b"<html>\n<title> - OBAMACARE IMPLEMENTATION: THE ROLLOUT OF HEALTHCARE.GOV</title>\n<body><pre>[House Hearing, 113 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n        OBAMACARE IMPLEMENTATION: THE ROLLOUT OF HEALTHCARE.GOV\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                         COMMITTEE ON OVERSIGHT\n                         AND GOVERNMENT REFORM\n\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED THIRTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                           NOVEMBER 13, 2013\n\n                               __________\n\n                           Serial No. 113-91\n\n                               __________\n\nPrinted for the use of the Committee on Oversight and Government Reform\n\n\n\n\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n\n\n\n         Available via the World Wide Web: http://www.fdsys.gov\n                      http://www.house.gov/reform\n\n                                _____\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n87-316 PDF                WASHINGTON : 2014\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC \narea (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC \n20402-0001\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM\n\n                 DARRELL E. ISSA, California, Chairman\nJOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, \nMICHAEL R. TURNER, Ohio                  Ranking Minority Member\nJOHN J. DUNCAN, JR., Tennessee       CAROLYN B. MALONEY, New York\nPATRICK T. McHENRY, North Carolina   ELEANOR HOLMES NORTON, District of \nJIM JORDAN, Ohio                         Columbia\nJASON CHAFFETZ, Utah                 JOHN F. TIERNEY, Massachusetts\nTIM WALBERG, Michigan                WM. LACY CLAY, Missouri\nJAMES LANKFORD, Oklahoma             STEPHEN F. LYNCH, Massachusetts\nJUSTIN AMASH, Michigan               JIM COOPER, Tennessee\nPAUL A. GOSAR, Arizona               GERALD E. CONNOLLY, Virginia\nPATRICK MEEHAN, Pennsylvania         JACKIE SPEIER, California\nSCOTT DesJARLAIS, Tennessee          MATTHEW A. CARTWRIGHT, \nTREY GOWDY, South Carolina               Pennsylvania\nBLAKE FARENTHOLD, Texas              TAMMY DUCKWORTH, Illinois\nDOC HASTINGS, Washington             ROBIN L. KELLY, Illinois\nCYNTHIA M. LUMMIS, Wyoming           DANNY K. DAVIS, Illinois\nROB WOODALL, Georgia                 PETER WELCH, Vermont\nTHOMAS MASSIE, Kentucky              TONY CARDENAS, California\nDOUG COLLINS, Georgia                STEVEN A. HORSFORD, Nevada\nMARK MEADOWS, North Carolina         MICHELLE LUJAN GRISHAM, New Mexico\nKERRY L. BENTIVOLIO, Michigan        Vacancy\nRON DeSANTIS, Florida\n\n                   Lawrence J. Brady, Staff Director\n                John D. Cuaderes, Deputy Staff Director\n                    Stephen Castor, General Counsel\n                       Linda A. Good, Chief Clerk\n                 David Rapallo, Minority Staff Director\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on November 13, 2013................................     1\n\n                               WITNESSES\n\nMr. David A. Powner, Director of IT Management Issues, U.S. \n  Government Accountability Office\n    Oral Statement...............................................     9\n    Written Statement............................................    11\nMr. Henry Chao, Deputy Chief Information Officer, Deputy Director \n  of the Office of Information Services, Centers for Medicare and \n  Medicaid Services\n    Oral Statement...............................................    28\n    Written Statement............................................    30\nMr. Frank Baitman, Deputy Assistant Secretary for Information \n  Technology and Chief Information Officer, U.S. Department of \n  Health and Human Services\n    Oral Statement...............................................    38\n    Written Statement............................................    40\nMr. Todd Park, Chief Technology Officer of the United States, \n  Office of Science and Technology Policy\n    Oral Statement...............................................    44\n    Written Statement............................................    45\nMr. Steven VanRoekel, Chief Information Officer of the United \n  States, and Administrator, Office of Electronic Government, \n  Office of Management and Budget\n    Oral Statement...............................................    46\n    Written Statement............................................    48\n\n                                APPENDIX\n\nA letter to Chairman Issa from Ranking Member Cummings submitted \n  for the record by Chairman Issa................................   148\nPages 151-152 of Henry Chao's transcribed interview submitted for \n  the record by Chairman Issa....................................   150\nUSA Today article submitted for the record by Chairman Issa......   152\nCMS memo dated Sept 3, 2013 submitted for the record by Chairman \n  Issa...........................................................   155\nHouse Republican Playbook submitted for the record by Rep. \n  Cartwright.....................................................   162\nIT Critical Factors Underlying Successful Major Acquisitions Link   179\n\n \n        OBAMACARE IMPLEMENTATION: THE ROLLOUT OF HEALTHCARE.GOV\n\n                              ----------                              \n\n\n                      Wednesday, November 13, 2013\n\n                   House of Representatives\n      Committee on Oversight and Government Reform,\n                                           Washington, D.C.\n    The committee met, pursuant to call, at 9:35 a.m., in Room \n2154, Rayburn House Office Building, Hon. Darrell E. Issa \n[chairman of the committee] presiding.\n    Present: Representatives Issa, Mica, Turner, Duncan, \nMcHenry, Jordan, Chaffetz, Walberg, Lankford, Amash, Gosar, \nMeehan, DesJarlais, Gowdy, Farenthold, Lummis, Woodall, Massie, \nCollins, Meadows, Bentivolio, DeSantis, Cummings, Maloney, \nNorton, Tierney, Clay, Lynch, Cooper, Connolly, Cartwright, \nDuckworth, Kelly, Davis, Welch, Cardenas, Horsford, and Lujan \nGrisham.\n    Also Present: Representative Kelly.\n    Staff Present: Richard A. Beutel, Majority Senior Counsel; \nBrian Blase, Majority Professional Staff Member; Molly Boyl, \nMajority Deputy General Counsel and Parliamentarian; Lawrence \nJ. Brady, Majority Staff Director; Joseph A. Brazauskas, \nMajority Counsel; Caitlin Carroll, Majority Deputy Press \nSecretary; Sharon Casey, Majority Senior Assistant Clerk; Steve \nCastor, Majority General Counsel; John Cuaderes, Majority \nDeputy Staff Director; Adam P. Fromm, Majority Director of \nMember Services and Committee Operations; Linda Good, Majority \nChief Clerk; Meinan Goto, Majority Professional Staff Member; \nTyler Grimm, Majority Professional Staff Member; Frederick \nHill, Majority Staff Director of Communications and Strategy; \nChristopher Hixon, Majority Chief Counsel for Oversight; \nMichael R. Kiko, Majority Legislative Assistant; Mark D. Marin, \nMajority Deputy Staff Director of Oversight; Laura L. Rush, \nMajority Deputy Chief Clerk; Peter Warren, Majority Legislative \nPolicy Director; Rebecca Watkins, Majority Communications \nDirector; Krista Boyd, Minority Deputy Director of Legislation/\nCounsel; Aryele Bradford, Minority Press Secretary; Yvette \nCravins, Minority Counsel; Susanne Sachsman Grooms, Minority \nDeputy Staff Director/Chief Counsel; Jennifer Hoffman, Minority \nCommunications Director; Chris Knauer, Minority Senior \nInvestigator; Elisa LaNier, Minority Director of Operations; \nUna Lee, Minority Counsel; Juan McCullum, Minority Clerk; Leah \nPerry, Minority Chief Oversight Counsel; Dave Rapallo, Minority \nStaff Director; Daniel Roberts, Minority Staff Assistant/\nLegislative Correspondent; Valerie Shen, Minority Counsel; Mark \nStephenson, Minority Director of Legislation; and Cecelia \nThomas, Minority Counsel.\n    Chairman Issa. The committee will come to order.\n    The Oversight and Government Reform Committee exists to \nsecure two fundamental principles: first, Americans have a \nright to know that the money Government takes involuntarily \nfrom them is well spent and, second, Americans deserve an \nefficient, effective Government that works for them. Our duty \non the Oversight and Government Reform Committee is to, in \nfact, protect these rights. Our solemn responsibility is to \nhold Government accountable to taxpayers, because taxpayers \nhave a right to know that the money Government takes from them \nis well spent. It is our job to work tirelessly in partnership \nwith citizen watchdogs to deliver the facts to the American \npeople and bring genuine reform to the Federal bureaucracy.\n    Three and a half years ago, closer to four, in a partisan \nvote, the House of Representatives passed the Patient \nProtection Affordable Care Act, commonly referred to as \nObamaCare. The Act gave this Administration more than three \nyears to implement; it gave them virtually unlimited money; it \nensured them that, for all practical purposes, they need not \ncome back to Congress ever again because they created an \nentitlement, one that raised its own money, spent its own \nmoney, created its own rules.\n    The 2400 pages that were passed into law, and then read \nafterwards, now represent tens of thousands of pages of \nregulations that were created by this Administration based on \nhow this Administration wanted a law interpreted, meaning that \nlegislation created three and a half years ago was still being \nwritten in late September.\n    The cornerstone of the President's signature achievement \nincluded a website, Healthcare.gov. This site, and parallel \nsites created by some States, were supposed to make it easy to \nhave an online marketplace. It was, in fact, an attempt to \nduplicate what hundreds, perhaps thousands, of insurance \ncompanies, large and small, around America do well every day.\n    On October 1st, President Obama said using it would be as \neasy as buying an airline ticket on Kayak.com or buying a \ntelevision on Amazon. This is an insult to Amazon and Kayak. On \nthe day of the launch, President Obama should have known the \nharsh lesson we have all learned since that time, and that was \nthey weren't ready. They weren't close to ready. This wasn't a \nsmall mistake. This wasn't a scaling mistake. This was a \nmonumental mistake to go live and effectively explode on the \nlaunchpad.\n    For American people, ObamaCare is no longer an abstraction, \nand it is a lot more than a website. For millions of Americans, \nit is about losing insurance the President promised you can \nkeep, period. For many Americans, it is about premiums going \nup, when you were promised they would go down by $2500.\n    Big businesses lobbied and received an ObamaCare waiver \nthis year. However, the individual, the taxpayer, the citizen, \nthe only real recipient of health care, did not. Individuals \nstill have to pay a penalty if they don't have insurance that \nmeets a Federal standard, a standard of what your Government, \nyour nanny State believes, in fact, you must have. The penalty \nis still in effect, and even if new exchanges don't function. \nThe penalty is in effect even if you planned on keeping the \nhealth care you wanted, period, and discovered it is now gone, \nor have yet to discover, because ultimately, if you are on an \nemployer plan, you may not yet have found out that your \nemployer either cannot afford or cannot receive the health care \nyou have grown accustomed to.\n    The specific reason we are here today is a narrow part of \nthis committee's oversight and legislative authority. It is, in \nfact, to examine the failures of what should have been an IT \nsuccess story. Nearly $600 million, three and a half years, is \nlarger than Kayak ever dreamed of having to set up their \nwebsite. It is larger than eBay spent in the first many years \nof a much more complex site that auctions, in real-time, \nmillions and millions of products a year.\n    We are here to examine the failure of technology not \nbecause the technology was so new and innovative, not because \nthis was a moon shot, not because we needed Lockheed Martin and \nRockwell to come in and invent some new way to propel a ship to \nthe moon; but because we have discovered, and will undoubtedly \ncontinue to discover, that efforts were taken to cut corners to \nmeet political deadlines at the end, that for political reasons \nrules were not created in a timely fashion, that in fact the \nrules that should have been created at the time of the passage \nof the law or shortly thereafter in many cases were still being \ngiven to programmers in September of this year.\n    Now, I recognize that there are divisions on this \ncommittee, as there were when ObamaCare became law. Many \nmembers, including myself, believe that there was and is a \nhealth care crisis in America. It is a crisis of affordability. \nAnd insurance is simply a way to score what that affordability \nis, not to drive down the cost. Many members, including myself, \nopposed this new law because we thought it wouldn't work and it \nhad no systems to actually reduce the cost of health care from \nthe provider.\n    My friends on the other side may correctly note, as I will \nhere, that many Americans are benefitting from ObamaCare at the \ncost of trillions of dollars over a 10-year period. I certainly \nhope so. But divisions over whether or not taxpayer money taken \nand pushed back out to needy who are trying to afford health \ncare is not the subject today.\n    Unfortunately, during the first two years of the ObamaCare \nlaw, under Speaker Pelosi, there was no effective oversight. \nOversight was shut down during the first two years of the Obama \nAdministration, and the Minority pointing out anything was \nignored. Under my chairman, we have tried to correct that, but \nwe have been disappointed by continued obstruction by the \nMinority on this committee, defending the Administration even \nwhen it has failed to deliver the relevant documents, and they \nfind themselves objecting to hearings, witness requests, and \nconstantly engage in petty downplaying of what in fact are a \nserious problem.\n    The Minority today will undoubtedly point out that this \nmust be political, that we are not here because only 1100 \npeople at a time could get on to a website before it crashed, \neffectively, when 250,000 needed to get on it because it was \nthe law and they were mandated. We are not here for that \nreason, the Minority will say; we are here because this is \npolitical.\n    This committee, on a bipartisan basis, has offered \nlegislation that, if the Senate had taken up it and the \nPresident had supported and signed it and it had been \nimplemented in this project, undoubtedly many of the mistakes \nmade we would find would not be made. In fact, the lack of \nbudget authority for a single point on a project of this sort, \nconducted and overseen by somebody who had a success story in \nsimilar operations rising to the level of a $600 million multi-\ncommittee, multi-State website, if that person had been there \nand in charge, I have no doubt that person would not be with us \ntoday because that site would be up and running.\n    On October 10th I joined with Senator Lamar Alexander, a \nmember of the minority in the Senate who finds himself unable \nto get answers, asking Secretary Sebelius to provide documents \nrelated to Healthcare.gov. Unfortunately, on October 28th, a \nmonth in to ObamaCare, I was forced to issue a subpoena because \nof a lack of response from the Administration. To date, HHS has \nnot produced a single responsive document to this committee.\n    In contrast, the committee has received far more \ncooperation, transparency, and document production, receiving \nover 100,000 relevant documents, from the private sector, from \ncontractors working on this project, the very contractors who \nwere blamed on day one as their fault, not a single political \nappointee's fault, not Obama's fault.\n    I know the ranking member and I could fill an entire \nhearing with discussions about our differences, and I have no \ndoubt, in short order, he will air many of them. But for this \nhearing I think we can find agreement. The agreement would be \nsimple: whether you like ObamaCare or not, taxpayer dollars \nwere wasted, precious time was wasted, the American people's \npromise of ObamaCare, in fact, does not exist today in a \nmeaningful way because best practices, established best \npractices of our Government were not used in this case.\n    Now, our Government must quickly grasp the lessons of what \nhappened here in ObamaCare's Healthcare.gov project to better \nand more effectively implement underlying policy changes so \nthis won't happen again. The investigations of this committee \nhave received testimony and have paid documents indicating many \nproblems that led to the disastrous failure to launch on \nOctober 1st. The committee has learned that numerous missed \ndeadlines and ignoring of integrated security testing \nrequirements are still a problem for this system.\n    The ranking member gave to me, and I will put it in the \nrecord, a letter very concerned that some of the documents we \nreceived from contractors, if they got in public hands, would \nbe a roadmap to the security flaws that exist in ObamaCare's \nwebsite today. It is our committee's decision that those \ndocuments will not be released, that we will carefully ensure \nthat any material given to us by anyone that would help hackers \ndiscover more quickly the flaws in ObamaCare's website are not \nmade public.\n    But let us understand the ranking member's statement in \nthat letter says more than I could say, and that is, on the day \nof the launch, and even today, there are material failures in \nthe security of the ObamaCare website, meaning that even though \nwe may not put out the roadmap, hackers, if they can get on a \nwebsite that only accommodates 1100 people at a time, hackers \nin fact may have already or may soon find those \nvulnerabilities. They may soon find your social security number \nor your sensitive information because there was no integrated \nsecurity testing before the launch. And MITRE Corporation and \nothers pointed this out in time for the launch to not have \noccurred until security concerns were properly vetted.\n    The last known security test conducted by the records we \nhave been given--and, again, given by contractors, because the \nAdministration has failed to be in any way honest or \ntransparent in producing documents--show that in mid-September, \nat least as to the Federal marketplace segment of the site, \nthey identified significant findings of risk. Documents from \nthe contractor MITRE identified a chaotic testing environment.\n    According to Mr. Henry Chao, the top operational officer \nfor the marketplace, Administration delays in issuing \nregulations created a compressed time frame for building the IT \ninfrastructure. We know, for example, that HHS did not issue \nany regulations in the three months prior to November 2012 \nelection.\n    Yes, I am saying that it seems sad that you pass a law in \nthe first few months of an administration and, yet, it seems \nthat regulations came to a halt so they would not be out there \nin the marketplace during the President's re-elect. Two years \nis too long after a law that has mandates before you go and \ntell the American people and the website producers what they \nmust do.\n    This committee has learned that a complete integrated \nsecurity testing did not occur, meaning test the pieces, but do \nnot test the entire product was one of the faults at the \nlaunch. That heightens the risk of unauthorized access, non-\nencrypted data, identify theft, and the loss of personal \nidentifiable information. This is not this committee's opinion; \nthis is testimony.\n    The director of CMS stated he was not even aware of some \ntesting results that showed serious security problems in the \nweeks before the October 1st launch. He testified these results \nshould have been shared with him and said the situation was \ndisturbing. HHS offered no further explanation for nearly two \nweeks, until after the committee made a redacted version of the \nkey memo public.\n    At a briefing last week, Tony Trenkle, CMS Chief \nInformation Officer, told investigators he normally signs the \nauthority to operate memos to launch CMS IT projects. In this \ncase, however, and wisely, he determined that he would not sign \nthe Healthcare.gov document, and in fact required a less \nqualified and obviously erroneous signature by Marilyn Tavenner \nto occur on that document.\n    Now, that is kicking it upstairs because you know it isn't \nany good. And although I appreciate a CIO not signing a \ndocument for a site that wasn't ready, I think at the same time \nwe must recognize that there should have been public objection \nto Marilyn Tavenner signing that document for a website that \nclearly was not ready for prime time.\n    Additionally, today we are hearing from a distinguished \npanel of witnesses, and I recognize some of the witnesses, \nparticularly Mr. Park, are busy elsewhere trying to get this \nsite operational. But since we have been in the neighborhood of \nsix weeks into the launch, I trust that hundreds or, if \nnecessary, thousands of the right people have most of their \nmarching orders and that, in fact, it is time for Congress, on \nany committee of jurisdiction, to look over the shoulder of the \nAdministration to ask both what went wrong and, today, not just \nask do you promise, on November 30th, to make it right, but \nwill you in fact commit to the changes in law that would ensure \nthis doesn't happen again.\n    I don't hold this committee hearing today to sell IT \nreform. This committee has already done its job to sell IT \nreform. However, it is essential that you understand that when \nMr. Cummings and I make public billions of dollars worth of \nfailed IT programs, the American people often get a small \nsnippet in the newspaper. So today I think the American people \nshould know this isn't the $600 million unique event. If it \nwere, it would be a different hearing. This is part of a \npattern that occurs due to failure to adhere to the private \nsector's world-class standards for web production. This is a \npattern that includes Schedule C political appointees being \nmore involved than career professionals. This is a pattern that \nhas to stop.\n    Among our witnesses today will be Mr. Dave Powner, a \nGovernment Accountability Officer and an expert in, in fact, \nwhat those practices should have been and what failed on \nHealthcare.gov. I might note for all he is, in fact, a career \nprofessional, a nonpartisan, and an individual who doesn't work \nfor me, doesn't work for the ranking member, but works for the \nAmerican people.\n    I will do the rest of my introduction when the time comes. \nI now will yield to the ranking member.\n    Mr. Cummings. Thank you very much, Mr. Chairman.\n    Good morning to everyone and welcome to our witnesses who \nare here with us today. I want you to know that I appreciate \nyour service and, on behalf of a grateful Congress, we thank \nyou. I thank you for your dedication to ensuring that millions \nof Americans who do not have health insurance will be able to \nobtain quality affordable coverage going forward. This is an \nincredibly admirable goal, and I thank you for everything you \nare doing to make it a reality.\n    Unfortunately, not everyone in this room shares this very \nimportant goal. Republicans opposed the Affordable Care Act in \n2009 and voted against providing health insurance to millions \nof Americans. Over the past three years they have voted more \nthan 40 times to repeal parts or all of the law and eliminate \nhealth insurance for people across the Country. Since they \nfailed at these repeal efforts, they blocked requests for full \nfunding to implement the law. This forced Federal agencies to \ndivert limited funds from other areas.\n    Republican governors refused to set up State exchanges, \nforcing the Federal Government to bear more of the workload. \nAnd to make a political point against the Affordable Care Act, \nRepublican governors refused Federal funds to expand their \nMedicaid programs to provide medical care for the poor, \nincreasing the burden on their own State hospitals. To me, this \nis one of the most inexplicable actions I have ever witnessed \nfrom elected representatives against their own people, the \npeople who elect them; their neighbors, their family members, \ntheir friends, the grocer, the mortician.\n    After all of these efforts, House Republicans shut down the \nentire Federal Government for three weeks in October. Three \nweeks shut down the Government. They threatened to default on \nour national debt unless we repealed the Affordable Care Act. \nAgain, this effort failed.\n    Now they are attempting to use the congressional oversight \nprocess to scare Americans away from the website by once again \nmaking unsupported assertions about the risk to their personal \nmedical information. Let me be clear. The Centers for Medicare \nand Medicaid Services and its contractors failed to fully \ndeliver what they were supposed to deliver, and congressional \noversight of those failures is absolutely warranted. But nobody \nin this room, nobody in this Country believes that Republicans \nwant to fix the website.\n    For the past three years the number one priority of \ncongressional Republicans has been to bring down this law, and \nthat goal, ladies and gentlemen, has not changed. Today they \ncomplain that their constituents are waiting too long on \nHealthcare.gov to sign up for insurance. But is there a \nsolution to fix the website? No. It is to repeal the Affordable \nCare Act and eliminate health insurance for millions of \nAmericans.\n    While repealing the Affordable Care Act indeed would \nreducing waiting times on the website, it would increase \nwaiting times in our Nation's emergency rooms.\n    Mr. Chairman, over the past month, instead of working in a \nbipartisan manner to improve the website, you have politicized \nthis issue by repeatedly making unfounded allegations. In my \nopinion, these statements have impaired the committee's \ncredibility. For example, on October 27th, you went on national \ntelevision and accused the White House of ordering CMS to \ndisable the so-called Anonymous Shopper function in September \nfor political reasons: to avoid ``sticker shock.'' That \nallegation is totally wrong.\n    We have now reviewed documents and interviewed the CMS \nofficials who made that decision, and it was based on defects \nin the contractor's work, not on a White House political \ndirective.\n    Last Thursday you issued a press release with this blaring \nheadline: ``Healthcare.gov Could Only Handle 1,100 Users the \nDay Before Launch.'' This claim is wrong. You apparently based \nyour allegation on misinterpretation of the documents we \nreceived, which relate to a sample testing environment. I \nbelieve the witnesses will expound upon that today.\n    Most troubling of all was your allegation against one of \nour witnesses today, Todd Park, the Chief Technology Officer of \nthe United States of America. You went on national television \nand accused him of engaging in a ``pattern of interference and \nfalse statements.'' Mr. Park is widely respected by the \ntechnology community as an honest and upstanding professional. \nIn my opinion, your accusations denigrated his reputation with \nabsolutely no, absolutely no legitimate basis. As I said to my \nletter to you on Monday, I believe your statements crossed the \nline and I think you owe Mr. Park an apology, not a subpoena.\n    The unfortunate result of this approach is that we may miss \nan opportunity to do some very good work. Our committee has \ndone significant substantive and bipartisan work on Federal IT \nreform, and I applaud you for your leadership in that. And I go \nback to the word, it was indeed bipartisan. We joined in to do \nwhat this committee is supposed to do, to look at the facts, to \nseek the truth, the whole truth, and nothing but the truth, and \nthen bring about reform.\n    Under the leadership above you and our Democratic \ninformation technology expert, Mr. Connolly of Virginia, last \nMarch we passed the Federal Information Technology Acquisition \nReform Act. This bill would increase the authority of agency \nCIOs and provide them with budget authority over Federal IT \nprograms, including hiring. We did that together. We did that \nin a bipartisan way. We put politics aside, rolled up our \nsleeves, and worked together to constructively address these \nchallenges. I hope that that is what today's hearing is all \nabout.\n    And I again thank our witnesses, who I know are working \nvery hard to achieve these goals.\n    With that, I yield back.\n    Chairman Issa. I thank the gentleman.\n    Members may have seven days in which to submit opening \nstatements and other extraneous material.\n    I now ask that my entire opening statement be placed in the \nrecord. Without objection, so ordered.\n    I now ask that the letter from Mr. Cummings, dated November \n6, 2013, to me be placed in the record. Without objection, so \nordered.\n    Chairman Issa. I will now go to our panel of witnesses. We \nwelcome our first panel of witnesses:\n    Mr. Dave Powner is the Director of Information Technology \nManagement Issues at the Government Accountability Office.\n    Mr. Henry Chao is the Deputy Director of the Office of \nInformation Services at the Center for Medicare and Medicaid \nServices, today probably called CMS for the rest of the day, \nand Deputy Chief Information Officer at CMS.\n    Mr. Frank Baitman is the Chief Information Officer at the \nDepartment of Health and Human Services, normally called HHS.\n    Mr. Todd Park is the Chief Technology Officer of the United \nStates.\n    Mr. Steve VanRoekel is the Chief Information Officer of the \nUnited States.\n    Pursuant to the rules, as many of you who have not been \nhere before will see, I would ask that you all rise to take a \nsworn oath. Please raise your right hands.\n    Do you solemnly swear or affirm that the testimony you are \nabout to give will be the truth, the whole truth, and nothing \nbut the truth?\n    [Witnesses respond in the affirmative.]\n    Please be seated.\n    Let the record reflect that all witnesses answered in the \naffirmative.\n    Now, this is a large panel and it is going to be a long \nday, and I suspect witnesses will be asked questions by both \nsides of the aisle, so I would ask that since your entire \nopening statements will be placed in the record verbatim, that \nyou adhere to the time clock and come to a halt as quickly as \npossible when it hits red. Please understand yellow is not an \nopportunity to start a new subject, it is an opportunity to \nwrap up.\n    With that, we will go to our distinguished guest from the \nGAO, Mr. Powner.\n\n                       WITNESS STATEMENTS\n\n                  STATEMENT OF DAVID A. POWNER\n\n    Mr. Powner. Chairman Issa, Ranking Member Cummings, and \nmembers of the committee, we appreciate the opportunity to \ntestify on best practices that help agencies deliver complex IT \nacquisitions. In July I testified before Chairman Mica's \nsubcommittee on 15 failed IT projects and other troubled \nprojects, and now we are faced with one of the more visible \ntroubled IT projects in Healthcare.gov. These complex projects \ncan be delivered successfully when there is appropriate \naccountability, transparency, oversight, expertise, and program \nmanagement.\n    We issued a prior report that showcases seven successful IT \nacquisitions and what allowed them to be delivered \nsuccessfully. This morning I would like to highlight best \npractices from that report and others that would have made a \ndifference with Healthcare.gov. I would like to start by \nhighlighting the importance of FITAR, Mr. Chairman, \nspecifically those sections that increase CIO authorities and \nstrengthen IT acquisition practices.\n    Starting with accountability. Key IT executives need to be \naccountable with appropriate business leaders responsible for \nthe project. This needs to start with the department CIOs and \nfor projects of national importance includes the president CIO. \nAt HHS, CIO authority is an issue GAO reported on just last \nweek.\n    Transparency. The IT Dashboard was put in place in June of \n2009 to highlight the status and CIO assessments of \napproximately 700 major IT investments across 27 departments. \nAbout $40 billion are spent annually on these 700 investments \nand public dissemination of each project's status is intended \nto allow OMB and the Congress to hold agencies accountable for \nresults in performance. Surprisingly, recent Dashboard \nassessments on Healthcare.gov primarily showed a green CIO \nrating. But, interestingly, in March the rating was red, so \nsomething was wrong at that time.\n    Third, oversight. Both OMB, department and agency oversight \nand governance are important so executives are aware of project \nrisks and assure that they are effectively mitigated. We have \nissued reports on OMB and agency TechStat sessions highlighting \nthe importance of these meetings and their excellent results, \nprimarily halting, rescoping, and redirecting troubled \nprojects. We have also recommended that more TechStats needs to \noccur on troubled and risky projects. We are not aware that \nHealthcare.gov was subject to a TechStat review.\n    Fourth, expertise. It is extremely important to project \nsuccess that program staff have the necessary knowledge and \nskills. This applies to a number of areas, including program \nmanagement, engineering, architecture, systems integration, and \ntesting.\n    Fifth, program management. Several best practices increase \nthe likelihood that IT acquisitions will be delivered on time, \nwithin budget, and with the functionality promised. This starts \nwith getting your requirements right by involving end-users, \nhaving regular communication with contractors throughout the \nacquisition process, and adequately testing the system, \nincluding integration end-to-end and user acceptance.\n    There are a number of key questions that can be asked of \nany IT acquisition to ensure that appropriate accountability, \ntransparency, oversight expertise, and program management is in \nplace, and these most definitely pertain to Healthcare.gov. \nThese include:\n    What role is OMB playing in ensuring that this major \nacquisition is on track and specifically how involved is the \nFederal CIO?\n    Is the department and agency CIO accountable and actively \ninvolved in managing risks?\n    Is the acquisition status accurate, timely, and transparent \nas displayed on the IT Dashboard?\n    Are OMB and agency oversight and governance appropriate?\n    Were governance or TechStat meetings held with the right \nexecutives?\n    Were key risks addressed and was there appropriate follow-\nup?\n    Does the agency have the appropriate expertise to carry out \nits program management role and other roles it is to perform? \nIn the case of Healthcare.gov, a key question is whether CMS \nhas the capabilities to act as the systems integrator.\n    And, finally, is the program office following best \npractices throughout the acquisition life cycle, starting with \nhow the project is defined to how it is tested and deployed for \noperations? This would include security testing, assessment, \nand authorization.\n    In summary, Mr. Chairman, OMB and agencies can do more to \nensure that the Government's annual 80-plus billion dollar \ninvestment in IT has the appropriate accountability, oversight, \ntransparency, and best practices to deliver vital services to \nthe American taxpayers.\n    This concludes my statement. Thank you for your continued \noversight in Federal IT issues.\n    [Prepared statement of Mr. Powner follows:]\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n    \n    Chairman Issa. Thank you.\n    Mr. Chao.\n\n                    STATEMENT OF HENRY CHAO\n\n    Mr. Chao. Good morning, Chairman Issa, Ranking Member \nCummings, and members of the committee. Since the passage of \nthe Affordable Care Act, CMS has been hard at work to design, \nbuild, and test secure systems that ensure Americans are able \nto enroll in affordable health care coverage.\n    I serve as CMS's Deputy Chief Information Officer and I am \na career civil servant that has 20 years working at CMS on \nMedicare and Medicaid systems of varying skills. My role has \nbeen to guide the technical aspects of the Marketplace \ndevelopment and implementation to Federally-facilitated a \nMarketplace eligibility enrollment systems in the data services \nHub.\n    I work closely with the private sector's contractors \nbuilding these IT components of Healthcare.gov. I also work \nclosely with my colleagues in CMS who handle other IT and \npolicy aspects of the site, including the Center for Consumer \nInformation and Insurance Oversight, which manages the business \noperations and makes policy decisions that relate to \nHealthcare.gov; the chief information officer who oversees the \naccount creation on Healthcare.gov through management of a \nshared service called the Enterprise Identity Management \nSystem; and the Office of Communications, which is focused on \nthe call center operations and the user experience aspects of \nHealthcare.gov.\n    To facilitate the various key functions of the Federally-\nfacilitate Marketplace, CMS contracted with QSSI to develop the \nHub and CGI Federal to develop the Federally-facilitated \nMarketplace. The Hub facilitates the secure verification of the \ninformation a consumer provides in their Marketplace \napplication with information maintained by other Federal data \nsources such as SSA and IRS. In addition to the Hub, CMS \ncontracted with CGI Federal to build the Federally-facilitated \nMarketplace system which consumers use to apply for health care \ncoverage through private qualified health plans and for \naffordability programs like Medicaid, CHIP, and advanced \npremium tax credits and cost-sharing reductions.\n    The Federally-facilitated Marketplace system consists of \nnumerous modules, each of which was tested for functionality \nand for security controls. Numerous test cases were used to \nexercise the end-to-end functionality of the system. We \nunderestimated the volume of users who would attempt to \nconcurrently access the system at any one time initially in \nOctober, and we immediately addressed the capacity issues in \nthe first few days and continue to actively work on further \nimproving performance and creating a better user experience.\n    Healthcare.gov is made up of two major subdivisions. One \nsubdivision is called Learn and contains information to assist \nand educate consumers about the Marketplace. In addition, a \npremium estimation tool was launched on October 10th to allow \nconsumers to browse health plans without creating a \nHealthcare.gov account on the Get Insured subdivision of \nHealthcare.gov, which contains the online application for \nenrollment.\n    While the premium estimation tool could only sort consumers \ninto two age categories when it was first launched, its \nfunctionality will be expanded to accommodate additional \nscenarios to better fit consumer shopping profiles. This tool \nis different from the FFM application because determinations \nabout consumers' eligibility for insurance affordability \nprograms, Medicaid and CHIP, are specific to the \ncharacteristics of an applicant and his or her household, and \ncould only be calculated when an application is completed, \nafter income, citizenship, and other information is verified.\n    I know that consumers using Healthcare.gov have been \nfrustrated in these initial weeks after the site's launch. \nWhile the Hub is working as intended, after the launch of the \nFFM online application, numerous unanticipated technical \nproblems surfaced which have prevented some consumers from \nmoving through the account creation, application, eligibility, \nand enrollment processes in a smooth and seamless manner. Some \nof those problems have been resolved and the site is \nfunctioning much better than it did initially. Users can now \nsuccessfully create an account, continue through the full \napplication and enrollment processes. We are now able to \nprocess nearly 17,000 registrations per hour, or 5 per second, \nwith no errors. Thanks to enhanced monitoring tools, we are now \nbetter able to see how quickly the online application is \nresponding and to measure how changes improve user experience \non the site.\n    We reconfigured various systems components to improve site \nresponsiveness, increasing performance across the site, but in \nparticular the viewing and filtering of health plans during the \nonline shopping process. We have also made software \nconfiguration changes that have added capacity to improve the \nefficiency and effectiveness of the system.\n    CMS is committed to creating a safe, secure, and resilient \nIT system that helps expand access to quality affordable health \ncare coverage. We are encouraged that the Hub is working as \nintended, and that the framework for a better functioning \nFederally-facilitated Marketplace eligibility system and \nenrollment is in place.\n    [Prepared statement of Mr. Chao follows:]\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n    Chairman Issa. I know this isn't questioning time, but if \nyou can tell us 17,000 are signing up per hour, then why is a \nsubpoena from Ways and Means unanswered as to how many have \nsigned up? Please, don't answer yet. We will get to that.\n    Mr. Baitman.\n\n                   STATEMENT OF FRANK BAITMAN\n\n    Mr. Baitman. Good morning, Chairman Issa, Ranking Member \nCummings, and members of this committee. My name is Frank \nBaitman, and I am the Deputy Assistant Secretary for \nInformation Technology and the Chief Information Officer at the \nU.S. Department of Health and Human Services. I am pleased to \njoin you here today.\n    The Department of Health and Human Services is the United \nStates Government's principal agency for protecting the health \nof all Americans and providing essential human services, \nespecially for those who are least able to help themselves. At \nthe Department level, the Office of the Chief Information \nOfficer serves this objective by leading the development and \nimplementation of an enterprise-level information technology \nframework. HHS is committed to the effective and efficient \nmanagement of our information resources in support of our \npublic health mission, human services program, and the U.S. \nhealth system.\n    The HHS OCIO is responsible for developing the Department's \npolicy framework for IT, including such areas as enterprise \narchitecture, capital planning, records management, \naccessibility, and security and privacy. For example, the \nsecurity arena has a healthy framework that encompasses the \nFederal Information Security Management Act of 2002, OMB \ndirectives, and the National Institute of Standards and \nTechnology's guidance on security and privacy, all of which are \nembodied in the Department's security policies.\n    Our information technology portfolio is sizeable, including \nsupport to a number of grant programs that provide IT resources \nto State, local, and tribal governments in support of the \nprograms administered by HHS. The Department's portfolio also \nsupports everything from common and commodity IT, things like \nhuman resources, email, and accounting systems; to the mission \nsystems that enable research at the National Institutes of \nHealth; to the regulation of drugs and devices at the Food and \nDrug Administration; and to the treatment of patients at the \nIndian Health Services' network of clinics.\n    HHS is a large department, with a diverse set of missions. \nOur operating divisions include the Administration for Children \nand Families; the Administration for Community Living; the \nAdministration for Health, Research and Quality; the Centers \nfor Disease Control and Prevention; the Centers for Medicare \nand Medicaid Services, known as CMS; the Food and Drug \nAdministration; the Health Resources and Services \nAdministration; the Indian Health Service; the National \nInstitutes of Health; and the Substance Abuse and Mental Health \nServices Administration. That is what makes up HHS. And we \nmanage our IT portfolio through a federated governance \nstructure. The vast majority of the Department's IT resources \nare dedicated directly to the appropriations made to our \nprograms and operating divisions, and our governance structure \nreflects that reality. Program-level IT decisions are governed \nand reviewed by our operating divisions.\n    Each of HHS's operating divisions has its own chief \ninformation officer, its own chief information security \nofficer, and an IT management structure; and management of the \ndevelopment of Healthcare.gov was comparable to management of \nsimilar IT initiatives throughout the Department's operating \ndivisions. Indeed, prior IT initiatives that we are all \nfamiliar with, including Medicare.gov and Medicare Part D \nPrescription Drug program were led and developed by CMS, who \nserves as the business owner and developer of Healthcare.gov's \nintegrated eligibility and enrollment system for the Federally-\nfacilitated Marketplace.\n    Since I joined the Department about 18 months ago, we have \nbeen working to restructure and update our IT governance, \nbringing visibility into what the Department buys and builds \nacross all of our operating divisions, and we are now in the \nprocess of putting in place three IT steering committees to \nbring together technology and program leaders from across the \nDepartment to improve our purchasing and management of IT \nresources. These steering committees take a functional view of \nour IT portfolio. We have created one to oversee health and \nhuman service systems, a second to oversee scientific research \nsystems, and a third for administrative and management systems.\n    This governance structure will improve Department-wide \noversight of IT purchases and projects. Secretary Sebelius has \nbeen a strong advocate for transparency into the Department's \nIT portfolio and this new governance structure is designed to \nachieve that outcome. Collectively, these three steering \ncommittees will provide Department-wide guidance to the \noperating divisions' respective IT portfolios and will ensure \nthat we identify and take advantage of opportunities to save \ntaxpayer funds.\n    For example, we are now in the process of establishing a \nVendor Management Office to improve the Department's \nnegotiating position with technology vendors and to make use of \nenterprise-wide license acquisitions. We are always looking for \nways to consolidate investment systems or acquisitions to meet \nthe Department's broad IT portfolio needs more effectively and \neconomically. In the fiscal year 2014 budget process, HHS \nidentified $250 million in reductions within our IT portfolio \nattributable to savings in various commodity IT areas.\n    Chairman Issa. Mr. Baitman, we know how great a job you are \ndoing; that is why you are here today. Could you please wrap \nup?\n    Mr. Baitman. Sure.\n    I appreciate the opportunity to be with you here today.\n    [Prepared statement of Mr. Baitman follows:]\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n    Chairman Issa. Thank you.\n    Mr. Park.\n\n                     STATEMENT OF TODD PARK\n\n    Mr. Park. Good morning, Chairman Issa, Ranking Member \nCummings and members of the committee. Thank you for inviting \nme to testify today on the Administration's ongoing efforts to \ndeliver on the promise of the Affordable Care Act.\n    As U.S. Chief Technology Officer, housed at the Office of \nScience and Technology Policy, I serve as an advisor at the \nWhite House on a broad range of technology policy and strategy \npriorities, ranging from how technological innovation can help \ngrow the economy to how to open up government data to spur \ninnovation and entrepreneurship in the private sector to how \nthe power of technology can be harnessed to improve health \ncare, aid disaster relief, fight human trafficking, and more. \nIn this work, I try to bring the sensibilities of the private \nsector tech entrepreneur that I have been for most of my \nprofessional life.\n    As you know, October 1st was the launch of the new \nHealthcare.gov and the Health Insurance Marketplace, where \npeople without health insurance, including those who cannot \nafford health insurance and those who are not part of a group \nplan, can go to get affordable coverage.\n    Unfortunately, the experience on Healthcare.gov has been \nhighly frustrating for many Americans. These problems are \nunacceptable. We know there is real interest from the American \npublic in having easy access to the new affordable choices in \nthe health insurance marketplace. I believe that as public \nservants we have a shared goal: to deliver to Americans the \nservice they deserve and expect. And since the beginning of \nOctober I have shifted into working full-time on the team that \nis working around the clock to fix Healthcare.gov and bring it \nto the place it should be.\n    The team is making progress. The website is getting better \neach week as we work to improve its performance, its stability, \nand its functionality. As a result, more and more individuals \nare successfully creating accounts, logging in, and moving on \nto apply for coverage and shop for plans. We have much work \nstill to do, but are making progress at a growing rate.\n    I will be happy to try to answer any questions you may have \nabout Healthcare.gov and the progress the team is making. Thank \nyou very much.\n    [Prepared statement of Mr. Park follows:]\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n    \n    Chairman Issa. Thank you, Mr. Park.\n    Mr. VanRoekel.\n\n                 STATEMENT OF STEVEN VANROEKEL\n\n    Mr. VanRoekel. Good morning, Chairman Issa, Ranking Member \nCummings, and members of this committee. Thank you for this \nopportunity to testify on the efforts to improve the management \nof Federal information technology and its relationship to the \nimplementation of the Affordable Care Act.\n    As the Chief Information Officer of the United States, I \nserve as the Administrator of the Office of Electronic \nGovernment and Information Technology, a statutorily created \noffice within the Office of Management and Budget. My primary \nduties are: developing and issuing Government-wide, broad-brush \nguidance and policy; overseeing the development of the \nPresident's $82 billion IT budget; and convening and \nfacilitating Federal IT stakeholders to collectively address \nand resolve complex cross-Government issues.\n    The results from my office have followed these themes: \nflat-lining Federal IT spending since 2009, realizing over $1 \nbillion in savings since 2012 with our PortfolioStat program, \nand facilitating and convening agencies to work on crosscutting \nopportunities and policy such as our work on opening Government \ndata, closing and optimizing our data centers, promoting a new \nwave of cloud computing. My office has also done important work \nin the area of cybersecurity, creating new, secure mobile \ndevice specifications for our Country and protecting Federal IT \ndevices and the network.\n    My involvement in the implementation of the ACA also \nreflects from my role as Federal CIO. I acted as a convener and \nfacilitator of agencies to work through the technical details \nof the cross-agency implementation work of the ACA, primarily \nyielding the cross-agency Data Service Hub feature of the \noverall system.\n    As the committee is well aware, before joining the \nAdministration, I worked in the private sector for nearly 20 \nyears, the majority of which was at Microsoft Corporation. I \nshipped and helped launch many complex products and well-known \nbrands, such as Windows XP, Xbox, and Windows Server. The \nlaunch of each of these projects presented its own challenges. \nMicrosoft is still patching Windows XP, 12 years after I helped \nlaunched it in 2001. Continuous improvement is the nature of \nthese efforts.\n    As you can imagine, connecting multiple legacy IT systems \nacross multiple agencies of the Federal Government is a complex \ntask; however, this is no way an excuse for the problems \nencountered in launching Healthcare.gov. We are taking this \nunacceptable situation seriously and working hard to correct \ncourse.\n    Since October 1st, I am actively helping in the all-hands-\non-deck effort to assist the Department of Health and Human \nServices and the Centers for Medicare and Medicaid Services in \nfixing this system. Given my prior experience in the private \nsector, I acted as a customer advocate, helping to assess and \naddress opportunities to improve the customer experience while \nwe fix the website. Outcomes from this work include updates to \nthe home page of Healthcare.gov and listing alternative ways to \napply for health insurance. Recently, I am involved in the \ntechnical aspects of the site, including monitoring progress \nand advising the team.\n    We share the deep concern of this committee regarding the \ncurrent state of Healthcare.gov and we, as a team, are working \nto improve this site to improve access to affordable healthcare \ncoverage as soon as possible. I look forward to continuing this \nwork after this hearing.\n    Thank you again for the opportunity to appear before the \ncommittee today.\n    [Prepared statement of Mr. VanRoekel follows:]\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n    Chairman Issa. Thank you.\n    I now ask unanimous consent that pages 151 and 152 of Mr. \nChao's transcribed interview be placed in the record. Without \nobjection, so ordered.\n    Chairman Issa. I now ask that the redacted document of CGI \nFederal, which we will call Exhibit 1, I guess, be placed in \nthe record. Without objection, so ordered.\n    Chairman Issa. And I now ask that the CMS document entitled \nHealth Insurance Marketplace Preflight Checklist September \n25th, 2013 be placed in the record.\n    Mr. Cummings. Mr. Chairman?\n    Chairman Issa. Yes.\n    Mr. Cummings. I just want to reserve so I can just see the \ndocuments, that's all.\n    Chairman Issa. That is a committee document that both sides \nhave.\n    [Pause.]\n    Chairman Issa. Without objection, so ordered.\n    Chairman Issa. Mr. Chao, I am going to ask the clerk to \ngive you those documents and, before I start, I am going to \ngive you a very brief understanding of what I am going to come \nback to you on in just a few minutes. But you have made \ntestimony, on pages 151 and 152 of your transcribed interview, \nin a sequence of events that were related to the Minority's \nquestioning of you as to whether or not the Anonymous Shopper \nfunction worked on October 1st. The other document is related \nto that checklist, and we want to make sure you have that \nbefore I ask you any further questions under oath.\n    While he is reading that, Mr. Park, you are here today, and \ntaken away from your other duties, because of a serious concern \nabout what you knew and what the Administration may have had \nyou say, and I want to give you an opening opportunity to \nclarify that. After the October launch, and I will paraphrase, \nyou basically said that the problem with the website was that \nthere were 250,000 simultaneous users; they could have handled \n60,000, but that 250,000 simply slowed it down or brought it to \nits knees.\n    With your opening statement, the opening statements of \nothers, and what you now know, would you like to please, for \nthe record, give us the number of simultaneous users you \nbelieve could have been handled through the portal on day one?\n    Mr. Park. Thank you, Mr. Chairman, for the question. It is \nthe nature of this kind of situation----\n    Chairman Issa. Now, Mr. Park?\n    Mr. Park. Yes, sir.\n    Chairman Issa. I want to treat you with respect, but I have \na very few minutes.\n    Mr. Park. Yes, sir.\n    Chairman Issa. You gave a number. That number was \nerroneous. It couldn't handle 60,000 simultaneous users. \nDocuments that will be placed in the record show that on \nSeptember 30th the system crashed with 1100, and the goal was \nto get to 10,000. Would you like to tell us for the record, \nbased on your working on this, what number the American people \ncould simultaneously be on the site working on day one before \nthe system began to time out?\n    Mr. Park. So, to answer as succinctly as I can, thank you \nfor the question, the information that we had at the time was \nthat CMS had designed the system for 50,000 to 60,000 \nconcurrent users. Right now, if you ask me right now, based on \nwhat I know now, what the system is currently capable of \nhandling, the thing I would be comfortable saying is that the \nsystem has been comfortably handling, at present, about 20,000 \nto 25,000 current users.\n    Chairman Issa. Okay, so it is fair to say, and I will \nparaphrase, on day one, on October 1st, at the launch, some \namount, perhaps greater than 1,100, which was experienced on \nSeptember 30th, and closer to the goal set on September 30th, \nwhich they thought, in documents the committee has received, \nthey could get to 10,000 simultaneous. But on day one, on \nOctober 1st, when this site launched, the site was capable of \nhandling somewhere more than 1,100, perhaps, but less than \n10,000 simultaneous users, and certainly not the 60,000, \n50,000, 20,000, or 250,000 that simultaneously tried to use the \nsite. Is that correct?\n    Mr. Park. So there may be a matter of confusion here, which \nCMS may be better positioned to clarify.\n    Chairman Issa. Okay.\n    Mr. Park. But I believe that the 1,100 number was for a \nparticular unit of capacity.\n    Chairman Issa. Okay.\n    Mr. Park. As opposed to the entire system. But I will \ndefer.\n    Chairman Issa. Right. But the problem is there was a front \ndoor, and that unit of capacity was limited by the front door. \nYou know, I come out of the IT world, I come out of the tech \nworld, but the American people can understand that you are only \nas strong as your weakest link. If you have a bottleneck that \ncauses people trying to get through the site to not be able to \ndo it, to time out, that bottleneck is what determines it. And \nsince, on day one, only 6 people got to the end, I think that \nfor the American people, understanding that whatever the \ncapacity is today, the capacity was insufficient on day one. \nIsn't that correct?\n    Mr. Park. So, sir, just in the interest of providing the \nmost accurate testimony I can----\n    Chairman Issa. I only want to know on day one was the \ncapacity sufficient.\n    Mr. Park. I can't speak to the numbers that you are talking \nabout. But clearly on day one, clearly on day one the system \nwas overwhelmed by volume.\n    Chairman Issa. Okay. Well, Mr. Park, you are going back to \nsomething I hoped you wouldn't do. The volume on day one, and \nmaybe the GAO can answer, the volume on day one was not in \nexcess of what was expected, was it? The volume on day one was \nwhat you would expect if everyone is going on the site to see \nwhat it is all about after three and a half years of waiting, \nisn't it, Mr. Powner?\n    Mr. Powner. Mr. Chairman, I don't have those specifics, but \nI will say this: these volumes we are talking about, if you go \nto examples like IRS on e-filing and the volume they handle \nwith people filing taxes in the eleventh hour, this is the same \nproblem that the IRS deals with on an annual basis. What you \nneed to do is you need to appropriately plan for your \nperformance in stress-testing, and there is fundamental \nquestions whether that was adequate here.\n    Chairman Issa. Well, and that is what we are going to \ndiscover throughout the panel today.\n    Mr. Chao, I told you I would come back to you. You \ntestified under oath, on pages 151 and 152, on the Minority's \nquestions, that basically, and I will paraphrase because of \ntime, this site, the Anonymous Shopper function did not work. \nNow, we have seen a document with CMS on it dated September \n25th that said it passed that test. Is it that you did not know \nit had passed the test when you made your statement saying that \nit failed?\n    Mr. Chao. Well, first off, Chairman, I would like to say \nthat after working with your staff for eight, nine hours, as \nwell as the Minority staff, going through this transcribed \ninterview, I have not had a chance to look at this, so this is \nthe first time I am actually seeing the results of that day, \nso----\n    Chairman Issa. Wait a second. Look, your job is to know \nwhat is in the site. The CMS report that said, and this is \nSeptember, before the launch, that the test had been passed \nsuccessfully on the Anonymous Shopper. You testified that it \nwasn't and that is why it was turned off.\n    Mr. Chao. Correct.\n    Chairman Issa. Are you prepared to say under oath that the \nAnonymous Shopper was turned off by your knowledge, not your \nguess, not your hypothetical, but are you prepared to say the \nAnonymous Shopper was turned off because it failed the test? \nAnd that would be your knowledge based on what you knew.\n    Mr. Chao. My words were not that it was turned on or off. I \nthink that is actually technically incorrect. I said it was not \nmade available because it failed testing. So you hand me this \npage 151, 152, which I have not reviewed as far as correctness \nand accuracy, and I suppose you are handing me this other \ndocument that says----\n    Chairman Issa. Mr. Chao, what we are doing is we are saying \nthat CMS documents show that the Anonymous Shopper tested \npositive, it worked. You said under oath, and I am sorry that \nyou may not have remembered what you said under oath, but when \nthe Minority asked you what is normally nice questions, self-\nserving questions, help you rehabilitate yourself questions, \nthey are on your side, you said effectively that you gave a \nreason, which the ranking member used in his opening statement \neffectively, that the Anonymous Shopper was turned off for \nreasons other than political.\n    Mr. Chao. Because I have----\n    Chairman Issa. We believe the Anonymous Shopper, the easy \nfront door, the I just want to know what it is going to cost \nwas not on, and if in fact if it was on, Mr. Park has said this \nhad different components. That portion could have been much \nmore effective. The American people could have gotten on and \nshopped.\n    Mr. Chao. This line of questions that I was answering about \nAnonymous Shopper is in the context of my knowledge, under \noath, that it did not pass testing, and I have documents that \nshow it did not pass testing.\n    Chairman Issa. Okay, so, when--Mr. Chao, my time has \nexpired, but when HHS and CMS deliver us documents showing that \nit hasn't passed, we can have you back. Right now the documents \nprovided to us by the vendor show that it did pass on a CMS \ndocument. That document is placed in the record. If anyone else \nwould like to understand that you have said it failed test, \nthey said it passed test. This Administration, in their absence \nof transparency, has refused to give us the documents showing \nit failed test, but the document we have today, which says CMS \nall over it, which is in the record, says it passed test. It \npassed the test. You said under oath it failed the test. Our \nproblem is the people you work for won't give us the documents \nso we can fully understand that, just as the people you work \nfor won't answer a simple question to the Ways and Means \nCommittee, which is how many people have signed up, even under \na subpoena.\n    With that, I recognize the ranking member to try to \nrehabilitate your testimony.\n    Mr. Cummings. Mr. Chairman, let me be clear that we have \nstaff who work just as hard as yours. It is not about self-\nserving, it is about getting to the truth, and I would not \ninsult your staff----\n    Chairman Issa. I wasn't insulting your staff.\n    Mr. Cummings. Well, I take it as an insult.\n    Chairman Issa. What I said was that----\n    Mr. Cummings. It is not about self-serving; it is not about \nrehabilitating. It is about trying to get to the truth, period, \nthe truth and nothing but the truth. And I am not going to try \nto rehabilitate, as you said, Mr. Chao.\n    Chairman Issa. Well, maybe you can get him to give us the \ndocuments.\n    Mr. Cummings. I think in a few moments somebody else on \nthis panel will present the documents that there is something \nthat you did not disclose just now that will be brought out to \nshow that your statements are inaccurate.\n    Now, Mr. Park----\n    Chairman Issa. Would the gentleman yield?\n    Mr. Cummings. Of course. Somebody else will bring it up, \nanother member.\n    Chairman Issa. So somebody else will rehabilitate----\n    Mr. Cummings. No, no, no, no, no. No. No. No. Again, we \nwill show you the document that there are some things that you \nhave been blacked out that you have not disclosed, and we will \nshow you those in a few minutes.\n    Now, if I may proceed.\n    Mr. Park, although we have not met before today, I \nunderstand that you have an outstanding reputation in the IT \ncommunity. I did not know this previously, but the cofounder of \nyour former company is Jonathan Bush, of Athena Health, who is \nthe cousin of former President George Bush, is that right?\n    Mr. Park. Yes, sir.\n    Mr. Cummings. I have a quote here that Mr. Bush, the cousin \nof the former president, gave to a reporter a few weeks ago, \nand he says this about you: ``Todd is uniquely thoughtful, \ndedicated, and precise. He is a manic problem-solver, blind to \npartisanship. If there is anyone who can fix the problems with \nthe exchanges, it is Todd.''\n    Mr. Bush also said that you are working so hard to improve \nthe website that you ``spent the first week of October sleeping \non the floor of his office as he tried to help get \nHealthcare.gov off the mat.'' Is that right?\n    Mr. Park. Yes, sir.\n    Mr. Cummings. Well, your reputation certainly precedes you. \nUnfortunately, however, last week Chairman Issa appeared on Fox \nNews and accused you and other political appointees of engaging \nin a ``pattern of interference and false statements related to \nthis site.''\n    That is a serious attack against your integrity. I don't \nwant to get into anyone's intent or motives here, but I do want \nto give you an opportunity to respond directly. And this is not \nunusual for me, because I realize that we are all on this Earth \nfor a short while and that our reputation is all we have. And \nsince those statements were made about you, I would like to \ngive you an opportunity to respond.\n    Mr. Park. Thank you, sir. Thank you for the opportunity. \nAnd, again, I don't take any of this personally; it is a fast-\nmoving situation with a lot going on. So I would just say this, \nthat it was the case, absolutely, that volume was a key issue \nthat hit the site. It is still an issue for the site, although \nwe have greatly expanded and are expanding the ability for the \nsite to accommodate volume. I relayed my best understanding at \nthe time in each of my statements. It is the nature of things \nthat as you do more painstaking diagnosis of a system, you \nlearn more about what you need to do to fix it, and I can say \nnow that, in addition to volume, there are other key issues \nthat have to be addressed with the site in terms of its \nperformance, in terms of its stability, in terms of its \nfunctionality, and there are aggressive efforts happening to do \nthat which are making great progress, so it is getting better \nand better each week with the work of a tremendous team led by \nJeffrey Zients and Ms. Tavenner, of which I am proud to be a \nsmall part. But you have my assurance that at each part along \nthe way, if I am ever asked a question, I will tell you what I \nknow to the best of my ability, my best understanding, and that \nis what I will continue to do as my understanding gets better \nand better.\n    Mr. Cummings. Well, let me ask you this. Did you engage in \na ``pattern of interference and false statements?''\n    Mr. Park. No, I did not. I relayed my best understanding at \nthe time, and I will continue to do that. As my understanding \ngets better, I will relay that, absolutely.\n    Mr. Cummings. Before you were subpoenaed to come here \ntoday, your office wrote a letter describing your extreme \ndemanding workload for the next two weeks and offering to \ntestify in December instead. Was this concern coming just from \nyour office or was it really a legitimate concern of yours that \nyou would be pulled away from the website issues to prepare for \ntestifying here today?\n    Mr. Park. So it has never been a question of if I will \ntestify, it was just a question of when. It had been the hope \nof me and the team that is working to fix the site that I could \ncontinue to focus intensely on helping to fix the site this \nmonth and come back in a few weeks. That being said, I \nunderstand that the chairman came to a different decision. I \nrespect that decision. I am the son of immigrants from Korea. I \nhave incredible love for this Country. I have huge respect for \nthe institution of Congress and its role in our democracy, and \nif the committee wanted me to be here today and decided I \nshould be here today, then I am happy to be here today and make \nthe time to answer your questions.\n    Mr. Cummings. Although I understand that the website----\n    Chairman Issa. The gentleman's time has expired.\n    Mr. Cummings. Mr. Chairman, I just ask for the same amount \nof time you had.\n    Chairman Issa. I let you ask the last question after your \ntime had expired, and it was completed.\n    We now go to the gentleman from Florida for five minutes.\n    Mr. Tierney. Mr. Chairman, I think it was about almost four \nminutes that you exceeded your time by that. Is there----\n    Chairman Issa. I went to one question after the end, which \nwas Mr. Chao, which----\n    Mr. Tierney. Four minutes. I am only asking----\n    Chairman Issa. The gentleman is recognized.\n    Mr. Tierney. Well, you are not going to run a fair hearing, \nyou are just going to go out and do this all the way.\n    Chairman Issa. The gentleman from Florida is recognized.\n    Mr. Mica. Thank you for yielding.\n    It is kind of interesting to see, as ObamaCare implodes, \nhow everybody is running for cover. Yesterday we saw the former \nPresident of the United States, Bill Clinton, throw the current \nPresident under the bus, so to speak, on this issue. Today we \nheard the other side, Mr. Cummings, our Democrat leader, start \nout by citing that the problem with this is Republican \ngovernors, that a lot of them opted for an exchange.\n    Mr. Chao, are these governors Arkansas, Delaware, Illinois, \nMissouri, Montana, aren't they all Democrat governors and they \nopted out of the exchange? Are you aware of that? Well, they \nare, just for the record. But it is interesting to see how they \nrun for cover.\n    I have a question for all of you. Each of you I want to ask \nyou this question. It is obvious that ObamaCare was not ready \nfor prime time from both an IT performance ability and also \nfrom a security standpoint. Were you aware of that, Mr. Powner, \nbefore October 1st?\n    Mr. Powner. GAO did issue a report----\n    Mr. Mica. Were you--okay.\n    Mr. Powner.--in June that there was a lot to do in a \ncompressed schedule, correct.\n    Mr. Mica. Yes.\n    Were you aware of it, Mr. Chao?\n    Mr. Chao. Can you repeat the question again?\n    Mr. Mica. That ObamaCare was not ready from an IT \noperational standpoint and also from a security standpoint for \nprime time on October 1st. Were you aware of it?\n    Mr. Chao. I was aware that there was security testing----\n    Mr. Mica. You were aware that there were problems. Okay.\n    Mr. Chao. And that there were no high findings in security \ntesting.\n    Mr. Mica. I said from an operational. So you thought it was \noperational.\n    Mr. Chao. I am just trying to answer your question.\n    Mr. Mica. Well, operational and security.\n    Mr. Baitman?\n    Mr. Baitman. I was aware that various modules that were to \nbe part of the system were----\n    Mr. Mica. Weren't working.\n    Mr. Baitman.--were being removed.\n    Mr. Mica. Mr. Park, anything on security? Mr. Park, \noperational and security.\n    Mr. Park. As I recall, sir, no.\n    Mr. Mica. Oh, okay.\n    Mr. VanRoekel?\n    Mr. VanRoekel. I am aware that any system, private sector \nor public sector----\n    Mr. Mica. What about the security?\n    Mr. VanRoekel.--needs constant addressing of security.\n    Mr. Mica. What about the security issue?\n    Mr. VanRoekel. Any system needs constant--security needs to \nbe constantly addressed.\n    Mr. Mica. Did you review a document prepared by MITRE that \nreviewed--this hasn't been released yet, but it reviewed the \nsecurity testing and capability?\n    Mr. VanRoekel. No, sir, I didn't see that.\n    Mr. Mica. You did not see this, September 23rd, that \nhighlighted some of the issues? Okay.\n    First of all, it looks like political decisions got us into \nthis strait. You commented, Mr. Chao, to our committee that you \nhad to have regulations in place to go forward to make \ndecisions on the construct, right?\n    Mr. Chao. Correct.\n    Mr. Mica. And there were regulations that were not imposed, \nand I think you also intimated that some of them were stopped \nby the White House prior to the election.\n    Mr. Chao. No, I did not.\n    Mr. Mica. Okay. Mr. Chao, you said the delay in the \nissuance of regulations guidance was a significant problem in \ncompressing the time frame and actually the White House \npressure to stop those regulations coming out before the \nelection, because they didn't want folks to know what was \ncoming. You are not aware of that?\n    Mr. Chao. Well, I think you are paraphrasing from my \ntestimony, which I----\n    Mr. Mica. Okay. Well, here is your comment to our staff: \nYou can't test the system without requirements, so if \nrequirements are coming in late, then obviously you are going \nto be a little nervous. Was that your statement?\n    Mr. Chao. I think that holds true for any----\n    Mr. Mica. That is what we have. That was your statement. \nOkay, so----\n    Mr. Chao. My answer in the context was for any development \nproject that requires requirements in order to build the system \nin a compressed time frame----\n    Mr. Mica. Did you know that security and the testing was \ndone by MITRE, of security, is that correct?\n    Mr. Chao. MITRE and Blue Canopy.\n    Mr. Mica. Okay, both respectable firms. And this is the \nMITRE report. MITRE was unable to adequately test \nconfidentially and integrity of the exchange system in full. \nAre you aware of that?\n    Mr. Chao. Well, that seems actually true and appropriate, \nbecause the full system isn't built.\n    Mr. Mica. But it was never fully tested? Has it been \ntested?\n    Mr. Chao. No. I think what it is referring to is that there \nare other components of the Marketplace program that still need \nto be built.\n    Mr. Mica. Sir, can you sit here and tell us that there are \nnot heightened risk of unauthorized access, non-encrypted data, \nidentity theft, and loss of personal identifiable information?\n    Chairman Issa. The gentleman's time has expired.\n    Mr. Chao. That was----\n    Mr. Mica. And Mr. Powner, can he also answer to that?\n    Mr. Chao. That was my reply in response to a decision memo \nin which we wanted to generally highlight the potential risk \nthat is applicable to any system of this magnitude that is \nservicing the public and collecting information about people.\n    Chairman Issa. Mr. Powner, if you had anything else, \nbriefly.\n    Mr. Powner. Your staff shared that document with me. I \nthink the key is that was an early assessment, not on the \ncomplete system, and a key question going forward is what has \nbeen done in terms of security testing and assessment while the \nsystem continues to be built.\n    Chairman Issa. Thank you.\n    The gentlelady from New York, Mrs. Maloney.\n    Mrs. Maloney. Thank you. I would like to thank all of the \npanelists for their public service and thank the chairman and \nranking member for this oversight hearing. There is a success \nstory in the State that I am privileged to represent, New York \nState. Nearly 50,000 New Yorkers have enrolled in health \ninsurance plans through the New York State health program. \nAlmost 200,000 New Yorkers have completed full applications on \nthe New York State of Health. Additionally, the State's \ncustomer service center operators have provided assistance to \nmore than 142,000 New Yorkers. And the rates for the plans \nrepresent a 53 percent reduction compared to the previous \nyear's individual rates, and in addition to the cost savings, \nit is estimated that nearly three-quarters of individual \nenrollees will qualify for financial assistance. This is \naccording to an official State report from New York. So this is \ncertainly good news.\n    But we do need improvements on the Federal user experience, \nand I would like to ask Mr. Park have improvements been made \ndaily on the website? Are you working to make improvements \nevery day?\n    Mr. Park. Thank you so much for the question, and it is \nterrific news coming out of New York. So the answer to your \nquestion is people are working every day to make things better. \nI would say the site is getting better week by week. Some days \nare better than others, but if you look at the trend line, week \nover week things are getting better. So, for example, one \nmetric of the user experience is what is called system response \ntime. This is the rate at which the website responds to user \nrequests like displaying a page that you want. Just a few weeks \nago that rate was, on average, eight seconds across the system, \nwhich is totally unacceptable. It is now actually under a \nsecond today.\n    Mrs. Maloney. Well, that is really good news. How much \nfaster can the public expect the website to be? Now you are \nunder a second, is that what you are saying?\n    Mr. Park. On average, yes.\n    Mrs. Maloney. On average?\n    Mr. Park. Yes.\n    Mrs. Maloney. Well, can the public expect--can you make it \nany faster than a second?\n    Mr. Park. Yes. The team believes that it can, the team \ndoing this, and we are most of the way, I think, in terms of \naverage response time that we want to be. We want to get it \ndown further. We are also actually, thanks to----\n    Mrs. Maloney. So I would say that reducing wait time has \nbecome a priority, right? And that certainly will help \nenrollment numbers, don't you think, Mr. Park?\n    Mr. Park. That is right. Yes, ma'am.\n    Mrs. Maloney. Okay, great. That is terrific. Now, are \naccounts registering properly at this time? Was that problem \nsolved?\n    Mr. Park. That problem has actually largely been solved. \nThat was, of course, a significant problem up front that folks \nexperienced. But thanks to expanded capacity, thanks to system \nconfiguration changes and code fixes, that problem has largely \nbeen solved. People can actually get through the front door and \nbegin the application process and start shopping for affordable \nhealth options.\n    Mrs. Maloney. So how many registrations can the system \nhandle now? Congratulations on solving that, by the way.\n    Mr. Park. So I believe that the latest number the team \nreports is about 17,000 registrations an hour, and the plan is \nto actually up that in terms of new accounts being created. \nThen, of course, people who have registered previously are \ncoming back and coming back and coming back to keep working on \ntheir application, shop for plans, etcetera.\n    Mrs. Maloney. And how are you reaching out to people who \nmay have been discouraged and encouraging them to come back and \ntry again? Is there any effort to reach out to them or just the \nnotices that it is happening?\n    Mr. Park. Yes, ma'am. So CMS is currently engaged in an \neffort to begin to reach out to folks who actually got stuck in \nthe application process and encouraging them to come back and \nmake it through the front door and start applying for coverage.\n    Mrs. Maloney. Are there resources there to help people \nnavigate the process? I am hearing they are confused often. Is \nthere any resources there to help them figure it out?\n    Mr. Park. Yes, ma'am. There is Help text, there is also the \ncall center, and the team is also working quite vigorously to \nkeep improving the user interface and the flow so that you need \nless help, so that it is more and more clear to you at \nparticular points what to do.\n    Mrs. Maloney. And how are you assessing or distributing the \nfeedback that you are getting from users that have used the \nsystem and want to tell you how they can make it faster? But I \ndon't see how you could make it any faster than a second, quite \nfrankly. But how are you communicating that feedback from \nusers?\n    Mr. Park. You can make it faster, by the way, and so people \nare working on that. But there is feedback coming from a \nvariety of different sources; from users, from folks in the \nfield, from the call center, from testers, and that is actually \nbeing fed into a list dynamically kept on an ongoing basis of \nthings to do in priority order to make the website better and \nbetter.\n    Mrs. Maloney. And I understand that the Hub, the data Hub \nis working well. Is that correct?\n    Mr. Park. The Hub has worked extremely well from day one. \nIt supports actually not just the Federal Marketplace, but all \nthe State Marketplaces, including New York's great success; and \nthat continues to hum along very nicely.\n    Mrs. Maloney. Well, thank you. My time has expired and I \nsee that sleeping on the floor is paying off in your hard work. \nThanks.\n    Mr. Park. The team. It is the team. I am just part of it; \nthe team is doing the work.\n    Mrs. Maloney. Your team. Congratulations. Thank you.\n    Mr. Park. The team.\n    Chairman Issa. I thank the gentlelady.\n    We now go to the gentleman from Tennessee, Mr. Duncan.\n    Mr. Duncan. Thank you very much, Mr. Chairman. While I am \nvery skeptical about the Government's ability to run our health \ncare system, what I am more concerned about or object to more \nis all the sweetheart insider deals that Government contractors \nget under these programs and all the people and companies that \nare getting filthy rich off of these programs.\n    I have an estimate here on the cost of all the technology, \nthe estimate of OMB as of August 30th, before all the problems \nsurfaced, and they said we would spend $516.34 million on the \ntechnology. Now we have seen estimates way above that. So I \nhave a question about that, about how much all this is going to \ncost us to straighten this out and are these going to be \ncontinual costs each year? Are we going to have to spend more \nand more and more on the technology?\n    But secondly, and a greater concern, I have two stories \nhere, one from The Washington Post about 10 days ago and one \nfrom CBS News a couple days later, and they say the \nAdministration knew three and a half years in advance that \nthese problems were going to occur. The Washington Post story \nsays in May 2010, two months after the Affordable Care Act \nsqueaked through Congress, President Obama's top economic aids \nwere getting worried. Larry Summers, director of the White \nHouse's National Economic Council, and Peter Orzag, head of the \nOffice of Management and Budget, had just received a pointed \nfour page memo from a trusted outside health advisor that \nwarned that no one in the Administration was up to the task of \noverseeing the construction of an insurance exchange and other \nintricacies translating the 2,000 page statute into reality.\n    So what I am asking, and I welcome comments from anybody on \nthe panel, how much is all this going to cost to straighten out \nthese problems that we now know that we have? And, secondly, \nhow long is it going to take, when the Administration or you \nall have had three and a half years warning that this was going \nto happen? How much longer is it going to take to straighten \nall this out?\n    Chairman Issa. Mr. Powner, you seem to be giving the best \nanswers.\n    Mr. Powner. I can comment on the cost figure, what we know \nto date. If you look at OMB documentation, there are exhibits \nwhere you report spending by fiscal year, and through the \nfiscal year 2013, so by the end of September, it was north of \n$600 million spent. Now, I will caveat that by saying that did \ninclude IRS costs associated with that and some other \nGovernment agencies; it wasn't just all CMS and HHS.\n    But your question about what it is going to cost to fix, \nthat is where we are kind of blind to that, and I think that is \na key question, how much that will end up being.\n    Mr. Duncan. All right. Does anybody know? If we have spent \n$600 million already, and it is not working, does anybody have \nany idea how much all this is going to cost us in the end? \nNobody knows?\n    Then go to the second question. How long is all this going \nto take? If you have had three and a half years to get ready \nfor this and we had all these promises about you can keep your \nplan, you can keep your doctor, your health care cost premiums \nare going to go down by as much as $2500, and we now know that \nall that was false or incorrect, how much longer is it going to \ntake, another three and a half years to get this straightened \nout?\n    Mr. VanRoekel. I think it is important to note, sir, that \nAmericans are getting insurance today, that the system is \npassing through and people are registering. The focus today, as \nI said in my opening statement, is about continuous improvement \nand making sure that we make that even better and stronger, and \nthat more and more people----\n    Mr. Duncan. Millions are getting their policies canceled \nand more are getting sticker shock because of premium \nincreases, too. But I am just wondering. What I am asking about \nis all the technology. If we have had three and a half years \nthat the Administration has known that this was going to \nhappen, and they couldn't fix it in three and a half years, how \nmuch longer is it going to take us?\n    Chairman Issa. Would the gentleman yield?\n    Mr. Duncan. Yes, sir.\n    Chairman Issa. You know, we have two distinguished \nindividuals from the private sector, and I would suspect that \nat Athena and at Microsoft they knew what their burn rate was, \nthey knew what their time was. In fact, neither of their \ncompanies would exist if they had launched their product quite \nlike this. Even Windows Vista launched better than the Obama \nwebsite.\n    But the gentleman could include their experience in the \nprivate sector, if they would like to compare this launch with \nthe launch of each of their companies.\n    Mr. VanRoekel. I think it is important to note on this the \nway that Federal budgeting and Federal IT is managed and \nempowered, and I think FITAR actually emphasizes this, as well \nas many of the memos and things that I have put out, is \nempowering agencies to do their mission work, to execute \nagainst the budget. We formulate the budget within the Office \nof Management and Budget, and then the Congress and the \nappropriators actually grant that budget to the agencies to \nthen execute; and the tools that we build to track, spend, to \nmake sure that diligence is happening on that are all about \nempowering the agency to make those smart decisions about what \nthey do. So in the private sector it is not directly parallel \nbecause you are not, from our position, on the ground actually \nrunning these programs day-to-day.\n    Chairman Issa. You are begging an angel capitalist to give \nyou one more chunk of money that he may or may not give you.\n    With that, we go to the gentlelady from the District of \nColumbia for her five minutes.\n    Ms. Norton. Thank you, Mr. Chairman. And although you have \ncalled witnesses who are being asked to fix a plane while it is \nin the air, I do believe oversight is appropriate in light of \nthe round of surprises we have had.\n    Let me try to clear something up, Mr. Chairman. Mr. Chao \ngot a round of questions about the preflight checklist, and I \ndo have a document that said testing successfully, yes. I don't \nknow if that means conducted a test or what, because if you \nlook more deeply into the document, and you didn't have this \nbefore you, where you have the CGI checklist, that defect \nreport, it is entirely consistent, Mr. Chao, with what you have \nsaid because this defect report says there were 22 defects.\n    Chairman Issa. Would the gentlelady make that document \navailable?\n    Ms. Norton. I would be glad to make this available to you \nand to the press.\n    I am also troubled by how the committee often pulls the \nWhite House into these matters without any evidence. The White \nHouse, in this case, the rollout is accused of not knowing \nenough and now they have been accused of directing matters with \nrespect to the Anonymous Shopper function. Even the chairman \nhas said that publicly on television.\n    So I would like to ask Mr. Chao about that issue. And the \nquestion really has to do with whether you were forced to \nregister and then shop, whether that change was made from shop, \nthen register to register, then shop; whether that change was \nmade because of the involvement of the White House in any way.\n    Mr. Chao. Absolutely not. It was a decision made on the \nresults of testing. It would be pretty egregious, and I \nunderstand that a lot of folks are wondering why the website is \nfunctioning the way it is, but to consciously know that it \nfailed testing and to then put it into production for people to \nuse is not what we do. We use the best available information, \nand if the test results show that it is not working, we don't \nput it into production.\n    Chairman Issa. Would the gentlelady yield?\n    Ms. Norton. I certainly will, Mr. Chairman, if you will \nmake sure I get my time\n    Chairman Issa. Of course.\n    Would you stop the clock?\n    You know, the gentlelady's information, I have been told, \nthe one that you are referring to, is in fact a roll up to the \ndecision that it had passed. In other words, your document is \nnot inconsistent with it. I think Mr. VanRoekel made it clear \nthat they are still fixing XP, after they no longer support it. \nSo I think the conclusion of the document is clear. You are \nasking Mr. Chao. He is still saying that this thing failed the \ntest, when it in fact documents show it passed the test. Was it \nperfect? No. But if you could only get six people registered on \nday one and only 240 registered on day two, some might say that \nthe website was not passing the test in those first two days \neither. So hopefully that document, you can make it available \nto all of us, but I have been told that that is simply part of \nthe supporting documents for the conclusion that CMS has in \ntheir own documents, which is that that portion which was \nexcluded, and we have been told in testimony that, in fact, \nthey were told by people at CMS to turn it off and that those \npeople were being instructed by people at the White House.\n    Ms. Norton. Let me clear that up, Mr. President.\n    Chairman Issa. Okay.\n    Ms. Norton. I mean Mr. Chairman.\n    Chairman Issa. I just want you to understand that \ncontractors told us----\n    Ms. Norton. Well, Mr. Chairman, let's look at the document. \nLet's have people look at the fine print and decide when these \n22 defects were noted, because I got it in black and white \nhere.\n    Now, you say the White House did not say to turn off the \nAnonymous Shopper, Mr. Chao, was that your testimony?\n    Mr. Chao. Yes.\n    Ms. Norton. Because the allegation of the chairman was that \nthe White House ordered it because they wanted to avoid sticker \nshock. I remember seeing that on, I think, television. Now, \njust let me say something about sticker shock. I had a staff \nmember go on just to test the DC Health Link, which is where we \nall will have to go, and she found that the same--there are 267 \ndifferent policies, insurers on DC Health Link, and she found \nthat the same Blue Cross Blue Shield she is now getting from \nthe Federal employment program she can get for between $160 and \n$220 less. So if there is sticker shock, at least some people \nare finding sticker shock works the other way.\n    But I want to drill down on this decision from the White \nHouse. Was there White House directive that because--the \ndecision came not because--I want to make sure your testimony \nremains, because there has been some difference the chairman \ncited--that there was no White House directive, but the reason \nfor pulling the Anonymous Shopper was because the function \nfailed testing, does that continue to be your testimony?\n    Mr. Chao. Correct. If we would have put it into production, \neven though it is anonymous shopping nor browsing, it requires \nsome attributes about your preferences, your demographics to \napproximate potentially what premium tax credit ranges you \nwould qualify for so that you can then move into shopping or \nplan compare. It didn't work in either calculating the \napproximate premium tax credit, nor did it work in plan \ncompare, so if we allowed people to go through that, they would \nhave gotten erroneous information and that would have been much \nworse than not having it at all.\n    Ms. Norton. I have already pointed to a document. By the \nway, this document is from September.\n    Now, did you get----\n    Chairman Issa. The gentlelady's time has expired. Would you \nbriefly finish?\n    Ms. Norton. Did you get any direction from the White House \nto disable or to delay the shopper function and were there any \npolitical considerations that went into your decision to do so?\n    Mr. Chao. None whatsoever. I look at the facts of whether a \nsystem is going to be ready. And, of course, not everything is \nalways 100 percent perfect, and there are certain tolerances, \nbut in this case it failed so miserably that we could not \nconsciously let people use it.\n    Ms. Norton. Thank you, Mr. Chairman.\n    Chairman Issa. I thank the gentleman.\n    We now go to the gentleman from North Carolina, Mr. \nMcHenry. Could you yield for just 10 seconds?\n    Mr. McHenry. Happy to.\n    Chairman Issa. Thank you.\n    Mr. Chao, if it couldn't calculate the prices properly, is \nit your testimony that when people went through the back door, \nthose six that got through on the day one, that it did \ncalculate what their plan and let them shop through another \npart, a completely different portal?\n    Mr. Chao. If you don't go through what was----\n    Chairman Issa. No, no, no. I have taken six seconds from \nthe man and I don't want to go passed a few seconds.\n    Mr. Chao. If you fill out an online application and you put \nyour information in, you get an eligibility determination, you \nask for financial assistance----\n    Chairman Issa. Yes, you go through everything. But you are \nsaying you didn't get the right price through the same software \nthat would determine the right or wrong price----\n    Mr. Chao. No. Anonymous shopping was using different \nsoftware.\n    Chairman Issa. Oh, yeah. Okay. That remains to be seen.\n    Mr. McHenry, thank you.\n    Mr. McHenry. Mr. Chao, all my constituents care about and \nwant to know is when they log on, is their data, all their \npersonal identifiable information, is that as secure as if they \ndo online banking.\n    Mr. Chao. It was designed, implemented----\n    Mr. McHenry. I mean, that is a yes or no question.\n    Mr. Chao. It was designed, implemented, and tested to be \nsecure.\n    Mr. McHenry. So it was fully tested in best practices under \nthe Federal Government standard for IT proposals.\n    Mr. Chao. Correct.\n    Mr. McHenry. It was?\n    Mr. Chao. It was security assessment testing conducted by \nMITRE and another company.\n    Mr. McHenry. Okay. So it is fully tested as the other IT \nprojects you have overseen into that same standard.\n    Mr. Chao. I am trying to understand what you mean by fully \ntested. It was tested----\n    Mr. McHenry. Fully tested? Holy cow. This is like a new \nlow. Okay, then let me use the----\n    Mr. Chao. There are a lot of----\n    Mr. McHenry. Best practices are a complete integrated \ntesting, is that correct?\n    Mr. Chao. It is tested and prescribed under the FISMA \nframework and NIST controls that are specified as a standard.\n    Mr. McHenry. Okay. So why did your boss resign?\n    Mr. Chao. He didn't resign.\n    Mr. McHenry. Okay. So due to security readiness issues----\n    Mr. Chao. I think he decided to make a career change, which \nI can't speak to.\n    Mr. McHenry. I think it was a fantastic time to hightail it \nout after this great rollout. So let me ask another question. \nSo Marilyn Tavenner signed the authority to operate memorandum. \nTraditionally, would your office sign a memorandum or have you \nsigned previous memorandums on authority to operate?\n    Mr. Chao. Myself, I have not.\n    Mr. McHenry. Has your boss, or previous boss?\n    Mr. Chao. Not that I know of. But I do not manage the ATO \nsign-off process, that is done between the chief information \nofficer and the chief information security officer.\n    Mr. McHenry. Okay. And they would traditionally do it, not \nthe CMS administrator.\n    Mr. Chao. I think you would have to ask them.\n    Mr. McHenry. Okay. Fantastic. We plan to do that.\n    Let me ask you, Mr. Park, you said on USA Today, on October \n6, ``These bugs were functions of volume. Take away the volume \nand it works,'' referring to Healthcare.gov. It was in the \nfourth paragraph. Do you still stand by that statement?\n    Mr. Park. Thank you for the question. What I was \nspecifically referring to----\n    Mr. McHenry. No, no. Do you still stand by----\n    Mr. Chairman, I ask unanimous consent to submit this for \nthe record.\n    Have you seen this USA Today----\n    Chairman Issa. Without objection, so ordered.\n    Chairman Issa. And the question is on the statement, not on \nwhat you would want someone else to believe today.\n    Mr. McHenry. These bugs were function of volume. Take away \nthe volume and it works. Do you still stand by that?\n    Mr. Park. So I stand by the fact that the bugs that the \nreporter was referring to, which were issues users were \nexperiencing in account creation up front, were in fact \nfunctions of volume. What I will say now, based on additional \nunderstanding, is that in addition to volume, which was a \nchallenge, the account creation process was, later on, also \naffected by particular functionality bugs, which have been \nfixed, most of which have been fixed, along with volume \ncapacity expansion and other system configurations----\n    Mr. McHenry. So, Mr. Park, let me tell you a story. I have \na woman named Sue who logged on. She filled out everything \nelse. She did not fill out her middle initial. She got a \nprocessing error. She went back to try to fix it, put in the \nmiddle initial. She had to wait 48 hours to get another update. \nTurns out that her income was not verifiable because she put in \na monthly income. She calls a navigator, the navigator says, \nyeah, we have some problems with that; maybe you can do it on \nan annualized basis. Well, unfortunately, she couldn't get back \ninto the system, so then has to call back for another navigator \nand the navigator says, gosh, we have a little issue here, so \nlet me try an annualized income and put it in on the back end \nthat navigators can do. She is still waiting. She started on \nOctober 1st. She is still waiting to be successfully logged in \nto this website that you said these bugs were functions of \nvolume; take away the volume and it works.\n    This is such a deeply flawed data rollout, and my \nconstituents are most concerned about trying to sign up, much \nless when they do sign up that they don't have their data \nstolen.\n    Mr. Chairman, I yield back.\n    Chairman Issa. I thank the gentleman.\n    Mr. Park, you can answer, if you see a question there.\n    Mr. Park. That would be great. Thank you. So I was actually \ntalking specifically about issues with account creation. There \nare issues downstream as well, and, again, each time I speak \nwith you, each time I speak, I will relay the best \nunderstanding I have and try to be as precise as I can be.\n    Chairman Issa. I thank you.\n    We now go to the gentleman from Virginia, Mr. Connolly.\n    Mr. Connolly. Thank you, Mr. Chairman, and let me begin on \na bipartisan note. Mr. Chairman, you and I helped write, \njoining together, the FITAR Act requiring reform of Federal IT \nacquisition. Mr. VanRoekel, you seem to have been equivocal, \nmaybe, at our last meeting in January when you testified here, \nbut I want to read to you a statement by the President of the \nUnited States. He said, just recently, one of the lessons \nlearned from this whole process on the website is that probably \nthe biggest gap between the private sector and the Federal \nGovernment is when it comes to IT; how we procure it, how we \npurchase it. This has been true on a whole range of projects.\n    A reasonable inference from that statement could be drawn \nthat perhaps we do need some more legislation, some new \nlegislation to free up some of the moribund rules----\n    Chairman Issa. Would the gentleman yield?\n    Mr. Connolly. If we could freeze my time.\n    Chairman Issa. Of course. I couldn't agree with you more \nthat, in fact, one of the lessons that I hope all of us take \nout of this hearing today is that we have two people from the \nprivate sector who know that they would never do a process like \nthis one was done, and yours and my legislation is really about \ntrying to create at least a modicum of similarity in IT \nprocurement in the Federal Government the way it is done in the \nprivate sector. And I thank the gentleman for his comments.\n    Mr. Connolly. I thank the chairman.\n    So I commend to Mr. VanRoekel the statement of the boss.\n    Mr. Chao----\n    Chairman Issa. So now I am the boss?\n    Mr. Connolly. No. Well, you are too.\n    Chairman Issa. Oh, you mean the President.\n    Mr. Connolly. The other boss.\n    Chairman Issa. Ah, yes. His boss.\n    Mr. Connolly. The big boss.\n    Mr. Chao, during your interview with committee staff on \nNovember 1, you were presented with a document you had not seen \nbefore and it was titled Authority to Operate, signed by your \nboss on September 3rd, 2013, is that correct?\n    Mr. Chao. Correct.\n    Mr. Connolly. The Republican staffers told you during that \ninterview that this document indicated there were two open \nhigh-risk findings in the Federally-facilitated Marketplace \nlaunched October 1, is that correct?\n    Mr. Chao. Correct.\n    Mr. Connolly. This surprised you at the time.\n    Mr. Chao. Can I just qualify that a bit? It was dated \nSeptember 3rd and it was referring to two parts of the system \nthat were already----\n    Mr. Connolly. You are jumping ahead of me. We are going to \nget there.\n    So when you were asked questions about that document, you \ntold the staffers you needed to check with officials at CMS who \noversee security testing to understand the context, is that \ncorrect?\n    Mr. Chao. Correct.\n    Mr. Connolly. The staffers continued to ask you questions, \nnonetheless, and then they, or somebody, leaked parts of your \ntranscript to CBS Evening News, is that correct?\n    Mr. Chao. It seems that way.\n    Mr. Connolly. Since that interview, have you had a chance \nto follow up on your suggestion to check with CMS officials on \nthe context?\n    Mr. Chao. I have had some discussions about the nature of \nthe high findings that were in the document.\n    Mr. Connolly. Right. And this document, it turns out, \ndiscusses only the risks associated with two modules, one for \ndental plans and one for the qualified health plans, is that \ncorrect?\n    Mr. Chao. Yes.\n    Mr. Connolly. And neither of those modules is active right \nnow, is that correct?\n    Mr. Chao. That is correct.\n    Mr. Connolly. So the September 3rd document did in fact not \napply to the entire Federally-facilitated Marketplace, despite \nthe assertions of the leak to CBS notwithstanding, is that \ncorrect?\n    Mr. Chao. That is correct.\n    Mr. Connolly. And these modules allow insurance companies \nto submit their dental and health plan information to the \nMarketplace, is that correct?\n    Mr. Chao. Correct.\n    Mr. Connolly. That means those modules do not contain or \ntransmit any personally identified information on individual \nconsumers, is that correct?\n    Mr. Chao. Correct.\n    Mr. Connolly. So, to be clear, these modules don't transmit \nany specific user information, is that correct?\n    Mr. Chao. Correct.\n    Mr. Connolly. So when CBS Evening News ran its report based \non a leak, presumably from the Majority staff, but we don't \nknow, of a partial transcript, excerpts from a partial \ntranscript, they said that security issues raised in the \ndocument ``could lead to identity theft among buying \ninsurance,'' that cannot be true based on what we just \nestablished in our back and forth, is that correct?\n    Mr. Chao. That is correct. I think there was some \nrearrangement of the words that I used during the testimony and \nhow it was portrayed.\n    Mr. Connolly. So to just summarize, correct me if I am \nwrong, the document leaked to CBS Evening News did in fact not \nrelate to parts of the website that were active on October 1, \nthey did not relate to any part of the system that handles \npersonal consumer information, and there, in fact, was no \npossibility of identity theft, despite the leak.\n    Mr. Chao. Correct.\n    Mr. Connolly. Thank you, Mr. Chao.\n    I yield back.\n    Chairman Issa. Would the gentleman yield your 26 seconds?\n    Mr. Connolly. Yes, Mr. Chairman.\n    Chairman Issa. Have you read the November 6th letter from \nthe ranking member to me?\n    Mr. Connolly. Yes. In fact, I think I cosigned that letter.\n    Chairman Issa. Oh, that is good. So the gentleman is well \naware that even today there are significant security leaks that \nthe ranking member was concerned, if discovered, would allow \nhackers to take people's private information, that there is a \nsecurity risk, and that was cautioned by you not to let that \nout. Susannah will give you the answer, if you will just let \nher. Okay, I hear none.\n    Mr. Connolly. I am sorry, I am not following the quote.\n    Chairman Issa. Well, I was trying to let the staff speak to \nyou, but the bottom line is that there are security risks \ntoday, according to you and the ranking member. This website \nstill has vulnerabilities, if discovered, that would lead to \npersonal information coming out, is that correct, in your \nletter?\n    Mr. Connolly. Mr. Chairman, that may be, but I am talking \nabout a deliberate leak that, frankly, distorted reality based \non two modules that were inactive and using that misinformation \nto suggest that it applied to, in fact, the active website.\n    Chairman Issa. But end-to-end security problems in your \nletter do apply to the active website, right?\n    Mr. Connolly. Well, they may, Mr. Chairman, but right now \nmy questioning to Mr. Chao had to do----\n    Chairman Issa. No, I understand you are rehabilitating Mr. \nChao.\n    Mr. Connolly. No, I am not. Mr. Chairman----\n    Chairman Issa. But the question is----\n    Mr. Connolly. Mr. Chairman, Mr. Chairman, let's be fair. I \nam trying to get the facts on the record and correct a \ndeliberate smear against Mr. Chao. Not to rehabilitate him, but \nto, in fact, get the truth out because someone deliberately \nleaked something and distorted it, Mr. Chairman, in the name of \nthis committee.\n    Chairman Issa. No, I appreciate your concern. My concern \nis----\n    Mr. Connolly. I am glad you do, Mr. Chairman.\n    Chairman Issa.--Mr. Chao had the MITRE report and it is \nthat report that, even redacted, you didn't want released \nbecause it shows a roadmap to the vulnerabilities of the site \nas it is today. That is your letter.\n    Mr. Connolly. Mr. Chairman, I began my questioning by \nacknowledging our joint bipartisan effort to in fact try to \nlegislate reforms in IT acquisition. That is an acknowledgment \non my part, and yours, that, in fact, the Federal IT \nacquisition process is broken, whether it is this example or \nsome other. So I have no desire, no motivation to hide \nanything. But I am concerned at a pattern of calling people to \ngive us testimony and cherry-picking their testimony to make a \npolitical point that, frankly, does not serve this committee \nwell in terms of its oversight role and does damage to good \npublic servants' reputation.\n    Chairman Issa. I appreciate the gentleman's bipartisan \nefforts.\n    Mr. Connolly. I thank the chair.\n    Chairman Issa. Mr. Jordan is recognized.\n    Mr. Jordan. I thank the chairman.\n    Mr. Chao, a week ago the President was interviewed last \nThursday and was asked about Secretary Sebelius, and the \nPresident defended his health secretary--I am quoting from the \nChuck Todd interview--defended his health secretary, argued \nthat the website bugs aren't necessarily her fault. ``Kathleen \nSebelius doesn't write code. She wasn't our IT person.''\n    Who is the IT person? Who is the person in charge? Who is \nthe person responsible? Who is the one who signed off on this \nbefore it went public?\n    Mr. Chao. The person that is responsible is our \nadministrator, Marilyn Tavenner.\n    Mr. Jordan. And did she base her decisions on the memo you \nsent her on the 27th, is that right? Isn't that the Authority \nto Operate memo?\n    Mr. Chao. I think that is----\n    Mr. Jordan. I mean, the President talked about IT person. \nMs. Tavenner is not an IT person. Who is the IT person? Is that \nMr. VanRoekel?\n    Mr. Chao. I don't know.\n    Mr. Jordan. Is that Mr. Park? Is it Mr. Chao? Which of you \nis that person?\n    Mr. Chao. I don't know, I didn't speak to the President.\n    Mr. Jordan. No, but he refers to a person. Who would it be? \nWho is the IT person in charge?\n    Mr. Chao. I don't know what the President was referring to.\n    Mr. Jordan. Let me start with slide C3, if I could. The \nfinal report came out October 13th, after October 1st. I just \nwant to read the first: MITRE was unable to adequately test the \nconfidentiality and integrity of the exchange system in full. \nLower down: Complete end-to-end testing of the application \nnever occurred.\n    Doesn't that raise concerns? Did you know about this before \nOctober 1st, Mr. Chao?\n    Mr. Chao. I think that is taken out of context.\n    Mr. Jordan. It is pretty plain language. Didn't test it; no \nend-to-end testing; done before October 1st. And yet the IT \nperson in charge, whoever the President is referring to, \nsomebody said it is okay to start this thing.\n    Mr. Chao. I say it is taken out of context because there \nare still quite a few----\n    Mr. Jordan. Mr. VanRoekel, did you know the results of the \nMITRE testing before October 1st?\n    Mr. VanRoekel. I haven't seen this document, so I would \nlove to----\n    Mr. Jordan. Well, you have the fancy title; you are the \nChief Information Officer of the United States of America. That \nis a pretty big title. And you didn't know about this before \nthe biggest domestic policy program website in the history of \nthis Country ever is launched, and you didn't know about this?\n    Mr. VanRoekel. Sir, I haven't seen this document.\n    Mr. Jordan. Well, that scares us.\n    Mr. Park, you are supposed to be the guy who is going to \nsolve everything; you are Clark Kent coming out of the phone \nbooth here. Did you know about this before October 1st?\n    Mr. Park. I did not.\n    Mr. Jordan. And why is it----\n    Mr. Chao. Would you like me to explain why----\n    Mr. Jordan. I would like someone to tell me why you didn't \nknow that end-to-end testing wasn't done----\n    Mr. Chao. It is not about not knowing; it is that, for \nexample, the first payment to the insurance companies, the \nissuers, are not going to occur until sometime in the first \npart of January. We are still building the system.\n    Mr. Jordan. We just had this. The system all works \ntogether. It wasn't tested all at once.\n    Mr. Chao. We are still building parts of the system to \ncalculate payment, to collect the enrollment data from all the \nmarketplaces and to make that payment----\n    Mr. Jordan. So there is more system to be built. So we can \nexpect more problems in the future to add to the problems we \nhave already seen.\n    Mr. Chao. Security testing is ongoing.\n    Mr. Jordan. Let me ask you this. This, to me, seems to be \nthe billion dollar question. Why didn't you delay this? You \nguys knew there were going to be problems. You hadn't done end-\nto-end testing. Some of your testing we hoped that the tests \nwould work when we presented it to the White House. Why didn't \nyou delay this? Mr. Chao, why wasn't it delayed?\n    Mr. Chao. That is not my decision to make.\n    Mr. Jordan. This, to me, is the thing. The chief technology \npeople don't know, but October 1st is October 1st, a date that \nis in the law? It is not. It is just a date--let me cite you \nthis here. The Washington Post article--and I know I only have \na minute, but The Washington Post article I think is important. \nDavid Cutler sent a memo to the White House, says, you know \nwhat, don't keep the political people in the White House, Nancy \nAnn DeParle, Jeanne Lambrew in charge, bring in outside people. \nLarry Summers agreed with that assessment; Peter Orzag agreed \nwith that assessment, but the President says no, we are going \nto keep Nancy-Ann DeParle in charge of this, kept the political \npeople in charge.\n    In your testimony to the committee, Mr. Chao, you said \nthis, when asked about October 1st, my marching orders were get \nthe system up by October 1st, right?\n    Mr. Chao. Correct.\n    Mr. Jordan. Why? If you have all these problems, why not \nwait?\n    Mr. Chao. I didn't ask why. I said that was my----\n    Mr. Jordan. And what I am suggesting is the folks at the \nWhite House knew this thing had problems, evidenced by the \ntesting that wasn't done end-to-end. They, for political \nreasons, had picked this date, so for political reasons they \nhad to adhere to this date, and the end is, the end result is \nAmericans' personal information is put at risk.\n    Mr. Chao. I tried to correct your perception of what this \nexcerpt was from. It is about a long chain of systems that need \nto be built, and this is a point in time.\n    Mr. Jordan. Mr. Chairman, I have two seconds. Let me just \nfinish with this. We have asked, you and I have asked Ms. \nDeParle, Ms. Lambrew to come in front of this committee next \nweek, and the letter we got back yesterday was they are not \ngoing to come; and they are the people we need because they are \nthe political people in charge. They are the ones who \ndetermined October 1st was the date they needed to move forward \non, and they are the ones who I think ultimately are \nresponsible for putting at risk Americans' personal \ninformation.\n    With that, I yield back.\n    Chairman Issa. Okay.\n    Mr. Powner, there were all these questions and you seemed \nto have an answer you wanted to give on this end-to-end testing \nbefore it was done. Do you want to weigh in at this point?\n    Mr. Powner. Well, I would just reiterate the point that the \nsecurity testing was done early, on an incomplete system, and \nthe fundamental question is what is being done now and how \nadequate is that to date.\n    Chairman Issa. Thank you.\n    Mr. Davis.\n    Mr. Davis. Thank you. Thank you very much, Mr. Chairman. \nMr. Chairman, there has been a lot of information over the past \nseveral weeks regarding the security of Healthcare.gov and \nwhether consumers who use this system are at risk. I would like \nto hear from the witnesses about this matter and separate fact \nfrom fiction.\n    Mr. Chao, the Federal Information Security Management Act, \nknown as FISMA, requires agencies to protect information \nsystems. FISMA specifically requires an authorizing official to \nsign off before an agency begins operating a system. In the \ncase of Healthcare.gov, we have a memo that was signed by \nAdministrator Tavenner on September 27, 2013, entitled \n``Federally-Facilitated Marketplace.'' This memo says that the \nsecurity contractor ``has not been able to test all of the \nsecurity controls in one complete version of the system.'' It \nalso says this resulted in a ``level of uncertainty that can be \ndeemed as a high risk.''\n    Mr. Chao, can you explain how CMS tested various components \nof the system for security risk?\n    Mr. Chao. In general, in most large IT projects that \nrequire several what we call environments that are used to move \nfrom a developer's machine in writing code and to test that \nlocally, and then to put it into a larger environment to test \nwith other code, and you go through this step-wise process of \nconstructing the system. I think what the statement reflects is \nthat in any situation similar to the Marketplace systems, \nsecurity people have to test when they can and when they have a \nwindow. As I mentioned, there is a compressed time line, and \nthat compressed time line affords some ability for security \ntesting to occur as the software is being developed through its \nlife cycle.\n    I think what the memo was just trying to say, and it was \nerring on the side of caution, that as software is continuously \nbeing developed, it was tested in three cycles. So by the end \nof three cycles it had fully tested the necessary functions to \ngo live on October 1st. There are, as I mentioned earlier, \nother system functions that are yet to be built and will \ncontinue to have security testing conducted.\n    So security testing is a point in time. Risk acceptance of \nthat security testing results is a point in time. And then in \nthat memo you will also see that we have applied various \nmitigation steps to try to offset the potential risk that was \nidentified.\n    Mr. Davis. Do you know of any other IT systems, in your \nexperience, that were authorized without completing full system \nsecurity testing?\n    Mr. Chao. I think that there is a slight art in the wording \nof that. I think every system the Federal Government puts into \nlive production needs to have sufficient security testing, per \nFISMA and OMB and NIST requirements. Whether we tested in three \ncycles, whether we tested annually or every three years, \ntesting is an ongoing and ever-present, kind of part of the \nprocess. When we are testing the controls for a portion of a \nsystem that is ready for a particular delivery date, we fully \ntest those. For a portion of the controls for a part of the \nsystem, as I mentioned earlier, in which we do not have to make \npayment on October 1st, that is then tested at a later date, \nwhen that function is ready and needed in order to go into \noperation. So it is an iterative ongoing process.\n    Mr. Davis. Has a security team been established?\n    Mr. Chao. Yes.\n    Mr. Davis. Has CMS been performing weekly testing?\n    Mr. Chao. Yes.\n    Mr. Davis. I have no further questions. Thank you, Mr. \nChairman. I yield back.\n    Chairman Issa. I thank the gentleman for yielding back.\n    We now go to the gentleman from Utah, Mr. Chaffetz.\n    Mr. Chaffetz. I thank the chairman.\n    I thank you all for being here.\n    Mr. Baitman, I would like to start with you. Since the end \nof August, how many times have you personally met with \nSecretary Sebelius?\n    Mr. Baitman. I am not sure, probably once or twice.\n    Mr. Chaffetz. And when was the last time you met with the \nsecretary?\n    Mr. Baitman. I believe that it was during the shutdown. The \nsecretary had regular meetings with senior leadership.\n    Mr. Chaffetz. So you met one time in October?\n    Mr. Baitman. I believe so.\n    Mr. Chaffetz. So you met one time. You are the chief \ninformation officer. You met one time in October with the \nsecretary. My understanding is you engaged a hacker to look at \nHealthcare.gov, correct?\n    Mr. Baitman. CMS asked us to help them with various things.\n    Mr. Chaffetz. But you engaged a hacker to look at the \nsystem.\n    Mr. Baitman. We engaged someone who is called an ethical \nhacker who is on my staff.\n    Mr. Chaffetz. An ethical hacker. When did they start their \nhacking?\n    Mr. Baitman. It was during the shutdown.\n    Mr. Chaffetz. And how long did it take him to complete his \nhacking exercise?\n    Mr. Baitman. I think it is an ongoing activity. But he is \nactually based in Atlanta.\n    Mr. Chaffetz. And then he gave you a report. How many \nserious problems did he find?\n    Mr. Baitman. I don't know if I would call them serious. I \nthink that there were something like 7 to 10 items on that \nreport.\n    Mr. Chaffetz. So you had 7 to 10 items of hacking, some of \nwhich you don't believe are serious, but some are obviously \nserious. What percentage of those have been fully rectified?\n    Mr. Baitman. I turned those over to CMS for their review. \nSome actually weren't systems issues, they included things like \nphysical security as well.\n    Mr. Chaffetz. So you have no follow-up? You have no idea \nwhat percentage of those hacking incidents were rectified?\n    Mr. Baitman. I believe CMS got back to my staff last week \nand said the majority of those had been remediated.\n    Mr. Chaffetz. You don't know what percentage. It is not 100 \npercent.\n    Mr. Baitman. I don't believe it is 100 yet, no.\n    Mr. Chaffetz. So you shared that with CMS. Did you share \nthat with Secretary Sebelius?\n    Mr. Baitman. I have not.\n    Mr. Chaffetz. You are the chief information officer for the \nHealth and Human Services.\n    Mr. Baitman. These are fairly technical items. The \nappropriate place to share them is with the system owner.\n    Mr. Chaffetz. But it is not safe and secure, and I guess \nthat is the fundamental concern, is even after the October \nlaunch, you are the chief information officer, you get a hacker \nwho in a couple days finds probably 10 or so problems and \nchallenges. It is that easy to get in and hack the information. \nThat is the concern.\n    Mr. Powner, is this ready? Following up on Mr. McHenry's \nquestion, is the site, in your opinion, currently as safe and \nsecure as an online banking site?\n    Mr. Powner. I would have to look and assess the security. \nAnd all that stuff that MITRE did and the authority to operate \nis preliminary because it was on--I mean, MITRE said that they \ndidn't test the interfaces. The interface testing needed to \noccur. So all that stuff that is preliminary raised issues, \nbut, again, we----\n    Mr. Chaffetz. Would you put your information in there?\n    Mr. Powner. I would have to see what the security testing \nand assessment has been since then before I was comfortable. I \nhaven't seen it yet, so we are going to look at it.\n    Mr. Chaffetz. Well, the answer is not yet yes.\n    Mr. Chao, would you put all your personal information about \nyou and your loved ones in it?\n    Mr. Chao. Yes. In fact, I have recommended my sister, who \nis unemployed right now, to actually apply.\n    Mr. Chaffetz. Did she successfully register?\n    Mr. Chao. I haven't talked to her lately; she has been out \nof the Country.\n    Mr. Chaffetz. Interesting. And you have this report, then, \nfrom Mr. Baitman, about the hacker's report?\n    Mr. Chao. I do not personally, but as I mentioned earlier, \nthere are security teams in place, including permanent security \nstaff under the chief information security officer that \ncoordinates with franks.\n    Mr. Chaffetz. Mr. Chairman, this is something we obviously \nhave to follow up on.\n    Mr. Park, you are a very bright and talented person. The \nFederal Government is lucky to have somebody of your caliber \nengaged in this process, and it actually gives me comfort that \nyou are looking at this and spending some time in it, but I \nhave a fundamental question that I want to ask you. Have you \never shopped on Amazon.com?\n    Mr. Park. Yes, sir.\n    Mr. Chaffetz. Have you ever showed on eBay.com?\n    Mr. Park. Actually, no.\n    Mr. Chaffetz. We are going to have work with you on that \none.\n    Chairman Issa. As a Californian, I am personally offended.\n    Mr. Park. I would like to.\n    Mr. Chaffetz. Let's go back to the Amazon experience. When \nyou put something in your shopping cart, is that considered a \nsale?\n    Mr. Park. No.\n    Mr. Chaffetz. Thank you.\n    I yield back.\n    Chairman Issa. Would the gentleman yield?\n    Mr. Chaffetz. Sure.\n    Chairman Issa. Mr. Chao, you have been fairly defensive \nabout things being out of context, so I am going to ask \nunanimous consent that the CMS document of September 3rd, 2013, \nthe memorandum, be placed in the record in its entirety. But \nbefore I do so,--well, without objection, so ordered.\n    Chairman Issa. But I want to make something clear. We had \npreviously redacted information. Is there anything in that memo \nthat you believe needs to be redacted? Because otherwise we \nwill put it in in its entirety so there's no question about \nthat.\n    Mr. Chao. I would have to review it.\n    Chairman Issa. Okay, it is in the record now. By close of \nthis hearing, if there is something that needs to be redacted, \nI need to know, because I will consider redacting it.\n    Mr. Cummings. Mr. Chairman?\n    Chairman Issa. Yes.\n    Mr. Cummings. I just wanted to make sure there was no \nsensitive information in there.\n    Chairman Issa. Well, that is the problem.\n    Mr. Cummings. I am just trying to obey the law, Mr. \nChairman.\n    Chairman Issa. This thing is already in the record. If we \nchoose to redact something--the question is that there are \nnumerous things that give us sightings of lines in September \n3rd that clearly this thing wasn't ready for security on \nSeptember 3rd. And when our people questioned you about \nSeptember 27th and there was no end-to-end and security \nconcerns, you want to say you were taken out of context, but \nboth September 3rd and September 27th, what we find is that \nthere was no end-to-end testing, and any point of vulnerability \nis a point that could access people's private information.\n    Isn't that true, Mr. Powner? So the absence of end-to-end \ntesting means that anything that can reach into the database, \nin fact, could be a significant security risk to people's \npersonal information, and has nothing to do with whether or not \na module is about shopping, isn't that true?\n    Mr. Powner. That is correct.\n    Chairman Issa. Okay.\n    Yield back and at this point I recognize the gentleman from \nTennessee, Mr. Cooper, next.\n    Mr. Cooper. Thank you, Mr. Chairman. I am worried that the \nnet effect of this hearing might be to exaggerate the security \ndifficulties of the website. I serve on the Armed Services \nCommittee, and our own Pentagon is attacked many thousands of \ntimes a day, sometimes by foreign powers. So the entire \nInternet could and probably should be more secure. So we have \nto acknowledge some system problems for the whole Internet, and \nthen there are other issues we can deal with.\n    Another concern I have is the witnesses are being badgered, \nand I would like to offer witnesses, perhaps Mr. Baitman, \nperhaps Mr. Park, Mr. Chao, and others an opportunity to \nrespond, because I believe in fairness, and the American people \ndo not want to see a kangaroo court here. And the way this \nhearing has been conducted does not encourage good private \nsector people to want to join the Federal Government.\n    I personally had the privilege of hearing Mr. Park speak in \nNashville, Tennessee a couple years ago. He spoke before a \nhard-core private sector, pro-capitalist, business audience, \nand they told me they had never heard a speaker who understood \nbusiness better, who got it; and it was a real tribute to me \nthat someone of your caliber was willing to work for the \nFederal Government, because that instilled faith in the \nprocess, because we are the best Nation on Earth. We have to \nact like it. We do face problems sometimes, but the American \nspirit is the can-do, we can fix it attitude, not the blame \ngame, not the bickering game.\n    So if there are witnesses who would like a chance to say a \nfew words in public, because you have been treated unfairly, in \nmy opinion, and I would like to have this be an equal playing \nfield.\n    Chairman Issa. Would the gentleman yield? Have I cut off \nanyone's answer here today?\n    Mr. Cooper. Will I be able to keep my time?\n    Chairman Issa. Of course.\n    Mr. Cooper. You cut off the ranking member of this \ncommittee at the beginning of this hearing.\n    Chairman Issa. I cut him off a minute into question and \nanswer, after he had exceeded his five minutes. But no witness \nhere today has been cut off.\n    Mr. Cooper. But, Mr. Chairman----\n    Chairman Issa. Every witness has been allowed to complete \ntheir entire answer.\n    Mr. Cooper. Mr. Chairman, but using----\n    Chairman Issa. I just want to understand. Kangaroo courts \nis quite an accusation, and I hope the gentleman from \nTennessee, when he uses the term kangaroo court in the future, \nwill think better of making an accusation. No witness has been \ncut off. Every witness has been allowed to complete their \nentire answer in every case. We went about six minutes before I \nasked Mr. Baitman to simply conclude. That is the closest thing \nto anything. So this is not a partisan hearing. I will not have \nit accused of being a partisan hearing. We have a website that \nthe American people have seen doesn't work. We are trying to \nget to an understanding of why it didn't work so that it \ndoesn't happen again. And these happen to be experts, and for \nthe most part we are relying on them to be the people fixing \nit.\n    The gentleman is recognized.\n    Mr. Cooper. Thank you, Mr. Chairman. This is a hearing on a \nbroken website by a broken committee, and the air is thick with \ninnuendo. When the chairman discusses rehabilitating witnesses, \nthat implies they need rehabilitating, when in some cases the \nwitnesses have perhaps already been abused, sometimes by leaks, \nwhether deliberate or not. So let's focus on fixing the \nproblems. And I think Mr. Baitman was about to speak.\n    Mr. Baitman. Thank you, Mr. Cooper. There is one thing I \nwould like to clarify in response to my comments to Mr. \nChaffetz. We found vulnerabilities with the system, and there \nwill always be vulnerabilities. Every system that is out there, \nsystems that are live, systems that we trust right now, banks, \nonline shopping sites, all have issues because they are \ncontinually making changes to their code. That introduces \nvulnerabilities. And it is up to us on a continual basis, as \nMr. VanRoekel pointed out, all software goes through continuous \nimprovement. So what we are doing right now is continually \nimproving our software and on an ongoing basis identifying \nvulnerabilities that exist.\n    Mr. Cooper. Any other witness? Mr. Chao?\n    Mr. Chao. What I would like to say is that if I come across \nas being defensive, I apologize, but I am being defensive not \nin terms of me; I am being defensive in terms of the truth. And \nI believe that that is what this committee is trying to get to. \nIn fact, I think that is what you said in the beginning. So \nwhen I detect that there is distortions or misuse or unrevealed \nthings about that I spent nine hours with your staff basically \nbeing deposed, I am going to be defensive because that is not \nthe truth. That is all I want to make clear about my \ndefensiveness.\n    Mr. Cooper. Any other witness like to make a point?\n    This committee has many talents and it has broad \ninvestigative jurisdiction. To my knowledge, and I could be \nwrong because my colleagues have many talents, to my knowledge, \nnone of us could do a website on our own. We are not software \nengineers. You could?\n    Chairman Issa. I think, unfortunately, you have several \nhear, including one who made a living doing it.\n    Mr. Cooper. Well, none of us would want to certainly be \nengaged in this task. Are you volunteering to work for----\n    Chairman Issa. None of us want to own this particular \nwebsite.\n    Mr. Cooper. Well, yeah. But it is easy to criticize. It is \nhard to perform. And as the gentleman, Mr. VanRoekel, pointed \nout, even Microsoft, with Windows XP, is still revising it 12 \nyears later. Software is an iterative process. The Internet is \nnot perfect, but it is still one of the great technological \naccomplishments of mankind. It is transforming the planet, and \nin a good way overall, but there are glitches and we work on \nthose.\n    So when we swear witnesses, as we do, when we put them in a \nvery uncomfortable position, deliberately, in some cases when \nwe subpoena then unilaterally, that creates tension, and it is \nactually going to slow the fix of the website. So I worry about \nthat.\n    And the chairman and Mr. Connolly have already collaborated \non what sounds like an excellent bill to fix overall Federal \nIT. I was very impressed when Mr. VanRoekel pointed out that is \nan $82 billion issue. What we are talking about here today, at \nleast from the August cost estimate, is 0.6 percent of that. \nWhy don't we focus on the larger issue and fix it? Because, as \nI said earlier, it is much better to light a candle than to \ncurse the darkness.\n    Chairman Issa. If the gentleman would yield, maybe we can \nclose on a positive note. Both Mr. Powner, who has constantly \ntalked about stress-testing end-to-end, and Mr. VanRoekel, who \nknows very well that Microsoft never put a new operating system \nthat wasn't stress-tested end-to-end; it still had bugs, it \nstill had vulnerabilities. And by, the way, whenever you add a \nnew driver, a new something else, you create a potential new \none that has to be tested. But stress-testing end-to-end was \nsomething that this committee wanted to know at the onset, why \nit hadn't been done, because it is a best practices, which GAO \nhas very kindly made clear. I believe it is already in the \nrecord, but if it is not, the nine points that GAO had made in \ntheir report of best practices that were not followed.\n    So Mr. Connolly and I, Mr. Cooper, we are trying to get to \nwhere best practices will always be used. And in this case, not \nbecause of these individuals, per se, they are here as experts, \nbut this development over three and a half years shortcutted \nsome best practices, and it is not the first time and it won't \nbe the last time, but it is one where, as I said in the opening \nstatement, it is so important, when the American people are \nfocused, for us to say you can expect better from your \nGovernment in the future; and I don't mean on Healthcare.gov, I \nmean on all of that $82 billion worth of IT.\n    And I appreciate your comments to that end.\n    Mr. Cooper. Mr. Chairman, let's see about getting your bill \nto the floor.\n    Chairman Issa. Boy, I tell you, that is something we all \nwould like to do, so I am going to talk to leadership----\n    Mr. Cooper. You are in the majority party.\n    Chairman Issa. You know what? I tell you what. I will get \nit to the floor in the House. If you will help me in the \nSenate, we will get this done.\n    Mr. Cooper. I have lots of influence in the Senate. I would \nbe happy to help.\n    Chairman Issa. Thank you.\n    [Laughter.]\n    Chairman Issa. With that, we recognize the gentleman from \nMichigan, who knows a great deal about health care websites \nfrom his State, Mr. Walberg.\n    Mr. Walberg. Thank you, Mr. Chairman, and thank you for \nholding this hearing.\n    And to the panel as well, thank you for being here. You \nhave plenty to do. We wish you didn't have to be here today, \nbut when I receive letters on top of letters and contacts in \nsix town hall meetings that I held last week, live town hall \nmeetings, like this one from Rachel Haynes in Eaton Rapids, \nMichigan, where she talks about the fact of cutting off from \nher insurance, her husband and five children, she says this: I \nhated the idea of getting on to Healthcare.gov website, as I \nbelieve insurance is a private matter. I did it anyway. The \nwebsite did not work, so I called a number. And she goes on to \ntell of talking with a person on the phone and ultimately being \nhung up on.\n    That is the reason why this hearing is important. Frankly, \nMr. Chairman, I believe that this whole act that was put into \nlaw under the cover of darkness with the simple votes from the \nother side of the aisle who now take offense at us having \nhearings like this on problems and doing proper oversight is \nthe reason to have this hearing today, because people like \nRachel Haynes and her family are concerned not only about \nsecurity, but right now that is one of the biggest concerns on \na website that doesn't work for her.\n    I want to go back to some of the concerns in the MITRE \nreport and I want to ask the first question. Mr. Chao has \nalready, in earlier statements to questions just before me, \nindicated, when asked why he didn't push back on opening this \nthing up on October 1st, he didn't ask why. So I am going to go \nto Mr. Baitman, because I think that is an important question \nthat should have been asked, why. Why do we have to open up on \nOctober 1st?\n    But the question I would ask here, Mr. Baitman, MITRE was \nresponsible for conducting the security control assessment for \nthe Federal exchange, is that correct?\n    Mr. Baitman. That is my understanding.\n    Mr. Walberg. According to MITRE, the final security \nassessment for the Federal exchange occurred from late August \nthrough mid-September. Is that your understanding?\n    Mr. Baitman. It is.\n    Mr. Walberg. Mr. Baitman, to the best of your knowledge, \ndid MITRE conduct a complete integrated security test of the \nFederal Marketplace?\n    Mr. Baitman. I can't answer that; I don't have visibility \ninto it.\n    Mr. Walberg. Well, I would like a document put up that \ndeals with this test and the outcome, if I could have this \nparticular document. Okay. If you see there, FFM, the website, \nthe Marketplace, complete percentage, 66 percent complete. That \nis it. Sixty-six percent complete. This document was obtained \nby the committee. We have in place--let me ask this question, \nMr. Baitman. Is it a problem that MITRE wasn't fully able to \ntest one-third of the Exchange?\n    Mr. Baitman. I can't answer that. This project was run and \nmanaged by CMS. They are responsible for the security.\n    Mr. Walberg. In the security control assessment dated \nOctober 11th, 2013, and of which a preliminary copy was given \nto CMS, on September 23rd, 2013, MITRE writes that they are \nunable to adequately test the confidentiality and integrity of \nthe health insurance exchange system in full. They go on to say \nMITRE also writes the application at the time of testing was \nnot functionally complete.\n    Mr. Powner, what are the dangers of conducting a security \nassessment on an incomplete system?\n    Mr. Powner. Well, you could have vulnerabilities that go \nuntested. Also, too, on this document--see, there are a lot of \ndates that don't add up. My understanding is that MITRE \nconducted their security assessment in August and September, \nand it was later September. So there is data all over the \nplace. The bottom line to your point, though, is it wasn't done \non a complete system.\n    Mr. Walberg. MITRE has told, Mr. Powner----\n    Mr. Chao. Excuse me. I just want to point out that that is \na CGI-provided document, that is not from CMS.\n    Mr. Walberg. Yes, I understand that. MITRE has told \ncommittee staff that to their knowledge, there has not been a \ncomprehensive test of the entire system. One of the dangers \nposed by not conducting a complete, integrated security tests \nof all the system components, Mr. Powner?\n    Mr. Powner. Well, in order to ensure that your data is \nsecure and the system is safe to use, you want to test on as \ncomplete a system as possible.\n    Mr. Walberg. Then based on what you know, were Americans' \nsensitive personal information at risk when Healthcare.gov \nopened on October 1st, 2013?\n    Mr. Powner. I don't know what happened from mid-September \non. That is the only caveat I would like to say, because there \nwas testing done through mid-September, and I am blind to what \nhappened during that period of time.\n    Chairman Issa. The gentleman's time is expired, if you \ncould wrap up very quickly.\n    Mr. Walberg. Last question. Can you ensure the American \npeople that the website will work on November 30th?\n    Chairman Issa. The gentleman may answer.\n    Mr. Walberg. Asking Mr. Powner.\n    Mr. Powner. That is not my responsibility.\n    [Simultaneous conversations.]\n    Chairman Issa. The gentleman's time is expired. If anyone \nelse wants to answer November 30th, they may. Mr. Park, will it \nwork on November 30th? Properly, fully?\n    Mr. Park. The team set a goal of having Healthcare.gov \nfunction smoothly for the vast majority of Americans. The team \nis working incredibly hard to meet that goal.\n    Chairman Issa. I thank the gentleman.\n    Mr. Walberg. With secure information?\n    Mr. Park. With secure information.\n    Chairman Issa. Thank you. The gentleman from Nevada.\n    Mr. Horsford. Thank you, Mr. Chairman, and to the ranking \nmember and to the other committee members, to our witnesses. \nThis is an important hearing. Our constituents are rightfully \nconcerned about their right to be able to access affordable \nhealth care on the website, Healthcare.gov. And while the \nrollout has been problematic, what has been more troubling is \nthe fact that this has been turned into more of a game than it \nhas been about how we can work together to fix the problems of \nthe site.\n    My concern is one of security of personal information. I \nalso sit on the Homeland Security Committee, we are having a \nhearing also this morning on this subject. So I want to ask \nabout the potential security risks to consumers. Mr. Chao, do \nyou agree that protecting personal identifiable information on \nHealthcare.gov is important and is something that can be \nachieved?\n    Mr. Chao. I think that is something that we as CMS and as a \nFederal agency comply with, FISMA and OMB and NIST \nspecifications for securing people's data, and then following \nHIPAA's requirements for confidentiality, integrity and \navailability of data.\n    Mr. Horsford. Can you explain how CMS protects consumer \ninformation, how that is safeguarded by CMS?\n    Mr. Chao. I think one of the things that is very obvious \nwhen you come to Healthcare.gov, and if you go to, in my \nopening remarks I mentioned there are two sides to it, or two \nlegs. If you go to the Get Insured side, one of the first \nthings that you have to do is to register to establish an \naccount. And we mentioned that registrations are up to about \n17,000 per hour right now. That registration process allows you \nto establish what we call a level one assurance of assurance \naccount, which is based upon the National Institute of \nStandards and Technology. That is very similar to something \nlike what you would establish in terms of opening up a Gmail or \nYahoo account, just very basic information.\n    Mr. Horsford. Okay. Let's move on to the next question. We \nare very limited on our time.\n    Mr. Chao. So basically the answer is, it is about \nauthenticating you, it is about, are you who you say you are \nbefore we let you into the system. And that is one major step \nin ensuring that people's privacy is protected, so that they \nonly see their own data.\n    Mr. Horsford. And is Healthcare.gov any more or less risky \nto consumers than other sites, including private company \ninformation in the banking world or using credit cards to \npurchase information over the internet?\n    Mr. Chao. I can't speak for what privacy frameworks and \nprograms apply to private sectors. But for the Federal \ngovernment, we follow the FISMA guidelines and the requirements \nset forth by certain OMB directives. And we use independent \nsecurity testing contractors to ensure that we comply.\n    Mr. Horsford. Mr. Park, you have spent some time with this \nwebsite. Have you been able to understand the security features \nthat are inherent in it?\n    Mr. Park. That hasn't been my particular focus on the team, \nno. There is a CMS security team dedicated to security matters.\n    Mr. Horsford. Based on your review of that, do you believe \nthe site poses any unreasonable risks to consumers?\n    Mr. Park. I haven't actually, again, dived into that \npersonally. But my understanding is that CMS is applying its \ninformation security best practices to the protection of the \nsite. CMS has a great track record in protecting the privacy of \nAmericans.\n    Mr. Horsford. Mr. VanRoekel, I understand you worked on the \ndata Hub. Can you explain why you believe consumers should have \nconfidence that their information is secure as it passes \nthrough the Hub?\n    Mr. VanRoekel. I didn't actually code the Hub itself, so I \ndidn't do the day-to-day. But one thing that should be pointed \nout is that cyber security is part of everything we do. You \nalmost can't buy a keyboard in government now without having \ncyber security considerations on that. And we have built a \nculture of assessment and mitigation that is all about \nassessing the level of risk, it is low to high. And then you \nput into place technology to mitigate that risk, to make sure \nthat we are protected.\n    The standards that we abide by are the NIST standards which \nare actually co-developed with the private sector. So the \nbanking industry, financial industry, insurance industries \noutside of government actually use the same standards as \ngovernment does, and we hold government to those standards, and \noften in many cases lead those industries in the ability to do \nthese things.\n    The other aspect of this is, this is ongoing. You hear, I \nam sure, in the Homeland Security Committee, a lot around the \nfact that we have cyber security in what we do there, you have \nto do ongoing tests. You have to rapidly respond and \nassessments are never done. You have to just stay vigilant in \nthose cases.\n    Mr. Horsford. Thank you. Mr. Chairman, I would just say \nthat this is not about playing offense or defense. It is about \nus getting this job done on behalf of the American people and \nworking together. I am rather insulted by this House Republican \nplaybook----\n    Mr. Meadows. [Presiding.] The gentleman's time is expired.\n    Mr. Horsford.--where it talks about ObamaCare----\n    Mr. Meadows. The gentleman from Oklahoma is recognized.\n    Mr. Horsford.--the loss of insurance and what this means. \nThis is not----\n    Mr. Meadows. The gentleman will suspend. The gentleman from \nOklahoma is recognized.\n    Mr. Lankford. Thank you, Mr. Chairman. Gentlemen, thank \nyou. This is not a day that is probably a fun day for you, you \nprobably didn't get up and go gosh, I can't wait for this day. \nI get that, and I want to say thank you, because all of you are \nprofessionals that have given to public service. You all could \nmake a lot more money in the private sector and you have chosen \nto serve people. We all have differences on opinion on \ndirection and that kind of stuff, but I want to say thank you \nto you as well for what you are doing, because you have made a \nconscious choice in that.\n    Let me walk through a couple of things just to be able to \nget to some of the reality on it. About an hour and a half ago \nI went on my iPad, went to Healthcare.gov and hit this button \nthat says create account. It doesn't go anywhere. It just \nchanges colors and does nothing. So I reloaded on this and for \nabout an hour and a half I have just occasionally hit that \nbutton.\n    This is the frustration, the struggle of a lot of folks out \nthere. Then you all have the frustration, we get that. We have \nquestions, though, as we walk through this process of now what \nhappens.\n    Mr. Park, you were asked a question earlier about the \nNovember 30th time line. I assume Mr. Zients has laid that out \nthere at the end of November, when everything would be ready \nand available. You said it is our goal. Can you give me more \nspecifics? Are we going to hit November 30th?\n    Mr. Park. Thank you for the question, and thank you for \nyour kind words at the beginning as well.\n    The goal that has been laid out is not for the site to be \nperfect by the end of November.\n    Mr. Lankford. Functional, so people can log on?\n    Mr. Park. So that the vast majority of Americans will be \nable to use the site smoothly. That is the goal we are gunning \nfor. We are working very hard to get here.\n    Mr. Lankford. So here is the issue. Around 5 million people \nhave received a cancellation letter. I have multiple \nconstituents that have sent me copies of their letters, all of \nthem end with, your insurance policy concludes December 31st. \nIf they cannot get on and log into the site by December 15th, \nthey will not have access to insurance January 1st and they \nwill be uninsured. People who are currently insured will not \nhave insurance as of January 1st.\n    So I understand the deadline is out there for March 31st, \nand all this kind of stuff on it. Those individuals who have \nreceived it by the millions cannot get insurance and on January \n1st will be uninsured.\n    So I get that is the goal. But the reality is racing at us. \nAnd the comment has been made on it that we are trying to fix a \nplane that is in the air. I fully understand the complexities \nof that. The challenge of it is that many of us had said, park \nthe plane for a year, let's get it right before we launch this \nthing. That is not your fault, you all are dealing with the \nrealities that are on the ground. But that is something that we \nare trying to communicate on this.\n    Mr. Chao, let me ask you something. September 27th, the \nATO, the authorization to operate, in some of the committee \nstaff that you had mentioned, that was a very long day as well, \nyou visited with committee staff on it. During that \nconversation, there was a back and forth on this ATO coming out \nthat Mr. James Kerr and yourself, that you had edited there, \nsince Marilyn Tavenner. In that memo, you wrote, ``Due to a \nsystem of readiness issues, the security control assessment was \nonly partially completed. This constitutes a risk that must be \nmitigated to support the marketplace day one operations.'' You \nwere asked by staff, what are some of those risks that are out \nthere, that are kind of the unknowns on it, that have to be \nmitigated. During that conversation, you had listed things like \nunauthorized access, not encrypting data, identity theft, \nmisrouted data, personal identifiable information, those are \nthe kinds of the great unknowns of this, at that point.\n    Then, am I tracking this correctly? Do you remember this?\n    Mr. Chao. Yes. Those are examples that I was asked to \nprovide.\n    Mr. Lankford. Sure. The problem is that you are trying to \nmitigate on things that you don't know. I understand about \nmitigating on a risk. You mitigate on things that you know, is \nthat correct?\n    So on day one, Marilyn Tavenner is signing a document \nsaying, there are risks that are out there. Some of those that \nyou had listed, we are going to have to mitigate on those. Were \nwe mitigating for every possibility on it?\n    Mr. Chao. I think what you do is, on a risk-based approach, \nyou look at the probability of a particular risk occurring and \nyou prioritize. For example, one of the mitigation steps was to \nconduct weekly security testing and to report back to the \nAdministrator on the result of that security testing.\n    Mr. Lankford. During that testing process, did you find \nthat some data was misrouted? Once it was launched? Are \ninsurance companies getting information that is incorrect?\n    Mr. Chao. There are cases in which insurance companies were \ngetting data that were not incorrectly routed to them, but \nincorrectly formatted within the transaction.\n    Mr. Lankford. Do you know who briefed Marilyn Tavenner on \nthe security risks? Because obviously she had to sign off on \nthis document. Do you know who sat down with her and briefed \nher on the security risks, here are all the things we are \ntrying to walk through?\n    Mr. Chao. It was our chief information officer and chief \ninformation security officer.\n    Mr. Lankford. Two other quick questions. Is there a way to \nbe able to track what personal information any employees can \nsee while they are working on this? Obviously you had a lot of \ncontractors involved in this, now we have added even more \ncontractors trying to learn all those contractors, who they \neven are. Is there a way to be able to track? Because now there \nis personally identifiable information in the system as well. \nIs there something in place that tracks what people who are \nworking on the back end of the site can see as far as \npersonally identifiable information?\n    Mr. Chao. Yes. There are system logs. For example, if you \ncall the call center and the call center representative is----\n    Mr. Lankford. I am talking about people working on the back \nend.\n    Mr. Meadows. The gentleman's time is expired. You can \nfinish the question.\n    Mr. Chao. In certain cases, yes. Like if you are in a \ntesting environment. Very few people touch a production \nenvironment. So they wouldn't even have access to that live \ndata. Sometimes when we use testing data, you want to see the \nresults, so you do have developers having access to that \ninformation. But it is not live people's data.\n    Mr. Meadows. I thank the gentleman from Oklahoma.\n    For the record, Mr. Chao, I wanted to point out, those \nitems that you identified as particular inherent risks were \nidentified by you prior to the September 3rd memo that was \nintroduced. I know the gentleman from Virginia had indicated \nthat it was after that memo. But for the record, you indicated \nthose prior to that memo being introduced by committee.\n    Mr. Chao. I don't quite understand what you are trying to \nsay there. Because the question was asked, what examples, and \nit was in the context of the September 27th memo. You are \nsaying September 3rd.\n    Mr. Meadows. You mentioned these risks because of the \nfailure to do integrated security testing.\n    Mr. Chao. I don't believe I said failure.\n    [Simultaneous conversations.]\n    Mr. Chao. This is the problem, I don't have the transcript \nin front of me, I cannot confirm with you. I was not given an \nopportunity to make corrections, if there were corrections to \nbe made. So you can tell me what you want, but all I can say is \nto the best of my knowledge, I don't recall saying that. I need \nto see my transcript.\n    Mr. Meadows. The gentleman from Vermont, the distinguished \ngentleman from Vermont is recognized.\n    Mr. Welch. Thank you, Mr. Chairman.\n    First, I want to join Mr. Lankford in thanking each of you, \nMr. Powner, Mr. Chao, Mr. Baitman, Mr. Park, Mr. VanRoekel, for \nthe incredible effort that you are putting into trying to fix a \nvery serious problem. Thank you.\n    Second, you don't have to be an opponent or a supporter of \nthe health care law to acknowledge that there are significant \nrollout problems associated with the website. Those of us who \nare supporters, and I am a very strong supporter of the health \ncare law, are absolutely committed to providing the support you \nneed to make this thing work.\n    There are really four issues that we have that are rolling \naround. One is, the website, what we have to do to fix it, and \nit has to be fixed. Two is, what is the impact of these \ncancellation notices that a lot of Americans are receiving. \nThey thought they had health are, they were assured that they \ncould keep the policy that they had. And the problem gets \ncompounded if the website is not working. And then third is the \nindividual mandate that is the subtext of the debate, but that \nis essential to the law, but in order to make that work, the \nwebsite has to work. And the fourth is the IT purchasing, are \nthere some lessons that we can learn. I tend to think that it \nis really important to move ahead on the Issa-Connolly \nlegislation.\n    So that is the context that we are in. You are here to help \nus fix the problem. We have to get that done.\n    So I want to start by just asking you, Mr. Park, if you \ncould make some comments about, you would be repeating a little \nbit, but what are the specific things we can do to get this \nfixed? And I understand all of us would like to have a hard and \nfirm date where everything is going to be perfect. But what we \nare dealing with is the real world, and we want it to be \nfunctional for the vast majority of Americans. So what are the \nABCs that you need to do and hopefully not require you to sleep \non the floor in the office at night?\n    Mr. Park. Thank you so much for the question . The team is \ntaking all the right steps under the leadership of Jeffrey \nZients and Ms. Tavenner. So first of all, the team has \nimplemented monitoring cross the site, improved monitoring to \nactually understand performance of the system, and where are \nthe issues and where to focus.\n    Secondly, with the help of that data, the team has \nundertaken an aggressive program of improvements to actually \nimprove the stability and performance of the site through \ntuning, system configurations, capacity expansion, et cetera, \nwhich has resulted in, among other things, the site being more \nstable, system response times going down, as I mentioned, from \n8 seconds to less than a second.\n    Thirdly, the team is working on functionality bugs. So high \npriority issues with respect to the user interface and user \nexperience. And that is actually being pursued very \naggressively of course as well.\n    Then finally, there is a bunch of work underway to keep \nimproving the software release process. So you can actually fix \nthese issues faster and faster at a growing clip.\n    Then you have QSSI having been brought in by Administrator \nTavenner as the general contractor to manage this effort. And \nso it is all moving at increasing speed.\n    Mr. Welch. How are we going to address the problem that Mr. \nLankford had getting on the website, where he hit the enter \nbutton and it didn't work for an hour and a half?\n    Mr. Park. There has been a lot of progress on that front, \nand many more folks can get in now than previously, through \nboth the ability for that particular component of the system to \nhandle more volume through capacity expansion and software \noptimization. And also through bug fixes that have been \napplied. But actually, if Congressman Lankford would be so \nkind, I would love to follow up with you afterwards just to \nunderstand your specific situation. And then we can actually \nuse that to inform the troubleshooting and the fixing.\n    Mr. Welch. I would really like it if you did, because that \nis a fair question.\n    Mr. Lankford. If the gentleman would yield for just one \nsecond.\n    Mr. Welch. Yes.\n    Mr. Lankford. It is pretty straightforward. I just got to \nthat page and hit the button, it changed colors and did \nnothing. So it is nothing more than that, as far as moving in \nto just to log in to create an account.\n    Mr. Welch. Mr. Powner, do you have some concrete \nsuggestions about what we can do as a Congress to make it more \nefficient and more effective when we are making significant IT \npurchases on behalf of the American taxpayer?\n    Mr. Powner. I have a couple very specific suggestions, and \nI am going to go back to my oral statement. We are down in the \nweeds on what needs to be done to fix it, and the program \nmanagement needs to be in place. But the IT dashboard, there \nare 700 major IT investments. This is one of them. It was \ngreen. Given the late start, the compressed schedule and the \ncomplexity, does anyone think it was really a green project? I \ndon't think so. It should not have been green. There should \nhave been flags on the dashboard and better transparency.\n    The other thing is proactive governance. We look at the IT \nreform plan, things in the FITAR bill legislation. Proactive \ngovernance is very important. It is great and I am pleased that \nSteve and Todd and everyone is involved now. But we need that \ngovernance up front on important projects, not when things go \nin the tank. We need it up front. It is the same thing with \nwhen projects go in the tank, we get engaged with the \ncontractor more. Why don't we engage with the contractor, \nengage with the right executives, up front instead of when we \nhave problems? I know there are a lot of projects and a lot of \npriorities. But we need to find a way to tackle that better.\n    Mr. Welch. Thank you. I yield back.\n    Mr. Meadows. I thank the gentleman from Vermont. The \ngentleman from Pennsylvania, Mr. Meehan, is recognized.\n    Mr. Meehan. I thank the chairman, and I to want to join in \nthis sentiment, that I appreciate that you are legitimately \ntrying to work on this. We all are. And I happen to chair the \nCyber Subcommittee on Homeland in addition, and have great \nconcerns and frustrations. I think I reflect many of the people \nout there that with the concept of frustration, because in many \nways, when I talk to my folks at home, this isn't about a \nwebsite, it is about trust. It is about this inherent trust \nthat they have in the relationship with their doctor is now \nbeing impacted. And the very trust they have in the ability for \nthis system not only to operate but to operate securely.\n    Now, I know this is sort of outside, I was stunned when I \nheard the question the other day that the Secretary said yes, \nwe can have felons that are operating as navigators. What is \ngoing to be done from this point forward to assure that no \nfelon will be used as a navigator anywhere in the United \nStates? Mr. VanRoekel?\n    Mr. VanRoekel. In the context of this system, that is sort \nof a health policy decision, it is not a tech decision.\n    Mr. Meehan. Mr. Chao, is there anything that can be done? \nWill you participate in getting something done?\n    Mr. Chao. I think CMS is actively performing background \ninvestigations.\n    Mr. Meehan. Well, that is not what the Secretary said. \nLook, please look into that for me. That is not my line of \nquestioning, but I move into this whole issue of trust. Again, \ntrust, we had Ms. Tavenner and you before our committee \ntestifying about the readiness in July and August of this, to \nready to go. I just look at the background of, this is the IG's \nreport to Congress on FISMA. One of the things that Ms. \nTavenner and you were talking about was compliance with FISMA \nand therefore, when you look at HHS, the IGs came out, the \nsecond worst score in every agency across government, HHS. A 50 \npercent compliance with FISMA. The second worst in all of \ngovernment.\n    So we are already dealing, again, with a question of trust. \nSo let me just get to the heart of our engagement. Because I \nwas so frustrated, I couldn't understand how an IG's report, \nMr. Chao, could have suggested that there were great concerns \nabout the ability to be ready in time to conduct the testing. \nAnd you assured me at that time that they were on schedule and \nyou were going to meet all the requirements for the testing, as \ndid Ms. Tavenner.\n    Now, we were told before the marketplace systems were \nallowed to operate, they had to comply with all of the rigorous \nstandards. Yet at the same time that you were testifying before \nme, I had a Washington Post story that was saying staffers were \naware by late 2012 that the work of building the Federal \nexchange was lagging. Employees warned at meetings late last \nyear and in January that so many things were behind schedule, \nthere would be no time for adequate end to end testing of how \nthe moving parts worked together.\n    So how was it done, then, that in this short time frame, \nwhere their own employees are saying it couldn't be done, the \nIG said that there were tremendous concerns about the ability \nto do the testing, somehow the day before our committee had you \nbefore us, there was a report from the Secretary that said, all \nof our marketplace systems are allowed to operate and begin \nserving consumers, and I am pleased to report that the Hub \ncompleted its independent security control assessment on August \n23rd?\n    Mr. Chao. The Hub was tested first, and it was completed in \nAugust, as you mentioned. I think the remainder of August and \ninto September, we concluded the third round of testing for the \nmarketplace systems, particularly for the functions that were \nneeded for October 1st.\n    Mr. Meehan. How could you do the testing on the system? \nBecause you have reported, but here is the document that came \nout from CGI. At the very time you were saying to me that this \nwas, this had been certified as complete, by the certifying \nagency and Tavenner was here testifying that it was done, you \nhave at the same time an internal memo from CGI saying that the \nFFM schedule was only 51 percent completed, on the same day you \nare telling me that the certification has been finished. How \ncan you complete and certify when they haven't even built more \nthan half of the system?\n    Mr. Chao. I don't know what document you are holding, but I \nam assuming that in August, 51 percent is about where we were \nat. Remember, we still have other key functions, such as \npayment, risk adjustment, reconciliation.\n    Mr. Meehan. How do you give certification when it is only \n51 percent complete?\n    Mr. Meadows. The gentleman's time is expired.\n    Mr. Chao. Because you test the components, the parts of the \nsystem that go into production and that are actually \ninteracting with the public.\n    Mr. Meadows. The gentleman's time is expired.\n    We recognize the gentleman from Massachusetts, Mr. Tierney.\n    Mr. Tierney. Thank you very much.\n    Mr. Chao, do you feel you have had adequate opportunity to \nanswer that last question? Or do you have other things you want \nto add?\n    Mr. Chao. I think I got my last word in.\n    Mr. Tierney. Thanks. So earlier this morning, at the \nbeginning of the hearing, Chairman Issa asked you about the \nanonymous shopper function. Do you recall that?\n    Mr. Chao. Yes.\n    Mr. Tierney. You said you had decided to direct CGI to \ndisable it because of defects, and Chairman Issa challenged you \nand accused the White House of ordering the action for \npolitical reasons. Do you recall that?\n    Mr. Chao. Yes.\n    Chairman Issa. Would the gentleman yield?\n    Mr. Tierney. No.\n    So during that phrase, also I think Chairman Issa handed \nyou a document, and I think it is probably still with you \nthere.\n    Mr. Chao. Yes.\n    Mr. Tierney. And the chairman gave you the document that \nsaid it showed that there were no defects in the system. It \ndoes say that the function is anonymous shopper, does say the \nCGI said it tested successfully. Then he has blown up a box, \nover a number of the other statements made on the right hand \nside of that box. It just says 9/22 this feature will be turned \noff on day one, October 1.\n    Now, I have given you a sheet there, I believe staff has \ngiven you a sheet there that is clean from those boxes, and \njust as the original document without the chairman's blowups on \nthere obstructing any of the other materials. Do you have that \ndocument?\n    Mr. Chao. I think so. Is it this one?\n    Mr. Tierney. Yes. So that is the original document. ON the \nbottom right, will you read for me the last, the statement \nthere starting with defects identified?\n    Mr. Chao. Defects identified by CMS being treated as \ncritical target fixes for 9/12.\n    Mr. Tierney. And that is, in fact, what you testified to, \nright, that you had found defects?\n    Mr. Chao. Yes.\n    Mr. Tierney. As you read up from that box, you found that \nthere were defects that you decided to disable the shopper \nfunction and focus instead on plan compare?\n    Mr. Chao. Correct.\n    Mr. Tierney. Why did you do that?\n    Mr. Chao. Because if given the opportunity to choose a more \ncritical function, plan compare is much more critical in the \npath of a consumer being able to enroll in health care as \ncompared to the ability to browse.\n    Mr. Tierney. So you thought that was the best priority and \nyou focused attention on that?\n    Mr. Chao. At that time, yes, given the CGI resources that \nwere available. And actually, there was a subsequent date, I \nthink, I would have to locate the documentation. We did do \nanother round of testing post-9/12 and it was still failing.\n    Mr. Tierney. So you disagree with CGI, they thought it \ntested successfully and you instead had this ongoing belief \nthat it tested unsuccessfully, there were defects and that is \nwhy you made the decision to switch your priorities to the \nother?\n    Mr. Chao. Correct, because the report that I would look at \nis from our ACA independent testers, not from CGI.\n    Mr. Tierney. And, in fact, that is why the shopper function \nwas disabled, correct?\n    Mr. Chao. Correct, based on the report from the independent \ntesters.\n    Mr. Tierney. So when Chairman Issa stated on national \ntelevision that the White House ordered you as CMS to disable \nthe shopper function in September for political reasons to \navoid consumer sticker shock, that is not true, is it?\n    Chairman Issa. I object. The gentleman may not \nmischaracterize my statement.\n    Mr. Tierney. The gentleman may not object in the middle of \nsomebody else's questioning. If questions go through the chair, \nwhich you don't currently occupy, and I will continue my \nquestioning of Mr. Chao.\n    Chairman Issa. Mr. Chairman, point of privilege.\n    Mr. Meadows. The gentleman is recognized.\n    Chairman Issa. The gentleman is repeatedly disparaging and \nmischaracterizing what I have said. Could the chair please \ndirect all members, if they want to allege a quote, ensure that \nit is a quote and not in fact a characterization that is \ninaccurate, as the gentleman's is?\n    Mr. Meadows. The chair would remind each and every member \nhere to direct their comments, without personality, and \ndirecting those comments to make sure that they are reflected \nas to not make a personal attack.\n    Mr. Tierney. Well, that is well said. I don't know of any \npersonal attacks, so I assume you are directing that at \nsomebody else.\n    But I will read a quote on October 27th, from Chairman Issa \non national television. Here it is: ``Contractors have already \ntold us that, in fact, people represented that the White House \nwas telling them they needed these changes, including instead \nof a simple 'let me shop for a program then decided to \nregister' they were forced to register and go through all the \nthings they have slowed down in the website before they could \nfind out about a price.''\n    The contractors the chairman referred to were CGI, but CGI \nofficials have denied ever saying such a thing. Nevertheless, \nhe went on to claim the White House, ``buried the information \nabout the high cost of ObamaCare'' in order to avoid consumer \n``sticker shock.'' And that is not why you made the decision to \ndisable that program of anonymous shopper, is it, Mr. Chao?\n    Mr. Chao. Just as I answered before, absolutely not.\n    Mr. Tierney. Thank you. I yield back. No, I yield to my \ncolleague.\n    Mr. Cummings. I just want to address this to Chairman Issa. \nWhen speaking to Mr. Connolly earlier, you referred to a letter \nsent to you on November 6th. It is not a letter I sent jointly \nwith Mr. Connolly, so he did not read that letter. That letter \nwas about MITRE security testing document provided to the \ncommittee. MITRE told us that like any website security \ndocuments, they are sensitive, and their release potentially \ncould give hackers hints on how to break into the system.\n    So I asked you to treat those documents with sensitivity, \nto consult with me before making them public. You tried to use \nmy letter to argue that the system is not secure, but that is \nnot what I said. Every security testing document for every IT \nsystem, no matter how secure the system is, is sensitive. Every \nsecurity testing document could give ill-meaning individuals \nhelp in causing mischief.\n    These documents do not mean there are problems with the \nsecurity of the system. I just wanted to clear that up. And I \nyield back.\n    Mr. Tierney. I yield back as well.\n    Mr. Meadows. Thank you. The gentleman's time is expired\n    Mr. Chao, I know that you have made a number of comments \nwith regard to your sworn testimony and what you recall or \ndon't. I would make it available to you for your reference \nthere at the desk, if you would like to have that, in case \nthere are other questions that are asked regarding that.\n    Mr. Chao. Thank you, but I probably would need some time to \ngo over it.\n    Mr. Meadows. So you need time to review what you have said \npreviously on the record?\n    Mr. Chao. It was nine hours worth of interview questions.\n    Mr. Meadows. Okay. As soon as the hearing is over, if you \nwould like to come back and review this, we will be glad to \nmake it available to you.\n    With that, I recognize the gentleman from Tennessee, Mr. \nDesJarlais.\n    Mr. DesJarlais. Thank you, Mr. Chairman. Welcome. I know \nthat the hearing is getting long and here has been a lot of \nquestioning going on. But there is no doubt that eh American \npeople want some answers about this huge investment in a \nrollout of a website that certainly didn't go as planned. It \nhas been a learning experience, it has been an educational \nexperience.\n    Mr. Park, looking back, knowing what you know how, looking \nat the rollout in October, give a letter grade to the rollout \nof ObamaCare, A through F.\n    Mr. Park. That is an interesting question. In terms of the \nrollout of the website, it has obviously been really, really \nrocky. I kind of hesitate to assign a letter grade to it. But \nit is what nobody wanted.\n    Mr. DesJarlais. I think the people appreciate honesty. You \ndon't have to fail it, but what do you think it was, A through \nF?\n    Mr. Park. I think it depends on the user. There were some \nusers able to get through, and there were other users, a lot of \nusers who couldn't.\n    Mr. DesJarlais. So you are not going to give it a grade?\n    Mr. Park. I think that kind of oversimplifies it.\n    Mr. DesJarlais. Maybe. But there are a lot of people \nwatching who want answers. And this is a complex issue. So just \nmaybe for simplification, they would like to know that a lot of \npeople who are responsible for rolling this out don't think \nthat it went very well. To listen to this hearing, it doesn't \nreally sound like a lot of you think it was that abysmal of a \nfailure. This hearing started out with the ranking member \ntalking about how this is a Republican issue, how we are out to \ndestroy health care or the health care law, how we are trying \nto repeal it, how we are trying to not have this hearing to see \nif we can make this succeed.\n    Bottom line is, a lot of money was invested in this and \npeople do want answers. So it is complex, but yet in a simple \nfashion I think people would like to hear that hey, we screwed \nup.\n    Mr. Chao, could you give it a letter grade?\n    Mr. Chao. I agree with Todd that it is highly subjective.\n    Mr. DesJarlais. Okay. Fair enough.\n    Will anybody give it a letter grade?\n    Chairman Issa. Would the gentleman yield?\n    Mr. DesJarlais. Mr. Chairman.\n    Chairman Issa. Perhaps we could have it as a pass-fail, a \nlittle less subjective.\n    Mr. DesJarlais. Yes, that would be less complicated. Would \nyou give it a pass or a fail, Mr. Park?\n    Mr. Park. Again, I don't want to reduce it to something \nthat--just to be clear, all of us are frustrated about how the \nsite rolled out. None of us think it went well. All of us think \nit was incredibly rocky and we are incredibly focused on trying \nto fix it and make it better. And it is getting better week \nafter week after week.\n    Mr. DesJarlais. Okay, so knowing what we know now, Mr. \nChao, you testified that you were given your marching orders, \nbut yet, I don't think the October 1st date was immovable. \nWould you agree with that?\n    Mr. Chao. I don't have the luxury of determining what date \nis movable or not movable. I was given October 1st as a \ndelivery date, and that is what I targeted.\n    Mr. DesJarlais. Knowing what you know now, would you have \npushed harder to have the date moved back?\n    Mr. Chao. That is pure speculation.\n    Mr. DesJarlais. How can it be speculation? You know what \nyou know now.\n    Mr. Chao. Because I wasn't in a position to choose a date.\n    Mr. DesJarlais. I am asking today, sitting here today, \ntestifying in front of this committee, knowing what you know \nnow, would you have pushed harder to move the date back?\n    Mr. Chao. I go by what I said.\n    Mr. DesJarlais. So you would let history repeat itself.\n    Mr. Chao. That is not what I said.\n    Mr. DesJarlais. Mr. Park, would you have----\n    Mr. Chao. That is not what I said.\n    Mr. DesJarlais. Okay, Mr. Park, would you, knowing what you \nknow now, ask to have this delayed or pushed back?\n    Mr. Park. I don't actually have a really detailed knowledge \nbase of what actually happened pre-October 1. I don't know what \nlevers were available. So I would hesitate to make any point \nnow.\n    Mr. DesJarlais. So once again, we spent over a half a \nbillion dollars of taxpayer money and no one who is responsible \nfor the rollout is willing to say that we should have done \nthings differently. The President doesn't know it, but first of \nall, we were trying to save the American people from a bad law \nby all that we just went through over the past few months. And \nreally, we were trying to save the President from himself. He \nneeded to sit down and talk with us about delaying this, and \nnobody sitting on this panel, after seeing what a failure this \nhas been over the past month, is willing to step up and say, \nyes, we should have delayed this. Is that what I am hearing? I \ndidn't give everyone a chance. Does anyone want to speak to \nthat?\n    Chairman Issa. Perhaps the GAO could comment on whether or \nnot this was a site that in retrospect should have been \nlaunched on October 1st and serviced that full six people while \nmillions of people were unable to get through.\n    Mr. Powner. Clearly, knowing what we know now, a delay in \nrollout would have made sense. But the thing is, we are not \nprivy to who knew what when in terms of the test results and \nall that kind of stuff. That is where we don't have insight \ninto that.\n    Mr. DesJarlais. Okay, well, a lot of these regulations, Mr. \nChao, were delayed until after the election. Do you have any \nreason why a lot of the regulations that probably caused a lot \nof these problems were delayed until after the election?\n    Chairman Issa. [Presiding] The gentleman's time is expired. \nThe gentleman may answer.\n    Mr. Chao. I don't have the scope, it is not within my scope \nto cover when regulations get released or not.\n    Chairman Issa. Does anyone know? Mr. Park, you were chief \ntechnology. Mr. VanRoekel, your organization owned the question \nof whether or not in a timely fashion these regulations were \ncreated.\n    Mr. VanRoekel. No, that is actually a mischaracterization \nof my organization's role. We and my team are tech policy \npeople, not health policy people related to regulations.\n    Chairman Issa. But whether the trains run on time, where \nthere are things implementing laws, isn't that what OMB does?\n    Mr. VanRoekel. My role in OMB is to set government-wide \npolicy to look at government-wide communication of budget.\n    Chairman Issa. So we should get the OMB director in here \nand find out why after three and a half years things weren't \ndone so that this could be launched for the American people in \na timely fashion. I guess we could get a couple of OMB \ndirectors.\n    The gentleman's time is expired. The gentleman from \nMissouri is recognized for five minutes.\n    Mr. Clay. Thank you, Mr. Chairman, and thank you for \nattempting to get answers to your questions on Healthcare.gov. \nMy questions today will focus on the Federal contract between \nCMS to CGI Federal, to set up Healthcare.gov. If any other \nwitnesses, including Mr. Powner, care to comment on my \nquestion, please feel free to jump in.\n    Mr. Chao, in your testimony today you stated that CMS \ncontracted with CGI Federal to build a federally-facilitated \nmarketplace system, including the eligibility and enrollment \nsystem. According to the Washington Post, this contract is \nworth $93.7 million.\n    How much money from this contract has already been awarded \nto CGI?\n    Mr. Chao. I don't have the exact figures.\n    Mr. Clay. What incentives and disincentives were in the \ncontract for CGI Federal to successfully fulfill their contract \nto roll out Healthcare.gov?\n    Mr. Chao. I think as with, starting at the highest level of \nthe Federal Acquisition Regulation has very specific guidance \nabout contracting and the contracting framework in which you \nwill then award IT contracts, with specifications for something \nlike the marketplace.\n    Mr. Clay. And they are still working on the website, CGI \nFederal?\n    Mr. Chao. Yes.\n    Mr. Clay. And they have been paid how much to this point?\n    Mr. Chao. I don't have the exact figures in front of me.\n    Mr. Clay. And are you pleased with the product you received \nfrom CGI Federal?\n    Mr. Chao. I think as Todd mentioned, we are all----\n    Mr. Clay. Look, we have a responsibility as an oversight \ncommittee, and that is to protect taxpayer dollars. And so I am \nasking specific questions about the taxpayers' dollars. Perhaps \nMr. Powner can shed some light on that. Have we paid CGI \nFederal yet?\n    Mr. Powner. I don't know specifically what went to CGI. We \ndo know that the government has paid IT funding over $600 \nmillion. That is what we do know.\n    Mr. Clay. Okay, tell me about the structure of the \ncontract, then. If they perform, then they should get paid, \ncorrect?\n    Mr. Chao. I think how this contract is formulated is that \nthere is a performance element to it. So there is a based set \nof costs that are factored into performing the work.\n    And then during certain review periods, they could receive \na performance kind of incentive. But I would have to get back \nto you on exactly how that works, because I don't run the \ncontract.\n    Mr. Clay. Would you share with this committee how they are \ngoing to be paid for the work performed already? Are they still \nworking on Healthcare.gov? Since they messed it up in the first \nplace, are they still on it?\n    Mr. Chao. They are the contractor that does the \ndevelopment, as well as ongoing operations and maintenance. So \nyes, they are still working on it.\n    Mr. Clay. Mr. Powner, can you shed some light on this?\n    Mr. Powner. Yes. I would just like to say that we sit here \nand talk about contractor fault, government fault, government \nis at fault here too on the requirements point of view. It is \nclear that from a requirement perspective there is fault on the \ngovernment side. Congressman Clay, we went through this with \nthe Census Bureau, with the handhelds, same situation.\n    Mr. Clay. Same situation.\n    Mr. Powner. Same situation.\n    Mr. Clay. But we corrected it.\n    Mr. Powner. Ill-defined requirements, we overspent, we came \nin, fixed it. But it is the same situation, ill-defined \nrequirements, questions, there are all kinds of questions \nacross the board.\n    Mr. Clay. Okay. I have been told that this was simply lazy \nFederal contracting. What are the failures of CMS in policing \nthe CGI contract to ensure that the rollout of Healthcare.gov \nwould be a success? What are the failures? Can anybody tell me? \nI'm going to go back to CMS.\n    Mr. Powner. Executive oversight. I think there is a \nfundamental question. There are to be investment boards in \nplace with these agencies and departments. The questions are, \nwhat meetings occurred, who attended, what risks were \ndiscussed, what follow-up occurred, how timely were those \nmeetings. That is really what we need to look at.\n    Mr. Clay. Well, and from a taxpayer perspective, these are \nmillions of dollars going to a failed product. I don't think \nthey are happy. And with that, Mr. Chairman, I yield back.\n    Mr. Cummings. Would the gentleman yield?\n    Mr. Clay. I don't have time.\n    Chairman Issa. I would ask unanimous consent the ranking \nmember have 30 seconds. The gentleman is recognized.\n    Mr. Cummings. Mr. Park, we have had a lot of bad news in \nthis hearing. Can you just again tell us where we are and the \nprogress we are making, you are making?\n    Mr. Park. It is the progress the team is making, I am just \na small part of the team. But the team is working really hard \nto make progress week after week, just some numbers, which are \nalways helpful, right? As I mentioned previously, the average \nsystem response time, which is the time it takes a page to \nrender a request to be fulfilled of a user was eight seconds on \naverage a few weeks ago, it is now under a second. Another \nmeasure is the system error rate, which is the rate at which \nyou experience errors in the marketplace application. That was \nover 6 percent a few weeks ago, now it is actually at 1 percent \nand actually getting lower than that.\n    So really good progress, still much, much more to do. A lot \nof work to do. But there is a system and a pattern of attack in \nplace, as I mentioned earlier, around monitoring, production \nstability work, functional bug fixing and improvement of these \nprocesses.\n    Mr. Clay. Would the ranking member yield?\n    Chairman Issa. The Chairman would yield to the gentleman \nfrom Missouri.\n    Mr. Clay. Thank you, Mr. Chairman. Mr. Park, what \ncontractors are working on fixing the site? Isn't CGI one of \nthem, CGI Federal?\n    Mr. Park. CGI is one. And CMS of course is the manager of \nall the contracts, they could give you the most comprehensive \nanswer. But CGI is one, yes.\n    Mr. Clay. Thanks.\n    Chairman Issa. I thank all of you, and Mr. Park, in case it \nisn't said again in this hearing, we believe that what you are \ndoing today is important. I think what GAO has said is, there \nwasn't a single point of contact, an expert in charge in a \ntimely fashion that would be accountable and coordinate that \nwould, if you will, sleep on their floor if that is what it \ntook, before October 1st. So that is the big reason we are here \ntoday, but I think that is where GAO is making the point to all \nof us that the next time there is one of these, we need to have \nsomebody, perhaps not of your stature, but as close as we can \ncome, there in the months and years preceding it.\n    We now go to the gentleman from South Carolina, Mr. Gowdy.\n    Mr. Gowdy. Thank you, Mr. Chairman.\n    Mr. Park, do you agree that there is a difference between \nan innocent misstatement of a perceived fact and a deliberate \nattempt to deceive?\n    Mr. Park. Yes.\n    Mr. Gowdy. So do I. When did you first realize that you \ncouldn't keep your health insurance even if you did like it, \nperiod?\n    Mr. Park. Again, that is kind of a health policy matter, \nthat is really outside my lane.\n    Mr. Gowdy. You don't know when you first realized that you \ncouldn't keep your health insurance, even if you liked it, \nperiod?\n    Mr. Park. I don't recall, no.\n    Mr. Gowdy. Would you agree with me that credibility or the \nlack thereof in one area of life can impact credibility or the \nlack thereof in another area of life?\n    Mr. Park. I suppose it could.\n    Mr. Gowdy. In your written testimony, you wrote, ``As you \nknow, October 1st was the launch date of the new website, \nHealthcare.gov.'' And I did know that. I just didn't know why. \nAnd I am going to read to you a quote from Secretary Sebelius. \nShe said, and I will paraphrase it initially, that she was \nhurried into producing a website by October 1st because the law \nrequired it. Now I will read you the direct quote. ``In an \nideal world, there would have been a lot more testing. We did \nnot have the luxury of that, with a law that said it is go-time \non October 1st.''\n    Mr. Park, I don't know what ideal world she is referring \nto. So I am going to stick with the one we are in. What law was \nshe referencing? What law required this website to launch on \nOctober 1st?\n    Mr. Park. I can't really speak for Secretary Sebelius.\n    Mr. Gowdy. I am not asking you to speak for her. I am \nasking you, what law was she referring to? Is there a law that \nrequired this website to launch on October 1st?\n    Mr. Park. Again, that is a health policy, legal matter.\n    Mr. Gowdy. It is actually a legal question. Do you know if \nthere is a law that requires this website to launch on October \n1st, or do you know whether it was just an arbitrary date that \nthe Administration settled on?\n    Mr. Park. I actually do not.\n    Mr. Gowdy. Would you find that to be important, whether or \nnot we really had to go October 1st, given the fact that we \nweren't ready to go October 1st? Would you find that relevant, \nwhether or not we actually had to launch a substandard product?\n    Mr. Park. Sir, I am, respectfully, just a technology guy.\n    Mr. Gowdy. Don't short yourself. You are the smartest one \nin the room.\n    Mr. Park. That is not true, sir.\n    Mr. Gowdy. Trust me. I have been in this room for a while. \nIt is true.\n    [Laughter.]\n    Mr. Gowdy. There is no law that requires that. So what \nSecretary Sebelius said was patently false. There is no law \nthat required a go-time on October 1st.\n    But I want to move to another component of her quote. Some \nof us don't consider testing to be a luxury. But let's assume \narguendo that she is right, that additional testing would have \nbeen a luxury that would have been nice to have. How much more \ntesting would you have done prior to launching?\n    Mr. Park. I am not even familiar with the development and \ntesting regimen that happened prior to October 1. So I can't \nreally opine about that.\n    Mr. Gowdy. Let me ask you this. Because you are the \nsmartest one in the room, and very good at what you do, where \nthe heck were you for the first 184 weeks? If you are being \nasked to fix this after October 1st, in a couple of weeks, \nwhere were you for the first 184 after the so-called Affordable \nCare Act passed? Where did they have you hidden?\n    Mr. Park. Sir, in my role at the White House as USCTO in \nthe Office of Science and Technology Policy, I am a technology \nand innovation policy advisor. So I had a broad portfolio of \nresponsibilities.\n    Mr. Gowdy. But you are obviously good enough that they \nbrought you in to fix what was broken. It has been called a \ntrain wreck. That is not fair to train wrecks. It has been \ncalled other things. They brought you in to fix it. Why didn't \nthey bring you in to start it? Why are you doing a reclamation \nproject? Why didn't you build it?\n    Mr. Park. I am part of an all-hands-on-deck effort to \nmobilize across the Administration to actually help under Jeff \nZients' leadership. And in the lead-up to October 1, that \nwasn't part of my role.\n    Mr. Gowdy. When will it be operational to your \nsatisfaction?\n    Mr. Park. We have a goal that the team is pursuing with \ntremendous intensity.\n    Mr. Gowdy. How many more weeks? Because I am going to get \nasked when I go home. I know you can appreciate that. I am \ngoing to get asked. When will it be operational? When will it \nbe as good as it can get? Because you will concede the first \n184 weeks did not go swimmingly. Is it going to be another 184 \nweeks?\n    Mr. Park. Sir, I think the honest answer is that there is a \nteam of incredibly dedicated public servants working hard on \nit.\n    Mr. Gowdy. I get all that. I am looking for a number. We \ncan interpret the poem later. I am looking for a number.\n    Mr. Park. They are working hard to have the site \nfunctioning by the end of this month smoothly for the vast \nmajority of Americans. That is the goal.\n    Chairman Issa. The gentleman's time is expired. I might \nstipulate for the record that Mr. Park was at HHS at the time \nof passage, and for that roughly first two years. So his \nexpertise does come out of the origin of ObamaCare.\n    Mr. Gowdy. My question, Mr. Chairman, was simply if he is \ngood enough to be brought in to fix it after the locomotive has \ncrashed off the mountainside, where in the hell was he for the \nfirst 184 weeks when it was being broken? Why wait until it has \ncrashed? If he is a savant, and I am convinced he is, where has \nhe been? I know the Obama girl was missing. I think they found \nher, actually, the lady from the website, I think they found \nher. But where has he been?\n    Chairman Issa. The gentleman's time is expired. We now go \nto the gentleman from Texas. Would the gentleman yield for just \n10 seconds?\n    Mr. Farenthold. Certainly.\n    Chairman Issa. I want to make a statement, and Mr. Gowdy, \nyou are right on that they should have had the A team on this \nand some of the people here today clearly were there for the \ntrain wreck. I want to note that Mr. Park's duties did not \ninclude overseeing this website, and I do appreciate the fact \nthat it appears as though in 60 days they are going to make \nright what wasn't ready on October 1st. I think that is what \nthe gentleman wants to be able to explain back home, is that we \nhave been told that November 30th, this will work reasonably \nwell. In other words, a 60-day delay or less could have allowed \nthis to be launched in a timely fashion. I thank the gentleman \nand ask that his full time be restored.\n    Mr. Farenthold. Thank you very much.\n    I do want to follow up on that, Mr. Park. There are a lot \nof hedge words in there, vast majority of Americans, mostly \nworking. Am I going to be able to go to the IRS and say, it \ndidn't work for me, I couldn't get my insurance, I am not going \nto be fined? You have to tell us when it is going to be in good \nshape. Can you give us a date? Is the end of the month \nrealistic?\n    Mr. Park. The team is working really hard to hit that goal. \nThat is what I am able to say right now, sir.\n    Mr. Farenthold. As a former web developer, that is what I \nwas telling clients when we were going to miss a deadline, we \nare working real hard to meet it. And I am a former web \ndeveloper, certainly nothing of this scope. But with $600 \nmillion I probably could have put together a team to do it, and \ndo a better job.\n    But I am not going to throw the contractor under the bus. I \nthink it is too much money, a lot of issues there. But one of \nthe biggest struggle we had when we were developing websites \nwas getting stuff from the client, whether it was their copy \nfor the text of the website or whether it was the \nspecifications. The copy we could change pretty quick, we could \njust cut and paste it out of the email into an HTML editor or \ncontent manager.\n    But when the actual specifications for how it goes change \nup to the last minute, it is very difficult to do. Mr. Chao, \nhow late were there substantial changes being ordered to the \nwebsite? Do you have a time frame how long before that October \n1st launch?\n    Mr. Chao. I don't think there were any substantial changes \nordered. It was more a standard practice of looking at how much \ntime you have left, watching your schedule very closely and the \npriorities that are set by the business.\n    Mr. Farenthold. And then figuring out which corners to cut.\n    I want to follow up on a couple of questions that some \nother folks asked that I didn't think got completely answered. \nMr. Jordan asked you, Mr. Chao, if it was thoroughly tested. \nYou said yes, it was thoroughly tested. Mr. Jordan didn't ask \nthe next follow-up question, how did it do on those tests, did \nit pass?\n    Mr. Chao. If I said thoroughly, I apologize.\n    Mr. Farenthold. Maybe he said it was tested.\n    Mr. Chao. It was tested under the prescribed, we were \ntalking about security testing. So I was saying that it was \ntested under the prescribed security controls.\n    Mr. Farenthold. And let me follow up with Mr. Park on \nsomething Mr. Lankford asked. He was concerned about either \nmembers of your team or other folks having access to sensitive \ndata. Those days you were sleeping on the floor, could you have \nwalked in to a server with a thumb drive and walked out with \npeople's personal information like Mr. Snowden? Are those \nsecurity risks there?\n    Mr. Park. No, I could not have. No.\n    Mr. Farenthold. That is a little bit reassuring.\n    Let me also ask Mr. Chao or Mr. Powner, with respect to the \nprivate sector, if there is a data breach or a compromise, your \ncredit card information or your personal information gets \nreleased, there is a Federal law requiring notice. I just got a \nnotice from a major software company that my credit card had \nbeen compromised. Will we find out if our information on \nHealthcare.gov is compromised? Is there a notice requirement? \nIs there something in place? Will we know if that information \nhas been hacked and is public?\n    Mr. Chao. Yes, there are actually several laws and rules \nthat apply, particularly with disclosing any incident or breach \nthat involves a person's information.\n    Mr. Farenthold. Okay, so there are no special exemptions in \nObamaCare. We will hopefully find out.\n    Again, I am just concerned. We are at a time right now \nwhere the trust in government has never been lower. We have the \nwhole NSA-Snowden incident, we have the IRS looking at people \nfor political purposes. You will excuse me if I am concerned \nthat we have a massive website that is a target for hackers \nthat a lot of people have information to that by definition \nreaches out and touches the IRS and Social Security computers. \nWhenever you connect computers together you open pathways to \nhackers. So I am very concerned about the security issues. I \njust want to make sure we are going to know if there are some \nproblems that they are not going to be swept under the rug for \npolitical purposes.\n    Mr. Chao. We worked closely with Frank Baitman's security \noperations at the Department level as well as extensive \ncomputer testing.\n    Mr. Farenthold. And finally, Mr. Chao, you stated earlier \nin your testimony that the anonymous shopping feature, which I \nwould love to see, I don't think it is even in place now, but \nit was disabled before the election. We can talk about \npolitical purposes or not.\n    Chairman Issa. I think the gentleman is saying before the \nOctober 1st launch.\n    Mr. Farenthold. It was deleted. Why wasn't the October 1st \ndeadline push back because it didn't work? Why wasn't the whole \nthing delayed? When you delayed the anonymous shopping part, \nthe part we all feel most safe about, going and finding out how \nmuch it will cost without revealing personal information, you \ndelayed that, why didn't you delay the whole thing when you \nknew it wasn't going to work?\n    Mr. Chao. I think anonymous shopper was a very narrow slice \nof looking at what the tradeoffs would be in putting something \ninto production as opposed to----\n    Mr. Farenthold. Again, I am sorry, I am out of time. But I \ndo want to say, with my lack of trust in the Federal Government \nnow, I am loathe to put my personal information in and would \nlove to shop anonymously, just like I did on some of the \nprivate exchanges in Texas as I look for what I am going to \nabout my personal health care. I don't think you have to give \nup your personal information to get prices for something. You \ndon't have to do it on an airline website, you don't have to do \nit on Amazon and you shouldn't have to do it on Healthcare.gov.\n    I yield back.\n    Chairman Issa. I thank the gentleman.\n    Is the gentlelady from New Mexico prepared to go?\n    Ms. Lujan Grisham. Yes, Mr. Chairman, I believe so.\n    Chairman Issa. You are recognized. Thanks for coming back.\n    Ms. Lujan Grisham. Absolutely, thank you.\n    Actually, before we start, I realize I wasn't here for this \nstatement, but I want to echo what my colleague Congressman \nLankford said about gaps in coverage. Coming from a State with \nnearly 25 percent uninsured, two things have occurred. One, \npeople who as of October 1st couldn't get on the website and \nare continuing to follow this issue very closely, their \nindividual or family plans expired or were expiring and so they \nwent off the exchange, because they can't get on, and purchased \nbrand new policies for another year. Unlike the small \nbusinesses, they are in that now for a year. And they are \npaying much higher rates than they would have could they have \ngotten on the individual exchange, because New Mexico is a \npartnership State.\n    Then second, as December 15th looms ever closer, we know \nthat that is another important deadline for many individual \nplans. We have the same issue and I am very concerned about \nthat, and I appreciate that it was brought up. So I told you \nabout what we are working through. We have been fighting for a \nlong time in New Mexico to find ways to have access to \naffordable coverage. I need, we need, my constituents need this \nwebsite to work. We need to enroll in the exchange. I know you \nhave heard all day long that we are all frustrated. They are \nfrustrated, I am frustrated. And while I wish that we had \nbetter solutions for them earlier on, my biggest concern is \nthat we are reaching a critical point in the implementation \ntime line.\n    In order to ensure that there is no gap in coverage between \nplan years, individuals and families who would like to choose a \nplan from the exchanges, as I said earlier in my remarks, have \nto be enrolled by December 15th. Your stated goal of fixing the \nwebsite by the end of November leaves very little room for \nerror. And I know it is not easy. But while you are here, I \njust want to make sure that for the record, we are emphasizing \nthat there is real urgency here.\n    Mr. Park, I think that you have a deep appreciation for how \ntransformative good technology can be. But I would like to know \nif this is a time constraint that you are aware of, and also \nmore broadly if you feel the same urgency that I do about \ngetting the site operational for as many users as possible.\n    Mr. Park. Absolutely.\n    Ms. Lujan Grisham. All right, then, I can imagine that \nleaving your office for at least an entire day would have \npretty important impacts on your work fixing the website. What \nwould you be doing if you weren't here today?\n    Mr. Park. I would be working with the team on the site.\n    Ms. Lujan Grisham. So Mr. Park, I wish that you were \nworking on Healthcare.gov, on the website, right now. And part \nof this committee's job is to ensure that you have all the \ntools and resources that you need to do your job. What else can \nwe do to assist you to get this done?\n    Mr. Park. Well, again, I am a small part of the broad team \nthat is working incredibly hard, led by Administrator Tavenner \nand Jeff Zients, and the CMS team. I would say just one member \nof the team who could be responsive to that. And there are \nrequests for assistance, that would be correct.\n    Ms. Lujan Grisham. Great. I think we are going to need more \nclarity about that. I also agree with this committee's efforts \nto talk about reforming IT procurement. I don't know if today \nis the day to try to deal with those best practices. Given that \nStates do it poorly and the Federal Government is doing it \npoorly and that we have spent millions I guess, the whole \nCountry analysis, billions of dollars on IT projects that \nhaven't done well anywhere in the public center. We have to \nfigure out a better way to do that. I hope that this committee \nwill continue to lead that effort in a bipartisan way.\n    But I want to go back to the situation that we are in. I \nwant to be results-oriented. I want to solve these problems. I \nfeel like we shouldn't' be pulling a surgeon from the operating \nroom today. So thank you, Mr. Park. I yield back.\n    Mr. Park. May I just make one more statement?\n    Mr. Cummings. I just wanted you to yield.\n    Mr. Park. So do you yield?\n    Ms. Lujan Grisham. I do.\n    Mr. Park. I just wanted to actually not lose the second to \nlast thread that you started, which was IT procurement. I think \nthat is a phenomenally important issue. This committee has done \nterrific work on it, I think you can actually do more. So I \nwould love to see a high energy bipartisan effort attacking \nthis issue from multiple dimensions. I know less about it than \nmany people on this committee. What I do know is that there is \nnot a single silver bullet. There are decades of practices and \nrules and laws that have actually led to where we are now. But \nI think with a concerted effort, high energy effort, bipartisan \neffort that we could actually take this out and deliver better, \nfaster, higher return results to the American people.\n    Chairman Issa. I ask unanimous consent the gentlelady have \nan additional 30 seconds. Without objection, so ordered. And \nwould you yield to the ranking member?\n    Ms. Lujan Grisham. Yes.\n    Mr. Cummings. Thank you.\n    Chairman Issa. The gentleman is recognized.\n    Mr. Cummings. I want to just get to the bottom line here. \nWhat will happen is that people are sitting there, and I agree \nwith the gentlelady, looking at results, when we go back to \nwhat happened with Lankford and he was trying to get on the \npage, Mr. Park, and he couldn't get there, could you talk about \nthat for a minute? Because that is real.\n    And there are probably people watching us right now who are \ntrying to get on the page. Can you tell us what you are doing \nand how that affects things like that? Because they have \nreporters now that sit on telecasts, and they say, I waited an \nhour, I waited two hours. So tell us how that relates to what \nyou are doing, so our constituents can have some kind of \nassurances that things are going to get better. Do you follow \nme?\n    Mr. Park. Absolutely, sir. Thank you for the question.\n    I will just answer it quickly, because I know we have \nlimited time. One, there have been dramatic improvements in the \nability to, as a consumer, create an account and get on the \nsite. And all the metrics that we are seeing, that has been a \nfunction of basically improving the ability of that pat so it \ncan handle volume through capacity expansion, software work and \nalso fixing bugs. So many, many more people are actually able \nto get through now than at the beginning.\n    That being said, it is not perfect yet, so I actually would \nreally love to follow up with the Congressman to understand his \nparticular use case and dial that back to work with the team.\n    Also, there are folks who early on got caught in the middle \nof that cycle and are stuck there. Those are folks that CMS is \nnow reaching out to, as we talked about earlier in the hearing, \nto actually get them through the process cleanly. So it is an \nissue that actually I think has been in large part addressed \nbut there is still work to do. I do want to follow up with the \nCongressman and understand the specific use case he has had and \nhis situation so we can figure that out.\n    Chairman Issa. Thank you.\n    Now as we go to Mr. Massie, who from a standpoint of his \neducation and known IQ, could in fact rival you as the smartest \nguy in the room.\n    Mr. Massie. No, I am from the trade school that is a mile \ndown the river from your arts school that you attended.\n    Chairman Issa. You had better share that with the rest of \nthe world.\n    Mr. Massie. I went to MIT, you went to Harvard.\n    Mr. Park. You could definitely kick my butt, sir.\n    [Laughter.]\n    Mr. Massie. Maybe we could share some numbers later. I am \nsure we share an affinity for numbers.\n    But first I want to talk about the final security control \nassessment that was prepared by MITRE, and just read a little \nbit of that. It says MITRE was unable to adequately test the \nconfidentiality and integrity of the HIX access in full. The \nmajority of MITRE's testing efforts were focused on testing the \nexpected functionality of the application. Complete end-to-end \ntesting of the application never occurred.\n    So this was MITRE's final security control assessment. And \nwe are throwing around a lot of three-letter acronyms, HIX, \nCMS, ATO. But I have a document that has CYA written all over \nit here, Mr. Chao. You wrote a letter, and this is the final \nATO, or authority to operate, to Marilyn Tavenner, which she \nsigned off on. In this letter, you stated, ``Due to systems \nreadiness issues, the SCA,'' and that is security control \nassessment, ``was only partly completed. This constitutes a \nrisk that must be accepted and mitigated to support the \nmarketplace day one operations.''\n    In this sentence here, and this was written on September \n27th, or certainly signed off on September 27th, were you \ntrying to tell your boss that there is a risk and I am not \ngoing to accept it, but you must accept this risk, we can \neither delay the date or we can accept the security risk?\n    Mr. Chao. I think I was outlining more of a generalized \nrisk acceptance with a fairly significant rollout of the \nmarketplace system.\n    Mr. Massie. But that risk existed because there had never \nbeen an end-to-end security test on this, is that true? That is \nbasically what the letter states here.\n    Mr. Chao. I think in previous testimony I have also said \nthat end-to-end is a highly subjective term.\n    Mr. Massie. If it is subjective, how are you going to get \nit done in 60 to 90 days?\n    Mr. Chao. It depends on the scope of what you are trying to \nput in production.\n    Mr. Massie. Well, the scope is, is our data safe? Is the \npersonal information that Americans enter into the system going \nto be safe? For instance, in this same letter, and it is a very \nshort letter, signed by Marilyn Tavenner on September 27th, you \nsuggest that we conduct a full security control assessment, so \nI will let you define what that is, in a stable environment, \nwhich implies that you don't have a stable environment right \nnow, where all security controls can be tested within 60 to 90 \ndays of going live on October 1st.\n    Here is what troubles me about this letter. You are \nbasically saying, look, we can go live but there are going to \nbe security risks. But let's test it on real people's data, on \nreal personal information. Let's test it for 60 to 90 days.\n    Mr. Chao. No, that is not what I said. That is not what the \nmemo alludes to. When we do security testing, we don't do it in \nterms of using live people's data. We do security testing in a \npre-implementation environment prior----\n    Mr. Massie. Well, I would contend we are beyond pre-\nimplementation. We are testing this in the real market and it \nis failing.\n    You said that the format of this ATO is not typical, is \nthat true?\n    Mr. Chao. It is true.\n    Mr. Massie. So you have never seen that sort of format \nbefore. Is it a problem that you were not given the final \nsecurity control assessment prior to authoring the ATO, \nauthorization to----\n    Mr. Chao. I don't think that is necessarily a problem, \nbecause my staff were copied on it.\n    Mr. Massie. But you didn't get to see it. You said, \nactually I didn't get a copy of the final ATO.\n    Mr. Chao. Correct.\n    Mr. Massie. Those are your words.\n    Mr. Chao. Because I was with the information systems \nsecurity officer in Herndon when these tests were being \nconducted. It was determined that there was no high finding----\n    Mr. Massie. As the person with responsibility for the \nauthorization to operate, I think you should have been at your \ndesk reading the final security control assessment.\n    Mr. Chao. I was there in person.\n    Mr. Massie. But I am glad to see that you covered yourself \nby putting this sentence in here.\n    Mr. Chao. That was not to cover myself. That was a decision \nmemo between her and I.\n    Mr. Massie. Are any among you today willing to bet your job \nthat thousands of people's personal data won't be released \nbecause of implementation of this website?\n    Chairman Issa. That is certainly a yes or no question.\n    Mr. Massie. That is a yes or no question.\n    Mr. Chao. They are trying to ask us to predict something \nthat security vulnerabilities are as, some folks have mentioned \nbefore, it happens every day. That is why we do security \ntesting.\n    Mr. Massie. Obviously from the documents here, you weren't \ncomfortable with this, you were trying to transmit to your \nboss, let me just read your words again, ``This constitutes a \nrisk that must be accepted and mitigated to support the \nmarketplace day one operations.'' In other words, to launch \nthis thing by October 1st you were telling your boss she is \ngoing to have to accept some risks that are not normal for \nthis.\n    [Simultaneous conversations.]\n    Chairman Issa. Quickly. The gentleman's time is expired.\n    Mr. Massie. Okay. Mr. Park, we have Mr. Chao saying 17,000 \nusers an hour can subscribe. And we have Mr. Lankford who has \nbeen waiting for over an hour and a half. We have five orders \nof magnitude difference between those two numbers. Which is \ncloser to the truth?\n    Chairman Issa. The gentleman may answer.\n    Mr. Massie. How many people an hour are able to enroll in \nhealthcare?\n    Chairman Issa. The gentleman previously said 17,000. Is \nthat correct?\n    Mr. Park. Seventeen thousand registrations for new account \nper hour is the number that we have.\n    Mr. Massie. I imagine you have a war room somewhere where \nyou are directing these operations and you have some big \nnumber. The only number that matters, how many are enrolling? \nHow many are enrolling right now per hour? Can you tell us?\n    Mr. Park. Actually what the war room tracks----\n    Mr. Massie. Just a number. Come on. We both love numbers.\n    Chairman Issa. Let the gentleman answer. Your time is \nexpired, please. It is a Harvard-MIT problem, I think.\n    [Laughter.]\n    Mr. Park. In terms of enrollment numbers, those are going \nto be released by the Administration shortly.\n    Chairman Issa. I thank the gentleman. We now go to the \ngentleman from Pennsylvania, Mr. Cartwright.\n    Mr. Cartwright. Thank you, Mr. Chairman.\n    The Affordable Care Act was passed into law in 2010. It \nseeks to increase competition in the marketplace, to help bring \ndown health care costs. It ends the practice of denying \ncoverage to those with pre-existing conditions, bans annual and \nlifetime limits on health care benefits, it also enable parents \nto keep their children on health care until they are 26 years \nold, and it makes small businesses eligible for tax credits to \nease the burden of employee coverage.\n    The law also works to strengthen Medicare and will make \nprescription coverage for seniors more affordable. These tax \ncredits are desperately needed in my district, where nearly 9.4 \npercent of my constituents live below the poverty line; 70,000, \nthat is 10.5 percent, do not have health insurance in my \ndistrict, including 6,500 children. They will be able to \nutilize the subsidies offered under the Affordable Care Act \nfinally to get health care.\n    Now, I also want to get to the bottom of what is going on \nwith this website, Healthcare.gov, and I support oversight \nhearings for that purpose. However, this hearing, like so many \nprevious hearings this committee has held, is clearly an \nextension of the politically motivated repeal or delay agenda \nthat some of my friends on the other side of the aisle have \nbeen pushing since this law was first passed in 2010.\n    It seems to me that if the chairman really were so worried \nabout getting this website fixed, so that people could actually \naccess affordable health care, he would not have subpoenaed Mr. \nPark to come in and testify today. In fact, Mr. Park agreed to \ntestify before this committee just two and a half weeks later. \nBut the chairman refused that offer and subpoenaed him anyway. \nThe chairman's subpoena, combined with the constant releasing \nof partial transcripts, taking witnesses' quotes out of \ncontext, it seems like it is part of a predetermined political \nstrategy rather than a constructive effort to conduct \nresponsible oversight as this committee is supposed to do.\n    In fact, although the chairman claimed otherwise in his \nopening statement here today, the House Republican Conference \nis politicizing this issue. And here is the proof. They have \nissued a playbook to Republican Members, and they actually call \nit that, a playbook, right on the cover of the thing. It \ndoesn't say how to fix problems with the website or improve the \nprocess, or work to ensure Americans health care. It tells them \nhow to exploit any challenges or glitches for their own \npolitical gain.\n    I am not saying all Republicans are doing this. But it \ncertainly seems to me in this forum that the chairman of this \ncommittee is.\n    Chairman Issa. Would the gentleman like to place that into \nthe record? Because I haven't seen it.\n    Mr. Cartwright. Yes.\n    Chairman Issa. Without objection, so ordered.\n    Mr. Cartwright. It is my hope that we can have oversight \nwithout this kind of gamesmanship and partisan politics as this \ncommittee has been able to do in the past. I really would like \nto get to the bottom of what is going on with the website, \nbecause I want my constituents to be able to sign up for \nquality, affordable health care.\n    Mr. Chao, on November 7th, Chairman Issa issued a press \nrelease with the headline ``AACA Testing Bulletin: \nHealthcare.gov Could Only Handle 1,100 Users Day Before \nLaunch.'' He then accused Jay Carney and Mr. Park of making \nfalse statements to the American people by suggesting that \nofficials estimated capacity at about 60,000. That is what the \nchairman said, ``Jay Carney is being paid to say things that \naren't so. But in this case, Todd Park and other people who \nknew the facts, who had to know the facts, and the facts were \nfrom documents we received from lead contractors that slowed \ndown to an unacceptable level at 1,100 users. Well, in fact, \nTodd Park was telling us that at 60,000 was the target and at \n250,000 they just couldn't handle it.''\n    As the basis for that allegation, the chairman quoted from \na testing document that he released which says this, ``Ran \nperformance testing overnight in IMP1B environment, working \nwith CGI to tune the FFM environment to be able to handle \nmaximum load. Currently we are able to reach 1,100 users before \nresponse time gets too high.''\n    Mr. Chao, it is my understanding that the IMP1B environment \nwas only a sample testing environment, not a test of the full \nproduction capacity of the entire website. Am I correct in \nthat?\n    Chairman Issa. The gentleman's time has expired, but the \ngentleman may answer.\n    Mr. Chao. You are correct, the what we call implementation \n1B environment is about 10 percent the size of the full \nproduction environment.\n    Mr. Cartwright. Thank you. I yield back.\n    Chairman Issa. I thank you. We now go to the gentleman, Mr. \nMeadows. Mr. Meadows, would you yield for just 10 seconds for a \ncomment?\n    Mr. Meadows. Certainly, Mr. Chairman.\n    Chairman Issa. I never could quite understand how this \nthing could handle 60,000 simultaneous users but only do six in \na day. So maybe unlike some of the smart people here, I just \ndon't get it. But six in a day doesn't seem like 60,000 \nsimultaneous users. I thank the gentleman.\n    Mr. Meadows. Thank you, Mr. Chairman, and thank each one of \nyou for coming to testify. Mr. Park, you are not old enough \nprobably to remember this, but I remember the Six Million \nDollar Man. You are now the $600 million man, because you are \ncoming in to fix all this. So we are hopeful that you, based on \nthe people that I represent, that you are successful by \nNovember 30th.\n    We do want to ask you, though, how do we define success? \nBecause the talking points are all that it is going to be fixed \nfor the vast majority of Americans as they go on. And we see \nMr. Lankford here, he can't get on. So what is success? Is it a \n98 percent without wait time? How do we define success so on \nDecember 1st, we will know whether you were worth $600 million \nor not?\n    Mr. Park. Thank you for your comment sand your question. \nFirst of all, I am just a small part of the team working to fix \nthis.\n    Mr. Meadows. So what is success?\n    Mr. Park. Success is, first of all the site will most \ndefinitely not be perfect.\n    Mr. Meadows. But when the President asks you, were you \nsuccessful, how do you define success?\n    Mr. Park. First of all, on a system that is stable, so it \nis actually up and running consistently.\n    Mr. Meadows. What percentage of the time? Ninety-eight \npercent of the time?\n    Mr. Park. One proxy that we are using actually is, for its \nperformance in general is response time and error rate. And if \nthe system actually has issues and goes down then actually \nthese things can then exacerbate those rates.\n    Mr. Meadows. I am going to run out of time. What I would \nask you to do is, for the record, get to the committee what we \ncan look to so we can disseminate to all of America on what \nsuccess is, so on December 1st, we will all know.\n    Mr. Park. I will take that back, absolutely.\n    Mr. Meadows. All right, thank you.\n    Mr. Chao, much of your testimony is, I have read some of \nyour testimony and it seems to be a little different. But I \nalso know that you had several meetings, ongoing meetings with \nWhite House staff over this process, is that correct?\n    Mr. Chao. I accompanied Marilyn Tavenner and other \ndirectors, such as Gary Cohen.\n    Mr. Meadows. So how many times were you at the White House?\n    Mr. Chao. Over the course of three years, maybe less than \ntwo dozen times.\n    Mr. Meadows. Because the logs suggest 29 times, is that \ncorrect? Would that be in the ballpark?\n    Mr. Chao. That might not be accurate, because some meetings \nwere----\n    Mr. Meadows. Who conducted these meetings? Jeanne Lambrew?\n    Mr. Chao. I believe her name is pronounced Lambrew. There \nwere meetings conducted by her. Also, I met with Steve \nVanRoekel.\n    Mr. Meadows. In those meetings? So you all were a part of \nthose meetings?\n    Mr. Chao. No Steve chaired a----\n    Mr. Meadows. I am asking about the White House meetings. So \nthere were 29 White House meetings of which you had this group. \nWho were the people in the room? Were you in there?\n    Mr. Chao. I am not trying to be difficult, but there are \ndifferent parts of the White House. There is a White House \nconference center.\n    Mr. Meadows. Okay, the meetings with Jeanne, she was \nleading, the 29 meetings, about two dozen.\n    Mr. Chao. That was probably less than a handful.\n    Mr. Meadows. Okay. I guess my question is, I am a little \nconfused how the President would be surprised that this was \nsuch a debacle on October 1st if you all were meeting regularly \nwith the White House. Why would they be surprised on October \n1st that it didn't roll out the way everybody thought it \nshould?\n    Mr. Chao. I think the subject matter, at least with my \nattendance being there, was to discuss things such as the \nstatus of the Hub development.\n    Mr. Meadows. So did anybody express concern that there was \na problem, that October 1st there was going to be a problem?\n    Mr. Chao. No.\n    Mr. Meadows. There was no one in that room? We had all the \nbrightest minds in the world in this room and no one \nanticipated a problem on October 1st?\n    Mr. Chao. They were highly specific issues, such as working \non 6103 requirements with IRS, Privacy Act implementation with \nSSA, they are very operationally specific.\n    Mr. Meadows. So you all weren't meeting on how the website \nwas going to work?\n    Mr. Chao. Not meetings--my meetings were more operationally \nfocused about implementation.\n    Mr. Meadows. So it is plausible that the President would be \nsurprised that this wasn't going to work, based on those \nmeetings?\n    Mr. Chao. I wouldn't know that.\n    Mr. Meadows. So who would have been in the best position to \nbe able to advise the President that we were going to have this \nunmitigated mess? Anybody in that room? Who should we bring \nback here, I guess is what I am saying, Mr. Chao, that can help \nthe American people understand why this was such a fiasco?\n    Mr. Chao. I really don't have an answer to that.\n    Mr. Meadows. Mr. Chairman, I yield back. It is amazing how \nwe could find how you can't answer a simple question for the \nAmerican people.\n    Mr. Chao. I don't think that is for me to decide.\n    Mr. Meadows. I asked the question. It is for you to answer.\n    Mr. Chao. Okay, so my answer is, it is not really for me to \ndecide.\n    Chairman Issa. Mr. Meadows, your time is expired and I \nstrongly suspect that as is often said in politics, success has \nmany fathers, quite a few mothers, plenty of relatives, but \nfailure is an orphan. You are going to find an orphan here, if \nI have ever heard or seen one.\n    With that, the patient gentleman from Massachusetts, Mr. \nLynch, is recognized.\n    Mr. Lynch. Thank you, Mr. Chairman.\n    I want to thank the members of the panel for coming forward \nand their willingness to help the committee with its work.\n    I do want to say just at the outset that my experience in \nMassachusetts with the Massachusetts health care, so-called \nRomneyCare, that was a precursor to this in many ways, I am \nspeaking of the Affordable Care Act, also rolled out very, very \nslowly. That is my experience, being on the ground in \nMassachusetts when that plan went forward. So it was very slow \nin ramping up. Of course it didn't have the urgency of this \nprogram. It was sort of planned that way.\n    I also remember the Medicare Part D Act, which was a \nRepublican initiative, also rolled out extremely slowly. I know \na lot of my seniors, I had to do 16 town halls around my \ndistrict to try to tamp down the backlash because of the \nslowness of how that was ramped up. So this is not, this \nexperience is not out of line with those other two programs. So \nI just wanted to make that note.\n    I have had a chance to go out and talk to some of the \noutreach workers. A lot of the outreach on the Affordable Care \nAct in my district is being conducted through the local \ncommunity health centers. I have basically an urban district. \nSo the health center employees are going out and signing people \nup.\n    One of the concerns that they have raised is that the \nAffordable Care Act is so focused and sort of facilitated by an \nemail address. People have to have an email address in order to \ninteract with this whole thing. If you look at the demographic \nof the 31 million people who we are trying to get health care \nto that were not receiving health care before, the poor, the \nelderly, that is a high correlation between folks who didn't \nget health care before and don't have an email.\n    So the outreach workers, when I said what is your biggest \nproblem, they said, well, when we are working with the elderly \nand we are working with low income families, the poor, they \ndon't have an email address. And the system we have is \nbasically, it requires an email address. To do it otherwise, to \nscratch that itch, we are somehow going to have to close that \ngap. Because a lot of these folks don't have email addresses \nand yet they are the very people that we are trying to get \nhealth care to.\n    Has any thought been given to, look, this was supposed to \nbe the easy part, getting people up on the grid. I am not \ntalking about making health care affordable or high quality \nhealth care or making sure access is there. Just getting up on \nthe grid, this was supposed to be the easy part.\n    So I am concerned, I am concerned about where we are today \nand where we need to get to in order to meet any definition of \nsuccess. So what are we doing about those people, who don't \nhave an email address because they are poor or elderly, they \nare not on the grid? How are we going at them? Anybody got an \nidea?\n    Mr. Chao. We do operate call centers. We have 12 call \ncenters in which people can work with a live person online to \nfill out the application and to go through their determination \nprocess and to select a plan.\n    Mr. Lynch. Yes, but at least the workers I have talked to \nhave said it is like 31 or 34 pages. Do they have to go through \na 34 page application on the phone?\n    Mr. Chao. I think what happens, the call center experience \nis, isn't you are necessarily filling out a paper application. \nYou can start that way and submit it that way. But I think you \ncan also start with a call center representative.\n    Mr. Lynch. Well, I am not so sure that is working. That \nmight be part of our problem. I have a district where I have a \nlot of seniors, a lot of folks that are struggling. So we have \nto figure that one out.\n    Mr. Chao. We can certainly confirm that, that process or \nthat procedure.\n    Mr. Lynch. That will help.\n    The other situation is this. At the same time that we are \ntrying to get this up, get people on the grid, we have \nemployers that are making decisions not to continue health care \nplans for their employees. So they are unplugging and they are \nsending people to the exchanges. So I have employers out there, \na lot of them in the construction industry, that are saying, I \nknow I used to provide health care for you, but now I want you \nto go to the exchanges and get them. So they are unplugging, \nthey used to provide health care. And now these employees in \nthe construction industry are trying to plug in. And they are \nhaving these problems.\n    I am wondering, is there any way to sort of make sure that \nthat unplugging doesn't occur until we have a platform that we \nare confident people can plug into? I think there is going to \nbe a gap here. It concerns me greatly that we have so many \npeople in the construction industry that are, and I have met \nwith union employers, about 50 union employers and about 35 \nnon-union or open shop employers that are both having the same \nproblem. I think there is a mismatch in what is going on here, \nwhere the employers are disengaging and sending their employees \nto the exchanges. And when they try to go to the exchanges, \nthey are having problems signing up. I am wondering if there is \nsome corrective action that we might be able to take, either \ndelaying the process for employers to disengage or just giving \npeople time to hook into the system that is not ready for prime \ntime.\n    Chairman Issa. The gentleman's time is expired. The \ngentleman may answer. If the gentleman would yield just \nbriefly?\n    Mr. Lynch. Sure.\n    Chairman Issa. I was hoping you would suggest the question \nof, can't we do this by mail.\n    [Laughter.]\n    Mr. Lynch. That is an inside joke.\n    Chairman Issa. But in all seriousness, the fact is that if \nsomebody doesn't have email capability, why couldn't they make \na call to a call center, receive those many pages, fill out \nthat paperwork, return it in a self-addressed stamped envelope, \nso that in fact the Post Office could ensure that the elderly \npeople not comfortable with email and so on.\n    Mr. Lynch. Well, it is just my thought, and I won't take \nlonger time than you did, but I know that generally, we are \ntrying to get away from a paper process. So I suppose as a \nlittle inefficient it might be necessary, but it is not the \nideal now.\n    Mr. Chao. Could I just answer that? It is not really, we \nare not considering that as a last resort, because paper is a \nlast resort, but we do make accommodation, if you want to start \nthe process in paper, you can, and then mail it in to our \neligibility support worker contract, which will then take you \nthrough the rest of the process.\n    Chairman Issa. I thank you.\n    And with that we go to the gentleman from Michigan, Mr. \nAmash.\n    Mr. Amash. Thank you, Mr. Chairman. I am going to yield my \ntime to my friend, the gentleman from Ohio, Mr. Jordan.\n    Chairman Issa. The gentleman from Ohio is recognized, and \nwithout objection, the gentleman from Ohio will be able to \ncontrol the time.\n    Mr. Jordan. I thank the gentleman for yielding.\n    Mr. Park, Mr. Meadows asked the pertinent question. There \nwere a series of meetings held at the White House, weekly \nmeetings that were presided over by folks in the White House. \nMr. Meadows asked who were those people who need to come in \nfront of this committee who can answer the questions. The \nquestions like, why didn't you know that the security \nassessment wasn't completely done end-to-end testing? Who can \nanswer the questions about why you decided to go ahead and \nlaunch this on October 1st?\n    And we know who that person is, because according to the \nWashington Post story, November 2nd, a memo that they got from \nDavid Cutler spells it out. Mr. Cutler said, we need to put \nsomeone from the private sector in charge, someone who has run \na business, someone who has that kind of experience and \nexpertise. And the President said no, he had already put in the \narticle, he had already made up his mind, Nancy Ann DeParle is \nthat person.\n    So that is the person we need, Mr. Chairman.\n    And Mr. Cutler also points out, Mr. Meadows referenced this \nas well, according to the memo, the overall head of \nimplementation inside HHS was Jeanne Lambrew. So those are the \ntwo people we need. Would you agree, Mr. Park, they need to \ncome here and tell us what took place, why these decisions were \nmade, why it was done the way it was done, these are the two \nkey people? This is the lady the President said, no, that is \nwho I want in charge. Even though Peter Orzaq, Larry Summers, \nZeke Emmanuel and David Cutler said, put someone else in \ncharge, the President said, no, I want Nancy Ann DeParle in \ncharge, don't you think she should come in front of this \ncommittee, Mr. Park?\n    Mr. Park. Respectfully, I can't really speak to that, sir.\n    Mr. Jordan. I know. We are probably going to have to do the \nsame thing for her that we did for you, we are going to have to \nsubpoena them. Because yesterday, last week, the Chairman and I \nsent a letter to the White House asking that simple question, \nwould Ms. DeParle, the person hand-picked by the President to \nrun this operation, would she come in front of this committee \nand testify about this disaster this rollout has been, and \nwould Ms. Lambrew come as well. And the response we got back \nyesterday from the White House was, thank you for inviting us, \nbut we are not coming.\n    So it looks like we are going to have to do the same thing, \nMr. Chairman, that we had to do with Mr. Park, to get the two \nkey people to come here.\n    Now, according to White House logs, Mr. Chao, you testified \nyou had been there been 10 and 29 times to these meetings, and \nMr. Park, nine times according to White House logs, you have \nbeen to nine of these where Jeanne Lambrew ran the meeting. Is \nthat correct, Mr. Park, you went to the White House when Ms. \nLambrew ran these weekly meetings?\n    Mr. Park. I can't verify that.\n    Mr. Jordan. But that is what the visitors log says. Were \nyou in meetings with Nancy Ann DeParle and Jeanne Lambrew at \nthe White House?\n    Mr. Park. From time to time, yes.\n    Mr. Jordan. And of course the meetings were about the \nrollout of the Affordable Care Act and the website?\n    Mr. Park. As I recall, there were different kinds of \nmeetings that I attended from time to time.\n    Mr. Jordan. Were they about ObamaCare, Mr. Park?\n    Mr. Park. They were about the Affordable Care Act.\n    Mr. Jordan. Right. And what is your official title? You are \nhead of information technology for the entire United States? \nThat is your title? So I assume it was about information \ntechnology, correct?\n    Mr. Park. No, actually, sir, first of all, I am a \ntechnology and innovation policy advisor in the Office of \nScience and Technology Policy. So I am not the head of IT for \nthe U.S. Government, just to clarify. And I can't actually \nrecall, like for the meetings, what particular topics were \ndiscussed, off the top of my head. So unless there is more \nspecificity.\n    Mr. Jordan. At any time during these nine different \nmeetings you had, or more, for that matter, meetings you had, \nwas the rollout of ObamaCare discussed and the concerns about \nthis thing not being ready on October 1st?\n    Mr. Park. Again, without more specificity----\n    Mr. Jordan. Mr. Chao, on these meetings, who ran the \nmeetings that you attended 29 times at the White House? Who was \nin charge of running the meetings then? Were any of those \nmeetings run by Ms. Lambrew or Ms. DeParle?\n    Mr. Chao. I don't think it was 29 times.\n    Mr. Jordan. You testified between 10 and 29. So whatever \nthe numbers, in those meetings when you were at the White \nHouse, were any of those run by Jeanne Lambrew or Nancy Ann \nDeParle?\n    Mr. Chao. One was run by Nancy Ann and one, just a couple I \nattended that was with Jeanne Lambrew. And as I mentioned \nbefore, my role was to provide a five-minute status on Hub \ndevelopment.\n    Mr. Jordan. I am not worried so much about your role. I \njust want to establish the fact that you were at the White \nHouse between 10 and 29 times. Mr. Park was there nine times. \nMr. VanRoekel, how many times were you in these weekly meetings \nat the White House?\n    Mr. VanRoekel. I don't recall. I didn't attend any weekly \nmeetings.\n    Mr. Jordan. Were you in any meetings with Jeanne Lambrew or \nNancy Ann DeParle?\n    Mr. VanRoekel. I have been in the company of those two \npeople.\n    Mr. Jordan. Regarding the Affordable Care Act?\n    Mr. VanRoekel. Maybe once or twice.\n    Mr. Jordan. Okay. Mr. Chairman, my time is expired. But \nthose are the two people, those are the individuals that need \nto come in front of this committee. And we can't accept the \nfact that we get a letter from the White House that says thank \nyou, but we are not coming.\n    Chairman Issa. I thank the gentleman. I would note for all \nmembers that there is a vote out on the Floor. We are going to \ngo until the very last minute. What I would ask is, if Mr. \nBentivolio or Mrs. Lummis, do either of you have specific \nquestions for Mr. Park?\n    Mrs. Lummis. I do not.\n    Chairman Issa. Then Mr. Park, because we would otherwise \nkeep you for longer than I think is necessary, I want to thank \nyou for being here. I apologize to the other witnesses, you get \nto stay through the vote. But Mr. Park, you have been a very \ncooperative witness. I appreciate your being here. I believe \nyou are being here as a person we are going to look to to get \nthis right by November 30th. It was critical I appreciate your \nbeing here and without objection, you are dismissed.\n    Mr. Park. Sir, just one more request?\n    Chairman Issa. Sure.\n    Mr. Park. Would someone send me contact info for \nCongressman Lankford, just so I can follow up?\n    Chairman Issa. We will have that contact information given \nto you. I will do one other thing quickly. If when you go back, \nsince you are a Federal employee, go to the FEHBP website. What \nyou will find there in a .pdf form is a spreadsheet. Now, Mr. \nChao seems to think that it was not important to give people a \nshopping list. But I will tell you, if you are Federal \nemployee, postal or non-postal, you can go to that website, you \ncan look at every single plan and it will tell you how much the \nannual rate is, the bi-weekly rate, how much your government \npays for you and how much you will pay by plan.\n    Now, that doesn't let you endlessly look at the details of \nthe plan. But for 230-plus plans spread over not just 50 States \nbut the District of Columbia and Puerto Rico, we provide this \nto the Federal workforce. I might suggest that if you can't get \nsome form of legitimate, open shopping list up quickly, that \ncurrently telling people what their rate is, if they are 27 or \n50, is disingenuous, because it distorts what the real rates \nare. And that a splash page like this, or a .pdf, so people \ncould look at all the plans, and by age, depending upon what \ntheir age is, they would know what the rate is, could be done \nin a matter of hours by a tenth grader.\n    And that might suffice until this program is available.\n    Mr. Chao. Can I make a comment really quickly? In my oral \nremarks, I mentioned that we are working on a premium \nestimation tool that will give you more details than just the \nvery coarse under 49, over 50, so that you can browse plans. We \nare working on that.\n    Chairman Issa. But understand, your under 50 is 27, your \nover 50 is 50. That misstates, because it is age-based, it \nmisstates the truth. If you were picking it, you should have \npicked 64 and 29, and you would have gotten much higher rates, \nif you are going to give anecdotal. But the truth is, a simple \nspreadsheet that Microsoft, forget about Microsoft, Supercalc \ncould have given you that spreadsheet before many of my staff \nwere born. And that could have been made available very \nquickly.\n    So I might suggest that the American people deserve to know \nthat a plan based on their age is X amount and a free look \nwould be very helpful. I commend you to look at FEHBP and what \nwe do for ourselves as Federal employees.\n    And with that, I am going to go to the gentleman from \nMichigan, I believe we have time. Mr. Bentivolio.\n    Mr. Bentivolio. Thank you very much, Mr. Chairman.\n    Gentlemen, are you familiar with Brook's law? Anybody? \nBrook's law? That is the first thing you learn in software \ndevelopment. You need to divert developers to training new \ndevelopers you added to the project, which kind of tells me \nthat November 30th rollout is another hope and a dream.\n    Are you familiar with this, Information Technology, \nCritical Factors Underlying Successful Major Acquisitions, \ndated October 2011, nine best practices?\n    Mr. Chao. I think I perused it.\n    Mr. Bentivolio. Oh, good. So you are familiar with, well, \nyou perused it, you didn't study it, apparently you didn't.\n    Mr. Chao. I was busy working on the marketplace program. So \nI don't have a whole lot of time to read a lot of other \nmaterials.\n    Mr. Bentivolio. Are you familiar with this fix that you are \nputting in for ObamaCare, you are diverting people that \nunderstand the software to train people, additional people to \ncome in and fix the problem?\n    Mr. Chao. Yes, I think that is what is happening now.\n    Mr. Bentivolio. You think. Okay. I am going to list three. \nProgram officials, three of the nine best practices essential \nto IT, which you did not implement. Program officials were \nactively engaged with stakeholders, ObamaCare rollout \napparently lacked senior oversight for most senior technology \nofficials, including Federal CIO, Federal CTO and HHS CIO.\n    Mr. Powner, what should take from this report?\n    Mr. Powner. Clearly, those are best practices. What we did, \nthat was a report that we did, we always report on failures. So \nwe actually went to ten agencies and we asked them for a \nsuccess story. So there are seven successful acquisitions in \nthere and we asked why they were successful. None of that is a \nsurprise. It is defining your projects right up front, putting \nthe right people in charge, good communications with \ncontractors and managing best practices throughout the life \ncycle.\n    So it is something everyone at this table knows needs to be \ndone on successful acquisitions. Mr. Chairman, I think FITAR \nand where we look at the acquisition process, and the whole \nbit, that is fine, that is going to be very helpful. But a lot \nof this just gets down to solid governance and good management \nand the right attention on these projects. That is what those \npractices really highlight.\n    Mr. Bentivolio. Thank you. Mr. Chairman, I would like to \nyield the rest of my time to Mr. Meadows. Thank you.\n    Chairman Issa. The gentleman is recognized.\n    Mr. Meadows. I thank the gentleman from Michigan. And I \nhave a question. I have been running the numbers, and my \nunderstanding is, we are creating this site to create a system \nthat is available for 17,000 users per hour, is that correct?\n    Mr. Chao. The way it was described is that the first part \nof the process is, you have to register for an account. That \ncurrent capacity is running at 17,000 registrations per hour.\n    Mr. Meadows. So what are we building the system to be able \nto handle in terms of capacity, 17,000 or higher than that?\n    Mr. Chao. It is approximately 48,000 to 58,000 users in the \nsystem. By that I mean you could be on the learn side just \nlooking at static web pages to actually actively filling out an \napplication.\n    Mr. Meadows. What is the smallest end of the conduit? What \ntruly is it, 17,000, 25,000 or 43,000? What is our smallest \nability in terms of volume to handle in terms of capacity?\n    Mr. Chao. I think right now there is about, on average, \nsomewhere between 22,000 to 25,000.\n    Mr. Meadows. So that is what we are building the capacity \nto, 25,000?\n    Mr. Chao. Per hour it is sitting right around that.\n    Mr. Meadows. And that is what we are building it to, that \nis the specs?\n    Mr. Chao. Actually a little exceeding that. For example, \nthe front part, identity management part, we are going to apply \nsome improvement that is going to go to 30,000 registrations \nper hour.\n    Mr. Meadows. Let me tell you the reason why I ask. I have \ndone the numbers. If you take the number of uninsured Americans \nthat are out there, and if they got on the system today, 24 \nhours a day, which we know doesn't happen, it would be 43,000 \npeople an hour. So we are building a system that won't even \ntake care of the uninsured people that we have right now. So \nhow are we going to be successful?\n    Mr. Chao. I would like to look at your calculations.\n    Mr. Meadows. It is 50 million people, you can do it over \nthe next 48 days.\n    Mr. Chao. I don't think the estimates were there.\n    Mr. Meadows. I know the estimates weren't there. But if you \ndo the math, that is what works. I yield back.\n    Chairman Issa. I thank the gentleman, and I am sorry that \nyou have to look at his figures, that in fact the burn rate \nnecessary to get done wasn't understood from day one, and the \nsurge requirement at 4:30 in the afternoon or 5:30 in the \nafternoon Pacific Time wasn't in fact what you were looking at. \nI know Mr. VanRoekel would understand that you need two or \nthree or four times the highest capacity to deal with when \npeople actually are going to log on and try to do it.\n    Mrs. Lummis is recognized.\n    Mrs. Lummis. Thank you, Mr. Chairman.\n    Mr. Chao, you said that NIST defines high risk as a \nvulnerability that could be expected to have a severe or \ncatastrophic adverse effect on individuals or organizational \noperations or assets. I want to focus on the part about the \nsevere or catastrophic adverse effect on individuals.\n    Is it true that there were two high risks that continue to \nbe found related to the marketplace information systems that \nyou weren't told about at the time?\n    Mr. Chao. I think you are referring to the September 3rd \nauthorization to operate.\n    Mrs. Lummis. I am.\n    Mr. Chao. Those two findings were, I think earlier in the \nhearing today, we clarified that that was dealing with two \ncomponents of the marketplace systems that deal with plans \nsubmitting dental and health plan information, qualified health \nplan, and didn't involve any personally identifiable \ninformation.\n    Mrs. Lummis. The memo I have is redacted. So it doesn't, I \ndon't have the information that you just testified to because \nof the redactions in the memo. So maybe that is correct, maybe \nit is not. Are you testifying that that is absolutely what it \nis about?\n    Mr. Chao. Yes, because I saw an unredacted version that was \nhanded by committee staffers to me last week. And if it has \nbeen redacted, it has been redacted by someone else.\n    Mrs. Lummis. Did one of the risks outlined in this memo \npertain to the protection of financial or privacy data?\n    Mr. Chao. I don't have it right in front of me. I think \nthere was an appendix section. But I don't recall seeing that.\n    Mrs. Lummis. So you don't know whether financial and \nprivacy data were outlined as a risk in this memo?\n    Mr. Chao. I don't believe so, because it dealt with our \nplan management or our qualified health plan submission module, \nwhich are data that is submitted by issuers and dental \nproviders.\n    Mrs. Lummis. Is it true that the internal memo, this memo, \noutlined one of these risks as the threat and risk potential \nare limitless?\n    Mr. Chao. No. I think it is referring to a very specific \ntype of risk when you allow an upload of a file that has an \ninternal macro that runs. But it is not about people. This is \nnot personally identifiable information.\n    Mrs. Lummis. What is it about?\n    Mr. Chao. It is plans submitting their network adequacy. It \nis basically worksheets that contain information about the \nbenefit data that each issuer submits.\n    Mrs. Lummis. Okay. I am going to switch gears. Mr. Chao, \ndid you brief White House officials prior to October 1st about \nthe status of the website?\n    Mr. Chao. No, not directly about the website.\n    Mrs. Lummis. Who did?\n    Mr. Chao. I don't know.\n    Mrs. Lummis. Mr. Baitman, did you?\n    Mr. Baitman. I did not.\n    Mrs. Lummis. Mr. VanRoekel, did you?\n    Mr. VanRoekel. Not only do I not know that that happened, I \ndon't know and I did not.\n    Mrs. Lummis. When Mr. Jordan asked you some questions, one \nof the things that he asked you was about your involvement in \nmeetings. He was specifically referencing Ms., I am looking for \nthe name. Well, let me just ask you this. Were any of the \nmeetings you attended at the White House?\n    Mr. VanRoekel. It depends how you describe the White House.\n    Chairman Issa. The White House includes Treasury, the Old \nExecutive Office Building, the New Executive Office Building, \nand the White House proper at a minimum.\n    Mr. VanRoekel. I didn't know if you were talking about \nphysical or organizational.\n    Chairman Issa. Organizational.\n    Mr. VanRoekel. I work in an agency that is part of the \nExecutive Office of the President. So every meeting I have is \nconsidered sort of part of that organization.\n    Mrs. Lummis. And was Ms. Lambrew present?\n    Mr. VanRoekel. As I mentioned in my answer to Mr. Jordan, \nin one to two meetings, yes.\n    Mrs. Lummis. And what were those meetings about?\n    Mr. VanRoekel. Those particular meetings were dealing with, \nthey were asking actually, my private sector advice on demand \ngeneration and marketing to young people, how to use social \nmedia to reach out to uninsured Americans.\n    Mrs. Lummis. So who was briefing the White House about the \nstatus of the website? No one? Did no one brief the White House \nabout the status of the website before October 1st? Mr. Chao?\n    Mr. Chao. Not me personally, but our administrator, Marilyn \nTavenner, certainly is representing the agency. So you might \nwant to ask her.\n    Mrs. Lummis. So we don't know whether the status of the \nFederal exchange and the data, how they were ever a focus of \nmeetings between White House and HHS personnel before October \n1st?\n    Mr. Chao. I think what I said earlier, that in the meetings \nI attended, I provided status briefings on the progress of \ncertain IT builds like the data services Hub.\n    Mrs. Lummis. And your reports on the status of the builds \nset off alarm bells with them?\n    Mr. Chao. No, because the data services Hub was actually \nperforming well and on time. And it received its authority to \noperate in August.\n    Mrs. Lummis. Okay. So what happened between August and \nOctober 1st?\n    Mr. Chao. I didn't attend any White House meetings.\n    Mrs. Lummis. What happened with the performance of the Hub?\n    Mr. Chao. The Hub is doing fine. It is doing what it is \nintended to do.\n    Mrs. Lummis. Mr. Chairman, I yield back.\n    Chairman Issa. I thank the gentlelady.\n    I will be brief. Mr. Chao, the EIDM, or what I call the \nfront door, is what didn't perform well, isn't that true?\n    Mr. Chao. Correct.\n    Chairman Issa. And since the system was designed so that \nyou had to go through the front door to get anything else, it \ndoesn't really matter if you had 60,000, 600,000 or 60 million \ncapability, if the American people had to go through that front \ndoor and only six got to the end, we can presume that the \nnumber that existed just prior to launch of 1,100 in that so-\ncalled minimized test, or as you said, it was only one-tenth \nthe amount, really wasn't true. The truth is that when people \ngot time outs as they tried to register, as they tried to go \nthrough the EIDM, the marketplace Hub, one that you forced them \nthrough by in September determining that they could not look at \na splash page to get a price idea if nothing else was \navailable.\n    That front door being blocked is essentially the reason \nthat the American people have wasted, for the most part, a \nmonth trying to get registered, isn't that true?\n    Mr. Chao. No, it is not true.\n    Chairman Issa. Yes, well, it is.\n    Mr. Baitman, where were you, since you and Mr. VanRoekel \nare critically part of this process? Where were you, and Mr. \nPark was brought in afterwards, where were you in the months \nand years leading up to this? Why is it that you were not aware \nthat on day one, this product was going to fail to launch in \nany legitimate, acceptable way?\n    Mr. Baitman. As I indicated in my opening testimony, HHS is \na federated agency.\n    Chairman Issa. Okay, not your job, this is an orphan.\n    Mr. VanRoekel, you came out of the private sector. Bill \nGates and Steve Baumer and a lot of other people at Microsoft \nwould have had somebody's neck hung, maybe not literally and \nmaybe not fired them, but they would want to know, demand to \nknow, Steve Jobs, when he was alive over at Apple or NEXT and \nthe other programs, they would have said, who the blank is \nresponsible for this failure? Can you tell me today whose job \nit was to make sure that we didn't have this dreadful failure \nto launch that didn't call the one person that should have \nknown and didn't do their job? One person? Who was that person?\n    Mr. VanRoekel. As I said earlier, I wasn't close to the \nactual development. I am not in a position to make that call.\n    Chairman Issa. Okay, so I had you and Mr. Park, Mr. \nBaitman, Mr. Chao, we will leave the GAO out of it, because we \nare probably going to ask them and others to help us find out. \nBut none of you today can tell us who failed to do their job. \nAnd as a result, the American people lost a month of any \neffective, real ability to sign up. This website was dead at \nlaunch for all practical purposes.\n    And I am sorry, Mr. Chao, you can give me all the numbers \nyou want, six on the first day, 240 on the second day, when \nmillions of Americans were trying to make this work. We may \ndisagree on ObamaCare, but we don't disagree that that was \nunacceptable. You heard it on both sides of the aisle.\n    Mr. VanRoekel, I think you fail to understand, you and Mr. \nBaitman and all of you in the Administration who were allowed \nto go to those meetings, Mr. Powner would tell you that best \npractices should be a lot more like it is at Toyota Company or \nHonda. In the production line, one person who sees a bad car \ncoming down is allowed to stop the production line. In this \ncase, a really defective, something that would make the Edsel \nlook like a success story, launched on October 1st and nobody \nsaid, here today or for that matter since I have been listening \nto the various hearings, nobody said, I should have pulled the \nstop button.\n    Mr. Chao, you refused to answer give a grade. Mr. Baitman, \nyou refused to answer give a grade. Mr. VanRoekel, you refused \nto answer to give it a grade. Well, I am going to give it a \ngrade. This was an F. Or on a pass-fail, this was a fail. Every \none of you should have been close enough to know there was \nsomething wrong, to ask somebody in one of those many meetings, \nare we sure this is going to work. And at least get an \nassurance from somebody that it would.\n    Mr. Powner, I want to thank you for being here today. \nAlthough many people have talked about FITAR and what we need \nto do in legislation, you are the only person here that \nrepresents an organization that has said, there is a right way \nto do it, we have looked at agencies at the Federal Government \nwho have done it right, and like you, we normally look at the \nagencies that fail. We look at the program out of Wright-Pat \nthat failed and lost us a billion dollars. We are looking at \nfailure that cost the American people millions of their hours, \nfrustrated, trying to get online to check whether or not health \ncare is going to be more affordable for them.\n    So I look forward to all of you being part of the process \nof best practices in your job going forward. But I look also \nwith all of you realizing without legislative change, we will \nbe back here again, with everybody saying, I didn't fail to do \nmy job, even when a product failed to launch.\n    And with that, you are dismissed. We will set up the next \npanel for after the vote.\n    [Recess.]\n    Chairman Issa. Now for our second panel we have Richard \nSpires, Former Chief Information Officer at the Department of \nHomeland Security. And Ms. Karen Evans is the former \nAdministrator of the Office of Electronic Government and \nInformation Technology at the Office of Management and Budget.\n    Pursuant to the rules, all witnesses will be sworn. Would \nyou please rise, raise your right hand to take the oath.\n    Do you solemnly swear or affirm that the testimony you are \nabout to give will be the truth, the whole truth and nothing \nbut the truth?\n    [Witnesses respond in the affirmative.]\n    Chairman Issa. Please be seated.\n    Let the record reflect that both witnesses answered in the \naffirmative.\n    In order to save time, we ask that the entire opening \nstatements of both witnesses be placed into the record. Without \nobjection, so moved.\n    We now will allow you to abbreviate, since your entire \nopening statement is in the record. Try to stay within the five \nminutes.\n    Ms. Evans?\n\n                    STATEMENT OF KAREN EVANS\n\n    Ms. Evans. Good morning, Chairman Issa, Ranking Member \nCummings and members of the committee. I am pleased to be \ninvited back to share my views of ObamaCare implementation, the \nrollout of Healthcare.gov.\n    From an IT implementation standpoint, Healthcare.gov was a \nclassic IT project failure that happens in the Federal \nGovernment too frequently. As the executive leadership at the \nFederal Departments and agencies, the President's political \nappointees are at the top of the management chain for Federal \nemployees and contractors. In looking for the cause of this \nfailure, some point to the lack of testing. Others, including \nthe President, cite the challenges of the IT procurement \nprocess. And still others note the complexity of the program \nand the interfaces with private insurance company systems.\n    However, the cause of this failure was not the complexity \nof the program nor the procurement process nor the testing. The \nfunctionality and the shortcomings of Healthcare.gov are a \nresult of bad management decisions made by policy officials \nwithin the Administration. They did this to themselves. And if \nthey are now surprised, it is because their own policy \nofficials failed to inform them of the decisions they have made \nand the consequences associated with those decisions.\n    As soon as this legislation was passed, there were policy \ndecisions which needed to be made. These policy decisions would \ndrive the technical design of healthcare.gov IT systems. They \nfundamentally determined the workflow and business processes \ndriving how the law would be implemented.\n    I have been on both sides of policy implementation, as a \ncareer civil servant and as a political appointee. The problems \nwith Healthcare.gov are symptomatic of a recurring problem. \nPassing a law or issuing a policy is not enough. If there is a \nnew law, management reform or policy initiative you want to \naccomplish, then you as a policy official need to be engaged \nduring the implementation to assure there is an appropriate, \nintegrated project team in place to manage the day to day \noperations.\n    All levels of the organization need to be willing to get \ninto the weeds to understand these intricate aspects of \nmanagement and implementation. Because the devil is in the \ndetails. Someone can change a seemingly innocuous requirement \nin a meeting and cause a huge impact on schedule, cost or \nfunctionality. IT projects are particularly good at \nhighlighting management failings, because they require \ncoordination between the many different parts of an \norganization. If the agency's CIO is not actively at the \nmanagement table, participating in those decision, and more \nimportantly, explaining the ramifications of the policy \ndecisions they are making, the projects get off track and \nultimately fail.\n    The chief information officer is the person in the C suite \nwho has the capacity to translate technology issues into \nbusiness-speak for other business leaders. When a technical \nimplementation specification hinges on a policy decision, the \ntechnical team depends upon the CIO to elevate the question to \nthe appropriate decision maker. Because the CIO can speak to \nsenior executive in terms that are relevant to them and can \nstate potential consequence in terms of political and policy \nvalues, the CIO is in a unique position to ensure that policy \nofficials do not regard those decisions as staff level \nfunctions. And if these potential consequences are significant, \nthen departmental and White House officials may need to be \nbriefed by the CIOs.\n    In the wake of the Healthcare.gov implementation failure, \nsome analysts have asserted that the private sector could have \ndone this better, thereby implying that there are some \nconditions inherent in Federal IT which impede success and \nimpair Federal CIOs. It is certainly true that Federal CIOs are \nburdened by deliberative restraints placed upon them by \nCongress and OMB. But Federal CIOs also enjoy freedom from \ncompetition and the whims of the market.\n    Overall, Federal CIOs and commercial CIOs are more similar \nthan different. We all have the same job description: to be the \ntechnical, savvy member of the executive team, to provide value \nthrough innovation, to manage data as a strategic asset, and to \nlead a large team of technologists and inspire them to achieve \ngreatness. Whether a CIO is at a large or small organization, \nbureau level or department, public sector or private, the scale \nmay differ, but the management challenges are the same.\n    I have included in my written statement some key questions \nwhich every CIO should be asking; but more importantly, the CIO \nshould be able to answer these questions for their leadership \nin clear business terms. Thank you for the opportunity to \ntestify today, and I look forward to answering any questions.\n    [Prepared statement of Ms. Evans follows:]\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n    Chairman Issa. Thank you.\n    Mr. Spires?\n\n                 STATEMENT OF RICHARD A. SPIRES\n\n    Mr. Spires. Chairman Issa, Ranking Member Cummings and \nmembers of the Committee, thank you for the opportunity to \ntestify on issues with Healthcare.gov and more generally on IT \nmanagement issues in the Federal Government.\n    With more than 30 years of experience working on delivery \nof large IT programs, I speak from real world experience \nregarding what is required to successfully deliver such \nprograms. I served in the past two Administrations and saw \nsimilar IT management issues in both. So my remarks focus on \nhighlighting systemic weaknesses in our ability to effectively \nmanage IT, along with some recommended solutions.\n    My written testimony outlines five key elements required to \neffectively deliver an IT program. In regard to the rollout of \nHealthcare.gov, my information was obtained from previous \nCongressional hearings and media articles. It is clear that \nthere were fundamental weaknesses in the program management \nprocesses. For a system as complex as Healthcare.gov, best \npractice would have led to a plan that included completion and \ntesting of all subsystems six months prior to public launch, \nthree months of end to end functional integration testing, and \na subsequent three month pilot phase in which selected groups \nof users identified problems not caught in testing.\n    It was reported that the program did not start and end \nfunctional testing until two weeks prior to launch and there \nwas no formal pilot program prior to roll-out. This is evidence \nof a lack of mature program management processes. Second, there \nwas a lack of program governance model that recognizes the \nproper roles and authorities of the important stakeholders, to \ninclude the business, IT, procurement, privacy, et cetera. For \nIT programs, the business organization or mission organization \nmust be intimately involved in helping define requirements, \nmaking hard functionality trade-offs and being a champion for \nthe program. The IT organization must ensure there is a capable \nprogram management office using management best practices to \ndeliver large IT programs.\n    Evidence of launch of Healthcare.gov shows the balance \nbetween the business and IT organizations was not correct. For \nexample, changes were being finalized up to a few weeks before \nlaunch. This is much too late. Requirements should have been \nlocked down months before. The business organization had the \nability to make changes that led to bad management practice.\n    The issues of the rollout of Healthcare.gov are emblematic \nof the IT management challenges in the Federal Government, yet \nimproving our ability to effectively manage our IT is critical. \nOur government, if it more effectively manages IT, can harness \nits transformational capability, significantly improving \ngovernment's effectiveness and efficiency. I recommend that \nthree actions be taken to improve Federal Government IT.\n    First, it is important that Congress pass legislation to \nupdate how this government manages IT. I appreciate the \nleadership of Chairman Issa and Representative Connolly in co-\nsponsoring the FITAR legislation. While legislation alone will \nnot fix all the issue with IT management, it will elevate the \nstanding of agency CIOs and put in place mechanisms for \ndevelopment of centers of excellence to leverage best practices \nand program management and acquisition across the Federal \nGovernment. These changes could have helped to address the \ncritical failings of the program management of Helathcare.gov.\n    Second, agency CIOs need to have control over \nimplementation, operations and the budget of all commodity in \ntheir agency, which includes the data centers, cloud services, \nservers, networks, standard collaboration tools like email as \nwell as back office administrative systems.\n    A couple of years ago, I was fortunate to be in a session \nthat included a number of CIOs for Fortune 50 companies. In the \ncourse of discussion, it became clear that one of the clear \nelements in effectively leveraging IT for an enterprise is a \nmodernization standardization and appropriate consolidation of \nthe underlying IT infrastructure.\n    I urge that Congress address this recommendation through \nthe IT reform legislation and the Administration to address \nthis recommendation through the portfolio stat process.\n    Third, the current Administration should make IT management \na centerpiece of its overall management reform agenda. This \nentails the recognition and focus at the most senior levels of \ngovernment of the importance of IT and improving IT management. \nIt includes a serious commitment to improving program \nmanagement practices, elevating the status of agency CIOs and \nensuring the agency CIOs own the commodity IT.\n    I hope the troubled launch of Healthcare.gov can serve as a \ncatalyst to drive positive change in the way we manage IT. The \nbest practices exist and are proven. We need leadership in \nCongress to pass reform legislation and leadership in the \nAdministration to recognize the importance of IT management.\n    Thank you.\n    [Prepared statement of Mr. Spires follows:]\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n    Chairman Issa. Thank you both.\n    First of all, I would ask unanimous consent that the \narticle entitled The Healthcare.gov Rollout: What Should We \nLearn?, which Mr. Spires authored on November 4th, 2013, be \nplaced into the record. Without objection, so ordered.\n    Chairman Issa. I am going to start with you, Mr. Spires. \nYou heard the first panel. From your experience, and I will go \nto Ms. Evans also, did I have the right people for the most \npart here, leaving GAO out for a moment, to ask who is \nresponsible, why was this thing launched practically non-\nworking, completely, only six successful registrations the \nfirst day? Did I have the right people?\n    Or did I have the wrong people and that is why they all \nsaid it wasn't their job?\n    Mr. Spires. You had the right technical people at the \ntable. I believe in a balanced program where you have \ntechnology leaders as well as the business leaders working \ntogether.\n    Chairman Issa. But somebody at that table should have been \nable to tell us basically who should have stopped this program \nor recognized that it was going to fail to launch?\n    Mr. Spires. Somebody at that table I think should have been \nable to tell you that.\n    Chairman Issa. Ms. Evans, in your time at OMB, I think more \nthan anything else, is it your experience that the Office of \nManagement and Budget ultimately, the OMB director, who gets to \nmeet with the President, who gets to say that key pieces of \nlegislation, key implementations are or are not going \ncorrectly? Has that been your experience?\n    Ms. Evans. And I will speak from my experience, and that is \ntrue. And so we viewed, during my tenure, that OMB had \noversight into the Executive Branch of ensuring that the \nPresident's priorities got implemented.\n    Chairman Issa. I am going to ask you from one personal \nexperience. Have you been in the Oval, other than ceremonially, \nhave you been the Oval for a meeting?\n    Ms. Evans. Not exactly in the Oval Office, but they have \nstaff offices outside.\n    Chairman Issa. But you were in that area?\n    Ms. Evans. Yes.\n    Chairman Issa. So you were there, I assume, with the \nDirector or somebody on some important briefing that was going \non?\n    Ms. Evans. Yes.\n    Chairman Issa. And that is a regular part of White House \nlife?\n    Ms. Evans. If you are working on priorities that are \nimportant to the Administration, yes. And one would assume that \nif you are a staff person in the White House, all of us are \nworking on priorities that are important to the President. Not \ngoing to meetings at that level are not necessarily a daily \noccurrence of the job.\n    Chairman Issa. I realize that is a rare one. But we can all \nagree, I believe, I think the ranking member would join with \nme, that the signature piece of legislation of the President is \nthe Affordable Care Act. Can you figure out for me or help me \nunderstand how people could serve the President so poorly that \nit appears he was never told that this was going to be a \ndisastrous launch?\n    Ms. Evans. In my analysis from the public record, as well \nas watching the testimony that happened prior, I believe that \nif I were in that position that I would have elevated things \nthrough, because that is the President's key legislation, it is \nhis number one priority. And so that is what the Chief \nInformation Officer is supposed to do. They are supposed to \nanalyze, as I said in my testimony, analyze what potential \ndecisions are being made and what is that impact on the \nPresident's priorities to get done, from a political \nperspective, from a communications perspective, from an \noversight perspective of what the impact would be and how you \nwould have to do a Congressional notification if you were \nchanging things.\n    That is what a CIO is supposed to do. That would have been \nelevated up so that the OMB director would have known what the \nimpact was happening, so that the director could then talk to \nthe President about potential opportunities.\n    Chairman Issa. Now, Mr. VanRoekel was your successor, is \nthat correct?\n    Ms. Evans. Yes.\n    Chairman Issa. And yet he said that he was only the \nfacilitator of these meetings. Did you do a lot of facilitation \nwhen you had his job?\n    Ms. Evans. I would call it facilitation. I don't know that \nthe agencies that I was supposed to provide leadership and \noversight to would necessarily call it facilitation. I would \nlike to think that that is the nice way that we did it.\n    Chairman Issa. You invited people to bring in groups?\n    Ms. Evans. Yes.\n    Chairman Issa. You brought them to the White House or \naccompanying facilities?\n    Ms. Evans. Yes.\n    Chairman Issa. And at those meetings, you either were there \npersonally or at least you introduced the meeting and monitored \nwhether it was going the direction that you and your bosses \nwanted it to go?\n    Ms. Evans. I can speak to my own management style, which is \na very hands-on approach. Because I really personally view that \nif it is my boss's priority, number one priority to get \nsomething done, then it is my job to make sure that the \nleadership up the chain to him are fully informed of decisions \nthat are being made.\n    So I am a little hands-on as a manager. I came up through \nthe ranks, through operations. So I have a tendency to do that.\n    Chairman Issa. But you are not a micromanager?\n    Ms. Evans. I would like to think I am not. But if it is \nsomething that is that important, I personally, especially for \nthings that are important to the Administration at the time \nduring my tenure, I would personally make sure that I knew the \nstatus of what was going on on those projects.\n    Chairman Issa. Mr. Spires, I am not leaving you out \ncompletely. But I will ask both of you, in 184 weeks from the \npassage of the Affordable Care Act, until the failure to \nlaunch, can you conceive that any one, leaving GAO out, on that \nfirst panel, should not have seen that there were problems and \nhad taken at least an active role in addressing those problems?\n    Mr. Spires. Proper governance is critical on programs like \nthis. Because there are a lot of stakeholders involved. And you \nneed to have good information and you need to do it on a very \nregular basis to make sure that these programs are going well. \nIndividuals at this panel, other than Mr. Powner, certainly I \nthink should have been in that chain of receiving that \ninformation, reviewing that, being part of reviews as part of a \ngood governance model. That clearly did not exist.\n    Chairman Issa. And Ms. Evans, I will modify that as my \nclose. Not only shouldn't they have, but can you give us a \nlittle bit of a feel for what life would have been like if \nPresident Bush, who you worked for, had gotten blindsided by a \nfailure of one of his hallmark pieces of legislation, Medicare \nPart D, No Child Left Behind or something of a similar level?\n    Ms. Evans. I was involved in Medicare Part D, just so that \nyou know. And we could talk about that as well. If something \nlike this happened during my tenure, I can only speak for what \nI would do. I would have offered my resignation before I got \nfired.\n    Chairman Issa. With that, I recognize the ranking member. \nAnd you never got fired, I want to make that clear.\n    Ms. Evans. No. I did not get fired. I did the job for six \nyears. But in this particular case, if my President had to go \non TV and say some of the things that this current President \nhas had to do in an area of my responsibility, I would have \noffered my resignation.\n    Chairman Issa. Thank you.\n    Mr. Cummings. What was your responsibility with regard to \nMedicare Part D?\n    Ms. Evans. When the rollout came out, there were some \nspecific issues related to information technology. I would say \nit is the same type of thing that is happening right now. An \nanalysis had to be done about, could you actually fix it \nthrough information technology, what were the issues. And it \nreally was a timing issue with the legislation, which is the \nreason why I am making the point about when you pass a law, you \nhave to know.\n    So the way that that legislation was crafted, if a user \nsigned up for the benefit at 11:59 p.m. on the 30th of the \nmonth or the 31st of the month, then they were eligible at \n12:01 a.m. the next month for that benefit. There is no IT \nsystem the way that these systems work that you could get all \nthat information populated through the system so you had to \nreally analyze what was the work process and how the IT worked.\n    So what we did was we provided options to the policy \ncouncils to say, if there really are additional funds \navailable, what happened was they had, similar to what the \nnavigators are now, people to help sign up, and if you signed \nup people before the 15th of the month, then those people \nactually got paid within 30 days, the ones that were helping \nsign people up. If you signed up after the 15th of the month, \nthen the people that were helping do this actually would get \npaid 45 to 60 days later.\n    So the idea was, okay, if the technology solutions can \nonly, there is a big badge process that happens the 15th of the \nmonth, you provide the incentives up front, get everybody into \nthe system between the 1st and the 15th, get them signed up so \nthat all their data shows up in the IT systems by the next \nmonth so that they are eligible.\n    Mr. Cummings. But let me ask you this, were there IT \nproblems back then?\n    Ms. Evans. There are always IT problems. But what you have \nto do is analyze it from a business perspective and provide \nalternatives to the policy leadership so that they can make \ninformed policy decisions of how they are going to handle it.\n    Mr. Cummings. Yes, because I specifically remember working \nwith my constituents because they were having all kinds of \nproblems.\n    Ms. Evans. Absolutely.\n    Mr. Cummings. Let me ask you both this. If you have a \nsituation here where for example, in the governors, more than \nhalf the governors decide not, for example, to do their own \nmarketplace, would that have affected you in any way or should \nthat have affected this project? I am just curious. From an IT \nstandpoint.\n    Mr. Spires. Well, sure it would, sir. From a volume \nstandpoint, from the scope and scale of what you would need to \ncreate.\n    Mr. Cummings. Would it make it a little harder?\n    Mr. Spires. Yes.\n    Mr. Cummings. A little more complicated?\n    Mr. Spires. A little more complicated, yes, sir.\n    Mr. Cummings. And so Mr. Spires, someone had suggested that \none of the problems with the development of the Affordable Care \nwebsite is that there was no single contractor overseeing the \nwork of all the other contractors, that there was no lead \nsystem integrator. However, experience in the past \nAdministrations with using contractors used to oversee other \ncontractors has often resulted in failed programs and millions \nof wasted tax dollars, is that right?\n    Mr. Spires. That is correct, and I have a close history \nwith this at the IRS, if you would like me to comment on the \ntopic.\n    Mr. Cummings. Yes.\n    Mr. Spires. When I came in in 2004 to run the business \nsystems modernization program at the IRS, and it got moved to \nthat outsourced kind of program management office where a \ncontractor was serving as that systems integrator. And it was \nnot working well. I am a huge believer that the government \nneeds to stand up to build a strong program management office \nfor these large scale, complex IT programs. You have to have \nsolid, experienced government people in charge and running \nthese programs.\n    It doesn't mean you can't have contractor support. But I \nhave found if you don't do that, the dynamics don't work. There \nare so many stakeholders involved that are government people \nyou have to work with who are not part of the program, and in \norder to make that work effectively, you need to have strong \ngovernment people on the ground that are running this program \nday in and day out.\n    Mr. Cummings. So I didn't see it in IT but I saw it when I \nwas chairman of the Coast Guard Subcommittee, with Deepwater, \nwhere we were literally buying boats that didn't float.\n    Mr. Spires. Yes.\n    Mr. Cummings. Literally. Some of them are sitting near my \ndistrict right now.\n    And the contractor, the lead systems integrator, didn't \nhave that intertwined situation that you just talked about \nwhere the government people were doing their piece. And it just \ndoesn't work.\n    I see my time is expired. Thank you.\n    Chairman Issa. I thank the gentleman.\n    Mr. DeSantis?\n    Mr. DeSantis. Thank you, Mr. Chairman. Thanks to the \nwitnesses.\n    Mr. Henry Chao, he told the committee when they interviewed \nhim that he had not ever rolled out a program that had complete \nsystems-wide end-to-end testing. I just wanted to get your take \non that, to not have system-wide end-to-end testing. Is that a \ngood practice?\n    Mr. Spires. That is poor practice at best. I may make \nanother comment about this, if I could. I was, as far as what I \nknow, right around the timing, the testing clearly was not \nadequate to put this system into production. My experience has \nalways been, and I have had to live this, where we have made \nthese hard calls. It is better to delay, and it is better to \ndelay for two reasons. One, you only get that one chance to \nmake that first impression with a system. We clearly didn't do \nit well here, did well, with the rollout of Healthcare.gov.\n    But two, and even more importantly than that, once you put \nthe system in production, you have to operate it and maintain \nit, deal with all the customer issues and all that. That in and \nof itself is a very large amount of work that takes energy from \nthe team, rather than the team really getting to the point of \nfixing the system to the point where it is running well, then \nputting it into production.\n    And I know for whatever reason this October 1st date was \nviewed as immovable. But I think that was a very big mistake \nmade on the rollout of Healthcare.gov.\n    Mr. DeSantis. I appreciate that. I was looking through some \nof the materials. In late September there was a memo that said \nthat the ongoing development had posed a level of uncertainty \nthat can be deemed as a high risk security threat. So when you \nsee that, it seems to me that would be a big red light that \nthis is not ready to go forward. Would you concur with that?\n    Ms. Evans. Based on my experience, yes, sir, I would. That \nwould be a risk that you would have to evaluate the October 1st \ndeadline against, what kind of operating risk is there and can \nyou mitigate that risk. It would have to be fully explained to \nthe leadership involved, in this case the CMS director and \nprobably farther up, about what could happen if we went forward \nwith the implementation and we haven't fully tested all of \nthese things.\n    Mr. DeSantis. It is frustrating, because so much of this \nlaw, and we see it in the implementation, was based on \nrepresentations to the American people that have now turned out \nnot to be true, for example, if you like your plan you can keep \nit, if you like your doctor you can keep it, it will reduce the \nbudget deficit, it will cover everybody. The most recent \nestimate is 10 years from now, you are still going to have 31 \nmillion people with no coverage. So this bill doesn't even do \nthat.\n    As I was looking through some of the testimony, some of \nthese regs that the people needed in order to start \nimplementing it were delayed on purpose, on political decision \nto get through the 2012 election. So these folks were in a \nsituation where they had to kind of create this website, but \nthey actually weren't giving as much time as they could have \nhad the Administration been forthright about some of these \nthings. But there was a desire to move this beyond the 2012 \nelection, so that the American people would not be able to \nfully evaluate the program.\n    So what I have seen here today is that there was a decision \nby the Administration, a knowing decision, to launch a website \nthat did not work and indeed, was not adequately tested for \nsecurity. I think this is problematic just generally, no matter \nwhat you are doing from a government IT perspective. But this \nwebsite is unique, because individual Americans, and we have \nmillions of people now who are seeing their insurance plans \ncanceled because of this law, it is not like that website is \njust out there for them. They are forced to get, under penalty \nof law, health coverage through that website if they are one of \nthe unfortunate folks who are seeing their plans canceled.\n    So we are in a situation where the government is going to \ntax them unless they procure insurance off this website that is \nnot fully functioning and that has questions about its \nsecurity. So it is very, very discouraging. I have a lot of \nconstituents who are upset about this.\n    So I just appreciate you guys coming. I think this is, in \nterms of a case study on how not to do something, I think \npeople will look back on this. But I think one of the things \nwas, there were political imperatives here and the politics \ntrumped what would work and what would be best for the American \npeople. I think that is unfortunate. I yield back the balance \nof my time.\n    Chairman Issa. I thank the gentleman.\n    I would like to ask just a couple more questions, seeing no \none else here. Both of you served the previous Administration. \nDid they ever tell you what the cost of not launching one of \nyour projects was? In the private sector, it is like, we are \ngoing to have X amount of revenue every month, and if we don't \nlaunch Windows XP, then we lose that much revenue? Did you ever \nhave those discussions as part of your daily work?\n    Mr. Spires. We would, sir. The IRS had discussions about \nit.\n    Chairman Issa. For example, the new audit thing.\n    Mr. Spires. Yes. There were business models that were built \nfor systems that would show the kind of return. And of course, \nat the IRS, you could actually measure it many times in \ndollars. So yes, we did have those kinds of discussions.\n    Chairman Issa. How about you, Ms. Evans?\n    Ms. Evans. We would have those discussions across the board \non each and every agency's performance. So when agencies turned \nin a business case to justify the investment, they also put in \nthere the return or the cost benefit analysis. So if you delay \nthe launch date, then it affects your ability to start getting \nsome of the benefits. Because the benefits in the government, \nwhen you measure them, is a little bit different than the \nbottom line in private industry. So it is benefits to the \ntaxpayer for the services that could be delayed with a delayed \nlaunch.\n    Chairman Issa. In this case, that doesn't happen to be \ntrue. This is like a private business, and I will show you \nhere. I wish Mr. VanRoekel was still here. The estimate from \nCBO at the time of, well, they keep changing it, but in \nFebruary of this year, the estimate was that penalties from \nuninsured individuals were going to total $52 billion over a \ndecade, half a billion dollars a year. Although that number \nkeeps shrinking of what they think they are going to get, \nsimilarly the penalties from employers, $150 billion over 10 \nyears, more or less $100 million a month.\n    So here is this website, and Mr. Cummings and I have heard \nthe figure $600 million enough times that it echoes in our \nsleep. But the delay of ObamaCare from a standpoint of revenue, \nwhen the President had to delay the employer mandate, he was \nlosing $100 million a month of revenue. If he had had to delay \nthe no I am sorry, I got my figure wrong. I will have to be \ncareful on that part. Forty-five billion over 10 years is $4.5 \nbillion a year. So it is about $250 million, well, the back in \nFebruary it was $300 million a month would have been lost if he \ndelayed the penalties on the uninsured individuals. But he had \nalready delayed something that was three times larger.\n    So the reason I am asking this s, Ms. Evans, if you were \nback at OMB and somebody had told you in timely fashion, we are \nin trouble on this website, and we need to delay this thing \nbecause our projections two months or three months out, it is \nnot going to be ready, and you were looking at having to go to \nthe President and say, we would like you to delay something \nthat will delay revenue by $300 million a month, wouldn't you \nhave had a normal business decision of, well, can't we spent \n$300 million more if that is what it takes to get this thing \ndone on time?\n    In a sense, again, I go back to what I said before Mr. \nCummings was there, the President was so poorly served in that \nI assume, and Mr. Spires, your experience particularly would be \nhelpful here, I assume that if six months earlier you said, in \norder to not lose $300 million a month of revenue, calculated \nrevenue, we need to put more money into this, we wouldn't be \ntalking half a billion or a billion or $2 billion. We would be \ntalking incrementally a relatively small amount of money to do \na project necessary to get this thing locked in and tested in a \ntimely fashion, wouldn't we?\n    Mr. Spires. If I could comment. I would even say this, I am \nnot sure this was about money. I am not sure we would have had \nto add more people to this.\n    Chairman Issa. I don't think we would have. I just wanted \nto make the point that there was plenty of money at stake.\n    Mr. Spires. Well, there might have been. But I go back to \nthe point of the program management disciplines. Now, to that \nend, once you get close, once you are six months in, it is \nvery, very hard to then change. You are not going to pick up a \nlot of time.\n    But if this had been done correctly on the program \nmanagement side, I suspect that the money was there. I don't \nthink that was a constraint on this particular program.\n    Chairman Issa. Ms. Evans?\n    Ms. Evans. Given the scenario that you just outlined, the \nway that this would be presented during my tenure, the way we \nwould present it is, these are tradeoffs, policy decisions that \nneed to have tradeoffs. So you would analyze, this is the \nincome that was going to come in, this is the method that we \nthought we were going to be able to do. But given where it is, \nhere are the alternatives, and then here are the tradeoffs, so \nthat you can either realize a portion of that or we can then \nrecover it and then some if we go with this.\n    So alternatives would have vetted through the policy \nprocess so that people could have looked at that and then said, \nokay, well, we can't put so many people on it, there is a point \nof diminishing return. There is only so many dollars and so \nmany people that you can throw at an IT project in order to fix \nit.\n    So then you would have alternatives in order to realize \nthat income, so that you could move forward to reduce the \ndeficit. That is part of the analysis that the Office of \nManagement and Budget would lend to the policy process so that \nthe decisions could be made by the appropriate policy \nofficials.\n    Chairman Issa. Let me just close with a question. If we \nwent back three and a half years and upon the passage the \nregulations necessary to determine some of the specifics this \noffer would have to deal with had been done in a timely \nfashion, six months or so, then presented to industry and \nstakeholders and going through a process of, if you will, \nanalyzing it from a standpoint of needs of those who would use \nit, then taking the outcome of that, producing a standard, a \nyear, year and a half into this process, delivering that to the \ncontractor and then monitoring the process of a fixed and final \nset of regulations relative to this new website and its work, \nis there any doubt in your mind that three and a half years was \nin any way, shape or form not enough time to start with the \npassage of the Affordable Care Act three and a half years ago \nand reach a well-tested, well-engineered, from a security, \nspeed, scalability on the launch date of October 1st?\n    In other words, was there anything inherently wrong with \npicking October 1st that good practices over three and a half \nyear wouldn't have taken care of?\n    Mr. Spires. I think with where they are at, it is a little \nhard to know how long it will take for this to really \nstabilize. But it will stabilize. So if you look at it from \nthat perspective, sir, I am pretty sure that if this had been \nwell-managed, and to your point, include the regulation process \nof that, that this site could have been delivered and \nappropriate on October 1st and could have been well running on \nthat date.\n    Ms. Evans. I would look at it, and I always look at things \nfrom my tenure at OMB.\n    Chairman Issa. It was a long tenure.\n    Ms. Evans. It was a long tenure. And also from an \noperational perspective coming up. But I would have looked at \nthe law to understand what were we really required to do by \nwhat time period. And really scoped the project to a point \nwhere it was very clear and understood what was going to be \ndelivered.\n    I think one of the major issues that you have here with the \nrequirements that happen on every IT project is that they are \nscope creeped. So as people start working through it, they add \non another requirement and they add on another requirement. So \nthe parameters have to be drawn on something that is this \ncomplex, so that everyone would have a clear understanding of \nwhat is really going to launch on October 1st, if that is the \nPresident's due date. And then stick to that and everything \nelse becomes an add-on and a module. That is best business \npractice. And if it is critical, that you have to have it, then \nit has to be voted on through the good governance process \nthrough a business process.\n    That is the part that is still a little unclear in this \noverall process of what really was the scope, and what was \nexpected to be delivered on October 1st.\n    Chairman Issa. Thank you. That is what we are going to \ncontinue working on, regardless of the actual Affordable Care \nAct, the question of what went wrong and how do we prevent it \nin the future.\n    Mr. Cummings?\n    Mr. Cummings. Thank you very much.\n    Ms. Evans, I was listening to you very carefully. You said \nthat if you were in this situation where your boss had to go \nbefore the American people and do what President Obama did, and \nI am not trying to put words in your mouth, you said you \nprobably would resign. Is that right?\n    Ms. Evans. Yes.\n    Mr. Cummings. There are two parts to this. One part is what \nhappened in the past. The other part is where we go in the \nfuture. I think it is very important that we learn from the \npast. I believe that it can tell us a lot about mistakes we \nmade, so that we don't fall into those ditches again.\n    This is where I want to go. I say to my staff, there are \ntwo things that I am most concerned about, effectiveness and \nefficiency. I tell them we have a limited amount of time on \nthis earth, we have a limited amount of time to be in the \npositions that we are in, that it is our watch and we must do \nwhat we have to do for the American people in an effective and \nefficient way.\n    I guess my question is, suppose you are President Bush, say \nif he was in these circumstances. And he said, Evans, don't \nquit. Fix it. What would you do? And do you believe it could be \nfixed in a reasonable amount of time? If at all? So you didn't \nquit.\n    Ms. Evans. I didn't quit.\n    Mr. Cummings. We wouldn't let you quit.\n    Ms. Evans. You wouldn't let me quit because I had to fix my \nmistake. So at this point I would be down in the daily \noperations, I would have done an assessment to see what exactly \ncould be fixed and then again, back to the scoping issue of \nwhat the President actually said would be available and what is \nnow required. Now, you have additional circumstances on here \nwith the insurance companies canceling policies, and you have \nthis gap now here people actually have to be able to sign up \nfor services. So that would be analyzed, and I would say, okay, \nhere is where we are with the IT project, we need to put other \nkinds of compensating controls in place in order to be able to \ndeal with the American public's need to be able to sign up for \ninsurance.\n    And that would be then elevated through the policy chain. \nSo things like going directly to insurance providers, putting \nup, as Chairman Issa said, the whole list of what plans are \navailable so that people could at least see the information and \nnot necessarily sign up, all those alternatives would be laid \nout. And they would be viewed from a communications \nperspective, from a policy perspective and from a political \nperspective to ensure that you could put the best service \nforward to meet that immediate need of that gap between the \nDecember 15th and the January 1st deadline. Because that is the \nbig critical piece that you are trying to get to right now.\n    And how do you fix that and how do you meet that need for \nthe American people.\n    Mr. Cummings. Mr. Spires, did you have a response to my \nsame question?\n    Mr. Spires. Well, let me add on.\n    Mr. Cummings. Yes, do you have something to add onto what \nshe said?\n    Mr. Spires. Let me just add that I applaud, and I want to \nthank the team that is working on this. We talked about Mr. \nPark and what he is doing, but my goodness, the whole team has \nto be working around the clock.\n    Mr. Cummings. Are you familiar with the team, other than \nMr. Park?\n    Mr. Spires. No.\n    Mr. Cummings. Are you familiar with Mr. Park?\n    Mr. Spires. Yes.\n    Mr. Cummings. And what is your opinion of him and his \ncompetence?\n    Mr. Spires. He is a very talented technologist, extremely \ntalented.\n    Mr. Cummings. They tell me he is one of the best in the \nworld.\n    Mr. Spires. I think that is probably a fair assessment, \nsir.\n    Mr. Cummings. All right.\n    Mr. Spires. Let me add a couple things, though, about the \nend of November. I would like it to work, too. This is all, for \nme, about helping government make IT more effective. But this \nend of November, there are two concerns I have. One is, it is \njust very difficult when you are in this, when you do \nintegration testing, and that is essentially what we are still \ndoing, even though the system is alive, for a while you tend to \nfind defects actually increase as you do more testing. And even \nas you work things off and fix things, you even get more. So I \nam worried about that.\n    The other thing I am worried about, frankly, is when you do \nthis integration testing, a lot of times you will uncover some \nsignificant architectural issues. You may not, but sometimes \nyou do when you integrate these subsystems. You know where \nthose architectural issues show themselves are in performance \nissues.\n    So I am concerned that we are seeing, when they open it up \nand it doesn't perform well from a scalability standpoint, and \nhandling the volume, that is an indication of some potentially \nunderlying technical issues from an architecture perspective. \nThose things may take longer to fix.\n    This is just my experience in working these kinds of \nproblems in the past. So when they say they are going to have \nit fixed by November, for the vast majority of users, I hope \nthat is the case. I just have concerns that that may not turn \nout to be the case.\n    Mr. Cummings. I think that Mr. Park answered that question \nseveral times.\n    Mr. Spires. Yes.\n    Mr. Cummings. And he talked about, and I think it is \nprobably because of the things that you just talked about, he \nsaid that, I can almost repeat it, he said it so many times, \nthat they have a goal and they are going to try to attain that \ngoal.\n    Mr. Spires. Yes, absolutely.\n    Mr. Cummings. But you said something a few minute ago, you \nsaid that, and I am going to put words in your mouth, you said \nsomething to the effect that eventually they will get it \ntogether.\n    Mr. Spires. Yes, they will.\n    Mr. Cummings. And my last comment is this. I guess as the \nson of two former sharecroppers sitting in the Congress after \none generation, and a father who only had a second grade \neducation, my father believed in a can-do attitude. Can-do. \nThat is what this Country is all about.\n    I guess when I hear all the naysayers, I am so glad to hear \nyou say that you believe that it will be worked out. You don't \nknow when, I understand that. But some kind of way, we have to \nmove to that can-do. This is the United States of America. I \nthink it would be an embarrassment if we can't get this done. \nWould you agree, as IT people?\n    Ms. Evans. Absolutely. We are the Nation that innovates and \ncreates technology. So it will get fixed. This is really a \ncommunications issue and an expectation of what are the \nservices that are actually going to be there. We have the \ntechnology to fix it, and you have some of the smartest people, \nI am sure, working on it right now. Technology is not a \npartisan issue. What really needs to be debated overall is some \nof the other issues that you brought out in what you are \ntalking about, is the policy issues. That is where the \nPresident should be debating with you, Congress, on policy \nissues. Technology should be implemented to support that.\n    Mr. Spires. I think it is also important to say that the \nway we manage our IT programs in government needs to improve. \nThat is a non-partisan view. I saw it in the last \nAdministration and I see it in this Administration.\n    Ms. Evans. I agree.\n    Mr. Spires. We need to fix that.\n    Mr. Cummings. Thank you both. Your testimony has been \nextremely helpful. Thank you.\n    Mr. Meadows. [Presiding] I thank the ranking member for his \ncomments. I thank each of you for coming today to testify.\n    I do want to follow up a little bit with this additional \ntesting. As we start to go in, and having been someone who was \nin the private sector, who has worked a number of times with \nsystems, just when you think you have the problem fixed, you \nfind ten more.\n    So with best practices, do you not think it is best \npractice to take down the site while we work through these \ntechnical glitches and, more importantly, through some of the \nsecurity concerns which are a bigger problem for me than \nwhether we can get on and log on, it is once you have done \nthat, would that not be the best practice, to take it down?\n    Mr. Spires. Yes. Let me caveat it by saying, this is a non-\npolitical statement I am making. Just from a best practices \nperspective, if I was running that program and no other \nconsiderations, I would immediately take the site down. I would \nhave the team focus on working through the issues. I would do \nreal stress testing on the system and then I would bring the \nsite back up when it was ready. That is what I would do from a \nbest practice perspective.\n    Mr. Meadows. Without all the politics of it.\n    Mr. Spires. Without any of that.\n    Mr. Meadows. But from a best practices standpoint?\n    Mr. Spires. Yes, because it could get the team focused on \nfixing the system and not operating the system right now.\n    Mr. Meadows. Ms. Evans, I want to go to some of your \ntestimony. Let me quote here, because I want to understand what \nyou said. You said, ``The functionality and shortcomings of \nHealthcare.gov are a result of bad management decisions made by \npolicy officials within the Administration.'' They did this \n``to themselves. And if they are now surprised, is it because \ntheir own policy officials failed to inform them of the \ndecisions and the consequences associated with those \ndecisions.'' We asked that in the earlier panel. And we really \ndidn't get a response. But in light of your testimony, what did \nyou mean by that?\n    Ms. Evans. For example, a decision that was made to remove \nthe browsing function. When you make that decision, and what \ncame out in the previous panel was that was actually made by \nthe project manager, based on a technical result of testing.\n    So by that type of decision and rolling that up, there is \npolicy implications associated with that. So the policy \nofficials said, okay, it is okay. So if you take a sequence of \nevents that are programmed into a system that are supposed to \ngo one, two, three, four, five, and you take out number two, \nand now you expect one, three, four and five to work really \nwell and two is not there anymore? That was a policy decision \nto go forward with a site, with a major piece of functionality \npulled out and not tested. That is why I made the statement \nabout, and now you are surprised that it is not working.\n    Mr. Meadows. So they shouldn't be surprised?\n    Ms. Evans. They should not be surprised. If the sequence is \none, two, three, four, five, and you take two out, and you \nhaven't tested the impact of when two is out, you should not be \nsurprised it doesn't work.\n    Mr. Meadows. So let me ask you this, then. Who should have \ninformed the White House or what policy official should have \ndone that in this overall Healthcare.gov? Who is the go-to \nperson? That is what we have been trying to figure out. Who is \nthe go-to person that said, golly, we pulled it out, but it is \nnot working.\n    Ms. Evans. In the rest of my testimony, and this is not a \npartisan statement either, this is my belief of what the role \nof a chief information officer is supposed to do. In my view, \nwhat would happen is that would have come up from CMS. So it \nwas made as a technical decision. And the chief information \nofficer at a department level is supposed to analyze what that \nimpact is on the portfolio overall, on behalf of the Secretary. \nWhat is that going to mean from both a policy, political, \ncommunications, technology, all of that. And then elevate that \nissue.\n    So I really believe that the chief information officer is \nthe one who is supposed to be the nexus, the tech-savvy person \non that staff, to analyze those implications as it relates to \nbusiness and policy.\n    Mr. Meadows. I know we have a lot of CIOs. Who specifically \nwould that have been? What is the name?\n    Ms. Evans. Well, in this particular case, if everything \nworked the way it is supposed to, it would have been the chief \ninformation officer at HHS.\n    Mr. Meadows. Which is who?\n    Mr. Spires. Mr. Baitman.\n    Ms. Evans. Mr. Baitman. Which is in his portfolio.\n    Mr. Spires. Can I add, though, because I think that is \nabsolutely right, what you said. But what I like to do in \nprograms is pull those people together on a regular basis in \nsome kind of governance forum so that you can have those \ndialogues, so the CIO can represent the technology issues and \nimplications to policy changes. But it shouldn't just be the \nCIO's decision.\n    Ms. Evans. No, and I am not saying it should be the CIO's \ndecision.\n    Mr. Spires. It should be a shared decision.\n    Mr. Meadows. A shared decision, but he should be the one \ninforming?\n    Mr. Spires. That is correct.\n    Ms. Evans. That is right.\n    Mr. Meadows. So I will finish with this last question. I \nhave Google in my district. I love Google. We have, in \nCalifornia, which I don't represent, we have unbelievable \nexpertise. Because we are the greatest Nation, as the ranking \nmember talked about, would we not be reaching out to those \nexperts right now and saying, please come help us get it all \ndone? Would that not be the appropriate thing to do?\n    Mr. Spires. I thought they had brought in a few of the \ntechnical experts as well.\n    Mr. Meadows. But really, if we are trying to get this done \nby November 30th, which I think a lot of us question whether it \nwill really happen, and that should not necessarily be an \nindictment, would we not reach out to more experts in the \nprivate sector?\n    Mr. Spires. I think at this point that would not work for \nNovember 30th. The learning curve is so great, you would spend \nmore time trying to get these experts up to speed on the \nspecifics of the details of Healthcare.gov than you would get \nany benefit out of that at this point. That doesn't mean going \nforward you might not want to engage others as well.\n    Ms. Evans. The one thing I would want to add, I think both \nRichard and I have been in situations with challenged rollouts \nin our career, where we have had challenged rollouts. To your \npoint, the best value that Silicon Valley could do at this \npoint is validate the solutions you are going to put in place.\n    So what I have done in the past on projects where I have \nhad, and I have had failures in my career, as my technical team \nis telling me that this is what we are going to do or these are \nthe changes that we are going to make, we would validate those \nagainst and talk to Silicon Valley saying, from a technical \nperspective, so they are only analyzing the technical issues at \nthat point, saying, if we roll this out and this is the current \nproblem, and we make these configuration changes, is that going \nto solve the problem. That is probably the best application of \nthose resources at that point, and as well with Healthcare.gov.\n    Mr. Meadows. I thank the chairman.\n    Chairman Issa. [Presiding.] I thank you, and if this were \nhealth care and not IT, we would probably say, get a second \nmedical opinion in this case.\n    Mr. Cummings?\n    Mr. Cummings. Again, I want to thank you all. I think when \nwe talk about best practices, you look at, I wish maybe in this \ninstance that some of these best practices that we are talking \nabout had been done. And I noticed that you all talked about \nIT, technical, and then you also talked a little bit about \npolitical. There is so much that goes into these decisions. But \nfor me, I want to see this work, and I am sure you do too.\n    I do not, I just don't believe in failure. We are better \nthan that. I hope that the folks who were part of the process \nwill hear the things that you are talking about. Because I \nthink our strength is in the expertise we all bring. All of us \nhave our own experiences. And having served in the positions \nthat you served, and served, you bring a lot to the table. \nHopefully, folks will have their ears open and their minds open \nto make sure that this doesn't happen this way again. I know we \ncan do better.\n    And I guess the bottom line is that there are so many \npeople that are depending on us. There are a lot of people.\n    Mr. Spires. I am not calling this a failure, sir. It is \ntroubled. But this is not a failure. We need to get it fixed, \nyou are right.\n    If I could just also say, because I think it is important \nenough to say, I made this comment, but I think it is \nimportant, we need the CIOs to be strengthened in this \ngovernment from the standpoint of their empowerment.\n    Mr. Cummings. So you are familiar with Mr. Issa's bill?\n    Mr. Spires. Absolutely, and I very much support that.\n    Mr. Cummings. Do you think that legislation gets to the \nissue you are trying to get to?\n    Mr. Spires. Yes. When you have the lineup of CIOs on your \nfirst panel and none of them were really engaged, that is just \nnot correct. And it leads to failure of IT programs.\n    Ms. Evans. My view is that the legislation should pass. I \nhave had a lot of discussions with Chairman Issa's staff about \nthis, and the role of the CIO. I obviously feel very passionate \nabout it. I believe if that law is passed, it will remove all \nexcuses for non-performance of CIOs and you would have a very \ndifferent oversight meeting. Because everything that the CIOs \nhave said in the past that they cannot do, that legislation \nwould fix. Therefore, they would be held accountable for their \njob.\n    Mr. Cummings. By the way, that is something we did on a \nbipartisan basis.\n    Ms. Evans. That is right.\n    Mr. Cummings. Thank you very much. I really appreciate both \nof you.\n    Chairman Issa. Thank you.\n    I have just one closing question. I know that you are not \nsoftware writers per se. But I talked to Mr. Farenthold, who \nactually put up websites. And I just ask a question. You saw on \nthe last panel where I essentially admonished all of them to \nlook at the FEHBP or what was just for 230 plans, what was just \na few pages that would tell you how much each plan was and how \nmuch the government would pay and how much each person would \npay.\n    Now, one of the reasons that that was only a few pages is \nthat that spreadsheet was for a program that did not age \ndiscriminate. The Affordable Care Act discriminates based on \nthree things: the plan itself, if it is regional, has a region \nin which it operates. If it is national, it has a single price, \nlike FEHBP.\n    It rate discriminates based on age and whether you smoke or \nnot. I have gone back and forth, those are the only variables. \nSo for a given location, which is where you choose your plan, \nlet's just say the Alabama something or other, you only have to \nknow your age and whether you smoke or not. And I do a little \nquick math, and again, unlike the gentleman from Harvard, Mr. \nPark or Mr. Massey from MIT, I went to Kent State and a little \nCatholic school up in Michigan. So I did arithmetic, not \ncalculus.\n    But between 65 and 27, when you leave your parents' plan, \nand the time you are eligible for Medicare, there are 38 years. \nSo as far as I can tell, there are 38 different ages you could \nbe based on the costs of a given plan. And then the question of \ndo you smoke or not.\n    So I saw essentially a spreadsheet or a data base to \nretrieve from of 76 possible answers if you want to go to a \nplan and ask how much it costs.\n    Now, for both of you, if I wanted a website that had an \nengine in the back end that looked at, for a given plan, and \nasked the question of, how old are you and do you smoke or not, \nand then I went out and got the number from that cell, how hard \ndo you think that would be? Because you understand on September \n12th, or September 3rd, they made a decision to not launch that \npart. September 12th, they reiterated. They scrubbed moving the \nsoftware, they moved their people to other problems.\n    I just want to understand, how many people and how long do \nyou think it would take for 76 different numbers that you put \nin on a little program, here is my age and I smoke or I don't \nsmoke, and I want to know how much this plan is? And I am being \na little facetious, and Mr. Spires, you are both smiling well. \nBut that really is the website that we are asking for a splash-\ntype open shopping.\n    Mr. Spires. Obviously, with the requirements you stated, \nthat is a pretty simple website. I suspect that what Mr. Chao \nwas referring to had a lot more functionality and capabilities, \nand you can call it bells and whistles, and that may be \ninappropriate, than that.\n    Chairman Issa. But didn't the American people deserve to be \nable to surf prices as simple as a data base? It is almost the \nback end of a pocket calculator to come up with that.\n    Ms. Evans. Absolutely. But again, when you get into some of \nthe big projects, and that is what I mean about scope creep, \nand really understanding what did have to launch on October \n1st, based on that policy decision. So if it is as simple as \nwhat you described, the government already has a website set up \ncalled Benefits.gov that those simple questions, and this might \nbe an alternative that they could use right now while they are \nworking on the longer plan, those simple questions could be put \nin there. You can fill out this information now, this was \nstarted as one of the 24 initiatives. And you would not only \nfind out what you are eligible for under Healthcare.gov, but \nyou could also find out what other Federal benefits you are \neligible for based on the way that you would answer these \nquestions that only live in the session.\n    So that whole site was set up for Federal benefits, so that \nyou could see everything that you are eligible for as a \ncitizen. So that simple requirement could have launched and can \nstill launch in Benefits.gov.\n    Chairman Issa. I am of an age that I knew the names of all \nthe Mercury astronauts. I didn't know much about government \ncontracting as a young man, but I have been told that the space \npen was designed to be able to write in zero gravity, so they \ncould make their notes in this inverted zero gravity. But the \nRussians used a pencil.\n    [Laughter.]\n    Chairman Issa. The pencil cost what it took to sharpen it, \nwhile the space pen cost millions of dollars to design and \nproduce.\n    Now, that may be a euphemism for a lot of what we deal \nwith. But today we heard somebody tell us that they decided to \nscrub because there were security concerns over what ultimately \nwas a glorified splash page. If you were back, both of you were \nback in your positions and you wanted to please your boss by \ngiving him as much deliverable as you could, and 30 days out \nyou discovered that something had to give, would you have \ngrabbed a pencil out of the drawer instead of telling people \nthey would have to wait months or years to get the space pen?\n    Mr. Spires. I certainly would have tried that, sir. I would \nhave even said, seems to me, and I will echo what Ms. Evans \nsaid, that there should have been a lot of work up front to \nsimplify as much as possible what needed to be launched on \nOctober 1st.\n    Chairman Issa. I want to thank you. Mr. Lacy Clay alluded \nto the Harris project that was done during a previous \nAdministration where the Census Bureau, not really the \nAdministration, had 10 years to launch something and they kept \nchanging it, so that the corporation could legitimately say \nthat it wasn't ready, but they could show all these change \norders in what was basically a handheld scanner, not a terribly \nhigh-faluting piece of technology. So I do understand the \nmission creep.\n    We were just told that apparently in the month of October, \nwe signed up approximately 27,000 people into ObamaCare. With \nthat, would either one of you like to venture whether or not \nthe estimate we were given that they are now signing up roughly \n27,000, on the Federal exchange, but we were told they are \nsigning up about 27,000 an hour. So apparently they are signing \nup about the same amount per hour that they signed up in the \nfirst month.\n    Would any of you venture a guess to what that number will \nbe? Will it be at least ten times 27,000 an hour or 270,000 a \nday at the end of the month? Or are you going to bet on the low \nside?\n    Ms. Evans. I am not a betting person. So I will put that on \nthe record. There is not enough information for me to bet.\n    Chairman Issa. But with 17,000 an hour being told to us \nunder oath here today, does anyone want to look at 170,000 or \n200,000 or 300,000 a day and bet higher or lower here?\n    Ms. Evans. Lower. It is going to be lower, because he said \n17,000 registrations. So that is not 17,000 completions. This \nis again, you are talking about how they are measuring certain \nthings and how you want the outcomes. So you are looking at the \noutcomes and they are measuring things at the beginning of the \nprocess. So if you are talking about all the way through the \nprocess, it is going to be on the lower side.\n    Chairman Issa. I suspect you are exactly right. When I was \nin private life, they always wanted to sell me impressions, how \nmany impressions a piece of advertising got. And I always \nwanted to buy how many sales. So I suspect that we have 17,000 \nimpressions an hour, while in fact the amount of sales could be \nnot much more than that less than 30,000. So I am betting that \nwhen we get our answer at the end of November, that it is \n100,000 or less in the Federal exchange. I certainly hope for \nmore, because we need it to be, I think, 43,000 a day if we are \ngoing to cover everyone.\n    Would either of you like to make any closing statements?\n    Ms. Evans. I just want to say I appreciate your inviting me \nback, the committee inviting me back to share my viewpoints. I \nwould echo some of the comments that Richard has made today, \nthat it is important to get that legislation through to enhance \nthe roles of the CIO, so that we can ensure that other things \nlike IT procurement and those things happen, so that we can \navoid this for this type project, for all of the whole, entire \nportfolio.\n    Mr. Spires. I am not sure I could say it any better than \nyou just said it, Karen. So I have no other remarks. Thank you.\n    Chairman Issa. Thank you both. We always say, I will \nassociate myself with the gentlelady. So I thank you both again \nfor your public service in the past and your continued service \ntoday. We stand adjourned.\n    [Whereupon, at 3:40 p.m., the committee was adjourned.]\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                                APPENDIX\n\n                              ----------                              \n\n\n               Material Submitted for the Hearing Record\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n                                 <all>\n\x1a\n</pre></body></html>\n"