[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]





        OBAMACARE IMPLEMENTATION: THE ROLLOUT OF HEALTHCARE.GOV

=======================================================================

                                HEARING

                               before the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           NOVEMBER 13, 2013

                               __________

                           Serial No. 113-91

                               __________

Printed for the use of the Committee on Oversight and Government Reform






[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]






         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform

                                _____

                  U.S. GOVERNMENT PRINTING OFFICE
87-316 PDF                WASHINGTON : 2014
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop IDCC, Washington, DC 
20402-0001






















              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                 DARRELL E. ISSA, California, Chairman
JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, 
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JOHN J. DUNCAN, JR., Tennessee       CAROLYN B. MALONEY, New York
PATRICK T. McHENRY, North Carolina   ELEANOR HOLMES NORTON, District of 
JIM JORDAN, Ohio                         Columbia
JASON CHAFFETZ, Utah                 JOHN F. TIERNEY, Massachusetts
TIM WALBERG, Michigan                WM. LACY CLAY, Missouri
JAMES LANKFORD, Oklahoma             STEPHEN F. LYNCH, Massachusetts
JUSTIN AMASH, Michigan               JIM COOPER, Tennessee
PAUL A. GOSAR, Arizona               GERALD E. CONNOLLY, Virginia
PATRICK MEEHAN, Pennsylvania         JACKIE SPEIER, California
SCOTT DesJARLAIS, Tennessee          MATTHEW A. CARTWRIGHT, 
TREY GOWDY, South Carolina               Pennsylvania
BLAKE FARENTHOLD, Texas              TAMMY DUCKWORTH, Illinois
DOC HASTINGS, Washington             ROBIN L. KELLY, Illinois
CYNTHIA M. LUMMIS, Wyoming           DANNY K. DAVIS, Illinois
ROB WOODALL, Georgia                 PETER WELCH, Vermont
THOMAS MASSIE, Kentucky              TONY CARDENAS, California
DOUG COLLINS, Georgia                STEVEN A. HORSFORD, Nevada
MARK MEADOWS, North Carolina         MICHELLE LUJAN GRISHAM, New Mexico
KERRY L. BENTIVOLIO, Michigan        Vacancy
RON DeSANTIS, Florida

                   Lawrence J. Brady, Staff Director
                John D. Cuaderes, Deputy Staff Director
                    Stephen Castor, General Counsel
                       Linda A. Good, Chief Clerk
                 David Rapallo, Minority Staff Director





























                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on November 13, 2013................................     1

                               WITNESSES

Mr. David A. Powner, Director of IT Management Issues, U.S. 
  Government Accountability Office
    Oral Statement...............................................     9
    Written Statement............................................    11
Mr. Henry Chao, Deputy Chief Information Officer, Deputy Director 
  of the Office of Information Services, Centers for Medicare and 
  Medicaid Services
    Oral Statement...............................................    28
    Written Statement............................................    30
Mr. Frank Baitman, Deputy Assistant Secretary for Information 
  Technology and Chief Information Officer, U.S. Department of 
  Health and Human Services
    Oral Statement...............................................    38
    Written Statement............................................    40
Mr. Todd Park, Chief Technology Officer of the United States, 
  Office of Science and Technology Policy
    Oral Statement...............................................    44
    Written Statement............................................    45
Mr. Steven VanRoekel, Chief Information Officer of the United 
  States, and Administrator, Office of Electronic Government, 
  Office of Management and Budget
    Oral Statement...............................................    46
    Written Statement............................................    48

                                APPENDIX

A letter to Chairman Issa from Ranking Member Cummings submitted 
  for the record by Chairman Issa................................   148
Pages 151-152 of Henry Chao's transcribed interview submitted for 
  the record by Chairman Issa....................................   150
USA Today article submitted for the record by Chairman Issa......   152
CMS memo dated Sept 3, 2013 submitted for the record by Chairman 
  Issa...........................................................   155
House Republican Playbook submitted for the record by Rep. 
  Cartwright.....................................................   162
IT Critical Factors Underlying Successful Major Acquisitions Link   179

 
        OBAMACARE IMPLEMENTATION: THE ROLLOUT OF HEALTHCARE.GOV

                              ----------                              


                      Wednesday, November 13, 2013

                   House of Representatives
      Committee on Oversight and Government Reform,
                                           Washington, D.C.
    The committee met, pursuant to call, at 9:35 a.m., in Room 
2154, Rayburn House Office Building, Hon. Darrell E. Issa 
[chairman of the committee] presiding.
    Present: Representatives Issa, Mica, Turner, Duncan, 
McHenry, Jordan, Chaffetz, Walberg, Lankford, Amash, Gosar, 
Meehan, DesJarlais, Gowdy, Farenthold, Lummis, Woodall, Massie, 
Collins, Meadows, Bentivolio, DeSantis, Cummings, Maloney, 
Norton, Tierney, Clay, Lynch, Cooper, Connolly, Cartwright, 
Duckworth, Kelly, Davis, Welch, Cardenas, Horsford, and Lujan 
Grisham.
    Also Present: Representative Kelly.
    Staff Present: Richard A. Beutel, Majority Senior Counsel; 
Brian Blase, Majority Professional Staff Member; Molly Boyl, 
Majority Deputy General Counsel and Parliamentarian; Lawrence 
J. Brady, Majority Staff Director; Joseph A. Brazauskas, 
Majority Counsel; Caitlin Carroll, Majority Deputy Press 
Secretary; Sharon Casey, Majority Senior Assistant Clerk; Steve 
Castor, Majority General Counsel; John Cuaderes, Majority 
Deputy Staff Director; Adam P. Fromm, Majority Director of 
Member Services and Committee Operations; Linda Good, Majority 
Chief Clerk; Meinan Goto, Majority Professional Staff Member; 
Tyler Grimm, Majority Professional Staff Member; Frederick 
Hill, Majority Staff Director of Communications and Strategy; 
Christopher Hixon, Majority Chief Counsel for Oversight; 
Michael R. Kiko, Majority Legislative Assistant; Mark D. Marin, 
Majority Deputy Staff Director of Oversight; Laura L. Rush, 
Majority Deputy Chief Clerk; Peter Warren, Majority Legislative 
Policy Director; Rebecca Watkins, Majority Communications 
Director; Krista Boyd, Minority Deputy Director of Legislation/
Counsel; Aryele Bradford, Minority Press Secretary; Yvette 
Cravins, Minority Counsel; Susanne Sachsman Grooms, Minority 
Deputy Staff Director/Chief Counsel; Jennifer Hoffman, Minority 
Communications Director; Chris Knauer, Minority Senior 
Investigator; Elisa LaNier, Minority Director of Operations; 
Una Lee, Minority Counsel; Juan McCullum, Minority Clerk; Leah 
Perry, Minority Chief Oversight Counsel; Dave Rapallo, Minority 
Staff Director; Daniel Roberts, Minority Staff Assistant/
Legislative Correspondent; Valerie Shen, Minority Counsel; Mark 
Stephenson, Minority Director of Legislation; and Cecelia 
Thomas, Minority Counsel.
    Chairman Issa. The committee will come to order.
    The Oversight and Government Reform Committee exists to 
secure two fundamental principles: first, Americans have a 
right to know that the money Government takes involuntarily 
from them is well spent and, second, Americans deserve an 
efficient, effective Government that works for them. Our duty 
on the Oversight and Government Reform Committee is to, in 
fact, protect these rights. Our solemn responsibility is to 
hold Government accountable to taxpayers, because taxpayers 
have a right to know that the money Government takes from them 
is well spent. It is our job to work tirelessly in partnership 
with citizen watchdogs to deliver the facts to the American 
people and bring genuine reform to the Federal bureaucracy.
    Three and a half years ago, closer to four, in a partisan 
vote, the House of Representatives passed the Patient 
Protection Affordable Care Act, commonly referred to as 
ObamaCare. The Act gave this Administration more than three 
years to implement; it gave them virtually unlimited money; it 
ensured them that, for all practical purposes, they need not 
come back to Congress ever again because they created an 
entitlement, one that raised its own money, spent its own 
money, created its own rules.
    The 2400 pages that were passed into law, and then read 
afterwards, now represent tens of thousands of pages of 
regulations that were created by this Administration based on 
how this Administration wanted a law interpreted, meaning that 
legislation created three and a half years ago was still being 
written in late September.
    The cornerstone of the President's signature achievement 
included a website, Healthcare.gov. This site, and parallel 
sites created by some States, were supposed to make it easy to 
have an online marketplace. It was, in fact, an attempt to 
duplicate what hundreds, perhaps thousands, of insurance 
companies, large and small, around America do well every day.
    On October 1st, President Obama said using it would be as 
easy as buying an airline ticket on Kayak.com or buying a 
television on Amazon. This is an insult to Amazon and Kayak. On 
the day of the launch, President Obama should have known the 
harsh lesson we have all learned since that time, and that was 
they weren't ready. They weren't close to ready. This wasn't a 
small mistake. This wasn't a scaling mistake. This was a 
monumental mistake to go live and effectively explode on the 
launchpad.
    For American people, ObamaCare is no longer an abstraction, 
and it is a lot more than a website. For millions of Americans, 
it is about losing insurance the President promised you can 
keep, period. For many Americans, it is about premiums going 
up, when you were promised they would go down by $2500.
    Big businesses lobbied and received an ObamaCare waiver 
this year. However, the individual, the taxpayer, the citizen, 
the only real recipient of health care, did not. Individuals 
still have to pay a penalty if they don't have insurance that 
meets a Federal standard, a standard of what your Government, 
your nanny State believes, in fact, you must have. The penalty 
is still in effect, and even if new exchanges don't function. 
The penalty is in effect even if you planned on keeping the 
health care you wanted, period, and discovered it is now gone, 
or have yet to discover, because ultimately, if you are on an 
employer plan, you may not yet have found out that your 
employer either cannot afford or cannot receive the health care 
you have grown accustomed to.
    The specific reason we are here today is a narrow part of 
this committee's oversight and legislative authority. It is, in 
fact, to examine the failures of what should have been an IT 
success story. Nearly $600 million, three and a half years, is 
larger than Kayak ever dreamed of having to set up their 
website. It is larger than eBay spent in the first many years 
of a much more complex site that auctions, in real-time, 
millions and millions of products a year.
    We are here to examine the failure of technology not 
because the technology was so new and innovative, not because 
this was a moon shot, not because we needed Lockheed Martin and 
Rockwell to come in and invent some new way to propel a ship to 
the moon; but because we have discovered, and will undoubtedly 
continue to discover, that efforts were taken to cut corners to 
meet political deadlines at the end, that for political reasons 
rules were not created in a timely fashion, that in fact the 
rules that should have been created at the time of the passage 
of the law or shortly thereafter in many cases were still being 
given to programmers in September of this year.
    Now, I recognize that there are divisions on this 
committee, as there were when ObamaCare became law. Many 
members, including myself, believe that there was and is a 
health care crisis in America. It is a crisis of affordability. 
And insurance is simply a way to score what that affordability 
is, not to drive down the cost. Many members, including myself, 
opposed this new law because we thought it wouldn't work and it 
had no systems to actually reduce the cost of health care from 
the provider.
    My friends on the other side may correctly note, as I will 
here, that many Americans are benefitting from ObamaCare at the 
cost of trillions of dollars over a 10-year period. I certainly 
hope so. But divisions over whether or not taxpayer money taken 
and pushed back out to needy who are trying to afford health 
care is not the subject today.
    Unfortunately, during the first two years of the ObamaCare 
law, under Speaker Pelosi, there was no effective oversight. 
Oversight was shut down during the first two years of the Obama 
Administration, and the Minority pointing out anything was 
ignored. Under my chairman, we have tried to correct that, but 
we have been disappointed by continued obstruction by the 
Minority on this committee, defending the Administration even 
when it has failed to deliver the relevant documents, and they 
find themselves objecting to hearings, witness requests, and 
constantly engage in petty downplaying of what in fact are a 
serious problem.
    The Minority today will undoubtedly point out that this 
must be political, that we are not here because only 1100 
people at a time could get on to a website before it crashed, 
effectively, when 250,000 needed to get on it because it was 
the law and they were mandated. We are not here for that 
reason, the Minority will say; we are here because this is 
political.
    This committee, on a bipartisan basis, has offered 
legislation that, if the Senate had taken up it and the 
President had supported and signed it and it had been 
implemented in this project, undoubtedly many of the mistakes 
made we would find would not be made. In fact, the lack of 
budget authority for a single point on a project of this sort, 
conducted and overseen by somebody who had a success story in 
similar operations rising to the level of a $600 million multi-
committee, multi-State website, if that person had been there 
and in charge, I have no doubt that person would not be with us 
today because that site would be up and running.
    On October 10th I joined with Senator Lamar Alexander, a 
member of the minority in the Senate who finds himself unable 
to get answers, asking Secretary Sebelius to provide documents 
related to Healthcare.gov. Unfortunately, on October 28th, a 
month in to ObamaCare, I was forced to issue a subpoena because 
of a lack of response from the Administration. To date, HHS has 
not produced a single responsive document to this committee.
    In contrast, the committee has received far more 
cooperation, transparency, and document production, receiving 
over 100,000 relevant documents, from the private sector, from 
contractors working on this project, the very contractors who 
were blamed on day one as their fault, not a single political 
appointee's fault, not Obama's fault.
    I know the ranking member and I could fill an entire 
hearing with discussions about our differences, and I have no 
doubt, in short order, he will air many of them. But for this 
hearing I think we can find agreement. The agreement would be 
simple: whether you like ObamaCare or not, taxpayer dollars 
were wasted, precious time was wasted, the American people's 
promise of ObamaCare, in fact, does not exist today in a 
meaningful way because best practices, established best 
practices of our Government were not used in this case.
    Now, our Government must quickly grasp the lessons of what 
happened here in ObamaCare's Healthcare.gov project to better 
and more effectively implement underlying policy changes so 
this won't happen again. The investigations of this committee 
have received testimony and have paid documents indicating many 
problems that led to the disastrous failure to launch on 
October 1st. The committee has learned that numerous missed 
deadlines and ignoring of integrated security testing 
requirements are still a problem for this system.
    The ranking member gave to me, and I will put it in the 
record, a letter very concerned that some of the documents we 
received from contractors, if they got in public hands, would 
be a roadmap to the security flaws that exist in ObamaCare's 
website today. It is our committee's decision that those 
documents will not be released, that we will carefully ensure 
that any material given to us by anyone that would help hackers 
discover more quickly the flaws in ObamaCare's website are not 
made public.
    But let us understand the ranking member's statement in 
that letter says more than I could say, and that is, on the day 
of the launch, and even today, there are material failures in 
the security of the ObamaCare website, meaning that even though 
we may not put out the roadmap, hackers, if they can get on a 
website that only accommodates 1100 people at a time, hackers 
in fact may have already or may soon find those 
vulnerabilities. They may soon find your social security number 
or your sensitive information because there was no integrated 
security testing before the launch. And MITRE Corporation and 
others pointed this out in time for the launch to not have 
occurred until security concerns were properly vetted.
    The last known security test conducted by the records we 
have been given--and, again, given by contractors, because the 
Administration has failed to be in any way honest or 
transparent in producing documents--show that in mid-September, 
at least as to the Federal marketplace segment of the site, 
they identified significant findings of risk. Documents from 
the contractor MITRE identified a chaotic testing environment.
    According to Mr. Henry Chao, the top operational officer 
for the marketplace, Administration delays in issuing 
regulations created a compressed time frame for building the IT 
infrastructure. We know, for example, that HHS did not issue 
any regulations in the three months prior to November 2012 
election.
    Yes, I am saying that it seems sad that you pass a law in 
the first few months of an administration and, yet, it seems 
that regulations came to a halt so they would not be out there 
in the marketplace during the President's re-elect. Two years 
is too long after a law that has mandates before you go and 
tell the American people and the website producers what they 
must do.
    This committee has learned that a complete integrated 
security testing did not occur, meaning test the pieces, but do 
not test the entire product was one of the faults at the 
launch. That heightens the risk of unauthorized access, non-
encrypted data, identify theft, and the loss of personal 
identifiable information. This is not this committee's opinion; 
this is testimony.
    The director of CMS stated he was not even aware of some 
testing results that showed serious security problems in the 
weeks before the October 1st launch. He testified these results 
should have been shared with him and said the situation was 
disturbing. HHS offered no further explanation for nearly two 
weeks, until after the committee made a redacted version of the 
key memo public.
    At a briefing last week, Tony Trenkle, CMS Chief 
Information Officer, told investigators he normally signs the 
authority to operate memos to launch CMS IT projects. In this 
case, however, and wisely, he determined that he would not sign 
the Healthcare.gov document, and in fact required a less 
qualified and obviously erroneous signature by Marilyn Tavenner 
to occur on that document.
    Now, that is kicking it upstairs because you know it isn't 
any good. And although I appreciate a CIO not signing a 
document for a site that wasn't ready, I think at the same time 
we must recognize that there should have been public objection 
to Marilyn Tavenner signing that document for a website that 
clearly was not ready for prime time.
    Additionally, today we are hearing from a distinguished 
panel of witnesses, and I recognize some of the witnesses, 
particularly Mr. Park, are busy elsewhere trying to get this 
site operational. But since we have been in the neighborhood of 
six weeks into the launch, I trust that hundreds or, if 
necessary, thousands of the right people have most of their 
marching orders and that, in fact, it is time for Congress, on 
any committee of jurisdiction, to look over the shoulder of the 
Administration to ask both what went wrong and, today, not just 
ask do you promise, on November 30th, to make it right, but 
will you in fact commit to the changes in law that would ensure 
this doesn't happen again.
    I don't hold this committee hearing today to sell IT 
reform. This committee has already done its job to sell IT 
reform. However, it is essential that you understand that when 
Mr. Cummings and I make public billions of dollars worth of 
failed IT programs, the American people often get a small 
snippet in the newspaper. So today I think the American people 
should know this isn't the $600 million unique event. If it 
were, it would be a different hearing. This is part of a 
pattern that occurs due to failure to adhere to the private 
sector's world-class standards for web production. This is a 
pattern that includes Schedule C political appointees being 
more involved than career professionals. This is a pattern that 
has to stop.
    Among our witnesses today will be Mr. Dave Powner, a 
Government Accountability Officer and an expert in, in fact, 
what those practices should have been and what failed on 
Healthcare.gov. I might note for all he is, in fact, a career 
professional, a nonpartisan, and an individual who doesn't work 
for me, doesn't work for the ranking member, but works for the 
American people.
    I will do the rest of my introduction when the time comes. 
I now will yield to the ranking member.
    Mr. Cummings. Thank you very much, Mr. Chairman.
    Good morning to everyone and welcome to our witnesses who 
are here with us today. I want you to know that I appreciate 
your service and, on behalf of a grateful Congress, we thank 
you. I thank you for your dedication to ensuring that millions 
of Americans who do not have health insurance will be able to 
obtain quality affordable coverage going forward. This is an 
incredibly admirable goal, and I thank you for everything you 
are doing to make it a reality.
    Unfortunately, not everyone in this room shares this very 
important goal. Republicans opposed the Affordable Care Act in 
2009 and voted against providing health insurance to millions 
of Americans. Over the past three years they have voted more 
than 40 times to repeal parts or all of the law and eliminate 
health insurance for people across the Country. Since they 
failed at these repeal efforts, they blocked requests for full 
funding to implement the law. This forced Federal agencies to 
divert limited funds from other areas.
    Republican governors refused to set up State exchanges, 
forcing the Federal Government to bear more of the workload. 
And to make a political point against the Affordable Care Act, 
Republican governors refused Federal funds to expand their 
Medicaid programs to provide medical care for the poor, 
increasing the burden on their own State hospitals. To me, this 
is one of the most inexplicable actions I have ever witnessed 
from elected representatives against their own people, the 
people who elect them; their neighbors, their family members, 
their friends, the grocer, the mortician.
    After all of these efforts, House Republicans shut down the 
entire Federal Government for three weeks in October. Three 
weeks shut down the Government. They threatened to default on 
our national debt unless we repealed the Affordable Care Act. 
Again, this effort failed.
    Now they are attempting to use the congressional oversight 
process to scare Americans away from the website by once again 
making unsupported assertions about the risk to their personal 
medical information. Let me be clear. The Centers for Medicare 
and Medicaid Services and its contractors failed to fully 
deliver what they were supposed to deliver, and congressional 
oversight of those failures is absolutely warranted. But nobody 
in this room, nobody in this Country believes that Republicans 
want to fix the website.
    For the past three years the number one priority of 
congressional Republicans has been to bring down this law, and 
that goal, ladies and gentlemen, has not changed. Today they 
complain that their constituents are waiting too long on 
Healthcare.gov to sign up for insurance. But is there a 
solution to fix the website? No. It is to repeal the Affordable 
Care Act and eliminate health insurance for millions of 
Americans.
    While repealing the Affordable Care Act indeed would 
reducing waiting times on the website, it would increase 
waiting times in our Nation's emergency rooms.
    Mr. Chairman, over the past month, instead of working in a 
bipartisan manner to improve the website, you have politicized 
this issue by repeatedly making unfounded allegations. In my 
opinion, these statements have impaired the committee's 
credibility. For example, on October 27th, you went on national 
television and accused the White House of ordering CMS to 
disable the so-called Anonymous Shopper function in September 
for political reasons: to avoid ``sticker shock.'' That 
allegation is totally wrong.
    We have now reviewed documents and interviewed the CMS 
officials who made that decision, and it was based on defects 
in the contractor's work, not on a White House political 
directive.
    Last Thursday you issued a press release with this blaring 
headline: ``Healthcare.gov Could Only Handle 1,100 Users the 
Day Before Launch.'' This claim is wrong. You apparently based 
your allegation on misinterpretation of the documents we 
received, which relate to a sample testing environment. I 
believe the witnesses will expound upon that today.
    Most troubling of all was your allegation against one of 
our witnesses today, Todd Park, the Chief Technology Officer of 
the United States of America. You went on national television 
and accused him of engaging in a ``pattern of interference and 
false statements.'' Mr. Park is widely respected by the 
technology community as an honest and upstanding professional. 
In my opinion, your accusations denigrated his reputation with 
absolutely no, absolutely no legitimate basis. As I said to my 
letter to you on Monday, I believe your statements crossed the 
line and I think you owe Mr. Park an apology, not a subpoena.
    The unfortunate result of this approach is that we may miss 
an opportunity to do some very good work. Our committee has 
done significant substantive and bipartisan work on Federal IT 
reform, and I applaud you for your leadership in that. And I go 
back to the word, it was indeed bipartisan. We joined in to do 
what this committee is supposed to do, to look at the facts, to 
seek the truth, the whole truth, and nothing but the truth, and 
then bring about reform.
    Under the leadership above you and our Democratic 
information technology expert, Mr. Connolly of Virginia, last 
March we passed the Federal Information Technology Acquisition 
Reform Act. This bill would increase the authority of agency 
CIOs and provide them with budget authority over Federal IT 
programs, including hiring. We did that together. We did that 
in a bipartisan way. We put politics aside, rolled up our 
sleeves, and worked together to constructively address these 
challenges. I hope that that is what today's hearing is all 
about.
    And I again thank our witnesses, who I know are working 
very hard to achieve these goals.
    With that, I yield back.
    Chairman Issa. I thank the gentleman.
    Members may have seven days in which to submit opening 
statements and other extraneous material.
    I now ask that my entire opening statement be placed in the 
record. Without objection, so ordered.
    I now ask that the letter from Mr. Cummings, dated November 
6, 2013, to me be placed in the record. Without objection, so 
ordered.
    Chairman Issa. I will now go to our panel of witnesses. We 
welcome our first panel of witnesses:
    Mr. Dave Powner is the Director of Information Technology 
Management Issues at the Government Accountability Office.
    Mr. Henry Chao is the Deputy Director of the Office of 
Information Services at the Center for Medicare and Medicaid 
Services, today probably called CMS for the rest of the day, 
and Deputy Chief Information Officer at CMS.
    Mr. Frank Baitman is the Chief Information Officer at the 
Department of Health and Human Services, normally called HHS.
    Mr. Todd Park is the Chief Technology Officer of the United 
States.
    Mr. Steve VanRoekel is the Chief Information Officer of the 
United States.
    Pursuant to the rules, as many of you who have not been 
here before will see, I would ask that you all rise to take a 
sworn oath. Please raise your right hands.
    Do you solemnly swear or affirm that the testimony you are 
about to give will be the truth, the whole truth, and nothing 
but the truth?
    [Witnesses respond in the affirmative.]
    Please be seated.
    Let the record reflect that all witnesses answered in the 
affirmative.
    Now, this is a large panel and it is going to be a long 
day, and I suspect witnesses will be asked questions by both 
sides of the aisle, so I would ask that since your entire 
opening statements will be placed in the record verbatim, that 
you adhere to the time clock and come to a halt as quickly as 
possible when it hits red. Please understand yellow is not an 
opportunity to start a new subject, it is an opportunity to 
wrap up.
    With that, we will go to our distinguished guest from the 
GAO, Mr. Powner.

                       WITNESS STATEMENTS

                  STATEMENT OF DAVID A. POWNER

    Mr. Powner. Chairman Issa, Ranking Member Cummings, and 
members of the committee, we appreciate the opportunity to 
testify on best practices that help agencies deliver complex IT 
acquisitions. In July I testified before Chairman Mica's 
subcommittee on 15 failed IT projects and other troubled 
projects, and now we are faced with one of the more visible 
troubled IT projects in Healthcare.gov. These complex projects 
can be delivered successfully when there is appropriate 
accountability, transparency, oversight, expertise, and program 
management.
    We issued a prior report that showcases seven successful IT 
acquisitions and what allowed them to be delivered 
successfully. This morning I would like to highlight best 
practices from that report and others that would have made a 
difference with Healthcare.gov. I would like to start by 
highlighting the importance of FITAR, Mr. Chairman, 
specifically those sections that increase CIO authorities and 
strengthen IT acquisition practices.
    Starting with accountability. Key IT executives need to be 
accountable with appropriate business leaders responsible for 
the project. This needs to start with the department CIOs and 
for projects of national importance includes the president CIO. 
At HHS, CIO authority is an issue GAO reported on just last 
week.
    Transparency. The IT Dashboard was put in place in June of 
2009 to highlight the status and CIO assessments of 
approximately 700 major IT investments across 27 departments. 
About $40 billion are spent annually on these 700 investments 
and public dissemination of each project's status is intended 
to allow OMB and the Congress to hold agencies accountable for 
results in performance. Surprisingly, recent Dashboard 
assessments on Healthcare.gov primarily showed a green CIO 
rating. But, interestingly, in March the rating was red, so 
something was wrong at that time.
    Third, oversight. Both OMB, department and agency oversight 
and governance are important so executives are aware of project 
risks and assure that they are effectively mitigated. We have 
issued reports on OMB and agency TechStat sessions highlighting 
the importance of these meetings and their excellent results, 
primarily halting, rescoping, and redirecting troubled 
projects. We have also recommended that more TechStats needs to 
occur on troubled and risky projects. We are not aware that 
Healthcare.gov was subject to a TechStat review.
    Fourth, expertise. It is extremely important to project 
success that program staff have the necessary knowledge and 
skills. This applies to a number of areas, including program 
management, engineering, architecture, systems integration, and 
testing.
    Fifth, program management. Several best practices increase 
the likelihood that IT acquisitions will be delivered on time, 
within budget, and with the functionality promised. This starts 
with getting your requirements right by involving end-users, 
having regular communication with contractors throughout the 
acquisition process, and adequately testing the system, 
including integration end-to-end and user acceptance.
    There are a number of key questions that can be asked of 
any IT acquisition to ensure that appropriate accountability, 
transparency, oversight expertise, and program management is in 
place, and these most definitely pertain to Healthcare.gov. 
These include:
    What role is OMB playing in ensuring that this major 
acquisition is on track and specifically how involved is the 
Federal CIO?
    Is the department and agency CIO accountable and actively 
involved in managing risks?
    Is the acquisition status accurate, timely, and transparent 
as displayed on the IT Dashboard?
    Are OMB and agency oversight and governance appropriate?
    Were governance or TechStat meetings held with the right 
executives?
    Were key risks addressed and was there appropriate follow-
up?
    Does the agency have the appropriate expertise to carry out 
its program management role and other roles it is to perform? 
In the case of Healthcare.gov, a key question is whether CMS 
has the capabilities to act as the systems integrator.
    And, finally, is the program office following best 
practices throughout the acquisition life cycle, starting with 
how the project is defined to how it is tested and deployed for 
operations? This would include security testing, assessment, 
and authorization.
    In summary, Mr. Chairman, OMB and agencies can do more to 
ensure that the Government's annual 80-plus billion dollar 
investment in IT has the appropriate accountability, oversight, 
transparency, and best practices to deliver vital services to 
the American taxpayers.
    This concludes my statement. Thank you for your continued 
oversight in Federal IT issues.
    [Prepared statement of Mr. Powner follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    
    Chairman Issa. Thank you.
    Mr. Chao.

                    STATEMENT OF HENRY CHAO

    Mr. Chao. Good morning, Chairman Issa, Ranking Member 
Cummings, and members of the committee. Since the passage of 
the Affordable Care Act, CMS has been hard at work to design, 
build, and test secure systems that ensure Americans are able 
to enroll in affordable health care coverage.
    I serve as CMS's Deputy Chief Information Officer and I am 
a career civil servant that has 20 years working at CMS on 
Medicare and Medicaid systems of varying skills. My role has 
been to guide the technical aspects of the Marketplace 
development and implementation to Federally-facilitated a 
Marketplace eligibility enrollment systems in the data services 
Hub.
    I work closely with the private sector's contractors 
building these IT components of Healthcare.gov. I also work 
closely with my colleagues in CMS who handle other IT and 
policy aspects of the site, including the Center for Consumer 
Information and Insurance Oversight, which manages the business 
operations and makes policy decisions that relate to 
Healthcare.gov; the chief information officer who oversees the 
account creation on Healthcare.gov through management of a 
shared service called the Enterprise Identity Management 
System; and the Office of Communications, which is focused on 
the call center operations and the user experience aspects of 
Healthcare.gov.
    To facilitate the various key functions of the Federally-
facilitate Marketplace, CMS contracted with QSSI to develop the 
Hub and CGI Federal to develop the Federally-facilitated 
Marketplace. The Hub facilitates the secure verification of the 
information a consumer provides in their Marketplace 
application with information maintained by other Federal data 
sources such as SSA and IRS. In addition to the Hub, CMS 
contracted with CGI Federal to build the Federally-facilitated 
Marketplace system which consumers use to apply for health care 
coverage through private qualified health plans and for 
affordability programs like Medicaid, CHIP, and advanced 
premium tax credits and cost-sharing reductions.
    The Federally-facilitated Marketplace system consists of 
numerous modules, each of which was tested for functionality 
and for security controls. Numerous test cases were used to 
exercise the end-to-end functionality of the system. We 
underestimated the volume of users who would attempt to 
concurrently access the system at any one time initially in 
October, and we immediately addressed the capacity issues in 
the first few days and continue to actively work on further 
improving performance and creating a better user experience.
    Healthcare.gov is made up of two major subdivisions. One 
subdivision is called Learn and contains information to assist 
and educate consumers about the Marketplace. In addition, a 
premium estimation tool was launched on October 10th to allow 
consumers to browse health plans without creating a 
Healthcare.gov account on the Get Insured subdivision of 
Healthcare.gov, which contains the online application for 
enrollment.
    While the premium estimation tool could only sort consumers 
into two age categories when it was first launched, its 
functionality will be expanded to accommodate additional 
scenarios to better fit consumer shopping profiles. This tool 
is different from the FFM application because determinations 
about consumers' eligibility for insurance affordability 
programs, Medicaid and CHIP, are specific to the 
characteristics of an applicant and his or her household, and 
could only be calculated when an application is completed, 
after income, citizenship, and other information is verified.
    I know that consumers using Healthcare.gov have been 
frustrated in these initial weeks after the site's launch. 
While the Hub is working as intended, after the launch of the 
FFM online application, numerous unanticipated technical 
problems surfaced which have prevented some consumers from 
moving through the account creation, application, eligibility, 
and enrollment processes in a smooth and seamless manner. Some 
of those problems have been resolved and the site is 
functioning much better than it did initially. Users can now 
successfully create an account, continue through the full 
application and enrollment processes. We are now able to 
process nearly 17,000 registrations per hour, or 5 per second, 
with no errors. Thanks to enhanced monitoring tools, we are now 
better able to see how quickly the online application is 
responding and to measure how changes improve user experience 
on the site.
    We reconfigured various systems components to improve site 
responsiveness, increasing performance across the site, but in 
particular the viewing and filtering of health plans during the 
online shopping process. We have also made software 
configuration changes that have added capacity to improve the 
efficiency and effectiveness of the system.
    CMS is committed to creating a safe, secure, and resilient 
IT system that helps expand access to quality affordable health 
care coverage. We are encouraged that the Hub is working as 
intended, and that the framework for a better functioning 
Federally-facilitated Marketplace eligibility system and 
enrollment is in place.
    [Prepared statement of Mr. Chao follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Chairman Issa. I know this isn't questioning time, but if 
you can tell us 17,000 are signing up per hour, then why is a 
subpoena from Ways and Means unanswered as to how many have 
signed up? Please, don't answer yet. We will get to that.
    Mr. Baitman.

                   STATEMENT OF FRANK BAITMAN

    Mr. Baitman. Good morning, Chairman Issa, Ranking Member 
Cummings, and members of this committee. My name is Frank 
Baitman, and I am the Deputy Assistant Secretary for 
Information Technology and the Chief Information Officer at the 
U.S. Department of Health and Human Services. I am pleased to 
join you here today.
    The Department of Health and Human Services is the United 
States Government's principal agency for protecting the health 
of all Americans and providing essential human services, 
especially for those who are least able to help themselves. At 
the Department level, the Office of the Chief Information 
Officer serves this objective by leading the development and 
implementation of an enterprise-level information technology 
framework. HHS is committed to the effective and efficient 
management of our information resources in support of our 
public health mission, human services program, and the U.S. 
health system.
    The HHS OCIO is responsible for developing the Department's 
policy framework for IT, including such areas as enterprise 
architecture, capital planning, records management, 
accessibility, and security and privacy. For example, the 
security arena has a healthy framework that encompasses the 
Federal Information Security Management Act of 2002, OMB 
directives, and the National Institute of Standards and 
Technology's guidance on security and privacy, all of which are 
embodied in the Department's security policies.
    Our information technology portfolio is sizeable, including 
support to a number of grant programs that provide IT resources 
to State, local, and tribal governments in support of the 
programs administered by HHS. The Department's portfolio also 
supports everything from common and commodity IT, things like 
human resources, email, and accounting systems; to the mission 
systems that enable research at the National Institutes of 
Health; to the regulation of drugs and devices at the Food and 
Drug Administration; and to the treatment of patients at the 
Indian Health Services' network of clinics.
    HHS is a large department, with a diverse set of missions. 
Our operating divisions include the Administration for Children 
and Families; the Administration for Community Living; the 
Administration for Health, Research and Quality; the Centers 
for Disease Control and Prevention; the Centers for Medicare 
and Medicaid Services, known as CMS; the Food and Drug 
Administration; the Health Resources and Services 
Administration; the Indian Health Service; the National 
Institutes of Health; and the Substance Abuse and Mental Health 
Services Administration. That is what makes up HHS. And we 
manage our IT portfolio through a federated governance 
structure. The vast majority of the Department's IT resources 
are dedicated directly to the appropriations made to our 
programs and operating divisions, and our governance structure 
reflects that reality. Program-level IT decisions are governed 
and reviewed by our operating divisions.
    Each of HHS's operating divisions has its own chief 
information officer, its own chief information security 
officer, and an IT management structure; and management of the 
development of Healthcare.gov was comparable to management of 
similar IT initiatives throughout the Department's operating 
divisions. Indeed, prior IT initiatives that we are all 
familiar with, including Medicare.gov and Medicare Part D 
Prescription Drug program were led and developed by CMS, who 
serves as the business owner and developer of Healthcare.gov's 
integrated eligibility and enrollment system for the Federally-
facilitated Marketplace.
    Since I joined the Department about 18 months ago, we have 
been working to restructure and update our IT governance, 
bringing visibility into what the Department buys and builds 
across all of our operating divisions, and we are now in the 
process of putting in place three IT steering committees to 
bring together technology and program leaders from across the 
Department to improve our purchasing and management of IT 
resources. These steering committees take a functional view of 
our IT portfolio. We have created one to oversee health and 
human service systems, a second to oversee scientific research 
systems, and a third for administrative and management systems.
    This governance structure will improve Department-wide 
oversight of IT purchases and projects. Secretary Sebelius has 
been a strong advocate for transparency into the Department's 
IT portfolio and this new governance structure is designed to 
achieve that outcome. Collectively, these three steering 
committees will provide Department-wide guidance to the 
operating divisions' respective IT portfolios and will ensure 
that we identify and take advantage of opportunities to save 
taxpayer funds.
    For example, we are now in the process of establishing a 
Vendor Management Office to improve the Department's 
negotiating position with technology vendors and to make use of 
enterprise-wide license acquisitions. We are always looking for 
ways to consolidate investment systems or acquisitions to meet 
the Department's broad IT portfolio needs more effectively and 
economically. In the fiscal year 2014 budget process, HHS 
identified $250 million in reductions within our IT portfolio 
attributable to savings in various commodity IT areas.
    Chairman Issa. Mr. Baitman, we know how great a job you are 
doing; that is why you are here today. Could you please wrap 
up?
    Mr. Baitman. Sure.
    I appreciate the opportunity to be with you here today.
    [Prepared statement of Mr. Baitman follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Chairman Issa. Thank you.
    Mr. Park.

                     STATEMENT OF TODD PARK

    Mr. Park. Good morning, Chairman Issa, Ranking Member 
Cummings and members of the committee. Thank you for inviting 
me to testify today on the Administration's ongoing efforts to 
deliver on the promise of the Affordable Care Act.
    As U.S. Chief Technology Officer, housed at the Office of 
Science and Technology Policy, I serve as an advisor at the 
White House on a broad range of technology policy and strategy 
priorities, ranging from how technological innovation can help 
grow the economy to how to open up government data to spur 
innovation and entrepreneurship in the private sector to how 
the power of technology can be harnessed to improve health 
care, aid disaster relief, fight human trafficking, and more. 
In this work, I try to bring the sensibilities of the private 
sector tech entrepreneur that I have been for most of my 
professional life.
    As you know, October 1st was the launch of the new 
Healthcare.gov and the Health Insurance Marketplace, where 
people without health insurance, including those who cannot 
afford health insurance and those who are not part of a group 
plan, can go to get affordable coverage.
    Unfortunately, the experience on Healthcare.gov has been 
highly frustrating for many Americans. These problems are 
unacceptable. We know there is real interest from the American 
public in having easy access to the new affordable choices in 
the health insurance marketplace. I believe that as public 
servants we have a shared goal: to deliver to Americans the 
service they deserve and expect. And since the beginning of 
October I have shifted into working full-time on the team that 
is working around the clock to fix Healthcare.gov and bring it 
to the place it should be.
    The team is making progress. The website is getting better 
each week as we work to improve its performance, its stability, 
and its functionality. As a result, more and more individuals 
are successfully creating accounts, logging in, and moving on 
to apply for coverage and shop for plans. We have much work 
still to do, but are making progress at a growing rate.
    I will be happy to try to answer any questions you may have 
about Healthcare.gov and the progress the team is making. Thank 
you very much.
    [Prepared statement of Mr. Park follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    
    Chairman Issa. Thank you, Mr. Park.
    Mr. VanRoekel.

                 STATEMENT OF STEVEN VANROEKEL

    Mr. VanRoekel. Good morning, Chairman Issa, Ranking Member 
Cummings, and members of this committee. Thank you for this 
opportunity to testify on the efforts to improve the management 
of Federal information technology and its relationship to the 
implementation of the Affordable Care Act.
    As the Chief Information Officer of the United States, I 
serve as the Administrator of the Office of Electronic 
Government and Information Technology, a statutorily created 
office within the Office of Management and Budget. My primary 
duties are: developing and issuing Government-wide, broad-brush 
guidance and policy; overseeing the development of the 
President's $82 billion IT budget; and convening and 
facilitating Federal IT stakeholders to collectively address 
and resolve complex cross-Government issues.
    The results from my office have followed these themes: 
flat-lining Federal IT spending since 2009, realizing over $1 
billion in savings since 2012 with our PortfolioStat program, 
and facilitating and convening agencies to work on crosscutting 
opportunities and policy such as our work on opening Government 
data, closing and optimizing our data centers, promoting a new 
wave of cloud computing. My office has also done important work 
in the area of cybersecurity, creating new, secure mobile 
device specifications for our Country and protecting Federal IT 
devices and the network.
    My involvement in the implementation of the ACA also 
reflects from my role as Federal CIO. I acted as a convener and 
facilitator of agencies to work through the technical details 
of the cross-agency implementation work of the ACA, primarily 
yielding the cross-agency Data Service Hub feature of the 
overall system.
    As the committee is well aware, before joining the 
Administration, I worked in the private sector for nearly 20 
years, the majority of which was at Microsoft Corporation. I 
shipped and helped launch many complex products and well-known 
brands, such as Windows XP, Xbox, and Windows Server. The 
launch of each of these projects presented its own challenges. 
Microsoft is still patching Windows XP, 12 years after I helped 
launched it in 2001. Continuous improvement is the nature of 
these efforts.
    As you can imagine, connecting multiple legacy IT systems 
across multiple agencies of the Federal Government is a complex 
task; however, this is no way an excuse for the problems 
encountered in launching Healthcare.gov. We are taking this 
unacceptable situation seriously and working hard to correct 
course.
    Since October 1st, I am actively helping in the all-hands-
on-deck effort to assist the Department of Health and Human 
Services and the Centers for Medicare and Medicaid Services in 
fixing this system. Given my prior experience in the private 
sector, I acted as a customer advocate, helping to assess and 
address opportunities to improve the customer experience while 
we fix the website. Outcomes from this work include updates to 
the home page of Healthcare.gov and listing alternative ways to 
apply for health insurance. Recently, I am involved in the 
technical aspects of the site, including monitoring progress 
and advising the team.
    We share the deep concern of this committee regarding the 
current state of Healthcare.gov and we, as a team, are working 
to improve this site to improve access to affordable healthcare 
coverage as soon as possible. I look forward to continuing this 
work after this hearing.
    Thank you again for the opportunity to appear before the 
committee today.
    [Prepared statement of Mr. VanRoekel follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Chairman Issa. Thank you.
    I now ask unanimous consent that pages 151 and 152 of Mr. 
Chao's transcribed interview be placed in the record. Without 
objection, so ordered.
    Chairman Issa. I now ask that the redacted document of CGI 
Federal, which we will call Exhibit 1, I guess, be placed in 
the record. Without objection, so ordered.
    Chairman Issa. And I now ask that the CMS document entitled 
Health Insurance Marketplace Preflight Checklist September 
25th, 2013 be placed in the record.
    Mr. Cummings. Mr. Chairman?
    Chairman Issa. Yes.
    Mr. Cummings. I just want to reserve so I can just see the 
documents, that's all.
    Chairman Issa. That is a committee document that both sides 
have.
    [Pause.]
    Chairman Issa. Without objection, so ordered.
    Chairman Issa. Mr. Chao, I am going to ask the clerk to 
give you those documents and, before I start, I am going to 
give you a very brief understanding of what I am going to come 
back to you on in just a few minutes. But you have made 
testimony, on pages 151 and 152 of your transcribed interview, 
in a sequence of events that were related to the Minority's 
questioning of you as to whether or not the Anonymous Shopper 
function worked on October 1st. The other document is related 
to that checklist, and we want to make sure you have that 
before I ask you any further questions under oath.
    While he is reading that, Mr. Park, you are here today, and 
taken away from your other duties, because of a serious concern 
about what you knew and what the Administration may have had 
you say, and I want to give you an opening opportunity to 
clarify that. After the October launch, and I will paraphrase, 
you basically said that the problem with the website was that 
there were 250,000 simultaneous users; they could have handled 
60,000, but that 250,000 simply slowed it down or brought it to 
its knees.
    With your opening statement, the opening statements of 
others, and what you now know, would you like to please, for 
the record, give us the number of simultaneous users you 
believe could have been handled through the portal on day one?
    Mr. Park. Thank you, Mr. Chairman, for the question. It is 
the nature of this kind of situation----
    Chairman Issa. Now, Mr. Park?
    Mr. Park. Yes, sir.
    Chairman Issa. I want to treat you with respect, but I have 
a very few minutes.
    Mr. Park. Yes, sir.
    Chairman Issa. You gave a number. That number was 
erroneous. It couldn't handle 60,000 simultaneous users. 
Documents that will be placed in the record show that on 
September 30th the system crashed with 1100, and the goal was 
to get to 10,000. Would you like to tell us for the record, 
based on your working on this, what number the American people 
could simultaneously be on the site working on day one before 
the system began to time out?
    Mr. Park. So, to answer as succinctly as I can, thank you 
for the question, the information that we had at the time was 
that CMS had designed the system for 50,000 to 60,000 
concurrent users. Right now, if you ask me right now, based on 
what I know now, what the system is currently capable of 
handling, the thing I would be comfortable saying is that the 
system has been comfortably handling, at present, about 20,000 
to 25,000 current users.
    Chairman Issa. Okay, so it is fair to say, and I will 
paraphrase, on day one, on October 1st, at the launch, some 
amount, perhaps greater than 1,100, which was experienced on 
September 30th, and closer to the goal set on September 30th, 
which they thought, in documents the committee has received, 
they could get to 10,000 simultaneous. But on day one, on 
October 1st, when this site launched, the site was capable of 
handling somewhere more than 1,100, perhaps, but less than 
10,000 simultaneous users, and certainly not the 60,000, 
50,000, 20,000, or 250,000 that simultaneously tried to use the 
site. Is that correct?
    Mr. Park. So there may be a matter of confusion here, which 
CMS may be better positioned to clarify.
    Chairman Issa. Okay.
    Mr. Park. But I believe that the 1,100 number was for a 
particular unit of capacity.
    Chairman Issa. Okay.
    Mr. Park. As opposed to the entire system. But I will 
defer.
    Chairman Issa. Right. But the problem is there was a front 
door, and that unit of capacity was limited by the front door. 
You know, I come out of the IT world, I come out of the tech 
world, but the American people can understand that you are only 
as strong as your weakest link. If you have a bottleneck that 
causes people trying to get through the site to not be able to 
do it, to time out, that bottleneck is what determines it. And 
since, on day one, only 6 people got to the end, I think that 
for the American people, understanding that whatever the 
capacity is today, the capacity was insufficient on day one. 
Isn't that correct?
    Mr. Park. So, sir, just in the interest of providing the 
most accurate testimony I can----
    Chairman Issa. I only want to know on day one was the 
capacity sufficient.
    Mr. Park. I can't speak to the numbers that you are talking 
about. But clearly on day one, clearly on day one the system 
was overwhelmed by volume.
    Chairman Issa. Okay. Well, Mr. Park, you are going back to 
something I hoped you wouldn't do. The volume on day one, and 
maybe the GAO can answer, the volume on day one was not in 
excess of what was expected, was it? The volume on day one was 
what you would expect if everyone is going on the site to see 
what it is all about after three and a half years of waiting, 
isn't it, Mr. Powner?
    Mr. Powner. Mr. Chairman, I don't have those specifics, but 
I will say this: these volumes we are talking about, if you go 
to examples like IRS on e-filing and the volume they handle 
with people filing taxes in the eleventh hour, this is the same 
problem that the IRS deals with on an annual basis. What you 
need to do is you need to appropriately plan for your 
performance in stress-testing, and there is fundamental 
questions whether that was adequate here.
    Chairman Issa. Well, and that is what we are going to 
discover throughout the panel today.
    Mr. Chao, I told you I would come back to you. You 
testified under oath, on pages 151 and 152, on the Minority's 
questions, that basically, and I will paraphrase because of 
time, this site, the Anonymous Shopper function did not work. 
Now, we have seen a document with CMS on it dated September 
25th that said it passed that test. Is it that you did not know 
it had passed the test when you made your statement saying that 
it failed?
    Mr. Chao. Well, first off, Chairman, I would like to say 
that after working with your staff for eight, nine hours, as 
well as the Minority staff, going through this transcribed 
interview, I have not had a chance to look at this, so this is 
the first time I am actually seeing the results of that day, 
so----
    Chairman Issa. Wait a second. Look, your job is to know 
what is in the site. The CMS report that said, and this is 
September, before the launch, that the test had been passed 
successfully on the Anonymous Shopper. You testified that it 
wasn't and that is why it was turned off.
    Mr. Chao. Correct.
    Chairman Issa. Are you prepared to say under oath that the 
Anonymous Shopper was turned off by your knowledge, not your 
guess, not your hypothetical, but are you prepared to say the 
Anonymous Shopper was turned off because it failed the test? 
And that would be your knowledge based on what you knew.
    Mr. Chao. My words were not that it was turned on or off. I 
think that is actually technically incorrect. I said it was not 
made available because it failed testing. So you hand me this 
page 151, 152, which I have not reviewed as far as correctness 
and accuracy, and I suppose you are handing me this other 
document that says----
    Chairman Issa. Mr. Chao, what we are doing is we are saying 
that CMS documents show that the Anonymous Shopper tested 
positive, it worked. You said under oath, and I am sorry that 
you may not have remembered what you said under oath, but when 
the Minority asked you what is normally nice questions, self-
serving questions, help you rehabilitate yourself questions, 
they are on your side, you said effectively that you gave a 
reason, which the ranking member used in his opening statement 
effectively, that the Anonymous Shopper was turned off for 
reasons other than political.
    Mr. Chao. Because I have----
    Chairman Issa. We believe the Anonymous Shopper, the easy 
front door, the I just want to know what it is going to cost 
was not on, and if in fact if it was on, Mr. Park has said this 
had different components. That portion could have been much 
more effective. The American people could have gotten on and 
shopped.
    Mr. Chao. This line of questions that I was answering about 
Anonymous Shopper is in the context of my knowledge, under 
oath, that it did not pass testing, and I have documents that 
show it did not pass testing.
    Chairman Issa. Okay, so, when--Mr. Chao, my time has 
expired, but when HHS and CMS deliver us documents showing that 
it hasn't passed, we can have you back. Right now the documents 
provided to us by the vendor show that it did pass on a CMS 
document. That document is placed in the record. If anyone else 
would like to understand that you have said it failed test, 
they said it passed test. This Administration, in their absence 
of transparency, has refused to give us the documents showing 
it failed test, but the document we have today, which says CMS 
all over it, which is in the record, says it passed test. It 
passed the test. You said under oath it failed the test. Our 
problem is the people you work for won't give us the documents 
so we can fully understand that, just as the people you work 
for won't answer a simple question to the Ways and Means 
Committee, which is how many people have signed up, even under 
a subpoena.
    With that, I recognize the ranking member to try to 
rehabilitate your testimony.
    Mr. Cummings. Mr. Chairman, let me be clear that we have 
staff who work just as hard as yours. It is not about self-
serving, it is about getting to the truth, and I would not 
insult your staff----
    Chairman Issa. I wasn't insulting your staff.
    Mr. Cummings. Well, I take it as an insult.
    Chairman Issa. What I said was that----
    Mr. Cummings. It is not about self-serving; it is not about 
rehabilitating. It is about trying to get to the truth, period, 
the truth and nothing but the truth. And I am not going to try 
to rehabilitate, as you said, Mr. Chao.
    Chairman Issa. Well, maybe you can get him to give us the 
documents.
    Mr. Cummings. I think in a few moments somebody else on 
this panel will present the documents that there is something 
that you did not disclose just now that will be brought out to 
show that your statements are inaccurate.
    Now, Mr. Park----
    Chairman Issa. Would the gentleman yield?
    Mr. Cummings. Of course. Somebody else will bring it up, 
another member.
    Chairman Issa. So somebody else will rehabilitate----
    Mr. Cummings. No, no, no, no, no. No. No. No. Again, we 
will show you the document that there are some things that you 
have been blacked out that you have not disclosed, and we will 
show you those in a few minutes.
    Now, if I may proceed.
    Mr. Park, although we have not met before today, I 
understand that you have an outstanding reputation in the IT 
community. I did not know this previously, but the cofounder of 
your former company is Jonathan Bush, of Athena Health, who is 
the cousin of former President George Bush, is that right?
    Mr. Park. Yes, sir.
    Mr. Cummings. I have a quote here that Mr. Bush, the cousin 
of the former president, gave to a reporter a few weeks ago, 
and he says this about you: ``Todd is uniquely thoughtful, 
dedicated, and precise. He is a manic problem-solver, blind to 
partisanship. If there is anyone who can fix the problems with 
the exchanges, it is Todd.''
    Mr. Bush also said that you are working so hard to improve 
the website that you ``spent the first week of October sleeping 
on the floor of his office as he tried to help get 
Healthcare.gov off the mat.'' Is that right?
    Mr. Park. Yes, sir.
    Mr. Cummings. Well, your reputation certainly precedes you. 
Unfortunately, however, last week Chairman Issa appeared on Fox 
News and accused you and other political appointees of engaging 
in a ``pattern of interference and false statements related to 
this site.''
    That is a serious attack against your integrity. I don't 
want to get into anyone's intent or motives here, but I do want 
to give you an opportunity to respond directly. And this is not 
unusual for me, because I realize that we are all on this Earth 
for a short while and that our reputation is all we have. And 
since those statements were made about you, I would like to 
give you an opportunity to respond.
    Mr. Park. Thank you, sir. Thank you for the opportunity. 
And, again, I don't take any of this personally; it is a fast-
moving situation with a lot going on. So I would just say this, 
that it was the case, absolutely, that volume was a key issue 
that hit the site. It is still an issue for the site, although 
we have greatly expanded and are expanding the ability for the 
site to accommodate volume. I relayed my best understanding at 
the time in each of my statements. It is the nature of things 
that as you do more painstaking diagnosis of a system, you 
learn more about what you need to do to fix it, and I can say 
now that, in addition to volume, there are other key issues 
that have to be addressed with the site in terms of its 
performance, in terms of its stability, in terms of its 
functionality, and there are aggressive efforts happening to do 
that which are making great progress, so it is getting better 
and better each week with the work of a tremendous team led by 
Jeffrey Zients and Ms. Tavenner, of which I am proud to be a 
small part. But you have my assurance that at each part along 
the way, if I am ever asked a question, I will tell you what I 
know to the best of my ability, my best understanding, and that 
is what I will continue to do as my understanding gets better 
and better.
    Mr. Cummings. Well, let me ask you this. Did you engage in 
a ``pattern of interference and false statements?''
    Mr. Park. No, I did not. I relayed my best understanding at 
the time, and I will continue to do that. As my understanding 
gets better, I will relay that, absolutely.
    Mr. Cummings. Before you were subpoenaed to come here 
today, your office wrote a letter describing your extreme 
demanding workload for the next two weeks and offering to 
testify in December instead. Was this concern coming just from 
your office or was it really a legitimate concern of yours that 
you would be pulled away from the website issues to prepare for 
testifying here today?
    Mr. Park. So it has never been a question of if I will 
testify, it was just a question of when. It had been the hope 
of me and the team that is working to fix the site that I could 
continue to focus intensely on helping to fix the site this 
month and come back in a few weeks. That being said, I 
understand that the chairman came to a different decision. I 
respect that decision. I am the son of immigrants from Korea. I 
have incredible love for this Country. I have huge respect for 
the institution of Congress and its role in our democracy, and 
if the committee wanted me to be here today and decided I 
should be here today, then I am happy to be here today and make 
the time to answer your questions.
    Mr. Cummings. Although I understand that the website----
    Chairman Issa. The gentleman's time has expired.
    Mr. Cummings. Mr. Chairman, I just ask for the same amount 
of time you had.
    Chairman Issa. I let you ask the last question after your 
time had expired, and it was completed.
    We now go to the gentleman from Florida for five minutes.
    Mr. Tierney. Mr. Chairman, I think it was about almost four 
minutes that you exceeded your time by that. Is there----
    Chairman Issa. I went to one question after the end, which 
was Mr. Chao, which----
    Mr. Tierney. Four minutes. I am only asking----
    Chairman Issa. The gentleman is recognized.
    Mr. Tierney. Well, you are not going to run a fair hearing, 
you are just going to go out and do this all the way.
    Chairman Issa. The gentleman from Florida is recognized.
    Mr. Mica. Thank you for yielding.
    It is kind of interesting to see, as ObamaCare implodes, 
how everybody is running for cover. Yesterday we saw the former 
President of the United States, Bill Clinton, throw the current 
President under the bus, so to speak, on this issue. Today we 
heard the other side, Mr. Cummings, our Democrat leader, start 
out by citing that the problem with this is Republican 
governors, that a lot of them opted for an exchange.
    Mr. Chao, are these governors Arkansas, Delaware, Illinois, 
Missouri, Montana, aren't they all Democrat governors and they 
opted out of the exchange? Are you aware of that? Well, they 
are, just for the record. But it is interesting to see how they 
run for cover.
    I have a question for all of you. Each of you I want to ask 
you this question. It is obvious that ObamaCare was not ready 
for prime time from both an IT performance ability and also 
from a security standpoint. Were you aware of that, Mr. Powner, 
before October 1st?
    Mr. Powner. GAO did issue a report----
    Mr. Mica. Were you--okay.
    Mr. Powner.--in June that there was a lot to do in a 
compressed schedule, correct.
    Mr. Mica. Yes.
    Were you aware of it, Mr. Chao?
    Mr. Chao. Can you repeat the question again?
    Mr. Mica. That ObamaCare was not ready from an IT 
operational standpoint and also from a security standpoint for 
prime time on October 1st. Were you aware of it?
    Mr. Chao. I was aware that there was security testing----
    Mr. Mica. You were aware that there were problems. Okay.
    Mr. Chao. And that there were no high findings in security 
testing.
    Mr. Mica. I said from an operational. So you thought it was 
operational.
    Mr. Chao. I am just trying to answer your question.
    Mr. Mica. Well, operational and security.
    Mr. Baitman?
    Mr. Baitman. I was aware that various modules that were to 
be part of the system were----
    Mr. Mica. Weren't working.
    Mr. Baitman.--were being removed.
    Mr. Mica. Mr. Park, anything on security? Mr. Park, 
operational and security.
    Mr. Park. As I recall, sir, no.
    Mr. Mica. Oh, okay.
    Mr. VanRoekel?
    Mr. VanRoekel. I am aware that any system, private sector 
or public sector----
    Mr. Mica. What about the security?
    Mr. VanRoekel.--needs constant addressing of security.
    Mr. Mica. What about the security issue?
    Mr. VanRoekel. Any system needs constant--security needs to 
be constantly addressed.
    Mr. Mica. Did you review a document prepared by MITRE that 
reviewed--this hasn't been released yet, but it reviewed the 
security testing and capability?
    Mr. VanRoekel. No, sir, I didn't see that.
    Mr. Mica. You did not see this, September 23rd, that 
highlighted some of the issues? Okay.
    First of all, it looks like political decisions got us into 
this strait. You commented, Mr. Chao, to our committee that you 
had to have regulations in place to go forward to make 
decisions on the construct, right?
    Mr. Chao. Correct.
    Mr. Mica. And there were regulations that were not imposed, 
and I think you also intimated that some of them were stopped 
by the White House prior to the election.
    Mr. Chao. No, I did not.
    Mr. Mica. Okay. Mr. Chao, you said the delay in the 
issuance of regulations guidance was a significant problem in 
compressing the time frame and actually the White House 
pressure to stop those regulations coming out before the 
election, because they didn't want folks to know what was 
coming. You are not aware of that?
    Mr. Chao. Well, I think you are paraphrasing from my 
testimony, which I----
    Mr. Mica. Okay. Well, here is your comment to our staff: 
You can't test the system without requirements, so if 
requirements are coming in late, then obviously you are going 
to be a little nervous. Was that your statement?
    Mr. Chao. I think that holds true for any----
    Mr. Mica. That is what we have. That was your statement. 
Okay, so----
    Mr. Chao. My answer in the context was for any development 
project that requires requirements in order to build the system 
in a compressed time frame----
    Mr. Mica. Did you know that security and the testing was 
done by MITRE, of security, is that correct?
    Mr. Chao. MITRE and Blue Canopy.
    Mr. Mica. Okay, both respectable firms. And this is the 
MITRE report. MITRE was unable to adequately test 
confidentially and integrity of the exchange system in full. 
Are you aware of that?
    Mr. Chao. Well, that seems actually true and appropriate, 
because the full system isn't built.
    Mr. Mica. But it was never fully tested? Has it been 
tested?
    Mr. Chao. No. I think what it is referring to is that there 
are other components of the Marketplace program that still need 
to be built.
    Mr. Mica. Sir, can you sit here and tell us that there are 
not heightened risk of unauthorized access, non-encrypted data, 
identity theft, and loss of personal identifiable information?
    Chairman Issa. The gentleman's time has expired.
    Mr. Chao. That was----
    Mr. Mica. And Mr. Powner, can he also answer to that?
    Mr. Chao. That was my reply in response to a decision memo 
in which we wanted to generally highlight the potential risk 
that is applicable to any system of this magnitude that is 
servicing the public and collecting information about people.
    Chairman Issa. Mr. Powner, if you had anything else, 
briefly.
    Mr. Powner. Your staff shared that document with me. I 
think the key is that was an early assessment, not on the 
complete system, and a key question going forward is what has 
been done in terms of security testing and assessment while the 
system continues to be built.
    Chairman Issa. Thank you.
    The gentlelady from New York, Mrs. Maloney.
    Mrs. Maloney. Thank you. I would like to thank all of the 
panelists for their public service and thank the chairman and 
ranking member for this oversight hearing. There is a success 
story in the State that I am privileged to represent, New York 
State. Nearly 50,000 New Yorkers have enrolled in health 
insurance plans through the New York State health program. 
Almost 200,000 New Yorkers have completed full applications on 
the New York State of Health. Additionally, the State's 
customer service center operators have provided assistance to 
more than 142,000 New Yorkers. And the rates for the plans 
represent a 53 percent reduction compared to the previous 
year's individual rates, and in addition to the cost savings, 
it is estimated that nearly three-quarters of individual 
enrollees will qualify for financial assistance. This is 
according to an official State report from New York. So this is 
certainly good news.
    But we do need improvements on the Federal user experience, 
and I would like to ask Mr. Park have improvements been made 
daily on the website? Are you working to make improvements 
every day?
    Mr. Park. Thank you so much for the question, and it is 
terrific news coming out of New York. So the answer to your 
question is people are working every day to make things better. 
I would say the site is getting better week by week. Some days 
are better than others, but if you look at the trend line, week 
over week things are getting better. So, for example, one 
metric of the user experience is what is called system response 
time. This is the rate at which the website responds to user 
requests like displaying a page that you want. Just a few weeks 
ago that rate was, on average, eight seconds across the system, 
which is totally unacceptable. It is now actually under a 
second today.
    Mrs. Maloney. Well, that is really good news. How much 
faster can the public expect the website to be? Now you are 
under a second, is that what you are saying?
    Mr. Park. On average, yes.
    Mrs. Maloney. On average?
    Mr. Park. Yes.
    Mrs. Maloney. Well, can the public expect--can you make it 
any faster than a second?
    Mr. Park. Yes. The team believes that it can, the team 
doing this, and we are most of the way, I think, in terms of 
average response time that we want to be. We want to get it 
down further. We are also actually, thanks to----
    Mrs. Maloney. So I would say that reducing wait time has 
become a priority, right? And that certainly will help 
enrollment numbers, don't you think, Mr. Park?
    Mr. Park. That is right. Yes, ma'am.
    Mrs. Maloney. Okay, great. That is terrific. Now, are 
accounts registering properly at this time? Was that problem 
solved?
    Mr. Park. That problem has actually largely been solved. 
That was, of course, a significant problem up front that folks 
experienced. But thanks to expanded capacity, thanks to system 
configuration changes and code fixes, that problem has largely 
been solved. People can actually get through the front door and 
begin the application process and start shopping for affordable 
health options.
    Mrs. Maloney. So how many registrations can the system 
handle now? Congratulations on solving that, by the way.
    Mr. Park. So I believe that the latest number the team 
reports is about 17,000 registrations an hour, and the plan is 
to actually up that in terms of new accounts being created. 
Then, of course, people who have registered previously are 
coming back and coming back and coming back to keep working on 
their application, shop for plans, etcetera.
    Mrs. Maloney. And how are you reaching out to people who 
may have been discouraged and encouraging them to come back and 
try again? Is there any effort to reach out to them or just the 
notices that it is happening?
    Mr. Park. Yes, ma'am. So CMS is currently engaged in an 
effort to begin to reach out to folks who actually got stuck in 
the application process and encouraging them to come back and 
make it through the front door and start applying for coverage.
    Mrs. Maloney. Are there resources there to help people 
navigate the process? I am hearing they are confused often. Is 
there any resources there to help them figure it out?
    Mr. Park. Yes, ma'am. There is Help text, there is also the 
call center, and the team is also working quite vigorously to 
keep improving the user interface and the flow so that you need 
less help, so that it is more and more clear to you at 
particular points what to do.
    Mrs. Maloney. And how are you assessing or distributing the 
feedback that you are getting from users that have used the 
system and want to tell you how they can make it faster? But I 
don't see how you could make it any faster than a second, quite 
frankly. But how are you communicating that feedback from 
users?
    Mr. Park. You can make it faster, by the way, and so people 
are working on that. But there is feedback coming from a 
variety of different sources; from users, from folks in the 
field, from the call center, from testers, and that is actually 
being fed into a list dynamically kept on an ongoing basis of 
things to do in priority order to make the website better and 
better.
    Mrs. Maloney. And I understand that the Hub, the data Hub 
is working well. Is that correct?
    Mr. Park. The Hub has worked extremely well from day one. 
It supports actually not just the Federal Marketplace, but all 
the State Marketplaces, including New York's great success; and 
that continues to hum along very nicely.
    Mrs. Maloney. Well, thank you. My time has expired and I 
see that sleeping on the floor is paying off in your hard work. 
Thanks.
    Mr. Park. The team. It is the team. I am just part of it; 
the team is doing the work.
    Mrs. Maloney. Your team. Congratulations. Thank you.
    Mr. Park. The team.
    Chairman Issa. I thank the gentlelady.
    We now go to the gentleman from Tennessee, Mr. Duncan.
    Mr. Duncan. Thank you very much, Mr. Chairman. While I am 
very skeptical about the Government's ability to run our health 
care system, what I am more concerned about or object to more 
is all the sweetheart insider deals that Government contractors 
get under these programs and all the people and companies that 
are getting filthy rich off of these programs.
    I have an estimate here on the cost of all the technology, 
the estimate of OMB as of August 30th, before all the problems 
surfaced, and they said we would spend $516.34 million on the 
technology. Now we have seen estimates way above that. So I 
have a question about that, about how much all this is going to 
cost us to straighten this out and are these going to be 
continual costs each year? Are we going to have to spend more 
and more and more on the technology?
    But secondly, and a greater concern, I have two stories 
here, one from The Washington Post about 10 days ago and one 
from CBS News a couple days later, and they say the 
Administration knew three and a half years in advance that 
these problems were going to occur. The Washington Post story 
says in May 2010, two months after the Affordable Care Act 
squeaked through Congress, President Obama's top economic aids 
were getting worried. Larry Summers, director of the White 
House's National Economic Council, and Peter Orzag, head of the 
Office of Management and Budget, had just received a pointed 
four page memo from a trusted outside health advisor that 
warned that no one in the Administration was up to the task of 
overseeing the construction of an insurance exchange and other 
intricacies translating the 2,000 page statute into reality.
    So what I am asking, and I welcome comments from anybody on 
the panel, how much is all this going to cost to straighten out 
these problems that we now know that we have? And, secondly, 
how long is it going to take, when the Administration or you 
all have had three and a half years warning that this was going 
to happen? How much longer is it going to take to straighten 
all this out?
    Chairman Issa. Mr. Powner, you seem to be giving the best 
answers.
    Mr. Powner. I can comment on the cost figure, what we know 
to date. If you look at OMB documentation, there are exhibits 
where you report spending by fiscal year, and through the 
fiscal year 2013, so by the end of September, it was north of 
$600 million spent. Now, I will caveat that by saying that did 
include IRS costs associated with that and some other 
Government agencies; it wasn't just all CMS and HHS.
    But your question about what it is going to cost to fix, 
that is where we are kind of blind to that, and I think that is 
a key question, how much that will end up being.
    Mr. Duncan. All right. Does anybody know? If we have spent 
$600 million already, and it is not working, does anybody have 
any idea how much all this is going to cost us in the end? 
Nobody knows?
    Then go to the second question. How long is all this going 
to take? If you have had three and a half years to get ready 
for this and we had all these promises about you can keep your 
plan, you can keep your doctor, your health care cost premiums 
are going to go down by as much as $2500, and we now know that 
all that was false or incorrect, how much longer is it going to 
take, another three and a half years to get this straightened 
out?
    Mr. VanRoekel. I think it is important to note, sir, that 
Americans are getting insurance today, that the system is 
passing through and people are registering. The focus today, as 
I said in my opening statement, is about continuous improvement 
and making sure that we make that even better and stronger, and 
that more and more people----
    Mr. Duncan. Millions are getting their policies canceled 
and more are getting sticker shock because of premium 
increases, too. But I am just wondering. What I am asking about 
is all the technology. If we have had three and a half years 
that the Administration has known that this was going to 
happen, and they couldn't fix it in three and a half years, how 
much longer is it going to take us?
    Chairman Issa. Would the gentleman yield?
    Mr. Duncan. Yes, sir.
    Chairman Issa. You know, we have two distinguished 
individuals from the private sector, and I would suspect that 
at Athena and at Microsoft they knew what their burn rate was, 
they knew what their time was. In fact, neither of their 
companies would exist if they had launched their product quite 
like this. Even Windows Vista launched better than the Obama 
website.
    But the gentleman could include their experience in the 
private sector, if they would like to compare this launch with 
the launch of each of their companies.
    Mr. VanRoekel. I think it is important to note on this the 
way that Federal budgeting and Federal IT is managed and 
empowered, and I think FITAR actually emphasizes this, as well 
as many of the memos and things that I have put out, is 
empowering agencies to do their mission work, to execute 
against the budget. We formulate the budget within the Office 
of Management and Budget, and then the Congress and the 
appropriators actually grant that budget to the agencies to 
then execute; and the tools that we build to track, spend, to 
make sure that diligence is happening on that are all about 
empowering the agency to make those smart decisions about what 
they do. So in the private sector it is not directly parallel 
because you are not, from our position, on the ground actually 
running these programs day-to-day.
    Chairman Issa. You are begging an angel capitalist to give 
you one more chunk of money that he may or may not give you.
    With that, we go to the gentlelady from the District of 
Columbia for her five minutes.
    Ms. Norton. Thank you, Mr. Chairman. And although you have 
called witnesses who are being asked to fix a plane while it is 
in the air, I do believe oversight is appropriate in light of 
the round of surprises we have had.
    Let me try to clear something up, Mr. Chairman. Mr. Chao 
got a round of questions about the preflight checklist, and I 
do have a document that said testing successfully, yes. I don't 
know if that means conducted a test or what, because if you 
look more deeply into the document, and you didn't have this 
before you, where you have the CGI checklist, that defect 
report, it is entirely consistent, Mr. Chao, with what you have 
said because this defect report says there were 22 defects.
    Chairman Issa. Would the gentlelady make that document 
available?
    Ms. Norton. I would be glad to make this available to you 
and to the press.
    I am also troubled by how the committee often pulls the 
White House into these matters without any evidence. The White 
House, in this case, the rollout is accused of not knowing 
enough and now they have been accused of directing matters with 
respect to the Anonymous Shopper function. Even the chairman 
has said that publicly on television.
    So I would like to ask Mr. Chao about that issue. And the 
question really has to do with whether you were forced to 
register and then shop, whether that change was made from shop, 
then register to register, then shop; whether that change was 
made because of the involvement of the White House in any way.
    Mr. Chao. Absolutely not. It was a decision made on the 
results of testing. It would be pretty egregious, and I 
understand that a lot of folks are wondering why the website is 
functioning the way it is, but to consciously know that it 
failed testing and to then put it into production for people to 
use is not what we do. We use the best available information, 
and if the test results show that it is not working, we don't 
put it into production.
    Chairman Issa. Would the gentlelady yield?
    Ms. Norton. I certainly will, Mr. Chairman, if you will 
make sure I get my time
    Chairman Issa. Of course.
    Would you stop the clock?
    You know, the gentlelady's information, I have been told, 
the one that you are referring to, is in fact a roll up to the 
decision that it had passed. In other words, your document is 
not inconsistent with it. I think Mr. VanRoekel made it clear 
that they are still fixing XP, after they no longer support it. 
So I think the conclusion of the document is clear. You are 
asking Mr. Chao. He is still saying that this thing failed the 
test, when it in fact documents show it passed the test. Was it 
perfect? No. But if you could only get six people registered on 
day one and only 240 registered on day two, some might say that 
the website was not passing the test in those first two days 
either. So hopefully that document, you can make it available 
to all of us, but I have been told that that is simply part of 
the supporting documents for the conclusion that CMS has in 
their own documents, which is that that portion which was 
excluded, and we have been told in testimony that, in fact, 
they were told by people at CMS to turn it off and that those 
people were being instructed by people at the White House.
    Ms. Norton. Let me clear that up, Mr. President.
    Chairman Issa. Okay.
    Ms. Norton. I mean Mr. Chairman.
    Chairman Issa. I just want you to understand that 
contractors told us----
    Ms. Norton. Well, Mr. Chairman, let's look at the document. 
Let's have people look at the fine print and decide when these 
22 defects were noted, because I got it in black and white 
here.
    Now, you say the White House did not say to turn off the 
Anonymous Shopper, Mr. Chao, was that your testimony?
    Mr. Chao. Yes.
    Ms. Norton. Because the allegation of the chairman was that 
the White House ordered it because they wanted to avoid sticker 
shock. I remember seeing that on, I think, television. Now, 
just let me say something about sticker shock. I had a staff 
member go on just to test the DC Health Link, which is where we 
all will have to go, and she found that the same--there are 267 
different policies, insurers on DC Health Link, and she found 
that the same Blue Cross Blue Shield she is now getting from 
the Federal employment program she can get for between $160 and 
$220 less. So if there is sticker shock, at least some people 
are finding sticker shock works the other way.
    But I want to drill down on this decision from the White 
House. Was there White House directive that because--the 
decision came not because--I want to make sure your testimony 
remains, because there has been some difference the chairman 
cited--that there was no White House directive, but the reason 
for pulling the Anonymous Shopper was because the function 
failed testing, does that continue to be your testimony?
    Mr. Chao. Correct. If we would have put it into production, 
even though it is anonymous shopping nor browsing, it requires 
some attributes about your preferences, your demographics to 
approximate potentially what premium tax credit ranges you 
would qualify for so that you can then move into shopping or 
plan compare. It didn't work in either calculating the 
approximate premium tax credit, nor did it work in plan 
compare, so if we allowed people to go through that, they would 
have gotten erroneous information and that would have been much 
worse than not having it at all.
    Ms. Norton. I have already pointed to a document. By the 
way, this document is from September.
    Now, did you get----
    Chairman Issa. The gentlelady's time has expired. Would you 
briefly finish?
    Ms. Norton. Did you get any direction from the White House 
to disable or to delay the shopper function and were there any 
political considerations that went into your decision to do so?
    Mr. Chao. None whatsoever. I look at the facts of whether a 
system is going to be ready. And, of course, not everything is 
always 100 percent perfect, and there are certain tolerances, 
but in this case it failed so miserably that we could not 
consciously let people use it.
    Ms. Norton. Thank you, Mr. Chairman.
    Chairman Issa. I thank the gentleman.
    We now go to the gentleman from North Carolina, Mr. 
McHenry. Could you yield for just 10 seconds?
    Mr. McHenry. Happy to.
    Chairman Issa. Thank you.
    Mr. Chao, if it couldn't calculate the prices properly, is 
it your testimony that when people went through the back door, 
those six that got through on the day one, that it did 
calculate what their plan and let them shop through another 
part, a completely different portal?
    Mr. Chao. If you don't go through what was----
    Chairman Issa. No, no, no. I have taken six seconds from 
the man and I don't want to go passed a few seconds.
    Mr. Chao. If you fill out an online application and you put 
your information in, you get an eligibility determination, you 
ask for financial assistance----
    Chairman Issa. Yes, you go through everything. But you are 
saying you didn't get the right price through the same software 
that would determine the right or wrong price----
    Mr. Chao. No. Anonymous shopping was using different 
software.
    Chairman Issa. Oh, yeah. Okay. That remains to be seen.
    Mr. McHenry, thank you.
    Mr. McHenry. Mr. Chao, all my constituents care about and 
want to know is when they log on, is their data, all their 
personal identifiable information, is that as secure as if they 
do online banking.
    Mr. Chao. It was designed, implemented----
    Mr. McHenry. I mean, that is a yes or no question.
    Mr. Chao. It was designed, implemented, and tested to be 
secure.
    Mr. McHenry. So it was fully tested in best practices under 
the Federal Government standard for IT proposals.
    Mr. Chao. Correct.
    Mr. McHenry. It was?
    Mr. Chao. It was security assessment testing conducted by 
MITRE and another company.
    Mr. McHenry. Okay. So it is fully tested as the other IT 
projects you have overseen into that same standard.
    Mr. Chao. I am trying to understand what you mean by fully 
tested. It was tested----
    Mr. McHenry. Fully tested? Holy cow. This is like a new 
low. Okay, then let me use the----
    Mr. Chao. There are a lot of----
    Mr. McHenry. Best practices are a complete integrated 
testing, is that correct?
    Mr. Chao. It is tested and prescribed under the FISMA 
framework and NIST controls that are specified as a standard.
    Mr. McHenry. Okay. So why did your boss resign?
    Mr. Chao. He didn't resign.
    Mr. McHenry. Okay. So due to security readiness issues----
    Mr. Chao. I think he decided to make a career change, which 
I can't speak to.
    Mr. McHenry. I think it was a fantastic time to hightail it 
out after this great rollout. So let me ask another question. 
So Marilyn Tavenner signed the authority to operate memorandum. 
Traditionally, would your office sign a memorandum or have you 
signed previous memorandums on authority to operate?
    Mr. Chao. Myself, I have not.
    Mr. McHenry. Has your boss, or previous boss?
    Mr. Chao. Not that I know of. But I do not manage the ATO 
sign-off process, that is done between the chief information 
officer and the chief information security officer.
    Mr. McHenry. Okay. And they would traditionally do it, not 
the CMS administrator.
    Mr. Chao. I think you would have to ask them.
    Mr. McHenry. Okay. Fantastic. We plan to do that.
    Let me ask you, Mr. Park, you said on USA Today, on October 
6, ``These bugs were functions of volume. Take away the volume 
and it works,'' referring to Healthcare.gov. It was in the 
fourth paragraph. Do you still stand by that statement?
    Mr. Park. Thank you for the question. What I was 
specifically referring to----
    Mr. McHenry. No, no. Do you still stand by----
    Mr. Chairman, I ask unanimous consent to submit this for 
the record.
    Have you seen this USA Today----
    Chairman Issa. Without objection, so ordered.
    Chairman Issa. And the question is on the statement, not on 
what you would want someone else to believe today.
    Mr. McHenry. These bugs were function of volume. Take away 
the volume and it works. Do you still stand by that?
    Mr. Park. So I stand by the fact that the bugs that the 
reporter was referring to, which were issues users were 
experiencing in account creation up front, were in fact 
functions of volume. What I will say now, based on additional 
understanding, is that in addition to volume, which was a 
challenge, the account creation process was, later on, also 
affected by particular functionality bugs, which have been 
fixed, most of which have been fixed, along with volume 
capacity expansion and other system configurations----
    Mr. McHenry. So, Mr. Park, let me tell you a story. I have 
a woman named Sue who logged on. She filled out everything 
else. She did not fill out her middle initial. She got a 
processing error. She went back to try to fix it, put in the 
middle initial. She had to wait 48 hours to get another update. 
Turns out that her income was not verifiable because she put in 
a monthly income. She calls a navigator, the navigator says, 
yeah, we have some problems with that; maybe you can do it on 
an annualized basis. Well, unfortunately, she couldn't get back 
into the system, so then has to call back for another navigator 
and the navigator says, gosh, we have a little issue here, so 
let me try an annualized income and put it in on the back end 
that navigators can do. She is still waiting. She started on 
October 1st. She is still waiting to be successfully logged in 
to this website that you said these bugs were functions of 
volume; take away the volume and it works.
    This is such a deeply flawed data rollout, and my 
constituents are most concerned about trying to sign up, much 
less when they do sign up that they don't have their data 
stolen.
    Mr. Chairman, I yield back.
    Chairman Issa. I thank the gentleman.
    Mr. Park, you can answer, if you see a question there.
    Mr. Park. That would be great. Thank you. So I was actually 
talking specifically about issues with account creation. There 
are issues downstream as well, and, again, each time I speak 
with you, each time I speak, I will relay the best 
understanding I have and try to be as precise as I can be.
    Chairman Issa. I thank you.
    We now go to the gentleman from Virginia, Mr. Connolly.
    Mr. Connolly. Thank you, Mr. Chairman, and let me begin on 
a bipartisan note. Mr. Chairman, you and I helped write, 
joining together, the FITAR Act requiring reform of Federal IT 
acquisition. Mr. VanRoekel, you seem to have been equivocal, 
maybe, at our last meeting in January when you testified here, 
but I want to read to you a statement by the President of the 
United States. He said, just recently, one of the lessons 
learned from this whole process on the website is that probably 
the biggest gap between the private sector and the Federal 
Government is when it comes to IT; how we procure it, how we 
purchase it. This has been true on a whole range of projects.
    A reasonable inference from that statement could be drawn 
that perhaps we do need some more legislation, some new 
legislation to free up some of the moribund rules----
    Chairman Issa. Would the gentleman yield?
    Mr. Connolly. If we could freeze my time.
    Chairman Issa. Of course. I couldn't agree with you more 
that, in fact, one of the lessons that I hope all of us take 
out of this hearing today is that we have two people from the 
private sector who know that they would never do a process like 
this one was done, and yours and my legislation is really about 
trying to create at least a modicum of similarity in IT 
procurement in the Federal Government the way it is done in the 
private sector. And I thank the gentleman for his comments.
    Mr. Connolly. I thank the chairman.
    So I commend to Mr. VanRoekel the statement of the boss.
    Mr. Chao----
    Chairman Issa. So now I am the boss?
    Mr. Connolly. No. Well, you are too.
    Chairman Issa. Oh, you mean the President.
    Mr. Connolly. The other boss.
    Chairman Issa. Ah, yes. His boss.
    Mr. Connolly. The big boss.
    Mr. Chao, during your interview with committee staff on 
November 1, you were presented with a document you had not seen 
before and it was titled Authority to Operate, signed by your 
boss on September 3rd, 2013, is that correct?
    Mr. Chao. Correct.
    Mr. Connolly. The Republican staffers told you during that 
interview that this document indicated there were two open 
high-risk findings in the Federally-facilitated Marketplace 
launched October 1, is that correct?
    Mr. Chao. Correct.
    Mr. Connolly. This surprised you at the time.
    Mr. Chao. Can I just qualify that a bit? It was dated 
September 3rd and it was referring to two parts of the system 
that were already----
    Mr. Connolly. You are jumping ahead of me. We are going to 
get there.
    So when you were asked questions about that document, you 
told the staffers you needed to check with officials at CMS who 
oversee security testing to understand the context, is that 
correct?
    Mr. Chao. Correct.
    Mr. Connolly. The staffers continued to ask you questions, 
nonetheless, and then they, or somebody, leaked parts of your 
transcript to CBS Evening News, is that correct?
    Mr. Chao. It seems that way.
    Mr. Connolly. Since that interview, have you had a chance 
to follow up on your suggestion to check with CMS officials on 
the context?
    Mr. Chao. I have had some discussions about the nature of 
the high findings that were in the document.
    Mr. Connolly. Right. And this document, it turns out, 
discusses only the risks associated with two modules, one for 
dental plans and one for the qualified health plans, is that 
correct?
    Mr. Chao. Yes.
    Mr. Connolly. And neither of those modules is active right 
now, is that correct?
    Mr. Chao. That is correct.
    Mr. Connolly. So the September 3rd document did in fact not 
apply to the entire Federally-facilitated Marketplace, despite 
the assertions of the leak to CBS notwithstanding, is that 
correct?
    Mr. Chao. That is correct.
    Mr. Connolly. And these modules allow insurance companies 
to submit their dental and health plan information to the 
Marketplace, is that correct?
    Mr. Chao. Correct.
    Mr. Connolly. That means those modules do not contain or 
transmit any personally identified information on individual 
consumers, is that correct?
    Mr. Chao. Correct.
    Mr. Connolly. So, to be clear, these modules don't transmit 
any specific user information, is that correct?
    Mr. Chao. Correct.
    Mr. Connolly. So when CBS Evening News ran its report based 
on a leak, presumably from the Majority staff, but we don't 
know, of a partial transcript, excerpts from a partial 
transcript, they said that security issues raised in the 
document ``could lead to identity theft among buying 
insurance,'' that cannot be true based on what we just 
established in our back and forth, is that correct?
    Mr. Chao. That is correct. I think there was some 
rearrangement of the words that I used during the testimony and 
how it was portrayed.
    Mr. Connolly. So to just summarize, correct me if I am 
wrong, the document leaked to CBS Evening News did in fact not 
relate to parts of the website that were active on October 1, 
they did not relate to any part of the system that handles 
personal consumer information, and there, in fact, was no 
possibility of identity theft, despite the leak.
    Mr. Chao. Correct.
    Mr. Connolly. Thank you, Mr. Chao.
    I yield back.
    Chairman Issa. Would the gentleman yield your 26 seconds?
    Mr. Connolly. Yes, Mr. Chairman.
    Chairman Issa. Have you read the November 6th letter from 
the ranking member to me?
    Mr. Connolly. Yes. In fact, I think I cosigned that letter.
    Chairman Issa. Oh, that is good. So the gentleman is well 
aware that even today there are significant security leaks that 
the ranking member was concerned, if discovered, would allow 
hackers to take people's private information, that there is a 
security risk, and that was cautioned by you not to let that 
out. Susannah will give you the answer, if you will just let 
her. Okay, I hear none.
    Mr. Connolly. I am sorry, I am not following the quote.
    Chairman Issa. Well, I was trying to let the staff speak to 
you, but the bottom line is that there are security risks 
today, according to you and the ranking member. This website 
still has vulnerabilities, if discovered, that would lead to 
personal information coming out, is that correct, in your 
letter?
    Mr. Connolly. Mr. Chairman, that may be, but I am talking 
about a deliberate leak that, frankly, distorted reality based 
on two modules that were inactive and using that misinformation 
to suggest that it applied to, in fact, the active website.
    Chairman Issa. But end-to-end security problems in your 
letter do apply to the active website, right?
    Mr. Connolly. Well, they may, Mr. Chairman, but right now 
my questioning to Mr. Chao had to do----
    Chairman Issa. No, I understand you are rehabilitating Mr. 
Chao.
    Mr. Connolly. No, I am not. Mr. Chairman----
    Chairman Issa. But the question is----
    Mr. Connolly. Mr. Chairman, Mr. Chairman, let's be fair. I 
am trying to get the facts on the record and correct a 
deliberate smear against Mr. Chao. Not to rehabilitate him, but 
to, in fact, get the truth out because someone deliberately 
leaked something and distorted it, Mr. Chairman, in the name of 
this committee.
    Chairman Issa. No, I appreciate your concern. My concern 
is----
    Mr. Connolly. I am glad you do, Mr. Chairman.
    Chairman Issa.--Mr. Chao had the MITRE report and it is 
that report that, even redacted, you didn't want released 
because it shows a roadmap to the vulnerabilities of the site 
as it is today. That is your letter.
    Mr. Connolly. Mr. Chairman, I began my questioning by 
acknowledging our joint bipartisan effort to in fact try to 
legislate reforms in IT acquisition. That is an acknowledgment 
on my part, and yours, that, in fact, the Federal IT 
acquisition process is broken, whether it is this example or 
some other. So I have no desire, no motivation to hide 
anything. But I am concerned at a pattern of calling people to 
give us testimony and cherry-picking their testimony to make a 
political point that, frankly, does not serve this committee 
well in terms of its oversight role and does damage to good 
public servants' reputation.
    Chairman Issa. I appreciate the gentleman's bipartisan 
efforts.
    Mr. Connolly. I thank the chair.
    Chairman Issa. Mr. Jordan is recognized.
    Mr. Jordan. I thank the chairman.
    Mr. Chao, a week ago the President was interviewed last 
Thursday and was asked about Secretary Sebelius, and the 
President defended his health secretary--I am quoting from the 
Chuck Todd interview--defended his health secretary, argued 
that the website bugs aren't necessarily her fault. ``Kathleen 
Sebelius doesn't write code. She wasn't our IT person.''
    Who is the IT person? Who is the person in charge? Who is 
the person responsible? Who is the one who signed off on this 
before it went public?
    Mr. Chao. The person that is responsible is our 
administrator, Marilyn Tavenner.
    Mr. Jordan. And did she base her decisions on the memo you 
sent her on the 27th, is that right? Isn't that the Authority 
to Operate memo?
    Mr. Chao. I think that is----
    Mr. Jordan. I mean, the President talked about IT person. 
Ms. Tavenner is not an IT person. Who is the IT person? Is that 
Mr. VanRoekel?
    Mr. Chao. I don't know.
    Mr. Jordan. Is that Mr. Park? Is it Mr. Chao? Which of you 
is that person?
    Mr. Chao. I don't know, I didn't speak to the President.
    Mr. Jordan. No, but he refers to a person. Who would it be? 
Who is the IT person in charge?
    Mr. Chao. I don't know what the President was referring to.
    Mr. Jordan. Let me start with slide C3, if I could. The 
final report came out October 13th, after October 1st. I just 
want to read the first: MITRE was unable to adequately test the 
confidentiality and integrity of the exchange system in full. 
Lower down: Complete end-to-end testing of the application 
never occurred.
    Doesn't that raise concerns? Did you know about this before 
October 1st, Mr. Chao?
    Mr. Chao. I think that is taken out of context.
    Mr. Jordan. It is pretty plain language. Didn't test it; no 
end-to-end testing; done before October 1st. And yet the IT 
person in charge, whoever the President is referring to, 
somebody said it is okay to start this thing.
    Mr. Chao. I say it is taken out of context because there 
are still quite a few----
    Mr. Jordan. Mr. VanRoekel, did you know the results of the 
MITRE testing before October 1st?
    Mr. VanRoekel. I haven't seen this document, so I would 
love to----
    Mr. Jordan. Well, you have the fancy title; you are the 
Chief Information Officer of the United States of America. That 
is a pretty big title. And you didn't know about this before 
the biggest domestic policy program website in the history of 
this Country ever is launched, and you didn't know about this?
    Mr. VanRoekel. Sir, I haven't seen this document.
    Mr. Jordan. Well, that scares us.
    Mr. Park, you are supposed to be the guy who is going to 
solve everything; you are Clark Kent coming out of the phone 
booth here. Did you know about this before October 1st?
    Mr. Park. I did not.
    Mr. Jordan. And why is it----
    Mr. Chao. Would you like me to explain why----
    Mr. Jordan. I would like someone to tell me why you didn't 
know that end-to-end testing wasn't done----
    Mr. Chao. It is not about not knowing; it is that, for 
example, the first payment to the insurance companies, the 
issuers, are not going to occur until sometime in the first 
part of January. We are still building the system.
    Mr. Jordan. We just had this. The system all works 
together. It wasn't tested all at once.
    Mr. Chao. We are still building parts of the system to 
calculate payment, to collect the enrollment data from all the 
marketplaces and to make that payment----
    Mr. Jordan. So there is more system to be built. So we can 
expect more problems in the future to add to the problems we 
have already seen.
    Mr. Chao. Security testing is ongoing.
    Mr. Jordan. Let me ask you this. This, to me, seems to be 
the billion dollar question. Why didn't you delay this? You 
guys knew there were going to be problems. You hadn't done end-
to-end testing. Some of your testing we hoped that the tests 
would work when we presented it to the White House. Why didn't 
you delay this? Mr. Chao, why wasn't it delayed?
    Mr. Chao. That is not my decision to make.
    Mr. Jordan. This, to me, is the thing. The chief technology 
people don't know, but October 1st is October 1st, a date that 
is in the law? It is not. It is just a date--let me cite you 
this here. The Washington Post article--and I know I only have 
a minute, but The Washington Post article I think is important. 
David Cutler sent a memo to the White House, says, you know 
what, don't keep the political people in the White House, Nancy 
Ann DeParle, Jeanne Lambrew in charge, bring in outside people. 
Larry Summers agreed with that assessment; Peter Orzag agreed 
with that assessment, but the President says no, we are going 
to keep Nancy-Ann DeParle in charge of this, kept the political 
people in charge.
    In your testimony to the committee, Mr. Chao, you said 
this, when asked about October 1st, my marching orders were get 
the system up by October 1st, right?
    Mr. Chao. Correct.
    Mr. Jordan. Why? If you have all these problems, why not 
wait?
    Mr. Chao. I didn't ask why. I said that was my----
    Mr. Jordan. And what I am suggesting is the folks at the 
White House knew this thing had problems, evidenced by the 
testing that wasn't done end-to-end. They, for political 
reasons, had picked this date, so for political reasons they 
had to adhere to this date, and the end is, the end result is 
Americans' personal information is put at risk.
    Mr. Chao. I tried to correct your perception of what this 
excerpt was from. It is about a long chain of systems that need 
to be built, and this is a point in time.
    Mr. Jordan. Mr. Chairman, I have two seconds. Let me just 
finish with this. We have asked, you and I have asked Ms. 
DeParle, Ms. Lambrew to come in front of this committee next 
week, and the letter we got back yesterday was they are not 
going to come; and they are the people we need because they are 
the political people in charge. They are the ones who 
determined October 1st was the date they needed to move forward 
on, and they are the ones who I think ultimately are 
responsible for putting at risk Americans' personal 
information.
    With that, I yield back.
    Chairman Issa. Okay.
    Mr. Powner, there were all these questions and you seemed 
to have an answer you wanted to give on this end-to-end testing 
before it was done. Do you want to weigh in at this point?
    Mr. Powner. Well, I would just reiterate the point that the 
security testing was done early, on an incomplete system, and 
the fundamental question is what is being done now and how 
adequate is that to date.
    Chairman Issa. Thank you.
    Mr. Davis.
    Mr. Davis. Thank you. Thank you very much, Mr. Chairman. 
Mr. Chairman, there has been a lot of information over the past 
several weeks regarding the security of Healthcare.gov and 
whether consumers who use this system are at risk. I would like 
to hear from the witnesses about this matter and separate fact 
from fiction.
    Mr. Chao, the Federal Information Security Management Act, 
known as FISMA, requires agencies to protect information 
systems. FISMA specifically requires an authorizing official to 
sign off before an agency begins operating a system. In the 
case of Healthcare.gov, we have a memo that was signed by 
Administrator Tavenner on September 27, 2013, entitled 
``Federally-Facilitated Marketplace.'' This memo says that the 
security contractor ``has not been able to test all of the 
security controls in one complete version of the system.'' It 
also says this resulted in a ``level of uncertainty that can be 
deemed as a high risk.''
    Mr. Chao, can you explain how CMS tested various components 
of the system for security risk?
    Mr. Chao. In general, in most large IT projects that 
require several what we call environments that are used to move 
from a developer's machine in writing code and to test that 
locally, and then to put it into a larger environment to test 
with other code, and you go through this step-wise process of 
constructing the system. I think what the statement reflects is 
that in any situation similar to the Marketplace systems, 
security people have to test when they can and when they have a 
window. As I mentioned, there is a compressed time line, and 
that compressed time line affords some ability for security 
testing to occur as the software is being developed through its 
life cycle.
    I think what the memo was just trying to say, and it was 
erring on the side of caution, that as software is continuously 
being developed, it was tested in three cycles. So by the end 
of three cycles it had fully tested the necessary functions to 
go live on October 1st. There are, as I mentioned earlier, 
other system functions that are yet to be built and will 
continue to have security testing conducted.
    So security testing is a point in time. Risk acceptance of 
that security testing results is a point in time. And then in 
that memo you will also see that we have applied various 
mitigation steps to try to offset the potential risk that was 
identified.
    Mr. Davis. Do you know of any other IT systems, in your 
experience, that were authorized without completing full system 
security testing?
    Mr. Chao. I think that there is a slight art in the wording 
of that. I think every system the Federal Government puts into 
live production needs to have sufficient security testing, per 
FISMA and OMB and NIST requirements. Whether we tested in three 
cycles, whether we tested annually or every three years, 
testing is an ongoing and ever-present, kind of part of the 
process. When we are testing the controls for a portion of a 
system that is ready for a particular delivery date, we fully 
test those. For a portion of the controls for a part of the 
system, as I mentioned earlier, in which we do not have to make 
payment on October 1st, that is then tested at a later date, 
when that function is ready and needed in order to go into 
operation. So it is an iterative ongoing process.
    Mr. Davis. Has a security team been established?
    Mr. Chao. Yes.
    Mr. Davis. Has CMS been performing weekly testing?
    Mr. Chao. Yes.
    Mr. Davis. I have no further questions. Thank you, Mr. 
Chairman. I yield back.
    Chairman Issa. I thank the gentleman for yielding back.
    We now go to the gentleman from Utah, Mr. Chaffetz.
    Mr. Chaffetz. I thank the chairman.
    I thank you all for being here.
    Mr. Baitman, I would like to start with you. Since the end 
of August, how many times have you personally met with 
Secretary Sebelius?
    Mr. Baitman. I am not sure, probably once or twice.
    Mr. Chaffetz. And when was the last time you met with the 
secretary?
    Mr. Baitman. I believe that it was during the shutdown. The 
secretary had regular meetings with senior leadership.
    Mr. Chaffetz. So you met one time in October?
    Mr. Baitman. I believe so.
    Mr. Chaffetz. So you met one time. You are the chief 
information officer. You met one time in October with the 
secretary. My understanding is you engaged a hacker to look at 
Healthcare.gov, correct?
    Mr. Baitman. CMS asked us to help them with various things.
    Mr. Chaffetz. But you engaged a hacker to look at the 
system.
    Mr. Baitman. We engaged someone who is called an ethical 
hacker who is on my staff.
    Mr. Chaffetz. An ethical hacker. When did they start their 
hacking?
    Mr. Baitman. It was during the shutdown.
    Mr. Chaffetz. And how long did it take him to complete his 
hacking exercise?
    Mr. Baitman. I think it is an ongoing activity. But he is 
actually based in Atlanta.
    Mr. Chaffetz. And then he gave you a report. How many 
serious problems did he find?
    Mr. Baitman. I don't know if I would call them serious. I 
think that there were something like 7 to 10 items on that 
report.
    Mr. Chaffetz. So you had 7 to 10 items of hacking, some of 
which you don't believe are serious, but some are obviously 
serious. What percentage of those have been fully rectified?
    Mr. Baitman. I turned those over to CMS for their review. 
Some actually weren't systems issues, they included things like 
physical security as well.
    Mr. Chaffetz. So you have no follow-up? You have no idea 
what percentage of those hacking incidents were rectified?
    Mr. Baitman. I believe CMS got back to my staff last week 
and said the majority of those had been remediated.
    Mr. Chaffetz. You don't know what percentage. It is not 100 
percent.
    Mr. Baitman. I don't believe it is 100 yet, no.
    Mr. Chaffetz. So you shared that with CMS. Did you share 
that with Secretary Sebelius?
    Mr. Baitman. I have not.
    Mr. Chaffetz. You are the chief information officer for the 
Health and Human Services.
    Mr. Baitman. These are fairly technical items. The 
appropriate place to share them is with the system owner.
    Mr. Chaffetz. But it is not safe and secure, and I guess 
that is the fundamental concern, is even after the October 
launch, you are the chief information officer, you get a hacker 
who in a couple days finds probably 10 or so problems and 
challenges. It is that easy to get in and hack the information. 
That is the concern.
    Mr. Powner, is this ready? Following up on Mr. McHenry's 
question, is the site, in your opinion, currently as safe and 
secure as an online banking site?
    Mr. Powner. I would have to look and assess the security. 
And all that stuff that MITRE did and the authority to operate 
is preliminary because it was on--I mean, MITRE said that they 
didn't test the interfaces. The interface testing needed to 
occur. So all that stuff that is preliminary raised issues, 
but, again, we----
    Mr. Chaffetz. Would you put your information in there?
    Mr. Powner. I would have to see what the security testing 
and assessment has been since then before I was comfortable. I 
haven't seen it yet, so we are going to look at it.
    Mr. Chaffetz. Well, the answer is not yet yes.
    Mr. Chao, would you put all your personal information about 
you and your loved ones in it?
    Mr. Chao. Yes. In fact, I have recommended my sister, who 
is unemployed right now, to actually apply.
    Mr. Chaffetz. Did she successfully register?
    Mr. Chao. I haven't talked to her lately; she has been out 
of the Country.
    Mr. Chaffetz. Interesting. And you have this report, then, 
from Mr. Baitman, about the hacker's report?
    Mr. Chao. I do not personally, but as I mentioned earlier, 
there are security teams in place, including permanent security 
staff under the chief information security officer that 
coordinates with franks.
    Mr. Chaffetz. Mr. Chairman, this is something we obviously 
have to follow up on.
    Mr. Park, you are a very bright and talented person. The 
Federal Government is lucky to have somebody of your caliber 
engaged in this process, and it actually gives me comfort that 
you are looking at this and spending some time in it, but I 
have a fundamental question that I want to ask you. Have you 
ever shopped on Amazon.com?
    Mr. Park. Yes, sir.
    Mr. Chaffetz. Have you ever showed on eBay.com?
    Mr. Park. Actually, no.
    Mr. Chaffetz. We are going to have work with you on that 
one.
    Chairman Issa. As a Californian, I am personally offended.
    Mr. Park. I would like to.
    Mr. Chaffetz. Let's go back to the Amazon experience. When 
you put something in your shopping cart, is that considered a 
sale?
    Mr. Park. No.
    Mr. Chaffetz. Thank you.
    I yield back.
    Chairman Issa. Would the gentleman yield?
    Mr. Chaffetz. Sure.
    Chairman Issa. Mr. Chao, you have been fairly defensive 
about things being out of context, so I am going to ask 
unanimous consent that the CMS document of September 3rd, 2013, 
the memorandum, be placed in the record in its entirety. But 
before I do so,--well, without objection, so ordered.
    Chairman Issa. But I want to make something clear. We had 
previously redacted information. Is there anything in that memo 
that you believe needs to be redacted? Because otherwise we 
will put it in in its entirety so there's no question about 
that.
    Mr. Chao. I would have to review it.
    Chairman Issa. Okay, it is in the record now. By close of 
this hearing, if there is something that needs to be redacted, 
I need to know, because I will consider redacting it.
    Mr. Cummings. Mr. Chairman?
    Chairman Issa. Yes.
    Mr. Cummings. I just wanted to make sure there was no 
sensitive information in there.
    Chairman Issa. Well, that is the problem.
    Mr. Cummings. I am just trying to obey the law, Mr. 
Chairman.
    Chairman Issa. This thing is already in the record. If we 
choose to redact something--the question is that there are 
numerous things that give us sightings of lines in September 
3rd that clearly this thing wasn't ready for security on 
September 3rd. And when our people questioned you about 
September 27th and there was no end-to-end and security 
concerns, you want to say you were taken out of context, but 
both September 3rd and September 27th, what we find is that 
there was no end-to-end testing, and any point of vulnerability 
is a point that could access people's private information.
    Isn't that true, Mr. Powner? So the absence of end-to-end 
testing means that anything that can reach into the database, 
in fact, could be a significant security risk to people's 
personal information, and has nothing to do with whether or not 
a module is about shopping, isn't that true?
    Mr. Powner. That is correct.
    Chairman Issa. Okay.
    Yield back and at this point I recognize the gentleman from 
Tennessee, Mr. Cooper, next.
    Mr. Cooper. Thank you, Mr. Chairman. I am worried that the 
net effect of this hearing might be to exaggerate the security 
difficulties of the website. I serve on the Armed Services 
Committee, and our own Pentagon is attacked many thousands of 
times a day, sometimes by foreign powers. So the entire 
Internet could and probably should be more secure. So we have 
to acknowledge some system problems for the whole Internet, and 
then there are other issues we can deal with.
    Another concern I have is the witnesses are being badgered, 
and I would like to offer witnesses, perhaps Mr. Baitman, 
perhaps Mr. Park, Mr. Chao, and others an opportunity to 
respond, because I believe in fairness, and the American people 
do not want to see a kangaroo court here. And the way this 
hearing has been conducted does not encourage good private 
sector people to want to join the Federal Government.
    I personally had the privilege of hearing Mr. Park speak in 
Nashville, Tennessee a couple years ago. He spoke before a 
hard-core private sector, pro-capitalist, business audience, 
and they told me they had never heard a speaker who understood 
business better, who got it; and it was a real tribute to me 
that someone of your caliber was willing to work for the 
Federal Government, because that instilled faith in the 
process, because we are the best Nation on Earth. We have to 
act like it. We do face problems sometimes, but the American 
spirit is the can-do, we can fix it attitude, not the blame 
game, not the bickering game.
    So if there are witnesses who would like a chance to say a 
few words in public, because you have been treated unfairly, in 
my opinion, and I would like to have this be an equal playing 
field.
    Chairman Issa. Would the gentleman yield? Have I cut off 
anyone's answer here today?
    Mr. Cooper. Will I be able to keep my time?
    Chairman Issa. Of course.
    Mr. Cooper. You cut off the ranking member of this 
committee at the beginning of this hearing.
    Chairman Issa. I cut him off a minute into question and 
answer, after he had exceeded his five minutes. But no witness 
here today has been cut off.
    Mr. Cooper. But, Mr. Chairman----
    Chairman Issa. Every witness has been allowed to complete 
their entire answer.
    Mr. Cooper. Mr. Chairman, but using----
    Chairman Issa. I just want to understand. Kangaroo courts 
is quite an accusation, and I hope the gentleman from 
Tennessee, when he uses the term kangaroo court in the future, 
will think better of making an accusation. No witness has been 
cut off. Every witness has been allowed to complete their 
entire answer in every case. We went about six minutes before I 
asked Mr. Baitman to simply conclude. That is the closest thing 
to anything. So this is not a partisan hearing. I will not have 
it accused of being a partisan hearing. We have a website that 
the American people have seen doesn't work. We are trying to 
get to an understanding of why it didn't work so that it 
doesn't happen again. And these happen to be experts, and for 
the most part we are relying on them to be the people fixing 
it.
    The gentleman is recognized.
    Mr. Cooper. Thank you, Mr. Chairman. This is a hearing on a 
broken website by a broken committee, and the air is thick with 
innuendo. When the chairman discusses rehabilitating witnesses, 
that implies they need rehabilitating, when in some cases the 
witnesses have perhaps already been abused, sometimes by leaks, 
whether deliberate or not. So let's focus on fixing the 
problems. And I think Mr. Baitman was about to speak.
    Mr. Baitman. Thank you, Mr. Cooper. There is one thing I 
would like to clarify in response to my comments to Mr. 
Chaffetz. We found vulnerabilities with the system, and there 
will always be vulnerabilities. Every system that is out there, 
systems that are live, systems that we trust right now, banks, 
online shopping sites, all have issues because they are 
continually making changes to their code. That introduces 
vulnerabilities. And it is up to us on a continual basis, as 
Mr. VanRoekel pointed out, all software goes through continuous 
improvement. So what we are doing right now is continually 
improving our software and on an ongoing basis identifying 
vulnerabilities that exist.
    Mr. Cooper. Any other witness? Mr. Chao?
    Mr. Chao. What I would like to say is that if I come across 
as being defensive, I apologize, but I am being defensive not 
in terms of me; I am being defensive in terms of the truth. And 
I believe that that is what this committee is trying to get to. 
In fact, I think that is what you said in the beginning. So 
when I detect that there is distortions or misuse or unrevealed 
things about that I spent nine hours with your staff basically 
being deposed, I am going to be defensive because that is not 
the truth. That is all I want to make clear about my 
defensiveness.
    Mr. Cooper. Any other witness like to make a point?
    This committee has many talents and it has broad 
investigative jurisdiction. To my knowledge, and I could be 
wrong because my colleagues have many talents, to my knowledge, 
none of us could do a website on our own. We are not software 
engineers. You could?
    Chairman Issa. I think, unfortunately, you have several 
hear, including one who made a living doing it.
    Mr. Cooper. Well, none of us would want to certainly be 
engaged in this task. Are you volunteering to work for----
    Chairman Issa. None of us want to own this particular 
website.
    Mr. Cooper. Well, yeah. But it is easy to criticize. It is 
hard to perform. And as the gentleman, Mr. VanRoekel, pointed 
out, even Microsoft, with Windows XP, is still revising it 12 
years later. Software is an iterative process. The Internet is 
not perfect, but it is still one of the great technological 
accomplishments of mankind. It is transforming the planet, and 
in a good way overall, but there are glitches and we work on 
those.
    So when we swear witnesses, as we do, when we put them in a 
very uncomfortable position, deliberately, in some cases when 
we subpoena then unilaterally, that creates tension, and it is 
actually going to slow the fix of the website. So I worry about 
that.
    And the chairman and Mr. Connolly have already collaborated 
on what sounds like an excellent bill to fix overall Federal 
IT. I was very impressed when Mr. VanRoekel pointed out that is 
an $82 billion issue. What we are talking about here today, at 
least from the August cost estimate, is 0.6 percent of that. 
Why don't we focus on the larger issue and fix it? Because, as 
I said earlier, it is much better to light a candle than to 
curse the darkness.
    Chairman Issa. If the gentleman would yield, maybe we can 
close on a positive note. Both Mr. Powner, who has constantly 
talked about stress-testing end-to-end, and Mr. VanRoekel, who 
knows very well that Microsoft never put a new operating system 
that wasn't stress-tested end-to-end; it still had bugs, it 
still had vulnerabilities. And by, the way, whenever you add a 
new driver, a new something else, you create a potential new 
one that has to be tested. But stress-testing end-to-end was 
something that this committee wanted to know at the onset, why 
it hadn't been done, because it is a best practices, which GAO 
has very kindly made clear. I believe it is already in the 
record, but if it is not, the nine points that GAO had made in 
their report of best practices that were not followed.
    So Mr. Connolly and I, Mr. Cooper, we are trying to get to 
where best practices will always be used. And in this case, not 
because of these individuals, per se, they are here as experts, 
but this development over three and a half years shortcutted 
some best practices, and it is not the first time and it won't 
be the last time, but it is one where, as I said in the opening 
statement, it is so important, when the American people are 
focused, for us to say you can expect better from your 
Government in the future; and I don't mean on Healthcare.gov, I 
mean on all of that $82 billion worth of IT.
    And I appreciate your comments to that end.
    Mr. Cooper. Mr. Chairman, let's see about getting your bill 
to the floor.
    Chairman Issa. Boy, I tell you, that is something we all 
would like to do, so I am going to talk to leadership----
    Mr. Cooper. You are in the majority party.
    Chairman Issa. You know what? I tell you what. I will get 
it to the floor in the House. If you will help me in the 
Senate, we will get this done.
    Mr. Cooper. I have lots of influence in the Senate. I would 
be happy to help.
    Chairman Issa. Thank you.
    [Laughter.]
    Chairman Issa. With that, we recognize the gentleman from 
Michigan, who knows a great deal about health care websites 
from his State, Mr. Walberg.
    Mr. Walberg. Thank you, Mr. Chairman, and thank you for 
holding this hearing.
    And to the panel as well, thank you for being here. You 
have plenty to do. We wish you didn't have to be here today, 
but when I receive letters on top of letters and contacts in 
six town hall meetings that I held last week, live town hall 
meetings, like this one from Rachel Haynes in Eaton Rapids, 
Michigan, where she talks about the fact of cutting off from 
her insurance, her husband and five children, she says this: I 
hated the idea of getting on to Healthcare.gov website, as I 
believe insurance is a private matter. I did it anyway. The 
website did not work, so I called a number. And she goes on to 
tell of talking with a person on the phone and ultimately being 
hung up on.
    That is the reason why this hearing is important. Frankly, 
Mr. Chairman, I believe that this whole act that was put into 
law under the cover of darkness with the simple votes from the 
other side of the aisle who now take offense at us having 
hearings like this on problems and doing proper oversight is 
the reason to have this hearing today, because people like 
Rachel Haynes and her family are concerned not only about 
security, but right now that is one of the biggest concerns on 
a website that doesn't work for her.
    I want to go back to some of the concerns in the MITRE 
report and I want to ask the first question. Mr. Chao has 
already, in earlier statements to questions just before me, 
indicated, when asked why he didn't push back on opening this 
thing up on October 1st, he didn't ask why. So I am going to go 
to Mr. Baitman, because I think that is an important question 
that should have been asked, why. Why do we have to open up on 
October 1st?
    But the question I would ask here, Mr. Baitman, MITRE was 
responsible for conducting the security control assessment for 
the Federal exchange, is that correct?
    Mr. Baitman. That is my understanding.
    Mr. Walberg. According to MITRE, the final security 
assessment for the Federal exchange occurred from late August 
through mid-September. Is that your understanding?
    Mr. Baitman. It is.
    Mr. Walberg. Mr. Baitman, to the best of your knowledge, 
did MITRE conduct a complete integrated security test of the 
Federal Marketplace?
    Mr. Baitman. I can't answer that; I don't have visibility 
into it.
    Mr. Walberg. Well, I would like a document put up that 
deals with this test and the outcome, if I could have this 
particular document. Okay. If you see there, FFM, the website, 
the Marketplace, complete percentage, 66 percent complete. That 
is it. Sixty-six percent complete. This document was obtained 
by the committee. We have in place--let me ask this question, 
Mr. Baitman. Is it a problem that MITRE wasn't fully able to 
test one-third of the Exchange?
    Mr. Baitman. I can't answer that. This project was run and 
managed by CMS. They are responsible for the security.
    Mr. Walberg. In the security control assessment dated 
October 11th, 2013, and of which a preliminary copy was given 
to CMS, on September 23rd, 2013, MITRE writes that they are 
unable to adequately test the confidentiality and integrity of 
the health insurance exchange system in full. They go on to say 
MITRE also writes the application at the time of testing was 
not functionally complete.
    Mr. Powner, what are the dangers of conducting a security 
assessment on an incomplete system?
    Mr. Powner. Well, you could have vulnerabilities that go 
untested. Also, too, on this document--see, there are a lot of 
dates that don't add up. My understanding is that MITRE 
conducted their security assessment in August and September, 
and it was later September. So there is data all over the 
place. The bottom line to your point, though, is it wasn't done 
on a complete system.
    Mr. Walberg. MITRE has told, Mr. Powner----
    Mr. Chao. Excuse me. I just want to point out that that is 
a CGI-provided document, that is not from CMS.
    Mr. Walberg. Yes, I understand that. MITRE has told 
committee staff that to their knowledge, there has not been a 
comprehensive test of the entire system. One of the dangers 
posed by not conducting a complete, integrated security tests 
of all the system components, Mr. Powner?
    Mr. Powner. Well, in order to ensure that your data is 
secure and the system is safe to use, you want to test on as 
complete a system as possible.
    Mr. Walberg. Then based on what you know, were Americans' 
sensitive personal information at risk when Healthcare.gov 
opened on October 1st, 2013?
    Mr. Powner. I don't know what happened from mid-September 
on. That is the only caveat I would like to say, because there 
was testing done through mid-September, and I am blind to what 
happened during that period of time.
    Chairman Issa. The gentleman's time is expired, if you 
could wrap up very quickly.
    Mr. Walberg. Last question. Can you ensure the American 
people that the website will work on November 30th?
    Chairman Issa. The gentleman may answer.
    Mr. Walberg. Asking Mr. Powner.
    Mr. Powner. That is not my responsibility.
    [Simultaneous conversations.]
    Chairman Issa. The gentleman's time is expired. If anyone 
else wants to answer November 30th, they may. Mr. Park, will it 
work on November 30th? Properly, fully?
    Mr. Park. The team set a goal of having Healthcare.gov 
function smoothly for the vast majority of Americans. The team 
is working incredibly hard to meet that goal.
    Chairman Issa. I thank the gentleman.
    Mr. Walberg. With secure information?
    Mr. Park. With secure information.
    Chairman Issa. Thank you. The gentleman from Nevada.
    Mr. Horsford. Thank you, Mr. Chairman, and to the ranking 
member and to the other committee members, to our witnesses. 
This is an important hearing. Our constituents are rightfully 
concerned about their right to be able to access affordable 
health care on the website, Healthcare.gov. And while the 
rollout has been problematic, what has been more troubling is 
the fact that this has been turned into more of a game than it 
has been about how we can work together to fix the problems of 
the site.
    My concern is one of security of personal information. I 
also sit on the Homeland Security Committee, we are having a 
hearing also this morning on this subject. So I want to ask 
about the potential security risks to consumers. Mr. Chao, do 
you agree that protecting personal identifiable information on 
Healthcare.gov is important and is something that can be 
achieved?
    Mr. Chao. I think that is something that we as CMS and as a 
Federal agency comply with, FISMA and OMB and NIST 
specifications for securing people's data, and then following 
HIPAA's requirements for confidentiality, integrity and 
availability of data.
    Mr. Horsford. Can you explain how CMS protects consumer 
information, how that is safeguarded by CMS?
    Mr. Chao. I think one of the things that is very obvious 
when you come to Healthcare.gov, and if you go to, in my 
opening remarks I mentioned there are two sides to it, or two 
legs. If you go to the Get Insured side, one of the first 
things that you have to do is to register to establish an 
account. And we mentioned that registrations are up to about 
17,000 per hour right now. That registration process allows you 
to establish what we call a level one assurance of assurance 
account, which is based upon the National Institute of 
Standards and Technology. That is very similar to something 
like what you would establish in terms of opening up a Gmail or 
Yahoo account, just very basic information.
    Mr. Horsford. Okay. Let's move on to the next question. We 
are very limited on our time.
    Mr. Chao. So basically the answer is, it is about 
authenticating you, it is about, are you who you say you are 
before we let you into the system. And that is one major step 
in ensuring that people's privacy is protected, so that they 
only see their own data.
    Mr. Horsford. And is Healthcare.gov any more or less risky 
to consumers than other sites, including private company 
information in the banking world or using credit cards to 
purchase information over the internet?
    Mr. Chao. I can't speak for what privacy frameworks and 
programs apply to private sectors. But for the Federal 
government, we follow the FISMA guidelines and the requirements 
set forth by certain OMB directives. And we use independent 
security testing contractors to ensure that we comply.
    Mr. Horsford. Mr. Park, you have spent some time with this 
website. Have you been able to understand the security features 
that are inherent in it?
    Mr. Park. That hasn't been my particular focus on the team, 
no. There is a CMS security team dedicated to security matters.
    Mr. Horsford. Based on your review of that, do you believe 
the site poses any unreasonable risks to consumers?
    Mr. Park. I haven't actually, again, dived into that 
personally. But my understanding is that CMS is applying its 
information security best practices to the protection of the 
site. CMS has a great track record in protecting the privacy of 
Americans.
    Mr. Horsford. Mr. VanRoekel, I understand you worked on the 
data Hub. Can you explain why you believe consumers should have 
confidence that their information is secure as it passes 
through the Hub?
    Mr. VanRoekel. I didn't actually code the Hub itself, so I 
didn't do the day-to-day. But one thing that should be pointed 
out is that cyber security is part of everything we do. You 
almost can't buy a keyboard in government now without having 
cyber security considerations on that. And we have built a 
culture of assessment and mitigation that is all about 
assessing the level of risk, it is low to high. And then you 
put into place technology to mitigate that risk, to make sure 
that we are protected.
    The standards that we abide by are the NIST standards which 
are actually co-developed with the private sector. So the 
banking industry, financial industry, insurance industries 
outside of government actually use the same standards as 
government does, and we hold government to those standards, and 
often in many cases lead those industries in the ability to do 
these things.
    The other aspect of this is, this is ongoing. You hear, I 
am sure, in the Homeland Security Committee, a lot around the 
fact that we have cyber security in what we do there, you have 
to do ongoing tests. You have to rapidly respond and 
assessments are never done. You have to just stay vigilant in 
those cases.
    Mr. Horsford. Thank you. Mr. Chairman, I would just say 
that this is not about playing offense or defense. It is about 
us getting this job done on behalf of the American people and 
working together. I am rather insulted by this House Republican 
playbook----
    Mr. Meadows. [Presiding.] The gentleman's time is expired.
    Mr. Horsford.--where it talks about ObamaCare----
    Mr. Meadows. The gentleman from Oklahoma is recognized.
    Mr. Horsford.--the loss of insurance and what this means. 
This is not----
    Mr. Meadows. The gentleman will suspend. The gentleman from 
Oklahoma is recognized.
    Mr. Lankford. Thank you, Mr. Chairman. Gentlemen, thank 
you. This is not a day that is probably a fun day for you, you 
probably didn't get up and go gosh, I can't wait for this day. 
I get that, and I want to say thank you, because all of you are 
professionals that have given to public service. You all could 
make a lot more money in the private sector and you have chosen 
to serve people. We all have differences on opinion on 
direction and that kind of stuff, but I want to say thank you 
to you as well for what you are doing, because you have made a 
conscious choice in that.
    Let me walk through a couple of things just to be able to 
get to some of the reality on it. About an hour and a half ago 
I went on my iPad, went to Healthcare.gov and hit this button 
that says create account. It doesn't go anywhere. It just 
changes colors and does nothing. So I reloaded on this and for 
about an hour and a half I have just occasionally hit that 
button.
    This is the frustration, the struggle of a lot of folks out 
there. Then you all have the frustration, we get that. We have 
questions, though, as we walk through this process of now what 
happens.
    Mr. Park, you were asked a question earlier about the 
November 30th time line. I assume Mr. Zients has laid that out 
there at the end of November, when everything would be ready 
and available. You said it is our goal. Can you give me more 
specifics? Are we going to hit November 30th?
    Mr. Park. Thank you for the question, and thank you for 
your kind words at the beginning as well.
    The goal that has been laid out is not for the site to be 
perfect by the end of November.
    Mr. Lankford. Functional, so people can log on?
    Mr. Park. So that the vast majority of Americans will be 
able to use the site smoothly. That is the goal we are gunning 
for. We are working very hard to get here.
    Mr. Lankford. So here is the issue. Around 5 million people 
have received a cancellation letter. I have multiple 
constituents that have sent me copies of their letters, all of 
them end with, your insurance policy concludes December 31st. 
If they cannot get on and log into the site by December 15th, 
they will not have access to insurance January 1st and they 
will be uninsured. People who are currently insured will not 
have insurance as of January 1st.
    So I understand the deadline is out there for March 31st, 
and all this kind of stuff on it. Those individuals who have 
received it by the millions cannot get insurance and on January 
1st will be uninsured.
    So I get that is the goal. But the reality is racing at us. 
And the comment has been made on it that we are trying to fix a 
plane that is in the air. I fully understand the complexities 
of that. The challenge of it is that many of us had said, park 
the plane for a year, let's get it right before we launch this 
thing. That is not your fault, you all are dealing with the 
realities that are on the ground. But that is something that we 
are trying to communicate on this.
    Mr. Chao, let me ask you something. September 27th, the 
ATO, the authorization to operate, in some of the committee 
staff that you had mentioned, that was a very long day as well, 
you visited with committee staff on it. During that 
conversation, there was a back and forth on this ATO coming out 
that Mr. James Kerr and yourself, that you had edited there, 
since Marilyn Tavenner. In that memo, you wrote, ``Due to a 
system of readiness issues, the security control assessment was 
only partially completed. This constitutes a risk that must be 
mitigated to support the marketplace day one operations.'' You 
were asked by staff, what are some of those risks that are out 
there, that are kind of the unknowns on it, that have to be 
mitigated. During that conversation, you had listed things like 
unauthorized access, not encrypting data, identity theft, 
misrouted data, personal identifiable information, those are 
the kinds of the great unknowns of this, at that point.
    Then, am I tracking this correctly? Do you remember this?
    Mr. Chao. Yes. Those are examples that I was asked to 
provide.
    Mr. Lankford. Sure. The problem is that you are trying to 
mitigate on things that you don't know. I understand about 
mitigating on a risk. You mitigate on things that you know, is 
that correct?
    So on day one, Marilyn Tavenner is signing a document 
saying, there are risks that are out there. Some of those that 
you had listed, we are going to have to mitigate on those. Were 
we mitigating for every possibility on it?
    Mr. Chao. I think what you do is, on a risk-based approach, 
you look at the probability of a particular risk occurring and 
you prioritize. For example, one of the mitigation steps was to 
conduct weekly security testing and to report back to the 
Administrator on the result of that security testing.
    Mr. Lankford. During that testing process, did you find 
that some data was misrouted? Once it was launched? Are 
insurance companies getting information that is incorrect?
    Mr. Chao. There are cases in which insurance companies were 
getting data that were not incorrectly routed to them, but 
incorrectly formatted within the transaction.
    Mr. Lankford. Do you know who briefed Marilyn Tavenner on 
the security risks? Because obviously she had to sign off on 
this document. Do you know who sat down with her and briefed 
her on the security risks, here are all the things we are 
trying to walk through?
    Mr. Chao. It was our chief information officer and chief 
information security officer.
    Mr. Lankford. Two other quick questions. Is there a way to 
be able to track what personal information any employees can 
see while they are working on this? Obviously you had a lot of 
contractors involved in this, now we have added even more 
contractors trying to learn all those contractors, who they 
even are. Is there a way to be able to track? Because now there 
is personally identifiable information in the system as well. 
Is there something in place that tracks what people who are 
working on the back end of the site can see as far as 
personally identifiable information?
    Mr. Chao. Yes. There are system logs. For example, if you 
call the call center and the call center representative is----
    Mr. Lankford. I am talking about people working on the back 
end.
    Mr. Meadows. The gentleman's time is expired. You can 
finish the question.
    Mr. Chao. In certain cases, yes. Like if you are in a 
testing environment. Very few people touch a production 
environment. So they wouldn't even have access to that live 
data. Sometimes when we use testing data, you want to see the 
results, so you do have developers having access to that 
information. But it is not live people's data.
    Mr. Meadows. I thank the gentleman from Oklahoma.
    For the record, Mr. Chao, I wanted to point out, those 
items that you identified as particular inherent risks were 
identified by you prior to the September 3rd memo that was 
introduced. I know the gentleman from Virginia had indicated 
that it was after that memo. But for the record, you indicated 
those prior to that memo being introduced by committee.
    Mr. Chao. I don't quite understand what you are trying to 
say there. Because the question was asked, what examples, and 
it was in the context of the September 27th memo. You are 
saying September 3rd.
    Mr. Meadows. You mentioned these risks because of the 
failure to do integrated security testing.
    Mr. Chao. I don't believe I said failure.
    [Simultaneous conversations.]
    Mr. Chao. This is the problem, I don't have the transcript 
in front of me, I cannot confirm with you. I was not given an 
opportunity to make corrections, if there were corrections to 
be made. So you can tell me what you want, but all I can say is 
to the best of my knowledge, I don't recall saying that. I need 
to see my transcript.
    Mr. Meadows. The gentleman from Vermont, the distinguished 
gentleman from Vermont is recognized.
    Mr. Welch. Thank you, Mr. Chairman.
    First, I want to join Mr. Lankford in thanking each of you, 
Mr. Powner, Mr. Chao, Mr. Baitman, Mr. Park, Mr. VanRoekel, for 
the incredible effort that you are putting into trying to fix a 
very serious problem. Thank you.
    Second, you don't have to be an opponent or a supporter of 
the health care law to acknowledge that there are significant 
rollout problems associated with the website. Those of us who 
are supporters, and I am a very strong supporter of the health 
care law, are absolutely committed to providing the support you 
need to make this thing work.
    There are really four issues that we have that are rolling 
around. One is, the website, what we have to do to fix it, and 
it has to be fixed. Two is, what is the impact of these 
cancellation notices that a lot of Americans are receiving. 
They thought they had health are, they were assured that they 
could keep the policy that they had. And the problem gets 
compounded if the website is not working. And then third is the 
individual mandate that is the subtext of the debate, but that 
is essential to the law, but in order to make that work, the 
website has to work. And the fourth is the IT purchasing, are 
there some lessons that we can learn. I tend to think that it 
is really important to move ahead on the Issa-Connolly 
legislation.
    So that is the context that we are in. You are here to help 
us fix the problem. We have to get that done.
    So I want to start by just asking you, Mr. Park, if you 
could make some comments about, you would be repeating a little 
bit, but what are the specific things we can do to get this 
fixed? And I understand all of us would like to have a hard and 
firm date where everything is going to be perfect. But what we 
are dealing with is the real world, and we want it to be 
functional for the vast majority of Americans. So what are the 
ABCs that you need to do and hopefully not require you to sleep 
on the floor in the office at night?
    Mr. Park. Thank you so much for the question . The team is 
taking all the right steps under the leadership of Jeffrey 
Zients and Ms. Tavenner. So first of all, the team has 
implemented monitoring cross the site, improved monitoring to 
actually understand performance of the system, and where are 
the issues and where to focus.
    Secondly, with the help of that data, the team has 
undertaken an aggressive program of improvements to actually 
improve the stability and performance of the site through 
tuning, system configurations, capacity expansion, et cetera, 
which has resulted in, among other things, the site being more 
stable, system response times going down, as I mentioned, from 
8 seconds to less than a second.
    Thirdly, the team is working on functionality bugs. So high 
priority issues with respect to the user interface and user 
experience. And that is actually being pursued very 
aggressively of course as well.
    Then finally, there is a bunch of work underway to keep 
improving the software release process. So you can actually fix 
these issues faster and faster at a growing clip.
    Then you have QSSI having been brought in by Administrator 
Tavenner as the general contractor to manage this effort. And 
so it is all moving at increasing speed.
    Mr. Welch. How are we going to address the problem that Mr. 
Lankford had getting on the website, where he hit the enter 
button and it didn't work for an hour and a half?
    Mr. Park. There has been a lot of progress on that front, 
and many more folks can get in now than previously, through 
both the ability for that particular component of the system to 
handle more volume through capacity expansion and software 
optimization. And also through bug fixes that have been 
applied. But actually, if Congressman Lankford would be so 
kind, I would love to follow up with you afterwards just to 
understand your specific situation. And then we can actually 
use that to inform the troubleshooting and the fixing.
    Mr. Welch. I would really like it if you did, because that 
is a fair question.
    Mr. Lankford. If the gentleman would yield for just one 
second.
    Mr. Welch. Yes.
    Mr. Lankford. It is pretty straightforward. I just got to 
that page and hit the button, it changed colors and did 
nothing. So it is nothing more than that, as far as moving in 
to just to log in to create an account.
    Mr. Welch. Mr. Powner, do you have some concrete 
suggestions about what we can do as a Congress to make it more 
efficient and more effective when we are making significant IT 
purchases on behalf of the American taxpayer?
    Mr. Powner. I have a couple very specific suggestions, and 
I am going to go back to my oral statement. We are down in the 
weeds on what needs to be done to fix it, and the program 
management needs to be in place. But the IT dashboard, there 
are 700 major IT investments. This is one of them. It was 
green. Given the late start, the compressed schedule and the 
complexity, does anyone think it was really a green project? I 
don't think so. It should not have been green. There should 
have been flags on the dashboard and better transparency.
    The other thing is proactive governance. We look at the IT 
reform plan, things in the FITAR bill legislation. Proactive 
governance is very important. It is great and I am pleased that 
Steve and Todd and everyone is involved now. But we need that 
governance up front on important projects, not when things go 
in the tank. We need it up front. It is the same thing with 
when projects go in the tank, we get engaged with the 
contractor more. Why don't we engage with the contractor, 
engage with the right executives, up front instead of when we 
have problems? I know there are a lot of projects and a lot of 
priorities. But we need to find a way to tackle that better.
    Mr. Welch. Thank you. I yield back.
    Mr. Meadows. I thank the gentleman from Vermont. The 
gentleman from Pennsylvania, Mr. Meehan, is recognized.
    Mr. Meehan. I thank the chairman, and I to want to join in 
this sentiment, that I appreciate that you are legitimately 
trying to work on this. We all are. And I happen to chair the 
Cyber Subcommittee on Homeland in addition, and have great 
concerns and frustrations. I think I reflect many of the people 
out there that with the concept of frustration, because in many 
ways, when I talk to my folks at home, this isn't about a 
website, it is about trust. It is about this inherent trust 
that they have in the relationship with their doctor is now 
being impacted. And the very trust they have in the ability for 
this system not only to operate but to operate securely.
    Now, I know this is sort of outside, I was stunned when I 
heard the question the other day that the Secretary said yes, 
we can have felons that are operating as navigators. What is 
going to be done from this point forward to assure that no 
felon will be used as a navigator anywhere in the United 
States? Mr. VanRoekel?
    Mr. VanRoekel. In the context of this system, that is sort 
of a health policy decision, it is not a tech decision.
    Mr. Meehan. Mr. Chao, is there anything that can be done? 
Will you participate in getting something done?
    Mr. Chao. I think CMS is actively performing background 
investigations.
    Mr. Meehan. Well, that is not what the Secretary said. 
Look, please look into that for me. That is not my line of 
questioning, but I move into this whole issue of trust. Again, 
trust, we had Ms. Tavenner and you before our committee 
testifying about the readiness in July and August of this, to 
ready to go. I just look at the background of, this is the IG's 
report to Congress on FISMA. One of the things that Ms. 
Tavenner and you were talking about was compliance with FISMA 
and therefore, when you look at HHS, the IGs came out, the 
second worst score in every agency across government, HHS. A 50 
percent compliance with FISMA. The second worst in all of 
government.
    So we are already dealing, again, with a question of trust. 
So let me just get to the heart of our engagement. Because I 
was so frustrated, I couldn't understand how an IG's report, 
Mr. Chao, could have suggested that there were great concerns 
about the ability to be ready in time to conduct the testing. 
And you assured me at that time that they were on schedule and 
you were going to meet all the requirements for the testing, as 
did Ms. Tavenner.
    Now, we were told before the marketplace systems were 
allowed to operate, they had to comply with all of the rigorous 
standards. Yet at the same time that you were testifying before 
me, I had a Washington Post story that was saying staffers were 
aware by late 2012 that the work of building the Federal 
exchange was lagging. Employees warned at meetings late last 
year and in January that so many things were behind schedule, 
there would be no time for adequate end to end testing of how 
the moving parts worked together.
    So how was it done, then, that in this short time frame, 
where their own employees are saying it couldn't be done, the 
IG said that there were tremendous concerns about the ability 
to do the testing, somehow the day before our committee had you 
before us, there was a report from the Secretary that said, all 
of our marketplace systems are allowed to operate and begin 
serving consumers, and I am pleased to report that the Hub 
completed its independent security control assessment on August 
23rd?
    Mr. Chao. The Hub was tested first, and it was completed in 
August, as you mentioned. I think the remainder of August and 
into September, we concluded the third round of testing for the 
marketplace systems, particularly for the functions that were 
needed for October 1st.
    Mr. Meehan. How could you do the testing on the system? 
Because you have reported, but here is the document that came 
out from CGI. At the very time you were saying to me that this 
was, this had been certified as complete, by the certifying 
agency and Tavenner was here testifying that it was done, you 
have at the same time an internal memo from CGI saying that the 
FFM schedule was only 51 percent completed, on the same day you 
are telling me that the certification has been finished. How 
can you complete and certify when they haven't even built more 
than half of the system?
    Mr. Chao. I don't know what document you are holding, but I 
am assuming that in August, 51 percent is about where we were 
at. Remember, we still have other key functions, such as 
payment, risk adjustment, reconciliation.
    Mr. Meehan. How do you give certification when it is only 
51 percent complete?
    Mr. Meadows. The gentleman's time is expired.
    Mr. Chao. Because you test the components, the parts of the 
system that go into production and that are actually 
interacting with the public.
    Mr. Meadows. The gentleman's time is expired.
    We recognize the gentleman from Massachusetts, Mr. Tierney.
    Mr. Tierney. Thank you very much.
    Mr. Chao, do you feel you have had adequate opportunity to 
answer that last question? Or do you have other things you want 
to add?
    Mr. Chao. I think I got my last word in.
    Mr. Tierney. Thanks. So earlier this morning, at the 
beginning of the hearing, Chairman Issa asked you about the 
anonymous shopper function. Do you recall that?
    Mr. Chao. Yes.
    Mr. Tierney. You said you had decided to direct CGI to 
disable it because of defects, and Chairman Issa challenged you 
and accused the White House of ordering the action for 
political reasons. Do you recall that?
    Mr. Chao. Yes.
    Chairman Issa. Would the gentleman yield?
    Mr. Tierney. No.
    So during that phrase, also I think Chairman Issa handed 
you a document, and I think it is probably still with you 
there.
    Mr. Chao. Yes.
    Mr. Tierney. And the chairman gave you the document that 
said it showed that there were no defects in the system. It 
does say that the function is anonymous shopper, does say the 
CGI said it tested successfully. Then he has blown up a box, 
over a number of the other statements made on the right hand 
side of that box. It just says 9/22 this feature will be turned 
off on day one, October 1.
    Now, I have given you a sheet there, I believe staff has 
given you a sheet there that is clean from those boxes, and 
just as the original document without the chairman's blowups on 
there obstructing any of the other materials. Do you have that 
document?
    Mr. Chao. I think so. Is it this one?
    Mr. Tierney. Yes. So that is the original document. ON the 
bottom right, will you read for me the last, the statement 
there starting with defects identified?
    Mr. Chao. Defects identified by CMS being treated as 
critical target fixes for 9/12.
    Mr. Tierney. And that is, in fact, what you testified to, 
right, that you had found defects?
    Mr. Chao. Yes.
    Mr. Tierney. As you read up from that box, you found that 
there were defects that you decided to disable the shopper 
function and focus instead on plan compare?
    Mr. Chao. Correct.
    Mr. Tierney. Why did you do that?
    Mr. Chao. Because if given the opportunity to choose a more 
critical function, plan compare is much more critical in the 
path of a consumer being able to enroll in health care as 
compared to the ability to browse.
    Mr. Tierney. So you thought that was the best priority and 
you focused attention on that?
    Mr. Chao. At that time, yes, given the CGI resources that 
were available. And actually, there was a subsequent date, I 
think, I would have to locate the documentation. We did do 
another round of testing post-9/12 and it was still failing.
    Mr. Tierney. So you disagree with CGI, they thought it 
tested successfully and you instead had this ongoing belief 
that it tested unsuccessfully, there were defects and that is 
why you made the decision to switch your priorities to the 
other?
    Mr. Chao. Correct, because the report that I would look at 
is from our ACA independent testers, not from CGI.
    Mr. Tierney. And, in fact, that is why the shopper function 
was disabled, correct?
    Mr. Chao. Correct, based on the report from the independent 
testers.
    Mr. Tierney. So when Chairman Issa stated on national 
television that the White House ordered you as CMS to disable 
the shopper function in September for political reasons to 
avoid consumer sticker shock, that is not true, is it?
    Chairman Issa. I object. The gentleman may not 
mischaracterize my statement.
    Mr. Tierney. The gentleman may not object in the middle of 
somebody else's questioning. If questions go through the chair, 
which you don't currently occupy, and I will continue my 
questioning of Mr. Chao.
    Chairman Issa. Mr. Chairman, point of privilege.
    Mr. Meadows. The gentleman is recognized.
    Chairman Issa. The gentleman is repeatedly disparaging and 
mischaracterizing what I have said. Could the chair please 
direct all members, if they want to allege a quote, ensure that 
it is a quote and not in fact a characterization that is 
inaccurate, as the gentleman's is?
    Mr. Meadows. The chair would remind each and every member 
here to direct their comments, without personality, and 
directing those comments to make sure that they are reflected 
as to not make a personal attack.
    Mr. Tierney. Well, that is well said. I don't know of any 
personal attacks, so I assume you are directing that at 
somebody else.
    But I will read a quote on October 27th, from Chairman Issa 
on national television. Here it is: ``Contractors have already 
told us that, in fact, people represented that the White House 
was telling them they needed these changes, including instead 
of a simple 'let me shop for a program then decided to 
register' they were forced to register and go through all the 
things they have slowed down in the website before they could 
find out about a price.''
    The contractors the chairman referred to were CGI, but CGI 
officials have denied ever saying such a thing. Nevertheless, 
he went on to claim the White House, ``buried the information 
about the high cost of ObamaCare'' in order to avoid consumer 
``sticker shock.'' And that is not why you made the decision to 
disable that program of anonymous shopper, is it, Mr. Chao?
    Mr. Chao. Just as I answered before, absolutely not.
    Mr. Tierney. Thank you. I yield back. No, I yield to my 
colleague.
    Mr. Cummings. I just want to address this to Chairman Issa. 
When speaking to Mr. Connolly earlier, you referred to a letter 
sent to you on November 6th. It is not a letter I sent jointly 
with Mr. Connolly, so he did not read that letter. That letter 
was about MITRE security testing document provided to the 
committee. MITRE told us that like any website security 
documents, they are sensitive, and their release potentially 
could give hackers hints on how to break into the system.
    So I asked you to treat those documents with sensitivity, 
to consult with me before making them public. You tried to use 
my letter to argue that the system is not secure, but that is 
not what I said. Every security testing document for every IT 
system, no matter how secure the system is, is sensitive. Every 
security testing document could give ill-meaning individuals 
help in causing mischief.
    These documents do not mean there are problems with the 
security of the system. I just wanted to clear that up. And I 
yield back.
    Mr. Tierney. I yield back as well.
    Mr. Meadows. Thank you. The gentleman's time is expired
    Mr. Chao, I know that you have made a number of comments 
with regard to your sworn testimony and what you recall or 
don't. I would make it available to you for your reference 
there at the desk, if you would like to have that, in case 
there are other questions that are asked regarding that.
    Mr. Chao. Thank you, but I probably would need some time to 
go over it.
    Mr. Meadows. So you need time to review what you have said 
previously on the record?
    Mr. Chao. It was nine hours worth of interview questions.
    Mr. Meadows. Okay. As soon as the hearing is over, if you 
would like to come back and review this, we will be glad to 
make it available to you.
    With that, I recognize the gentleman from Tennessee, Mr. 
DesJarlais.
    Mr. DesJarlais. Thank you, Mr. Chairman. Welcome. I know 
that the hearing is getting long and here has been a lot of 
questioning going on. But there is no doubt that eh American 
people want some answers about this huge investment in a 
rollout of a website that certainly didn't go as planned. It 
has been a learning experience, it has been an educational 
experience.
    Mr. Park, looking back, knowing what you know how, looking 
at the rollout in October, give a letter grade to the rollout 
of ObamaCare, A through F.
    Mr. Park. That is an interesting question. In terms of the 
rollout of the website, it has obviously been really, really 
rocky. I kind of hesitate to assign a letter grade to it. But 
it is what nobody wanted.
    Mr. DesJarlais. I think the people appreciate honesty. You 
don't have to fail it, but what do you think it was, A through 
F?
    Mr. Park. I think it depends on the user. There were some 
users able to get through, and there were other users, a lot of 
users who couldn't.
    Mr. DesJarlais. So you are not going to give it a grade?
    Mr. Park. I think that kind of oversimplifies it.
    Mr. DesJarlais. Maybe. But there are a lot of people 
watching who want answers. And this is a complex issue. So just 
maybe for simplification, they would like to know that a lot of 
people who are responsible for rolling this out don't think 
that it went very well. To listen to this hearing, it doesn't 
really sound like a lot of you think it was that abysmal of a 
failure. This hearing started out with the ranking member 
talking about how this is a Republican issue, how we are out to 
destroy health care or the health care law, how we are trying 
to repeal it, how we are trying to not have this hearing to see 
if we can make this succeed.
    Bottom line is, a lot of money was invested in this and 
people do want answers. So it is complex, but yet in a simple 
fashion I think people would like to hear that hey, we screwed 
up.
    Mr. Chao, could you give it a letter grade?
    Mr. Chao. I agree with Todd that it is highly subjective.
    Mr. DesJarlais. Okay. Fair enough.
    Will anybody give it a letter grade?
    Chairman Issa. Would the gentleman yield?
    Mr. DesJarlais. Mr. Chairman.
    Chairman Issa. Perhaps we could have it as a pass-fail, a 
little less subjective.
    Mr. DesJarlais. Yes, that would be less complicated. Would 
you give it a pass or a fail, Mr. Park?
    Mr. Park. Again, I don't want to reduce it to something 
that--just to be clear, all of us are frustrated about how the 
site rolled out. None of us think it went well. All of us think 
it was incredibly rocky and we are incredibly focused on trying 
to fix it and make it better. And it is getting better week 
after week after week.
    Mr. DesJarlais. Okay, so knowing what we know now, Mr. 
Chao, you testified that you were given your marching orders, 
but yet, I don't think the October 1st date was immovable. 
Would you agree with that?
    Mr. Chao. I don't have the luxury of determining what date 
is movable or not movable. I was given October 1st as a 
delivery date, and that is what I targeted.
    Mr. DesJarlais. Knowing what you know now, would you have 
pushed harder to have the date moved back?
    Mr. Chao. That is pure speculation.
    Mr. DesJarlais. How can it be speculation? You know what 
you know now.
    Mr. Chao. Because I wasn't in a position to choose a date.
    Mr. DesJarlais. I am asking today, sitting here today, 
testifying in front of this committee, knowing what you know 
now, would you have pushed harder to move the date back?
    Mr. Chao. I go by what I said.
    Mr. DesJarlais. So you would let history repeat itself.
    Mr. Chao. That is not what I said.
    Mr. DesJarlais. Mr. Park, would you have----
    Mr. Chao. That is not what I said.
    Mr. DesJarlais. Okay, Mr. Park, would you, knowing what you 
know now, ask to have this delayed or pushed back?
    Mr. Park. I don't actually have a really detailed knowledge 
base of what actually happened pre-October 1. I don't know what 
levers were available. So I would hesitate to make any point 
now.
    Mr. DesJarlais. So once again, we spent over a half a 
billion dollars of taxpayer money and no one who is responsible 
for the rollout is willing to say that we should have done 
things differently. The President doesn't know it, but first of 
all, we were trying to save the American people from a bad law 
by all that we just went through over the past few months. And 
really, we were trying to save the President from himself. He 
needed to sit down and talk with us about delaying this, and 
nobody sitting on this panel, after seeing what a failure this 
has been over the past month, is willing to step up and say, 
yes, we should have delayed this. Is that what I am hearing? I 
didn't give everyone a chance. Does anyone want to speak to 
that?
    Chairman Issa. Perhaps the GAO could comment on whether or 
not this was a site that in retrospect should have been 
launched on October 1st and serviced that full six people while 
millions of people were unable to get through.
    Mr. Powner. Clearly, knowing what we know now, a delay in 
rollout would have made sense. But the thing is, we are not 
privy to who knew what when in terms of the test results and 
all that kind of stuff. That is where we don't have insight 
into that.
    Mr. DesJarlais. Okay, well, a lot of these regulations, Mr. 
Chao, were delayed until after the election. Do you have any 
reason why a lot of the regulations that probably caused a lot 
of these problems were delayed until after the election?
    Chairman Issa. [Presiding] The gentleman's time is expired. 
The gentleman may answer.
    Mr. Chao. I don't have the scope, it is not within my scope 
to cover when regulations get released or not.
    Chairman Issa. Does anyone know? Mr. Park, you were chief 
technology. Mr. VanRoekel, your organization owned the question 
of whether or not in a timely fashion these regulations were 
created.
    Mr. VanRoekel. No, that is actually a mischaracterization 
of my organization's role. We and my team are tech policy 
people, not health policy people related to regulations.
    Chairman Issa. But whether the trains run on time, where 
there are things implementing laws, isn't that what OMB does?
    Mr. VanRoekel. My role in OMB is to set government-wide 
policy to look at government-wide communication of budget.
    Chairman Issa. So we should get the OMB director in here 
and find out why after three and a half years things weren't 
done so that this could be launched for the American people in 
a timely fashion. I guess we could get a couple of OMB 
directors.
    The gentleman's time is expired. The gentleman from 
Missouri is recognized for five minutes.
    Mr. Clay. Thank you, Mr. Chairman, and thank you for 
attempting to get answers to your questions on Healthcare.gov. 
My questions today will focus on the Federal contract between 
CMS to CGI Federal, to set up Healthcare.gov. If any other 
witnesses, including Mr. Powner, care to comment on my 
question, please feel free to jump in.
    Mr. Chao, in your testimony today you stated that CMS 
contracted with CGI Federal to build a federally-facilitated 
marketplace system, including the eligibility and enrollment 
system. According to the Washington Post, this contract is 
worth $93.7 million.
    How much money from this contract has already been awarded 
to CGI?
    Mr. Chao. I don't have the exact figures.
    Mr. Clay. What incentives and disincentives were in the 
contract for CGI Federal to successfully fulfill their contract 
to roll out Healthcare.gov?
    Mr. Chao. I think as with, starting at the highest level of 
the Federal Acquisition Regulation has very specific guidance 
about contracting and the contracting framework in which you 
will then award IT contracts, with specifications for something 
like the marketplace.
    Mr. Clay. And they are still working on the website, CGI 
Federal?
    Mr. Chao. Yes.
    Mr. Clay. And they have been paid how much to this point?
    Mr. Chao. I don't have the exact figures in front of me.
    Mr. Clay. And are you pleased with the product you received 
from CGI Federal?
    Mr. Chao. I think as Todd mentioned, we are all----
    Mr. Clay. Look, we have a responsibility as an oversight 
committee, and that is to protect taxpayer dollars. And so I am 
asking specific questions about the taxpayers' dollars. Perhaps 
Mr. Powner can shed some light on that. Have we paid CGI 
Federal yet?
    Mr. Powner. I don't know specifically what went to CGI. We 
do know that the government has paid IT funding over $600 
million. That is what we do know.
    Mr. Clay. Okay, tell me about the structure of the 
contract, then. If they perform, then they should get paid, 
correct?
    Mr. Chao. I think how this contract is formulated is that 
there is a performance element to it. So there is a based set 
of costs that are factored into performing the work.
    And then during certain review periods, they could receive 
a performance kind of incentive. But I would have to get back 
to you on exactly how that works, because I don't run the 
contract.
    Mr. Clay. Would you share with this committee how they are 
going to be paid for the work performed already? Are they still 
working on Healthcare.gov? Since they messed it up in the first 
place, are they still on it?
    Mr. Chao. They are the contractor that does the 
development, as well as ongoing operations and maintenance. So 
yes, they are still working on it.
    Mr. Clay. Mr. Powner, can you shed some light on this?
    Mr. Powner. Yes. I would just like to say that we sit here 
and talk about contractor fault, government fault, government 
is at fault here too on the requirements point of view. It is 
clear that from a requirement perspective there is fault on the 
government side. Congressman Clay, we went through this with 
the Census Bureau, with the handhelds, same situation.
    Mr. Clay. Same situation.
    Mr. Powner. Same situation.
    Mr. Clay. But we corrected it.
    Mr. Powner. Ill-defined requirements, we overspent, we came 
in, fixed it. But it is the same situation, ill-defined 
requirements, questions, there are all kinds of questions 
across the board.
    Mr. Clay. Okay. I have been told that this was simply lazy 
Federal contracting. What are the failures of CMS in policing 
the CGI contract to ensure that the rollout of Healthcare.gov 
would be a success? What are the failures? Can anybody tell me? 
I'm going to go back to CMS.
    Mr. Powner. Executive oversight. I think there is a 
fundamental question. There are to be investment boards in 
place with these agencies and departments. The questions are, 
what meetings occurred, who attended, what risks were 
discussed, what follow-up occurred, how timely were those 
meetings. That is really what we need to look at.
    Mr. Clay. Well, and from a taxpayer perspective, these are 
millions of dollars going to a failed product. I don't think 
they are happy. And with that, Mr. Chairman, I yield back.
    Mr. Cummings. Would the gentleman yield?
    Mr. Clay. I don't have time.
    Chairman Issa. I would ask unanimous consent the ranking 
member have 30 seconds. The gentleman is recognized.
    Mr. Cummings. Mr. Park, we have had a lot of bad news in 
this hearing. Can you just again tell us where we are and the 
progress we are making, you are making?
    Mr. Park. It is the progress the team is making, I am just 
a small part of the team. But the team is working really hard 
to make progress week after week, just some numbers, which are 
always helpful, right? As I mentioned previously, the average 
system response time, which is the time it takes a page to 
render a request to be fulfilled of a user was eight seconds on 
average a few weeks ago, it is now under a second. Another 
measure is the system error rate, which is the rate at which 
you experience errors in the marketplace application. That was 
over 6 percent a few weeks ago, now it is actually at 1 percent 
and actually getting lower than that.
    So really good progress, still much, much more to do. A lot 
of work to do. But there is a system and a pattern of attack in 
place, as I mentioned earlier, around monitoring, production 
stability work, functional bug fixing and improvement of these 
processes.
    Mr. Clay. Would the ranking member yield?
    Chairman Issa. The Chairman would yield to the gentleman 
from Missouri.
    Mr. Clay. Thank you, Mr. Chairman. Mr. Park, what 
contractors are working on fixing the site? Isn't CGI one of 
them, CGI Federal?
    Mr. Park. CGI is one. And CMS of course is the manager of 
all the contracts, they could give you the most comprehensive 
answer. But CGI is one, yes.
    Mr. Clay. Thanks.
    Chairman Issa. I thank all of you, and Mr. Park, in case it 
isn't said again in this hearing, we believe that what you are 
doing today is important. I think what GAO has said is, there 
wasn't a single point of contact, an expert in charge in a 
timely fashion that would be accountable and coordinate that 
would, if you will, sleep on their floor if that is what it 
took, before October 1st. So that is the big reason we are here 
today, but I think that is where GAO is making the point to all 
of us that the next time there is one of these, we need to have 
somebody, perhaps not of your stature, but as close as we can 
come, there in the months and years preceding it.
    We now go to the gentleman from South Carolina, Mr. Gowdy.
    Mr. Gowdy. Thank you, Mr. Chairman.
    Mr. Park, do you agree that there is a difference between 
an innocent misstatement of a perceived fact and a deliberate 
attempt to deceive?
    Mr. Park. Yes.
    Mr. Gowdy. So do I. When did you first realize that you 
couldn't keep your health insurance even if you did like it, 
period?
    Mr. Park. Again, that is kind of a health policy matter, 
that is really outside my lane.
    Mr. Gowdy. You don't know when you first realized that you 
couldn't keep your health insurance, even if you liked it, 
period?
    Mr. Park. I don't recall, no.
    Mr. Gowdy. Would you agree with me that credibility or the 
lack thereof in one area of life can impact credibility or the 
lack thereof in another area of life?
    Mr. Park. I suppose it could.
    Mr. Gowdy. In your written testimony, you wrote, ``As you 
know, October 1st was the launch date of the new website, 
Healthcare.gov.'' And I did know that. I just didn't know why. 
And I am going to read to you a quote from Secretary Sebelius. 
She said, and I will paraphrase it initially, that she was 
hurried into producing a website by October 1st because the law 
required it. Now I will read you the direct quote. ``In an 
ideal world, there would have been a lot more testing. We did 
not have the luxury of that, with a law that said it is go-time 
on October 1st.''
    Mr. Park, I don't know what ideal world she is referring 
to. So I am going to stick with the one we are in. What law was 
she referencing? What law required this website to launch on 
October 1st?
    Mr. Park. I can't really speak for Secretary Sebelius.
    Mr. Gowdy. I am not asking you to speak for her. I am 
asking you, what law was she referring to? Is there a law that 
required this website to launch on October 1st?
    Mr. Park. Again, that is a health policy, legal matter.
    Mr. Gowdy. It is actually a legal question. Do you know if 
there is a law that requires this website to launch on October 
1st, or do you know whether it was just an arbitrary date that 
the Administration settled on?
    Mr. Park. I actually do not.
    Mr. Gowdy. Would you find that to be important, whether or 
not we really had to go October 1st, given the fact that we 
weren't ready to go October 1st? Would you find that relevant, 
whether or not we actually had to launch a substandard product?
    Mr. Park. Sir, I am, respectfully, just a technology guy.
    Mr. Gowdy. Don't short yourself. You are the smartest one 
in the room.
    Mr. Park. That is not true, sir.
    Mr. Gowdy. Trust me. I have been in this room for a while. 
It is true.
    [Laughter.]
    Mr. Gowdy. There is no law that requires that. So what 
Secretary Sebelius said was patently false. There is no law 
that required a go-time on October 1st.
    But I want to move to another component of her quote. Some 
of us don't consider testing to be a luxury. But let's assume 
arguendo that she is right, that additional testing would have 
been a luxury that would have been nice to have. How much more 
testing would you have done prior to launching?
    Mr. Park. I am not even familiar with the development and 
testing regimen that happened prior to October 1. So I can't 
really opine about that.
    Mr. Gowdy. Let me ask you this. Because you are the 
smartest one in the room, and very good at what you do, where 
the heck were you for the first 184 weeks? If you are being 
asked to fix this after October 1st, in a couple of weeks, 
where were you for the first 184 after the so-called Affordable 
Care Act passed? Where did they have you hidden?
    Mr. Park. Sir, in my role at the White House as USCTO in 
the Office of Science and Technology Policy, I am a technology 
and innovation policy advisor. So I had a broad portfolio of 
responsibilities.
    Mr. Gowdy. But you are obviously good enough that they 
brought you in to fix what was broken. It has been called a 
train wreck. That is not fair to train wrecks. It has been 
called other things. They brought you in to fix it. Why didn't 
they bring you in to start it? Why are you doing a reclamation 
project? Why didn't you build it?
    Mr. Park. I am part of an all-hands-on-deck effort to 
mobilize across the Administration to actually help under Jeff 
Zients' leadership. And in the lead-up to October 1, that 
wasn't part of my role.
    Mr. Gowdy. When will it be operational to your 
satisfaction?
    Mr. Park. We have a goal that the team is pursuing with 
tremendous intensity.
    Mr. Gowdy. How many more weeks? Because I am going to get 
asked when I go home. I know you can appreciate that. I am 
going to get asked. When will it be operational? When will it 
be as good as it can get? Because you will concede the first 
184 weeks did not go swimmingly. Is it going to be another 184 
weeks?
    Mr. Park. Sir, I think the honest answer is that there is a 
team of incredibly dedicated public servants working hard on 
it.
    Mr. Gowdy. I get all that. I am looking for a number. We 
can interpret the poem later. I am looking for a number.
    Mr. Park. They are working hard to have the site 
functioning by the end of this month smoothly for the vast 
majority of Americans. That is the goal.
    Chairman Issa. The gentleman's time is expired. I might 
stipulate for the record that Mr. Park was at HHS at the time 
of passage, and for that roughly first two years. So his 
expertise does come out of the origin of ObamaCare.
    Mr. Gowdy. My question, Mr. Chairman, was simply if he is 
good enough to be brought in to fix it after the locomotive has 
crashed off the mountainside, where in the hell was he for the 
first 184 weeks when it was being broken? Why wait until it has 
crashed? If he is a savant, and I am convinced he is, where has 
he been? I know the Obama girl was missing. I think they found 
her, actually, the lady from the website, I think they found 
her. But where has he been?
    Chairman Issa. The gentleman's time is expired. We now go 
to the gentleman from Texas. Would the gentleman yield for just 
10 seconds?
    Mr. Farenthold. Certainly.
    Chairman Issa. I want to make a statement, and Mr. Gowdy, 
you are right on that they should have had the A team on this 
and some of the people here today clearly were there for the 
train wreck. I want to note that Mr. Park's duties did not 
include overseeing this website, and I do appreciate the fact 
that it appears as though in 60 days they are going to make 
right what wasn't ready on October 1st. I think that is what 
the gentleman wants to be able to explain back home, is that we 
have been told that November 30th, this will work reasonably 
well. In other words, a 60-day delay or less could have allowed 
this to be launched in a timely fashion. I thank the gentleman 
and ask that his full time be restored.
    Mr. Farenthold. Thank you very much.
    I do want to follow up on that, Mr. Park. There are a lot 
of hedge words in there, vast majority of Americans, mostly 
working. Am I going to be able to go to the IRS and say, it 
didn't work for me, I couldn't get my insurance, I am not going 
to be fined? You have to tell us when it is going to be in good 
shape. Can you give us a date? Is the end of the month 
realistic?
    Mr. Park. The team is working really hard to hit that goal. 
That is what I am able to say right now, sir.
    Mr. Farenthold. As a former web developer, that is what I 
was telling clients when we were going to miss a deadline, we 
are working real hard to meet it. And I am a former web 
developer, certainly nothing of this scope. But with $600 
million I probably could have put together a team to do it, and 
do a better job.
    But I am not going to throw the contractor under the bus. I 
think it is too much money, a lot of issues there. But one of 
the biggest struggle we had when we were developing websites 
was getting stuff from the client, whether it was their copy 
for the text of the website or whether it was the 
specifications. The copy we could change pretty quick, we could 
just cut and paste it out of the email into an HTML editor or 
content manager.
    But when the actual specifications for how it goes change 
up to the last minute, it is very difficult to do. Mr. Chao, 
how late were there substantial changes being ordered to the 
website? Do you have a time frame how long before that October 
1st launch?
    Mr. Chao. I don't think there were any substantial changes 
ordered. It was more a standard practice of looking at how much 
time you have left, watching your schedule very closely and the 
priorities that are set by the business.
    Mr. Farenthold. And then figuring out which corners to cut.
    I want to follow up on a couple of questions that some 
other folks asked that I didn't think got completely answered. 
Mr. Jordan asked you, Mr. Chao, if it was thoroughly tested. 
You said yes, it was thoroughly tested. Mr. Jordan didn't ask 
the next follow-up question, how did it do on those tests, did 
it pass?
    Mr. Chao. If I said thoroughly, I apologize.
    Mr. Farenthold. Maybe he said it was tested.
    Mr. Chao. It was tested under the prescribed, we were 
talking about security testing. So I was saying that it was 
tested under the prescribed security controls.
    Mr. Farenthold. And let me follow up with Mr. Park on 
something Mr. Lankford asked. He was concerned about either 
members of your team or other folks having access to sensitive 
data. Those days you were sleeping on the floor, could you have 
walked in to a server with a thumb drive and walked out with 
people's personal information like Mr. Snowden? Are those 
security risks there?
    Mr. Park. No, I could not have. No.
    Mr. Farenthold. That is a little bit reassuring.
    Let me also ask Mr. Chao or Mr. Powner, with respect to the 
private sector, if there is a data breach or a compromise, your 
credit card information or your personal information gets 
released, there is a Federal law requiring notice. I just got a 
notice from a major software company that my credit card had 
been compromised. Will we find out if our information on 
Healthcare.gov is compromised? Is there a notice requirement? 
Is there something in place? Will we know if that information 
has been hacked and is public?
    Mr. Chao. Yes, there are actually several laws and rules 
that apply, particularly with disclosing any incident or breach 
that involves a person's information.
    Mr. Farenthold. Okay, so there are no special exemptions in 
ObamaCare. We will hopefully find out.
    Again, I am just concerned. We are at a time right now 
where the trust in government has never been lower. We have the 
whole NSA-Snowden incident, we have the IRS looking at people 
for political purposes. You will excuse me if I am concerned 
that we have a massive website that is a target for hackers 
that a lot of people have information to that by definition 
reaches out and touches the IRS and Social Security computers. 
Whenever you connect computers together you open pathways to 
hackers. So I am very concerned about the security issues. I 
just want to make sure we are going to know if there are some 
problems that they are not going to be swept under the rug for 
political purposes.
    Mr. Chao. We worked closely with Frank Baitman's security 
operations at the Department level as well as extensive 
computer testing.
    Mr. Farenthold. And finally, Mr. Chao, you stated earlier 
in your testimony that the anonymous shopping feature, which I 
would love to see, I don't think it is even in place now, but 
it was disabled before the election. We can talk about 
political purposes or not.
    Chairman Issa. I think the gentleman is saying before the 
October 1st launch.
    Mr. Farenthold. It was deleted. Why wasn't the October 1st 
deadline push back because it didn't work? Why wasn't the whole 
thing delayed? When you delayed the anonymous shopping part, 
the part we all feel most safe about, going and finding out how 
much it will cost without revealing personal information, you 
delayed that, why didn't you delay the whole thing when you 
knew it wasn't going to work?
    Mr. Chao. I think anonymous shopper was a very narrow slice 
of looking at what the tradeoffs would be in putting something 
into production as opposed to----
    Mr. Farenthold. Again, I am sorry, I am out of time. But I 
do want to say, with my lack of trust in the Federal Government 
now, I am loathe to put my personal information in and would 
love to shop anonymously, just like I did on some of the 
private exchanges in Texas as I look for what I am going to 
about my personal health care. I don't think you have to give 
up your personal information to get prices for something. You 
don't have to do it on an airline website, you don't have to do 
it on Amazon and you shouldn't have to do it on Healthcare.gov.
    I yield back.
    Chairman Issa. I thank the gentleman.
    Is the gentlelady from New Mexico prepared to go?
    Ms. Lujan Grisham. Yes, Mr. Chairman, I believe so.
    Chairman Issa. You are recognized. Thanks for coming back.
    Ms. Lujan Grisham. Absolutely, thank you.
    Actually, before we start, I realize I wasn't here for this 
statement, but I want to echo what my colleague Congressman 
Lankford said about gaps in coverage. Coming from a State with 
nearly 25 percent uninsured, two things have occurred. One, 
people who as of October 1st couldn't get on the website and 
are continuing to follow this issue very closely, their 
individual or family plans expired or were expiring and so they 
went off the exchange, because they can't get on, and purchased 
brand new policies for another year. Unlike the small 
businesses, they are in that now for a year. And they are 
paying much higher rates than they would have could they have 
gotten on the individual exchange, because New Mexico is a 
partnership State.
    Then second, as December 15th looms ever closer, we know 
that that is another important deadline for many individual 
plans. We have the same issue and I am very concerned about 
that, and I appreciate that it was brought up. So I told you 
about what we are working through. We have been fighting for a 
long time in New Mexico to find ways to have access to 
affordable coverage. I need, we need, my constituents need this 
website to work. We need to enroll in the exchange. I know you 
have heard all day long that we are all frustrated. They are 
frustrated, I am frustrated. And while I wish that we had 
better solutions for them earlier on, my biggest concern is 
that we are reaching a critical point in the implementation 
time line.
    In order to ensure that there is no gap in coverage between 
plan years, individuals and families who would like to choose a 
plan from the exchanges, as I said earlier in my remarks, have 
to be enrolled by December 15th. Your stated goal of fixing the 
website by the end of November leaves very little room for 
error. And I know it is not easy. But while you are here, I 
just want to make sure that for the record, we are emphasizing 
that there is real urgency here.
    Mr. Park, I think that you have a deep appreciation for how 
transformative good technology can be. But I would like to know 
if this is a time constraint that you are aware of, and also 
more broadly if you feel the same urgency that I do about 
getting the site operational for as many users as possible.
    Mr. Park. Absolutely.
    Ms. Lujan Grisham. All right, then, I can imagine that 
leaving your office for at least an entire day would have 
pretty important impacts on your work fixing the website. What 
would you be doing if you weren't here today?
    Mr. Park. I would be working with the team on the site.
    Ms. Lujan Grisham. So Mr. Park, I wish that you were 
working on Healthcare.gov, on the website, right now. And part 
of this committee's job is to ensure that you have all the 
tools and resources that you need to do your job. What else can 
we do to assist you to get this done?
    Mr. Park. Well, again, I am a small part of the broad team 
that is working incredibly hard, led by Administrator Tavenner 
and Jeff Zients, and the CMS team. I would say just one member 
of the team who could be responsive to that. And there are 
requests for assistance, that would be correct.
    Ms. Lujan Grisham. Great. I think we are going to need more 
clarity about that. I also agree with this committee's efforts 
to talk about reforming IT procurement. I don't know if today 
is the day to try to deal with those best practices. Given that 
States do it poorly and the Federal Government is doing it 
poorly and that we have spent millions I guess, the whole 
Country analysis, billions of dollars on IT projects that 
haven't done well anywhere in the public center. We have to 
figure out a better way to do that. I hope that this committee 
will continue to lead that effort in a bipartisan way.
    But I want to go back to the situation that we are in. I 
want to be results-oriented. I want to solve these problems. I 
feel like we shouldn't' be pulling a surgeon from the operating 
room today. So thank you, Mr. Park. I yield back.
    Mr. Park. May I just make one more statement?
    Mr. Cummings. I just wanted you to yield.
    Mr. Park. So do you yield?
    Ms. Lujan Grisham. I do.
    Mr. Park. I just wanted to actually not lose the second to 
last thread that you started, which was IT procurement. I think 
that is a phenomenally important issue. This committee has done 
terrific work on it, I think you can actually do more. So I 
would love to see a high energy bipartisan effort attacking 
this issue from multiple dimensions. I know less about it than 
many people on this committee. What I do know is that there is 
not a single silver bullet. There are decades of practices and 
rules and laws that have actually led to where we are now. But 
I think with a concerted effort, high energy effort, bipartisan 
effort that we could actually take this out and deliver better, 
faster, higher return results to the American people.
    Chairman Issa. I ask unanimous consent the gentlelady have 
an additional 30 seconds. Without objection, so ordered. And 
would you yield to the ranking member?
    Ms. Lujan Grisham. Yes.
    Mr. Cummings. Thank you.
    Chairman Issa. The gentleman is recognized.
    Mr. Cummings. I want to just get to the bottom line here. 
What will happen is that people are sitting there, and I agree 
with the gentlelady, looking at results, when we go back to 
what happened with Lankford and he was trying to get on the 
page, Mr. Park, and he couldn't get there, could you talk about 
that for a minute? Because that is real.
    And there are probably people watching us right now who are 
trying to get on the page. Can you tell us what you are doing 
and how that affects things like that? Because they have 
reporters now that sit on telecasts, and they say, I waited an 
hour, I waited two hours. So tell us how that relates to what 
you are doing, so our constituents can have some kind of 
assurances that things are going to get better. Do you follow 
me?
    Mr. Park. Absolutely, sir. Thank you for the question.
    I will just answer it quickly, because I know we have 
limited time. One, there have been dramatic improvements in the 
ability to, as a consumer, create an account and get on the 
site. And all the metrics that we are seeing, that has been a 
function of basically improving the ability of that pat so it 
can handle volume through capacity expansion, software work and 
also fixing bugs. So many, many more people are actually able 
to get through now than at the beginning.
    That being said, it is not perfect yet, so I actually would 
really love to follow up with the Congressman to understand his 
particular use case and dial that back to work with the team.
    Also, there are folks who early on got caught in the middle 
of that cycle and are stuck there. Those are folks that CMS is 
now reaching out to, as we talked about earlier in the hearing, 
to actually get them through the process cleanly. So it is an 
issue that actually I think has been in large part addressed 
but there is still work to do. I do want to follow up with the 
Congressman and understand the specific use case he has had and 
his situation so we can figure that out.
    Chairman Issa. Thank you.
    Now as we go to Mr. Massie, who from a standpoint of his 
education and known IQ, could in fact rival you as the smartest 
guy in the room.
    Mr. Massie. No, I am from the trade school that is a mile 
down the river from your arts school that you attended.
    Chairman Issa. You had better share that with the rest of 
the world.
    Mr. Massie. I went to MIT, you went to Harvard.
    Mr. Park. You could definitely kick my butt, sir.
    [Laughter.]
    Mr. Massie. Maybe we could share some numbers later. I am 
sure we share an affinity for numbers.
    But first I want to talk about the final security control 
assessment that was prepared by MITRE, and just read a little 
bit of that. It says MITRE was unable to adequately test the 
confidentiality and integrity of the HIX access in full. The 
majority of MITRE's testing efforts were focused on testing the 
expected functionality of the application. Complete end-to-end 
testing of the application never occurred.
    So this was MITRE's final security control assessment. And 
we are throwing around a lot of three-letter acronyms, HIX, 
CMS, ATO. But I have a document that has CYA written all over 
it here, Mr. Chao. You wrote a letter, and this is the final 
ATO, or authority to operate, to Marilyn Tavenner, which she 
signed off on. In this letter, you stated, ``Due to systems 
readiness issues, the SCA,'' and that is security control 
assessment, ``was only partly completed. This constitutes a 
risk that must be accepted and mitigated to support the 
marketplace day one operations.''
    In this sentence here, and this was written on September 
27th, or certainly signed off on September 27th, were you 
trying to tell your boss that there is a risk and I am not 
going to accept it, but you must accept this risk, we can 
either delay the date or we can accept the security risk?
    Mr. Chao. I think I was outlining more of a generalized 
risk acceptance with a fairly significant rollout of the 
marketplace system.
    Mr. Massie. But that risk existed because there had never 
been an end-to-end security test on this, is that true? That is 
basically what the letter states here.
    Mr. Chao. I think in previous testimony I have also said 
that end-to-end is a highly subjective term.
    Mr. Massie. If it is subjective, how are you going to get 
it done in 60 to 90 days?
    Mr. Chao. It depends on the scope of what you are trying to 
put in production.
    Mr. Massie. Well, the scope is, is our data safe? Is the 
personal information that Americans enter into the system going 
to be safe? For instance, in this same letter, and it is a very 
short letter, signed by Marilyn Tavenner on September 27th, you 
suggest that we conduct a full security control assessment, so 
I will let you define what that is, in a stable environment, 
which implies that you don't have a stable environment right 
now, where all security controls can be tested within 60 to 90 
days of going live on October 1st.
    Here is what troubles me about this letter. You are 
basically saying, look, we can go live but there are going to 
be security risks. But let's test it on real people's data, on 
real personal information. Let's test it for 60 to 90 days.
    Mr. Chao. No, that is not what I said. That is not what the 
memo alludes to. When we do security testing, we don't do it in 
terms of using live people's data. We do security testing in a 
pre-implementation environment prior----
    Mr. Massie. Well, I would contend we are beyond pre-
implementation. We are testing this in the real market and it 
is failing.
    You said that the format of this ATO is not typical, is 
that true?
    Mr. Chao. It is true.
    Mr. Massie. So you have never seen that sort of format 
before. Is it a problem that you were not given the final 
security control assessment prior to authoring the ATO, 
authorization to----
    Mr. Chao. I don't think that is necessarily a problem, 
because my staff were copied on it.
    Mr. Massie. But you didn't get to see it. You said, 
actually I didn't get a copy of the final ATO.
    Mr. Chao. Correct.
    Mr. Massie. Those are your words.
    Mr. Chao. Because I was with the information systems 
security officer in Herndon when these tests were being 
conducted. It was determined that there was no high finding----
    Mr. Massie. As the person with responsibility for the 
authorization to operate, I think you should have been at your 
desk reading the final security control assessment.
    Mr. Chao. I was there in person.
    Mr. Massie. But I am glad to see that you covered yourself 
by putting this sentence in here.
    Mr. Chao. That was not to cover myself. That was a decision 
memo between her and I.
    Mr. Massie. Are any among you today willing to bet your job 
that thousands of people's personal data won't be released 
because of implementation of this website?
    Chairman Issa. That is certainly a yes or no question.
    Mr. Massie. That is a yes or no question.
    Mr. Chao. They are trying to ask us to predict something 
that security vulnerabilities are as, some folks have mentioned 
before, it happens every day. That is why we do security 
testing.
    Mr. Massie. Obviously from the documents here, you weren't 
comfortable with this, you were trying to transmit to your 
boss, let me just read your words again, ``This constitutes a 
risk that must be accepted and mitigated to support the 
marketplace day one operations.'' In other words, to launch 
this thing by October 1st you were telling your boss she is 
going to have to accept some risks that are not normal for 
this.
    [Simultaneous conversations.]
    Chairman Issa. Quickly. The gentleman's time is expired.
    Mr. Massie. Okay. Mr. Park, we have Mr. Chao saying 17,000 
users an hour can subscribe. And we have Mr. Lankford who has 
been waiting for over an hour and a half. We have five orders 
of magnitude difference between those two numbers. Which is 
closer to the truth?
    Chairman Issa. The gentleman may answer.
    Mr. Massie. How many people an hour are able to enroll in 
healthcare?
    Chairman Issa. The gentleman previously said 17,000. Is 
that correct?
    Mr. Park. Seventeen thousand registrations for new account 
per hour is the number that we have.
    Mr. Massie. I imagine you have a war room somewhere where 
you are directing these operations and you have some big 
number. The only number that matters, how many are enrolling? 
How many are enrolling right now per hour? Can you tell us?
    Mr. Park. Actually what the war room tracks----
    Mr. Massie. Just a number. Come on. We both love numbers.
    Chairman Issa. Let the gentleman answer. Your time is 
expired, please. It is a Harvard-MIT problem, I think.
    [Laughter.]
    Mr. Park. In terms of enrollment numbers, those are going 
to be released by the Administration shortly.
    Chairman Issa. I thank the gentleman. We now go to the 
gentleman from Pennsylvania, Mr. Cartwright.
    Mr. Cartwright. Thank you, Mr. Chairman.
    The Affordable Care Act was passed into law in 2010. It 
seeks to increase competition in the marketplace, to help bring 
down health care costs. It ends the practice of denying 
coverage to those with pre-existing conditions, bans annual and 
lifetime limits on health care benefits, it also enable parents 
to keep their children on health care until they are 26 years 
old, and it makes small businesses eligible for tax credits to 
ease the burden of employee coverage.
    The law also works to strengthen Medicare and will make 
prescription coverage for seniors more affordable. These tax 
credits are desperately needed in my district, where nearly 9.4 
percent of my constituents live below the poverty line; 70,000, 
that is 10.5 percent, do not have health insurance in my 
district, including 6,500 children. They will be able to 
utilize the subsidies offered under the Affordable Care Act 
finally to get health care.
    Now, I also want to get to the bottom of what is going on 
with this website, Healthcare.gov, and I support oversight 
hearings for that purpose. However, this hearing, like so many 
previous hearings this committee has held, is clearly an 
extension of the politically motivated repeal or delay agenda 
that some of my friends on the other side of the aisle have 
been pushing since this law was first passed in 2010.
    It seems to me that if the chairman really were so worried 
about getting this website fixed, so that people could actually 
access affordable health care, he would not have subpoenaed Mr. 
Park to come in and testify today. In fact, Mr. Park agreed to 
testify before this committee just two and a half weeks later. 
But the chairman refused that offer and subpoenaed him anyway. 
The chairman's subpoena, combined with the constant releasing 
of partial transcripts, taking witnesses' quotes out of 
context, it seems like it is part of a predetermined political 
strategy rather than a constructive effort to conduct 
responsible oversight as this committee is supposed to do.
    In fact, although the chairman claimed otherwise in his 
opening statement here today, the House Republican Conference 
is politicizing this issue. And here is the proof. They have 
issued a playbook to Republican Members, and they actually call 
it that, a playbook, right on the cover of the thing. It 
doesn't say how to fix problems with the website or improve the 
process, or work to ensure Americans health care. It tells them 
how to exploit any challenges or glitches for their own 
political gain.
    I am not saying all Republicans are doing this. But it 
certainly seems to me in this forum that the chairman of this 
committee is.
    Chairman Issa. Would the gentleman like to place that into 
the record? Because I haven't seen it.
    Mr. Cartwright. Yes.
    Chairman Issa. Without objection, so ordered.
    Mr. Cartwright. It is my hope that we can have oversight 
without this kind of gamesmanship and partisan politics as this 
committee has been able to do in the past. I really would like 
to get to the bottom of what is going on with the website, 
because I want my constituents to be able to sign up for 
quality, affordable health care.
    Mr. Chao, on November 7th, Chairman Issa issued a press 
release with the headline ``AACA Testing Bulletin: 
Healthcare.gov Could Only Handle 1,100 Users Day Before 
Launch.'' He then accused Jay Carney and Mr. Park of making 
false statements to the American people by suggesting that 
officials estimated capacity at about 60,000. That is what the 
chairman said, ``Jay Carney is being paid to say things that 
aren't so. But in this case, Todd Park and other people who 
knew the facts, who had to know the facts, and the facts were 
from documents we received from lead contractors that slowed 
down to an unacceptable level at 1,100 users. Well, in fact, 
Todd Park was telling us that at 60,000 was the target and at 
250,000 they just couldn't handle it.''
    As the basis for that allegation, the chairman quoted from 
a testing document that he released which says this, ``Ran 
performance testing overnight in IMP1B environment, working 
with CGI to tune the FFM environment to be able to handle 
maximum load. Currently we are able to reach 1,100 users before 
response time gets too high.''
    Mr. Chao, it is my understanding that the IMP1B environment 
was only a sample testing environment, not a test of the full 
production capacity of the entire website. Am I correct in 
that?
    Chairman Issa. The gentleman's time has expired, but the 
gentleman may answer.
    Mr. Chao. You are correct, the what we call implementation 
1B environment is about 10 percent the size of the full 
production environment.
    Mr. Cartwright. Thank you. I yield back.
    Chairman Issa. I thank you. We now go to the gentleman, Mr. 
Meadows. Mr. Meadows, would you yield for just 10 seconds for a 
comment?
    Mr. Meadows. Certainly, Mr. Chairman.
    Chairman Issa. I never could quite understand how this 
thing could handle 60,000 simultaneous users but only do six in 
a day. So maybe unlike some of the smart people here, I just 
don't get it. But six in a day doesn't seem like 60,000 
simultaneous users. I thank the gentleman.
    Mr. Meadows. Thank you, Mr. Chairman, and thank each one of 
you for coming to testify. Mr. Park, you are not old enough 
probably to remember this, but I remember the Six Million 
Dollar Man. You are now the $600 million man, because you are 
coming in to fix all this. So we are hopeful that you, based on 
the people that I represent, that you are successful by 
November 30th.
    We do want to ask you, though, how do we define success? 
Because the talking points are all that it is going to be fixed 
for the vast majority of Americans as they go on. And we see 
Mr. Lankford here, he can't get on. So what is success? Is it a 
98 percent without wait time? How do we define success so on 
December 1st, we will know whether you were worth $600 million 
or not?
    Mr. Park. Thank you for your comment sand your question. 
First of all, I am just a small part of the team working to fix 
this.
    Mr. Meadows. So what is success?
    Mr. Park. Success is, first of all the site will most 
definitely not be perfect.
    Mr. Meadows. But when the President asks you, were you 
successful, how do you define success?
    Mr. Park. First of all, on a system that is stable, so it 
is actually up and running consistently.
    Mr. Meadows. What percentage of the time? Ninety-eight 
percent of the time?
    Mr. Park. One proxy that we are using actually is, for its 
performance in general is response time and error rate. And if 
the system actually has issues and goes down then actually 
these things can then exacerbate those rates.
    Mr. Meadows. I am going to run out of time. What I would 
ask you to do is, for the record, get to the committee what we 
can look to so we can disseminate to all of America on what 
success is, so on December 1st, we will all know.
    Mr. Park. I will take that back, absolutely.
    Mr. Meadows. All right, thank you.
    Mr. Chao, much of your testimony is, I have read some of 
your testimony and it seems to be a little different. But I 
also know that you had several meetings, ongoing meetings with 
White House staff over this process, is that correct?
    Mr. Chao. I accompanied Marilyn Tavenner and other 
directors, such as Gary Cohen.
    Mr. Meadows. So how many times were you at the White House?
    Mr. Chao. Over the course of three years, maybe less than 
two dozen times.
    Mr. Meadows. Because the logs suggest 29 times, is that 
correct? Would that be in the ballpark?
    Mr. Chao. That might not be accurate, because some meetings 
were----
    Mr. Meadows. Who conducted these meetings? Jeanne Lambrew?
    Mr. Chao. I believe her name is pronounced Lambrew. There 
were meetings conducted by her. Also, I met with Steve 
VanRoekel.
    Mr. Meadows. In those meetings? So you all were a part of 
those meetings?
    Mr. Chao. No Steve chaired a----
    Mr. Meadows. I am asking about the White House meetings. So 
there were 29 White House meetings of which you had this group. 
Who were the people in the room? Were you in there?
    Mr. Chao. I am not trying to be difficult, but there are 
different parts of the White House. There is a White House 
conference center.
    Mr. Meadows. Okay, the meetings with Jeanne, she was 
leading, the 29 meetings, about two dozen.
    Mr. Chao. That was probably less than a handful.
    Mr. Meadows. Okay. I guess my question is, I am a little 
confused how the President would be surprised that this was 
such a debacle on October 1st if you all were meeting regularly 
with the White House. Why would they be surprised on October 
1st that it didn't roll out the way everybody thought it 
should?
    Mr. Chao. I think the subject matter, at least with my 
attendance being there, was to discuss things such as the 
status of the Hub development.
    Mr. Meadows. So did anybody express concern that there was 
a problem, that October 1st there was going to be a problem?
    Mr. Chao. No.
    Mr. Meadows. There was no one in that room? We had all the 
brightest minds in the world in this room and no one 
anticipated a problem on October 1st?
    Mr. Chao. They were highly specific issues, such as working 
on 6103 requirements with IRS, Privacy Act implementation with 
SSA, they are very operationally specific.
    Mr. Meadows. So you all weren't meeting on how the website 
was going to work?
    Mr. Chao. Not meetings--my meetings were more operationally 
focused about implementation.
    Mr. Meadows. So it is plausible that the President would be 
surprised that this wasn't going to work, based on those 
meetings?
    Mr. Chao. I wouldn't know that.
    Mr. Meadows. So who would have been in the best position to 
be able to advise the President that we were going to have this 
unmitigated mess? Anybody in that room? Who should we bring 
back here, I guess is what I am saying, Mr. Chao, that can help 
the American people understand why this was such a fiasco?
    Mr. Chao. I really don't have an answer to that.
    Mr. Meadows. Mr. Chairman, I yield back. It is amazing how 
we could find how you can't answer a simple question for the 
American people.
    Mr. Chao. I don't think that is for me to decide.
    Mr. Meadows. I asked the question. It is for you to answer.
    Mr. Chao. Okay, so my answer is, it is not really for me to 
decide.
    Chairman Issa. Mr. Meadows, your time is expired and I 
strongly suspect that as is often said in politics, success has 
many fathers, quite a few mothers, plenty of relatives, but 
failure is an orphan. You are going to find an orphan here, if 
I have ever heard or seen one.
    With that, the patient gentleman from Massachusetts, Mr. 
Lynch, is recognized.
    Mr. Lynch. Thank you, Mr. Chairman.
    I want to thank the members of the panel for coming forward 
and their willingness to help the committee with its work.
    I do want to say just at the outset that my experience in 
Massachusetts with the Massachusetts health care, so-called 
RomneyCare, that was a precursor to this in many ways, I am 
speaking of the Affordable Care Act, also rolled out very, very 
slowly. That is my experience, being on the ground in 
Massachusetts when that plan went forward. So it was very slow 
in ramping up. Of course it didn't have the urgency of this 
program. It was sort of planned that way.
    I also remember the Medicare Part D Act, which was a 
Republican initiative, also rolled out extremely slowly. I know 
a lot of my seniors, I had to do 16 town halls around my 
district to try to tamp down the backlash because of the 
slowness of how that was ramped up. So this is not, this 
experience is not out of line with those other two programs. So 
I just wanted to make that note.
    I have had a chance to go out and talk to some of the 
outreach workers. A lot of the outreach on the Affordable Care 
Act in my district is being conducted through the local 
community health centers. I have basically an urban district. 
So the health center employees are going out and signing people 
up.
    One of the concerns that they have raised is that the 
Affordable Care Act is so focused and sort of facilitated by an 
email address. People have to have an email address in order to 
interact with this whole thing. If you look at the demographic 
of the 31 million people who we are trying to get health care 
to that were not receiving health care before, the poor, the 
elderly, that is a high correlation between folks who didn't 
get health care before and don't have an email.
    So the outreach workers, when I said what is your biggest 
problem, they said, well, when we are working with the elderly 
and we are working with low income families, the poor, they 
don't have an email address. And the system we have is 
basically, it requires an email address. To do it otherwise, to 
scratch that itch, we are somehow going to have to close that 
gap. Because a lot of these folks don't have email addresses 
and yet they are the very people that we are trying to get 
health care to.
    Has any thought been given to, look, this was supposed to 
be the easy part, getting people up on the grid. I am not 
talking about making health care affordable or high quality 
health care or making sure access is there. Just getting up on 
the grid, this was supposed to be the easy part.
    So I am concerned, I am concerned about where we are today 
and where we need to get to in order to meet any definition of 
success. So what are we doing about those people, who don't 
have an email address because they are poor or elderly, they 
are not on the grid? How are we going at them? Anybody got an 
idea?
    Mr. Chao. We do operate call centers. We have 12 call 
centers in which people can work with a live person online to 
fill out the application and to go through their determination 
process and to select a plan.
    Mr. Lynch. Yes, but at least the workers I have talked to 
have said it is like 31 or 34 pages. Do they have to go through 
a 34 page application on the phone?
    Mr. Chao. I think what happens, the call center experience 
is, isn't you are necessarily filling out a paper application. 
You can start that way and submit it that way. But I think you 
can also start with a call center representative.
    Mr. Lynch. Well, I am not so sure that is working. That 
might be part of our problem. I have a district where I have a 
lot of seniors, a lot of folks that are struggling. So we have 
to figure that one out.
    Mr. Chao. We can certainly confirm that, that process or 
that procedure.
    Mr. Lynch. That will help.
    The other situation is this. At the same time that we are 
trying to get this up, get people on the grid, we have 
employers that are making decisions not to continue health care 
plans for their employees. So they are unplugging and they are 
sending people to the exchanges. So I have employers out there, 
a lot of them in the construction industry, that are saying, I 
know I used to provide health care for you, but now I want you 
to go to the exchanges and get them. So they are unplugging, 
they used to provide health care. And now these employees in 
the construction industry are trying to plug in. And they are 
having these problems.
    I am wondering, is there any way to sort of make sure that 
that unplugging doesn't occur until we have a platform that we 
are confident people can plug into? I think there is going to 
be a gap here. It concerns me greatly that we have so many 
people in the construction industry that are, and I have met 
with union employers, about 50 union employers and about 35 
non-union or open shop employers that are both having the same 
problem. I think there is a mismatch in what is going on here, 
where the employers are disengaging and sending their employees 
to the exchanges. And when they try to go to the exchanges, 
they are having problems signing up. I am wondering if there is 
some corrective action that we might be able to take, either 
delaying the process for employers to disengage or just giving 
people time to hook into the system that is not ready for prime 
time.
    Chairman Issa. The gentleman's time is expired. The 
gentleman may answer. If the gentleman would yield just 
briefly?
    Mr. Lynch. Sure.
    Chairman Issa. I was hoping you would suggest the question 
of, can't we do this by mail.
    [Laughter.]
    Mr. Lynch. That is an inside joke.
    Chairman Issa. But in all seriousness, the fact is that if 
somebody doesn't have email capability, why couldn't they make 
a call to a call center, receive those many pages, fill out 
that paperwork, return it in a self-addressed stamped envelope, 
so that in fact the Post Office could ensure that the elderly 
people not comfortable with email and so on.
    Mr. Lynch. Well, it is just my thought, and I won't take 
longer time than you did, but I know that generally, we are 
trying to get away from a paper process. So I suppose as a 
little inefficient it might be necessary, but it is not the 
ideal now.
    Mr. Chao. Could I just answer that? It is not really, we 
are not considering that as a last resort, because paper is a 
last resort, but we do make accommodation, if you want to start 
the process in paper, you can, and then mail it in to our 
eligibility support worker contract, which will then take you 
through the rest of the process.
    Chairman Issa. I thank you.
    And with that we go to the gentleman from Michigan, Mr. 
Amash.
    Mr. Amash. Thank you, Mr. Chairman. I am going to yield my 
time to my friend, the gentleman from Ohio, Mr. Jordan.
    Chairman Issa. The gentleman from Ohio is recognized, and 
without objection, the gentleman from Ohio will be able to 
control the time.
    Mr. Jordan. I thank the gentleman for yielding.
    Mr. Park, Mr. Meadows asked the pertinent question. There 
were a series of meetings held at the White House, weekly 
meetings that were presided over by folks in the White House. 
Mr. Meadows asked who were those people who need to come in 
front of this committee who can answer the questions. The 
questions like, why didn't you know that the security 
assessment wasn't completely done end-to-end testing? Who can 
answer the questions about why you decided to go ahead and 
launch this on October 1st?
    And we know who that person is, because according to the 
Washington Post story, November 2nd, a memo that they got from 
David Cutler spells it out. Mr. Cutler said, we need to put 
someone from the private sector in charge, someone who has run 
a business, someone who has that kind of experience and 
expertise. And the President said no, he had already put in the 
article, he had already made up his mind, Nancy Ann DeParle is 
that person.
    So that is the person we need, Mr. Chairman.
    And Mr. Cutler also points out, Mr. Meadows referenced this 
as well, according to the memo, the overall head of 
implementation inside HHS was Jeanne Lambrew. So those are the 
two people we need. Would you agree, Mr. Park, they need to 
come here and tell us what took place, why these decisions were 
made, why it was done the way it was done, these are the two 
key people? This is the lady the President said, no, that is 
who I want in charge. Even though Peter Orzaq, Larry Summers, 
Zeke Emmanuel and David Cutler said, put someone else in 
charge, the President said, no, I want Nancy Ann DeParle in 
charge, don't you think she should come in front of this 
committee, Mr. Park?
    Mr. Park. Respectfully, I can't really speak to that, sir.
    Mr. Jordan. I know. We are probably going to have to do the 
same thing for her that we did for you, we are going to have to 
subpoena them. Because yesterday, last week, the Chairman and I 
sent a letter to the White House asking that simple question, 
would Ms. DeParle, the person hand-picked by the President to 
run this operation, would she come in front of this committee 
and testify about this disaster this rollout has been, and 
would Ms. Lambrew come as well. And the response we got back 
yesterday from the White House was, thank you for inviting us, 
but we are not coming.
    So it looks like we are going to have to do the same thing, 
Mr. Chairman, that we had to do with Mr. Park, to get the two 
key people to come here.
    Now, according to White House logs, Mr. Chao, you testified 
you had been there been 10 and 29 times to these meetings, and 
Mr. Park, nine times according to White House logs, you have 
been to nine of these where Jeanne Lambrew ran the meeting. Is 
that correct, Mr. Park, you went to the White House when Ms. 
Lambrew ran these weekly meetings?
    Mr. Park. I can't verify that.
    Mr. Jordan. But that is what the visitors log says. Were 
you in meetings with Nancy Ann DeParle and Jeanne Lambrew at 
the White House?
    Mr. Park. From time to time, yes.
    Mr. Jordan. And of course the meetings were about the 
rollout of the Affordable Care Act and the website?
    Mr. Park. As I recall, there were different kinds of 
meetings that I attended from time to time.
    Mr. Jordan. Were they about ObamaCare, Mr. Park?
    Mr. Park. They were about the Affordable Care Act.
    Mr. Jordan. Right. And what is your official title? You are 
head of information technology for the entire United States? 
That is your title? So I assume it was about information 
technology, correct?
    Mr. Park. No, actually, sir, first of all, I am a 
technology and innovation policy advisor in the Office of 
Science and Technology Policy. So I am not the head of IT for 
the U.S. Government, just to clarify. And I can't actually 
recall, like for the meetings, what particular topics were 
discussed, off the top of my head. So unless there is more 
specificity.
    Mr. Jordan. At any time during these nine different 
meetings you had, or more, for that matter, meetings you had, 
was the rollout of ObamaCare discussed and the concerns about 
this thing not being ready on October 1st?
    Mr. Park. Again, without more specificity----
    Mr. Jordan. Mr. Chao, on these meetings, who ran the 
meetings that you attended 29 times at the White House? Who was 
in charge of running the meetings then? Were any of those 
meetings run by Ms. Lambrew or Ms. DeParle?
    Mr. Chao. I don't think it was 29 times.
    Mr. Jordan. You testified between 10 and 29. So whatever 
the numbers, in those meetings when you were at the White 
House, were any of those run by Jeanne Lambrew or Nancy Ann 
DeParle?
    Mr. Chao. One was run by Nancy Ann and one, just a couple I 
attended that was with Jeanne Lambrew. And as I mentioned 
before, my role was to provide a five-minute status on Hub 
development.
    Mr. Jordan. I am not worried so much about your role. I 
just want to establish the fact that you were at the White 
House between 10 and 29 times. Mr. Park was there nine times. 
Mr. VanRoekel, how many times were you in these weekly meetings 
at the White House?
    Mr. VanRoekel. I don't recall. I didn't attend any weekly 
meetings.
    Mr. Jordan. Were you in any meetings with Jeanne Lambrew or 
Nancy Ann DeParle?
    Mr. VanRoekel. I have been in the company of those two 
people.
    Mr. Jordan. Regarding the Affordable Care Act?
    Mr. VanRoekel. Maybe once or twice.
    Mr. Jordan. Okay. Mr. Chairman, my time is expired. But 
those are the two people, those are the individuals that need 
to come in front of this committee. And we can't accept the 
fact that we get a letter from the White House that says thank 
you, but we are not coming.
    Chairman Issa. I thank the gentleman. I would note for all 
members that there is a vote out on the Floor. We are going to 
go until the very last minute. What I would ask is, if Mr. 
Bentivolio or Mrs. Lummis, do either of you have specific 
questions for Mr. Park?
    Mrs. Lummis. I do not.
    Chairman Issa. Then Mr. Park, because we would otherwise 
keep you for longer than I think is necessary, I want to thank 
you for being here. I apologize to the other witnesses, you get 
to stay through the vote. But Mr. Park, you have been a very 
cooperative witness. I appreciate your being here. I believe 
you are being here as a person we are going to look to to get 
this right by November 30th. It was critical I appreciate your 
being here and without objection, you are dismissed.
    Mr. Park. Sir, just one more request?
    Chairman Issa. Sure.
    Mr. Park. Would someone send me contact info for 
Congressman Lankford, just so I can follow up?
    Chairman Issa. We will have that contact information given 
to you. I will do one other thing quickly. If when you go back, 
since you are a Federal employee, go to the FEHBP website. What 
you will find there in a .pdf form is a spreadsheet. Now, Mr. 
Chao seems to think that it was not important to give people a 
shopping list. But I will tell you, if you are Federal 
employee, postal or non-postal, you can go to that website, you 
can look at every single plan and it will tell you how much the 
annual rate is, the bi-weekly rate, how much your government 
pays for you and how much you will pay by plan.
    Now, that doesn't let you endlessly look at the details of 
the plan. But for 230-plus plans spread over not just 50 States 
but the District of Columbia and Puerto Rico, we provide this 
to the Federal workforce. I might suggest that if you can't get 
some form of legitimate, open shopping list up quickly, that 
currently telling people what their rate is, if they are 27 or 
50, is disingenuous, because it distorts what the real rates 
are. And that a splash page like this, or a .pdf, so people 
could look at all the plans, and by age, depending upon what 
their age is, they would know what the rate is, could be done 
in a matter of hours by a tenth grader.
    And that might suffice until this program is available.
    Mr. Chao. Can I make a comment really quickly? In my oral 
remarks, I mentioned that we are working on a premium 
estimation tool that will give you more details than just the 
very coarse under 49, over 50, so that you can browse plans. We 
are working on that.
    Chairman Issa. But understand, your under 50 is 27, your 
over 50 is 50. That misstates, because it is age-based, it 
misstates the truth. If you were picking it, you should have 
picked 64 and 29, and you would have gotten much higher rates, 
if you are going to give anecdotal. But the truth is, a simple 
spreadsheet that Microsoft, forget about Microsoft, Supercalc 
could have given you that spreadsheet before many of my staff 
were born. And that could have been made available very 
quickly.
    So I might suggest that the American people deserve to know 
that a plan based on their age is X amount and a free look 
would be very helpful. I commend you to look at FEHBP and what 
we do for ourselves as Federal employees.
    And with that, I am going to go to the gentleman from 
Michigan, I believe we have time. Mr. Bentivolio.
    Mr. Bentivolio. Thank you very much, Mr. Chairman.
    Gentlemen, are you familiar with Brook's law? Anybody? 
Brook's law? That is the first thing you learn in software 
development. You need to divert developers to training new 
developers you added to the project, which kind of tells me 
that November 30th rollout is another hope and a dream.
    Are you familiar with this, Information Technology, 
Critical Factors Underlying Successful Major Acquisitions, 
dated October 2011, nine best practices?
    Mr. Chao. I think I perused it.
    Mr. Bentivolio. Oh, good. So you are familiar with, well, 
you perused it, you didn't study it, apparently you didn't.
    Mr. Chao. I was busy working on the marketplace program. So 
I don't have a whole lot of time to read a lot of other 
materials.
    Mr. Bentivolio. Are you familiar with this fix that you are 
putting in for ObamaCare, you are diverting people that 
understand the software to train people, additional people to 
come in and fix the problem?
    Mr. Chao. Yes, I think that is what is happening now.
    Mr. Bentivolio. You think. Okay. I am going to list three. 
Program officials, three of the nine best practices essential 
to IT, which you did not implement. Program officials were 
actively engaged with stakeholders, ObamaCare rollout 
apparently lacked senior oversight for most senior technology 
officials, including Federal CIO, Federal CTO and HHS CIO.
    Mr. Powner, what should take from this report?
    Mr. Powner. Clearly, those are best practices. What we did, 
that was a report that we did, we always report on failures. So 
we actually went to ten agencies and we asked them for a 
success story. So there are seven successful acquisitions in 
there and we asked why they were successful. None of that is a 
surprise. It is defining your projects right up front, putting 
the right people in charge, good communications with 
contractors and managing best practices throughout the life 
cycle.
    So it is something everyone at this table knows needs to be 
done on successful acquisitions. Mr. Chairman, I think FITAR 
and where we look at the acquisition process, and the whole 
bit, that is fine, that is going to be very helpful. But a lot 
of this just gets down to solid governance and good management 
and the right attention on these projects. That is what those 
practices really highlight.
    Mr. Bentivolio. Thank you. Mr. Chairman, I would like to 
yield the rest of my time to Mr. Meadows. Thank you.
    Chairman Issa. The gentleman is recognized.
    Mr. Meadows. I thank the gentleman from Michigan. And I 
have a question. I have been running the numbers, and my 
understanding is, we are creating this site to create a system 
that is available for 17,000 users per hour, is that correct?
    Mr. Chao. The way it was described is that the first part 
of the process is, you have to register for an account. That 
current capacity is running at 17,000 registrations per hour.
    Mr. Meadows. So what are we building the system to be able 
to handle in terms of capacity, 17,000 or higher than that?
    Mr. Chao. It is approximately 48,000 to 58,000 users in the 
system. By that I mean you could be on the learn side just 
looking at static web pages to actually actively filling out an 
application.
    Mr. Meadows. What is the smallest end of the conduit? What 
truly is it, 17,000, 25,000 or 43,000? What is our smallest 
ability in terms of volume to handle in terms of capacity?
    Mr. Chao. I think right now there is about, on average, 
somewhere between 22,000 to 25,000.
    Mr. Meadows. So that is what we are building the capacity 
to, 25,000?
    Mr. Chao. Per hour it is sitting right around that.
    Mr. Meadows. And that is what we are building it to, that 
is the specs?
    Mr. Chao. Actually a little exceeding that. For example, 
the front part, identity management part, we are going to apply 
some improvement that is going to go to 30,000 registrations 
per hour.
    Mr. Meadows. Let me tell you the reason why I ask. I have 
done the numbers. If you take the number of uninsured Americans 
that are out there, and if they got on the system today, 24 
hours a day, which we know doesn't happen, it would be 43,000 
people an hour. So we are building a system that won't even 
take care of the uninsured people that we have right now. So 
how are we going to be successful?
    Mr. Chao. I would like to look at your calculations.
    Mr. Meadows. It is 50 million people, you can do it over 
the next 48 days.
    Mr. Chao. I don't think the estimates were there.
    Mr. Meadows. I know the estimates weren't there. But if you 
do the math, that is what works. I yield back.
    Chairman Issa. I thank the gentleman, and I am sorry that 
you have to look at his figures, that in fact the burn rate 
necessary to get done wasn't understood from day one, and the 
surge requirement at 4:30 in the afternoon or 5:30 in the 
afternoon Pacific Time wasn't in fact what you were looking at. 
I know Mr. VanRoekel would understand that you need two or 
three or four times the highest capacity to deal with when 
people actually are going to log on and try to do it.
    Mrs. Lummis is recognized.
    Mrs. Lummis. Thank you, Mr. Chairman.
    Mr. Chao, you said that NIST defines high risk as a 
vulnerability that could be expected to have a severe or 
catastrophic adverse effect on individuals or organizational 
operations or assets. I want to focus on the part about the 
severe or catastrophic adverse effect on individuals.
    Is it true that there were two high risks that continue to 
be found related to the marketplace information systems that 
you weren't told about at the time?
    Mr. Chao. I think you are referring to the September 3rd 
authorization to operate.
    Mrs. Lummis. I am.
    Mr. Chao. Those two findings were, I think earlier in the 
hearing today, we clarified that that was dealing with two 
components of the marketplace systems that deal with plans 
submitting dental and health plan information, qualified health 
plan, and didn't involve any personally identifiable 
information.
    Mrs. Lummis. The memo I have is redacted. So it doesn't, I 
don't have the information that you just testified to because 
of the redactions in the memo. So maybe that is correct, maybe 
it is not. Are you testifying that that is absolutely what it 
is about?
    Mr. Chao. Yes, because I saw an unredacted version that was 
handed by committee staffers to me last week. And if it has 
been redacted, it has been redacted by someone else.
    Mrs. Lummis. Did one of the risks outlined in this memo 
pertain to the protection of financial or privacy data?
    Mr. Chao. I don't have it right in front of me. I think 
there was an appendix section. But I don't recall seeing that.
    Mrs. Lummis. So you don't know whether financial and 
privacy data were outlined as a risk in this memo?
    Mr. Chao. I don't believe so, because it dealt with our 
plan management or our qualified health plan submission module, 
which are data that is submitted by issuers and dental 
providers.
    Mrs. Lummis. Is it true that the internal memo, this memo, 
outlined one of these risks as the threat and risk potential 
are limitless?
    Mr. Chao. No. I think it is referring to a very specific 
type of risk when you allow an upload of a file that has an 
internal macro that runs. But it is not about people. This is 
not personally identifiable information.
    Mrs. Lummis. What is it about?
    Mr. Chao. It is plans submitting their network adequacy. It 
is basically worksheets that contain information about the 
benefit data that each issuer submits.
    Mrs. Lummis. Okay. I am going to switch gears. Mr. Chao, 
did you brief White House officials prior to October 1st about 
the status of the website?
    Mr. Chao. No, not directly about the website.
    Mrs. Lummis. Who did?
    Mr. Chao. I don't know.
    Mrs. Lummis. Mr. Baitman, did you?
    Mr. Baitman. I did not.
    Mrs. Lummis. Mr. VanRoekel, did you?
    Mr. VanRoekel. Not only do I not know that that happened, I 
don't know and I did not.
    Mrs. Lummis. When Mr. Jordan asked you some questions, one 
of the things that he asked you was about your involvement in 
meetings. He was specifically referencing Ms., I am looking for 
the name. Well, let me just ask you this. Were any of the 
meetings you attended at the White House?
    Mr. VanRoekel. It depends how you describe the White House.
    Chairman Issa. The White House includes Treasury, the Old 
Executive Office Building, the New Executive Office Building, 
and the White House proper at a minimum.
    Mr. VanRoekel. I didn't know if you were talking about 
physical or organizational.
    Chairman Issa. Organizational.
    Mr. VanRoekel. I work in an agency that is part of the 
Executive Office of the President. So every meeting I have is 
considered sort of part of that organization.
    Mrs. Lummis. And was Ms. Lambrew present?
    Mr. VanRoekel. As I mentioned in my answer to Mr. Jordan, 
in one to two meetings, yes.
    Mrs. Lummis. And what were those meetings about?
    Mr. VanRoekel. Those particular meetings were dealing with, 
they were asking actually, my private sector advice on demand 
generation and marketing to young people, how to use social 
media to reach out to uninsured Americans.
    Mrs. Lummis. So who was briefing the White House about the 
status of the website? No one? Did no one brief the White House 
about the status of the website before October 1st? Mr. Chao?
    Mr. Chao. Not me personally, but our administrator, Marilyn 
Tavenner, certainly is representing the agency. So you might 
want to ask her.
    Mrs. Lummis. So we don't know whether the status of the 
Federal exchange and the data, how they were ever a focus of 
meetings between White House and HHS personnel before October 
1st?
    Mr. Chao. I think what I said earlier, that in the meetings 
I attended, I provided status briefings on the progress of 
certain IT builds like the data services Hub.
    Mrs. Lummis. And your reports on the status of the builds 
set off alarm bells with them?
    Mr. Chao. No, because the data services Hub was actually 
performing well and on time. And it received its authority to 
operate in August.
    Mrs. Lummis. Okay. So what happened between August and 
October 1st?
    Mr. Chao. I didn't attend any White House meetings.
    Mrs. Lummis. What happened with the performance of the Hub?
    Mr. Chao. The Hub is doing fine. It is doing what it is 
intended to do.
    Mrs. Lummis. Mr. Chairman, I yield back.
    Chairman Issa. I thank the gentlelady.
    I will be brief. Mr. Chao, the EIDM, or what I call the 
front door, is what didn't perform well, isn't that true?
    Mr. Chao. Correct.
    Chairman Issa. And since the system was designed so that 
you had to go through the front door to get anything else, it 
doesn't really matter if you had 60,000, 600,000 or 60 million 
capability, if the American people had to go through that front 
door and only six got to the end, we can presume that the 
number that existed just prior to launch of 1,100 in that so-
called minimized test, or as you said, it was only one-tenth 
the amount, really wasn't true. The truth is that when people 
got time outs as they tried to register, as they tried to go 
through the EIDM, the marketplace Hub, one that you forced them 
through by in September determining that they could not look at 
a splash page to get a price idea if nothing else was 
available.
    That front door being blocked is essentially the reason 
that the American people have wasted, for the most part, a 
month trying to get registered, isn't that true?
    Mr. Chao. No, it is not true.
    Chairman Issa. Yes, well, it is.
    Mr. Baitman, where were you, since you and Mr. VanRoekel 
are critically part of this process? Where were you, and Mr. 
Park was brought in afterwards, where were you in the months 
and years leading up to this? Why is it that you were not aware 
that on day one, this product was going to fail to launch in 
any legitimate, acceptable way?
    Mr. Baitman. As I indicated in my opening testimony, HHS is 
a federated agency.
    Chairman Issa. Okay, not your job, this is an orphan.
    Mr. VanRoekel, you came out of the private sector. Bill 
Gates and Steve Baumer and a lot of other people at Microsoft 
would have had somebody's neck hung, maybe not literally and 
maybe not fired them, but they would want to know, demand to 
know, Steve Jobs, when he was alive over at Apple or NEXT and 
the other programs, they would have said, who the blank is 
responsible for this failure? Can you tell me today whose job 
it was to make sure that we didn't have this dreadful failure 
to launch that didn't call the one person that should have 
known and didn't do their job? One person? Who was that person?
    Mr. VanRoekel. As I said earlier, I wasn't close to the 
actual development. I am not in a position to make that call.
    Chairman Issa. Okay, so I had you and Mr. Park, Mr. 
Baitman, Mr. Chao, we will leave the GAO out of it, because we 
are probably going to ask them and others to help us find out. 
But none of you today can tell us who failed to do their job. 
And as a result, the American people lost a month of any 
effective, real ability to sign up. This website was dead at 
launch for all practical purposes.
    And I am sorry, Mr. Chao, you can give me all the numbers 
you want, six on the first day, 240 on the second day, when 
millions of Americans were trying to make this work. We may 
disagree on ObamaCare, but we don't disagree that that was 
unacceptable. You heard it on both sides of the aisle.
    Mr. VanRoekel, I think you fail to understand, you and Mr. 
Baitman and all of you in the Administration who were allowed 
to go to those meetings, Mr. Powner would tell you that best 
practices should be a lot more like it is at Toyota Company or 
Honda. In the production line, one person who sees a bad car 
coming down is allowed to stop the production line. In this 
case, a really defective, something that would make the Edsel 
look like a success story, launched on October 1st and nobody 
said, here today or for that matter since I have been listening 
to the various hearings, nobody said, I should have pulled the 
stop button.
    Mr. Chao, you refused to answer give a grade. Mr. Baitman, 
you refused to answer give a grade. Mr. VanRoekel, you refused 
to answer to give it a grade. Well, I am going to give it a 
grade. This was an F. Or on a pass-fail, this was a fail. Every 
one of you should have been close enough to know there was 
something wrong, to ask somebody in one of those many meetings, 
are we sure this is going to work. And at least get an 
assurance from somebody that it would.
    Mr. Powner, I want to thank you for being here today. 
Although many people have talked about FITAR and what we need 
to do in legislation, you are the only person here that 
represents an organization that has said, there is a right way 
to do it, we have looked at agencies at the Federal Government 
who have done it right, and like you, we normally look at the 
agencies that fail. We look at the program out of Wright-Pat 
that failed and lost us a billion dollars. We are looking at 
failure that cost the American people millions of their hours, 
frustrated, trying to get online to check whether or not health 
care is going to be more affordable for them.
    So I look forward to all of you being part of the process 
of best practices in your job going forward. But I look also 
with all of you realizing without legislative change, we will 
be back here again, with everybody saying, I didn't fail to do 
my job, even when a product failed to launch.
    And with that, you are dismissed. We will set up the next 
panel for after the vote.
    [Recess.]
    Chairman Issa. Now for our second panel we have Richard 
Spires, Former Chief Information Officer at the Department of 
Homeland Security. And Ms. Karen Evans is the former 
Administrator of the Office of Electronic Government and 
Information Technology at the Office of Management and Budget.
    Pursuant to the rules, all witnesses will be sworn. Would 
you please rise, raise your right hand to take the oath.
    Do you solemnly swear or affirm that the testimony you are 
about to give will be the truth, the whole truth and nothing 
but the truth?
    [Witnesses respond in the affirmative.]
    Chairman Issa. Please be seated.
    Let the record reflect that both witnesses answered in the 
affirmative.
    In order to save time, we ask that the entire opening 
statements of both witnesses be placed into the record. Without 
objection, so moved.
    We now will allow you to abbreviate, since your entire 
opening statement is in the record. Try to stay within the five 
minutes.
    Ms. Evans?

                    STATEMENT OF KAREN EVANS

    Ms. Evans. Good morning, Chairman Issa, Ranking Member 
Cummings and members of the committee. I am pleased to be 
invited back to share my views of ObamaCare implementation, the 
rollout of Healthcare.gov.
    From an IT implementation standpoint, Healthcare.gov was a 
classic IT project failure that happens in the Federal 
Government too frequently. As the executive leadership at the 
Federal Departments and agencies, the President's political 
appointees are at the top of the management chain for Federal 
employees and contractors. In looking for the cause of this 
failure, some point to the lack of testing. Others, including 
the President, cite the challenges of the IT procurement 
process. And still others note the complexity of the program 
and the interfaces with private insurance company systems.
    However, the cause of this failure was not the complexity 
of the program nor the procurement process nor the testing. The 
functionality and the shortcomings of Healthcare.gov are a 
result of bad management decisions made by policy officials 
within the Administration. They did this to themselves. And if 
they are now surprised, it is because their own policy 
officials failed to inform them of the decisions they have made 
and the consequences associated with those decisions.
    As soon as this legislation was passed, there were policy 
decisions which needed to be made. These policy decisions would 
drive the technical design of healthcare.gov IT systems. They 
fundamentally determined the workflow and business processes 
driving how the law would be implemented.
    I have been on both sides of policy implementation, as a 
career civil servant and as a political appointee. The problems 
with Healthcare.gov are symptomatic of a recurring problem. 
Passing a law or issuing a policy is not enough. If there is a 
new law, management reform or policy initiative you want to 
accomplish, then you as a policy official need to be engaged 
during the implementation to assure there is an appropriate, 
integrated project team in place to manage the day to day 
operations.
    All levels of the organization need to be willing to get 
into the weeds to understand these intricate aspects of 
management and implementation. Because the devil is in the 
details. Someone can change a seemingly innocuous requirement 
in a meeting and cause a huge impact on schedule, cost or 
functionality. IT projects are particularly good at 
highlighting management failings, because they require 
coordination between the many different parts of an 
organization. If the agency's CIO is not actively at the 
management table, participating in those decision, and more 
importantly, explaining the ramifications of the policy 
decisions they are making, the projects get off track and 
ultimately fail.
    The chief information officer is the person in the C suite 
who has the capacity to translate technology issues into 
business-speak for other business leaders. When a technical 
implementation specification hinges on a policy decision, the 
technical team depends upon the CIO to elevate the question to 
the appropriate decision maker. Because the CIO can speak to 
senior executive in terms that are relevant to them and can 
state potential consequence in terms of political and policy 
values, the CIO is in a unique position to ensure that policy 
officials do not regard those decisions as staff level 
functions. And if these potential consequences are significant, 
then departmental and White House officials may need to be 
briefed by the CIOs.
    In the wake of the Healthcare.gov implementation failure, 
some analysts have asserted that the private sector could have 
done this better, thereby implying that there are some 
conditions inherent in Federal IT which impede success and 
impair Federal CIOs. It is certainly true that Federal CIOs are 
burdened by deliberative restraints placed upon them by 
Congress and OMB. But Federal CIOs also enjoy freedom from 
competition and the whims of the market.
    Overall, Federal CIOs and commercial CIOs are more similar 
than different. We all have the same job description: to be the 
technical, savvy member of the executive team, to provide value 
through innovation, to manage data as a strategic asset, and to 
lead a large team of technologists and inspire them to achieve 
greatness. Whether a CIO is at a large or small organization, 
bureau level or department, public sector or private, the scale 
may differ, but the management challenges are the same.
    I have included in my written statement some key questions 
which every CIO should be asking; but more importantly, the CIO 
should be able to answer these questions for their leadership 
in clear business terms. Thank you for the opportunity to 
testify today, and I look forward to answering any questions.
    [Prepared statement of Ms. Evans follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Chairman Issa. Thank you.
    Mr. Spires?

                 STATEMENT OF RICHARD A. SPIRES

    Mr. Spires. Chairman Issa, Ranking Member Cummings and 
members of the Committee, thank you for the opportunity to 
testify on issues with Healthcare.gov and more generally on IT 
management issues in the Federal Government.
    With more than 30 years of experience working on delivery 
of large IT programs, I speak from real world experience 
regarding what is required to successfully deliver such 
programs. I served in the past two Administrations and saw 
similar IT management issues in both. So my remarks focus on 
highlighting systemic weaknesses in our ability to effectively 
manage IT, along with some recommended solutions.
    My written testimony outlines five key elements required to 
effectively deliver an IT program. In regard to the rollout of 
Healthcare.gov, my information was obtained from previous 
Congressional hearings and media articles. It is clear that 
there were fundamental weaknesses in the program management 
processes. For a system as complex as Healthcare.gov, best 
practice would have led to a plan that included completion and 
testing of all subsystems six months prior to public launch, 
three months of end to end functional integration testing, and 
a subsequent three month pilot phase in which selected groups 
of users identified problems not caught in testing.
    It was reported that the program did not start and end 
functional testing until two weeks prior to launch and there 
was no formal pilot program prior to roll-out. This is evidence 
of a lack of mature program management processes. Second, there 
was a lack of program governance model that recognizes the 
proper roles and authorities of the important stakeholders, to 
include the business, IT, procurement, privacy, et cetera. For 
IT programs, the business organization or mission organization 
must be intimately involved in helping define requirements, 
making hard functionality trade-offs and being a champion for 
the program. The IT organization must ensure there is a capable 
program management office using management best practices to 
deliver large IT programs.
    Evidence of launch of Healthcare.gov shows the balance 
between the business and IT organizations was not correct. For 
example, changes were being finalized up to a few weeks before 
launch. This is much too late. Requirements should have been 
locked down months before. The business organization had the 
ability to make changes that led to bad management practice.
    The issues of the rollout of Healthcare.gov are emblematic 
of the IT management challenges in the Federal Government, yet 
improving our ability to effectively manage our IT is critical. 
Our government, if it more effectively manages IT, can harness 
its transformational capability, significantly improving 
government's effectiveness and efficiency. I recommend that 
three actions be taken to improve Federal Government IT.
    First, it is important that Congress pass legislation to 
update how this government manages IT. I appreciate the 
leadership of Chairman Issa and Representative Connolly in co-
sponsoring the FITAR legislation. While legislation alone will 
not fix all the issue with IT management, it will elevate the 
standing of agency CIOs and put in place mechanisms for 
development of centers of excellence to leverage best practices 
and program management and acquisition across the Federal 
Government. These changes could have helped to address the 
critical failings of the program management of Helathcare.gov.
    Second, agency CIOs need to have control over 
implementation, operations and the budget of all commodity in 
their agency, which includes the data centers, cloud services, 
servers, networks, standard collaboration tools like email as 
well as back office administrative systems.
    A couple of years ago, I was fortunate to be in a session 
that included a number of CIOs for Fortune 50 companies. In the 
course of discussion, it became clear that one of the clear 
elements in effectively leveraging IT for an enterprise is a 
modernization standardization and appropriate consolidation of 
the underlying IT infrastructure.
    I urge that Congress address this recommendation through 
the IT reform legislation and the Administration to address 
this recommendation through the portfolio stat process.
    Third, the current Administration should make IT management 
a centerpiece of its overall management reform agenda. This 
entails the recognition and focus at the most senior levels of 
government of the importance of IT and improving IT management. 
It includes a serious commitment to improving program 
management practices, elevating the status of agency CIOs and 
ensuring the agency CIOs own the commodity IT.
    I hope the troubled launch of Healthcare.gov can serve as a 
catalyst to drive positive change in the way we manage IT. The 
best practices exist and are proven. We need leadership in 
Congress to pass reform legislation and leadership in the 
Administration to recognize the importance of IT management.
    Thank you.
    [Prepared statement of Mr. Spires follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Chairman Issa. Thank you both.
    First of all, I would ask unanimous consent that the 
article entitled The Healthcare.gov Rollout: What Should We 
Learn?, which Mr. Spires authored on November 4th, 2013, be 
placed into the record. Without objection, so ordered.
    Chairman Issa. I am going to start with you, Mr. Spires. 
You heard the first panel. From your experience, and I will go 
to Ms. Evans also, did I have the right people for the most 
part here, leaving GAO out for a moment, to ask who is 
responsible, why was this thing launched practically non-
working, completely, only six successful registrations the 
first day? Did I have the right people?
    Or did I have the wrong people and that is why they all 
said it wasn't their job?
    Mr. Spires. You had the right technical people at the 
table. I believe in a balanced program where you have 
technology leaders as well as the business leaders working 
together.
    Chairman Issa. But somebody at that table should have been 
able to tell us basically who should have stopped this program 
or recognized that it was going to fail to launch?
    Mr. Spires. Somebody at that table I think should have been 
able to tell you that.
    Chairman Issa. Ms. Evans, in your time at OMB, I think more 
than anything else, is it your experience that the Office of 
Management and Budget ultimately, the OMB director, who gets to 
meet with the President, who gets to say that key pieces of 
legislation, key implementations are or are not going 
correctly? Has that been your experience?
    Ms. Evans. And I will speak from my experience, and that is 
true. And so we viewed, during my tenure, that OMB had 
oversight into the Executive Branch of ensuring that the 
President's priorities got implemented.
    Chairman Issa. I am going to ask you from one personal 
experience. Have you been in the Oval, other than ceremonially, 
have you been the Oval for a meeting?
    Ms. Evans. Not exactly in the Oval Office, but they have 
staff offices outside.
    Chairman Issa. But you were in that area?
    Ms. Evans. Yes.
    Chairman Issa. So you were there, I assume, with the 
Director or somebody on some important briefing that was going 
on?
    Ms. Evans. Yes.
    Chairman Issa. And that is a regular part of White House 
life?
    Ms. Evans. If you are working on priorities that are 
important to the Administration, yes. And one would assume that 
if you are a staff person in the White House, all of us are 
working on priorities that are important to the President. Not 
going to meetings at that level are not necessarily a daily 
occurrence of the job.
    Chairman Issa. I realize that is a rare one. But we can all 
agree, I believe, I think the ranking member would join with 
me, that the signature piece of legislation of the President is 
the Affordable Care Act. Can you figure out for me or help me 
understand how people could serve the President so poorly that 
it appears he was never told that this was going to be a 
disastrous launch?
    Ms. Evans. In my analysis from the public record, as well 
as watching the testimony that happened prior, I believe that 
if I were in that position that I would have elevated things 
through, because that is the President's key legislation, it is 
his number one priority. And so that is what the Chief 
Information Officer is supposed to do. They are supposed to 
analyze, as I said in my testimony, analyze what potential 
decisions are being made and what is that impact on the 
President's priorities to get done, from a political 
perspective, from a communications perspective, from an 
oversight perspective of what the impact would be and how you 
would have to do a Congressional notification if you were 
changing things.
    That is what a CIO is supposed to do. That would have been 
elevated up so that the OMB director would have known what the 
impact was happening, so that the director could then talk to 
the President about potential opportunities.
    Chairman Issa. Now, Mr. VanRoekel was your successor, is 
that correct?
    Ms. Evans. Yes.
    Chairman Issa. And yet he said that he was only the 
facilitator of these meetings. Did you do a lot of facilitation 
when you had his job?
    Ms. Evans. I would call it facilitation. I don't know that 
the agencies that I was supposed to provide leadership and 
oversight to would necessarily call it facilitation. I would 
like to think that that is the nice way that we did it.
    Chairman Issa. You invited people to bring in groups?
    Ms. Evans. Yes.
    Chairman Issa. You brought them to the White House or 
accompanying facilities?
    Ms. Evans. Yes.
    Chairman Issa. And at those meetings, you either were there 
personally or at least you introduced the meeting and monitored 
whether it was going the direction that you and your bosses 
wanted it to go?
    Ms. Evans. I can speak to my own management style, which is 
a very hands-on approach. Because I really personally view that 
if it is my boss's priority, number one priority to get 
something done, then it is my job to make sure that the 
leadership up the chain to him are fully informed of decisions 
that are being made.
    So I am a little hands-on as a manager. I came up through 
the ranks, through operations. So I have a tendency to do that.
    Chairman Issa. But you are not a micromanager?
    Ms. Evans. I would like to think I am not. But if it is 
something that is that important, I personally, especially for 
things that are important to the Administration at the time 
during my tenure, I would personally make sure that I knew the 
status of what was going on on those projects.
    Chairman Issa. Mr. Spires, I am not leaving you out 
completely. But I will ask both of you, in 184 weeks from the 
passage of the Affordable Care Act, until the failure to 
launch, can you conceive that any one, leaving GAO out, on that 
first panel, should not have seen that there were problems and 
had taken at least an active role in addressing those problems?
    Mr. Spires. Proper governance is critical on programs like 
this. Because there are a lot of stakeholders involved. And you 
need to have good information and you need to do it on a very 
regular basis to make sure that these programs are going well. 
Individuals at this panel, other than Mr. Powner, certainly I 
think should have been in that chain of receiving that 
information, reviewing that, being part of reviews as part of a 
good governance model. That clearly did not exist.
    Chairman Issa. And Ms. Evans, I will modify that as my 
close. Not only shouldn't they have, but can you give us a 
little bit of a feel for what life would have been like if 
President Bush, who you worked for, had gotten blindsided by a 
failure of one of his hallmark pieces of legislation, Medicare 
Part D, No Child Left Behind or something of a similar level?
    Ms. Evans. I was involved in Medicare Part D, just so that 
you know. And we could talk about that as well. If something 
like this happened during my tenure, I can only speak for what 
I would do. I would have offered my resignation before I got 
fired.
    Chairman Issa. With that, I recognize the ranking member. 
And you never got fired, I want to make that clear.
    Ms. Evans. No. I did not get fired. I did the job for six 
years. But in this particular case, if my President had to go 
on TV and say some of the things that this current President 
has had to do in an area of my responsibility, I would have 
offered my resignation.
    Chairman Issa. Thank you.
    Mr. Cummings. What was your responsibility with regard to 
Medicare Part D?
    Ms. Evans. When the rollout came out, there were some 
specific issues related to information technology. I would say 
it is the same type of thing that is happening right now. An 
analysis had to be done about, could you actually fix it 
through information technology, what were the issues. And it 
really was a timing issue with the legislation, which is the 
reason why I am making the point about when you pass a law, you 
have to know.
    So the way that that legislation was crafted, if a user 
signed up for the benefit at 11:59 p.m. on the 30th of the 
month or the 31st of the month, then they were eligible at 
12:01 a.m. the next month for that benefit. There is no IT 
system the way that these systems work that you could get all 
that information populated through the system so you had to 
really analyze what was the work process and how the IT worked.
    So what we did was we provided options to the policy 
councils to say, if there really are additional funds 
available, what happened was they had, similar to what the 
navigators are now, people to help sign up, and if you signed 
up people before the 15th of the month, then those people 
actually got paid within 30 days, the ones that were helping 
sign people up. If you signed up after the 15th of the month, 
then the people that were helping do this actually would get 
paid 45 to 60 days later.
    So the idea was, okay, if the technology solutions can 
only, there is a big badge process that happens the 15th of the 
month, you provide the incentives up front, get everybody into 
the system between the 1st and the 15th, get them signed up so 
that all their data shows up in the IT systems by the next 
month so that they are eligible.
    Mr. Cummings. But let me ask you this, were there IT 
problems back then?
    Ms. Evans. There are always IT problems. But what you have 
to do is analyze it from a business perspective and provide 
alternatives to the policy leadership so that they can make 
informed policy decisions of how they are going to handle it.
    Mr. Cummings. Yes, because I specifically remember working 
with my constituents because they were having all kinds of 
problems.
    Ms. Evans. Absolutely.
    Mr. Cummings. Let me ask you both this. If you have a 
situation here where for example, in the governors, more than 
half the governors decide not, for example, to do their own 
marketplace, would that have affected you in any way or should 
that have affected this project? I am just curious. From an IT 
standpoint.
    Mr. Spires. Well, sure it would, sir. From a volume 
standpoint, from the scope and scale of what you would need to 
create.
    Mr. Cummings. Would it make it a little harder?
    Mr. Spires. Yes.
    Mr. Cummings. A little more complicated?
    Mr. Spires. A little more complicated, yes, sir.
    Mr. Cummings. And so Mr. Spires, someone had suggested that 
one of the problems with the development of the Affordable Care 
website is that there was no single contractor overseeing the 
work of all the other contractors, that there was no lead 
system integrator. However, experience in the past 
Administrations with using contractors used to oversee other 
contractors has often resulted in failed programs and millions 
of wasted tax dollars, is that right?
    Mr. Spires. That is correct, and I have a close history 
with this at the IRS, if you would like me to comment on the 
topic.
    Mr. Cummings. Yes.
    Mr. Spires. When I came in in 2004 to run the business 
systems modernization program at the IRS, and it got moved to 
that outsourced kind of program management office where a 
contractor was serving as that systems integrator. And it was 
not working well. I am a huge believer that the government 
needs to stand up to build a strong program management office 
for these large scale, complex IT programs. You have to have 
solid, experienced government people in charge and running 
these programs.
    It doesn't mean you can't have contractor support. But I 
have found if you don't do that, the dynamics don't work. There 
are so many stakeholders involved that are government people 
you have to work with who are not part of the program, and in 
order to make that work effectively, you need to have strong 
government people on the ground that are running this program 
day in and day out.
    Mr. Cummings. So I didn't see it in IT but I saw it when I 
was chairman of the Coast Guard Subcommittee, with Deepwater, 
where we were literally buying boats that didn't float.
    Mr. Spires. Yes.
    Mr. Cummings. Literally. Some of them are sitting near my 
district right now.
    And the contractor, the lead systems integrator, didn't 
have that intertwined situation that you just talked about 
where the government people were doing their piece. And it just 
doesn't work.
    I see my time is expired. Thank you.
    Chairman Issa. I thank the gentleman.
    Mr. DeSantis?
    Mr. DeSantis. Thank you, Mr. Chairman. Thanks to the 
witnesses.
    Mr. Henry Chao, he told the committee when they interviewed 
him that he had not ever rolled out a program that had complete 
systems-wide end-to-end testing. I just wanted to get your take 
on that, to not have system-wide end-to-end testing. Is that a 
good practice?
    Mr. Spires. That is poor practice at best. I may make 
another comment about this, if I could. I was, as far as what I 
know, right around the timing, the testing clearly was not 
adequate to put this system into production. My experience has 
always been, and I have had to live this, where we have made 
these hard calls. It is better to delay, and it is better to 
delay for two reasons. One, you only get that one chance to 
make that first impression with a system. We clearly didn't do 
it well here, did well, with the rollout of Healthcare.gov.
    But two, and even more importantly than that, once you put 
the system in production, you have to operate it and maintain 
it, deal with all the customer issues and all that. That in and 
of itself is a very large amount of work that takes energy from 
the team, rather than the team really getting to the point of 
fixing the system to the point where it is running well, then 
putting it into production.
    And I know for whatever reason this October 1st date was 
viewed as immovable. But I think that was a very big mistake 
made on the rollout of Healthcare.gov.
    Mr. DeSantis. I appreciate that. I was looking through some 
of the materials. In late September there was a memo that said 
that the ongoing development had posed a level of uncertainty 
that can be deemed as a high risk security threat. So when you 
see that, it seems to me that would be a big red light that 
this is not ready to go forward. Would you concur with that?
    Ms. Evans. Based on my experience, yes, sir, I would. That 
would be a risk that you would have to evaluate the October 1st 
deadline against, what kind of operating risk is there and can 
you mitigate that risk. It would have to be fully explained to 
the leadership involved, in this case the CMS director and 
probably farther up, about what could happen if we went forward 
with the implementation and we haven't fully tested all of 
these things.
    Mr. DeSantis. It is frustrating, because so much of this 
law, and we see it in the implementation, was based on 
representations to the American people that have now turned out 
not to be true, for example, if you like your plan you can keep 
it, if you like your doctor you can keep it, it will reduce the 
budget deficit, it will cover everybody. The most recent 
estimate is 10 years from now, you are still going to have 31 
million people with no coverage. So this bill doesn't even do 
that.
    As I was looking through some of the testimony, some of 
these regs that the people needed in order to start 
implementing it were delayed on purpose, on political decision 
to get through the 2012 election. So these folks were in a 
situation where they had to kind of create this website, but 
they actually weren't giving as much time as they could have 
had the Administration been forthright about some of these 
things. But there was a desire to move this beyond the 2012 
election, so that the American people would not be able to 
fully evaluate the program.
    So what I have seen here today is that there was a decision 
by the Administration, a knowing decision, to launch a website 
that did not work and indeed, was not adequately tested for 
security. I think this is problematic just generally, no matter 
what you are doing from a government IT perspective. But this 
website is unique, because individual Americans, and we have 
millions of people now who are seeing their insurance plans 
canceled because of this law, it is not like that website is 
just out there for them. They are forced to get, under penalty 
of law, health coverage through that website if they are one of 
the unfortunate folks who are seeing their plans canceled.
    So we are in a situation where the government is going to 
tax them unless they procure insurance off this website that is 
not fully functioning and that has questions about its 
security. So it is very, very discouraging. I have a lot of 
constituents who are upset about this.
    So I just appreciate you guys coming. I think this is, in 
terms of a case study on how not to do something, I think 
people will look back on this. But I think one of the things 
was, there were political imperatives here and the politics 
trumped what would work and what would be best for the American 
people. I think that is unfortunate. I yield back the balance 
of my time.
    Chairman Issa. I thank the gentleman.
    I would like to ask just a couple more questions, seeing no 
one else here. Both of you served the previous Administration. 
Did they ever tell you what the cost of not launching one of 
your projects was? In the private sector, it is like, we are 
going to have X amount of revenue every month, and if we don't 
launch Windows XP, then we lose that much revenue? Did you ever 
have those discussions as part of your daily work?
    Mr. Spires. We would, sir. The IRS had discussions about 
it.
    Chairman Issa. For example, the new audit thing.
    Mr. Spires. Yes. There were business models that were built 
for systems that would show the kind of return. And of course, 
at the IRS, you could actually measure it many times in 
dollars. So yes, we did have those kinds of discussions.
    Chairman Issa. How about you, Ms. Evans?
    Ms. Evans. We would have those discussions across the board 
on each and every agency's performance. So when agencies turned 
in a business case to justify the investment, they also put in 
there the return or the cost benefit analysis. So if you delay 
the launch date, then it affects your ability to start getting 
some of the benefits. Because the benefits in the government, 
when you measure them, is a little bit different than the 
bottom line in private industry. So it is benefits to the 
taxpayer for the services that could be delayed with a delayed 
launch.
    Chairman Issa. In this case, that doesn't happen to be 
true. This is like a private business, and I will show you 
here. I wish Mr. VanRoekel was still here. The estimate from 
CBO at the time of, well, they keep changing it, but in 
February of this year, the estimate was that penalties from 
uninsured individuals were going to total $52 billion over a 
decade, half a billion dollars a year. Although that number 
keeps shrinking of what they think they are going to get, 
similarly the penalties from employers, $150 billion over 10 
years, more or less $100 million a month.
    So here is this website, and Mr. Cummings and I have heard 
the figure $600 million enough times that it echoes in our 
sleep. But the delay of ObamaCare from a standpoint of revenue, 
when the President had to delay the employer mandate, he was 
losing $100 million a month of revenue. If he had had to delay 
the no I am sorry, I got my figure wrong. I will have to be 
careful on that part. Forty-five billion over 10 years is $4.5 
billion a year. So it is about $250 million, well, the back in 
February it was $300 million a month would have been lost if he 
delayed the penalties on the uninsured individuals. But he had 
already delayed something that was three times larger.
    So the reason I am asking this s, Ms. Evans, if you were 
back at OMB and somebody had told you in timely fashion, we are 
in trouble on this website, and we need to delay this thing 
because our projections two months or three months out, it is 
not going to be ready, and you were looking at having to go to 
the President and say, we would like you to delay something 
that will delay revenue by $300 million a month, wouldn't you 
have had a normal business decision of, well, can't we spent 
$300 million more if that is what it takes to get this thing 
done on time?
    In a sense, again, I go back to what I said before Mr. 
Cummings was there, the President was so poorly served in that 
I assume, and Mr. Spires, your experience particularly would be 
helpful here, I assume that if six months earlier you said, in 
order to not lose $300 million a month of revenue, calculated 
revenue, we need to put more money into this, we wouldn't be 
talking half a billion or a billion or $2 billion. We would be 
talking incrementally a relatively small amount of money to do 
a project necessary to get this thing locked in and tested in a 
timely fashion, wouldn't we?
    Mr. Spires. If I could comment. I would even say this, I am 
not sure this was about money. I am not sure we would have had 
to add more people to this.
    Chairman Issa. I don't think we would have. I just wanted 
to make the point that there was plenty of money at stake.
    Mr. Spires. Well, there might have been. But I go back to 
the point of the program management disciplines. Now, to that 
end, once you get close, once you are six months in, it is 
very, very hard to then change. You are not going to pick up a 
lot of time.
    But if this had been done correctly on the program 
management side, I suspect that the money was there. I don't 
think that was a constraint on this particular program.
    Chairman Issa. Ms. Evans?
    Ms. Evans. Given the scenario that you just outlined, the 
way that this would be presented during my tenure, the way we 
would present it is, these are tradeoffs, policy decisions that 
need to have tradeoffs. So you would analyze, this is the 
income that was going to come in, this is the method that we 
thought we were going to be able to do. But given where it is, 
here are the alternatives, and then here are the tradeoffs, so 
that you can either realize a portion of that or we can then 
recover it and then some if we go with this.
    So alternatives would have vetted through the policy 
process so that people could have looked at that and then said, 
okay, well, we can't put so many people on it, there is a point 
of diminishing return. There is only so many dollars and so 
many people that you can throw at an IT project in order to fix 
it.
    So then you would have alternatives in order to realize 
that income, so that you could move forward to reduce the 
deficit. That is part of the analysis that the Office of 
Management and Budget would lend to the policy process so that 
the decisions could be made by the appropriate policy 
officials.
    Chairman Issa. Let me just close with a question. If we 
went back three and a half years and upon the passage the 
regulations necessary to determine some of the specifics this 
offer would have to deal with had been done in a timely 
fashion, six months or so, then presented to industry and 
stakeholders and going through a process of, if you will, 
analyzing it from a standpoint of needs of those who would use 
it, then taking the outcome of that, producing a standard, a 
year, year and a half into this process, delivering that to the 
contractor and then monitoring the process of a fixed and final 
set of regulations relative to this new website and its work, 
is there any doubt in your mind that three and a half years was 
in any way, shape or form not enough time to start with the 
passage of the Affordable Care Act three and a half years ago 
and reach a well-tested, well-engineered, from a security, 
speed, scalability on the launch date of October 1st?
    In other words, was there anything inherently wrong with 
picking October 1st that good practices over three and a half 
year wouldn't have taken care of?
    Mr. Spires. I think with where they are at, it is a little 
hard to know how long it will take for this to really 
stabilize. But it will stabilize. So if you look at it from 
that perspective, sir, I am pretty sure that if this had been 
well-managed, and to your point, include the regulation process 
of that, that this site could have been delivered and 
appropriate on October 1st and could have been well running on 
that date.
    Ms. Evans. I would look at it, and I always look at things 
from my tenure at OMB.
    Chairman Issa. It was a long tenure.
    Ms. Evans. It was a long tenure. And also from an 
operational perspective coming up. But I would have looked at 
the law to understand what were we really required to do by 
what time period. And really scoped the project to a point 
where it was very clear and understood what was going to be 
delivered.
    I think one of the major issues that you have here with the 
requirements that happen on every IT project is that they are 
scope creeped. So as people start working through it, they add 
on another requirement and they add on another requirement. So 
the parameters have to be drawn on something that is this 
complex, so that everyone would have a clear understanding of 
what is really going to launch on October 1st, if that is the 
President's due date. And then stick to that and everything 
else becomes an add-on and a module. That is best business 
practice. And if it is critical, that you have to have it, then 
it has to be voted on through the good governance process 
through a business process.
    That is the part that is still a little unclear in this 
overall process of what really was the scope, and what was 
expected to be delivered on October 1st.
    Chairman Issa. Thank you. That is what we are going to 
continue working on, regardless of the actual Affordable Care 
Act, the question of what went wrong and how do we prevent it 
in the future.
    Mr. Cummings?
    Mr. Cummings. Thank you very much.
    Ms. Evans, I was listening to you very carefully. You said 
that if you were in this situation where your boss had to go 
before the American people and do what President Obama did, and 
I am not trying to put words in your mouth, you said you 
probably would resign. Is that right?
    Ms. Evans. Yes.
    Mr. Cummings. There are two parts to this. One part is what 
happened in the past. The other part is where we go in the 
future. I think it is very important that we learn from the 
past. I believe that it can tell us a lot about mistakes we 
made, so that we don't fall into those ditches again.
    This is where I want to go. I say to my staff, there are 
two things that I am most concerned about, effectiveness and 
efficiency. I tell them we have a limited amount of time on 
this earth, we have a limited amount of time to be in the 
positions that we are in, that it is our watch and we must do 
what we have to do for the American people in an effective and 
efficient way.
    I guess my question is, suppose you are President Bush, say 
if he was in these circumstances. And he said, Evans, don't 
quit. Fix it. What would you do? And do you believe it could be 
fixed in a reasonable amount of time? If at all? So you didn't 
quit.
    Ms. Evans. I didn't quit.
    Mr. Cummings. We wouldn't let you quit.
    Ms. Evans. You wouldn't let me quit because I had to fix my 
mistake. So at this point I would be down in the daily 
operations, I would have done an assessment to see what exactly 
could be fixed and then again, back to the scoping issue of 
what the President actually said would be available and what is 
now required. Now, you have additional circumstances on here 
with the insurance companies canceling policies, and you have 
this gap now here people actually have to be able to sign up 
for services. So that would be analyzed, and I would say, okay, 
here is where we are with the IT project, we need to put other 
kinds of compensating controls in place in order to be able to 
deal with the American public's need to be able to sign up for 
insurance.
    And that would be then elevated through the policy chain. 
So things like going directly to insurance providers, putting 
up, as Chairman Issa said, the whole list of what plans are 
available so that people could at least see the information and 
not necessarily sign up, all those alternatives would be laid 
out. And they would be viewed from a communications 
perspective, from a policy perspective and from a political 
perspective to ensure that you could put the best service 
forward to meet that immediate need of that gap between the 
December 15th and the January 1st deadline. Because that is the 
big critical piece that you are trying to get to right now.
    And how do you fix that and how do you meet that need for 
the American people.
    Mr. Cummings. Mr. Spires, did you have a response to my 
same question?
    Mr. Spires. Well, let me add on.
    Mr. Cummings. Yes, do you have something to add onto what 
she said?
    Mr. Spires. Let me just add that I applaud, and I want to 
thank the team that is working on this. We talked about Mr. 
Park and what he is doing, but my goodness, the whole team has 
to be working around the clock.
    Mr. Cummings. Are you familiar with the team, other than 
Mr. Park?
    Mr. Spires. No.
    Mr. Cummings. Are you familiar with Mr. Park?
    Mr. Spires. Yes.
    Mr. Cummings. And what is your opinion of him and his 
competence?
    Mr. Spires. He is a very talented technologist, extremely 
talented.
    Mr. Cummings. They tell me he is one of the best in the 
world.
    Mr. Spires. I think that is probably a fair assessment, 
sir.
    Mr. Cummings. All right.
    Mr. Spires. Let me add a couple things, though, about the 
end of November. I would like it to work, too. This is all, for 
me, about helping government make IT more effective. But this 
end of November, there are two concerns I have. One is, it is 
just very difficult when you are in this, when you do 
integration testing, and that is essentially what we are still 
doing, even though the system is alive, for a while you tend to 
find defects actually increase as you do more testing. And even 
as you work things off and fix things, you even get more. So I 
am worried about that.
    The other thing I am worried about, frankly, is when you do 
this integration testing, a lot of times you will uncover some 
significant architectural issues. You may not, but sometimes 
you do when you integrate these subsystems. You know where 
those architectural issues show themselves are in performance 
issues.
    So I am concerned that we are seeing, when they open it up 
and it doesn't perform well from a scalability standpoint, and 
handling the volume, that is an indication of some potentially 
underlying technical issues from an architecture perspective. 
Those things may take longer to fix.
    This is just my experience in working these kinds of 
problems in the past. So when they say they are going to have 
it fixed by November, for the vast majority of users, I hope 
that is the case. I just have concerns that that may not turn 
out to be the case.
    Mr. Cummings. I think that Mr. Park answered that question 
several times.
    Mr. Spires. Yes.
    Mr. Cummings. And he talked about, and I think it is 
probably because of the things that you just talked about, he 
said that, I can almost repeat it, he said it so many times, 
that they have a goal and they are going to try to attain that 
goal.
    Mr. Spires. Yes, absolutely.
    Mr. Cummings. But you said something a few minute ago, you 
said that, and I am going to put words in your mouth, you said 
something to the effect that eventually they will get it 
together.
    Mr. Spires. Yes, they will.
    Mr. Cummings. And my last comment is this. I guess as the 
son of two former sharecroppers sitting in the Congress after 
one generation, and a father who only had a second grade 
education, my father believed in a can-do attitude. Can-do. 
That is what this Country is all about.
    I guess when I hear all the naysayers, I am so glad to hear 
you say that you believe that it will be worked out. You don't 
know when, I understand that. But some kind of way, we have to 
move to that can-do. This is the United States of America. I 
think it would be an embarrassment if we can't get this done. 
Would you agree, as IT people?
    Ms. Evans. Absolutely. We are the Nation that innovates and 
creates technology. So it will get fixed. This is really a 
communications issue and an expectation of what are the 
services that are actually going to be there. We have the 
technology to fix it, and you have some of the smartest people, 
I am sure, working on it right now. Technology is not a 
partisan issue. What really needs to be debated overall is some 
of the other issues that you brought out in what you are 
talking about, is the policy issues. That is where the 
President should be debating with you, Congress, on policy 
issues. Technology should be implemented to support that.
    Mr. Spires. I think it is also important to say that the 
way we manage our IT programs in government needs to improve. 
That is a non-partisan view. I saw it in the last 
Administration and I see it in this Administration.
    Ms. Evans. I agree.
    Mr. Spires. We need to fix that.
    Mr. Cummings. Thank you both. Your testimony has been 
extremely helpful. Thank you.
    Mr. Meadows. [Presiding] I thank the ranking member for his 
comments. I thank each of you for coming today to testify.
    I do want to follow up a little bit with this additional 
testing. As we start to go in, and having been someone who was 
in the private sector, who has worked a number of times with 
systems, just when you think you have the problem fixed, you 
find ten more.
    So with best practices, do you not think it is best 
practice to take down the site while we work through these 
technical glitches and, more importantly, through some of the 
security concerns which are a bigger problem for me than 
whether we can get on and log on, it is once you have done 
that, would that not be the best practice, to take it down?
    Mr. Spires. Yes. Let me caveat it by saying, this is a non-
political statement I am making. Just from a best practices 
perspective, if I was running that program and no other 
considerations, I would immediately take the site down. I would 
have the team focus on working through the issues. I would do 
real stress testing on the system and then I would bring the 
site back up when it was ready. That is what I would do from a 
best practice perspective.
    Mr. Meadows. Without all the politics of it.
    Mr. Spires. Without any of that.
    Mr. Meadows. But from a best practices standpoint?
    Mr. Spires. Yes, because it could get the team focused on 
fixing the system and not operating the system right now.
    Mr. Meadows. Ms. Evans, I want to go to some of your 
testimony. Let me quote here, because I want to understand what 
you said. You said, ``The functionality and shortcomings of 
Healthcare.gov are a result of bad management decisions made by 
policy officials within the Administration.'' They did this 
``to themselves. And if they are now surprised, is it because 
their own policy officials failed to inform them of the 
decisions and the consequences associated with those 
decisions.'' We asked that in the earlier panel. And we really 
didn't get a response. But in light of your testimony, what did 
you mean by that?
    Ms. Evans. For example, a decision that was made to remove 
the browsing function. When you make that decision, and what 
came out in the previous panel was that was actually made by 
the project manager, based on a technical result of testing.
    So by that type of decision and rolling that up, there is 
policy implications associated with that. So the policy 
officials said, okay, it is okay. So if you take a sequence of 
events that are programmed into a system that are supposed to 
go one, two, three, four, five, and you take out number two, 
and now you expect one, three, four and five to work really 
well and two is not there anymore? That was a policy decision 
to go forward with a site, with a major piece of functionality 
pulled out and not tested. That is why I made the statement 
about, and now you are surprised that it is not working.
    Mr. Meadows. So they shouldn't be surprised?
    Ms. Evans. They should not be surprised. If the sequence is 
one, two, three, four, five, and you take two out, and you 
haven't tested the impact of when two is out, you should not be 
surprised it doesn't work.
    Mr. Meadows. So let me ask you this, then. Who should have 
informed the White House or what policy official should have 
done that in this overall Healthcare.gov? Who is the go-to 
person? That is what we have been trying to figure out. Who is 
the go-to person that said, golly, we pulled it out, but it is 
not working.
    Ms. Evans. In the rest of my testimony, and this is not a 
partisan statement either, this is my belief of what the role 
of a chief information officer is supposed to do. In my view, 
what would happen is that would have come up from CMS. So it 
was made as a technical decision. And the chief information 
officer at a department level is supposed to analyze what that 
impact is on the portfolio overall, on behalf of the Secretary. 
What is that going to mean from both a policy, political, 
communications, technology, all of that. And then elevate that 
issue.
    So I really believe that the chief information officer is 
the one who is supposed to be the nexus, the tech-savvy person 
on that staff, to analyze those implications as it relates to 
business and policy.
    Mr. Meadows. I know we have a lot of CIOs. Who specifically 
would that have been? What is the name?
    Ms. Evans. Well, in this particular case, if everything 
worked the way it is supposed to, it would have been the chief 
information officer at HHS.
    Mr. Meadows. Which is who?
    Mr. Spires. Mr. Baitman.
    Ms. Evans. Mr. Baitman. Which is in his portfolio.
    Mr. Spires. Can I add, though, because I think that is 
absolutely right, what you said. But what I like to do in 
programs is pull those people together on a regular basis in 
some kind of governance forum so that you can have those 
dialogues, so the CIO can represent the technology issues and 
implications to policy changes. But it shouldn't just be the 
CIO's decision.
    Ms. Evans. No, and I am not saying it should be the CIO's 
decision.
    Mr. Spires. It should be a shared decision.
    Mr. Meadows. A shared decision, but he should be the one 
informing?
    Mr. Spires. That is correct.
    Ms. Evans. That is right.
    Mr. Meadows. So I will finish with this last question. I 
have Google in my district. I love Google. We have, in 
California, which I don't represent, we have unbelievable 
expertise. Because we are the greatest Nation, as the ranking 
member talked about, would we not be reaching out to those 
experts right now and saying, please come help us get it all 
done? Would that not be the appropriate thing to do?
    Mr. Spires. I thought they had brought in a few of the 
technical experts as well.
    Mr. Meadows. But really, if we are trying to get this done 
by November 30th, which I think a lot of us question whether it 
will really happen, and that should not necessarily be an 
indictment, would we not reach out to more experts in the 
private sector?
    Mr. Spires. I think at this point that would not work for 
November 30th. The learning curve is so great, you would spend 
more time trying to get these experts up to speed on the 
specifics of the details of Healthcare.gov than you would get 
any benefit out of that at this point. That doesn't mean going 
forward you might not want to engage others as well.
    Ms. Evans. The one thing I would want to add, I think both 
Richard and I have been in situations with challenged rollouts 
in our career, where we have had challenged rollouts. To your 
point, the best value that Silicon Valley could do at this 
point is validate the solutions you are going to put in place.
    So what I have done in the past on projects where I have 
had, and I have had failures in my career, as my technical team 
is telling me that this is what we are going to do or these are 
the changes that we are going to make, we would validate those 
against and talk to Silicon Valley saying, from a technical 
perspective, so they are only analyzing the technical issues at 
that point, saying, if we roll this out and this is the current 
problem, and we make these configuration changes, is that going 
to solve the problem. That is probably the best application of 
those resources at that point, and as well with Healthcare.gov.
    Mr. Meadows. I thank the chairman.
    Chairman Issa. [Presiding.] I thank you, and if this were 
health care and not IT, we would probably say, get a second 
medical opinion in this case.
    Mr. Cummings?
    Mr. Cummings. Again, I want to thank you all. I think when 
we talk about best practices, you look at, I wish maybe in this 
instance that some of these best practices that we are talking 
about had been done. And I noticed that you all talked about 
IT, technical, and then you also talked a little bit about 
political. There is so much that goes into these decisions. But 
for me, I want to see this work, and I am sure you do too.
    I do not, I just don't believe in failure. We are better 
than that. I hope that the folks who were part of the process 
will hear the things that you are talking about. Because I 
think our strength is in the expertise we all bring. All of us 
have our own experiences. And having served in the positions 
that you served, and served, you bring a lot to the table. 
Hopefully, folks will have their ears open and their minds open 
to make sure that this doesn't happen this way again. I know we 
can do better.
    And I guess the bottom line is that there are so many 
people that are depending on us. There are a lot of people.
    Mr. Spires. I am not calling this a failure, sir. It is 
troubled. But this is not a failure. We need to get it fixed, 
you are right.
    If I could just also say, because I think it is important 
enough to say, I made this comment, but I think it is 
important, we need the CIOs to be strengthened in this 
government from the standpoint of their empowerment.
    Mr. Cummings. So you are familiar with Mr. Issa's bill?
    Mr. Spires. Absolutely, and I very much support that.
    Mr. Cummings. Do you think that legislation gets to the 
issue you are trying to get to?
    Mr. Spires. Yes. When you have the lineup of CIOs on your 
first panel and none of them were really engaged, that is just 
not correct. And it leads to failure of IT programs.
    Ms. Evans. My view is that the legislation should pass. I 
have had a lot of discussions with Chairman Issa's staff about 
this, and the role of the CIO. I obviously feel very passionate 
about it. I believe if that law is passed, it will remove all 
excuses for non-performance of CIOs and you would have a very 
different oversight meeting. Because everything that the CIOs 
have said in the past that they cannot do, that legislation 
would fix. Therefore, they would be held accountable for their 
job.
    Mr. Cummings. By the way, that is something we did on a 
bipartisan basis.
    Ms. Evans. That is right.
    Mr. Cummings. Thank you very much. I really appreciate both 
of you.
    Chairman Issa. Thank you.
    I have just one closing question. I know that you are not 
software writers per se. But I talked to Mr. Farenthold, who 
actually put up websites. And I just ask a question. You saw on 
the last panel where I essentially admonished all of them to 
look at the FEHBP or what was just for 230 plans, what was just 
a few pages that would tell you how much each plan was and how 
much the government would pay and how much each person would 
pay.
    Now, one of the reasons that that was only a few pages is 
that that spreadsheet was for a program that did not age 
discriminate. The Affordable Care Act discriminates based on 
three things: the plan itself, if it is regional, has a region 
in which it operates. If it is national, it has a single price, 
like FEHBP.
    It rate discriminates based on age and whether you smoke or 
not. I have gone back and forth, those are the only variables. 
So for a given location, which is where you choose your plan, 
let's just say the Alabama something or other, you only have to 
know your age and whether you smoke or not. And I do a little 
quick math, and again, unlike the gentleman from Harvard, Mr. 
Park or Mr. Massey from MIT, I went to Kent State and a little 
Catholic school up in Michigan. So I did arithmetic, not 
calculus.
    But between 65 and 27, when you leave your parents' plan, 
and the time you are eligible for Medicare, there are 38 years. 
So as far as I can tell, there are 38 different ages you could 
be based on the costs of a given plan. And then the question of 
do you smoke or not.
    So I saw essentially a spreadsheet or a data base to 
retrieve from of 76 possible answers if you want to go to a 
plan and ask how much it costs.
    Now, for both of you, if I wanted a website that had an 
engine in the back end that looked at, for a given plan, and 
asked the question of, how old are you and do you smoke or not, 
and then I went out and got the number from that cell, how hard 
do you think that would be? Because you understand on September 
12th, or September 3rd, they made a decision to not launch that 
part. September 12th, they reiterated. They scrubbed moving the 
software, they moved their people to other problems.
    I just want to understand, how many people and how long do 
you think it would take for 76 different numbers that you put 
in on a little program, here is my age and I smoke or I don't 
smoke, and I want to know how much this plan is? And I am being 
a little facetious, and Mr. Spires, you are both smiling well. 
But that really is the website that we are asking for a splash-
type open shopping.
    Mr. Spires. Obviously, with the requirements you stated, 
that is a pretty simple website. I suspect that what Mr. Chao 
was referring to had a lot more functionality and capabilities, 
and you can call it bells and whistles, and that may be 
inappropriate, than that.
    Chairman Issa. But didn't the American people deserve to be 
able to surf prices as simple as a data base? It is almost the 
back end of a pocket calculator to come up with that.
    Ms. Evans. Absolutely. But again, when you get into some of 
the big projects, and that is what I mean about scope creep, 
and really understanding what did have to launch on October 
1st, based on that policy decision. So if it is as simple as 
what you described, the government already has a website set up 
called Benefits.gov that those simple questions, and this might 
be an alternative that they could use right now while they are 
working on the longer plan, those simple questions could be put 
in there. You can fill out this information now, this was 
started as one of the 24 initiatives. And you would not only 
find out what you are eligible for under Healthcare.gov, but 
you could also find out what other Federal benefits you are 
eligible for based on the way that you would answer these 
questions that only live in the session.
    So that whole site was set up for Federal benefits, so that 
you could see everything that you are eligible for as a 
citizen. So that simple requirement could have launched and can 
still launch in Benefits.gov.
    Chairman Issa. I am of an age that I knew the names of all 
the Mercury astronauts. I didn't know much about government 
contracting as a young man, but I have been told that the space 
pen was designed to be able to write in zero gravity, so they 
could make their notes in this inverted zero gravity. But the 
Russians used a pencil.
    [Laughter.]
    Chairman Issa. The pencil cost what it took to sharpen it, 
while the space pen cost millions of dollars to design and 
produce.
    Now, that may be a euphemism for a lot of what we deal 
with. But today we heard somebody tell us that they decided to 
scrub because there were security concerns over what ultimately 
was a glorified splash page. If you were back, both of you were 
back in your positions and you wanted to please your boss by 
giving him as much deliverable as you could, and 30 days out 
you discovered that something had to give, would you have 
grabbed a pencil out of the drawer instead of telling people 
they would have to wait months or years to get the space pen?
    Mr. Spires. I certainly would have tried that, sir. I would 
have even said, seems to me, and I will echo what Ms. Evans 
said, that there should have been a lot of work up front to 
simplify as much as possible what needed to be launched on 
October 1st.
    Chairman Issa. I want to thank you. Mr. Lacy Clay alluded 
to the Harris project that was done during a previous 
Administration where the Census Bureau, not really the 
Administration, had 10 years to launch something and they kept 
changing it, so that the corporation could legitimately say 
that it wasn't ready, but they could show all these change 
orders in what was basically a handheld scanner, not a terribly 
high-faluting piece of technology. So I do understand the 
mission creep.
    We were just told that apparently in the month of October, 
we signed up approximately 27,000 people into ObamaCare. With 
that, would either one of you like to venture whether or not 
the estimate we were given that they are now signing up roughly 
27,000, on the Federal exchange, but we were told they are 
signing up about 27,000 an hour. So apparently they are signing 
up about the same amount per hour that they signed up in the 
first month.
    Would any of you venture a guess to what that number will 
be? Will it be at least ten times 27,000 an hour or 270,000 a 
day at the end of the month? Or are you going to bet on the low 
side?
    Ms. Evans. I am not a betting person. So I will put that on 
the record. There is not enough information for me to bet.
    Chairman Issa. But with 17,000 an hour being told to us 
under oath here today, does anyone want to look at 170,000 or 
200,000 or 300,000 a day and bet higher or lower here?
    Ms. Evans. Lower. It is going to be lower, because he said 
17,000 registrations. So that is not 17,000 completions. This 
is again, you are talking about how they are measuring certain 
things and how you want the outcomes. So you are looking at the 
outcomes and they are measuring things at the beginning of the 
process. So if you are talking about all the way through the 
process, it is going to be on the lower side.
    Chairman Issa. I suspect you are exactly right. When I was 
in private life, they always wanted to sell me impressions, how 
many impressions a piece of advertising got. And I always 
wanted to buy how many sales. So I suspect that we have 17,000 
impressions an hour, while in fact the amount of sales could be 
not much more than that less than 30,000. So I am betting that 
when we get our answer at the end of November, that it is 
100,000 or less in the Federal exchange. I certainly hope for 
more, because we need it to be, I think, 43,000 a day if we are 
going to cover everyone.
    Would either of you like to make any closing statements?
    Ms. Evans. I just want to say I appreciate your inviting me 
back, the committee inviting me back to share my viewpoints. I 
would echo some of the comments that Richard has made today, 
that it is important to get that legislation through to enhance 
the roles of the CIO, so that we can ensure that other things 
like IT procurement and those things happen, so that we can 
avoid this for this type project, for all of the whole, entire 
portfolio.
    Mr. Spires. I am not sure I could say it any better than 
you just said it, Karen. So I have no other remarks. Thank you.
    Chairman Issa. Thank you both. We always say, I will 
associate myself with the gentlelady. So I thank you both again 
for your public service in the past and your continued service 
today. We stand adjourned.
    [Whereupon, at 3:40 p.m., the committee was adjourned.]
















                                APPENDIX

                              ----------                              


               Material Submitted for the Hearing Record


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


                                 
