b"<html>\n<title> - CYBER SIDE-EFFECTS: HOW SECURE IS THE PERSONAL INFORMATION ENTERED INTO THE FLAWED HEALTHCARE.GOV?</title>\n<body><pre>[House Hearing, 113 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\nCYBER SIDE-EFFECTS: HOW SECURE IS THE PERSONAL INFORMATION ENTERED INTO \n                       THE FLAWED HEALTHCARE.GOV?\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                     COMMITTEE ON HOMELAND SECURITY\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED THIRTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                           NOVEMBER 13, 2013\n\n                               __________\n\n                           Serial No. 113-41\n\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n\n\n\n\n\n\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n      Available via the World Wide Web: http://www.gpo.gov/fdsys/\n\n                               __________\n\n\n                   U.S. GOVERNMENT PRINTING OFFICE\n\n87-371 PDF                WASHINGTON : 2014\n______________________________________________________________________\nFor sale by the Superintendent of Documents, U.S. Government Printing\nOffice Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800;\nDC area (202) 512-1800 Fax: (202) 512-2250  Mail: Stop SSOP, \nWashington, DC 20402-0001\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n                   Michael T. McCaul, Texas, Chairman\nLamar Smith, Texas                   Bennie G. Thompson, Mississippi\nPeter T. King, New York              Loretta Sanchez, California\nMike Rogers, Alabama                 Sheila Jackson Lee, Texas\nPaul C. 
Broun, Georgia               Yvette D. Clarke, New York\nCandice S. Miller, Michigan, Vice    Brian Higgins, New York\n    Chair                            Cedric L. Richmond, Louisiana\nPatrick Meehan, Pennsylvania         William R. Keating, Massachusetts\nJeff Duncan, South Carolina          Ron Barber, Arizona\nTom Marino, Pennsylvania             Dondald M. Payne, Jr., New Jersey\nJason Chaffetz, Utah                 Beto O'Rourke, Texas\nSteven M. Palazzo, Mississippi       Tulsi Gabbard, Hawaii\nLou Barletta, Pennsylvania           Filemon Vela, Texas\nChris Stewart, Utah                  Steven A. Horsford, Nevada\nRichard Hudson, North Carolina       Eric Swalwell, California\nSteve Daines, Montana\nSusan W. Brooks, Indiana\nScott Perry, Pennsylvania\nMark Sanford, South Carolina\n                       Greg Hill, Chief of Staff\n          Michael Geffroy, Deputy Chief of Staff/Chief Counsel\n                    Michael S. Twinchek, Chief Clerk\n                I. Lanier Avant, Minority Staff Director\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n                               STATEMENTS\n\nThe Honorable Michael T. McCaul, a Representative in Congress \n  From the State of Texas, and Chairman, Committee on Homeland \n  Security.......................................................     1\nThe Honorable Bennie G. Thompson, a Representative in Congress \n  From the State of Mississippi, and Ranking Member, Committee on \n  Homeland Security:\n  Oral Statement.................................................     4\n  Prepared Statement.............................................     5\nThe Honorable Sheila Jackson Lee, a Representative in Congress \n  From the State of Texas:\n  Prepared Statement.............................................     
7\n\n                               WITNESSES\n                                Panel I\n\nMs. Roberta ``Bobby'' Stempfley, Acting Assistant Secretary, \n  Office of Cybersecurity and Communications, U.S. Department of \n  Homeland Security:\n  Oral Statement.................................................    11\n  Prepared Statement.............................................    13\nMs. Soraya Correa, Associate Director, Enterprise Services \n  Directorate, U.S. Citizenship and Immigration Services, U.S. \n  Department of Homeland Security:\n  Oral Statement.................................................    15\n  Prepared Statement.............................................    17\n\n                                Panel II\n\nMr. Luke Chung, President, FMS, Inc.:\n  Oral Statement.................................................    60\n  Prepared Statement.............................................    61\nMr. Waylon W. Krush, Chief Executive Officer, Lunarline, Inc.:\n  Oral Statement.................................................    73\n  Prepared Statement.............................................    75\n\n                             FOR THE RECORD\n\nThe Honorable Jeff Duncan, a Representative in Congress From the \n  State of South Carolina:\n  Memo...........................................................    27\n  Article, ``Midlands Man Has Personal Information Compromised on \n    healthcare.gov''.............................................    38\n\n \nCYBER SIDE-EFFECTS: HOW SECURE IS THE PERSONAL INFORMATION ENTERED INTO \n                       THE FLAWED HEALTHCARE.GOV?\n\n                              ----------                              \n\n\n                      Wednesday, November 13, 2013\n\n             U.S. 
House of Representatives,\n                    Committee on Homeland Security,\n                                                    Washington, DC.\n    The committee met, pursuant to call, at 10:11 a.m., in Room \n311, Cannon House Office Building, Hon. Michael T. McCaul \n[Chairman of the committee] presiding.\n    Present: Representatives McCaul, Miller, Meehan, Duncan, \nBarletta, Stewart, Hudson, Daines, Brooks, Perry, Sanford, \nThompson, Sanchez, Jackson Lee, Clarke, Richmond, Barber, \nPayne, O'Rourke, and Horsford.\n    Chairman McCaul. The Committee on Homeland Security will \ncome to order. The committee is meeting today to examine the \nsecurity of HealthCare.gov and the protection of private \ninformation of the American people. I now recognize myself for \nan opening statement.\n    This hearing is part of our on-going oversight of the roll-\nout of the Patient Protection and Affordable Care Act, also \nknown as Obamacare. Today's hearing follows two subcommittee \nhearings held by my good friend, Chairman Pat Meehan on the \nsecurity of the data hub and health care exchanges. I would \nnote that in those two hearings the Centers for Medicare and \nMedicaid Services, or CMS, repeatedly assured this committee \nthat the systems would be both functional and secure. Those \nassurances ring hollow in light of the disastrous roll-out of \nHealthCare.gov.\n    We are concerned that the security of the system is as \nflawed as its functionality. The Department of Homeland \nSecurity has two roles in the implementation of Obamacare. The \nfirst is to verify the immigration status of applicants. We \nlook forward to hearing more about how the system works from \nMs. Correa of USCIS, who is with us here today. The second role \nDHS plays in Obamacare is overseeing the security of Federal \ncivilian networks. 
We will have some slides up to demonstrate \nthat.\n    [The information follows:]\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n    Chairman McCaul. According to the Department's website, DHS \nis responsible for overseeing the protection of the dot.gov \ndomain. That being the case, I think it would surprise many \nAmericans to know that DHS had effectively no input into the \nsecurity of HealthCare.gov, despite it being, arguably, the \nmost significant Federal Government website ever created. To be \nclear, DHS has not participated in any meaningful way in \ndeveloping, monitoring, or ensuring the security of \nHealthCare.gov, the health exchanges, or the Federal Data \nServices Hub. The only contact between DHS and CMS consisted of \ntwo e-mails and one phone call.\n    Departments and agencies are responsible for setting up \ntheir own cybersecurity systems. But because of statutory \nlimitations, DHS can only recommend policies and offer \nassistance on a voluntary basis. In this case, CMS never asked \nDHS for advice, technical assistance, or even a threat \nbriefing. It is with this limited oversight that the same \npeople at CMS who told us the system would work are telling us \nnow that it is secure. The reason this concerns me is that if \ncustomers are able to log on to HealthCare.gov they are \nrequired to enter vast amounts of personal identifiable \ninformation about themselves and their family members.\n    This information includes their name, addresses, date of \nbirth, Social Security number, citizenship, immigration status, \nemployer information, veteran status, household income, \nrequests for a religious exemption, current health status such \nas whether or not the applicant is pregnant or has a \ndisability, among other things. 
While the administration and \nsome of my colleagues across the aisle point out that the Data \nServices Hub does not store this information, it is important \nto note that the State exchanges and the Federal exchange \nservicing 34 States store and keep that information for up to \n10 years.\n    All this information is a tempting target for hackers, \nidentity thieves, and other malicious actors. We already have \nreported cases of hacks, fraudulent websites, and documented \nsecurity vulnerabilities in the system. We are also concerned \nthat the so-called ``navigators,'' charged with helping people \nenroll in Obamacare are not subjected to background checks. \nThis will undoubtedly result in cases of fraud and identity \ntheft, most of which we won't even know about for months.\n    In fact, just yesterday we received reports of navigators \nin my home State of Texas encouraging applicants to lie in \norder to get information--or to get higher insurance subsidies. \nEven if a system worked properly, the centralization of so much \npersonal data would create security concerns. But in this case, \nHealthCare.gov is so flawed these concerns are even greater. \nMr. Luke Chung will testify to shed some light on the technical \nproblems with HealthCare.gov and how those affect security, and \nI look forward to his testimony.\n    Moving forward, we believe it is vital for the Federal \nGovernment to use every asset it has, including DHS, to secure \nits networks and ensure the security of Americans' most \nsensitive personal data. As such, DHS needs to have not just \nthe responsibility but, more importantly, the tools and \nauthorities it needs to secure the dot.gov domain. Our \ncommittee is currently working on legislation to address this \nby codifying the DHS cyber mission. 
We look forward to working \nwith the Ranking Member and other Members of the committee as \nwe move that bill through the legislative process.\n    With that, the Chairman now recognizes the Ranking Member, \nthe gentleman from Mississippi, Mr. Thompson, for any statement \nhe may have.\n    Mr. Thompson. Thank you very much, Mr. Chairman. Thank you \nfor holding today's hearing. I also want to thank the witnesses \nfor also appearing today.\n    Understand that this hearing will discuss the Department of \nHomeland Security's role in the Affordable Care Act. The role \nplayed by DHS is two-fold. First, the Department is responsible \nfor verifying that anyone who applies for benefits under the \nACA is a citizen or legal resident. This function required by \nthe ACA is very similar to the information required under E-\nVerify. The Department performs this function thousands of \ntimes each day, and transmits the information to any Government \nagency or employer that needs it.\n    I am sure we all remember the beginning of the E-Verify \nprogram. Just a few years ago, my friends on the other side of \nthe aisle sought to expand E-Verify. At that time, many critics \nbelieved E-Verify was a deeply-flawed program that relied on \ninaccurate Government databases and added unnecessary costs to \nbusinesses. We called attention to flaws in the computer \nsystems and databases that E-Verify relied upon. The \ndeficiencies in those systems were fixed.\n    Today, E-Verify has become an ordinary part of the \nverification process used by businesses and governments to \nassure that people are eligible to work in the United States. I \ndo not recall efforts to repeal E-Verify because of its faults. \nThe ``save'' system used in the ACA functions is much the same \nway as E-Verify. It seems that my colleagues have expressed \nconcerns about the other role DHS plays in the implementation \nof ACA. 
Those concerns have been examined at two subcommittee \nhearings in this committee.\n    Based on those hearings, we know that DHS did not have any \nrole in the planning or implementing the HealthCare.gov \nwebsite. Some of my colleagues have indicated that DHS should \nassure the safety and security of the personal information \nplaced on HealthCare.gov. While this is an interesting \nproposition, there is no law requiring that DHS play such a \nrole. DHS has few responsibilities in the cyber area. First, \nDHS is responsible for observing, reporting, and acting upon \nthreats to the Federal computer network system.\n    Second, DHS is responsible for assuring that all fellow \nagencies are in compliance with FISMA, the Federal law that \nestablishes benchmarks and standards for computer system \nsecurity within the Federal Government. In sum, DHS is \nresponsible for assuring that HHS followed the correct \nprotocols in establishing the system. DHS would be ready to \nrespond if the system were hacked. But DHS does not have an on-\ngoing role with the security of the HealthCare.gov system.\n    If my colleagues believed DHS oversight would be beneficial \nin assuring the privacy and security of the information \ncontained in the HealthCare.gov system, I would suggest that we \nexplore that option. But I am not aware of any law that \nsuggests that the role for DHS, and I do not believe that \nconsideration of such a role is a purpose of today's hearing. \nIt seems that the purpose of today's hearing is to raise \nconcern about the protection of the privacy and security of \npersonal information.\n    Several committees in the House of Representatives have had \nhearings on this same topic. Although it is my understanding \nthat DHS has a very small role in assuring the privacy and \nsecurity of a website established by another agency, I look \nforward to hearing from the witnesses called here today. \nFinally, Mr. 
Chairman, I do not think that the discussion today \ncan ignore the fact that this website was put together using \nover 50 contractors.\n    As we know from the committee's recent mark-up of a bill on \nthe Cybersecurity Workforce, the Federal Government is woefully \ndeficient in hiring and retaining cyber professionals. The \noversight conducted by this committee over several years has \nfound one IT system after another that has failed to perform or \nfailed to be completed after millions of dollars have been \nspent. The list of computer failures is as long, and stretches \nthrough a few administrations.\n    The list include SBInet, Emerge, Ramp, and several other IT \nsolutions that did not have names and did not work, but did \ncost a great deal of money. I am not here to point the finger \nat DHS. I am certain that DHS is not the only Federal entity \nthat has been plagued by the failure of computer contracts to \ndeliver as promised. So, Mr. Chairman, while I look forward to \nthe discussion today I hope that at some point we can light a \ncandle instead of continuing to curse the darkness.\n    Those of us in Congress need to come to grips with the \nnotion that computers are not going away, and we must take \nproactive steps to assure that some office or agency is the \nrepository of cyber expertise and knowledge. That agency must \nbe able to advise other agencies on everything from drafting a \nsolicitation for a computer system to oversight of the \ninstallation of the system. It must be the Federal IT help desk \nand information library. We need to think about new approaches \nthat will save money and work for the American people.\n    Or we can keep doing what we have been doing: Spending \nmoney, making mistakes, wondering what went wrong, and trying \nto figure out who to blame. Mr. Chairman, the people deserve a \nGovernment that stays open, works together, solves problems, \nand spends money wisely. 
I think this is the perfect time to \nshow that we are that Government.\n    With that, I yield back.\n    [The statement of Ranking Member Thompson follows:]\n             Statement of Ranking Member Bennie G. Thompson\n                           November 13, 2013\n    I understand that this hearing will discuss the Department of \nHomeland Security's role in the Affordable Care Act. The role played by \nDHS is two-fold. First, the Department is responsible for verifying \nthat anyone who applies for benefits under the ACA is a citizen or \nlegal resident. This function, required by the ACA, is very similar to \nthe information required under E-Verify. The Department performs this \nfunction thousands of times each day and transmits the information to \nany Government agency or employer that needs it.\n    I am sure we all remember the beginning of the E-Verify program. \nJust a few years ago, my friends on the other side of the aisle sought \nto expand E-Verify. At that time, many critics believed E-Verify was a \ndeeply-flawed program that relied on inaccurate Government databases \nand added unnecessary costs to businesses. We called attention to flaws \nin the computer systems and databases that E-Verify relied upon. The \ndeficiencies in those systems were fixed.\n    Today, E-Verify has become an ordinary part of the verification \nprocess used by businesses and governments to assure that people are \neligible to work in the United States. I do not recall efforts to \nrepeal E-Verify because of its faults.\n    The SAVE system, used in the ACA, functions in much the same way as \nE-Verify. It seems that my colleagues have expressed concerns about the \nother role DHS plays in the implementation of the ACA. Those concerns \nhave been examined at two subcommittee hearings in this committee. 
\nBased on those hearings, we know that DHS did not have any role in the \nplanning or implementing the HealthCare.gov website.\n    Some of my colleagues have indicated that DHS should assure the \nsafety and security of the personal information placed on \nHealthCare.gov. While this is an interesting proposition, there is no \nlaw requiring that DHS play such a role. DHS has a few responsibilities \nin the cyber area. First, DHS is responsible for observing, reporting, \nand acting upon threats to the Federal computer network system.\n    Second, DHS is responsible for assuring that all Federal agencies \nare in compliance with FISMA--the Federal law that establishes \nbenchmarks and standards for computer system security within the \nFederal Government. In sum, DHS is responsible for assuring that HHS \nfollowed the correct protocols in establishing the system and DHS would \nbe ready to respond if the system were hacked.\n    But DHS does not have an on-going role with the security of the \nHealthCare.gov system.\n    If my colleagues believe DHS oversight would be beneficial in \nassuring the privacy and security of the information contained in the \nHealthCare.gov system, I would suggest that we explore that option.\n    But I am not aware of any law that suggests that role for DHS, and \nI do not believe the consideration of such a role is the purpose of \ntoday's hearing. It seems that the purpose of today's hearing is to \nraise concerns about the protection of the privacy and security of \npersonal information. Several committees in the House of \nRepresentatives have had hearings on this same topic.\n    Although it is my understanding that DHS has a very small role in \nassuring the privacy and security of a website established by another \nagency, I look forward to hearing from the witnesses called here today.\n    Finally, Mr. 
Chairman, I do not think that the discussion today can \nignore the fact that this website was put together using over 50 \ncontractors. As we know from this committee's recent mark-up of a bill \non the cybersecurity workforce, the Federal Government is woefully \ndeficient in hiring and retaining cyber professionals. The oversight \nconducted by this committee over several years has found one IT system \nafter another that has failed to perform or failed to be completed \nafter millions of dollars have been spent.\n    The list of computer failures is long and stretches through a few \nadministrations. The list includes--SBI, Emerge, RAMP--and several \nother IT solutions that did not have names, did not work, but did cost \na great deal of money. I am not here to point a finger at DHS. I am \ncertain that DHS is not the only Federal entity that has been plagued \nby the failure of computer contracts to deliver what was promised.\n    So Mr. Chairman, while I look forward to the discussion today, I \nhope that at some point we can light a candle instead of continuing to \ncurse the darkness. Those of us in Congress need to come to grips with \nthe notion that computers are not going away and we must take proactive \nsteps to assure that some office or agency is the repository of cyber \nexpertise and knowledge.\n    That agency must be able to advise other agencies on everything \nfrom drafting a solicitation for a computer system to oversight of the \ninstallation of the system. It must be the Federal IT help desk and \ninformation library.\n    We need to think about a new approach that will save money and work \nfor the American people. Or we can keep doing what we have been doing--\nspending money, making mistakes, wondering what went wrong, and trying \nto figure out who to blame. Mr. Chairman, the people deserve a \nGovernment that stays open, works together, solves problems, and spends \nmoney wisely. 
I think this is the perfect time to show that we are that \nGovernment.\n\n    Chairman McCaul. I thank the Ranking Member. I also want to \nthank the Ranking Member for his cooperation in holding this \nimportant hearing, as well. Other Members of the committee are \nreminded that opening statements may be submitted for the \nrecord.\n    [The statement of Hon. Jackson Lee follows:]\n                  Statement of Hon. Sheila Jackson Lee\n                           November 13, 2013\n    Chairman McCaul, and Ranking Member Thompson, I thank you for this \nopportunity to take testimony on cybersecurity as it relates to Federal \nhealth insurance exchange.\n    I welcome today's witnesses:\n  <bullet> Ms. Roberta Stempfley, acting assistant secretary, Office of \n        Cybersecurity and Communications, U.S. Department of Homeland \n        Security;\n  <bullet> Ms. Soraya Correa, associate director, Enterprise Services \n        Directorate, U.S. Citizenship and Immigration Services, U.S. \n        Department of Homeland Security;\n  <bullet> Mr. Luke Chung, president, FMS, Inc. and\n  <bullet> Mr. 
Waylon Krush, chief executive officer, Lunarline, Inc.\n    I thank the witnesses for their contribution to committee's \nunderstanding regarding the nature of cybersecurity as it relates to \npersonal information.\n    Today, the House Committee on Homeland Security is holding a \nhearing to learn about privacy threats regarding the security of \npersonal information provided by visitors to the Federal Health \nExchange Marketplace HealthCare.gov.\n    As a senior member of the House Judiciary Committee, privacy \nprotection has been a prominent concern in the protection of women's \nrights, voting rights, and labor rights.\n    Today a number of voting rights are under threat because of abusive \nrequirements that undermine privacy rights of voters by requiring that \nthey produce documents proving citizenship, identity, and residency \nregardless of whether they have an established history of voting or are \nfirst-time voters.\n    Privacy is central to the health and strength of many other rights \nthat we enjoy. Specifically, the First, Fourth, and Fifth Amendments to \nthe Constitution rests on a foundation of privacy protection that allow \nus to speak as we wish, associate with other, and hold our own beliefs \nfree of fear or threats.\n    So the topic of today's hearing is of great concern to me. There \ncannot be privacy without security, although we can have security \nwithout privacy. The digital information age requires that Federal \nagencies must have cybersecurity for any system that collects, retains, \nor uses personal information.\n    Privacy protection and cybersecurity are linked in the work I have \ndone on the topic of privacy. The ability to control who, when, why, \nand how someone else can gain access to personal information requires \nsecurity. 
For this reason attention to this issue is central to my \nstrong support for the Federal Health Insurance Market Place found at \nHealthCare.gov.\n    In May 2006, the Department of Veterans Affairs had a real privacy \nmedical information data breach when a contract worker took home \nmedical information for 26.5 million people.\n    We are not here today to talk about a data breach of the affordable \ncare website, because they are not storing medical information nor are \nthey storing the information registered on forms. I know this for a \nfact and not for dramatic effect--I went in search of the facts \nregarding the website and what problems it was experiencing. I found \nthat there was not a problem with security of the website. There was a \nproblem with capacity and usability of the website and these issues \nbecame more complex after launch because the site could not be down \nmore than a few hours each day.\n    There would be real problems if the Obamacare web registration site \ncollected sensitive personal information on people registering for \nhealth care, but it does not collect sensitive personal information.\n    Sensitive personal information is the type found in taxpayer \nhistories collected over the life time of a person by the IRS. A \nconversation with a doctor in the examination room is an exchange of \nhighly sensitive personal information. There are no records other than \nthe doctor's notes and that information is not sent to the Federal \nGovernment to be stored and maintained for the entire life of a person \nnor should it be. Most Americans who have take the time to visit the \nsite and look at the information requested know that there is no highly \nsensitive or sensitive information collected for registering for health \ninsurance.\n    The real irony of today's hearing is why the registration process \nfor health insurance seeks any personal information. 
If my friends on \nthe other side of the aisle had not been so over concerned about the \nverification of income or proof of citizenship then the need to collect \na social security number, date of birth, income, place of employment \ncould have been eliminated. The whole process would have worked like \nevery other thing you get a tax exemption for annually. A tax break for \nmortgage or student loan interest only requires a letter being sent to \nyou for tax records to be sent to tax preparers and in the event of a \nthe rear request for proof of deduction qualification.\n    I hope that my colleagues on my right will take note that when they \ninsist that a voter must prove citizenship and residency it requires \nthe provision of more personal information which should concern them as \nmuch as what is being done at their behest to those seeking health \ninsurance.\n    When I look at the level of concern you would think that they have \nheld 45 votes to do away with the Affordable Care Act and not one vote \nto make changes that would address issues that would make it easier to \nget health insurance. 
In fact, we are scheduled to have the 46th vote \nlater this week--no help from the Majority just another effort to peck \naway at the law that they could not end by any other means.\n    I would offer that if there was no political effort to make \nsomething out of the website roll-out there would be an effort to focus \nnegative attention on the toll-free number and if there was nothing \nnegative to say about that aspect of the new law then they would find \nfault with the application assistance centers.\n    We are in the midst of a search for a problem that will justify all \nof the political and financial effort put into stopping a law that the \npublic needs and as people register and share their experience will \nturn all of this into familiar ground.\n    The years following the passage of Medicare Part D were rough, \nbecause of problems that were fixed with the passage of Obamacare.\n    There is little if any threat to privacy by cyber threats because \nof the data practices implemented by the Department of Health and Human \nServices.\n    This system is not storing highly sensitive or even sensitive \npersonal information and the personal information it is collecting is \nnot stored. What is being collected is personal information of the type \nfound on a credit application to purchase any product e.g. date of \nbirth, place of work, social security number, income level, and marital \nstatus. The information is checked as required by my colleagues on the \nother side of the aisle and is then discarded.\n    First, the most important rule for cybersecurity is following the \nexample of the professionals who work in this fast-paced area: Truth \ncomes before beauty. 
The truth is that there is no computer system that \nis 100% secure from hostile cyber attacks, natural disasters, \nstructural failures, or human errors.\n    Second, the internet is a rough neighborhood--the best we can do is \nto design the best systems possible, provide the resources necessary to \nfollow through on good designs, and ignore the politics of the moment. \nThe most dangerous threats to cybersecurity care very little about \nanyone's political party. They may care very much about your nation of \norigin.\n    Third, cybersecurity is not about the 14-year-old with a laptop, \nbut the botnet attack from a coordinated effort that brings to the \ndiscussion significant threats to networks. There is no evidence that \nnothing occurred that would suggest that the website experienced \nanything of this nature.\n    I understand that the interest of many Members in this hearing \nregarding the health information exchanges may focus on the name of the \nsystem, but it is important to note that regardless of the Federal \nsystem it is the personal information collected, stored, or used that \nshould be our focus.\n    Digital records management was of such grave concern to Members of \nCongress following investigations into the disclosures that then-\nPresident Nixon had used his high office to seek out means to cause \nharm to careers, reputations, and political enemies that the Church \nCommittee conducted extensive hearings on the abuse of power that had \noccurred.\n    Due to the revelations of the Church Committee a series of laws \nwere passed by Congress to protect the privacy of Americans and a \nnumber of reviews looked specifically at Federal Government use of \ncomputers to manage the personal information of citizens.\n    In 1973, a report ``Records, Computers, and the Rights of \nCitizens'' was produced by the former Federal Department of Health \nEducation and Welfare (HEW), which today exists as two agencies--one of \nwhich is the Department 
of Health and Human Services (HHS).\n    This fact is significant for the topic of today's hearing because \nHealth and Human Services is chiefly responsible for why the United \nStates became the first nation in the world to draft a Federal privacy \nstatute. The agency's role in drafting the world's first Code of Fair \nInformation practice for automated personal data systems places them at \nthe forefront of identifying the important role that computing would \nplay in meeting the needs of a fast-growing Nation, while also \nrecognizing the potential for technology's threat to privacy.\n    The Code of Fair Information Practices adopted by HEW is based on \nfive principles:\n  <bullet> There must be no personal data record-keeping systems whose \n        very existence is secret.\n  <bullet> There must be a way for a person to find out what \n        information about the person is in a record and how it is used.\n  <bullet> There must be a way for a person to prevent information \n        about the person that was obtained for one purpose from being \n        used or made available for other purposes without the person's \n        consent.\n  <bullet> There must be a way for a person to correct or amend a \n        record of identifiable information about the person.\n  <bullet> Any organization creating, maintaining, using, or \n        disseminating records of identifiable personal data must assure \n        the reliability of the data for their intended use and must \n        take precautions to prevent misuses of the data.\n    This ground-breaking work informs and guides our hearing today and \nI want to acknowledge the hard work of the Federal employees at the \nDepartment of Health and Human Services who were given little in the \nway of support or encouragement by the majority of the House in \naccomplishing a task that was monumental and historic.\n    Privacy is defined by law. 
The definition of privacy can be \ncaptured under five categories: Physical intrusion, e.g. entering into \npersonal space without permission like someone's home; information \nintrusion, e.g. accessing documents or information without permission; \nproprietary intrusion, e.g. using someone's image or name for \nadvertising purposes; associational intrusion, e.g. NAACP v. Alabama \nwhere Alabama sought the State NAACP membership list; and \ndecisional intrusions, e.g. someone interfering with a woman's personal \nmedical decision making or deciding who can and cannot be married.\n    The issue of cybersecurity and the Federal and State health \ninsurance exchanges is important and for this reason it is important \nto provide the American public with accurate and reliable information.\n    The most important information regarding the Federal health \ninsurance exchange is that it does not violate any of the Code of Fair \nInformation Principles that is central to privacy. There is no secret \ndatabase; actually there is no database at all. There is a data \ncollection requirement to meet the demands of the House Majority that \nno person who is not a citizen could gain insurance through the \nexchange and the second condition that anyone receiving assistance be \nproven to qualify for that assistance prior to it being provided.\n    To be honest, if the Majority had not been so insistent on these \ntwo conditions the number of questions on the registration form could \nhave been greatly reduced. The form used for registration does not \ncollect sensitive personal information--it collects personal \ninformation. 
Sensitive personal information would be of the type found \non individual taxes, which are by law held in secret by the IRS, no \nmatter what someone may say publicly about their taxes and the \nagency--true or not true the agency can never disclose the tax records \nof taxpayers.\n    So when we speak of the types and degrees of personal information \nit is important to know that personal information, sensitive personal \ninformation, and highly sensitive personal information are degrees that \nshould be recognized. The health exchanges were only intended and the \nFederal exchange designed to collect personal information of the nature \nrequired by Congress to meet the obligations under the law.\n    Highly-sensitive personal information would be the type exchanged \nbetween a doctor and patient none of which would ever be in this \nsystem. This is not to say that cybersecurity is not an issue, any time \npersonal information on citizens is collected by the Federal Government \nit is an issue that Congress should address by making sure that only \nwhat is needed is collected and only retained as long as necessary for \na specific purpose.\n    HHS only collected what was necessary, used it for the purpose of \nthe collection, and promptly discarded that data so no database or \nsystem of records was created. This is the most privacy-centric system \nthis committee may have the pleasure of discussing in a cybersecurity-\nfocused hearing. The data practices should be adopted by other agencies \nthat may collect too much, keep more than they need, and use \ninformation far outside the scope of the original collection.\n    The Federal Health Exchange data is only used to do a ``handshake'' \nwith data in other networks that can authenticate or verify the \naccuracy of the information provided. This is done in such a way that \nno data is exchanged with the agency providing the input that the \ninformation is accurate. 
In computing a checksum a mathematical \nequation is applied to data which produces an answer that will match \nthe same information found in another system. This is just one way of \nchecking information without knowing what the data is and this is the \nschool of thought that informed HHS in developing this system.\n    The Centers for Medicare and Medicaid Management found within HHS \ncould provide a more detailed reply on the topic of data security in \nthe Federal health information exchange. I ask that the Chairman and \nRanking Members both write to the committee of jurisdiction and seek \ninformation so they may better inform our committee on the details \nregarding security and the Federal Exchange.\n    I appreciate the human factors and usability issues with the \nwebsite, which are being addressed as we meet today. I would suggest \nthat with the new-found interest of the Majority in the customer and \nuser experience that they would focus on redirecting the funding that \nhas been appropriated that would have gone to the States that opted out \nof the Medicaid expansion be redirected to the Federal.\n    I am particularly interested in hearing the testimony of the \nwitnesses before the committee who have background and training to \nspeak on the topic of cybersecurity.\n    Federal cybersecurity is guided by the Federal Information Security \nManagement Act (FISMA). 
The National Institute of Standards and \nTechnology develops the guidance on FISMA and the Office of Management \nand Budget provides oversight to assure agencies are meeting the \nobjectives.\n    Our Nation must continue to improve in the area of cybersecurity \nand the best approach is to build it with the best knowledge we have and \nprovide continuous monitoring.\n    President Reagan said it best following the Challenger disaster--\nthe shuttle program is one of the Nation's most significant engineering \nmarvels--that after 25 years of space flight, the Nation had grown so \nused to it that we forgot how recently the Nation had begun to explore \nspace through human missions. He said that the future does not belong \nto the fainthearted; it belongs to the brave.\n    He said something that is very important that I will always \nremember: ``We don't keep secrets and cover things up. We do it all up \nfront and in public. That's the way freedom is, and we wouldn't change \nit for a minute.''\n    This was a very public event, but we will get through it and for \nthe rough start we will learn more than we would have without it and be \nthe better for it.\n    The first U.S. space station slid out of orbit and broke apart upon \nreentry into the atmosphere. It failed, but its failure meant that the \nnext time we built a space station it was a better space station.\n    The Swine Flu vaccine miscalculation during the Ford \nadministration, which led to the vaccination of thousands of elderly \npeople for a flu that did not arrive meant that more people died from \nthe vaccine than Swine Flu that year.\n    The lack of enough Flu vaccine during the George W. Bush \nadministration meant that while nations around the globe had sufficient \nvaccine for that flu season, we had not ordered enough to meet our \nNation's needs.\n    Like anything in life, there will be rough starts, mistakes, and \noutright deceptions about the facts. 
Our strength is in not giving in \nto the naysayers or negative message peddlers. This may not be in the \nplaybook, but if we lose our edge for taking on the hardest challenges \nbecause they are too hard then we have lost something that is truly \nuniquely American.\n    I am looking forward to today's discussion and hearing from our \nwitnesses. Thank you.\n\n    Chairman McCaul. We are pleased to have two panels of \ndistinguished witnesses with us today to discuss this important \ntopic. I will introduce the first panel. Ms. Roberta Stempfley \nis the acting assistant secretary of the Office of \nCybersecurity and Communications at the Department of Homeland \nSecurity. In this role, she plays a leading role developing the \nstrategic direction for CS&C and its five divisions. She \npreviously served as the deputy assistant secretary to CS&C and \nas director of the National Cybersecurity Division. We thank \nyou for being here today.\n    Next we have Ms. Correa. She is the associate director of \nthe Enterprise Services Directorate at U.S. Citizenship and \nImmigration Services. She has over 30 years of experience in \nprocurement, Federal assistance, and program management. Before \nserving in her current role she was deputy associate director \nfor the management directorate, and was responsible for \ndelivering key management and infrastructure structure services \nto support the USCIS mission. We thank you for being here, as \nwell.\n    I would like to point out, though, that at this time \nneither of our witnesses submitted written testimony to the \ncommittee before their appearance today, apparently due to \ntheir inability to get testimony cleared by the White House. \nThe administration had nearly 2 weeks to provide this \ntestimony, and has been in the habit of providing their \ntestimony after the deadline. 
Frankly, I expect better, and \nlook forward to receiving testimony on a timely basis as we \nmove forward in this committee.\n    I ask that the witnesses provide their full written \nstatement as soon as it is available so it will appear in the \nrecord. My understanding is that Ms. Stempfley has an oral \nstatement she would like to give, so the Chairman now \nrecognizes her for 5 minutes.\n\n  STATEMENT OF ROBERTA ``BOBBY'' STEMPFLEY, ACTING ASSISTANT \n  SECRETARY, OFFICE OF CYBERSECURITY AND COMMUNICATIONS, U.S. \n                DEPARTMENT OF HOMELAND SECURITY\n\n    Ms. Stempfley. Thank you, sir. I truly appreciate the \nopportunity to provide this opening statement, oral statement. \nChairman McCaul, Ranking Member Thompson, and Members of the \ncommittee, I appreciate the opportunity to discuss the \nDepartment of Homeland Security's efforts to improve \ncybersecurity posture and capabilities of civilian Federal \nagencies.\n    DHS is the lead for securing and defining Federal civilian \nunclassified information technology systems and networks \nagainst cyber intrusions or disruptions and enhancing \ncybersecurity among critical infrastructure partners. To this \nend, DHS ensures maximum coordination and partnership with \nFederal and private stakeholders, while keeping a steady focus \non safeguarding the public's privacy, confidentiality, civil \nrights, and civil liberties.\n    Within DHS's National Protection and Programs Directorate, \nthe Office of Cybersecurity and Communications focuses on \nmanaging risk to the communications and information technology \ninfrastructures and the sectors that depend on them, as well as \nenabling timely response and recovery to incidents affecting \ncritical infrastructure including Government systems. 
\nAdditionally, DHS is in the process of setting up critical \nprograms Federal-wide in order to be able to detect and respond \nto incidents and vulnerabilities, and consolidate traffic, \nreducing the surface area of possible threat vectors.\n    With the committee and Congress' support in passing FISMA \nauthorities, DHS and the dot.gov can help to ensure our \ncivilian infrastructure is secured while, at the same time, \nreducing cost and increasing efficiency with which we are able \nto work with our agency partners.\n    CS&C executes its mission by supporting 24/7 information \nsharing, analysis, and incident response, as well as \nfacilitating interoperable emergency communications, advancing \ntechnology solutions for private- and public-sector partners, \nproviding tools and capabilities to ensure the security of \nFederal civilian Executive branch networks, and engaging in \nstrategic-level coordination for the Department with private-\nsector organizations on cybersecurity and communications \nissues.\n    While DHS leads this National effort under the Federal \nInformation Security Management Act regulations, agency heads \nare responsible for providing information security protections \ncommensurate with the risk and magnitude of harm resulting from \nunauthorized access, use, disclosure, disruption, modification, \nor destruction of information or information systems within \ntheir agencies or operated on behalf of their agency by a \ncontracted entity.\n    Agency heads are provided the flexibility and authority to \ndelegate those responsibilities to the agency chief investment \nofficer in order to ensure compliance with requirements \noutlined in FISMA and the associated memoranda and directives. 
\nThese authorities are inclusive of programs to assess, inform, \nand report on agency status and capabilities relative to FISMA \nguidance.\n    While each Federal department and agency retains primary \nresponsibility for securing and defining its own networks and \ncritical information infrastructure, DHS leads efforts in \nplanning and implementing strategic management of information \nsecurity practices across the Federal enterprise.\n    The Department provides assistance by collecting and \nreporting information regarding cyber posture and risks, \ndisseminating cyber alert and warning information to promote \nprotection against cyber threats and the resolution of \nvulnerabilities, coordinating with partners and customers to \nattain shared cyber situational awareness, and providing \nresponse and recovery support to agencies upon their request. \nTraditionally, due to current authorities, DHS must be asked by \nFederal departments and agencies to provide this direct support \nof independent department and agency responsibilities.\n    Constantly evolving and sophisticated cyber threats \nchallenge the cybersecurity of the Nation's critical \ninfrastructure and its civilian government system. DHS' \nresponsibility in the breadth of cybersecurity activities and \nour statutory authorities have not kept up with the rapidly-\nevolving changes in the cyber environment. While DHS works \ndiligently with our partner agencies and organizations to \nprovide for a secure cyber environment, this often hinders the \nDepartment's ability to execute this mission.\n    The administration has requested legislation to clarify \nauthority, to deploy capabilities such as EINSTEIN across the \nFederal civilian networks, and to provide operational \nassistance under OMB's oversight of Federal information \ntechnology network security efforts under FISMA, among other \nthings.\n    We thank this committee for this focus on these important \nareas. 
DHS is committed to reducing increasingly sophisticated \nand damaging risks to Federal departments and agencies and \ncritical infrastructure.\n    We continue to leverage our partnerships inside and outside \nGovernment to enhance security and resilience of our Federal \nnetworks while incorporating the privacy and civil liberty \nsafeguards into all aspects of what we do at the Department.\n    Thank you, sir.\n    [The prepared statement of Ms. Stempfley follows:]\n           Prepared Statement of Roberta ``Bobby'' Stempfley\n                           November 13, 2013\n                              introduction\nOverview of the Mission\n    Chairman McCaul, Ranking Member Thompson, and Members of the \ncommittee, I appreciate the opportunity to discuss the Department of \nHomeland Security's (DHS's) efforts to improve the cybersecurity \nposture and capabilities of civilian Federal agencies. Government \ncomputer networks and systems contain information on National security, \nlaw enforcement, and other sensitive data. It is paramount that the \nGovernment protects all information from theft and protects networks \nand systems from attacks while continually providing essential services \nto the public.\n    DHS is the lead for securing and defending Federal civilian \nunclassified information technology systems and networks against cyber \nintrusions or disruptions and enhancing cybersecurity among critical \ninfrastructure partners. To this end, DHS ensures maximum coordination \nand partnership with Federal and private-sector stakeholders while \nkeeping a steady focus on safeguarding the public's privacy, \nconfidentiality, civil rights, and civil liberties. 
Within DHS's \nNational Protection and Programs Directorate (NPPD), the Office of \nCybersecurity and Communications (CS&C) focuses on managing risk to the \ncommunications and information technology infrastructures and the \nsectors that depend upon them, as well as enabling timely response and \nrecovery to incidents affecting critical infrastructure, including \nGovernment systems.\n    CS&C executes its mission by supporting 24/7 information sharing, \nanalysis, and incident response as well as facilitating interoperable \nemergency communications and advancing technology solutions for \nprivate- and public-sector partners. We also provide tools and \ncapabilities to ensure the security of Federal civilian Executive \nbranch networks and engage in strategic-level coordination for the \nDepartment with private-sector organizations on cybersecurity and \ncommunications issues.\nRoles and Responsibilities\n    While DHS leads the National effort to secure Federal civilian \nnetworks, agency heads are responsible for providing information \nsecurity protections commensurate with the risk and magnitude of the \nharm resulting from unauthorized access, use, disclosure, disruption, \nmodification, or destruction of information and information systems \nwithin their agency or operated on behalf of their agency by a \ncontracted entity in accordance with Federal Information Security \nManagement Act (FISMA) regulations. Agency heads are provided the \nflexibility and authority to delegate those responsibilities to the \nagency's Chief Information Officer (CIO) in order to ensure compliance \nwith the requirements outlined within FISMA and the associated \nmemoranda and directives. 
These authorities are inclusive of programs \nto assess, inform, and report on the agencies' status and capabilities \nrelative to FISMA guidance.\n    Although each Federal department and agency retains primary \nresponsibility for securing and defending its own networks and critical \ninformation infrastructure, DHS leads efforts in planning and \nimplementing strategic management of information security practices \nacross the Federal departments and agencies. The Department provides \nassistance to departments and agencies by collecting and reporting \nagency information regarding cybersecurity posture and risks, \ndisseminating cyber alert and warning information to promote protection \nagainst cyber threats and the resolution of vulnerabilities, \ncoordinating with partners and customers to attain shared cyber \nsituational awareness, and providing response and recovery support to \nagencies upon their request. Pursuant to current authorities, DHS must \nbe asked by the Federal departments and agencies to provide the \naforementioned direct support. The Department focuses its support to \nFederal networks through the following activities:\n  <bullet> FISMA.--The Office of Management and Budget (OMB) has \n        delegated operational responsibilities for Federal civilian \n        cybersecurity to DHS, which established the Department as the \n        lead in promoting and reporting on the cybersecurity posture of \n        Federal civilian Executive branch networks. FISMA requires \n        program officials, and the head of each agency, to mitigate \n        cybersecurity risks based upon its particular requirements. 
The \n        Department monitors and reports agency status in ensuring the \n        effective implementation of this guidance.\n  <bullet> Continuous Diagnostics and Mitigation (CDM).--The CDM \n        program focuses FISMA security metrics on those having a direct \n        impact on Federal civilian departments' and agencies' \n        cybersecurity. By empowering Federal civilian agency CIOs and \n        Chief Information Security Officers (CISO) with situational \n        awareness into their risk posture and with on-going insight \n        into the effectiveness of security controls, CDM will provide \n        these partners with resources necessary to identify and fix the \n        worst cybersecurity problems first. While this program is in \n        its early stages, we are working in conjunction with Congress \n        to clarify authorities and make CDM fully operational with \n        increased proactive protection of the websites in the .gov \n        domain.\n  <bullet> National Cybersecurity Protection System.--Operationally \n        known as EINSTEIN, this program protects Federal civilian \n        Executive branch networks by providing improved situational \n        awareness of cyber threats as well as identification and \n        prevention of malicious cyber activity. While the Department of \n        Health and Human Services (HHS) recently signed a Memorandum of \n        Agreement (MOA) for all EINSTEIN services, HHS is only covered \n        at this point by EINSTEIN 1. EINSTEIN 1 facilitates \n        identification and response to cyber threats and attacks which \n        further enables improvements to network cybersecurity. 
DHS \n        continues to engage HHS on deployment of other cybersecurity \n        measures based on discussions regarding statutory prohibitions \n        on certain disclosures.\nDHS Services\n    DHS offers additional capabilities and services to assist Federal \nagencies and stakeholders based upon their cybersecurity status and \nrequirements. The Department engages agency CIOs and CISOs through a \nvariety of mechanisms including information-sharing forums as well as \ndirectly through the National Cybersecurity and Communications \nIntegration Center (NCCIC) \\1\\ in response to a specific problem/issue \nor identified threat. These include:\n\n    \\1\\ The NCCIC, a 24/7 cyber situational awareness, incident \nresponse, and management center, is a National nexus of cyber and \ncommunications integration for the Federal Government, intelligence \ncommunity, and law enforcement.\n---------------------------------------------------------------------------\n  <bullet> Assessing security posture and recommending improvements.--\n        Upon agency request, DHS conducts Risk and Vulnerability \n        Assessments to identify potential risks in specific operational \n        networks, systems, or applications and recommends mitigations.\n  <bullet> Providing technical assistance.--DHS may provide direct \n        technical assistance to agencies. For example, by assessing \n        agency compliance and progress in aggregating agencies' network \n        traffic into Trusted Internet Connections, DHS limits access \n        and protects the perimeter of agency networks.\n  <bullet> Incident response.--During or following a cybersecurity \n        incident, DHS may provide response capabilities that can aid in \n        mitigation and recovery. Through the NCCIC, DHS further \n        disseminates information on potential or active cybersecurity \n        threats and vulnerabilities analysis to public- and private-\n        sector partners. 
When requested by an affected agency, DHS \n        provides incident response through the United States Computer \n        Emergency Readiness Team or the Industrial Control Systems-\n        Cyber Emergency Response Team.\nDHS Interactions With HHS\n    DHS works to inform, educate, and increase the cybersecurity \ncapacity of all civilian Federal departments and agencies and has \ninteracted with HHS in the same manner as with all other Federal \nentities by making available its portfolio of capabilities and \nservices. Although still in the acquisition process, DHS and HHS have \nentered into an MOA for the CDM program while working diligently on the \nimplementation of additional EINSTEIN capabilities. MOAs are a common \nstep taken by DHS as we work to support the cybersecurity needs of our \nFederal partners, and this MOA is only the latest out of many that have \nbeen previously agreed to.\n    On August 28, 2013 the Deputy Chief Security Officer of HHS's \nCenter for Medicare and Medicaid Services (CMS) initiated a discussion \nwith DHS regarding services that DHS might be able to provide in \nrelation to Affordable Care Act (ACA) systems. Consistent with DHS \npractice, and similar to actions taken to support a number of other \nagencies, the Department entered into a general conversation with CMS \nto refine the request and determine what might be appropriate to meet \nits needs. Based upon the outcomes of that conversation, further \ndiscussions were held and, to date, as DHS does for all Federal \npartners, DHS has provided descriptions of specific capabilities and \nservices to CMS for its consideration. 
CS&C has not yet received a \nspecific request from CMS relative to the ACA systems, and has not \nprovided technical assistance to CMS relative to ACA Systems.\n                               conclusion\n    Constantly evolving and sophisticated cyber threats challenge the \ncybersecurity of the Nation's critical infrastructure and its civilian \ngovernment systems. DHS is responsible for a large breadth of \ncybersecurity activities, yet lacks explicit statutory authority to \nperform these duties. While DHS works diligently with our partner \nagencies and organizations to provide for a secure cyber environment, \nthis often hinders the Department's ability to fulfill its mission. The \nadministration has requested legislation to clarify its authority to \ndeploy EINSTEIN across Federal civilian networks and to provide \noperational assistance to OMB's oversight of Federal information \ntechnology network security efforts under FISMA, among other things.\n    Despite this statutory ambiguity, DHS is committed to reducing \nrisks to Federal departments and agencies and critical infrastructure. \nWe will continue to leverage our partnerships inside and outside of \nGovernment to enhance the security and resilience of our Federal \nnetworks while incorporating privacy and civil liberties safeguards \ninto all aspects of what we do. Thank you again for the opportunity to \nprovide this information and I look forward to your questions.\n\n    Chairman McCaul. Thank you for your testimony.\n    The Chairman now recognizes Ms. Correa for 5 minutes for an \nopening statement.\n\n  STATEMENT OF SORAYA CORREA, ASSOCIATE DIRECTOR, ENTERPRISE \n    SERVICES DIRECTORATE, U.S. CITIZENSHIP AND IMMIGRATION \n         SERVICES, U.S. DEPARTMENT OF HOMELAND SECURITY\n\n    Ms. Correa. Good morning. 
Chairman McCaul, Ranking Member \nThompson, and Members of the committee, I appreciate the \nopportunity to discuss our shared goals of supporting \nGovernment agencies to ensure that only authorized applicants \nreceive public benefits. As the associate director for the \nEnterprise Services Directorate of the U.S. Citizenship and \nImmigration Services, I am responsible for overseeing the \nagency's verification programs. The Patient Protection and \nAffordable Care Act of 2010, or the ACA, limits eligibility to \nenroll in a qualified health plan to citizens, nationals, or \nthose otherwise lawfully present in the United States.\n    The law directs the Department of Health and Human Services \nto check applicant eligibility against the Department of \nHomeland Security data if the applicant does not attest that he \nor she is a U.S. citizen or if the Social Security \nAdministration cannot verify the applicant's claim of U.S. \ncitizenship. The Systematic Alien Verification for Entitlements \nProgram, or SAVE, responds to queries it receives through the \nhub, a system established by the Centers for Medicare and \nMedicaid services to help process ACA applications.\n    SAVE provides the HHS hub with immigration status \ninformation and information on naturalized and derived citizens \non behalf of DHS. SAVE is a service that helps Federal, State, \nand local benefit-issuing agencies, institutions, and licensing \nagencies to determine the immigration status of benefit \napplicants so that only those applicants entitled to benefits \nreceive them. SAVE does not determine whether applicants are \neligible for a specific benefit or license. The benefit-\ngranting agency makes that determination.\n    SAVE uses an on-line system that checks a benefit \napplicant's immigration status information against over 100 \nmillion Federal records. Agencies that do not have access to an \nautomated system may submit a paper verification request form. 
\nSAVE is available in all 50 States. It has been providing \nimmigration status information to public benefit-granting \nagencies for over 25 years. SAVE has more than 1,060 customer \nagencies, including the Social Security Administration and most \nStates' departments of motor vehicles.\n    In fiscal year 2013, the SAVE program received over 14 \nmillion queries in our system. Before accessing SAVE, user \nagencies must sign an agreement with USCIS that details the \nterms and conditions of their use of SAVE. The SAVE \nverification process requires up to three steps: Initial \nverification, additional verification, and third-step verification. \nFor initial verification, a user agency submits a status \nverification request and the system provides the applicant's \nimmigration status information. If SAVE is not able to verify \nan individual's immigration status on initial verification, the \nbenefit-granting agency is prompted to submit the query to the \nadditional verification step.\n    When initiating additional verification, a user agency may \nalso submit additional information to USCIS using the SAVE \nsystem. Because this additional verification requires a manual \nreview of available databases the SAVE response time ranges \nfrom 3 to 5 Federal working days. If SAVE is not able to verify \nan individual's immigration status at this stage the agency is \nprompted to submit the query for third-step verification. To \naccomplish the third-step verification the user agency must \nprovide USCIS with legible photocopies of both sides of the \napplicant's immigration documentation.\n    Registered agencies may submit this information \nelectronically or manually. SAVE response time for the third-\nstep verification is generally 10 to 20 Federal working days. \nIf immigration status still cannot be confirmed, benefit-\ngranting agencies may refer applicants to a local USCIS office \nto correct or update their records. 
USCIS and HHS entered into \na computer-matching agreement for ACA verifications and tested \nthe web service's connection between SAVE and the HHS hub, \nincluding testing of case-specific queries and overall \nfunctionality.\n    After all testing was successfully completed, HHS was \ngranted access to SAVE to meet the October 1 implementation \ndate. SAVE is responding to all properly-submitted queries. As \nof November 10, 2013 there have been 91,011 Hub-generated \nqueries, with an average of 1.31 seconds for initial \nverification responses. It is important to note that this \nfigure is not a proxy for the number of individuals about whom \nHHS has submitted queries to SAVE because there are often \nmultiple queries per applicant.\n    Moreover, this figure is not a proxy for the number of \npeople who have applied for health care coverage under the ACA \nbecause only a small percentage of such applicants require the \nsubmission of queries to SAVE. To help facilitate immigration \nstatus verification for HHS and other agencies under the ACA, \nUSCIS introduced several program enhancements which are not \navailable to all customer agencies. Registered agencies may now \nreceive grant date and sponsorship information for select \nstatuses on initial, second-, and third-step verification. \nPreviously, agencies had to submit manual forms to request that \ndata.\n    USCIS also introduced an optional auto second-step feature \nwhich allows SAVE to automatically send queries to additional \nverification if the initial step is unable to verify the \napplicant's immigration status. This eases burden on the user \nagencies, and makes the case resolution process more efficient. \nAdditionally, in April 2013 we launched a scan-and-upload \nfeature that enables agencies to electronically attach scanned \ncopies of immigration documents to queries. 
Since the inception \nof the SAVE program, USCIS has provided benefit-granting \nGovernment agencies a reliable method to verify an applicant's \nimmigration status and to ensure that only authorized \napplicants receive public benefits.\n    On behalf of all of my colleagues at USCIS, I am grateful \nfor the opportunity to speak to you today about the SAVE \nprogram.\n    [The prepared statement of Ms. Correa follows:]\n                  Prepared Statement of Soraya Correa\n                           November 13, 2013\n                              introduction\n    Chairman McCaul, Ranking Member Thompson, and Members of the \ncommittee, I appreciate the opportunity to discuss our shared goals of \nsupporting Government agencies to ensure that only authorized \napplicants receive public benefits. My name is Soraya Correa, associate \ndirector for the Enterprise Services Directorate. I am responsible for \noverseeing verification programs at U.S. Citizenship and Immigration \nServices (USCIS). The Patient Protection and Affordable Care Act of \n2010 (ACA) limits eligibility to enroll in a qualified health plan \nthrough the State and Federal exchanges established under the ACA to \ncitizens, nationals, or those otherwise ``lawfully present'' in the \nUnited States. The law directs the Department of Health and Human \nServices (HHS) to check applicant eligibility against Department of \nHomeland Security (DHS) data if the applicant does not attest that he \nor she is a U.S. Citizen, or if the Social Security Administration \n(SSA) cannot verify the applicant's claim of U.S. Citizenship. 
The \nSystematic Alien Verification for Entitlements (SAVE) Program\\1\\ \nresponds to queries and provides HHS, through the ``Hub'' established \nby the Centers for Medicare and Medicaid Services, with immigration \nstatus information as well as information regarding naturalized and \nderived citizens on behalf of DHS.\n---------------------------------------------------------------------------\n    \\1\\ SAVE is a service that helps Federal, State, and local benefit-\nissuing agencies, institutions, and licensing agencies determine the \nimmigration status of benefit applicants so only those applicants \nentitled to benefits receive them. SAVE does not determine whether \napplicants are eligible for a specific benefit or license; the benefit-\ngranting agency makes that determination. SAVE uses an on-line system \nthat checks a benefit applicant's immigration status information \nagainst over 100 million Federal records. Agencies that do not have \naccess to an automated system may submit a paper verification request. \nSAVE is available in all 50 States. It has been providing immigration \nstatus information to public benefit granting agencies for over 25 \nyears. SAVE has more than 1,060 customer agencies, including the Social \nSecurity Administration and most State departments of motor vehicles. \nThe SAVE Program received over 14 million verification requests in \nfiscal year 2013.\n---------------------------------------------------------------------------\nSAVE Access and Verification Process\n    Before accessing SAVE, user agencies must sign a Memorandum of \nAgreement (MOA) or a Computer Matching Agreement (CMA) with USCIS that \ndetails the terms and conditions of their use of SAVE. The SAVE \nverification process requires up to three steps: (1) Initial \nVerification, (2) Additional Verification, and (3) Third-Step \nVerification. 
For initial verification, a user agency submits a status \nverification request and the system provides the applicant's \nimmigration status information. If SAVE is not able to verify an \nindividual's immigration status on initial verification, the benefit \ngranting agency is prompted to submit the query to the additional \nverification step.\n    During additional verification, a user agency may also submit \nadditional information, such as a maiden name or additional immigration \ndocument numbers, to USCIS using the SAVE system. SAVE response time \nfor additional verification, which includes manual review of available \ndatabases, ranges from 3-5 Federal working days. If SAVE is not able to \nverify an individual's immigration status at this stage, the agency is \nprompted to submit the query for third-step verification. The user \nagency must forward a completed Document Verification Request form, \nwith legible photocopies of both sides of the applicant's immigration \ndocumentation to USCIS for third-step verification. Registered agencies \nmay submit this information electronically or manually. SAVE response \ntimes for third-step verification is generally 10-20 Federal working \ndays. If immigration status still cannot be confirmed, benefit-granting \nagencies may refer applicants to a local USCIS office to correct or \nupdate their record.\n                          preparations for aca\n    USCIS and HHS entered into a CMA to authorize HHS to use the SAVE \nprogram for ACA verification. In preparation for the ACA open \nenrollment period, USCIS and HHS tested the web services connection \nbetween SAVE and the HHS ``Hub'' that the Exchanges uses to submit \nqueries to SAVE and other partner agencies. 
The testing included checks \non both case-specific queries and overall functionality.\n    After all testing was successfully completed in the weeks leading \nup to open enrollment, HHS was granted access to SAVE to meet the \nOctober 1 ACA exchanges implementation date. As of November 10, 2013, \nthere have been 91,011 Hub-generated initial queries with an average of \n1.31 seconds for initial electronic SAVE responses. It is important to \nnote that this figure is not a proxy for the number of individuals \nabout whom HHS has submitted queries to SAVE because there are often \nmultiple SAVE queries per applicant. Moreover, this figure is not a \nproxy for the number of people who have applied for health care \ncoverage under the ACA because only a small percentage of such \napplications require the submission of queries to SAVE. SAVE is \nresponding to all properly-submitted queries.\nProgram Enhancements\n    To help facilitate immigration status verification for HHS and \nother agencies under the ACA, USCIS designated more than 30 additional \nstaff to ACA cases and has introduced several program enhancements. \nAuthorized agencies may now receive grant date and sponsorship \ninformation for select statuses on initial, second, and third-step \nverification. Previously, agencies had to submit multiple forms to \ndetermine when an applicant was granted status, and sponsorship \ninformation was not available on initial verification.\n    USCIS also recently introduced an ``auto second step'' feature, \nwhich allows SAVE to automatically send cases to additional \nverification if the initial step requests additional verification. This \nenhancement decreases agency user burden, ensures that additional \nverification cases are referred to the second step, and makes the case \nresolution process more efficient. 
Additionally, in April 2013, the \nSAVE Program launched a scan-and-upload feature that enables agencies \nto electronically attach scanned copies of immigration documents to \ncases. Cases with a scanned copy of the immigration document do not \nrequire submission of a paper form.\n                               conclusion\n    Since the inception of the SAVE Program, USCIS has provided \nbenefit-granting Government agencies a reliable method to verify an \napplicant's immigration status to ensure that only authorized \napplicants receive public benefits. On behalf of all of my colleagues \nat USCIS, I am grateful for the opportunity to speak to you today about \nthe SAVE program.\n\n    Chairman McCaul. Thank you, Ms. Correa. The Chairman now \nrecognizes himself for 5 minutes for questions.\n    Let me just say at the outset, there have been many Members \nof Congress on both sides of the aisle who have called for a \ndelay in the implementation of Obamacare for many reasons. But \nI would think, first and foremost, we have a website that \ndoesn't work. It seems to me it ought to be delayed until that \nwebsite is functional. But more importantly to me and, I think, \nmany Americans, it should be delayed until we can receive \nassurances from this administration that these websites are \nsecure because of the personal data that is being put into \nthem, into the exchanges.\n    We are talking about Social Security numbers, names, \naddresses, e-mail addresses. You know, we are talking about \nhealth information, which is perhaps the most private of all \ninformation; certainly information that no American wants a \nhacker to get access to, to exploit for other purposes. I am \npersonally concerned about the security of this website, and I \nhaven't had the assurances that it is secure. 
Imagine a hacker \ngetting this personal identifying information and exploiting it \nfor personal gain.\n    We see identity theft happen all the time, and yet we have \nthis information being plugged into this exchange that I \nbelieve is not secure. I believe the American people deserve \nbetter. So my first question is to Ms. Stempfley. How many \ncyber attacks have there been on the HealthCare.gov system?\n    Ms. Stempfley. So thank you for the question. As I \ncommented in my opening statement, the awareness DHS has of \ncyber attacks that are on-going comes from a multitude of \nsources. One is Department and agency reports specifically of \nthings that they have identified. We have had a handful of \nreports from the Department of Health & Human Services--a \nnumber of about 16, as my memory recalls. But I will get a \nspecific number for you. As well as identification of threat \ninformation either provided to us from intelligence sources or \nfrom other mechanisms.\n    We are aware of one open-source action attempting to \nperpetrate a denial-of-service attack against a HealthCare.gov \nsite that has been successful.\n    Chairman McCaul. So there has been a denial-of-service \nattack on health care.\n    Ms. Stempfley. There was the attempt of one.\n    Chairman McCaul. Attempt.\n    Ms. Stempfley. But it has not been successful.\n    Chairman McCaul. Of course, a denial-of-service attack has \nthe capability to shut down websites.\n    Ms. Stempfley. The goal of a denial-of-service attack, sir, \nwould, yes, be to deny the access to that information.\n    Chairman McCaul. You know, on the Homeland Security web \npage it talks about one of your primary missions. That is to \noversee the security of the dot.gov domain. Did anyone at HHS--\ndid Secretary Sebelius or anyone at HHS--ever--and involved in \nthis website, and in this roll-out--ever contact DHS about the \nsecurity of HealthCare.gov?\n    Ms. Stempfley. 
Again, as I mentioned, the roles and \nresponsibilities between DHS and departments and agencies are \nsplit. Departments and agency leadership has principal \nresponsibility for building, operating, and securing their \ncapabilities. The HHS CIO is a member of the CIO Council. Their \nSISO is a member of the SISO exchanges. We regularly \ncommunicate about threat in those forums. We were approached--\nwe regularly communicate about threat and engagement and \ncapabilities in those forums, and we have had limited exchange, \nspecifically with HHS on this.\n    Chairman McCaul. Well, the extent of the conversations that \nI have seen between HHS and the Department of Homeland Security \nare two e-mails and one phone call regarding the security of \nthis website. Is that correct?\n    Ms. Stempfley. It is not typical for a Department or \nagency, as they are building a specific application, to involve \nDHS as they build any specific application. So that is an \nunusual activity at that level. We regularly engage at the \nDepartment level.\n    Chairman McCaul. So is the Department essentially \ndefaulting to HHS and Secretary Sebelius for the security of \nthe HealthCare.gov website?\n    Ms. Stempfley. As indicated, sir, under FISMA and current \nguidance, Department and agency leadership are responsible for \nsecuring specific applications under the broad guidance \nprovided by DHS.\n    Chairman McCaul. I believe the oversight of this \ncommittee--that you should play a greater role. As your mission \nstatement, you know, accurately says, correctly states that you \nhave the primary responsibility. Do you know what the \ncompliance rate is of HHS with respect to Government \ncybersecurity standards?\n    Ms. Stempfley. We have engaged with HHS around compliance \nagainst the trusted internet connection activity, and we are in \nthe process of collecting the figures for fiscal year 2013 for \nFISMA. 
The FISMA report is traditionally provided to the Hill \nin February.\n    Chairman McCaul. Well, perhaps I can educate you. It is 50 \npercent. It is a 50 percent compliance rate. Their score card \nis 50 percent, and we are defaulting our cybersecurity--the \nsecurity of Americans' most personal, private data to the \nSecretary of HHS. I find that unacceptable. Do you realize that \n50 percent is the second-lowest score in the Federal Government \nwhen it comes to a report card on cybersecurity in the Federal \nGovernment?\n    Ms. Stempfley. I believe, sir, that the scores you are \nspeaking of are the FISMA report from fiscal year 2012 that \ncame forward. Yes, you are accurately representing the scores \nof HHS in that situation. One of the things you will also see \nis that HHS has one of the top scores in the implementation of \nPIV cards, the two-factor authentication. So what is normal for \na department is that they will have a range of reporting in \nthat situation. In some instances they will be above average, \nand in other instances they will be----\n    Chairman McCaul. But do you find it acceptable that you are \ndefaulting to HHS for cybersecurity, when they have a 50 \npercent compliance record that is the second-lowest in the \nFederal Government?\n    Ms. Stempfley. Sir, as your opening statement indicated, we \nare operating under the current set of authorities and----\n    Chairman McCaul. Well, I hope the Ranking Member will work \nwith me to change that. Because I think you are the department \nwith this expertise, not HHS. I believe you are the one with \nthe--again, the background to fix this. I will just close with \nthis. There was a letter from the CMS administrator to the \nRanking Member that basically assured him that they would be \nfollowing industry best practices and that this website would \nbe secure. I believe that that did not happen.\n    With that, the Chairman now recognizes the Ranking Member.\n    Mr. Thompson. 
Thank you very much, Mr. Chairman.\n    Ms. Correa, in verifying whether or not people who want to \nparticipate in the Affordable Care Act are legal or illegal, \nhas that posed a problem for your agency?\n    Ms. Correa. Thank you for the question. No, we have not \nencountered any issues. As I indicated in my opening statement, \nwe establish the connection between the hub and our SAVE \nsystem. We tested that functionality and it is working as \nexpected.\n    Mr. Thompson. So those 91,000 queries to ACA have been met \nwithout any problem.\n    Ms. Correa. They have processed in the manner that they are \nsupposed to process through the SAVE system.\n    Mr. Thompson. Thank----\n    Ms. Correa. So in other words, they will come through for \ninitial verification. If we, for some reason, cannot confirm \nthat immigration status, then we prompt them to refer to second \nstep, and so on. So it is functioning as expected.\n    Mr. Thompson. Thank you.\n    Ms. Stempfley, with respect to the potential for hacking or \nwhatever, do you have any knowledge about the number of \nattempts that are made daily on the Federal system?\n    Ms. Stempfley. Sir, just to give you an order of magnitude, \nin fiscal year 2013 we processed more than 13,800--138,000, \nexcuse me, 138,000 reports to U.S. sort-of attempts against \nboth Federal Government and critical infrastructure systems. So \nthe multitude is fairly substantial.\n    Mr. Thompson. So 138,000 attempts is a big number.\n    Ms. Stempfley. It is, sir.\n    Mr. Thompson. To your knowledge, have we met the defense \nrequirement to not allow those attempts to be successful? Do we \nhave any kind of----\n    Ms. Stempfley. I am happy to provide for you, sir, as a \nresponse for the record the number of successful compromises \nthat may have occurred. I don't have that number in my brain at \nthe moment.\n    Mr. Thompson. Please provide that to the committee, if you \nwould. 
With respect to the dot.gov domain and its \nresponsibilities that you have, are you presently carrying that \ndot.gov domain oversight out?\n    Ms. Stempfley. Yes, sir.\n    Mr. Thompson. Now, with respect to the HealthCare.gov \ndomain, can you, for the committee, share the difference in \noversight on that?\n    Ms. Stempfley. If I understand your question, sir, we \nprovide for example, for FISMA, we provide details to \ndepartments and agencies about how to report their compliance \nwith FISMA both in terms of how to specifically answer the \nFISMA questions and measures, and how frequently to provide \nthose updates so that we can produce the annual report and \nassessment that is delivered to the Hill in February.\n    Mr. Thompson. Explain to the committee the FISMA \nrequirement; what FISMA is and what is required.\n    Ms. Stempfley. Certainly. So FISMA lays out a broad set of \nrequirements for departments and agencies to secure their \napplications and systems. It empowers Department leadership to \nmake local risk decisions about when something may--when a \ndecision about what may need to be--what may be appropriate for \na system or application needs to be looked at. You take into \naccount the risk environment that the system operates in. Is it \noperating inside the department, or is it a heavily-connected \nsystem.\n    Is it containing, for example, intellectual property \ninformation or something of that sort. So you are empowered--\nthe departments and agencies are empowered to make those local \nrisk decisions. It requires things such as training of all of \nyour workforce against cybersecurity activity, assurance of \naccreditation decisions made, and number of systems and \napplications operating under a range of accreditation \ndecisions.\n    Mr. Thompson. To your knowledge, in the HealthCare.gov \nreview, have you provided that training to the individuals with \nthe responsibility for looking at that?\n    Ms. Stempfley. 
Again, sir, each department and agency is \nresponsible for providing that training, for ensuring that \ntraining is received in there. Then that is reported through \nthe annual report to the Department of Homeland Security, the \ncompliance measures associated with that. So it isn't a--it is \nnot typical for the Department of Homeland Security to provide \nspecific training to a department.\n    Mr. Thompson. But they report the training to you.\n    Ms. Stempfley. They do. They----\n    Mr. Thompson. You put it in a report.\n    Ms. Stempfley. We do. At the end of the year, we are--as I \nindicated, we are in the midst of collecting the fiscal year \n2013 data, and the FISMA report is traditionally handed to the \nHill in February.\n    Mr. Thompson. Thank you.\n    Ms. Stempfley. You are welcome.\n    Mr. Thompson. I yield back.\n    Chairman McCaul. I thank the Ranking Member.\n    The Chairman will recognize other Members for 5 minutes for \nquestions, in accordance with our committee rules. I plan to \nrecognize Members who were present at the start of the hearing \nby seniority on the committee. Those coming in after the \nhearing will be recognized in order of arrival.\n    The Chairman now recognizes the Chairman of the \nSubcommittee on Cybersecurity, Infrastructure Protection, and \nSecurity Technologies, who has held two previous hearings on \nthis issue, Mr. Meehan.\n    Mr. Meehan. I thank you, Mr. Chairman. I thank you, \nSecretary Stempfley, for your continued work in this area. You \nknow, I am just gonna follow on the question with regard to \nyour being consulted, and giving to the agencies the ability \nfor them to outline the security for their systems. 
Now, I \nwould suggest to you--and would you not agree--that this is \nperhaps some of the most important information that is being \ncollected by the Government today: The private identifying \ninformation on Americans who are applying, oftentimes giving \nintimate details about their families, and otherwise to the \nGovernment?\n    Ms. Stempfley. So the--certainly, the Federal Government, \nthrough a range of departments, has information about----\n    Mr. Meehan. Well, I mean, the PII is significant \ninformation, is it not, Ms. Stempfley?\n    Ms. Stempfley. PII is certainly important, sir.\n    Mr. Meehan. The Department itself lays out the \nqualifications. So here I hold in my hand what was created by \nHHS for the health insurance marketplace, the navigators' \nstandard operating procedures manual. To the best of our \nreview, the only security information developed is to make sure \nthat you don't leave copies of things out on copiers. But under \nthis manual, as was stated by the Secretary herself, it is \npossible that a felon may be a navigator.\n    Should there have been guidelines to do security checks on \nthe backgrounds of people who will be in privity of \ncommunication with the very applicants? Some of those \nnavigators, under the Secretary's own admission, may be felons?\n    Ms. Stempfley. Sir, respectfully, I believe that question \nis best addressed to the Department of Health & Human Services. \nI am in an area outside----\n    Mr. Meehan. I would like to ask but we don't get them in \nfront of us. I am grateful for your--the--I want to follow up \non this other issue, as well, with regard to the compliance \nwith FISMA. Now, we have had quite a go-around, as the Chairman \nhas stated, with representatives before us from HHS. The \nrequirement under FISMA to do the appropriate testing, then to \nthen make sure that they correct any problems that they see. 
\nThen, ultimately, give an authorization.\n    As you know, the inspector general themselves, the \nDepartment of Inspector General, released a report in late \nsummer suggesting that there was no window. That the only \ncertification, according to their schedule, was going to happen \nthe day before the operation of the website. Then suddenly, \nvoila! In the middle of the summer, HHS purportedly made these \nhuge leaps, in which they were able to suddenly certify the \nsecurity of the system.\n    Now, how is it that they would have been able to go from \nthe period in which they were being--the IG was concerned they \nweren't even going to be able to meet the deadline until the \nday before, and suddenly there was tremendous security steps \ntaken by an agency that hadn't done anything for 3 years?\n    Ms. Stempfley. Sir, the Department of Homeland Security is \nnot generally engaged as a specific application is built or \noperated. You are asking me a question that I couldn't possibly \nknow the answer to.\n    Mr. Meehan. Okay. Well, one of the things, as the HHS \ninspector general's report itself says, that the security \ncontrols and security testing notwithstanding, they may--the \nauthorizing official may grant security authorization with the \nknowledge that there are still risks that have not been fully \naddressed at the time of authorization. Is it possible that \nthis was granted with the recognition that there were still \nrisks, significant risks, that had not been addressed at the \ntime of the authorization?\n    Ms. Stempfley. The terms of FISMA enable Department \nleadership to delegate the responsibility for risk assessment \nand risk acceptance to lower levels. So it is certainly \nfeasible that in that delegation that is----\n    Mr. Meehan. 
So who is making the determination, then, on \nthe most significant information, the biggest collection of \nprivately-identifying information, that will be collected by \nthe Government anywhere in its history? That is not my words; \nthat is the testimony of others. This is being delegated to \npeople we don't even know?\n    Ms. Stempfley. Sir, I don't--one of the things that FISMA \ndoes not require is awareness of who the accrediting officials \nare to the Department of Homeland Security. So I am not aware \nof who the accrediting----\n    Mr. Meehan. So who made the decisions, in other words? We \ndon't know who is making the decisions to authorize the ability \nto suggest that they have complied with FISMA, when the \ninspector general themselves said it was going to be unlikely \nthat they could before the start?\n    Ms. Stempfley. Again, respectfully, sir, that question is \nbest addressed to the Department of Health & Human Services.\n    Mr. Meehan. I think my time is expired. Thank you, Mr. \nChairman.\n    Chairman McCaul. I thank the gentleman. I appreciate the \npoint that these ``navigators,'' that navigate people, the \nAmerican people, through this system, this website, don't \nundergo a background check. So the idea that convicted felons \ncould be responsible for this is just unconscionable.\n    With that, the Chairman now recognizes Ms. Sanchez, from \nCalifornia.\n    Ms. Sanchez. Thank you, Mr. Chairman. Thank you, ladies, \nfor being before us today and trying to shed some light on what \nI believe is an important topic. We need to ensure that we \nsafeguard the information of Americans. So I appreciate the \nwork that you do. When I look at everything that is under your \ndirectorates, et cetera it is pretty amazing.\n    So I have a question. I am trying to come from a more \ngeneral standpoint because, in a lot of ways, I am a layperson \nto the technical issues of securing somebody's identity, et \ncetera. 
But can you tell us, in general, across the Government \nnetworks that we have, what type of operational, \nadministrative, technical, and physical safeguards are \nimplemented to ensure confidentiality, integrity, and \navailability of PII and to prevent unauthorized or \ninappropriate access, use, or disclosure of PII?\n    How does that compare to, for example, HIPAA security \nstandards in place that protect the electronic health \ninformation that we have from a medical standpoint?\n    Ms. Stempfley. Thank you. I appreciate the opportunity. I \nam personally not familiar with HIPAA in great detail, so I \nwill----\n    Ms. Sanchez. Well, it is one of our standards that we try, \nsupposedly, to uphold so that people don't figure out----\n    Ms. Stempfley. Absolutely.\n    Ms. Sanchez [continuing]. What has been going on with----\n    Ms. Stempfley. I am happy to talk about the kinds of \nadministrative procedurals and technical controls that are part \nof the Federal enterprise security----\n    Ms. Sanchez. Super. In layman's terms, please.\n    Ms. Stempfley. I will do my best. So one of the most \nfoundational things that is necessary for a viable security \nprogram is a set of operational processes and operational \nresponsibility assignments and policy activities. Including \nthings such as ensuring that all users receive annual training \nfor their individual security awareness as a part of their \nreceiving their log-in. That log-ins and passwords are \neffective. For example, we are in the process of migrating to \ntwo-factor authentication, that is a PIV card for log-in.\n    So it is something more than just your password. You have \nto have something and know something in order to gain access. \nAs well as the employment of procedures for understanding where \nyour system--what systems you have, where they are, what assets \nare--what pieces of software are running on them. 
Then we have \nbeen on a long engagement under the Comprehensive National \nCyber Security Initiative to create defendable boundaries \naround the Federal enterprise and to put in place a series of \ncapabilities at those boundaries for better protection and \ndefense.\n    If you think about it in terms of a community, it is \nbecoming a gated community and one that is focused on securing. \nYou have a set of activities that have to happen for the \nindividuals in the homes, for the homes themselves, and then \nfor the community as a whole. That is a good allegory for \nlaymen, you know, in layman's terms for the kinds of efforts \nthat departments and agencies have to undertake in order to \nsecure their systems and the broad networks that all these \nactivities operate on.\n    It includes--and I am actually very grateful to this \ncommittee and the Members on it for their commitment to \ncapabilities such as the continuous diagnostics and mitigation \neffort, which we began more than a year ago and are in the \nprocess of releasing the contract for providing specific tools \nand capabilities for departments and agencies to put on their \nsystems and assets. HHS has agreed to be an early adopter of \nsuch a capability to include intrusion detection and preventing \ncapabilities that are provided at that boundary level.\n    Ms. Sanchez. Great. I guess I would just say, you know, I \nalways figure, on this committee, when we are looking at \ncybersecurity in particular, that the weakest link is an \nindividual. So we can protect as much as we want, but, you \nknow, it is what is going on. I remember a few years ago, when \nour system here within the House was being hacked. It turned \nout that it was because Members were taking their personal \ndevices overseas and they were being hacked.\n    So one of the rules we put in was that you either don't \ntake your personal device, you switch out to a dumb device to \nget some of your e-mails. 
Or when you land you take out your \nbattery, you know, from your thing, et cetera. Of course, my \nstaff had dumbed me down on my device when I landed, but I saw \nall my other colleagues turning on their devices. I said, ``Oh, \ndo you have a dumb device?'' They didn't even understand the \npolicy.\n    I looked at them, and I said, ``You guys, you know the new \npolicy is take out your battery and you can't use your \nBlackBerry here because, you know, they are getting into our \nsystem here.'' They all looked at me and said, ``Oh,'' they \nsaid, ``we weren't aware of that policy.'' I said, ``Well, yes, \nit is a policy because Frank Wolf and others have, you know, \nthey have gotten into our system.'' To which case they all \nturned around and started looking at their e-mails.\n    Chairman McCaul. [Off mike.]\n    Ms. Sanchez. So--no, it is true, Mr. Chairman. The other \nday I was flying back to California. I am on a plane, a \ncolleague--for some reason, my PDA dropped someplace. One of my \ncolleagues picked it up. She said to me, ``Oh, you know, I was \ngonna take a look.'' I said, ``Well, I am password-protected.'' \nShe looked at me, and I said, ``Well, aren't you password-\nprotected on your device?'' She looked at me and she goes, \n``No, it would slow me down.''\n    So we can, you know, we try, and do try. Thank you for the \nwork that you do is, I guess, what I am saying.\n    Thank you, Mr. Chairman.\n    Chairman McCaul. Thank you.\n    The Chairman now recognizes the gentleman from South \nCarolina, Mr. Duncan.\n    Mr. Duncan. Thank you, Mr. Chairman. I am proud to \nparticipate in No Shave November to raise awareness of men's \nhealth, specifically prostate cancer and cancer in general. I \ndo so in honor and memory of the late South Carolina State \nrepresentative, my good friend, David Umphlett, who passed away \nin 2011.\n    Mr. 
Chairman, it is crystal clear to me that the Obama
administration has put politics over the security of Americans'
personal information. President Obama and Secretary Sebelius
and other senior officials accepted an excessive amount of risk
to Americans' information, all so this flawed website could go
forward to meet the Democrats' political agenda.
    I have a memo from September 3, 2013, less than a month
before the launch of the HealthCare.gov website from chief
information officer of the Center of Medicare and Medicaid
Services, Tony Trenkle. I would like to enter this into the
record.
    Chairman McCaul. Without objection, so ordered.
    [The information follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Mr. Duncan. Thank you. Approving authorization to operate
the system underlying the Obamacare health exchanges. Trenkle
states the risk to CMS information systems resulting from the
operation of the FFM, or Obamacare--FFM stands for Federal
Facilitated Marketplaces--information systems is acceptable.
But the memo then goes on to say page after page, describing
enormous risk to Americans' personal information. Page 2
discusses, ``malicious macros, the threat and risk potential is
limitless.''
    Page 3: ``No evidence of functional testing processes and
procedures being adequate to identify functional problems
resulting in non-functional code being deployed.'' Page 4:
``Many FFM controls documented in the security controls section
of CFACS have an effectiveness of not satisfied. Security
controls are not documented as being fully implemented.'' It
goes on: ``Ineffective controls do not appropriately protect
the confidentiality, integrity, and availability of data, and
present a risk to the CMS enterprise.''
    These show serious concerns in the security of the
Obamacare exchanges. It makes clear that Obamacare represents a
clear and present danger to Americans' personal information.
How could anyone with a technology background assess that with
all this that the risk was acceptable to move forward? Which
they did, and launched a website October 1. Why weren't
security officials in DHS and HHS and others sounding the alarm
about the concerns raised by Mr. Trenkle? Is it in any way
conceivable that these issues could be solved by the end of
this month?
    That is a rhetorical question. We may get back with any
conclusion. Mr. Chairman, I find it quite convenient that, in 2
days, Mr. Trenkle has decided to cut and run from HHS and go
into the private sector; not to be accountable to the oversight
functions of Congress anymore. The American people deserve
accountability for the threat this administration has allowed
to our personal information.
    I would like to also share an article from South Carolina,
a Columbia, South Carolina gentleman, an attorney. Went onto
the HealthCare.gov website to browse for cheaper insurance for
him and his wife. He entered in his information, just as you
would normally do. A few days later, he had someone call him
from North Carolina. He says, ``I believe, somehow, the ACA
health care website has sent me your information. That is what
it looks like to me,'' Mr. Judson Hadley said, a North Carolina
resident, who could access Tom's information on HealthCare.gov.
    I think there is a problem with the wrong information going
to the wrong place. Now, the article goes on to say that Mr.
Hadley just entered into the website to try to shop for
insurance for himself and he was sent this gentleman from South
Carolina's personal information. He actually went to another
link and clicked on it, and actually had a PDF that he could
print out on his computer of all of this gentleman's
information. These are serious flaws.
    This wasn't a hacker, this wasn't someone trying to
intentionally access Americans' private information.
This was
information sent to a third party by HealthCare.gov. This
website has serious problems. Americans are relying on this
Government to get it right. So I go back to the question that I
had asked rhetorically a minute ago: Is it any way conceivable
these issues could be solved, Ms. Stempfley, by the end of this
month?
    Ms. Stempfley. Again, sir, I respectfully submit that that
question is best asked to the Department of Health & Human
Services.
    Mr. Duncan. Are you aware of Mr. Trenkle's memo? Have you
seen that?
    Ms. Stempfley. I believe I saw that this morning, sir.
    Mr. Duncan. Okay. Well, it will be entered into the record.
    Mr. Chairman, thank you for having this hearing. Americans
expect us to get it right. If not, let's delay Obamacare
implementation until the Government can assure Americans that
their private information will not be stolen by a third party
and their identity be taken that could cause serious financial
harm to them and their families.
    With that, I yield back.
    Chairman McCaul. I thank the gentleman for his insight.
    The Chairman now recognizes the gentleman from New Jersey,
Mr. Payne.
    Mr. Payne. Thank you, Mr. Chairman. Ms. Stempfley and Ms.
Correa, I appreciate your being here today and your testimony.
From my understanding, the Federal data service hub is not a
database or a repository for personally identifying information
or for health care records in general. Is that correct?
    Ms. Stempfley. Sir, I am not personally familiar with the
architecture of HealthCare.gov.
    Mr. Payne. Ms. Correa.
    Ms. Correa. I am not familiar with their--I don't know
exactly what their architecture is. My understanding, it is
not. It is just a conduit for passing information.
    Mr. Payne. That is my understanding, as well. I think that
needs to be clarified.
You know, again, from my understanding,
this hub will just be used to determine someone's eligibility
to participate in the exchange, enroll in a plan, receive a tax
credit, and determine whether someone is entitled to an
exemption only. Is that your understanding?
    Ms. Correa. From the accounts that I have read, yes, that
is my understanding. That it is a help to process information.
    Mr. Payne. Okay. Let's see. Can you describe how the
Federal agencies like HHS, DHS, the IRS, and Social Security
Administration are coordinating with one another and with
insurance carriers to share information, and how is that
information being protected?
    Ms. Correa. I can speak to the agreements that we enter
into--``we,'' as in USCIS enter into--with our partner agencies
who have the databases that we go out and look at. We enter
into some form of an agreement, either a memorandum of
agreement or a computer matching agreement--that is the
agreement that we entered into with HHS--and we also have what
are called ``service-level'' agreements. Service-level
agreements typically talk about performance in terms of when we
go out and query a database what kind of response times we can
expect.
    So those are the kinds of agreements that we enter into.
Again, I do want to emphasize that our SAVE program doesn't
download information from those databases. We merely go out,
ping those databases for information, obtain the immigration
status and the class of admission, and provide that information
back to the inquiring agency.
    Mr. Payne. Okay. It is--you know, it--do Federal agencies
often share personal identifiable information for the purposes
like processing Social Security claims? How is that information
protected? You know, is the same approach being used for those
enrolling in these exchanges?
    Ms. Stempfley.
Sir, unfortunately, it is atypical for the
Department to engage at a system level in that perspective.
Although one of the requirements under--for example, under
FISMA, is an interconnection agreement which is put in place
between two systems that are--articulates the security
requirements that both parties must be subject to.
    Mr. Payne. Okay. One last question. You know, as you ladies
know, the changes are being made to HealthCare.gov to make it
run better. What steps are being taken in coordination with
these changes to ensure that personally identifiable
information is still protected?
    Ms. Stempfley. Sir, again, I think, respectfully, that
question is best directed to the Department of Health & Human
Services.
    Mr. Payne. Okay. Well, with that, Mr. Chairman, I will
yield back.
    Chairman McCaul. The Chairman will now recognize the
gentleman from Pennsylvania, Mr. Perry.
    Mr. Perry. Thank you, Mr. Chairman. Thank you, ladies, for
being here. Just looking for your overall assessment, because I
think we--at least I, as a Member, and I think many of my
constituents, members of Citizens of America--are concerned,
wondering who is responsible. So I am looking for your broad
knowledge of the system. To where does an American whose
information has been compromised, to whom does that person seek
redress?
    Is there an individual, is there an agency? What is the
mechanism to be made whole once your information is compromised
and who knows what it is used for? If there someone that you
know of, is there any agency? Where do Americans go when it
goes bad, if it goes bad?
    Ms. Stempfley. As a normal--sort of in the normal course of
events across the Federal enterprise, if a citizen experiences
an issue with a Federal application, typically the first place
they go is that application's support desk or support function.
That is generally escalated to security operation centers
inside the organization, and then further escalated to the
Department of Homeland Security for visibility and for response
functions.
    Mr. Perry. So it would be the Homeland Security--it would
be the----
    Ms. Stempfley. Department of Health & Human Services.
Generally, it is the support function for whatever that
application might be.
    Mr. Perry. Would they be able to seek financial
remuneration for, you know, some kind of grievance? Or if their
identity was taken and their accounts were emptied and their
lives were destroyed from a digital standpoint would they be--
is that where they would go?
    Ms. Stempfley. I am sorry, sir, that is not an area of
expertise of mine about--in the redress areas. I will be happy
to take the question----
    Mr. Perry. Okay, appreciate it. Ms. Correa, do you know?
Okay.
    Ms. Correa. I do not.
    Mr. Perry. Ms. Correa, I appreciate you being here. It
provides a unique opportunity. If you can explain CIS's role in
identifying somebody who comes here illegally to access our
services and tries to sign up on the exchange, what is the role
there of CIS in identifying that person? What is the process?
    Ms. Correa. Thank you for your question and the opportunity
to clarify how the process works. The benefit-granting agency
is the organization that determines the eligibility of whether
an individual is eligible for a particular benefit. They come
to us through the--in this case, the Affordable Care Act,
through the hub. They come to us, they provide us with
information such as their alien number, their I-94 number,
their name, their date of birth, et cetera.
That is the data
that we use to go out and verify the immigration status of the
individual.
    The SAVE responds with the immigration status information
as well as the class of administration--if it is able to
confirm the immigration status based on the information
presented. However, any decision on the eligibility for
benefits is made at the benefit-granting agency level. In other
words, USCIS does not make that determination.
    Mr. Perry. Okay. Do you know, if you can tell me, how long
that process takes? I am looking, just so you understand, in
the context of the administration has on numerous occasions
said that the process should take about 25 minutes to sign up.
So all that, in my mind, has to occur, right, before you can
sign up? This is all in the span of 25 minutes. Is that--do you
have any idea of the time that that process takes?
    Ms. Correa. I would like to clarify that the sign-up
process is happening outside of this SAVE process. That sign-up
process is before the exchange comes through the hub, to us,
for a SAVE query. So I wouldn't know how long that process
would take. What I can share with you is our response times, as
I mentioned, in our testimony. From the moment we receive a
query, either in the initial verification step or in the
subsequent steps, how long that takes. But I couldn't talk
about how long does it really take to sign up.
    Mr. Perry. Just for the record, again, what is your time
frame?
    Ms. Correa. Sure. Our average response time in the initial
query is about 3 to 5 seconds. On the ACA, right now, the
queries that we are getting through we are seeing about 1.31
seconds response times.
    Mr. Perry. Okay.
    Ms. Correa. For the second step, it takes about 3 to 5
Federal working days. For the third step, which is the more
complex steps, it takes about 10 to 20 Federal working days.
    Mr. Perry. Okay.
So is that--am I to take it to mean as far
as you can tell that somebody that is here illegally that maybe
came just to sign up for benefits could do that, and be
involved in--could go through the exchange and sign up for
benefits, and receive a plan, before they could be identified
as being here illegally?
    Ms. Correa. Let me clarify that someone who is here
illegally, who is undocumented----
    Mr. Perry. Right.
    Ms. Correa [continuing]. Is not likely to be able to come
through the hub with a query. Because the benefit-granting
agency, when an individual attests that they are either not a
U.S. citizen or--if an individual attests that they are not a
U.S. citizen they have to present their documentation as to
what their status is.
    Mr. Perry. Right.
    Ms. Correa. That is the information that the benefit-
granting agency would enter into the system--or the individual
would have to enter that information if they are entering
directly--to come through for a query. So an undocumented
individual wouldn't have that information and wouldn't be able
to be the subject of a query.
    Mr. Perry. Thank you. I see my time is expired, and I yield
back.
    Chairman McCaul. I thank the gentleman.
    Mr. Duncan referred to an article during his questioning
that he would like to make part of the record. I would like to
ask unanimous consent that it be made a part of the record.
    Ms. Jackson Lee. Will the gentleman yield?
    Chairman McCaul. The Chairman yields to the gentlelady.
    Ms. Jackson Lee. I am sorry. I did not hear what the
document was. Would you just repeat for the record what the
document was?
    Chairman McCaul. It had to deal with a gentleman from, I
believe, North Carolina that tried to sign up for Obamacare and
got information back regarding another gentleman from South
Carolina, very personal information, that has been widely
reported.
    Ms. Jackson Lee.
So it is a newspaper article?
    Chairman McCaul. Correct.
    Ms. Jackson Lee. I thank the gentleman. I yield.
    Chairman McCaul. Okay. Without objection, so ordered.
    [The information follows:]
          Article Submitted For the Record by Hon. Jeff Duncan
  midlands man has personal information compromised on healthcare.gov
Posted: Nov 03, 2013 6:22 PM EST
Updated: Nov 04, 2013 4:04 PM EST
By Meaghan Norman
    COLUMBIA, SC (WIS).--About a month ago, attorney Tom Dougall logged
on to healthcare.gov to browse for cheaper insurance for him and his
wife.
    On Friday, the last thing he expected to hear on his voicemail was
a man from North Carolina who says he can access all of Tom's personal
information.
    Dougall says he thought it was a scam until he realized his privacy
had been breached.
    ``I believe somehow the ACA, the Healthcare website has sent me
your information, is what it looks like,'' said Justin Hadley, a North
Carolina resident who could access Tom's information on healthcare.gov.
``I think there's a problem with the wrong information getting to the
wrong people.''
    In a telephone interview, Hadley said he simply put in his username
and password when Dougall's information appeared.
    ``The next page that came up was a page that prompted that I have a
marketplace eligibility information to download. And that's when I
clicked download and Mr.
Dougall's information came up in a PDF
document,'' said Hadley.
    At first, Dougall didn't know what to think.
    ``We received a phone call from a gentleman named Justin in North
Carolina who informed me that he had gone on the healthcare.gov website
and when he logged in under his log in and password, he received a
document of all of my and my wife's personal information,'' Dougall
said.
    Dougall said he thought it was a ploy.
    ``Initially I was concerned because I didn't know if this was some
guy who was scamming me or if in fact this was a guy who really had my
personal information,'' he said.
    Hadley even provided proof, documents containing Tom's personal
information and screen shots of the website.
    ``And you can see that he's actually signed in as Justin and it
tells him he has notices about his marketplace eligibility and to
download those and when he downloads it, the next screen shot shows him
my personal information,'' Dougall said.
    Dougall said now Hadley cannot sign up for the coverage he needs
because he's been blocked by Tom's personal information.
    ``I'm assuming I'm going to have to pay the penalty or tax or
whatever they're calling it now for not having health insurance next
year,'' said Hadley.
    ``We're told constantly that it's a secure system and it's not,
obviously,'' Dougall said.
    Having lived through one security breach in the State of South
Carolina with the Department of Revenue, Dougall wonders what would
happen if a professional hacker tried to log on.
    ``I tried to call healthcare.gov last night and they have no
procedure whatsoever to handle security breaches,'' he said. ``All they
can do is try to sell you a policy.''
    Dougall has also contacted his Congressmen.
He says he's calling
the Department of Health and Human Services directly on Monday.
    ``They're so concerned with trying to fix the problems they
currently have that they refuse to acknowledge or won't acknowledge
that there's been a major breach,'' Dougall said.
    In the meantime, Dougall does not know how to secure his
information.
    ``I think there's a problem with the wrong information getting to
the wrong people,'' Dougall said.
    We reached out to the U.S. Department of Health and Human Services;
they responded via email Sunday afternoon asking for more information
about what happened to Tom and Justin.
    Late Sunday, an HHS official said a security team is working to fix
the issue. ``We are aware of this issue and it is on our punch list of
fixes, scheduled to be addressed in the very near future.''
    They added consumers can call the toll-free number or access the
on-line chat tool that is available 24/7.

    Chairman McCaul. The Chairman now recognizes the gentleman
from Texas, Mr. O'Rourke.
    Mr. O'Rourke. Thank you, Mr. Chairman. Thank you for
holding this hearing.
    The implementation of the Affordable Care Act, thus far,
has been deeply disappointing. Most obviously, the roll-out of
the website has been a disaster. I want to work to make sure
that we fix those problems that we have identified. I want to
make sure that we make this law work. It is, after all, the law
of the land. It has been tested several times, and tested at
the level of the Supreme Court. The Government was effectively
shut down, in part, in dispute and debate over this.
    I think politically, legislatively, that has been resolved.
Now we need to make sure that it works. Again, the
implementation so far has been disappointing.
But I want to
work with Members from both sides to fix those problems that we
have identified, and there are many, and make this work.
    I think about the 200,000 El Pasoans that I represent who
are currently uninsured. Who, because of their lack of
insurance, are gonna have worse health outcomes than they
otherwise would. Who, because they don't have insurance, when
they do get care, the rest of us are subsidizing that care in a
very ineffective, inefficient, and costly manner.
    So I want to make sure that this law works. I think its
goals and intentions are noble. I think it is perfectable. So I
want to make sure that we are focused on that. In today's
hearing, we are looking at cybersecurity threats and problems.
Some of the questions resolved around--or revolved around a tax
on HealthCare.gov. Denial of service attacks, hacking attempts,
attempts to gain access, or entry, illegally.
    I am assuming, and correct me if I am wrong, that every
single Government web asset is attacked, perhaps on a daily or
a minute-by-minute basis. Is that correct?
    Ms. Stempfley. Certainly, sir. The internet itself, where
we operate in this environment, is one that contains a
multitude of threats. The Federal Government websites and
Federal Government systems are subject to the same environment
and these same threats.
    Mr. O'Rourke. So the existence of threats, proof that
attacks have taken place, do not prove the system is
vulnerable. Or, from your answer to the previous question from
the Chairman, do not establish that you have concerns about the
security of that system. Is that correct?
    Ms. Stempfley. Certainly, sir. The existence of threats
does not increase the vulnerability that the systems might be--
--
    Mr. O'Rourke.
Have you seen anything, thus far--you know, a
month-and-a-half in--that would give you concern about threats
that might be realized, or vulnerabilities that might be
exploited that have not been addressed so far by the
administration or HHS?
    Ms. Stempfley. The position that the Department of Homeland
Security exists is in both awareness and in reporting has only
provided limited information, at this point. As I said earlier,
we received about 16 reports from HHS that are under
investigation, and one open-source report about a denial of
service.
    Mr. O'Rourke. In thinking about the VA, and the fact that
the VA is trying to move to a much more web- and digital-based
sharing of service records and medical records for former
servicemembers, anything that we can learn from the success or
failures in those VA programs that are sharing very sensitive
information? In some case, I realize that information has been
compromised. Anything we can learn, or what lessons have we
learned, that we are able to apply to what we are doing now
with HealthCare.gov?
    Ms. Stempfley. So I believe I mentioned that the HHS CIO as
well as the VA CIO are members of the CIO council and of the
CISO forums. Those are--the CISO forum specifically is one that
we in DHS run to ensure that we have an avenue for that sharing
of current activity and lessons learned in engagement. There is
a series of best practice documents and actions that are
published by DHS that are an amalgamation of all of that
learning and that are available.
    Mr. O'Rourke. Do you know, specifically, if the VA has
shared that information from their best practices and what they
have learned from failures within that system?
    Ms. Stempfley. I could not speak to a VA-to-HHS-specific
conversation. But we have the aggregation of all of those in a
published format so the departments and agencies can gain
access to that around the clock.
    Mr. O'Rourke.
Ms. Correa, let me ask you a question. In El
Paso, there are bound to be many mixed-status families amongst
those 200,000 uninsured people that I represent in our
community. Walk me through what happens when you have a U.S.
citizen child to a parent who has undocumented status
currently. How will they use that system? How will you use that
information if you learn that that parent is here in an
undocumented fashion?
    Ms. Correa. As I mentioned before--thank you for your
question, but as I mentioned before, what we would see is the
information about that child that they are applying for a
particular benefit. So the benefit-granting agency would be
entering that information. That is the only information that we
would be processing through the query. If the undocumented
parent were trying to apply for a benefit, if they don't have
documentation, then we wouldn't see that query because there
would be no information to enter into the system.
    Mr. O'Rourke. With the Chairman's indulgence, if I could
just ask a quick question.
    Ms. Correa. Sure----
    Mr. O'Rourke. If you somehow through this system,
HealthCare.gov, learn that the parent is here illegally, would
you act on that information, and how would you act on that
information?
    Ms. Correa. I would like to confirm my answer on this, but
we do not rely on that information. Because, again, we only see
a fragment of data. So there is nothing that we would do with
that information at this time.
    Mr. O'Rourke. Okay, thank you.
    Thank you, Mr. Chairman.
    Chairman McCaul. Gentleman.
    The gentlelady from Michigan, Mrs. Miller, is recognized.
    Mrs. Miller. Thank you, Mr. Chairman.
I certainly thank you
for calling this very important hearing on this issue.
    My question to the two of you--and I appreciate your
attendance here today--as I have listened to the questions from
my other colleagues, it is certainly clear from your answers
and your testimony that the Department of Homeland Security has
not been intimately involved in protecting the security of the
most personal and most private information of American citizens
through the HealthCare.gov website. That that responsibility
rests, as you kept testifying, solely--at this point, solely
with the Department of Health & Human Services. Many times, you
said that question should be asked of them, not of you.
    So my question to you, then, would be: Do you play a role
in determining acceptable risk when the Department of Homeland
Security--not the other departments or the Department of HHS,
but the Department of Homeland Security--do you play a role in
determining what is acceptable risk when the Department of
Homeland Security launches--when you launch, that--your
department launches a new website within the Department? Mr.
Duncan was reading off a list of serious risks that the HHS had
identified before the launch of the HealthCare.gov.
    If the Department of Homeland Security would have
identified those kinds of risks, similar risks, before you
launched a website for the DHS--not one of the other
departments, your department--would you have found that risk
acceptable, and would you have advocated the launch of that
website?
    Ms. Stempfley. In the Department of Homeland Security, the
right principle risk acceptance official is the chief
information officer, and that is an organization roughly
parallel to mine. We have a strong engagement with the chief
information officer through a series of information exchanges.
It is not typical, even in the Department of Homeland Security,
for that risk official to reach out to us on specific systems
or applications as they go forward. We engage with them through
the same broad conversations as we go forward.
    For the information technology systems that we operate as I
pointed out, things like the continuous diagnostics and
mitigation program and the intrusion detection programs like
EINSTEIN, which I am grateful to this committee for its support
of--we are responsive to the CIO in detailing the compliance
actions forward and ensuring compliance with security standards
that are set. So there is a----
    Mrs. Miller. But would you have raised any question at all?
I mean, I understand you don't want to answer any questions
about HHS. But now you can't even answer a question about your
own Department. Although you say typically you talk back and
forth, typically----
    Ms. Stempfley. For----
    Mrs. Miller. I mean, typically you can't even raise a red
flag?
    Ms. Stempfley. For the magnitude of the numbers of
applications that we are talking about, ma'am, are substantial.
For example, in HHS, in their FISMA 2012 report, they reported
10,648 individual applications. So within any specific one it
is difficult to go in great detail. For the application----
    Mrs. Miller. So typically, since I have a limited amount of
time--typically you can't even raise those questions, right?
Typically?
    Ms. Stempfley. Typically, under the current authority and
landscape, that is a true statement.
    Mrs. Miller. Okay. Well, that is an interesting answer. I
appreciate your candor. You can't raise a question if you have
those kinds of problems. Could you, then--shifting gears just
for a moment, I wanted to pick on something the Chairman
mentioned at the outset. Typically, the Congress has oversight
responsibilities.
Typically, when we have hearings like this,
typically--for hundreds of years, typically we get testimony
from the witnesses typically at a deadline.
    Now in this case, for whatever reason, we did not get--
whether you were unwilling or unable to give us your testimony.
I mean, as a Member of Congress, trying to typically do my job,
I am trying to read the information the day before, the night
before, whatever so that I can be prepared, typically. But in
this case, we couldn't get your testimony before the hearing.
Now, I don't know if that is typical for you or your Department
not to respond on the deadline. Usually we do get it.
    The Chairman mentioned perhaps it is because the White
House wouldn't allow you, in this case, to give us the
information. Could you expand for me, at least, why that was--
you were not able, you were unable or unwilling, to give us
your testimony to meet the deadline which is a typical
situation?
    Ms. Stempfley. It certainly is--I am a believer of being
prepared myself, and so it is certainly a goal of all of ours
to ensure that we provide information in as rapid a manner as
possible to individuals. In my office we work very hard to
ensure that we are responsive and within the controls and
constraints that we operate under. So I am pleased that you
were willing to have us here to speak, even though the
testimony did not arrive to you in time. So thank you for that.
    I am not familiar with all of the steps between here and
arriving on your door to speak to this specific event. I am
happy to go back and get you an answer.
    Mrs. Miller. Thank you. Mr. Chairman, we are apparently not
going to get any answers out of these witnesses, so I
appreciate that. Appreciate the time. Thank you.
    Chairman McCaul. I appreciate the gentlelady's questioning.
I--as the Chairman of this committee, I would like to know, did
you prepare an opening statement?
    Ms. Stempfley.
Yes, sir.
    Chairman McCaul. That opening statement was not delivered
to this committee. Is that correct?
    Ms. Stempfley. I believe I--you mean an oral statement or a
written statement?
    Chairman McCaul. We--well, we did not have your written
opening statement.
    Ms. Stempfley. I believe that----
    Chairman McCaul. Until 9 o'clock this morning.
    Ms. Stempfley. Yes, until this morning. I believe that is a
true statement--5 copies----
    Chairman McCaul. So it was held up by somebody, correct?
    Ms. Stempfley. Again, sir, I----
    Chairman McCaul. I see you have to refer to counsel. But
can you tell the Chairman?
    Ms. Stempfley. There is a process for----
    Chairman McCaul. Of course there is. But when did you
finish your draft of your opening statement?
    Ms. Stempfley. Thursday? Thursday?
    Chairman McCaul. So Thursday, and here we are today----
    Ms. Stempfley. Yes, sir.
    Chairman McCaul [continuing]. You know, many days later.
Who approved your statement?
    Ms. Stempfley. Who approved my statement?
    Chairman McCaul. Correct.
    Ms. Stempfley. It goes through a series of--the gentleman
who understands the process better than I do. I submit it to
the Department, and the Department submits it forward.
    Chairman McCaul. Okay.
    Ms. Stempfley. I am not sure--I don't have a name of who
approved it.
    Chairman McCaul. You do not know who held up your
statement.
    Ms. Stempfley. I don't know, sir.
    Chairman McCaul. Okay. I would like to know who did, and
why. Because as Mrs. Miller stated, this is not typical.
    Ms. Stempfley. I understand.
    Chairman McCaul. In fact, extraordinary. I personally think
it is due to the sensitivity of this issue. I would like to
know whether the White House did hold this statement up.
    With that, the Chairman now recognizes the gentleman from
Nevada, Mr. Horsford.
    Mr. Horsford. Thank you, Mr. Chairman.
I will try to be \nbrief.\n    I want to first associate myself with the comments of the \nRanking Member and several other Members of the committee who, \nlike myself listening to my constituents, am concerned about \nwhere things stand with the roll-out of the Affordable Care Act \nwebsite and the ability for my constituents and constituents \nacross the country to effectively access and shop for plans \nthat are available. Fortunately, in the State of Nevada, our \nGovernor, despite being opposed to the law, worked with the \nlegislature to implement a State exchange.\n    So we are better off than many States that have--continuing \nto oppose the implementation of the laws, as required. I am a \nbit perplexed by some of the comments that have been made this \nmorning by my colleagues on the other side that are so outraged \nby the glitches and the fact that there are security concerns \nwith HealthCare.gov. Particularly because, as a Member of the \nSubcommittee on Cybersecurity, Infrastructure Protection, and \nSecurity Technologies, we have had many, many, many hearings \nabout the vulnerabilities of personal identifiable information \nin the private sector, as well.\n    There are financial institutions, there are private health \ncare companies that do not do a good job of protecting that \ninformation in the private sector. So if we could just work \ntogether, the two sides, to identify those challenges, and work \ntowards solving them in both the public and private sector, \nthen I think the public would be better off. But unfortunately, \nwe have things like the House Republican playbook that helped \nto disseminate information for how people shouldn't navigate \nthe system effectively and, instead, just bring the negative \ninformation forward.\n    So I want to just ask our panel a couple of questions. \nFirst, Ms. Stempfley, thank you very much for being here. 
I \nknow you have testified several times before the Subcommittee \non Cybersecurity, Infrastructure Protection, and Security \nTechnologies before. To the best of your knowledge, are the \nHIPAA privacy and security standards applicable to the \nexchanges and the data service hub?\n    Ms. Stempfley. Sir, as I believe I said, I am not a HIPAA \nexpert. So I would be happy to find one to answer that question \nfor you, but you are certainly on the edges of my personal \nknowledge.\n    Mr. Horsford. From my understanding, obviously the HIPAA \nrules as established set Federal standards to protect \nindividually identifiable health information. That is a Federal \nrequirement.\n    Ms. Stempfley. Yes.\n    Mr. Horsford. Correct?\n    Ms. Stempfley. Yes.\n    Mr. Horsford. The Department of Homeland Security is \nrequired to meet those Federal privacy and security standards, \ncorrect?\n    Ms. Stempfley. As with HHS, yes, sir.\n    Mr. Horsford. So how do you go about doing that within your \nDepartment?\n    Ms. Stempfley. Forgive me, sir. Can you ask the question \none more time?\n    Mr. Horsford. How does the Department of Homeland Security \ngo about ensuring Federal privacy and security standards apply \nunder HIPAA?\n    Ms. Stempfley. Thank you. Great, thank you. So I--in my \noffice in DHS, we don't actually operate systems who contain \nthat kind of information. So I can speak in general terms about \nthe kinds of requirements we would operate under, and assume \nthat the HIPAA requirements would be similar in that situation. \nSo we are required to submit forward a package of evidence \ndemonstrating our compliance with each of these requirements to \nthe accrediting official.\n    Then the accrediting official reviews that package of \nevidence to determine that--to demonstrate that we have, in \nfact, provided that compliance as they are making their \naccrediting decision.\n    Mr. Horsford. Does the same apply for immigration?\n    Ms. Correa. 
Yes, sir, that is correct. From a system-owner \nstandpoint, that is the process that we follow. We submit the \npackage of information. It goes to the accreditation official, \nwhich normally resides within the chief information officer's \noffice, and they do the accrediting of the system.\n    Mr. Horsford. One last question in my concluding time \nallowed. The issue around the breach procedures. When there is \na breach, what is the requirement in Federal law for the \nnotification of the individual and States if the breach reached \na certain number of individuals?\n    Ms. Stempfley. So, certainly, one of the things that we \nhave been talking about with the subcommittee, sir, is that \nthere is not a single Federal breach require--Federal law \nassociated with data breach requirements. That there is a \nmultitude of State laws that are out there. So I appreciate \nyour raising this issue that I know we have spoken of. When it \ncomes to Federal systems, if personally identifiable \ninformation is, in fact--there has been a breach of personally \nidentifiable information, Department and agency leadership are \nresponsible for making a determination of the scope of that \nbreach and for reporting that to the Department of Homeland \nSecurity. We also through the annual report forwarded both to \nOMB and to--and in the FISMA report.\n    Mr. Horsford. Thank you, Mr. Chairman.\n    Chairman McCaul. The Chairman recognizes the gentleman from \nUtah, Mr. Stewart.\n    Mr. Stewart. Thank you, Mr. Chairman. I am gonna go \nquickly. There is a lot I want to cover.\n    I want to come back to a couple comments that have been \nmade previous, and then--to the witnesses. To Mr. Horsford, I \nappreciate your comments about trying to work together. I would \nremind the committee that that is what we were trying to do. \nThat is why we asked the administration for a delay. 
But the \nPresident assured us again and again and again, he promised the \nAmerican people we are ready. That is why he refused to work \nwith us on any kind of a delay. Of course, we found out now \nthat that is not the case.\n    I want to come back to--just very quickly, about your \nopening--not your opening comment, but your opening statements. \nDid anyone ever advise either of you that they were not going \nto submit those statements to the committee?\n    Ms. Stempfley. No, sir. I believe it was the 5th of \nNovember when I was asked to speak in front of this committee, \nand no one has advised that they weren't gonna be provided.\n    Mr. Stewart. So----\n    Ms. Stempfley. It was just a number of days between the 5th \nof November and the----\n    Mr. Stewart. Okay. So last Thursday you prepared your \nopening statements. You passed those up the line. No one ever \nasked you to revise them, no one ever indicated any problems \nwith them. They just disappeared and no one ever saw them, \nincluding the committee, until this morning. Is that right?\n    Ms. Stempfley. Sir, a number of grammatical errors were \nidentified and corrected----\n    Mr. Stewart. But nothing substantial.\n    Ms. Stempfley [continuing]. In the course of it. But no, \nthere was no----\n    Mr. Stewart. They didn't come to you say this is \nunacceptable, we can't submit this the way it is.\n    Ms. Stempfley. There was--I am trying to remember what it \nstarted and what it looked like when I got it back. But it was \neffectively--it was written and it was sort of choppy and \nsmoothed out. But there were no changes.\n    Mr. Stewart. Okay. So as far as you know, your opening \nstatements were acceptable. Okay. But, apparently, someone \nconcluded they were not because they were not submitted to the \ncommittee.\n    Ms. Stempfley. Sir, I would not--respectfully, sir, I \nbelieve it was just a matter of between the 5th of November and \nthe 13th of November----\n    Mr. Stewart. 
Okay.\n    Ms. Stempfley [continuing]. Going through the set of \nprocesses. It wasn't a----\n    Mr. Stewart. Well, perhaps. Although I think there may be \nothers who would say that it was more than just that. But let \nme move on, if I could.\n    You are both Federal employees, and you both will stay on \nthe Federal Employee Health Benefits program. Is that right? \nYes. You are not gonna move to the exchanges. Of course, both \nof you realize that I will, Members of the committee will, all \nof our staff will. In fact, tens of millions of Americans are \ngonna be forced to move onto the exchanges beginning, you know, \nJanuary 1, where they will be forced, in order to do that, to \nprovide very, very private information.\n    The President won't move onto the exchanges, will he? No. \nNo, of course he won't. Neither will any of his Cabinet, \nneither will Kathleen Sebelius, Secretary of HHS. Knowing that, \ndo you understand and can you help the American people \nunderstand why we are more concerned, apparently, about the \nsecurity of our private information? I am speaking now not for \nmyself or my staff. I am speaking for tens of millions of \nAmericans. What would you say to them who are concerned about \ntheir security, knowing that they have to do something that the \nadministration and the Cabinet and the Secretary will not have \nto do? That is, join the exchanges and provide this type of \nprivate information.\n    What could you say to them to make them feel better about \nthat?\n    Ms. Stempfley. Sir, I have 20 years in the Federal \nGovernment, and much of that focused on ensuring that \ncybersecurity is important to the American public and important \nto the people who build and operate applications, whether it be \nin critical infrastructure or in the Federal Government. It has \nbeen a passion of mine for a number of years. It is one of the \nreasons why I am in the job I am in.\n    Mr. Stewart. Yes. 
Knowing your background there, and \nknowing it is your passion and that you have 20 years of \nexperience, it must be incredibly concerning to you to see some \nof the failures that--and some of the inherent weaknesses that \nare apparent within this website. Does that--is that true? Does \nthat bother you, knowing that it is not as secure as it should \nbe?\n    Ms. Stempfley. I believe the environment that we all \noperate in today and the dependence on information technology \nand our critical infrastructure and in other places, it is \ncertainly an area of focus and concern. I am not personally \nfamiliar with all of the specifics in health care--in this HHS \napplication. So I am, unfortunately, not in a position to----\n    Mr. Stewart. Let me ask--let me finish with this last \nthing. DHS, 99 percent compliant with the FISMA standards, with \nthe Federal Information Security Management Act--99 \npercent. HHS, 50 percent compliant. Yet HHS did not seek out \nany counsel and expertise, any briefings or guidance from DHS \nin implementing and designing the security around their web \npage. Any explanation for why they wouldn't seek guidance from \nDHS, knowing that they were experts on this and that HHS was \nnot?\n    Ms. Stempfley. As I believe I said--that as we make \ndepartments and agencies aware of the capabilities that the \nDepartment has it is incumbent upon them to pick the best time \nin the operational life cycle of their systems and applications \nfor the engagement. I----\n    Mr. Stewart. Okay. I wish they had done that previous to \nthe portals being open, and not after the fact. But I am out of \ntime, and Mr. Chairman thank you for the hearing.\n    I yield back.\n    Chairman McCaul. I thank the gentleman.\n    The gentleman from Arizona, Mr. Barber, is recognized.\n    Mr. Barber. Thank you, Mr. Chairman. I thank you for having \nthis hearing. 
Also, thank you to the witnesses for your work as \nwell as for being here today.\n    I think it has been said, but I certainly agree that the \nroll-out of the Affordable Care Act has been--the website, in \nparticular, has been just a disaster. I think all of us find it \ntotally unacceptable that we would be in this position. While \nthe ACA offers many benefits to millions of Americans, I have \nrepeatedly said that there are provisions that need to be \nfixed, there are unintended consequences that need to be dealt \nwith. We need to move on that, I think, in a bipartisan manner \nin this Congress.\n    Now we come to a potential new problem. We don't know the \nmagnitude of it because it is early days. Obviously, since so \nmany people have not been able to get on the website we really \ndon't know yet how much personal information might be at risk. \nAmericans are putting data in, in order to even begin the \nprocess, that is very sensitive information. I do share the \nChairman's concern that the Department of Health & Human \nServices has a very poor record of cybersecurity, generally \nspeaking. Now, of course, more information than ever before is \ngonna be available through their system.\n    I think the American people, generally speaking, are very \nconcerned about their privacy on a number of levels. I mean, we \ncan go into other areas--we won't today--but this is a new area \nof concern. So having said that, I really believe that unless \nwe can give some assurances that the privacy of information in \nHealthCare.gov is adequately protected it will undermine the \nAmerican people's confidence in that system and they may choose \nnot even to explore their benefits that are available on that \nwebsite, when it gets fixed.\n    So having said that, Ms. Stempfley, your office is \nresponsible for maintaining the security, reliability, and \nresilience of our Nation's cyber and communications \ninfrastructure. 
This oversight and general maintenance \nobviously pertains to our critical infrastructure. But it also \npertains to the security of Federal Governments' cyber \nnetworks, which interface with the private sector and with \nindividual users to access Federal Government websites.\n    I would agree--I hope you would agree, we must be vigilant \nin monitoring and upgrading our systems, and design them to be \nas ironclad and as impenetrable as possible, particularly those \nsystems that house sensitive user data such as HealthCare.gov. \nNow, having said that, Ms. Stempfley, could you talk, in very \nspecific ways, about the steps that your office has taken to \nensure that data that is inputted by American people into the \nHealthCare.gov network, how it has been protected or will be \nprotected, and how have your actions been informed by the \nattempted incursions that you talked about earlier?\n    Ms. Stempfley. Sir, the Department of Homeland Security's \nengagement with the Department of Health & Human Services has \nbeen about general threat information provision of best \npractices and a requirement of compliance reporting. We have \nprovided a verification that Health and Human Services has \ncomplied with as domain name security. That is a set of \ntechnologies that translate internet addresses, the machine-\nreadable information, to human-readable; so when you type \nwww.google.com the internet knows how to translate that.\n    So we have been able to assure--provide verification that \nhave complied with that level of security in their environment, \nas well. However, we have not been in a specific architectural \nconversation with the Department of Health & Human Services on \nthis application.\n    Mr. Barber. Have you had any discussions with Health and \nHuman Services subsequent to identifying, as you said, perhaps \n16 incursions, actual or attempted?\n    Ms. Stempfley. 
We have had an operational conversation \nbetween their security operation center and our US-CERT about \nthese particular activities. As I pointed out, these are under \ninvestigation. These reports came in in the November 6, 7, and \n8 time frame. So there is a period of time where we have to go \nthrough a verification and determination.\n    Mr. Barber. Yes, I appreciate that you have to check in to \nmake sure that you have some--you can verify what is really \ngoing on. But I would urge you, obviously, to speed up that \nprocess. Because if and when the website is fully operational--\nand we are told it will be operational by December--I would \nexpect we will see many more and we need to be prepared for \nthat. I guess my final question is: What plans do you have for \non-going monitoring of the security of the website?\n    Ms. Stempfley. I appreciate the question, sir. A set of \ncapabilities that the Department provides, including one you \nmay know of, is EINSTEIN intrusion detection capabilities, the \nCenter for Medicare and Medicaid Services will be moving its \napplications behind in the second quarter of calendar year \n2013. HHS has been active in attempting to get behind this \ncapability, but had to work through some specific statutory \nlanguage that was in their statutes. Given that I know this \ncommittee has been supportive of, we have been trying to work \nto get some positive authorization language for these CHS \nprograms that would have shortened that time frame.\n    Additionally, they have agreed to be an early adopter of \nthe continuous diagnostics and mitigation capability. So we are \nanxious to get that provided to them. The contract is due to be \nreleased today or tomorrow for the acquisition of those \ncapabilities.\n    Mr. Barber. Thank you for the extra time, Mr. Chairman.\n    I yield back.\n    Chairman McCaul. Yes, let me thank the gentleman for \nraising one issue. That is, you know, EINSTEIN has been around \nfor awhile. 
It seems to me that it should have been applied to \nthis website and to HHS. I think anything we can do to expedite \nthat would certainly be in the best interest of the United \nStates.\n    So with that, the Chairman now recognizes the gentleman \nfrom Montana, Mr. Daines.\n    Mr. Daines. Thank you, Mr. Chairman. I spent 20 years in \nthe private sector prior to coming up to Congress. In fact, the \nlast 12 years, an executive with a cloud computing company. \nPublicly-traded; we took the company public, Oracle acquired \nus. So the point is, I have worked in the enterprise space with \nvery, very large organizations from around the world and \nunderstand the importance, certainly, of privacy as well as \nreliability.\n    As a taxpayer, I think it is outrageous as I have seen what \nhas happened here, where we have taken $500 million--by some \nestimates--to what this project costs--taken out of the pockets \nof hard-working taxpayers into a system that has failed. The \nnumbers are astounding from the benchmarking. Facebook--\nFacebook was operational for 6 years and didn't hit the $500 \nmillion mark. Twitter, operational for 5 years, $360 million \noperational investment. Instagram, $57 million investment.\n    LinkedIn and Spotify didn't even get to the $300 million \nmark in operational. So there will be a lot of questions, \ncertainly, about the cost and benefits, and value for the \ntaxpayer. That is not why we are here, but I want to pivot over \nhere to the issue of security. CBS News reported Monday evening \nthat Mr. Chao, who was the chief project manager of \nHealthCare.gov, testified last week for 9 hours. 
CBS is \nreporting that there was a memo that went out 27 days prior to \nthe launch of the website, on September 3, that said--and this \nwas given to senior officials at CMS--there were two high-risk \nissues that were redacted for security reasons.\n    The memo--I see counsel here is giving advice--the memo \nsaid the threat and the risk potential is limitless. Sir, I \nwant to make sure she hears the question. The risk and the risk \npotential, the threat is limitless. It said CMS said the \ndeadlines to fix these were around mid-2014 and early 2015 to \naddress them. In fact, Mr. Chao testified to these security \ngaps. By the way, when they said ``high-risk,'' what high-risk \nmeans is, according to Federal guidelines--``the vulnerability \ncould be expected to have a severe or catastrophic adverse \neffect on organizational operations, assets, or individuals.''\n    Mr. Chao testified that security gaps, as reported by CBS \nhere, could lead to identity theft, unauthorized access, and \nmisrouted data. As somebody who had to serve large \norganizations, people would have been fired, the company would \nhave gone under--our company--had we launched a website with \nthese kinds of errors. I understand about risk management and \nso forth. But it seems that we leaned in to launch--the Federal \nGovernment did--knowing that there were high-risk security \nissues.\n    Now, as you mentioned in your written testimony, the DHS is \nthe lead for securing and defining Federal civilian \nunclassified information technology systems and networks \nagainst attacks. First, what, if anything, did you recommend as \nfar as policies to CMS and the folks who are running the \nproject here for the HealthCare.gov?\n    Ms. Stempfley. 
As we engage with chief information officers \nin the SISOs, we provide a range of information; from general \nthreat briefings, which we provide to the CIO council on a \nregular basis, to best-practice activities as well as \ninformation about FISMA compliance as they go forward. We \nprovide this at a Department level and to participants in the \nCIO forum and SISO forum. There has not been a specific \ninteraction about--focused on this particular site.\n    Mr. Daines. So if, indeed, what CBS reported here and Mr. \nChao's testimony last week before a committee--if, indeed, \nthere was limitless potential, as I quote the report, for \nsecurity risks, knowing this would you have rolled out the \nHealthCare.gov site on October 1, 2013?\n    Ms. Stempfley. Sir, I am not aware of all of the \ninformation that goes into that went into that.\n    Mr. Daines. But my question is, if you knew that. As \nsomebody who has the lead here of 20 years' experience, and if \nI quote your written testimony here, you have the lead for \nsecuring and defining Federal and civilian unclassified \ninformation, knowing there was limitless potential for security \nrisks, as reported, would you have rolled out, would you have \npushed the button to say ``go'' on October 1, 2013?\n    Ms. Stempfley. Respectfully, sir, I have been an \naccrediting official before. These are very difficult decisions \nthat you make as a part of it, and I couldn't speak to a----\n    Mr. Daines. But with all due respect, you are the assistant \nsecretary----\n    Ms. Stempfley. I am----\n    Mr. Daines. Leadership is about the buck has to stop \nsomewhere. Would you have made that decision, knowing there \nwere limitless risks, if the report is correct?\n    Ms. Stempfley. Respectfully, sir, I can't answer a \ntheoretical in this situation. There is a multitude of \ninformation that goes into it. 
The amount of risk that a \nparticular site operates under is certainly one vector or one \ninput point.\n    Mr. Daines. All right. Well, I will conclude. The irony, \nperhaps, in this is that the failure of the website launch on \nObamacare may indeed have been the best safeguard for the \nAmerican people to protect their personal privacy, given the \nrisks now that are being identified in this launch. That is the \nirony. Because if the American people were prohibited to have, \nwhat, six people sign up the first day perhaps that is \nprotecting the American people because they didn't have a \nchance to enter it in the first place.\n    Yield back.\n    Chairman McCaul. I thank the gentleman. The gentleman \nfrom--Mr. Richmond is recognized, from Louisiana.\n    Mr. Richmond. Mr. Chairman, I guess this hearing is \nappropriate, and I guess the title is appropriate. It reminds \nme of the same show, same one-trick pony, that we keep hearing \nover and over again. The question or concern that I have is \nthat, you know, this is a self-fulfilling prophecy. We keep \ntalking about how bad Obamacare is. We talk about the fact \nthat--discourage everyone that it is not safe. When they don't \nenroll, some of us will declare victory and take glee in the \nfact that people don't have health insurance.\n    At the same time, we run around proclaiming ourselves to be \nthe Christian Right. So I guess my frustration is that there \nare many things that we could come together and do. We tried \nlast year to come together and pass a cybersecurity bill that \nwas bipartisan. What happened when it was time to mark up that \nbill and pass it to the floor? The Republican leadership came \nback and said it went too far, and Republicans had to sit in \nthe room and gut their own cybersecurity bill. 
Which never made \nit to the floor, which we never passed.\n    We sit here today to talk about cybersecurity and how much \nconfidence we should have in HealthCare.gov, when we lack \nconfidence in many areas of cybersecurity, which we have done \nnothing about, we have not passed a bill.\n    Chairman McCaul. Will the gentleman yield?\n    Mr. Richmond. I certainly will.\n    Chairman McCaul. We have conducted over 300 meetings with \nthe private sector. You are referring to last Congress, before \nI assumed the Chairmanship. I am fully committed to marking up \na cybersecurity bill. It is obviously very complex. I want to \ndo it the right way. I appreciate the work that Ms. Stempfley \ndoes in terms of cybersecurity. So know that that is just--as \nthe border security passed in a bipartisan way, I am fully \ncommitted to doing that work in a bipartisan way.\n    I yield back.\n    Mr. Richmond. Mr. Chairman, I believe you. I believe that \nChairman King wanted to do it also. But it was--and we marked \nit up in a bipartisan way, and the Republican leadership gutted \nit. It still didn't make it to the floor. I just say that in \nthe fact that I think that we should all have one purpose. That \nshould be to try to make this a success. Whether you agreed \nwith it or not, it is the law of the land. Let's try to get \npeople health care, get people healthier, and all of those \nthings. Because that is what my interpretation of what we \nshould be doing.\n    See, and I am not defending the launch. The launch was \ndeplorable. However, what real leadership does is acknowledge \nthat it is deplorable, and fix it. So the question would become \nwhen we feel that the website is safer are we going to have \nanother meeting to let the people know that we feel it is safe \nand encourage them to enroll? 
I would suggest that the answer \nwould be no because we want to keep that fear out there to \nreduce the number of people that enroll.\n    So my question would be, to Ms. Stempfley and to Ms. \nCorrea, basically the title of the committee, which I hope you \ncan give a short answer, but: Just how secure is the \ninformation? Do you have faith in the security of the \ninformation that people input into the website?\n    Ms. Correa. I will give Ms. Stempfley a short break. Thank \nyou for your question. I really couldn't answer that question. \nBecause, as I have indicated from our discussion, what we see \nis the information that is submitted through the hub to ask for \nthe immigration status of a particular applicant. So I couldn't \nreally talk to the front end of the process. Thank you.\n    Ms. Stempfley. The American public gives the Government its \ninformation in a variety of places and sources. Certainly, in \nmy experience with SISOs, the information security officers \nthroughout the Federal enterprise, they are committed to the \nobligation that they have in securing these systems and \napplications. I am not familiar with the specific security \nfeatures of the 10,000 applications that HHS operates, for \nexample, nor am I familiar with the specific security features \nof the tens of thousands and hundreds of thousands of \napplications across the Federal enterprise.\n    But I do know that in the Department of Homeland Security \nand with the SISOs that I work on a regular basis they are \nall--feel passionately about their obligation to protect this \ninformation that the American public gives the Government.\n    Mr. Richmond. With the knowledge and expertise that you \nhave in this arena--and you do it every day, and subject-matter \nexpertise--two-part question: Would you enter your information \ninto the exchange, the web portal? If not, would you do it at \nthe end of the month? 
At what point do you feel it is ready for \nyou to input your information?\n    Ms. Stempfley. So I, like all of us, put our information in \na variety of systems and applications, whether it be my bank, \nwhether it be HHS. I have family information in the HHS system \nbecause I am also a taxpayer. I do that, recognizing that \nwhenever I give my information to someone else, under any \ncircumstances, there is a--you know, there is a potential of it \nbeing at risk. Whether it be, again, my bank or my electric \ncompany or a Federal enterprise. But I do it because I believe \nthe benefit of doing so outweighs whatever that risk might be.\n    Mr. Richmond. Thank you, Mr. Chairman. I yield back.\n    Chairman McCaul. I thank the gentleman.\n    The Chairman recognizes Mr. Hudson, from North Carolina.\n    Mr. Hudson. Thank you, Mr. Chairman. I want to thank you \nfor having this hearing today on this very important topic. You \nknow, I go home every weekend, I travel my district, I talk to \nmy constituents as much as possible. I have been inundated with \ncalls and mail from my constituents who are deeply concerned \nabout the implementation of the Affordable Care Act. Lately, \nthe news reports about this implementation have focused on the \nwebsite.\n    As my colleague said, it has been a disaster. A lot of \nattention has been focused on the premium increases. North \nCarolina has been hit harder than most States. Women in our \nState can expect their rates to triple; men can expect them to \nquadruple, on average. So a lot of attention has been given to \nthat problem. Then we have heard a lot about loss of coverage. \nI was talking to a husband in Rockingham the other day whose \nwife has an acute illness. Their doctors told them that under \nthe Affordable Care Act he is no longer gonna offer them care.\n    So these are huge problems. 
But I think what has been lost \nin all this are these issues, this important issue, of security \nof our private information. I mean, we have an unprecedented \ncollection of data that the Government is undertaking now of \npersonal information. It is unprecedented that the Government \nwill be collecting these types of information through one \nprocess. So it is important that we talk about this and we \nexamine the issues here.\n    I am disappointed that our--I appreciate your all being \nhere, I appreciate the job you do. It is disappointing, though, \nthat DHS doesn't--isn't able to answer questions about this \nwebsite. That DHS doesn't have a working understanding of how \nthe security parameters of this website were set up. It is \ndeeply troubling to me that HHS, CMS hasn't asked the folks who \nare the experts in this--Secretary Stempfley's organization--to \nhelp with this implementation.\n    Why wouldn't you go to the experts when you have got a huge \nproblem? Especially when one of the architects of this website \nsaid, ``that there is limitless potential for security risks.'' \nThese are the folks building the website, have said this is a \nhuge problem. Yet they are not asking people who are experts at \nthis how to help them. So I appreciate you being here, Ms. \nStempfley, and I am--again, I appreciate the work you do. I am \njust sorry you weren't more involved in this because the \nAmerican people deserve every effort we have as a Government to \nprotect them.\n    So I will focus my questions on a different topic related \nto this: Ms. Correa, one of our colleagues earlier asked the \nquestion what happens if we run a query about someone's \ncitizenship, and we determine that they are here illegally, or \nan undocumented person. Would you tell me what happens at that \npoint? Is any action taken, any enforcement action on that \nindividual?\n    Ms. Correa. Thank you for your question, sir. 
Again, as I \nmentioned before, the way the process works is, an individual \nwho presents themselves to a benefit agency, a benefit-granting \nagency, has to present the information, documentation, on their \nstatus. Whether they are a citizenship or they attest, if you \nwill, in their application as to whether or not they are a \ncitizen. If they are not a citizen, then the information is \nprocessed as a query.\n    Mr. Hudson. If I can interrupt real quick. So it is up to \ntheir own word as to whether they are a citizen or not? Self--\n--\n    Ms. Correa. They are--when they apply for a benefit, they \nare filling out a form. On that form they typically attest what \ntheir status is, whether----\n    Mr. Hudson. So if they choose to mislead and say they are, \nthere is no----\n    Ms. Correa. If the agency, the benefit-granting agency, \nwould then, if they attest that they are not a citizen or the \nSocial Security Administration cannot confirm that they are a \ncitizen, would then request their information and process a \nquery through SAVE. SAVE would then go out and ping our \ndatabases to identify what the immigration status of that \nindividual is. Typically, our response is either to give what \nthe immigration status is, or if we cannot confirm the \nimmigration status, then we prompt the agency to go through the \nadditional verification steps.\n    As I described, the second step they could provide \nadditional information, other documentation, or other names \nthat the individual may have used.\n    Mr. Hudson. So at the end of the process, if you determine \nyou can't verify they are a citizen, what happens then?\n    Ms. Correa. At that point, what we notify the agency to do \nis to tell this applicant to schedule an appointment with \nUSCIS. We give them the pertinent information to come in and \nsee us. Because there could still be an error in their record. 
\nSo what we do is try to have an appointment with them, come \nvisit one of our adjudication officers who would then look at \ntheir data and look up their information in the records \ndatabase.\n    From a SAVE standpoint, we don't take any further action. \nIn other words, we cannot change an individual's record. We do \nnot tamper with the record at all whatsoever. We refer them to \none of our adjudications officers, who would then look at the \ninformation.\n    Mr. Hudson. So as my time is running out--so if someone--\nyou can't verify they are a citizen, they don't come in to see \nyou, that is it. We don't follow up, we don't enforce any \nimmigration law on this illegal person.\n    Ms. Correa. Not that I am aware of, sir, but I could \nconfirm that for you.\n    Mr. Hudson. If you wouldn't mind, I would appreciate that.\n    Mr. Chairman, my time has expired. I will yield back.\n    Chairman McCaul. I thank the gentleman.\n    The gentlelady from Texas, Ms. Jackson Lee, is recognized.\n    Ms. Jackson Lee. Mr. Chairman, let me thank you, as well, \nand Mr. Thompson for this hearing. I always believe that the \nexercise of our oversight is crucial and important. I think \nthis is the first hearing that I have been in since the loss of \nMr. Gerardo Hernandez, and I want to publicly offer my deepest \nsympathy to him and his family. That is the transportation \nsecurity officer killed in the line of duty, which reinforces \nthat the U.S. Department of Homeland Security is on the front \nline, all of your staff and personnel. Would you offer to all \nof them my deepest sympathy, and to his family.\n    I wanted to pursue a line of questioning that I think may \nbe helpful to us. First of all, I think it is important to note \nthat this committee invited DHS on November 5, which gives less \nthan 8 days, because of an intervening holiday. So let me thank \nyou for getting your testimony in as quickly as possible. 
I am \nnot at the agencies, but I do know that there is a layer of \nreview. Although you may be an eloquent writer, you may be a \npoet laureate, I know that they have to review your work. So I \nam grateful that you got it in.\n    One of the things that is happening all over the Congress \ntoday, we have got sequester issues, budget issues. But we are \ndealing with the Affordable Care Act and oversight and homeland \nsecurity and small business. Certainly, I think it is important \nto emphasize that the Affordable Care Act is here and it deals \nwith health care. It deals with having the ability to have \ninsurance if you have a preexisting disease. You can stay on \nyour family's insurance to age 26; preventive care and wellcare \nexamples. It is a solid piece of legislation, and I am grateful \nthat it is here.\n    Like my colleagues, I am dogged about fixing the technology \nand, as well, dealing with our privacy and the protection of \nthe privacy of the American people. They should know that. That \ncollectively, as Republicans and Democrats, we will not yield \nany moment, any minute, any second to protecting their private \ndata. In fact I have joined on to legislation by my colleague, \nJim Sensenbrenner, to, in essence, protect American citizens \nwith any reach of privacy beyond what is required for security \nunder the National Security Agency. I take no back seat to \nthat.\n    So in making that point, I want to just emphasize what I \nthink your work is. Let me go to Ms. Correa, and indicate--and \nlet me just make the point. There is always a representation \nthat Republicans had nothing to do with the Affordable Care \nAct. Well, it was the Republicans' amendments that required the \nchecking of citizenship and income. That was their language. I \nam surprised that every time we see a Republican, my friends, \nthey are talking about ending the Affordable Care Act. We never \ngot any amendments in. 
They got eons of amendments in to this \nbill.\n    That was one of them, which requires this simplistic data \ncollection, which is simply that. So I want to ask the \nquestion. This is data collection that is basically information \non income and citizenship. These fields of data are checked \nwith the records of accuracy. Is that what you do, Ms. Correa? \nWhen it comes in, you check the accuracy on citizenship issues?\n    Ms. Correa. That is correct.\n    Ms. Jackson Lee. All right. Once it is checked, is this \ninformation kept or discarded? The inquiry and the information?\n    Ms. Correa. We retain the transaction information because \nwe go back and do quality control checks to make sure we are \ngiving accurate information. But we do not download the actual \nrecord. Only the immigration status and the----\n    Ms. Jackson Lee. So what do you specifically keep?\n    Ms. Correa. That information--the immigration status, the--\n--\n    Ms. Jackson Lee. When you have an inquiry from HHS.\n    Ms. Correa. We retain the inquiry information that was \nreceived. The individual's name, their alien registration or I-\n94 number.\n    Ms. Jackson Lee. That you received an inquiry from HHS. How \nlong do you keep it?\n    Ms. Correa. I would have to confirm how long.\n    Ms. Jackson Lee. Well, you need to get an answer about how \nlong you keep it. Is it protected information?\n    Ms. Correa. Yes, it is.\n    Ms. Jackson Lee. Have you been hacked?\n    Ms. Correa. I am not aware that we have been hacked. I will \nconfirm that for you, but I am not aware that we have been \nhacked.\n    Ms. Jackson Lee. So what is your measure of securing it?\n    Ms. Correa. Our system is accredited and certified by our \nchief information officer.\n    Ms. Jackson Lee. Do you do regular checks?\n    Ms. Correa. Yes, we do.\n    Ms. Jackson Lee. Is it your highest responsibility to \nprotect this information of the American people?\n    Ms. Correa. Yes, it is.\n    Ms. 
Jackson Lee. You only get--you get information. Suppose \nsomeone is calling for Mr. Garcia, who is a citizen. Are you \nkeeping that inquiry, as well?\n    Ms. Correa. In the SAVE program, no. If the individual has \nattested they are a citizen----\n    Ms. Jackson Lee. Yes.\n    Ms. Correa [continuing]. And Social Security has been able \nto confirm, then we would never receive that query.\n    Ms. Jackson Lee. All right. So therefore, it is only \nindividuals that may be in question.\n    Ms. Correa. Correct.\n    Ms. Jackson Lee. You are checking this every day.\n    Ms. Correa. Yes, as query----\n    Ms. Jackson Lee. Or a regular basis.\n    Ms. Correa [continuing]. As queries are received, yes.\n    Ms. Jackson Lee. Let me go to Ms. Stempfley. You are the \nlead agency that coordinates on the cybersecurity for other \nagencies in the United States. The other--you sort of lead, but \nyou have the point that the other agencies also have \nresponsibility for their cybersecurity. Is that correct?\n    Ms. Stempfley. Yes, ma'am.\n    Ms. Jackson Lee. But as your Department, or your subset \nDepartment, DHS, do you feel that there are competencies under \nyour jurisdiction that are attentive to protecting information \nand preventing hacking through the DHS agency and in \ncoordinating with the other agencies?\n    Ms. Stempfley. Yes, ma'am, we are very focused on that. My \npart in the Office of Cybersecurity and Communication, and \nthere are competencies in the data operation centers through \nthe Federal enterprise.\n    Ms. Jackson Lee. So what--if we were to keep this system in \nplace, based upon Republican amendments, into the ACA--checking \nincome and immigration status, and that was being held--you \ndeal with cybersecurity, you deal with the potential of hacking \nor information going in a different direction that it should \nnot go. 
What is your level of confidence and your level of \ncompetence that you are working in a coordinated fashion, but \nhave the level of technology that can assure, as much as \npossible, the protection of this information?\n    Ms. Stempfley. So I am very grateful both for the question \nand for this committee's continued support of DHS authorities \nand support of important programs that will improve both the \ncompetence and confidence in this area. As we have been talking \nabout the continuous diagnostic and mitigation activity and the \nFISMA reform efforts that will both increase the awareness \nacross the Federal enterprise of the operational risks that \nsystems are operating under on a daily basis, and enable \naccrediting officials to take that into account in something \nmore often than annual or every 3-year accreditation processes. \nAs well as I believe I----\n    Ms. Jackson Lee. But are you confident in your present \nstructure in your oversight on cybersecurity? That is, \ninformation is being gathered; you don't compare this to the \nVeterans Administration loss of 24 million records under the \nBush administration. We are not at that----\n    Ms. Stempfley. We are not at that----\n    Ms. Jackson Lee. We are not at that point. So are you \nconfident, as this huge process is going forward, that we have \na system in place to protect that information?\n    Ms. Stempfley. Yes, ma'am.\n    Ms. Jackson Lee. I thank you very much for your answers.\n    Mr. Chairman, I hope that we can rid ourselves of \nsequestration so we can invest more in the work that is being \ndone by Ms. Stempfley and Ms. Correa. I yield back, thank you.\n    Chairman McCaul. I thank the gentlelady. Also, the \ngentlelady is correct that we did put provisions in to assure \nthat only those legally in the country received this--that were \neligible under this law. 
Also, we both agreed that if you have \na preexisting condition you cannot be denied coverage, as well.\n    I will just add lastly that we did make a request for the \nstatement, the opening statements, on August 31, and that is \nalmost 2 weeks. I am sorry, October 31, nearly 2 weeks.\n    So with that, the Chairman now recognizes the gentleman \nfrom Pennsylvania, Mr. Barletta.\n    Ms. Jackson Lee. Well, Mr. Chairman, I thank you. We \nrecognize the pounding of work on these various hard-working \npublic servants. As you well know, we were in the middle of a \nGovernment shutdown, and so I appreciate timely responses, Mr. \nChairman. I hope that they will work to get timely responses.\n    I yield back, Mr. Chairman. Thank you.\n    Chairman McCaul. Yes, right. The Chairman recognizes Mr. \nBarletta.\n    Mr. Barletta. Thank you, Mr. Chairman. Ms. Stempfley, I \nwould like to continue on and follow up on some questions that \nMr. Meehan had brought up earlier. Secretary Sebelius admitted \nthat convicted felons could be hired as exchange navigators \nbecause there was no background checks system in place for \nthese individuals. Why aren't we conducting background checks?\n    Ms. Stempfley. Respectfully, sir, my area of expertise is \ncybersecurity. Physical security and personal security are \noutside of that area. I am happy to take the question, but I \ncould only speculate and that seems inappropriate.\n    Mr. Barletta. Okay. With your expertise in cybersecurity, \ndo you think it would be a good idea to do background checks on \nthese navigators?\n    Ms. Stempfley. I believe one of the things that we \ncertainly focus on is assuring the protection against----\n    Mr. Barletta. I am just asking: Do you think it would be a \ngood idea to do background checks on the navigators?\n    Ms. Stempfley. I am happy--again, sir, I would be----\n    Mr. Barletta. No. Do you think it would be a good idea? \nThat is all I am asking, real simple. 
Do you think it would be \na good idea to do background checks on navigators?\n    Ms. Stempfley. I believe that all individuals should be \nvetted----\n    Mr. Barletta. Good idea, bad idea?\n    Ms. Stempfley [continuing]. Prior to access to the \ninformation that they provided.\n    Mr. Barletta. Good idea, bad idea?\n    Ms. Stempfley. I am not trying to evade, sir. I believe \nthat all individuals should be vetted prior to access.\n    Mr. Barletta. I am not gonna get an answer. Ms. Correa, my \ntime--I was mayor for quite some time. I remember one \nindividual. He was in the country illegally. It took our \ndetectives 5 hours to determine who he was. He had five Social \nSecurity cards, five different identities. You suggested a \nlittle earlier that illegal immigrants won't try to go through \nthe system, and because you are using the SAVE system. I am \ngonna disagree with you.\n    That is simply not true. We know, for a fact--is the SAVE \nsystem used for the SNAP program, do you know?\n    Ms. Correa. Not that I am aware of. Sir, may I clarify? I \nwasn't trying to imply that an illegal alien wouldn't try. What \nI was trying to make clear was that they would have to have \nsome form of documentation----\n    Mr. Barletta. Do you think that they can get through the \nsystem?\n    Ms. Correa. It is hard to say. It would depend on the \ndocumentation that they present.\n    Mr. Barletta. Well, we know for a fact that illegal \nimmigrants are able to access many Federal benefits through \nfraudulent documentations. We know that for a fact. That is--\nyou know, so I don't believe this Government program will \nreally be any different. There is nothing that indicates that \nit will. So if you determine an applicant is in the country \nillegally, am I correct, there is no enforcement action taken?\n    Ms. Correa. The SAVE program isn't making a determination \nwhether that individual is here illegally, or not. 
What the \nSAVE program is doing is based on the information that was \npresented to us. We are going out and checking the Federal----\n    Mr. Barletta. Well, it does tell if they are a lawful \ncitizen.\n    Ms. Correa. Whether they are here as----\n    Mr. Barletta. Right. So, you determine that this individual \nis not lawfully here, there is no enforcement action taken?\n    Ms. Correa. As I explained earlier, the determination that \nwe make is whether we can confirm that individual's immigration \nstatus and provide that information----\n    Mr. Barletta. Okay, so you determine that individual's \nstatus, that that person is not legally present in the United \nStates. Is there any enforcement action taken?\n    Ms. Correa. We don't determine whether the person is here \nlegally or not because we are not seeing the individual. All we \nare seeing is the information that comes through the query.\n    Mr. Barletta. So if the information that is presented is \nfraudulent, what happens?\n    Ms. Correa. We don't have a way of determining if that \ninformation is fraudulent.\n    Mr. Barletta. So we don't know.\n    Ms. Correa. As it is presented.\n    Mr. Barletta. So it doesn't seem like there is really any \nguard for illegal immigrants to access this program as they \nhave been able to access many Government programs. We know \nthere is fraud in so many Government programs. How can we \nassure the American people that this time we got it? This time \nwe are not gonna let people illegally get into a program that \nthey are not rightfully entitled to.\n    Ms. Correa. Sir, if I may explain. I appreciate your \nquestion. The benefit-granting agency is the organization that \nis receiving the information from the individual and is privy \nto that information. They submit a query to us, where we go \nback and confirm----\n    Mr. Barletta. But if the information is fraudulent.\n    Ms. Correa. 
What we do is, the only way we could ever \ndetermine that is if somebody actually sees the documents and \ncompares them to the individuals. That is why if we cannot \nconfirm immigration status we do ask them to set up an--to \nrefer the individual----\n    Mr. Barletta. I am not real confident that we are gonna be \nable to stop it. I just want to close, Mr. Chairman. I am a \nhuge baseball fan, huge baseball fan. Now that the Affordable \nCare Act has been rolled out, we find that the website doesn't \nwork, that Americans' personal information is at risk, that \nfelons could be navigators. This is only the first inning. The \nObamacare batting average is not so good.\n    If the Affordable Care Act was a baseball player, and I was \nthe manager, I would bench him. Thank you.\n    Chairman McCaul. I thank the gentleman for his analogy.\n    With that, I want to thank the members of the first panel \nfor their valuable testimony here today. With that, this panel \nis dismissed, and the clerk will prepare for the witness table \nfor a second panel.\n    I am pleased to welcome the second panel to today's \nhearing. Mr. Luke Chung is the president at FMS, Incorporated, \na company he founded in 1986. In addition to being a primary \nauthor and designer of many FMS commercial products, Mr. Chung \nhas personally provided consulting services to a wide range of \nclients. A recognized database expert, highly-regarded \nauthority in the Microsoft Access developer community, Mr. \nChung was featured by Microsoft as an Access hero during \nAccess' 10-year anniversary celebration. Mr. Chung, really good \nto have you here.\n    Our second witness, Mr. Waylon Krush is the chief executive \nofficer of Lunar, Incorporated. He served over 15 years of \nexperience in critical infrastructure protection, information \noperation, signal intelligence, system and telecommunications \nexploitation, and certification and accreditation. Prior to \nbecoming CEO, Mr. 
Krush was a senior InfoSec engineer in AT&T's \nadvanced systems division and chief of the information \nassurance group with the GRC/TSC.\n    The witnesses' full written statements will appear in the \nrecord. I now recognize Mr. Chung for 5 minutes for his opening \nstatement.\n\n         STATEMENT OF LUKE CHUNG, PRESIDENT, FMS, INC.\n\n    Mr. Chung. Well, thank you very much for having me. I am \nthe president and founder of FMS, Inc., a privately-held \nsoftware development firm located in Vienna, Virginia. For 27 \nyears, we have offered commercial software products and \nservices. We have tens of thousands of customers in over 100 \ncountries, including 90 of the Fortune 100. In response to 9/\n11, we created a product, Sentinel Visualizer, a link analysis \nsolution for the counterterrorism, defense, and law enforcement \ncommunities.\n    That work led to our only outside investor, InQTel, the \nCIA's venture capital arm. We also have a professional \nsolutions group that creates custom software. An example is a \nhumanitarian relief logistics system we built for the Pan-\nAmerican Health Organization and United Nations. It is deployed \naround the world, and I presume it is in heavy use right now in \nthe Philippines. I am a graduate of Harvard College, with a \nbachelor's degree in engineering and a masters in physical \noceanography.\n    On October 1, I visited the HealthCare.gov website, eager \nto see what it offered. As a small business owner, I am faced \nwith the challenge of purchasing health insurance for my \ncompany and family. Unfortunately, my shopping experience \nfailed due to technical problems with the website. It was not \ndesigned to be customer-friendly, appeared to be developed by \namateurs, and seemed to be untested. 
I sensed the site would \nnot work for one person, much less a National enterprise \nquality solution that was needed.\n    I wrote a blog post that day providing a nonpartisan \ntechnical assessment entitled ``HealthCare.gov is a Technical \nDisaster.'' I warned that the problems were far deeper than too \nmany users, and concluded this would be a huge public relations \nproblem that could doom the Affordable Care Act. That is what I \nsaw on Day 1. My blog post went viral. After a week, I was \nquoted in the New York Times and have been on many radio and \nNational TV news shows, which led to my appearance before you \ntoday.\n    I would like to say that my firm is not involved with the \ndevelopment of HealthCare.gov, we did not bid on any portion of \nthe project, and I am here to provide my perspective as a small \nbusiness owner, someone experienced with database web \ndevelopment and familiar with the Government contracting \nprocess. Since I don't like being a critic without offering \nsolutions, on October 14 I wrote another blog post outlining \nhow HealthCare.gov could be built properly; a site that would \nmatch the customer buying process, be quicker to develop, \neasier to test, be more robust, support more users, and be more \nsecure.\n    It is not that complicated. This website does not provide \nhealth care. It does not even provide health insurance. It is \nsupposed to let consumers shop and choose among health \ninsurance plans, and then apply for a subsidy. It is \nessentially the automation of a paper form. So how did we get \nhere? Originally, I thought the design decisions of \nHealthCare.gov were created by amateurs who didn't know what \nthey were doing. Now I see the design decisions can be \nexplained by considering what the contractors would choose to \nmaximize profitability at every step of the way.\n    The current Government contracting system discourages \ntechnically-qualified companies like mine. 
The big Government \ncontractors are great at winning contracts, protesting lost \nawards, and generating change orders. They are not known for \ntheir technical expertise and would be unlikely to survive in the \nprivate sector. This is a complete breakdown in managing \ntechnology investments. Policymakers and politicians do not \nunderstand if a project should cost a million dollars or $200 \nmillion, or the decisions they make that impact price.\n    For instance, $200 million, at a generous $200 per hour, \nis 1 million man-hours. That is 500 man-years. Forget the \nmoney. What could these contractors have possibly been doing \nwith all that time? I propose that the Government needs to \ncreate a nonpartisan technology accountability office, TAO, \nsimilar to the GAO that is capable of assessing and managing \nGovernment technology projects. The TAO also needs to be \nempowered to enforce accountability.\n    Bad performance does not seem to prevent contractors from \nwinning new contracts. Multi-year and permanent bans should \ntarget underperforming vendors and their owners and the \nmanagers. Get refunds. In the private sector, vendors that fail \nlike this would rarely be allowed back in an organization. In \nconclusion, I have provided written testimony with additional \nexamples, information, and recommendations on investigating how \nso much money was spent for so little. This is a scandal beyond \nHealthCare.gov.\n    Unfortunately, the Federal Government has paid for even \nlarger software projects that were never deployed. Without \nchanging the processes, there will be more technology disasters \nin our future. Just so you know, while I was able to complete \nmy HealthCare.gov application on October 1, it remains in \nprogress as of last night. Thank you for inviting me. I look \nforward to your questions.\n    [The prepared statement of Mr. 
Chung follows:]\n                    Prepared Statement of Luke Chung\n                           November 13, 2013\n                                summary\nAbout Me and FMS, Inc.\n    I'm the president and founder of FMS, Inc., a privately-held \nsoftware development firm in Vienna, Virginia. For 27 years, we've \ncreated database solutions with a combination of commercial products \nand services. In response to 9/11, our Advanced Systems Group created \nSentinel Visualizer, a product for the counter-terrorism, defense, and \nlaw enforcement communities that led to our only outside investor, \nInQTel, the CIA's venture capital arm. We have tens of thousands of \ncustomers in over 100 countries, including 90 of the Fortune 100. Our \nProfessional Solutions Group has created a wide range of custom \nsolutions, some which are more complex than Healthcare.gov, but never \nmore expensive. I'm a graduate of Harvard College with a bachelor's in \nengineering and a master's in physical oceanography.\nMy Experience with Healthcare.gov\n    On October 1, I visited Healthcare.gov to get an insurance quote \nfor my family. The experience was so terrible that I documented the \ntechnical problems I encountered and wrote a blog post about it. I \ncould tell immediately from the nature of the crashes I encountered \nthat the site was not ready for prime time. It had a terrible design \nthat was not consumer-friendly, seemed to be coded by amateurs, and \nwasn't tested. I could tell the site would not work for one person much \nless the expected load.\n    The blog post I wrote on October 1 went viral as people began to \nunderstand the problems were deeper than too many users. That led to \nbeing quoted in the New York Times and appearing on radio and news \nshows such as CBS, CNN, Fox, MSNBC, NBC, Hannity, Greta, Al Jazeera, \nGeraldo, etc. 
Throughout the period, I've learned more about the \nwebsite and its many problems both political and technical.\nHealthcare.gov Overview\n    This website should not be that difficult to build. It doesn't \nprovide health care. It doesn't even provide health insurance. It's \ncomparing plans and applying for a subsidy. It's the automation of a \npaper form.\nSecurity Implications\n    Security is considered at the beginning of a project, not at the \nend. Avoiding the collection of unnecessary personal information is the \nfirst step to reducing security issues. Separating the user experience \nfrom back-end legacy systems is another. The pressure to make a \nsoftware solution ``work'' is not conducive to good security. There are \nways to improve the user experience, scalability, and security.\nContractor Abuse of Taxpayers\n    Healthcare.gov is just one example of a software project gone awry \nthat Government contractors profited at the expense of taxpayers. I \noriginally thought the website was created by people who didn't know \nwhat they were doing; that they were trying to do too much in an \nunnecessarily complicated and thorough manner. My thoughts have evolved \nand I now feel that it's designed quite cleverly to maximize taxpayer \nexpense. This is a scandal that needs to be investigated. Follow the \nmoney and I believe you'll see design decisions that led to increased \ncosts. There are ways to improve governance to fix this.\n                               background\n    Thank you for inviting me to your hearing.\nAbout FMS, Inc.\n    I'm Luke Chung; the president and founder of FMS, Inc., a \nprivately-held software development firm located in Vienna, Virginia. \nSince 1986, FMS has provided software products and development services \nto commercial and Government agencies. Over 27 years, we've created a \nwide range of database solutions helping organizations make better \ndecisions based on data. 
These important decisions include delivering \nservices, managing operations, understanding finances, increasing \naccuracy, improving customer service, making fewer errors, targeting \ncriminals, making more money, and increasing efficiency. We have tens \nof thousands of customers in over 100 countries.\n    In the 1990s, we became the world's leading provider of commercial \nproducts for Microsoft Access with 12 solutions to help people better \nanalyze data, automate e-mail blasts, create better solutions, \neliminate errors, and provide system administration.\n    In response to 9/11, we created the FMS Advanced Systems Group to \nuse link analysis and social network analysis (SNA) to find hidden \nrelationships among people, places, and events. That led to the \ncreation of our Sentinel Visualizer product that helps analysts in the \ncounter-terrorism, defense, and law enforcement communities, both in \nthe United States and abroad. Sentinel Visualizer led to our only \noutside investor, InQTel, the CIA's venture capital arm.\n    In addition to our commercial off-the-shelf products, the FMS \nProfessional Solutions Group has created custom database applications \nfor a wide range of customers. Examples include the Logistics Support \nSystem for the Pan American Health Organization sponsored by six U.N. \nagencies. It coordinates humanitarian relief logistics for disaster \nzones and is deployed with language localization features in over 100 \ncountries, including the Philippines. FMS also created a course \nmanagement system for the Defense Acquisition University, which \nprovides non-military training to all branches of the DoD. FMS has also \ncreated custom solutions for event management, e-commerce, logistics, \neducation, health care, public works, nonprofits, and businesses.\nAbout Me\n    I'm originally from New York, grew up in Orlando and Sarasota, \nFlorida, and am a graduate of Harvard College. 
I have a bachelor's \ndegree in engineering, and a master's degree in Physical Oceanography. \nPrior to founding FMS, I worked as a management consultant at Strategic \nPlanning Associates/Mercer.\n  <bullet> Current member and past president of the Washington, DC \n        Chapter of the Entrepreneurs Organization.\n  <bullet> Serve on the Business and Community Advisory Council to the \n        Fairfax County Virginia Public School Superintendent.\n  <bullet> Serve on the Information Technology Policy Advisory \n        Committee to assist the Fairfax County Board of Supervisors \n        oversee county technology investments. The committee exists \n        because the supervisors recognized years ago they were unable \n        to provide the proper governance over their technology \n        investments.\nCaveats\n    My testimony is based on my personal experiences and opinions. I am \nan observer to the Healthcare.gov website and am not personally \ninvolved with its design and development. Any suggestions of \nincompetence or wrongdoing are comments intended for further \ninvestigation by the committee.\nMy Perspective\n    I am providing my testimony from a non-partisan perspective focused \non my decades of experience creating database solutions, the challenges \nof running a small business, and having observed how the Government \ncontracting world works.\n    In 27 years running FMS, I've experienced multiple Government \nadministrations, economic cycles, and changes with technology. I run a \nsmall business and have responsibilities to my clients, firm, \nemployees, and family. These obligations include buying health \ninsurance.\n              experience with healthcare.gov on october 1\n    On October 1, I visited the Healthcare.gov website to get an \ninsurance quote for my family. 
I wanted to see what policies were \navailable and how they compared in features and price to what my small \nbusiness is currently purchasing in our group plan.\n    What started as a simple shopping experience turned into a venture \ninside the technically worst website I've ever visited. It was so bad \nthat I started documenting the bugs I encountered. I was shocked \nbecause the mistakes were so amateurish that it seemed the website was \ncreated by people who had never been paid to write commercial software. \nBased on my experience, I realized that if those types of bugs existed, \nthe website had huge problems way beyond the number of users. I sensed \nthat it would not support one user, much less the millions expected.\n    The shocking part is that this website should be very simple:\n  <bullet> It does not provide health care;\n  <bullet> It does not even provide health insurance;\n  <bullet> It's supposed to let consumers compare and choose among \n        insurance plans;\n  <bullet> It's supposed to generate a subsidy, if any, to buy \n        insurance;\n  <bullet> It is essentially the automation of a 12-page paper form.\n    I shared my findings in a company blog post entitled Healthcare.gov \nis a Technological Disaster \n(http://blog.fmsinc.com/healthcare-gov-is-a-technological-disaster/)--See \nAppendix A. It includes screenshots of the crashes and \nsuggested that I was embarrassed for my profession for delivering such \njunk. It looked like the developers never used or tested it. I \nconcluded that the quality of the work wouldn't pass a computer science \nclass and that there would be huge Public Relations problems that could \ndoom the entire Affordable Care Act. 
That's what I saw on Day 1.\nResponse to My Blog Post\n    While the contractors and administration tried to spin the problems \nas the result of too many users, my blog post--which provided a non-\npartisan, technical evaluation of Healthcare.gov--started getting \npicked up by multiple websites. And through the power of social media, \nit went viral.\n    Within a week, I was quoted in a New York Times article which was \nfollowed by interviews with radio and National TV news channels \nincluding CBS, CNN, Fox, MSNBC, NBC, Sean Hannity, Al Jazeera, Greta \nvan Susteren, Geraldo Rivera, etc. It has led to this testimony.\nOffering Solutions\n    Since I don't like being a critic without offering possible \nsolutions, on October 14, I wrote another blog post outlining how \nHealthcare.gov can be properly built: Creating a Healthcare.gov Web \nSite that Works (http://blog.fmsinc.com/creating-a-healthcare-gov-web-\nsite-that-works/) see Appendix B.\n    My suggestions would create a website that would better address the \nneeds of the customer, be simpler to develop, easier to test, more robust, \nsupport more simultaneous users, and be more secure. It would separate \nthe shopping experience and an estimate of a subsidy from the actual \napplication to receive a subsidy (the part that needs to be secure). \nThe marketplace would be the central site where it would be easy to \ncompare insurance plans before worrying about pricing and subsidies. \nThe site would be hosted on commercial cloud providers that could scale \nto support huge numbers of simultaneous users. It would use commercial \nbusiness software that would significantly reduce the amount of code \nthat needs to be written and tested, which would also reduce the \nsecurity risk.\nHealthcare.gov Observations\n    Here are my observations about the technical issues I encountered \non the Healthcare.gov website:\n  <bullet> It's poorly designed. 
It doesn't address the needs of a \n        consumer trying to shop for something, nor is it designed to \n        support lots of users or high security.\n  <bullet> It's poorly developed. The site has such amateurish errors \n        that it appears to be created by inexperienced developers.\n  <bullet> It's not tested, or if it was tested, the test plan was \n        woefully inadequate.\n  <bullet> In my experience, encountering that many bugs in such a \n        short period of time indicates that was only the tip of the \n        iceberg with many more bugs below the surface. As bugs are \n        fixed, more bugs will be found since those sections were never \n        adequately tested before.\n  <bullet> The management team and contractors seemed to think the site \n        was production quality on October 1. It clearly wasn't, which \n        would indicate that those people don't understand what \n        production quality means. They shouldn't be involved with the \n        project since we've experienced what they consider shipping \n        quality. I do not consider what was delivered to be beta (test) \n        quality.\n                         security implications\n    Lack of competent technical oversight not only leads to waste, but \nto potentially devastating security vulnerabilities if complex systems \nthat millions of people depend on are undermined or brought to their \nknees by attackers. Technology alone cannot deliver security, and the \nmore complex a system is, the harder it is to secure against known \nthreats, much less unknown ones which are sure to emerge in the future. 
\nWhen developers operate under deadline pressure, they tend to cut \ncorners to ``just get it to work'', generating fresh security \nvulnerabilities and bugs.\n  <bullet> Nothing is ever perfectly secure.\n  <bullet> Security has to be considered at the beginning of the \n        project, not at the end.\n  <bullet> The most important part of security is to NOT collect secure \n        information unnecessarily.\n  <bullet> The next step is to minimize the places where security is \n        necessary. The sections in which users shop for insurance \n        policies, get an estimate of the subsidy, and buy a policy \n        without a subsidy should not require any security.\n  <bullet> Another design consideration is to create as few places of \n        vulnerability as possible. That means fewer screens, fewer \n        places where data changes hands, and running secure processes \n        off-line separate from the user interface.\n  <bullet> The skills to build a secure web database application are \n        far more advanced than the skills the existing developers \n        failed to exhibit. A chain is only as strong as its weakest \n        link.\n                         contractor incentives\n    Originally, I thought the design decisions of the Healthcare.gov \nsite were done by amateurs who didn't know what they were doing. I'm \nnow moving away from that conclusion.\n    Instead, I'm seeing how the design decisions may have been made to \nmaximize taxpayer expense and vendor profitability.\nGovernment Contractors\n    The current Government contracting system excludes technically-\nqualified companies by making it difficult for them to bid and work on \nGovernment projects. The companies that specialize in Government \ncontracts are good at winning Government contracts, protesting lost \nawards, and creating change orders. They are not known for their \ntechnical expertise. 
Their strategies and operations would not be \ncompetitive in the private sector.\n    Currently there is no downside for failure to deliver on a \nGovernment contract. There is nothing to prevent failed vendors from \nbidding on future projects or being suspended from existing projects.\nAbusing Taxpayers\n    I don't know how the decisions were made, but if I look at it from \nthe contractors' perspective with the knowledge that the budget was \nessentially unlimited, it would explain how choices were made to add \ncomplexity, increase billable hours, purchase more hardware and \nbandwidth, and maximize profits.\n    Of course, the big mistake was not delivering a quality solution. \nUnlike many other IT projects that have failed in the Federal \nGovernment, this one let the public experience the quality of the \ndeliverables.\n    Examples of areas that maximize profits:\n  <bullet> Performing an identity check for each visitor. Is the credit \n        agency paid for each check?\n  <bullet> Creating a user login in three screens rather than one? Was \n        the contractor paid per screen? Was there consideration that \n        more screens use more resources? Why ask for secret questions?\n  <bullet> The email confirmation process requires almost immediate \n        confirmation. My 30-minute delay in responding canceled my \n        account and required creating a new login. Why does this \n        feature exist?\n  <bullet> Why are the screens to fill out the application one question \n        per screen? Why not put all the questions on one screen to \n        minimize the complexity, data exchanges, and improve \n        scalability and security? 
Were contractors paid based on the \n        number of questions and screens?\n  <bullet> Why ask optional questions such as race that are not part of \n        the subsidy process?\nAddressing Contractor Complaints\n    From what I can see, the contractors are trying their best to \ndeflect blame:\n  <bullet> There are claims the Government was changing the design at \n        the last minute and there wasn't enough time for testing. On \n        every project I've worked on, designs are always changing and \n        there has never been too much time for testing. It's the \n        responsibility of the contractor to provide the guidance and \n        services to ensure success.\n  <bullet> There are claims that individual portions were working but \n        the overall system was not. Based on what I observed, the \n        website wasn't working even if the overall system wasn't \n        tested. My belief is that both the individual portions AND the \n        integrated system were not working.\nWhere Did the Money Go?\n    I don't understand how the contractors could have charged the \ntaxpayers so much money. At $200 million at a generous $200 per hour, \nthat's 1,000,000 man hours. That's 500 man-years. Now the numbers are \neven larger. Where did all that time go?\n                 technology management recommendations\n    This is a complete breakdown in managing technology investments. \nPeople do not understand when a project should cost $1 million vs. $100 \nmillion. In the private sector, a $1 million budget to build a website \nis huge. The Government needs to remember that buying from companies \nthat specialize in Government contracting is not the same as vendors \nwho are competitive in the private sector.\nCreate a Technology Assessment Office\n    A Technology Assessment Office (TAO) would be a non-partisan entity \nsimilar to the GAO that is capable of assessing and managing Government \ntechnology projects. 
Policy makers, politicians, and bureaucrats do not \npossess the technology skills to keep up with the rapidly-changing \ntechnology options. They also don't understand what technology should \ncost or the implications their decisions have on cost, security, and \nother options. My serving on the Fairfax County Technology Policy \nAdvisory Committee is an example of this type of governance.\nEnforce Accountability\n    Past performance is considered an important part of winning \nGovernment contracts but it doesn't seem to prevent contractors \ninvolved with failed projects from continuing to win new contracts. If \nqualifications matter for selecting contractors, when do contractors \never get permanently banned? Multi-year or permanent bans should target \nunderperforming vendors to prevent them from bidding on new contracts \nand remove them from existing ones.\n    In the private sector, vendors that fail would rarely be allowed \nback. Do we have a too-big-to-exclude policy?\n                     audit and investigation needed\n    An exhaustive investigation and audit of the Healthcare.gov project \nwould help determine the various points of systemic failure in order to \nensure that a debacle of this magnitude never happens again.\nExperience of the Development Team\n    The experience of the vendor is important, but what's most \nimportant is the experience of the people actually doing the work. \nGiven my sense that the developers were quite junior, it would be \ninteresting to learn their previous experience building commercial \ndatabase websites, what they were being paid, and what the taxpayers \nwere charged. 
Make sure people involved with the entire life of the \nproject are questioned, and not just the ones remaining today.\nDevelopment Management and Environment\n  <bullet> How were the deliverables designed, scheduled, and \n        delivered?\n  <bullet> How were the teams managed?\n  <bullet> What code reviews were held, and by whom?\n  <bullet> What development, testing, and staging environments were \n        employed?\n  <bullet> Was there a test plan? If so, what were the results of the \n        test plan before October 1? What bugs were considered \n        acceptable for deployment?\n  <bullet> How did the test plan change and who was paid for the \n        October 1 launch that was so bad?\n  <bullet> Are load testing and balancing in place?\n  <bullet> What kind of security reviews, threat analyses, and \n        mitigation strategies were undertaken?\n  <bullet> What kinds of security vulnerabilities were detected, and \n        when are they scheduled to be addressed? How are security \n        issues addressed on an on-going basis?\nTechnology Selections\n  <bullet> Why did they take such a strong stand on using open-source \n        ``free'' software rather than commercial business software that \n        would require less customization (and therefore cost less with \n        fewer security vulnerabilities)? (TheAtlantic.com, June 28, \n        2013, Healthcare.gov: Code Developed by the People and for the \n        People, Released Back to the People)\n  <bullet> Why did they create their own cloud rather than using better \n        and cheaper commercial cloud providers? Especially when large \n        portions of this site do not need any security.\nDesign Flaws and Bugs\n    Secretary Sebelius and HHS have announced that they've fixed \nhundreds of bugs, which indicates that there are likely hundreds more \nyet to be found. No matter how many bugs are fixed, the unintended \nconsequence is that more will inevitably crop up elsewhere in the code \nbase. 
Is the current website being redesigned to make it work properly \nfor consumers, or are they instead trying to make the existing flawed \ndesign functional? Poorly-designed systems are nearly impossible to \nrescue, and inevitably lead to further support costs down the road. \nWhen a complex system is created by multiple vendors with no technical \nmanagerial oversight, it is inevitable that systemic flaws will lead \nonly to finger-pointing and recrimination, not to solid, functioning \nsoftware.\nNumber of Concurrent Users\n    The heaviest demand day was not October 1, but will be the day of \nthe deadline to sign up. It's the equivalent of April 15 for the IRS. \nHow are they preparing for that? How many simultaneous users can they \nsupport, and what happens if the number of users exceeds that? Is load \nbalancing in place? Are we buying lots of equipment for that one day \nthat will sit idle afterwards? Totally unnecessary if a commercial \ncloud provider is used.\n    There are policy implications if the system crashes and people are \nshut out before the deadline.\nWhat Are They Thinking?\n  <bullet> How could they have possibly thought the site was ready to \n        go on October 1? There was a seminar scheduled on HowTo.gov to \n        showcase how the contractors created this great website but it \n        was postponed due to the Government shutdown and later \n        canceled.\n  <bullet> Are they redesigning the website to make it work properly \n        for consumers or are they trying to make the existing bad \n        design work?\nA More Open Policy\n  <bullet> Many companies could have created the Healthcare.gov website \n        or similar database websites. 
Why is it so difficult for \n        technically-qualified companies to bid and work on Government \n        projects?\n  <bullet> Why isn't the data on the insurance policies, pricing, and \n        formulas for subsidies opened in a manner that the private \n        sector can create their own website marketplaces?\n                              conclusions\n    Overall, I'm embarrassed as an American to watch my President and \nCabinet Secretary talk about website design, development, and testing, \nand promoting 800 numbers. They should be focused on policy and things \nlike Iran and North Korea. Websites should be taken care of at a much \nlower level and certainly no higher than the CTO.\n    The underlying problem of Healthcare.gov lies in the way that \nGovernment contracts are awarded. Our way of life is becoming more, not \nless, dependent on technology every day, yet there is no one at the \nhighest levels of Government capable of determining when the Government \nis being ripped off.\n    Taxpayers made a significant investment with the contractors to \nexpect a functional Healthcare.gov website. While there may be some \nexcuse for complexity with connecting to legacy databases in various \nagencies, I don't see any reasonable excuse why the user experience \nwould be so defective or the costs so high.\n    This is a scandal beyond Healthcare.gov and touches on the entire \nway the Government purchases software solutions. Unfortunately, the \nFederal Government has paid for even larger software projects that were \nnever functional.\n    The need for a bi-partisan Technology Accountability Office to \ninvestigate and regulate technology at the Federal level is urgent and \nimmediate; not only to stem the hemorrhage of taxpayer dollars, but to \nensure the security and viability of the essential systems millions of \nAmericans depend on.\n    Taxpayers paid Super Bowl ticket prices and were delivered a high \nschool football game. 
Follow the money.\n                              Attachments\n   appendix 1.--blog post: healthcare.gov is a technological disaster\n    This was the blog post I wrote on October 1 providing a non-\npartisan technical review of the Healthcare.gov website.\nFinally Here\n    October 1, the Affordable Care Act (Obamacare) website \nHealthcare.gov finally went live today.\n    I was eager to personally review what was being offered and cut \nthrough the hoopla and criticism. I had previously written FMS Receives \nHealth Insurance Premium Refund from the Affordable Care Act, so my \nexpectations were high.\n    From the previously published rates for Virginia, the cost of \ninsurance premiums for individuals and families was considerably lower \nthan what FMS currently pays for our group plan. Business plans aren't \navailable yet, but the individual plans should be a good indicator. I \nwasn't interested in the subsidies; I simply wanted to know the prices \nfor the different plan options.\nApplying for Coverage\n    So I went on-line to Healthcare.gov around 5:30 A.M. to apply for \nmy family and see what it would cost. As expected, you create a log-in \nwith email confirmation, and fill out a Wizard to select the options. \nIt's similar to many other instances I've applied on-line for credit \ncards and other forms of insurance. How tough could it be? Technically, \nit's a very simple data entry application that should generate a quote \nat the end.\nWhat a Mess!\n    Unfortunately, what should be a simple process is a complete \nsoftware technology disaster. The logical flow of the application to \nregister, log-in, and fill out the data for a family was horrendously \ninefficient. It seemed like the person who designed it had never used \nit. 
Or maybe didn't have a family which required filling out the same \ninformation for each member of the family.\n    Just the initial process of creating a log-in required multiple \nsecret questions and other unnecessary data for getting a quote. Sure \nthat may be necessary for the final acceptance, but it's a complete \nwaste of time and web resources initially. The system should expedite \nthe process as much as possible to get people a quote without \nsubsidies, then ask for more information to calculate the subsidies if \ndesired. Since I later discovered it never generates a quote, it may \nnot really matter anyway. What were the designers thinking?\nOverly Complex Data Entry\n    As for my family, I not only had to identify my spouse, my two \nkids, their relationship to me, but also their relationship to my wife, \nand even their relationship to each other! What? Given the prior \ninformation, obvious defaults could be offered. The selection of race \nwas also more complicated than it should be. Here's an idea that may \nnot have occurred to the designers: Maybe the kids should default to \ninherit their parents' races. That's how inheritance works. And does \nrace impact pricing? If not, why ask?\n    The system crashed several times for me and had problems when I \nlogged back in. It seemed like the system wasn't even tested. Here are \nsome screenshots:\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n    What the hell is that? How could that get through testing much less \nproduction?\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n    Having error handling to catch unexpected crashes is a Best \nPractice in application development. It should tell the user what went \nwrong, what to do next, and gracefully exit the system. This page does \nnone of that. The error message and error number are blank. Who knows \nwhat went wrong? Useless and amateurish. They do have a Live Chat \nbutton. 
I wonder what I would chat with them about with this crash.\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n    In this screenshot a series of errors appear to be triggered \nwithout meaningful explanation. Embarrassing.\nLogging Back in and Repeating\n    If anything, I'm persistent. I not only had my original goal to see \nthe premium prices, I was now intrigued to discover how poorly \ndesigned, developed, and tested this application was. Eventually, I was \nable to finish. Took about an hour.\n    However, rather than receiving a quote immediately, it's now being \n``processed''. For what? It shouldn't be held up for pre-existing \nconditions which ACA eliminates. I would expect it to be some \nmathematical, logical formula that would generate the results. I \npresume it's because that part of the application isn't built yet. \nAlthough my application is submitted, given the crashes, I'm not sure \nwhat data it has. We'll see.\nAuthors of Healthcare.gov\n    A few months ago, I read this article about how the site was being \nbuilt and was impressed: Healthcare.gov: Code Developed by the People \nand for the People, Released Back to the People.\n    In hindsight, it appears the authors have a philosophical bias \ntoward Open Source and ``people power.'' That's all fine and dandy if \nit works, but this site doesn't. To deliver such low quality results \nrequires multiple process breakdowns. It just proves you can create bad \nsolutions independent of the choice of technology.\nTechnical Software Conclusions\n    What should clearly be an enterprise-quality, highly-scalable \nsoftware application felt like it wouldn't pass a basic code review. \nIt appears the people who built the site don't know what they're doing, \nnever used it, and didn't test it.\n    I actually experienced many more problems than the screenshots I \ncaptured. 
Had I known I was performing a Quality Assurance assignment, \nI would have kept better documentation of typos, unclear directions, \nbad grammar, poorly-designed screens, and other crashes. My bad!\n    It makes me wonder if this is the first paid application created by \nthese developers. How much did the contractor receive for creating this \nawful solution? Was it awarded to the lowest price bidder? As a \ntaxpayer, I hope we didn't pay a premium for this because it needs to \nbe rebuilt. And fixing, testing, and redeploying a live application \nlike this is non-trivial. The managers who approved this system before \nit went live should be held accountable, along with the people who \nselected them.\n                    fms professional services group\n    Our Professional Solutions Group has created many mission-critical, \ncustom software applications where scalability, reliability, and \nquality are paramount. For instance, we built the Logistics Support \nSystem for International Humanitarian Relief for the United Nations \nwhere lives are dependent on accurate, timely data on a global scale.\n                          sentinel visualizer\n    We've also created a database link analysis program for the \nintelligence and law enforcement communities.\n    I know what's involved in creating great software, and this ain't \nit. Healthcare.gov is simply an insurance quote system. As a software \ndeveloper, I'm embarrassed for my profession. If FMS ever delivered \nsuch crap, I'd be personally inconsolable. This couldn't pass an \nintroductory computer science class.\nOverall Conclusions\n    This is going to be a huge public relations mess that could doom \nthe whole initiative. Maybe they can blame the problems on too many \nusers even if that weren't the real cause, but it's not going to be \nfixed with a few weekend tweaks and throwing more hardware at this. The \napplication process asks too many unnecessary questions and repeatedly \ncrashes. Since 9 A.M. 
and as of this evening, the site no longer lets \nyou apply. I presume it got overloaded or someone finally discovered \nhow broken it is and pulled the plug. Given what I experienced, it \nneeds to be off-line until it's corrected. Meanwhile, I'd be highly \nconcerned about the security of the data people enter given all the \ncrashes I encountered.\n    Of course, software problems with the application process are not \nthe reason to abandon health care reform. As a small business owner, we \nface the highest premiums for the lowest coverage. I applaud the \nefforts to reform health insurance and look forward to working in a \nconstructive, rather than destructive, manner to improve this. I \npresume once these issues are resolved, I'll have more options for my \ncompany and employees than I did before. In the big picture, this \nwebsite is much easier to fix than health insurance. We'll see.\n  appendix 2: blog post: creating a healthcare.gov website that works\nHealthcare.gov Suggestions for Improvement\n    Since I don't like to just complain without offering solutions, on \nOctober 14, I wrote a new blog post outlining a solution that would be \nbetter for consumers, easier to develop, quicker to test, more \nscalable, and more secure. Entitled Creating a Healthcare.gov Web Site \nthat Works (http://blog.fmsinc.com/creating-a-healthcare-gov-web-site-\nthat-works/), it offers suggestions:\nUnderstanding the Buying Process for Health Insurance\n    It's important to understand what the website should do. The \nprimary mistake the designers of the system made was assuming that \npeople would visit the website, step through the process, see their \nsubsidy, review the options, and select ``buy'' a policy. That is NOT \nhow the buying process works. It's not the way people use Amazon.com, a \nbank mortgage site, or other insurance pricing sites for life, auto, or \nhomeowner policies. 
People want to know their options and prices before \nmaking a purchase decision, often want to discuss it with others, and \ntake days to be comfortable making a decision. Especially when the \ndeadline is months away. What's the rush?\n    The existing process acts as if a retail website asked for your \ncredit card number before showing what you could buy and their prices. \nAlmost all sites let you browse without creating a user name. Retailers \nwant you to see what's available as quickly and easily as possible. \nPeople often visit multiple times before buying. Only after making a \npurchase decision should personal information be collected to complete \nthe transaction.\n    The website needs to reflect this and support a more common buying \nprocess.\nConceptual Overview\n    Here's an overview showing three distinct processes that flow into \neach other (or people buy a policy at their step and leave the system). \nA critical part is offering a comparison matrix at each level so \nconsumers can quickly see the differences between the insurance \npolicies.\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n    1. The first one gives policy options and non-subsidized quotes. \n        People can click to purchase the policy from the insurance \n        company. If so, they leave Healthcare.gov and the Government is \n        no longer involved.\n\n    2. The second provides a subsidy estimate and uses the same display \n        as the first but with and without subsidized prices. People can \n        also click to buy the policy without a subsidy and leave the \n        system, or they can officially apply for a subsidy.\n\n    3. The third is the actual application for the subsidy and the only \n        path which collects Personally Identifiable Information (PII). \n        Higher security is necessary for this.\n\n    The first two do not require PII and would not require high \nsecurity. 
That means a commercial cloud service such as Microsoft Azure \ncould be used to host the site and adjust to high traffic loads. It \nwould support people shopping and browsing multiple times before buying \nwithout the need to invest in hardware or bandwidth.\n    With this improved design, only a small portion of the site's \ntraffic would be in the final subsidy application portion. That can be \nisolated with high security and for much lower volumes of users since \npeople would only apply once. Hassling people at this stage with lots \nof personal questions is acceptable since people are serious about \npurchasing.\nUser Experience Goals\n    These are some objectives for creating a great user experience:\n  <bullet> Quickly get the unsubsidized insurance rate quotes and \n        policies (no login required);\n  <bullet> Easily compare among insurance policies based on features \n        and price;\n  <bullet> Easily select and subscribe with an insurance company \n        without a subsidy;\n  <bullet> Quickly receive an estimate of a subsidy without having to \n        provide personally identifiable, confidential information;\n  <bullet> Easily compare among insurance policies based on features \n        and subsidized prices;\n  <bullet> Formally apply for the subsidy (log-in and personal \n        information required);\n  <bullet> Select a subsidized policy and pass the appropriate \n        information so the insurance company can validate the \n        subscriber's information and receive the subsidy;\n  <bullet> Once policy options are offered, allow users to create a \n        log-in to save their inputs, and get back into the system to \n        recover their work-in-progress. 
This would be required with the \n        formal subsidy application but not necessary for the other \n        options.\nTechnical ``Back Office'' Goals\n  <bullet> Performance.--The system should move people through the \n        process as quickly as possible.\n  <bullet> Collecting Information.--It should not ask for any \n        information that's not required for generating the policy \n        options and prices.\n  <bullet> Fewer Screens.--Rather than having one screen per question, \n        multiple questions should be asked in as few screens as \n        possible. People know how to scroll. Extra screens should only \n        be added if they depend on answers from previous screens.\n  <bullet> Data Security.--The first part of data security is to NOT \n        collect sensitive information. Sensitive information should \n        only be collected from people actually applying for the \n        subsidy.\n  <bullet> Data Integrity.--All database changes need to be in \n        transactions with commits and rollback on failure. \n        Situations where accounts are partially created with a valid \n        user name and no account details should never occur.\n  <bullet> No Other Connections During Data Entry.--The system should \n        not be connecting to other data sources while the user is \n        entering data. Just collect the data.\n  <bullet> Off-line Processing.--Once the user enters all their data \n        for a subsidy quote, a separate system processes the \n        applications and interfaces with the other systems to validate \n        the data and calculate the subsidy. 
By separating this process \n        from the user's on-line experience, problems with connections \n        to other systems do not impact the user.\n  <bullet> Email Notification.--Once a subsidy is calculated, an email \n        is sent to the user inviting them to log into the system to see \n        their options.\n  <bullet> Notification to Insurers.--Web pages and web services to \n        allow real-time views of the status of applications selecting \n        the insurer's policies.\n  <bullet> Commercial Cloud Hosting.--Using a commercial cloud platform \n        would provide automatic scalability to meet fluctuating levels \n        of users without having to make hardware purchases. By \n        eliminating the need to collect and store sensitive user data \n        for most of the website, commercial cloud hosting and its \n        benefits are available without security concerns.\nOversight Goals\n    Management and interested parties should have system dashboards:\n  <bullet> Real-time Displays.--Monitor user progress with summary \n        tables and graphs showing the status of people moving through \n        different stages of the system.\n  <bullet> Basic Business Intelligence.--Summary and drill-down details \n        by State, date, hour, etc.\n  <bullet> System Transparency.--Provide a public view of some data in \n        a cached mode (updated daily or hourly, but not real-time).\nDesign Overview\n    Here is how the goals could be implemented for the Healthcare.gov \nwebsite:\n\n    (1) The initial form asks people to select their State. If the \n        visitor is in a State that has their own system, ship them to \n        those sites, otherwise proceed with the next step in the \n        Federal system.\n\n    (2) Collect the information necessary to create the unsubsidized \n        options. I was told there were five or so pieces of information \n        necessary to generate the unsubsidized rates (e.g. 
gender, year \n        of birth, family status, smoking status, etc.).\n\n    (3) Display the available plans with options to compare and filter \n        them easily based on plan level (gold, silver, bronze, etc.), \n        provider, price, etc. Should be similar to retail websites like \n        Best Buy or Staples showing different products and their \n        features in a matrix comparison, with buttons to get more \n        details and a button to select one to buy. One would expect \n        users to come to this site multiple times over multiple days to \n        learn about their options before making a purchase.\n\n    (4) An option to save the inputs. This would be the first time to \n        create a simple account to collect user information (which does \n        not include things like social security numbers, birthdates, or \n        names). A simple user name (e-mail address) and password, with \n        a standard e-mail confirmation that doesn't have a time limit. \n        This would allow users to get back to the previous screen \n        without re-entering their data.\n\n    (5) An option to get a subsidized price estimate. If the person \n        chooses this option, they create a simple account because \n        highly sensitive information will not be collected. The account \n        is simply to retrieve the user's entries. The user provides the \n        information necessary to calculate the prices without having to \n        look up data from Government sources. The user can enter their \n        values for income and whatever other factors impact generating \n        a subsidy estimate. Just like bank websites let you enter basic \n        information to get a mortgage or car loan rate before you \n        apply, Healthcare.gov should do the same. This would allow the \n        site to create quotes quickly without having to bog down or \n        wait for the other sites such as the IRS, Experian, etc. 
This \n        minimizes the impact of too many users. Once the estimated \n        subsidies are calculated, a display similar to No. 3 above \n        would show the options.\n\n    (6) Finally, applying for the subsidy. Once someone decides they \n        want a particular policy, they can officially apply for a \n        subsidy. This is the first time personal data needs to be \n        entered. The system should collect the data as quickly as \n        possible without having to validate the information while the \n        user is entering it. Once all the data is collected, the user \n        is informed via email when the subsidy calculation is ready.\n\n    (7) A separate background process calculates the subsidy requests \n        and looks up the necessary data from the different sources. If \n        any of those linked systems is unavailable, it's no big deal \n        since it doesn't impact the user on the website. The user is \n        already gone and waiting for an e-mail. Once the calculation is \n        generated (or if it couldn't be generated), the user is \n        notified via e-mail and they can view the results by logging \n        back into their account.\n\n    For management, there should be dashboards with tables and graphs \nshowing what's happening. No more excuses of not knowing how many \npeople are in each phase of the process, how many have received quotes \nor enrolled, etc. For transparency, some of this information should be \npublicly available updated at least daily.\n                              conclusions\n    I'm not sure whether the people designing and developing the site \nwill find these suggestions helpful. There's obviously lots of details \nnot included in my proposal, but I'm confident my basic design is a \nsignificant improvement over the original site. It would provide a \nbetter user experience, be much easier and faster to develop, easier to \ntest, and more scalable and secure. 
Was it that tough to envision \nearlier?\n    Let's remember, this website remains the automation of a paper \nform. It's not as hard as providing health care.\n\n    Chairman McCaul. Thank you, Mr. Chung. I appreciate your \ntestimony.\n    Mr. Krush is now recognized for 5 minutes.\n\n    STATEMENT OF WAYLON W. KRUSH, CHIEF EXECUTIVE OFFICER, \n                        LUNARLINE, INC.\n\n    Mr. Krush. Chairman McCaul, Ranking Member Thompson, and \nthe Members of the committee, thank you for this opportunity to \ntestify today on the important topic of cybersecurity as it \nrelates to HealthCare.gov. I am Waylon Krush, founder and CEO \nof Lunarline, Inc. We are a leading provider of cybersecurity \nproducts, services, and training for the Federal Government and \nalso the commercial sector. I am also a founding member of the \nWarrior to Cyber Warrior program.\n    The Warrior to Cyber Warrior program provides, at no cost, \na 6-month boot camp for returning veterans. This program equips \nveterans or their--if a veteran is unable to participate \nbecause of service-related injuries, their spouses--with the \nskills, training, and certifications they need to thrive in the \ncybersecurity world. I have been asked to speak today on the \ntopic of cybersecurity as it relates to the recent events \nsurrounding the HealthCare.gov website and related systems.\n    I want to make clear that I am not here to weigh on the \npolitical debate surrounding the Patient Protection and \nAffordable Act. This is above my pay grade. Instead, I am here \nin my capacity as a cybersecurity professional, one who has \ncontributed to the defense of our Nation's IT infrastructure, \nboth as a soldier in uniform and as a leader of one of our \ncountry's fastest-growing cybersecurity firms. I was recently \nasked by the press if I would, as a cybersecurity professional, \ntrust my own personal data to HealthCare.gov.\n    I said yes that I would, and I stand by that statement. 
\nThis is not because I believe HealthCare.gov is 100 percent \nsecure. There is no IT system, Federal or otherwise, that can \nmake this claim. Instead, my confidence in HealthCare.gov is \nbased on my hands-on experience with the rigorous process the \nFederal Government has instituted to effectively manage--not \neliminate, but manage--cybersecurity risk.\n    Now, I realize it is a bit odd for a cybersecurity \nprofessional to come before Congress and preach the confidence \nin our Government's cybersecurity posture. We cybersecurity \nfolks are usually better known for peddling cyber doom and \ngloom. However, the truth is there is plenty of cause for \nconfidence, particularly when we--it comes to Federal \ncybersecurity. To explain why I feel this way, I would like to \nfocus my testimony today on the risk management framework and \nhow it relates to some of the concerns recently brought up in \nthe on-going media coverage of HealthCare.gov.\n    Now, I have been given just 5 minutes to briefly describe \nthis extensive cybersecurity process and regulations that \nprovide the foundation for the U.S. Government's systems \nsecurity. To put this task into context, a few years ago a \ncolleague and I wrote a book entitled, ``The Definitive Guide \nto the C&A Transformation.'' In this book, we did our best to \nscope down thousands upon thousands of pages of Federal \ncybersecurity and privacy regulations into 600 pages of easy \nreading.\n    The easy reading part is a joke, but the level of depth and \nrigor in this process is not. Here today, I will try to distill \nthese processes even further into just 5 minutes of testimony. \nDuring these 5 minutes, I will do my best to describe how the \n6-step risk management framework supports the Federal \nInformation Security Management Act. Excuse me.\n    This, in turn, should provide a baseline understanding for \nthe security processes governing HealthCare.gov and, in \nreality, any Government IT system. 
I hope that from my \ntestimony this will help folks interpret how now-famous \ndecision memo originally intended for Marilyn Tavenner that \ndescribes some of the known security risks faced by \nHealthCare.gov. The RMF is a 6-step process. It includes \ncategorization, security control selection, implementation, \nassessment, authorization, and continuous monitoring.\n    I will briefly describe each one of these steps, and \nprovide some insight into how each one relates to the security \nof HealthCare.gov. I will, however, caution the committee that \nany internal vulnerabilities related to HealthCare.gov should \nabsolutely not be publicly released until HHS or CMS has time \nto mitigate or remediate these issues. The first step is \ncategorization. We look at all of the data types that are \nactually in the Federal information system.\n    We have two publications, NIST Special Publication 860, \nVolume 1 and Volume 2. So we have to find out what type of data \nthis system consists of. The next step governs the selection of \nthe security controls. This is a process where we automatically \nassign a set of baseline security controls, whether it is low, \nmoderate, or high. And enhancements, if need be, based on the \nprotection requirements of the system. In step 3, this is where \nwe actually implement the security controls.\n    These are hundreds upon hundreds of controls, including \nenhancements and tailoring guidance that goes into every \nFederal information system. In step 4, we actually have \nassessment. These are on-going assessments, these are \nassessments before the authorization decision is made. These \nare annual assessments. These are what we call assessments that \ngo with the updates of code that we are gonna see during this \nprocess of updating HealthCare.gov. 
There is one thing that we \nneed to know; there is no such thing as a clean assessment.\n    An assessment of any system, Federal or otherwise, will \nalways reveal some security risk. It is not possible to have a \ncompletely secure system. In conclusion, I hate to tell \neveryone but at this point in time there is no cybersecurity \nbullet, silver bullet. If there were I would be selling them, \nlots of them. A secure system requires the right people, \nprocess, and technology to work together harder, smarter, and \nfaster than the adversary.\n    [The prepared statement of Mr. Krush follows:]\n                 Prepared Statement of Waylon W. Krush\n                           November 13, 2013\n    Chairman McCaul, Ranking Member Thompson, and Members of the \ncommittee: Thank you for this opportunity to testify today on the \nimportant topic of cybersecurity as it relates to Healthcare.gov. I am \nWaylon Krush, founder and CEO of Lunarline, a leading provider of \ncybersecurity products, services, and training to both Federal and \ncommercial clients.\n    I am also a founding member of the Warrior to Cyber Warrior \nprogram. Warrior to Cyber Warrior provides, at no-cost, a 6-month \ncybersecurity boot camp for returning Veterans. This program equips \nVeterans, or if a Veteran is unable to participate because of service-\nrelated injuries, their spouses, with the skills, training, and \ncertifications they need to thrive in the cybersecurity world.\n    I have been asked to speak today on the topic of cybersecurity as \nit relates to the recent events surrounding the Healthcare.gov website \nand related systems. I want to make clear that I am not here to weigh \nin on the political debate surrounding the Patient Protection and \nAffordable Care Act. That is above my pay grade. 
Instead, I am here in \nmy capacity as a cybersecurity professional, one who has contributed to \nthe defense of our Nation's IT infrastructure, both as a soldier in \nuniform and as a leader of one of our country's fastest-growing \ncybersecurity companies.\n    I was recently asked by the press if I would, as a cybersecurity \nprofessional, trust my own personal data to Healthcare.gov. I said yes, \nthat I would. I stand by that statement.\n    This is not because I believe that Healthcare.gov is 100% secure. \nThere is no IT system, Federal or otherwise, that can make this claim. \nInstead my confidence in Healthcare.gov is based on my hands-on \nexperience with the rigorous processes the Federal Government has \ninstituted to effectively manage--not eliminate, but manage--\ncybersecurity risk.\n    Now I realize it is a bit odd for a cybersecurity professional to \ncome before Congress and preach confidence in our Government's security \nposture. We cybersecurity folks are usually better known for pedaling \ncyber doom and gloom. However, the truth is, there is plenty of cause \nfor confidence, particularly when it comes to Federal cybersecurity.\n    To explain why I feel this way, I would like to focus my testimony \ntoday on the Risk Management Framework and how it relates to some of \nthe concerns recently brought up in the on-going media coverage of \nHealthcare.gov.\n    Now, I have been given just 5 minutes to very briefly describe the \nextensive cybersecurity processes and regulations that provide the \nfoundation for U.S. Government system security. To put this task in \ncontext, a few years ago a colleague and I wrote a book entitled The \nDefinitive Guide to the C&A Transformation. In this book we did our \nbest to scope down thousands upon thousands of pages of Federal \ncybersecurity and privacy regulations into just 600 pages of easy \nreading.\n    The easy reading part is a joke, but the level of depth and rigor \nin the process is not. 
Here today, I will try to distill these \nprocesses even further, into just 5 minutes of testimony. During these \n5 minutes I will do my best to inform everyone on how the 6-step \nFederal Risk Management Framework (RMF) supports the Federal \nInformation Security Management Act (FISMA).\n    This, in turn, should provide a baseline for understanding the \nsecurity processes governing Healthcare.gov, and in reality any \nGovernment IT system. I also hope that my testimony will help folks \ninterpret the now-famous ``decision memo''--originally intended for \nMarilyn Tavenner--that describes some of the known security risks faced \nby Healthcare.gov.\n    The RMF is a 6-step process that governs the categorization, \nsecurity control selection, control implementation, control assessment, \nauthorization, and continuous monitoring of all Federal IT systems. I \nwill briefly describe each step and provide some insight into how each \none relates to the security of Healthcare.gov. I will however caution \nthe committee that any internal vulnerabilities related to \nHealthcare.gov should absolutely not be publicly released until HHS or \nCMS has time to mitigate or remediate these issues.\n    The first step, Step 1, is called categorization. During system \ncategorization we analyze all the information stored, processed, or \ntransmitted by any component of the system. We classify all data by \ndata type and sensitivity, and set the protection level as ``Low,'' \n``Moderate,'' or ``High'' to meet the requirements of the most \nsensitive system data. Based on what I have read publicly thus far, \nHealthcare.gov is most likely categorized as a Moderate system.\n    The second step, Step 2, governs the selection of security controls \nto meet the protection requirements defined in Step 1. As a \n``Moderate'' level system, Healthcare.gov is required to implement, at \nminimum, several hundred security controls. 
Additional controls may be \nselected based on any unique system security requirements, such as the \npresence of personally identifiable information (PII).\n    In Step 3, we take the controls identified in Step 2 and implement \nthem. This is where the rubber hits the road. HHS and CMS have both \nauthored comprehensive information security policies that govern their \napproach to cybersecurity. These policies are backed by significant \ninvestments in enterprise detection and protection capabilities, \nincluding security operations centers, enterprise end-point \ntechnologies, border and gateway filtering, incident response teams, \nand enterprise continuous monitoring capabilities. For Healthcare.gov, \nthese enterprise-level controls are combined with system specific ones \nto support the implementation and maintenance of an effective security \nposture.\n    After selecting and implementing controls, Step 4 of the RMF \nmandates frequent security control assessments. These are tests that \nare conducted to determine whether or not to allow a system to continue \noperation. However, let me be clear: There is no such thing as a clean \nassessment. An assessment, of any system, Federal or otherwise, will \nalways reveal some security risks. It is not possible to have a \ncompletely secure system.\n    At this point, everyone here is probably familiar with the \n``Tavenner memo'' I discussed previously. This memo described some \ncomponents of the ``Federally Facilitated Marketplace'' that had not \nyet undergone thorough re-testing due to continued system development. \nIt was determined that this uncertainty represented a ``high risk.''\n    Now, there is no denying that this does indeed represent a \nsignificant system risk. Had the memo ended with that finding we would \nhave every right to be deeply concerned. However, the memo continues to \noutline a comprehensive mitigation strategy designed to mitigate this \nrisk. 
This includes the establishment of a dedicated security team to \nmonitor the system, weekly testing of all border and web-facing assets, \ndaily/weekly scans using continuous monitoring tools, and a promise to \nconduct a full Security Control Assessment within 90 days.\n    While Healthcare.gov's political sensitivity has cast a spotlight \non this process, these types of risk analyses are common place across \nthe Federal Government. Again, security assessments always reveal \nrisks, no matter what system is being assessed. How those risks are \nmanaged ultimately determine whether or not a system can be labeled \n``secure.'' There is a reason it's called the ``Risk Management \nFramework,'' rather than the ``No Risk Framework.'' It is designed to \nensure that Risk Executives conduct precisely these types of trade-off \nanalyses.\n    The Tavenner memo is also an example of Step 5, called System \nAuthorization. Simply put, this step requires a management decision on \nhow, when, and under what conditions a Federal system may be authorized \nto operate. Like Healthcare.gov, most Federal systems are authorized \nwith conditions and pending the implementation of an effective \nmitigation strategy. This is exactly what you are reading in the \nTavenner memo.\n    Finally, during Step 6 we continuously monitor security posture \nthroughout the entire system life cycle. This is the most important \nstep in the process. This is why I have publicly stated that I would \ntrust my own personal data to Healthcare.gov. I know as well as anyone \nthat as soon as a system is developed you are in a race against time to \nfind and mitigate vulnerabilities. 
This is particularly true for high-\nvalue targets such as Government IT assets.\n    That being said, if HHS follows through with their on-going daily \nand weekly scanning and more importantly--quickly remediates and \nmitigates security issues as they are discovered, we can be assured our \ndata is safe as possible.\n    In conclusion, I hate to tell everyone this, but at this point and \ntime there is no cybersecurity silver bullet. If there were, I would be \nselling them--lots of them. A secure system requires the right people, \nprocess, and technology to work together, harder, smarter, and faster \nthan the adversary.\n\n    Chairman McCaul. I thank Mr. Krush for your testimony. Yes, \nI have emphasized before this is probably one of the most \nsignificant websites ever created by the Federal Government. In \nthis exchange, the most personal, private data is put into \nthis--Social Security numbers, addresses, e-mails, personal-\nprivate health information. I can't think of anything more \nprivate than health information. What the American people want, \nI think, is not only a system that works and that is \nfunctional--which, clearly, this is not. As Mr. Chung said, it \nwas amateurish.\n    But they also want some assurance that it is secure. They \ndo not want this data breached and obtained by hackers, or \nidentify theft perpetrators who can then exploit that \ninformation. To that point, the CMS administrator wrote a \nletter to our committee and, specifically, to the Ranking \nMember, Mr. Thompson, because of his concerns about security of \nthis website. The assurance was given at that time, when that \nletter was written, that it would be both secure and follow \nindustry best practices.\n    We have since found out that a September 3 memo came out \nfrom a senior official at CMS stating that it found two high-\nrisk issues and said the threat and risk potential is \nlimitless. 
According to Federal guidelines, high-risk means \nvulnerability could be expected to have a severe or \ncatastrophic adverse effect on organizational operations, \nassets or, most importantly, individuals; individuals being the \nAmerican people. We have advocated for a delay in the \nimplementation of this law for many reasons.\n    But certainly, when you have a dysfunctional website and a \nsecurity risk to the American people's most personally \nidentifiable information, I think that delay, that argument, is \ncertainly even stronger. Mr. Chung, do you agree that we should \ndelay implementation?\n    Mr. Chung. Delaying that would be a policy question. With \nregard to my knowledge, it would be on the technical side. My \nexpectation would be that when we pay this kind of money to \nthese contractors they would build something that would be \nsecure. It is like buying a car that has tires on it. You would \nassume that for hundreds of millions of dollars it would be a \nsecure site.\n    The other part of this would--you know, the first step in \nsecurity and privacy is to not ask for information that needs \nto be secured. So going through the process of asking all those \npersonal pieces of information, when people are just shopping, \nwithout even buying or requesting a subsidy, is an outrage. I \ndon't know if the identity verification company is getting paid \nfor every person that they verify, but I think if you follow \nthe money it would be very easy to see how those decisions were \nmade.\n    Chairman McCaul. In your opinion here, did CMS actually \nfollow industry best practices in setting up this website?\n    Mr. Chung. I was not involved directly on the project so I \nam not exactly sure what they did or didn't do. I just know \nfrom a taxpayer's perspective we paid enough money to demand, \nand expect, a fully functional website. It is huge how much we \nhave paid. It is over, what, $300 million? 
I think you can get \na 747 and crash it into the ground for less. So it is \nunbelievable what we have spent for essentially the automation \nof a paper form.\n    Chairman McCaul. So I guess the question is, I mean: How \ndid this come to be? I mean, we spent, you know, all this money \nfor what you called an amateur website. How did that happen?\n    Mr. Chung. I think that we have an environment where \nGovernment contractors are incentivized, especially when they \nknow a customer has an open pocketbook, to create opportunities \nto bill more hours, to put in more features, to add more \ncomplexity, get more change orders, and get the next contract. \nThat is the product that they are really going after. It is not \nnecessarily creating a solution that works. They got caught \nthis time because the general public actually use software that \nthey created. But there are a lot of projects in the Government \nwhere Government contractors deliver things that the public \nnever sees.\n    Chairman McCaul. So in other words, you have a Government-\nrun program that the contractors exploited for their own profit \nat the expense of the American taxpayer.\n    Mr. Chung. Absolutely. I think that is very clear.\n    Chairman McCaul. I am personally stunned that DHS, that has \nprimary responsibility over the dot.gov space--Federal-civilian \nnetworks within the Government--the extent of communication \nwith the Secretary and with HHS was two e-mails and one phone \ncall. When I asked a question about how does HHS rank in its \nscorecard, if you will, for cybersecurity they get a 50 percent \ncompliance record and they rank No. 2 at the bottom.\n    They are the second-worst Federal agency when it comes to \nsecurity of their networks. Mr. Krush, don't you believe that \nthe Department of Homeland Security should play a greater role \nin trying to secure this website?\n    Mr. Krush. I believe they should play a greater role. 
I \nwill say, however, the process that was followed is the process \nthat is followed with all Government systems. Meaning that a \nrisk-based decision was made by an executive that was put in \ncharge of the site. They were provided the information about \nwhat type of vulnerabilities, what things need to be mitigated. \nYou know, this goes on throughout the entire Government.\n    You know, there is not a system out there that is perfect \nin nature, by any means, from a cybersecurity perspective.\n    Chairman McCaul. No, this was certainly not perfect. Mr. \nChung, if you have a business and you are pushing a product, \nand your website not only is dysfunctional but it crashes, \nwould you take a time out and try to fix it first? Or would you \nstill go forward with that program?\n    Mr. Chung. I guess it depends how desperate I was. But, you \nknow, being concerned about the experiences of my customers, \nno, I would not be able to deliver a product that didn't work. \nThat was what was so shocking when I experienced it on the \nfirst day. Because I wasn't there to do a quality assessment of \nthat HealthCare.gov website. I went there to get a price. It \nwas by accident that I find myself in this situation, after \nexperiencing what can truly be considered one of the worst \npieces of software I have ever used.\n    Chairman McCaul. In addition to a bad piece of software, \nthough, you have the security risk to Americans' most private \ninformation.\n    Mr. Chung. Absolutely. When you have an environment where \nthe developers can barely get the website functional, security \nis way down on the list of things to take care of, right? \nSecurity needs to be built in at the very beginning, not added \nat the end. 
When you have an inexperienced developer--people \ndon't--that can't even build a website properly or spell or do \ngrammar, I mean, the skill set that is necessary to create a \nsecure website are far higher than what I could see was the \nskills of the people that were put on creating that website.\n    Chairman McCaul. So I guess it comes as no surprise that \nunder 50,000 Americans have actually signed up for the \nexchanges, given the fact that, No. 1, the website is flawed. \nNo. 2, the security risks are so great, if people--if the \nadministration was really interested in getting more people to \nsign up you think they would take a time-out, fix this, and \nalso fix it from the security standpoint.\n    The thing that also bothers me tremendously is that it has \nbeen reported to me that there are about--there are over 700 \nfake websites out there that purport to be an exchange, purport \nto be part of this Obamacare program. HealthCare.gov is the \nofficial, but there are over 700 fake websites out there that \nare preying on victims for their personal identifying \ninformation so they can exploit that. Does that trouble either \none of you? Mr. Krush.\n    Mr. Chung. That happens all the time on every website. That \nis not unusual.\n    Mr. Krush. Yes, that is not abnormal. One of the things \nthat were brought up earlier by DHS was that they ensured that \nHHS actually implemented DNS security. So that if you go to \nHealthCare.gov you are arriving at HealthCare.gov. That doesn't \ntake away the process that when you go out to go to Google.com \nand you actually put a ``P'' in front of it, or a ``G'' or \nsomething, you are gonna sent to a site that looks like Google \nbut I wouldn't be using that search engine.\n    Chairman McCaul. Well, I think it demonstrates--I mean, \nperhaps a better public education process to demonstrate that \nthere are fake websites out there, and here is the official \none. 
Again, I will close by saying I am troubled that the \nDepartment of Homeland Security, that has the primary \nresponsibility for securing the dot.gov space, is defaulting to \nan agency, a department, HHS, which has one of the worst \nscorecards when it comes to cybersecurity.\n    With that, it is lunchtime. A lot of the Members have left. \nBut I do want to give the witnesses, since you have taken so \nmuch time to prepare and come here today, perhaps give you the \nlast word. I will start with Mr. Chung.\n    Mr. Chung. Well, thank you very much. I mean, I can tell \nyou that as a small business owner I am facing the need to buy \ninsurance for myself and my employees. I have to follow the \nlaw. I don't get to choose the laws that I follow. I was really \nhoping that this would be an opportunity for me to be able to \nbuy health insurance that would be more competitive. Health \ninsurance is a big problem for small businesses. We pay the \nhighest premiums for the worst coverage.\n    We are competing against companies like CGI and these other \nGovernment contractors that are much bigger and can probably \nget lower-priced insurance than we can. So I hope that \nthroughout this whole process we do keep in mind that getting \nhealth insurance for companies is important to small businesses \nfor us to remain competitive.\n    Chairman McCaul. Thank you.\n    Mr. Krush.\n    Mr. Krush. I would just like to say that, you know, the \nprocesses that we have in place in the Federal Government are \nsome of the most rigorous processes of any type of auditing you \nwould perform on any type of information system. I am very \nfamiliar with the type of commercial auditing that goes on. I \nam very familiar with the Federal auditing that goes on. 
So, \nyou know, the depth and rigor in the implementation of \ncybersecurity and privacy requirements that we do build into \nthe systems--whether, you know, they are always working \nproperly, or not--is some of the best out there.\n    I mean, there is just really no comparison. All of the \nprevious speakers brought up HIPAA, they brought up different \ncompliance requirements that are out there. I will tell you, if \nyou are gonna deploy a Federal information system you must not \nonly implement those controls, but the control catalogue itself \nthat we are required to implement throughout each one of the \ncomponents; whether that be starting at the hardware layer, the \nhypervisor, the operating system, and all the applications to \nsit on top of that is the most rigorous cybersecurity of any \nNation in the world. Also, just of any organization, whether it \nbe Government or not.\n    Chairman McCaul. Well, with all due respect, I would \nsubmit, in this case, it was an abysmal failure. We don't like \nto see that as Americans, and hope we can move forward in a \nmore productive way.\n    With that, I want to thank the witnesses for your \ntestimony. Members are advised if they have additional \nquestions they can submit that within 10 days. I would ask you \nto respond in writing to that. Without objection, the committee \nstands adjourned.\n    [Whereupon, at 12:45 p.m., the committee was adjourned.]\n\n                                 <all>\n\x1a\n</pre></body></html>\n"