<html>
<title>HHS' OWN SECURITY CONCERNS ABOUT HEALTHCARE.GOV</title>
<body><pre>[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]


            HHS' OWN SECURITY CONCERNS ABOUT HEALTHCARE.GOV

=======================================================================

                                HEARING

                               before the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             SECOND SESSION

                               __________

                            JANUARY 16, 2014

                               __________

                           Serial No. 113-94

                               __________

Printed for the use of the Committee on Oversight and Government Reform

         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform

                                   ------
                         U.S. GOVERNMENT PRINTING OFFICE

87-352 PDF                       WASHINGTON : 2013
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Printing
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
                          Washington, DC 20402-0001



              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                 DARRELL E. ISSA, California, Chairman
JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland,
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JOHN J. DUNCAN, JR., Tennessee       CAROLYN B. MALONEY, New York
PATRICK T. McHENRY, North Carolina   ELEANOR HOLMES NORTON, District of
JIM JORDAN, Ohio                         Columbia
JASON CHAFFETZ, Utah                 JOHN F. TIERNEY, Massachusetts
TIM WALBERG, Michigan                WM. LACY CLAY, Missouri
JAMES LANKFORD, Oklahoma             STEPHEN F. LYNCH, Massachusetts
JUSTIN AMASH, Michigan               JIM COOPER, Tennessee
PAUL A. GOSAR, Arizona               GERALD E. CONNOLLY, Virginia
PATRICK MEEHAN, Pennsylvania         JACKIE SPEIER, California
SCOTT DesJARLAIS, Tennessee          MATTHEW A. CARTWRIGHT,
TREY GOWDY, South Carolina               Pennsylvania
BLAKE FARENTHOLD, Texas              TAMMY DUCKWORTH, Illinois
DOC HASTINGS, Washington             ROBIN L. KELLY, Illinois
CYNTHIA M. LUMMIS, Wyoming           DANNY K. DAVIS, Illinois
ROB WOODALL, Georgia                 PETER WELCH, Vermont
THOMAS MASSIE, Kentucky              TONY CARDENAS, California
DOUG COLLINS, Georgia                STEVEN A. HORSFORD, Nevada
MARK MEADOWS, North Carolina         MICHELLE LUJAN GRISHAM, New Mexico
KERRY L. BENTIVOLIO, Michigan        Vacancy
RON DeSANTIS, Florida

                   Lawrence J. Brady, Staff Director
                John D. Cuaderes, Deputy Staff Director
                    Stephen Castor, General Counsel
                       Linda A. Good, Chief Clerk
                 David Rapallo, Minority Staff Director



                            C O N T E N T S

                              ----------
Hearing held on January 16, 2014

                               WITNESSES

Mr. Kevin Charest, Ph.D., Chief Information Security Officer,
  Department of Health and Human Services
    Oral Statement
    Written Statement
Ms. Teresa Fryer, Chief Information Security Officer
    Oral Statement
Mr. Frank Baitman, Chief Information Officer, U.S. Department of
  Health and Human Services
    Oral Statement

                                APPENDIX

Letters dated Dec. 15, 2013 from the White House, and Dec. 17
  from this committee, an email exchange on Jan. 15, and a Jan.
  15th letter to Sec. Sebelius


            HHS' OWN SECURITY CONCERNS ABOUT HEALTHCARE.GOV

                              ----------


                      Thursday, January 16, 2014,

                  House of Representatives,
      Committee on Oversight and Government Reform,
                                           Washington, D.C.
    The committee met, pursuant to call, at 9:36 a.m., in Room
2154, Rayburn House Office Building, Hon. Darrell E. Issa
[chairman of the committee] presiding.
    Present: Representatives Issa, Mica, Turner, Duncan,
Jordan, Chaffetz, Walberg, Lankford, Amash, Gosar, Meehan,
DesJarlais, Gowdy, Farenthold, Woodall, Massie, Meadows,
Bentivolio, DeSantis, Cummings, Maloney, Tierney, Lynch,
Connolly, Speier, Cartwright, Duckworth, Horsford, Lujan
Grisham, and Kelly.
    Staff Present: Ali Ahmad, Majority Senior Communications
Advisor; Richard A. Beutel, Majority Senior Counsel; Brian
Blase, Majority Professional Staff Member; Will L. Boyington,
Majority Press Assistant; Joseph A. Brazauskas, Majority
Counsel; Caitlin Carroll, Majority Deputy Press Secretary;
Sharon Casey, Majority Senior Assistant Clerk; John Cuaderes,
Majority Deputy Staff Director; Adam P. Fromm, Majority
Director of Member Services and Committee Operations; Linda
Good, Majority Chief Clerk; Meinan Goto, Majority Professional
Staff Member; Ryan M. Hambleton, Majority Professional Staff
Member; Frederick Hill, Majority Deputy Staff Director for
Communications and Strategy; Michael R. Kiko, Majority
Legislative Assistant; Matthew Tallmer, Majority Investigator;
Sharon Vance, Majority Assistant Clerk; Rebecca Watkins,
Majority Director of Communications; Tamara Alexander, Minority
Counsel; Aryele Bradford, Minority Press Secretary; Susanne
Sachsman Grooms, Minority Deputy Staff Director/Chief Counsel;
Jennifer Hoffman, Minority Communications Director; Chris
Knauer, Minority Senior Investigator; Elisa LaNier, Minority
Director of Operations; Una Lee, Minority Counsel; Juan
McCullum, Minority Clerk; Dave Rapallo, Minority Staff
Director; Valerie Shen, Minority Counsel; Mark Stephenson,
Minority Director of Legislation; and Cecelia Thomas, Minority
Counsel.
    Chairman Issa. The committee will come to order.
    The Oversight Committee exists to secure two fundamental
principles: first, Americans have the right to know that the money
Washington takes from them is well spent and, second, Americans
deserve an efficient, effective Government that works for them.
Our duty on the Government Reform Committee is to protect these
rights. Our solemn responsibility is to hold Government
accountable to taxpayers, because taxpayers have a right to
know what they get from their Government. We must work
tirelessly in partnership with citizen watchdogs to provide the
American people the facts and bring genuine reform to the
Federal bureaucracy.
    We are here today to ask and examine fundamental questions
about the security of Healthcare.gov. We recognize best
practices were not followed. Was security testing completed
before the launch to the satisfaction of the experts will be
asked. What did top information security officials at the
Center for Medicare Services and the Department of Health and
Human Services recommend? Were the people who knew about the
technology empowered? Were the decision-makers people who knew
about the technology? Did leadership at CMS and HHS follow
these recommendations? If there was disagreement between people
below the top, were these questions and concerns properly
delivered to higher-ups prior to the launch of the site?
    By now the American people are well aware that there were
functional problems in the Healthcare.gov website at launch.
Many may know that other websites costing a fraction as much,
but doing the same thing, worked better. For example, Kentucky
and Hawaii launched sites that cost the Federal taxpayer about
one-third as much and seemed to work better.
    Those questions and others need to be asked, but today our
real question is why does the Administration steadfastly deny
the existence of security problems and shortcomings and lack of
security testing, while in fact the experts, Federal employees,
we hear from today will testify that there were known
shortcomings and, in fact, unanswered questions at the time of
the launch.
    For many Americans, myself included, it seems to defy
common sense that a website plagued with functional problems
was in fact perfectly secure by design. Additionally, when an
individual finds himself, while on one website, getting
information delivered to him by mail acknowledging another
individual from another State, we certainly know that there
must be some cross-connect within the system that occurred, and
that in fact was reported in the days shortly after the launch.
This and other areas do concern this committee.
    But most important, because we are the Oversight Committee
for Federal contracting and Federal employees, our
investigation has been active and attempted to get directly to
the contractors, such as MITRE, who did an evaluation, that has
been thwarted by the Administration, who warned and tried to
interfere with this committee by asking vendors not to deliver
us information. But through subpoena we have learned that in
fact there were flaws that were reported. It is now undeniable
that MITRE and other companies did their job sufficient for
people to know an alarm was being sounded in the days before
the launch.
    We have acted to protect the information we received from
those entities. Notwithstanding that, we have had repeated
interference and claims that in fact we are the ones that are
going to disclose a roadmap to hackers. What is so amazing is,
in fact, the Administration would like you to believe that,
first, there were no problems; second, any problems that there
were, even though there were no problems, have been mitigated
or, as I would quote or paraphrase the Administration, plans to
mitigate are in place.
    I have been in business a long time before I came to
Congress. A plan to mitigate means you have not mitigated.
Therefore, we will assume that any and all information given to
us about known security risks at the time or prior to the time
of the launch are still there.
    Our witnesses today, for the most part, cannot refute that,
because what we discover is they have not been personally
assured, item by item, of the actual mitigation of those
shortcomings. As I talk in circles to a certain extent, I do so
because we continue to hear from the Administration there were
no problems, the problems have been mitigated, and, oh, by the
way, if you put out information about the problems others say
exist, you are creating a roadmap to hackers.
    I don't think anyone can square that; not my ranking
member, not our witnesses. For that reason, again, this
committee will continue to look at all reports of alleged
security shortcomings or unknown areas, as in fact very, very
important to keep private; and we will do so because we must
assume that the website is still vulnerable, that the American
people may, as we speak, be having their personal identifiable
information hacked and taken, that in fact we cannot consider
the website secure. If anyone would like to say the website is
secure today, then I ask would you allow the former flaws to be
put out there; and the answer, of course, will be no.
    In Washington, people like to talk out of both sides of
their mouth; they like to say there never was a problem, the
problem there never was has been fixed, and, in fact, you may
not put out records of the problems that never were because, in
fact, they are known vulnerabilities. That is what we are
facing today as we go into this.
    It would be comical if it wasn't in fact all of your IRS
records, links to Health and Human Services, of course, but
links to the Department of Homeland Security and others. This
website has tentacles into some of the most personal
information, and in the future even more. More importantly,
States have links into this same database; and, in fact, one of
the things we know, which will not be the prime subject today,
is that the States, for the most part, were not end-to-end
tested, the States were not held to a standard of best
practices. My only hope is that, as we look to the billions of
dollars provided in Federal taxpayer money to the States, that
in fact consistently they did a better job in both operational
readiness and security. But that is but a hope. Today's hearing
will be about the failures or at least the failures to use best
practices that went into the launch of this site.
    Lastly, in a few minutes I will be putting into the record
a series of exchanges that went on between the White House and
the Speaker, between the Secretary of Health and Human Services
through her surrogates and the chairman; and I will do so
because I think it is important to understand this is a
serious, serious hearing. It is one in which the White House
went to the Speaker of the House warning about the release of
information and asking that information not be seen, not be
heard, and not be delivered to this committee. It is one in
which the secretary said she wanted to meet, again, to me. I
flew back and she refused to meet with me, even though she was
in town.
    I am deeply disappointed that we are here today still
dealing with the inability to deal with what happened prior to
October 1st, what has happened since October 1st, and I think
most importantly a committee that on a bipartisan basis
supports real reforms, real reforms that in many cases would
have mitigated or eliminated some of the mistakes made and would
have allowed the President's signature legislation to not be
marred by a website that failed to perform at its launch and is
still questionable in its security.
    Lastly, I certainly want to make sure that we all
understand the American people know that companies have been
hacked, that credit card information has been taken. It has
been widely publicized. The difference between Target and other
companies who dealt with hackers is we don't have to put our
credit card into that machine at Target, we don't have to
deliver that information; we have the choice of paying cash, we
have the choice of not registering. We do not, no one on this
dais has the ability to say I won't go into Obamacare; it is
mandated by a law that I did not vote for, that the American
people did not agree with, but went forward anyway on a purely
partisan basis.
    Mr. Lynch. Mr. Chairman?
    Chairman Issa. So, therefore, I want to make it very clear
we take seriously that the standard for security on the
Government side must be higher, and today's witnesses will help
us begin the process of understanding how it could be higher.
    I now recognize Mr. Cummings for his opening statement.
    He is not recognized. The gentleman from Maryland is
recognized.
    Mr. Lynch. Mr. Chairman, I just want to raise a point of
order.
    Chairman Issa. The gentleman----
    Mr. Lynch. Are we going to balance out the time?
    Chairman Issa. The gentleman is not recognized. The
gentleman is not in order.
    Mr. Lynch. I don't care to be recognized at all.
    Chairman Issa. The gentleman is not recognized.
    Mr. Lynch. You have gone on for 15 minutes. I am just
asking for a point of order.
    Chairman Issa. The gentleman is not in order. Mr. Cummings
is recognized.
    Mr. Cummings. Thank you very much, Mr. Chairman.
    You are absolutely right, this is a very, very serious
hearing. But I think we need to be very careful and be reminded
that we have 110 million Americans, our constituents. You say
they could use cash at Target. A lot of them don't have cash
because they don't have jobs. Give me a break.
    It is good to be here this morning. Today is the twenty-
second hearing our committee has held on the Affordable Care
Act. Twenty-two. We have spent more time on this one issue over
the past three years than any other topic.
    Mr. Chairman, I agree, we want to get this right. This is
so very, very important. The consequences of what we do affect
all of our constituents, and there are people watching us right
now who are suffering from dreadful diseases who are praying
and hoping that we get it right. And I am determined to work
hard with you to make sure that happens. But I am concerned
about them, but I am also concerned about this 110 million of
our constituents who have been placed in a vulnerable position
with regard to their Target credit cards; and I am going to go
further on that a little bit later.
    So where are we today? The law that went into full effect,
hello, full effect, on January 1st and now millions of people
are getting health insurance they did not have before. They are
receiving critical medical care; they have the security of
knowing they will not be bankrupt if they get into an accident
or get sick. But there is something more important or just as
important as all of that: even under those circumstances, they
are allowed to live in dignity. Dignity. That is what our
Nation is all about, lifting up each other so that we all live
in dignity. So this is a phenomenal accomplishment.
    The law also put into place key protections for consumers,
and I am so glad it did. I am so glad. Insurance companies are
now prohibited from discriminating against people with cancer,
our constituents, diabetes and other preexisting conditions,
our constituents, both Republican and Democrat, both rural and
urban. Insurance companies may not charge higher prices for
women, and millions of people are now receiving free
preventative care. That is so important. It is cheaper to keep
somebody well than to treat them after they are sick. There are
also huge financial benefits.
    Health insurance companies are now sending rebate checks to
millions of people. Since the law was passed, we have seen the
lowest growth in healthcare costs in 50 years. If we repeal the
law today, it would increase our deficit by more than $1.5
trillion.
    Despite all of these positive results, Republicans are
still obsessed with killing this law. After more than 40 votes
in the House, they shut down the Government in an unsuccessful
attempt to de-fund the law. Now they have shifted to a new
tactic. This is brand new, hot off the press: scaring people
away from the Healthcare.gov website.
    Everyone agrees that initially the website's performance
was seriously flawed. Our committee has a legitimate interest
in investigating contractor performance and agency oversight,
and we have held multiple hearings on this topic already.
    But let me pause here for a moment. I am just reminded of
what Emerson said, a favorite quote of Mandela. He said do not,
do not be in fear and fail to act because of your fears and
your problems, but be led by your hopes and your dreams. And
this is about the hopes and the dreams of Americans to stay
well, to make sure that their children are well, to make sure
that if they get sick they don't have to go into bankruptcy.
That is what this is all about.
    And that is why you are right, Mr. Chairman, this hearing
is serious, because it has consequences. In terms of security
of the website, however, it is important to highlight all of
the facts, instead of cherry-picking, I said it, cherry-picking
partial information to promote a political narrative that is
inaccurate. Based on the documents we have reviewed, and when I
say we, I mean Republicans and Democrats, and the interviews we
have conducted, I believe we can establish several key facts.
    Number one, although some employees expressed concerns with
security testing before this website was launched, the agency
addressed these risks by implementing a strong mitigation plan
as part of the Authority to Operate memo that was issued on
September 27th.
    Second, since that time the agency has complied
successfully with the mitigation plan. The agency has now
compelled full end-to-end security testing of the system and it
addressed specific issues that arose in a timely manner.
    Third, witnesses interviewed by the committee have praised
the current level of security testing. They have described
multiple layers of ongoing robust protections that meet, and in
some cases exceed, Federal standards. As Ms. Fryer put it
during her interview, the agency is using--and these are your
words, Ms. Fryer; correct me if I am wrong--Ms. Fryer said, she
is one of our witnesses, she said that the agency is using
``best practices,'' Mr. Chairman, ``above and beyond that which
is usually recommended.'' So, Ms. Fryer, I hope you clear that
up. Make it clear to us where you stand.
    Finally, most importantly, to date there have been no
successful attacks on Healthcare.gov by domestic hackers,
foreign entities, or others who seek to harm our national
security. Nobody's personal information has been maliciously
hacked.
    Now, we need to be careful. Obviously, this could change,
given the increasing frequency and sophistication of attacks
against all Federal IT systems. But the evidence obtained by
our committee, and when I say our committee I mean Republicans
and Democrats, indicates that the security of Healthcare.gov is
strong and it keeps getting stronger.
    In very sharp contrast, up to 110 million Americans were
subjected to one of the most massive information technology
breaches in history when their credit, debit, and other
personal information was compromised at Target stores and
online in November and December.
    Mr. Chairman, I sent you a letter on Tuesday requesting a
hearing on the Target breach, and I understand you have agreed
to have our staffs meet on this issue next week, and I thank
you for that. If our committee can hold dozens of hearings on
the Affordable Care Act and on Healthcare.gov, which has not
been successfully attacked to date, surely we can hold at least
one hearing at the earliest possible date on the massive Target
breach that affected more than 100 million of our constituents.
    As I close, I want to close by thanking Dr. Charest. You
have been pulling double duty, providing multiple classified
briefings to Congress in addition to your day job. We thank
you.
    Ms. Fryer, your name has been thrown around on the House
floor, when I am sure you have heard about it, but you have
your opportunity today to clarify whatever it is you have to
say.
    And, Mr. Baitman, after finishing a day-long interview less
than 36 hours ago, you were handed a letter inviting you to
testify here today, and we thank you.
    I want you all to know that we appreciate everything you
and your staffs are doing to remain vigilant and constantly
monitor the security of the website. Millions of American
families thank you for helping them.
    With that, Mr. Chairman, I thank you and I yield back.
    Chairman Issa. I thank the gentleman.
    I now ask unanimous consent that letters dated December
15th, 2013, from the White House; December 17th from this
committee; an email exchange January 15th; and a letter to
Secretary Sebelius on January 15th be placed in the record and
copies be made and distributed. Without objection, so ordered.
    Chairman Issa. All members may have seven days in which to
submit their opening statements and other information.
    We now welcome our panel of witnesses.
    Mr. Kevin Charest, Ph.D., is the Chief Information Security
Officer at the Department of Health and Human Services; Ms.
Teresa Fryer is the Chief Information Security Officer at the
Centers for Medicare and Medicaid Services, which will
undoubtedly be called CMS throughout the hearing; and Mr. Frank
Baitman is the Deputy Assistant Secretary for Information
Technology and Chief Information Officer at the Department of
Health and Human Services, and, again, I thank you for back-to-
back appearances.
    Pursuant to the committee rules, would you please rise,
raise your right hand to take the oath?
    Do you solemnly swear or affirm the testimony you are about
to give will be the truth, the whole truth, and nothing but the
truth?
    [Witnesses respond in the affirmative.]
    Chairman Issa. Please be seated.
    Let the record reflect that all witnesses answered in the
affirmative.
    In order to deal with a fairly short period of time--one of
our witnesses has a hard stop at 12, which we are going to very
much try to respect, and we are likely to have a vote more or
less at that time--I want to announce that I will ask you to
stay within that five minute opening statement, and I will be
very strict on the gavel today, which is not the history of
this committee.
    So we want everyone to ask their question and complete
their questions well prior to five minutes. I won't cut off a
witness answering a question, but I will cut off exactly at
five minutes a question that is droning on, and I will curtail
the answer of questions if, in fact, it is unable to be
answered within a short period of time. And I say this because
I want to get through all the people on the dais and allow our
witnesses to leave timely.
    Additionally, if witnesses need to excuse themselves for a
short period of time, please just go ahead, signal to the
clerk, do it, and use the facilities back here.
    Other than that, Mr. Charest, you are recognized.

                       WITNESS STATEMENTS

               STATEMENT OF KEVIN CHAREST, PH.D.

    Mr. Charest. Good morning, Chairman Issa, Ranking Member
Cummings, and members of this committee. My name is Kevin
Charest and I am the Chief Information Security Officer for the
United States Department of Health and Human Services.
    The Department of Health and Human Services is the United
States Government's principal agency for protecting the health
of all Americans, providing essential human services,
especially for those who are least able to help themselves. The
HHS Office of the Secretary and the Department's 11 operating
divisions administer more than 300 programs, covering a wide
spectrum of activities.
    The Office of the Chief Information Officer, in which I
serve, is a part of OS. Our responsibility as one of the staff
divisions of OS is to manage programs within OS and support the
11 operating divisions in carrying out their various and
diverse missions. It is important to point out, however, that
we manage the Department's information technology portfolio
through a federated governance structure. The vast majority of
the Department's IT resources are tied directly to the
appropriations and statutory authorities Congress provides
directly to our programs and operating divisions. Our
governance authorities at the OS level reflect that federated
structure. Thus, many of HHS's operating divisions have their
own chief information officer, chief information security
officer, and IT management structure. The exception to this
rule is in OS, where the Department's CIO and CISO perform
those responsibilities.
    HHS's enterprise-wide information security and privacy
program was launched in fiscal year 2003 to help protect HHS,
including its operating divisions, against potential
information technology threats and vulnerabilities. The program
ensures compliance with Federal mandates and legislation,
including the Federal Information Security Management Act.
Under my leadership, I have established a framework for
operating divisions to regularly report incidents involving IT
security to my office. Operating divisions routinely report
potential information security incidents to the HHS Computer
Security Incident Response Center, which I oversee.
    In addition to our internal investigation of all IT
security incidents, we report all such incidents to the
Department of Homeland Security's Computer Emergency Readiness
Team at DHS's National Cybersecurity and Communications
Integration Center. Through US-CERT's operations center, US-
CERT accepts, triages, and collaboratively responds to
incidents; provides technical assistance to information system
operators; and disseminates timely notifications regarding
current and potential security threats and vulnerabilities. For
reference, in fiscal year 2013, US-CERT processed approximately
228,700 cyber incidents, an average of more than 620 per day,
including Federal agencies, critical infrastructure, and
industry partners.
    It is important to note that HHS operates a defense-in-
depth strategy for protecting its assets in accordance with
guidance issued by the Office of Management and Budget and the
National Institute of Standards and Technology, which has been
reflected in HHS's information security policy. This strategy
includes the use of a risk-based approach to authorizing
systems to operate, a robust set of technologies for continuous
monitoring of systems, standards and minimum requirements for
systems, as well as the appropriate business processes and
controls to ensure the confidentiality, integrity, and
availability of all HHS IT assets.
    Consistent with these policies, CMS reports actual or
suspected computer-security incidents in connection with
Healthcare.gov to the CSIRC. The reports are based on the
operational security protections CMS has in place to deter and
prevent unauthorized access, and weekly penetration testing and
security scans of the system. CMS's chief information security
officer and its information system security officer are
responsible for designing and maintaining a security program to
mitigate any risks identified in accordance with FISMA.
    Additionally, building on Federal guidelines and
regulations, and in conformance with industry standards, HHS
has dedicated teams of career experts, including officials from
the Office of the Chief Information Officer, the Office of
Inspector General, Office of Civil Rights' Privacy Office, the
CSIRC and key operating divisions who work around the clock to
identify, manage, and mitigate suspected or potential breaches
of PII.
    In carrying out their work, those teams abide by HHS's PII
Breach Response Team Policy, published in 2008, and HHS's
Privacy Incident Response Team Charter, published in 2011. HHS
security and privacy experts work with appropriate Federal
Government and industry professionals to do the following:
validate risk and review and approve response plans; review and
approve communications or notice to affected individuals;
perform analysis on data in order to recommend strategies to
effectively refine and improve the Department's response to the
potential loss of PII; implement privacy and security solutions
that can reduce the potential loss of PII; and, finally,
monitor the privacy and security environment to raise awareness
of threats to PII within the Department.
    If the team determines that notification of a breach is
warranted, the operating division coordinates through the PIRT
to send letters to the affected consumers or businesses,
informing them of the breach.
    I appreciate the opportunity to meet with you today and
discuss your interest in the Federal Government's IT security
practices.
    [Prepared statement of Mr. Charest follows:]

    Chairman Issa. Thank you.
    Ms. Fryer?

                   STATEMENT OF TERESA FRYER

    Ms. Fryer. Chairman Issa, Ranking Member Cummings, and
members of the committee, thank you for the opportunity to
speak about my role in protecting the security of the
Federally-Facilitated Marketplace, also known as FFM. As a
career civil servant, I have decades of experience in
information security not only at CMS, but also at NASA, the
U.S. Fish and Wildlife Service, Office of Personnel Management,
and 20 years at security positions in the Navy. In my current
role as Chief Information Security Officer for CMS, my
responsibilities include issuing CMS information security
policy; ensuring the CMS systems comply with applicable laws
and regulations; and providing oversight to maintain the
confidentiality, integrity, and availability of all CMS
information and information systems.
    CMS has a long track record of successfully securing and
protecting almost 200 complex IT systems related not only to
FFM, but also to Medicare, Medicaid, and the Children's Health
Insurance Program. In my role as CISO at CMS, I lead the team
that is responsible for overseeing the independent security
control assessments of CMS systems, including the FFM. These
are conducted to assess the effectiveness of the security
controls that CMS has implemented in the agency's information
systems.
    Independent security contractors completed a security
control assessment of the FFM on December 18th, with no open
high findings. This security control assessment met all
industry standards, was an end-to-end test, and was conducted
in a stable environment and allowed for testing to be completed
in the allotted time. Given the positive results of the recent
security controls assessment, the ability to complete
comprehensive security testing and a mitigation plan in place,
I would recommend the FFM to be given a new Authority to
Operate when the current authority expires in March.
    The FFM authorization to operate that is currently in place
has a number of strategies to ensure the FFM is protected
against attacks and mitigates risk, including regular testing
that exceeds best practices and a requirement to perform a full
security controls assessment within 90 days of a launch. The
risk mitigation strategies and compensating controls that were
prescribed are being implemented and executed as planned. The
protections that we have put in place have successfully
prevented attacks. There have been no successful security
attacks on the FFM and no person or group has maliciously
accessed personally identifiable information.
    As part of this mitigation plan, CMS established a
dedicated security team, of which I am a member, to monitor,
track, and ensure the activities in the ATO memo are completed.
This team is responsible for the weekly testing of border
devices and Internet-facing web services and scans using
continuous monitoring tools. Ongoing vulnerability assessments
of the FFM network infrastructure and Internet-facing web
service are conducted through penetration testing, which
involves simulated attacks to breach the security defense of
the website and continuous monitoring of marketplace-related
systems to alert security professionals of any new
vulnerabilities that may exist due to recent changes or
maintenance.
Information from these tests has enabled us to \nprevent any successful attacks on the FFM.\n    While no serious security professional would ever guarantee \nthat any system is hack-proof, I am confident, based on the \nrecent security controls assessment and the additional security \nprotections in place, that the FFM is secure. In many instances \nwe have gone above and beyond what is required with layered \nprotection, continuous monitoring, and additional penetration \ntesting. CMS takes system security very seriously. My job is to \nanticipate and detect any possible security threat to our many \nsystems, no matter how small. We continue to carry out this \nresponsibility, protecting the FFM to ensure that consumers can \nuse the system with confidence that their personal information \nis secure.\n    Thank you, and I am happy to take your questions.\n    Chairman Issa. Thank you. Because we were not provided your \nopening statement, what date was that security assessment that \ncauses you to recommend completed?\n    Ms. Fryer. It was completed on December 18th.\n    Chairman Issa. December 18th.\n    Ms. Fryer. I am sorry. Yes, it was completed December 18th.\n    Chairman Issa. Thank you.\n    Mr. Baitman.\n\n                   STATEMENT OF FRANK BAITMAN\n\n    Mr. Baitman. Good morning, Chairman Issa, Ranking Member \nCummings, and members of the committee. My name is Frank \nBaitman and I am the Deputy Assistant Secretary for Information \nTechnology and the Chief Information Officer at the U.S. \nDepartment of Health and Human Services.\n    While I appreciate the committee's interest in \nHealthcare.gov, as you know, two days ago I spent eight hours \nin a transcribed interview with committee staff and with you \nand Representative Jordan, respectively, answering your \nquestions. I received the committee's invitation to testify at \ntoday's hearing approximately 36 hours ago, at the close of \nTuesday's transcribed interview. 
I will do my best to answer \nany questions you may still have, given the minimal time that I \nhave had to prepare.\n    I would like to make clear to the committee the role of my \noffice, that is, the Office of the Chief Information Officer \nfor the Department of Health and Human Services in \nHealthcare.gov. I personally, and my office generally, have \nvery little visibility into the development and operational \noversight for the website. The Department manages its IT \nportfolio through a federated governance structure. Most of \nHHS's operating divisions have their own chief information \nofficer and chief information security officer, one of whom is \nwith us today, as well as their own IT management structure. \nThe vast majority of the Department's IT resources are directly \ntied to appropriations made to our programs and operating \ndivisions, and our governance structure reflects this reality.\n    Management and governance of Healthcare.gov was comparable \nto the management of similar IT initiatives throughout the \nDepartment's 11 operating divisions. And as with Medicare.gov \nand Medicare Part D prescription drug program, the development \nand security of Healthcare.gov website has been led by CMS, \nwhich is the business owner for the system. Neither I nor my \noffice had operational control over or responsibility for \nHealthcare.gov.\n    Since I jointed the Department less than two years ago, we \nhave been working to restructure and update our IT governance \nto bring greater visibility into what the Department buys and \nbuilds across all of our 11 operating divisions. 
We are in the \nprocess of putting in place three It steering committees to \nbring together technology and program leaders from across the \nDepartment to improve our purchasing and management of \ninformation technology resources.\n    With respect to Healthcare.gov specifically, I would like \nto reiterate something that I have described to the committee \non a number of occasions during my transcribed interview on \nTuesday: Any discussions that I had regarding the rollout and \nlaunch of the website were based upon my past experiences in \nthe private sector and the practices of tech companies that are \noften used. I did not have any personal, direct, or detailed \nknowledge of the development or security of the website, so it \nwould not have been appropriate for me to make recommendations \non operational decisions and, accordingly, I did not. As I also \nsaid in response to the committee's questions, it is totally \nappropriate and consistent with NIST guidelines that \noperational decisions about the technical aspects of \nHealthcare.gov be made by the administrator of CMS because of \nthat individual's ability to broadly assess the acceptable risk \nfor operating the system.\n    I am happy to answer any questions you may have, Chairman.\n    Chairman Issa. Thank you.\n    Ms. Fryer, I am going to take you through a couple of quick \nslides here. They are all from the report that was not \npublished. As they put up the side, these particular slides \nwere provided to us after we initially interviewed you, and \nthis was a memo never sent. Would you please tell us why this \nmemo was never sent?\n    Ms. Fryer. So this was a memo that I initially was drafting \nto send to the chief information officer----\n    Chairman Issa. Right. And you chose not to send it because \nof?\n    Ms. Fryer. Because events had taken place the next week \nwith the chief information officer drafting the risk decision \nmemo.\n    Chairman Issa. In other words----\n    Ms. 
Fryer. So it was overcome by events.\n    Chairman Issa.--events--okay. But it is still a good one \nfor us to look at because it is consistent with your \nrecommendations and your thought at the time.\n    So in slide 1 of the draft, you wrote, FFM does not \nreasonably meet the CMS security requirements which are \nintended to minimize CMS business risk. Is that correct?\n    Ms. Fryer. During the security assessment that was \nconducted in September, the security testing was not able to be \ncompleted; they weren't able to test completely----\n    Chairman Issa. But these are your words.\n    Ms. Fryer. Yes.\n    Chairman Issa. Okay. Additionally, you said there is also \nno confidence that personal identifiable information will be \nprotected, correct?\n    Ms. Fryer. Again, there was security testing----\n    Chairman Issa. But these are your words.\n    Ms. Fryer. I drafted this initial memo.\n    Chairman Issa. Okay. And these are consistent with what you \nwere saying in meetings in the September 20th time frame.\n    Ms. Fryer. This memo was capturing the briefing that we had \ngiven to Mr. Charest and Mr. Baitman and the CIO.\n    Chairman Issa. Okay. So the other two witnesses knew that \nthese are your words, but in a paraphrased what you told them. \nThere is also no confidence that personal identifiable \ninformation will be protected. This is in slide 1A.\n    Ms. Fryer. Again, it was the results of the securing \ntesting that had occurred.\n    Chairman Issa. Okay. So in slide 1B you wrote, the \nindependent assessor was forced to test different modules in \nmultiple environments. In other words, no end-to-end, as it was \ngoing to be launched testing, correct?\n    Ms. Fryer. Yes.\n    Chairman Issa. Okay. In slide 1C you wrote, complete end-\nto-end testing of FFM never occurred. That is correct, right?\n    Ms. Fryer. Yes.\n    Chairman Issa. And that is best practices, of course, \nright?\n    Ms. Fryer. Yes.\n    Chairman Issa. 
And you now testified in your opener that on \nDecember 18th end-to-end testing was completed and that is why \nyou now have confidence that at least the snapshot of the site \nas it was that day would meet the requirements, subject to \nadditional changes that occur in maintenance and modification, \nright?\n    Ms. Fryer. On the testing that was conducted on December \n18th, yes.\n    Chairman Issa. Okay. In slide 1C you wrote, the majority of \nthe testing efforts were focused on testing the expected \nfunctionality of the application, not security, is that \ncorrect?\n    Ms. Fryer. Yes.\n    Chairman Issa. Okay. Again, in slide 1C you wrote, several \nfactors contributed to the limited effectiveness of the SSA \nmodules and their interconnects. Can you expect that this could \nbe a problem? And I guess in 1C you are saying yes, you are \nconcerned about that area, is that right?\n    Ms. Fryer. Again, this was a memo that I was drafting; I \ndidn't complete it, so some of these things hadn't been done.\n    Chairman Issa. Okay. Slide 1C also says, valid test data \nwas not provided prior to testing to give the true environment, \ncorrect?\n    Ms. Fryer. Yes. Normally, it is put into the system for the \nsecurity testers beforehand, so it doesn't delay testing.\n    Chairman Issa. So it is common to get real data, or at \nleast data that is substantially real in both size and in cells \nand information in order to do a real assessment, and that \nwasn't done, is that correct?\n    Ms. Fryer. Test data was put into, yes, it was just a delay \nin getting the test data put into the system.\n    Chairman Issa. Okay. So the two witnesses here were aware \nof essentially this information when you made your \nrecommendation that it basically wasn't ready to launch, or at \nleast you were uncomfortable with whether or not it was ready \nbecause of the lack of end-to-end testing and the like, is that \ncorrect?\n    Ms. Fryer. 
My responsibility as the chief information \nsecurity officer is to give an assessment to the chief \ninformation officer on the risks that were discovered during \nindependent testing.\n    Chairman Issa. And Mr. Charest, of course, was aware of \nthis, plus had independent knowledge.\n    Mr. Baitman, yesterday in testimony you told us that you \nrecommended a less than full rollout in a meeting, I believe \nSeptember 10th, essentially saying with the problems and so on, \nbest practices, in your opinion, would have been to roll out a \nportion of this rather than the size and scope that was rolled \nout on October 1st. You didn't characterize it completely as a \nrecommendation, but it was certainly something you put out. In \nretrospect, would you prefer that to have been the way this \nsite launched, in other words, more like a beta, in order to \nmitigate what we now know was pretty much a bad launch?\n    Mr. Baitman. Well, as you point out, Mr. Chairman, it \nwasn't actually a recommendation; it was a discussion topic for \nthe meeting, and it was based upon my experience in the private \nsector, having seen this being done elsewhere. Sometimes it is \nreferred to as a beta launch, a controlled, measured launch. In \nretrospect, I don't know that I can say because I didn't have \ndirect knowledge of the system, the operational, development \nissues.\n    Chairman Issa. Thank you.\n    Mr. Cummings.\n    Mr. Cummings. Thank you very much, Mr. Chairman.\n    Over the past few months, House Republicans have made a \nnumber of extraordinarily unfounded claims about the security \nof Healthcare.gov. This scare tactic appears to be part of a \ncoordinated campaign to frighten people away from \nHealthcare.gov's website. 
I want to make sure we separate fact \nfrom fiction today and tell the American people the whole \ntruth.\n    I would like to go down the line with each of you and ask \nwhether there have been any successful security attacks against \nthe website.\n    Dr. Charest, let me start with you. You oversee HHS's \nIncident Response Team, is that right?\n    Mr. Charest. Yes, sir.\n    Mr. Cummings. So if there is an attack on Healthcare.gov, \nyou would know about it, is that right?\n    Mr. Charest. Yes, sir.\n    Mr. Cummings. Dr. Charest, to date, I want you to look at \nme, now, has there been a single successful security attack \nagainst Healthcare.gov by a domestic hacker, foreign bad actor, \nor any other malicious individual group?\n    Mr. Charest. No, sir, there have been no reported attacks \nof any type of any malicious intent, either domestic or \nforeign.\n    Mr. Cummings. Mr. Baitman, let me turn to you. You are the \nchief information officer at HHS. My constitutes and our \nconstitutes are looking at you, they are depending on your \ninformation. Have there been any successful attacks against the \nwebsite?\n    Mr. Baitman. There have been no reported successful attacks \nagainst the website.\n    Mr. Cummings. Ms. Fryer, you are the chief information \nsecurity officer for CMS. Have there been any successful \nattacks against the system?\n    Ms. Fryer. No, there have been no successful attacks.\n    Mr. Cummings. So you all agree that over the past three and \na half months, since the website has been live, there have been \nno successful attacks against the Healthcare.gov website, and I \nthink that this is a very, very critical point.\n    Last November the CIO of Foreground Security testified \nbefore the House Energy and Commerce Committee, and this \ncompany is one of the contractors that conducts continuous \nsecurity monitoring of the website. 
The CIO testified that \nnobody could guaranty with 100 percent certainty that \nHealthcare.gov was secure from external hackers. Do you all \nagree with that?\n    Mr. Charest. Yes, sir.\n    Ms. Fryer. Yes, sir.\n    Mr. Baitman. Yes, I do.\n    Mr. Cummings. And he stated this, he said, ``I also would \nsay the same thing about Facebook or any banking website as \nwell.''\n    Dr. Charest, Mr. Baitman, during your interviews with the \ncommittee staff, you told us that you agree with this \nstatement. You have both worked in the private sector. Can you \nboth explain why Healthcare.gov is no more risky than \ncommercial sites like Facebook? Mr. Charest.\n    Mr. Charest. Yes, sir. So, in essence, there are always \nvulnerabilities, there are a number of vulnerabilities. All of \nthese sites rely on underlying infrastructure, third-party \nsoftwares. All of these variables coming together create an \nenvironment which can be compromised, candidly, at any time, so \nyou have to be vigilant. As the defender, we have to defend \nagainst every possible attack and the attacker, in essence, has \nto find the one way in which we have not defended. So they are \nall always at some level of risk.\n    Mr. Cummings. Now, Mr. Baitman, would you have anything to \nadd to that or do you agree or disagree?\n    Mr. Baitman. I agree. No site is perfect, and we need to be \nvigilant, which is why we have layers of security.\n    Mr. Cummings. Now, although there have been no successful \nattacks against Healthcare.gov to date, we have to keep in mind \nthat there are constant attempts by malicious individuals and \ngroups, both domestic and foreign, to attack large complex \nGovernment IT systems. We are all concerned about that, both \nRepublicans and Democrats. We have to remain one step ahead of \nthe actors.\n    I thank you for clearing all of this, the confusion that \nmay have occurred. 
Our job is to ensure that the American \npeople have accurate information so they are not wrongfully \ndeterred from obtaining the critical healthcare coverage they \nneed and deserve.\n    Now, I want to go to you just very briefly, Ms. Fryer. The \nchairman asked you some questions and I just want to summarize \nas I close. I want to make sure that I have this right, so let \nme ask you a series of very basic questions. The draft \nmemorandum that he talked about, you are familiar, right?\n    Ms. Fryer. Yes.\n    Mr. Cummings. Did you ever send the memorandum to anybody.\n    Ms. Fryer. No, I didn't.\n    Mr. Cummings. Anybody?\n    Ms. Fryer. No, I did not, sir.\n    Mr. Cummings. You never sent it to your boss, Mr. Trenkle?\n    Ms. Fryer. No, sir.\n    Mr. Cummings. You never sent it to Administrator Tavenner?\n    Ms. Fryer. No, sir.\n    Mr. Cummings. So you never pressed the Send button.\n    Ms. Fryer. No, sir.\n    Mr. Cummings. During your interview with the committee \nstaff, you explained that you stopped working on the memo and \nput it aside after you found out that your superiors were \nmoving forward with the December 27th ATO, which included the \nmitigation measures we have been discussing, is that right?\n    Ms. Fryer. Yes, sir.\n    Mr. Cummings. And did you ever finalize your draft memo?\n    Ms. Fryer. No, sir.\n    Mr. Cummings. So you never finished it.\n    Ms. Fryer. No, sir.\n    Mr. Cummings. Do you know if all of the information in the \nmemorandum is accurate?\n    Ms. Fryer. No, sir. I was still validating the information.\n    Mr. Cummings. Very well.\n    Thank you very much, Mr. Chairman.\n    Chairman Issa. Thank you.\n    Mr. Mica.\n    Mr. Mica. Just a commentary. I heard the ranking member \nstart out. I am as concerned. I came from a family that didn't \nhave healthcare at times in our life, and there are 42 to 45 \nmillion Americans that don't have healthcare, and yet we have \nrolled out a flawed system. 
Everyone from the President of the \nUnited States to members of Congress on both sides of the aisle \nsaid the rollout, from a technical standpoint, was a meltdown \nand a fiasco. That was accessing it.\n    We signed up about a million people. I am one of the \nunwilling participants in that and others had no other choice, \nreally, but we knocked six million people off of their \nhealthcare system. This is a great record of success. And we \nprobably left 41 to 44 million people still without healthcare. \nSo I just had to comment when I heard that.\n    Ms. Fryer, you did in fact draft this memo of the 24th, \nright?\n    Ms. Fryer. Yes, sir.\n    Mr. Mica. That was up there. Yes. And it said that this \nplatform basically doesn't reasonably meet the CMS security \nrequirements which are intended to minimize CMS business risk, \nenterprise risk, or the application risk. There is also no \nconfidence that the personal identifiable information will be \nprotected. You wrote that on the 24th, right?\n    Ms. Fryer. Yes.\n    Mr. Mica. The 27th, what happened? Ms. Tavenner, didn't she \nsign the Authority to Operate? On the 27th she signed the \nAuthority to Operate. Is that the event that overcame this? You \nwrote the memo. Who did you share the contents of this memo, \nthat there wasn't assurance when this was rolled out? It is bad \nenough the thing wouldn't work from a technical standpoint or \nmillions of people who wanted healthcare couldn't access the \nsystem. In fact, I was served by a waitress the other day and \nshe says, I wanted to get on it; I still don't have it because \nI couldn't access it. But it was flawed from the standpoint of \nbeing able to access it or work from an operational standpoint, \nright? At least initially, right?\n    Ms. Fryer. My responsibility was to brief my management and \nthe chief information officer.\n    Mr. Mica. You are security, but you wrote that it wasn't \nready for prime time rollout for security, right? 
And then you \nsaid events that overtook this. Well, the event was, in fact, \nthat Tavenner, she signed the ATO. Did you sign the ATO?\n    Ms. Fryer. No, I did not. It is not my responsibility.\n    Mr. Mica. In fact, I saw at the end of the ATO you put a \nlittle caveat to protect your rear end, kind of, you put this \nparagraph at the end of the ATO, didn't you?\n    Ms. Speier. Mr. Chairman?\n    Ms. Fryer. My responsibility is to brief the CIO on its \nface.\n    Chairman Issa. The lady will suspend. The gentleman will \nsuspend.\n    Ms. Speier. Mr. Chairman, I would like to suggest that we \nall----\n    Chairman Issa. No, the gentlelady will state her point of \nparliamentary inquiry, please.\n    Ms. Speier. Personal privilege.\n    Chairman Issa. Point of personal privilege. Please state \nit.\n    Ms. Speier. Mr. Chairman, I think that we should show \nrespect to the persons who are----\n    Chairman Issa. That is not a point of personal privilege. \nPlease state a point of personal privilege.\n    Ms. Speier. Well, I am offended by the fact that----\n    Chairman Issa. Okay, if the gentlelady can organize an \nactual procedural request, we will reconsider it at that time.\n    The gentleman may continue.\n    Mr. Mica. Well, I understand, and, again, protecting \nyourself, I may have used a term that some member found \noffensive, but protecting your rear end, everybody knows it \naround here.\n    Ms. Fryer, last December you testified to the committee \nthat prior to the October 1st launch you recommended again to \ndeny the exchange's Authority to Operate, also known as the \nATO, which is a document necessary to the website for the \nrecord. Is that accurate?\n    Ms. Fryer. Yes.\n    Mr. Mica. Why did you make this recommendation?\n    Ms. Fryer. The testing in September, there were some issues \nthat were encountered during the testing, so there was a level \nof uncertainty as to the known risk.\n    Mr. Mica. 
Who did you make the recommendation to?\n    Ms. Fryer. My responsibility is to make the recommendation \nto my management and the chief information officer of CMS.\n    Mr. Mica. Okay. Ms. Fryer, you also testified that you \ncommunicated your recommendation to Mr. Trenkle and he shared \nyour concerns, is that correct?\n    Ms. Fryer. Yes.\n    Mr. Mica. Did he sign the Authority to Operate, again, the \nATO?\n    Ms. Fryer. No, he did not.\n    Mr. Mica. He did not. When did you learn Mr. Trenkle was \nalso not comfortable enough to sign the ATO?\n    Ms. Fryer. It was probably during our conversation, during \nthe security testing, when there were problems that were being \nencountered.\n    Mr. Mica. So that was earlier.\n    Ms. Fryer. And on September 20th, when I briefed him, Mr. \nTrenkle, and Mr. Baitman and----\n    Mr. Mica. Did Mr. Trenkle tell you why he decided not to \nsign the ATO?\n    Ms. Fryer. No, he did not.\n    Mr. Mica. Did you ever brief Administrator Tavenner on the \nsecurity risks in the federal exchange?\n    Ms. Fryer. No, I did not.\n    Mr. Mica. Did you----\n    Chairman Issa. The gentleman's time has expired.\n    Mr. Mica.--Mr. Charest and also Mr. Baitman?\n    Chairman Issa. You may answer.\n    Mr. Charest. No, sir, I never briefed Tavenner.\n    Mr. Mica. Mr. Baitman?\n    Mr. Baitman. I am sorry, could you repeat the question?\n    Mr. Mica. Did you counsel with Ms. Tavenner on security \nissues?\n    Mr. Baitman. No, I did not.\n    Mr. Mica. Thank you.\n    Chairman Issa. Thank you very much.\n    The gentleman from Massachusetts, Mr. Tierney, is \nrecognized.\n    Mr. Tierney. 
Thank you very much.\n    Thank all the witnesses for their work and for being here \nagain today.\n    So essentially what we have established is that we have a \nmemorandum that allows the majority apparently to raise the \nspectre of problems, only to find out that it was never sent to \nanyone because those issues had been addressed and dealt with, \nand now we have a system that has not had any successful hack \nattack since then. But we continue to go over and over and over \nthis because, if we do go over and over and over it, maybe \nsomebody will think that there is a real problem.\n    But let's talk about the real problem. So we have spent a \nlot of time doing that on this committee, Oversight Committee, \nhad hearings and subpoenaed documents, conducted interviews; \nMr. Baitman ad nauseam with respect to you, at least. The good \nnews is that there have been no successful attacks in security \nagainst the website, but every day people do attempt, from time \nto time.\n    So I have a modest suggestion here. Why don't we try to \nfind out who is doing that? This is an oversight and \ninvestigatory committee, after all. It seems to me that if we \nhave a website and people want to have healthcare, but there \nare people trying to prevent them from doing that, by that I \ndon't reference my colleagues here, I reference people that are \ntrying to--although many people are tiresome of the efforts to \nrepeal--I am talking about people that are trying to get into \nthe system and destroy it. We ought to go after those bad guys \non that basis.\n    There are reports out there, pretty wide range set of \nreports, describing some of the malicious groups that are \norganizing to try to do this. One example is a group that \ndeveloped a program called Destroy Obamacare. Are you familiar \nwith that, Mr. Baitman?\n    Mr. Baitman. Yes, I have seen reports of it.\n    Mr. Tierney. And apparently what they were doing was trying \nto have a denial of service tool. 
Can one of you explain what \nthat is? Mr. Charest?\n    Mr. Charest. Yes, sir. So in the case of Destroy Obamacare \nand in all denial of service tools, the basic premise is to \nflood the website with potentially even appropriate traffic, \nbut such that legitimate users cannot access the site, it is \noverloaded, in essence.\n    Mr. Tierney. So the spectre this would raise is trying to \nbe made true by people who are taking an overt action, trying \nto interfere with the system, would that be right?\n    Mr. Charest. Yes, sir.\n    Mr. Tierney. So press reports indicate that these are, in \ntheir words, right-wing groups motivated not by financial gain, \nbut sort of a political animus. They disagree with the \nAffordable Care Act, so they are trying to intentionally block \napplicants from actually getting access and getting the rights \nentitled to them under the law. Is it a crime, Dr. Charest, for \nthem to do this?\n    Mr. Charest. I am not an attorney, sir, but I believe it \nis.\n    Mr. Tierney. And who investigates those types of attacks?\n    Mr. Charest. In the event--and we did investigate the \nDestroy Obamacare code and those--not the actors, that is not \nour role, but the attempted attack. We found it to be \nrudimentary, but we did report, as we report all these \nincidents, to the Office of the Inspector General, and they \nreceived that information and would indeed investigate, if \nappropriate.\n    Mr. Tierney. Okay. And would they investigate to try to \ndetermine who the individuals leading this attack are?\n    Mr. Charest. That is my understanding, sir, but they would \nhave to tell you their procedures.\n    Mr. Tierney. Okay. And perhaps that is a good action for \nthis committee, would be to meet with those people and find out \nwhere they are going and what they are finding out. 
Does your \nincident response team, in terms of checking out these \nallegations to look to see who is undermining it, do you look \nto see how you can trace back on the site, where it may \noriginate or where the site is hosted?\n    Mr. Charest. Yes, sir. We will trace back what we call the \ncommand and control, all the elements of the attack, as best as \nwe can, and then we will share that with DHS, law enforcement, \nand others, as appropriate.\n    Mr. Tierney. And do you think that if the right people were \ninvestigating this, they would be able to in fact locate and \nfind who these people are? Is there a likelihood of that?\n    Mr. Charest. It is possible, sir, but these things are \nfairly mercurial. IP addresses are rapidly changing; websites \ncome up and down pretty often. The reality is, though, very \noften they are found.\n    Mr. Tierney. And it is because of that mercurial aspect and \nother things in constant attacks that you have the need for \nlayered security, is that correct?\n    Mr. Charest. Yes, sir.\n    Mr. Tierney. And that layered security, once again, has \nbeen successful to date in stopping any successful hacking \nattack, is that correct?\n    Mr. Charest. Yes, sir, to date it has.\n    Mr. Tierney. All right. But because all systems, whether \nthey are private or public like this, are constantly under \nattack, we have to be vigilant, and that is exactly what all of \nyou are doing, is that correct?\n    Mr. Charest. Yes, sir, around the clock.\n    Mr. Tierney. Well, I thank you for your efforts.\n    Mr. Chairman, I think that I would ask that the committee \nconsider an investigation pursuing those who are making \nattempts to attack and hack this site, for whether it is \npolitical animus or any other means on that. I think that would \nbe an appropriate activity for us to do. That seems to be the \nreal danger here, interfering with people's rights to have \nhealthcare under the plan.\n    Chairman Issa. 
The gentleman absolutely is right. \nCybersecurity is part of our core jurisdiction. Mr. Connolly \nand I also spoke this morning at a cloud computing conference, \nso that is an area of not only interest, but a willingness to \nput staff and dais time into.\n    If I may, Mr. Cummings and I have been discussing, and I \nwill be brief, the fact that we need to link in, as part of our \ncommittee jurisdiction, other areas of best practice flaws \nwithin the Federal Government, but also a recognition that \nthose things have to be rippled out to private corporations; \nthe banking community. Certainly Target has been mentioned \nhere, but it wasn't the only commercial site hacked during this \nperiod of time. So I join with the gentleman and you can count \non there being a series of briefings and possible committee \nhearings on them.\n    Mr. Tierney. I thank the chairman. Yield back.\n    Chairman Issa. We now go to the gentleman from Michigan, \nMr. Walberg.\n    Mr. Walberg. Thank you, Mr. Chairman, and thanks to the \nwitnesses for being here.\n    Ms. Fryer, we have dealt with the memo and your ultimate \ndecision not to send it, but I think there is still questions \nthat are there and it can't be just simply an out of sight, out \nof mind issue, so let me ask you a question. In your testimony \nlast month before the committee you characterized the \nmitigation plan identified in the risk decision memo as ``added \nprotections to compensate for those unknown risks.'' What did \nyou mean by this, specifically those unknown risks?\n    Ms. Fryer. So the security testing in September was not to \nthe level that was expected, so they weren't able to test fully \nfor the confidentiality and integrity areas. So in order to \ncompensate for those compensating controls, we added those. \nThose were additional protections for the overall marketplace \nsystem.\n    Mr. Walberg. 
Well, is a mitigation able to effectively \naddress the vulnerabilities in the nearly half of the modules \nthat made up the marketplace that were not fully security \ntested?\n    Ms. Fryer. It was a later protection, so later protection \nwas put into place to mitigate the risk of those. You can't \nmitigate unknown risks, so, again, we have those later \nprotections in place.\n    Mr. Walberg. Well, based upon that, let me go, Ms. Fryer \nand Mr. Charest. Is it true that a good security control \nassessment makes it easier to create a good, tight mitigation \nplan?\n    Mr. Charest. I would say so, yes, sir.\n    Mr. Walberg. Would you agree, Ms. Fryer?\n    Ms. Fryer. Yes, I do, sir.\n    Mr. Walberg. Is it true that the more understood the risks, \nthe better it is to create a plan to address those risks? Mr. \nCharest, Ms. Fryer?\n    Mr. Charest. Yes, sir, it is.\n    Mr. Walberg. Just establishing the pattern here.\n    Ms. Fryer. Yes, sir.\n    Mr. Walberg. Is it possible to mitigate unknown risks?\n    Mr. Charest. I don't know of any way to do that, sir.\n    Ms. Fryer. No, sir.\n    Mr. Walberg. How difficult is it to mitigate unknown risks?\n    Mr. Charest. There are always unknown risks, so when you \nsay how to mitigate a specific unknown risk, obviously, it is \nunknown, so what you do is you create an environment as we \nhave, which is a defense in depth strategy; it is the \ninfrastructural components, it is the methodologies that you \nutilize for your IT systems. It is the preponderance of all of \nthese elements and then those teams that are designed to watch \nthose elements in operation that will allow you to, in essence, \naddress unknown risks.\n    Mr. Walberg. But clearly with this testimony, to advance \nthe rollout with unknown risks out there, with unclear \nmitigation, certainly appears, I think, to this committee to be \na concern worth addressing and worth having these hearings \nover.\n    Chairman Issa. 
Would the gentleman yield?\n    Mr. Walberg. Yes, I would.\n    Chairman Issa. I think the gentleman makes an extremely \ngood point, and I might note that Ms. Fryer had made it clear \nthat there were tests that could have been done that would have \ncaused the unknown risks to be less unknown.\n    Mr. Walberg. I concur.\n    Mr. Baitman, Teresa Fryer had a discussion with you about \nthe security risk of Healthcare.gov, is that correct?\n    Mr. Baitman. There was a video conference call, I think you \nare probably referring to, on September 20th.\n    Mr. Walberg. But you had a discussion with Ms. Fryer.\n    Mr. Baitman. She participated, that is correct.\n    Mr. Walberg. What did Ms. Fryer tell you in that video \nconference call?\n    Mr. Baitman. As I recall, the CIO of CMS at the time was \nTony Trenkle, and I believe Tony said that both he and Ms. \nFryer were uncomfortable with signing the ATO.\n    Mr. Walberg. Did you relay that discomfort with anyone \nabout Healthcare.gov who had the Authority to Operate within \nHHS?\n    Mr. Baitman. I am sorry, I don't understand.\n    Mr. Walberg. Did you relay Ms. Fryer's discomfort with the \nrisk in signing the Authority to Operate with HHS?\n    Mr. Baitman. Yes, I did.\n    Mr. Walberg. Did you tell this information to anyone, \nincluding Ned Holland or Jim Corr?\n    Mr. Baitman. I shared it with a few people, Ned Holland and \nDeputy Secretary Corr, yes.\n    Mr. Walberg. What did you tell them?\n    Mr. Baitman. I thought it was noteworthy that the chief \ninformation security officer for CMS had expressed that she was \nuncomfortable signing it. On the other hand, I didn't consider \nit a red flag. So I wanted to share it with them, but Ms. Fryer \nwasn't the operational security person and CMS has an official \nwho is responsible for that, so I thought that he was probably \nin a better position to know what changes had been made and \nwhat was going to launch on October 1st.\n    Chairman Issa. 
The gentleman's time has expired.\n    We now go to the gentleman from Massachusetts, Mr. Lynch, \nfor five minutes.\n    Mr. Lynch. Thank you, Mr. Chairman, and I thank the ranking \nmember as well.\n    Mr. Baitman, I want to go back some previous questioning. I \nam not sure if it was Mr. Cummings or Mr. Tierney, they talked \nabout the beta approach that you referred to, and I just want \nto be clear on this. During your interview with the committee \nyou had said earlier that your suggestion about the beta \napproach was based on your sort of general experience in the \nprivate sector with the rollout of IT systems, again, in the \nprivate sector, is that correct?\n    Mr. Baitman. That is correct.\n    Mr. Lynch. Okay. So you explained your suggestion had \nnothing to do with security concerns with regard to the \nwebsite.\n    Mr. Baitman. No. I didn't have any direct knowledge of \nfunctional or security issues; it was more of a this is a big, \nlarge, complex system and this is an approach that will \nminimize any challenges.\n    Mr. Lynch. Okay. I just wanted to be clear on it. And, in \nfact, you told us in your previous testimony on September 10th \nthat you had no specific knowledge of any security concerns \nwith the website. Is that still correct?\n    Mr. Baitman. No specific concerns, no.\n    Mr. Lynch. Okay. All right. Thank you.\n    I know we are talking about the technology, and in a moment \nof complete disclosure, I voted against the Affordable Care Act \nfor a whole slew of reasons. However, this was not one of them. \nThis was supposed to be the easy part, this rollout, the \nmechanical function of getting everybody up and on the system, \nso it is particularly discouraging. But I do want to say this \nis the law. I voted against it because I didn't think it was \nbeing done the right way, and people can differ on that. 
But I \nsee my role going forward as one of making sure that the people \nthat I represent have decent affordable, high-quality \nhealthcare. That is my role going forward, and I think that \nshould be everyone's goal here. But I have had an opportunity \nto sit with the folks that are running the Massachusetts \nConnector, the Health Connector, and some of the folks that are \ngoing out to sign everybody up, and I had one question.\n    I read the security documents for the Massachusetts Health \nConnector. Of course, I can't locate it right now, but what \nthey do say in the security section regarding personally \nidentifiable information, it talks about all the precautions \nthey are taking, but then it says, and it is sort of an odd \nwrinkle, however, once you voluntarily submit personally \nidentifiable information to us, the Health Connector, related \nto your use of the portal, its dissemination is governed by the \npublic records law, the Fair Information Practices Act of \nMassachusetts General Laws 66(a), so forth, and other \napplicable laws and regulations. And they have this one called \nout in bold, it says, for this reason, part or all of the \ninformation you send us may be provided to a member of the \npublic in response to a public records request.\n    Now, I don't think that is what we intended when we passed \nthat law in Massachusetts, but I know there are a whole lot of \nlaws all across probably in all 50 States and the District of \nColumbia that have this public records access ability. And I am \nnot sure if Mr. Charest or Ms. Fryer or you, Mr. Baitman, might \nhave some comment on that. Is that something that we are going \nto have to go back, all 50 States, and say we don't mean that \nyour personal information should be accessible through a public \nrecords request? Have you thought about that?\n    Mr. Baitman. I have to say I don't think I am in a position \nto address that, unfortunately.\n    Mr. Lynch. How about you, Ms. 
Fryer?\n    Ms. Fryer. Same here, sir.\n    Mr. Lynch. Okay. Mr. Charest?\n    Mr. Charest. I am from Massachusetts and, unfortunately, I \nstill can't address it, sir.\n    Mr. Lynch. That's three strikes and I am out, I guess. \nWell, I just want to say I appreciate your efforts and your \ngood work on this, and I will yield back the balance of my \ntime.\n    Chairman Issa. Would the gentleman yield?\n    Mr. Lynch. Sure I will. Sure I will.\n    Chairman Issa. Mr. Baitman, I just had one quick follow-up, \nI think Mr. Lynch would also want to know. You said that Ms. \nFryer's concerns did not raise a red flag. Do you really mean \nthat her being uncomfortable with the security launch didn't \nraise a red flag simply because, even though she was \nknowledgeable, she wasn't ``the one in charge''?\n    Mr. Baitman. That is what I mean, yes.\n    Chairman Issa. I wish you had said that yesterday in the \ntestimony.\n    Mr. Meehan is recognized for five minutes.\n    Mr. Meehan. I thank you, Mr. Chairman.\n    Mr. Charest, what is a successful attack on the system?\n    Mr. Charest. It can be defined, I suppose, in a number of \nways, sir, but basically where the attacker actually has \npenetrated the system and/or compromised the system or, as we \ncall it, exfiltrated, meaning taken away something from the \nsystem.\n    Mr. Meehan. Okay, so at this point in time, then, and this \nis the testimony. I am kind of interested in, on the record--\nand the chairman or the ranking member went through this with \nboth you and Ms. Fryer and it has been your testimony there has \nbeen no reported successful attack on the system.\n    Mr. Charest. That is correct, sir.\n    Mr. Meehan. Now, I know from my work with chairing the \nCybersecurity Committee for Homeland, a million hits a day on \nour banking systems and things like this, Chinese hackers now. \nThe record indicates that Chinese hackers came in in November \nand tried to get into the system. 
The last time they have ever \ndone it?\n    Mr. Charest. I just want to parse there are attempts all \nthe time by would-be attackers.\n    Mr. Meehan. So that is what I am trying to say. So we have \nmaybe 30, 40, 50,000 navigators around the United States \ndealing with personally identifying information; we have \nChinese hackers doing millions of attacks a day; sophisticated \nRussians; we had sophisticated networks that broke into Target. \nThey didn't know it, with the most secure systems, they didn't \nknow it for quite a period of time, did they? But somehow there \nhasn't been a successful attack since this has rolled out, this \nsystem?\n    Mr. Charest. That is correct, sir.\n    Mr. Meehan. All right. I am still struggling with the idea \nof how this thing was approved, the ATO decision was made, from \nmy work with FISMA. Now, let me ask you specifically. Was there \na security assessment plan that was done prior to the ATO \ndecision? Ms. Fryer, Mr. Charest? Ms. Fryer, was there a \nsecurity assessment plan completed and done by HHS prior to the \ndecision that was made?\n    Ms. Fryer. So let me clarify. There was a security test \nplan that was created before the testing was conducted in \nSeptember, and, yes, there was a security controls assessment \nreport that was completed after the testing was.\n    Mr. Meehan. Have you turned over that plan and that \nassessment to this committee?\n    Ms. Fryer. I can't answer that question.\n    Mr. Meehan. Will you turn over that plan and that \nassessment to this committee?\n    Ms. Fryer. I would have to bring that back to my agents.\n    Mr. Meehan. Why is that a difficult question? Will you turn \nthat plan and that assessment over to my committee on \nCybersecurity in Homeland Security?\n    Ms. Fryer. I believe that those documents have been turned \nover; they are sensitive documents. Usually, we don't like to \nhave them out there, but I believe that----\n    Mr. Meehan. 
It is my understanding that, in fact, the \ntesting preceded the completion of those documents, that plan \nand the final assessment. Is that accurate?\n    Ms. Fryer. The testing is conducted and then a security \ncontrols assessment report is delivered by the contractor.\n    Mr. Meehan. MITRE didn't have access to the full--doesn't \nit need access to the full scope of the network?\n    Ms. Fryer. I didn't understand that question, full scope. \nThey have a scope----\n    Mr. Meehan. Did they have full access to the information \nsystem and the environment of the operation?\n    Ms. Fryer. They have access----\n    Mr. Meehan. Did they have, did MITRE, who was the \ncontractor, is it your testimony that during the period of time \nwhen they were supposed to be preparing this report, which is \nrequired under the law, under FISMA, did MITRE have proper \naccess to the information system and the environment of \noperation, specifically?\n    Ms. Fryer. The system that was being tested, yes.\n    Mr. Meehan. Well, was it the system that was being tested \nor the full system? Not the system that was being tested, \nbecause what we had was parts of the system being tested. But \nFISMA doesn't authorize parts of the system being tested, it \nrequires, under the law, the entirety of the system.\n    Ms. Fryer. They tested what was in scope of the security \ntest plan that was provided by FISMA.\n    Mr. Meehan. Well, that is why I want to see the security \ntest plan; not for the parts of the security, but the entirety \nof the system. Was the security test plan dealing with the \nentirety of the system prior to the OTA being made?\n    Chairman Issa. The gentleman's time has expired, but you \nmay answer and I think include the words end-to-end, perhaps, \nif you think that is appropriate.\n    Ms. Fryer. If I understand, you are requesting the security \ntest plan.\n    Mr. Meehan. 
I want the security test plan, I want the \nsecurity assessment, and then I want the remediation that was \nby the contractor and HHS in which they resolved all of those \nissues and I want to know that they were all done prior to the \napproval of the OTA, which is required under the FISMA law.\n    Ms. Fryer. Yes, sir, and I will bring that request back.\n    Chairman Issa. Thank you. I thank both of you.\n    I will note for the committee that we were unaware of the \nDecember 18th study; it has not been provided, even though we \nbelieve it would be appropriate pursuant to the subpoena that \nwas already in place, and it is my intention to issue a new \nsubpoena to make sure there is no doubt that that document that \nwe were not aware of as of yesterday had not been provided.\n    And for the record, no, Mr. Meehan, those documents have \nnot been provided by HHS.\n    Mr. Connolly.\n    Mr. Connolly. Thank you, Mr. Chairman. It is my \nunderstanding, however, that an unredacted copy of the test \nresults was subpoenaed and was provided to this committee.\n    Is that correct, Ms. Fryer?\n    Ms. Fryer. Yes, I believe the September testing documents. \nIf it is the December ones, like I said, I have to bring that \nrequest back.\n    Mr. Connolly. Okay.\n    Chairman Issa. Mr. Connolly, if I may. I just want to make \nsure your question is clear. MITRE Corporation, pursuant to a \nsubpoena, supplied us documents; neither Health and Human \nServices, nor CMS have provided any such documents. Thank you.\n    Mr. Connolly. Thank you for the clarification.\n    And, Mr. Baitman, let me express my regret that you were \ngiven so little notice before being asked to testify here \ntoday, for a committee that insists on better compliance from \nvarious Federal agencies, and in a timely fashion. 
Sometimes we \nseem to have a double standard, or it might be perceived that \nway.\n    I want to ask about security, because I have to admit, when \nI heard some of the statements, especially the opening \nstatement of the chairman, it sounded scary to me. It sounded \nlike only Healthcare.gov represents a potential security, \ncybersecurity threat that could compromise everybody's \nhealthcare in America. And, of course, as you indicated, Mr. \nCharest, cybersecurity attacks are going on all the time, in \nthe private sector as well as in the public sector. The game \nhere is to stay ahead of it, to develop systems to try to \nprevent it, to track it down, and that is going to be an \nongoing battle forever for everybody because of the nature of \ntechnology. Do you think that is a fair statement, Mr. Charest?\n    Mr. Charest. Yes, sir. We cybersecurity professionals \nbelieve we have excellent job security.\n    Mr. Connolly. Okay. I want to ask about, because several of \nus wrote the chairman of this committee asking for \nclarification of protocols to safeguard sensitive documents, \nand, Ms. Fryer and Mr. Baitman, if I am hearing you correctly, \nthere is reason to be concerned about providing us with very \nsensitive documents that could somehow be compromised, \nobviously unwittingly. Nobody on this committee would ever leak \nanything to the press. But leaving it around accidentally or \nwhatever could in fact lead to the very result that presumably \nthis hearing is all about trying to deter, which is the \ncompromise of consumer information.\n    And I quote the president and CEO of MITRE, who wrote the \nchairman of this committee and said, ``In the wrong hands, this \ninformation could cause irreparable harm to the basic security \nand architecture of Healthcare.gov and potentially the security \nof other CMS data networks that share attributes of this \narchitecture.'' Is that a fair concern, Mr. Baitman, Ms. Fryer?\n    Mr. Baitman. 
I believe it is a fair concern. I think that \nthose documents could, if they were made public, provide a \nroadmap to an attacker.\n    Mr. Connolly. So the very thing we are having a hearing \nabout today we could, again, unwittingly, actually be part of \nthe problem if we don't establish clear guidelines, clear \nprotocols for the securing of such information. Fair statement, \nMs. Fryer?\n    Ms. Fryer. Yes. These are sensitive documents that are \ntightly controlled.\n    Mr. Connolly. So were someone to leak them, for example, \nsomeone got them through, I don't know, a subpoena, for \nexample, and somebody decided to, as the ranking member, the \nphrase he used, cherry-pick information and leaked it to the \npress, again, not that that would ever happen here, in this \ncommittee, but if that were to happen it could actually lead to \nthe very compromise and degradation of the security systems you \nare trying to put in place, is that correct?\n    Ms. Fryer. Yes, it is.\n    Mr. Connolly. Mr. Baitman, you want to comment on that? You \ncome from the private sector. You are looking sort of at a \nlittle different air level on these issues, looking at how CMS \nand your own department are handling it. Are you comfortable \nthat we have strict protocols in place here, on this committee, \nfor example, such that your concern would be abated?\n    Mr. Baitman. I am not familiar with the protocols the \ncommittee has.\n    Mr. Connolly. Ms. Fryer?\n    Ms. Fryer. Again, I am not familiar with the protocols.\n    Mr. Connolly. You are not familiar with our protocols. So, \nMr. Charest?\n    Mr. Charest. No, sir, I am not familiar with the protocols, \nbut I am concerned.\n    Mr. Connolly. Allegedly, we have asked an outside security \nagency to look at your security measures. Are you familiar with \nthat? 
Do you know who the outside--because the Democrats, as \nfar as I know, were not informed as to who that entity was and \nwhether they have come to some kind of conclusion. Have you \nbeen made--you were here seven hours, Mr. Baitman. Anyone talk \nto you about that?\n    Mr. Baitman. I was unaware of that, actually.\n    Mr. Connolly. So were we. I thank you. My time is up.\n    Mr. Mica. [Presiding.] The gentleman from Oklahoma, Mr. \nLankford, is recognized.\n    Mr. Lankford. Thank you, Mr. Chairman.\n    Mr. Baitman, I want to follow up real quick on a statement \nthat you had made earlier that the chairman had also mentioned \nabout Ms. Fryer and Tony Trenkle had made statements or \nrecommendations to say that they were not comfortable giving \nauthority to operate based on security issues. You had said \nthat was not a red flag to you because someone else has \nresponsibility for that. Who is that other person who has \nresponsibility?\n    Mr. Baitman. Well, as I understand it, the Healthcare.gov \nproject was built across various parts of CMS, some of which \nwere not under Mr. Trenkle's leadership. They also had a CMS \nofficial who was responsible for all operational security for \nHealthcare.gov, and that person was on the ground and obviously \nmore closely focused on it. Ultimately, though, I thought it \nwas appropriate that Ms. Tavenner, as the administrator for \nCMS, be the individual who accepted risk on behalf of CMS \nbecause the project was large and being done across various \nparts of CMS.\n    Mr. Lankford. As a leader that I have staff around me as \nwell, I gather the information from multiple staff, then have \nto make the final decision. Do you know if Ms. Fryer's \nrecommendations and Tony Trenkle's statements about the \nsecurity is not ready and this is a high risk, was that given \nto Ms. Tavenner before she made her decision?\n    Mr. Baitman. I actually don't know.\n    Mr. Lankford. 
Would you assume that that would be given to \nher?\n    Mr. Baitman. I would assume she would be briefed, yes.\n    Mr. Lankford. Because it would be an issue to me to make a \ndecision and then to find out later that I have staff around me \nthat had recommended this was a bad issue, but that information \nnever landed on my desk because someone stopped it.\n    So you passed on the information, Ms. Fryer that Tony \nTrenkle had given you to other folks, and it was their \nresponsibility then to pass it on to Ms. Tavenner, or who was \ngoing to give that to her?\n    Mr. Baitman. Well, as I said, the project was run within \nCMS, so I assume that the various parts of CMS who were running \nthe project were actually briefing Ms. Tavenner.\n    Mr. Lankford. Right. But you were the one on the phone with \nthem, getting the information saying this security is not \nready, we are at a high risk. Does that stop with you or do you \nsay, okay, someone--so that does not have a duty to be able to \nreport or somebody else is going to pick that up?\n    Mr. Baitman. So during that conversation they actually told \nme that they were going to bring the decision for whether or \nnot the ATO would be signed to Ms. Tavenner.\n    Mr. Lankford. Who is the they there?\n    Mr. Baitman. Tony Trenkle, who was the CIO at the time, and \nTeresa Fryer.\n    Mr. Lankford. Okay.\n    Ms. Fryer, were you part of that responsibility of \nreporting that to Ms. Tavenner?\n    Ms. Fryer. No, I was not.\n    Mr. Lankford. Do you know how that was reported to her or \nif it was?\n    Ms. Fryer. No, I don't know that.\n    Mr. Lankford. So you don't know if Tony Trenkle passed that \non as well.\n    Ms. Fryer. No, I don't.\n    Mr. Lankford. In October of this last year Secretary \nSebelius said, in an ideal world there would have been a lot \nmore testing, but we didn't have the luxury of that, and the \nlaw said the go time was October the 1st. 
Before the committee, \nthen, CMS Chief Operating Officer Michelle Schneider was also \nasked why October 1st was chosen as a launch date; she said, \nI'm assuming it was in the law or the regulation.\n    Ms. Fryer, is it your understanding that October the 1st \nwas required by the law to be the launch date?\n    Ms. Fryer. No, I don't know that.\n    Mr. Lankford. Did anyone repeat back to you, no we have \nsecurity issues and concerns, but we have to go October the \n1st, that is the law?\n    Ms. Fryer. No, they did not.\n    Mr. Lankford. Mr. Charest, were you aware of any provision \nin the Affordable Care Act that required October the 1st as the \nlaunch date?\n    Mr. Charest. No, sir.\n    Mr. Lankford. Anyone say to you we have to keep moving \nbecause the law requires this?\n    Mr. Charest. No, sir. From my perspective, it was just a \ndate in a project plan.\n    Mr. Lankford. How about you, Mr. Baitman, did you have any \nknowledge of the statute requiring October the 1st?\n    Mr. Baitman. I don't have any knowledge. When I joined HHS, \nit was already sort of ordained that October 1st was the date.\n    Mr. Lankford. Do you know of any particular reason to say \nwe have security questions and issues, October the 1st, if that \nis not in statute, if we have issues, maybe we should stall \nthis until we deal with some of the security issues and make \nsure we are ready to go?\n    Mr. Baitman. Again, we work on a federated structure, so \nCMS had direct knowledge of what the requirements were.\n    Mr. Lankford. Is there any possibility that there may be a \nmistaken belief about the October the 1st date, that the \nsecretary states obviously in October that the law requires \nthis? Is it possible that the Administration was working on a \nmisbelief that the law required October the 1st?\n    Mr. Baitman. I can't speak for why other people had their \nopinions of that.\n    Mr. Lankford. Mr. 
Baitman, you had testified you had \nsuggested a phased rollout after some beta testing. Was that \nsuggestion taken?\n    Mr. Baitman. It was a beta launch. No, that wasn't the \napproach that was taken.\n    Mr. Lankford. Did you ever ask anyone why? I mean, \nobviously, by mid-October, in quiet moments at your house, \nsurely you had some thought it probably would have been better \nto do a phased launch of this thing. Do you have any idea why \nthat suggestion was ignored or delayed?\n    Mr. Baitman. At the meeting that you are referring to, CMS \nindicated, and CMS was in the best position to know, that they \nwere confident the system would be ready for October 1st \nlaunch.\n    Mr. Lankford. Confidence seems to be misplaced.\n    I yield back.\n    Mr. Mica. The gentlelady from Illinois, Ms. Duckworth, is \nrecognized.\n    Ms. Duckworth. Thank you, Mr. Chairman.\n    I strongly believe that when my constituents are dealing \nwith the Government, the last thing they should be concerned \nabout is that their personal data is being compromised. \nInformation security should be a top priority for any \nGovernment website, so I would like the panel to sort of bear \nwith me as we go through exactly what is in place, to make sure \nthat I have a better understanding, because we have sort of \ntalked about all different things.\n    Ms. Fryer, could you walk me through the security \nprecautions? You mentioned that there were many different \nlayers that are in place. Can you explain what those three \nlayers of protection are, and what procedures and processes are \nused?\n    Ms. Fryer. Yes. 
So there is the operational security, the \nday-to-day activities; there is code software reviews, that is \nthe operational marketplace security team that does those \nactivities; and they also have continuous monitoring, they have \na group that has continuous monitoring tools in place; and then \nthere is my group that is the oversight for CMS, and we also \nhave continuous monitoring tools in place, as well as \npenetration testers that try to go in and hack into systems and \npenetrate the systems. HHS also has tools insight into our \nsystems. So there is a layered protection of security for all \nof our CMS systems.\n    Ms. Duckworth. So basically you are saying that it is not \njust the team that reports to you, but there are other groups \nof Government employees and contractors who oversee and conduct \nday-to-day security activities, is that right?\n    Ms. Fryer. Yes. Yes, there are many business information \nsystem security owners that have the day-to-day security \nactivities, as well as my office.\n    Ms. Duckworth. Are there systems in place, for example, at \nCMS, to ensure that the code is security tested on an ongoing \nbasis, not just when it is first implemented, but on an ongoing \nbasis with secure code reviews and software assurance?\n    Ms. Fryer. Yes. Any time a change is made to a system, they \nhave to do code reviews, and there is a very strict change \nmanagement process that is followed before the change is put \ninto production.\n    Ms. Duckworth. And then I also understand that there is a \nweekly, as you said on penetration protection, weekly scanning \nand penetration testing of perimeter devices such as firewalls, \nis that correct? Is that ongoing as well?\n    Ms. Fryer. Yes. So that is above and beyond best practices. \nWe do weekly scans of all the perimeter devices and all the \nexternal web-facing servers that are related to marketplace.\n    Ms. Duckworth. 
So touching on what you are saying about the \nbest practices, are you confident that the security systems and \nprocedures that are in place are well within or not superior to \nthe best practices that are ongoing with similar types of \nsecurity that is needed for other websites?\n    Ms. Fryer. Yes, I do.\n    Ms. Duckworth. Mr. Baitman, how does that compare to \nindustry?\n    Mr. Baitman. I would say that practices in the Federal \nGovernment generally exceed industry.\n    Ms. Duckworth. Generally exceeds industry? Thank you.\n    Have all of these layers of security, Ms. Fryer, been in \nplace since the website was launched in October?\n    Ms. Fryer. Yes, it has been.\n    Ms. Duckworth. And they are still in place and ongoing?\n    Ms. Fryer. Yes.\n    Ms. Duckworth. Does CMS have a security team dedicated to \nensuring that these multiple layers of protection are \noverlapping and continue to be effective?\n    Ms. Fryer. Yes. That was part of the ATO memo. Myself, I am \non part of that team.\n    Ms. Duckworth. How often does that team meet, talk to one \nanother, review the procedures?\n    Ms. Fryer. On a weekly basis.\n    Ms. Duckworth. On a weekly basis. Thank you. Can you sort \nof talk about how these multiple layers help to protect \nconfidential consumer information and how they interact? For \nexample, I signed up for healthcare reform and, by the way, \nsaved $60. I went from $295 a month for my healthcare plan to \n$239 a month for the exact same plan, so I am pretty happy I \ngot a savings. But when I put all that information, how do I, \nas a customer, know that I am protected? I know this is a very \nbroad question, but can you sort of sketch how those different \nlayers work with each other, say with my personal information \nthat I have entered?\n    Ms. Fryer. Well, there are different layers, again, so if \nthere are attackers coming in from the inside, we have many \nprotections to detect these attacks. 
As mentioned before, there \nhas been no successful attacks, but attacks are being made all \nthe time on the website, so we have these tools in place to \ndetect anomalies, all these tools. Even if one tool doesn't \npick it up, we have this layer of protection, so we have other \nvarious tools in place to detect.\n    Ms. Duckworth. So you could, for example, if there is just \nan unanticipated pattern that emerges or certain things that \nare happening, you can actually identify, wait, something is \ngoing on here that is unusual, we need to take a closer look at \nit?\n    Ms. Fryer. Yes, we have tools that will pick up anomalies.\n    Mr. Mica. I thank the gentlelady.\n    Ms. Duckworth. Thank you.\n    Mr. Mica. I thank the witness.\n    Mr. Meadows, the gentleman from North Carolina.\n    Mr. Meadows. Thank you, Mr. Chairman.\n    I want to follow up on Ms. Duckworth's questioning there, \nif I could, Mr. Charest. This question is to you. She went \nthrough a long list of all the security that has been \nimplemented and you were very, it seemed like, caution in the \nway that you said that there was no malicious attacks. Has \nthere been inadvertent personal information that has been \nshared with someone else in this particular website?\n    Mr. Charest. Yes, sir, there has.\n    Mr. Meadows. There has. How many times has that happened, \npersonal information from someone else getting shared with an \ninappropriate person?\n    Mr. Charest. I don't know the exact count, but in the early \nstages of the launch there were a number, I think somewhere \nless than 10. But there were some that were reported both in \nthe media and to us.\n    Mr. Meadows. All right, so somewhere less than 10. Now, it \nis interesting that you wouldn't know the exact number, because \nyou are very emphatic that there had been zero malicious \nattacks, but inadvertent disclosure you can't give us an exact \nnumber.\n    Mr. Charest. 
Well, I, in fact, have the categories in front \nof me here, sir, if you would like me to give you the numbers.\n    Mr. Meadows. Just the number.\n    Mr. Charest. Okay, no problem.\n    Mr. Meadows. So how many total disclosures of personal \ninformation to other people have we had?\n    Mr. Charest. We classify these incidents by----\n    Mr. Meadows. Total numbers.\n    Mr. Charest. It would appear, from the numbers I have in \nfront of me, there are 13 category one, which is where we put \npotential PII----\n    Mr. Meadows. Thirteen. Total numbers. Total numbers, 13.\n    Mr. Charest. That is what I have here, yes, sir.\n    Mr. Meadows. So there were no others. So it wasn't less than \n10, it was more than 10.\n    Mr. Charest. Well, no, not necessarily, sir, because the 13 \nin the category don't always mean there was a disclosure. They \nalso could be exposure, but not disclosure.\n    Mr. Meadows. Exposure, but not disclosure.\n    Mr. Charest. Yes, sir.\n    Mr. Meadows. Okay. Well, we will save that for another day, \nbecause I think what the American people want is honesty and \ntransparency, and to hear you testify less than 10 and more \nthan 13. But more problematic for me is for you to lead this \ngroup to say that there was no malicious intent, and yet \nknowing full well that there has been disclosure. They just \nwant honesty and transparency.\n    Wouldn't you agree, Ms. Fryer, that that is important?\n    Ms. Fryer. Yes, sir.\n    Mr. Meadows. Okay.\n    In that, you have testified before, so in your preparation \ntoday to come before, have you met with attorneys to prep you \non your testimony?\n    Ms. Fryer. I have been briefed on what to expect.\n    Mr. Meadows. Okay. How long has that briefing taken place? \nHow much time did you spend in that prep? How many days?\n    Ms. Fryer. It was over a few days, couple hours each day.\n    Mr. Meadows. Okay, so how many hours does it take to be \nbriefed to tell the truth?\n    Ms. Fryer. 
It doesn't.\n    Mr. Meadows. Okay. So why would that have gone on? Have you \never been told, well, we would prefer that you don't answer a \nquestion that way by an attorney?\n    Ms. Fryer. No, sir.\n    Mr. Meadows. All right. Have you ever had your previous \ntestimony looked at and said, well, we wish you hadn't \nsaid that?\n    Ms. Fryer. No, sir.\n    Mr. Meadows. All right. So you believe that from an honesty \nstandpoint that you can tell the American people that their \nprivate information will not be disclosed to a third party?\n    Ms. Fryer. As a result of the recent security controls \ntesting, yes.\n    Mr. Meadows. Okay. So the recent security you are talking \nabout in December, that security testing.\n    Ms. Fryer. Yes, sir.\n    Mr. Meadows. Now, we have been led by other testimony here \nthat the website and programming and modules continues today. \nIs that correct?\n    Ms. Fryer. Yes, sir.\n    Mr. Meadows. So how do you, based on a security analysis \ndone in December, assure that the modules that are being \nwritten as we speak are secure?\n    Ms. Fryer. Because, again, there is the operational \nsecurity that the marketplace security team has in place every \ntime they do either--and it is done during the security \ndevelopment life cycle of a system and any time change is made \nto code they have all types of different security testing that \nis done on a day-to-day basis.\n    Mr. Meadows. All right. But we will have additional \nsecurity risks that have to be assessed.\n    Ms. Fryer. No, that does not mean to say there is \nadditional security risk.\n    Mr. Meadows. Okay, when is the next independent security \nassessment going to take place?\n    Ms. Fryer. We are requiring one every quarter.\n    Mr. Meadows. Okay, so we can expect one and you will submit \nthat to this committee?\n    Ms. Fryer. Yes, sir.\n    Mr. Meadows. Okay. And when will the next one happen?\n    Ms. Fryer. 
We are scheduling that right now for the books, \nwhich will happen in----\n    Mr. Mica. I thank the gentleman and the witness.\n    The gentlelady from California, distinguished gentlelady, \nMs. Speier.\n    Ms. Speier. Mr. Chairman, thank you.\n    Let me just say at the outset how delighted I am that the \ncommittee recognizes the importance of protecting the security \nof personally identifiable information in data systems and, as \nsuch, is making it a focus, because I think that one of the \nnext hearings we should have is one on the breach that took \nplace at Target with 110 million Americans who were impacted, \nand Neiman Marcus that was impacted as well, and I understand \nthere were a couple other retailers. So the potential for being \nhacked is real, it happens in Fortune 100 companies, and we \nshould do our due diligence by making sure that efforts in the \ncommercial sector are being as secure as possible.\n    Having said that, let's focus on the testing that took \nplace, the most recent testing that took place. Ms. Fryer, when \nyou were here on December 17th, that testing was ongoing at the \ntime. My understanding is that it has been completed, is that \ncorrect?\n    Ms. Fryer. Yes, ma'am.\n    Ms. Speier. And since it has been completed, can you say \nwith certainty that it was completed in a stable environment, \nthat all security controls were successfully tested and that it \nwas a full end-to-end security test?\n    Ms. Fryer. Yes, it was a full comprehensive end-to-end \nsecurity test and it was completed in one stable environment.\n    Ms. Speier. All right. Having completed that, is it your \nunderstanding as well, Dr. Charest, that it was completed under \nthose standards?\n    Mr. Charest. Yes, ma'am, Teresa related that to me.\n    Ms. Speier. So the purpose of this testing is to identify \nvulnerabilities in an IT system so that they can be remediated. \nIs that fair?\n    Ms. Fryer. Yes, ma'am.\n    Ms. Speier. 
Does the fact that the SCA testing identifies \nvulnerabilities mean the system is exceptionally risky?\n    Ms. Fryer. No. A security controls assessment is conducted \nto discover vulnerabilities so they can be mitigated.\n    Ms. Speier. So just like Target needs to do these \nassessments and determine if there are vulnerabilities, it is \nappropriate for you to do that within the ACA.\n    Ms. Fryer. Yes, ma'am.\n    Ms. Speier. Now, the December testing has been completed \nand you have seen the results of that testing. I have a \nquestion for all three of you.\n    Ms. Fryer, do you have any reason to believe that consumer \ninformation submitted in the system is not secure at this time, \nbased on the testing?\n    Ms. Fryer. No, I did not.\n    Ms. Speier. Dr. Charest?\n    Mr. Charest. No, ma'am, I do not.\n    Ms. Speier. Mr. Baitman?\n    Mr. Baitman. No, I do not.\n    Ms. Speier. So this is like giving the system a clean bill \nof health, is that correct?\n    Ms. Fryer. Yes, ma'am.\n    Ms. Speier. Knowing full well that just like Target and \nNeiman Marcus and any number of other companies that have been \nhacked into, there are persons out there, around the world, \nattempting to hack into systems. But at this point in time, \nhaving done the testing, we can say with confidence that the \nsystem is not subject to being breached, is that right?\n    Ms. Fryer. Well, there always is a chance for \nvulnerabilities, but the testing was completed successfully, it \nhad good results, so we are confident that the risks have been \nidentified and they are being mitigated.\n    Ms. Speier. Now, CMS has been running the Medicare system \nfor decades, and I guess my question is has there ever been a \nmajor data breach of that system?\n    Ms. Fryer. For the two years that I have been there, not \nthat I know of.\n    Ms. Speier. And how about the IRS data system?\n    Ms. Fryer. I can't answer that.\n    Ms. Speier. All right.\n    I have one more question. 
This committee passed a \nbipartisan measure that is referred to as FITARA, which is the \nFederal Information Technology Acquisition Reform Act. It would \ngive CIOs much more authority in terms of hiring personnel and \nbeing in control of their operation. Do you see that as \nappropriate and helpful in doing your job? Mr. Baitman?\n    Mr. Baitman. I think that we would be well advised to look \nat some of the challenges that we have not just with this \nproject, but other software projects the Federal Government has \ndone and identify solutions so that we do a better job of \nmanaging IT going forward.\n    Ms. Speier. So are you suggesting that we should amend \nFITARA and add to it? Are you familiar with FITARA?\n    Mr. Baitman. I am somewhat familiar with FITARA, but \ngetting into specifics I am not prepared to do right now.\n    Ms. Speier. Maybe you could do us a favor and review FITARA \nand make any recommendations you think would be appropriate to \naugment that bipartisan measure.\n    I yield back.\n    Chairman Issa. [Presiding.] Would the gentlelady yield?\n    Ms. Speier. I certainly will.\n    Chairman Issa. I think the gentlelady's question is a good \none, and perhaps the other witnesses could answer the question \nof do they think that budget authority and a single point of \naccountability would enhance these kinds of projects. Mr. \nBaitman commented on that yesterday, so perhaps asked that way \nyour question could get a more illustrative answer.\n    Mr. Baitman. I certainly think that you get greater \naccountability when you have one person who is clearly in \ncharge.\n    Chairman Issa. Ms. Fryer?\n    Ms. Fryer. Again, I agree with Mr. Baitman that it would \ngive greater authority if one person had budget authority, yes.\n    Mr. Charest. I also believe that to be true, and I believe \nit would increase efficiency, reduce cost, and have a number of \nother ancillary effects.\n    Chairman Issa. Thank you.\n    Thank you, Ms. 
Speier.\n    Mr. Bentivolio.\n    Mr. Bentivolio. Thank you very much, Mr. Chairman.\n    Ms. Fryer, Mr. Charest, Mr. Baitman, we are not here today \nto examine whether the Healthcare.gov website is safe to use. \nWe have already established that the Healthcare.gov website was \ncertainly not safe to use on October 1st and is likely not safe \nto use today either. While you claim the website meets, and \neven exceeds, security industry standards and claim that no \nbreach of the website has occurred, contradictory evidence is \nin abundance and is overwhelming. This evidence includes well-\ndocumented examples of security problems, some systematic, of \nextreme carelessness.\n    For example, an email disclosure vulnerability was \nidentified that would allow an attacker to enumerate email \naccounts for individuals. In another example, a user logged \nin to the Healthcare.gov website and saw information from a \ncompletely different person's profile. For another example, \nsecurity researchers discovered an open URL redirection bug, \nwhich allows users to visit the website thinking they were \ngoing to the legitimate Healthcare.gov website, but instead be \nredirected to a malicious website that would completely hack \ntheir computer. This was only fixed after it was discovered \nwhen the website was online.\n    Ms. Fryer, you recommended denying an ATO, a necessary \nAuthority to Launch Healthcare.gov, correct?\n    Ms. Fryer. Yes, sir.\n    Mr. Bentivolio. If officials had accepted your \nrecommendation, would you have been prepared to suggest an \nalternative date or would it have been an indefinite delay?\n    Ms. Fryer. Again, that wasn't my responsibility.\n    Mr. Bentivolio. Would you have recommended an alternative \ndate or would it have been an indefinite delay, yes or no?\n    Ms. Fryer. Again, that is not my responsibility. I can't \nanswer that.\n    Mr. Bentivolio. 
What would you have done had your \nrecommendation been accepted, if you had one? You are the IT \nperson. Would you recommend a delay or an alternative day?\n    Ms. Fryer. My responsibility is not to determine whether or \nnot to--when a system goes into operation, mine is, again, to \nidentify the risks and make sure that they are being mitigated.\n    Mr. Bentivolio. So you identify the risks, but you don't \nmake any recommendations?\n    Ms. Fryer. I brief the chief information officer on the \nsecurity risks, and there are many other risks that have to be \ntaken into consideration when a system is going operational.\n    Chairman Issa. Would the gentleman yield for a second?\n    Mr. Bentivolio. Yes.\n    Chairman Issa. I am not sure you were in the room, but 77 \ndays after the launch Ms. Fryer did testify that she now has \nconfidence that the end-to-end that she would have asked for \nand so on has been properly mitigated. So I think an answer to \nyour question to a certain extent is 77 days would have been \nenough because it occurred.\n    Mr. Bentivolio. Thank you. Thank you.\n    Do you know whether Ms. Tavenner was informed of your \nconcerns and your recommendations on the security risks?\n    Ms. Fryer. I am sorry, sir, I didn't hear the question.\n    Mr. Bentivolio. Do you know whether Ms. Tavenner was \ninformed of your concerns and your recommendations?\n    Ms. Fryer. I don't know that.\n    Mr. Bentivolio. To your knowledge, what IT security expert \ndid Ms. Tavenner rely on to override your concerns on the risks \nof----\n    Ms. Fryer. I can't answer that question.\n    Mr. Bentivolio. Do you know if she spoke with any IT \nsecurity experts prior to overruling your recommendations or--\n--\n    Ms. Fryer. I don't.\n    Mr. Bentivolio. You don't know.\n    Ms. Fryer. No, I don't know.\n    Mr. Bentivolio. Thank you. That is all my questions.\n    Chairman Issa. I thank the gentleman. We now go to the \ngentlelady from New Mexico, Ms. 
Grisham.\n    Ms. Lujan Grisham. Thank you, Mr. Chairman, and I want to \nthank the panel for being here. It is clear that we are all \nconcerned about securing the financial and health-related \nprivate information on the website. Whether it was this \nhealthcare website or any other application by the Federal \nGovernment, that is going to be one of our priority concerns \nfor our constituents, so I appreciate your attention and \nwillingness to engage directly in this hearing.\n    And like everyone, I think, I am happy that there haven't \nbeen any significant or malicious security breaches to date, so \nthat we are not seeing a significant problem with the security \nmeasures taken to date to protect that information for \nconsumers and users. And, I want to make sure that that is the \ngoal of this conversation, that we continue to do whatever \noversight and enhance those security tests and measures all of \nthe time, because every day those risks are greater because \npeople figure out better and more enhanced ways to get access \nto that information; and given that I am from a State that has \na particularly high uninsured population, we are going to have \na high user end result, I hope, in the marketplaces and \nexchanges. So I want to go just back to a couple things.\n    Ms. Fryer, it is my understanding that the Federal \nInformation Security Management Act defined the security \ncontrol standards for all Government information technology \nsecurity systems. Is the Healthcare.gov compliant with all the \nstandards set forth in FISMA?\n    Ms. Fryer. Yes, security testing was conducted in \naccordance with FISMA.\n    Ms. Lujan Grisham. And are CMS and HHS implementing \nadditional controls or best practices beyond what is called for \nin FISMA?\n    Ms. Fryer. Yes, ma'am. We are exceeding industry best \npractices, as well as we have HIPAA controls in place.\n    Ms. Lujan Grisham. 
And that is important to me because \nduring our last hearing on Healthcare.gov it was clear that \nthere were inherent security risks in any electronic system, so \ngetting a sense that you are going beyond that and looking at \nbest practices is critical. Can you give me a sense of what \nexactly you are doing to continually monitor and mitigate \nsecurity risks on the website, some examples?\n    Ms. Fryer. Again, we are keeping in place those additional \nabove and beyond the additional requirements of the weekly \nscanning or continuous monitoring tools, the weekly scans of \nthe external web-facing marketplace servers, and----\n    Ms. Lujan Grisham. So you are going beyond the weekly \nscans. That is what I am trying to get at. Give me a concrete \nexample of what in addition you are doing.\n    Ms. Fryer. Well, we are continuing those, those that are in \nthe mitigation plan, so we are continuing that. And then there \nis the operational day-to-day security that is in place as well \nby the other group.\n    Ms. Lujan Grisham. I appreciate that, and I would also \nencourage you to lead in best practices and do everything in \nyour power to go back and describe that. It is certainly my \nopinion, and I would guess the opinion of many more, that you \nwould do everything and enhance your mitigation plan to the \nhighest degree and lead that for the Country, given the \nimportance and the value of the information on the website. \nThank you.\n    Ms. Fryer. Yes, ma'am.\n    Chairman Issa. Thank you.\n    There was no question pending, was there? Okay.\n    I want to inform everyone that there is a vote on the \nfloor. We are going to stay as long as we can. Mr. Baitman will \nnot be here, if, and, or when we reconvene. You have a hard \nstop at 12 and we are clearly not going to be back in time for \nthat. So we are going to go as quickly as we can.\n    Mr. Jordan.\n    Mr. Jordan. Thank you, Mr. Chairman.\n    Ms. 
Fryer, the memo you wrote, but didn't send, dated \nSeptember 24th, 2013, you testified earlier that the reason you \ndidn't send it was because there were subsequent events that \nhappened that caused you not to think that it was necessary to \nsend, is that correct?\n    Ms. Fryer. Yes, sir.\n    Mr. Jordan. Why didn't you send it, though, the day you \nwrote it? If things happened after the fact that tell you, oh, \nI don't need to send it, on September 24th, when you wrote \nthis, you believed everything you wrote, correct?\n    Ms. Fryer. Yes. Yes. That was being prepared as a memo. \nUsually an ATO package would go up to the chief information \nofficer, and that is a draft.\n    Mr. Jordan. All I am asking is on September 24th, the date \non the memo, when you wrote there is no confidence that \npersonal identifiable information will be protected, that is a \npretty big statement. Why didn't you send it that day?\n    Ms. Fryer. Because this was just trying to capture what was \nalready briefed on September----\n    Mr. Jordan. Something that important--again, you said it \nwas events that happened the next week that caused me not to \nsend it. But on that day you believed everything you wrote \nhere. These are big statements. Why not send it? Did someone \ntalk to you and tell you, hey, Teresa, don't send that memo?\n    Ms. Fryer. No, sir. A decision had been made to elevate to \nMarilyn Tavenner.\n    Mr. Jordan. That doesn't change the fact that you were \ngoing to send this to Mr. Trenkle, directly above you in the \nchain of command. I just wonder why you didn't send it. If I \nwrite all this stuff down, important stuff, and also based on \ntestimony we had at a previous hearing, you were the only one \nwho read the MITRE report prior to this memo. I would assume \nthat had a big impact on why you wrote the things you did. All \nI am wondering is why you didn't send it. 
If I have this \ninformation, I know this thing is not ready, I do this memo, \nhard-hitting memo that says this thing isn't even close to \nbeing secure, no end-to-end testing is done, and then I don't \nsend it.\n    Ms. Fryer. Because it was part of the ATO package that was \nnot going up to Mr. Trenkle.\n    Mr. Jordan. All right, let me change here a little bit. You \nwere interviewed a month ago by the committee, and the young \nlady behind you, Ms. O'Connor, accompanied you in that \ninterview, is that correct?\n    Ms. Fryer. Yes, sir.\n    Mr. Jordan. And, Mr. Charest, you were interviewed last \nweek and Ms. O'Connor also accompanied you in that interview?\n    Mr. Charest. Yes, sir, that is correct.\n    Mr. Jordan. And, Mr. Baitman, you were interviewed two days \nago and Ms. O'Connor also accompanied you to that interview, is \nthat correct?\n    Mr. Baitman. That is correct.\n    Mr. Jordan. In the interviews we learned, Mr. Charest, you \nsaid that there was a meeting on, I believe, September 10th, \nwhere all the key leadership folks from Ms. Tavenner, Mr. Corr, \nCMS and HHS were there, and after the meeting--you weren't at \nthat meeting, Mr. Charest, but Mr. Baitman was. After that \nmeeting, Mr. Baitman, you had a conversation, and here is the \ntranscript. You said, after the meeting he recommended a \ndelayed rollout. Your answer was, that's my recollection, yes. \nA delayed rollout of Healthcare.gov? Your answer, that's my \nrecollection.\n    Now, two days ago, when we talked to Mr. Baitman, which I \nwasn't in your interview, but I was in Mr. Baitman's interview, \nMr. Baitman said that was not accurate. Do you stand by the \nstatement you made to the committee staff one week ago?\n    Mr. Charest. Yes, I do.\n    Mr. Jordan. Okay, Mr. Baitman, he said that you said to \nhim, in a conversation after that meeting, you recommended not \nrolling it out. Is that accurate?\n    Mr. Baitman. That is accurate. 
I am sorry, could you \nrephrase that? I am sorry.\n    Mr. Jordan. You recommended not rolling out Healthcare.gov \non October 1st.\n    Mr. Baitman. No, that is not.\n    Mr. Jordan. So which one of you told the truth? Which one \nis lying and which one is telling the truth? Mr. Charest said \nyou had a conversation--now, you have worked with Mr. Charest \nfor a while, Mr. Baitman?\n    Mr. Baitman. I have.\n    Mr. Jordan. Do you have a good working relationship?\n    Mr. Baitman. We have a great working relationship.\n    Mr. Jordan. Mr. Charest, is that accurate? You have worked \nwith Mr. Baitman obviously a while. Do you have a good working \nrelationship?\n    Mr. Charest. Yes, I do.\n    Mr. Jordan. Do you normally understand, when he \ncommunicates to you, what he is saying?\n    Mr. Charest. Yes, I do, sir, but I----\n    Mr. Jordan. So your recollection was he recommended, that \nMr. Baitman recommended not rolling out Healthcare.gov. He is \nsaying that is not what happened at all in that conversation.\n    Mr. Charest. With all due respect, sir, that is not exactly \nwhat I--my testimony, I was asked that question several times \nto sort of clarify what I meant by delayed rollout, and what I \nhope I made clear, and I would like to make clear here to you, \nsir, is that I didn't know exactly what he meant. This \nconversation took place, it was probably less than two minutes, \nliterally, and it was four months ago, and I didn't ask him the \ndetails. To me, as an IT professional over 30 years, a delayed \nrollout could have been a phased rollout, which is actually \nwhat I was thinking it meant, but I didn't ask and he didn't \noffer. I don't know what he meant and that is my recollection, \nthough.\n    Mr. Jordan. But the point is there was no delayed rollout.\n    Mr. Charest. Not to my knowledge.\n    Mr. Jordan. You understand that was what he wanted to do?\n    Mr. Charest. I understand that he made a recommendation----\n    Mr. Jordan. 
You agreed with that, Ms. Fryer agreed with \nthat, and it wasn't done.\n    Mr. Charest. No, it wasn't done.\n    Mr. Jordan. Okay. Prior to coming today, did the three of \nyou sit down with Ms. O'Connor and talk about what was going to \ntake place at today's hearing, and discuss what kind of answers \nyou might give, what kind of questions you might receive?\n    Mr. Charest. Yes, sir, I did.\n    Mr. Jordan. Ms. Fryer?\n    Ms. Fryer. Yes.\n    Mr. Jordan. Mr. Baitman?\n    Mr. Baitman. Yes, I did.\n    Mr. Jordan. Oh, so you worked it out after you had this \ndisagreement. One said that you said delay, then you said there \nwasn't. You sat down and talked this out?\n    Mr. Baitman. No, that isn't what happened.\n    Mr. Jordan. Okay.\n    Mr. Chairman, I see I am over time. I yield back.\n    Chairman Issa. I thank the gentleman.\n    We now go to the gentleman from Pennsylvania, Mr. \nCartwright.\n    Mr. Cartwright. Thank you, Mr. Chairman.\n    I want to start off by giving Mr. Charest and Mr. Baitman a \nchance to more fully respond. My colleague just basically said \none of the two of you was not telling the truth, and I want to \ngive you each a chance to fully talk about that.\n    Mr. Baitman. So let me begin. As I said earlier, at the \nSeptember 10th meeting there was a discussion topic about a \nbeta rollout. It was simply a discussion topic. I, after the \nmeeting, mentioned it to Kevin Charest. That meeting was four \nmonths ago. I talk to Mr. Charest 10 times a day about various \nthings in an operational capacity. This wasn't a high priority \ntopic and I am sure that the words could have changed over \ntime.\n    Mr. Cartwright. I thank you for that.\n    Mr. Charest?\n    Mr. Charest. Yes, sir. Basically, I don't believe that what \nI said is inconsistent with what I understand Mr. Baitman has \nbeen saying, which was an alternative rollout schedule. 
There \nare many different terms used in IT, and I may have just \nprocessed it that way, but fundamentally we are saying the same \nthing.\n    Mr. Cartwright. And my understanding is, just to be clear, \nMr. Baitman's recommendation had nothing to do with security, \nis that correct, gentlemen?\n    Mr. Baitman. It simply had to do with my observation from \nseeing how other companies have rolled out large, complex \nsystems to the public.\n    Mr. Cartwright. All right.\n    Now, Ms. Fryer, I didn't mean to leave you out. You are the \nchief information security officer at CMS. In that capacity you \nraised concerns in September about the status of security \ntesting for the website, is that right?\n    Ms. Fryer. Yes, sir.\n    Mr. Cartwright. And during your interview with committee \nstaff, you explained that in your role as chief information \nsecurity officer your job is to make recommendations to your \nboss, the chief information officer. At the time that was Tony \nTrenkle, right?\n    Ms. Fryer. Yes, sir.\n    Mr. Cartwright. You explained to the committee staff that \nyour role was not to make the final decision on whether to go \nforward, am I correct in that?\n    Ms. Fryer. Yes, that is correct.\n    Mr. Cartwright. The chief information officer, Mr. Trenkle, \nwas a career executive with decades of experience, is that \ntrue?\n    Ms. Fryer. Yes, sir.\n    Mr. Cartwright. Did you have respect for Mr. Trenkle? Did \nyou value his experience and his expertise?\n    Ms. Fryer. Yes, I did.\n    Mr. Cartwright. You told us during your interview that \nduring the two years in your position Mr. Trenkle often \naccepted your recommendations, but there were other instances \nwhen he did not, and those were unrelated to the Healthcare.gov \nwebsite. Am I correct in that?\n    Ms. Fryer. Yes, sir.\n    Mr. Cartwright. Now, in this case, Mr. 
Trenkle decided to \nrecommend to Administrator Tavenner that she go forward with \nthe Authority to Operate, but that was only after strong \nmitigation strategies were added to the ATO in order to \nmitigate against the risks you identified. Sitting here today, \ndo you believe that you provided Mr. Trenkle with the \ninformation necessary to enable him to make an informed \ndecision about moving forward?\n    Ms. Fryer. Yes. I provided him the risks that were \ndiscovered during testing from a security perspective. And as \nthe chief information officer, he takes that in and there are \nmany other teams that provide other risks, there are business \nrisks, mission risks, and all that is taken into consideration \nwhen a decision is made to put a system into operation.\n    Mr. Cartwright. You said during your interview that Mr. \nTrenkle, in his capacity as chief information officer, had a \nbroader perspective on various risks for the federally \nfacilitated marketplace. So when he was making his evaluation, \nyou were one of several sources from which he was receiving \ninformation, is that true?\n    Ms. Fryer. Yes, that is right.\n    Mr. Cartwright. Okay. Ultimately, Administrator Tavenner \nsigned the Authority to Operate based on her recommendation \nfrom her chief information officer, Mr. Trenkle. So in your \nview of the appropriate roles and authorities of various CMS \nofficials, do you believe Mr. Trenkle's actions complied with \nFISMA?\n    Ms. Fryer. Again, he was the one responsible for whether or \nnot a system goes into operation. I can't answer or speculate \nas to what path he took, but, you know.\n    Mr. Cartwright. Well, thank you. My time is up and I thank \nall of you for coming today.\n    Chairman Issa. Thank you.\n    Now we go to Mr. Woodall. Mr. Woodall, we are very close on \ntime, so be as pithy as possible.\n    Mr. Woodall. Thank you, Mr. Chairman, as we enter hour \nthree. My questions are primarily for Ms. Fryer and Dr. 
\nCharest. I want to thank you both for your military service, as \nwell as your service.\n    I understand you, Dr. Charest, have spent some time in the \ngreat State of Georgia over the years. We welcome you back. Any \ntime you want to come back, bring your big brain and your \npocketbook down there to spend with us.\n    Mr. Charest. Thank you, sir.\n    Mr. Woodall. I want to talk about a meeting that took place \nback on September 23rd. I don't believe either of you all was \nthere. It was a meeting with Michelle Schneider and George \nLinares and Tony Trenkle. You prepared a slide for that \npresentation identifying some of the high risks that you had \nfound, Ms. Fryer, and I want to put a slide up on the wall. I \nwant to ask you to help me understand this. This is about \nAuthority to Connect agreements.\n    And what I want to look at is, from my reading of this \nslide, and I want you all to help me with it, it says 17 States \ndid not have Authority to Connect agreements here on September \n23rd, and the recommendation was to go ahead and allow these \nStates to have day one operation authority notwithstanding the \nrisks that are listed below; and those risks listed below \ninclude things like, in most cases, one or more reviews of \nsecurity documentation have not been completed. In other words, \nno review of security documentation has been completed. And \neven more troubling, the third risk, CMS is accepting risk on \nbehalf of its Federal partners, the IRS, DHS, and SSA, which \ncould have legal implications in the event of a data breach.\n    Am I reading this slide correctly, to say that in many \ncases no review of security had taken place, but it was the \ndecision of CMS to assume the risk to allow these 17 States to \nconnect on day one? Ms. Fryer?\n    Ms. Fryer. I can't speak to this slide; I did not have \ninput into this slide. 
But I do know that CMS did establish a \nbaseline of secure requirements that the States had to meet in \norder to be granted an Authority to Connect by the chief \ninformation officer.\n    Mr. Woodall. There was such an authority in place, but what \nthis slide says is in most cases not even one review had been \ncompleted, and we are willing to waive that responsibility and \nassume that risk for a period of 90 days. At least that is how \nI am reading this slide. But you are saying, as chief \ninformation security officer, you weren't involved in that \ndecision-making at all?\n    Ms. Fryer. No. Again, this was the marketplace security \nteam that was involved in the State-based security \nrequirements.\n    Mr. Woodall. Dr. Charest, is that something that you have \nseen before? There is not one colleague out of 434 that has the \nauthority to accept risk on my behalf and on behalf of my \nconstituents. This seems incredibly unusual, CMS is accepting \nrisk on behalf of the IRS and the Department of Homeland \nSecurity. Is this something that you have seen before? We have \ntalked about best practices a lot while we have been here. This \nseems alarming to me. Am I misreading what I am seeing on this \nslide?\n    Mr. Charest. Well, sir, what I can tell you is I have not \nseen this other than it was shown to me during my transcribed \ninterview, but basically this is a PowerPoint presentation, so \nwhen I look at that, I am assuming, and I would have to assume \nit, that some discussion between CMS and those entities it is \nindicating it is accepting risk for took place.\n    Mr. Woodall. Again, we have talked a lot about best \npractices today. 
Is it best practices to, again, while formal \ntesting has not been completed, while no site visits have \noccurred, and while, in most cases, not even one review of \nsecurity documentation has been completed and weaknesses are \nnot known, is it best practices to allow folks to connect to \nCMS, HHS, IRS, and DHS, or was this an extraordinary exception; \nand if we go back and review another 10 years of documentation \nwe are likely not to see anything else like this again? Can \nyou? Because you are the experts.\n    Mr. Charest. I have not seen it before, sir.\n    Mr. Woodall. Ms. Fryer?\n    Ms. Fryer. And, again, it is best practices, and I know CMS \nhad baseline secure requirements in place for the State. Again, \nI can't speak to, you know----\n    Mr. Woodall. Now, Mr. Baitman, had you been in this \nmeeting, instead of Mr. Trenkle, at the time, would this have \nraised red flags for you?\n    Mr. Baitman. Yes. I didn't have the background on this, so \nI wouldn't be able to answer that. I can say that all decisions \ninvolve some degree of risk, and there probably were \ndiscussions, as Mr. Charest said, that mitigated that risk.\n    Mr. Woodall. I wish we had time to talk about whether \nOctober 1 really was a legal deadline or whether it was just a \npolitically desirable deadline, and whether we needed to assume \nthose risks on behalf of the American people. But as you said \nearlier, Mr. Baitman, we are going to do more of these rollouts \nin the future, and whatever we can learn from this one will no \ndoubt make us better next time around. Thank you all for being \nhere.\n    Mr. Chaffetz. [Presiding.] I thank the gentleman. I now \nrecognize myself for five minutes as we wrap up.\n    Mr. 
Baitman, is it accurate that you didn't make a \nrecommendation of a limited launch of Healthcare.gov until \nafter you were aware of significant problems with the \ndevelopment of Healthcare.gov and after you heard of concerns \nwith security testing?\n    Mr. Baitman. I made the recommendation--it wasn't a \nrecommendation, it was a discussion topic, on September 10th, \nand I hadn't been directly involved. We have a federated \nstructure, so I wasn't directly informed of any specific issues \nother than----\n    Mr. Chaffetz. Let me keep going. Mr. Baitman, do you, or \nanybody, ever recall a time when an ATO was elevated to an \nadministrator of an agency because both the chief information \nsecurity officer and the chief information officer refused to \nsign the ATO?\n    Mr. Baitman. I am not aware of any.\n    Mr. Chaffetz. Ms. Fryer?\n    Ms. Fryer. No, sir.\n    Mr. Chaffetz. Mr. Charest?\n    Mr. Charest. I am not aware either.\n    Mr. Chaffetz. Do any of you ever recall reviewing an ATO \nthat did not list a single specific security that was \nidentified by the security control assessment? Anybody ever \nrecall that?\n    Mr. Charest. I am sorry, sir, I am not sure I understand \nthe question.\n    Mr. Chaffetz. Security risk, I should say. Do any of you \never recall reviewing an ATO that listed the main risk for \nproceeding as a lack of complete security testing? Ms. Fryer?\n    Ms. Fryer. We do have systems that have indicated that the \nsecurity testing, there were issues raised during security \ntesting and it is a risk. Normally, it is----\n    Mr. Chaffetz. Any others that were launched without doing \nthe security risk assessment?\n    Ms. Fryer. No, sir.\n    Mr. Chaffetz. Let me ask you when it was launched, Ms. \nFryer, what percentage of the data transfer to the local \nservers was done over a secure socket layer?\n    Ms. Fryer. 
I can't answer that question; I was not involved \nin the operational day-to-day security and the details of that.\n    Mr. Chaffetz. But you are the chief security officer, are \nyou not? What percentage today of the data transfer is done \nover a secure socket layer?\n    Ms. Fryer. Again, that is the operational. I am not \ninvolved in the development and implementation of the----\n    Mr. Chaffetz. But you are in charge of the review of it, \ncorrect?\n    Ms. Fryer. I am in charge of the review of the findings \nduring the security control assessment, the independent \nsecurity control assessments that are conducted, yes.\n    Mr. Chaffetz. Are any of you aware what percentage of the \ndata, when it goes from the computer to the server, is done \nover a secure socket layer? None of you know the answer to that \nquestion? How much of this data that is transferred is \nencrypted?\n    Ms. Fryer. The data is encrypted. It is a requirement to be \nencrypted.\n    Mr. Chaffetz. What percentage of the data is encrypted?\n    Ms. Fryer. It is encrypted.\n    Mr. Chaffetz. What percentage of it?\n    Ms. Fryer. It would be 100 percent of the data.\n    Mr. Chaffetz. But you just said you don't know what \npercentage is done over an SSL.\n    Ms. Fryer. You are asking what percentage during testing.\n    Mr. Chaffetz. No. I want to know of the actual live site, \nwhen somebody in Missouri signs up and they are sending data \ninformation, is it all done over an SSL?\n    Ms. Fryer. They don't send the information over--it depends \non if it is a State-based marketplace or they access----\n    Mr. Chaffetz. If you are using Healthcare.gov, is that \ninformation encrypted or not?\n    Ms. Fryer. Yes.\n    Mr. Chaffetz. What percentage of it?\n    Ms. Fryer. It is encrypted, it is 100 percent.\n    Mr. Chaffetz. Was it on day one?\n    Ms. Fryer. Yes. That was the requirement to be in place.\n    Mr. Chaffetz. 
But you don't know what percentage was done \nover a secure socket layer, which is somewhat similar to saying \nis it encrypted or not, and you said you didn't know.\n    Ms. Fryer. Again, I don't know the technology; I am not \ninvolved in the operational day-to-day security. I have almost \n200 FISMA systems in CMS. That is why we have information----\n    Mr. Chaffetz. So when I have questions about JavaScript \nand how you encrypt some of that, you wouldn't know the answer \nto that.\n    Ms. Fryer. I know the technical, I don't know of every \nsystem in CMS. I don't know the technical----\n    Mr. Chaffetz. We are talking about Healthcare.gov. It is \nprobably the most visible--who does know the answer to that \nquestion?\n    Ms. Fryer. The information systems security officer is the \ngroup for the day-to-day development and implementation of \nsecured requirements for Healthcare.gov.\n    Mr. Chaffetz. It scares the living daylights out of me that \nnone of the three of you know the definitive answer about SSLs. \nIf anybody else cares to offer anything, we have a vote on the \nfloor. I am about to close this hearing. Does anybody else have \nsomething to offer regarding that point? Listen, we need this \nstuff to be encrypted, 100 percent of it, 100 percent of the \ntime.\n    I thank you all for your participation today. This hearing \nis adjourned.\n    [Whereupon, at 11:49 a.m., the committee was adjourned.]\n\n\n\n                                APPENDIX\n\n                              ----------                              \n\n\n               Material Submitted for the Hearing Record\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n</pre></body></html>\n"