Cyber Security: The Status of Information Security and the Effects of the Federal Information System Management Act at Federal Agencies
US Department of State
Bruce Morrison, Acting Chief Information Officer
Testimony Before Subcommittee on Technology, Information Policy,
Intergovernmental Relations and the Census
June 24, 2003
Good Morning Mr. Chairman and Members of the Committee. I am honored to be here
and appreciate the opportunity to discuss information security at the
Department of State. With your permission, I will submit my written testimony
for the record.
While we are not yet where we would like to be in cyber security, I would like
to take this opportunity to report on the initial stages of improving our
I would like to state that we at the State Department have the highest level of
support from Secretary Powell and Under Secretary for Management Green.
Secretary Powell considers Information Technology [IT] and Security to be a
strategic component in implementing U.S. foreign policy.
Let me summarize of IT Security at State
We have long established a strong perimeter defense with technical, physical,
and personnel controls, anti-virus, firewalls, intrusion detection, and
However, we realize that a sound cyber security program is built upon a
defense-in-depth strategy that includes management controls as well as
technical and operational measures. What we have lacked in the past is a
comprehensive management structure and a serious Systems Authorization program.
A New Day
It is a new day at State, with the convergence of several events bringing a
fresh approach and commitment to cyber security. First, GISRA [Government
Information Security Reform Act] and then FISMA [Federal Information System
Management Act] focused top management attention on cyber security. Second, we
have new cyber security leadership at State I stepped into the position of
acting CIO [Chief Information Officer] six months ago. Additionally, there is a
new Assistant Secretary for Diplomatic Security with whom we collaborate
closely. Finally, OMB [Office of Management and Budget] very helpfully
mandated that we authorize all systems by 4th Quarter FY 2004.
Our new organization is giving birth to a new cyber security culture, and is
producing results. We have a new Office of Information Assurance headed by a
senior officer reporting directly to me. This office handles IT security
policy, program management, performance measures, risk management, and
There is increased Department-wide cyber security focus as all offices are now
involved to some degree in cyber security through the Plans of Actions &
Milestones (POA&Ms) process and awareness programs. As I mentioned, there is
excellent rapport and collaboration between the CIO and the Bureau of
Diplomatic Security on all aspects of cyber security. A similarly cooperative
partnership exists with the Chief Financial Officer on Critical Infrastructure
protection and the information technology budget.
We have a senior-level, multi-disciplinary Cyber Security Advisory Group. There
is a close working relationship with the Office of the Inspector General [IG].
In bi-weekly meetings with the IG, we discuss a variety of cyber security
issues with FISMA requirements and systems authorization taking center stage.
Security and Capital Planning and Investment Control (CPIC)
State has recently established an E-Gov Program Board chaired by Under
Secretary for Management Green to manage all IT funds.
Information Assurance experts now review every IT system budget request to
assure that appropriate security considerations are budgeted and executed.
Cyber security is represented at all levels of the budget process. We have
initiated ongoing training for Systems Owners on completing the security part
of budget submissions.
We have developed a new process for IT, which is a hybrid of NIACAP [National
Information Assurance Certification and Accreditation Process] and NIST
[National Institute of Standards and Technology] guidance and categorizes
systems by type and security classification level. The plan was developed and
submitted to OMB in March and budgeted in mid-April. We are on track with 10%
of our systems done and with goals of 33% by August 2003 and 100% by August
Institutionalizing Cyber Security
We are taking specific steps to institutionalize cyber security management and
practices. New systems are addressing security from the outset and will undergo
C&A [Certification and Accreditation] so that they are authorized before being
put into operation. In our future budgets, requests will include security
costs. Regular awareness sessions for all users, establishing a cyber security
corps and mandatory training for the security practitioner will assist in
institutionalizing cyber security throughout the Department.
In summary, FY 2003 Progress
We are still in the early stages of creating a comprehensive cyber security
program but we have made great strides over the past few months. This progress
contributed to our PMA [President s Management Agenda] score of green for
|Join the GlobalSecurity.org mailing list|