[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]


                  CYBERSECURITY FOR THE NEW FRONTIER:
                   REFORMING THE FEDERAL INFORMATION
                        SECURITY MANAGEMENT ACT

=======================================================================

                                HEARING

                               BEFORE THE

                              COMMITTEE ON
                          OVERSIGHT AND REFORM
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             SECOND SESSION

                               __________

                            JANUARY 11, 2022

                               __________

                           Serial No. 117-59

                               __________

      Printed for the use of the Committee on Oversight and Reform
      



                       Available on: govinfo.gov,
                         oversight.house.gov or
                             docs.house.gov
                             
                               __________

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
46-680 PDF                 WASHINGTON : 2022                     
          
-----------------------------------------------------------------------------------   
                             
                   COMMITTEE ON OVERSIGHT AND REFORM

                CAROLYN B. MALONEY, New York, Chairwoman

Majority members:
Eleanor Holmes Norton, District of Columbia
Stephen F. Lynch, Massachusetts
Jim Cooper, Tennessee
Gerald E. Connolly, Virginia
Raja Krishnamoorthi, Illinois
Jamie Raskin, Maryland
Ro Khanna, California
Kweisi Mfume, Maryland
Alexandria Ocasio-Cortez, New York
Rashida Tlaib, Michigan
Katie Porter, California
Cori Bush, Missouri
Shontel M. Brown, Ohio
Danny K. Davis, Illinois
Debbie Wasserman Schultz, Florida
Peter Welch, Vermont
Henry C. ``Hank'' Johnson, Jr., Georgia
John P. Sarbanes, Maryland
Jackie Speier, California
Robin L. Kelly, Illinois
Brenda L. Lawrence, Michigan
Mark DeSaulnier, California
Jimmy Gomez, California
Ayanna Pressley, Massachusetts

Minority members:
James Comer, Kentucky, Ranking Minority Member
Jim Jordan, Ohio
Virginia Foxx, North Carolina
Jody B. Hice, Georgia
Glenn Grothman, Wisconsin
Michael Cloud, Texas
Bob Gibbs, Ohio
Clay Higgins, Louisiana
Ralph Norman, South Carolina
Pete Sessions, Texas
Fred Keller, Pennsylvania
Andy Biggs, Arizona
Andrew Clyde, Georgia
Nancy Mace, South Carolina
Scott Franklin, Florida
Jake LaTurner, Kansas
Pat Fallon, Texas
Yvette Herrell, New Mexico
Byron Donalds, Florida
Vacancy

                      Russ Anello, Staff Director
                         Emily Burns, Team Lead
                       Elisa LaNier, Chief Clerk

                      Contact Number: 202-225-5051

                  Mark Marin, Minority Staff Director
                                 ------                                
                        
                        C  O  N  T  E  N  T  S

                              ----------                              
Hearing held on January 11, 2022

                               Witnesses

Ms. Jennifer R. Franks, Director of Information Technology and 
  Cybersecurity, Government Accountability Office
    Oral Statement
Mr. Grant Schneider, Senior Director of Cybersecurity Services, 
  Venable; Federal Chief Information Security Officer, Office of 
  Management and Budget (2018-2020); Senior Director for 
  Cybersecurity Policy, National Security Council (2017-2020)
    Oral Statement
Mr. Ross Nodurft, Executive Director, Alliance for Digital 
  Innovation; Chief, Office of Management and Budget Cybersecurity 
  Team (2015-2018)
    Oral Statement
Ms. Renee Wynn, Chief Executive Officer, RP Wynn Consulting LLC; 
  Chief Information Officer, National Aeronautics and Space 
  Administration (2015-2020)
    Oral Statement
Mr. Gordon Bitko, Senior Vice President of Policy, Public Sector, 
  Information Technology Industry Council; Chief Information 
  Officer, Federal Bureau of Investigation (2016-2019)
    Oral Statement

 Opening statements and the prepared statements for the witnesses 
  are available in the U.S. House of Representatives Repository 
  at: docs.house.gov.

                           INDEX OF DOCUMENTS

                              ----------                              

The documents listed below are available at: docs.house.gov.

  * Scorecard; submitted by Chairwoman Maloney.

  * Statement for the Record; submitted by Rep. Brown.


 
                  CYBERSECURITY FOR THE NEW FRONTIER:
                   REFORMING THE FEDERAL INFORMATION
                        SECURITY MANAGEMENT ACT

                              ----------                              


                       Tuesday, January 11, 2022

                  House of Representatives,
                 Committee on Oversight and Reform,
                                                   Washington, D.C.
    The committee met, pursuant to notice, at 10:02 a.m., in 
room 2154, Rayburn House Office Building, and on Zoom; Hon. 
Carolyn B. Maloney [chairwoman of the committee] presiding.
    Present: Representatives Maloney, Norton, Lynch, Cooper, 
Connolly, Krishnamoorthi, Raskin, Mfume, Tlaib, Porter, Brown, 
Davis, Wasserman Schultz, Welch, Speier, Kelly, DeSaulnier, 
Comer, Foxx, Hice, Grothman, Cloud, Gibbs, Sessions, Keller, 
Mace, Franklin, LaTurner, Fallon, and Donalds.
    Chairwoman Maloney. I want to start this hearing with an 
announcement we just received.
    CISA, the FBI, and the National Security Agency are, as we 
speak, releasing a new joint cybersecurity advisory on 
mitigating Russian state-sponsored cyber threats to U.S. 
critical infrastructure. It provides information on 17 
vulnerabilities to help organizations reduce the risks 
presented by the Russian state-sponsored cyber actors.
    I applaud this action and convene today's hearing to 
discuss how to reduce these kinds of state-sponsored 
cybersecurity risks for the Federal Government, which is so 
important to our national security.
    [Gavel sounds.]
    Chairwoman Maloney. The committee will come to order.
    Without objection, the chair is authorized to declare a 
recess of the committee at any time.
    I now recognize myself for an opening statement.
    Today, we are discussing the urgent need to improve the 
Federal Government's defenses against cyber attacks. Over the 
past year, we have seen devastating cyber attacks against 
Federal agencies, state and local governments, and businesses. 
These attacks have caused real-world damage like stolen 
intellectual property, hundreds of millions of dollars paid in 
ransoms, and even shutdowns of critical infrastructure like oil 
pipelines.
    Many of these attacks were carried out by America's 
geopolitical adversaries. Last January, a group of Chinese 
hackers unleashed a massive cyber attack that ripped through 
computer networks around the globe through Microsoft software. 
The attack spread to as many as 60,000 U.S. 
organizations, including businesses, hospitals, schools, and 
city governments, and posed a grave risk to Federal agencies.
    According to FBI Director Christopher Wray, economic 
espionage from China is ``the greatest long-term threat to our 
Nation's information and intellectual property and to our 
economic vitality.'' Director Wray has explained that this 
information theft amounts to ``one of the largest transfers of 
wealth in human history.''
    Federal agencies are also still reeling from the SolarWinds 
breach in which Russian actors infiltrated and roamed the 
networks of at least 9 agencies and 100 private companies for 
months. And today, we are dealing with the fallout from the 
Log4j software vulnerability, which the Director of CISA, Jen 
Easterly, described as the most serious vulnerability she has 
seen in her decades-long career.
    The mounting attacks by China, Russia, and other bad actors 
are constantly changing. They are as dynamic as they are 
diabolical. Today, we will be discussing how the Federal 
Government can protect itself against these threats.
    The Federal Information Security Management Act, commonly 
known as FISMA, establishes a cybersecurity framework for the 
Federal Government. It is the best defense our Federal 
information networks and supply chains have against cyber 
attacks, but the reality is that it is simply not enough to 
protect us in its current form.
    Threats have transformed dramatically since FISMA was last 
updated in 2014 and in ways that were unimaginable when the law 
was first written 20 years ago. Now it is no longer enough to 
guard our networks at their perimeters, as was the focus in the 
past. Today, we must also guard within the perimeter, 
continuously monitoring for the smallest trace of abnormal 
activity that might signal an intruder.
    Modernization cannot wait because our adversaries certainly 
won't, and we are already woefully behind. Congress must reform 
FISMA and create a cutting-edge, whole of government approach 
to meet the challenge of the constantly evolving cyber 
frontier. That is why today Ranking Member Comer and I are 
releasing a discussion draft to modernize FISMA called the 
Federal Information Security Modernization Act of 2022.
    The bill would improve the cybersecurity of Federal 
networks through a risk-based approach that uses the most 
advanced tools, techniques, and best practices. It would also 
clarify and streamline the responsibilities of Federal entities 
so that they could respond quickly and decisively to breaches 
and major cyber incidents.
    By modernizing the law and focusing it on the most 
important security outcomes, we can ensure that Federal 
agencies are better equipped to combat the evolving threats 
they face. Our bill contains key similarities to the companion 
legislation in the Senate, which was introduced by our 
counterparts, Chairman Gary Peters and Ranking Member Rob 
Portman. I applaud their bipartisan leadership on this critical 
issue.
    Our committee has a strong bipartisan track record of 
shining the light on the country's cybersecurity challenges and 
fighting to improve Federal information technologies. Last year 
alone, we held hearings on ransomware attacks, the SolarWinds 
breach, and the hundreds of open recommendations by the 
Government Accountability Office to improve cybersecurity in 
the Federal Government. Our committee was also instrumental in 
creating the role of the National Cyber Director, who serves as 
the President's top adviser on cybersecurity and has a crucial 
role to play in the FISMA framework.
    I also want to recognize our Government Operations 
Subcommittee chairman, Mr. Connolly, for his crucial work to 
improve Federal IT, including through his seven years of 
biannual FITARA hearings. In addition, he has led the charge on 
H.R. 21, the FedRAMP Authorization Act, which will enhance 
security and modernize cloud computing Government wide. That 
bill passed the House on suspension last year, and Chairman 
Connolly has my full support in encouraging the Senate to pass 
it so it can reach the President's desk as soon as possible.
    I want to extend my thanks to the witnesses for being here 
today and to Ranking Member Comer for his partnership and 
diligence in working on the discussion draft we are releasing 
today. We are committed to perfecting the bill together, and I 
am confident that today's hearing will help our bipartisan, 
bicameral coalition get this priority across the finish line 
this year.
    I now recognize Mr. Connolly for an opening statement.
    Mr. Connolly. Madam Chair, were you recognizing me or the 
ranking member?
    Chairwoman Maloney. You, first.
    Mr. Connolly. Ah, OK. Thank you so much, Madam Chairwoman, 
and thank you for elevating this issue to the full committee 
level. It is that important. And frankly, as we learned during 
the pandemic, information technology platforms undergird 
everything we do, and they have to help the Government deliver 
services, be efficient, effective, but also be cybersecure.
    Over the past several years, we have witnessed the 
consequences of vulnerable cybersecurity infrastructure across 
the Federal Government. Poor cyber hygiene leaves sensitive IT 
systems and data susceptible to cyber attacks by criminals, 
prompting significant disruption and high cost. This hearing 
will examine the urgent need to reform FISMA and evolve the 
Federal Government's approach to cybersecurity.
    Seven years ago, the Office of Personnel Management 
suffered a massive data breach that completely disrupted the 
operations of OPM and affected more than 20 million Americans, 
including contractors, family members, others who had undergone 
background checks for Federal employment, as well as Members of 
Congress. Since then, cyber incidents have continued to grow in 
frequency and sophistication. In fiscal year 2020 alone, Federal 
agencies reported more than 30,000 cybersecurity incidents.
    The SolarWinds, as you mentioned, Madam Chairwoman, and the 
Microsoft Exchange hacks demonstrated the unique patience, 
sophistication, and aggressiveness of our adversaries. More 
recently, on December 9, a vulnerability was discovered in 
freely available and widely used open-source software provided 
by the Apache Foundation called Log4j, which has been used to 
build a vast array of Web services for over a decade.
    Ensuring the cybersecurity of our Nation is critical, 
protecting taxpayer data and dollars. In its 2021 High Risk 
List, the GAO says that the Federal agencies and other entities 
need to take urgent action to implement a comprehensive 
cybersecurity strategy, perform effective oversight, secure 
Federal systems, and protect critical infrastructure, privacy, 
and sensitive data.
    The foundation of the Federal Government's cybersecurity 
posture relies on modernized, nimble technology systems that 
bake in security from the outset. A fundamental component of 
this security is FISMA, which was first signed into law, as you 
indicated, Madam Chairwoman, back in December 2002 and was last 
updated in 2014. The law requires each Federal civilian agency 
to establish an agency-wide program to ensure the security of 
the agency's information systems.
    Despite FISMA's positive contributions to improving Federal 
cybersecurity, Government officials have cited FISMA 
requirements as sometimes onerous and overly focused on 
compliance rather than on mitigating potential cyber threats. 
Further, when FISMA first passed, many of today's key cyber 
stakeholders had not yet been established, like the 
Cybersecurity and Infrastructure Security Agency and the 
National Cyber Director. We must take more proactive cyber 
measures that ensure the Government runs on modern, well-
designed IT.
    For example, I have long advocated for the codification of 
FedRAMP, the Federal Risk and Authorization Management Program, 
which you very generously mentioned and very much we welcome 
your support in our endeavor to get that into law. For the past 
five years, we have worked to improve and make permanent the 
FedRAMP program.
    And by the way, it has passed the House four different 
times, four different times in two Congresses. It has never 
passed the Senate. And it has finally come out of the Senate 
committee, but we believe, frankly, that the House has clear 
providence, and we want to make sure it gets passed.
    The future of Government IT is paramount to effectively 
serving the public. That future should involve an agile Federal 
work force that can respond quickly, relying on technology and 
supply chains to deliver results.
    I was thrilled to see that President Biden made Federal 
cybersecurity a priority early in his administration. His 
executive order on improving the Nation's cybersecurity ensures 
agencies are adapting and adopting best practices of secure 
cloud services, zero trust architecture, and multifactor 
authentication and encryption.
    But today's hearing reminds us more must be done, and 
Congress has a critical role in ensuring that laws evolve to 
accommodate and anticipate new realities. I look forward to 
working with you and the ranking member on the draft 
legislation, Madam Chairwoman, and I thank you for your 
leadership in holding today's very critical hearing.
    I yield back.
    Chairwoman Maloney. I thank you for your statement, and I 
now recognize the distinguished ranking member, Mr. Comer, for 
his opening statement.
    Mr. Comer. Thank you, Chairwoman Maloney, for holding this 
hearing to examine a central law governing Federal 
cybersecurity, the Federal Information Security Modernization 
Act.
    Prior Congresses have not encountered the same array or 
frequency of cybersecurity threats that we face today. Last 
year's breach against SolarWinds exposed weaknesses throughout 
multiple Federal agencies and throughout the private sector. 
Just last month, we learned of a new vulnerability infecting an 
Internet tool called Log4j. Some estimate that this is used in 
nearly a third of all websites, impacting Government agencies 
and businesses large and small.
    These incidents highlight why FISMA, a law which assigns 
cybersecurity roles and responsibilities for the protection of 
Federal information systems, is a critical component in our 
cyber defense arsenal. Public and private sector entities 
continue to play whack-a-mole while hackers take advantage of 
every possible weakness in information systems. A modern update 
to FISMA will ensure Federal agencies, in coordination with the 
private sector and Government contractors, can better protect, 
disrupt, and deter damaging digital intrusions.
    The Federal Government maintains extensive public records, 
which contain sensitive information on all Americans and the 
private sector businesses and institutions that drive our 
economy and civil society. Congress and the executive branch 
must be smart and diligent stewards of this sensitive and 
valuable information.
    In examining FISMA, we need to clearly understand the full 
scope and evolving nature of cybersecurity challenges our 
Government faces before enacting systematic changes. Recently, 
the Senate and the administration addressed FISMA reform 
through legislation and executive guidance. These are important 
steps, ones that the chairwoman and I hope to build upon to 
ensure reforms not unnecessarily impose restrictive burdens, 
duplication, or complications.
    FISMA reform must provide agencies with the authority to 
effectively address threats with speed and precision while also 
freeing time to continuously monitor new and emerging threats 
as they arise. To get this right, we must understand a core 
principle of cybersecurity--that it is impossible to have a 
completely secure system.
    As technology continuously evolves, our systems and 
networks will become more interconnected, allowing bad actors 
to continue to discover or engineer new methods of attack. Any 
reform must enable Federal agencies to respond to an incident 
in real time to mitigate damage, fix the problem, and 
effectively share critical information about the attack so it 
does not happen again.
    Burdensome red tape requirements for coordination and 
outdated compliance checklists cannot remain significant 
hurdles when responding to major cyber incidents. Nor should 
Congress be subjected to delayed and disjointed agency 
briefings following major incidents.
    That said, we also recognize the cyber expertise and 
knowledge housed within the executive branch, along with 
Government contractors performing valuable cybersecurity 
services. We have listened to these experts. We have accounted 
for their advice and guidance in drafting House companion 
legislation. We greatly appreciate OMB's technical assistance 
and have honored an overarching request to avoid imposition of 
overly burdensome bureaucratic reporting and compliance 
controls, which hamper agencies from addressing daily 
cybersecurity challenges.
    I also want to thank the chairwoman and her staff for 
working diligently to incorporate this feedback. I encourage 
our members to support a streamlined legislative product the 
chairwoman and I are crafting, which adheres to a risk-based 
cybersecurity model. We are confident our approach gives more 
flexibility to our Federal agencies and private sector partners 
to address a quickly evolving threat landscape.
    We are also focused on offering statutory authority 
enabling agencies to take proactive steps to harden our 
Nation's cyber defenses. I am confident that cybersecurity 
modernization is largely achievable through carefully balanced 
FISMA reform.
    I look forward to hearing from our witnesses, each of whom 
have a unique perspective in working in the cyber arena. 
Together, I hope our collective efforts in reform will place 
the Federal Government on a solid security footing for years to 
come, improve coordination, and present a united front in 
deterring and defeating cybersecurity threats.
    Now I would like to yield to the distinguished ranking 
member Mr. Hice, who is no doubt an expert in this area.
    Mr. Hice. I thank the ranking member. Appreciate that very 
much.
    And if I could, just as a point of personal privilege, just 
give a great shout-out and congratulations to the Georgia 
Bulldogs for a great win last night. It is my honor to 
represent Athens and the University of Georgia, and we are 
thrilled with the win that they brought home last night.
    But with that, listen, I appreciate a hearing to examine 
the potential updates to FISMA. The Federal cybersecurity 
issue, of course, is an extremely important issue, but I must 
admit that I am confused, and I am sure some of my other 
colleagues also share in some of my confusion, as to 
specifically why the majority has failed to invite the 
administration witnesses to testify concerning their experience 
operating on the cyber front lines.
    No doubt we have an esteemed group of witnesses who are 
with us here today, and they have a lot of Federal years of 
experience. But nonetheless, the agency operators currently 
battling threats from our adversaries are inexplicably absent, 
and I am sure it is because, quite frankly, they were not even 
invited to be a part of today's hearing. But if Congress is to 
examine the modern cyber threat environment fruitfully, we must 
hear from the very administration officials who understand why 
we are falling short in cybersecurity preparedness.
    It is no secret that our Federal cyber apparatus is a 
massive bureaucracy, and it has grown exponentially since the 
last revamp of FISMA in 2014. And yet it is no question, a 
reality--and a legitimate question to ask does anyone--does 
anyone believe that our Nation's cybersecurity has improved at 
the same pace as the bureaucracy? The answer, of course, is no.
    Our adversaries, particularly China and Russia, continue to 
exploit our weaknesses, weaknesses that are born from 
bureaucratic layers, from misaligned roles and 
responsibilities, and the failure to exhibit strength. When our 
Government fails to address cybersecurity weaknesses, what is 
at stake? What is at risk? Literally reams of sensitive 
information that the administrative state has amassed on 
American citizens.
    Malicious actors and America's enemies know our cyber gaps, 
and they target them. They do so accordingly. Just this past 
year, they targeted infrastructure like meat production, our 
oil pipelines, and ubiquitous software supply chains. And the 
list goes on and on and on. We are vulnerable.
    Cyber attacks are no longer merely a product of war games. 
They are genuine threats to our American livelihoods. They are 
a threat to our daily digital interactions and the numerous 
Government and private sector services.
    The Government Operations Subcommittee, understanding this 
threat, we have worked hard to improve the adoption of modern 
secure technology in Federal agencies through initiatives like 
FedRAMP and IT Modernization Centers of Excellence. And I 
believe our efforts to adopt modern cloud technology solutions 
will similarly help deliver efficient, effective, and secure 
Government services.
    My hope, my hope sincerely is that FISMA reform will spur 
further migration to the cloud, a transition spoken of 
optimistically in the aftermath of SolarWinds for improving the 
Federal Government's cybersecurity posture. I am hopeful that 
eventually we will actually have discussions with 
administrative witnesses that will allow us the opportunity to 
explore ways to further the Government's effective utilization 
of its IT assets by moving away from legacy insecure 
technologies, consolidating and optimizing the use of existing 
data centers, improving agency inventories of their IT systems, 
and focused defense of critical data assets are all ways that 
FISMA reform and our upcoming hearing regarding FITARA can 
contribute to better Federal cybersecurity.
    And I hope we will go down these paths with genuineness in 
the days, weeks, and months to come. And with that, I yield 
back.
    Chairwoman Maloney. The gentleman yields back, and I thank 
him very much for his comments and particularly the ranking 
member and his staff for working in such a positive way to 
confront what is a national security threat to our country.
    Earlier, we had several months back in October a hearing 
with the Government cybersecurity experts. We had the Director 
of Cybersecurity, newly appointed, a representative from CISA, 
the FBI. We also consulted with representatives of the Biden 
administration and the Government, Government professionals on 
the drafting of this bill. They were deeply involved in all of 
it. We can have another hearing on it.
    This hearing focuses on the private sector, which is an 
important part of our country. We need to hear what their 
challenges are and what they are doing. We have already heard 
from Government. We can have them in and hear again, or we can 
have just a panel and a committee discussion.
    But we have already consulted them, and they were consulted 
deeply and effectively and many times. We were partners in 
drafting this legislation along with the Senators that were 
involved.
    I would now like to introduce our witnesses.
    Our first witness today is Ms. Jennifer Franks, who is the 
Director of Information Technology and Cybersecurity at the 
Government Accountability Office.
    Then we will hear from Mr. Grant Schneider, who is a Senior 
Director of Cybersecurity Services at Venable. He previously 
served as the Federal Chief Information Security Officer at OMB 
and as the Senior Director for Cybersecurity Policy at the 
National Security Council.
    Next, we will hear from Mr. Ross Nodurft, who is the 
executive director of the Alliance for Digital Innovation.
    Next, we will hear from Ms. Renee Wynn, who is the CEO of 
RP Wynn Consulting. Previously, she served as the Chief 
Information Officer at NASA, which always is a target of cyber 
theft.
    Finally, we will hear from Mr. Gordon Bitko, who is a 
Senior Vice President of Policy at the Information Technology 
Industry Council and was previously the Chief Information 
Officer at the FBI.
    The witnesses will be unmuted so we can swear them in. 
Please raise your right hands.
    Do you swear or affirm that the testimony that you are 
about to give is the truth, the whole truth, and nothing but 
the truth, so help you God?
    [Response.]
    Chairwoman Maloney. Let the record show that the witnesses 
answered in the affirmative.
    Thank you. Without objection, your written statements will 
be part of the record.
    With that, Ms. Franks, you are now recognized for your 
testimony.

         STATEMENT OF JENNIFER R. FRANKS, DIRECTOR OF 
        INFORMATION TECHNOLOGY AND CYBERSECURITY, U.S. 
                GOVERNMENT ACCOUNTABILITY OFFICE

    Ms. Franks. Chairwoman Maloney, Ranking Member Comer, and 
members of the committee, thank you for inviting GAO to 
contribute to this important discussion about FISMA reform.
    As you know, IT systems supporting Federal agencies are 
inherently at risk. The protection of these systems is vital to 
public confidence, safety, and national security. Without 
proper safeguards, computer systems are increasingly vulnerable 
to attack. As such, GAO has designated cybersecurity as a 
governmentwide high-risk area for the last 25 years.
    As the cyber threat landscape has significantly evolved, it 
is important for Federal agencies to ensure that their 
information security programs under FISMA can mitigate the risk 
and impact of threats to their data, systems, and networks. 
Today, I will focus on the key preliminary results from our 
ongoing reviews of agencies' FISMA implementation.
    Our ongoing review highlights the reported effectiveness of 
Federal agencies' implementation of cybersecurity policies and 
practices and the extent to which relevant officials at Federal 
agencies consider FISMA to be effective at improving the 
security of agency information systems. Our preliminary results 
indicate varied levels of effectiveness of Federal agencies' 
implementation of FISMA requirements.
    For example, IGs identified uneven implementation of 
cybersecurity policies and practices across the Federal 
Government. For Fiscal Year 2020, IGs concluded that only 7 of 
the 23 civilian CFO agencies had effective agency-wide 
information security programs.
    Specifically, most agencies continued to struggle in the 
security core functions to identify, protect, detect, and 
recover. On a positive note, more agencies were, indeed, 
meeting the cybersecurity goal of taking appropriate actions 
needed to respond to a cybersecurity incident.
    In responding to our questionnaire and interviews regarding 
the effectiveness and usefulness of FISMA, cybersecurity 
officials at the 24 CFO agencies highlighted the benefits of 
FISMA, identified impediments to implementing FISMA 
requirements, and made suggestions to improve FISMA and the 
annual reporting process.
    Regarding the benefits of how FISMA helped improve their 
agencies' security posture, agency officials identified 
standardized security program requirements, justifiable 
cybersecurity requests to management, established agency metrics 
to track performance of the security program, and established 
responsibilities and authorities related to the cybersecurity 
program, among others.
    In terms of the impediments, agency officials identified a 
number of barriers to their agencies' implementation of FISMA. 
The most cited were a lack of resources, that annual reviews 
focused more on compliance with the law than on the 
effectiveness of cybersecurity programs, and that there was 
insufficient time to implement new requirements and/or 
remediate findings identified in the annual FISMA reviews 
before the next review season begins.
    With respect to the suggestions, most agencies did not 
identify legislative changes to FISMA or the need for 
additional authorities. Specifically, seven agencies made 
suggestions on reducing the frequency of the FISMA IG reviews. 
Other suggestions were related to the consistency of IG 
evaluations, IG reviews focusing more on risk as opposed to 
compliance, and the advancing of data automation.
    In summary, the risks to IT systems supporting the Federal 
Government are increasing, and the tactics and techniques of 
cyber criminals are constantly evolving around the globe. 
Further, high-profile events, such as the SolarWinds and 
Microsoft Exchange Server incidents, demonstrate the need for 
further attention and improvements to agency cybersecurity 
capabilities. This means that Federal agencies need to continue 
to build stronger cybersecurity programs through more effective 
FISMA implementation, which could better protect against 
increasing cyber threats.
    This concludes my remarks, and I look forward to answering 
any questions you may have.
    Thank you.
    Chairwoman Maloney. Thank you.
    Mr. Schneider, you are now recognized for your testimony.

STATEMENT OF GRANT SCHNEIDER, SENIOR DIRECTOR OF CYBERSECURITY 
 SERVICES, VENABLE, FORMER FEDERAL CHIEF INFORMATION SECURITY 
                      OFFICER, OFFICE OF 
                     MANAGEMENT AND BUDGET

    Mr. Schneider. Thank you very much.
    Chairwoman Maloney, Ranking Member Comer, members of the 
committee and your staff, thank you for the privilege to appear 
before you today.
    I've spent my entire 30-year career focused on our Nation's 
security. This includes over 20 years at the Defense 
Intelligence Agency, seven of which as the Chief Information 
Officer. I then spent six years within the Executive Office of 
the President, involved with all aspects of Federal and 
critical infrastructure cybersecurity.
    As mentioned, I served as a Senior Director for 
Cybersecurity Policy on the National Security Council staff and 
most recently as the Federal Chief Information Security Officer 
working with agencies to secure Federal systems.
    For the past 16 months, I have been a Senior Director for 
Cybersecurity Services at the law firm Venable, where I help 
our clients, both large and small from across all sectors, 
enhance their cybersecurity programs through the development 
and implementation of risk management strategies, as well as 
assisting with the preparation, response, and recovery from 
various cybersecurity incidents, including ransomware attacks.
    I want to thank the committee for taking up the very 
important issues related to the security of our Nation's 
Federal information and information systems. Over the years, 
FISMA legislation has focused agencies' attention on 
cybersecurity and made them more secure. However, FISMA must 
evolve, just as the threats and the nature of our information 
technology environments continue to evolve.
    The threat surface for Federal agencies and private sector 
organizations increases as organizations interconnect systems 
and move more sensitive information and transactions online. 
This started well before the global pandemic and has only 
accelerated over the past two years. To be clear, these digital 
enhancements increase productivity, increase convenience, and 
increase access to services.
    At the same time, malicious cyber actors have increased 
their capabilities and demonstrated a willingness to exploit 
any system to achieve their objectives, whether they be 
monetary gain, espionage, or some form of activism. Most 
recently, public and private sector organizations have been 
responding to the exploitation of the Log4j vulnerability. Over 
the past year, organizations have responded to the attack on 
SolarWinds, the Microsoft Exchange Server incident, and 
countless ransomware attacks, including the one involving the 
Colonial Pipeline. These are but a few of the many incidents 
highlighting the importance of cybersecurity for both public 
and private institutions.
    FISMA is focused on directing Federal agencies to develop 
and implement risk management programs to secure Federal 
information and information systems. As you consider updates to 
this keystone piece of legislation, I encourage you to address 
five key areas.
    First, clarify Federal cybersecurity roles and 
responsibilities. Since the last update to FISMA, Congress has 
established the Cybersecurity and Infrastructure Security 
Agency, as well as the National Cyber Director. These are 
important additions to the Federal cybersecurity ecosystem. 
However, they also require clarification of the roles and 
responsibilities with respect to Federal cybersecurity. I 
recommend Congress clarify the roles and responsibilities at a 
high level and then direct the President to clarify them in 
more detail.
    Second, codify the role of the Federal Chief Information 
Security Officer as a Presidentially appointed position within 
the Office of Management and Budget with appropriate budget and 
oversight authorities, including approval of CISA's budget and 
approval of agency cybersecurity budgets.
    Third, as part of risk management programs, require 
agencies to have greater situational awareness of their 
technology environments. This includes inventories of hardware 
and software, supply chain assessments of those inventories, 
understanding the actions being performed within their 
environment, and fully inspecting network sessions to identify 
and mitigate techniques used to compromise systems.
    Four, hold OMB accountable to maintaining the definition of 
a major incident to ensure that the right level of information 
is being reported to Congress.
    And five, require greater alignment of core cybersecurity 
requirements based on the National Institute of Standards and 
Technology guidance for both national security systems and non-
national security systems.
    Thank you again for the opportunity to speak with you 
today, and I look forward to your questions.
    Chairwoman Maloney. Thank you very much.
    Ms. Wynn, you are now recognized for your testimony.
    Oh, no, no. It should be Mr. Nodurft. You are now 
recognized for your testimony. Mr. Nodurft?

        STATEMENT OF ROSS NODURFT, EXECUTIVE DIRECTOR, 
         ALLIANCE FOR DIGITAL INNOVATION, FORMER CHIEF,
       OFFICE OF MANAGEMENT AND BUDGET CYBERSECURITY TEAM

    Mr. Nodurft. Thank you, Chairwoman Maloney, Ranking Member 
Comer, and members of the committee, for holding this hearing 
on FISMA reform.
    My name is Ross Nodurft. I'm the executive director of the 
Alliance for Digital Innovation. It's a coalition of innovative 
commercial companies whose mission it is to bring IT 
modernization and emerging technologies to Government.
    ADI engages with policymakers and thought leaders to break 
down bureaucratic, institutional, and cultural barriers to 
change and to enable Government access to secure, modern 
technology that can empower a truly digital Government.
    ADI focuses on four key areas in our advocacy efforts. One, 
accelerating technology modernization in Government. Two, 
enabling acquisition policies that facilitate greater use of 
innovative technologies. Three, promoting cybersecurity 
initiatives to better protect the public and private sectors. 
And four, improving the Federal Government's technology work 
force. Each of these areas must work closely with each other to 
allow for Government mission owners to partner with industry to 
build a modern digital Government.
    My experience prior to taking on the role of executive 
director at ADI includes both operational and strategic roles 
in the Government and the private sector focused on 
cybersecurity. More specifically to today's discussion, I led 
the Office of Management and Budget's cybersecurity team, 
reporting to the Federal CISO and CIO. During my time, my team 
was responsible for drafting the annual FISMA report to 
Congress, developing and reporting the FISMA metrics, writing 
and implementing Government-wide cybersecurity policies, 
aggregating and producing the annual cybersecurity budget, and 
managing the team that conducted oversight of the Federal 
civilian agencies' cybersecurity programs.
    Since leaving Government, I've worked closely with many 
companies to build, expand, and institutionalize their own 
cybersecurity programs and to develop an approach to 
cybersecurity risk management that effectively uses resources 
to buy down and manage enterprise risk. Since joining ADI, I've 
worked closely with some of the leading technology 
cybersecurity professional services providers to the public 
sector.
    The technologies and services delivered by ADI member 
companies underpin the Federal Government's modernization 
efforts and provide the backbone for many agencies' zero trust 
architectures and cybersecurity plans. Given the roles that 
many of our member companies play in the Federal cybersecurity 
and technology ecosystem, ADI appreciates the committee's focus 
on this important topic.
    With the spate of cybersecurity incidents and 
vulnerabilities over the last several years, the need for 
continued oversight and support from Congress is necessary to 
combat the constantly evolving threats facing the Federal 
departments and agencies. The proposed FISMA legislation that 
was recently approved in the committee in the Senate contains 
several important changes but could be more comprehensive in 
its handling of cybersecurity as a holistic public sector 
priority.
    As Congress considers an update to FISMA, ADI encourages 
this committee and others in the House and Senate to also look 
to update other key laws dealing with Government information 
technology policy acquisition and governance. Updating the E-
Government Act, the Clinger-Cohen Act, the Federal Information 
Technology Acquisition Reform Act--which you guys have a 
hearing on coming up--and aligning proposed legislation such as 
the House-passed FedRAMP Authorization Act would enable 
agencies, as well as the oversight entities and program offices 
that govern Federal IT policy, to modernize and secure their 
environments more quickly.
    On the topic of FISMA reform, ADI believes there are 
several important areas that warrant attention from the members 
of this committee. These include the need to update and align 
cybersecurity roles and responsibilities so changes to FISMA 
should reflect the new roles and authorities of the National 
Cyber Director, as well as the responsibilities of the Federal 
CISO at OMB and the Director of the Cybersecurity and 
Infrastructure Security Agency.
    Another area that warrants the committee's attention is the 
need to address incident response, breach notification, and 
vulnerability management. Given the proliferation of incidents, 
breaches, and vulnerabilities, updated FISMA legislation should 
codify practices and policies that keep Congress informed in a 
way that will allow for effective oversight while giving the 
departments and agencies the flexibility and time to respond 
and report these incidents, breaches, and vulnerabilities 
without disrupting or impacting those responses.
    Another area is to reinforce Government shift to commercial 
technologies through use of automation and focus on meaningful 
reciprocity. As the Government's information technology 
ecosystem shifts to more modern cloud-based solutions, agencies 
should embrace technologies and services that enable security 
in these zero trust environments and leverage best-in-class 
industry partners to assist with the buildout of those 
environments.
    This bill should make it easier for agencies to issue 
authorizations to operate through strategies that include use 
of automation and offer reciprocity across agencies and across 
compliance regimes.
    Effectively budget--another area to look at is to 
effectively budget for cybersecurity and invest in risk 
management. Securing large enterprises, especially those that 
have legacy technology and modernization backlogs, can be 
expensive. Congress must encourage agencies to budget for 
technology and services that can effectively buy down the risks 
to their environments. As agencies continue to modernize their 
systems, agencies should pivot their cybersecurity spend to 
move toward tools and services that enable zero trust 
environments.
    And finally, a final area that warrants the committee's 
attention, to modernize and standardize cybersecurity 
performance metrics and measurements. As agencies modernize 
technology and move toward cloud-based environments, take steps 
to enhance security, and migrate to zero trust architectures, 
oversight offices must also modernize the measurements used to 
track agency progress and measure security. Successful 
cybersecurity must be defined through outcomes, and those 
outcome-driven, risk-based metrics must be consistent across 
all the oversight entities.
    Thank you again to the committee for this opportunity to 
discuss the important topic, and I look forward to your 
questions.
    Chairwoman Maloney. Thank you so much.
    Ms. Wynn, you are now recognized for your testimony.

 STATEMENT OF RENEE WYNN, CONSULTANT, FORMER CHIEF INFORMATION 
     OFFICER, NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

    Ms. Wynn. Good morning, Chairwoman Maloney, Ranking Member 
Comer, and distinguished members of the committee.
    I am honored to testify today on the importance of 
cybersecurity and examine the transformation of the cyber 
threat landscape since the Federal Information Security 
Management Act, FISMA, was created. Now is the ideal time to 
update this law to meet the evolving cyber threats.
    My recommendations are based upon 30 years of Federal 
service, 10 of which were spent as a Deputy Chief Information 
Officer or the Chief Information Officer at two Federal 
agencies--the Environmental Protection Agency, EPA, and the 
National Aeronautics and Space Administration, NASA.
    The implementation of information security laws of 
yesterday and today is dependent upon Government employees and 
contractors. Their leadership to address cybersecurity risks 
should be lauded, and they are the reason the Federal 
Government has made so much progress. I am proud of the 
progress achieved by the teams I led at both the EPA and NASA.
    The original FISMA of 2002 set the Federal Government on 
the path to strengthen its approach to information security, a 
bold and necessary move. The act recognized the importance of 
information security to our economic and national security 
interests and the importance of protecting individuals' data.
    In 2014, Congress updated FISMA through the Federal 
Information Security Modernization Act to address the rapidly 
evolving information security threat landscape. Continuing to 
upgrade information security laws, regulations, and policies 
for the Federal Government is a must if we are to maintain our 
economic position in the world and national security.
    As the refresh just contemplated, I urge you to continue a 
risk-based approach that emphasizes all types of technology--
information technology, or IT; operational technology, or OT; 
and the fastest-growing segment, Internet of Things, IoT. All 
of these elements of technology are used by the Federal 
Government to improve mission effectiveness, efficiencies, and 
the customer experience.
    There are several FISMA areas ripe for refresh. Some areas 
for your consideration, cyber aspects of supply chain risk 
management, the interconnectivity of Government operations, and 
the IoT.
    The Federal Government must assess the potential risks 
posed through IT and OT and IoT supply chain prior to 
purchasing and deploying on Federal networks. There are well-
resourced nation state cyber threat actors that intentionally 
target all tiers of the technology supply chain by embedding 
malicious functionality.
    The Federal Government relies upon networks and devices 
that are interconnected between departments and agencies. There 
are only a few service centers for processing Federal payments. 
Thus, every department and agency is connected. These points 
of connection, if not properly upgraded, managed, and 
monitored, create greater cyber risk, including the easy 
transmission of malicious code. Also, the data while in transit 
are at risk of compromise if poor cybersecurity practices are 
employed.
    Technological advances have provided opportunities for 
Government operations to be more effective and efficient. These 
advances increase complexity and risk, including cybersecurity 
risk. For example, the growth of telehealth and the Internet of 
Things medical devices such as heart and glucose monitors. This 
growth, especially during the pandemic, has allowed medical 
services to be delivered during a trying time, but they add 
risk.
    The next iteration of FISMA must mandate Federal Government 
buy, use, and manage secure IoT. The adoption of technology has 
provided and will continue to provide opportunities to better 
serve the public. This adds cyber risk. Congress must continue 
to ensure that our Nation's laws keep pace with these advances.
    Finally, and in addition to legislative changes, Congress 
must continue to hold the heads of departments and agencies 
accountable for addressing cybersecurity risks. This is about 
ensuring a culture attentive to cybersecurity risks. Please 
consider asking cybersecurity questions during all budget 
authorization and program hearings.
    Thank you for the opportunity to appear before the 
committee today and testify on the changing cyber threat 
landscape and modernizing FISMA to meet this challenge. I stand 
ready to answer your questions.
    Chairwoman Maloney. Thank you.
    Mr. Bitko, you are now recognized for your testimony.

  STATEMENT OF GORDON BITKO, SENIOR VICE PRESIDENT OF POLICY, 
             PUBLIC SECTOR, INFORMATION TECHNOLOGY 
       INDUSTRY COUNCIL (ITI), FORMER CHIEF INFORMATION 
            OFFICER, FEDERAL BUREAU OF INVESTIGATION

    Mr. Bitko. Thank you, and good morning, Chairwoman Maloney, 
Ranking Member Comer, and distinguished members of the 
committee. Thank you for holding this hearing today.
    A recently released Harris and MITRE survey showed that 
more than 75 percent of U.S. residents are concerned about 
cyber attacks. Given the effect on Government operations of 
incidents like Log4j and SolarWinds, they have good reason to 
be concerned, and it's critical that we discuss here what can 
be done.
    I'm currently the Senior Vice President for Public Sector 
Policy at ITI, the Information Technology Industry Council. 
Previously, I was the FBI's Chief Information Officer, and I 
have more than 25 years of experience with technology and 
policy issues across the public and private sectors.
    At ITI, I work on behalf of 80 of the world's leading IT 
and cybersecurity companies. We believe that in an increasingly 
digital world, it's never been more important for Government to 
work with industry to promote effective, reliable, and secure 
Government services.
    2021 began with the Federal Government responding to the 
SolarWinds cyber attack, a very sophisticated nation state 
supply chain exploitation that's one of the most widespread and 
damaging cyber intrusions ever. Only a year later, 2022 is 
beginning with the Federal Government responding to yet another 
cyber incident, a widespread vulnerability in Log4j, a very 
commonly used piece of open-source software. Log4j is so widely 
used that this vulnerability is one of the most significant 
cyber threats of at least the past decade.
    In both cases, Government operations suffered serious 
adverse impact. Systems and capabilities had to go offline to 
limit the risk. Extensive manual work, including searching deep 
into logs and source code, was needed to find evidence of 
intrusions, and IT specialists had to test fixes to deploy them 
safely while minimizing impact on all the other interconnected 
systems.
    There's a huge opportunity cost to doing such recovery work 
instead of planned activities such as system upgrades, which 
had to be delayed or even deferred.
    Those major events bookended countless other major cyber 
attacks on critical industries, service providers, the defense 
industrial base, governments around the world, and other 
victims. Some widely reported, but others not. They show the 
need for new cyber policies that place continuous risk 
management at the forefront of the enormous demand for digital 
services and data.
    Today, many Federal agencies struggle with cybersecurity 
stemming from three FISMA issues that prevent effective risk 
management decisionmaking. First, the law is overly focused on 
process and compliance rather than on outcomes. FISMA requires 
careful implementation of processes like inventories of 
systems, the use of approved security measures, and annual 
cybersecurity program reports. But it doesn't look at the real-
time effectiveness of those processes, and therefore, it 
doesn't promote real risk management.
    Second, FISMA creates duplication of effort across 
agencies. Today, each agency is individually obliged to develop 
its own information security programs with little incentive for 
leveraging shared services, sharing information, or accepting 
security assessments or best practices from other agencies. 
This can lead to considerable redundancies as agency security 
officials are frequently unable or simply unwilling to use the 
good work already done elsewhere in the Government.
    And third, a comprehensive lack--a lack of comprehensive 
real-time information. Too much cybersecurity information 
collection comes from manual processes, annual updates, and 
according to agency-unique definitions. As a result, it's 
nearly impossible to obtain a clear, timely view of the state 
of information security across the whole of the Federal 
enterprise.
    FISMA modernization must enable and promote continuous 
assessment of cyber risk. Better risk management, along with 
improved collaboration and communication, will enable Federal 
network defenders to have a more comprehensive view of all 
Federal IT infrastructure while allowing for increased 
efficiency and better outcomes.
    In my full written testimony, I offer six recommendations 
as necessary steps to improve FISMA, reduce compliance burdens, 
and better protect our Federal networks and systems. Two key 
elements are the shift to managing risk based on measuring and 
evaluating security outcomes and breaking down across 
governmental barriers through increased sharing of security 
information and increased reciprocity across Government.
    These recommendations and others are discussed in detail in 
my written testimony. While no recommendations can offer 
complete, ironclad protection against every newly discovered 
vulnerability or zero-day, an improved FISMA that includes 
these measures will help ensure Government is well prepared to 
prevent attacks and quickly respond even in the worst cases.
    These improvements will help ensure agencies have a 
thorough understanding of the risks and invest resources 
appropriately, will increase confidence in the effectiveness of 
cyber defenses and response preparations, and ensure that 
Federal organizations coordinate and contribute to the whole of 
government cybersecurity. As well, these principles help to 
guarantee that CISA and OMB have the visibility they need 
without manual data calls. They help codify consistent 
cybersecurity strategy that enables the Government to deliver 
services more securely to its constituents while raising 
preparedness and the ability to respond to global threats.
    Thank you again for inviting me. I look forward to your 
questions.
    Chairwoman Maloney. I now recognize myself for five minutes 
for questions.
    The SolarWinds and Microsoft Exchange Server attacks show 
just how vulnerable the Federal Government is to sophisticated 
attacks from nation states such as Russia and China. 
Unfortunately, OMB and DHS did not have the full picture when 
assessing these attacks. They had to issue multiple calls for 
data from agencies, and some of the information they collected 
was incomplete.
    Mr. Schneider, how did these weaknesses in data collection 
impact the Federal Government's response to the SolarWinds 
attack?
    Mr. Schneider. Chairwoman, thank you for the question.
    I think, and from my perspective--and I wasn't in the 
Government at the time when the Government was responding to 
those. But I think in general, the lack of having and agencies 
having accurate situational awareness of their environments 
slows down any response activity. And so when OMB and CISA need 
to issue a data call and agencies need to go hunt for and 
search for the information just to understand where their 
vulnerabilities may lie and where their potential exposure is 
to a particular incident, such as SolarWinds or the Exchange 
Server incident, they're already behind the eight ball.
    And so, it just slows down any activity that they have to 
actually be able to respond and recover appropriately to such 
an incident.
    Chairwoman Maloney. And Mr. Schneider, what are the biggest 
problems with the current version of FISMA that was exposed by 
the SolarWinds attack?
    Mr. Schneider. So, I think, and Gordon mentioned, the 
overly focus on compliance and on process. And I think a lot of 
compliance activities are necessary, but not sufficient for 
cybersecurity. They can be helpful. However, I really do think 
and agree with Gordon that if we have a FISMA, as we look at 
updates, that is more focused on agencies' risk management 
programs and their ability to, you know, protect wherever 
possible. But I think more and more we have to be in a position 
of presuming that a compromise either exists or is going to 
happen, be able to quickly detect those compromises and 
incidents, and be able to respond and recover to them, you 
know, swiftly and adequately is going to be an approach that 
will be more successful for Federal security.
    Chairwoman Maloney. Well, one of the weaknesses to me was 
the fact that once they got in, they could roam through nine 
different agencies. Seems to me we would want to ward off 
certain agencies from allowing them to roam and went massively 
through the private sector.
    Is there any way we could sort of block off or protect that 
information? You don't have to answer now. Maybe we can talk 
about it later. But that seemed to me outrageous that they 
could gain so much information from one breach. They were able 
to get throughout America in so many areas gathering 
information.
    Mr. Schneider. Yes, and----
    Chairwoman Maloney. The discussion--yes. Yes, Mr. Grant--
Mr. Schneider?
    Mr. Schneider. I mean, quickly, there are techniques to 
kind of minimize lateral movement once someone gets in while 
you're trying to deal with it. And we can certainly work with 
your staff on some ideas around those.
    Chairwoman Maloney. I would like to hear them.
    The discussion draft that Ranking Member Comer and I 
released today would enhance information sharing on cyber 
attacks. This bill would also promote another important tool 
called endpoint detection and response. This tool uses data 
from every endpoint in an organization's network to 
automatically detect and block threats.
    Mr. Nodurft, is it possible that endpoint threat detection 
would have made a difference if it had been adequately in place 
during the SolarWinds attack, and how would it protect against 
future attacks?
    Mr. Nodurft. Yes, ma'am. Thank you for the question.
    So, absolutely, endpoint detection and response 
capabilities can identify supply chain attacks and certain 
other attacks depending on the configuration setting if--EDR 
works if you have an understanding of the endpoints, and have 
it deployed across your environment in a way that allows you to 
track ongoing behavior.
    I think the EDR deployed across the Government, to your 
question, would have been helpful against the SolarWinds attack, 
and it's very important. That said, it has to be part of a 
larger solution set that fits into the broader zero trust 
architecture, which your bill also does. And I think it's 
important not to lose sight of that.
    EDR is one aspect. We also need strong identity solutions. 
We need best in breed networking solutions. We need to have 
encryption across all of our networks.
    That, combined with EDR, would be--would create a robust 
environment that really could help prevent future attacks that 
are similar to or even threats that we can't even--we don't 
even know about right now.
    Chairwoman Maloney. Thank you.
    China has been trying to steal American intellectual 
property and trade secrets and health secrets for many years to 
support its own economy.
    Ms. Wynn, as you know, NASA has been a repeated target of 
Chinese cyber criminals and other nation state actors desperate 
for American intellectual property. How have these attacks 
evolved in recent years, and what updates to FISMA would be 
most important to address these kinds of attacks?
    Ms. Wynn. Thank you for the question.
    Yes, NASA, like other scientific agencies, certainly sees 
its fair share of attacks. There are several things within 
FISMA that will help, but to be brief, I want to emphasize the 
identity management piece. When you collaborate across the 
globe with your allies, it creates a very challenging and 
complex cybersecurity threat landscape. So, we do have to take 
hold and get to a better method for identification, matching 
who somebody is physically with who they are logically.
    And then I want to emphasize the remarks regarding zero 
trust networks. If the networks that are used across the U.S. 
Government really say that I should never be let in until there 
is an appropriate handshake, that better protects us as 
individuals, as well as protecting the mission and the 
intellectual property created across the U.S. Government on a 
daily basis, and you have considered this.
    And my final add to this one, to stay brief, is supply 
chain risk. Certain companies are targeted for insertion of 
malware, and the U.S. Government uses these companies on a 
regular basis. Taking a hard look at what we use in the United 
States Federal Government and making sure it's appropriate to 
use prior to deployment are ways that should help strengthen 
the network security as well as the identity necessary for us 
to do work with those that we want to collaborate with. And 
FISMA proposes many changes that help advance this area--these 
areas.
    Chairwoman Maloney. Thank you. I have many more questions, 
but my time has expired.
    Attacks like SolarWinds underscore how quickly cyber 
threats evolve. Our bill, our bipartisan bill, the FISMA Act of 
2022, will help the Federal Government stay ahead of the curve. 
I look forward to working with the ranking member to move this 
legislation forward.
    I now yield to the gentleman from Georgia. Mr. Hice, you 
are now recognized for five minutes. Mr. Hice?
    Mr. Hice. Thank you so much, Madam Chair.
    And I want to thank all our witnesses for being here and 
for the testimony that each of you has provided.
    Ms. Franks, I would like to begin with you. Next week, we 
will be having a hearing dealing with the latest installment of 
the FITARA scorecard, and I guess I just would like to hear 
from you, in your opinion, does the cyber--the current cyber 
assessments that are required by FITARA, does that give 
Congress an adequate and accurate view of agencies' 
cybersecurity posture and security?
    Ms. Franks. So, unfortunately, the short answer is no. 
There are some significant gaps in the scorecard metrics that 
would make it a little bit challenging for those sensitive 
cybersecurity details to be shared.
    Presently, the scorecards' data is all available publicly 
and is accessible by anyone that needs to kind of pull and 
review that context of data. But a lot of the work we do at GAO 
and even the other agencies with their IGs are investigating 
specific security controls that provide those necessary 
cybersecurity protections for those various unique 
environments. And oftentimes, even for our own reports, we have 
to go through sensitivity reviews, given the context of what 
we've seen and what we've done.
    So, if going toward a scorecard where you're identifying 
some of the needed cybersecurity controls, some kind of 
bringing some light to them, it's going to have to be an effort 
where the committee works with the executive committee's 
leadership to look at what types of information would be best 
suited for a publicly available report. And absolutely, GAO can 
assist in that effort as well.
    Mr. Hice. Thank you very much for that answer.
    Mr. Nodurft, let me swing over to you. Do you believe, as 
we are talking about FISMA legislation, are there parts of this 
or similar legislation that you believe should sunset in order 
to prevent current reforms from becoming outdated or even 
counterproductive as the threat landscape changes, as we all 
know, with technology?
    Mr. Nodurft. Absolutely, Congressman. Thank you for the 
question.
    Look, FISMA went for 12 years without a legislative update, 
followed by another seven years without a legislative update, 
eight--will be eight. So, I think that the frequency in 
changing of technology and the frequency in changing of tactics 
and threats that attack that technology is moving at a 
blistering pace. So, I think we need to take a very hard look 
at the legislation in its entirety on a more regular basis.
    So, I think that sunsetting the legislation is 
extraordinarily important. I think that there are certain 
provisions that probably could stand longer than some other 
periods. But I do think that it is important for Congress to 
really take a hard look at how we're approaching security 
holistically over this piece of legislation and, like I 
mentioned in my testimony, several others to include FITARA, 
which you guys are going to cover, earlier on a more frequent 
basis and really consider how these pieces of legislation that 
were built around legacy technology, that were insular, that 
were at different departments and agencies, that were built on 
mainframes and closets, how this has evolved to--to--and look 
at the laws that are governing these new systems, these cloud-
based environments and figure out how the laws interact with 
each other.
    So, yes, I think some of these provisions could sunset, and 
I think that this is an opportunity for you guys to really 
consider how to drive good, secure policy for the next five 
years.
    Mr. Hice. Well said. And I agree with you.
    Let me ask you just one more question, and I will yield 
back. In your experience, are there any Government procurement 
or contracting rules that potentially could hinder the 
strengthening of our cybersecurity that needs to be addressed 
in the FISMA legislation?
    Mr. Nodurft. So, yes, I appreciate that question as well.
    I think that there are--I think when you look at 
procurement policy, it's not so much the procurement 
legislation as it is the compliance that underpins the 
procurement. And you know, Gordon covered it earlier. I think 
we'll hear about it some more. But I really think it's 
imperative that we take a hard look at what the compliance is 
for the security parameters that we've defined.
    So, we've set the standards. We've said you--agencies, you 
need to--you need to make sure that your vendors that you bring 
in are maintaining the standards. But what we see sometimes, 
and whether it's because the work force is stretched too thin 
or people don't understand the systems, there is an 
overemphasis on compliance as opposed to doing the hard work to 
say, OK, here is my risk. Here is the security that meets my 
risk, and therefore, I can bring in more technology faster. 
So----
    Mr. Hice. Well, you--just for example, you mentioned a 
moment ago the cloud. All right? So, here we go. We have a 
broad, wide Federal adoption of a more secure and modern cloud 
protection. But it is so--it is so broad. Does that type of 
requirement in procurement or contracting, does that hurt us? I 
mean, what needs to be done to help in that area?
    Mr. Nodurft. Well, honestly, I think the bill that you guys 
have passed recently, the FedRAMP, to modernize the way that 
the FedRAMP process is working really pushed that forward and 
can do yeoman's work into bringing the compliance process 
forward that will allow more innovative technologies to enter 
the marketplace.
    That said, what we need to do is we need to really elevate 
the compliance policy that we're getting behind and drive 
reciprocity across the other compliance regimes that we have. 
We've got some different compliance regimes over at DOD. We've 
got different compliance regimes for on-prem and hybrid 
systems.
    The companies that are trying to bring their technology to 
bear want to be able to come in, prove that they're doing what 
they need to do to be secure, and then be able to leverage that 
one set of proof across all these agencies and across all these 
compliance regimes. So, I think the start with FedRAMP is great 
and looking forward to working with you more on that.
    Mr. Hice. Very good. I yield back, Madam Chair. Thank you.
    Chairwoman Maloney. Thank you. The gentlelady from the 
District of Columbia, Ms. Norton, is recognized for five 
minutes.
    Ms. Norton. Thank you, Chairwoman Maloney, for this 
important hearing, and I thank all the witnesses.
    I was here when the 2015 data breach occurred. Twenty-one--
the personally identifiable information of 21 million people 
was breached. As a result, I have repeatedly introduced 
legislation that will require OPM to make permanent free 
identity protection coverage that Congress required OPM to 
provide for only--excuse me, for only 10 years.
    Mr. Schneider, I believe you were involved in OPM's 
response to the 2015 breach. How long after the breach was 
discovered were congressional leaders notified?
    Mr. Schneider. Ma'am, thank you for the question.
    I was. I went over to OPM shortly after the breach was, I 
guess, notified to the White House. I was working at the Office 
of Management and Budget at the time. As I tell people, I went 
to OPM for three days and got to leave nine months later.
    I don't have a specific answer. I don't recall the answer 
because I wasn't there on the timeline between when it was 
identified and when--when the notification took place.
    Ms. Norton. So, you don't have any idea how long--how long 
individuals, it took to notify individuals as well?
    Mr. Schneider. So, the individual notifications, there were 
broad notifications put out publicly that of the fact once--you 
know, after Congress was notified, the White House was 
notified, and Congress was notified, there were broad 
notifications put out in the media of the incident.
    The individual notification, the letter that probably many 
of the people here received from OPM that was many months 
later, after extensive forensics work and research into 
identifying who was impacted.
    Ms. Norton. Yes, that is the point I am trying--that is 
really the point I am trying to make.
    Mr. Schneider. Yep.
    Ms. Norton. Public notification is an important component 
of the response to any Government data breach. That was why I 
asked that question.
    Now, Mr. Schneider, the chairwoman, Chairwoman Maloney, the 
legislation she and the ranking member have introduced would 
clarify requirements for notification of both the public and 
appropriate Government entities. So, how would the requirement 
in the chairwoman's draft bill improve public trust--that is my 
interest, public trust--that they will be notified in a timely 
manner in the event of another data breach?
    Mr. Schneider. Yes. And my recollection from looking 
through the House discussion draft last night is that I think 
the congressional notifications would have to take place within 
72 hours of when an agency had determined a major incident. So, 
I think, you know, that's a much accelerated--currently, the 
FISMA 2014 legislation is seven days. So, that accelerates that 
significantly.
    It also puts in, and I believe it was a 45-day timeline, to 
begin the individual notifications in the event that an agency 
had determined that, you know, notifications of breach is 
necessary to individuals. And so, I think from a public 
confidence standpoint, certainly as a citizen being on the 
receiving end of that, that is a much more aggressive timeline, 
and I think that will increase public confidence in, you know, 
the notification.
    Obviously, your confidence is low any time you learn that 
your data has been breached. But understanding how that's being 
handled and how it's being dealt with can help to, you know, 
re-establish some of the credibility with the public during 
those times.
    Ms. Norton. Well, several months went by before cyber 
attacks were able--went by before they were detected, the cyber 
attacks were detected, presumably increasing the amount of data 
they were able to access.
    Ms. Wynn, how would you characterize the ability of agency 
Chief Information Officers to perform ongoing monitoring of 
cyber threats today?
    Ms. Wynn. In my assessment and experience, those agencies 
that either embrace continuing diagnostic and mitigation 
programs or had already deployed tools on their network to 
answer two important and basic questions regarding network 
management. Who is on your network, and what is on your 
network? And when the Chief Information Officers, in 
partnership with the heads of agencies and the Chief 
Information Security Officers, took very seriously the 
responsibility of monitoring, you see the ability to respond 
decrease, which is the right thing that you want to do.
    When you don't monitor your systems or have poor monitoring 
systems or don't look at the data on a regular basis by using 
artificial intelligence, robotics, and other tools available to 
you, then you increase the likelihood of significant damage, 
and it--because it takes you so much longer to respond, and 
therefore, you can't inform those that have been impacted by 
that breach.
    Ms. Norton. Ms. Franks, because GAO is auditing FISMA 
implementation of Government by interviewing cyber experts 
across the agencies, my question to you is what has the 
feedback from agencies been regarding the guidance pursuant to 
FISMA about continuous monitoring and how best to access the 
security of their systems? Ms. Franks?
    Chairwoman Maloney. The gentlelady's time has expired. The 
gentlewoman may respond, but her time has expired.
    Thank you.
    Ms. Franks. I can certainly respond. For GAO, the ongoing 
review, we didn't get into the details of the CDM process with 
FISMA implementation. But the new legislation that's being 
proposed does cover increased data automation, and as Ms. Wynn 
just discussed, increased data automation comes from CDM 
implementation.
    There are certainly other tools and technologies out there, 
as well as the guidance from the binding operational 
directives, as well as OMB, who have already kind of 
distributed the guidance to the Federal agencies as to what 
they should be doing and how they should be acquiring those 
tools and then identifying what's needed specifically for their 
various unique environments.
    We did do a CDM tailored review. That report came out 
August 2020. And in that review, we did a case study of three 
agencies, and all of the agencies had acquired the necessary 
tools for continuous monitoring services in their environment. 
Where they lacked was in the implementation.
    And this FISMA reform effort will cover all of those lack 
of compliance, lack of assessment that were needed to be 
complete to make that CDM process whole.
    Chairwoman Maloney. Thank you.
    Ms. Franks. You're welcome.
    Chairwoman Maloney. All right. The gentleman from 
Wisconsin, Mr. Grothman, is recognized for five minutes.
    Mr. Grothman. Thank you. And thank you for having this 
hearing.
    I got a couple of questions for Mr. Nodurft. OK, the first 
one. What do you think the current status of the Federal 
Government's software supply chain--how does the current status 
of the Federal Government's software supply chain place 
agencies at risk?
    Mr. Nodurft. Thank you for the question, Congressman.
    I think that across Federal departments and agencies, as 
well as most IT ecosystems, we are at the stages 
where we don't have a robust software development lifecycle 
process fully implemented across Federal departments and 
agencies. And I think that as NIST is developing those 
requirements, we--we--the Government needs to do a better job 
of recognizing where and how they need to implement those 
software development lifecycle processes and to govern their 
supply chain risks more broadly.
    Mr. Grothman. If you wanted to grade us between an A and an 
F, how would you grade us right now?
    Mr. Nodurft. I think it depends on the agency, Congressman, 
to be perfectly honest with you. I think some agencies that I 
have interacted with are doing a very, very good job of it, and 
some agencies right now are at their infancy stage.
    Mr. Grothman. OK. To what do you attribute the difference?
    Mr. Nodurft. It's resourcing is one. I think maturity in 
thinking, frankly. I think what you tend to find or what I've 
tended to find in my previous role is that some of the agencies 
whose missions are core and foundational around security tend 
to have a more forward-leaning security mindset, whereas others 
who are less focused on that tend to not.
    Now that's not a conclusive statement. There may be some 
agencies that have moved forward, but I would say that in 
general, it's--some of it's core to certain agencies' DNA, and 
then other ones that have more resources tend to do a better 
job.
    Mr. Grothman. OK. How have agencies successfully 
implemented FISMA lines of authority in responding to 
cybersecurity threats?
    Mr. Nodurft. I'm sorry, Congressman. I couldn't catch that. 
Could you say that one more time?
    Mr. Grothman. How, in your opinion, have agencies 
successfully implemented FISMA lines of authority in responding 
to cybersecurity threats?
    Mr. Nodurft. I think--so agencies have--I would say over 
the past 5 to 7 years, we have seen agencies move their FISMA 
slowly away from some of the compliance-based efforts and 
started to invest in more risk-based approaches to security. I 
would say that a lot of that has to do with investments in 
cloud technology and investments in some of the zero trust 
technologies that have really helped drive some of the 
modernization efforts that help them comply with the FISMA 
risk-based outcomes that they're looking for.
    Mr. Grothman. OK. I will give you one more question. I 
think that is going to be all we have time for.
    Some companies offer services that provide a unified view 
of an organization's devices and digital infrastructure and, 
thus, a clearer picture of potential areas of risk and 
vulnerabilities. Why is it that there remains broad ignorance 
on the full scope of vulnerabilities posed by disparate systems 
and hardware used within many organizations when widely adopted 
private sector management tools are available to offer such 
insight?
    Mr. Nodurft. Yes, and Congressman, I think that's a great 
question, and I think your point is well taken. We are--the 
Government right now is at a turning point, and it needs to 
shift the way that it invests and partners with the private 
sector to leverage some of the technologies that are out there 
to enable broader access.
    I think the work that the committee is doing on the bill 
today is going to really push the ball forward and enable 
agencies to focus on some of the technologies like what we 
covered with EDR and like some of these zero trust technologies 
that are going to enable access.
    What I would--what I would double down on here is that we 
have an--or the committee has an opportunity to open the 
aperture for how we do compliance, security compliance, and 
make sure that we are removing as many barriers as possible so 
that these innovative technology companies can come in and 
provide their services across agencies and across compliance 
regimes. ``Check once, do many'' type approach.
    Mr. Grothman. Thank you very much.
    Mr. Nodurft. Thank you.
    Chairwoman Maloney. Thank you. The gentleman from 
Massachusetts, Mr. Lynch, is now recognized for five minutes. 
Mr. Lynch?
    Mr. Lynch. Thank you very much, Madam Chair, and I thank 
the ranking member.
    Before we go into zero trust principles and architecture, I 
do have a question about where we are with the Log4j software 
vulnerability. We have a great group of witnesses. Can anybody 
tell me where we are in terms of patching that vulnerability?
    I understand that that code is ubiquitous. It is very, very 
widespread. Do we have a sense on where we are in patching that 
vulnerability, both Government side and also private sector? 
Anybody?
    [No response.]
    Mr. Lynch. Yes, OK. That is what I was worried about. I do 
realize that is no easy task. So, it would be helpful, Madam 
Chair, if we could get somebody to give us a read on that.
    Let us talk about zero trust architecture and the 
principles that are contained in the ranking member and the 
chair's draft legislation. Now zero trust principles require 
that users be continually validated so that we don't have to 
run the risk that a bad actor is actively engaged in one of 
our--one of our programs.
    But I know that several of you, several of our witnesses 
have expressed a little bit of concern about whether or not our 
Federal employees and the users of zero trust technology and 
architecture could adopt that quickly. I think, Ms. Franks, you 
might have said it is going to take--it is going to take a 
change in lifestyle and patterns of behavior in order to adopt 
that. Could you elaborate on that? Are we going to have 
problems in moving to that type of architecture?
    Ms. Franks. Yes, absolutely. I do believe I have said that 
several times in recent settings.
    So, the fundamental problem across Federal agencies, and I 
have been with GAO since 2006, and I've audited several 
agencies at this point--Government-wide reviews, agency-
specific reviews--and the fundamental problem across the 
agencies is identifying what's in your inventory of systems. 
So, with zero trust architecture, knowing what you have before 
you can even protect it is key. That's going to be your No. 1.
    And with agencies unable to really give us a firm 
attestation as to the inventory of their major information 
systems and then the data that resides on those systems, we're 
going to have difficulty preventing those that may need access 
or may not need access to those systems and services. How will 
we protect? How will we be assured that the adequate 
protections are in place to prevent certain situations from 
happening?
    So, with the zero-trust making us not--not permit anyone 
and making everyone be reauthenticated into the services 
continually through the day is going to be helpful for 
agencies, but what's not going to be helpful is if the agencies 
can't really just get that fundamental handle on their 
networks.
    And you asked a question about Log4j, and I know what GAO 
has been doing because I do have that sit at the table for our 
agency. But agency wide--I mean, Federal Government wide, I 
cannot say that they have the necessary procedures in place to 
quickly contain that vulnerability and then perform the 
necessary eradication procedures.
    Mr. Lynch. OK, thank you.
    Mr. Nodurft, Mr. Schneider, or Mr. Bitko, any thoughts on 
the adoption and implementation of zero trust architecture and 
principles across Government?
    Mr. Bitko. Sure, Representative Lynch, I'll jump in with an 
answer on that.
    I think the challenge is what Ms. Franks was starting to 
hint at. Agencies don't have a comprehensive understanding of 
their data assets, and at the core, for zero trust to be 
effective, it's about what that data is, what that information 
is, and who should have access to it. Today, that's a very 
challenging thing for most agencies because of the dispersed 
nature, the federated nature of their infrastructure, the fact 
that the data can be dynamic, the people can be dynamic because 
they change roles over time.
    So, when you put all that together, zero trust is 
absolutely the right thing to be doing, but at the same time, 
having the visibility to do it effectively is really, really 
difficult. That's one of the reasons why we've talked a lot 
about focusing on risk and understanding where the highest 
risks are and start there.
    You cannot possibly boil the ocean of all of your data and 
zero trust at one time. You have to pick what are the most 
critical assets, what are the things that are the crown jewels 
of the agency, so to speak, that if they are compromised, the 
cost to the agency is unacceptable.
    Start with them and manage them and manage those data and 
the rules around them first, and then expand outwards. There's 
got to be an understanding that that's going to take a long 
time. There's so much legacy technology. There is so much in 
the federated landscape that it's not going to happen 
overnight.
    And I think, sir, by the way, that that's the same answer 
to your Log4j question. People will know up front at the high 
level where does Log4j exist. But when you have this dispersed 
federated enterprise, and Log4j might not be the product that 
you're using yourself. It might be buried three or four or five 
layers down in a product that was provided and acquired years 
ago. And that's hard to have visibility into, and agencies are 
struggling with that.
    Chairwoman Maloney. Thank you. The gentleman's time has 
expired.
    Mr. Lynch. Thank you, and I yield back. Thank you.
    Chairwoman Maloney. And I thank you for your questioning, 
and we will have a briefing on the challenges of Log4j, as you 
requested.
    Thank you.
    The gentleman from Ohio, Mr. Gibbs, is now recognized for 
five minutes. Mr. Gibbs?
    Mr. Gibbs. Thank you, Madam Chair.
    To the panel, back in FISMA 2014, the main emphasis, my 
understanding and my memory, was to build more collaboration 
and coordination with the public program and the private sector 
and especially through the Infrastructure Security Division. I 
was wondering if anybody on the panel can maybe give me an 
update how successful since 2014 building more coordination and 
collaboration with the private sector entities, or has it been 
a real challenge? What is the status?
    Ms. Franks. Well, I can go first. I do cover the COVID-19 
portfolio for the Government Accountability Office, and in 
that, there was a report issued November 2020 and a subsequent 
full report on HHS's cybersecurity roles and responsibilities 
issued June of last year. And in both of those reports, we 
highlight the coordination and collaboration that the 
Department was performing across its public health sector as 
well as all of their component agencies.
    Given the uptick of cyber-related vulnerabilities that were 
impacting the healthcare organizations due to the coronavirus 
pandemic, they had to lean on the coordination and 
collaboration, starting at the CIOs and then to the CISOs. They 
definitely leveraged all of the communication that we had--that 
was supplemented by CISA and the FBI and the like.
    But they communicated with the states and local departments 
as much as they needed to, to make sure that all entities that 
were impacted on the Federal level that could perhaps be 
impacted on those state and local levels, as well as some of 
those private industries--you know, there is patient research 
institutions and pharmacies and the like. So, they were always 
collaborating and still to this day doing so.
    Mr. Gibbs. OK. Just to kind of follow up, maybe Ms. Wynn or 
somebody else might want to jump in, when we are looking at 
certain sectors like banking, utilities, transportation, and 
defense, has that status with the private sector improved, or 
are there challenges there? Are there challenges because they are 
afraid of liability issues, or you know, can you expound on 
that? Maybe Ms. Wynn might be a good one on that?
    Ms. Wynn. Yes. Thank you for that.
    I think it is domain-specific in terms of whether you 
experience some challenges in that and where the trust lies 
between the private sector and the public sector in terms of 
collaboration. We're seeing certainly in the space domain, 
where I last served, is they definitely collaborate across 
international space agencies and with some of the main 
contractors that focus on space and specifically in low-Earth 
orbit. But there's always more that can be done in this area 
because the threats change, the entry points change and that.
    And so, a concerted effort to collaborate across critical 
infrastructure or the whatever domain that you have to work in 
is absolutely critical in order to secure for national security 
purposes.
    Mr. Gibbs. Do you think we can do this on a voluntary 
approach or legislation that mandates more collaboration with 
the private sector?
    Ms. Wynn. I would say I would suggest a framework from a 
legislative perspective, and then--that would be at the high 
level. And then how some of that effort is done and where the 
recommendations flow, I think I would leave it up to the teams 
that are established in order to put the information in the 
right hands. But the framework and requiring collaboration is 
definitely a piece to the cybersecurity mindset.
    Mr. Gibbs. OK, thank you.
    Mr. Bitko, why is it we are seeing so many vulnerabilities 
in widely used software produced and developed by large private 
sector companies?
    Mr. Bitko. Congressman, thank you for the question.
    I think that the answer is software technology is just 
incredibly complex. And the adversaries who are out there are 
really sophisticated, and so they are going to find weaknesses 
when they exist. It highlights the importance of us 
collaborating together, and I'm going to tie this back to your 
last question.
    I think that there is a lot of room still to increase trust 
between Government and industry to ensure that that information 
is flowing in a timely manner. Today, a lot of the time--and 
it's understandable--there are investigative or intelligence 
priorities which limit the ability of information to be shared 
back, but that sometimes is what reduces the trust that we have 
on the industry side now because what we get back from the 
Government is sometimes a day late and a dollar short.
    And so, it's important to share that information, to have 
vulnerability discussions, to have that all going in a regular 
and continuous and ongoing basis. And we've improved. The JCDC 
with CISA, for example, is a good step forward, but there's 
still more work to be done there.
    Mr. Gibbs. It sounds like build trust to make sure that the 
private sector can trust the Federal Government. Maybe we need 
some sentences in there that give us some protections to try 
and do the good things.
    You know, obviously, if there are bad actors, we have to go 
after them. But to try and do the right thing if it doesn't go 
quite right, you know, maybe it has to add some protections. 
Would you agree?
    Mr. Bitko. Yes, absolutely.
    Mr. Gibbs. Thank you. I yield.
    Chairwoman Maloney. The gentleman's time has expired, but 
you may answer--OK, it is over? All right.
    Let us now go to Mr. Cooper. Mr. Cooper, you are now 
recognized. Mr. Cooper?
    Mr. Cooper. Thank you, Madam Chair and Ranking Member.
    I am glad that we are considering bipartisan legislation 
today, but I am still deeply worried. If I were the average 
person sitting back home watching this hearing, I think I would 
doubt that any of our Nation state adversaries were shaking in 
their boots, especially now that they have franchised a lot of 
their activities to criminal gangs that are even doing things 
like conducting ransomware attacks on small businesses across 
America.
    So, I think the first question in a hearing like this 
really should be what is Congress' role, if we have a role at 
all in this? It has already been cited by one of the witnesses 
that we took 12 years one time to update the legislation. It 
took seven years another time. That sounds to me like too 
little too late. We can't always be playing catch-up.
    So, is there a way that Congress could delegate or step 
aside or get this done faster? Because I am worried, we will 
always be late and slow.
    Mr. Bitko. Congressman, if the approach is to provide 
recommendations on specific technologies, then absolutely. 
That's setting everybody up for failing, to be too late and be 
too slow. The pace that technology moves at just does not allow 
for legislation to keep up with that.
    But I think if you have a risk framework and you have clear 
authorities within the Government about who is responsible for 
saying this is the highest risk or highest risks and these are 
the things that we need to hold agencies accountable to do, you 
can have the right balance of centralized control and 
prescription with flexibility that you need for each agency to 
deal with its own risks, to understand that its landscape is 
different, that the threats it faces might be--might be varied.
    So, I think you need to strive to find the right balance 
there, not have legislation that is super prescriptive but 
allows the right framework to have that flexibility within 
agencies to provide particular technology solutions.
    Mr. Cooper. Thank you. My second question is even more 
aggravating. Isn't this all just a vendor gold mine? Companies 
sell us software that turns out to be easily hackable. We get 
hacked, and then they sell us more software that is also easily 
hackable.
    And people know out there that the Federal Government is 
one of the biggest, dumbest customers in the world. We also 
have the slowest reaction time. So, that makes the breaking and 
entry even more violative, even more dangerous for us, and yet 
we are not asking vendors for warranties or closer 
collaboration. It just, as I say, ends up being a gold mine for 
the companies.
    How am I wrong?
    Mr. Schneider. So, Congressman, I think I would say that, 
you know, certainly the vast majority of the companies and the 
ones that I work with are seeking to produce tools and 
capabilities that are resilient and are defendable and don't 
have vulnerability. As Gordon mentioned earlier, you know, 
technology is immensely complex, and technology is written by 
humans and ends up having failures.
    And you're certainly right. You know, some of the companies 
that are bringing us solutions are getting hacked and then 
claiming to be the solution to the hacks as well. And you know, 
I do think, you know, we need more diligence, and we need more 
accountability, and we need to expose that type of behavior and 
those instances. But at the same time, I don't know what 
another solution would be.
    We are dependent on commercial industries to bring us these 
capabilities. I would also say that it's not unique to 
Government. Government is buying commercial capabilities that are 
the same ones being employed in industry, and industry is 
facing a lot of the same challenges.
    Mr. Cooper. I only have a minute left. Government is well 
known to have a slower reaction time. Remember, in many other 
areas of commerce, the products come with warranties and 
guarantees.
    Final question. There are some major utilities in the 
United States who have a day without cyber. That is even a day 
without cell phones, a day without smartphones, so that they 
can guarantee to their customers that they know how to run a 
business in the event of a major catastrophic hack. Is that too 
catastrophic of planning techniques? Is that too much red-
teaming or preparing for the worst?
    How can we guarantee our folks back home that they are 
going to be safe from electricity outages in cold weather or 
communications outages if companies don't even know how to run 
in the event of a major hack?
    Mr. Bitko. Congressman, companies and the Government need 
to be prepared for all scenarios. The core of the cybersecurity 
framework, which I think has come up already a couple of times, 
has in it how do you respond when an incident happens, and how 
do you recover? Agencies and companies, if they're not taking 
that seriously, and that means senior management in the 
companies or the agencies actually exercising that and being 
prepared, then they're being delinquent.
    They need to understand that that's a risk that they face, 
just like if you're a utility and you're faced with a natural 
disaster and that takes your capability offline. You need to 
have a response plan for that, the same way you need to have a 
response plan for a major cyber attack. And we should expect 
the same of Government agencies.
    That's just the world that we live in, as Grant noted. And 
you know, it's been said by cyber experts the only way to be 
secure is to take your computer, unplug it, disconnect it, turn 
it off, and bury it underground. And then maybe it will be--it 
will be safe, right?
    But that's not what Americans expect as the services that 
they're going to get from Government. So, I don't think that 
that's a viable solution. We've got to find ways to work 
together.
    Chairwoman Maloney. The gentleman's time has expired. The 
gentleman from Texas, Mr. Sessions, is now recognized for five 
minutes.
    Mr. Sessions. Madam Chairwoman, thank you very much.
    And by the way, this is a very successful hearing, and I 
want to thank you and Mr. Comer and, in particular, both staffs 
for the preparation.
    I would like to focus on two things. No. 1, we received in 
our packet what is called GAO at 100 Highlights, and it says, 
``Preliminary results show that agencies' implementation of 
FISMA requirements was inconsistent.'' And this tends to show 
at least preliminary in--preliminarily that consistently 2017, 
2018, 2019, and 2020, about 6 or 7 agencies had effective 
rating scores, and the others were called, some 17 or 18, not 
effective.
    We are now talking about us updating, highlighting, and 
revising things that we have since learned in law, and yet it 
is taking agencies a long time. What keeps them from 
effectively becoming effective under this rating system by GAO?
    Mr. Bitko, I will go with you.
    Mr. Bitko. Congressman, thank you for the question.
    I think that there's a few things that are inherent 
challenges to agencies' ability to be effective when it comes 
to FISMA scoring. They do not appropriately prioritize it at 
senior-most levels in the agency sometimes to ensure that the 
right resources are focused on the right activities. And it's 
got to really start there. So, that's--that's No. 1.
    But then I would say that they faced a lot of the 
challenges that we've talked about during the course of this 
hearing. The lack of reciprocity means work needing to be 
redone from agency to agency, and that's not the most effective 
solution.
    The focus on purely the compliance and the implementation 
of the upfront activities, rather than looking at the outcomes 
in themselves, I think that all of those, when you take them 
together, mean that agencies just are not focused on the right 
things when it comes to successful cybersecurity a lot of the 
time, unfortunately.
    Mr. Sessions. Very interesting. And that goes back to your 
comments about compliance rather than outcomes or processes, 
that the management of the organizations find a way to move, 
kick the ball down the road perhaps. Perhaps it is difficult. 
Perhaps it is muddy. Perhaps it is lack of management intent.
    I would like to now shift the other half of my time--and 
Chairwoman, thank you very much. We have not talked about 
prosecution levels and the ability--and, sir, you represented 
the Federal Bureau of Investigation for a number of years, and 
I know it is essentially an internal process that you did. But 
I have not heard the word really ``FBI'' or ``Secret Service'' today 
from the perspective of their deterrence to actually go and 
prosecute.
    Do any of you have an opinion, while it may not be your 
main source, an opinion about what we need to do proactively to 
have a strong law enforcement perspective of prosecution?
    Mr. Bitko. You're talking, Congressman, about cyber threats 
and criminal investigations of cyber actors?
    Mr. Sessions. Yes, sir. I am talking about once you have 
figured out that you had an intrusion and then you then go to 
law enforcement and share that information, I have not heard 
the word ``Secret Service'' today. I have not really heard the 
word ``Homeland Security.'' But how are we doing at then 
passing this to law enforcement and expecting them to do 
something about these bad actors?
    Mr. Bitko. Well, I think that there have been steps taken. 
It's clear that--I'll speak a little bit to what I know from 
the FBI Department of Justice perspective. They have certainly 
elevated cyber threats and cyber crime, ransomware, and things 
like that as priorities that they look at and focus on.
    It takes a lot of work and a lot of resources for sometimes 
difficult returns because the bad actors are not in a territory 
where we can actually arrest them a lot of the time, right? And 
so it's particularly challenging. I think it's something that's 
got to be continually discussed by all stakeholders.
    I also think, Congressman, it's important to ensure that 
there are the right mechanisms within Government to find the 
right balance of offensive and defensive. I don't know that 
those conversations are always happening today at the right 
levels within Government to make a determination about what is 
the right mechanism in this case. Does it continue to live with 
the vulnerability because it's allowing for a law enforcement 
investigation to continue? But there's a cost to Government 
agencies or the private citizens who might be compromised.
    I think that in the roles and responsibilities in FISMA 
that you're looking to define where there's clarity for the 
National Cyber Director and others, that's got to be a part of 
their responsibility, too, to help figure out what that balance 
is.
    Mr. Sessions. Just as a response back to you and our other 
witnesses, I believe our chairwoman, I believe our ranking 
members on both sides have done a very good job at trying to 
highlight this. We had a hearing a few weeks ago from Homeland 
Security and others, and I have now heard it from your 
perspective.
    Madam Chairwoman, I want to thank you for conducting this 
hearing and the quality of witnesses we have had. Madam 
Chairman, I yield back my time.
    Chairwoman Maloney. Thank you. The gentleman from Virginia, 
Mr. Connolly, is now recognized. Mr. Connolly?
    Mr. Connolly. Thank you, Madam Chairwoman.
    And let me just begin by responding to our friend Mr. 
Cooper and some of his observations about the Federal 
Government. I do think we in Congress need to take 
responsibility for the fact that, frankly, this is a much 
neglected subject.
    The fact that it took 12 years to update FISMA, you know, 
and another seven years to have a hearing about it, I don't 
think speaks well about the legislative branch and the 
priorities we put on information technology and its security. 
And you know, the President asked for $10 billion as part of 
his COVID relief bill earlier in March, and the Senate zeroed 
it out, zeroed it out, arguing that IT wasn't directly relevant 
to COVID.
    Well, everything we do sits on an IT platform, and yet the 
lack of awareness of that by Members of Congress, serious 
Members of Congress who control appropriated dollars, was--you 
know, told us we still have a lot of work to do in educating 
ourselves and our colleagues about the criticality of IT, 
protecting it, making it efficient, upgrading it, and making 
investments in it. And that has been the work of our 
subcommittee for the time I have been on the committee.
    Ms. Franks, in your testimony, you talk about impediments 
for agencies to address 900 open GAO recommendations related to 
cybersecurity. Is that right? Nine hundred?
    Ms. Franks. Yes, it's 900 open recommendations.
    Mr. Connolly. That is a lot of recommendations. Just really 
quickly, but I mean, what are these impediments to addressing 
those recommendations?
    Ms. Franks. So, starting with the lack of resources, both 
financial and people. Obviously, we know talent acquisition 
across the Federal Government is a significant concern and has 
been since we put cybersecurity on the high-risk report 25 
years ago. So, looking at the IT and cyber work force issues, a 
lot of agencies have to contract out certain services because 
of those resources.
    Management attention, like you just noted. A lot of folks 
understand a breach once it's happened because it significantly 
perhaps may impact you as an individual and compromise your 
personally identifiable information. However, there is a lot of 
work to do with just understanding that almost all processes 
that we have operating through the Government to service the 
American people come from an automated service.
    So, like we noted the example earlier of shutting it off 
and then burying your device. That is the only way to prevent 
some type of cybersecurity event from perhaps causing a 
vulnerability in those networks. And with the increasing 
technologies, as Ms. Wynn discussed earlier, and the growing 
rate that they're increasing, it's hard for some agencies to 
kind of stay ahead of looking at open recommendations while 
they're also trying to implement new strategies to ward off 
these cybersecurity threats in their environments.
    So, it's not from a lack of trying. I do highlight of those 
900, it's fully implemented. We do work with the agencies quite 
a bit to understand where they are in the progress of meeting 
the intent of closing those recommendations, but sometimes even 
their partial addressing doesn't fully close a recommendation.
    Mr. Connolly. So, we may want to work with you and follow up 
on that. You know, we are getting ready for the FITARA hearing, 
our 13th FITARA hearing, and we are working very closely with 
your agency. We may want to fold what you just talked about 
into that in terms of how we can help in encouraging 
compliance.
    Final question, Mr. Bitko. You talk about ensuring 
consistency through a holistic Government-wide approach to 
updating FISMA. That sounds like a lot of buzz words. Could you 
in plain English tell us what you mean, what we have to do as 
we look at this draft legislation?
    Mr. Bitko. Congressman, thanks for the question.
    A few things I think are important to bear in mind. One 
when I say that is consistency in definitions. We have in 
FISMA--and it's been discussed here a little bit already--
incident reporting and what the Government's responsibilities 
are, what their responsibilities are internally to report to 
you and to report to private citizens. Separately, Congress is 
considering incident reporting legislation. So, that's an 
example where it's important to have, I think, consistency in 
the language, in the terms and the definitions as much as 
possible.
    Every time we don't, it creates additional work, additional 
overhead, additional things that get in the way of people being 
able to be effective and efficient.
    I'll translate that to in the specifics of FISMA and 
security approvals. A company sells a product to one agency. 
They go through the full ATO process, the authority to operate. 
They get all the security controls that they've got in place 
approved, and that's great. Then they can use it in that 
agency. It does not always directly translate to another agency 
being able to just take all of that good work that's been done 
and say we can apply that in our environment.
    Frequently, what happens is they go through the same 
exercise all over again themselves. They find all the same 
issues. They come up with all the same solutions, but they've 
just spent a lot of time and energy being inefficient instead 
of leveraging the work that's already been done.
    Mr. Connolly. Thank you.
    Chairwoman Maloney. The gentleman's time has expired. Thank 
you so much.
    The gentleman from Florida, Mr. Franklin, is now recognized 
for five minutes.
    Mr. Franklin. Thank you, Madam Chairwoman.
    My first question is for Mr. Nodurft. In the wake of the 
disclosure of the Log4j vulnerabilities, the Director of CISA 
cited this as another reason for agencies to gather and utilize 
software bills of materials, SBOMs, which was a new term for 
me, as part of their cybersecurity programs. Do you recommend 
we codify in law the requirement for agencies to collect these 
software bills of materials from their vendors for critical 
assets?
    Mr. Nodurft. Thank you for the question, Congressman. I 
appreciate it.
    I think that there is a lot of work right now going on in 
the administration in the wake of the cybersecurity executive 
order that talks about what exactly is in an SBOM. So, I think 
when the committee discusses what it would look like to codify 
SBOM language, it's important to--to consider the availability 
of SBOMs, what the extent of them looks like, how those SBOMs 
are going to be utilized, what the definition of what's 
incorporated inside those SBOMs look like.
    So, to answer your question, I think that it is a--you 
have--the committee would have to give, if they were going to 
codify it, they would have to give the flexibility to apply the 
use of SBOMs in targeted manners that make sense for the risk-
based environment. And I know that's a nuanced answer, but you 
may not need an SBOM for every piece of software everywhere 
across all of the environments if they're not really risky 
assets.
    So, I think we need to be very conscious, the committee 
should be very conscious about how--if they were to consider 
codifying it, how that would be applicable in the Federal 
environment. We don't want to--we don't want to overburden the 
industry providers that are building this backbone for the 
departments and agencies.
    Mr. Franklin. Great. Appreciate that.
    Ms. Wynn, speaking of--and you talked about supply chain 
risk management and the burden on our vendors. This had me 
thinking there are--there are already a number of provisions 
that codified there in law that require vendors to use trusted 
sources and their components. Unfortunately, though, we know 
that many times vendors are accepting attestations of 
compliance from their subcontractors instead of doing the asset 
security training themselves to verify.
    How do you recommend that we enforce the existing 
provisions? Are those necessary? Are they stringent enough? Are 
they over-stringent on these vendors supplying assets to the 
Federal agencies?
    Ms. Wynn. Thank you for the question.
    I personally believe that you need to take very strong 
action regarding supply chain risk and cybersecurity. This is--
we have seen in the classified world actual efforts to target 
various aspects of software by well-resourced nation states, 
and then they go after the software that the U.S. Government 
and other government agencies use.
    And so, if we take a strong stance and enforce against this 
and go further than attestation or accept attestation and when 
your attestation is proven to be false, then maybe that's where 
you need to place some of your enforcement.
    Another thing, and then I'll give you your time back, is we 
also see that businesses may not always be very responsible in 
terms of the software that they hand back to the U.S. 
Government and how to use it. And so we need to be able to 
ensure and set the stage that if you're going to provide 
services and software to the U.S. Government, we need you to 
give us the best that you've got possible, and you've got to be 
responsible for the cyber threats that could come through that 
software.
    Mr. Franklin. And what sort of teeth should we put in that, 
in your view?
    Ms. Wynn. Well, you know, having been penalized as an 
individual through my schooling quite a bit, I preferred the 
lighter method first, right? Let's have the discussion with the 
principal to talk about the behaviors that were not acceptable 
in terms of that, and then a few times there were needed to be 
some elevation, both to parents and then when we got to 
detention, fortunately not suspension. And I do believe that 
the elevation and layering the amount of enforcement matters 
first because sometimes people really do just make a mistake.
    Humans do make mistakes. And so maybe making it on a tiered 
level so that the repeat offenders are actually called out a 
lot more harshly.
    Mr. Franklin. Thank you.
    In the little time we have left, Mr. Schneider, I am 
encouraged that the bill has strong language around zero 
trust but concerned that securing the Federal agencies isn't 
enough considering our reliance on the outside industrial base. 
What recommendations would you have for extending zero trust 
and other requirements beyond to the broader industrial base? 
And I realize I have given you 10 seconds left to answer that, 
so that may be unfair.
    Mr. Schneider. Yes, I mean, I'll try to be brief. It's 
going to be really important to flow down, you know, the key 
cybersecurity requirements to vendors and contractors that are 
providing capabilities, and we're very dependent on, you know, 
DOD, the defense industrial base, but industry writ large. And 
we need industry to be providing and, you know, A, protecting 
their tools and then delivering us tools that are secure and 
resilient. So, I think there's a lot of work that we need to 
do, and it's going to have to be a collaboration with industry.
    Mr. Franklin. Thank you, Madam Chair. I yield back.
    Chairwoman Maloney. The gentleman yields back. The 
gentleman from Illinois, Mr. Krishnamoorthi, is recognized.
    Mr. Krishnamoorthi. I thank you so much, Chairwoman 
Maloney, and thanks for a great hearing.
    I find this subject to be incredibly fascinating, but so 
frustrating because it seems like we are constantly on the 
defense in this particular space.
    Mr. Schneider, I read an article in the New York Times 
talking about how in the last 18 months of the Obama 
Administration, security researchers and intelligence officials 
observed a notable drop in Chinese hacking. That is during the 
last 18 months of the Obama Administration. I wanted to ask you 
why did that happen?
    Mr. Schneider. So, thank you for the question, Congressman.
    The short answer is we don't know. I will say what we think 
is that we think there was an aspect of the engagement post the 
OPM brief--breach, excuse me, with the Chinese government with 
President Obama directly making a case to President Xi, and 
that perhaps had a direct impact.
    And I think that, you know, that said, I don't think we're 
going to--well, I guess what I would say is in order to get at 
this, we need a whole of government response, right? We need 
diplomatic actions. We need offensive cybersecurity 
capabilities in order----
    Mr. Krishnamoorthi. Let me--let me----
    Mr. Schneider. Sorry.
    Mr. Krishnamoorthi. Let me jump in because, otherwise, I 
know my time is limited. I think I know where you are going, 
and so I want to ask you a related question, which is in the 
law, you know, when you are attacked, there is a concept of 
self-defense. And most jurisdictions allow for self-defense 
measures.
    In cyber crime or in a cyber attack situation, is there a 
similar concept of cyber self-defense where let us say a 
private company was attacked. Is it allowed to take any 
offensive measures to defend itself and to exact a price on the 
attacker in the name of self-defense?
    Mr. Schneider. Sir, today, organizations are not able to do 
that. And I personally don't believe that we want commercial 
entities doing what's often referred to as ``hack back,'' right? 
Attacking hackers. I think that there need to be consequences--
--
    Mr. Krishnamoorthi. Let me--let me--can I jump in? Because 
I want to--I want to build on that. Not so much hack back or an 
offensive strike on the source, but what if it were something 
that would exact a price on the attacker at the time of the 
attack?
    In other words, is there any deterrent whatsoever for a 
Chinese criminal gang hacker who was attacking a U.S. entity or 
agency that would prevent them from doing it continuously and 
without any stoppage?
    Mr. Schneider. I think those deterrents are going to need 
to be--come diplomatically and come from the Department of 
Justice perhaps in sanctions. But I think they're going to have 
to be Government-led deterrents and responses as opposed to 
individual company-led responses.
    Mr. Krishnamoorthi. OK. I guess it just sounds pretty weak 
to me at this point, given the merciless attacks from these 
criminal gangs. Secretary Blinken said that the Chinese 
Ministry of State Security has fostered an ecosystem of 
criminal contract hackers to go after our companies and our 
agencies at this point, both for state-sponsored activities and 
for private gain.
    Is there a concept or an idea or a vision for us to employ 
a set of legal, almost contract bounty hunters on our side to 
defend our agencies against these criminal gangs from China, 
Russia, or elsewhere? How do we employ individuals or the best 
minds on our side, just the way that they are in going after 
us, in defending us as well?
    Mr. Schneider. I think the--I think the current structures 
allow for the people with those authorities and the 
intelligence community and the Department of Defense to bring 
in outside support and help and assist them, but I personally 
think they need to do that under the authorities that exist, as 
opposed to any sort of like a vigilante or bounty system.
    Mr. Krishnamoorthi. I understand, but it is not working. It 
is just not working right now.
    Last question. Is there another government that does it 
better than the U.S. Government in defending its cybersecurity 
assets?
    Chairwoman Maloney. The gentleman's time has expired, but 
you may answer the question, please.
    Mr. Schneider. So, I don't know about specifics. I 
certainly think smaller governments and smaller organizations 
have an advantage. We have an advantage to our Nation of size 
and scope, but it's a bit of a disadvantage when it comes to 
cyber defense.
    Mr. Krishnamoorthi. Thank you.
    Chairwoman Maloney. The gentleman from Kansas, Mr. 
LaTurner, is recognized for five minutes.
    Mr. LaTurner. Thank you, Madam Chairwoman.
    And welcome to all of the panelists today. I appreciate you 
being here, and Happy New Year.
    My first question is for Mr. Nodurft. The SolarWinds attack 
exposed a lot of confusion among different Government agencies 
on how to organize information and who was responsible. Do you 
agree that assigning the National Cyber Director as the primary 
executive branch official under FISMA to coordinate and report 
major Federal cyber incidents to Congress would effectively 
streamline the flow of information?
    Mr. Nodurft. Thank you, Congressman, very much for the 
question.
    I think that the legislation you're considering right now 
has an opportunity to ensure that what you're speaking about, 
which is aligning and streamlining reporting requirements and 
reporting to Congress, is enacted appropriately. I think right 
now we have several different leaders within the Federal 
Government space who are monitoring incident response, 
monitoring breach response, monitoring vulnerability response, 
and I think that this is an opportunity for the members of this 
committee to really direct--direct the Federal Government on 
ensuring that that flow occurs.
    So, the National Cyber Director is just standing up, and 
I'm encouraged and bullish that that is going to be a great 
addition to the ecosystem to allow you guys--to allow the 
members of the committee to have the oversight and interaction 
that the committee is looking for.
    Mr. LaTurner. Thank you.
    Let us stick with you. What is the most effective way to 
update FISMA metrics and reporting to ensure necessary agency 
administrative compliance burdens don't take--that they don't 
overtake the mission immediate security workflow?
    Mr. Nodurft. Thank you again for that question.
    So, I want to talk about two separate parts of that. First, 
I think updating--updating the metrics is going to be very 
important, given the migration to more modern ecosystems, 
whether it's cloud-based, zero trust architectures. So, I think 
right now directing OMB to make sure that we are focusing less 
on how many controls and piece parts are in place and more on 
are we actually stopping and preventing outcomes is a key part 
of updating FISMA metrics.
    For the second part, I want to discuss the--your question 
around how are we streamlining compliance requirements. And I 
think that--I said this in my testimony, I've heard Gordon talk 
about it as well--this is an opportunity for the committee to 
look across the different compliance frameworks that we have 
within Government right now, whether it's FedRAMP, whether it's 
FISMA, whether it's the impact levels of DOD, the forthcoming 
CMMC, and make sure that when a--when an innovative company 
comes forward and says we have the following solutions in place 
to ensure that our product or service is secure enough to go 
into the Federal ecosystem, that that process is reusable and 
is reused across both the agencies and the compliance 
frameworks that we just talked about.
    Mr. LaTurner. Thank you for that.
    Ms. Wynn, in your experience as a former agency CIO, can 
you explain the role of FISMA reporting requirements and how 
they affect the day-to-day operations of an agency?
    Ms. Wynn. The reporting requirements did begin to drive 
behaviors within the organizations that I had worked, and I 
liked to see that. But what it took was actually paying 
attention to the metrics at a level outside of the agencies 
where I served and coming back to the heads of the agencies and 
saying here's where you are on the spectrum of performance.
    I happen to, unfortunately, have sat in the seat of being 
at the end of the pack in terms of that performance, but having 
that conversation, having those metrics, and talking to the 
heads of the agencies gave the head of the agency the energy to 
delegate to me and to the CISO to go get stuff done. And we 
looked at every single network within the agency, which meant 
the complex mission networks were assessed on this one.
    So, it has some really good benefit as long as you actually 
hold the agencies accountable to it.
    Mr. LaTurner. Thank you very much.
    Madam Chairwoman, I yield back.
    Chairwoman Maloney. The gentleman from Maryland, Mr. 
Raskin, you are now recognized.
    Mr. Raskin. Well, thank you very much, Madam Chair, and 
thanks for organizing this great hearing. I think we are all 
concluding that it is time to really modernize and kind of 
uproot and improve our Federal cybersecurity policies to meet 
the challenges of the cyber threats that are out there.
    During our investigation into the SolarWinds cyber attack, 
we found several differences in how agencies viewed their 
responsibilities under FISMA, particularly whether a cyber 
attack counted as a ``major incident.'' Some agencies, like 
Commerce, reported the SolarWinds breach as a major incident, 
but other agencies, like HHS, did not. Under current law, OMB 
is the one responsible for defining ``major incident,'' and 
Federal agencies determine if an incident they have identified 
counts as one.
    Mr. Schneider and Mr. Nodurft, I understand that both of 
you worked on furnishing the definition of ``major incident'' 
while at OMB. Can you describe the process of crafting the 
definition and what kinds of challenges you faced in creating a 
definition that would be both comprehensive and flexible and 
that reflects the evolving nature of cyber attacks?
    Mr. Schneider?
    Mr. Schneider. Yes. No, happy to. Thank you for the 
question, Congressman.
    And you absolutely nailed it. The challenge is in having 
something that is specific enough to drive the behavior that 
we're looking for and make sure that Congress is getting 
reported to appropriately, as well as being flexible enough to 
allow agencies to have a risk management approach. And in 
SolarWinds, you know, it could be that an agency had SolarWinds 
installed in a lab on some network that was only in a lab and, 
therefore, didn't meet the threshold of--of, you know, rising 
to a major incident in the determination of that agency head. 
And that's understandable.
    When we were building the definition, there were two parts 
to it. One about the severity of the impact of a particular 
incident, and then one around the breach of potentially 
sensitive or personally identifiable information. And you know, 
and I think Ross can talk to or would concur that when we first 
did the breach piece, we set a threshold at 10,000 individuals' 
information being compromised, and we rapidly realized we were 
going to overwhelm Congress with a whole bunch of reporting 
and, in some cases, unauthorized access that really hadn't met 
the threshold for a compromise.
    And so, we raised that number to 100,000, which is where 
OMB has kept it. But you're absolutely right. It's fine-tuning, 
and I think having that done in the executive branch, where 
they can fine-tune it regularly and Congress can hold OMB 
accountable to that.
    Sorry for the long answer.
    Mr. Raskin. So, thank you--well, Mr. Nodurft, let me ask 
you, do you think that defining ``major incident'' in statute 
and embodying one definition in the law would be beneficial or 
detrimental to the flexibility of our responses?
    Mr. Nodurft. Thank you for that question, Congressman.
    I think that from my experience, prescriptive codification 
would be extremely detrimental. Given again the timeframes 
between--between FISMA reform efforts in Congress, it makes it 
very challenging to tweak the--especially if you're 
prescriptive about the number or the scope or the scale of the 
incident.
    And frankly, I know Grant mentioned it, when we had the 
10,000 instances of PII as the threshold, not only were we 
reporting more incidents than were necessary, there was a 
numbness that occurred with our interactions with the 
committees of jurisdiction. It was that at first it was a 
very--it was a very robust response. There was a lot of 
interaction with members of this committee, members of other 
committees that do oversight over incident response.
    But to be honest, after--after probably the 10th or 11th 
incident that really may not have been a good incident, the 
interaction dropped precipitously. So, I think that what I 
would caution as you--as the committee considers whether or not 
to codify major incident is make sure that if the committee 
does do that, it is not prescriptive and allows for 
flexibilities for change when necessary.
    Mr. Raskin. Thank you for that.
    Ms. Franks, I wonder if you would weigh in on this same 
question. There is the danger that Mr. Nodurft recommends to 
us, which is the problem of an overly rigid definition that has 
a numbing effect on people. But do you think that Federal 
agencies today have the tools to adequately make the 
determination themselves on a case-by-case basis to determine 
whether there is a major incident, and is it a problem to have 
the situation that Mr. Schneider discusses when different 
agencies are calling the same incident different things?
    Chairwoman Maloney. The gentleman's time has expired, but 
you may answer the question, please.
    Ms. Franks. OK. So, the short answer is, yes, most agencies 
definitely have tools in place to be able to identify what 
incident has taken place and even perform some of those 
necessary forensic analyses to further contain whatever 
vulnerability has impacted their environment and then start 
those eradication procedures.
    What's different is that timeframe we discussed a little 
earlier, and so agencies definitely take their time to really 
comb through what forensically could have happened, starting at 
the indicator of compromise and then perhaps looking at if that 
malicious actor was able to laterally move throughout their 
environment, what were they able to touch? What were they able 
to access once they did find another system, another service?
    Because of that, such as the SolarWinds incident, agencies 
did identify it as impacting their environments differently 
from another. For example, you mentioned Commerce. But 
Homeland--HHS basically did not. They--NIH was mainly impacted, 
but NIH's data was not breached in the sense of where 
Commerce's data was compromised.
    So, it just depends on the agency. It depends on the 
leadership. All the agencies have applicable security response 
teams in place to make those necessary identifications, but it 
becomes a risk process of really combing through that data to 
really figure out if it's major for their environment versus 
another environment. So, no two environments or two agencies 
are alike.
    Mr. Raskin. Thank you very much. I yield back, Madam Chair.
    Chairwoman Maloney. Thank you. The gentleman from 
Pennsylvania, Mr. Keller, is recognized. Mr. Keller?
    Mr. Keller. Thank you, Madam Chairwoman, and thank you to 
our witnesses for taking time to be here today.
    As we continue to move toward heavier reliance on automated 
systems, cybersecurity becomes more and more important to 
protecting our national interests. The annual Office of 
Management and Budget's Federal Information Security Management 
Act report disclosed over 30,000 agency cyber incidents in 
Fiscal Year 2020 alone. Congress must ensure that our Nation's 
cybersecurity laws offer the framework and the flexibility to 
allow agencies to handle cyber attacks quickly and efficiently.
    Mr. Bitko, the FBI executes most enforcement actions 
regarding Federal criminal laws dealing with cybersecurity, 
including investigating cyber attacks by bad actors both 
foreign and domestic. In your former role as the FBI's Chief 
Information Officer, did you run into any interagency legal or 
jurisdictional difficulties as you worked to investigate or 
enforce cybersecurity issues? And if you did, what 
recommendations would you give Congress to streamline 
Government reaction to cyber attacks?
    Mr. Bitko. Congressman, thank you for the question.
    My role was largely internal, looking at the FBI's own 
enterprise technology, not directly involved in the authority 
or their ability to conduct investigations. I don't know that I 
can give you too much deep insight, but I can tell you for sure 
that there are--there are issues and challenges that exist just 
within the Government today over what authorities does CISA, 
for example, have to help in investigating, to going onto other 
agencies' networks, to having access to sensitive data. All 
those are things I think it's important and there's an 
opportunity for FISMA, for Congress to establish clearly where 
those authorities lie so there is direct authority and 
responsibility for CISA, for the FBI, for other agencies to 
ensure that they can--they don't need to get those authorities 
resolved in the heat of the battle, but that they've been 
clearly defined in advance.
    Mr. Keller. Thank you. I appreciate that.
    And if I could, you know, for Mr. Schneider, attacks such 
as the SolarWinds hack in 2020, while conducted on a private 
company, are an immense threat to our national security. So, 
Mr. Schneider, how does the public sector work in tandem with 
the private sector to ensure the safety and privacy for all 
Americans?
    Mr. Schneider. Yes, thank you, Congressman, for the 
question.
    And I think one of the areas, and I think that CISA, the 
Cybersecurity and Infrastructure Security Agency, has really 
done an excellent job over--you know, since it came into 
existence in 2015 of working closely with private industry, 
helping with the creation of information-sharing analysis 
centers, which are industry driven, industry run by different 
sectors. You know, opportunities to share threat information 
and share vulnerability information, and I think that, you 
know, we have to have that dialog open.
    Gordon mentioned earlier that you need trust in order to 
trust what you're sharing and who you're sharing with. And so, 
we can't wait until we have an incident to start the sharing. 
We have to be sharing information continuously, and we have to 
be building those relationships and that trust continuously 
because this is truly, you know, it's needed to have a true 
public-private partnership in cybersecurity for us as a nation 
to be successful.
    Mr. Keller. Thank you. I appreciate that.
    And I guess if I could just ask Mr. Nodurft, can you please 
detail how zero trust cybersecurity principles might help 
prevent SolarWinds or other types of cyber attacks in the 
future?
    Mr. Nodurft. Absolutely. Thank you for that question, 
Congressman.
    I think that when you break down zero trust into its core 
components, what you're--what you're moving agencies toward is 
a very hardened center, and it's hard all the way out. You are 
constantly--you are--you are enabling interactions by 
continuously, continuously authenticating whether or not those 
interactions need to occur.
    And you have to rely on digital identity solutions. You 
have to rely on encryption. You have to rely on endpoint 
detection and response. You have to rely on multiple types of 
cybersecurity tools and services to come together in a uniquely 
architected way to provide for that no trust environment that 
is constantly assessing and checking for the interactions that 
occur and making sure that anything that touches or deals with 
the data is dealing with it in a way that's approved and 
validated and authenticated.
    Mr. Keller. Thank you. I appreciate that, and I yield back.
    Chairwoman Maloney. The gentleman yields back. The 
gentlelady from Ohio, Ms. Brown, is now recognized.
    Ms. Brown. Thank you, Chairwoman Maloney and Ranking Member 
Comer, for holding this important hearing.
    And thank you to all the witnesses for joining us today. I 
appreciate your contributions to improving FISMA.
    Technology is ever evolving, and IT systems are inherently 
at risk and vulnerable to cyber attacks. In 2002, FISMA became 
law, requiring each Federal agency to put an agency-wide 
program in place to ensure the security of its information and 
systems. Since the enactment of this legislation in 2002 and 
the subsequent update in 2014, the cyber threat landscape has 
transformed remarkably.
    The slew of harmful cyber-attacks has exposed 
vulnerabilities and revealed some of the flaws in our existing 
laws. The fact that DarkSide, a cyber crime group with Russian 
ties, was able to force the Colonial Pipeline Company to shut 
down the largest pipeline in the U.S. is a threat to our 
national security.
    In September 2020, the Ashtabula County Medical Center, a 
Northeast Ohio hospital, spent more than a week offline after 
being hit by a cyber attack. Just a few months ago, Southern 
Ohio Medical Center, another hospital in my home state, 
suffered a cyber attack that resulted in continued 
cancellations of patient appointments a week later.
    These attacks are deeply concerning because they have 
profound impacts on the lives of real people, in addition to 
our national security. I thank the chairwoman and ranking 
member for working to address emerging cyber threats and 
finding ways to better protect our cyber infrastructure, and I 
look forward to making positive changes to FISMA that create a 
clear, coordinated, and holistic approach to Federal 
information security to meet the ever-changing cyber frontier.
    I have a question for Ms. Jennifer Franks. Ms. Franks, let 
me ask you what the GAO is learning about the effectiveness of 
risk assessment metrics during its review of FISMA 
implementation. First, how is the data incorporated into risk 
assessment currently collected and reported? And second, does 
GAO have preliminary recommendations about how to improve the 
coordination between Government agencies responsible for 
ongoing risk assessment?
    Ms. Franks. So, thank you for that question.
    So, in short, our FISMA review, the ongoing review that we 
plan to take to agencies this month for comment, didn't 
necessarily get into what those risk assessments would look 
like from a FISMA implementation scoring metric timeline. We 
focused our efforts on what the IGs do and their various 
evaluations of the metrics they are to use that are prescribed 
by OMB.
    Those metrics definitely at this point do not highlight 
risk outward facing. But some of the intricacies of identifying 
what's in your environment, protecting what's within your 
computing environments, those get to the implications of risk 
assessments.
    NIST does have the Risk Management Framework, and in that 
framework that agencies do utilize to implement control in 
their environment, it looks at assessing risk from the 
identification down to the implementation of whatever 
likelihood of events and cyber threats that could be impacting 
the various agencies. We have had cybersecurity risk management 
work in the past, our last report issued late 2019. As of right 
now, we do not have any ongoing work specifically to risk 
management assessments.
    Ms. Brown. OK, thank you so much.
    My next question will be for Ms. Renee Wynn. In the past, 
agencies have had to focus much of their time on making sure 
they are compliant with FISMA and other cybersecurity measures, 
which often means they focus less of their time on risk 
management. I applaud the updated guidance on FISMA 
implementation that OMB released last month, which aims to 
shift the focus of FISMA assessment from compliance to actual 
observable security outcomes.
    The draft legislation that the chairwoman and ranking 
member released today recognizes this shift by requiring 
ongoing and continuous risk assessment instead of periodic 
point-in-time assessment. Ms. Wynn, can you explain to us how 
performing risk assessment on a continuous basis will 
strengthen an agency's security system?
    Ms. Wynn. Thank you for the question.
    I think performing continuous risk assessment is an 
absolute necessity. Environments change rapidly within the 
Federal Government, as new mission requirements change or new 
software, new capabilities come out, and you want to bring 
that, the best of a breed into the United States Federal 
Government to meet mission requirements. And so doing it on a 
continuous basis is really critical.
    A quick example on that is having assigned numerous 
authorities to operate, it wasn't shortly after assigning 
authority to operate when there was a software update, and it 
actually broke some of the controls that we had put into place. 
And so, several weeks later, after saying we're good and we've 
accepted the risk, we discovered this glaring hole, reported it 
back to the software developer, which then got fixed.
    But in this period of time, you've made an assessment. 
You've made a statement, but then two weeks later, and then 
ultimately took two more weeks to get that gap closed. So, on a 
continuous basis, you can get what I'll call red alerts so you 
can make sure that your holes or your backside is not so 
exposed.
    Ms. Brown. Thank you, Ms. Wynn, and it appears my time has 
expired. I will yield back.
    Thank you.
    Chairwoman Maloney. Thank you so much. The gentlelady from 
Florida, Ms. Wasserman Schultz, is now recognized.
    Ms. Wasserman Schultz. Thank you, Madam Chair, and thank 
you for having this important hearing, as many others have 
said.
    In recent years, my home state of Florida has been in the 
crosshairs of the onslaught of devastating cyber attacks. The 
targets range from large Federal agencies like NASA to local 
school districts, major hospital systems, and the private 
sector has faced equally dire threats with far-ranging impacts 
much like we saw in the ransomware attack on a Miami-based 
software company, Kaseya. And for them, they endured a 
ransomware attack that resulted in fallout to hundreds of 
downstream businesses.
    Cyber criminals clearly want the World Wide Web to be a 
lawless ``Wild West,'' and it is critical that we modernize our 
approach to meet the challenge of this evolving cyber frontier. 
One simple fact makes this clear. There are two entities with 
important roles in Federal cybersecurity, the Cybersecurity and 
Infrastructure Security Agency, or CISA, and the Office of the 
National Cyber Director. And that was established in just the 
last few years after the last FISMA update, which was in 2014.
    The draft FISMA reform bill that the chairwoman and ranking 
member released today integrates these offices into the 
cybersecurity Government structure, and they are careful to 
strike the appropriate balance with OMB to create a clear and 
effective dynamic.
    Mr. Schneider, you previously served as the Chief 
Information Security Officer at OMB, and based on your 
experience, can you characterize how CISA and the National 
Cyber Director fit within the FISMA framework and enhance our 
national cybersecurity defense posture?
    Mr. Schneider. Thank you, Congresswoman. Thank you for the 
question.
    Yes. I think how they fit in is the National Cyber Director 
is really the overarching voice and specifically to Federal 
cybersecurity because both organizations have roles beyond 
that. But for Federal cybersecurity, I view the National Cyber 
Director as having that overarching voice, being a bit of the 
conductor. I view CISA as really being the operational partner 
with agencies. CISA should be there to help agencies who are 
tasked to implement their risk management programs.
    And then the other two really important players are the 
National Institute of Standards and Technology, who is charged 
with the establishment of standards and creation of guidance, 
and then the Office of Management and Budget, who has--and I 
think should continue to have--the lead for developing policy 
and overseeing the programs, providing the oversight, being the 
hammer to agencies while CISA is being the partner to agencies.
    And I think the interaction with OMB and the National Cyber 
Director is going to need to be absolutely seamless to make 
this work.
    Ms. Wasserman Schultz. Thank you.
    Mr. Nodurft, can you illustrate why it is so important to 
have these roles clearly defined?
    Mr. Nodurft. Yes, Congresswoman. Thank you so much for the 
question.
    The necessity of streamlined reporting requirements from 
the agencies up makes it much easier for them to know how to 
respond, when to respond, with whom to speak with on the 
backend of responding to incidents. So, that's one.
    Two, when agencies are proactively trying to mitigate their 
cyber risks, they need clear reporting channels and clear areas 
of jurisdiction to go and propose budgets and work on budgeting 
with. They need clear direction from a strategic standpoint as 
well as an operational standpoint, and I think by clearly 
delineating who owns what, agencies will know where to look and 
where to go, and it will make it much easier for them to work 
together to build a broader defensive structure.
    Ms. Wasserman Schultz. Thank you.
    The Senate's version of FISMA reform would create a liaison 
between CISA and each agency by assigning a CISA adviser to 
each agency, much like every agency has a White House liaison, 
for example. And this role is intended to be a two-way street, 
providing additional support to the agency while also helping 
CISA better understand the agency's nuances and unique needs.
    Ms. Wynn, do you think such a dedicated liaison role would 
be helpful, or would that be an unhelpful intrusion of CISA 
into agency operations?
    Ms. Wynn. From my perspective, I worked--when I was within 
the Federal Government, I worked very closely with CISA on a 
couple of matters. I was very proactive in terms of engaging 
them, the Office of Management and Budget, DHS, and in fact, on 
a couple of occasions, the FBI. And having somebody to call 
makes a huge difference.
    So, if CISA's effectiveness depends upon having a liaison, 
and they agree that that's what's necessary for them to operate 
better within their organizational structure, then absolutely 
would support codifying having a liaison. The important thing 
to walk away with is we have to work together in order to solve 
very hard problems.
    Ms. Wasserman Schultz. Thank you so much, Madam Chair. My 
time has expired.
    Chairwoman Maloney. The gentlelady yields back. The 
gentlewoman from Illinois, Ms. Kelly, you are now recognized. 
Ms. Kelly?
    [No response.]
    Chairwoman Maloney. Move to the gentleman from Illinois, 
Mr. Davis. You are now recognized for five minutes. Mr. Davis?
    Mr. Davis. Thank you, Madam Chairman. And like others have 
already said, thank you for holding this important hearing.
    The Department of Homeland Security issued a binding 
operational directive in 2020 that requires most Federal 
agencies to have a vulnerability disclosure policy, which 
describes how someone who uncovers a cybersecurity 
vulnerability in a Federal system can report that vulnerability 
to the affected agency without fear of legal action.
    According to HackerOne, a cybersecurity firm that employs 
hackers and cybersecurity researchers to audit security 
hackers, reported more than 66,000 verified vulnerabilities in 
2021, a 21 percent increase from 2020. That is tens of 
thousands of vulnerabilities that may not have been found by 
automated process.
    It is crucial that these cybersecurity researchers have the 
ability to report to the Federal Government, and I am pleased 
that the draft legislation we are discussing includes a 
provision to codify Federal vulnerability disclosure programs.
    Mr. Schneider, before you left OMB, only a handful of 
Federal agencies had published a vulnerability disclosure 
policy. Fortunately, today, almost all Federal agencies have 
such policy. In your opinion, how efficient are Federal 
agencies at managing their vulnerability disclosure programs?
    Mr. Schneider. Congressman, thank you for the question.
    And vulnerability disclosure is a really important area. As 
you mentioned, and just before I left the Government or as I 
was departing, we published an OMB memo that went out in 
conjunction with that binding operational directive, memo--OMB 
Memo 20-32, which also directed agencies to implement 
vulnerability disclosure programs.
    And the fact that most agencies have one in place today I 
think is a testament to, A, the agencies' recognition of the 
importance of being able to leverage the research community to 
get vulnerabilities in and get them identified. I think the 
other really important aspect of a vulnerability disclosure 
program, though, is how you get those vulnerabilities sent back 
to industry or whoever the responsible party is to develop a 
mitigation for them, and how do you protect that information in 
the meantime?
    You know, the Log4j vulnerability that we're experiencing, 
you know, it had been identified by a researcher. It had been, 
you know, reported to Apache and was being worked on. And then 
another company identified it, put out a patch to their own 
software, and then it became public.
    So, really the, you know, disclosure of the vulnerability 
with Log4j got out ahead of the remediation, and that's why we 
have to be so careful about how we treat that vulnerability 
information as it's identified before there's a mitigation in 
place.
    Mr. Davis. Most agencies respond within a period of about 
three days. Do you think that is adequate in terms of response 
time?
    Mr. Schneider. For responding, I think you're talking about 
responding to the researcher. And I do think three days is 
adequate. I think, you know, you need to get back to the 
researcher quickly. They need to know that you're taking it 
seriously and that you're going to do something about it. 
Otherwise, they may go disclose--disclose the vulnerability 
more broadly and more publicly to potentially disastrous 
results.
    Mr. Davis. Thank you very much.
    Ms. Wynn, let me ask you how can we ensure that agencies 
have the ability to keep up with the influx of vulnerability 
reports? A lot of them are coming in.
    Ms. Wynn. Thank you for that.
    So, I had the pleasure of having well over 100,000 
vulnerabilities reported to me on a regular basis because of 
the complex systems used at NASA. And so, what we ended up 
doing was we established actually a vulnerability management 
program, and that's because you can't always address every 
vulnerability right away. And that sounds like that you might 
be ignoring risk, but what we would have at NASA are something 
called the flight freeze, and this was to ensure the risk on a 
flight was mitigated as fast as possible.
    And so during those flight freezes, we wouldn't be able to 
address the vulnerabilities that the system might have had, but 
that system, we would put other risk mitigations in place like 
making sure the system didn't go online, which is very, very 
much the case on mission control systems and that.
    And so you have a spectrum of risks you have to deal with. 
By having a vulnerability management program, you can hold 
mission and mission support heads accountable for dealing with 
their vulnerabilities in the right amount of time so that you 
don't disrupt operations.
    Mr. Davis. And quickly, Mr. Bitko----
    Chairwoman Maloney. The gentleman's time has expired. The 
gentleman----
    Mr. Davis. I yield back.
    Chairwoman Maloney. Thank you so much, Mr. Davis. The 
gentlelady from California, Ms. Speier, is recognized for five 
minutes.
    Ms. Speier. Thank you, Madam Chair, and I am delighted that 
this particular hearing is not only happening, but that the 
American people can see that Democrats and Republicans can work 
together.
    I want to focus on the work force because certainly in my 
work on the Intelligence Committee, the biggest hole is in 
getting the talent we need to perform the various functions. 
So, I would like to ask you, Mr. Schneider and Mr. Nodurft, 
what your experience was at OMB in terms of the staffing 
challenges, and what recommendations you would make to us to 
make sure that we have the talent and are able to afford the 
payments necessary in terms of salaries to attract the kind of 
talent we need.
    Mr. Schneider?
    Mr. Schneider. Yes. Thank you, Congresswoman.
    You are absolutely correct. The work force is--I mean, is 
so critical in cybersecurity. The work force are the ones that 
are doing literally all the work, making all the decisions, and 
it is an immense challenge. We don't have enough skilled 
cybersecurity professionals nationwide, and then the Federal 
Government is competing and, as you alluded to, challenged from 
a wage standpoint, from an ability to--compensation standpoint 
to bring people in.
    And so, what I saw is that we have a lot of really 
excellent and a lot of really dedicated people who are inside 
the Federal Government. I think we need more programs that 
allow people to come into the Government, maybe for a short 
period of time, or at least thinking it's for a short period of 
time. Because some of them will find out that they love the 
mission, and they'll stay.
    I think we also need the ability to have people move in and 
out of Government more easily. There's a whole bunch of 
challenges associated with----
    Ms. Speier. Thank you.
    Mr. Schneider. Oh, I'm sorry.
    Ms. Speier. I need to move on, but is there any--Mr. 
Nodurft, do you have any ideas on how we can attract this 
talent----
    Mr. Nodurft. Thank you for the question, yes, ma'am.
    Ms. Speier [continuing]. that Mr. Schneider has suggested?
    Mr. Nodurft. So, yes, ma'am. Thank you.
    The one idea I want to bring up is you're absolutely right. 
This is an ``all hands on deck'' moment. I think we need to or 
the committee should consider and should encourage the 
administration to consider new approaches that bring in and 
leverage industry expertise in certain areas in finite periods 
of time. And whether that's through contractual relationships, 
through different GSA vehicles or contract vehicles, or whether 
it's public-private partnerships that we currently have in 
place, we need to be able to access the talent that is in 
whatever part of our ecosystem that is possible.
    So, for example, the committee's work on the bill is 
encouraging agencies to move to zero trust environments. I 
think, ma'am, the committee has an opportunity to really 
encourage the administration to put in place specific 
authorities that allow for folks who are very familiar with the 
technology to work side by side with the departments and 
agencies to build out those environments, help them configure 
them, teach them how to manage and continue to grow them, and 
then move out.
    And we need--we need to be able to do that seamlessly. So, 
it's big ideas that talk about those types of partnerships that 
we're proposing.
    Ms. Speier. OK, thank you.
    Ms. Franks, Mr. Connolly had asked you about those 900 
recommendations that have not yet been complied with. Could you 
provide us with--and you can do this offline, but provide to 
the committee the most critical ones that still haven't been 
addressed so that we can review it, please?
    Ms. Franks. Yes, absolutely. I can provide that to you.
    Ms. Speier. Thank you.
    Ms. Franks. You're very welcome.
    Ms. Speier. And Ms. Wynn, you had mentioned that there are 
companies that repeatedly have, I guess, break-ins that we 
continue to contract with, if I remember or interpreted your 
testimony correctly. Could you actually specify those 
companies, please?
    Ms. Wynn. I don't have that list handy. I'm happy to 
follow up maybe afterwards to share some of the information 
about having to work with vendors and contractors about some of 
their repeated challenges that they were creating for the 
agencies that I worked for.
    Ms. Speier. Thank you. Madam Chair, I think that is really 
important because we can't continue to contract with those that 
have inappropriate cyber hygiene. And there are lots of 
companies out there, new startups, particularly in my district, 
that are doing some very exciting things, and our procurement 
process is so long and arduous that we oftentimes get the 
contract and it is already out of date with a particular 
software company.
    So, I hope that we look at that as well because there is 
much that needs to be done. I yield back.
    Chairwoman Maloney. The lady yields back, and that is a 
very important point. Thank you very much, and we will look at 
that.
    Thank you.
    We now recognize the gentlewoman from Illinois, Ms. Kelly. 
You are now recognized.
    Ms. Kelly. Thank you, Madam Chair.
    The proliferation of smart devices across society has 
helped to improve some of the everyday functions of our lives. 
Examples include watches tracking our health analytics, voice-
activated light switches, and smart cities where sensors can 
analyze traffic patterns, water supplies, or energy use to 
better serve citizens.
    These smart devices that connect to the Internet, known as 
Internet of Things, or IoT devices, that are increasingly part 
of the market for both home and business operation. Last 
Congress, my IoT Cybersecurity Improvement Act was signed into 
law to help create Federal standards for Government-used IoT 
devices. The law sets minimum security standards for Internet-
connected devices purchased by a Federal Government agency and 
created a vulnerability disclosure program for Government IT.
    Despite this law, I am still concerned that our 
cybersecurity standards have not kept pace with the rise of IoT 
devices. This is really worrisome because it is not just smart 
refrigerators that can be at risk to hackers, but as you guys 
know, medical devices, security cameras, and even automobiles 
all offer inroads for hackers to enter network systems.
    Mr. Schneider, what are some of the important functions of 
IoT devices on Federal networks?
    Mr. Schneider. Congresswoman, thank you for the question.
    I think we're going to see--you know, we're seeing today, 
you know, numerous places where Internet of Things, where IoT 
devices are being integrated into Federal agencies. But, and I 
think some of them are going to serve important purposes. My 
concern is also about the ones that might not.
    You mentioned the Internet-connected refrigerator that 
might be in a breakroom, and someone might decide it would be a 
good idea from the facilities to be able to monitor the 
temperature of that refrigerator and connect it to the agency's 
network and if that device now could be the access point into 
the entire agency's network, into truly where the sensitive 
information is.
    So, I think agencies need to pay attention as they're 
implementing IoT devices. IoT devices need to be more secure. 
But we also need to find a way, when possible, to keep them 
segmented within the environment so they're not, you know, an 
entry point, if you will.
    Ms. Kelly. I know you talked about the refrigerator, but 
how do hackers exploit vulnerable IoT devices on a network? How 
do they do it?
    Mr. Schneider. So, I mean, hackers will do it like they 
will with other devices. They will identify a vulnerability. 
They are often able to remotely determine if the individual 
device is, you know, still vulnerable. Is it still running the 
version, the vulnerable version of the software? In some cases, 
with IoT devices, they can't even be updated. So, they know 
it's vulnerable.
    And then they're able to, you know, use whatever the 
exploitation is to gain access to that device, and then 
they're--you know, kind of once they're in, they start working 
their normal approach of elevating privileges, moving laterally 
through the system, and starting the reconnaissance phase of 
what information do they want to steal, gain, get access to. 
You know, what are they trying to achieve inside and really 
starting to look around to see what they can do inside the 
environment.
    Ms. Kelly. In 2020, Palo Alto Networks reported that--and I 
quote--``57 percent of IoT devices are vulnerable to medium or 
high severity attacks, making IoT the low-hanging fruit for 
attackers.'' And the risk of an IoT hack across the Federal 
Government is even greater since it is not sensitive 
information at risk for actual equipment or devices that 
underpin our infrastructure.
    Now reporting on these vulnerabilities is also necessary 
and critical to informing improvements to our cybersecurity 
system. Again, Mr. Schneider, how will reporting of 
vulnerabilities improve coordination of the Federal 
Government's cybersecurity infrastructure?
    Mr. Schneider. Yes, great question and great points, ma'am. 
And I think it highlights the need to take action when this 
information is reported, right? We need the vulnerabilities 
identified. Agencies need to be aware of them, and then 
agencies need to take action.
    It's really exciting for us to talk about something like 
SolarWinds that was a very sophisticated attack, but quite 
frankly, most cyber incidents, as the statistics you just 
mentioned, you know, come from a known vulnerability that could 
have been mitigated with a known patch that was out there that 
just had not been applied by organizations. That's where most 
cyber attacks, successful attacks take place.
    Ms. Kelly. Thank you.
    And Mr. Nodurft, how is the situation complicated by 
individual enterprises across the Government/dot-government 
landscape?
    Mr. Nodurft. Thank you very much, ma'am, for the question.
    So, we have individual enterprises across the Federal 
landscape that within them have their own individual 
enterprises across the Federal landscape. It is a very diverse 
enterprise environment, and what you have is the diverse set of 
missions requires technology purchases, acquisitions that want 
to bring in some of the--and leverage some of the most modern 
advanced technologies that are out there right now.
    I think that we, as a--or the Federal Government should 
encourage use of the latest and greatest and most modern 
technologies, whether it's for mission or for enterprise 
management. Both of those should be highly encouraged. And we 
just need to think through what are the--what are the 
frameworks, whether it's the NIST cybersecurity framework. What 
are the solutions?
    Are there--I can tell you that member companies of mine, of 
the Alliance for Digital Innovation can independently audit IoT 
environments for these new technologies to make sure that they 
are up to date, and they are secure. And I think we should take 
a look at how we are, again, partnering from a public-private 
standpoint to make sure that the talent that we need to secure 
these new environments is accessible to the agencies so that 
they use this modern technology.
    Ms. Kelly. Thank you, and I am way over time. I yield back.
    Thank you.
    Chairwoman Maloney. The gentlelady yields back, and now I 
recognize myself.
    I, first and foremost, want to thank Ranking Member Comer 
for working with us in a bipartisan way to confront this 
tremendous challenge. He has indicated he does not want a 
closing statement.
    But as we have seen here today, the breadth and the 
complexity of cybersecurity threats to the Federal Government 
are absolutely staggering. I am grateful to all of our 
witnesses for sharing their deep knowledge and personal 
experience from both the Federal Government and the private 
sector perspectives. The combined years of Government service 
represented on our panel must be around 100, and it shows in 
the high caliber of the recommendations shared today.
    I am tremendously grateful to Congressman Comer for his 
strong partnership on this issue and to all our committee 
members, Democrat and Republican, for their engagement during 
this hearing and for our staffs. Today's hearing showed there 
is a strong bipartisan commitment to modernizing FISMA, and I 
have been encouraged by similar strong support in the Senate 
and the Biden administration.
    So, we have a real opportunity to pass FISMA reform this 
year and to protect the intellectual property, sensitive data, 
and networks that are essential to our country's economy and 
national security. I am committed to getting FISMA reform done 
right, and I am looking forward to working in a bipartisan way 
to achieve this for the American people. And I thank all of the 
participants.
    Before we close, I want to take care of one piece of 
business. Without objection, Ms. Shontel Brown is added to the 
Government Operations Subcommittee and the Economic Consumer 
Policy Subcommittee. Without objection.
    I also ask unanimous consent to insert into the record a 
statement from the SecurityScorecard. Without objection, so 
ordered.
    Chairwoman Maloney. In closing, I want to thank again our 
panelists for their remarks, and I want to commend my 
colleagues for participating in this important conversation.
    With that, and without objection, all members have five 
legislative days within which to submit extraneous materials 
and to submit additional written questions for the witnesses to 
the chair, which will be forwarded to the witnesses for their 
response. I ask our witnesses to respond as promptly as 
possible.
    This hearing is now adjourned.
    [Whereupon, at 12:54 p.m., the committee was adjourned.]
