Good morning, Mr. Chairman, and distinguished members of the Committee on International Relations, as the CIO for the State Department, I am pleased to report significant progress in managing the Department’s Information Technology resources. This morning I will focus on the actions we have taken to: 1) strengthen our computer security, 2) improve the integrity and quality of our IT Strategic Planning, our IT Capital planning and our management of IT resources, and 3) to achieve compliance with the Overseas Presence Advisory Panel IT recommendations. Since my testimony is limited to 5 minutes, I have provided a more detailed written report for the record.

Computer Security

In the past two years, since I was appointed CIO, the Department of State has taken significant steps in strengthening our computer security and the security of our global communications networks. For example, we now have in place a Corporate Information System Security Officer and Computer Security Incident Response Teams. Our systems are protected with an extensive array of electronic firewalls, intrusion detection systems, and a comprehensive Anti-Virus Program. We increased Systems Security Training, conducted extensive independent network penetration testing, and installed a Web-based geographic information system to collect cyber-threat information.

As additional examples of the Department’s commitment to Computer Security Awareness, I have hosted the CIO Council Security Awareness Day, a Critical Infrastructure Protection Day and a Hacker Briefing presented by an industry expert. All of these were open to the entire federal IT community.

With our improved security posture, we have successfully withstood numerous cyber attacks, such as those that have damaged other agencies’ and private sector web sites. For example, we were successful in defending against an attack after the NATO bombing of the Chinese Embassy in Belgrade, when we were bombarded with over 10,000 messages an hour for several weeks. However, despite significant improvements in our cyber security, we realize that the cyber underworld continues to improve its weapons. We routinely assess our presence on the Internet and so far we have been successful in adjusting our protection measures to meet the continuing and ever changing challenges.

I also established a Security Infrastructure Working Group (SIWG) to proactively oversee our enterprise infrastructure and coordinate an integrated, Department-wide security response. The SIWG is chaired by the Deputy CIO (DCIO) for Operations, and has representation from Diplomatic Security and other Bureaus.

Let me briefly highlight other accomplishments in our IT security over the past 2 years.

• We achieved 100 percent completion of the 72 technical findings and the 8 management recommendations identified in the 1998 GAO Computer Security Audit.

• We achieved closure on Federal Managers’ Financial Integrity Act (FMFIA) issues open since 1984 .

• We revised the Foreign Affairs Manual to include security-related policies.

• We globally deployed a computer security self-assessment software tool (the Kane Security Analyst).

• We conducted vulnerability assessments on our Classified, Sensitive but Unclassified, and Internet networks.

• In a joint effort with the NSA, we have begun a pilot program using Public Key Infrastructure to implement strong identification and authentication processes.

• We are implementing the risk management cycle as recommended in best practices published by GAO and OMB.

• And are implementing a robust certification and accreditation program incorporating the recently released National Information Assurance Certification and Accreditation Process (NIACAP).

Overseas Presence Advisory Panel IT Recommendations

Now let me turn to the Overseas Presence Advisory Panel IT recommendations, particularly the actions we are taking to address the challenges to obtain interagency coordination and cooperation and to ensure quality and cost effective program management. To ensure that all the foreign affairs agencies are partners in developing solutions to the OPAP recommendations, we have convened the OPAP Interagency Technology Subcommittee. This Subcommittee - which I chair as the representative of the lead agency - consists of the CIOs of the principal foreign affairs agencies. To date, the cooperation between all of the foreign affairs agencies in developing solutions to the OPAP report recommendations has been outstanding. This reflects the fact that over the past two years, through the CIO Council and its various subcommittees, the CIOs had already established strong relationships and had worked collaboratively on issues of common concern.

Specifically, we are progressing in our plans to deploy an interoperable infrastructure accessible to all agencies to improve communication and collaboration. Our OPAP architectural approach emphasizes interagency connectivity and collaboration, minimizing technical risk, and leveraging Internet and Web technologies. The intent is to build a browser-based environment such that agencies need not change their architectures to connect to and use the OPAP facilities, and a range of connection options will be accommodated. To provide the right information to the right people at the right time, we are designing a knowledge management system to share information across agency boundaries. Security of the infrastructure will be addressed through the use of technologies such as Public Key Infrastructure, data encryption and use of firewalls.

In order to ensure quality and cost effective program management (and avoid excessive cost overruns) we are following a disciplined, standard project management methodology which we used successfully in our world-wide Y2K remediation program, IT modernization program (ALMA), and the global emergency radio deployment program. I should point out that this methodology includes regular interagency project review and approval points, such as control gates and check points, and prototype and pilot site tests and assessments.

Accordingly, in FY 2001, conditional on the availability of timely and adequate resources, we plan to implement a pilot program at two posts to test the interagency developed solutions to the OPAP unclassified technology recommendations. Mexico and New Delhi are being considered as the pilot posts. Our goals and the effective participation of other federal agencies are achievable only with your support in providing us the resources to continue.

IT Management and Planning

In the time remaining, I will address our progress in responding to the 1998 GAO report which raised issues about our modernization program being at risk absent implementation of best practices. We have made significant improvements in the management, policy, planning, and governance of our IT resources as we demonstrated in our success at turning our Y2K program from an F to an A, closing FMFIA issues, and completing of a large scale, global IT ALMA modernization project on budget and on time.

Demonstrating the Department’s compliance with the GAO’s management improvement recommendations, we have:

• Adopted an enhanced Capital Planning Process that involves all the key stakeholders, including the Chief Financial Officer and other senior management, to comply with the mandates of Clinger Cohen and OMB Circular A-11.

• Created the Configuration Control Board whose role will be expanded to further strengthen the interrelationship with the Capital Planning Process.

• Established an Enterprise IT Architecture that is modeled after guidance issued by the Federal CIO Council.

• Included output and outcome measures in our IT Tactical Plan linking the relationship of those measures to mission effectiveness and efficiency.

• Instituted a disciplined life cycle management process, "Managing State Projects" to help ensure a consistent approach to all aspects of project management.

• And, continue to focus on well-articulated goals that are presented in our new IT Strategic Plan published in January of this year.

Thank you. I would be pleased to answer any questions.