[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]





CYBER SIDE-EFFECTS: HOW SECURE IS THE PERSONAL INFORMATION ENTERED INTO 
                       THE FLAWED HEALTHCARE.GOV?

=======================================================================

                                HEARING

                               before the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           NOVEMBER 13, 2013

                               __________

                           Serial No. 113-41

                               __________

       Printed for the use of the Committee on Homeland Security








[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


      Available via the World Wide Web: http://www.gpo.gov/fdsys/

                               __________


                   U.S. GOVERNMENT PRINTING OFFICE

87-371 PDF                WASHINGTON : 2014
______________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2250  Mail: Stop SSOP, 
Washington, DC 20402-0001






















                     COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Loretta Sanchez, California
Mike Rogers, Alabama                 Sheila Jackson Lee, Texas
Paul C. Broun, Georgia               Yvette D. Clarke, New York
Candice S. Miller, Michigan, Vice    Brian Higgins, New York
    Chair                            Cedric L. Richmond, Louisiana
Patrick Meehan, Pennsylvania         William R. Keating, Massachusetts
Jeff Duncan, South Carolina          Ron Barber, Arizona
Tom Marino, Pennsylvania             Dondald M. Payne, Jr., New Jersey
Jason Chaffetz, Utah                 Beto O'Rourke, Texas
Steven M. Palazzo, Mississippi       Tulsi Gabbard, Hawaii
Lou Barletta, Pennsylvania           Filemon Vela, Texas
Chris Stewart, Utah                  Steven A. Horsford, Nevada
Richard Hudson, North Carolina       Eric Swalwell, California
Steve Daines, Montana
Susan W. Brooks, Indiana
Scott Perry, Pennsylvania
Mark Sanford, South Carolina
                       Greg Hill, Chief of Staff
          Michael Geffroy, Deputy Chief of Staff/Chief Counsel
                    Michael S. Twinchek, Chief Clerk
                I. Lanier Avant, Minority Staff Director



















                            C O N T E N T S

                              ----------                              
                                                                   Page

                               STATEMENTS

The Honorable Michael T. McCaul, a Representative in Congress 
  From the State of Texas, and Chairman, Committee on Homeland 
  Security.......................................................     1
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security:
  Oral Statement.................................................     4
  Prepared Statement.............................................     5
The Honorable Sheila Jackson Lee, a Representative in Congress 
  From the State of Texas:
  Prepared Statement.............................................     7

                               WITNESSES
                                Panel I

Ms. Roberta ``Bobby'' Stempfley, Acting Assistant Secretary, 
  Office of Cybersecurity and Communications, U.S. Department of 
  Homeland Security:
  Oral Statement.................................................    11
  Prepared Statement.............................................    13
Ms. Soraya Correa, Associate Director, Enterprise Services 
  Directorate, U.S. Citizenship and Immigration Services, U.S. 
  Department of Homeland Security:
  Oral Statement.................................................    15
  Prepared Statement.............................................    17

                                Panel II

Mr. Luke Chung, President, FMS, Inc.:
  Oral Statement.................................................    60
  Prepared Statement.............................................    61
Mr. Waylon W. Krush, Chief Executive Officer, Lunarline, Inc.:
  Oral Statement.................................................    73
  Prepared Statement.............................................    75

                             FOR THE RECORD

The Honorable Jeff Duncan, a Representative in Congress From the 
  State of South Carolina:
  Memo...........................................................    27
  Article, ``Midlands Man Has Personal Information Compromised on 
    healthcare.gov''.............................................    38

 
CYBER SIDE-EFFECTS: HOW SECURE IS THE PERSONAL INFORMATION ENTERED INTO 
                       THE FLAWED HEALTHCARE.GOV?

                              ----------                              


                      Wednesday, November 13, 2013

             U.S. House of Representatives,
                    Committee on Homeland Security,
                                                    Washington, DC.
    The committee met, pursuant to call, at 10:11 a.m., in Room 
311, Cannon House Office Building, Hon. Michael T. McCaul 
[Chairman of the committee] presiding.
    Present: Representatives McCaul, Miller, Meehan, Duncan, 
Barletta, Stewart, Hudson, Daines, Brooks, Perry, Sanford, 
Thompson, Sanchez, Jackson Lee, Clarke, Richmond, Barber, 
Payne, O'Rourke, and Horsford.
    Chairman McCaul. The Committee on Homeland Security will 
come to order. The committee is meeting today to examine the 
security of HealthCare.gov and the protection of private 
information of the American people. I now recognize myself for 
an opening statement.
    This hearing is part of our on-going oversight of the roll-
out of the Patient Protection and Affordable Care Act, also 
known as Obamacare. Today's hearing follows two subcommittee 
hearings held by my good friend, Chairman Pat Meehan on the 
security of the data hub and health care exchanges. I would 
note that in those two hearings the Centers for Medicare and 
Medicaid Services, or CMS, repeatedly assured this committee 
that the systems would be both functional and secure. Those 
assurances ring hollow in light of the disastrous roll-out of 
HealthCare.gov.
    We are concerned that the security of the system is as 
flawed as its functionality. The Department of Homeland 
Security has two roles in the implementation of Obamacare. The 
first is to verify the immigration status of applicants. We 
look forward to hearing more about how the system works from 
Ms. Correa of USCIS, who is with us here today. The second role 
DHS plays in Obamacare is overseeing the security of Federal 
civilian networks. We will have some slides up to demonstrate 
that.
    [The information follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]



    Chairman McCaul. According to the Department's website, DHS 
is responsible for overseeing the protection of the dot.gov 
domain. That being the case, I think it would surprise many 
Americans to know that DHS had effectively no input into the 
security of HealthCare.gov, despite it being, arguably, the 
most significant Federal Government website ever created. To be 
clear, DHS has not participated in any meaningful way in 
developing, monitoring, or ensuring the security of 
HealthCare.gov, the health exchanges, or the Federal Data 
Services Hub. The only contact between DHS and CMS consisted of 
two e-mails and one phone call.
    Departments and agencies are responsible for setting up 
their own cybersecurity systems. But because of statutory 
limitations, DHS can only recommend policies and offer 
assistance on a voluntary basis. In this case, CMS never asked 
DHS for advice, technical assistance, or even a threat 
briefing. It is with this limited oversight that the same 
people at CMS who told us the system would work are telling us 
now that it is secure. The reason this concerns me is that if 
customers are able to log on to HealthCare.gov they are 
required to enter vast amounts of personal identifiable 
information about themselves and their family members.
    This information includes their name, addresses, date of 
birth, Social Security number, citizenship, immigration status, 
employer information, veteran status, household income, 
requests for a religious exemption, current health status such 
as whether or not the applicant is pregnant or has a 
disability, among other things. While the administration and 
some of my colleagues across the aisle point out that the Data 
Services Hub does not store this information, it is important 
to note that the State exchanges and the Federal exchange 
servicing 34 States store and keep that information for up to 
10 years.
    All this information is a tempting target for hackers, 
identity thieves, and other malicious actors. We already have 
reported cases of hacks, fraudulent websites, and documented 
security vulnerabilities in the system. We are also concerned 
that the so-called ``navigators,'' charged with helping people 
enroll in Obamacare are not subjected to background checks. 
This will undoubtedly result in cases of fraud and identity 
theft, most of which we won't even know about for months.
    In fact, just yesterday we received reports of navigators 
in my home State of Texas encouraging applicants to lie in 
order to get information--or to get higher insurance subsidies. 
Even if a system worked properly, the centralization of so much 
personal data would create security concerns. But in this case, 
HealthCare.gov is so flawed these concerns are even greater. 
Mr. Luke Chung will testify to shed some light on the technical 
problems with HealthCare.gov and how those affect security, and 
I look forward to his testimony.
    Moving forward, we believe it is vital for the Federal 
Government to use every asset it has, including DHS, to secure 
its networks and ensure the security of Americans' most 
sensitive personal data. As such, DHS needs to have not just 
the responsibility but, more importantly, the tools and 
authorities it needs to secure the dot.gov domain. Our 
committee is currently working on legislation to address this 
by codifying the DHS cyber mission. We look forward to working 
with the Ranking Member and other Members of the committee as 
we move that bill through the legislative process.
    With that, the Chairman now recognizes the Ranking Member, 
the gentleman from Mississippi, Mr. Thompson, for any statement 
he may have.
    Mr. Thompson. Thank you very much, Mr. Chairman. Thank you 
for holding today's hearing. I also want to thank the witnesses 
for also appearing today.
    Understand that this hearing will discuss the Department of 
Homeland Security's role in the Affordable Care Act. The role 
played by DHS is two-fold. First, the Department is responsible 
for verifying that anyone who applies for benefits under the 
ACA is a citizen or legal resident. This function required by 
the ACA is very similar to the information required under E-
Verify. The Department performs this function thousands of 
times each day, and transmits the information to any Government 
agency or employer that needs it.
    I am sure we all remember the beginning of the E-Verify 
program. Just a few years ago, my friends on the other side of 
the aisle sought to expand E-Verify. At that time, many critics 
believed E-Verify was a deeply-flawed program that relied on 
inaccurate Government databases and added unnecessary costs to 
businesses. We called attention to flaws in the computer 
systems and databases that E-Verify relied upon. The 
deficiencies in those systems were fixed.
    Today, E-Verify has become an ordinary part of the 
verification process used by businesses and governments to 
assure that people are eligible to work in the United States. I 
do not recall efforts to repeal E-Verify because of its faults. 
The ``save'' system used in the ACA functions is much the same 
way as E-Verify. It seems that my colleagues have expressed 
concerns about the other role DHS plays in the implementation 
of ACA. Those concerns have been examined at two subcommittee 
hearings in this committee.
    Based on those hearings, we know that DHS did not have any 
role in the planning or implementing the HealthCare.gov 
website. Some of my colleagues have indicated that DHS should 
assure the safety and security of the personal information 
placed on HealthCare.gov. While this is an interesting 
proposition, there is no law requiring that DHS play such a 
role. DHS has few responsibilities in the cyber area. First, 
DHS is responsible for observing, reporting, and acting upon 
threats to the Federal computer network system.
    Second, DHS is responsible for assuring that all fellow 
agencies are in compliance with FISMA, the Federal law that 
establishes benchmarks and standards for computer system 
security within the Federal Government. In sum, DHS is 
responsible for assuring that HHS followed the correct 
protocols in establishing the system. DHS would be ready to 
respond if the system were hacked. But DHS does not have an on-
going role with the security of the HealthCare.gov system.
    If my colleagues believed DHS oversight would be beneficial 
in assuring the privacy and security of the information 
contained in the HealthCare.gov system, I would suggest that we 
explore that option. But I am not aware of any law that 
suggests that the role for DHS, and I do not believe that 
consideration of such a role is a purpose of today's hearing. 
It seems that the purpose of today's hearing is to raise 
concern about the protection of the privacy and security of 
personal information.
    Several committees in the House of Representatives have had 
hearings on this same topic. Although it is my understanding 
that DHS has a very small role in assuring the privacy and 
security of a website established by another agency, I look 
forward to hearing from the witnesses called here today. 
Finally, Mr. Chairman, I do not think that the discussion today 
can ignore the fact that this website was put together using 
over 50 contractors.
    As we know from the committee's recent mark-up of a bill on 
the Cybersecurity Workforce, the Federal Government is woefully 
deficient in hiring and retaining cyber professionals. The 
oversight conducted by this committee over several years has 
found one IT system after another that has failed to perform or 
failed to be completed after millions of dollars have been 
spent. The list of computer failures is as long, and stretches 
through a few administrations.
    The list include SBInet, Emerge, Ramp, and several other IT 
solutions that did not have names and did not work, but did 
cost a great deal of money. I am not here to point the finger 
at DHS. I am certain that DHS is not the only Federal entity 
that has been plagued by the failure of computer contracts to 
deliver as promised. So, Mr. Chairman, while I look forward to 
the discussion today I hope that at some point we can light a 
candle instead of continuing to curse the darkness.
    Those of us in Congress need to come to grips with the 
notion that computers are not going away, and we must take 
proactive steps to assure that some office or agency is the 
repository of cyber expertise and knowledge. That agency must 
be able to advise other agencies on everything from drafting a 
solicitation for a computer system to oversight of the 
installation of the system. It must be the Federal IT help desk 
and information library. We need to think about new approaches 
that will save money and work for the American people.
    Or we can keep doing what we have been doing: Spending 
money, making mistakes, wondering what went wrong, and trying 
to figure out who to blame. Mr. Chairman, the people deserve a 
Government that stays open, works together, solves problems, 
and spends money wisely. I think this is the perfect time to 
show that we are that Government.
    With that, I yield back.
    [The statement of Ranking Member Thompson follows:]
             Statement of Ranking Member Bennie G. Thompson
                           November 13, 2013
    I understand that this hearing will discuss the Department of 
Homeland Security's role in the Affordable Care Act. The role played by 
DHS is two-fold. First, the Department is responsible for verifying 
that anyone who applies for benefits under the ACA is a citizen or 
legal resident. This function, required by the ACA, is very similar to 
the information required under E-Verify. The Department performs this 
function thousands of times each day and transmits the information to 
any Government agency or employer that needs it.
    I am sure we all remember the beginning of the E-Verify program. 
Just a few years ago, my friends on the other side of the aisle sought 
to expand E-Verify. At that time, many critics believed E-Verify was a 
deeply-flawed program that relied on inaccurate Government databases 
and added unnecessary costs to businesses. We called attention to flaws 
in the computer systems and databases that E-Verify relied upon. The 
deficiencies in those systems were fixed.
    Today, E-Verify has become an ordinary part of the verification 
process used by businesses and governments to assure that people are 
eligible to work in the United States. I do not recall efforts to 
repeal E-Verify because of its faults.
    The SAVE system, used in the ACA, functions in much the same way as 
E-Verify. It seems that my colleagues have expressed concerns about the 
other role DHS plays in the implementation of the ACA. Those concerns 
have been examined at two subcommittee hearings in this committee. 
Based on those hearings, we know that DHS did not have any role in the 
planning or implementing the HealthCare.gov website.
    Some of my colleagues have indicated that DHS should assure the 
safety and security of the personal information placed on 
HealthCare.gov. While this is an interesting proposition, there is no 
law requiring that DHS play such a role. DHS has a few responsibilities 
in the cyber area. First, DHS is responsible for observing, reporting, 
and acting upon threats to the Federal computer network system.
    Second, DHS is responsible for assuring that all Federal agencies 
are in compliance with FISMA--the Federal law that establishes 
benchmarks and standards for computer system security within the 
Federal Government. In sum, DHS is responsible for assuring that HHS 
followed the correct protocols in establishing the system and DHS would 
be ready to respond if the system were hacked.
    But DHS does not have an on-going role with the security of the 
HealthCare.gov system.
    If my colleagues believe DHS oversight would be beneficial in 
assuring the privacy and security of the information contained in the 
HealthCare.gov system, I would suggest that we explore that option.
    But I am not aware of any law that suggests that role for DHS, and 
I do not believe the consideration of such a role is the purpose of 
today's hearing. It seems that the purpose of today's hearing is to 
raise concerns about the protection of the privacy and security of 
personal information. Several committees in the House of 
Representatives have had hearings on this same topic.
    Although it is my understanding that DHS has a very small role in 
assuring the privacy and security of a website established by another 
agency, I look forward to hearing from the witnesses called here today.
    Finally, Mr. Chairman, I do not think that the discussion today can 
ignore the fact that this website was put together using over 50 
contractors. As we know from this committee's recent mark-up of a bill 
on the cybersecurity workforce, the Federal Government is woefully 
deficient in hiring and retaining cyber professionals. The oversight 
conducted by this committee over several years has found one IT system 
after another that has failed to perform or failed to be completed 
after millions of dollars have been spent.
    The list of computer failures is long and stretches through a few 
administrations. The list includes--SBI, Emerge, RAMP--and several 
other IT solutions that did not have names, did not work, but did cost 
a great deal of money. I am not here to point a finger at DHS. I am 
certain that DHS is not the only Federal entity that has been plagued 
by the failure of computer contracts to deliver what was promised.
    So Mr. Chairman, while I look forward to the discussion today, I 
hope that at some point we can light a candle instead of continuing to 
curse the darkness. Those of us in Congress need to come to grips with 
the notion that computers are not going away and we must take proactive 
steps to assure that some office or agency is the repository of cyber 
expertise and knowledge.
    That agency must be able to advise other agencies on everything 
from drafting a solicitation for a computer system to oversight of the 
installation of the system. It must be the Federal IT help desk and 
information library.
    We need to think about a new approach that will save money and work 
for the American people. Or we can keep doing what we have been doing--
spending money, making mistakes, wondering what went wrong, and trying 
to figure out who to blame. Mr. Chairman, the people deserve a 
Government that stays open, works together, solves problems, and spends 
money wisely. I think this is the perfect time to show that we are that 
Government.

    Chairman McCaul. I thank the Ranking Member. I also want to 
thank the Ranking Member for his cooperation in holding this 
important hearing, as well. Other Members of the committee are 
reminded that opening statements may be submitted for the 
record.
    [The statement of Hon. Jackson Lee follows:]
                  Statement of Hon. Sheila Jackson Lee
                           November 13, 2013
    Chairman McCaul, and Ranking Member Thompson, I thank you for this 
opportunity to take testimony on cybersecurity as it relates to Federal 
health insurance exchange.
    I welcome today's witnesses:
   Ms. Roberta Stempfley, acting assistant secretary, Office of 
        Cybersecurity and Communications, U.S. Department of Homeland 
        Security;
   Ms. Soraya Correa, associate director, Enterprise Services 
        Directorate, U.S. Citizenship and Immigration Services, U.S. 
        Department of Homeland Security;
   Mr. Luke Chung, president, FMS, Inc. and
   Mr. Waylon Krush, chief executive officer, Lunarline, Inc.
    I thank the witnesses for their contribution to committee's 
understanding regarding the nature of cybersecurity as it relates to 
personal information.
    Today, the House Committee on Homeland Security is holding a 
hearing to learn about privacy threats regarding the security of 
personal information provided by visitors to the Federal Health 
Exchange Marketplace HealthCare.gov.
    As a senior member of the House Judiciary Committee, privacy 
protection has been a prominent concern in the protection of women's 
rights, voting rights, and labor rights.
    Today a number of voting rights are under threat because of abusive 
requirements that undermine privacy rights of voters by requiring that 
they produce documents proving citizenship, identity, and residency 
regardless of whether they have an established history of voting or are 
first-time voters.
    Privacy is central to the health and strength of many other rights 
that we enjoy. Specifically, the First, Fourth, and Fifth Amendments to 
the Constitution rests on a foundation of privacy protection that allow 
us to speak as we wish, associate with other, and hold our own beliefs 
free of fear or threats.
    So the topic of today's hearing is of great concern to me. There 
cannot be privacy without security, although we can have security 
without privacy. The digital information age requires that Federal 
agencies must have cybersecurity for any system that collects, retains, 
or uses personal information.
    Privacy protection and cybersecurity are linked in the work I have 
done on the topic of privacy. The ability to control who, when, why, 
and how someone else can gain access to personal information requires 
security. For this reason attention to this issue is central to my 
strong support for the Federal Health Insurance Market Place found at 
HealthCare.gov.
    In May 2006, the Department of Veterans Affairs had a real privacy 
medical information data breach when a contract worker took home 
medical information for 26.5 million people.
    We are not here today to talk about a data breach of the affordable 
care website, because they are not storing medical information nor are 
they storing the information registered on forms. I know this for a 
fact and not for dramatic effect--I went in search of the facts 
regarding the website and what problems it was experiencing. I found 
that there was not a problem with security of the website. There was a 
problem with capacity and usability of the website and these issues 
became more complex after launch because the site could not be down 
more than a few hours each day.
    There would be real problems if the Obamacare web registration site 
collected sensitive personal information on people registering for 
health care, but it does not collect sensitive personal information.
    Sensitive personal information is the type found in taxpayer 
histories collected over the life time of a person by the IRS. A 
conversation with a doctor in the examination room is an exchange of 
highly sensitive personal information. There are no records other than 
the doctor's notes and that information is not sent to the Federal 
Government to be stored and maintained for the entire life of a person 
nor should it be. Most Americans who have take the time to visit the 
site and look at the information requested know that there is no highly 
sensitive or sensitive information collected for registering for health 
insurance.
    The real irony of today's hearing is why the registration process 
for health insurance seeks any personal information. If my friends on 
the other side of the aisle had not been so over concerned about the 
verification of income or proof of citizenship then the need to collect 
a social security number, date of birth, income, place of employment 
could have been eliminated. The whole process would have worked like 
every other thing you get a tax exemption for annually. A tax break for 
mortgage or student loan interest only requires a letter being sent to 
you for tax records to be sent to tax preparers and in the event of a 
the rear request for proof of deduction qualification.
    I hope that my colleagues on my right will take note that when they 
insist that a voter must prove citizenship and residency it requires 
the provision of more personal information which should concern them as 
much as what is being done at their behest to those seeking health 
insurance.
    When I look at the level of concern you would think that they have 
held 45 votes to do away with the Affordable Care Act and not one vote 
to make changes that would address issues that would make it easier to 
get health insurance. In fact, we are scheduled to have the 46th vote 
later this week--no help from the Majority just another effort to peck 
away at the law that they could not end by any other means.
    I would offer that if there was no political effort to make 
something out of the website roll-out there would be an effort to focus 
negative attention on the toll-free number and if there was nothing 
negative to say about that aspect of the new law then they would find 
fault with the application assistance centers.
    We are in the midst of a search for a problem that will justify all 
of the political and financial effort put into stopping a law that the 
public needs and as people register and share their experience will 
turn all of this into familiar ground.
    The years following the passage of Medicare Part D were rough, 
because of problems that were fixed with the passage of Obamacare.
    There is little if any threat to privacy by cyber threats because 
of the data practices implemented by the Department of Health and Human 
Services.
    This system is not storing highly sensitive or even sensitive 
personal information and the personal information it is collecting is 
not stored. What is being collected is personal information of the type 
found on a credit application to purchase any product e.g. date of 
birth, place of work, social security number, income level, and marital 
status. The information is checked as required by my colleagues on the 
other side of the aisle and is then discarded.
    First, the most important rule for cybersecurity is following the 
example of the professionals who work in this fast-paced area: Truth 
comes before beauty. The truth is that there is no computer system that 
is 100% secure from hostile cyber attacks, natural disasters, 
structural failures, or human errors.
    Second, the internet is a rough neighborhood--the best we can do is 
to design the best systems possible, provide the resources necessary to 
follow through on good designs, and ignore the politics of the moment. 
The most dangerous threats to cybersecurity care very little about 
anyone's political party. They may care very much about your nation of 
origin.
    Third, cybersecurity is not about the 14-year-old with a laptop, 
but the botnet attack from a coordinated effort that brings to the 
discussion significant threats to networks. There is no evidence that 
nothing occurred that would suggest that the website experienced 
anything of this nature.
    I understand that the interest of many Members in this hearing 
regarding the health information exchanges may focus on the name of the 
system, but it is important to note that regardless of the Federal 
system it is the personal information collected, stored, or used that 
should be our focus.
    Digital records management was of such grave concern to Members of 
Congress following investigations into the disclosures that then-
President Nixon had used his high office to seek out means to cause 
harm to careers, reputations, and political enemies that the Church 
Committee conducted extensive hearings on the abuse of power that had 
occurred.
    Due to the revelations of the Church Committee a series of laws 
were passed by Congress to protect the privacy of Americans and a 
number of reviews looked specifically at Federal Government use of 
computers to manage the personal information of citizens.
    In 1973, a report ``Records, Computers, and the Rights of 
Citizens'' was produced by the former Federal Department of Health 
Education and Welfare (HEW), which today exists as two agencies--one of 
which is the Department of Health and Human Services (HHS).
    This fact is significant for the topic of today's hearing because 
Health and Human Services is chiefly responsible for why the United 
States became the first nation in the world to draft a Federal privacy 
statute. The agency's role in drafting the world's first Code of Fair 
Information practice for automated personal data systems places them at 
the forefront of identifying the important role that computing would 
play in meeting the needs of a fast-growing Nation, while also 
recognizing the potential for technology's threat to privacy.
    The Code of Fair Information Practices adopted by HEW is based on 
five principles:
   There must be no personal data record-keeping systems whose 
        very existence is secret.
   There must be a way for a person to find out what 
        information about the person is in a record and how it is used.
   There must be a way for a person to prevent information 
        about the person that was obtained for one purpose from being 
        used or made available for other purposes without the person's 
        consent.
   There must be a way for a person to correct or amend a 
        record of identifiable information about the person.
   Any organization creating, maintaining, using, or 
        disseminating records of identifiable personal data must assure 
        the reliability of the data for their intended use and must 
        take precautions to prevent misuses of the data.
    This ground-breaking work informs and guides our hearing today and 
I want to acknowledge the hard work of the Federal employees at the 
Department of Health and Human Services who were given little in the 
way of support or encouragement by the majority of the House in 
accomplishing a task that was monumental and historic.
    Privacy is defined by law. The definition of privacy can be 
captured under five categories: Physical intrusion, e.g. entering into 
personal space without permission like someone's home; information 
intrusion, e.g. accessing documents or information without permission; 
proprietary intrusion, e.g. using someone's image or name for 
advertising purposes; associational intrusion, e.g. NAACP v. Alabama 
where the Alabama sought the State NAACP membership list; and 
decisional intrusions, e.g. someone interfering with a woman's personal 
medical decision making or deciding who can and cannot be married.
    The issue of cybersecurity and the Federal and State health 
insurance exchanges are important and for this reason it is important 
to provide the American public with accurate and reliable information.
    The most important information regarding the Federal health 
insurance exchange is that it does not violate any of the Code of Fair 
Information Principles that is central to privacy. There is no secret 
database; actually there is no database at all. There is a data 
collection requirement to meet the demands of the House Majority that 
no person who is not a citizen could gain insurance through the 
exchange and the second condition that anyone receiving assistance be 
proven to qualify for that assistance prior to it being provided.
    To be honest, if the Majority had not been so insistent on these 
two conditions the number of questions on the registration form could 
have been greatly reduced. The form used for registration does not 
collect sensitive personal information--it collects personal 
information. Sensitive personal information would be of the type found 
on individual taxes, which are by law held in secret by the IRS, no 
matter what someone may say publically about their taxes and the 
agency--true or not true the agency can never disclose the tax records 
of taxpayers.
    So when we speak of the types and degrees of personal information 
it is important to know that personal information, sensitive personal 
information, and highly sensitive personal information are degrees that 
should be recognized. The health exchanges were only intended and the 
Federal exchange designed to collect personal information of the nature 
required by Congress to meet the obligations under the law.
    Highly-sensitive personal information would be the type exchanged 
between a doctor and patient none of which would ever be in this 
system. This is not to say that cybersecurity is not an issue, any time 
personal information on citizens is collected by the Federal Government 
it is an issue that Congress should address by making sure that only 
what is needed is collected and only retained as long as necessary for 
a specific purpose.
    HHS only collected what was necessary, used it for the purpose of 
the collection, and promptly discarded that data so no database or 
system of records was created. This is the most privacy-centric system 
this committee may have the pleasure of discussing in a cybersecurity-
focused hearing. The data practices should be adopted by other agencies 
that may collect too much, keep more than they need, and use 
information far outside the scope of the original collection.
    The Federal Health Exchange data is only used to do a ``handshake'' 
with data in other networks that can authenticate or verify the 
accuracy of the information provided. This is done in such a way that 
no data is exchanged with the agency providing the input that the 
information is accurate. In computing a checksum a mathematical 
equation is applied to data which produces an answer that will match 
the same information found in another system. This is just one way of 
checking information without knowing what the data is and this is the 
school of thought that informed HHS in developing this system.
    The Centers for Medicare and Medicaid Management found within HHS 
could provide a more detailed reply on the topic of data security in 
the Federal health information exchange. I ask that the Chairman and 
Ranking Members both write to the committee of jurisdiction and seek 
information they may better inform our committee on the details 
regarding security and the Federal Exchange.
    I appreciate the human factors and usability issues with the 
website, which are being addressed as we meet today. I would suggest 
that with the new-found interest of the Majority in the customer and 
user experience that they would focus on redirecting the funding that 
has be appropriated that would have gone to the States that opted out 
of the Medicaid expansion be redirected to the Federal.
    I am particularly interested in hearing the testimony of the 
witnesses before the committee who have background and training to 
speak on the topic of cybersecurity.
    Federal cybersecurity is guided by the Federal Information Security 
Management Act (FISMA). The National Institute of Standards and 
Technology develop the guidance on FISMA and the Office of Management 
and Budget provides oversight to assure agencies are meeting the 
objectives.
    Our Nation must continue to improve in the area of cybersecurity 
and the best approach is build it with the best knowledge we have and 
provide continuous monitoring.
    President Reagan said it best following the Challenger disaster--
the shuttle program is one of the Nation's most significant engineering 
marvels--that after 25 years of space flight, the Nation had grown so 
used to it that we forgot how recent the Nation had begun to explore 
space through human missions. He said that the future does not belong 
to the fainthearted; it belongs to the brave.
    He said something that is very important that I will always 
remember: ``We don't keep secrets and cover things up. We do it all up 
front and in public. That's the way freedom is, and we wouldn't change 
it for a minute.''
    This was a very public event, but we will get through it and for 
the rough start we will learn more than we would have without it and be 
the better for it.
    The first U.S. space station slid out of orbit and broke apart upon 
reentry into the atmosphere. It failed, but its failure meant that the 
next time we built a space station is a better space station.
    The Swine Flu vaccine miscalculation during the Ford 
administration, which led to the vaccination of thousands of elderly 
people for a flu that did not arrive meant that more people died from 
the vaccine than Swine Flu that year.
    The lack of enough Flu vaccine during the George W. Bush 
administration meant that while nations around the globe had sufficient 
vaccine for that flu season, we had not ordered enough to meet our 
Nation's needs.
    Like anything in life, there will be rough starts, mistakes, and 
outright deceptions about the facts. Our strength is in not giving in 
to the naysayers or negative message peddlers. This may not be in the 
playbook, but if we lose our edge for taking on the hardest challenges 
because they are too hard then we have lost something that is truly 
uniquely American.
    I am looking forward to today's discussion and hearing from our 
witnesses. Thank you.

    Chairman McCaul. We are pleased to have two panels of 
distinguished witnesses with us today to discuss this important 
topic. I will introduce the first panel. Ms. Roberta Stempfley 
is the acting assistant secretary of the Office of 
Cybersecurity and Communications at the Department of Homeland 
Security. In this role, she plays a leading role developing the 
strategic direction for CS&C and its five divisions. She 
previously served as the deputy assistant secretary to CS&C and 
as director of the National Cybersecurity Division. We thank 
you for being here today.
    Next we have Ms. Correa. She is the associate director of 
the Enterprise Services Directorate at U.S. Citizenship and 
Immigration Services. She has over 30 years of experience in 
procurement, Federal assistance, and program management. Before 
serving in her current role she was deputy associate director 
for the management directorate, and was responsible for 
delivering key management and infrastructure structure services 
to support the USCIS mission. We thank you for being here, as 
well.
    I would like to point out, though, that at this time 
neither of our witnesses submitted written testimony to the 
committee before their appearance today, apparently due to 
their inability to get testimony cleared by the White House. 
The administration had nearly 2 weeks to provide this 
testimony, and has been in the habit of providing their 
testimony after the deadline. Frankly, I expect better, and 
look forward to receiving testimony on a timely basis as we 
move forward in this committee.
    I ask that the witnesses provide their full written 
statement as soon as it is available so it will appear in the 
record. My understanding is that Ms. Stempfley has an oral 
statement she would like to give, so the Chairman now 
recognizes her for 5 minutes.

  STATEMENT OF ROBERTA ``BOBBY'' STEMPFLEY, ACTING ASSISTANT 
  SECRETARY, OFFICE OF CYBERSECURITY AND COMMUNICATIONS, U.S. 
                DEPARTMENT OF HOMELAND SECURITY

    Ms. Stempfley. Thank you, sir. I truly appreciate the 
opportunity to provide this opening statement, oral statement. 
Chairman McCaul, Ranking Member Thompson, and Members of the 
committee, I appreciate the opportunity to discuss the 
Department of Homeland Security's efforts to improve 
cybersecurity posture and capabilities of civilian Federal 
agencies.
    DHS is the lead for securing and defining Federal civilian 
unclassified information technology systems and networks 
against cyber intrusions or disruptions and enhancing 
cybersecurity among critical infrastructure partners. To this 
end, DHS ensures maximum coordination and partnership with 
Federal and private stakeholders, while keeping a steady focus 
on safeguarding the public's privacy, confidentiality, civil 
rights, and civil liberties.
    Within DHS's National Protection and Programs Directorate, 
the Office of Cybersecurity and Communications focuses on 
managing risk to the communications and information technology 
infrastructures and the sectors that depend on them, as well as 
enabling timely response and recovery to incidents affecting 
critical infrastructure including Government systems. 
Additionally, DHS is in the process of setting up critical 
programs Federal-wide in order to be able to detect and respond 
to incidents and vulnerabilities, and consolidate traffic, 
reducing the surface area of possible threat vectors.
    With the committee and Congress' support in passing FISMA 
authorities, DHS and the dot.gov can help to ensure our 
civilian infrastructure is secured while, at the same time, 
reducing cost and increasing efficiency with which we are able 
to work with our agency partners.
    CS&C executes its mission by supporting 24/7 information 
sharing, analysis, and incident response, as well as 
facilitating interoperable emergency communications, advancing 
technology solutions for private- and public-sector partners, 
providing tools and capabilities to ensure the security of 
Federal civilian Executive branch networks, and engaging in 
strategic-level coordination for the Department with private-
sector organizations on cybersecurity and communications 
issues.
    While DHS leads this National effort under the Federal 
Information Security Management Act regulations, agency heads 
are responsible for providing information security protections 
commensurate with the risk and magnitude of harm resulting from 
unauthorized access, use, disclosure, disruption, modification, 
or destruction of information or information systems within 
their agencies or operated on behalf of their agency by a 
contracted entity.
    Agency heads are provided the flexibility and authority to 
delegate those responsibilities to the agency chief investment 
officer in order to ensure compliance with requirements 
outlined in FISMA and the associated memoranda and directives. 
These authorities are inclusive of programs to assess, inform, 
and report on agency status and capabilities relative to FISMA 
guidance.
    While each Federal department and agency retains primary 
responsibility for securing and defining its own networks and 
critical information infrastructure, DHS leads efforts in 
planning and implementing strategic management of information 
security practices across the Federal enterprise.
    The Department provides assistance by collecting and 
reporting information regarding cyber posture and risks, 
disseminating cyber alert and warning information to promote 
protection against cyber threats and the resolution of 
vulnerabilities, coordinating with partners and customers to 
attain shared cyber situational awareness, and providing 
response and recovery support to agencies upon their request. 
Traditionally, due to current authorities, DHS must be asked by 
Federal departments and agencies to provide this direct support 
of independent department and agency responsibilities.
    Constantly evolving and sophisticated cyber threats 
challenge the cybersecurity of the Nation's critical 
infrastructure and its civilian government system. DHS' 
responsibility in the breadth of cybersecurity activities and 
our statutory authorities have not kept up with the rapidly-
evolving changes in the cyber environment. While DHS works 
diligently with our partner agencies and organizations to 
provide for a secure cyber environment, this often hinders the 
Department's ability to execute this mission.
    The administration has requested legislation to clarify 
authority, to deploy capabilities such as EINSTEIN across the 
Federal civilian networks, and to provide operational 
assistance under OMB's oversight of Federal information 
technology network security efforts under FISMA, among other 
things.
    We thank this committee for this focus on these important 
areas. DHS is committed to reducing increasingly sophisticated 
and damaging risks to Federal departments and agencies and 
critical infrastructure.
    We continue to leverage our partnerships inside and outside 
Government to enhance security and resilience of our Federal 
networks while incorporating the privacy and civil liberty 
safeguards into all aspects of what we do at the Department.
    Thank you, sir.
    [The prepared statement of Ms. Stempfley follows:]
           Prepared Statement of Roberta ``Bobby'' Stempfley
                           November 13, 2013
                              introduction
Overview of the Mission
    Chairman McCaul, Ranking Member Thompson, and Members of the 
committee, I appreciate the opportunity to discuss the Department of 
Homeland Security's (DHS's) efforts to improve the cybersecurity 
posture and capabilities of civilian Federal agencies. Government 
computer networks and systems contain information on National security, 
law enforcement, and other sensitive data. It is paramount that the 
Government protects all information from theft and protects networks 
and systems from attacks while continually providing essential services 
to the public.
    DHS is the lead for securing and defending Federal civilian 
unclassified information technology systems and networks against cyber 
intrusions or disruptions and enhancing cybersecurity among critical 
infrastructure partners. To this end, DHS ensures maximum coordination 
and partnership with Federal and private-sector stakeholders while 
keeping a steady focus on safeguarding the public's privacy, 
confidentiality, civil rights, and civil liberties. Within DHS's 
National Protection and Programs Directorate (NPPD), the Office of 
Cybersecurity and Communications (CS&C) focuses on managing risk to the 
communications and information technology infrastructures and the 
sectors that depend upon them, as well as enabling timely response and 
recovery to incidents affecting critical infrastructure, including 
Government systems.
    CS&C executes its mission by supporting 247 information sharing, 
analysis, and incident response as well as facilitating interoperable 
emergency communications and advancing technology solutions for 
private- and public-sector partners. We also provide tools and 
capabilities to ensure the security of Federal civilian Executive 
branch networks and engaging in strategic-level coordination for the 
Department with private-sector organizations on cybersecurity and 
communications issues.
Roles and Responsibilities
    While DHS leads the National effort to secure Federal civilian 
networks, agency heads are responsible for providing information 
security protections commensurate with the risk and magnitude of the 
harm resulting from unauthorized access, use, disclosure, disruption, 
modification, or destruction of information and information systems 
within their agency or operated on behalf of their agency by a 
contracted entity in accordance with Federal Information Security 
Management Act (FISMA) regulations. Agency heads are provided the 
flexibility and authority to delegate those responsibilities to the 
agency's Chief Information Officer (CIO) in order to ensure compliance 
with the requirements outlined within FISMA and the associated 
memoranda and directives. These authorities are inclusive of programs 
to assess, inform, and report on the agencies' status and capabilities 
relative to FISMA guidance.
    Although each Federal department and agency retains primary 
responsibility for securing and defending its own networks and critical 
information infrastructure, DHS leads efforts in planning and 
implementing strategic management of information security practices 
across the Federal departments and agencies. The Department provides 
assistance to departments and agencies by collecting and reporting 
agency information regarding cybersecurity posture and risks, 
disseminating cyber alert and warning information to promote protection 
against cyber threats and the resolution of vulnerabilities, 
coordinating with partners and customers to attain shared cyber 
situational awareness, and providing response and recovery support to 
agencies upon their request. Pursuant to current authorities, DHS must 
be asked by the Federal departments and agencies to provide the 
aforementioned direct support. The Department focuses its support to 
Federal networks through the following activities:
   FISMA.--The Office of Management and Budget (OMB) has 
        delegated operational responsibilities for Federal civilian 
        cybersecurity to DHS, which established the Department as the 
        lead in promoting and reporting on the cybersecurity posture of 
        Federal civilian Executive branch networks. FISMA requires 
        program officials, and the head of each agency, to mitigate 
        cybersecurity risks based upon its particular requirements. The 
        Department monitors and reports agency status in ensuring the 
        effective implementation of this guidance.
   Continuous Diagnostics and Mitigation (CDM).--The CDM 
        program focuses FISMA security metrics on those having a direct 
        impact on Federal civilian departments' and agencies' 
        cybersecurity. By empowering Federal civilian agency CIOs and 
        Chief Information Security Officers (CISO) with situational 
        awareness into their risk posture and with on-going insight 
        into the effectiveness of security controls, CDM will provide 
        these partners with resources necessary to identify and fix the 
        worst cybersecurity problems first. While this program is in 
        its early stages, we are working in conjunction with Congress 
        to clarify authorities and make CDM fully operational with 
        increased proactive protection of the websites in the .gov 
        domain.
   National Cybersecurity Protection System.--Operationally 
        known as EINSTEIN, this program protects Federal civilian 
        Executive branch networks by providing improved situational 
        awareness of cyber threats as well as identification and 
        prevention of malicious cyber activity. While the Department of 
        Health and Human Services (HHS) recently signed a Memorandum of 
        Agreement (MOA) for all EINSTEIN services, HHS is only covered 
        at this point by EINSTEIN 1. EINSTEIN 1, facilitates 
        identification and response to cyber threats and attacks which 
        further enables improvements to network cybersecurity. DHS 
        continues to engage HHS on deployment of other cybersecurity 
        measures based on discussions regarding statutory prohibitions 
        on certain disclosures.
DHS Services
    DHS offers additional capabilities and services to assist Federal 
agencies and stakeholders based upon their cybersecurity status and 
requirements. The Department engages agency CIOs and CISOs through a 
variety of mechanisms including information-sharing forums as well as 
directly through the National Cybersecurity and Communications 
Integration Center (NCCIC) \1\ in response to a specific problem/issue 
or identified threat. These include:

    \1\ The NCCIC, a 247 cyber situational awareness, incident 
response, and management center, is a National nexus of cyber and 
communications integration for the Federal Government, intelligence 
community, and law enforcement.
---------------------------------------------------------------------------
   Assessing security posture and recommending improvements.--
        Upon agency request, DHS conducts Risk and Vulnerability 
        Assessments to identify potential risks in specific operational 
        networks systems or applications and recommends mitigations.
   Providing technical assistance.--DHS may provide direct 
        technical assistance to agencies. For example, by assessing 
        agency compliance and progress in aggregating agencies' network 
        traffic into Trusted Internet Connections, DHS limits access 
        and protects the perimeter of agency networks.
   Incident response.--During or following a cybersecurity 
        incident, DHS may provide response capabilities that can aid in 
        mitigation and recovery. Through the NCCIC, DHS further 
        disseminates information on potential or active cybersecurity 
        threats and vulnerabilities analysis to public- and private-
        sector partners. When requested by an affected agency, DHS 
        provides incident response through the United States Computer 
        Emergency Readiness Team or the Industrial Control Systems-
        Cyber Emergency Response Team.
DHS Interactions With HHS
    DHS works to inform, educate, and increase the cybersecurity 
capacity of all civilian Federal departments and agencies and has 
interacted with HHS in the same manner as with all other Federal 
entities by making available its portfolio of capabilities and 
services. Although still in the acquisition process, DHS and HHS have 
entered into a MOA for CDM program while working diligently on the 
implementation of additional EINSTEIN capabilities. MOA's are a common 
step taken by DHS as we work to support the cybersecurity needs of our 
Federal partners, and this MOA is only the latest out of many that have 
been previously agreed to.
    On August 28, 2013 the Deputy Chief Security Officer of HHS's 
Center for Medicare and Medicaid Services (CMS) initiated a discussion 
with DHS regarding services that DHS might be able to provide in 
relation to Affordable Care Act (ACA) systems. Consistent with DHS 
practice, and similar to actions taken to support a number of other 
agencies, the Department entered into a general conversation with CMS 
to refine the request and determine what might be appropriate to meet 
its needs. Based upon the outcomes of that conversation, further 
discussions were held and, to date, as DHS does for all Federal 
partners, DHS has provided descriptions of specific capabilities and 
services to CMS for its consideration. CS&C has not yet received a 
specific request from CMS relative to the ACA systems, and has not 
provided technical assistance to CMS relative to ACA Systems.
                               conclusion
    Constantly evolving and sophisticated cyber threats challenge the 
cybersecurity of the Nation's critical infrastructure and its civilian 
government systems. DHS is responsible for a large breadth of 
cybersecurity activities, yet lacks explicit statutory authority to 
perform these duties. While DHS works diligently with our partner 
agencies and organizations to provide for a secure cyber environment, 
this often hinders the Department's ability to fulfill its mission. The 
administration has requested legislation to clarify its authority to 
deploy EINSTEIN across Federal civilian networks and to provide 
operational assistance to OMB's oversight of Federal information 
technology network security efforts under FISMA, among other things.
    Despite this statutory ambiguity, DHS is committed to reducing 
risks to Federal departments and agencies and critical infrastructure. 
We will continue to leverage our partnerships inside and outside of 
Government to enhance the security and resilience of our Federal 
networks while incorporating privacy and civil liberties safeguards 
into all aspects of what we do. Thank you again for the opportunity to 
provide this information and I look forward to your questions.

    Chairman McCaul. Thank you for your testimony.
    The Chairman now recognizes Ms. Correa for 5 minutes for an 
opening statement.

  STATEMENT OF SORAYA CORREA, ASSOCIATE DIRECTOR, ENTERPRISE 
    SERVICES DIRECTORATE, U.S. CITIZENSHIP AND IMMIGRATION 
         SERVICES, U.S. DEPARTMENT OF HOMELAND SECURITY

    Ms. Correa. Good morning. Chairman McCaul, Ranking Member 
Thompson, and Members of the committee, I appreciate the 
opportunity to discuss our shared goals of supporting 
Government agencies to ensure that only authorized applicants 
receive public benefits. As the associate director for the 
Enterprise Services Directorate of the U.S. Citizenship and 
Immigration Services, I am responsible for overseeing the 
agency's verification programs. The Patient Protection and 
Affordable Care Act of 2010, or the ACA, limits eligibility to 
enroll in a qualified health plan to citizens, nationals, or 
those otherwise lawfully present in the United States.
    The law directs the Department of Health and Human Services 
to check applicant eligibility against the Department of 
Homeland Security data if the applicant does not attest that he 
or she is a U.S. citizen or if the Social Security 
Administration cannot verify the applicant's claim of U.S. 
citizenship. The Systematic Alien Verification for Entitlements 
Program, or SAVE, responds to queries it receives through the 
hub, a system established by the Centers for Medicare and 
Medicaid services to help process ACA applications.
    SAVE provides the HHS hub with immigration status 
information and information on naturalized and derived citizens 
on behalf of DHS. SAVE is a service that helps Federal, State, 
and local benefit-issuing agencies, institutions, and licensing 
agencies to determine the immigration status of benefit 
applicants so that only those applicants entitled to benefits 
receive them. SAVE does not determine whether applicants are 
eligible for a specific benefit or license. The benefit-
granting agency makes that determination.
    SAVE uses an on-line system that checks a benefit 
applicant's immigration status information against over 100 
million Federal records. Agencies that do not have access to an 
automated system may submit a paper verification request form. 
SAVE is available in all 50 States. It has been providing 
immigration status information to public benefit-granting 
agencies for over 25 years. SAVE has more than 1,060 customer 
agencies, including the Social Security Administration and most 
States' departments of motor vehicles.
    In fiscal year 2013, the SAVE program received over 14 
million queries in our system. Before accessing SAVE, user 
agencies must sign an agreement with USCIS that details the 
terms and conditions of their use of SAVE. The SAVE 
verification process requires up to three steps: Initial 
verification, additional verify, and third-step verification. 
For initial verification, a user agency submits a status 
verification request and the system provides the applicant's 
immigration status information. If SAVE is not able to verify 
an individual's immigration status on initial verification, the 
benefit-granting agency is prompted to submit the query to the 
additional verification step.
    When initiating additional verification, a user agency may 
also submit additional information to USCIS using the SAVE 
system. Because this additional verification requires a manual 
review of available databases the SAVE response time ranges 
from 3 to 5 Federal working days. If SAVE is not able to verify 
an individual's immigration status at this stage the agency is 
prompted to submit the query for third-step verification. To 
accomplish the third-step verification the user agency must 
provide USCIS with legible photocopies of both sides of the 
applicant's immigration documentation.
    Registered agencies may submit this information 
electronically or manually. SAVE response time for the third-
step verification is generally 10 to 20 Federal working days. 
If immigration status still cannot be confirmed, benefit-
granting agencies may refer applicants to a local USCIS office 
to correct or update their records. USCIS and HHS entered into 
a computer-matching agreement for ACA verifications and tested 
the web service's connection between SAVE and the HHS hub, 
including testing of case-specific queries and overall 
functionality.
    After all testing was successfully completed, HHS was 
granted access to SAVE to meet the October 1 implementation 
date. SAVE is responding to all properly-submitted queries. As 
of November 10, 2013 there have been 91,011 hug-generated 
queries, with an average of 1.31 seconds for initial 
verification responses. It is important to note that this 
figure is not a proxy for the number of individuals about whom 
HHS has submitted queries to SAVE because there are often 
multiple queries per applicant.
    Moreover, this figure is not a proxy for the number of 
people who have applied for health care coverage under the ACA 
because only a small percentage of such applicants require the 
submission of queries to SAVE. To help facilitate immigration 
status verification for HHS and other agencies under the ACA, 
USCIS introduced several program enhancements which are not 
available to all customer agencies. Registered agencies may not 
receive grant date and sponsorship information for select 
statuses on initial second- and third-step verification. 
Previously, agencies has to submit manual forms to request that 
data.
    USCIS also introduced an optional auto second-step feature 
which allows SAVE to automatically send queries to additional 
verification if the initial step is unable to verify the 
applicant's immigration status. This eases burden on the user 
agencies, and makes the case resolution process more efficient. 
Additionally, in April 2013 we launched a scan-and-upload 
feature that enables agencies to electronically attach scanned 
copies of immigration documents to queries. Since the inception 
of the SAVE program, USCIS has provided benefit-granting 
Government agencies a reliable method to verify an applicant's 
immigration status and to ensure that only authorized 
applicants receive public benefits.
    On behalf of all of my colleagues at USCIS, I am grateful 
for the opportunity to speak to you today about the SAVE 
program.
    [The prepared statement of Ms. Correa follows:]
                  Prepared Statement of Soraya Correa
                           November 13, 2013
                              introduction
    Chairman McCaul, Ranking Member Thompson, and Members of the 
committee, I appreciate the opportunity to discuss our shared goals of 
supporting Government agencies to ensure that only authorized 
applicants receive public benefits. My name is Soraya Correa, associate 
director for the Enterprise Services Directorate. I am responsible for 
overseeing verification programs at U.S. Citizenship and Immigration 
Services (USCIS). The Patient Protection and Affordable Care Act of 
2010 (ACA) limits eligibility to enroll in a qualified health plan 
through the State and Federal exchanges established under the ACA to 
citizens, nationals, or those otherwise ``lawfully present'' in the 
United States. The law directs the Department of Health and Human 
Services (HHS) to check applicant eligibility against Department of 
Homeland Security (DHS) data if the applicant does not attest that he 
or she is a U.S. Citizen, or if the Social Security Administration 
(SSA) cannot verify the applicant's claim of U.S. Citizenship. The 
Systematic Alien Verification for Entitlements (SAVE) Program\1\ 
responds to queries and provides HHS, through the ``Hub'' established 
by the Centers for Medicare and Medicaid Services, with immigration 
status information as well as information regarding naturalized and 
derived citizens on behalf of DHS.
---------------------------------------------------------------------------
    \1\ SAVE is a service that helps Federal, State, and local benefit-
issuing agencies, institutions, and licensing agencies determine the 
immigration status of benefit applicants so only those applicants 
entitled to benefits receive them. SAVE does not determine whether 
applicants are eligible for a specific benefit or license; the benefit-
granting agency makes that determination. SAVE uses an on-line system 
that checks a benefit applicant's immigration status information 
against over 100 million Federal records. Agencies that do not have 
access to an automated system may submit a paper verification request. 
SAVE is available in all 50 States. It has been providing immigration 
status information to public benefit granting agencies for over 25 
years. SAVE has more than 1,060 customer agencies, including the Social 
Security Administration and most State departments of motor vehicles. 
The SAVE Program received over 14 million verification requests in 
fiscal year 2013.
---------------------------------------------------------------------------
SAVE Access and Verification Process
    Before accessing SAVE, user agencies must sign a Memorandum of 
Agreement (MOA) or a Computer Matching Agreement (CMA) with USCIS that 
details the terms and conditions of their use of SAVE. The SAVE 
verification process requires up to three steps: (1) Initial 
Verification, (2) Additional Verification, and (3) Third-Step 
Verification. For initial verification, a user agency submits a status 
verification request and the system provides the applicant's 
immigration status information. If SAVE is not able to verify an 
individual's immigration status on initial verification, the benefit 
granting agency is prompted to submit the query to the additional 
verification step.
    During additional verification, a user agency may also submit 
additional information, such as a maiden name or additional immigration 
document numbers, to USCIS using the SAVE system. SAVE response time 
for additional verification, which includes manual review of available 
databases, ranges from 3-5 Federal working days. If SAVE is not able to 
verify an individual's immigration status at this stage, the agency is 
prompted to submit the query for third-step verification. The user 
agency must forward a completed Document Verification Request form, 
with legible photocopies of both sides of the applicant's immigration 
documentation to USCIS for third-step verification. Registered agencies 
may submit this information electronically or manually. SAVE response 
times for third-step verification is generally 10-20 Federal working 
days. If immigration status still cannot be confirmed, benefit-granting 
agencies may refer applicants to a local USCIS office to correct or 
update their record.
                          preparations for aca
    USCIS and HHS entered into a CMA to authorize HHS to use the SAVE 
program for ACA verification. In preparation for the ACA open 
enrollment period, USCIS and HHS tested the web services connection 
between SAVE and the HHS ``Hub'' that the Exchanges uses to submit 
queries to SAVE and other partner agencies. The testing included checks 
on both case-specific queries and overall functionality.
    After all testing was successfully completed in the weeks leading 
up to open enrollment, HHS was granted access to SAVE to meet the 
October 1 ACA exchanges implementation date. As of November 10, 2013, 
there have been 91,011 Hub-generated initial queries with an average of 
1.31 seconds for initial electronic SAVE responses. It is important to 
note that this figure is not a proxy for the number of individuals 
about whom HHS has submitted queries to SAVE because there are often 
multiple SAVE queries per applicant. Moreover, this figure is not a 
proxy for the number of people who have applied for health care 
coverage under the ACA because only a small percentage of such 
applications require the submission of queries to SAVE. SAVE is 
responding to all properly-submitted queries.
Program Enhancements
    To help facilitate immigration status verification for HHS and 
other agencies under the ACA, USCIS designated more than 30 additional 
staff to ACA cases and has introduced several program enhancements. 
Authorized agencies may now receive grant date and sponsorship 
information for select statuses on initial, second, and third-step 
verification. Previously, agencies had to submit multiple forms to 
determine when an applicant was granted status, and sponsorship 
information was not available on initial verification.
    USCIS also recently introduced an ``auto second step'' feature, 
which allows SAVE to automatically send cases to additional 
verification if the initial step requests additional verification. This 
enhancement decreases agency user burden, ensures that additional 
verification cases are referred to the second step, and makes the case 
resolution process more efficient. Additionally, in April 2013, the 
SAVE Program launched a scan-and-upload feature that enables agencies 
to electronically attach scanned copies of immigration documents to 
cases. Cases with a scanned copy of the immigration document do not 
require submission of a paper form.
                               conclusion
    Since the inception of the SAVE Program, USCIS has provided 
benefit-granting Government agencies a reliable method to verify an 
applicant's immigration status to ensure that only authorized 
applicants receive public benefits. On behalf of all of my colleagues 
at USCIS, I am grateful for the opportunity to speak to you today about 
the SAVE program.

    Chairman McCaul. Thank you, Ms. Correa. The Chairman now 
recognizes himself for 5 minutes for questions.
    Let me just say at the outset, there have been many Members 
of Congress on both sides of the aisle who have called for a 
delay in the implementation of Obamacare for many reasons. But 
I would think, first and foremost, we have a website that 
doesn't work. It seems to me it ought to be delayed until that 
website is functional. But more importantly to me and, I think, 
many Americans, it should be delayed until we can receive 
assurances from this administration that these websites are 
secure because of the personal data that is being put into 
them, into the exchanges.
    We are talking about Social Security numbers, names, 
addresses, e-mail addresses. You know, we are talking about 
health information, which is perhaps the most private of all 
information; certainly information that no American wants a 
hacker to get access to, to exploit for other purposes. I am 
personally concerned about the security of this website, and I 
haven't had the assurances that it is secure. Imagine a hacker 
getting this personal identifying information and exploiting it 
for personal gain.
    We see identity theft happen all the time, and yet we have 
this information being plugged into this exchange that I 
believe is not secure. I believe the American people deserve 
better. So my first question is to Ms. Stempfley. How many 
cyber attacks have there been on the HealthCare.gov system?
    Ms. Stempfley. So thank you for the question. As I 
commented in my opening statement, the awareness DHS has of 
cyber attacks that are on-going comes from a multitude of 
sources. One is Department and agency reports specifically of 
things that they have identified. We have had a handful of 
reports from the Department of Health & Human Services--a 
number of about 16, as my memory recalls. But I will get a 
specific number for you. As well as identification of threat 
information either provided to us from intelligence sources or 
from other mechanisms.
    We are aware of one open-source action attempting to 
perpetrate a denial-of-service attack against a HealthCare.gov 
site that has been successful.
    Chairman McCaul. So there has been a denial-of-service 
attack on health care.
    Ms. Stempfley. There was the attempt of one.
    Chairman McCaul. Attempt.
    Ms. Stempfley. But it has not been successful.
    Chairman McCaul. Of course, a denial-of-service attack has 
the capability to shut down websites.
    Ms. Stempfley. The goal of a denial-of-service attack, sir, 
would, yes, be to deny the access to that information.
    Chairman McCaul. You know, on the Homeland Security web 
page it talks about one of your primary missions. That is to 
oversee the security of the dot.gov domain. Did anyone at HHS--
did Secretary Sibelius or anyone at HHS--ever--and involved in 
this website, and in this roll-out--ever contact DHS about the 
security of HealthCare.gov?
    Ms. Stempfley. Again, as I mentioned, the roles and 
responsibilities between DHS and departments and agencies are 
split. Departments and agency leadership has principle 
responsibility for building, operating, and securing their 
capabilities. The HHS CIO is a member of the CIO Council. Their 
SISO is a member of the SISO exchanges. We regularly 
communicate about threat in those forums. We were approached--
we regularly communicate about threat and engagement and 
capabilities in those forums, and we have had limited exchange, 
specifically with HHS on this.
    Chairman McCaul. Well, the extent of the conversations that 
I have seen between HHS and the Department of Homeland Security 
are two e-mails and one phone call regarding the security of 
this website. Is that correct?
    Ms. Stempfley. It is not typical for a Department or 
agency, as they are building a specific application, to involve 
DHS as they build any specific application. So that is an 
unusual activity at that level. We regularly engage at the 
Department level.
    Chairman McCaul. So is the Department essentially 
defaulting to HHS and Secretary Sibelius for the security of 
the HealthCare.gov website?
    Ms. Stempfley. As indicated, sir, under FISMA and current 
guidance, Department and agency leadership are responsible for 
securing specific applications under the broad guidance 
provided by DHS.
    Chairman McCaul. I believe the oversight of this 
committee--that you should play a greater role. As your mission 
statement, you know, accurately says, correctly states that you 
have the primary responsibility. Do you know what the 
compliance rate is of HHS with respect to Government 
cybersecurity standards?
    Ms. Stempfley. We have engaged with HHS around compliance 
against the trusted internet connection activity, and we are in 
the process of collecting the figures for fiscal year 2013 for 
FISMA. The FISMA report is traditionally provided to the Hill 
in February.
    Chairman McCaul. Well, perhaps I can educate you. It is 50 
percent. It is a 50 percent compliance rate. Their score card 
is 50 percent, and we are defaulting our cybersecurity--the 
security of Americans' most personal, private data to the 
Secretary of HHS. I find that unacceptable. Do you realize that 
50 percent is the second-lowest score in the Federal Government 
when it comes to a report card on cybersecurity in the Federal 
Government?
    Ms. Stempfley. I believe, sir, that the scores you are 
speaking of are the FISMA report from fiscal year 2012 that 
came forward. Yes, you are accurately representing the scores 
of HHS in that situation. One of the things you will also see 
is that HHS has one of the top scores in the implementation of 
PIV cards, the two-factor authentication. So what is normal for 
a department is that they will have a range of reporting in 
that situation. In some instances they will be above average, 
and in other instances they will be----
    Chairman McCaul. But do you find it acceptable that you are 
defaulting to HHS for cybersecurity, when they have a 50 
percent compliance record that is the second-lowest in the 
Federal Government?
    Ms. Stempfley. Sir, as your opening statement indicated, we 
are operating under the current set of authorities and----
    Chairman McCaul. Well, I hope the Ranking Member will work 
with me to change that. Because I think you are the department 
with this expertise, not HHS. I believe you are the one with 
the--again, the background to fix this. I will just close with 
this. There was a letter from the CMS administrator to the 
Ranking Member that basically assured him that they would be 
following industry best practices and that this website would 
be secure. I believe that that did not happen.
    With that, the Chairman now recognizes the Ranking Member.
    Mr. Thompson. Thank you very much, Mr. Chairman.
    Ms. Correa, in verifying whether or not people who want to 
participate in the Affordable Care Act are legal or illegal, 
has that posed a problem for your agency?
    Ms. Correa. Thank you for the question. No, we have not 
encountered any issues. As I indicated in my opening statement, 
we establish the connection between the hub and our SAVE 
system. We tested that functionality and it is working as 
expected.
    Mr. Thompson. So those 91,000 queries to ACA have been met 
without any problem.
    Ms. Correa. They have processed in the manner that they are 
supposed to process through the SAVE system.
    Mr. Thompson. Thank----
    Ms. Correa. So in other words, they will come through for 
initial verification. If we, for some reason, cannot confirm 
that immigration status, then we prompt them to refer to second 
step, and so on. So it is functioning as expected.
    Mr. Thompson. Thank you.
    Ms. Stempfley, with respect to the potential for hacking or 
whatever, do you have any knowledge about the number of 
attempts that are made daily on the Federal system?
    Ms. Stempfley. Sir, just to give you an order of magnitude, 
in fiscal year 2013 we processed more than 13,800--138,000, 
excuse me, 138,000 reports to U.S. sort-of attempts against 
both Federal Government and critical infrastructure systems. So 
the multitude is fairly substantial.
    Mr. Thompson. So 138,000 attempts is a big number.
    Ms. Stempfley. It is, sir.
    Mr. Thompson. To your knowledge, have we met the defense 
requirement to not allow those attempts to be successful? Do we 
have any kind of----
    Ms. Stempfley. I am happy to provide for you, sir, as a 
response for the record the number of successful compromises 
that may have occurred. I don't have that number in my brain at 
the moment.
    Mr. Thompson. Please provide that to the committee, if you 
would. With respect to the dot.gov domain and its 
responsibilities that you have, are you presently carrying that 
dot.gov domain oversight out?
    Ms. Stempfley. Yes, sir.
    Mr. Thompson. Now, with respect to the HealthCare.gov 
domain, can you, for the committee, share the difference in 
oversight on that?
    Ms. Stempfley. If I understand your question, sir, we 
provide for example, for FISMA, we provide details to 
departments and agencies about how to report their compliance 
with FISMA both in terms of how to specifically answer the 
FISMA questions and measures, and how frequently to provide 
those updates so that we can produce the annual report and 
assessment that is delivered to the Hill in February.
    Mr. Thompson. Explain to the committee the FISMA 
requirement; what FISMA is and what is required.
    Ms. Stempfley. Certainly. So FISMA lays out a broad set of 
requirements for departments and agencies to secure their 
applications and systems. It empowers Department leadership to 
make local risk decisions about when something may--when a 
decision about what may need to be--what may be appropriate for 
a system or application needs to be looked at. You take into 
account the risk environment that the system operates in. Is it 
operating inside the department, or is it a heavily-connected 
system.
    Is it containing, for example, intellectual property 
information or something of that sort. So you are empowered--
the departments and agencies are empowered to make those local 
risk decisions. It requires things such as training of all of 
your workforce against cybersecurity activity, assurance of 
accreditation decisions made, and number of systems and 
applications operating under a range of accreditation 
decisions.
    Mr. Thompson. To your knowledge, in the HealthCare.gov 
review, have you provided that training to the individuals with 
the responsibility for looking at that?
    Ms. Stempfley. Again, sir, each department and agency is 
responsible for providing that training, for ensuring that 
training is received in there. Then that is reported through 
the annual report to the Department of Homeland Security, the 
compliance measures associated with that. So it isn't a--it is 
not typical for the Department of Homeland Security to provide 
specific training to a department.
    Mr. Thompson. But they report the training to you.
    Ms. Stempfley. They do. They----
    Mr. Thompson. You put it in a report.
    Ms. Stempfley. We do. At the end of the year, we are--as I 
indicated, we are in the midst of collecting the fiscal year 
2013 data, and the FISMA report is traditionally handed to the 
Hill in February.
    Mr. Thompson. Thank you.
    Ms. Stempfley. You are welcome.
    Mr. Thompson. I yield back.
    Chairman McCaul. I thank the Ranking Member.
    The Chairman will recognize other Members for 5 minutes for 
questions, in accordance with out committee rules. I plan to 
recognize Members who were present at the start of the hearing 
by seniority on the committee. Those coming in after the 
hearing will be recognized in order of arrival.
    The Chairman now recognizes the Chairman of the 
Subcommittee on Cybersecurity, Infrastructure Protection, and 
Security Technologies, who has held two previous hearings on 
this issue, Mr. Meehan.
    Mr. Meehan. I thank you, Mr. Chairman. I thank you, 
Secretary Stempfley, for your continued work in this area. You 
know, I am just gonna follow on the question with regard to 
your being consulted, and giving to the agencies the ability 
for them to outline the security for their systems. Now, I 
would suggest to you--and would you not agree--that this is 
perhaps some of the most important information that is being 
collected by the Government today: The private identifying 
information on Americans who are applying, oftentimes giving 
intimate details about their families, and otherwise to the 
Government?
    Ms. Stempfley. So the--certainly, the Federal Government, 
through a range of departments, has information about----
    Mr. Meehan. Well, I mean, the PII is significant 
information, is it not, Ms. Stempfley?
    Ms. Stempfley. PII is certainly important, sir.
    Mr. Meehan. The Department itself lays out the 
qualifications. So here I hold in my hand what was created by 
HHS for the health insurance marketplace, the navigators' 
standard operating procedures manual. To the best of our 
review, the only security information developed is to make sure 
that you don't leave copies of things out on copiers. But under 
this manual, as was stated by the Secretary herself, it is 
possible that a felon may be a navigator.
    Should there have been guidelines to do security checks on 
the backgrounds of people who will be in privity of 
communication with the very applicants? Some of those 
navigators, under the Secretary's own admission, may be felons?
    Ms. Stempfley. Sir, respectfully, I believe that question 
is best addressed to the Department of Health & Human Services. 
I am in an area outside----
    Mr. Meehan. I would like to ask but we don't get them in 
front of us. I am grateful for your--the--I want to follow up 
on this other issue, as well, with regard to the compliance 
with FISMA. Now, we have had quite a go-around, as the Chairman 
has stated, with representatives before us from HHS. The 
requirement under FISMA to do the appropriate testing, then to 
then make sure that they correct any problems that they see. 
Then, ultimately, give an authorization.
    As you know, the inspector general themselves, the 
Department of Inspector General, released a report in late 
summer suggesting that there was no window. That the only 
certification, according to their schedule, was going to happen 
the day before the operation of the website. Then suddenly, 
voila! In the middle of the summer, HHS purportedly made these 
huge leaps, in which they were able to suddenly certify the 
security of the system.
    Now, how is it that they would have been able to go from 
the period in which they were being--the IG was concerned they 
weren't even going to be able to meet the deadline until the 
day before, and suddenly there was tremendous security steps 
taken by an agency that hadn't done anything for 3 years?
    Ms. Stempfley. Sir, the Department of Homeland Security is 
not generally engaged as a specific application is built or 
operated. You are asking me a question that I couldn't possibly 
know the answer to.
    Mr. Meehan. Okay. Well, one of the things, as the HHS 
inspector general's report itself says, that the security 
controls and security testing notwithstanding, they may--the 
authorizing official may grant security authorization with the 
knowledge that there are still risks that have not been fully 
addressed at the time of authorization. Is it possible that 
this was granted with the recognition that there were still 
risks, significant risks, that had not been addressed at the 
time of the authorization?
    Ms. Stempfley. The terms of FISMA enable Department 
leadership to delegate the responsibility for risk assessment 
and risk acceptance to lower levels. So it is certainly 
feasible that in that delegation that is----
    Mr. Meehan. So who is making the determination, then, on 
the most significant information, the biggest collection of 
privately-identifying information, that will be collected by 
the Government anywhere in its history? That is not my words; 
that is the testimony of others. This is being delegated to 
people we don't even know?
    Ms. Stempfley. Sir, I don't--one of the things that FISMA 
does not require is awareness of who the accrediting officials 
are to the Department of Homeland Security. So I am not aware 
of who the accrediting----
    Mr. Meehan. So who made the decisions, in other words? We 
don't know who is making the decisions to authorize the ability 
to suggest that they have complied with FISMA, when the 
inspector general themselves said it was going to be unlikely 
that they could before the start?
    Ms. Stempfley. Again, respectfully, sir, that question is 
best addressed to the Department of Health & Human Services.
    Mr. Meehan. I think my time is expired. Thank you, Mr. 
Chairman.
    Chairman McCaul. I thank the gentleman. I appreciate the 
point that these ``navigators,'' that navigate people, the 
American people, through this system, this website, don't 
undergo a background check. So the idea that convicted felons 
could be responsible for this is just unconscionable.
    With that, the Chairman now recognizes Ms. Sanchez, from 
California.
    Ms. Sanchez. Thank you, Mr. Chairman. Thank you, ladies, 
for being before us today and trying to shed some light on what 
I believe is an important topic. We need to ensure that we 
safeguard the information of Americans. So I appreciate the 
work that you do. When I look at everything that is under your 
directorates, et cetera it is pretty amazing.
    So I have a question. I am trying to come from a more 
general standpoint because, in a lot of ways, I am a layperson 
to the technical issues of securing somebody's identity, et 
cetera. But can you tell us, in general, across the Government 
networks that we have, what type of operational, 
administrative, technical, and physical safeguards are 
implemented to ensure confidentiality, integrity, and 
availability of PII and to prevent unauthorized or 
inappropriate access, use, or disclosure of PII?
    How does that compare to, for example, HIPAA security 
standards in place that protect the electronic health 
information that we have from a medical standpoint?
    Ms. Stempfley. Thank you. I appreciate the opportunity. I 
am personally not familiar with HIPAA in great detail, so I 
will----
    Ms. Sanchez. Well, it is one of our standards that we try, 
supposedly, to uphold so that people don't figure out----
    Ms. Stempfley. Absolutely.
    Ms. Sanchez [continuing]. What has been going on with----
    Ms. Stempfley. I am happy to talk about the kinds of 
administrative procedurals and technical controls that are part 
of the Federal enterprise security----
    Ms. Sanchez. Super. In layman's terms, please.
    Ms. Stempfley. I will do my best. So one of the most 
foundational things that is necessary for a viable security 
program is a set of operational processes and operational 
responsibility assignments and policy activities. Including 
things such as ensuring that all users receive annual training 
for their individual security awareness as a part of their 
receiving their log-in. That log-ins and passwords are 
effective. For example, we are in the process of migrating to 
two-factor authentication, that is a PIV card for log-in.
    So it is something more than just your password. You have 
to have something and know something in order to gain access. 
As well as the employment of procedures for understanding where 
your system--what systems you have, where they are, what assets 
are--what pieces of software are running on them. Then we have 
been on a long engagement under the Comprehensive National 
Cyber Security Initiative to create defendable boundaries 
around the Federal enterprise and to put in place a series of 
capabilities at those boundaries for better protection and 
defense.
    If you think about it in terms of a community, it is 
becoming a gated community and one that is focused on securing. 
You have a set of activities that have to happen for the 
individuals in the homes, for the homes themselves, and then 
for the community as a whole. That is a good allegory for 
laymen, you know, in layman's terms for the kinds of efforts 
that departments and agencies have to undertake in order to 
secure their systems and the broad networks that all these 
activities operate on.
    It includes--and I am actually very grateful to this 
committee and the Members on it for their commitment to 
capabilities such as the continuous diagnostics and mitigation 
effort, which we began more than a year ago and are in the 
process of releasing the contract for providing specific tools 
and capabilities for departments and agencies to put on their 
systems and assets. HHS has agreed to be an early adopter of 
such a capability to include intrusion detection and preventing 
capabilities that are provided at that boundary level.
    Ms. Sanchez. Great. I guess I would just say, you know, I 
always figure, on this committee, when we are looking at 
cybersecurity in particular, that the weakest link is an 
individual. So we can protect as much as we want, but, you 
know, it is what is going on. I remember a few years ago, when 
our system here within the House was being hacked. It turned 
out that it was because Members were taking their personal 
devices overseas and they were being hacked.
    So one of the rules we put in was that you either don't 
take your personal device, you switch out to a dumb device to 
get some of your e-mails. Or when you land you take out your 
battery, you know, from your thing, et cetera. Of course, my 
staff had dumbed me down on my device when I landed, but I saw 
all my other colleagues turning on their devices. I said, ``Oh, 
do you have a dumb device?'' They didn't even understand the 
policy.
    I looked at them, and I said, ``You guys, you know the new 
policy is take out your battery and you can't use your 
BlackBerry here because, you know, they are getting into our 
system here.'' They all looked at me and said, ``Oh,'' they 
said, ``we weren't aware of that policy.'' I said, ``Well, yes, 
it is a policy because Frank Wolf and others have, you know, 
they have gotten into our system.'' To which case they all 
turned around and started looking at their e-mails.
    Chairman McCaul. [Off mike.]
    Ms. Sanchez. So--no, it is true, Mr. Chairman. The other 
day I was flying back to California. I am on a plane, a 
colleague--for some reason, my PDA dropped someplace. One of my 
colleagues picked it up. She said to me, ``Oh, you know, I was 
gonna take a look.'' I said, ``Well, I am password-protected.'' 
She looked at me, and I said, ``Well, aren't you password-
protected on your device?'' She looked at me and she goes, 
``No, it would slow me down.''
    So we can, you know, we try, and do try. Thank you for the 
work that you do is, I guess, what I am saying.
    Thank you, Mr. Chairman.
    Chairman McCaul. Thank you.
    The Chairman now recognizes the gentleman from South 
Carolina, Mr. Duncan.
    Mr. Duncan. Thank you, Mr. Chairman. I am proud to 
participate in No Shave November to raise awareness of men's 
health, specifically prostate cancer and cancer in general. I 
do so in honor and memory of the late South Carolina State 
representative, my good friend, David Umphlett, who passed away 
in 2011.
    Mr. Chairman, it is crystal clear to me that the Obama 
administration has put politics over the security of Americans' 
personal information. President Obama and Secretary Sibelius 
and other senior officials accepted an excessive amount of risk 
to Americans' information, all so this flawed website could go 
forward to meet the Democrats' political agenda.
    I have a memo from September 3, 2013, less than a month 
before the launch of the HealthCare.gov website from chief 
information officer of the Center of Medicare and Medicaid 
Services, Tony Trenkle. I would like to enter this into the 
record.
    Chairman McCaul. Without objection, so ordered.
    [The information follows:]


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    Mr. Duncan. Thank you. Approving authorization to operate 
the system underlying the Obamacare health exchanges. Trenkle 
states the risk to CMS information systems resulting from the 
operation of the FFM, or Obamacare--FFM stands for Federal 
Facilitated Marketplaces--information systems is acceptable. 
But the memo then goes on to say page after page, describing 
enormous risk to Americans' personal information. Page 2 
discusses, ``malicious macros, the threat and risk potential is 
limitless.''
    Page 3: ``No evidence of functional testing processes and 
procedures being adequate to identify functional problems 
resulting in non-functional code being deployed.'' Page 4: 
``Many FFM controls documented in the security controls section 
of CFACS have an effectiveness of not satisfied. Security 
controls are not documented as being fully implemented.'' It 
goes on: ``Ineffective controls do not appropriately protect 
the confidentiality, integrity, and availability of data, and 
present a risk to the CMS enterprise.''
    These show serious concerns in the security of the 
Obamacare exchanges. It makes clear that Obamacare represents a 
clear and present danger to Americans' personal information. 
How could anyone with a technology background assess that with 
all this that the risk was acceptable to move forward? Which 
they did, and launched a website October 1. Why weren't 
security officials in DHS and HHS and others sounding the alarm 
about the concerns raised by Mr. Trenkle? Is it in any way 
conceivable that these issues could be solved by the end of 
this month?
    That is a rhetorical question. We may get back with any 
conclusion. Mr. Chairman, I find it quite convenient that, in 2 
days, Mr. Trenkle has decided to cut and run from HHS and go 
into the private sector; not to be accountable to the oversight 
functions of Congress anymore. The American people deserve 
accountability for the threat this administration has allowed 
to our personal information.
    I would like to also share an article from South Carolina, 
a Columbia, South Carolina gentleman, an attorney. Went onto 
the HealthCare.gov website to browse for cheaper insurance for 
him and his wife. He entered in his information, just as you 
would normally do. A few days later, he had someone call him 
from North Carolina. He says, ``I believe, somehow, the ACA 
health care website has sent me your information. That is what 
it looks like to me,'' Mr. Judson Hadley said, a North Carolina 
resident, who could access Tom's information on HealthCare.gov.
    I think there is a problem with the wrong information going 
to the wrong place. Now, the article goes on to say that Mr. 
Hadley just entered into the website to try to shop for 
insurance for himself and he was sent this gentleman from South 
Carolina's personal information. He actually went to another 
link and clicked on it, and actually had a PDF that he could 
print out on his computer of all of this gentleman's 
information. These are serious flaws.
    This wasn't a hacker, this wasn't someone trying to 
intentionally access Americans' private information. This was 
information sent to a third party by HealthCare.gov. This 
website has serious problems. Americans are relying on this 
Government to get it right. So I go back to the question that I 
had asked rhetorically a minute ago: Is it any way conceivable 
these issues could be solved, Ms. Stempfley, by the end of this 
month?
    Ms. Stempfley. Again, sir, I respectfully submit that that 
question is best asked to the Department of Health & Human 
Services.
    Mr. Duncan. Are you aware of Mr. Trenkle's memo? Have you 
seen that?
    Ms. Stempfley. I believe I saw that this morning, sir.
    Mr. Duncan. Okay. Well, it will be entered into the record.
    Mr. Chairman, thank you for having this hearing. Americans 
expect us to get it right. If not, let's delay Obamacare 
implementation until the Government can assure Americans that 
their private information will not be stolen by a third party 
and their identity be taken that could cause serious financial 
harm to them and their families.
    With that, I yield back.
    Chairman McCaul. I thank the gentleman for his insight.
    The Chairman now recognizes the gentleman from New Jersey, 
Mr. Payne.
    Mr. Payne. Thank you, Mr. Chairman. Ms. Stempfley and Ms. 
Correa, I appreciate your being here today and your testimony. 
From my understanding, the Federal data service hub is not a 
database or a repository for personally identifying information 
or for health care records in general. Is that correct?
    Ms. Stempfley. Sir, I am not personally familiar with the 
architecture of HealthCare.gov.
    Mr. Payne. Ms. Correa.
    Ms. Correa. I am not familiar with their--I don't know 
exactly what their architecture is. My understanding, it is 
not. It is just a conduit for passing information.
    Mr. Payne. That is my understanding, as well. I think that 
needs to be clarified. You know, again, from my understanding, 
this hub will just be used to determine someone's eligibility 
to participate in the exchange, enroll in a plan, receive a tax 
credit, and determine whether someone is entitled to an 
exemption only. Is that your understanding?
    Ms. Correa. From the accounts that I have read, yes, that 
is my understanding. That it is a help to process information.
    Mr. Payne. Okay. Let's see. Can you describe how the 
Federal agencies like HHS, DHS, the IRS, and Social Security 
Administration are coordinating with one another and with 
insurance carriers to share information, and how is that 
information being protected?
    Ms. Correa. I can speak to the agreements that we enter 
into--``we,'' as in USCIS enter into--with our partner agencies 
who have the databases that we go out and look at. We enter 
into some form of an agreement, either a memorandum of 
agreement or a computer matching agreement--that is the 
agreement that we entered into with HHS--and we also have what 
are called ``service-level'' agreements. Service-level 
agreements typically talk about performance in terms of when we 
go out and query a database what kind of response times we can 
expect.
    So those are the kinds of agreements that we enter into. 
Again, I do want to emphasize that our SAVE program doesn't 
download information from those databases. We merely go out, 
ping those databases for information, obtain the immigration 
status and the class of admission, and provide that information 
back to the inquiring agency.
    Mr. Payne. Okay. It is--you know, it--do Federal agencies 
often share personal identifiable information for the purposes 
like processing Social Security claims? How is that information 
protected? You know, is the same approach being used for those 
enrolling in these exchanges?
    Ms. Stempfley. Sir, unfortunately, it is atypical for the 
Department to engage at a system level in that perspective. 
Although one of the requirements under--for example, under 
FISMA, is an interconnection agreement which is put in place 
between two systems that are--articulates the security 
requirements that both parties must be subject to.
    Mr. Payne. Okay. One last question. You know, as you ladies 
know, the changes are being made to HealthCare.gov to make it 
run better. What steps are being taken in coordination with 
these changes to ensure that personally identifiable 
information is still protected?
    Ms. Stempfley. Sir, again, I think, respectfully, that 
question is best directed to the Department of Health & Human 
Services.
    Mr. Payne. Okay. Well, with that, Mr. Chairman, I will 
yield back.
    Chairman McCaul. The Chairman will now recognize the 
gentleman from Pennsylvania, Mr. Perry.
    Mr. Perry. Thank you, Mr. Chairman. Thank you, ladies, for 
being here. Just looking for your overall assessment, because I 
think we--at least I, as a Member, and I think many of my 
constituents, members of Citizens of America--are concerned, 
wondering who is responsible. So I am looking for your broad 
knowledge of the system. To where does an American whose 
information has been compromised, to whom does that person seek 
redress?
    Is there an individual, is there an agency? What is the 
mechanism to be made whole once your information is compromised 
and who knows what it is used for? If there someone that you 
know of, is there any agency? Where do Americans go when it 
goes bad, if it goes bad?
    Ms. Stempfley. As a normal--sort of in the normal course of 
events across the Federal enterprise, if a citizen experiences 
an issue with a Federal application, typically the first place 
they go is that application's support desk or support function. 
That is generally escalated to security operation centers 
inside the organization, and then further escalated to the 
Department of Homeland Security for visibility and for response 
functions.
    Mr. Perry. So it would be the Homeland Security--it would 
be the----
    Ms. Stempfley. Department of Health & Human Services. 
Generally, it is the support function for whatever that 
application might be.
    Mr. Perry. Would they be able to seek financial 
remuneration for, you know, some kind of grievance? Or if their 
identity was taken and their accounts were emptied and their 
lives were destroyed from a digital standpoint would they be--
is that where they would go?
    Ms. Stempfley. I am sorry, sir, that is not an area of 
expertise of mine about--in the redress areas. I will be happy 
to take the question----
    Mr. Perry. Okay, appreciate it. Ms. Correa, do you know? 
Okay.
    Ms. Correa. I do not.
    Mr. Perry. Ms. Correa, I appreciate you being here. It 
provides a unique opportunity. If you can explain CIS's role in 
identifying somebody who comes here illegally to access our 
services and tries to sign up on the exchange, what is the role 
there of CIS in identifying that person? What is the process?
    Ms. Correa. Thank you for your question and the opportunity 
to clarify how the process works. The benefit-granting agency 
is the organization that determines the eligibility of whether 
an individual is eligible for a particular benefit. They come 
to us through the--in this case, the Affordable Care Act, 
through the hub. They come to us, they provide us with 
information such as their alien number, their I-94 number, 
their name, their date of birth, et cetera. That is the data 
that we use to go out and verify the immigration status of the 
individual.
    The SAVE responds with the immigration status information 
as well as the class of administration--if it is able to 
confirm the immigration status based on the information 
presented. However, any decision on the eligibility for 
benefits is made at the benefit-granting agency level. In other 
words, USCIS does not make that determination.
    Mr. Perry. Okay. Do you know, if you can tell me, how long 
that process takes? I am looking, just so you understand, in 
the context of the administration has on numerous occasions 
said that the process should take about 25 minutes to sign up. 
So all that, in my mind, has to occur, right, before you can 
sign up? This is all in the span of 25 minutes. Is that--do you 
have any idea of the time that that process takes?
    Ms. Correa. I would like to clarify that the sign-up 
process is happening outside of this SAVE process. That sign-up 
process is before the exchange comes through the hub, to us, 
for a SAVE query. So I wouldn't know how long that process 
would take. What I can share with you is our response times, as 
I mentioned, in our testimony. From the moment we receive a 
query, either in the initial verification step or in the 
subsequent steps, how long that takes. But I couldn't talk 
about how long does it really take to sign up.
    Mr. Perry. Just for the record, again, what is your time 
frame?
    Ms. Correa. Sure. Our average response time in the initial 
query is about 3 to 5 seconds. On the ACA, right now, the 
queries that we are getting through we are seeing about 1.31 
seconds response times.
    Mr. Perry. Okay.
    Ms. Correa. For the second step, it takes about 3 to 5 
Federal working days. For the third step, which is the more 
complex steps, it takes about 10 to 20 Federal working days.
    Mr. Perry. Okay. So is that--am I to take it to mean as far 
as you can tell that somebody that is here illegally that maybe 
came just to sign up for benefits could do that, and be 
involved in--could go through the exchange and sign up for 
benefits, and receive a plan, before they could be identified 
as being here illegally?
    Ms. Correa. Let me clarify that someone who is here 
illegally, who is undocumented----
    Mr. Perry. Right.
    Ms. Correa [continuing]. Is not likely to be able to come 
through the hub with a query. Because the benefit-granting 
agency, when an individual attests that they are either not a 
U.S. citizen or--if an individual attests that they are not a 
U.S. citizen they have to present their documentation as to 
what their status is.
    Mr. Perry. Right.
    Ms. Correa. That is the information that the benefit-
granting agency would enter into the system--or the individual 
would have to enter that information if they are entering 
directly--to come through for a query. So an undocumented 
individual wouldn't have that information and wouldn't be able 
to be the subject of a query.
    Mr. Perry. Thank you. I see my time is expired, and I yield 
back.
    Chairman McCaul. I thank the gentleman.
    Mr. Duncan referred to an article during his questioning 
that he would like to make part of the record. I would like to 
ask unanimous consent that it be made a part of the record.
    Ms. Jackson Lee. Will the gentleman yield?
    Chairman McCaul. The Chairman yields to the gentlelady.
    Ms. Jackson Lee. I am sorry. I did not hear what the 
document was. Would you just repeat for the record what the 
document was?
    Chairman McCaul. It had to deal with a gentleman from, I 
believe, North Carolina that tried to sign up for Obamacare and 
got information back regarding another gentleman from South 
Carolina, very personal information, that has been widely 
reported.
    Ms. Jackson Lee. So it is a newspaper article?
    Chairman McCaul. Correct.
    Ms. Jackson Lee. I thank the gentleman. I yield.
    Chairman McCaul. Okay. Without objection, so ordered.
    [The information follows:]
          Article Submitted For the Record by Hon. Jeff Duncan
  midlands man has personal information compromised on healthcare.gov
Posted: Nov 03, 2013 6:22 PM EST
Updated: Nov 04, 2013 4:04 PM EST
By Meaghan Norman
    COLUMBIA, SC (WIS).--About a month ago, attorney Tom Dougall logged 
on to healthcare.gov to browse for cheaper insurance for him and his 
wife.
    On Friday, the last thing he expected to hear on his voicemail was 
a man from North Carolina who says he can access all of Tom's personal 
information.
    Dougall says he thought it was a scam until he realized his privacy 
had been breached.
    ``I believe somehow the ACA, the Healthcare website has sent me 
your information, is what it looks like,'' said Justin Hadley, a North 
Carolina resident who could access Tom's information on healthcare.gov. 
``I think there's a problem with the wrong information getting to the 
wrong people.''
    In a telephone interview, Hadley said he simply put in his username 
and password when Dougall's information appeared.
    ``The next page that came up was a page that prompted that I have a 
marketplace eligibility information to download. And that's when I 
clicked download and Mr. Dougall's information came up in a PDF 
document,'' said Hadley.
    At first, Dougall didn't know what to think.
    ``We received a phone call from a gentleman named Justin in North 
Carolina who informed me that he had gone on the healthcare.gov website 
and when he logged in under his log in and password, he received a 
document of all of my and my wife's personal information,'' Dougall 
said.
    Dougall said he thought it was a ploy.
    ``Initially I was concerned because I didn't know if this was some 
guy who was scamming me or if in fact this was a guy who really had my 
personal information,'' he said.
    Hadley even provided proof, documents containing Tom's personal 
information and screen shots of the website.
    ``And you can see that he's actually signed in as Justin and it 
tells him he has notices about his marketplace eligibility and to 
download those and when he downloads it, the next screen shot shows him 
my personal information,'' Dougall said.
    Dougall said now Hadley cannot sign up for the coverage he needs 
because he's been blocked by Tom's personal information.
    ``I'm assuming I'm going to have to pay the penalty or tax or 
whatever they're calling it now for not having health insurance next 
year,'' said Hadley.
    ``We're told constantly that it's a secure system and it's not, 
obviously,'' Dougall said.
    Having lived through one security breach in the State of South 
Carolina with the Department of Revenue, Dougall wonders what would 
happen if a professional hacker tried to log on.
    ``I tried to call healthcare.gov last night and they have no 
procedure whatsoever to handle security breaches,'' he said. ``All they 
can do is try to sell you a policy.''
    Dougall has also contacted his Congressmen. He says he's calling 
the Department of Health and Human Services directly on Monday.
    ``They're so concerned with trying to fix the problems they 
currently have that they refuse to acknowledge or won't acknowledge 
that there's been a major breach,'' Dougall said.
    In the mean time, Dougall does not know how to secure his 
information.
    ``I think there's a problem with the wrong information getting to 
the wrong people,'' Dougall said.
    We reached out the U.S. Department of Health and Human Services, 
they responded via email Sunday afternoon asking for more information 
about what happened to Tom and Justin.
    Late Sunday, an HHS official said a security team is working to fix 
the issue. ``We are aware of this issue and it is on our punch list of 
fixes, scheduled to be addressed in the very near future.''
    They added consumers can call the toll-free number or access the 
on-line chat tool that is available 24/7.

    Chairman McCaul. The Chairman now recognizes the gentleman 
from Texas, Mr. O'Rourke.
    Mr. O'Rourke. Thank you, Mr. Chairman. Thank you for 
holding this hearing.
    The implementation of the Affordable Care Act, thus far, 
has been deeply disappointing. Most obviously, the roll-out of 
the website has been a disaster. I want to work to make sure 
that we fix those problems that we have identified. I want to 
make sure that we make this law work. It is, after all, the law 
of the land. It has been tested several times, and tested at 
the level of the Supreme Court. The Government was effectively 
shut down, in part, in dispute and debate over this.
    I think politically, legislatively, that has been resolved. 
Now we need to make sure that it works. Again, the 
implementation so far has been disappointing. But I want to 
work with Members from both sides to fix those problems that we 
have identified, and there are many, and make this work.
    I think about the 200,000 El Pasoans that I represent who 
are currently uninsured. Who, because of their lack of 
insurance, are gonna have worse health outcomes than they 
otherwise would. Who, because they don't have insurance, when 
they do get care, the rest of us are subsidizing that care in a 
very ineffective, inefficient, and costly manner.
    So I want to make sure that this law works. I think its 
goals and intentions are noble. I think it is perfectable. So I 
want to make sure that we are focused on that. In today's 
hearing, we are looking at cybersecurity threats and problems. 
Some of the questions resolved around--or revolved around a tax 
on HealthCare.gov. Denial of service attacks, hacking attempts, 
attempts to gain access, or entry, illegally.
    I am assuming, and correct me if I am wrong, that every 
single Government web asset is attacked, perhaps on a daily or 
a minute-by-minute basis. Is that correct?
    Ms. Stempfley. Certainly, sir. The internet itself, where 
we operate in this environment, is one that contains a 
multitude of threats. The Federal Government websites and 
Federal Government systems are subject to the same environment 
and these same threats.
    Mr. O'Rourke. So the existence of threats, proof that 
attacks have taken place, do not prove the system is 
vulnerable. Or, from your answer to the previous question from 
the Chairman, do not establish that you have concerns about the 
security of that system. Is that correct?
    Ms. Stempfley. Certainly, sir. The existence of threats 
does not increase the vulnerability that the systems might be--
--
    Mr. O'Rourke. Have you seen anything, thus far--you know, a 
month-and-a-half in--that would give you concern about threats 
that might be realized, or vulnerabilities that might be 
exploited that have not been addressed so far by the 
administration or HHS?
    Ms. Stempfley. The position that the Department of Homeland 
Security exists is in both awareness and in reporting has only 
provided limited information, at this point. As I said earlier, 
we received about 16 reports from HHS that are under 
investigation, and one open-source report about a denial of 
service.
    Mr. O'Rourke. In thinking about the VA, and the fact that 
the VA is trying to move to a much more web- and digital-based 
sharing of service records and medical records for former 
servicemembers, anything that we can learn from the success or 
failures in those VA programs that are sharing very sensitive 
information? In some case, I realize that information has been 
compromised. Anything we can learn, or what lessons have we 
learned, that we are able to apply to what we are doing now 
with HealthCare.gov?
    Ms. Stempfley. So I believe I mentioned that the HHS CIO as 
well as the VA CIO are members of the CIO council and of the 
CISO forums. Those are--the CISO forum specifically is one that 
we in DHS run to ensure that we have an avenue for that sharing 
of current activity and lessons learned in engagement. There is 
a series of best practice documents and actions that are 
published by DHS that are an amalgamation of all of that 
learning and that are available.
    Mr. O'Rourke. Do you know, specifically, if the VA has 
shared that information from their best practices and what they 
have learned from failures within that system?
    Ms. Stempfley. I could not speak to a VA-to-HHS-specific 
conversation. But we have the aggregation of all of those in a 
published format so the departments and agencies can gain 
access to that around the clock.
    Mr. O'Rourke. Ms. Correa, let me ask you a question. In El 
Paso, there are bound to be many mixed-status families amongst 
those 200,000 uninsured people that I represent in our 
community. Walk me through what happens when you have a U.S. 
citizen child to a parent who has undocumented status 
currently. How will they use that system? How will you use that 
information if you learn that that parent is here in an 
undocumented fashion?
    Ms. Correa. As I mentioned before--thank you for your 
question, but as I mentioned before, what we would see is the 
information about that child that they are applying for a 
particular benefit. So the benefit-granting agency would be 
entering that information. That is the only information that we 
would be processing through the query. If the undocumented 
parent were trying to apply for a benefit, if they don't have 
documentation, then we wouldn't see that query because there 
would be no information to enter into the system.
    Mr. O'Rourke. With the Chairman's indulgence, if I could 
just ask a quick question.
    Ms. Correa. Sure----
    Mr. O'Rourke. If you somehow through this system, 
HealthCare.gov, learn that the parent is here illegally, would 
you act on that information, and how would you act on that 
information?
    Ms. Correa. I would like to confirm my answer on this, but 
we do not rely on that information. Because, again, we only see 
a fragment of data. So there is nothing that we would do with 
that information at this time.
    Mr. O'Rourke. Okay, thank you.
    Thank you, Mr. Chairman.
    Chairman McCaul. Gentleman.
    The gentlelady from Michigan, Mrs. Miller, is recognized.
    Mrs. Miller. Thank you, Mr. Chairman. I certainly thank you 
for calling this very important hearing on this issue.
    My question to the two of you--and I appreciate your 
attendance here today--as I have listened to the questions from 
my other colleagues, it is certainly clear from your answers 
and your testimony that the Department of Homeland Security has 
not been intimately involved in protecting the security of the 
most personal and most private information of American citizens 
through the HealthCare.gov website. That that responsibility 
rests, as you kept testifying, solely--at this point, solely 
with the Department of Health & Human Services. Many times, you 
said that question should be asked of them, not of you.
    So my question to you, then, would be: Do you play a role 
in determining acceptable risk when the Department of Homeland 
Security--not the other departments or the Department of HHS, 
but the Department of Homeland Security--do you play a role in 
determining what is acceptable risk when the Department of 
Homeland Security launches--when you launch, that--your 
department launches a new website within the Department? Mr. 
Duncan was reading off a list of serious risks that the HHS had 
identified before the launch of the HealthCare.gov.
    If the Department of Homeland Security would have 
identified those kinds of risks, similar risks, before you 
launched a website for the DHS--not one of the other 
departments, your department--would you have found that risk 
acceptable, and would you have advocated the launch of that 
website?
    Ms. Stempfley. In the Department of Homeland Security, the 
right principle risk acceptance official is the chief 
information officer, and that is an organization roughly 
parallel to mine. We have a strong engagement with the chief 
information officer through a series of information exchanges. 
It is not typical, even in the Department of Homeland Security, 
for that risk official to reach out to us on specific systems 
or applications as they go forward. We engage with them through 
the same broad conversations as we go forward.
    For the information technology systems that we operate as I 
pointed out, things like the continuous diagnostics and 
mitigation program and the intrusion detection programs like 
EINSTEIN, which I am grateful to this committee for its support 
of--we are responsive to the CIO in detailing the compliance 
actions forward and ensuring compliance with security standards 
that are set. So there is a----
    Mrs. Miller. But would you have raised any question at all? 
I mean, I understand you don't want to answer any questions 
about HHS. But now you can't even answer a question about your 
own Department. Although you say typically you talk back and 
forth, typically----
    Ms. Stempfley. For----
    Mrs. Miller. I mean, typically you can't even raise a red 
flag?
    Ms. Stempfley. For the magnitude of the numbers of 
applications that we are talking about, ma'am, are substantial. 
For example, in HHS, in their FISMA 2012 report, they reported 
10,648 individual applications. So within any specific one it 
is difficult to go in great detail. For the application----
    Mrs. Miller. So typically, since I have a limited amount of 
time--typically you can't even raise those questions, right? 
Typically?
    Ms. Stempfley. Typically, under the current authority and 
landscape, that is a true statement.
    Mrs. Miller. Okay. Well, that is an interesting answer. I 
appreciate your candor. You can't raise a question if you have 
those kinds of problems. Could you, then--shifting gears just 
for a moment, I wanted to pick on something the Chairman 
mentioned at the outset. Typically, the Congress has oversight 
responsibilities. Typically, when we have hearings like this, 
typically--for hundreds of years, typically we get testimony 
from the witnesses typically at a deadline.
    Now in this case, for whatever reason, we did not get--
whether you were unwilling or unable to give us your testimony. 
I mean, as a Member of Congress, trying to typically do my job, 
I am trying to read the information the day before, the night 
before, whatever so that I can be prepared, typically. But in 
this case, we couldn't get your testimony before the hearing. 
Now, I don't know if that is typical for you or your Department 
not to respond on the deadline. Usually we do get it.
    The Chairman mentioned perhaps it is because the White 
House wouldn't allow you, in this case, to give us the 
information. Could you expand for me, at least, why that was--
you were not able, you were unable or unwilling, to give us 
your testimony to meet the deadline which is a typical 
situation?
    Ms. Stempfley. It certainly is--I am a believer of being 
prepared myself, and so it is certainly a goal of all of ours 
to ensure that we provide information in as rapid a manner as 
possible to individuals. In my office we work very hard to 
ensure that we are responsive and within the controls and 
constraints that we operate under. So I am pleased that you 
were willing to have us here to speak, even though the 
testimony did not arrive to you in time. So thank you for that.
    I am not familiar with all of the steps between here and 
arriving on your door to speak to this specific event. I am 
happy to go back and get you an answer.
    Mrs. Miller. Thank you. Mr. Chairman, we are apparently not 
going to get any answers out of these witnesses, so I 
appreciate that. Appreciate the time. Thank you.
    Chairman McCaul. I appreciate the gentlelady's questioning. 
I--as the Chairman of this committee, I would like to know, did 
you prepare an opening statement?
    Ms. Stempfley. Yes, sir.
    Chairman McCaul. That opening statement was not delivered 
to this committee. Is that correct?
    Ms. Stempfley. I believe I--you mean an oral statement or a 
written statement?
    Chairman McCaul. We--well, we did not have your written 
opening statement.
    Ms. Stempfley. I believe that----
    Chairman McCaul. Until 9 o'clock this morning.
    Ms. Stempfley. Yes, until this morning. I believe that is a 
true statement--5 copies----
    Chairman McCaul. So it was held up by somebody, correct?
    Ms. Stempfley. Again, sir, I----
    Chairman McCaul. I see you have to refer to counsel. But 
can you tell the Chairman?
    Ms. Stempfley. There is a process for----
    Chairman McCaul. Of course there is. But when did you 
finish your draft of your opening statement?
    Ms. Stempfley. Thursday? Thursday?
    Chairman McCaul. So Thursday, and here we are today----
    Ms. Stempfley. Yes, sir.
    Chairman McCaul [continuing]. You know, many days later. 
Who approved your statement?
    Ms. Stempfley. Who approved my statement?
    Chairman McCaul. Correct.
    Ms. Stempfley. It goes through a series of--the gentleman 
who understands the process better than I do. I submit it to 
the Department, and the Department submits it forward.
    Chairman McCaul. Okay.
    Ms. Stempfley. I am not sure--I don't have a name of who 
approved it.
    Chairman McCaul. You do not know who held up your 
statement.
    Ms. Stempfley. I don't know, sir.
    Chairman McCaul. Okay. I would like to know who did, and 
why. Because as Mrs. Miller stated, this is not typical.
    Ms. Stempfley. I understand.
    Chairman McCaul. In fact, extraordinary. I personally think 
it is due to the sensitivity of this issue. I would like to 
know whether the White House did hold this statement up.
    With that, the Chairman now recognizes the gentleman from 
Nevada, Mr. Horsford.
    Mr. Horsford. Thank you, Mr. Chairman. I will try to be 
brief.
    I want to fist associate myself with the comments of the 
Ranking Member and several other Members of the committee who, 
like myself listening to my constituents, am concerned about 
where things stand with the roll-out of the Affordable Care Act 
website and the ability for my constituents and constituents 
across the country to effectively access and shop for plans 
that are available. Fortunately, in the State of Nevada, our 
Governor, despite being opposed to the law, worked with the 
legislature to implement a State exchange.
    So we are better off than many States that have--continuing 
to oppose the implementation of the laws, as required. I am a 
bit perplexed by some of the comments that have been made this 
morning by my colleagues on the other side that are so outraged 
by the glitches and the fact that there are security concerns 
with HealthCare.gov. Particularly because, as a Member of the 
Subcommittee on Cybersecurity, Infrastructure Protection, and 
Security Technologies, we have had many, many, many hearings 
about the vulnerabilities of personal identifiable information 
in the private sector, as well.
    There are financial institutions, there are private health 
care companies that do not do a good job of protecting that 
information in the private sector. So if we could just work 
together, the two sides, to identify those challenges, and work 
towards solving them in both the public and private sector, 
then I think the public would be better off. But unfortunately, 
we have things like the House Republican playbook that helped 
to disseminate information for how people shouldn't navigate 
the system effectively and, instead, just bring the negative 
information forward.
    So I want to just ask our panel a couple of questions. 
First, Ms. Stempfley, thank you very much for being here. I 
know you have testified several times before the Subcommittee 
on Cybersecurity, Infrastructure Protection, and Security 
Technologies before. To the best of your knowledge, are the 
HIPAA privacy and security standards applicable to the 
exchanges and the data service hub?
    Ms. Stempfley. Sir, as I believe I said, I am not a HIPAA 
expert. So I would be happy to find one to answer that question 
for you, but you are certainly on the edges of my personal 
knowledge.
    Mr. Horsford. From my understanding, obviously the HIPAA 
rules as established set Federal standards to protect 
individually identifiable health information. That is a Federal 
requirement.
    Ms. Stempfley. Yes.
    Mr. Horsford. Correct?
    Ms. Stempfley. Yes.
    Mr. Horsford. The Department of Homeland Security is 
required to meet those Federal privacy and security standards, 
correct?
    Ms. Stempfley. As with HHSB, yes, sir.
    Mr. Horsford. So how do you go about doing that within your 
Department?
    Ms. Stempfley. Forgive me, sir. Can you ask the question 
one more time?
    Mr. Horsford. How does the Department of Homeland Security 
go about ensuring Federal privacy and security standards apply 
under HIPAA?
    Ms. Stempfley. Thank you. Great, thank you. So I--in my 
office in DHS, we don't actually operate systems who contain 
that kind of information. So I can speak in general terms about 
the kinds of requirements we would operate under, and assume 
that the HIPAA requirements would be similar in that situation. 
So we are required to submit forward a package of evidence 
demonstrating our compliance with each of these requirements to 
the accrediting official.
    Then the accrediting official reviews that package of 
evidence to determine that--to demonstrate that we have, in 
fact, provided that compliance as they are making their 
accrediting decision.
    Mr. Horsford. Does the same apply for immigration?
    Ms. Correa. Yes, sir, that is correct. From a system-owner 
standpoint, that is the process that we follow. We submit the 
package of information. It goes to the accreditation official, 
which normally resides within the chief information officer's 
office, and they do the accrediting of the system.
    Mr. Horsford. One last question in my concluding time 
allowed. The issue around the breach procedures. When there is 
a breach, what is the requirement in Federal law for the 
notification of the individual and States if the breach reached 
a certain number of individuals?
    Ms. Stempfley. So, certainly, one of the things that we 
have been talking about with the subcommittee, sir, is that 
there is not a single Federal breach require--Federal law 
associated with data breach requirements. That there is a 
multitude of State laws that are out there. So I appreciate 
your raising this issue that I know we have spoken of. When it 
comes to Federal systems, if personally identifiable 
information is, in fact--there has been a breach of personally 
identifiable information, Department and agency leadership are 
responsible for making a determination of the scope of that 
breach and for reporting that to the Department of Homeland 
Security. We also through the annual report forwarded both to 
OMB and to--and in the FISMA report.
    Mr. Horsford. Thank you, Mr. Chairman.
    Chairman McCaul. The Chairman recognizes the gentleman from 
Utah, Mr. Stewart.
    Mr. Stewart. Thank you, Mr. Chairman. I am gonna go 
quickly. There is a lot I want to cover.
    I want to come back to a couple comments that have been 
made previous, and then--to the witnesses. To Mr. Horsford, I 
appreciate your comments about trying to work together. I would 
remind the committee that that is what we were trying to do. 
That is why we asked the administration for a delay. But the 
President assured us again and again and again, he promised the 
American people we are ready. That is why he refused to work 
with us on any kind of a delay. Of course, we found out now 
that that is not the case.
    I want to come back to--just very quickly, about your 
opening--not your opening comment, but your opening statements. 
Did anyone ever advise either of you that they were not going 
to submit those statements to the committee?
    Ms. Stempfley. No, sir. I believe it was the 5th of 
November when I was asked to speak in front of this committee, 
and no one has advised that they weren't gonna be provided.
    Mr. Stewart. So----
    Ms. Stempfley. It was just a number of days between the 5th 
of November and the----
    Mr. Stewart. Okay. So last Thursday you prepared your 
opening statements. You passed those up the line. No one ever 
asked you to revise them, no one ever indicated any problems 
with them. They just disappeared and no one ever saw them, 
including the committee, until this morning. Is that right?
    Ms. Stempfley. Sir, a number of grammatical errors were 
identified and corrected----
    Mr. Stewart. But nothing substantial.
    Ms. Stempfley [continuing]. In the course of it. But no, 
there was no----
    Mr. Stewart. They didn't come to you say this is 
unacceptable, we can't submit this the way it is.
    Ms. Stempfley. There was--I am trying to remember what it 
started and what it looked like when I got it back. But it was 
effectively--it was written and it was sort of choppy and 
smoothed out. But there were no changes.
    Mr. Stewart. Okay. So as far as you know, your opening 
statements were acceptable. Okay. But, apparently, someone 
concluded they were not because they were not submitted to the 
committee.
    Ms. Stempfley. Sir, I would not--respectfully, sir, I 
believe it was just a matter of between the 5th of November and 
the 13th of November----
    Mr. Stewart. Okay.
    Ms. Stempfley [continuing]. Going through the set of 
processes. It wasn't a----
    Mr. Stewart. Well, perhaps. Although I think there may be 
others who would say that it was more than just that. But let 
me move on, if I could.
    You are both Federal employees, and you both will stay on 
the Federal Employee Health Benefits program. Is that right? 
Yes. You are not gonna move to the exchanges. Of course, both 
of you realize that I will, Members of the committee will, all 
of our staff will. In fact, tens of millions of Americans are 
gonna be forced to move onto the exchanges beginning, you know, 
January 1, where they will be forced, in order to do that, to 
provide very, very private information.
    The President won't move onto the exchanges, will he? No. 
No, of course he won't. Neither will any of his Cabinet, 
neither will Kathleen Sibelius, Secretary of HHS. Knowing that, 
do you understand and can you help the American people 
understand why we are more concerned, apparently, about the 
security of our private information? I am speaking now not for 
myself or my staff. I am speaking for tens of millions of 
Americans. What would you say to them who are concerned about 
their security, knowing that they have to do something that the 
administration and the Cabinet and the Secretary will not have 
to do? That is, join the exchanges and provide this type of 
private information.
    What could you say to them to make them feel better about 
that?
    Ms. Stempfley. Sir, I have 20 years in the Federal 
Government, and much of that focused on ensuring that 
cybersecurity is important to the American public and important 
to the people who build and operate applications, whether it be 
in critical infrastructure or in the Federal Government. It has 
been a passion of mine for a number of years. It is one of the 
reasons why I am in the job I am in.
    Mr. Stewart. Yes. Knowing your background there, and 
knowing it is your passion and that you have 20 years' of 
experience, it must be incredibly concerning to you to see some 
of the failures that--and some of the inherent weaknesses that 
are apparent within this website. Does that--is that true? Does 
that bother you, knowing that it is not as secure as it should 
be?
    Ms. Stempfley. I believe the environment that we all 
operate in today and the dependence on information technology 
and our critical infrastructure and in other places, it is 
certainly an area of focus and concern. I am not personally 
familiar with all of the specifics in health care--in this HHS 
application. So I am, unfortunately, not in a position to----
    Mr. Stewart. Let me ask--let me finish with this last 
thing. DHS, 99 percent compliant with the FISMA standards, with 
the Federal Information and Secretary Management Act--99 
percent. HHS, 50 percent compliant. Yet HHS did not seek out 
any council and expertise, any briefings or guidance from DHS 
in implementing and designing the security around their web 
page. Any explanation for why they wouldn't seek guidance from 
DHS, knowing that they were experts on this and that HHS was 
not?
    Ms. Stempfley. As I believe I said--that as we make 
departments and agencies aware of the capabilities that the 
Department has it is incumbent upon them to pick the best time 
in the operational life cycle of their systems and applications 
for the engagement. I----
    Mr. Stewart. Okay. I wish they had done that previous to 
the portals being open, and not after the fact. But I am out of 
time, and Mr. Chairman thank you for the hearing.
    I yield back.
    Chairman McCaul. I thank the gentleman.
    The gentleman from Arizona, Mr. Barber, is recognized.
    Mr. Barber. Thank you, Mr. Chairman. I thank you for having 
this hearing. Also, thank you to the witnesses for your work as 
well as for being here today.
    I think it has been said, but I certainly agree that the 
roll-out of the Affordable Care Act has been--the website, in 
particular, has been just a disaster. I think all of us find it 
totally unacceptable that we would be in this position. While 
the ACA offers many benefits to millions of Americans, I have 
repeatedly said that there are provisions that need to be 
fixed, there are unintended consequences that need to be dealt 
with. We need to move on that, I think, in a bipartisan manner 
in this Congress.
    Now we come to a potential new problem. We don't know the 
magnitude of it because it is early days. Obviously, since so 
many people have not been able to get on the website we really 
don't know yet how much personal information might be at risk. 
Americans are putting data in, in order to even begin the 
process, that is very sensitive information. I do share the 
Chairman's concern that the Department of Health & Human 
Services has a very poor record of cybersecurity, generally 
speaking. Now, of course, more information than ever before is 
gonna be available through their system.
    I think the American people, generally speaking, are very 
concerned about their privacy on a number of levels. I mean, we 
can go into other areas--we won't today--but this is a new area 
of concern. So having said that, I really believe that unless 
we can give some assurances that the privacy of information in 
HealthCare.gov is adequately protected it will undermine the 
American people's confidence in that system and they may choose 
not even to explore their benefits that are available on that 
website, when it gets fixed.
    So having said that, Mr. Stempfley, your office is 
responsible for maintaining the security, reliability, and 
resilience of our Nation's cyber and communications 
infrastructure. This oversight and general maintenance 
obviously pertains to our critical infrastructure. But it also 
pertains to the security of Federal Governments' cyber 
networks, which interface with the private sector and with 
individual users to access Federal Government websites.
    I would agree--I hope you would agree, we must be vigilant 
in monitoring and upgrading our systems, and design them to be 
as ironclad and as impenetrable as possible, particularly those 
systems that house sensitive user data such as HealthCare.gov. 
Now, having said that, Ms. Stempfley, could you talk, in very 
specific ways, about the steps that your office has taken to 
ensure that data that is inputted by American people into the 
HealthCare.gov network, how it has been protected or will be 
protected, and how have your actions been informed by the 
attempted incursions that you talked about earlier?
    Ms. Stempfley. Sir, the Department of Homeland Security's 
engagement with the Department of Health & Human Services has 
been about general threat information provision of best 
practices and a requirement of compliance reporting. We have 
provided a verification that Health and Human Services has 
complied with as domain name security. That is a set of 
technologies that translate internet addresses, the machine-
readable information, to human-readable; so when you type 
www.google.com the internet knows how to translate that.
    So we have been able to assure--provide verification that 
have complied with that level of security in their environment, 
as well. However, we have not been in a specific architectural 
conversation with the Department of Health & Human Services on 
this application.
    Mr. Barber. Have you had any discussions with Health and 
Human Services subsequent to identifying, as you said, perhaps 
16 incursions, actual or attempted?
    Ms. Stempfley. We have had an operational conversation 
between their security operation center and our US-CERT about 
these particular activities. As I pointed out, these are under 
investigation. These reports came in in the November 6, 7, and 
8 time frame. So there is a period of time where we have to go 
through a verification and determination.
    Mr. Barber. Yes, I appreciate that you have to check in to 
make sure that you have some--you can verify what is really 
going on. But I would urge you, obviously, to speed up that 
process. Because if and when the website is fully operational--
and we are told it will be operational by December--I would 
expect we will see many more and we need to be prepared for 
that. I guess my final question is: What plans do you have for 
on-going monitoring of the security of the website?
    Ms. Stempfley. I appreciate the question, sir. A set of 
capabilities that the Department provides, including one you 
may know of, is EINSTEIN intrusion detection capabilities, the 
Center for Medicare and Medicaid Services will be moving its 
applications behind in the second quarter of calendar year 
2013. HHS has been active in attempting to get behind this 
capability, but had to work through some specific statutory 
language that was in their statutes. Given that I know this 
committee has been supportive of, we have been trying to work 
to get some positive authorization language for these CHS 
programs that would have shortened that time frame.
    Additionally, they have agreed to be an early adopter of 
the continuous diagnostics and mitigation capability. So we are 
anxious to get that provided to them. The contract is due to be 
released today or tomorrow for the acquisition of those 
capabilities.
    Mr. Barber. Thank you for the extra time, Mr. Chairman.
    I yield back.
    Chairman McCaul. Yes, let me thank the gentleman for 
raising one issue. That is, you know, EINSTEIN has been around 
for awhile. It seems to me that it should have been applied to 
this website and to HHS. I think anything we can do to expedite 
that would certainly be in the best interest of the United 
States.
    So with that, the Chairman now recognizes the gentleman 
from Montana, Mr. Daines.
    Mr. Daines. Thank you, Mr. Chairman. I spent 20 years in 
the private sector prior to coming up to Congress. In fact, the 
last 12 years, an executive with a cloud computing company. 
Publicly-traded; we took the company public, Oracle acquired 
us. So the point is, I have worked in the enterprise space with 
very, very large organizations from around the world and 
understand the importance, certainly, of privacy as well as 
reliability.
    As a taxpayer, I think it is outrageous as I have seen what 
has happened here, where we have taken $500 million--by some 
estimates--to what this project costs--taken out of the pockets 
of hard-working taxpayers into a system that has failed. The 
numbers are astounding from the benchmarking. Facebook--
Facebook was operational for 6 years and didn't hit the $500 
million mark. Twitter, operational for 5 years, $360 million 
operational investment. Instagram, $57 million investment.
    LinkedIn and Spotify didn't even get to the $300 million 
mark in operational. So there will be a lot of questions, 
certainly, about the cost and benefits, and value for the 
taxpayer. That is not why we are here, but I want to pivot over 
here to the issue of security. CBS News reported Monday evening 
that Mr. Chao, who was the chief project manager of 
HealthCare.gov, testified last week for 9 hours. CBS is 
reporting that there was a memo that went out 27 days prior to 
the launch of the website, on September 3, that said--and this 
was given to senior officials at CMS--there were two high-risk 
issues that were redacted for security reasons.
    The memo--I see counsel here is giving advice--the memo 
said the threat and the risk potential is limitless. Sir, I 
want to make sure she hears the question. The risk and the risk 
potential, the threat is limitless. It said CMS said the 
deadlines to fix these were around mid-2014 and early 2015 to 
address them. In fact, Mr. Chao testified to these security 
gaps. By the way, when they said ``high-risk,'' what high-risk 
means is, according to Federal guidelines--``the vulnerability 
could be expected to have a severe or catastrophic adverse 
effect on organizational operations, assets, or individuals.''
    Mr. Chao testified that security gaps, as reported by CBS 
here, could lead to identity theft, unauthorized access, and 
misrouted data. As somebody who had to serve large 
organizations, people would have been fired, the company would 
have gone under--our company--had we launched a website with 
these kinds of errors. I understand about risk management and 
so forth. But it seems that we leaned in to launch--the Federal 
Government did--knowing that there were high-risk security 
issues.
    Now, as you mentioned in your written testimony, the DHS is 
the lead for securing and defining Federal civilian 
unclassified information technology systems and networks 
against attacks. First, what, if anything, did you recommend as 
far as policies to CMS and the folks who are running the 
project here for the HealthCare.gov?
    Ms. Stempfley. As we engage with chief information officers 
in the SISOs, we provide a range of information; from general 
threat briefings, which we provide to the CIO council on a 
regular basis, to best-practice activities as well as 
information about FISMA compliance as they go forward. We 
provide this at a Department level and to participants in the 
CIO forum and SISO forum. There has not been a specific 
interaction about--focused on this particular site.
    Mr. Daines. So if, indeed, what CBS reported here and Mr. 
Chao's testimony last week before a committee--if, indeed, 
there was limitless potential, as I quote the report, for 
security risks, knowing this would you have rolled out the 
HealthCare.gov site on October 1, 2013?
    Ms. Stempfley. Sir, I am not aware of all of the 
information that goes into that went into that.
    Mr. Daines. But my question is, if you knew that. As 
somebody who has the lead here of 20 years' experience, and if 
I quote your written testimony here, you have the lead for 
securing and defining Federal and civilian unclassified 
information, knowing there was limitless potential for security 
risks, as reported, would you have rolled out, would you have 
pushed the button to say ``go'' on October 1, 2013?
    Ms. Stempfley. Respectfully, sir, I have been an 
accrediting official before. These are very difficult decisions 
that you make as a part of it, and I couldn't speak to a----
    Mr. Daines. But with all due respect, you are the assistant 
secretary----
    Ms. Stempfley. I am----
    Mr. Daines. Leadership is about the buck has to stop 
somewhere. Would you have made that decision, knowing there 
were limitless risks, if the report is correct?
    Ms. Stempfley. Respectfully, sir, I can't answer a 
theoretical in this situation. There is a multitude of 
information that goes into it. The amount of risk that a 
particular site operates under is certainly one vector or one 
input point.
    Mr. Daines. All right. Well, I will conclude. The irony, 
perhaps, in this is that the failure of the website launch on 
Obamacare may indeed have been the best safeguard for the 
American people to protect their personal privacy, given the 
risks now that are being identified in this launch. That is the 
irony. Because if the American people were prohibited to have, 
what, six people sign up the first day perhaps that is 
protecting the American people because they didn't have a 
chance to enter it in the first place.
    Yield back.
    Chairman McCaul. I thank the gentleman. The gentleman 
from--Mr. Richmond is recruited, from Louisiana.
    Mr. Richmond. Mr. Chairman, I guess this hearing is 
appropriate, and I guess the title is appropriate. It reminds 
me of the same show, same one-trick pony, that we keep hearing 
over and over again. The question or concern that I have is 
that, you know, this is a self-fulfilling prophecy. We keep 
talking about how bad Obamacare is. We talk about the fact 
that--discourage everyone that it is not safe. When they don't 
enroll, some of us will declare victory and take glee in the 
fact that people don't have health insurance.
    At the same time, we run around proclaiming ourselves to be 
the Christian Right. So I guess my frustration is that there 
are many things that we could come together and do. We tried 
last year to come together and pass a cybersecurity bill that 
was bipartisan. What happened when it was time to mark up that 
bill and pass it to the floor? The Republican leadership came 
back and said it went too far, and Republicans had to sit in 
the room and gut their own cybersecurity bill. Which never made 
it to the floor, which we never passed.
    We sit here today to talk about cybersecurity and how much 
confidence we should have in HealthCare.gov, when we lack 
confidence in many areas of cybersecurity, which we have done 
nothing about, we have not passed a bill.
    Chairman McCaul. Will the gentleman yield?
    Mr. Richmond. I certainly will.
    Chairman McCaul. We have conducted over 300 meetings with 
the private sector. You are referring to last Congress, before 
I assumed the Chairmanship. I am fully committed to marking up 
a cybersecurity bill. It is obviously very complex. I want to 
do it the right way. I appreciate the work that Ms. Stempfley 
does in terms of cybersecurity. So know that that is just--as 
the border security passed in a bipartisan way, I am fully 
committed to doing that work in a bipartisan way.
    I yield back.
    Mr. Richmond. Mr. Chairman, I believe you. I believe that 
Chairman King wanted to do it also. But it was--and we marked 
it up in a bipartisan way, and the Republican leadership gutted 
it. It still didn't make it to the floor. I just say that in 
the fact that I think that we should all have one purpose. That 
should be to try to make this a success. Whether you agreed 
with it or not, it is the law of the land. Let's try to get 
people health care, get people healthier, and all of those 
things. Because that is what my interpretation of what we 
should be doing.
    See, and I am not defending the launch. The launch was 
deplorable. However, what real leadership does is acknowledge 
that it is deplorable, and fix it. So the question would become 
when we feel that the website is safer are we going to have 
another meeting to let the people know that we feel it is safe 
and encourage them to enroll? I would suggest that the answer 
would be no because we want to keep that fear out there to 
reduce the number of people that enroll.
    So my question would be, to Ms. Stempfley and to Ms. 
Correa, basically the title of the committee, which I hope you 
can give a short answer, but: Just how secure is the 
information? Do you have faith in the security of the 
information that people input into the website?
    Ms. Correa. I will give Ms. Stempfley a short break. Thank 
you for your question. I really couldn't answer that question. 
Because, as I have indicated from our discussion, what we see 
is the information that is submitted through the hub to ask for 
the immigration status of a particular applicant. So I couldn't 
really talk to the front end of the process. Thank you.
    Ms. Stempfley. The America public gives the Government its 
information in a variety of places and sources. Certainly, in 
my experience with SISOs, the information security officers 
throughout the Federal enterprise, they are committed to the 
obligation that they have in securing these systems and 
applications. I am not familiar with the specific security 
features of the 10,000 applications that HHS operates, for 
example, nor am I familiar with the specific security features 
of the tens of thousands and hundreds of thousands of 
applications across the Federal enterprise.
    But I do know that in the Department of Homeland Security 
and with the SISOs that I work on a regular basis they are 
all--feel passionately about their obligation to protect this 
information that the America public gives the Government.
    Mr. Richmond. With the knowledge and expertise that you 
have in this arena--and you do it every day, and subject-matter 
expertise--two-part question: Would you enter your information 
into the exchange, the web portal? If not, would you do it at 
the end of the month? At what point do you feel it is ready for 
you to input your information?
    Ms. Stempfley. So I, like all of us, put our information in 
a variety of systems and applications, whether it be my bank, 
whether it be HHS. I have family information in the HHS system 
because I am also a taxpayer. I do that, recognizing that 
whenever I give my information to someone else, under any 
circumstances, there is a--you know, there is a potential of it 
being at risk. Whether it be, again, my bank or my electric 
company or a Federal enterprise. But I do it because I believe 
the benefit of doing so outweighs whatever that risk might be.
    Mr. Richmond. Thank you, Mr. Chairman. I yield back.
    Chairman McCaul. I thank the gentleman.
    The Chairman recognizes Mr. Hudson, from North Carolina.
    Mr. Hudson. Thank you, Mr. Chairman. I want to thank you 
for having this hearing today on this very important topic. You 
know, I go home every weekend, I travel my district, I talk to 
my constituents as much as possible. I have been inundated with 
calls and mail from my constituents who are deeply concerned 
about the implementation of the Affordable Care Act. Lately, 
the news reports about this implementation have focused on the 
website.
    As my colleague said, it has been a disaster. A lot of 
attention has been focused on the premium increases. North 
Carolina has been hit harder than most States. Women in our 
State can expect their rates to triple; men can expect them to 
quadruple, on average. So a lot of attention has been given to 
that problem. Then we have heard a lot about loss of coverage. 
I was talking to a husband in Rockingham the other day whose 
wife has an acute illness. Their doctors told them that under 
the Affordable Care Act he is no longer gonna offer them care.
    So these are huge problems. But I think what has been lost 
in all this are these issues, this important issue, of security 
of our private information. I mean, we have an unprecedented 
collection of data that the Government is undertaking now of 
personal information. It is unprecedented that the Government 
will be collecting these types of information through one 
process. So it is important that we talk about this and we 
examine the issues here.
    I am disappointed that our--I appreciate your all being 
here, I appreciate the job you do. It is disappointing, though, 
that DHS doesn't--isn't able to answer questions about this 
website. That DHS doesn't have a working understanding of how 
the security parameters of this website were set up. It is 
deeply troubling to me that HHS, CMS hasn't asked the folks who 
are the experts in this--Secretary Stempfley's organization--to 
help with this implementation.
    Why wouldn't you go to the experts when you have got a huge 
problem? Especially when one of the architects of this website 
said, ``that there is limitless potential for security risks.'' 
These are the folks building the website, have said this is a 
huge problem. Yet they are not asking people who are experts at 
this how to help them. So I appreciate you being here, Ms. 
Stempfley, and I am--again, I appreciate the work you do. I am 
just sorry you weren't more involved in this because the 
American people deserve every effort we have as a Government to 
protect them.
    So I will focus my questions on a different topic related 
to this: Ms. Correa, one of our colleagues earlier asked the 
question what happens if we run a query about someone's 
citizenship, and we determine that they are here illegally, or 
an undocumented person. Would you tell me what happens at that 
point? Is any action taken, any enforcement action on that 
individual?
    Ms. Correa. Thank you for your question, sir. Again, as I 
mentioned before, the way the process works is, an individual 
who presents themselves to a benefit agency, a benefit-granting 
agency, has to present the information, documentation, on their 
status. Whether they are a citizenship or they attest, if you 
will, in their application as to whether or not they are a 
citizen. If they are not a citizen, then the information is 
processed as a query.
    Mr. Hudson. If I can interrupt real quick. So it is up to 
their own word as to whether they are a citizen or not? Self--
--
    Ms. Correa. They are--when they apply for a benefit, they 
are filling out a form. On that form they typically attest what 
their status is, whether----
    Mr. Hudson. So if they choose to mislead and say they are, 
there is no----
    Ms. Correa. If the agency, the benefit-granting agency, 
would then, if they attest that they are not a citizen or the 
Social Security Administration cannot confirm that they are a 
citizen, would then request their information and process a 
query through SAVE. SAVE would then go out and ping our 
databases to identify what the immigration status of that 
individual is. Typically, our response is either to give what 
the immigration status is, or if we cannot confirm the 
immigration status, then we prompt the agency to go through the 
additional verification steps.
    As I described, the second step they could provide 
additional information, other documentation, or other names 
that the individual may have used.
    Mr. Hudson. So at the end of the process, if you determine 
you can't verify they are a citizen, what happens then?
    Ms. Correa. At that point, what we notify the agency to do 
is to tell this applicant to schedule an appointment with 
USCIS. We give them the pertinent information to come in and 
see us. Because there could still be an error in their record. 
So what we do is try to have an appointment with them, come 
visit one of our adjudication officers who would then look at 
their data and look up their information in the records 
database.
    From a SAVE standpoint, we don't take any further action. 
In other words, we cannot change an individual's record. We do 
not tamper with the record at all whatsoever. We refer them to 
one of our adjudications officers, who would then look at the 
information.
    Mr. Hudson. So as my time is running out--so if someone--
you can't verify they are a citizen, they don't come in to see 
you, that is it. We don't follow up, we don't enforce any 
immigration law on this illegal person.
    Ms. Correa. Not that I am aware of, sir, but I could 
confirm that for you.
    Mr. Hudson. If you wouldn't mind, I would appreciate that.
    Mr. Chairman, my time has expired. I will yield back.
    Chairman McCaul. I thank the gentleman.
    The gentlelady from Texas, Ms. Jackson Lee, is recognized.
    Ms. Jackson Lee. Mr. Chairman, let me thank you, as well, 
and Mr. Thompson for this hearing. I always believe that the 
exercise of our oversight is crucial and important. I think 
this is the first hearing that I have been in since the loss of 
Mr. Gerardo Hernandez, and I want to publicly offer my deepest 
sympathy to him and his family. That is the transportation 
security officer killed in the line of duty, which reinforces 
that the U.S. Department of Homeland Security is on the front 
line, all of your staff and personnel. Would you offer to all 
of them my deepest sympathy, and to his family.
    I wanted to pursue a line of questioning that I think may 
be helpful to us. First of all, I think it is important to note 
that this committee invited DHS on November 5, which gives less 
than 8 days, because of an intervening holiday. So let me thank 
you for getting your testimony in as quickly as possible. I am 
not at the agencies, but I do know that there is a layer of 
review. Although you may be an eloquent writer, you may be a 
poet laureate, I know that they have to review your work. So I 
am grateful that you got it in.
    One of the things that is happening all over the Congress 
today, we have got sequester issues, budget issues. But we are 
dealing with the Affordable Care Act and oversight and homeland 
security and small business. Certainly, I think it is important 
to emphasize that the Affordable Care Act is here and it deals 
with health care. It deals with having the ability to have 
insurance if you have a preexisting disease. You can stay on 
your family's insurance to age 26; preventive care and wellcare 
examples. It is a solid piece of legislation, and I am grateful 
that it is here.
    Like my colleagues, I am dogged about fixing the technology 
and, as well, dealing with our privacy and the protection of 
the privacy of the American people. They should know that. That 
collectively, as Republicans and Democrats, we will not yield 
any moment, any minute, any second to protecting their private 
data. In fact I have joined on to legislation by my colleague, 
Jim Sensenbrenner, to, in essence, protect American citizens 
with any reach of privacy beyond what is required for security 
under the National Security Agency. I take no back seat to 
that.
    So in making that point, I want to just emphasize what I 
think your work is. Let me go to Ms. Correa, and indicate--and 
let me just make the point. There is always a representation 
that Republicans had nothing to do with the Affordable Care 
Act. Well, it was the Republicans' amendments that required the 
checking of citizenship and income. That was their language. I 
am surprised that every time we see a Republican, my friends, 
they are talking about ending the Affordable Care Act. We never 
got any amendments in. They got eons of amendments in to this 
bill.
    That was one of them, which requires this simplistic data 
collection, which is simply that. So I want to ask the 
question. This is data collection that is basically information 
on income and citizenship. These fields of data are checked 
with the records of accuracy. Is that what you do, Mr. Correa? 
When it comes in, you check the accuracy on citizenship issues?
    Ms. Correa. That is correct.
    Ms. Jackson Lee. All right. Once it is checked, is this 
information kept or discarded? The inquiry and the information?
    Ms. Correa. We retain the transaction information because 
we go back and do quality control checks to make sure we are 
giving accurate information. But we do not download the actual 
record. Only the immigration status and the----
    Ms. Jackson Lee. So what do you specifically keep?
    Ms. Correa. That information--the immigration status, the--
--
    Ms. Jackson Lee. When you have an inquiry from HHS.
    Ms. Correa. We retain the inquiry information that was 
received. The individual's name, their alien registration or I-
94 number.
    Ms. Jackson Lee. That you received an inquiry from HHS. How 
long do you keep it?
    Ms. Correa. I would have to confirm how long.
    Ms. Jackson Lee. Well, you need to get an answer about how 
long you keep it. Is it protected information?
    Ms. Correa. Yes, it is.
    Ms. Jackson Lee. Have you been hacked?
    Ms. Correa. I am not aware that we have been hacked. I will 
confirm that for you, but I am not aware that we have been 
hacked.
    Ms. Jackson Lee. So what is your measure of securing it?
    Ms. Correa. Our system is accredited and certified by our 
chief information officer.
    Ms. Jackson Lee. Do you do regular checks?
    Ms. Correa. Yes, we do.
    Ms. Jackson Lee. Is it your highest responsibility to 
protect this information of the American people?
    Ms. Correa. Yes, it is.
    Ms. Jackson Lee. You only get--you get information. Suppose 
someone is calling for Mr. Garcia, who is a citizen. Are you 
keeping that inquiry, as well?
    Ms. Correa. In the SAVE program, no. If the individual has 
attested they are a citizen----
    Ms. Jackson Lee. Yes.
    Ms. Correa [continuing]. And Social Security has been able 
to confirm, then we would never receive that query.
    Ms. Jackson Lee. All right. So therefore, it is only 
individuals that may be in question.
    Ms. Correa. Correct.
    Ms. Jackson Lee. You are checking this every day.
    Ms. Correa. Yes, as query----
    Ms. Jackson Lee. Or a regular basis.
    Ms. Correa [continuing]. As queries are received, yes.
    Ms. Jackson Lee. Let me go to Ms. Stempfley. You are the 
lead agency that coordinates on the cybersecurity for other 
agencies in the United States. The other--you sort of lead, but 
you have the point that the other agencies also have 
responsibility for their cybersecurity. Is that correct?
    Ms. Stempfley. Yes, ma'am.
    Ms. Jackson Lee. But as your Department, or your subset 
Department, DHS, do you feel that there are competencies under 
your jurisdiction that are attentive to protecting information 
and preventing hacking through the DHS agency and in 
coordinating with the other agencies?
    Ms. Stempfley. Yes, ma'am, we are very focused on that. My 
part in the Office of Cybersecurity and Communication, and 
there are competencies in the data operation centers through 
the Federal enterprise.
    Ms. Jackson Lee. So what--if we were to keep this system in 
place, based upon Republican amendments, into the ACA--checking 
income and immigration status, and that was being held--you 
deal with cybersecurity, you deal with the potential of hacking 
or information going in a different direction that it should 
not go. What is your level of confidence and your level of 
competence that you are working in a coordinated fashion, but 
have the level of technology that can assure, as much as 
possible, the protection of this information?
    Ms. Stempfley. So I am very grateful both for the question 
and for this committee's continued support of DHS authorities 
and support of important programs that will improve both the 
competence and confidence in this area. As we have been talking 
about the continuous diagnostic and mitigation activity and the 
FISMA reform efforts that will both increase the awareness 
across the Federal enterprise of the operational risks that 
systems are operating under on a daily basis, and enable 
accrediting officials to take that into account in something 
more often than annual or every 3-year accreditation processes. 
As well as I believe I----
    Ms. Jackson Lee. But are you confident in your present 
structure in your oversight on cybersecurity? That is, 
information is being gathered; you don't compare this to the 
Veterans Administration loss of 24 million records under the 
Bush administration. We are not at that----
    Ms. Stempfley. We are not at that----
    Ms. Jackson Lee. We are not at that point. So are you 
confident, as this huge process is going forward, that we have 
a system in place to protect that information?
    Ms. Stempfley. Yes, ma'am.
    Ms. Jackson Lee. I thank you very much for your answers.
    Mr. Chairman, I hope that we can rid ourselves of 
sequestration so we can invest more in the work that is being 
done by Ms. Stempfley and Ms. Correa. I yield back, thank you.
    Chairman McCaul. I thank the gentlelady. Also, the 
gentlelady is correct that we did put provisions in to assure 
that only those legally in the country received this--that were 
eligible under this law. Also, we both agreed that if you have 
a preexisting condition you cannot be denied coverage, as well.
    I will just add lastly that we did make a request for the 
statement, the opening statements, on August 31, and that is 
almost 2 weeks. I am sorry, October 31, nearly 2 weeks.
    So with that, the Chairman now recognizes the gentleman 
from Pennsylvania, Mr. Barletta.
    Ms. Jackson Lee. Well, Mr. Chairman, I thank you. We 
recognize the pounding of work on these various hard-working 
public servants. As you well know, we were in the middle of a 
Government shutdown, and so I appreciate timely responses, Mr. 
Chairman. I hope that they will work to get timely responses.
    I yield back, Mr. Chairman. Thank you.
    Chairman McCaul. Yes, right. The Chairman recognizes Mr. 
Barletta.
    Mr. Barletta. Thank you, Mr. Chairman. Ms. Stempfley, I 
would like to continue on and follow up on some questions that 
Mr. Meehan had brought up earlier. Secretary Sibelius admitted 
that convicted felons could be hired as exchange navigators 
because there was no background checks system in place for 
these individuals. Why aren't we conducting background checks?
    Ms. Stempfley. Respectfully, sir, my area of expertise is 
cybersecurity. Physical security and personal security are 
outside of that area. I am happy to take the question, but I 
could only speculate and that seems inappropriate.
    Mr. Barletta. Okay. With your expertise in cybersecurity, 
do you think it would be a good idea to do background checks on 
these navigators?
    Ms. Stempfley. I believe one of the things that we 
certainly focus on is assuring the protection against----
    Mr. Barletta. I am just asking: Do you think it would be a 
good idea to do background checks on the navigators?
    Ms. Stempfley. I am happy--again, sir, I would be----
    Mr. Barletta. No. Do you think it would be a good idea? 
That is all I am asking, real simple. Do you think it would be 
a good idea to do background checks on navigators?
    Ms. Stempfley. I believe that all individuals should be 
vetted----
    Mr. Barletta. Good idea, bad idea?
    Ms. Stempfley [continuing]. Prior to access to the 
information that they provided.
    Mr. Barletta. Good idea, bad idea?
    Ms. Stempfley. I am not trying to evade, sir. I believe 
that all individuals should be vetted prior to access.
    Mr. Barletta. I am not gonna get an answer. Ms. Correa, my 
time--I was mayor for quite some time. I remember one 
individual. He was in the country illegally. It took our 
detectives 5 hours to determine who he was. He had five Social 
Security cards, five different identities. You suggested a 
little earlier that illegal immigrants won't try to go through 
the system, and because you are using the SAVE system. I am 
gonna disagree with you.
    That is simply not true. We know, for a fact--is the SAVE 
system used for the SNAP program, do you know?
    Ms. Correa. Not that I am aware of. Sir, may I clarify? I 
wasn't trying to imply that an illegal alien wouldn't try. What 
I was trying to make clear was that they would have to have 
some form of documentation----
    Mr. Barletta. Do you think that they can get through the 
system?
    Ms. Correa. It is hard to say. It would depend on the 
documentation that they present.
    Mr. Barletta. Well, we know for a fact that illegal 
immigrants are able to access many Federal benefits through 
fraudulent documentations. We know that for a fact. That is--
you know, so I don't believe this Government program will 
really be any different. There is nothing that indicates that 
it will. So if you determine an applicant is in the country 
illegally, am I correct, there is no enforcement action taken?
    Ms. Correa. The SAVE program isn't making a determination 
whether that individual is here illegally, or not. What the 
SAVE program is doing is based on the information that was 
presented to us. We are going out and checking the Federal----
    Mr. Barletta. Well, it does tell if they are a lawful 
citizen.
    Ms. Correa. Whether they are here as----
    Mr. Barletta. Right. So, you determine that this individual 
is not lawfully here, there is no enforcement action taken?
    Ms. Correa. As I explained earlier, the determination that 
we make is whether we can confirm that individual's immigration 
status and provide that information----
    Mr. Barletta. Okay, so you determine that individual's 
status, that that person is not legally present in the United 
States. Is there any enforcement action taken?
    Ms. Correa. We don't determine whether the person is here 
legally or not because we are not seeing the individual. All we 
are seeing is the information that comes through the query.
    Mr. Barletta. So if the information that is presented is 
fraudulent, what happens?
    Ms. Correa. We don't have a way of determining if that 
information is fraudulent.
    Mr. Barletta. So we don't know.
    Ms. Correa. As it is presented.
    Mr. Barletta. So it doesn't seem like there is really any 
guard for illegal immigrants to access this program as they 
have been able to access many Government programs. We know 
there is fraud in so many Government programs. How can we 
assure the American people that this time we got it? This time 
we are not gonna let people illegally get into a program that 
they are not rightfully entitled to.
    Ms. Correa. Sir, if I may explain. I appreciate your 
question. The benefit-granting agency is the organization that 
is receiving the information from the individual and is privy 
to that information. They submit a query to us, where we go 
back and confirm----
    Mr. Barletta. But if the information is fraudulent.
    Ms. Correa. What we do is, the only way we could ever 
determine that is if somebody actually sees the documents and 
compares them to the individuals. That is why if we cannot 
confirm immigration status we do ask them to set up an--to 
refer the individual----
    Mr. Barletta. I am not real confident that we are gonna be 
able to stop it. I just want to close, Mr. Chairman. I am a 
huge baseball fan, huge baseball fan. Now that the Affordable 
Care Act has been rolled out, we find that the website doesn't 
work, that Americans' personal information is at risk, that 
felons could be navigators. This is only the first inning. The 
Obamacare batting average is not so good.
    If the Affordable Care Act was a baseball player, and I was 
the manager, I would bench him. Thank you.
    Chairman McCaul. I thank the gentleman for his analogy.
    With that, I want to thank the members of the first panel 
for their valuable testimony here today. With that, this panel 
is dismissed, and the clerk will prepare for the witness table 
for a second panel.
    I am pleased to welcome the second panel to today's 
hearing. Mr. Luke Chung is the president at FMS, Incorporated, 
a company he founded in 1986. In addition to being a primary 
author and designer of many FMS commercial products, Mr. Chung 
has personally provided consulting services to a wide range of 
clients. A recognized database expert, highly-regarded 
authority in the Microsoft Access developer community, Mr. 
Chung was featured by Microsoft as an Access hero during 
Access' 10-year anniversary celebration. Mr. Chung, really good 
to have you here.
    Our second witness, Mr. Waylon Krush is the chief executive 
officer of Lunar, Incorporated. He served over 15 years of 
experience in critical infrastructure protection, information 
operation, signal intelligence, system and telecommunications 
exploitation, and certification and accreditation. Prior to 
becoming CEO, Mr. Krush was a senior InfoSec engineer in AT&T's 
advanced systems division and chief of the information 
assurance group with the GRC/TSC.
    The witnesses' full written statements will appear in the 
record. I now recognize Mr. Chung for 5 minutes for his opening 
statement.

         STATEMENT OF LUKE CHUNG, PRESIDENT, FMS, INC.

    Mr. Chung. Well, thank you very much for having me. I am 
the president and founder of FMS, Inc., a privately-held 
software development firm located in Vienna, Virginia. For 27 
years, we have offered commercial software products and 
services. We have tens of thousands of customers in over 100 
countries, including 90 of the Fortune 100. In response to 9/
11, we created a product, Sentinel Visualizer, a link analysis 
solution for the counterterrorism, defense, and law enforcement 
communities.
    That work led to our only outside investor, InQTel, the 
CIA's venture capital arm. We also have a professional 
solutions group that creates custom software. An example is a 
humanitarian relief logistics system we built for the Pan-
American Health Organization and United Nations. It is deployed 
around the world, and I presume it is in heavy use right now in 
the Philippines. I am a graduate of Harvard College, with a 
bachelor's degree in engineering and a masters in physical 
oceanography.
    On October 1, I visited the HealthCare.gov website, eager 
to see what it offered. As a small business owner, I am faced 
with the challenge of purchasing health insurance for my 
company and family. Unfortunately, my shopping experience 
failed due to technical problems with the website. It was not 
designed to be customer-friendly, appeared to be developed by 
amateurs, and seemed to be untested. I sensed the site would 
not work for one person, much less a National enterprise 
quality solution that was needed.
    I wrote a blog post that day providing a nonpartisan 
technical assessment entitled ``HealthCare.gov is a Technical 
Disaster.'' I warned that the problems were far deeper than too 
many users, and concluded this would be a huge public relations 
problem that could doom the Affordable Care Act. That is what I 
saw on Day 1. My blog post went viral. After a week, I was 
quoted in the New York Times and have been on many radio and 
National TV news shows, which led to my appearance before you 
today.
    I would like to say that my firm is not involved with the 
development of HealthCare.gov, we did not bid on any portion of 
the project, and I am here to provide my perspective as a small 
business owner, someone experienced with database web 
development and familiar with the Government contracting 
process. Since I don't like being a critic without offering 
solutions, on October 14 I wrote another blog post outlining 
how HealthCare.gov could be built properly; a site that would 
match the customer buying process, be quicker to develop, 
easier to test, be more robust, support more users, and be more 
secure.
    It is not that complicated. This website does not provide 
health care. It does not even provide health insurance. It is 
supposed to let consumers shop and choose among health 
insurance plans, and then apply for a subsidy. It is 
essentially the automation of a paper form. So how did we get 
here? Originally, I thought the design decisions of 
HealthCare.gov were created by amateurs who didn't know what 
they were doing. Now I see the design decisions can be 
explained by considering what the contractors would choose to 
maximize profitability at every step of the way.
    The current Government contracting system discourages 
technically-qualified companies like mine. The big Government 
contractors are great at winning contracts, protesting lost 
awards, and generating change orders. They are not known for 
their technical expertise and would unlikely survive in the 
private sector. This is a complete breakdown in managing 
technology investments. Policymakers and politicians do not 
understand if a project should cost a million dollars or $200 
million, or the decisions they make that impact price.
    For instance, $200 million, at a generous $200 per-hours, 
is 1 million man-hours. That is 500 man-years. Forget the 
money. What could these contractors have possibly been doing 
with all that time? I propose that the Government needs to 
create a nonpartisan technology accountability office, TAO, 
similar to the GAO that is capable of assessing and managing 
Government technology projects. The TAO also needs to be 
empowered to enforce accountability.
    Bad performance does not seem to prevent contractors from 
winning new contracts. Multi-year and permanent bans should 
target underperforming vendors and their owners and the 
managers. Get refunds. In the private sector, vendors that fail 
like this would rarely be allowed back in an organization. In 
conclusion, I have provided written testimony with additional 
examples, information, and recommendations on investigating how 
so much money was spent for so little. This is a scandal beyond 
HealthCare.gov.
    Unfortunately, the Federal Government has paid for even 
larger software projects that were never deployed. Without 
changing the processes, there will be more technology disasters 
in our future. Just so you know, while I was able to complete 
my HealthCare.gov application on October 1, it remains in 
progress as of last night. Thank you for inviting me. I look 
forward to your questions.
    [The prepared statement of Mr. Chung follows:]
                    Prepared Statement of Luke Chung
                           November 13, 2013
                                summary
About Me and FMS, Inc.
    I'm the president and founder of FMS, Inc., a privately-held 
software development firm in Vienna, Virginia. For 27 years, we've 
created database solutions with a combination of commercial products 
and services. In response to 9/11, our Advanced Systems Group created 
Sentinel Visualizer, a product for the counter-terrorism, defense, and 
law enforcement communities that led to our only outside investor, 
InQTel, the CIA's venture capital arm. We have tens of thousands of 
customers in over 100 countries, including 90 of the Fortune 100. Our 
Professional Solutions Group has created a wide range of custom 
solutions, some which are more complex than Healthcare.gov, but never 
more expensive. I'm a graduate of Harvard College with a bachelor's in 
engineering and a master's in physical oceanography.
My Experience with Healthcare.gov
    On October 1, I visited Healthcare.gov to get an insurance quote 
for my family. The experience was so terrible that I documented the 
technical problems I encountered and wrote a blog post about it. I 
could tell immediately from the nature of the crashed I encountered 
that the site was not ready by prime time. It had a terrible design 
that was not consumer-friendly, seemed to be coded by amateurs, and 
wasn't tested. I could tell the site would not work for one person much 
less the expected load.
    The blog post I wrote on October 1 went viral as people began to 
understand the problems were deeper than too many users. That led to 
being quoted in the New York Times and appearing on radio and news 
shows such as CBS, CNN, Fox, MSNBC, NBC, Hannity, Greta, Al Jazeera, 
Geraldo, etc. Throughout the period, I've learned more about the 
website and its many problems both political and technical.
Healthcare.gov Overview
    This website should not be that difficult to build. It doesn't 
provide health care. It doesn't even provide health insurance. It's 
comparing plans and applying for a subsidy. It's the automation of a 
paper form.
Security Implications
    Security is considered at the beginning of a project, not at the 
end. Avoiding the collection of unnecessary personal information is the 
first step to reducing security issues. Separating the user experience 
from back-end legacy systems is another. The pressure to make a 
software solution ``work'' is not conducive to good security. There are 
ways to improve the user experience, scalability, and security.
Contractor Abuse of Taxpayers
    Healthcare.gov is just one example of a software project gone awry 
that Government contractors profited at the expense of taxpayers. I 
originally thought the website was created by people who didn't know 
what they were doing; that they were trying to do too much in an 
unnecessarily complicated and thorough manner. My thoughts have evolved 
and I now feel that it's designed quite cleverly to maximize taxpayer 
expense. This is a scandal that needs to be investigated. Follow the 
money and I believe you'll see design decisions that led to increased 
costs. There are ways to improve governance to fix this.
                               background
    Thank you for inviting me to your hearing.
About FMS, Inc.
    I'm Luke Chung; the president and founder of FMS, Inc., a 
privately-held software development firm located in Vienna, Virginia. 
Since 1986, FMS has provided software products and development services 
to commercial and Government agencies. Over 27 years, we've created a 
wide range of database solutions helping organizations make better 
decisions based on data. These important decisions include delivering 
services, managing operations, understanding finances, increasing 
accuracy, improving customer service, making fewer errors, targeting 
criminals, making more money, and increasing efficiency. We have tens 
of thousands of customers in over 100 countries.
    In the 1990s, we became the world's leading provider of commercial 
products for Microsoft Access with 12 solutions to help people better 
analyze data, automate e-mail blasts, create better solutions, 
eliminate errors, and provide system administration.
    In response to 9/11, we created the FMS Advanced Systems Group to 
use link analysis and social network analysis (SNA) to find hidden 
relationships among people, places, and events. That led to the 
creation of our Sentinel Visualizer product that helps analysts in the 
counter-terrorism, defense, and law enforcement communities, both in 
the United States and abroad. Sentinel Visualizer led to our only 
outside investor, InQTel, the CIA's venture capital arm.
    In addition to our commercial off-the-shelf products, the FMS 
Professional Solutions Group has created custom database applications 
for a wide range of customers. Examples include the Logistics Support 
System for the Pan American Health Organization sponsored by six U.N. 
agencies. It coordinates humanitarian relief logistics for disaster 
zones and is deployed with language localization features in over 100 
countries, including the Philippines. FMS also created a course 
management system for the Defense Acquisition University, which 
provides non-military training to all branches of the DoD. FMS has also 
created custom solutions for event management, e-commerce, logistics, 
education, health care, public works, nonprofits, and businesses.
About Me
    I'm originally from New York, grew up in Orlando and Sarasota, 
Florida, and am a graduate of Harvard College. I have a bachelor's 
degree in engineering, and a master's degree in Physical Oceanography. 
Prior to founding FMS, I worked as a management consultant at Strategic 
Planning Associates/Mercer.
   Current member and past president of the Washington, DC 
        Chapter of the Entrepreneurs Organization.
   Serve on the Business and Community Advisory Council to the 
        Fairfax County Virginia Public School Superintendent.
   Serve on the Information Technology Policy Advisory 
        Committee to assist the Fairfax County Board of Supervisors 
        oversee county technology investments. The committee exists 
        because the supervisors recognized years ago they were unable 
        to provide the proper governance over their technology 
        investments.
Caveats
    My testimony is based on my personal experiences and opinions. I am 
an observer to the Healthcare.gov website and am not personally 
involved with its design and development. Any suggestions of 
incompetence or wrongdoing are comments intended for further 
investigation by the committee.
My Perspective
    I am providing my testimony from a non-partisan perspective focused 
on my decades of experience creating database solutions, the challenges 
of running a small business, and having observed how the Government 
contracting world works.
    In 27 years running FMS, I've experienced multiple Government 
administrations, economic cycles, and changes with technology. I run a 
small business and have responsibilities to my clients, firm, 
employees, and family. These obligations include buying health 
insurance.
              experience with healthcare.gov on october 1
    On October 1, I visited the Healthcare.gov website to get an 
insurance quote for my family. I wanted to see what policies were 
available and how they compared in features and price to what my small 
business is currently purchasing in our group plan.
    What started as a simple shopping experience turned into a venture 
inside the technically worst website I've ever visited. It was so bad 
that I started documenting the bugs I encountered. I was shocked 
because the mistakes were so amateurish that it seemed the website was 
created by people who had never been paid to write commercial software. 
Based on my experience, I realized that if those types of bugs existed, 
the website had huge problems way beyond the number of users. I sensed 
that it would not support one user, much less the millions expected.
    The shocking part is that this website should be very simple:
   It does not provide health care;
   It does not even provide health insurance;
   It's supposed to let consumers compare and choose among 
        insurance plans;
   It's supposed to generate a subsidy, if any, to buy 
        insurance;
   It is essentially the automation of a 12-page paper form.
    I shared my findings in a company blog post entitled Healthcare.gov 
is a Technological Disaster (http://blog.fmsinc.com/healthcare-gov-is-
a-technological-disas- 
ter/)--See Appendix A. It includes screenshots of the crashes and 
suggested that I was embarrassed for my profession for delivering such 
junk. It looked like the developers never used or tested it. I 
concluded that the quality of the work wouldn't pass a computer science 
class and that there would be huge Public Relations problems that could 
doom the entire Affordable Care Act. That's what I saw on Day 1.
Response to My Blog Post
    While the contractors and administration tried to spin the problems 
as the result of too many users, my blog post--which provided a non-
partisan, technical evaluation of Healthcare.gov--started getting 
picked up by multiple websites. And through the power of social media, 
it went viral.
    Within a week, I was quoted in a New York Times article which was 
followed by interviews with radio and National TV news channels 
including CBS, CNN, Fox, MSNBC, NBC, Sean Hannity, Al Jazeera, Greta 
van Susteren, Geraldo Rivera, etc. It has led to this testimony.
Offering Solutions
    Since I don't like being a critic without offering possible 
solutions, on October 14, I wrote another blog post outlining how 
Healthcare.gov can be properly built: Creating a Healthcare.gov Web 
Site that Works (http://blog.fmsinc.com/creating-a-healthcare-gov-web-
site-that-works/) see Appendix B.
    My suggestions would a website that would better address the needs 
of the customer, be simpler to develop, easier to test, more robust, 
support more simultaneous users, and be more secure. It would separate 
the shopping experience and an estimate of a subsidy from the actual 
application to receive a subsidy (the part that needs to be secure). 
The marketplace would be the central site where it would be easy to 
compare insurance plans before worrying about pricing and subsidies. 
The site would be hosted on commercial cloud providers that could scale 
to support huge numbers of simultaneous users. It would use commercial 
business software that would significantly reduce the amount of code 
that needs to be written and tested, which would also reduce the 
security risk.
Healthcare.gov Observations
    Here are my observations about the technical issues I encountered 
on the Healthcare.gov website:
   It's poorly designed. It doesn't address the needs of a 
        consumer trying to shop for something, nor is it designed to 
        support lots of users or high security.
   It's poorly developed. The site has such amateurish errors 
        that it appears to be created by inexperienced developers.
   It's not tested, or if it was tested, the test plan was 
        woefully inadequate.
   In my experience, encountering that many bugs in such a 
        short period of time indicates that was only the tip of the 
        iceberg with many more bugs below the surface. As bugs are 
        fixed, more bugs will be found since those sections were never 
        adequately tested before.
   The management team and contractors seemed to think the site 
        was production quality on October 1. It clearly wasn't, which 
        would indicate that those people don't understand what 
        production quality means. They shouldn't be involved with the 
        project since we've experienced what they consider shipping 
        quality. I do not consider what was delivered to be beta (test) 
        quality.
                         security implications
    Lack of competent technical oversight not only leads to waste, but 
to potentially devastating security vulnerabilities if complex systems 
that millions of people depend on are undermined or brought to their 
knees by attackers. Technology alone cannot deliver security, and the 
more complex a system is, the harder it is to secure against known 
threats, much less unknown ones which are sure to emerge in the future. 
When developers operate under deadline pressure, they tend to cut 
corners to ``just get it to work'', generating fresh security 
vulnerabilities and bugs.
   Nothing is ever perfectly secure.
   Security has to be considered at the beginning of the 
        project, not at the end.
   The most important part of security is to NOT collect secure 
        information unnecessarily.
   The next step is to minimize the places where security is 
        necessary. The sections in which users shop for insurance 
        policies, get an estimate of the subsidy, and buy a policy 
        without a subsidy should not require any security.
   Another design consideration is to create as few places of 
        vulnerability as possible. That means fewer screens, fewer 
        places where data changes hands, and running secure processes 
        off-line separate from the user interface.
   The skills to build a secure web database application are 
        far more advanced than the skills the existing developers 
        failed to exhibit. A chain is only as strong as its weakest 
        link.
                         contractor incentives
    Originally, I thought the design decisions of the Healthcare.gov 
site were done by amateurs who didn't know what they were doing. I'm 
now moving away from that conclusion.
    Instead, I'm seeing how the design decisions may have been made to 
maximize taxpayer expense and vendor profitability.
Government Contractors
    The current Government contracting system excludes technically-
qualified companies by making it difficult for them to bid and work on 
Government projects. The companies that specialize in Government 
contracts are good at winning Government contracts, protesting lost 
awards, and creating change orders. They are not known for their 
technical expertise. Their strategies and operations would not be 
competitive in the private sector.
    Currently there is no downside for failure to deliver on a 
Government contract. There is nothing to prevent failed vendors from 
bidding on future projects or being suspended from existing projects.
Abusing Taxpayers
    I don't know how the decisions were made, but if I look at it from 
the contractors' perspective with the knowledge that the budget was 
essentially unlimited, it would explain how choices were made to add 
complexity, increase billable hours, purchase more hardware and 
bandwidth, and maximize profits.
    Of course, the big mistake was not delivering a quality solution. 
Unlike many other IT projects that have failed in the Federal 
Government, this one let the public experience the quality of the 
deliverables.
    Examples of areas that maximize profits:
   Performing an identity check for each visitor. Is the credit 
        agency paid for each check?
   Creating a user login in three screens rather than one? Was 
        the contractor paid per screen? Was there consideration that 
        more screens use more resources? Why ask for secret questions?
   The email confirmation process requires almost immediate 
        confirmation. My 30-minute delay in responding canceled my 
        account and required creating a new login. Why does this 
        feature exist?
   Why are the screens to fill out the application one question 
        per screen? Why not put all the questions on one screen to 
        minimize the complexity, data exchanges, and improve 
        scalability and security? Were contractors paid based on the 
        number of questions and screens?
   Why ask optional questions such as race that are not part of 
        the subsidy process?
Addressing Contractor Complaints
    From what I can see, the contractors are trying their best to 
deflect blame:
   There are claims the Government was changing the design at 
        the last minute and there wasn't enough time for testing. On 
        every project I've worked on, designs are always changing and 
        there has never been too much time for testing. It's the 
        responsibility of the contractor to provide the guidance and 
        services to ensure success.
   There are claims that individual portions were working but 
        the overall system was not. Based on what I observed, the 
        website wasn't working even if the overall system wasn't 
        tested. My belief is that both the individual portions AND the 
        integrated system were not working.
Where Did the Money Go?
    I don't understand how the contractors could have charged the 
taxpayers so much money. At $200 million at a generous $200 per hour, 
that's 1,000,000 man hours. That's 500 man-years. Now the numbers are 
even larger. Where did all that time go?
                 technology management recommendations
    This is a complete breakdown in managing technology investments. 
People do not understand when a project should cost $1 million vs. $100 
million. In the private sector, a $1 million budget to build a website 
is huge. The Government needs to remember that buying from companies 
that specialize in Government contracting is not the same as vendors 
who are competitive in the private sector.
Create a Technology Assessment Office
    A Technology Assessment Office (TAO), a non-partisan entity similar 
to the GAO that is capable of assessing and managing Government 
technology projects. Policy makers, politicians, and bureaucrats do not 
possess the technology skills to keep up with the rapidly-changing 
technology options. They also don't understand what technology should 
cost or the implications their decisions have on cost, security, and 
other options. My serving on the Fairfax County Technology Policy 
Advisory Committee is an example of this type of governance.
Enforce Accountability
    Past performance is considered an important part of winning 
Government contracts but it doesn't seem to prevent contractors 
involved with failed projects to continue winning new contracts. If 
qualifications matter for selecting contractors, when do contractors 
ever get permanently banned? Multi-year or permanent bans should target 
underperforming vendors to prevent them from bidding on new contracts 
and removed from existing ones.
    In the private sector, vendors that fail would rarely be allowed 
back. Do we have a too-big-to-exclude policy?
                     audit and investigation needed
    An exhaustive investigation and audit of the Healthcare.gov project 
would help determine the various points of systemic failure in order to 
ensure that a debacle of this magnitude never happens again.
Experience of the Development Team
    The experience of the vendor is important, but what's most 
important is the experience of the people actually doing the work. 
Given my sense that the developers were quite junior, it would be 
interesting to learn their previous experience building commercial 
database websites, what they were being paid, and what the taxpayers 
were charged. Make sure people involved with the entire life of the 
project are questioned, and not just the ones remaining today.
Development Management and Environment
   How were the deliverables designed, scheduled, and 
        delivered?
   How were the teams managed?
   What code reviews were held, and by whom?
   What development, testing, and staging environments were 
        employed?
   Was there a test plan? If so, what were the results of the 
        test plan before October 1? What bugs were considered 
        acceptable for deployment?
   How did the test plan change and who was paid for the 
        October 1 that was so bad?
   Is load testing and balancing in place?
   What kind of security reviews, threat analyses, and 
        mitigation strategies were undertaken?
   What kinds of security vulnerabilities were detected, and 
        when are they scheduled to be addressed? How are security 
        issues addressed on an on-going basis?
Technology Selections
   Why did they take such a strong stand on using open-source 
        ``free'' software rather than commercial business software that 
        would require less customization (and therefore cost less with 
        fewer security vulnerabilities)? (TheAtlantic.com, June 28, 
        2013, Healthcare.gov: Code Developed by the People and for the 
        People, Released Back to the People)
   Why did they create their own cloud rather than using better 
        and cheaper commercial cloud providers? Especially when large 
        portions of this site do not need any security.
Design Flaws and Bugs
    Secretary Sebelius and HHS have announced that they've fixed 
hundreds of bugs, which indicates that there are likely hundreds more 
yet to be found. No matter how many bugs are fixed, the unintended 
consequence is that more will inevitably crop up elsewhere in the code 
base. Is the current website being redesigned to make it work properly 
for consumers, or are they instead trying to make the existing flawed 
design functional? Poorly-designed systems are nearly impossible to 
rescue, and inevitably lead to further support costs down the road. 
When a complex system is created by multiple vendors with no technical 
managerial oversight, it is inevitable that systemic flaws will lead 
only to finger-pointing and recrimination, not to solid, functioning 
software.
Number of Concurrent Users
    The heaviest demand day was not October 1, but will be the day of 
the deadline to sign up. It's the equivalent of April 15 for the IRS. 
How are they preparing for that? How many simultaneous users can they 
support, and what happens if the number of users exceeds that? Is load 
balancing in place? Are we buying lots of equipment for that one day 
that will sit idle afterwards? Totally unnecessary if a commercial 
cloud provider is used.
    There are policy implications if the system crashes and people are 
shut out before the deadline.
What Are They Thinking?
   How could they have possibly thought the site was ready to 
        go on October 1? There was a seminar scheduled on HowTo.gov to 
        showcase how the contractors created this great website but it 
        was postponed due to the Government shutdown and later 
        canceled.
   Are they redesigning the website to make it work properly 
        for consumers or are they trying to make the existing bad 
        design work?
A More Open Policy
   Many companies could have created the Healthcare.gov website 
        or similar database websites. Why is it so difficult for 
        technically-qualified companies to bid and work on Government 
        projects?
   Why isn't the data on the insurance policies, pricing, and 
        formulas for subsidies opened in a manner that the private 
        sector can create their own website marketplaces?
                              conclusions
    Overall, I'm embarrassed as an American to watch my President and 
Cabinet Secretary talk about website design, development, and testing, 
and promoting 800 numbers. They should be focused on policy and things 
like Iran and North Korea. Websites should be taken care of at a much 
lower level and certainly no higher than the CTO.
    The underlying problem of Healthcare.gov lies in the way that 
Government contracts are awarded. Our way of life is becoming more, not 
less, dependent on technology every day, yet there is no one at the 
highest levels of Government capable of determining when the Government 
is being ripped off.
    Taxpayers made a significant investment with the contractors to 
expect a functional Healthcare.gov website. While there may be some 
excuse for complexity with connecting to legacy databases in various 
agencies, I don't see any reasonable excuse why the user experience 
would be so defective or the costs so high.
    This is a scandal beyond Healthcare.gov and touches on the entire 
way the Government purchases software solutions. Unfortunately, the 
Federal Government has paid for even larger software projects that were 
never functional.
    The need for a bi-partisan Technology Accountability Office to 
investigate and regulate technology at the Federal level is urgent and 
immediate; not only to stem the hemorrhage of taxpayer dollars, but to 
ensure the security and viability of the essential systems millions of 
Americans depend on.
    Taxpayers paid Super Bowl ticket prices and were delivered a high 
school football game. Follow the money.
                              Attachments
   appendix 1.--blog post: healthcare.gov is a technological disaster
    This was the blog post I wrote on October 1 providing a non-
partisan technical review of the Healthcare.gov website.
Finally Here
    October 1, the Affordable Care Act (Obamacare) website 
Healthcare.gov finally went live today.
    I was eager to personally review what was being offered and cut 
through the hoopla and criticism. I had previously written FMS Receives 
Health Insurance Premium Refund from the Affordable Care Act, so my 
expectations were high.
    From the previously published rates for Virginia, the cost of 
insurance premiums for individuals and families was considerably lower 
than what FMS currently pays for our group plan. Business plans aren't 
available yet, but the individual plans should be a good indicator. I 
wasn't interested in the subsidies; I simply wanted to know the prices 
for the different plan options.
Applying for Coverage
    So I went on-line to Healthcare.gov around 5:30 A.M. to apply for 
my family and see what it would cost. As expected, you create a log-in 
with email confirmation, and fill out a Wizard to select the options. 
It's similar to many other instances I've applied on-line for credit 
cards and other forms of insurance. How tough could it be? Technically, 
it's a very simple data entry application that should generate a quote 
at the end.
What a Mess!
    Unfortunately, what should be a simple process is a complete 
software technology disaster. The logical flow of the application to 
register, log-in, and fill out the data for a family was horrendously 
inefficient. It seemed like the person who designed it, had never used 
it. Or maybe didn't have a family which required filling out the same 
information for each member of the family.
    Just the initial process of creating a log-in required multiple 
secret questions and other unnecessary data for getting a quote. Sure 
that may be necessary for the final acceptance, but it's a complete 
waste of time and web resources initially. The system should expedite 
the process as much as possible to get people a quote without 
subsidies, then ask for more information to calculate the subsidies if 
desired. Since I later discovered it never generates a quote, it may 
not really matter anyway. What were the designers thinking?
Overly Complex Data Entry
    As for my family, I not only had to identify my spouse, my two 
kids, their relationship to me, but also their relationship to my wife, 
and even their relationship to each other! What? Given the prior 
information, obvious defaults could be offered. The selection of race 
was also more complicated than it should be. Here's an idea that may 
not have occurred to the designers: Maybe the kids should default to 
inherit their parents' races. That's how inheritance works. And does 
race impact pricing? If not, why ask?
    The system crashed several times for me and had problems when I 
logged back in. It seemed like the system wasn't even tested. Here are 
some screenshots:


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]



    What the hell is that? How could that get through testing much less 
production?


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]



    Having error handling to catch unexpected crashes is a Best 
Practice in application development. It should tell the user what went 
wrong, what to do next, and gracefully exit the system. This page does 
none of that. The error message and error number are blank. Who knows 
what went wrong? Useless and amateurish. They do have a Live Chat 
button. I wonder what I would chat with them about with this crash.


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]



    In this screenshot a series of errors appear to be triggered 
without meaningful explanation. Embarrassing.
Logging Back in and Repeating
    If anything, I'm persistent. I not only had my original goal to see 
the premium prices, I was now intrigued to discover how poorly 
designed, developed, and tested this application was. Eventually, I was 
able to finish. Took about an hour.
    However, rather than receiving a quote immediately, it's now being 
``processed''. For what? It shouldn't be held up for pre-existing 
conditions which ACA eliminates. I would expect it to be some 
mathematical, logical formula that would generate the results. I 
presume it's because that part of the application isn't built yet. 
Although my application is submitted, given the crashes, I'm not sure 
what data it has. We'll see.
Authors of Healthcare.gov
    A few months ago, I read this article about how the site was being 
built and was impressed: Healthcare.gov: Code Developed by the People 
and for the People, Released Back to the People.
    In hindsight, it appears the authors have a philosophical bias 
toward Open Source and ``people power.'' That's all fine and dandy if 
it works, but this site doesn't. To deliver such low quality results 
requires multiple process breakdowns. It just proves you can create bad 
solutions independent of the choice of technology.
Technical Software Conclusions
    What should clearly be an enterprise-quality, highly-scalable 
software application, felt like it wouldn't pass a basic code review. 
It appears the people who built the site don't know what they're doing, 
never used it, and didn't test it.
    I actually experienced many more problems than the screenshots I 
captured. Had I known I was performing a Quality Assurance assignment, 
I would have kept better documentation of typos, unclear directions, 
bad grammar, poorly-designed screens, and other crashes. My bad!
    It makes me wonder if this is the first paid application created by 
these developers. How much did the contractor receive for creating this 
awful solution? Was it awarded to the lowest price bidder? As a 
taxpayer, I hope we didn't pay a premium for this because it needs to 
be rebuilt. And fixing, testing, and redeploying a live application 
like this is non-trivial. The managers who approved this system before 
it went live should be held accountable, along with the people who 
selected them.
                    fms professional services group
    Our Professional Solutions Group has created many mission-critical, 
custom software applications where scalability, reliability, and 
quality are paramount. For instance, we built the Logistics Support 
System for International Humanitarian Relief for the United Nations 
where lives are dependent on accurate, timely data on a global scale.
                          sentinel visualizer
    We've also created a database link analysis program for the 
intelligence and law enforcement communities.
    I know what's involved in creating great software, and this ain't 
it. Healthcare.gov is simply an insurance quote system. As a software 
developer, I'm embarrassed for my profession. If FMS ever delivered 
such crap, I'd be personally inconsolable. This couldn't pass an 
introductory computer science class.
Overall Conclusions
    This is going to be a huge public relations mess that could doom 
the whole initiative. Maybe they can blame the problems on too many 
users even if that weren't the real cause, but it's not going to be 
fixed with a few weekend tweaks and throwing more hardware at this. The 
application process asks too many unnecessary questions and repeatedly 
crashes. Since 9 A.M. and as of this evening, the site no longer lets 
you apply. I presume it got overloaded or someone finally discovered 
how broken it is and pulled the plug. Given what I experienced, it 
needs to be off-line until it's corrected. Meanwhile, I'd be highly 
concerned about the security of the data people enter given all the 
crashes I encountered.
    Of course, software problems with the application process are not 
the reason to abandon health care reform. As a small business owner, we 
face the highest premiums for the lowest coverage. I applaud the 
efforts to reform health insurance and look forward to working in a 
constructive, rather than destructive, manner to improve this. I 
presume once these issues are resolved, I'll have more options for my 
company and employees than I did before. In the big picture, this 
website is much easier to fix than health insurance. We'll see.
  appendix 2: blog post: creating a healthcare.gov website that works
Healthcare.gov Suggestions for Improvement
    Since I don't like to just complain without offering solutions, on 
October 14, I wrote a new blog post outlining a solution that would be 
better for consumers, easier to develop, quicker to test, more 
scalable, and more secure. Entitled Creating a Healthcare.gov Web Site 
that Works (http://blog.fmsinc.com/creating-a-healthcare-gov-web-site-
that-works/), it offers suggestions:
Understanding the Buying Process for Health Insurance
    It's important to understand what the website should do. The 
primary mistake the designers of the system made was assuming that 
people would visit the website, step through the process, see their 
subsidy, review the options, and select ``buy'' a policy. That is NOT 
how the buying process works. It's not the way people use Amazon.com, a 
bank mortgage site, or other insurance pricing sites for life, auto, or 
homeowner policies. People want to know their options and prices before 
making a purchase decision, often want to discuss it with others, and 
take days to be comfortable making a decision. Especially when the 
deadline is months away. What's the rush?
    The existing process acts as if a retail website asked for your 
credit card number before showing what you could buy and their prices. 
Almost all sites let you browse without creating a user name. Retailers 
want you to see what's available as quickly and easily as possible. 
People often visit multiple times before buying. Only after making a 
purchase decision should personal information be collected to complete 
the transaction.
    The website needs to reflect this and support a more common buying 
process.
Conceptual Overview
    Here's an overview showing three distinct processes that flow into 
each other (or people buy a policy at their step and leave the system). 
A critical part is offering a comparison matrix at each level so 
consumers can quickly see the differences between the insurance 
policies.


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


    1. The first one gives policy options and non-subsidized quotes. 
        People can click to purchase the policy from the insurance 
        company. If so, they leave Healthcare.gov and the Government is 
        no longer involved.

    2. The second provides a subsidy estimate and uses the same display 
        as the first but with and without subsidized prices. People can 
        also click to buy the policy without a subsidy and leave the 
        system, or they can officially apply for a subsidy.

    3. The third is the actual application for the subsidy and the only 
        path which collects Personally Identifiable Information (PII). 
        Higher security is necessary for this.

    The first two do not require PII and would not require high 
security. That means a commercial cloud service such as Microsoft Azure 
could be used to host the site and adjust to high traffic loads. It 
would support people shopping and browsing multiple times before buying 
without the need to invest in hardware or bandwidth.
    With this improved design, only a small portion of the site's 
traffic would be in the final subsidy application portion. That can be 
isolated with high security and for much lower volumes of users since 
people would only apply once. Hassling people at this stage with lots 
of personal questions is acceptable since people are serious about 
purchasing.
User Experience Goals
    These are some objectives for creating a great user experience:
   Quickly get the unsubsidized insurance rate quotes and 
        policies (no login required);
   Easily compare among insurance policies based on features 
        and price;
   Easily select and subscribe with an insurance company 
        without a subsidy;
   Quickly receive an estimate of a subsidy without having to 
        provide personally identifiable, confidential information;
   Easily compare among insurance policies based on features 
        and subsidized prices;
   Formally apply for the subsidy (log-in and personal 
        information required);
   Select a subsidized policy and pass the appropriate 
        information so the insurance company can validate the 
        subscriber's information and receive the subsidy;
   Once policy options are offered, allow users to create a 
        log-in to save their inputs, and get back into the system to 
        recover their work-in-progress. This would be required with the 
        formal subsidy application but not necessary for the other 
        options.
Technical ``Back Office'' Goals
   Performance.--The system should move people through the 
        process as quickly as possible.
   Collecting Information.--It should not ask for any 
        information that's not required for generating the policy 
        options and prices.
   Fewer Screens.--Rather than having one screen per question, 
        multiple questions should be asked in as few screens as 
        possible. People know how to scroll. Extra screens should only 
        be added if they depend on answers from previous screens.
   Data Security.--The first part of data security is to NOT 
        collect sensitive information. Sensitive information should 
        only be collected from people actually applying for the 
        subsidy.
   Data Integrity.--All database changes need to be in 
        transactions with commitments and rollback on failure. 
        Situations where accounts are partially created with a valid 
        user name and no account details should never occur.
   No Other Connections During Data Entry.--The system should 
        not be connecting to other data sources while the user is 
        entering data. Just collect the data.
   Off-line Processing.--Once the user enters all their data 
        for a subsidy quote, a separate system processes the 
        applications and interfaces with the other systems to validate 
        the data and calculate the subsidy. By separating this process 
        from the user's on-line experience, problems with connections 
        to other systems do not impact the user.
   Email Notification.--Once a subsidy is calculated, an email 
        is sent to the user inviting them to log into the system to see 
        their options.
   Notification to Insurers.--Web pages and web services to 
        allow real-time views of the status of applications selecting 
        the insurer's policies.
   Commercial Cloud Hosting.--Using a commercial cloud platform 
        would provide automatic scalability to meet fluctuating levels 
        of users without having to make hardware purchases. By 
        eliminating the need to collect and store sensitive user data 
        for most of the website, commercial cloud hosting and its 
        benefits are available without security concerns.
Oversight Goals
    Management and interested parties should have system dashboards:
   Real-time Displays.--Monitor user progress with summary 
        tables and graphs showing the status of people moving through 
        different stages of the system.
   Basic Business Intelligence.--Summary and drill-down details 
        by State, date, hour, etc.
   System Transparency.--Provide a public view of some data in 
        a cached mode (updated daily or hourly, but not real-time).
Design Overview
    Here is how the goals could be implemented for the Healthcare.gov 
website:

    (1) The initial form asks people to select their State. If the 
        visitor is in a State that has their own system, ship them to 
        those sites, otherwise proceed with the next step in the 
        Federal system.

    (2) Collect the information necessary to create the unsubsidized 
        options. I was told there were five or so pieces of information 
        necessary to generate the unsubsidized rates (e.g. gender, year 
        of birth, family status, smoking status, etc.).

    (3) Display the available plans with options to compare and filter 
        them easily based on plan level (gold, silver, bronze, etc.), 
        provider, price, etc. Should be similar to retail websites like 
        Best Buy or Staples showing different products and their 
        features in a matrix comparison, with buttons to get more 
        details and a button to select one to buy. One would expect 
        users to come to this site multiple times over multiple days to 
        learn about their options before making a purchase.

    (4) An option to save the inputs. This would be the first time to 
        create a simple account to collect user information (which does 
        not include things like social security numbers, birthdates, or 
        names). A simple user name (e-mail address) and password, with 
        a standard e-mail confirmation that doesn't have a time limit. 
        This would allow users to get back to the previous screen 
        without re-entering their data.

    (5) An option to get a subsidized price estimate. If the person 
        chooses this option, they create a simple account because 
        highly sensitive information will not be collected. The account 
        is simply to retrieve the user's entries. The user provides the 
        information necessary to calculate the prices without having to 
        look up data from Government sources. The user can enter their 
        values for income and whatever other factors impact generating 
        a subsidy estimate. Just like bank websites let you enter basic 
        information to get a mortgage or car loan rate before you 
        apply, Healthcare.gov should do the same. This would allow the 
        site to create quotes quickly without having to bog down or 
        wait for the other sites such as the IRS, Experian, etc. This 
        minimizes the impact of too many users. Once the estimated 
        subsidies are calculated, a display similar to No. 3 above 
        would show the options.

    (6) Finally, applying for the subsidy. Once someone decides they 
        want a particular policy, they can officially apply for a 
        subsidy. This is the first time personal data needs to be 
        entered. The system should collect the data as quickly as 
        possible without having to validate the information while the 
        user is entering it. Once all the data is collected, the user 
        is informed via email when the subsidy calculation is ready.

    (7) A separate background process calculates the subsidy requests 
        and looks up the necessary data from the different sources. If 
        any of those linked systems is unavailable, it's no big deal 
        since it doesn't impact the user on the website. The user is 
        already gone and waiting for an e-mail. Once the calculation is 
        generated (or if it couldn't be generated), the user is 
        notified via e-mail and they can view the results by logging 
        back into their account.

    For management, there should be dashboards with tables and graphs 
showing what's happening. No more excuses of not knowing how many 
people are in each phase of the process, how many have received quotes 
or enrolled, etc. For transparency, some of this information should be 
publicly available updated at least daily.
                              conclusions
    I'm not sure whether the people designing and developing the site 
will find these suggestions helpful. There's obviously lots of details 
not included in my proposal, but I'm confident my basic design is a 
significant improvement over the original site. It would provide a 
better user experience, be much easier and faster to develop, easier to 
test, and more scalable and secure. Was it that tough to envision 
earlier?
    Let's remember, this website remains the automation of a paper 
form. It's not as hard as providing health care.

    Chairman McCaul. Thank you, Mr. Chung. I appreciate your 
testimony.
    Mr. Krush is now recognized for 5 minutes.

    STATEMENT OF WAYLON W. KRUSH, CHIEF EXECUTIVE OFFICER, 
                        LUNARLINE, INC.

    Mr. Krush. Chairman McCaul, Ranking Member Thompson, and 
the Members of the committee, thank you for this opportunity to 
testify today on the important topic of cybersecurity as it 
relates to HealthCare.gov. I am Waylon Krush, founder and CEO 
of Lunarline, Inc. We are a leading provider of cybersecurity 
products, services, and training for the Federal Government and 
also the commercial sector. I am also a founding member of the 
Warrior to Cyber Warrior program.
    The Warrior to Cyber Warrior program provides, at no cost, 
a 6-month boot camp for returning veterans. This program equips 
veterans or their--if a veteran is unable to participate 
because of service-related injuries, their spouses--with the 
skills, training, and certifications they need to thrive in the 
cybersecurity world. I have been asked to speak today on the 
topic of cybersecurity as it relates to the recent events 
surrounding the HealthCare.gov website and related systems.
    I want to make clear that I am not here to weigh on the 
political debate surrounding the Patient Protection and 
Affordable Act. This is above my pay grade. Instead, I am here 
in my capacity as a cybersecurity professional, one who has 
contributed to the defense of our Nation's IT infrastructure, 
both as a soldier in uniform and as a leader of one of our 
country's fastest-growing cybersecurity firms. I was recently 
asked by the press if I would, as a cybersecurity professional, 
trust my own personal data to HealthCare.gov.
    I said yes that I would, and I stand by that statement. 
This is not because I believe HealthCare.gov is 100 percent 
secure. There is no IT system, Federal or otherwise, that can 
make this claim. Instead, my confidence in HealthCare.gov is 
based on my hands-on experience with the rigorous process the 
Federal Government has instituted to effectively manage--not 
eliminate, but manage--cybersecurity risk.
    Now, I realize it is a bit odd for a cybersecurity 
professional to come before Congress and preach the confidence 
in our Government's cybersecurity posture. We cybersecurity 
folks are usually better known for peddling cyber doom and 
gloom. However, the truth is there is plenty of cause for 
confidence, particularly when we--it comes to Federal 
cybersecurity. To explain why I feel this way, I would like to 
focus my testimony today on the risk management framework and 
how it relates to some of the concerns recently brought up in 
the on-going media coverage of HealthCare.gov.
    Now, I have been given just 5 minutes to briefly describe 
this extensive cybersecurity process and regulations that 
provide the foundation for the U.S. Government's systems 
security. To put this task into context, a few years ago a 
colleague and I wrote a book entitled, ``The Definitive Guide 
to the C&A Transformation.'' In this book, we did our best to 
scope down thousands upon thousands of pages of Federal 
cybersecurity and privacy regulations into 600 pages of easy 
reading.
    The easy reading part is a joke, but the level of depth and 
rigor in this process is not. Here today, I will try to distill 
these processes even further into just 5 minutes of testimony. 
During these 5 minutes, I will do my best to describe how the 
6-step risk management framework supports the Federal 
Information Security Management Act. Excuse me.
    This, in turn, should provide a baseline understanding for 
the security processes governing HealthCare.gov and, in 
reality, any Government IT system. I hope that from my 
testimony this will help folks interpret how now-famous 
decision memo originally intended for Marilyn Tavenner that 
describes some of the known security risks faced by 
HealthCare.gov. The RMF is a 6-step process. It includes 
categorization, security control selection, implementation, 
assessment, authorization, and continuous monitoring.
    I will briefly describe each one of these steps, and 
provide some insight into how each one relates to the security 
of HealthCare.gov. I will, however, caution the committee that 
any internal vulnerabilities related to HealthCare.gov should 
absolutely not be publicly released until HHS or CMS has time 
to mitigate or remediate these issues. The first step is 
categorization. We look at all of the data types that are 
actually in the Federal information system.
    We have two publications, NIST Special Publication 860, 
Volume 1 and Volume 2. So we have to find out what type of data 
this system consists of. The next step governs the selection of 
the security controls. This is a process where we automatically 
assign a set of baseline security controls, whether it is low, 
moderate, or high. And enhancements, if need be, based on the 
protection requirements of the system. In step 3, this is where 
we actually implement the security controls.
    These are hundreds upon hundreds of controls, including 
enhancements and tailoring guidance that goes into every 
Federal information system. In step 4, we actually have 
assessment. These are on-going assessments, these are 
assessments before the authorization decision is made. These 
are annual assessments. These are what we call assessments that 
go with the updates of code that we are gonna see during this 
process of updating HealthCare.gov. There is one thing that we 
need to know; there is no such thing as a clean assessment.
    An assessment of any system, Federal or otherwise, will 
always reveal some security risk. It is not possible to have a 
completely secure system. In conclusion, I hate to tell 
everyone but at this point in time there is no cybersecurity 
bullet, silver bullet. If there were I would be selling them, 
lots of them. A secure system requires the right people, 
process, and technology to work together harder, smarter, and 
faster than the adversary.
    [The prepared statement of Mr. Krush follows:]
                 Prepared Statement of Waylon W. Krush
                           November 13, 2013
    Chairman McCaul, Ranking Member Thompson, and Members of the 
committee: Thank you for this opportunity to testify today on the 
important topic of cybersecurity as it relates to Healthcare.gov. I am 
Waylon Krush, founder and CEO of Lunarline, a leading provider of 
cybersecurity products, services, and training to both Federal and 
commercial clients.
    I am also a founding member of the Warrior to Cyber Warrior 
program. Warrior to Cyber Warrior provides, at no-cost, a 6-month 
cybersecurity boot camp for returning Veterans. This program equips 
Veterans, or if a Veteran is unable to participate because of service-
related injuries, their spouses, with the skills, training, and 
certifications they need to thrive in the cybersecurity world.
    I have been asked to speak today on the topic of cybersecurity as 
it relates to the recent events surrounding the Healthcare.gov website 
and related systems. I want to make clear that I am not here to weigh 
in on the political debate surrounding the Patient Protection and 
Affordable Care Act. That is above my pay grade. Instead, I am here in 
my capacity as a cybersecurity professional, one who has contributed to 
the defense of our Nation's IT infrastructure, both as a soldier in 
uniform and as a leader of one of our country's fastest-growing 
cybersecurity companies.
    I was recently asked by the press if I would, as a cybersecurity 
professional, trust my own personal data to Healthcare.gov. I said yes, 
that I would. I stand by that statement.
    This is not because I believe that Healthcare.gov is 100% secure. 
There is no IT system, Federal or otherwise, that can make this claim. 
Instead my confidence in Healthcare.gov is based on my hands-on 
experience with the rigorous processes the Federal Government has 
instituted to effectively manage--not eliminate, but manage--
cybersecurity risk.
    Now I realize it is a bit odd for a cybersecurity professional to 
come before Congress and preach confidence in our Government's security 
posture. We cybersecurity folks are usually better known for pedaling 
cyber doom and gloom. However, the truth is, there is plenty of cause 
for confidence, particularly when it comes to Federal cybersecurity.
    To explain why I feel this way, I would like to focus my testimony 
today on the Risk Management Framework and how it relates to some of 
the concerns recently brought up in the on-going media coverage of 
Healthcare.gov.
    Now, I have been given just 5 minutes to very briefly describe the 
extensive cybersecurity processes and regulations that provide the 
foundation for U.S. Government system security. To put this task in 
context, a few years ago a colleague and I wrote a book entitled The 
Definitive Guide to the C&A Transformation. In this book we did our 
best to scope down thousands upon thousands of pages of Federal 
cybersecurity and privacy regulations into just 600 pages of easy 
reading.
    The easy reading part is a joke, but the level of depth and rigor 
in the process is not. Here today, I will try to distill these 
processes even further, into just 5 minutes of testimony. During these 
5 minutes I will do my best to inform everyone on how the 6-step 
Federal Risk Management Framework (RMF) supports the Federal 
Information Security Management Act (FISMA).
    This, in turn, should provide a baseline for understanding the 
security processes governing Healthcare.gov, and in reality any 
Government IT system. I also hope that my testimony will help folks 
interpret the now-famous ``decision memo''--originally intended for 
Marilyn Tavenner--that describes some of the known security risks faced 
by Healthcare.gov.
    The RMF is a 6-step process that governs the categorization, 
security control selection, control implementation, control assessment, 
authorization, and continuous monitoring of all Federal IT systems. I 
will briefly describe each step and provide some insight into how each 
one relates to the security of Healthcare.gov. I will however caution 
the committee that any internal vulnerabilities related to 
Healthcare.gov should absolutely not be publicly released until HHS or 
CMS has time to mitigate or remediate these issues.
    The first step, Step 1, is called categorization. During system 
categorization we analyze all the information stored, processed, or 
transmitted by any component of the system. We classify all data by 
data type and sensitivity, and set the protection level as ``Low,'' 
``Moderate,'' or ``High'' to meet the requirements of the most 
sensitive system data. Based on what I have read publicly thus far, 
Healthcare.gov is most likely categorized as a Moderate system.
    The second step, Step 2, governs the selection of security controls 
to meet the protection requirements defined in Step 1. As a 
``Moderate'' level system, Healthcare.gov is required to implement, at 
minimum, several hundred security controls. Additional controls may be 
selected based on any unique system security requirements, such as the 
presence of personally identifiable information (PII).
    In Step 3, we take the controls identified in Step 2 and implement 
them. This is where the rubber hits the road. HHS and CMS have both 
authored comprehensive information security policies that govern their 
approach to cybersecurity. These policies are backed by significant 
investments in enterprise detection and protection capabilities, 
including security operations centers, enterprise end-point 
technologies, border and gateway filtering, incident response teams, 
and enterprise continuous monitoring capabilities. For Healthcare.gov, 
these enterprise-level controls are combined with system specific ones 
to support the implementation and maintenance of an effective security 
posture.
    After selecting and implementing controls, Step 4 of the RMF 
mandates frequent security control assessments. These are tests that 
are conducted to determine whether or not to allow a system to continue 
operation. However, let me be clear: There is no such thing as a clean 
assessment. An assessment, of any system, Federal or otherwise, will 
always reveal some security risks. It is not possible to have a 
completely secure system.
    At this point, everyone here is probably familiar with the 
``Tavenner memo'' I discussed previously. This memo described some 
components of the ``Federally Facilitated Marketplace'' that had not 
yet undergone thorough re-testing due to continued system development. 
It was determined that this uncertainty represented a ``high risk.''
    Now, there is no denying that this does indeed represent a 
significant system risk. Had the memo ended with that finding we would 
have every right to be deeply concerned. However, the memo continues to 
outline a comprehensive mitigation strategy designed to mitigate this 
risk. This includes the establishment of a dedicated security team to 
monitor the system, weekly testing of all border and web-facing assets, 
daily/weekly scans using continuous monitoring tools, and a promise to 
conduct a full Security Control Assessment within 90 days.
    While Healthcare.gov's political sensitivity has cast a spotlight 
on this process, these types of risk analyses are common place across 
the Federal Government. Again, security assessments always reveal 
risks, no matter what system is being assessed. How those risks are 
managed ultimately determine whether or not a system can be labeled 
``secure.'' There is a reason it's called the ``Risk Management 
Framework,'' rather than the ``No Risk Framework.'' It is designed to 
ensure that Risk Executives conduct precisely these types of trade-off 
analyses.
    The Tavenner memo is also an example of Step 5, called System 
Authorization. Simply put, this step requires a management decision on 
how, when, and under what conditions a Federal system may be authorized 
to operate. Like Healthcare.gov, most Federal systems are authorized 
with conditions and pending the implementation of an effective 
mitigation strategy. This is exactly what you are reading in the 
Tavenner memo.
    Finally, during Step 6 we continuously monitor security posture 
throughout the entire system life cycle. This is the most important 
step in the process. This is why I have publicly stated that I would 
trust my own personal data to Healthcare.gov. I know as well as anyone 
that as soon as a system is developed you are in a race against time to 
find and mitigate vulnerabilities. This is particularly true for high-
value targets such as Government IT assets.
    That being said, if HHS follows through with their on-going daily 
and weekly scanning and more importantly--quickly remediates and 
mitigates security issues as they are discovered, we can be assured our 
data is safe as possible.
    In conclusion, I hate to tell everyone this, but at this point and 
time there is no cybersecurity silver bullet. If there were, I would be 
selling them--lots of them. A secure system requires the right people, 
process, and technology to work together, harder, smarter, and faster 
than the adversary.

    Chairman McCaul. I thank Mr. Krush for your testimony. Yes, 
I have emphasized before this is probably one of the most 
significant websites ever created by the Federal Government. In 
this exchange, the most personal, private data is put into 
this--Social Security numbers, addresses, e-mails, personal-
private health information. I can't think of anything more 
private than health information. What the American people want, 
I think, is not only a system that works and that is 
functional--which, clearly, this is not. As Mr. Chung said, it 
was amateurish.
    But they also want some assurance that it is secure. They 
do not want this data breached and obtained by hackers, or 
identify theft perpetrators who can then exploit that 
information. To that point, the CMS administrator wrote a 
letter to our committee and, specifically, to the Ranking 
Member, Mr. Thompson, because of his concerns about security of 
this website. The assurance was given at that time, when that 
letter was written, that it would be both secure and follow 
industry best practices.
    We have since found out that a September 3 memo came out 
from a senior official at CMS stating that it found two high-
risk issues and said the threat and risk potential is 
limitless. According to Federal guidelines, high-risk means 
vulnerability could be expected to have a severe or 
catastrophic adverse effect on organizational operations, 
assets or, most importantly, individuals; individuals being the 
American people. We have advocated for a delay in the 
implementation of this law for many reasons.
    But certainly, when you have a dysfunctional website and a 
security risk to the American people's most personally 
identifiable information, I think that delay, that argument, is 
certainly even stronger. Mr. Chung, do you agree that we should 
delay implementation?
    Mr. Chung. Delaying that would be a policy question. With 
regard to my knowledge, it would be on the technical side. My 
expectation would be that when we pay this kind of money to 
these contractors they would build something that would be 
secure. It is like buying a car that has tires on it. You would 
assume that for hundreds of millions of dollars it would be a 
secure site.
    The other part of this would--you know, the first step in 
security and privacy is to not ask for information that needs 
to be secured. So going through the process of asking all those 
personal pieces of information, when people are just shopping, 
without even buying or requesting a subsidy, is an outrage. I 
don't know if the identity verification company is getting paid 
for every person that they verify, but I think if you follow 
the money it would be very easy to see how those decisions were 
made.
    Chairman McCaul. In your opinion here, did CMS actually 
follow industry best practices in setting up this website?
    Mr. Chung. I was not involved directly on the project so I 
am not exactly sure what they did or didn't do. I just know 
from a taxpayer's perspective we paid enough money to demand, 
and expect, a fully functional website. It is huge how much we 
have paid. It is over, what, $300 million? I think you can get 
a 747 and crash it into the ground for less. So it is 
unbelievable what we have spent for essentially the automation 
of a paper form.
    Chairman McCaul. So I guess the question is, I mean: How 
did this come to be? I mean, we spent, you know, all this money 
for what you called an amateur website. How did that happen?
    Mr. Chung. I think that we have an environment where 
Government contractors are incentivized, especially when they 
know a customer has an open pocketbook, to create opportunities 
to bill more hours, to put in more features, to add more 
complexity, get more change orders, and get the next contract. 
That is the product that they are really going after. It is not 
necessarily creating a solution that works. They got caught 
this time because the general public actually use software that 
they created. But there are a lot of projects in the Government 
where Government contractors deliver things that the public 
never sees.
    Chairman McCaul. So in other words, you have a Government-
run program that the contractors exploited for their own profit 
at the expense of the American taxpayer.
    Mr. Chung. Absolutely. I think that is very clear.
    Chairman McCaul. I am personally stunned that DHS, that has 
primary responsibility over the dot.gov space--Federal-civilian 
networks within the Government--the extent of communication 
with the Secretary and with HHS was two e-mails and one phone 
call. When I asked a question about how does HHS rank in its 
scorecard, if you will, for cybersecurity they get a 50 percent 
compliance record and they rank No. 2 at the bottom.
    They are the second-worst Federal agency when it comes to 
security of their networks. Mr. Krush, don't you believe that 
the Department of Homeland Security should play a greater role 
in trying to secure this website?
    Mr. Krush. I believe they should play a greater role. I 
will say, however, the process that was followed is the process 
that is followed with all Government systems. Meaning that a 
risk-based decision was made by an executive that was put in 
charge of the site. They were provided the information about 
what type of vulnerabilities, what things need to be mitigated. 
You know, this goes on throughout the entire Government.
    You know, there is not a system out there that is perfect 
in nature, by any means, from a cybersecurity perspective.
    Chairman McCaul. No, this was certainly not perfect. Mr. 
Chung, if you have a business and you are pushing a product, 
and your website not only is dysfunctional but it crashes, 
would you take a time out and try to fix it first? Or would you 
still go forward with that program?
    Mr. Chung. I guess it depends how desperate I was. But, you 
know, being concerned about the experiences of my customers, 
no, I would not be able to deliver a product that didn't work. 
That was what was so shocking when I experienced it on the 
first day. Because I wasn't there to do a quality assessment of 
that HealthCare.gov website. I went there to get a price. It 
was by accident that I find myself in this situation, after 
experiencing what can truly be considered one of the worst 
pieces of software I have ever used.
    Chairman McCaul. In addition to a bad piece of software, 
though, you have the security risk to Americans' most private 
information.
    Mr. Chung. Absolutely. When you have an environment where 
the developers can barely get the website functional, security 
is way down on the list of things to take care of, right? 
Security needs to be built in at the very beginning, not added 
at the end. When you have an inexperienced developer--people 
don't--that can't even build a website properly or spell or do 
grammar, I mean, the skill set that is necessary to create a 
secure website are far higher than what I could see was the 
skills of the people that were put on creating that website.
    Chairman McCaul. So I guess it comes as no surprise that 
under 50,000 Americans have actually signed up for the 
exchanges, given the fact that, No. 1, the website is flawed. 
No. 2, the security risks are so great, if people--if the 
administration was really interested in getting more people to 
sign up you think they would take a time-out, fix this, and 
also fix it from the security standpoint.
    The thing that also bothers me tremendously is that it has 
been reported to me that there are about--there are over 700 
fake websites out there that purport to be an exchange, purport 
to be part of this Obamacare program. HealthCare.gov is the 
official, but there are over 700 fake websites out there that 
are preying on victims for their personal identifying 
information so they can exploit that. Does that trouble either 
one of you? Mr. Krush.
    Mr. Chung. That happens all the time on every website. That 
is not unusual.
    Mr. Krush. Yes, that is not abnormal. One of the things 
that were brought up earlier by DHS was that they ensured that 
HHS actually implemented DNS security. So that if you go to 
HealthCare.gov you are arriving at HealthCare.gov. That doesn't 
take away the process that when you go out to go to Google.com 
and you actually put a ``P'' in front of it, or a ``G'' or 
something, you are gonna sent to a site that looks like Google 
but I wouldn't be using that search engine.
    Chairman McCaul. Well, I think it demonstrates--I mean, 
perhaps a better public education process to demonstrate that 
there are fake websites out there, and here is the official 
one. Again, I will close by saying I am troubled that the 
Department of Homeland Security, that has the primary 
responsibility for securing the dot.gov space, is defaulting to 
an agency, a department, HHS, which has one of the worst 
scorecards when it comes to cybersecurity.
    With that, it is lunchtime. A lot of the Members have left. 
But I do want to give the witnesses, since you have taken so 
much time to prepare and come here today, perhaps give you the 
last word. I will start with Mr. Chung.
    Mr. Chung. Well, thank you very much. I mean, I can tell 
you that as a small business owner I am facing the need to buy 
insurance for myself and my employees. I have to follow the 
law. I don't get to choose the laws that I follow. I was really 
hoping that this would be an opportunity for me to be able to 
buy health insurance that would be more competitive. Health 
insurance is a big problem for small businesses. We pay the 
highest premiums for the worst coverage.
    We are competing against companies like CGI and these other 
Government contractors that are much bigger and can probably 
get lower-priced insurance than we can. So I hope that 
throughout this whole process we do keep in mind that getting 
health insurance for companies is important to small businesses 
for us to remain competitive.
    Chairman McCaul. Thank you.
    Mr. Krush.
    Mr. Krush. I would just like to say that, you know, the 
processes that we have in place in the Federal Government are 
some of the most rigorous processes of any type of auditing you 
would perform on any type of information system. I am very 
familiar with the type of commercial auditing that goes on. I 
am very familiar with the Federal auditing that goes on. So, 
you know, the depth and rigor in the implementation of 
cybersecurity and privacy requirements that we do build into 
the systems--whether, you know, they are always working 
properly, or not--is some of the best out there.
    I mean, there is just really no comparison. All of the 
previous speakers brought up HIPAA, they brought up different 
compliance requirements that are out there. I will tell you, if 
you are gonna deploy a Federal information system you must not 
only implement those controls, but the control catalogue itself 
that we are required to implement throughout each one of the 
components; whether that be starting at the hardware layer, the 
hypervisor, the operating system, and all the applications to 
sit on top of that is the most rigorous cybersecurity of any 
Nation in the world. Also, just of any organization, whether it 
be Government or not.
    Chairman McCaul. Well, with all due respect, I would 
submit, in this case, it was an abysmal failure. We don't like 
to see that as Americans, and hope we can move forward in a 
more productive way.
    With that, I want to thank the witnesses for your 
testimony. Members are advised if they have additional 
questions they can submit that within 10 days. I would ask you 
to respond in writing to that. Without objection, the committee 
stands adjourned.
    [Whereupon, at 12:45 p.m., the committee was adjourned.]

                                 
