[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]



   HEARING TO REVIEW THE U.S. DEPARTMENT OF AGRICULTURE'S RELEASE OF 
                                PROGRAM
BENEFICIARIES' SOCIAL SECURITY NUMBERS AND THE DEPARTMENT'S INFORMATION
                           SYSTEMS, GENERALLY

=======================================================================

                                HEARING

                               BEFORE THE

                        COMMITTEE ON AGRICULTURE
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 2, 2007

                               __________

                           Serial No. 110-17


          Printed for the use of the Committee on Agriculture
                         agriculture.house.gov





                   U.S. GOVERNMENT PRINTING OFFICE
41-944 PDF                  WASHINGTON : 2008










                        COMMITTEE ON AGRICULTURE

                COLLIN C. PETERSON, Minnesota, Chairman

TIM HOLDEN, Pennsylvania,            BOB GOODLATTE, Virginia, Ranking 
    Vice Chairman                    Minority Member
MIKE McINTYRE, North Carolina        TERRY EVERETT, Alabama
BOB ETHERIDGE, North Carolina        FRANK D. LUCAS, Oklahoma
LEONARD L. BOSWELL, Iowa             JERRY MORAN, Kansas
JOE BACA, California                 ROBIN HAYES, North Carolina
DENNIS A. CARDOZA, California        TIMOTHY V. JOHNSON, Illinois
DAVID SCOTT, Georgia                 SAM GRAVES, Missouri
JIM MARSHALL, Georgia                JO BONNER, Alabama
STEPHANIE HERSETH SANDLIN, South     MIKE ROGERS, Alabama
Dakota                               STEVE KING, Iowa
HENRY CUELLAR, Texas                 MARILYN N. MUSGRAVE, Colorado
JIM COSTA, California                RANDY NEUGEBAUER, Texas
JOHN T. SALAZAR, Colorado            CHARLES W. BOUSTANY, Jr., 
BRAD ELLSWORTH, Indiana              Louisiana
NANCY E. BOYDA, Kansas               JOHN R. ``RANDY'' KUHL, Jr., New 
ZACHARY T. SPACE, Ohio               York
TIMOTHY J. WALZ, Minnesota           VIRGINIA FOXX, North Carolina
KIRSTEN E. GILLIBRAND, New York      K. MICHAEL CONAWAY, Texas
STEVE KAGEN, Wisconsin               JEFF FORTENBERRY, Nebraska
EARL POMEROY, North Dakota           JEAN SCHMIDT, Ohio
LINCOLN DAVIS, Tennessee             ADRIAN SMITH, Nebraska
JOHN BARROW, Georgia                 KEVIN McCARTHY, California
NICK LAMPSON, Texas                  TIM WALBERG, Michigan
JOE DONNELLY, Indiana
TIM MAHONEY, Florida

                                 ______

                           Professional Staff

                    Robert L. Larew, Chief of Staff
                     Andrew W. Baker, Chief Counsel
                 April Slayton, Communications Director
           William E. O'Conner, Jr., Minority Staff Director











                             C O N T E N T S

                              ----------                              
Foxx, Hon. Virginia, a Representative in Congress from North 
  Carolina, opening statement
Goodlatte, Hon. Bob, a Representative in Congress from Virginia, 
  opening statement
Peterson, Hon. Collin C., a Representative in Congress from 
  Minnesota, opening statement
Walz, Hon. Timothy J., a Representative in Congress from 
  Minnesota, prepared statement

                               Witnesses

Christopherson, Jr., Hon. Charles R., Chief Financial Officer, 
  U.S. Department of Agriculture, Washington, D.C.; accompanied 
  by Dave Combs, Chief Information Officer; and Hon. Boyd K. 
  Rutherford, Assistant Secretary for Administration, U.S. 
  Department of Agriculture
Prepared statement

                          Additional Material

Submitted questions

 


                         WEDNESDAY, MAY 2, 2007

                  House of Representatives,
                          Committee on Agriculture,
                                           Washington, D.C.

    The Committee met, pursuant to call, at 1:05 p.m., in Room 
1300 of the Longworth House Office Building, Hon. Collin C. 
Peterson [Chairman of the Committee] presiding.
    Members present: Representatives Peterson, Holden, 
Etheridge, Boswell, Baca, Herseth Sandlin, Salazar, Ellsworth, 
Boyda, Space, Walz, Pomeroy, Barrow, Donnelly, Goodlatte, Foxx, 
Moran, Graves, Neugebauer, Conaway, Schmidt, Smith, and 
Walberg.
    Staff present: Tyler Jameson, Rob Larew, John Riley, Sharon 
Rusnak, Lisa Shelton, April Slayton, Debbie Smith, Kristin 
Sosanie, Bryan Dierlam, Alise Kowalski, Bill O'Conner, and 
Jamie Weyer.

OPENING STATEMENT OF HON. COLLIN C. PETERSON, A REPRESENTATIVE 
                   IN CONGRESS FROM MINNESOTA

    The Chairman. The Committee will come to order. I want to 
start today by welcoming everyone to this hearing of the House 
Agriculture Committee. I want to especially welcome Charles 
Christopherson, the USDA's Chief Financial Officer, who will 
provide testimony and answer the Committee's questions today. I 
would also like to recognize Boyd Rutherford, USDA's Assistant 
Secretary for Administration, and Dave Combs, USDA's Chief 
Information Officer, who are accompanying Mr. Christopherson.
    Information security and accessibility are two very serious 
issues that must be top priorities for USDA. Farmers, ranchers, 
small businesses and many others entrust USDA agencies and 
programs with a great deal of private personal information on a 
regular basis. The USDA must take their responsibility to 
protect this information very seriously. The recent 
announcement that Social Security or tax information numbers of 
more than 38,000 people were made public on the Internet has 
called into question the security of private information that 
USDA has in its possession. I want to commend and very much 
appreciate Congressman Zach Space, one of our newest Members of 
the Agriculture Committee, for recognizing the serious 
implications of this situation and requesting a hearing today 
on this issue. I hope that we will hear a more complete 
explanation of how this could happen, what is being done to 
assist the people whose personal information was compromised, 
and I also look forward to hearing what is being done to be 
sure no additional personal information is exposed in this 
manner.
    In addition to this information security breach, 
accessibility to computer-based systems has been a recurring 
problem at USDA. Computer failures at the Farm Service Agency 
have prevented farmers from signing up for programs online and 
in FSA offices. As a result of the poor performance of FSA 
computer systems earlier this year, the USDA had to extend the 
deadline for farmers to sign up for the Direct and Counter-
Cyclical Payment Programs. Congressman Moran requested a 
hearing to review the system failures and delays that farmers 
and ranchers have faced because of the FSA computer problems 
and I also appreciate his attention to this serious issue.
    Data security and reliable computer systems are priorities 
that USDA must recognize and provide to the many individuals 
and organizations that do business with the agency every year. 
Farmers and ranchers must be able to trust that USDA will 
protect their information and provide consistent access to 
computer-based applications. Without that trust, USDA cannot 
accomplish its mission and farmers and ranchers cannot take 
full advantage of the programs available to them. I am 
concerned that the Administration's budget request for 
necessary computer maintenance and improvements at USDA does 
not reflect the serious needs that have been exposed by these 
recent computer problems. We are seeing the results of a broken 
system that should have been fixed long before these problems 
emerged.
    The purpose of this hearing is, however, not to lay blame; 
although there is certainly plenty of blame to go around with 
lack of Congressional oversight, the agency's ability to 
recognize these problems before they reached this crisis level, 
and the Administration's failure to request and provide 
resources needed to prevent these problems from happening in 
the first place. So I am particularly interested to hear from 
our witnesses what resources USDA needs to assure farmers and 
ranchers that they can expect secure and reliable access to 
farm programs. I look forward to the testimony that we will 
hear today and look forward to working with the Administration 
to address these serious problems.
    Without objection, all Members that wish to make a 
statement will be made part of the record with the exception of 
the Ranking Member, who today is Ms. Foxx from North Carolina. 
We appreciate you being here today and if you want to say a 
couple brief words?
    [The prepared statement of Mr. Walz follows:]


    [GRAPHIC NOT AVAILABLE IN TIFF FORMAT]

    
 OPENING STATEMENT OF HON. VIRGINIA FOXX, A REPRESENTATIVE IN 
                  CONGRESS FROM NORTH CAROLINA

    Ms. Foxx. Just briefly, Mr. Chairman. I want to say that I 
know that I and my colleagues share the same concerns that you 
have expressed, and what I hope we will discover is how 
problems like these occur but more importantly, how can we 
establish systems to prevent the problems from occurring again. 
As you say, there is probably plenty of blame to go around; 
that doesn't accomplish much. What we need to do is figure out 
a way to make the system better and to hold the proper people 
accountable, and I thank you for your focus on that.
    The Chairman. I thank the gentlelady, and I appreciate her 
presence here and the other Members.
    Mr. Christopherson, we appreciate you being with the 
Committee and your full statement will be made part of the 
record. We operate here under the 5 minute rule so if you could 
hit the high points and stick within that and then I think we 
probably have quite a few questions, so thank you very much.

    STATEMENT OF HON. CHARLES R. CHRISTOPHERSON, Jr., CHIEF 
             FINANCIAL OFFICER, U.S. DEPARTMENT OF
AGRICULTURE, WASHINGTON, D.C.; ACCOMPANIED BY DAVE COMBS, CHIEF 
  INFORMATION OFFICER; AND HON. BOYD K. RUTHERFORD, ASSISTANT 
                         SECRETARY FOR
         ADMINISTRATION, U.S. DEPARTMENT OF AGRICULTURE

    Mr. Christopherson. Thank you, Mr. Chairman.
    Mr. Chairman, Ranking Member and the Members of the 
Committee, I thank you for this invitation to appear before you 
today to update the Committee on the current events related to 
the information technology at the U.S. Department of 
Agriculture. I am joined today by Dave Combs, the Department's 
Chief Information and Chief Privacy Officer, and Boyd 
Rutherford, our Assistant Secretary of Administration.
    We appreciate the opportunity to discuss the recent 
discovery of approximately 38,700 Social Security Numbers that 
have been inadvertently made public through a government-wide 
website. Our policy states USDA will protect personal, 
financial and employment information from unauthorized 
disclosure. Customers and employees should also have the right 
to expect that USDA will collect, maintain, use and disseminate 
identifiable personal information and data only as authorized 
by law and as necessary to carry out our agency's 
responsibilities. At the outset, let me state that we take full 
responsibility for this incident. We offer no excuses and we 
deeply regret the exposure of the sensitive information and the 
concern that it has caused our citizens that we serve.
    By way of background, the USDA is comprised of 
approximately 100,000 employees and 29 component agencies, with 
staff offices located at some 7,200 offices around the world. 
Of our more than 250 IT systems, many date back to the early 
days of computing before the Internet and before the identity 
theft challenges of the modern information age. As a result, 
personal information such as Social Security Numbers were used 
as customer identifiers and thus were key to accessing records 
in many of these older systems. These older ways of doing 
business are no longer acceptable and we are confronting the 
significant challenge of removing sensitive data whenever 
possible.
    Let me assure you that we did not wake up to this challenge 
just last week. Addressing these issues has been a long, 
ongoing effort. In Fiscal Year 2006 alone, we continued our 
Federal Information Security Management Act implementation, 
inventoried our Privacy Act data, scrubbed systems for 
unnecessary uses of personal identifying information, began 
encrypting mobile computers, strengthening remote access 
controls, required Privacy Act training throughout the 
Department and established incident response protocols.
    Regarding the recent incident that brings us here today, on 
Friday, April 13, USDA learned that a grantee found her 
company's identifying information posted on a public website. 
The identifying number was embedded with other numbers in a 
larger data field known as a Federal Award Identifier Number, 
or FAIN, in a system known as the Federal Assistance Award Data 
Systems, or FAADS. Officials in my office immediately 
recognized the potential sensitivities of this information and 
that same day the identifying numbers associated with the 
funding were removed.
    Unable to conclude that this was an isolated instance, we 
continued our analysis of the information and here is what we 
found. Many years ago, the predecessor agencies to the Farm 
Service Agency and Rural Development established identifier 
numbers for borrowers or grantee applicants; but for some, not 
all, programs they adopted as a unique file identifier a number 
that included the Social Security Number for an individual 
recipient or the IRS-issued EIN for a business recipient. When 
the predecessor agencies began providing USDA grant and loan 
data to FAADS as required in 1982, they simply used the agency-
created code as a Federal Award identifier number.
    Pursuant to the direction from the Office of the Chief 
Information Officer last year, USDA agencies searched for the 
presence of Social Security Numbers in their systems but the 
FAINs eluded the attention because the sensitive information 
was not readily apparent when viewing the aggregated data. 
After extensive evaluation of approximately three million 
records spanning a period of 26 years, we were able to 
determine that the public website in question contained 
sensitive information relating to approximately 35,000 
individuals from FSA programs and 3,700 from Rural Development 
programs.
    Our immediate first steps were to confine and fix the 
problem while at the same time making sure that we did not take 
any actions that would make the problem worse. To date, there 
is no evidence that this information has been misused. 
Nonetheless, we are offering 12 months of services to help 
affected persons monitor and protect their credit. USDA funding 
recipients whose personal information was exposed have been 
notified by mail and are being provided with instructions for 
setting up the credit monitoring.
    As a result of this recent incident, we have initiated 
additional actions consistent with the recommendations included 
in the recently released strategic plan to the President on 
identity theft. The written testimony provides additional 
details but in brief summary, these actions include re-
inventorying all of our data collections, expanding reviews to 
include external entities, updating our Privacy Act and 
awareness efforts, and integrating information protected in our 
annual internal controls assessment.
    While this incident focuses our attention on protecting 
sensitive data, USDA is also redoubling its efforts in the area 
of overall IT security. To emphasize how seriously that we have 
taken our role as data stewards, we are focused on improving 
our logical and physical access controls, our software change 
controls and our disaster recovery capabilities.
    In closing, I again want to state that we regret the 
incident that has occurred. We are committed to taking care of 
the individuals who are affected and we will fix the problems 
which led to this issue.
    Mr. Chairman, we would be pleased to take any questions 
from the Committee.
    [The prepared statement of Mr. Christopherson follows:]

    [GRAPHIC NOT AVAILABLE IN TIFF FORMAT]

    
    The Chairman. I thank the gentleman, and the other two 
gentlemen are just here for backup?
    Mr. Christopherson. Yes, sir.
    The Chairman. All right. We thank you very much for that 
testimony, and I think we have a number of Members that have 
some questions, but I am going to give my time to Mr. Space to 
start the questioning because he is the one that was on top of 
this before anybody else, so we appreciate, Mr. Space, your 
diligence and hard work, and I will yield to you for 5 minutes 
or maybe give you a little bit of leeway.
    Mr. Space. Thank you, Mr. Chairman, for deferring your time 
to me as well as for agreeing to this hearing, and I would like 
to thank you, Mr. Christopherson, for testifying today.
    All of the Members of this Committee remember the situation 
that occurred with the Department of Veterans Affairs, and 
while that situation was disturbing, this security breach is in 
some ways worse. The Department put this personal information 
online through an overt act which is very difficult, if not 
impossible, to retrieve. These information security problems 
are nothing new at the USDA, unfortunately. The OMB, National 
Institute of Standards and Technology, and the USDA's Inspector 
General have all documented in numerous reports the history of 
poor performance when it comes to information security. The 
agency lost, I understand, 95 computers with access to personal 
information, according to the USDA's IG report a few months 
ago. The reason this latest security breach is so troubling is 
that farmers and ranchers live and die by their credit. If the 
agency put one of them at risk for identity theft, that would 
be potentially devastating to their businesses. I believe many 
farmers and ranchers already distrust the government, frankly, 
and this fiasco will prevent the USDA from accomplishing its 
mission to assist these producers.
    Mr. Christopherson, in your written testimony that had been 
delivered to the Committee prior to this hearing, you indicate 
at page five that before the revelations that occurred on April 
13 of this year, the USDA had already commenced working on 
eliminating unnecessary usage of Social Security Numbers as 
identifiers. The project of eliminating SSNs as identifiers had 
resulted in identifying over 29,000 people who had previously 
been identified with their Social Security Numbers, and the 
question I have for you is, when was that project started to 
start to eliminate Social Security Numbers as identifiers?
    Mr. Christopherson. What I will do is, I will actually 
defer part of this question to our Chief Information Officer 
that actually led that initiative. We have actively for this 
last year moved through a process to identify the areas of USDA 
and the systems that have this information in it. We are----
    Mr. Space. My question is, when was that project begun? 
When was it? I would like a date within a month or two when the 
project to eliminate Social Security Numbers as identifiers was 
begun by the USDA.
    Mr. Christopherson. Okay. I know this was within the June 
time frame, and----
    Mr. Space. I would like to know when it was begun. Your 
testimony indicates that prior to this event occurring, the 
USDA, you as well as the other gentlemen with you today had 
already commenced working on eliminating unnecessary usage of 
SSNs as an identifier at USDA. Simple question: When was that 
project started?
    Mr. Combs. I found my information, sir. It was June of last 
year that we began this process following the tremendous 
publicity, as you are aware, with the Veterans Administration 
incident that certainly raised the awareness of everyone about 
this particular issue. We initiated this, basically a re-review 
of all of our systems and looking where we use Social Security 
Numbers, with the view of eliminating unnecessary use back 
then. It is such a pervasive, broadly-found issue throughout 
the Department that it is not a short exercise to do that and 
so even today we continue to try to find places where these are 
unnecessarily used.
    Mr. Space. So it would have been about 10 months before 
April 13 that a process was begun to eliminate Social Security 
Numbers as an identifier?
    Mr. Combs. Yes, sir.
    Mr. Space. And apparently during that process over 29,000 
people's identifying information was changed from their Social 
Security Number to something else?
    Mr. Combs. Yes.
    Mr. Space. All right. Were any of those individuals posted 
on the Internet?
    Mr. Christopherson. No, not that we are aware of. None of 
those individuals were actually posted to the Internet. This is 
the first occurrence that we know about.
    Mr. Space. And your testimony indicates that upon discovery 
of the use of the SSNs on April 13, you immediately recognized 
that there was a problem and you were able to remove all 37,800 
numbers in 1 day from the Internet. Is that a correct 
reflection of your testimony?
    Mr. Christopherson. Actually we actually removed those from 
what is called the FAADS database, which is a public access 
database, and it was all the records for USDA at that time.
    Mr. Space. Okay. So you were able to accomplish that in 1 
day?
    Mr. Christopherson. For the FAADS database, which is 
actually held by the Census there, the executive group that 
manages that system, yes.
    Mr. Space. Right. So here is a question that I have for 
you, Mr. Christopherson. How or why is it that when you are 
aware of the problem but that knowledge is internal and not 
available to the general public, you are not able to identify 
and remove Social Security Numbers that are listed on the 
Internet over a course of 10 months from the time that you 
recognized that that may be a problem? Those names stayed on 
the Internet for 10 months. As soon as the problem gets 
disclosed to Congress and the general public at large, you are 
able to do that in 1 day. I have serious concerns about the 
oversight and the lack of prioritization and the lack of 
commitment to the Privacy Act that the USDA has displayed, not 
just with this but with the loss of 95 computers that contained 
non-encrypted information of a sensitive nature. I guess I am 
looking for answers as to why the only time the USDA seems to 
get serious about protecting people's privacy is when they get 
called.
    Mr. Christopherson. Actually, we are very serious about 
protecting people's information. The reason why this was not 
detected was, it was actually embedded in a 15 digit number. 
You know, if it was a nine digit number we would have picked it 
up right away. However this information actually was exposed 
for a longer period of time. We did go through and were 
actively checking for information that contained Social 
Security Numbers but it was embedded in a 15 digit number and 
was just not readily apparent.
    Mr. Space. But----
    Mr. Christopherson. Now, we are moving back to actually 
look at those factors again to make sure that we find all this 
information.
    Mr. Space. Mr. Chairman----
    The Chairman. Well, I will tell you what, the Ranking 
Member is here now and he has a statement, so we will give you 
some more time here in a little bit.
    Mr. Space. If there is time for that, Mr. Chairman. I do 
thank you for deferring your time.
    The Chairman. There will be time, and we will recognize 
you.
    Mr. Space. Thank you, Mr. Christopherson.
    The Chairman. I want to recognize, right now, the 
distinguished Ranking Member for a statement, and I am also 
going to let him ask a couple of questions, and maybe we just 
won't even run that thing right now so that it doesn't beep. It 
can be a useful thing that this is kind of like the Gong Show 
or something here to intimidate people but anyway, we are 
pleased to have the Ranking Member, Mr. Goodlatte, here. I will 
recognize him at this time.

 OPENING STATEMENT OF HON. BOB GOODLATTE, A REPRESENTATIVE IN 
                     CONGRESS FROM VIRGINIA

    Mr. Goodlatte. Thank you, Mr. Chairman. Thank you for 
holding this hearing.
    The discovery that the Social Security and tax 
identification numbers of more than 38,000 USDA customers have 
been posted to a publicly accessible Internet site is 
disturbing on many levels. This event is only one of several in 
which the personal identification information of farmers, other 
clients or employees has escaped the control of the USDA. In 
this case, however, the numbers were actually placed on the 
Internet where anyone could access them. Perhaps the worst 
aspect of this episode is that the original error occurred in 
1981 and that the data has been on the World Wide Web since 
1996. The number of questions that this raises is staggering. 
For example, is there any reason to believe that if a farmer in 
Missouri had not stumbled across her personal identification in 
a general search of references to her farm would USDA have ever 
found this problem? Does the Department know all the locations 
of information that they have officially shared or publicly 
made available? Do they know whether there are any other 
instances where personal identification information has been 
released? What steps are being taken to ensure that this does 
not happen again? These are the types of questions that our 
Committee will want answered in today's hearing. We should all 
take note that this event occurred in the midst of a major 
debate over producers surrendering large amounts of sensitive 
business and personal information in the livestock industry. 
The performance of the USDA in this episode certainly lends 
significant credibility to those who fear that their 
information will not be protected from release while in the 
hands of the USDA.
    Mr. Chairman, I hope that this hearing will provide some 
sense of reassurance to the millions of customers of the 
Department that episodes like this are not the status quo at 
the USDA; and that the U.S. Department of Agriculture is making 
a concerted effort to ensure in the future customers won't have 
to worry that their personal information will be showcased on 
the Internet.
    Mr. Christopherson, if I might ask you, I understand there 
are 250 information technology systems that have been developed 
at the Department over the years. How many of them contain 
Social Security Numbers as an identifier?
    Mr. Christopherson. That is approximately 56 of those 
systems contain that information.
    Mr. Goodlatte. Have all of these systems been evaluated to 
determine whether or not they contain a Social Security Number 
as an identifier? I take it from your answer to my first 
question that you have done that.
    Mr. Christopherson. That is correct.
    Mr. Goodlatte. And in your opinion, are any of these 
numbers at risk of release at this point?
    Mr. Christopherson. The only numbers that we show that have 
been released are these approximately 29,000.
    Mr. Goodlatte. And how long will it take to remove these 
remaining Social Security Numbers from these systems to ensure 
that events like this do not happen again?
    Mr. Christopherson. There are a couple of factors with the 
Social Security Numbers. Being a large loan and grant-making 
agency, we are required to pull in this information both for 
debt collection and various other reasons. This will take 
numerous years on some of these older systems to basically 
remediate and contain the information. Now, we do have plans 
associated with that, et cetera, but a lot of this information 
USDA will have for the life of its agency.
    Mr. Goodlatte. Well, what is the process for removing the 
numbers from the system? Do you have some other identifier that 
you can use to replace that with?
    Mr. Christopherson. We will be using other identifiers as 
we modernize these systems or as we adjust them to change.
    Mr. Goodlatte. How many unnecessary uses of Social Security 
Numbers as an identifier currently exist in the USDA system 
today?
    Mr. Christopherson. We don't fully understand or know 
exactly how many are actually unnecessary. These are old 
systems. In the 1980s, these were key indicators. What is 
important for us today is that we actually wrap internal 
controls around this information to make sure that it does stay 
in the systems and does not get exposed to the outside.
    Mr. Goodlatte. Thank you very much.
    Thank you, Mr. Chairman.
    The Chairman. I thank the gentleman, and those are good 
questions. I have got a couple questions but I will go down the 
line here first a little bit.
    Mr. Etheridge from North Carolina.
    Mr. Etheridge. Thank you, Mr. Chairman, and thank you for 
holding this hearing.
    It is quite obvious from the questions thus far, Mr. 
Christopherson, that there is concern certainly on this side of 
the table, and I hope you can clear up some confusion. 
According to a report and your answer thus far relating to this 
incident, the numbers were found of course as you already said 
by a farmer on the website, federalspending.org, which really 
is a nonprofit group who sort of keeps an eye on OMB. So was 
this not actually a USDA website conveying this information or 
was it linked to a USDA website? Can you clear that up?
    Mr. Christopherson. Yes. Federalspending.org is actually a 
public website or an awareness website for the public. It is a 
not-for-profit or private website.
    Mr. Etheridge. So it was linked to USDA?
    Mr. Christopherson. It receives its information from what 
is called the FAADS information, which is actually held by 
Census and we feed that information into this public database 
to make it available.
    Mr. Etheridge. Okay. With that answer then, this was a 
private website that----
    Mr. Christopherson. It was a private website.
    Mr. Etheridge. All right. That USDA had been working with 
to provide information about program users ought to be a 
concern to all of us and should have been a flag to USDA all 
along. We have seen from time to time again how the rush to 
privatize federal workers at USDA and hire contractors often 
results in the work just not getting done in a timely manner. I 
know this is an ongoing problem with our FSAs because their 
websites tend to be down quite often. Can you enlighten me as 
to how much of the IT functions at USDA are being farmed out to 
private contractors at this time?
    Mr. Christopherson. First I want to clear up something 
here. The information that is on this private website is 
actually requested and is by law available to them by what is 
called the Federal Award Assistance Data System. I want to make 
sure that is very clear that they have access to this, 
lawfully, to request this data. On the question when it comes 
to how much of our IT function is by contractors, I will be 
happy to actually submit that to the record. I don't have that 
full information here today.
    Mr. Etheridge. Do you have any idea what that number might 
be?
    Mr. Christopherson. I don't. I don't have any idea exactly 
what that number is and I would hate to actually throw out an 
estimate for this Committee.
    Mr. Etheridge. That is troubling in itself for someone who 
is in charge of finances and does not know in dealing with the 
IT how much of it might or might not be. I think this ought to 
be a cause for concern for this Committee and you ought to be 
concerned yourself and the Members seated adjacent to you if 
you have no idea how much of it we are putting out on private 
contract. But I hope you will provide that to this Committee in 
writing.
    Mr. Christopherson. I would be happy to.
    Mr. Etheridge. I will make that request, Mr. Chairman, 
because I think that is important for us to have.
    Mr. Christopherson. And the complexity behind this answer 
is actually dealing with, we actually have contractors in-house 
that supplement our employee base. We have contractors that are 
actually contracted out under a formal contract as a section of 
this information where we have very clear and distinct 
requirements for these contractors. So this is actually a 
complex question and will require a fairly lengthy answer to 
actually address this.
    Mr. Etheridge. Well, you have gotten a little bit deeper 
into it then. As you give that answer, would you divide that up 
so we can know how many are in-house contractors, how many 
outside contractors, how many of them are under contract and 
how those contracts are drawn, whether they are open-ended 
contracts or whether they are contracts that are for definite 
periods of time with open bids and their bid contracts.
    Mr. Christopherson. We would be happy to provide that.
    Mr. Etheridge. Thank you, Mr. Chairman. I yield back.
    The Chairman. I thank the gentleman. Mr. Conaway.
    Mr. Conaway. Thank you, Mr. Chairman.
    Gentlemen, I appreciate you being here today. I compliment 
you on your forthrightness. I appreciate that. Looking at the 
USDA's response as shown on page 10, it looks to me like you 
have done everything you need to do to protect anybody who 
might have been harmed by this. Any evidence that over the 11 
years this information was on the Web that anybody was harmed 
as a result of these 15 digit numbers being available to the 
public?
    Mr. Christopherson. No, we do not have any evidence of 
that.
    Mr. Conaway. Okay. Anybody make any claims? Anybody call in 
on the 24 hour hotline yet, questioning USDA?
    Mr. Christopherson. No, nobody has actually made any claims 
that that----
    Mr. Conaway. So the 39,000 folks out there that got a 
letter saying that their embedded nine digit Social Security 
Number was in a bigger 15 digit number had been available for 
11 years, those 39,000 so far, they have been relatively calm 
about their response?
    Mr. Christopherson. Right. Actually what happened is, we 
had very little response up until they actually started to 
receive the letters. Even with the press information that had 
been released----
    Mr. Conaway. No, but until they get a letter though, they 
don't know that their name was on the list.
    Mr. Christopherson. Right.
    Mr. Conaway. But they now have it? You are managing those 
responses?
    Mr. Christopherson. We are. We have set up an 800 number 
for them and allowed them to call in and have ample questions 
and----
    Mr. Conaway. All right. Who is providing the $20,000 
insurance policy? Is that self-insured by the agency or did you 
buy those policies somewhere else?
    Mr. Christopherson. No, that was actually part of the 
service that we are providing these people so we are not self-
insuring. It is actually part of the fee that we pay into the 
service.
    Mr. Conaway. Okay. The response service?
    Mr. Christopherson. Right.
    Mr. Conaway. Let me ask you something else. On all of your 
systems, I would suspect you would have had various levels of 
backup copies, and is it part of your overall review since June 
as well as the review on this system, are you confident that 
you have purged all of the backup systems the same way you have 
purged the current operating system that you are using?
    Mr. Christopherson. This information, as we have gone out 
to assess this information previously, it does address the full 
system, including backups of this information.
    Mr. Conaway. All right. Again, I compliment you on your 
response and the level of attention you have given to it on a 
go-forward basis.
    Mr. Chairman, I yield back. Thank you.
    The Chairman. I thank the gentleman.
    I recognize Mr. Boswell.
    Mr. Boswell. Thank you, Mr. Chairman.
    You have briefly covered some of this; but in your 
testimony you stated the information provided to the Farm 
Service Agency and Rural Development to the public website 
contained the 38,000 individuals. Is that an isolated event?
    Mr. Christopherson. That is an isolated event according to 
this, you know, these Social Security Numbers that are in this 
15 digit number.
    Mr. Boswell. How do you know that this information was not 
offered to other public websites?
    Mr. Christopherson. We do not know that it has not been 
offered to other public websites but let me tell you what we 
have done pertaining to this. We have actually pulled the 
information on those that actively receive this as a mailer, or 
have actively received this as a link, or have actively 
received this as a download. Those people have been contacted. 
We haven't been able to fully contact all of them but we have 
actively tried to contact them. We will continue to try to 
contact them. It is approximately 92 different groups. We will 
make sure that we will----
    Mr. Boswell. So you have got an ongoing process trying to 
contact the affected individuals?
    Mr. Christopherson. We have an ongoing process to try to 
work with----
    Mr. Boswell. Would you say you are 75 percent complete?
    Mr. Christopherson. On the actual 92 different groups, we 
probably have contacted and actually spoken to I think the 
number is around 38 at this point.
    Mr. Combs. It is over half of them.
    Mr. Christopherson. Right, and the rest of them we actually 
have messages. Anyway, that is about where we are at.
    Mr. Boswell. You mentioned that the affected individuals 
can opt into identity theft protection and will be insured. 
Will this be retroactive?
    Mr. Christopherson. This will be based on the policy that 
we have actually received from the vendor. I believe----
    Mr. Boswell. So what is----
    Mr. Christopherson.--it is actually retroactive. I think it 
is actually for the period of time that they are opting in and 
setting themselves up, but we will actively, for a period of 
time, try to pull in as many as we can of these farmers and 
continue our outreach efforts to sign up as many as we can.
    Mr. Boswell. Since this information has been available for 
quite some time, say someone has been a victim of identity 
theft and can trace it back to information that USDA provided, 
will they be covered by this policy?
    Mr. Christopherson. I think as those instances come up, we 
will have to look at them as each independent instance. This 
issue of identity theft is a broad issue right now. Like I 
said, we regret that this happened and that it has been out 
there for a period of about 26 years that people could actually 
either by CD or by public website pull this information in, but 
we will look at those independently if they actually do----
    Mr. Boswell. Have you had any requests for that yet?
    Mr. Christopherson. We have not had any requests for that 
as of yet.
    Mr. Boswell. Okay. Thank you, Mr. Chairman. I yield back.
    The Chairman. I thank the gentleman.
    Mr. Walberg.
    Mr. Walberg. Thank you, Mr. Chairman.
    Just one basic question. I appreciate you being here and 
testifying and I appreciate the efforts you are taking now. 
This is something that has gone on for some time. It goes back 
a number of years but the impact is now and into the future. My 
office was contacted by one of these recipients and after 
receiving the letter that you sent out, which was appreciated 
by my constituent, however, he was very much concerned when he 
called the number and he got the answer that he would have to 
wait for a couple weeks until they came up with a process. It 
seems to me like it is not a good thing to send out a letter 
informing of the issue if the process isn't in place to handle 
it. Ultimately he was contacted back after our office made 
contact with the Department. So do you have a response to that? 
Is this just one strange experience that took place or you have 
had other indications that people who do use your 800 number 
and call now are receiving information that we are not ready to 
deal with it, wait a couple weeks and we will provide the 
information?
    Mr. Christopherson. Well, let me tell you a little bit 
about the process. We actually--this was a conscious decision 
to notify these people as soon as we possibly could. One of the 
things that we wanted to do was to make sure that those who are 
not affected individuals fully understood that they were not 
affected. We wanted to make sure that the pool of those 
affected understood that they were affected. Now, the 
procurement process for these services takes a little bit of 
time and we were able to do that fairly fast but it was 
important that we actually did notify these people. Those 
letters went out approximately a little over a week ago. Now, 
the letters pertaining to the service and the setup, et cetera, 
have been drafted. They are in the process of moving out. They 
have started the process of moving out. It takes about 3 days 
to send this number of letters out. So those of your 
constituents in your area will receive those letters shortly 
and it will be very detailed with the information to say this 
is how you set it up, this is the code that you use and these 
are the services that you will be provided including if 
something was to happen to your identity or that information 
was actually compromised, here is a group that will help you 
get that back.
    Mr. Rutherford. Excuse me. Can I add something?
    Mr. Walberg. Sure.
    Mr. Rutherford. I believe I actually spoke to your 
constituent on Monday evening and explained pretty much what 
Mr. Christopherson just said, but also that we were starting 
the process of mailing the second batch of letters which would 
explain the process for enrolling in the credit monitoring 
service. In terms of the difficulties that he had with the 800 
number, it is the communications challenges that we have been 
working out. We think we have gotten those corrected as far as 
the information that is passed on and they are making sure that 
the number is updated on everything that we are doing.
    Mr. Walberg. Thank you. Thanks for your answer.
    The Chairman. I thank the gentleman.
    Mr. Salazar.
    Mr. Salazar. Thank you, Mr. Chairman.
    Mr. Christopherson, you talked about notifying these 
individuals who had been affected and you talked about sending 
out a letter 15 days ago or 2 weeks ago. Did you notify these 
individuals immediately or how quickly did you notify them when 
you found out what the problem was?
    Mr. Christopherson. What we did is, it actually happened 
about 7 days ago, so that we are clear. As soon as we could 
actually narrow it down to the people that were actually 
affected and that took some time to get through these three 
million records, we did have a letter that was ready to go. We 
merged those in and we sent those right away. So we sent that 
as soon as we possibly could so that those who would be 
concerned over this and they were not affected would know as 
well as those who were affected would also know.
    Mr. Salazar. Okay. And are you able to pinpoint where the 
problem actually occurred and did you do any kind of 
disciplinary action with the individuals who would ultimately 
be responsible, whether your IT people or----
    Mr. Christopherson. This exposure was over a long period of 
time, about 26 years. This was an embedded number that was in a 
larger field. As we look back through the scenario, this was a 
15 digit field that wasn't easily recognizable as an issue and 
that that information was sitting out there. It had been 
undetected for years and years and years. Now, as my testimony 
shows we did issue a number of directives in this last year to 
address these type of situations where we said, ``You need to 
go through your systems and look for this and this and this and 
this.'' We are reevaluating obviously those directives that we 
sent out. We will look to see how this problem made it through 
and we will make sure that we don't have this issue again.
    Mr. Salazar. Okay. And for those who weren't affected on 
this one specific instance, if someone was to call your office, 
say myself as a member who participates in some of your 
programs, could you definitely be able to tell people that my 
information has not been compromised?
    Mr. Christopherson. As you call in and you give your name, 
then we actually will go through and say you are not on the 
list.
    Mr. Salazar. Thank you, Mr. Chairman.
    The Chairman. I thank the gentleman.
    Mr. Moran.
    Mr. Moran. Mr. Chairman, thank you very much. First of all, 
in my absence you mentioned my request for a hearing in regard 
to IT services at FSA-USDA, and I just would like to reiterate 
the importance of us providing necessary oversight and the 
Department of Agriculture making certain that the computer 
systems, particularly the servers, are adequate for meeting the 
needs of farmers, their customers. I continue to have 
significant concerns that the difficulties we are experiencing 
at FSA in regard to, at the moment, advanced direct payments is 
only the tip of the iceberg. I am worried that some 
catastrophic event may occur in which USDA is incapable of 
providing necessary services in any reasonable amount of time 
for farmers and ranchers across the country.
    The Chairman. Will the gentleman yield?
    Mr. Moran. Absolutely.
    The Chairman. We have been undertaking a considerable 
amount of background work, some of which I have been given 
today, but as soon as we get a little more of that pulled 
together, we will be proceeding to some kind of a hearing. But 
I want to make sure I know enough background before we get to 
that point.
    Mr. Moran. I thank the Chairman and I know that you have 
expressed to me you have concerns about the computer 
capabilities at the Department of Agriculture and again 
reiterate that I think the issues may turn out to be very 
serious.
    In regard to the hearing today, the specifics of the 
release of information, I just want to make certain I 
understand what it is that USDA has done wrong. My 
understanding is that the mistake made was the inclusion of the 
Social Security Numbers identifying individuals within that 
larger number and that was the error on the part of USDA. USDA 
has not, as I understand the testimony or understand the facts 
regarding this, has not disclosed this information 
inappropriately. In fact, by law you are required to provide 
that information to the Census Bureau and it is only through 
access to Census Bureau information this website has been able 
to obtain this information. Is my understanding correct?
    Mr. Christopherson. We are required to provide to Census 
Bureau information concerning the grants and loans at the 
Department of Agriculture. This number was embedded into a 15 
digit number. Disclosing the Social Security Number wasn't 
appropriate for our policy. Now, we do need to provide 
information and have people have the ability to access that 
information in question through FOIA and other things that 
information concerning grants and loans.
    Mr. Moran. This instance, the website did not obtain the 
information from the Department of Agriculture but from the 
U.S. Census Bureau which USDA was required to disclose to the 
Census Bureau. Is that true?
    Mr. Christopherson. We are required to disclose the 
information to the Census Bureau. The Census Bureau is actually 
the group that handles it for the government-wide initiative.
    Mr. Moran. And no problems would have arisen here but for 
the Social Security Numbers being inappropriately embedded? 
That is not the right way of saying that. Inappropriately 
discoverable in this embedded number. Had that not occurred, 
then the problems that we are describing today would not have 
occurred?
    Mr. Christopherson. That is actually correct. Having the 
Social Security Numbers embedded is the issue that is 
incorrect, actually sending the information to the Census 
Bureau is not. We are required to do that.
    Mr. Moran. Thank you very much, and I yield back, Mr. 
Chairman.
    The Chairman. I thank the gentleman.
    I am now going to recognize Mr. Space for his own time. I 
gave him my time earlier.
    Mr. Space. Thank you again, Mr. Chairman.
    Mr. Christopherson, I want to ask you a couple quick 
questions about the letter that went out. When did that letter 
go out? Do we have a date that that letter went out to those 
affected?
    Mr. Christopherson. Those affected, it actually went out a 
week ago Monday.
    Mr. Space. Did they go out by certified mail? Was there any 
indication that we will have or that your agency will have 
concerning who was noticed and who wasn't?
    Mr. Christopherson. They actually went out first-class 
mail. The address service was requested so that if it is not 
deliverable, then the post office will provide us with a slip 
that says this is not deliverable, or if it was forwarded to a 
new address, they will provide us with a slip saying that this 
is the person's new address so we can track them.
    Mr. Space. All right. Do you have any idea as to the 
percentage of people on that list that you have received a 
response indicating it was undeliverable because they have 
changed addresses?
    Mr. Christopherson. Right now we have approximately 25 
people that it has been returned saying that we need either 
additional information or they have changed addresses.
    Mr. Space. And I want to clarify something in response to a 
question asked earlier. You indicated that you are still 
working on eliminating these numbers from, we will call it an 
account number. I guess my question is, is there still public 
access in one means or another out there to these embedded 
account numbers?
    Mr. Christopherson. I don't believe that there is public 
access out there, and like I said, these systems are very old. 
They have been designed where the Social Security Number was a 
primary field in these, just like in the 1980s even into the 
1990s. I can remember at the grocery store having the Social 
Security Number on my checkbook to provide to the cashier. Now 
our world has changed and we are working to adjust these 
systems but no, we do not know of any other instance where this 
information has been disseminated out to the public.
    Mr. Space. And is your office investigating the possibility 
that that has happened through, for example, encryption on a 
mortgage? I know a lot of these accounts had to do with loan 
payments. Has your office begun investigating whether there are 
unintended releases of information out there that you haven't 
even given consideration to?
    Mr. Christopherson. We have actually done that evaluation 
in the past and we are going back again to reevaluate to make 
sure that any and all information that is going out is clean 
information. We don't know of any information that we have sent 
out in this form.
    Mr. Space. In this case, it is not a situation where you 
didn't know that these problems were out there, and you fixed 
them when you found out. Based on the testimony that you have 
offered as well as the audits by these other agencies, my 
impression is the USDA has known about these problems for 
years, certainly should have known about them, has not taken 
security as seriously as it should. It has not developed a 
commitment to adherence with the Privacy Act. And my question 
for you is this: Does the USDA need additional authority from 
this Congress, tools or resources from this Congress that will 
ensure the security of our farmers' and our ranchers' personal 
information and make sure that the USDA does in fact or is in 
fact able or willing to comply with the privacy laws?
    Mr. Christopherson. We are actively addressing this issue. 
Over this last--as my testimony actually says--we have actually 
sent out about seven directives to our agencies to both 
evaluate the information that they have as well as address 
information when it comes to their desktop, to provide training 
in that information. That is a very key step to make sure that 
this information is contained.
    Mr. Space. Are you getting the resources from Congress that 
you need to ensure that the privacy of these individuals is 
being protected?
    Mr. Christopherson. At the current time, I believe that 
they are. The President's budget amply lays out the funds 
needed for this type of a project.
    Mr. Space. Thank you, Mr. Christopherson.
    Thank you again, Mr. Chairman. I yield back.
    The Chairman. I thank the gentleman.
    Mr. Graves.
    Mr. Graves. No questions.
    The Chairman. Ms. Herseth Sandlin, you are next if you----
    Ms. Herseth Sandlin. Thanks. I didn't know it was so close 
to me asking questions.
    I have a question for Mr. Combs. You know, Mr. 
Christopherson, you mentioned in response to an earlier 
question the situation of what happened with the VA and the 
loss of records that were on a laptop. A few of us on this 
Committee also serve on the Veterans Affairs Committee, and 
during all of the oversight that we did on that issue; not just 
once the laptop was retrieved, was the information accessed and 
used for identity theft purposes; which thankfully there was no 
evidence to that effect, but what type of information security 
measures have been undertaken at our various agencies. In the 
case of the VA, and one of the things that we found was that 
past chief information officers at the VA were very frustrated 
with the bureaucratic barriers that they encountered in the 
agency to actually implement certain controls and other 
security measures over the past few years, and there was 
reference made earlier about these are old systems and this was 
a number embedded in a field. Mr. Combs, has there been any 
instance in which you feel that you could have been able to 
identify it rather than someone out viewing this public website 
that there was a problem with one of the older programs or the 
older system with a Social Security Number being embedded in 
the field because of any barriers that you have faced in 
implementing your recommendations and various security measures 
at USDA?
    Mr. Combs. That is a very good question. USDA and my office 
and the network of security folks that I work with throughout 
the Department, as you may know, is a federated approach where 
there are 29 agencies and offices and we now have a very close 
working relationship with all of these agency CIOs. Even though 
they don't report to me we have a very close working 
relationship. My office issues policies and requirements to 
survey systems, to comply with FISMA and all of these aspects 
of security. I will have to say that I have really experienced 
no resistance from the cadre of folks that I deal with 
throughout the Department. Even though they don't report to me, 
that is not really an issue. We are working as a team. They are 
a very good group of people who are as concerned about IT 
security as I am, and it is just a very complex problem and we 
are very sorry that we did not pick up this one particular kind 
of exposure here. It just slipped through the net that we put 
out. But we are doing many, many things to tighten up our 
security. We are putting in system, what we call defense in 
depth where there are many layers of security so that people 
can't get into our systems. Just yesterday we had almost 20,000 
people attempt to hack into USDA systems. Well, our defense 
caught that and blocked it. But I really can't say that I have 
had any resistance to these many directives and efforts that we 
are making. It is a pretty complex process to try to corral all 
of these problems because, as you know, Social Security Number 
is used in almost every financial system in the Federal 
Government because of the reporting requirements. So the bottom 
line is, no, I have not really seen the, ``bureaucratic 
resistance'' to what we need to do at USDA.
    Ms. Herseth Sandlin. And how long have you been the Chief 
Information Officer at USDA?
    Mr. Combs. Since October of 2004, I believe.
    Ms. Herseth Sandlin. And I am pleased to hear that you 
haven't experienced that kind of resistance that your 
counterparts in other agencies perhaps have. The other part of 
my question was, is there anything then as a matter of 
resources that could have been done, not so much in protecting 
the existing systems but going back to older systems that seem 
to be part of the reason why this problem eluded the agency for 
11 years in terms of detecting it, you and your cadre of folks. 
Where could you have identified this problem had you had 
sufficient resources or other authorization that you need from 
this Committee?
    Mr. Combs. I believe that one of the processes that we used 
in the past was one that was a very detailed questionnaire, but 
in hindsight now we see there were some questions that we 
needed to ask. It is called a Privacy Impact Assessment and 
there are some specific questions that we will now be adding to 
that so that something cannot be misinterpreted or just treated 
as general. So we will be tightening that up, and that process 
is one of education and learning from our mistakes or our 
issues that we run into.
    Ms. Herseth Sandlin. Thank you, Mr. Chairman.
    Thank you for the testimony.
    The Chairman. I thank the gentlelady.
    Does the gentlelady from North Carolina have any questions?
    Ms. Foxx. No, sir.
    The Chairman. Mr. Walz?
    Mr. Walz. Thank you, Mr. Chairman, and thank you, Mr. 
Christopherson, and gentlemen for coming today and I appreciate 
the complexity of the issue you are dealing with and your 
striving for excellence is appreciated. I know it is a tough 
job. The issue is with personal information security. It is 
pretty much a zero-sum game though. If you lose it, you lose it 
and it causes problems and we all know that. My question is 
somewhat I guess segueing with the gentlewoman from South 
Dakota's question. I also sit on the Veterans Affairs Committee 
and we have been through this numerous times. I am one of the 
people who received one of those 26 million letters last year, 
and to sit in there several weeks ago and listen to the people 
from the VA tell us that since that time the incident that lost 
26 million, we have had in excess of 100 such breaches of 
security that lost personal data. This was after all the 
scrutiny had been brought down on them. It had been when their 
resources were reallocated and everything. We are still having 
that.
    My question is maybe a little broader and to ask you with 
your experience on this, is there any sharing of lessons 
learned and best practices amongst agencies in the U.S. 
Government, or are you convinced that the systems technology 
that you have is so vastly different from the VA that the 
protocols they are following or not following would not apply 
to you? I am just wondering what type of sharing happens 
amongst agencies when it comes to IT.
    Mr. Christopherson. Well, I will let Mr. Combs answer a 
piece of that because obviously the CIO's organization has the 
ability to share information and I know that they do. As well 
as the information between the CIOs, I can tell you that we 
read reports and information from various aspects of the 
government to understand where this information actually gets 
disclosed, et cetera. This is a learning game obviously. These 
people out there are smart that look at these systems. We are 
constantly on the educational phase of this to make sure that 
we can stay ahead of the game.
    Mr. Walz. And who does your internal audits and oversees 
internal IT? What is the entity that does that internally 
inside USDA?
    Mr. Christopherson. That is our OIG, the Inspector General 
group.
    Mr. Walz. Okay. And you think they are fully funded? The 
problem we had in the VA system was that they told us when we 
asked them, ``Do you have the resources to do all the 
inspections you need,'' they said no point blank. And then we 
asked them, ``If they were seen as a part of the solution or if 
they were seen as a watchdog to keep at arm's length,'' and the 
answer wasn't quite as I would have liked it to be. How do you 
think the IG is viewed inside USDA?
    Mr. Christopherson. I can tell you, we work closely with IG 
and they have a high-quality group. Some of our audits and 
those type of functions are actually procured on the outside 
with large firms because we are a large agency. We have a lot 
of work that has to be accomplished when it comes to the audit 
functions but our Inspector General's group is a very high-
quality group. They seem to be very knowledgeable. They 
actually bring a lot to the plate as we have these discussions 
and we are actively moving forward with them.
    Mr. Walz. Super. I appreciate your time and your answers. I 
yield back, Mr. Chairman.
    The Chairman. I thank the gentleman.
    Mr. Donnelly.
    Mr. Donnelly. Thank you, Mr. Chairman.
    During the testimony, we are looking at completing 
inventory of the systems, memos are dated back to June of 2006, 
and I guess the question I have is, is how did we miss it when 
somebody found it on Google?
    Mr. Christopherson. This was actually, it was embedded in 
this 15 digit number. Unfortunately it was the one area that 
was missed. This information as we look back at it was an 
automated function. It sent out the information. We looked, we 
didn't see any other areas inside of USDA where we had this 
issue. Now, that being said, we are going to go back and re-
evaluate all the information that we send outside as well as 
the systems again. We are not happy that this happened. I 
realize that Congress is not happy but we are very unhappy. We 
have worked hard over this last year to try to make sure that 
we had the regulations, the training to make sure from the 
systems to the process to the desk procedures, that everybody 
understood what their responsibility was and that this 
information was evaluated.
    Mr. Donnelly. The IT services, are any of them contracted 
to a private company at this time? Because I am on the Veterans 
Committee as well. One of the things we saw in Walter Reed that 
there were private contracting issues in a lot of the 
difficulties there. I was wondering if we are doing private 
contracting of our IT services at the USDA.
    Mr. Christopherson. We do do some private contracting of IT 
services and we have agreed that for the record we would 
actually disclose information concerning those contracts. In 
some aspects and especially this is one of them, to have 
actually contractors that specialize in this is very important. 
Part of my background is actually as an executive responsible 
for a private entity that was specialized basically for our 
customers trying to break into their systems. It is very 
specialized. It is very expensive labor who does this and it is 
very important that we have services like that retained. So 
there are instances where this becomes very important in a 
skill set in order to have it contracted and available.
    Mr. Donnelly. So it is not a skill set that we went private 
to save a few bucks, it is that they have some skills that we 
may not have internally in the USDA?
    Mr. Christopherson. That is correct. So in other words, 
what would happen would be that because this is ever changing, 
it takes a breadth of experience, they learn things by working 
with multiple customers. It is important at times that we do 
have these groups that are available to provide this service 
versus having our internal groups that see the same thing day 
in and day out.
    Mr. Donnelly. When I go home this weekend and talk to some 
of the farmers back home in Indiana, how do I restore their 
faith in this system when they say, ``Joe my information is 
right there online,'' how do we rebuild that confidence?
    Mr. Christopherson. Like I said, we regret that this 
happened. I realize that regret doesn't actually help out the 
producers out there but we are taking all the steps that are 
available to us in order to take care of this.
    Mr. Donnelly. So we tell them we are in full speed on 
fixing that?
    Mr. Christopherson. We are on full speed on fixing that.
    Mr. Donnelly. My last question would be, one of these loans 
that comes through and it happens today, and I apologize if I 
missed this earlier but what would I find on the computer today 
for one of these loans or disclosures that is out there?
    Mr. Christopherson. We have actually redacted that field 
out of the system at this time and we are looking at what kind 
of a numbering system we are going to use to replace that.
    Mr. Donnelly. Okay. So everything, if you go on that site 
now, they are all gone?
    Mr. Christopherson. They are all gone.
    Mr. Donnelly. Thank you very much.
    Thank you, Mr. Chairman.
    The Chairman. I thank the gentleman.
    I am going to invoke the chair's prerogative here to ask 
one question because the Ranking Member and I have kind of the 
same question. In your statement here, you say that pursuant to 
the direction from OCIO last summer, that USDA agencies 
searched for the presence of Social Security Numbers in the 
system but the FAINs eluded attention because the sensitive 
information was not readily apparent when viewing the 
aggregated data. It is hard for me to understand how you could 
have looked at this and not seen it. Is it because you had the 
computers look and the computer couldn't figure this out? If 
somebody, if an actual person would have looked at this, it 
would have probably jumped out at you if you would have seen 
it. You know, how did that happen? How could you be actually 
looking for this since last summer and it gets missed?
    Mr. Christopherson. Well, during our reviews we were 
actually fairly specific in the way that we asked for the 
information in the questions. We may have been too specific.
    The Chairman. But was it just done by computer?
    Mr. Christopherson. No, it was actually just done by 
computer. It was actually accomplished by our IT professionals.
    The Chairman. No, but I mean, did anybody actually look at 
any of this stuff or did you just run a computer program trying 
to identify it?
    Mr. Christopherson. No, people actually did look at the 
stuff, but it just was not in the format that if you were to 
look at it that it was very apparent. It took a number of 
years. This has been out there for a long period of time and 
obviously personal information--
    The Chairman. But how could it be in a format so this 
person whoever discovered this could figure it out and you guys 
couldn't?
    Mr. Christopherson. Because this person actually knew their 
number and so as they were looking, they saw their number in 
there and they alerted us. You know, once again, like I said, 
we are going back to look at our procedures and we are 
addressing this as we look to go forward. We will review, we 
will look, we will review again and look again.
    The Chairman. Well, so, because there were numbers ahead of 
the Social Security Number and numbers after the Social 
Security Number, it just looked like one big long 15 digit 
number? Is that basically what the deal is?
    Mr. Christopherson. That is actually correct. There are 
numbers in this field. There are 15 digit numbers and by just 
looking at it blankly, if you didn't know, if it wasn't your 
number that was in there, it is not necessarily fully apparent.
    The Chairman. I guess I can see that, although being a CPA 
and having looked at Social Security Numbers on thousands and 
thousands of tax returns, I probably would have figured it out, 
but there might not be many people like that.
    Mr. Christopherson. There actually is a copy of what the 
number would look like, Mr. Chairman.
    Mr. Combs. Mr. Chairman, if I may, let me show you an 
example of--I don't know whether you can read it there or not 
but this is a 15 digit number and can you see the numbers in 
there, Mr. Space? Do you recognize anything in there?
    The Chairman. That is too far away for me to see.
    Mr. Combs. Let me show it to you again. Here is the same 
number but I have highlighted in yellow. In the middle of this 
number is the telephone number of the switchboard for the House 
of Representatives, and those of us who have called that number 
would probably look at that and say, ``Oh, that is the switchboard 
number.'' But if you didn't know that, this is just 15 digits. 
And so that is the theory. If it is not your Social Security 
Number, it is just 15 digits.
    The Chairman. I can see that, but like in my part of the 
world, I suppose you have to look at four or five of them but 
the Social Security Numbers, the first three digits are all the 
same generally. They are within a range. And so people that 
deal with it a lot probably would see it after looking at four 
or five of them. I suppose if you were sitting out here in 
Washington and looking at Social Security Numbers in some 
states, you would not correlate it. So that is why the eyes on 
didn't come up with anything. And the computer, you didn't run 
any computer programs to see if you could identify any Social 
Security Numbers? Why wasn't that done?
    Mr. Combs. The embedded nature of this is the issue.
    The Chairman. You wouldn't have been able to pull it up?
    Mr. Combs. There are programs that in hindsight now you can 
search, there are ways to search for embedded information but 
we did not have that tool available to us, no, sir.
    Mr. Goodlatte. I just want to clarify. So in other words, 
the woman who I cited in my opening statement who looked on the 
Internet, did a search in her name and her name showed up with 
a number after it, she was looking at a 15 digit number, not a 
nine digit number?
    Mr. Christopherson. She was looking at a 15 digit number 
without any dashes or anything like that in it.
    Mr. Goodlatte. And noticed that her Social Security Number 
was contained within those 15 digits?
    Mr. Christopherson. That is correct.
    Mr. Goodlatte. Do you know what the other six digits 
represented?
    Mr. Christopherson. It had to do with the county offices 
and the state number.
    Mr. Goodlatte. Thank you, Mr. Chairman.
    Ms. Foxx. Mr. Chairman?
    The Chairman. The gentlelady from North Carolina.
    Ms. Foxx. I have thought of a question I wanted to ask. Did 
I hear you all say that the creation of these numbers first 
occurred 11 years ago? Is that what you said?
    Mr. Christopherson. I believe it actually occurred, from 
what my staff has briefed me on, about 26 years ago, if not 
before that.
    Ms. Foxx. So there have been several Administrations since 
this number was created?
    Mr. Christopherson. It has been several years since this 
number has been created.
    Ms. Foxx. Okay. Thank you.
    The Chairman. I thank the gentlelady.
    The gentleman from North Dakota, Mr. Pomeroy.
    Mr. Pomeroy. Mr. Chairman, I thank you for this hearing and 
I appreciated your line of questioning.
    This isn't something that maybe would have come to light at 
30,000 feet but somewhere in USDA someone is in charge of these 
databases. That is their job, their job is to make sure that 
you are not revealing taxpayers' sensitive information in any 
way and so it is not really a matter, Mr. Combs, of looking at 
a number on a page and whether a layman in 2 seconds is going 
to draw anything from it or not. Someone didn't do their job. 
You pay someone to make sure these databases are appropriately 
maintained and to protect the public information concealed 
behind those databases and somebody didn't do their job, and I 
trust that USDA feels bad about it. I know the professionalism 
of the men and women that work there, but it is completely 
unacceptable, and I tell you, there is a lot of concern out 
there about just who and what is going after these numbers. 
Now, I understand you have a universe of 92 people that have 
taken these numbers, some set of folks that have these numbers, 
downloaded them. I would like to know a little more about your 
investigation into who has these numbers and why they have them 
and are you getting them back without them having been copied 
in the meantime.
    Mr. Christopherson. This database actually--people who have 
these numbers, one of them is obviously the watch group that we 
had discussed earlier. A lot of them have to do with states and 
universities that have this information. We have actively 
contacted them.
    Mr. Pomeroy. I want to know, is the number 92?
    Mr. Combs. I will be happy to answer that.
    Mr. Pomeroy. Sure, Mr. Combs.
    Mr. Combs. The number of entities that were on a 
distribution list from the Bureau of Census for the FAADS 
database of which I believe even Congress, states and a lot of 
them were government entities, but there were 92 of those who 
subscribe to a regular distribution every quarter of this FAADS 
database from the Bureau of Census, and it is those people and 
entities that we have contacted. We have attempted to contact 
all 92 of them. Some of them are from years and years ago so 
they are bad numbers and so forth. But every one of those to a 
person and an entity that we have contacted has agreed to 
destroy or certainly redact the information that they had 
received. They appreciated the problem. And on the other side, 
the concern is, are there other websites or entities that may 
have gotten this information, and my organization has contacted 
all of the major search engine companies, every entity we can 
think of that might have had a reason to download this same 
database and put it up someplace. I have personally contacted 
about eight senior executives within these major corporations 
and they have gone back and searched and came back to me and 
affirmed that they did not or they could not find any reference 
to where this data was available. So as we discover new places 
to look and ask, we are not just assuming, we are picking up 
the phone or e-mailing or every means we can to contact these 
people and make sure it is not there.
    Mr. Pomeroy. I appreciate that and I think that we would 
appreciate, I would put in a request that you submit to the 
Committee a follow-up based on the universe of 92 and what has 
been the conclusion. I don't even care if you name the 92 or 
not but just how many, has this been resolved, how many are 
still in discussion, how many haven't been contacted.
    Mr. Combs. We will be happy to do that, sir.
    Mr. Pomeroy. Now, where are you on the project with the 92?
    Mr. Combs. At the current time, we have basically attempted 
to contact all of them and have sent out some--some of them we 
had e-mail addresses for and we have not heard back from. I 
would say our activity on the contacting, the proactive part is 
finished. We have done every possible method of communicating 
with these folks that we can. It is the hearing back from some 
of them that we have--we need to close the book on that at some 
point.
    Mr. Pomeroy. My own thought is, the sensitivity of this 
information is of a high enough concern to where personnel 
ought to get on airplanes and go fly down and track some of 
these people down or however you might work it through offices 
in the states. Let us get that completed.
    Mr. Christopherson. We agree. As of our briefing this 
morning, about 65 percent of these people were actually 
contacted, and just to set the record straight, it wasn't this 
person's actual Social Security Number that was embedded that 
has contacted us. It was actually their employer ID number that 
is actually assigned by the IRS.
    Mr. Pomeroy. So it is not their Social Security Number, it 
is the employer ID number?
    Mr. Christopherson. For the person who actually contacted 
us.
    Mr. Pomeroy. What about the information of the taxpayers 
that has been disclosed? It is my understanding that Social----
    Mr. Christopherson. Those are Social Security Numbers. I 
just wanted to make sure that that was clear between the two 
for the record.
    Mr. Pomeroy. I appreciate that. You said 65 percent of the 
92 have been contacted?
    Mr. Christopherson. That is correct.
    Mr. Pomeroy. That is not very good. I mean, you have 
testified that you understand this is of the highest concern. 
Well, then let us get 100 percent nailed down now. This is a 
mistake that shouldn't have happened and I believe the book 
needs to be closed on getting ahold of each group to whom the 
inappropriate distribution was made quickly.
    Mr. Christopherson. I understand your concern, and we will 
adequately attempt to make sure that we contact these people.
    Mr. Pomeroy. I would like to see a little more urgency on 
getting that 65 percent to 100 percent, to be frank. Thank you.
    The Chairman. I thank the gentleman.
    The gentlelady from Ohio, we have about a minute or 2.
    Mrs. Schmidt. I am going to be very quick. This isn't the 
first time we are going to have this kind of a problem. When I 
was in college many, many years ago, we had to put our Social 
Security Number on every test and every booklet. With the age 
of the Internet and mass communication, we are going to see 
more and more of this issue. What kind of ideas do you have to 
go forward not from just the USDA but any other department that 
has to keep track of who we are, how to identify, and allow 
other agencies to figure out you are working with the same 
person other than a Social Security Number? I know that is a 
lot and you have got about 30 seconds to answer and you can 
call me later if you need to.
    The Chairman. All right. I thank the gentlelady. You will 
submit that answer in writing?
    Mr. Christopherson. We will submit that for the record.
    The Chairman. And we may have some other questions that we 
will be asking for you to answer in writing. We appreciate you 
being with us today and I look forward to you keeping us 
updated on how you are doing.
    Mr. Christopherson. Thank you, Mr. Chairman.
    The Chairman. I thank everybody, and the Committee stands 
adjourned.
    [Whereupon, at 2:30 p.m., the Committee was adjourned.]
           Questions for the U.S. Department of Agriculture *
      
---------------------------------------------------------------------------
    * At the time this hearing went to press the responses were not 
submitted.
---------------------------------------------------------------------------
Questions Submitted by Hon. Bob Etheridge, a Representative in Congress 
        From North Carolina
    Question 1. How much information technology at USDA is contracted 
out to the private sector? Please distinguish between in-house and 
outside contractors.

    Question 2. How many are under contract?

    Question 3. How are the contracts drawn up? Are they open ended or 
within a definitive time?

    Question 4. Are contracts conducted by open bids? If not, how are 
they conducted?
Question Submitted by Hon. Earl Pomeroy, a Representative in Congress 
        From North Dakota
    Question. Please report the progress and results of your attempts 
to contact all 92 of the entities who subscribe to the FAADS site. 
Names are not necessary.
Question Submitted by Hon. Jean Schmidt, a Representative in Congress 
        From Ohio
    Question. Please outline your plans for identifying clients without 
the use of Social Security Numbers. How will duplication between 
agencies be avoided?

                                  
