Testimony of Deputy Chief Financial Officer Peggy Sherry and Chief Information Security Officer Robert West before the Subcommittee on Government Organization, Efficiency and Financial Management; of the House Oversight and Government Reform Committee

Rayburn House Office Building

Thank you Chairman Platts, Ranking Member Towns, and members of the Committee for the opportunity to provide an update on the Department of Homeland Security's (DHS) progress in addressing recommendations found in the Office of the Inspector General Audit report titled "Information Technology Management Letter for the FY 2010 Financial Statement Audit." Department leadership takes all audit findings seriously, and we are fully committed to resolving these issues as quickly as possible.

The Department has made significant progress in reducing IT security control risks and costs by transitioning from a highly decentralized IT landscape to enterprise data centers and services. DHS inherited approximately 1,100 separate and unique IT systems, with each system individually accountable for all security controls. IT systems are more secure today than ever before because the Department's enterprise security architecture—called "Mission Assurance through Defense-in-Depth"—now includes a comprehensive set of layered security controls. DHS has consolidated six wide-area networks into a secure, modern, fully-encrypted backbone infrastructure and has made significant progress in consolidating multiple data centers into two enterprise data centers. These data centers have been designed with a robust set of security controls to support systems that operate in those environments.

In addition to the enhanced security controls for the transport infrastructure and the two enterprise datacenters, the Department has also increased security by consolidating all Internet traffic behind two redundant Trusted Internet Connections (TIC). Currently over 95 percent of all of the Department's traffic accesses the Internet via the TICs, and the Office of the Chief Information Officer (OCIO) has placed TIC-like functionality in front of each major Component to ensure that Components can maintain flexible security policies appropriate for their individual missions, while at the same time maintaining a baseline security foundation from which to operate. These "Policy Enforcement Points" include both monitoring capabilities as well as next generation, application-aware firewalls designed specifically to address Advanced Persistent Threats (APT), which are malicious actors who regularly target the Department's information and information systems. The Department also has a dedicated, enterprise Security Operations Center, with trained analysts who leverage new monitoring tools to proactively look for and respond to APT-type activity.

The Department currently operates 783 IT systems that support multiple, complex and highly diverse missions. Of those systems, 32 support the Department's financial management and reporting and are considered material to the financial statement. Most of these financial systems have been in operation for many years and predate the Department's creation in 2003. While these legacy systems are now more secure due to the fact that they operate within the enterprise framework described above, some of these systems are missing system-specific controls and cannot fully support business processes that ensure accurate financial reporting. Heavily manual processes that are needed to compensate for a lack of automated controls highlight the fact that the significant progress we have made in financial management, reporting and accountability could be furthered with improvements to some of these financial systems.

When the Department was formed in 2003, we inherited 30 significant deficiencies, including 18 material weaknesses. DHS has shown great progress implementing corrective actions and improving the quality and reliability of our financial reporting in the past five years and now only has six material weaknesses.

As recommended in the OIG IT Management Letter, the Department has reviewed all IT Notices of Findings and Recommendations (NFRs) and Component leadership has created Plans of Actions and Milestones (POA&Ms) detailing planned remediation. In FY 2011, DHS focused on strengthening financial system security and controls using a three-phase assessment approach including a current state assessment, root cause analysis, and independent verification and validation of Component POA&Ms. IT personnel responsible for preparing POA&Ms are now trained on creating realistic corrective action plans that address root causes.

Additionally, the DHS Information Security Office (ISO) performed Critical Control Reviews (CCRs) in FY 2010 and FY 2011 to independently validate the implementation of key security controls information reported in a system's accreditation and certification documentation. Following each review, system owners are provided with detailed results and recommendations to improve security controls documentation and implementation. System owners are required to develop POA&Ms for weaknesses identified. The CCRs have increased Component awareness of security control issues and Component POA&Ms have greatly improved the documentation of IT security issues at the Department.

During the FY 2010 assessment, the auditors noted that DHS made progress in remediating IT findings from FY 2009, closing approximately 30 percent of the findings. The Department has taken numerous actions to address the five remaining significant weaknesses related to IT controls on financial systems as described below.

1. Full implementation of Homeland Security Presidential Directive - 12 (HSPD-12) Personal Identity Verification (PIV) smart card will make significant progress towards addressing the challenge of restricting unauthorized access to key DHS financial applications. For example, mandating use of PIV credentials provides the capability to deny access to multiple financial systems simultaneously upon personnel termination. DHS is aggressively working to deploy this capability, and as of today has issued over 275,000 HSPD-12 PIV cards, and is currently building out the necessary infrastructure to use the cards for strongly authenticated network and system access. Currently over 70,000 employees are able to use the PIV or Common Access Cards for logical access to networks, and all Components are developing plans for mandating the use of PIV cards for network logical access. A consolidated enterprise plan will be completed by second quarter of FY 2012.
    
2. Configuration management control weaknesses are being addressed through a continuous monitoring program initiated in FY 2011. This program is a risk management approach to Cybersecurity that maintains an accurate picture of an organization's security risk posture, provides visibility into assets, and leverages use of automated security management tools to quantify risks, ensure effectiveness of security controls, and implement prioritized risk mitigation. As a part of the "Defense-in-Depth" security framework, the Department is implementing a comprehensive continuous monitoring capability for maintaining configuration for all IT assets at DHS including financial systems. Efforts are currently underway at all Components, and will be completed by the end of FY 2012.
    
3. Corrective actions have been taken or are ongoing to remediate security management deficiencies in the certification and accreditation process. The financial systems that had not completed the required certification and accreditation process have either been accredited or were retired from use in FY 2011. As for deficiencies in adhering to and developing of policies and procedures, Component management is required to submit POA&Ms detailing the implementation of missing policies and procedures, as well as verifying and validating that the corrective action is complete. The POA&M process has also been improved to require additional monitoring of remediation progress and alert management when progress is delayed or appears inadequate.
    
4. Contingency plans that lacked current and tested continuity plans developed to protect DHS resources and financial applications, have been updated. During FY 2011, Component personnel either conducted continuity plan tests or submitted a POA&M committing to complete the required testing within six months. For those tested, the continuity plans were updated with lessons learned as appropriate and, in some instances, an independent verification and validation was performed to confirm the completion and adequacy of the updated, tested plan.
    
5. The lack of proper segregation of duties for roles and responsibilities within financial systems, are being addressed on a system-specific basis by each Component. Components are identifying and documenting the duties that should not be performed by one employee because doing so provides an opportunity to engage in erroneous activity. For example, personnel who submit check requests should not be jointly assigned responsibility for approving check requests. This information will ensure that Components properly divide and separate duties and responsibilities of critical information system functions among different individuals to minimize the possibility that any one employee would have the necessary authority or system access to be able to engage in erroneous, fraudulent or criminal activity. The Department has made significant progress in resolving this issue, and full remediation at all DHS Components will continue over the next two to three years.

Many improvements made in financial management at DHS over the past few years are a direct result of the processes and structures that have been put in place to ensure consistent operations for each of our financial accounting centers and financial management offices within DHS Components. The Department has made key changes to improve the overall internal controls process to enhance systems' security. The DHS CFO and CIO have worked to improve the overall controls process by aligning the FISMA framework with the DHS internal control assessment process to improve financial systems security at the Department. DHS's major activities under this integrated approach include:

• Published the Department's 5th Annual Internal Controls Playbook on March 31, 2011 which builds upon previous successes, defines current internal control initiatives, and establishes Mission Action Plans, milestones, and focus areas for the Department's most significant internal control challenges. The Playbook includes DHS's approach to documenting and testing the design effectiveness of financial system Information Technology General Controls (ITGCs).
• Updated the CFO Designated Systems List for FY 2010 as a result of the IT general control assessments performed in FY 2009. The list specifies the financial systems that require additional management accountability to ensure effective controls exist over financial reporting.
• Perform ongoing verification and validation procedures to ensure POA&Ms address root causes of financial system security control deficiencies identified from the financial statement audits and FISMA annual assessments. Issuance of the FY 2010 DHS Information Security Performance Plan includes the requirements to ensure key financial system security controls are tested annually and quality POA&Ms are developed and completed in a timely manner.
• Continue tracking remediation status of the issues identified during the OMB Circular A-123 ITGC annual assessments as a metric on the Department's monthly FISMA Scorecard. The Scorecard measures Components compliance with OMB FISMA reporting requirements and DHS senior management priorities such as the status and quality of system certifications and accreditations and weakness remediation.
• Continue annual revisions of the DHS 4300A, Sensitive Systems Handbook, Attachment H: Plan Of Action & Milestones (POA&M) Process Guide which includes the guidance and procedures for developing, maintaining, reporting, and maturing DHS Components' remediation plans to reduce vulnerabilities.
• Provide ongoing POA&M training, including root cause analysis, to DHS Components.