b"<html>\n<title> - HEARING TO REVIEW U.S. DEPARTMENT OF AGRICULTURE'S RELEASE OF PROGRAM BENEFICIARIES' SOCIAL SECURITY NUMBERS AND THE DEPARTMENT'S INFORMATION SYSTEMS, GENERALLY</title>\n<body><pre>[House Hearing, 110 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n   HEARING TO REVIEW THE U.S. DEPARTMENT OF AGRICULTURE'S RELEASE OF \n                                PROGRAM\nBENEFICIARIES' SOCIAL SECURITY NUMBERS AND THE DEPARTMENT'S INFORMATION\n                           SYSTEMS, GENERALLY\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                        COMMITTEE ON AGRICULTURE\n                        HOUSE OF REPRESENTATIVES\n\n                       ONE HUNDRED TENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                              MAY 2, 2007\n\n                               __________\n\n                           Serial No. 110-17\n\n\n          Printed for the use of the Committee on Agriculture\n                         agriculture.house.gov\n\n\n\n\n\n                   U.S. GOVERNMENT PRINTING OFFICE\n41-944 PDF                  WASHINGTON : 2008\n\n\n\n\n\n\n\n\n\n\n                        COMMITTEE ON AGRICULTURE\n\n                COLLIN C. PETERSON, Minnesota, Chairman\n\nTIM HOLDEN, Pennsylvania,            BOB GOODLATTE, Virginia, Ranking \n    Vice Chairman                    Minority Member\nMIKE McINTYRE, North Carolina        TERRY EVERETT, Alabama\nBOB ETHERIDGE, North Carolina        FRANK D. LUCAS, Oklahoma\nLEONARD L. 
BOSWELL, Iowa             JERRY MORAN, Kansas\nJOE BACA, California                 ROBIN HAYES, North Carolina\nDENNIS A. CARDOZA, California        TIMOTHY V. JOHNSON, Illinois\nDAVID SCOTT, Georgia                 SAM GRAVES, Missouri\nJIM MARSHALL, Georgia                JO BONNER, Alabama\nSTEPHANIE HERSETH SANDLIN, South     MIKE ROGERS, Alabama\nDakota                               STEVE KING, Iowa\nHENRY CUELLAR, Texas                 MARILYN N. MUSGRAVE, Colorado\nJIM COSTA, California                RANDY NEUGEBAUER, Texas\nJOHN T. SALAZAR, Colorado            CHARLES W. BOUSTANY, Jr., \nBRAD ELLSWORTH, Indiana              Louisiana\nNANCY E. BOYDA, Kansas               JOHN R. ``RANDY'' KUHL, Jr., New \nZACHARY T. SPACE, Ohio               York\nTIMOTHY J. WALZ, Minnesota           VIRGINIA FOXX, North Carolina\nKIRSTEN E. GILLIBRAND, New York      K. MICHAEL CONAWAY, Texas\nSTEVE KAGEN, Wisconsin               JEFF FORTENBERRY, Nebraska\nEARL POMEROY, North Dakota           JEAN SCHMIDT, Ohio\nLINCOLN DAVIS, Tennessee             ADRIAN SMITH, Nebraska\nJOHN BARROW, Georgia                 KEVIN McCARTHY, California\nNICK LAMPSON, Texas                  TIM WALBERG, Michigan\nJOE DONNELLY, Indiana\nTIM MAHONEY, Florida\n\n                                 ______\n\n                           Professional Staff\n\n                    Robert L. Larew, Chief of Staff\n                     Andrew W. Baker, Chief Counsel\n                 April Slayton, Communications Director\n           William E. O'Conner, Jr., Minority Staff Director\n\n\n\n\n\n\n\n\n\n\n\n                             C O N T E N T S\n\n                              ----------                              \nFoxx, Hon. Virginia, a Representative in Congress from North \n  Carolina, opening statement\nGoodlatte, Hon. 
Bob, a Representative in Congress from Virginia, \n  opening statement\nPeterson, Hon. Collin C., a Representative in Congress from \n  Minnesota, opening statement\nWalz, Hon. Timothy J., a Representative in Congress from \n  Minnesota, prepared statement\n\n                               Witnesses\n\nChristopherson, Jr., Hon. Charles R., Chief Financial Officer, \n  U.S. Department of Agriculture, Washington, D.C.; accompanied \n  by Dave Combs, Chief Information Officer; and Hon. Boyd K. \n  Rutherford, Assistant Secretary for Administration, U.S. \n  Department of Agriculture\nPrepared statement\n\n                          Additional Material\n\nSubmitted questions\n\n \n HEARING TO REVIEW U.S. DEPARTMENT OF AGRICULTURE'S RELEASE OF PROGRAM\nBENEFICIARIES' SOCIAL SECURITY NUMBERS AND THE DEPARTMENT'S INFORMATION\n                           SYSTEMS, GENERALLY\n\n                              ----------                              \n\n\n                         WEDNESDAY, MAY 2, 2007\n\n                  House of Representatives,\n                          Committee on Agriculture,\n                                           Washington, D.C.\n\n    The Committee met, pursuant to call, at 1:05 p.m., in Room \n1300 of the Longworth House Office Building, Hon. Collin C. 
\nPeterson [Chairman of the Committee] presiding.\n    Members present: Representatives Peterson, Holden, \nEtheridge, Boswell, Baca, Herseth Sandlin, Salazar, Ellsworth, \nBoyda, Space, Walz, Pomeroy, Barrow, Donnelly, Goodlatte, Foxx, \nMoran, Graves, Neugebauer, Conaway, Schmidt, Smith, and \nWalberg.\n    Staff present: Tyler Jameson, Rob Larew, John Riley, Sharon \nRusnak, Lisa Shelton, April Slayton, Debbie Smith, Kristin \nSosanie, Bryan Dierlam, Alise Kowalski, Bill O'Conner, and \nJamie Weyer.\n\nOPENING STATEMENT OF HON. COLLIN C. PETERSON, A REPRESENTATIVE \n                   IN CONGRESS FROM MINNESOTA\n\n    The Chairman. The Committee will come to order. I want to \nstart today by welcoming everyone to this hearing of the House \nAgriculture Committee. I want to especially welcome Charles \nChristopherson, the USDA's Chief Financial Officer, who will \nprovide testimony and answer the Committee's questions today. I \nwould also like to recognize Boyd Rutherford, USDA's Assistant \nSecretary for Administration, and Dave Combs, USDA's Chief \nInformation Officer, who are accompanying Mr. Christopherson.\n    Information security and accessibility are two very serious \nissues that must be top priorities for USDA. Farmers, ranchers, \nsmall businesses and many others entrust USDA agencies and \nprograms with a great deal of private personal information on a \nregular basis. The USDA must take their responsibility to \nprotect this information very seriously. The recent \nannouncement that Social Security or tax information numbers of \nmore than 38,000 people were made public on the Internet has \ncalled into question the security of private information that \nUSDA has in its possession. I want to commend and very much \nappreciate Congressman Zach Space, one of our newest Members of \nthe Agriculture Committee, for recognizing the serious \nimplications of this situation and requesting a hearing today \non this issue. 
I hope that we will hear a more complete \nexplanation of how this could happen, what is being done to \nassist the people whose personal information was compromised, \nand I also look forward to hearing what is being done to be \nsure no additional personal information is exposed in this \nmanner.\n    In addition to this information security breach, \naccessibility to computer-based systems has been a recurring \nproblem at USDA. Computer failures at the Farm Service Agency \nhave prevented farmers from signing up for programs online and \nin FSA offices. As a result of the poor performance of FSA \ncomputer systems earlier this year, the USDA had to extend the \ndeadline for farmers to sign up for the Direct Encounter \nCyclical Payment Programs. Congressman Moran requested a \nhearing to review the system failures and delays that farmers \nand ranchers have faced because of the FSA computer problems \nand I also appreciate his attention to this serious issue.\n    Data security and reliable computer systems are priorities \nthat USDA must recognize and provide to the many individuals \nand organizations that do business with the agency every year. \nFarmers and ranchers must be able to trust that USDA will \nprotect their information and provide consistent access to \ncomputer-based applications. Without that trust, USDA cannot \naccomplish its mission and farmers and ranchers cannot take \nfull advantage of the programs available to them. I am \nconcerned that the Administration's budget request for \nnecessary computer maintenance and improvements at USDA does \nnot reflect the serious needs that have been exposed by these \nrecent computer problems. 
We are seeing the results of a broken \nsystem that should have been fixed long before these problems \nemerged.\n    The purpose of this hearing is, however, not to lay blame; \nalthough there is certainly plenty of blame to go around with \nlack of Congressional oversight, the agency's ability to \nrecognize these problems before they reached this crisis level, \nand the Administration's failure to request and provide \nresources needed to prevent these problems from happening in \nthe first place. So I am particularly interested to hear from \nour witnesses what resources USDA needs to assure farmers and \nranchers that they can expect secure and reliable access to \nfarm programs. I look forward to the testimony that we will \nhear today and look forward to working with the Administration \nto address these serious problems.\n    Without objection, all Members that wish to make a \nstatement will be made part of the record with the exception of \nthe Ranking Member, who today is Ms. Foxx from North Carolina. \nWe appreciate you being here today and if you want to say a \ncouple brief words?\n    [The prepared statement of Mr. Walz follows:]\n\n\n    [GRAPHIC NOT AVAILABLE IN TIFF FORMAT]\n\n    \n OPENING STATEMENT OF HON. VIRGINIA FOXX, A REPRESENTATIVE IN \n                  CONGRESS FROM NORTH CAROLINA\n\n    Ms. Foxx. Just briefly, Mr. Chairman. I want to say that I \nknow that I and my colleagues share the same concerns that you \nhave expressed, and what I hope we will discover is how \nproblems like these occur but more importantly, how can we \nestablish systems to prevent the problems from occurring again. \nAs you say, there is probably plenty of blame to go around; \nthat doesn't accomplish much. What we need to do is figure out \na way to make the system better and to hold the proper people \naccountable, and I thank you for your focus on that.\n    The Chairman. 
I thank the gentlelady, and I appreciate her \npresence here and the other Members.\n    Mr. Christopherson, we appreciate you being with the \nCommittee and your full statement will be made part of the \nrecord. We operate here under the 5 minute rule so if you could \nhit the high points and stick within that and then I think we \nprobably have quite a few questions, so thank you very much.\n\n    STATEMENT OF HON. CHARLES R. CHRISTOPHERSON, Jr., CHIEF \n             FINANCIAL OFFICER, U.S. DEPARTMENT OF\nAGRICULTURE, WASHINGTON, D.C.; ACCOMPANIED BY DAVE COMBS, CHIEF \n  INFORMATION OFFICER; AND HON. BOYD K. RUTHERFORD, ASSISTANT \n                         SECRETARY FOR\n         ADMINISTRATION, U.S. DEPARTMENT OF AGRICULTURE\n\n    Mr. Christopherson. Thank you, Mr. Chairman.\n    Mr. Chairman, Ranking Member and the Members of the \nCommittee, I thank you for this invitation to appear before you \ntoday to update the Committee on the current events related to \nthe information technology at the U.S. Department of \nAgriculture. I am joined today by Dave Combs, the Department's \nChief Information and Chief Privacy Officer, and Boyd \nRutherford, our Assistant Secretary of Administration.\n    We appreciate the opportunity to discuss the recent \ndiscovery of approximately 38,700 Social Security Numbers that \nhave been inadvertently made public through a government-wide \nwebsite. Our policy states USDA will protect personal, \nfinancial and employment information from unauthorized \ndisclosure. Customers and employees should also have the right \nto expect that USDA will collect, maintain, use and disseminate \nidentifiable personal information and data only as authorized \nby law and as necessary to carry out our agency's \nresponsibilities. At the outset, let me state that we take full \nresponsibility for this incident. 
We offer no excuses and we \ndeeply regret the exposure of the sensitive information and the \nconcern that it has caused our citizens that we serve.\n    By way of background, the USDA is comprised of \napproximately 100,000 employees and 29 component agencies, with \nstaff offices located at some 7,200 offices around the world. \nOf our more than 250 IT systems, many date back to the early \ndays of computing before the Internet and before the identity \ntheft challenges of the modern information age. As a result, \npersonal information such as Social Security Numbers were used \nas customer identifiers and thus were key to accessing records \nin many of these older systems. These older ways of doing \nbusiness are no longer acceptable and we are confronting the \nsignificant challenge of removing sensitive data whenever \npossible.\n    Let me assure you that we did not wake up to this challenge \njust last week. Addressing these issues has been a long, \nongoing effort. In Fiscal Year 2006 alone, we continued our \nFederal Information Security Management Act implementation, \ninventoried our Privacy Act data, scrubbed systems for \nunnecessary uses of personal identifying information, began \nencrypting mobile computers, strengthening remote access \ncontrols, required Privacy Act training throughout the \nDepartment and established incident response protocols.\n    Regarding the recent incident that brings us here today, on \nFriday, April 13, USDA learned that a grantee found her \ncompany's identifying information posted on a public website. \nThe identifying number was embedded with other numbers in a \nlarger data field known as a Federal Award Identifier Number, \nor FAIN, in a system known as the Federal Assistance Award Data \nSystems, or FAADS. 
Officials in my office immediately \nrecognized the potential sensitivities of this information and \nthat same day the identifying numbers associated with the \nfunding were removed.\n    Unable to conclude that this was an isolated instance, we \ncontinued our analysis of the information and here is what we \nfound. Many years ago, the predecessor agencies to the Farm \nService Agency and Rural Development established identifier \nnumbers for borrowers or grantee applicants; but for some, not \nall, programs they adopted as a unique file identifier a number \nthat included the Social Security Number for an individual \nrecipient or the IRS-issued EIN for business recipient. When \nthe predecessor agencies began providing USDA grant and loan \ndata to FAADS as required in 1982, they simply used the agency-\ncreated code as a Federal Award identifier number.\n    Pursuant to the direction from the Office of the Chief \nInformation Officer last year, USDA agencies searched for the \npresence of Social Security Numbers in their systems but the \nFAINs eluded the attention because the sensitive information \nwas not readily apparent when viewing the aggregated data. \nAfter extensive evaluation of approximately three million \nrecords spanning a period of 26 years, we were able to \ndetermine that the public website in question contained \nsensitive information relating to approximately 35,000 \nindividuals from FSA programs and 3,700 from Rural Development \nprograms.\n    Our immediate first steps were to confine and fix the \nproblem while at the same time making sure that we did not take \nany actions that would make the problem worse. To date, there \nis no evidence that this information has been misused. \nNonetheless, we are offering 12 months of services to help \naffected persons monitor and protect their credit. 
USDA funding \nrecipients whose personal information was exposed have been \nnotified by mail and are being provided with instructions for \nsetting up the credit monitoring.\n    As a result of this recent incident, we have initiated \nadditional actions consistent with the recommendations included \nin the recently released strategic plan to the President on \nidentity theft. The written testimony provides additional \ndetails but in brief summary, these actions include re-\ninventorying all of our data collections, expanding reviews to \ninclude external entities, updating our Privacy Act and \nawareness efforts, and integrating information protected in our \nannual internal controls assessment.\n    While this incident focuses our attention on protecting \nsensitive data, USDA is also redoubling its efforts in the area \nof overall IT security. To emphasize how seriously that we have \ntaken our role as data stewards, we are focused on improving \nour logical and physical access controls, our software change \ncontrols and our disaster recovery capabilities.\n    In closing, I again want to state that we regret the \nincident that has occurred. We are committed to taking care of \nthe individuals who are affected and we will fix the problems \nwhich led to this issue.\n    Mr. Chairman, we would be pleased to take any questions \nfrom the Committee.\n    [The prepared statement of Mr. Christopherson follows:]\n\n    [GRAPHIC NOT AVAILABLE IN TIFF FORMAT]\n\n    \n    The Chairman. I thank the gentleman, and the other two \ngentlemen are just here for backup?\n    Mr. Christopherson. Yes, sir.\n    The Chairman. All right. We thank you very much for that \ntestimony, and I think we have a number of Members that have \nsome questions, but I am going to give my time to Mr. Space to \nstart the questioning because he is the one that was on top of \nthis before anybody else, so we appreciate, Mr. 
Space, your \ndiligence and hard work, and I will yield to you for 5 minutes \nor maybe give you a little bit of leeway.\n    Mr. Space. Thank you, Mr. Chairman, for deferring your time \nto me as well as for agreeing to this hearing, and I would like \nto thank you, Mr. Christopherson, for testifying today.\n    All of the Members of this Committee remember the situation \nthat occurred with the Department of Veterans Affairs, and \nwhile that situation was disturbing, this security breach is in \nsome ways worse. The Department put this personal information \nonline through an overt act which is very difficult, if not \nimpossible, to retrieve. These information security problems \nare nothing new at the USDA, unfortunately. The OMB, National \nInstitute of Standards and Technology, and the USDA's Inspector \nGeneral have all documented in numerous reports the history of \npoor performance when it comes to information security. The \nagency lost, I understand, 95 computers with access to personal \ninformation, according to the USDA's IG report a few months \nago. The reason this latest security breach is so troubling is \nthat farmers and ranchers live and die by their credit. If the \nagency put one of them at risk for identity theft, that would \nbe potentially devastating to their businesses. I believe many \nfarmers and ranchers already distrust the government, frankly, \nand this fiasco will prevent the USDA from accomplishing its \nmission to assist these producers.\n    Mr. Christopherson, in your written testimony that had been \ndelivered to the Committee prior to this hearing, you indicate \nat page five that before the revelations that occurred on April \n13 of this year, the USDA had already commenced working on \neliminating unnecessary usage of Social Security Numbers as \nidentifiers. 
The project of eliminating SSNs as identifiers had \nresulted in identifying over 29,000 people who had previously \nbeen identified with their Social Security Numbers, and the \nquestion I have for you is, when was that project started to \nstart to eliminate Social Security Numbers as identifiers?\n    Mr. Christopherson. What I will do is, I will actually \ndefer part of this question to our Chief Information Officer \nthat actually led that initiative. We have actively for this \nlast year moved through a process to identify the areas of USDA \nand the systems that have this information in it. We are----\n    Mr. Space. My question is, when was that project begun? \nWhen was it? I would like a date within a month or two when the \nproject to eliminate Social Security Numbers as identifiers was \nbegun by the USDA.\n    Mr. Christopherson. Okay. I know this was within the June \ntime frame, and----\n    Mr. Space. I would like to know when it was begun. Your \ntestimony indicates that prior to this event occurring, the \nUSDA, you as well as the other gentlemen with you today had \nalready commenced working on eliminating unnecessary usage of \nSSNs as an identifier at USDA. Simple question: When was that \nproject started?\n    Mr. Combs. I found my information, sir. It was June of last \nyear that we began this process following the tremendous \npublicity, as you are aware, with the Veterans Administration \nincident that certainly raised the awareness of everyone about \nthis particular issue. We initiated this, basically a re-review \nof all of our systems and looking where we use Social Security \nNumbers, with the view of eliminating unnecessary use back \nthen. It is such a pervasive, broadly-found issue throughout \nthe Department that it is not a short exercise to do that and \nso even today we continue to try to find places where these are \nunnecessarily used.\n    Mr. Space. 
So it would have been about 10 months before \nApril 13 that a process was begun to eliminate Social Security \nNumbers as an identifier?\n    Mr. Combs. Yes, sir.\n    Mr. Space. And apparently during that process over 29,000 \npeople's identifying information was changed from their Social \nSecurity Number to something else?\n    Mr. Combs. Yes.\n    Mr. Space. All right. Were any of those individuals posted \non the Internet?\n    Mr. Christopherson. No, not that we are aware of. None of \nthose individuals were actually posted to the Internet. This is \nthe first occurrence that we know about.\n    Mr. Space. And your testimony indicates that upon discovery \nof the use of the SSNs on April 13, you immediately recognized \nthat there was a problem and you were able to remove all 37,800 \nnumbers in 1 day from the Internet. Is that a correct \nreflection of your testimony?\n    Mr. Christopherson. Actually we actually removed those from \nwhat is called the FAADS database, which is a public access \ndatabase, and it was all the records for USDA at that time.\n    Mr. Space. Okay. So you were able to accomplish that in 1 \nday?\n    Mr. Christopherson. For the FAADS database, which is \nactually held by the Census there, the executive group that \nmanages that system, yes.\n    Mr. Space. Right. So here is a question that I have for \nyou, Mr. Christopherson. How or why is it that when you are \naware of the problem but that knowledge is internal and not \navailable to the general public, you are not able to identify \nand remove Social Security Numbers that are listed on the \nInternet over a course of 10 months from the time that you \nrecognized that that may be a problem? Those names stayed on \nthe Internet for 10 months. As soon as the problem gets \ndisclosed to Congress and the general public at large, you are \nable to do that in 1 day. 
I have serious concerns about the \noversight and the lack of prioritization and the lack of \ncommitment to the Privacy Act that the USDA has displayed, not \njust with this but with the loss of 95 computers that contained \nnon-encrypted information of a sensitive nature. I guess I am \nlooking for answers as to why the only time the USDA seems to \nget serious about protecting people's privacy is when they get \ncalled.\n    Mr. Christopherson. Actually, we are very serious about \nprotecting people's information. The reason why this was not \ndetected was, it was actually embedded in a 15 digit number. \nYou know, if it was a nine digit number we would have picked it \nup right away. However this information actually was exposed \nfor a longer period of time. We did go through and were \nactively checking for information that contained Social \nSecurity Numbers but it was embedded in a 15 digit number and \nwas just not readily apparent.\n    Mr. Space. But----\n    Mr. Christopherson. Now, we are moving back to actually \nlook at those factors again to make sure that we find all this \ninformation.\n    Mr. Space. Mr. Chairman----\n    The Chairman. Well, I will tell you what, the Ranking \nMember is here now and he has a statement, so we will give you \nsome more time here in a little bit.\n    Mr. Space. If there is time for that, Mr. Chairman. I do \nthank you for deferring your time.\n    The Chairman. There will be time, and we will recognize \nyou.\n    Mr. Space. Thank you, Mr. Christopherson.\n    The Chairman. I want to recognize, right now, the \ndistinguished Ranking Member for a statement, and I am also \ngoing to let him ask a couple of questions, and maybe we just \nwon't even run that thing right now so that it doesn't beep. It \ncan be a useful thing that this is kind of like the Gong Show \nor something here to intimidate people but anyway, we are \npleased to have the Ranking Member, Mr. Goodlatte, here. 
I will \nrecognize him at this time.\n\n OPENING STATEMENT OF HON. BOB GOODLATTE, A REPRESENTATIVE IN \n                     CONGRESS FROM VIRGINIA\n\n    Mr. Goodlatte. Thank you, Mr. Chairman. Thank you for \nholding this hearing.\n    The discovery that the Social Security and tax \nidentification numbers of more than 38,000 USDA customers has \nbeen posted to a publicly accessible Internet site is \ndisturbing on many levels. This event is only one of several in \nwhich the personal identification information of farmers, other \nclients or employees has escaped the control of the USDA. In \nthis case, however, the numbers were actually placed on the \nInternet where anyone could access them. Perhaps the worst \naspect of this episode is that the original error occurred in \n1981 and that the data has been on the World Wide Web since \n1996. The number of questions that this raises is staggering. \nFor example, is there any reason to believe that if a farmer in \nMissouri had not stumbled across her personal identification in \na general search of references to her farm would USDA have ever \nfound this problem? Does the Department know all the locations \nof information that they have officially shared or publicly \nmade available? Do they know whether there are any other \ninstances where personal identification information has been \nreleased? What steps are being taken to ensure that this does \nnot happen again? These are the types of questions that our \nCommittee will want answered in today's hearing. We should all \ntake note that this event occurred in the midst of a major \ndebate over producers surrendering large amounts of sensitive \nbusiness and personal information in the livestock industry. \nThe performance of the USDA in this episode certainly lends \nsignificant credibility to those who fear that their \ninformation will not be protected from release while in the \nhands of the USDA.\n    Mr. 
Chairman, I hope that this hearing will provide some \nsense of reassurance to the millions of customers of the \nDepartment that episodes like this are not the status quo at \nthe USDA; and that the U.S. Department of Agriculture is making \na concerted effort to ensure in the future customers won't have \nto worry that their personal information will be showcased on \nthe Internet.\n    Mr. Christopherson, if I might ask you, I understand there \nare 250 information technology systems that have been developed \nat the Department over the years. How many of them contain \nSocial Security Numbers as an identifier?\n    Mr. Christopherson. That is approximately 56 of those \nsystems contain that information.\n    Mr. Goodlatte. Have all of these systems been evaluated to \ndetermine whether or not they contain a Social Security Number \nas an identifier? I take it from your answer to my first \nquestion that you have done that.\n    Mr. Christopherson. That is correct.\n    Mr. Goodlatte. And in your opinion, are any of these \nnumbers at risk of release at this point?\n    Mr. Christopherson. The only numbers that we show that have \nbeen released are these approximately 29,000.\n    Mr. Goodlatte. And how long will it take to remove these \nremaining Social Security Numbers from these systems to ensure \nthat events like this do not happen again?\n    Mr. Christopherson. There are a couple of factors with the \nSocial Security Numbers. Being a large loan and grant-making \nagency, we are required to pull in this information both for \ndebt collection and various other reasons. This will take \nnumerous years on some of these older systems to basically \nremediate and contain the information. Now, we do have plans \nassociated with that, et cetera, but a lot of this information \nUSDA will have for the life of its agency.\n    Mr. Goodlatte. Well, what is the process for removing the \nnumbers from the system? 
Do you have some other identifier that \nyou can use to replace that with?\n    Mr. Christopherson. We will be using other identifiers as \nwe modernize these systems or as we adjust them to change.\n    Mr. Goodlatte. How many unnecessary uses of Social Security \nNumbers as an identifier currently exist in the USDA system \ntoday?\n    Mr. Christopherson. We don't fully understand or know \nexactly how many are actually unnecessary. These are old \nsystems. In the 1980s, these were key indicators. What is \nimportant for us today is that we actually wrap internal \ncontrols around this information to make sure that it does stay \nin the systems and does not get exposed to the outside.\n    Mr. Goodlatte. Thank you very much.\n    Thank you, Mr. Chairman.\n    The Chairman. I thank the gentleman, and those are good \nquestions. I have got a couple questions but I will go down the \nline here first a little bit.\n    Mr. Etheridge from North Carolina.\n    Mr. Etheridge. Thank you, Mr. Chairman, and thank you for \nholding this hearing.\n    It is quite obvious from the questions thus far, Mr. \nChristopherson, that there is concern certainly on this side of \nthe table, and I hope you can clear up some confusion. \nAccording to a report and your answer thus far relating to this \nincident, the numbers were found of course as you already said \nby a farmer on the website, federalspending.org, which really \nis a nonprofit group who sort of keeps an eye on OMB. So was \nthis not actually a USDA website conveying this information or \nwas it linked to a USDA website? Can you clear that up?\n    Mr. Christopherson. Yes. Federalspending.org is actually a \npublic website or an awareness website for the public. It is a \nnot-for-profit or private website.\n    Mr. Etheridge. So it was linked to USDA?\n    Mr. Christopherson. 
It receives its information from what \nis called the FAADS information, which is actually held by \nCensus and we feed that information into this public database \nto make it available.\n    Mr. Etheridge. Okay. With that answer then, this was a \nprivate website that----\n    Mr. Christopherson. It was a private website.\n    Mr. Etheridge. All right. That USDA had been working with \nto provide information about program users ought to be a \nconcern to all of us and should have been a flag to USDA all \nalong. We have seen from time to time again how the rush to \nprivatize federal workers at USDA and hire contractors often \nresults in the work just not getting done in a timely manner. I \nknow this is an ongoing problem with our FSAs because their \nwebsites tend to be down quite often. Can you enlighten me as \nto how much of the IT functions at USDA are being farmed out to \nprivate contractors at this time?\n    Mr. Christopherson. First I want to clear up something \nhere. The information that is on this private website is \nactually requested and is by law available to them by what is \ncalled the Federal Award Assistance Data System. I want to make \nsure that is very clear that they have access to this, \nlawfully, to request this data. On the question when it comes \nto how much of our IT function is by contractors, I will be \nhappy to actually submit that to the record. I don't have that \nfull information here today.\n    Mr. Etheridge. Do you have any idea what that number might \nbe?\n    Mr. Christopherson. I don't. I don't have any idea exactly \nwhat that number is and I would hate to actually throw out an \nestimate for this Committee.\n    Mr. Etheridge. That is troubling in itself for someone who \nis in charge of finances and does not know in dealing with the \nIT how much of it might or might not be. 
I think this ought to \nbe a cause for concern for this Committee and you ought to be \nconcerned yourself and the Members seated adjacent to you if \nyou have no idea how much of it we are putting out on private \ncontract. But I hope you will provide that to this Committee in \nwriting.\n    Mr. Christopherson. I would be happy to.\n    Mr. Etheridge. I will make that request, Mr. Chairman, \nbecause I think that is important for us to have.\n    Mr. Christopherson. And the complexity behind this answer \nis actually dealing with, we actually have contractors in-house \nthat supplement our employee base. We have contractors that are \nactually contracted out under a formal contract as a section of \nthis information where we have very clear and distinct \nrequirements for these contractors. So this is actually a \ncomplex question and will require a fairly lengthy answer to \nactually address this.\n    Mr. Etheridge. Well, you have gotten a little bit deeper \ninto it then. As you give that answer, would you divide that up \nso we can know how many are in-house contractors, how many \noutside contractors, how many of them are under contract and \nhow those contracts are drawn, whether they are open-ended \ncontracts or whether they are contracts that are for definite \nperiods of time with open bids and their bid contracts.\n    Mr. Christopherson. We would be happy to provide that.\n    Mr. Etheridge. Thank you, Mr. Chairman. I yield back.\n    The Chairman. I thank the gentleman. Mr. Conaway.\n    Mr. Conaway. Thank you, Mr. Chairman.\n    Gentlemen, I appreciate you being here today. I compliment \nyou on your forthrightness. I appreciate that. Looking at the \nUSDA's response as shown on page 10, it looks to me like you \nhave done everything you need to do to protect anybody who \nmight have been harmed by this. 
Any evidence that over the 11 \nyears this information was on the Web that anybody was harmed \nas a result of these 15 digit numbers being available to the \npublic?\n    Mr. Christopherson. No, we do not have any evidence of \nthat.\n    Mr. Conaway. Okay. Anybody make any claims? Anybody call in \non the 24 hour hotline yet, questioning USDA?\n    Mr. Christopherson. No, nobody has actually made any claims \nthat that----\n    Mr. Conaway. So the 39,000 folks out there that got a \nletter saying that their embedded nine digit Social Security \nNumber was in a bigger 15 digit number had been available for \n11 years, those 39,000 so far, they have been relatively calm \nabout their response?\n    Mr. Christopherson. Right. Actually what happened is, we \nhad very little response up until they actually started to \nreceive the letters. Even with the press information that had \nbeen released----\n    Mr. Conaway. No, but until they get a letter though, they \ndon't know that their name was on the list.\n    Mr. Christopherson. Right.\n    Mr. Conaway. But they now have it? You are managing those \nresponses?\n    Mr. Christopherson. We are. We have set up an 800 number \nfor them and allowed them to call in and have ample questions \nand----\n    Mr. Conaway. All right. Who is providing the $20,000 \ninsurance policy? Is that self-insured by the agency or did you \nbuy those policies somewhere else?\n    Mr. Christopherson. No, that was actually part of the \nservice that we are providing these people so we are not self-\ninsuring. It is actually part of the fee that we pay into the \nservice.\n    Mr. Conaway. Okay. The response service?\n    Mr. Christopherson. Right.\n    Mr. Conaway. Let me ask you something else. 
On all of your \nsystems, I would suspect you would have had various levels of \nbackup copies, and is it part of your overall review since June \nas well as the review on this system, are you confident that \nyou have purged all of the backup systems the same way you have \npurged the current operating system that you are using?\n    Mr. Christopherson. This information, as we have gone out \nto assess this information previously, it does address the full \nsystem, including backups of this information.\n    Mr. Conaway. All right. Again, I compliment you on your \nresponse and the level of attention you have given to it on a \ngo-forward basis.\n    Mr. Chairman, I yield back. Thank you.\n    The Chairman. I thank the gentleman.\n    I recognize Mr. Boswell.\n    Mr. Boswell. Thank you, Mr. Chairman.\n    You have briefly covered some of this; but in your \ntestimony you stated the information provided to the Farm \nService Agency and Rural Development to the public website \ncontained the 38,000 individuals. Is that an isolated event?\n    Mr. Christopherson. That is an isolated event according to \nthis, you know, these Social Security Numbers that are in this \n15 digit number.\n    Mr. Boswell. How do you know that this information was not \noffered to other public websites?\n    Mr. Christopherson. We do not know that it has not been \noffered to other public websites but let me tell you what we \nhave done pertaining to this. We have actually pulled the \ninformation on those that actively receive this as a mailer, or \nhave actively received this as a link, or have actively \nreceived this as a download. Those people have been contacted. \nWe haven't been able to fully contact all of them but we have \nactively tried to contact them. We will continue to try to \ncontact them. It is approximately 92 different groups. We will \nmake sure that we will----\n    Mr. Boswell. 
So you have got an ongoing process trying to \ncontact the affected individuals?\n    Mr. Christopherson. We have an ongoing process to try to \nwork with----\n    Mr. Boswell. Would you say you are 75 percent complete?\n    Mr. Christopherson. On the actual 92 different groups, we \nprobably have contacted and actually spoken to I think the \nnumber is around 38 at this point.\n    Mr. Combs. It is over half of them.\n    Mr. Christopherson. Right, and the rest of them we actually \nhave messages. Anyway, that is about where we are at.\n    Mr. Boswell. You mentioned that the affected individuals \ncan opt into identity theft protection and will be insured. \nWill this be retroactive?\n    Mr. Christopherson. This will be based on the policy that \nwe have actually received from the vendor. I believe----\n    Mr. Boswell. So what is----\n    Mr. Christopherson.--it is actually retroactive. I think it \nis actually for the period of time that they are opting in and \nsetting themselves up, but we will actively, for a period of \ntime, try to pull in as many as we can of these farmers and \ncontinue our outreach efforts to sign up as many as we can.\n    Mr. Boswell. Since this information has been available for \nquite some time, say someone has been a victim of identity \ntheft and can trace it back to information that USDA provided, \nwill they be covered by this policy?\n    Mr. Christopherson. I think as those instances come up, we \nwill have to look at them as each independent instance. This \nissue of identity theft is a broad issue right now. Like I \nsaid, we regret that this happened and that it has been out \nthere for a period of about 26 years that people could actually \neither by CD or by public website pull this information in, but \nwe will look at those independently if they actually do----\n    Mr. Boswell. Have you had any requests for that yet?\n    Mr. Christopherson. We have not had any requests for that \nas of yet.\n    Mr. Boswell. Okay. 
Thank you, Mr. Chairman. I yield back.\n    The Chairman. I thank the gentleman.\n    Mr. Walberg.\n    Mr. Walberg. Thank you, Mr. Chairman.\n    Just one basic question. I appreciate you being here and \ntestifying and I appreciate the efforts you are taking now. \nThis is something that has gone on for some time. It goes back \na number of years but the impact is now and into the future. My \noffice was contacted by one of these recipients and after \nreceiving the letter that you sent out, which was appreciated \nby my constituent, however, he was very much concerned when he \ncalled the number and he got the answer that he would have to \nwait for a couple weeks until they came up with a process. It \nseems to me like it is not a good thing to send out a letter \ninforming of the issue if the process isn't in place to handle \nit. Ultimately he was contacted back after our office made \ncontact with the Department. So do you have a response to that? \nIs this just one strange experience that took place or you have \nhad other indications that people who do use your 800 number \nand call now are receiving information that we are not ready to \ndeal with it, wait a couple weeks and we will provide the \ninformation?\n    Mr. Christopherson. Well, let me tell you a little bit \nabout the process. We actually--this was a conscious decision \nto notify these people as soon as we possibly could. One of the \nthings that we wanted to do was to make sure that those who are \nnot affected individuals fully understood that they were not \naffected. We wanted to make sure that the pool of those \naffected understood that they were affected. Now, the \nprocurement process for these services takes a little bit of \ntime and we were able to do that fairly fast but it was \nimportant that we actually did notify these people. Those \nletters went out approximately a little over a week ago. 
Now, \nthe letters pertaining to the service and the setup, et cetera, \nhave been drafted. They are in the process of moving out. They \nhave started the process of moving out. It takes about 3 days \nto send this number of letters out. So those of your \nconstituents in your area will receive those letters shortly \nand it will be very detailed with the information to say this \nis how you set it up, this is the code that you use and these \nare the services that you will be provided including if \nsomething was to happen to your identity or that information \nwas actually compromised, here is a group that will help you \nget that back.\n    Mr. Rutherford. Excuse me. Can I add something?\n    Mr. Walberg. Sure.\n    Mr. Rutherford. I believe I actually spoke to your \nconstituent on Monday evening and explained pretty much what \nMr. Christopherson just said, but also that we were starting \nthe process of mailing the second batch of letters which would \nexplain the process for enrolling in the credit monitoring \nservice. In terms of the difficulties that he had with the 800 \nnumber, it is the communications challenges that we have been \nworking out. We think we have gotten those corrected as far as \nthe information that is passed on and they are making sure that \nthe number is updated on everything that we are doing.\n    Mr. Walberg. Thank you. Thanks for your answer.\n    The Chairman. I thank the gentleman.\n    Mr. Salazar.\n    Mr. Salazar. Thank you, Mr. Chairman.\n    Mr. Christopherson, you talked about notifying these \nindividuals who had been affected and you talked about sending \nout a letter 15 days ago or 2 weeks ago. Did you notify these \nindividuals immediately or how quickly did you notify them when \nyou found out what the problem was?\n    Mr. Christopherson. What we did is, it actually happened \nabout 7 days ago, so that we are clear. 
As soon as we could \nactually narrow it down to the people that were actually \naffected and that took some time to get through these three \nmillion records, we did have a letter that was ready to go. We \nmerged those in and we sent those right away. So we sent that \nas soon as we possibly could so that those who would be \nconcerned over this and they were not affected would know as \nwell as those who were affected would also know.\n    Mr. Salazar. Okay. And are you able to pinpoint where the \nproblem actually occurred and did you do any kind of \ndisciplinary action with the individuals who would ultimately \nbe responsible, whether your IT people or----\n    Mr. Christopherson. This exposure was over a long period of \ntime, about 26 years. This was an embedded number that was in a \nlarger field. As we look back through the scenario, this was a \n15 digit field that wasn't easily recognizable as an issue and \nthat that information was sitting out there. It had been \nundetected for years and years and years. Now, as my testimony \nshows we did issue a number of directives in this last year to \naddress these type of situations where we said, ``You need to \ngo through your systems and look for this and this and this and \nthis.'' We are reevaluating obviously those directives that we \nsent out. We will look to see how this problem made it through \nand we will make sure that we don't have this issue again.\n    Mr. Salazar. Okay. And for those who weren't affected on \nthis one specific instance, if someone was to call your office, \nsay myself as a member who participates in some of your \nprograms, could you definitely be able to tell people that my \ninformation has not been compromised?\n    Mr. Christopherson. As you call in and you give your name, \nthen we actually will go through and say you are not on the \nlist.\n    Mr. Salazar. Thank you, Mr. Chairman.\n    The Chairman. I thank the gentleman.\n    Mr. Moran.\n    Mr. Moran. Mr. 
Chairman, thank you very much. First of all, \nin my absence you mentioned my request for a hearing in regard \nto IT services at FSA-USDA, and I just would like to reiterate \nthe importance of us providing necessary oversight and the \nDepartment of Agriculture making certain that the computer \nsystems, particularly the servers, are adequate for meeting the \nneeds of farmers, their customers. I continue to have \nsignificant concerns that the difficulties we are experiencing \nat FSA in regard to, at the moment, advanced direct payments is \nonly the tip of the iceberg. I am worried that some \ncatastrophic event may occur in which USDA is incapable of \nproviding necessary services in any reasonable amount of time \nfor farmers and ranchers across the country.\n    The Chairman. Will the gentleman yield?\n    Mr. Moran. Absolutely.\n    The Chairman. We have been undertaking a considerable \namount of background work, some of which I have been given \ntoday, but as soon as we get a little more of that pulled \ntogether, we will be proceeding to some kind of a hearing. But \nI want to make sure I know enough background before we get to \nthat point.\n    Mr. Moran. I thank the Chairman and I know that you have \nexpressed to me you have concerns about the computer \ncapabilities at the Department of Agriculture and again \nreiterate that I think the issues may turn out to be very \nserious.\n    In regard to the hearing today, the specifics of the \nrelease of information, I just want to make certain I \nunderstand what it is that USDA has done wrong. My \nunderstanding is that the mistake made was the inclusion of the \nSocial Security Numbers identifying individuals within that \nlarger number and that was the error on the part of USDA. USDA \nhas not, as I understand the testimony or understand the facts \nregarding this, has not disclosed this information \ninappropriately. 
In fact, by law you are required to provide \nthat information to the Census Bureau and it is only through \naccess to Census Bureau information this website has been able \nto obtain this information. Is my understanding correct?\n    Mr. Christopherson. We are required to provide to Census \nBureau information concerning the grants and loans at the \nDepartment of Agriculture. This number was embedded into a 15 \ndigit number. Disclosing the Social Security Number wasn't \nappropriate for our policy. Now, we do need to provide \ninformation and have people have the ability to access that \ninformation in question through FOIA and other things that \ninformation concerning grants and loans.\n    Mr. Moran. This instance, the website did not obtain the \ninformation from the Department of Agriculture but from the \nU.S. Census Bureau which USDA was required to disclose to the \nCensus Bureau. Is that true?\n    Mr. Christopherson. We are required to disclose the \ninformation to the Census Bureau. The Census Bureau is actually \nthe group that handles it for the government-wide initiative.\n    Mr. Moran. And no problems would have arisen here but for \nthe Social Security Numbers being inappropriately embedded? \nThat is not the right way of saying that. Inappropriately \ndiscoverable in this embedded number. Had that not occurred, \nthen the problems that we are describing today would not have \noccurred?\n    Mr. Christopherson. That is actually correct. Having the \nSocial Security Numbers embedded is the issue that is \nincorrect, actually sending the information to the Census \nBureau is not. We are required to do that.\n    Mr. Moran. Thank you very much, and I yield back, Mr. \nChairman.\n    The Chairman. I thank the gentleman.\n    I am now going to recognize Mr. Space for his own time. I \ngave him my time earlier.\n    Mr. Space. Thank you again, Mr. Chairman.\n    Mr. 
Christopherson, I want to ask you a couple quick \nquestions about the letter that went out. When did that letter \ngo out? Do we have a date that that letter went out to those \naffected?\n    Mr. Christopherson. Those affected, it actually went out a \nweek ago Monday.\n    Mr. Space. Did they go out by certified mail? Was there any \nindication that we will have or that your agency will have \nconcerning who was noticed and who wasn't?\n    Mr. Christopherson. They actually went out first-class \nmail. The address service was requested so that if it is not \ndeliverable, then the post office will provide us with a slip \nthat says this is not deliverable, or if it was forwarded to a \nnew address, they will provide us with a slip saying that this \nis the person's new address so we can track them.\n    Mr. Space. All right. Do you have any idea as to the \npercentage of people on that list that you have received a \nresponse indicating it was undeliverable because they have \nchanged addresses?\n    Mr. Christopherson. Right now we have approximately 25 \npeople that it has been returned saying that we need either \nadditional information or they have changed addresses.\n    Mr. Space. And I want to clarify something in response to a \nquestion asked earlier. You indicated that you are still \nworking on eliminating these numbers from, we will call it an \naccount number. I guess my question is, is there still public \naccess in one means or another out there to these embedded \naccount numbers?\n    Mr. Christopherson. I don't believe that there is public \naccess out there, and like I said, these systems are very old. \nThey have been designed where the Social Security Number was a \nprimary field in these, just like in the 1980s even into the \n1990s. I can remember at the grocery store having the Social \nSecurity Number on my checkbook to provide to the cashier. 
Now \nour world has changed and we are working to adjust these \nsystems but no, we do not know of any other instance where this \ninformation has been disseminated out to the public.\n    Mr. Space. And is your office investigating the possibility \nthat that has happened through, for example, encryption on a \nmortgage? I know a lot of these accounts had to do with loan \npayments. Has your office begun investigating whether there are \nunintended releases of information out there that you haven't \neven given consideration to?\n    Mr. Christopherson. We have actually done that evaluation \nin the past and we are going back again to reevaluate to make \nsure that any and all information that is going out is clean \ninformation. We don't know of any information that we have sent \nout in this form.\n    Mr. Space. In this case, it is not a situation where you \ndidn't know that these problems were out there, and you fixed \nthem when you found out. Based on the testimony that you have \noffered as well as the audits by these other agencies, my \nimpression is the USDA has known about these problems for \nyears, certainly should have known about them, has not taken \nsecurity as seriously as it should. It has not developed a \ncommitment to adherence with the Privacy Act. And my question \nfor you is this: Does the USDA need additional authority from \nthis Congress, tools or resources from this Congress that will \nensure the security of our farmers' and our ranchers' personal \ninformation and make sure that the USDA does in fact or is in \nfact able or willing to comply with the privacy laws?\n    Mr. Christopherson. We are actively addressing this issue. \nOver this last--as my testimony actually says--we have actually \nsent out about seven directives to our agencies to both \nevaluate the information that they have as well as address \ninformation when it comes to their desktop, to provide training \nin that information. 
That is a very key step to make sure that \nthis information is contained.\n    Mr. Space. Are you getting the resources from Congress that \nyou need to ensure that the privacy of these individuals is \nbeing protected?\n    Mr. Christopherson. At the current time, I believe that \nthey are. The President's budget amply lays out the funds \nneeded for this type of a project.\n    Mr. Space. Thank you, Mr. Christopherson.\n    Thank you again, Mr. Chairman. I yield back.\n    The Chairman. I thank the gentleman.\n    Mr. Graves.\n    Mr. Graves. No questions.\n    The Chairman. Ms. Herseth Sandlin, you are next if you----\n    Ms. Herseth Sandlin. Thanks. I didn't know it was so close \nto me asking questions.\n    I have a question for Mr. Combs. You know, Mr. \nChristopherson, you mentioned in response to an earlier \nquestion the situation of what happened with the VA and the \nloss of records that were on a laptop. A few of us on this \nCommittee also serve on the Veterans Affairs Committee, and \nduring all of the oversight that we did on that issue; not just \nonce the laptop was retrieved, was the information accessed and \nused for identity theft purposes; which thankfully there was no \nevidence to that effect, but what type of information security \nmeasures have been undertaken at our various agencies. In the \ncase of the VA, and one of the things that we found was that \npast chief information officers at the VA were very frustrated \nwith the bureaucratic barriers that they encountered in the \nagency to actually implement certain controls and other \nsecurity measures over the past few years, and there was \nreference made earlier about these are old systems and this was \na number embedded in a field. Mr. 
Combs, has there been any \ninstance in which you feel that you could have been able to \nidentify it rather than someone out viewing this public website \nthat there was a problem with one of the older programs or the \nolder system with a Social Security Number being embedded in \nthe field because of any barriers that you have faced in \nimplementing your recommendations and various security measures \nat USDA?\n    Mr. Combs. That is a very good question. USDA and my office \nand the network of security folks that I work with throughout \nthe Department, as you may know, is a federated approach where \nthere are 29 agencies and offices and we now have a very close \nworking relationship with all of these agency CIOs. Even though \nthey don't report to me we have a very close working \nrelationship. My office issues policies and requirements to \nsurvey systems, to comply with FISMA and all of these aspects \nof security. I will have to say that I have really experienced \nno resistance from the cadre of folks that I deal with \nthroughout the Department. Even though they don't report to me, \nthat is not really an issue. We are working as a team. They are \na very good group of people who are as concerned about IT \nsecurity as I am, and it is just a very complex problem and we \nare very sorry that we did not pick up this one particular kind \nof exposure here. It just slipped through the net that we put \nout. But we are doing many, many things to tighten up our \nsecurity. We are putting in system, what we call defense in \ndepth where there are many layers of security so that people \ncan't get into our systems. Just yesterday we had almost 20,000 \npeople attempt to hack into USDA systems. Well, our defense \ncaught that and blocked it. But I really can't say that I have \nhad any resistance to these many directives and efforts that we \nare making. 
It is a pretty complex process to try to corral all \nof these problems because, as you know, Social Security Number \nis used in almost every financial system in the Federal \nGovernment because of the reporting requirements. So the bottom \nline is, no, I have not really seen the, ``bureaucratic \nresistance'' to what we need to do at USDA.\n    Ms. Herseth Sandlin. And how long have you been the Chief \nInformation Officer at USDA?\n    Mr. Combs. Since October of 2004, I believe.\n    Ms. Herseth Sandlin. And I am pleased to hear that you \nhaven't experienced that kind of resistance that your \ncounterparts in other agencies perhaps have. The other part of \nmy question was, is there anything then as a matter of \nresources that could have been done, not so much in protecting \nthe existing systems but going back to older systems that seem \nto be part of the reason why this problem eluded the agency for \n11 years in terms of detecting it, you and your cadre of folks. \nWhere could you have identified this problem had you had \nsufficient resources or other authorization that you need from \nthis Committee?\n    Mr. Combs. I believe that one of the processes that we used \nin the past was one that was a very detailed questionnaire, but \nin hindsight now we see there were some questions that we \nneeded to ask. It is called a Privacy Impact Assessment and \nthere are some specific questions that we will now be adding to \nthat so that something cannot be misinterpreted or just treated \nas general. So we will be tightening that up, and that process \nis one of education and learning from our mistakes or our \nissues that we run into.\n    Ms. Herseth Sandlin. Thank you, Mr. Chairman.\n    Thank you for the testimony.\n    The Chairman. I thank the gentlelady.\n    Does the gentlelady from North Carolina have any questions?\n    Ms. Foxx. No, sir.\n    The Chairman. Mr. Walz?\n    Mr. Walz. Thank you, Mr. Chairman, and thank you, Mr. 
\nChristopherson, and gentlemen for coming today and I appreciate \nthe complexity of the issue you are dealing with and your \nstriving for excellence is appreciated. I know it is a tough \njob. The issue is with personal information security. It is \npretty much a zero-sum game though. If you lose it, you lose it \nand it causes problems and we all know that. My question is \nsomewhat I guess segueing with the gentlewoman from South \nDakota's question. I also sit on the Veterans Affairs Committee \nand we have been through this numerous times. I am one of the \npeople who received one of those 26 million letters last year, \nand to sit in there several weeks ago and listen to the people \nfrom the VA tell us that since that time the incident that lost \n26 million, we have had in excess of 100 such breaches of \nsecurity that lost personal data. This was after all the \nscrutiny had been brought down on them. It had been when their \nresources were reallocated and everything. We are still having \nthat.\n    My question is maybe a little broader and to ask you with \nyour experience on this, is there any sharing of lessons \nlearned and best practices amongst agencies in the U.S. \nGovernment, or are you convinced that the systems technology \nthat you have is so vastly different from the VA that the \nprotocols they are following or not following would not apply \nto you? I am just wondering what type of sharing happens \namongst agencies when it comes to IT.\n    Mr. Christopherson. Well, I will let Mr. Combs answer a \npiece of that because obviously the CIO's organization has the \nability to share information and I know that they do. As well \nas the information between the CIOs, I can tell you that we \nread reports and information from various aspects of the \ngovernment to understand where this information actually gets \ndisclosed, et cetera. This is a learning game obviously. These \npeople out there are smart that look at these systems. 
We are \nconstantly on the educational phase of this to make sure that \nwe can stay ahead of the game.\n    Mr. Walz. And who does your internal audits and oversees \ninternal IT? What is the entity that does that internally \ninside USDA?\n    Mr. Christopherson. That is our OIG, the Inspector General \ngroup.\n    Mr. Walz. Okay. And you think they are fully funded? The \nproblem we had in the VA system was that they told us when we \nasked them, ``Do you have the resources to do all the \ninspections you need,'' they said no point blank. And then we \nasked them, ``If they were seen as a part of the solution or if \nthey were seen as a watchdog to keep at arm's length,'' and the \nanswer wasn't quite as I would have liked it to be. How do you \nthink the IG is viewed inside USDA?\n    Mr. Christopherson. I can tell you, we work closely with IG \nand they have a high-quality group. Some of our audits and \nthose type of functions are actually procured on the outside \nwith large firms because we are a large agency. We have a lot \nof work that has to be accomplished when it comes to the audit \nfunctions but our Inspector General's group is a very high-\nquality group. They seem to be very knowledgeable. They \nactually bring a lot to the plate as we have these discussions \nand we are actively moving forward with them.\n    Mr. Walz. Super. I appreciate your time and your answers. I \nyield back, Mr. Chairman.\n    The Chairman. I thank the gentleman.\n    Mr. Donnelly.\n    Mr. Donnelly. Thank you, Mr. Chairman.\n    During the testimony, we are looking at completing \ninventory of the systems, memos are dated back to June of 2006, \nand I guess the question I have is, is how did we miss it when \nsomebody found it on Google?\n    Mr. Christopherson. This was actually, it was embedded in \nthis 15 digit number. Unfortunately it was the one area that \nwas missed. This information as we look back at it was an \nautomated function. It sent out the information. 
We looked, we \ndidn't see any other areas inside of USDA where we had this \nissue. Now, that being said, we are going to go back and re-\nevaluate all the information that we send outside as well as \nthe systems again. We are not happy that this happened. I \nrealize that Congress is not happy but we are very unhappy. We \nhave worked hard over this last year to try to make sure that \nwe had the regulations, the training to make sure from the \nsystems to the process to the desk procedures, that everybody \nunderstood what their responsibility was and that this \ninformation was evaluated.\n    Mr. Donnelly. The IT services, are any of them contracted \nto a private company at this time? Because I am on the Veterans \nCommittee as well. One of the things we saw in Walter Reed that \nthere were private contracting issues in a lot of the \ndifficulties there. I was wondering if we are doing private \ncontracting of our IT services at the USDA.\n    Mr. Christopherson. We do do some private contracting of IT \nservices and we have agreed that for the record we would \nactually disclose information concerning those contracts. In \nsome aspects and especially this is one of them, to have \nactually contractors that specialize in this is very important. \nPart of my background is actually as an executive responsible \nfor a private entity that was specialized basically for our \ncustomers trying to break into their systems. It is very \nspecialized. It is very expensive labor who does this and it is \nvery important that we have services like that retained. So \nthere are instances where this becomes very important in a \nskill set in order to have it contracted and available.\n    Mr. Donnelly. So it is not a skill set that we went private \nto save a few bucks, it is that they have some skills that we \nmay not have internally in the USDA?\n    Mr. Christopherson. That is correct. 
So in other words, \nwhat would happen would be that because this is ever changing, \nit takes a breadth of experience, they learn things by working \nwith multiple customers. It is important at times that we do \nhave these groups that are available to provide this service \nversus having our internal groups that see the same thing day \nin and day out.\n    Mr. Donnelly. When I go home this weekend and talk to some \nof the farmers back home in Indiana, how do I restore their \nfaith in this system when they say, ``Joe my information is \nright there online,'' how do we rebuild that confidence?\n    Mr. Christopherson. Like I said, we regret that this \nhappened. I realize that regret doesn't actually help out the \nproducers out there but we are taking all the steps that are \navailable to us in order to take care of this.\n    Mr. Donnelly. So we tell them we are in full speed on \nfixing that?\n    Mr. Christopherson. We are on full speed on fixing that.\n    Mr. Donnelly. My last question would be, one of these loans \nthat comes through and it happens today, and I apologize if I \nmissed this earlier but what would I find on the computer today \nfor one of these loans or disclosures that is out there?\n    Mr. Christopherson. We have actually redacted that field \nout of the system at this time and we are looking at what kind \nof a numbering system we are going to use to replace that.\n    Mr. Donnelly. Okay. So everything, if you go on that site \nnow, they are all gone?\n    Mr. Christopherson. They are all gone.\n    Mr. Donnelly. Thank you very much.\n    Thank you, Mr. Chairman.\n    The Chairman. I thank the gentleman.\n    I am going to invoke the chair's prerogative here to ask \none question because the Ranking Member and I have kind of the \nsame question. 
In your statement here, you say that pursuant to \nthe direction from OCIO last summer, that USDA agencies \nsearched for the presence of Social Security Numbers in the \nsystem but the FAINs eluded attention because the sensitive \ninformation was not readily apparent when viewing the \naggregated data. It is hard for me to understand how you could \nhave looked at this and not seen it. Is it because you had the \ncomputers look and the computer couldn't figure this out? If \nsomebody, if an actual person would have looked at this, it \nwould have probably jumped out at you if you would have seen \nit. You know, how did that happen? How could you be actually \nlooking for this since last summer and it gets missed?\n    Mr. Christopherson. Well, during our reviews we were \nactually fairly specific in the way that we asked for the \ninformation in the questions. We may have been too specific.\n    The Chairman. But was it just done by computer?\n    Mr. Christopherson. No, it was actually just done by \ncomputer. It was actually accomplished by our IT professionals.\n    The Chairman. No, but I mean, did anybody actually look at \nany of this stuff or did you just run a computer program trying \nto identify it?\n    Mr. Christopherson. No, people actually did look at the \nstuff, but it just was not in the format that if you were to \nlook at it that it was very apparent. It took a number of \nyears. This has been out there for a long period of time and \nobviously personal information--\n    The Chairman. But how could it be in a format so this \nperson whoever discovered this could figure it out and you guys \ncouldn't?\n    Mr. Christopherson. Because this person actually knew their \nnumber and so as they were looking, they saw their number in \nthere and they alerted us. You know, once again, like I said, \nwe are going back to look at our procedures and we are \naddressing this as we look to go forward. 
We will review, we \nwill look, we will review again and look again.\n    The Chairman. Well, so, because there were numbers ahead of \nthe Social Security Number and numbers after the Social \nSecurity Number, it just looked like one big long 15 digit \nnumber? Is that basically what the deal is?\n    Mr. Christopherson. That is actually correct. There are \nnumbers in this field. There are 15 digit numbers and by just \nlooking at it blankly, if you didn't know, if it wasn't your \nnumber that was in there, it is not necessarily fully apparent.\n    The Chairman. I guess I can see that, although being a CPA \nand having looked at Social Security Numbers on thousands and \nthousands of tax returns, I probably would have figured it out, \nbut there might not be many people like that.\n    Mr. Christopherson. There actually is a copy of what the \nnumber would look like, Mr. Chairman.\n    Mr. Combs. Mr. Chairman, if I may, let me show you an \nexample of--I don't know whether you can read it there or not \nbut this is a 15 digit number and can you see the numbers in \nthere, Mr. Space? Do you recognize anything in there?\n    The Chairman. That is too far away for me to see.\n    Mr. Combs. Let me show it to you again. Here is the same \nnumber but I have highlighted in yellow. In the middle of this \nnumber is the telephone number of the switchboard for the House \nof Representatives, and those of us who have called that number \nwould probably look at that say, ``Oh, that is the switchboard \nnumber.'' But if you didn't know that, this is just 15 digits. \nAnd so that is the theory. If it is not your Social Security \nNumber, it is just 15 digits.\n    The Chairman. I can see that, but like in my part of the \nworld, I suppose you have to look at four or five of them but \nthe Social Security Numbers, the first three digits are all the \nsame generally. They are within a range. 
And so people that \ndeal with it a lot probably would see it after looking at four \nor five of them. I suppose if you were sitting out here in \nWashington and looking at Social Security Numbers in some \nstates, you would not correlate it. So that is why the eyes on \ndidn't come up with anything. And the computer, you didn't run \nany computer programs to see if you could identify any Social \nSecurity Numbers? Why wasn't that done?\n    Mr. Combs. The embedded nature of this is the issue.\n    The Chairman. You wouldn't have been able to pull it up?\n    Mr. Combs. There are programs that in hindsight now you can \nsearch, there are ways to search for embedded information but \nwe did not have that tool available to us, no, sir.\n    Mr. Goodlatte. I just want to clarify. So in other words, \nthe woman who I cited in my opening statement who looked on the \nInternet, did a search in her name and her name showed up with \na number after it, she was looking at a 15 digit number, not a \nnine digit number?\n    Mr. Christopherson. She was looking at a 15 digit number \nwithout any dashes or anything like that in it.\n    Mr. Goodlatte. And noticed that her Social Security Number \nwas contained within those 15 digits?\n    Mr. Christopherson. That is correct.\n    Mr. Goodlatte. Do you know what the other six digits \nrepresented?\n    Mr. Christopherson. It had to do with the county offices \nand the state number.\n    Mr. Goodlatte. Thank you, Mr. Chairman.\n    Ms. Foxx. Mr. Chairman?\n    Mr. Chairman. The gentlelady from North Carolina.\n    Ms. Foxx. I have thought of a question I wanted to ask. Did \nI hear you all say that the creation of these numbers first \noccurred 11 years ago? Is that what you said?\n    Mr. Christopherson. I believe it actually occurred, from \nwhat my staff has briefed me on, about 26 years ago, if not \nbefore that.\n    Ms. Foxx. So there have been several Administrations since \nthis number was created?\n    Mr. Christopherson. 
It has been several years since this \nnumber has been created.\n    Ms. Foxx. Okay. Thank you.\n    The Chairman. I thank the gentlelady.\n    The gentleman from North Dakota, Mr. Pomeroy.\n    Mr. Pomeroy. Mr. Chairman, I thank you for this hearing and \nI appreciated your line of questioning.\n    This isn't something that maybe would have come to light at \n30,000 feet but somewhere in USDA someone is in charge of these \ndatabases. That is their job, their job is to make sure that \nyou are not revealing taxpayers' sensitive information in any \nway and so it is not really a matter, Mr. Combs, of looking at \na number on a page and whether a layman in 2 seconds is going \nto draw anything from it or not. Someone didn't do their job. \nYou pay someone to make sure these databases are appropriately \nmaintained and to protect the public information concealed \nbehind those databases and somebody didn't do their job, and I \ntrust that USDA feels bad about it. I know the professionalism \nof the men and women that work there, but it is completely \nunacceptable, and I tell you, there is a lot of concern out \nthere about just who and what is going after these numbers. \nNow, I understand you have a universe of 92 people that have \ntaken these numbers, some set of folks that have these numbers, \ndownloaded them. I would like to know a little more about your \ninvestigation into who has these numbers and why they have them \nand are you getting them back without them having been copied \nin the meantime.\n    Mr. Christopherson. This database actually--people who have \nthese numbers, one of them is obviously the watch group that we \nhad discussed earlier. A lot of them have to do with states and \nuniversities that have this information. We have actively \ncontacted them.\n    Mr. Pomeroy. I want to know, is the number 92?\n    Mr. Combs. I will be happy to answer that.\n    Mr. Pomeroy. Sure, Mr. Combs.\n    Mr. Combs. 
The number of entities that were on a \ndistribution list from the Bureau of Census for the FAADS \ndatabase of which I believe even Congress, states and a lot of \nthem were government entities, but there were 92 of those who \nsubscribe to a regular distribution every quarter of this FAADS \ndatabase from the Bureau of Census, and it is those people and \nentities that we have contacted. We have attempted to contact \nall 92 of them. Some of them are from years and years ago so \nthey are bad numbers and so forth. But every one of those to a \nperson and an entity that we have contacted has agreed to \ndestroy or certainly redact the information that they had \nreceived. They appreciated the problem. And on the other side, \nthe concern is, are there other websites or entities that may \nhave gotten this information, and my organization has contacted \nall of the major search engine companies, every entity we can \nthink of that might have had a reason to download this same \ndatabase and put it up someplace. I have personally contacted \nabout eight senior executives within these major corporations \nand they have gone back and searched and came back to me and \naffirmed that they did not or they could not find any reference \nto where this data was available. So as we discover new places \nto look and ask, we are not just assuming, we are picking up \nthe phone or e-mailing or every means we can to contact these \npeople and make sure it is not there.\n    Mr. Pomeroy. I appreciate that and I think that we would \nappreciate, I would put in a request that you submit to the \nCommittee a follow-up based on the universe of 92 and what has \nbeen the conclusion. I don't even care if you name the 92 or \nnot but just how many, has this been resolved, how many are \nstill in discussion, how many haven't been contacted.\n    Mr. Combs. We will be happy to do that, sir.\n    Mr. Pomeroy. Now, where are you on the project with the 92?\n    Mr. Combs. 
At the current time, we have basically attempted \nto contact all of them and have sent out some--some of them we \nhad e-mail addresses for and we have not heard back from. I \nwould say our activity on the contacting, the proactive part is \nfinished. We have done every possible method of communicating \nwith these folks that we can. It is the hearing back from some \nof them that we have--we need to close the book on that at some \npoint.\n    Mr. Pomeroy. My own thought is, the sensitivity of this \ninformation is of a high enough concern to where personnel \nought to get on airplanes and go fly down and track some of \nthese people down or however you might work it through offices \nin the states. Let us get that completed.\n    Mr. Christopherson. We agree. As of our briefing this \nmorning, about 65 percent of these people were actually \ncontacted, and just to set the record straight, it wasn't this \nperson's actual Social Security Number that was embedded that \nhas contacted us. It was actually their employer ID number that \nis actually assigned by the IRS.\n    Mr. Pomeroy. So it is not their Social Security Number, it \nis the employer ID number?\n    Mr. Christopherson. For the person who actually contacted \nus.\n    Mr. Pomeroy. What about the information of the taxpayers \nthat has been disclosed? It is my understanding that Social----\n    Mr. Christopherson. Those are Social Security Numbers. I \njust wanted to make sure that that was clear between the two \nfor the record.\n    Mr. Pomeroy. I appreciate that. You said 65 percent of the \n92 have been contacted?\n    Mr. Christopherson. That is correct.\n    Mr. Pomeroy. That is not very good. I mean, you have \ntestified that you understand this is of the highest concern. \nWell, then let us get 100 percent nailed down now. 
This is a \nmistake that shouldn't have happened and I believe the book \nneeds to be closed on getting ahold of each group to whom the \ninappropriate distribution was made quickly.\n    Mr. Christopherson. I understand your concern, and we will \nadequately attempt to make sure that we contact these people.\n    Mr. Pomeroy. I would like to see a little more urgency on \ngetting that 65 percent to 100 percent, to be frank. Thank you.\n    The Chairman. I thank the gentleman.\n    The gentlelady from Ohio, we have about a minute or 2.\n    Mrs. Schmidt. I am going to be very quick. This isn't the \nfirst time we are going to have this kind of a problem. When I \nwas in college many, many years ago, we had to put our Social \nSecurity Number on every test and every booklet. With the age \nof the Internet and mass communication, we are going to see \nmore and more of this issue. What kind of ideas do you have to \ngo forward not from just the USDA but any other department that \nhas to keep track of who we are, how to identify, and allow \nother agencies to figure out you are working with the same \nperson other than a Social Security Number? I know that is a \nlot and you have got about 30 seconds to answer and you can \ncall me later if you need to.\n    The Chairman. All right. I thank the gentlelady. You will \nsubmit that answer in writing?\n    Mr. Christopherson. We will submit that for the record.\n    The Chairman. And we may have some other questions that we \nwill be asking for you to answer in writing. We appreciate you \nbeing with us today and I look forward to you keeping us \nupdated on how you are doing.\n    Mr. Christopherson. Thank you, Mr. Chairman.\n    The Chairman. I thank everybody, and the Committee stands \nadjourned.\n    [Whereupon, at 2:30 p.m., the Committee was adjourned.]\n           Questions for the U.S. 
Department of Agriculture *\n      \n---------------------------------------------------------------------------\n    * At the time this hearing went to press the responses were not \nsubmitted.\n---------------------------------------------------------------------------\nQuestions Submitted by Hon. Bob Etheridge, a Representative in Congress \n        From North Carolina\n    Question 1. How much information technology at USDA is contracted \nout to the private sector? Please distinguish between in-house and \noutside contractors.\n\n    Question 2. How many are under contract?\n\n    Question 3. How are the contracts drawn up? Are they open ended or \nwithin a definitive time?\n\n    Question 4. Are contracts conducted by open bids? If not, how are \nthey conducted?\nQuestion Submitted by Hon. Earl Pomeroy, a Representative in Congress \n        From North Dakota\n    Question. Please report the progress and results of your attempts \nto contact all 92 of the entities who subscribe to the FAADS site. \nNames are not necessary.\nQuestion Submitted by Hon. Jean Schmidt, a Representative in Congress \n        From Ohio\n    Question. Please outline your plans for identifying clients without \nthe use of Social Security Numbers. How will duplication between \nagencies be avoided?\n\n                                  <all>\n</pre></body></html>\n"