Committee, the President just openly talking
about nuclear arms and building of stockpiles and all of that
stuff, there's real danger there, and we all know that, and
that rhetoric is dangerous, and so with that I yield back to
the Chairman.
Chairman LaHood. Thank you, Mr. Perlmutter.
I now recognize Mr. Higgins of Louisiana for his questions.
Mr. Higgins. Thank you, Mr. Chairman.
Mr. Bagdoyan, as Director for the GAO's Forensic Audits and
Investigative Services, I thank you for your service to your
country, sir.
Mr. Bagdoyan. Thank you.
Mr. Higgins. Looking at your bio, you have an extensive
background of security, critical infrastructure protection,
risk management, and homeland security. Would you concur that
you're an accomplished investigator?
Mr. Bagdoyan. I would like to think so.
Mr. Higgins. One would like to think so. My background is
in law enforcement, sir. Would you also agree that it's just
human nature that over time if there's been no critical
incident, there develops sort of a relaxed culture of security
at entry and perimeter security? Would you concur that that's
generally true and----
Mr. Bagdoyan. Yes, it's possible that over time that
happens----
Mr. Higgins. Thank you.
Mr. Bagdoyan. --if you don't pay attention.
Mr. Higgins. However, given the incidents of July of 2015
and April of 2016, those security breaches, wouldn't as an
experienced and accomplished law enforcement professional and
security expert, wouldn't you concur that the heightened
awareness should have existed by the time your agents began
your undercover probes?
Mr. Bagdoyan. That would be a logical response, yes.
Mr. Higgins. And it was your team that conducted the
security evaluation of NIST. Is that not--is that correct?
Mr. Bagdoyan. Yes. My investigative colleagues performed
that work.
Mr. Higgins. How many individuals made up the team of GAO
undercover staff?
Mr. Bagdoyan. That I will defer answering until a closed
session.
Mr. Higgins. I understand. Was there more than one agent?
Mr. Bagdoyan. I'll reserve on that one. Thanks.
Mr. Higgins. Your one or potentially more than one were
quite successful though, were they not?
Mr. Bagdoyan. That's what the record shows, yes.
Mr. Higgins. At any point during the course of your
undercover investigation did the GAO agents have potential
access or were they in a close vicinity of a NIST computer?
Mr. Bagdoyan. I'll have to defer answering that, sir,
sorry.
Mr. Higgins. Were they in a building where computers
existed?
Mr. Bagdoyan. Same answer.
Mr. Higgins. Would your staff have had the opportunity to
insert a thumb drive on one of these perhaps nonexistent
computers----
Mr. Bagdoyan. I'll----
Mr. Higgins. --thereby infecting the system with a virus?
Mr. Bagdoyan. I'll defer answering that.
Mr. Higgins. Did your staff have access to laboratories?
Mr. Bagdoyan. Same answer.
Mr. Higgins. So in these buildings that your staff was able
to enter, is it reasonable to presume that there were offices
with computers and perhaps laboratories, given the fact that
that's why these buildings exist?
Mr. Bagdoyan. That's what NIST exists for so that's a safe
assumption.
Mr. Higgins. It would be a reasonable presumption, would it
not?
Mr. Bagdoyan. Yes, sir.
Mr. Higgins. Isn't it true that a deranged individual
wandered around the Boulder, Colorado, NIST campus and required
medical attention because he accessed an area which houses
toxic chemicals?
Mr. Bagdoyan. That's my understanding of the incident. I
don't know whether he was deranged or not but he certainly
didn't belong where he was.
Mr. Higgins. Is the Boulder facility fenced?
Mr. Bagdoyan. It is not.
Mr. Higgins. Thank you. Were there any mechanisms in place
to warn the guards that this individual was present, an alarm
system or something of that nature?
Mr. Bagdoyan. I don't know.
Mr. Higgins. Did the folks on the ground at Boulder know
how long this gentleman, what was the duration of time that he
wandered undetected?
Mr. Bagdoyan. I don't know, Mr. Higgins.
Mr. Higgins. Mr. Chairman, we have reviewed videos of the
GAO undercover staff conducting testing of the physical
security of these campuses, and I respectfully submit that the
Department has considered this sensitive information and not
appropriate for the public to see. But as an experienced former
law enforcement officer, these videos do show evidence of
repetitive failures of the security in place at these
facilities and the need for substantial improvement from NIST
and the Department, and I respectfully submit that these videos
should be made public so that NIST be held accountable by the
broader public, by we, the people, and by the taxpayers that we
represent as opposed to just the members of this Committee, and
with that, I respectfully yield back, Mr. Chairman.
Chairman LaHood. Thank you, Mr. Higgins, for your
questions, and I think that concludes all the questions from
Committee members at this time.
Let me just in closing thank you for being here and for
your valuable testimony. I think collectively both Republicans
and Democrats here today have expressed concern for what went
on here with these three breaches and are going to be watching
and monitoring to make sure that the implementation of the
suggestions are put through and that we do everything we can to
make sure that these facilities are secure and safe moving
forward.
I would also ask that there was a number of requests made
by members here today, that those be followed up by the
witnesses. The record will remain open for two weeks for
additional comments and written questions from members.
Pursuant to House Rule 11(g)(2) and the previous vote of
the Subcommittees, the remainder of the hearing will be closed
to the public because of the disclosure of the testimony that
may be heard may compromise sensitive law enforcement
information. The clerk will clear the room. Only Members of
Congress, their staff, and witnesses may remain in the room.
Once that's done, we'll begin the executive session.
[Whereupon, at 11:24 a.m., the Subcommittees proceeded in
closed session.]
Appendix I
----------
Answers to Post-Hearing Questions
Responses by Ms. Lisa Casias and Dr. Kent Rochford
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Responses by Mr. Seto Bagdoyan
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]