Critical Releases in Homeland Security: February 19, 2014

"On September 16, 2013, Aaron Alexis killed twelve people and injured several others at the Washington Navy Yard. Alexis entered the facility with a shotgun using his credentials as an employee of a federal subcontractor that performed computer software updates for the Navy. Alexis qualified for this position because he had received a Secret level security clearance in 2008 when he served in the Navy Reserve. Last fall, the Committee initiated a bipartisan investigation to examine the circumstances by which Alexis received and retained his security clearance, particularly given subsequent revelations about his multiple arrests involving firearms. This week, the Republican staff of the Committee issued a report focusing primarily on the role of the Office of Personnel Management (OPM) in overseeing its contractors that conduct background investigations. This Republican staff report was incomplete because it did not present the full findings of the Committee's investigation into the role of U.S. Investigations Services, Inc. (USIS)--the company that conducted Alexis' background investigation and that conducts more background investigations than any other federal contractor. For these reasons, the Committee's Ranking Member, Rep. Elijah E. Cummings, asked Democratic staff to set forth additional information regarding USIS, including new allegations of a massive fraud committed by the company's top executives over 4½ years that may have endangered national security."

"According to the United States Global Change Research Program, the costs and impacts of weather disasters resulting from floods, drought, and other events are expected to increase in significance as previously 'rare' events become more common and intense. These impacts pose financial risks to the federal government. While it is not possible to link any individual weather event to climate change, these events provide insight into the potential climate-related vulnerabilities the United States faces. GAO [Government Accountability Office] focuses particular attention on government operations it identifies as posing a 'high risk' to the American taxpayer and, in February 2013, added to its High Risk List the area 'Limiting the Federal Government's Fiscal Exposure by Better Managing Climate Change Risks'. GAO's past work identified a variety of fiscal exposures--responsibilities, programs, and activities that may either legally commit the federal government to future spending or create the expectation for future spending in response to extreme weather events. This testimony is based on reports GAO issued from March 2007 to November 2013 that address these issues."

"The national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation's security, economy, and public safety and health at risk. Similar to financial and reputational risk, cybersecurity risk affects a company's bottom line. It can drive up costs and impact revenue. It can harm an organization's ability to innovate and to gain and maintain customers. […] The Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure. Organizations will continue to have unique risks -- different threats, different vulnerabilities, different risk tolerances -- and how they implement the practices in the Framework will vary. Organizations can determine activities that are important to critical service delivery and can prioritize investments to maximize the impact of each dollar spent. Ultimately, the Framework is aimed at reducing and better managing cybersecurity risks. The Framework is a living document and will continue to be updated and improved as industry provides feedback on implementation. As the Framework is put into practice, lessons learned will be integrated into future versions. This will ensure it is meeting the needs of critical infrastructure owners and operators in a dynamic and challenging environment of new threats, risks, and solutions. Use of this voluntary Framework is the next step to improve the cybersecurity of our Nation's critical infrastructure -- providing guidance for individual organizations, while increasing the cybersecurity posture of the Nation's critical infrastructure as a whole."