[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
SECURITY OF HEALTHCARE.GOV
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION
__________
NOVEMBER 19, 2013
__________
Serial No. 113-100
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
______
U.S. GOVERNMENT PUBLISHING OFFICE
87-764 PDF WASHINGTON : 2015
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON ENERGY AND COMMERCE
Majority:
FRED UPTON, Michigan, Chairman
RALPH M. HALL, Texas
JOE BARTON, Texas, Chairman Emeritus
ED WHITFIELD, Kentucky
JOHN SHIMKUS, Illinois
JOSEPH R. PITTS, Pennsylvania
GREG WALDEN, Oregon
LEE TERRY, Nebraska
MIKE ROGERS, Michigan
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee, Vice Chairman
PHIL GINGREY, Georgia
STEVE SCALISE, Louisiana
ROBERT E. LATTA, Ohio
CATHY McMORRIS RODGERS, Washington
GREGG HARPER, Mississippi
LEONARD LANCE, New Jersey
BILL CASSIDY, Louisiana
BRETT GUTHRIE, Kentucky
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
CORY GARDNER, Colorado
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia
GUS M. BILIRAKIS, Florida
BILL JOHNSON, Ohio
BILLY LONG, Missouri
RENEE L. ELLMERS, North Carolina

Minority:
HENRY A. WAXMAN, California, Ranking Member
JOHN D. DINGELL, Michigan
FRANK PALLONE, Jr., New Jersey
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
ELIOT L. ENGEL, New York
GENE GREEN, Texas
DIANA DeGETTE, Colorado
LOIS CAPPS, California
MICHAEL F. DOYLE, Pennsylvania
JANICE D. SCHAKOWSKY, Illinois
JIM MATHESON, Utah
G.K. BUTTERFIELD, North Carolina
JOHN BARROW, Georgia
DORIS O. MATSUI, California
DONNA M. CHRISTENSEN, Virgin Islands
KATHY CASTOR, Florida
JOHN P. SARBANES, Maryland
JERRY McNERNEY, California
BRUCE L. BRALEY, Iowa
PETER WELCH, Vermont
BEN RAY LUJAN, New Mexico
PAUL TONKO, New York
JOHN A. YARMUTH, Kentucky
_____
Subcommittee on Oversight and Investigations
Majority:
TIM MURPHY, Pennsylvania, Chairman
MICHAEL C. BURGESS, Texas, Vice Chairman
MARSHA BLACKBURN, Tennessee
PHIL GINGREY, Georgia
STEVE SCALISE, Louisiana
GREGG HARPER, Mississippi
PETE OLSON, Texas
CORY GARDNER, Colorado
H. MORGAN GRIFFITH, Virginia
BILL JOHNSON, Ohio
BILLY LONG, Missouri
RENEE L. ELLMERS, North Carolina
JOE BARTON, Texas
FRED UPTON, Michigan (ex officio)

Minority:
DIANA DeGETTE, Colorado, Ranking Member
BRUCE L. BRALEY, Iowa
BEN RAY LUJAN, New Mexico
JANICE D. SCHAKOWSKY, Illinois
G.K. BUTTERFIELD, North Carolina
KATHY CASTOR, Florida
PETER WELCH, Vermont
PAUL TONKO, New York
JOHN A. YARMUTH, Kentucky
GENE GREEN, Texas
JOHN D. DINGELL, Michigan (ex officio)
HENRY A. WAXMAN, California (ex officio)
C O N T E N T S
----------
Page
Hon. Tim Murphy, a Representative in Congress from the
Commonwealth of Pennsylvania, opening statement................ 1
Prepared statement........................................... 3
Hon. Diana DeGette, a Representative in Congress from the State
of Colorado, opening statement................................. 4
Hon. Fred Upton, a Representative in Congress from the State of
Michigan, opening statement.................................... 8
Prepared statement........................................... 9
Hon. Michael C. Burgess, a Representative in Congress from the
State of Texas, opening statement.............................. 10
Hon. Henry A. Waxman, a Representative in Congress from the State
of California, opening statement............................... 10
Hon. John D. Dingell, a Representative in Congress from the State
of Michigan, opening statement................................. 12
Prepared statement........................................... 12
Hon. G.K. Butterfield, a Representative in Congress from the
State of North Carolina, prepared statement.................... 116
Witnesses
Henry Chao, Deputy Chief Information Officer and Deputy Director,
Office of Information Services, Centers for Medicare and
Medicaid Services.............................................. 13
Prepared statement........................................... 16
Answers to submitted questions............................... 178
Jason Providakes, Senior Vice President, Center for Connected
Government, The MITRE Corporation.............................. 88
Prepared statement........................................... 91
Answers to submitted questions............................... 185
Maggie Bauer, Senior Vice President, Creative Computing
Solutions, Inc................................................. 94
Prepared statement........................................... 95
Answers to submitted questions............................... 188
David Amsler, President and Chief Information Officer, Foreground
Security, Inc.................................................. 99
Prepared statement........................................... 101
Answers to submitted questions............................... 192
Submitted Material
Letter of November 19, 2013, from Mr. Waxman, et al., to Mr.
Upton and Mr. Murphy, submitted by Ms. DeGette................. 6
Report, dated April 24, 2012, ``Cybersecurity, Threats Impacting
the Nation,'' Government Accountability Office, submitted by
Mr. Lujan...................................................... 48
Article, undated, ``Bad news for woman cited as Obamacare success
story,'' CNN.com, submitted by Mrs. Ellmers.................... 79
Majority memorandum, submitted by Mr. Murphy..................... 118
Subcommittee exhibit binder...................................... 125
SECURITY OF HEALTHCARE.GOV
----------
TUESDAY, NOVEMBER 19, 2013
House of Representatives,
Subcommittee on Oversight and Investigations,
Committee on Energy and Commerce,
Washington, DC.
The subcommittee met, pursuant to call, at 10:15 a.m., in
room 2123 of the Rayburn House Office Building, Hon. Tim Murphy
(chairman of the subcommittee) presiding.
Members present: Representatives Murphy, Burgess,
Blackburn, Scalise, Harper, Olson, Gardner, Griffith, Johnson,
Long, Ellmers, Barton, Upton (ex officio), DeGette, Braley,
Lujan, Schakowsky, Butterfield, Welch, Tonko, Yarmuth, Dingell,
and Waxman (ex officio).
Staff present: Carl Anderson, Counsel, Oversight; Mike
Bloomquist, General Counsel; Sean Bonyun, Communications
Director; Karen Christian, Chief Counsel, Oversight and
Investigations; Noelle Clemente, Press Secretary; Brad Grantz,
Policy Coordinator, Oversight and Investigations; Brittany
Havens, Legislative Clerk; Sean Hayes, Counsel, Oversight and
Investigations; Brandon Mooney, Professional Staff Member;
Andrew Powaleny, Deputy Press Secretary; Tom Wilbur, Digital
Media Advisor; Jessica Wilkerson, Staff Assistant; Stacia
Cardille, Democratic Deputy Chief Counsel; Brian Cohen,
Democratic Staff Director, Oversight and Investigations, and
Senior Policy Advisor; Hannah Green, Democratic Staff
Assistant; Elizabeth Letter, Democratic Press Secretary; Karen
Lightfoot, Democratic Communications Director and Senior Policy
Advisor; Karen Nelson, Democratic Deputy Committee Staff
Director for Health; Stephen Salsbury, Democratic Special
Assistant; and Matt Siegler, Democratic Counsel.
OPENING STATEMENT OF HON. TIM MURPHY, A REPRESENTATIVE IN
CONGRESS FROM THE COMMONWEALTH OF PENNSYLVANIA
Mr. Murphy. Good morning. I convene this hearing of the
Subcommittee on Oversight and Investigations to discuss the
security of the Healthcare.gov Web site.
Americans want to know the answers to two simple questions:
is my information secure if I use Healthcare.gov, and why
should I believe the administration that it is?
It has been nearly 50 days since the launch of
Healthcare.gov, and the Web site is still not functioning at an
acceptable level. This is despite the numerous promises and
assurances the public was given by members of the
administration leading up to and over the several months up to
the launch of the Web site.
This committee heard directly from Secretary Sebelius,
Administrator Tavenner, and CCIIO Director, Gary Cohen, that
they were ready by October 1. We are all deeply troubled that
the individuals who want to be in charge of America's
healthcare system could not even predict accurately if the Web
site would work. And those predictions were not just limited to
the Web site. We have also been routinely promised that the Web
site was safe, and that Americans' personal information would
be secure.
When Administrator Tavenner last appeared before this
committee, she informed us that testing began in October of
last year, that end-to-end testing would be completed by the
end of August this year. We have now learned that this simply
was not the case. End-to-end testing is not possible when the
Web site isn't completed.
Today we hope to hear from our witness about how much of
the Web site remains to be built. If the first parts of
Healthcare.gov have been this problematic, we are obviously
concerned about parts that are being constructed under current
pressures and time constraints.
The witness for our first panel today is Mr. Henry Chao,
the Deputy Chief Information Officer at the Centers for
Medicare and Medicaid Services, and we want to thank you for
coming and testifying today. I can only imagine how stressful
the last few months have been for you, so welcome here. Yet, I
hope you can appreciate the fact that HHS has a ways to go to
regain the trust of the American people in this Web site. They
were promised a functioning Web site as easy as buying a TV on
Amazon, and what they got was a train wreck.
The reason the trust of the American people may be so
difficult to regain is because every day, new revelations
emerge that show this wreck was entirely foreseeable. Last
week, this subcommittee uncovered emails from CMS showing that
as early as July of this year, Mr. Chao, our first witness, was
worried that the company primarily responsible for building the
Web site, CGI, would ``crash at takeoff.''
Today this subcommittee also released materials showing
that as early as March to April of this year, top
administration officials were well aware that Healthcare.gov
was far off schedule, and testing of the Web site would be
limited. We have also learned that Healthcare.gov was only
launched after Administrator Tavenner signed an authority to
operate, which included a memo warning her that a full security
control assessment was not yet completed. This memo makes it
clear that the highest levels of CMS knew that there were
security risks present, yet again, while this document was
being signed in private, administration officials were
promising the public that in only a few days, the American
people would be able to use a perfectly functioning Web site.
A few weeks ago, Secretary Sebelius told this committee
that the highest security standards are in place, and people
have every right to expect privacy. I hope that today we hear
what those standards are, not only from Mr. Chao and also from
our second panel as well.
Our second panel features some of the contractors that are
responsible for the security of Healthcare.gov, and I thank
them for testifying today. I am disappointed that one of the
companies responsible for security, Verizon, chose not to
testify today. We will certainly be following up with Verizon
so that they are accountable to the public for their work here.
Today's hearing is not just about the Web site. Web sites
can be fixed. What cannot be fixed is the damage that could be
done to the American people if their personal data is
compromised. Right now, Healthcare.gov screams to those who are
trying to break into the system, ``If you like my healthcare
info, maybe you can steal it.''
[The prepared statement of Mr. Murphy follows:]
Prepared statement of Hon. Tim Murphy
Americans want to know the answers to two simple questions:
Is my information secure if I use HealthCare.gov? And why
should I believe the administration that it is?
It has been nearly 50 days since the launch of
HealthCare.gov, and the Web site is still not functioning at an
acceptable level. This is despite the numerous promises and
assurances the public was given by members of the
administration leading up to the launch of the Web site. This
committee heard directly from Secretary Sebelius, Administrator
Tavenner, and CCIIO Director Gary Cohen that they were ready by
October 1. We are all deeply troubled that the individuals who
want to be in charge of America's healthcare system could not
even predict accurately if the Web site would work.
And those predictions were not just limited to the Web
site. We have also been routinely promised that the Web site
was safe and that Americans' personal information would be
secure. When Administrator Tavenner last appeared before this
committee, she informed us that testing began in October of
last year, and that end-to-end testing would be completed by
the end of August this year. We have now learned that this was
simply not the case. End-to-end testing is not possible when
the Web site isn't completed. Today, we hope to hear from our
witness about how much of the Web site remains to be built. If
the first parts of HealthCare.gov have been this problematic,
we are obviously concerned about parts that are being
constructed under current pressures and time constraints.
The witness for our first panel today is Mr. Henry Chao,
the Deputy Chief Information Officer at the Centers for
Medicare and Medicaid Services. We thank you for testifying
today. I can only imagine how stressful the last few months
have been. Yet, I hope you can appreciate the fact that HHS has
a ways to go to regain the trust of the American people. They
were promised a functioning Web site--as easy as buying ``a TV
on Amazon''--and they got a train wreck.
The reason the trust of the American people may be so
difficult to regain is because every day new revelations emerge
that show this train wreck was entirely foreseeable. Last week
this subcommittee uncovered emails from CMS showing that as
early as July of this year Mr. Chao, our first witness, was
worried that the company primarily responsible for building the
Web site--CGI--would crash on takeoff. This subcommittee also
released materials showing that as early as April top
administration officials were well aware that Healthcare.gov
was far off schedule and testing of the Web site would be
limited.
We have also learned that HealthCare.gov was only launched
after Administrator Tavenner signed an ``Authority to
Operate,'' which included a memo warning her that a full
Security Control Assessment was not completed. This memo makes
it clear that the highest levels of CMS knew that there were
security risks present. Yet, again, while this document was
being signed behind closed doors, in public, administration
officials were promising that in only a few days the public
would be able to use a perfectly functioning Web site.
A few weeks ago Secretary Sebelius told this committee that
the ``highest security standards are in place, and people have
every right to expect privacy.'' I hope that today we hear what
those standards are from not only Mr. Chao, but our second
panel as well. Our second panel features some of the
contractors that are responsible for the security of
HealthCare.gov, and I thank them for testifying today. I am
disappointed that one of the companies responsible for
security, Verizon, chose not to testify today. We will
certainly be following up with Verizon so that they are
accountable to the public for their work here.
Today's hearing is not just about the Web site. Web sites
can be fixed. What cannot be fixed is the damage that could be
done to Americans if their personal data is compromised.
Right now, HealthCare.gov screams to crooks, ``If you like
my healthcare info, you can steal it.''
Mr. Murphy. But I now recognize for an opening statement
Ms. DeGette of Colorado, for 5 minutes.
OPENING STATEMENT OF HON. DIANA DEGETTE, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF COLORADO
Ms. DeGette. Thank you very much, Chairman Murphy. I want
to add to your thanks to Mr. Chao for being here today, as well
as the three contractor witnesses; MITRE, CCSi and Foreground.
We must make sure that the data on Healthcare.gov is
secure. Everybody can agree on that. The American people must
know that their data is protected when they go on the site to
find a quality, affordable insurance plan for themselves or
their families. This is critical. However, my fear is that
today's hearing is actually less about the facts of the
security of Healthcare.gov, and more about political points and
undermining the ACA.
Now, without a doubt, no one could disagree there are
troubling problems with the rollout of the Exchanges. Three
weeks ago, our full committee held the first hearing on the
inexcusable fact that Healthcare.gov seems to have been broken
since it was very first launched. And three weeks later, while
improving, it is clearly not up to speed. As I have said
before, the Exchanges need to be fixed, and they need to be
fixed fast so that the American people can easily access
quality, affordable insurance plans open to them. I hope we
will have another hearing after the November 30 deadline to see
how they are working.
My fear about this hearing today though is that it won't
enlighten the American public, but instead raise unjustified
fears about security piling on all of the other issues. Now,
obviously, as I said, we need to make sure that the data on
Healthcare.gov is secure, but we should not create smoke if
there is no fire.
So before we begin, I want to give the American people some
peace of mind based on the facts that we know about security on
Healthcare.gov.
First, and critically, no American has to provide any
personal health information to Healthcare.gov or to insurers in
order to qualify for health coverage and subsidies. To make
sure about this, I went on the Exchange myself the other day,
and that is because the ACA bans discrimination based on pre-
existing health conditions. Before the ACA became law,
Americans buying coverage on the individual insurance market
had to fill out page after page of personal health information
to apply for insurance. But no longer, thanks to the Affordable
Care Act. Americans do not have to turn over any private health
insurance to get coverage.
Second, while no Web site in the Government or in the
private sector is 100 percent secure, unfortunately, there is a
complex and detailed set of rules that HHS must follow to make
sure that data on Healthcare.gov is secure. And I am looking
forward to hearing from you, Mr. Chao, about these security
issues today.
The Agency has a long record of maintaining personal
information about Medicare, Medicaid, Social Security and many
areas, and has never had a significant leak of information. HHS
must comply with the Federal Information Security Management
Act, and National Institute of Standards and Technology
Guidelines to protect information systems and the data
collected or maintained by Healthcare.gov. And like all Federal
agencies, HHS is required to develop, document and implement an
agency-wide information security program.
To date, our committee's investigation has found that CMS
has complied with every important security rule and guideline.
They hired a small army of contractors to make sure the Web
site is secure, and they are going to talk to us about it
today.
The memo, Mr. Chairman, that you talked about at our last
hearing, that identified some security concerns, primarily a
lack of end-to-end testing on Healthcare.gov, but it also
outlined a mitigation plan, one we learned was--that the Agency
was following to mitigate security risks. So I want to hear
from the contractors and from you, Mr. Chao, if, in fact, these
findings are being heeded.
Now, unfortunately, Mr. Chairman, I have to raise one more
issue in my remaining minute, and that is this committee's
grand tradition of bipartisanship investigation. Apparently,
the committee, last Thursday, received a memo from CMS, Red
Team discussion document. The majority on this committee did
not share this memo with the minority on this committee until
yesterday, coincidentally, just after they leaked this memo to
The Washington Post. Now--and if you saw The Washington Post
front page today, you saw a big story, and, Mr. Chairman, you
were quoted in that story, talking about concerns about the
readiness of the Exchange based on this memo.
I know that is not the topic of this hearing today, but I
have got to say it is not in the tradition of the committee to
conduct investigations that way. And when the majority received
this memo, it should have immediately provided it to all of the
members so that we could read it and find out. We are all just
as concerned about making these Exchanges work.
And to that end, Mr. Waxman and I have written a letter
expressing our displeasure, and we would like to enter that
into the record at this time, Mr. Chairman.
[The information follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Murphy. That is fine, and I will look forward to
talking with you more about these procedures. I know that these
came as part of a couple of hundred thousand pages of documents
that we are going through, but I will be glad to review that
with you because I certainly respect my colleague on this----
Ms. DeGette. That we were able to find it in time to give
it to The Washington Post in time for today's hearing, and to
be quoted----
Mr. Murphy. We will----
Ms. DeGette [continuing]. In The Washington Post.
Mr. Murphy. We will have a good discussion on that. I thank
my colleague, whose time has expired.
I now recognize the chairman of the full committee, Mr.
Upton, for 5 minutes.
OPENING STATEMENT OF HON. FRED UPTON, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF MICHIGAN
Mr. Upton. Well, thank you, Mr. Chairman.
You know, for months, administration witnesses have come
before this committee and assured us that the implementation of
the President's healthcare law was ``on track''--their words--
and that Healthcare.gov would be ready for the October 1
launch. But why not give the straight story to the Congress and
the public, because back on April 18, Secretary Sebelius
testified in this very room, we have the Federal hub on track
and on time. I can tell you we are on track. Those are her
words. But we now know that the Secretary's testimony did not
match what was happening behind the scenes.
Two weeks before she testified before this committee,
Secretary Sebelius was present at an April 4 meeting where
experts identified significant threats and risks launching the
site on October 1. The administration was on track, on track
for disaster, but stubbornly they stayed the course, repeating
their claims that all is well and on track, right up until the
mess that launched on October 1. And even after the launch,
administration officials insisted that the volume was primarily
the culprit, when they, in fact, knew otherwise.
But our oversight of the health law is not just about a Web
site. No, it is not. It is about whether the public can trust
and rely on this healthcare system that the administration has
been building for over three years, and spending hundreds of
millions of dollars. The failure of this Web site has
significant consequences for all Americans. One important
question is whether individuals will be able to enroll and
obtain coverage by January 1. Security is another critical
concern. How can the public trust a hastily thrown-together
system in which meeting a deadline was more important for the
administration than conducting complete end-to-end testing of
the site's security?
Mr. Henry Chao, Deputy Chief Information Officer of CMS, is
here to answer those questions, about CMS's management of the
Federal Exchange and the implications for security. And, Mr.
Chao, I do understand that you are a career employee, and have
been at CMS for years, and I know, as Chairman Murphy
indicated, the last few months have not been particularly easy.
Last March, you were one of the first to publicly offer a
glimpse of the true situation when you candidly remarked about
the Web site and said, let us just make sure it is not a Third
World experience. Documents produced to the committee paint a
clear picture that the administration officials, in fact, knew
for months before the October 1 date about delays and problems
with the Web site development. Mr. Chao, you have been
responsible for managing the development of Healthcare.gov, but
I can imagine many matters were outside of your control. And
given the lack of end-to-end testing, I hope that you can
explain to us today why the administration felt confident in
the security of Healthcare.gov when the system went live on
October 1.
We are also joined by three companies that were awarded
contracts by CMS to provide security services for the Federal
Exchange. These companies are here also today to answer
questions about their roles. I know the subject of security
presents certain sensitivities, and I am glad that they made
the decision to accept our invitations to testify and inform us
about how Healthcare.gov works or doesn't.
One thing that we have learned; there are countless
contractors involved in building this Web site, and
responsibilities are divided. Very divided. It is a complex
system, I know, but we would like to know how the delays and
rushed implementation have affected or complicated the ability
to perform the security work for the Web site.
[The prepared statement of Mr. Upton follows:]
Prepared statement of Hon. Fred Upton
For months, administration witnesses have come before this
committee and assured us that implementation of the president's
healthcare law was ``on track,'' and that HealthCare.gov would
be ready for the October 1 launch.
But why not give the straight story to the Congress and the
public? On April 18, Secretary Sebelius testified in this very
room, ``we have the Federal hub on track and on time. . . . I can
tell you we are on track.'' But we now know that the
secretary's testimony did not match what was happening behind
the scenes. Two weeks before she testified before this
committee, Secretary Sebelius was present at an April 4 meeting
where experts identified significant threats and risks to
launching the site on October 1. The administration was on
track--on track for disaster. But stubbornly, they stayed the
course, repeating their claims that all was well and on track
right up until the mess that launched October 1. Even after the
launch, administration officials insisted volume was the
primary culprit, when they knew otherwise.
But our oversight of the health law is not just about a Web
site. It is about whether the public can trust and rely on this
healthcare system that the administration has been building for
over 3 years. The failures of this Web site have significant
consequences for Americans. One important question is whether
individuals will be able to enroll and obtain coverage by
January 1. Security is another critical concern. How can the
public trust a hastily thrown together system in which meeting
a deadline was more important for the administration than
conducting complete, end to end testing of the site's security?
Mr. Henry Chao, Deputy Chief Information Officer of CMS, is
here to answer our questions about CMS' management of the
Federal exchange and the implications for security. Mr. Chao, I
understand you are a career employee and have been at CMS for
years. I am sure the last few months have not been easy for
you. Last March, you were one of the first to publicly offer a
glimpse of the true situation when you candidly remarked about
the Web site, ``Let's just make sure it's not a third-world
experience.'' Documents produced to the committee paint a
clearer picture that administration officials knew for months
before October 1 about delays and problems with the Web site
development. Mr. Chao, you have been responsible for managing
the development of HealthCare.gov, but I imagine many matters
were outside your control. Given the lack of end-to-end
testing, I hope you can explain to us today why the
administration felt confident in the security of HealthCare.gov
when the system went live on October 1.
We are also joined by three companies that were awarded
contracts by CMS to provide security services for the Federal
exchange. These companies--MITRE, CCSi, and Foreground--are
here today to answer questions about their roles. I know the
subject of security presents certain sensitivities and I am
glad they made the decision to accept our invitations to
testify and inform this committee about how HealthCare.gov
works. One thing we have learned--there are countless
contractors involved in building this Web site, and
responsibilities are divided. It is a complex system. I would
like to know how the delays and rushed implementation have
affected or complicated your ability to perform the security
work for the Web site.
Mr. Upton. And I yield the balance of my time to Dr.
Burgess.
OPENING STATEMENT OF HON. MICHAEL C. BURGESS, A REPRESENTATIVE
IN CONGRESS FROM THE STATE OF TEXAS
Mr. Burgess. I thank the chairman for the recognition, and
I do want to thank our witnesses for being here today.
Pretty broad agreement, the implementation of the
Affordable Care Act has been problematic, and rather than
getting better, it may be getting worse. We have low enrollment
numbers, a Web site so bad that it has required the appointment
of a glitch tsar, cancelled plans, broken promises from the
President, just for starters. These initial problems break the
surface of the deeper issues that lie ahead for not just the
law, but for the American people that must live under the law.
And, Mr. Chao, you probably, prior to anyone else, sounded
the alarm with that speech to AHIP, and I know you are tired of
hearing it, but I will tell you once again, your comments that
you were just trying to prevent the Web site from becoming a
Third World experience, I admire your ability to see over the
horizon and tell the problems before they come up and hit you
in the windshield. But also you are the one who recommended
that it was safe to launch the Web site on October 1. So what
happened in those 6 months that led you, yourself, and others
in the administration to believe that this law was, in fact,
ready for primetime? Not only did the Center for Medicare and
Medicaid Services fail to establish basic functionality, but
Healthcare.gov's flaws continue to pose a threat to the
security of Americans' personal data. And just on a personal
note, when I went to Healthcare.gov this morning, it was still
not functional. Another Web site, HealthSherpa.com, can
actually tell me about the plans that are available in my area.
We know it was possible to do this. We are all wondering why it
wasn't.
Thank you, Mr. Chairman. I will yield back.
Mr. Murphy. Gentleman yields back.
Now recognize the ranking member of the full committee, Mr.
Waxman, for 5 minutes.
OPENING STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF CALIFORNIA
Mr. Waxman. Thank you very much, Mr. Chairman.
The last 6 weeks have been difficult ones for supporters of
the Affordable Care Act. The troubled rollout of the Web site
prevented many of our constituents from signing up for the
affordable, high-quality coverage for which they now qualify.
And it has been relentlessly exploited for political gain by
Republican opponents of the law.
I was interested to hear the phrase in the 2 Republicans'
statements, maybe in all of them; we don't want a Third World
Web site. Well, let me tell you what is Third World. Third
world in this country is when we leave millions of people
unable to get insurance because they have pre-existing medical
conditions, or they can't afford it. No other industrial
country allows such a thing to happen, but that is what
Republicans who have opposed this law would have us return to.
I think we are turning the corner on the Web site. On
Friday, Jeff Zients, the administration's point person on
Healthcare.gov, announced two key metrics of improvement, and
it seems to me these are all very good signs the Web site is
getting better. Additional improvements are still needed, but
Healthcare.gov means more and more people will be signing up
for coverage as that Web site becomes more usable.
I want to tell you what is happening in California. In the
first month, 35,000 people enrolled in the Exchange, over
70,000 qualified for Medicaid, and State officials say that the
pace of enrollment is increasing. In just the first 12 days of
November, enrollment from the first month almost doubled.
Now, I know we are looking today at the issue of data
security on Healthcare.gov. It is an important issue. We should
begin by acknowledging that the ACA represents an enormous step
forward for privacy because, when people apply for insurance
coverage, the law bans them from being asked questions about
their underwriting, about their medical conditions, about the
privacy of things that affect their health, because it is not
necessary to ask those questions. They are not going to be
denied insurance coverage because of previous medical problems.
But there is some personal information that people are going to
be asked for when they sign up, and we need to ensure that this
information is protected.
This question comes up repeatedly--came up repeatedly when
Secretary Sebelius was before us. She told us the department is
placing a high priority on the security of the Web site, and
the highest security standards are in place to protect personal
information on Healthcare.gov.
I hope this hearing will be serious, evenhanded inquiry,
but I fear that some of my Republican colleagues may exaggerate
security concerns to stoke public fear, and exaggerate it so
that they can dissuade people from even signing up. This is
exactly what this subcommittee did when they launched an
investigation into nonprofit community organizations serving as
healthcare navigators. They were harassing these people in
order to prevent them from helping people learn what is
available to them.
Mr. Chairman, yesterday we learned that you have been
withholding important investigative documents, leaking them to
the press before even providing them to the Democratic members
and staff. And I sent you a letter this morning describing why
this is a violation of the committee's precedent. It is not the
way this committee has traditionally operated, and it raises
concerns about whether these hearings are becoming another
partisan attempt to weaken the Affordable Care Act.
The committee should not go down that road. We should be
using our oversight powers to improve the Affordable Care Act,
not to sabotage it or to discourage Americans from signing up
for quality care.
I want to yield the balance of my time, Mr. Chairman, to
Mr. Dingell.
OPENING STATEMENT OF HON. JOHN D. DINGELL, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF MICHIGAN
Mr. Dingell. I thank the gentleman. I ask unanimous consent
to revise and extend my remarks, and I am pleased to be here
and I am certainly pleased that my subscription to The
Washington Post is in effect so I can find out what is being
leaked by my Republican colleagues to the media.
This is interesting. We have clearly a violation of the
practices, traditions and histories this committee and the
investigations it has done. I speak as a member who has done
more investigations than anybody in this room, including
probably more than all of them put together.
Here, we have a breach of the responsibility of the
leadership to make information available to the committee at
the same time they make it to the press. I find that difficult,
but worse than that, I find it intolerable that this committee
is running around fishing for trouble where none exists. I feel
a little bit like the old maid who came home and looked under
the bed to find out if there was somebody there, hoping, in
fact, that there would be. Unfortunately, there is not.
I have seen no evidence of any complaints or any evidence
of misbehavior with regard to the information that is
controlled by the Government. I would urge this committee to
spend its time trying to make this situation work, and see to
it that we collect the information that is necessary, make the
Web site work, and see to it that we register the Americans so
that we can cease being a Third World nation, both with regard
to how the Congress runs and how the health care of this
country works.
Mr. Murphy. Gentleman's time has expired.
Mr. Dingell. We are down around the Third World nations in
the way that we take care of the health of our people. Look at
the statistics.
Mr. Murphy. Thank you.
Mr. Dingell. It will give you a shock.
Prepared statement of Hon. John D. Dingell
I thank the gentlemen for yielding.
Partisan politics have always been at the heart of the
Majority's investigation into the Affordable Care Act, but
today we have reached a new low.
Breaking with longstanding committee practice, the majority
selectively released certain documents to the press before
Democratic staff even had the opportunity to review.
Oversight is one of the most important responsibilities of
the Congress, and it can result in good things when used
properly. This committee has a long history of bipartisan
cooperation when conducting oversight.
When I was chairman, the minority always had ample time to
access documents. I hope we can soon return to that precedent
and work on these issues together rather than playing games
with the press.
Mr. Murphy. Gentleman's time has expired.
Thank you very much. And now I would like to introduce the
witnesses on our first panel for today's hearing. Henry Chao
has served since January 2011 as the Deputy Chief Information
Officer and Deputy Director of the Office of Information
Services at the Centers for Medicare and Medicaid Services.
Some of his prior roles include Chief Information Officer in
the Office of Consumer Information and Insurance Oversight, and
Chief Technology Officer for CMS. I will now swear in the
witness.
You are aware, Mr. Chao, that the committee is holding an
investigative hearing, and when doing so, has the practice of
taking testimony under oath. Do you have any objection to
taking testimony under oath? The witness indicates no. The
Chair then advises you that under the rules of the House and
the rules of the committee, you are entitled to be advised by
counsel. Do you desire to be advised by counsel during your
testimony today? Mr. Chao indicates no. In that case, would you
please rise, raise your right hand, I will swear you in.
[Witness sworn.]
Mr. Murphy. Thank you. You are now under oath and subject
to the penalties set forth in Title XVIII, Section 1001 of the
United States Code. You may now give a 5-minute summary of your
written statement. And make sure the microphone is on and
pulled close to you. Thank you, Mr. Chao.
STATEMENT OF HENRY CHAO, DEPUTY CHIEF INFORMATION OFFICER AND
DEPUTY DIRECTOR, OFFICE OF INFORMATION SERVICES, CENTERS FOR
MEDICARE AND MEDICAID SERVICES
Mr. Chao. Thank you, Chairman Murphy, Ranking Member
DeGette, and members of the subcommittee for inviting me to
testify about the security of the Federally Facilitated
Marketplace.
The security and protection of personal and financial
information is a top priority for CMS which, for decades, has
protected the personal information of the more than 100 million
Americans enrolled in Medicare, Medicaid and the Children's
Health Insurance Program.
The protection of personal information in CMS programs is a
monumental responsibility. Every day, CMS enrolls new Medicare
beneficiaries, pays claims timely and efficiently, and protects
the information of consumers and providers. CMS used this
experience and our security-best practices to build a secure
Federal Marketplace that consumers should feel confident
entrusting with their personal information.
CMS follows Federal law, Government-wide security processes
and standard business practices to ensure stringent security
and privacy protections. CMS's security protections are not
singular in nature; rather, the marketplace is protected by an
extensive set of security layers.
First and foremost, the application--the online application
is developed with secure code. Second, the application
infrastructure is physically and logically protected by our
hosting provider. Third, the application is protected through
an internet defense shield in order to protect unauthorized
access to any personal data. Finally, several entities provide
direct and indirect security monitoring, security testing, and
security oversight which includes the various organizational
groups that CMS are reporting to key stakeholders with respect
to security and privacy.
This includes the Department of Health and Human Services.
We also work in conjunction with US-CERT, which is operated by
the Department of Homeland Security. CERT stands for Computer
Emergency Response Team. And the Office of the Inspector
General of HHS. Each of these groups has varying roles to
ensure operational management and technical controls are
implemented and successfully working.
The Federally Facilitated Marketplace is protected by the
high standards demanded of Federal information systems,
including regulations and standards proscribed by FISMA, NIST,
the Privacy Act and the directives promulgated by the Office of
Management and Budget.
CMS designed the marketplace IT systems and the Hub to
reduce possible vulnerabilities and increase the efficiency. A
large number of connections can cause security vulnerabilities.
The Hub allows for 1 highly secured connection between highly
protected databases of trusted State and Federal agencies,
instead of hundreds of connections that would have been
established as part of how normal business practices in present
day in how Government connects organizations with each other to
conduct business.
A series of business agreements enforce privacy controls
between CMS and our Federal and State partners. Additionally,
CMS designed the marketplace systems to limit the amount of
personal data stored, and protects personal information and
limits access through passwords, encryption technologies, zoned
architecture with firewall separation in between the zones, and
various other security controls to monitor log-in and to
prevent unauthorized access to our systems.
CMS also protects the Federal Marketplace through intensive
and stringent security testing. While the Federal Marketplace
has had some performance issues that could have been addressed
through more comprehensive functionality and performance
testing, I want to be clear that we have conducted extensive
security testing for the systems that went live on October 1.
We continue to test for security on a daily and a weekly basis
any new functions or code prior to its launch. Of course, we
are working around the clock to fix our performance issues so
that the vast majority of users have a smooth experience with
the site by the end of the month.
While I cannot go into specifics of our security testing
due to the sensitive nature, I assure you that CMS conducts
continuous antivirus and malware scans, as well as monitors
data flow and protections against threats by denying access to
known source-bad IP addresses and actors. Additionally, we
conduct two separate types of penetration testing on a weekly
basis. The most recent penetration testing showed no
significant findings. Also on a weekly basis, CMS reviews the
operation system infrastructure and the application software to
be sure that these systems are compliant and do not have
vulnerabilities. Vulnerabilities are often fixed immediately
on-site, and retested to ensure the strength of our system's
security. Each month, we review our plan of action and
milestones in order to continuously improve our system's
security.
For the Federally Facilitated Marketplace, we conduct
security control assessments on a quarterly basis, which is
beyond the FISMA requirements. As of today, no vulnerabilities
identified by our tests have been exploited through an attack.
Because of CMS's experience running trusted secure programs,
our fulfillment of Federal security standards and constant and
routine security monitoring and testing, the American people
can be confident in the privacy and security of the
marketplace.
Thank you, and I would be happy to answer your questions.
[The prepared statement of Mr. Chao follows:]
Mr. Murphy. Thank you, Mr. Chao. I will recognize myself
first for 5 minutes.
Mr. Chao, for the last year, members of this committee have
asked you and others in the administration about the status of
the launch of the President's healthcare law. We wanted to know
if you would be ready for the October 1 start of enrollment.
Over and over, we were assured that all was well and everything
was on track.
The documents produced to the committee show a different
picture, and I would like to walk through a couple of them with
you.
In mid-March, you made a candid comment that you didn't
want the Exchange Web site to be a Third World experience. Now
the committee has learned about a report prepared by committee
for senior HHS and White House officials, and presented to
these officials in late March and early April this year. That
document is tab 1 of your document binder. This document
highlights a number of risks facing Healthcare.gov's launch,
late policy, delayed designs, and building time and limited to
a test.
When did you first see this presentation?
Mr. Chao. I haven't seen that presentation.
Mr. Murphy. You were not briefed at all that there was a
McKinsey report presentation going on?
Mr. Chao. I knew that McKinsey had been brought in to
conduct some interviews and assessments and report to our
administrator, in which I actually participated in some of
those----
Mr. Murphy. You participated in the interviews when
McKinsey was exploring this?
Mr. Chao. Right, but I was not given the final report.
Mr. Murphy. Were you aware that they had met with Secretary
Sebelius, Marilyn Tavenner, Gary Cohen and others at CMS
Headquarters, HHS Headquarters, the Executive Office Building
and the White House?
Mr. Chao. We----
Mr. Murphy. Any of those incidences?
Mr. Chao. I believe there were some meetings that I heard
of, but I don't know the exact dates when they occurred.
Mr. Murphy. Now, part of your job is to make sure that this
Web site is working, am I correct?
Mr. Chao. Correct.
Mr. Murphy. And so this was a major report that went as
high up as the Secretary, maybe others, we don't know, but
saying that there were serious problems with this. And you are
saying that, even though you were interviewed by this, you did
not ever have this briefing yourself?
Mr. Chao. No, I didn't.
Mr. Murphy. You knew it existed?
Mr. Chao. I had heard that there was a final report out,
but I didn't see the actual report.
Mr. Murphy. Did anything change for you in recognizing that
this report was out there, basically telling people working on
the HHS Web site that there were serious problems, no end-to-
end testing, that other various aspects of it?
Mr. Chao. I can't really tell you or speak to you of the
contents of that report because I did not see it, and I didn't
hear about it until actually it was in The Washington Post.
Mr. Murphy. I mean certainly, this is part of the concerns
we have, and we are not making this stuff up. It is a matter
that we have a Web site out there which untold millions, tens
of millions or hundreds of millions are spent on this Web site,
which you have major leadership role here. McKinsey is hired to
come and present what the problems are, and lay out a roadmap
of those problems. I am deeply concerned that this is something
that you knew existed but had not read.
So when were you first concerned that the administration
wasn't going to be ready October 1 for the start of the open
enrollment?
Mr. Chao. I never thought that. I had relative----
Mr. Murphy. But you made a comment about you didn't want
this to be a plane crash.
Mr. Chao. Well, you are referring to the email----
Mr. Murphy. Yes.
Mr. Chao [continuing]. Exchange that I had with several----
Mr. Murphy. Yes, certainly that email didn't say everything
is going fine, congratulations team.
Mr. Chao. Of course--I----
Mr. Murphy. It said I don't want this to be a--so you must
have had some awareness that some problems existed.
Mr. Chao. Chairman, you have to understand, and the
committee, that I have been working on this since mid-2010----
Mr. Murphy. And we appreciate that.
Mr. Chao [continuing]. And I have--I am a very cautious
and--you know, I err on the side of caution and urgency
because, even back in 2010, I didn't believe that, you know,
everything would be easy and just, you know, going along
smoothly. So on a regular basis, I work with a lot of my
contractors and my staff to sensitize them on the sense and
level of urgency that is involved.
Mr. Murphy. Absolutely. Especially with McKinsey was called
in to prepare this document which was important enough for them
to have meetings at CMS, HHS, with the Secretary of Health and
Human Services, at the Executive Office Building and at the
White House, describing the level of problems. So I appreciate
your sensitivity and awareness to that. I am concerned you
saying you have not even read this yet.
Your testimony mentions the use of sensors and active event
monitoring. You state that if an event occurs, an instant
response capability is activated. Has that happened yet?
Mr. Chao. Yes.
Mr. Murphy. How many times?
Mr. Chao. You mean whether if we are conducting----
Mr. Murphy. No, an instant response----
Mr. Chao [continuing]. An instant response----
Mr. Murphy [continuing]. Capability. Well, first of all,
has anything happened yet, any hackers, any breaches, anyone
trying to get into the system from the outside, has that
occurred yet?
Mr. Chao. I think that there was 1 incident that I am aware
of, but it requires that we go to a classified facility and to
actually----
Mr. Murphy. Only once since the--where--but you are saying
no other attempts to breach into this system have occurred?
Mr. Chao. Not successful ones, no.
Mr. Murphy. Not since when?
Mr. Chao. Not successful ones.
Mr. Murphy. All right. Now, when there are attempts, who do
you report this to?
Mr. Chao. It is a combination of a series of authorities
that are involved.
Mr. Murphy. Law enforcement?
Mr. Chao. Well, through our incident reporting and breach
reporting processes that go through our agencies, various key
leadership and then up through the department, as well as we
have a Security Incident Response Center at the department that
works with US-CERT at DHS.
Mr. Murphy. Thank you. We will follow up subsequently.
I know I am out of time, so we will now recognize Ms.
DeGette for 5 minutes.
Ms. DeGette. Thank you very much, Mr. Chairman.
First of all, Mr. Chao, and also to the contractors,
something you said in your opening I think we should really
take heed, which is you want to be careful not to divulge
sensitive information about the security designs of the Web
site. Is that right?
Mr. Chao. That is correct.
Ms. DeGette. So I would say to you and to the contractors,
and I think the majority would agree with me, if there is a
question asked about that sensitive information, if you would
just let us know and then we can take it into executive
session, or whatever we need to do.
Mr. Murphy. Absolutely.
Mr. Chao. Certainly.
Ms. DeGette. Thank you, Mr. Chairman.
Now, Mr. Chao, the chairman was asking you about this memo
that you had--or it is an email, and it was on Tuesday, July
16. If you can take a look at tab 7 in your document binder,
please. That is a copy of your memo, and it looks to me in
reading it that you were basically telling people that you
wanted to make sure this Web site got up and going. Is that
right?
Mr. Chao. Yes.
Ms. DeGette. And that was your view, right?
Mr. Chao. Yes.
Ms. DeGette. Did you take further actions after July 16 to
try to get the Web site up and going?
Mr. Chao. It was a constant daily effort.
Ms. DeGette. And it still is, isn't it?
Mr. Chao. To improve it, certainly.
Ms. DeGette. Yes. OK, I would like you now to take a look
at tab 1 of your document binder. Now, Mr. Chao, this is the
document that was given to The Washington Post yesterday by the
majority, and also simultaneously to the Democrats on the
committee. This is the document the chairman was asking you
about in his opening statement. Have you ever seen this
document before?
Mr. Chao. No, I haven't.
Ms. DeGette. OK, so you don't really know about whatever it
might have said in that document, right?
Mr. Chao. No, I----
Ms. DeGette. OK, thanks.
Mr. Chao. I believe it is an executive level briefing for----
Ms. DeGette. Right, but you weren't--you didn't--you
weren't part of that briefing?
Mr. Chao. No.
Ms. DeGette. OK. That doesn't mean though that you weren't
concerned about the Web site working and trying to make it
work.
Mr. Chao. Well, of course. I think in some of the
interviews with McKinsey, you know, I think some of what is in
here could have potentially come from information that----
Ms. DeGette. But you wouldn't know that because you didn't
see it.
Mr. Chao. No, I----
Ms. DeGette. OK.
Mr. Chao [continuing]. Don't see how it was formed.
Ms. DeGette. I want to talk to you about the topic of this
hearing now for a few minutes, and that is the issue of
security. And I think I heard you say both in your opening and
in response to questioning by the chairman, I just wanted to
ask again. Have there been vulnerabilities that have been
discovered since the Web site unveiled on October 1?
Mr. Chao. Security vulnerabilities----
Ms. DeGette. Yes.
Mr. Chao [continuing]. Have not necessarily been reported
in terms of it being a security threat. I think there was some
misuse of terminology of something like 16 incidents reported
that--in a previous DHS testimony a couple of days ago, but
they were actually incidents involving disclosure of PII
information, and it wasn't due to the result of anyone trying
to attack the Web site.
Ms. DeGette. What was it a result of?
Mr. Chao. It was dealing with some training issues at the
call center, or we had a system issue where if you had similar
usernames and you chose a special character at the end of that
username, for example, if your name is Smith and you chose an @
sign at the end of the username, sometimes that @ sign was
treated like a--what we call a wildcard search, so the return
log-in information about someone else, but that since--since
was reported, has been fixed as of today.
Ms. DeGette. That problem has been fixed so that is----
Mr. Chao. Yes.
Ms. DeGette [continuing]. Not happening anymore?
Mr. Chao. It is not a hacker----
Ms. DeGette. Now, you have been at the Agency how long,
sir?
Mr. Chao. Approximately 20 years.
Ms. DeGette. And in working on the other sensitive areas,
Medicare and other areas, is this common that sometimes there
might be a little bump like this?
Mr. Chao. Fairly common.
Ms. DeGette. Uh-huh, and what does the Agency do when that
is identified?
Mr. Chao. We have an extensive set of processes and
controls in place with designated personnel to handle whether
they are----
Ms. DeGette. And----
Mr. Chao [continuing]. For example, security breaches
versus the personally identifiable information-type incidents,
data loss.
Ms. DeGette. And there is continuing testing, is that
right?
Mr. Chao. Correct.
Ms. DeGette. Now, MITRE has been performing assessments for
CMS, is that correct?
Mr. Chao. Correct.
Ms. DeGette. And what that does is it gives the contractors
the opportunity to identify and resolve security
vulnerabilities, is that correct?
Mr. Chao. I think what is--the benefit is that we use a set
of contractors to independently test the system so that we are
not taking the words of, let us say, for example, QSSI or CGI
themselves performing security testing. So this independent
testing provides us a more, you know, balanced view of----
Ms. DeGette. And is this ongoing, this----
Mr. Chao. Yes.
Ms. DeGette [continuing]. This independent testing?
Mr. Chao. It is on a daily and weekly basis.
Ms. DeGette. Thank you very much, Mr. Chairman.
Mr. Murphy. The Chair now recognizes Mr. Barton for 5
minutes.
Mr. Barton. Thank you, Mr. Chairman.
In Mr. Dingell's opening statement, and to some extent what
Ms. DeGette just said, I am reminded of the movie
``Casablanca,'' and Claude Rains, the French chief of police,
goes into Rick's Cafe and says, ``I am shutting it down, I am
shutting it down.'' And Rick comes up, who is played by
Humphrey Bogart, and says, ``Why are you shutting us down?''
And Claude Rains, the chief of police, says, ``I am shocked,
shocked, to learn there is gambling going on,'' just as the
croupier comes up and says to Claude Rains, ``Your winnings,
sir.''
It is interesting and amusing that the past master running
this committee, Mr. Dingell, would be shocked, shocked and
amazed that something was given to The Washington Post
yesterday. Now, I am not saying that it was, I don't know, but
if it did happen, it wouldn't be the first time in this
committee's history that documents were given to the press at
approximately the same time they were distributed to the
members of the committee.
Mr. Dingell. If the gentleman would yield, I didn't say I
was shocked, I said I was grateful I had the subscription to
The Washington Post so I could keep track of what----
Mr. Barton. Well----
Mr. Dingell [continuing]. Is going on in the committee----
Mr. Barton. Well----
Mr. Dingell [continuing]. Along with my Republican----
Mr. Barton [continuing]. Reclaiming my time from my--which
is my time, from my good friend. What shocks me is that Mr.
Chao, our witness, who is the Deputy Chief Information Officer
and Deputy Director of the Office of Information and Services
for Medicare and Medicaid, who has been identified numerous
times as the chief person in charge of preparing this Web site
at the CMS level, was not aware of this document. I mean to me,
that is what is shocking.
So my first question to you, sir, is when were you made
aware of this McKinsey briefing document?
Mr. Chao. I think I was aware that some document was being
prepared, because I had gone through the interviews, but
towards the end when the briefings occurred, I was not part of
them, nor was I given a copy.
Mr. Barton. I mean, were you aware that McKinsey had been
hired to come in and basically troubleshoot the status of the
Web site?
Mr. Chao. I don't think they were brought in to
troubleshoot, I think they were brought in to make an
assessment by conducting various interviews with key----
Mr. Barton. Did----
Mr. Chao [continuing]. Stakeholders.
Mr. Barton. Did this group ever talk to you?
Mr. Chao. Yes.
Mr. Barton. OK, so they did come in and at least visit with
you?
Mr. Chao. Yes, they have interviewed me before.
Mr. Barton. Once, twice, a dozen?
Mr. Chao. Probably at least two times from what I recall.
Mr. Barton. OK. Now, since you have been made aware of the
document----
Mr. Chao. Well, I----
Mr. Barton [continuing]. Have you studied it?
Mr. Chao. No, I was not made aware of the document. I was
interviewed by the team that put that together. When the
document was assembled, I didn't get a copy of it.
Mr. Barton. OK. Well, as Mr. Dingell has pointed out, it is
in The Washington Post. So have you--before coming before this
subcommittee this morning, have you perused this document?
Mr. Chao. No, I have not.
Mr. Barton. You have not perused this document, OK. Well,
on page 1 of the document, it says the working group, whoever
that is, maybe you can enlighten us on that, determined that
extending the go-live date, which, as we all know, is October
the 1st, should not be a part of the analysis and, therefore,
worked with a boundary condition of October the 1st as the
launch date. Now, in plain English, what that means is somebody
decided we couldn't delay the startup date so, by golly, we are
going to assume it is going to go live on October the 1st.
Were you a part of the working group that made that
decision?
Mr. Chao. No.
Mr. Barton. Do you know who the working group was that made
that decision?
Mr. Chao. No.
Mr. Barton. Do you have any idea, was it the President and
the Secretary of Health and Human Services, or was it somebody
below your level that made a decision somewhere in the bowels
of the bureaucracy?
Mr. Chao. I think that it probably was a conglomerate of
several----
Mr. Barton. A conglomerate?
Mr. Chao [continuing]. Key leadership that came to that
conclusion.
Mr. Barton. OK. Did you----
Mr. Chao. I was----
Mr. Barton. Did you have any decision-making authority
yourself about when the start-up date should be?
Mr. Chao. No.
Mr. Barton. That was not in your authority to say we are
going to have to put it off or make a decision to go forward?
Mr. Chao. No, I do not get to pick what date.
Mr. Barton. Do you know who did have that decision-making
authority?
Mr. Chao. I believe it is our administrator, Marilyn
Tavenner, and potentially other folks, but primarily I take my
direction from Marilyn Tavenner.
Mr. Barton. All right. Well, Mr. Chairman, my time has
expired, but I will just say in summing up, we are concerned at
multiple levels, but if you review this CMS document, which I
did not see until just now, this morning, it doesn't take but
about 10 minutes to go through and look at it, and it is
absolutely clear that the startup of the Web site was not going
to work well, if at all, on October the 1st. It was not. And it
says that in here.
So with that, I yield back.
Mr. Murphy. Thank you. Gentleman's time has expired.
The Chair now recognizes Mr. Dingell for 5 minutes.
Mr. Dingell. Chairman, I thank you for the recognition and
thank you for holding this hearing.
We are over 6 weeks into the implementation of the
Affordable Care Act, and while the functionality of the
Healthcare.gov Web site has improved, it is clear there is more
work to be done, and I am hopeful that the subcommittee will
work hard to achieve that goal.
ACA is the law of the land, and I believe we share the goal
of making it a functioning and secure Web site, however, it is
important to remember that we can never fully eliminate the
risks when building a large IT system, and so we must take
steps to mitigate them. I would also urge that we take the
necessary steps to make the program work, because this is the
largest undertaking of this character I believe that we have
ever seen by a Government anywhere.
First question, yes or no. Is CMS responsible for
developing the Data Services Hub and the eligibility enrollment
tools for the Federally Facilitated Marketplace? Yes or no, Mr.
Chao?
Mr. Chao. Yes.
Mr. Dingell. Now, Mr. Chao, are these projects required to
comply with the Privacy Act of 1974, the Computer Security Act
of 1987, the Federal Information Security Management Act of
2002? Yes or no?
Mr. Chao. Yes.
Mr. Dingell. Now, additionally, CMS must also comply with
regulations and standards promulgated by the National Institute
of Standards and Technology at the U.S. Department of Commerce.
Is that correct?
Mr. Chao. Yes.
Mr. Dingell. Now, these NIST standards require CMS to
balance security considerations with operational requirements.
Is that correct?
Mr. Chao. Yes.
Mr. Dingell. Mr. Chao, one of the key pieces of the
Healthcare.gov Web site is the Data Hub. Is this a large
repository of personal information as some of my friends on the
other side have claimed? Yes or no?
Mr. Chao. No.
Mr. Dingell. Say that again. No?
Mr. Chao. No, it does not store any----
Mr. Dingell. OK, I want----
Mr. Chao [continuing]. Personal----
Mr. Dingell. I want that on the record and clearly heard.
Does the Data Hub retain any personal information at all? Yes
or no?
Mr. Chao. No.
Mr. Dingell. Indeed, is it fair to say that the Data Hub is
a tool to transmit eligibility information to Federal agencies?
Yes or no?
Mr. Chao. Yes.
Mr. Dingell. Now, did the Data Hub pass a security test to
the October 1 launch of Healthcare.gov? Yes or no?
Mr. Chao. Yes.
Mr. Dingell. All right, is the Data Hub working as intended
today? Yes----
Mr. Chao. Yes.
Mr. Dingell [continuing]. Or no?
Mr. Chao. Yes.
Mr. Dingell. And is there any evidence to the contrary?
Mr. Chao. No.
Mr. Dingell. Is there any evidence of breaches or lack of
security of personal data or information by any person who has
submitted such data to this undertaking? Yes or no?
Mr. Chao. No.
Mr. Dingell. It is always true--our duty to remember how
our healthcare system operated prior to the passage of the ACA.
At that time, insurance companies were allowed to medically
underwrite people to determine their premium. This required
lengthy, confusing applications, and contained a lot of
personal medical information. Oftentimes this was submitted
electronically as well. ACA has changed all of this.
Now, in fact, this is a question to you again, Mr. Chao. In
fact, application forms on Healthcare.gov do not require the
submission of any personal health information. Is that correct,
yes or no?
Mr. Chao. Yes.
Mr. Dingell. Now, Mr. Chao, that is because ACA prohibits
discrimination on the basis of pre-existing conditions, and
outlaws charging people more because they are sick. Is that
correct?
Mr. Chao. Yes.
Mr. Dingell. So the information is not necessary?
Mr. Chao. It is not.
Mr. Dingell. And it is not correct--and it is not
collected?
Mr. Chao. It is not collected.
Mr. Dingell. All right, this is a remarkable improvement
over the old system in terms of both security and the quality
of care.
Next question. There are a lot of negative stories in the
press that create a lot of confusion, so I want to get this
record straight.
Is Healthcare.gov safe and secure for my constituents to
use today with regard to protection of their personal
information and their privacy? Yes or no?
Mr. Chao. Yes.
Mr. Dingell. Is there any evidence at all to the contrary?
Mr. Chao. No.
Mr. Dingell. Mr. Chairman, you have been most gracious. I
yield you back 12 seconds.
Mr. Murphy. Thank you.
Now going to recognize Mrs. Blackburn for 5 minutes. Thank
you.
Mrs. Blackburn. Thank you, Mr. Chairman.
Mr. Chao, we really appreciate that you would come and work
with us on this issue. I want to talk with you for a minute
about some red flags that seemed to be apparent to you, and you
are going to find the email I am referencing at tab 7, and it
is the July 16, 2013, email that you sent to Monique
Outerbridge. And I really want to focus there. You know, when
you have something that is running off the rails and--as this
obviously seemed to you to be doing, it was a project that just
was not proceeding as it should be proceeding, and you
expressed these concerns about the performance of CGI, what I
would like to hear from you is just an articulation of maybe
what were those top 3 or 4 red flags that seemed to be going up
to you, that you said I fear that the plane is going to crash
on takeoff, and some of those wordings that we have heard from
you now.
So give me just kind of the top 3 or 4 things.
Mr. Chao. I think in the context of this email, it was at a
time period in which we were getting ready to roll out what we
called Light Account, which is that initial registration
process. And as I mentioned before, I am a person who has a lot
of anxiety and I always err on the side of caution if we are
going to run out of time, so I occasionally get a little
passionate in my emails to remind people that they need to move
fast, and if they are moving fast, they need to move faster.
That is just the way I operate and the way I direct staff and
contractors. And what I was afraid of was, at this particular
point in time, was that we were falling behind in the rollout
of Light Account.
Mrs. Blackburn. OK, on Light Account, did your test on that
go off without a hitch, or what happened?
Mr. Chao. There--I don't exactly remember the specifics
about what tests passed or failed, I just was afraid that we
were in jeopardy of missing the date. So, therefore, you know,
I--at that time period, starting July, I wrote lots of emails
to try to----
Mrs. Blackburn. OK, did you hit the date?
Mr. Chao. I believe we--it took an extra 4 days.
Mrs. Blackburn. An extra 4 days?
Mr. Chao. Yes.
Mrs. Blackburn. On the test. And you don't remember exactly
what the concerns were that came to you at that point in time.
Is there a memo of review, a memo, an articulation of what----
Mr. Chao. I----
Mrs. Blackburn [continuing]. Transpired in that test
process?
Mr. Chao. I don't think it is necessarily a memo. I think
the way we operate is that we have daily meetings and----
Mrs. Blackburn. Are there minutes from those meetings----
Mr. Chao [continuing]. We----
Mrs. Blackburn [continuing]. And could you submit those to
us for the record?
Mr. Chao. I don't believe that there were minutes. I
believe they were just status check-ins with, you know,
contractors and their----
Mrs. Blackburn. Are there notes?
Mr. Chao. No, I don't----
Mrs. Blackburn. Informal notes?
Mr. Chao. I don't believe so. I think when my emails were----
Mrs. Blackburn. OK.
Mr. Chao [continuing]. Submitted as evidence----
Mrs. Blackburn. OK.
Mr. Chao [continuing]. That is kind of a----
Mrs. Blackburn. All right, let me go on a minute. I want to
talk specifically about CGI. What about, you know, if you all
kind of informally worked in a group, and didn't have formal
meetings or minutes and memos and things of that nature, just
give me your impression, what was it--your perception that
caused you to lose confidence in CGI, where were you on that,
because I think it is so interesting, you mentioned price and I
note in this email chain from Monique Outerbridge that they had
$40 million already that they had taken, they were coming back
and asking for another $38 million. Now, if I had someone who
had used up all of their money from a project, and then they
came back and asked for that much more, I think I would have to
say, wait a minute. So regardless, obviously, the price to you
was of tremendous concern. Am I right on that?
Mr. Chao. Correct.
Mrs. Blackburn. OK, so they had already kind of washed your
confidence there. What else was it in their conduct that eroded
your confidence in their ability to transact this portion of
business?
Mr. Chao. I think what I was trying to say is that,
relatively speaking to, I would say, most project managers that
are looking at smaller-scale projects, I would say there might
be some room to be----
Mrs. Blackburn. OK----
Mr. Chao [continuing]. A little more confident, but given
the task at hand, my confidence level had to deal with the
enormous amount of activities we had to be successful at to
deliver, you know, on Light Account, that interim, you know,
kind of piece, as well as the October 1 delivery.
Mrs. Blackburn. I yield back.
Mr. Murphy. Yes, I am just curious, to follow-up to that.
Did you ever present these concerns that you had about being
ready--whether or not it would be ready on October 1, when you
were interviewed by McKinsey people?
Mr. Chao. Well, this was in the July time frame. I think
McKinsey was--their interviews were in maybe a March or April
time frame.
Mr. Murphy. I just wondered if you presented any concerns
to them about being able to meet these dates when you spoke
with them?
Mr. Chao. I think as a course of conducting project
management, program management, that working with CGI and QSSI
and my team, we discussed these concerns on an ongoing basis.
In----
Mr. Murphy. Just one note. I will follow up----
Mr. Chao. OK.
Mr. Murphy. We will make sure someone follows up.
Now I will recognize Mr. Waxman for 5 minutes.
Mr. Waxman. And thank you, Mr. Chairman.
Nobody is happy with this rollout of Healthcare.gov, and
the administration has taken its lumps, but aside from lessons
learned, it seems to me that my focus ought to be and my
concern is getting this thing working. Americans want to be
able to access the Web site and choose a healthcare plan,
especially those who haven't been able to get an opportunity to
buy health insurance in the past. That is why it seems to me,
if we need legislative changes, we should make changes to make
it work, not to repeal it. You know, the Republicans are so
fixated on hating this law and they want to repeal it. They
don't even want to consider helping make it work, and that is
the focus that I want to use in asking you some questions, Mr.
Chao. How do we make this work better?
Now, is it accurate to say that CMS is getting the Web site
up and running?
Mr. Chao. Yes.
Mr. Waxman. OK, and is it accurate that CMS has crossed--
Center for Medicare and Medicaid Services, that is the
department--part of HHS that is working on it, they have
crossed 200 items off its punch list?
Mr. Chao. Correct.
Mr. Waxman. And can you give me a few examples of important
issues that have recently been addressed?
Mr. Chao. Issues related to the enrollment transactions
that had some data issues--data quality issues that were fixed,
and now issuers can receive that data without doing a lot of
cleaning up of that data. So----
Mr. Waxman. Um-hum.
Mr. Chao [continuing]. Data quality has improved. The daily
transactions that we send to them have improved.
Mr. Waxman. Um-hum.
Mr. Chao. The response times for the Web site have
improved. The error rate of people experiencing some level of
difficulty with moving from stage to stage in their online
application, that has been reduced and improved.
Mr. Waxman. Well, in fact, Jeff Zients, the
administration's point person on this whole Web site, announced
on Friday that you have dropped your error rate from 6 percent
to below 1 percent, and you have cut the average wait time for
page loading from 8 seconds to less than 1 second. What do
these improvements look like to the average consumer going on
the site?
Mr. Chao. I think they become transparent to the user. The
user then can get at the task at hand of filling out their
information, of finding out if they are asking for a premium
tax credit, that they are calculated timely, and they are
proceeding ahead in the application so that they can apply
some, all or none of that premium tax credit to their plan
compare so that they can look at the offsets that occur, and
what the final premium should be, to make their selection and
to go through the process in a very efficient and speedy
fashion, as compared to what they experienced on day 1.
Mr. Waxman. How about the overall stability of the site? It
was down frequently in the early weeks. Has that improved?
Mr. Chao. Yes, certainly. I think we do have regular
maintenance windows, but those maintenance windows are used to
implement these improvements that you have been hearing about.
Mr. Waxman. So numbers seem to be getting better, and I
expect we will see more improvements. The anecdotal evidence I
get is that the site is getting better, slowly but surely, and
that explains why the enrollment rate in November is speeding
up significantly. In fact, I do have more than anecdotes, I
have some figures. In Massachusetts, where they started a
similar program, it started off slowly, only 3/10 of a
percent of overall enrollees for private coverage signed up in
the first month, and then thus far, in the Affordable Care Act,
1.5 percent. So both started slowly. We are even ahead of what
Massachusetts was. But after that, there was a surge in
enrollment as people got closer to deadlines.
The LA Times reported that ``a number of States that use
their own systems are on track to hit enrollment targets for
2014 because of a sharp increase in November.'' California,
which enrolled 31,000 people in private plans last month,
nearly doubled that in the first 2 weeks of this month, and
several other States are outpacing their enrollment estimates.
In Minnesota, enrollment in the second half of October was
triple the rate of the first half. So we see an acceleration,
even in the Federal Marketplace. The New York Times reported
that the Federal Marketplace has nearly doubled its private
plan enrollment in just the first 2 weeks of November.
We are not where we need to be, but we are seeing
improvements, and this increased pace of people going back on
the site successfully is, to me, very encouraging. So rather
than just attack the healthcare law or look for ways to
undermine it, we ought to try to make it work, and we are
anxious to make sure that you do your job of getting the Web
site and all of that working, and if we need any legislative
change, call on us because we are ready, willing and able to
act in that regard.
Yield back my time.
Mr. Murphy. The gentleman's time has expired.
I now recognize for 5 minutes the gentleman from Texas, Dr.
Burgess.
Mr. Burgess. And thank you, Mr. Chairman. Thank you again,
Mr. Chao, for being here.
In response to one of Dr. Murphy's questions about a breach
of the system, you responded that you could not talk about it
in open session, that it would require a classified briefing.
Is that correct? Did I hear you correctly?
Mr. Chao. Correct. That was--that is how I was instructed
by our department.
Mr. Burgess. Very well. I would like to go on the record as
asking that that classified briefing with staff--bipartisan
staff occur. Can I get your commitment on trying to make that
happen?
Mr. Chao. Yes, sir.
Mr. Burgess. Thank you. So the much-talked-about Red Team
discussion document from The Washington Post this morning,
which, of course, you have not seen, and I appreciate that, but
you were interviewed, in response to Mr. Barton's questions,
you were interviewed by the McKinsey team who were developing
this?
Mr. Chao. Yes.
Mr. Burgess. Do you remember when?
Mr. Chao. Approximately an April time frame.
Mr. Burgess. During the time frame that this was being
developed. Do you recall what you talked about?
Mr. Chao. I think primarily what I was intimating to the
McKinsey team was a schedule challenge, because during April,
we had just started QHP submission, and working with issuers.
They were very nervous that----
Mr. Burgess. Excuse me, what is QHP?
Mr. Chao. Qualified health plans.
Mr. Burgess. OK.
Mr. Chao. I apologize. And in--during that month, it was a
rapid, you know, process to collect all the qualified health
plan data that you see in plan compare on Healthcare.gov now,
as well as in the State-based marketplaces, and I was remarking
on how that is unprecedented to only give issuers, you know,
that short amount of time to submit their data, and that we
needed to make adjustments in the windows potentially so that
they could come back in and make corrections. You know, that is
an example of what I talked about in terms of the schedule
challenges that we were trying to undertake something large-
scale, fairly complex compared to what is happening in the
insurance landscape today, and that this was new and we were
working on a short time frame.
Mr. Burgess. And I will stipulate that those are legitimate
concerns. And so on page 1 of this Red Team document, at the
bottom of the page, highlighted, the working group determined
that extending the go-live date should not be part of the
analysis, and, therefore, work with a boundary condition of
October 1 as the launch date. In other words, it didn't matter
what the conditions on the ground were, come hell or high
water, October 1 we have got to go live. And were you given
that impression by anyone on your team as you worked through
this?
Mr. Chao. Not necessarily characterized that way, but as I
mentioned----
Mr. Burgess. Well, let me interrupt you again, my time is
limited. Who would have made a decision like that, that it
doesn't matter--I mean it is like the old saying, it doesn't
matter what--don't check the weather, we are flying anyway. Who
would make a decision like that?
Mr. Chao. I think the decision ultimately is made, you
know, by Marilyn Tavenner and, you know, a team of folks, I
suppose, that she works with. But as the administrator, she
sets the deadlines for my work, and----
Mr. Burgess. Now, some of the people that are referenced in
the report given to the committee by McKinsey, that people that
had discussions in the White House, the old Executive Office
Building, people like Nancy-Ann DeParle, Jeanne Lambrew, do you
know if they were involved in these decisions?
Mr. Chao. I can't speak to that. I didn't hear anything
about those discussions.
Mr. Burgess. Have you been in meetings with Jeanne Lambrew
and Nancy-Ann DeParle?
Mr. Chao. Yes.
Mr. Burgess. And what--could you characterize those
meetings?
Mr. Chao. The ones that I remember were dealing with
coordination with IRS on their FTI, Federal Tax Information,
requirements, security protections and the Privacy Act with
SSA.
Mr. Burgess. At any point during those meetings, did it
come up with the concern that we may not be ready trying to
integrate all of these moving parts by October 1?
Mr. Chao. Not in that context, no.
Mr. Burgess. In any context?
Mr. Chao. You know, concerns about whether if agencies were
working closely together, but not really in the context of
October 1, no.
Mr. Burgess. One of the other things that keeps coming up
repeatedly in this report is that, number 1, there were
evolving requirements, there wasn't a consistent endpoint,
there were multiple definitions of success, and in spite of all
of the concerns brought up by the report, it must launch at
full volume. I mean it almost sounds like a recipe for
disaster, doesn't it? You are changing the definition as it
goes along, you are not allowed to change the date, and you
have got to launch at full volume. That is a pretty tall order,
isn't it?
Mr. Chao. It is.
Mr. Burgess. Well, let me ask you this. How does it make
you feel to know that there was this kind of report out there,
and that other people knew about it, people in the White House,
people within the Agency, and you have been the primary point
man out there and no one discussed it with you? How does that
make you feel?
Mr. Chao. I am actually not terribly hurt by it or
surprised by it. I think the information contained within it is
something that I live on a day-to-day basis to try to deliver a
working system. I----
Mr. Burgess. You are playing into everyone's worst fear
about what it is like to be in the bureaucracy.
Let me ask you this. One of the things brought up in this
report is that there is not a single implementation leader----
Mr. Murphy. Gentleman's time has expired.
Mr. Burgess [continuing]. Do you feel during your time that
there has been a single implementation leader that you could
look to for advice and direction through this?
Mr. Chao. I think I have looked to several because of how----
Mr. Burgess. Name one.
Mr. Chao. Marilyn Tavenner.
Mr. Murphy. Gentleman's time has expired. We are going to
need to follow up with that. So we will submit those questions
for the record too.
Now recognize the gentleman from Texas, Mr. Green, for 5
minutes.
Mr. Green. Thank you, Mr. Chairman. And like all of us, I
have some concern, I have some questions in a minute about the
Healthcare.gov, but I want to just say that, you know, it is
frustrating for those of us on this side of the aisle who
supported it, who actually worked a lot of times on the
drafting of different versions of the Affordable Care Act, to
see what happened on October 1 without the rollout. And to have
it successful, that is the way we need to deal with it, because
having been here through also the prescription drug plan for
seniors, that is the way you can get to the numbers you really
need. So hopefully that will happen. But the law is still
there, and last Saturday in our district, at least in Houston,
because in Texas, we are unfortunate, we have some of the
highest percentage and numbers of uninsured folks in the
country, and in our congressional district 42 percent of my
constituents work and don't have insurance through their
employer. So they would be qualified to go with the ACA. And we
actually did it by paper. Now, I have to admit, I can't
remember except--and I wasn't around when Medicare was rolled
out. I guess that was the last time we rolled anything out by
paper, but let me give you the results. We had 3 members of
Congress, the Mayor of Houston, our Republican county judge,
and the Secretary of Labor. We actually had 800 families show
up on a Saturday morning and signed in, of course, with
multiple attendees per family, nearly 300 people set up follow-
up appointments after a navigator. We had 88 of the certified
navigators there. And we don't know how many applications were
completed because the number is still being tallied by navigators
and HHS and our regional office out of Dallas. So there are
people out there who want to do it. And if we have to do it by
paper, we will do it, but that is the frustration we have. We
want this to work because there are millions of people in our
country who need this. Now, I know the majority in the House
may not understand that, but I know in our district they do.
But I don't know if you have a comment, but let me--and I
can get to the Healthcare.gov.
Mr. Chao. I think CMS takes to heart the matter, and I
think everyone working on this is absolutely serious about
improving this experience because we know that in districts
like yours, there are quite a few number of people that need
and want to enroll and use this benefit. So we are certainly
working very hard to make that happen.
Mr. Green. Well, with that success, believe me, we are
going to do a lot of smaller ones in our district, and try and
work with them and partner with media companies to maybe get
the message out.
I have a few questions about Healthcare.gov and the
important goal I think we both share, and sharing is part of
the success in implementation of the Affordable Care Act,
people can have access to care they need and when they need it.
Part of this goal requires that Federal and State exchanges
secure the American people can trust their information and
privacy won't be compromised. How is the Data Hub used to
determine eligibility and enroll applicants and process appeals
different from the data systems used by other Federal agencies,
such as Social Security or the IRS?
Mr. Chao. How is the Data Hub different?
Mr. Green. Than the other agencies who obviously have up
and running ways where Social Security and even IRS you can
file?
Mr. Chao. Well, I think what makes it different is that,
for example, SSA is the eligibility agency for Medicare. So
every night, SSA's field offices load data about accretions and
deletions into the Medicare Program, and we receive a very
large file from them every night that we process for 2 to 3
hours to update all of our systems, so that providers can see
new Medicare beneficiaries accreting into the system. That is
lots of data moving between 2 organizations, and it is stored
and it is time-intensive. The Data Services Hub goes out and,
for a requestor of that data, a valid requestor, it reads the
data where the source is, transfers it back to the requestor in
a secure fashion, does not remember the contents of that data,
and facilitates that without moving massive, you know, millions
of records of data all at once, all the time, every day. It
only transfers enough data to get the job done.
Mr. Green. Were you at the HHS when we have gone through
two Medicare enrolling by internet? I mean when we shifted from
having to go into a Social Security office to file the
paperwork, you can do it online now.
Mr. Chao. Yes. Yes.
Mr. Green. And I assume there were some glitches when that
first started.
Mr. Chao. Yes.
Mr. Green. And, of course, we didn't have a deadline and a
rollout and things like that. It was built in over the time so
you had time to problem solve. And----
Mr. Chao. Right.
Mr. Green [continuing]. Our problem is we don't have that
time to problem solve here in later November, and----
Mr. Chao. I still remember in the mid-'90s, SSA put up the
electronic benefits statement, and after a few months, they had
to take it down and it didn't come back up until years later----
Mr. Green. Well----
Mr. Chao [continuing]. Until they perfected it.
Mr. Green. OK, thank you, Mr. Chairman.
Mr. Murphy. Gentleman yields back.
Now recognize the gentleman from Louisiana, Mr. Scalise,
for 5 minutes.
Mr. Scalise. Thank you, Mr. Chairman. I appreciate you
having this hearing, and, Mr. Chao, appreciate you coming to
testify before the committee.
We have had a number of hearings like this over the last
few months, trying to find out first how the rollout was going
to work, and of course, we have gotten testimony time and time
again from the administration that the rollout was going to be
fine. And then I think what is most frustrating is that when
this report came out, this McKinsey report, that really
chronicles the problems that were happening months ago, back in
March and April, at the same time that administration officials
were telling us that everything was going to be fine, and to
that--and telling American families that everything was going
to be fine when October 1 hit. I guess there are many things
about this that trouble me, but first, you know, when I look at
this, you say you hadn't seen this report, and I have read
through a number of these items that McKinsey pointed out in
the report that they were telling them to somebody in CMS,
around you, over you, under you, somewhere, but these are
things that should have been just basic testing requirements.
I, you know, I used to write software. I actually wrote test
plans for software rollouts, and, you know, in fact, many of
these are just basic commonsense things you do. I mean we--if
we made one line of code change, we literally would test that
over and over in multiple ways, let alone major changes.
What this report talks about is chaos at CMS. Nobody is in
charge. They talk about the fact that you had multiple people
that were making multiple changes to--and major design changes
to the system just weeks prior to testing, I mean--prior to the
rollout without testing it. I mean did you have a test plan,
whether or not you read this report, these are things that you
should have been doing anyway. I mean were you all making
changes, big changes all the way through, and were you testing
any of those changes, or just saying, well, you know, they told
us October 1, roll it out no matter what.
Mr. Chao. You have asked a lot of questions in there.
Mr. Scalise. Yes.
Mr. Chao. So let me try to recall how to address them. I
think that certainly, yes, if you have this experience in
software development, you need to have solid requirements
before you can actually have good test cases in which to
actually run tests. I think it is a dynamically changing
environment of which, if we had more time and that time would
have been devoted to solidifying requirements that are
translated from policy----
Mr. Scalise. You had 3 years. I mean there were 3 years.
This is not something that just kind of got plopped on your
desk. I mean the law passed and was signed into law in 2010.
There was a lot of time to prepare for it. The requirements--
the major requirements were changing weeks before, some of them
for political reasons by the Obama administration. So you can't
just say, well, you know, we just didn't have enough time. I
mean somebody in CMS, and if it wasn't you, it was--maybe it
was Ms. Tavenner or who knows who it was, but somebody was
making all these changes and saying, gee whiz, I mean, you
know, we--let us make big changes and don't test it because we
just want to roll this thing out no matter what.
Mr. Chao. Well, having written software or written test
cases, you know that the requirements come from the business
side or the policy side. And they are subject to change based
upon how your customer or your business----
Mr. Scalise. The law didn't change.
Mr. Chao. I----
Mr. Scalise. The law was passed, and for 3 years that law
didn't change. The law was there. You knew what those
requirements were. Now, if you make changes in the
requirements, you also ought to make changes in your test plan.
Mr. Chao. I think the law has a very high-level expression
of requirements that, certainly, you can't develop code or test
cases from. There needs to be a significant amount of
translation into lower level details. And that is what I mean
by a schedule, challenges that we have to receive those
requirements and translate them into test cases, test data, to
exercise the system as well as build the system too. So----
Mr. Scalise. All right, well, look, they talk in this
report that the contractor received absolutely conflicting
direction between the various entities within CMS. Conflicting
directions within CMS. That is not a requirement change. That
is one person saying do this, and another person in the same
agency saying do something different. And, by the way, none of
that is being tested in the meantime. That is not evolving
requirements, that is chaos within the Obama administration
where they are literally changing things and multiple people
are changing them and nobody is talking to anybody.
Mr. Chao. Well, I can't speak to how they characterized it,
but I think that in CMS, we have Medicaid and CHIP
requirements, we have insurance exchange requirements,
oversight requirements, medical loss ratio, rate review, early
retiree reinsurance, pre-existing----
Mr. Scalise. And I know you all have that. Look----
Mr. Chao. There are lots of----
Mr. Scalise [continuing]. You have got a job to----
Mr. Chao [continuing]. All I am saying is----
Mr. Scalise. The bottom line is, the bottom line is, you
know, this report lays out the chaos that was going on, but all
of this information was known within the White House. Reports
were being briefed to people in the White House. And either
President Obama didn't know about it, in which case people
directly under him knew that this thing was going to be a
disaster and just didn't tell him, or the President did know
about it and went out misleading people anyway. But either way,
if the President really didn't know about this, this report
says the White House absolutely knew what was going on, and
they didn't tell the President. He ought to be firing these
people today. If somebody--if a CEO went out there and said I
am rolling out this project, this would be just like buying a
TV on Amazon, that is what the President said, and if somebody
right underneath him knew that it wasn't going to be like that,
and this report says absolutely they knew and they didn't tell
the President, he ought to go and fire every single one of
those people right now and hold them accountable, or maybe that
just says that he did know about it. And we will see what the
President says, but this report is damning.
And I yield back the balance of my time.
Mr. Murphy. Gentleman's time has expired.
Just--can you just clarify an answer you gave to the
gentleman here? I thought you said something like, with more
time, you would have done more testing, or something along
those lines. Are you saying you would have liked to have more
time?
Mr. Chao. No, I think that is what I mean by there is a
schedule, challenges that you are trying to maximize the time
that you have left, as you are trying to extract the
requirements from the policy that is being finalized. The
longer a policy takes to be finalized, the longer it takes to
translate the----
Mr. Murphy. Do you wish you would have had more time to
test it?
Mr. Chao. I think that is true of every project I have ever
worked on.
Mr. Murphy. Thank you.
Now recognize Mr. Yarmuth for 5 minutes.
Mr. Yarmuth. Thank you, Mr. Chairman. Thank you, Mr. Chao,
for your testimony today.
I just want to follow up a little bit on Mr. Scalise's line
of questioning, the issue of whether or not you had 3 years to
prepare for this. When was the deadline for States to decide
when they're--they were joining the--doing their own Exchanges
or were going to participate in the Federal Exchange?
Mr. Chao. I think the time frame was the end of 2012.
Mr. Yarmuth. End of 2012. So January 1, essentially, of
this past year. And when was the deadline for States to decide
whether they were going to enter into a partnership with the
Federal Government?
Mr. Chao. I believe it was the end of April of 2013.
Mr. Yarmuth. So really, the department did--or CMS did not
have 3 years to prepare, and there was probably no way to guess
3 years ago that only 14 States and the District of Columbia
were going to set up their own Exchanges. Wasn't the
anticipation that far more States would do their own Exchanges?
Mr. Chao. Yes, we were hoping so.
Mr. Yarmuth. So it really wasn't until this year that CMS
really understood the magnitude of the volume of work that the
Web site was going to have to accommodate?
Mr. Chao. Correct. It is----
Mr. Yarmuth. Right.
Mr. Chao [continuing]. Not such a clear binary decision.
You do or you don't. There is still coordination that has to
occur in----
Mr. Yarmuth. Right. Thank you for that.
Now, obviously, when we are talking about security, we are
talking about two separate issues; one is the vulnerability of
the system to some kind of outside attack. I don't know why
anyone would really want to attack the Federal Exchange, but
assuming that is an issue. The second one is, the average
citizen is concerned about information that is there about
them. And I think that is one thing we are most interested
here. Mr. Dingell actually asked you directly about the fact
that there really isn't very much information on the Web site
that would be considered private in nature. And I guess the
question I would ask is, are people who are working with the
Exchange now subject to or vulnerable to a more of a breach of
their privacy than they were under the prior system when the
insurance companies had pages and pages and pages of health
information, including every doctor they had ever visited,
every prescription they had ever taken, every medical procedure
they had undergone and--over a certain period of time? Would
you say that there was much more vulnerability under that
system than there would be under the Federal Exchange?
Mr. Chao. Much more so because so much more personal
information, including health information, was involved in that
process.
Mr. Yarmuth. And I think during the course of questioning
we have actually done a pretty good job of debunking the issue
as to whether there really was a security problem here. There is
no evidence that there has been, and I think there really
hasn't been any evidence presented that would make us doubt
that. So I am glad about that, and I think that should
encourage Americans to participate more actively.
And since--one other thing that has come up, and it
involves the question of 80 percent, and it is something I want
to clarify because the press reports have been that the
administration has said as a metric that 80 percent will be
able to get on the site and smoothly sign up--enroll for health
coverage as of the end of this month. That doesn't mean that
the remaining 20 percent won't be able to access affordable
quality health insurance, does it?
Mr. Chao. No. I can't speak to the exact percentages, but I
think there is a recognition that some people, whether it be
Healthcare.gov or any system, for example, if you walked into
an SSA field office, how many people can actually get their
business done in one visit, as compared to, you know, the
greater majority of people? I think some people need extra
help. They need assistance to navigate the process, and I think
that that is probably what they were referring to.
Mr. Yarmuth. Thank you very much for that.
And I just want to do some shameless self-promotion for my
State right now. As of last Friday, Kentucky, obviously
operating its own Exchange, 48,000 Kentuckians are enrolled in
new health insurance, 41 percent of them are under the age of
35. Over 452,000 visitors have gone to the Web site, 380,000
people have conducted preliminary screenings to find out if
they are eligible for coverage. And I think most importantly
maybe, over--almost 1,000 businesses have actually begun the
process of signing up for new coverage for their employees, and
over 300 have actually been enrolled and have been qualified
now to offer coverage. So Kentucky is doing well, and I hope
the Federal Exchange will do just as well.
I yield back.
Mr. Murphy. Gentleman yields back.
Now recognize Mr. Harper for 5 minutes.
Mr. Harper. Thank you, Mr. Chairman. And, Mr. Chao, thank
you for your time here today.
And you replied earlier on a follow-up question that the
chairman had, I believe you said you would have liked to have
had more time for the testing. Did you request more time from
anyone?
Mr. Chao. No.
Mr. Harper. And can you tell me why you did not request
more time?
Mr. Chao. Because I was given a target of October 1 and
various other delivery dates, of which I had to stay on schedule
for.
Mr. Harper. Did you believe it was ready for October 1?
Mr. Chao. I believe we did everything we could to make sure
that the right priorities were set so that we could deliver a
system on October 1.
Mr. Harper. And do you believe the system was delivered on
October 1?
Mr. Chao. It was.
Mr. Harper. Do you believe----
Mr. Chao. It wasn't performing as well as we liked, and
certainly had more glitches than we anticipated, but we did
deliver a system on October 1.
Mr. Harper. Do you think glitches is the proper word to use
to describe the rollout?
Mr. Chao. I think there are problems. There are defects if
you--you know, glitches is just a word that is commonly used
right now.
Mr. Harper. Well, glitches doesn't seem to convey how
serious the failure of the rollout has been, and so here we
are. And, of course, one of the big concerns that we have is
what do you do about making sure that personally identifiable
information for those who sign up is protected. And on the
report that you have there, on page 11, if I could get you to
take a look at that real quick. On the McKinsey report. At the
bottom of page 11 it says--and, of course, at the top it says,
options that could be implemented to help mitigate key risks.
At the bottom it says, name a single implementation leader and
implement associated Government process. Has there been a
single implementation leader named?
Mr. Chao. I don't think that is the way it has been
characterized before by, I think, Marilyn Tavenner, our
administrator, certainly has accepted accountability and she
does run the agency and----
Mr. Harper. Certainly, but that is not saying that she is
supposed to be the single implementation leader there. Is that
how you read that report?
Mr. Chao. I--but again, I didn't see this until just this
very minute, so I----
Mr. Harper. All right, when--you know, I spent some time
here while we were waiting on time to question here, I went to
the Healthcare.gov site, and it took a little while to try to
figure out how in the search to get to the information on how
you protect yourself from fraud in the health insurance
marketplace. And it takes a couple of steps to get to this
information. So people probably more sophisticated than I am on
this would need to be tracking this. But if you look at it on
the site, it says how to report suspected fraud, and it said
you can report suspected fraud in one of two ways, and it lists
a breakdown of one way, which is to use the Federal Trade
Commission's online complaint assistant. And I tried that a
moment ago and it was not very successful. It says you can call
your local police department, and then it says you can visit a
site, the Federal Trade Commission, to learn more about
identity theft. And the second choice is to call the Health
Insurance Marketplace Call Center, and it gives that number. So
if you were the victim of personally identifiable information
being fraudulently released or obtained, who would you call
first under that scenario?
Mr. Chao. The listed call center number. The marketplace
call center.
Mr. Harper. And it----
Mr. Chao. If you are in a Federally Facilitated
Marketplace.
Mr. Harper. OK, and it says, explain what happened and your
information will be handled appropriately. How do you define
handled appropriately? What is that? How do you get someone's
identity back once it has been compromised or there has been an
identity theft?
Mr. Chao. Well, I think there needs to be some analysis and
collection of information to make sure what type of situation
occurred, and then make a decision going forward there.
Mr. Harper. Well, obviously, this is a critical matter, so
some determination made. What is the time frame? How quickly
can someone's life be put back together if this were to happen?
Mr. Chao. I think it is situationally dependent, and I
really can't--I am not comfortable----
Mr. Harper. Sure.
Mr. Chao [continuing]. Giving you an answer right off----
Mr. Harper. You had said earlier that steps were being
taken to prevent unauthorized access to the site. What about
those who may have authorized access but release it in an
unauthorized manner, what protections or safeguards are put in
there particularly for those that are the navigators, and the
situation that there has been no background check, unless it
was required in the State, how is that being handled with the
use of navigators?
Mr. Chao. I think the premise is that when we issue, for
example, a grant to a navigator organization, or we sign a
computer matching agreement with a State, that there are rules
of behavior and certain, you know, kinds of requirements that
are associated with signing that agreement or receiving that
grant.
Mr. Harper. Do you have a central reporting location of the
navigators that are in violation or reported in violation?
Mr. Chao. I have to check on that.
Mr. Harper. My time has----
Mr. Murphy. Gentleman's time has expired.
Mr. Harper. You let us know. My time has expired.
Mr. Murphy. Thank you.
Mr. Lujan is recognized for 5 minutes.
Mr. Lujan. Mr. Chairman, thank you so very much.
Mr. Chao, you were just presented with a whole series of
hypotheticals. Have any of those hypotheticals happened?
Mr. Chao. No, not to our knowledge, no.
Mr. Lujan. I appreciate that, and I would suggest, Mr.
Chao, if someone was maliciously using information in a way
that they were not allowed to use it, would that be a crime?
Mr. Chao. Can you repeat that question again?
Mr. Lujan. If someone hacked into the Web site, and was
using information in a way that they weren't allowed to use it,
so--and anyway, wouldn't that be considered a crime?
Mr. Chao. Certainly, yes.
Mr. Lujan. And I believe that we could fully prosecute
those individuals?
Mr. Chao. Yes.
Mr. Lujan. And I would hope that this committee would fully
support and encourage the Department of Justice to go and fully
prosecute anyone that is hacking this Web site.
Mr. Chairman, it wasn't too long ago that there was a
hearing that this committee had on Lifeline, and some of my
Republican colleagues were encouraging members--citizens of the
United States to go to visit Obamaphone.net to sign up for a
Lifeline or to get information from the Web site as to the
accuracy of what the program was about. An hour later, the Web
site was taken down, and this committee, myself and
Congresswoman Eshoo, asked the FTC to look into the matter, but
they said it appears that in the fraudulent way that this data
was being collected, that the Web site is now down.
I think we as Members of Congress need to be careful with
how we are purporting information out to the American people.
We need to be careful about this. There is not, again, a member
on this committee that doesn't believe that we should get the
Web site working, that we need to get to the facts of what is
happening. And with that being said, Mr. Chao, I guess two
things. Mr. Chairman, there is a GAO report that was published on
April 24 of 2012, entitled ``Cybersecurity, Threats Impacting
the Nation,'' and I would like to ask unanimous consent to
insert it into the record.
Mr. Murphy. Sure.
Mr. Lujan. The report, and I would invite everyone in the
committee to take a look at this. It was to the Homeland
Security Department or committee, talking about the threats
that our Nation is facing. The intelligence community, Homeland
Security, the White House, members of Congress Web sites that
have been hacked into. We need to do more in this area to make
sure that we are keeping information secure.
But with that being said, Mr. Chao, this has been talked
about a bit, but on the front page of The Washington Post this
morning, there was an article about a document that was leaked
to the paper by the committee majority. The article describes
an analysis conducted in 2013 by McKinsey and Company that
identified potential risks in the development of
Healthcare.gov. The report shadowed some of the problems that
we now face today.
Mr. Chao, did you see the report at the time it was
published in March and April of 2013?
Mr. Chao. No, I did not.
Mr. Lujan. So is it fair to say that you are not the best
person to comment on why the report was done, and how CMS and
HHS responded to its findings?
Mr. Chao. Yes.
Mr. Lujan. Mr. Chairman, I raise this because it
illustrates a number of problems with how this has been
handled. In particular, the perception that is created when you
withhold documents from the Democrats on the committee, and
when you play gotcha games by leaking material to the press
without context, it makes it appear that you are more
interested in running a partisan investigation than in finding
the facts, and I certainly hope that that is not the case, and
believe that not to be true, but we need to work together to
get to the bottom of this.
So with that being said, Mr. Chao, what efforts is the
Department of Health and Human Services undertaking to address
the ongoing threats?
Mr. Chao. We listed as part of our mitigation strategy
daily and weekly security testing and scans, which is something
we always do, but in this case we do it more frequently because
we understand the sensitive nature of Healthcare.gov and the
trust that--and confidence we have to obtain from people to
come and use the site.
Mr. Lujan. And how is the department coordinating with
other Federal agencies who maintain Web sites that also gather
personal information?
Mr. Chao. I think we work with all of our key partners that
are connected to the Hub to make sure that we function under
what we call a harmonized privacy and security framework, and
along with the States, have a process and a program in place to
handle certain situations of which there are incidents that
need to be managed, about potential data breaches. So we have a
program, we have a policy, we have a set of operational
procedures in place, working and coordinating across all these
agencies.
Mr. Lujan. And does that include, Mr. Chao, the
intelligence community, the Department of Homeland Security?
Mr. Chao. Yes.
Mr. Lujan. Very good.
So with that, Mr. Chairman, as I yield back my time, I just
hope that it is clear, Mr. Chao, to you, to the President, that
we are not happy with the rollout right now. We need to get
this working. There are too many vulnerable Americans that need
access to care, and we need to make sure that we can get them
that coverage, in the same way, protect the information. But I
think it is a big step forward that no longer will individuals
have to report the kind of illnesses or accidents that they
have had in their past, so that they can get care in the
future.
And with that, Mr. Chairman, I yield back.
Mr. Murphy. Gentleman yields back.
And without objection, the gentleman's document will be
admitted to the record.
[The information follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Murphy. The Chair now recognizes the gentleman from
Colorado, Mr. Gardner, for 5 minutes.
Mr. Gardner. Thank you, Mr. Chairman, and thank you, Mr.
Chao, for your time before the committee today.
Last week, the President met with several representatives
of the insurance industry to discuss solutions that may be
possible in light of the Healthcare.gov debacle. Have you had
any conversations about changes you can make to Healthcare.gov
to assist the insurance industry?
Mr. Chao. I think part of the strategy--I haven't spoken to
the issues myself or been part of those meetings, but I think
as part of the strategy under Jeff Zients is to improve the
experience of consumers, but that involves, you know, key third
parties that are also key to this equation of getting around
those agents and brokers, and working with issuers to fix, you
know, certain aspects of the systems to make it work better.
Mr. Gardner. So have you had any discussions then about
providing insurance companies with the ability to directly
enroll, or anybody in your agency department?
Mr. Chao. We had designed something called direct
enrollment into Healthcare.gov, or part of that FFM system
architecture to accommodate that.
Mr. Gardner. And so that is ready--that feature has been
turned on or it has not been turned on?
Mr. Chao. It was not working well initially, like many
other things, but we have been performing fixes and optimizing
it, and working with issuers to get direct enrollment up.
Mr. Gardner. So have you had any discussions about giving
insurers direct access to information on eligibility for
subsidies?
Mr. Chao. Only at--in terms of the result. There is a
series of----
Mr. Gardner. That is a----
Mr. Chao [continuing]. Security and of handoffs.
Mr. Gardner [continuing]. Yes----
Mr. Chao. Right.
Mr. Gardner. That is a yes then?
Mr. Chao. Yes.
Mr. Gardner. OK. Thank you for that.
Do you--going back to the question then about the feature
on the Web site, will that happen in the future then to that
question, discussions about giving insurers direct access to
information on eligibility for subsidies? Do you believe that
will happen in the future?
Mr. Chao. It is not really direct access, it is more of a
hand-off, a secure hand-off in which they have collected enough
information about the applicant and their, you know, or an
agent and broker, and this person has given authorization for a
consent to work with them as a third party.
Mr. Gardner. So that is a yes then again as well?
Mr. Chao. It is not access direct to eligibility data, it
is a more involved process that protects the person's
information.
Mr. Gardner. But the insurance company will be getting the
subsidy access?
Mr. Chao. They don't get to calculate it. We--that is a
marketplace----
Mr. Gardner. But they will have information on the
eligibility for the subsidies directly?
Mr. Chao. Only as a result of the marketplace handling that
data, not touching that eligibility data themselves.
Mr. Gardner. The committee has been reviewing materials
that indicate that some parts of Healthcare.gov were not
completed before the launch, as we have discussed here. What
portion or percentage of the Web site remained to be created
when you launched on October 1?
Mr. Chao. I don't have an exact percentage. I think some of
previous conversations when people ask about whether things
were complete, I look at it in terms of overall marketplace
systems----
Mr. Gardner. So you have never talked about what is
complete, what is not complete, whether it is--how much to go?
Mr. Chao. I think it was a set of priority functions that
needed to be in place. Like, for example, you had to
authenticate an individual. That is a key function that had to
be done.
Mr. Gardner. Well, how much do we have to build today
still? I mean what do we need to build, 50 percent, 40 percent,
30 percent?
Mr. Chao. I think it is, just an approximation, we are
probably sitting somewhere between 60 and 70 percent, because
we still have to build the system----
Mr. Gardner. But 60 or 70 percent that needs to be built
still?
Mr. Chao. Because we still have to build the payment
systems to make payments to issuers in January.
Mr. Gardner. So let me get this correct, 60 to 70 percent
of Healthcare.gov still needs to be built?
Mr. Chao. It is not really Healthcare.gov; it is the
Federally Facilitated Marketplace----
Mr. Gardner. But the entire system that the American people
are being required to rely upon----
Mr. Chao. That part is there.
Mr. Gardner [continuing]. Sixty to 70 percent----
Mr. Chao. Healthcare.gov, the online application,
verification, determination----
Mr. Gardner. That is----
Mr. Chao [continuing]. Plan compare, getting enrolled,
generating the enrollment transaction, that is 100 percent
there. What I am talking about is----
Mr. Gardner. But the entire system is 60 to 70 percent away
from being complete?
Mr. Chao. Yes, there is the back office systems, the
accounting systems, the----
Mr. Gardner. Thank----
Mr. Chao [continuing]. Payment systems----
Mr. Gardner. Thank you for that.
Mr. Chao [continuing]. They still need to be----
Mr. Gardner. And how--of those 60 to 70 percent of systems
that are still being built, how are they going to be tested?
Mr. Chao. You mean the remaining----
Mr. Gardner. Yes.
Mr. Chao [continuing]. Thirty to 40 percent? How are they
going to be tested?
Mr. Gardner. Yes.
Mr. Chao. In the same exact manner we tested everything
else.
Mr. Gardner. Is it difficult to review the new parts of the
Web site while it is operating?
Mr. Chao. It won't affect the front end--the front part----
Mr. Gardner. But that is pretty difficult, isn't it?
Mr. Chao. Excuse me?
Mr. Gardner. It is pretty difficult to review it while it
is in operation, correct?
Mr. Chao. No, it doesn't involve the front part. The----
Mr. Gardner. Right, but where it is operating within----
Mr. Chao [continuing]. Eligibility--when we are trying to
calculate a payment, derive a payment, do data matches on the
back end, that doesn't affect the Healthcare.gov operations.
Mr. Gardner. How long will you have to test those parts
that you are building?
Mr. Chao. They are an ongoing basis. Depends on their build
schedule.
Mr. Gardner. So is it appropriate, given the performance of
Healthcare.gov where we are at right now, to launch any new
applications or features without testing them heavily before
they go live?
Mr. Chao. We are testing.
Mr. Gardner. Mr. Chairman, I have several other questions
and will follow up with you, but thank you for your time.
Mr. Murphy. Thank you.
Now recognize Mr. Welch for 5 minutes.
Mr. Welch. Thank you very much. Thank you for the hearing.
There is a mutual desire to get this thing to work, and
there are really two models that we can use to deal with the
failed rollout. One is to fix it, and the other is to use it as
fodder to re-litigate the battle about whether health care is
the law of the land. And my hope is that we are past that.
There is an absolute urgency to make things work, and I know,
Mr. Chao, that is your job, and I just want to put this into
context. We had a big battle in this Congress, I was not here,
over the passage of Medicare Part D. It was a largely partisan
vote. The Republicans, under George Bush, were for it, most of
the Democrats were against it, but it passed in a very close,
tense vote. And my understanding is that as it then went into
the implementation phase which required a computer program and
a Web site, there were lots of significant difficulties with
that program, and there were concerns about having it work.
And I just want to ask you a little bit about that history,
so that we have a context for the challenges we have today, not
at all as an excuse because there is real unity about needing
to get this fixed, but are the actions we take about getting it
fixed or about trying to derail and scuttle the overall
healthcare program. America is going to have to judge.
But can you give us a sense what was going on inside the
Agency when you were preparing the Medicare Part D Web site in
2005, and were there concerns and issues that needed to be
addressed then?
Mr. Chao. The biggest and most prominent example that I can
recall was the concern around auto-assignment and auto-
enrolling Medicare--Medicaid full benefit dual eligibles to
receive a Part D prescription drug benefit, and switching them
over as of January 1, and that we had sent these enrollment
files out to the plans--the health plans or Part D sponsors,
around November, and in December it was some realization, you
know, last-minute realization that pharmacists and pharmacies
were--who were on the frontline of helping these beneficiaries,
required, you know, some access to information to help them
navigate this new change. So as an example, we scrambled and we
developed a method for pharmacies to actually get access
through authorizations to Medicare enrollment data for the dual
eligibles that were enrolled so that, at point of sale, they
can at least do things such as, you know, three day fills----
Mr. Welch. Right.
Mr. Chao [continuing]. Just to figure out what plan they
might be in. And, you know, that is just an example. I recall
that was a mass scramble, time crunch, had to get it in place,
lots of, you know, working around the clock, lots of urgency,
pushing many, many people, not just on the contractor and the
staff side, but working with the prescription drug industry as
a whole, including pharmacists, to make this happen.
Mr. Welch. All right, and those problems continued even
after the January 1 rollout date, my understanding.
Mr. Chao. Correct, because it is not perfected. It is--it
is not so much a technical issue, when you introduce a new
business process, for example, in a procedure, you know, in an
administrative aspect of health care, it takes a while for
people to actually understand how that works, you know, as
compared to learning the data system that is involved to
support that business process. So it is more than just a
technical issue.
Mr. Welch. OK, and is it your view that, as we ultimately
succeeded with Part D, we can ultimately succeed in terms of
the technical Web site issues with Healthcare.gov?
Mr. Chao. Certainly. I think it comes with being focused
and driven to get at the root of the problem and to fix the
systems, because on the technical issue side, it is solvable,
very solvable, and we have shown that it has made improvements.
Mr. Welch. OK, thank you very much.
I yield back.
Mr. Murphy. Gentleman yields back.
Now recognize for 5 minutes the gentleman from Virginia,
Mr. Griffith.
Mr. Griffith. Thank you, Mr. Chairman.
Now, speaking of Medicare Part D, no one was required by
law or force of penalty to subscribe to that, isn't that
correct?
Mr. Chao. No, but we did auto-assign, auto-enroll
Medicare--Medicaid dual eligibles into Medicare Part D.
Mr. Griffith. But it is a different animal than what we are
dealing with now because a lot of Americans are being told they
can't have their insurance so they are going to have to sign up
through the Exchanges. So I do appreciate that, but there is a
difference.
You know, one of the things that when you get time today to
look at the report, and I think it is a symptom of the problems
that this Web site has had, is that you were not included in
the briefings on the report that has come to light in the last
24 hours, but when you get a chance to read that, one of the
things you will see is they thought there ought to be one
person overseeing all of the different parts. And listening to
the vendors who previously testified before this committee, it
looked like they were each building their own part and then, in
the last month, they had to squeeze it all together in the last
two weeks, things were changing.
Another part of that report shows us that on a timeline,
you really want to define your policy requirements prior to
finishing the design and starting the build. Wouldn't you agree
with that?
Mr. Chao. That is the logical thing to do.
Mr. Griffith. It is the logical thing to do, but in
reality, we have heard testimony in this committee that they
were changing policy, we know the big change on July the 2nd
when all of a sudden the employer mandate was allegedly
delayed--the President signed an executive order, I am not sure
it has legal authority, but he did that, delayed that employer
mandate. Further, we know from testimony that there were
changes being made as close to the launch as 2 weeks before. So
based on that, it would be the logical conclusion that you are
going to have significant problems, wouldn't it?
Mr. Chao. With the luxury of hindsight, I can see that, you
know, there are contributors to the way the system performed
when it was unveiled, but that is not----
Mr. Griffith. Well, if you----
Mr. Chao. But that is not, you know, I need to focus on
fixing this thing.
Mr. Griffith. And I know that is your focus is to fix it
now, but also when you take a look at it, when you are still
defining your policy requirements as late as two weeks prior to
launch, it is very difficult to design and then to build and
then to test a system and have it work, whether it is the
security component or the performance component. It would be
logical to do it in the proper order. When you do the
illogical, you are liable to have problems. And I know you
would agree with that, if you were free to answer honestly. And
I would say to you that I also noticed that no one person was
ever appointed to head this up while you were in charge of part
of it, and you are in charge of making part of it work. It
looks like there are at least six different representatives
from different agencies that had a hand in overseeing what was
going on, and no one had control over the others, isn't that
correct?
Mr. Chao. I think it was a governance committee that was
formed.
Mr. Griffith. A governance committee. And--isn't that
interesting. And sometimes when you are trying to launch a big
project like this though, you have to have one general in
charge of the operation. Wouldn't that be logical?
Mr. Chao. I would say that for the technical pieces, you
know, I was responsible for making sure that the technical
pieces were----
Mr. Griffith. All right.
Mr. Chao [continuing]. Organized.
Mr. Griffith. And last month, this committee uncovered a
September 27 memorandum indicating that Healthcare.gov launched
without a full security control assessment. Administrator
Tavenner had to attest that she was aware that the launch
carried security risks. Can you tell us what those risks are
specifically?
Mr. Chao. First of all, I think the incomplete testing--it
was fully security tested through 3 rounds of testing so that
when we--when Marilyn Tavenner signed the authority to operate
on September 27, it had no high findings and had gone through
the appropriate security tests.
Mr. Griffith. So what she said was not accurate, that it
had a--did not have a full security control assessment, she was
mistaken when she testified in front of us on that?
Mr. Chao. I think there is a part of that sentence that
might be--it needs clarification. I think what we were trying
to say was that the security control assessment was not tested
for a full entire system of which we were still--remember, I--
we are still building financial management aspects of it. I
think it was just an acknowledgement that the--100 percent of
the system was not complete at that time.
Mr. Griffith. OK, and it is still not complete today, and
the people of America want to know, you know, what is the
security going to be----
Mr. Chao. Well----
Mr. Griffith [continuing]. If it is not completed on
January 1.
Mr. Chao. The October 1 pieces that were necessary, such as
ensuring security privacy for those functions that I mentioned,
were tested.
Mr. Griffith. OK, and I appreciate that, but what can we
expect on January 1?
I apologize, I yield back.
Mr. Murphy. Thank you. And by the way, our prayers are with
the family of State Senator Creigh in Virginia who is, I guess,
in critical condition.
Mr. Griffith. If I might----
Mr. Murphy. Right.
Mr. Griffith [continuing]. Take a--since you bring it up.
If I might take a moment of personal privilege. I do appreciate
your prayers. Creigh and I were in opposite parties, but just
like on this committee, you form friendships. And he served
with me in that Virginia House of Delegates before he went on
to the Senate and went on to run for other offices. But he
still is a sitting Senator, and it obviously has shaken
everybody in Virginia. And he is a good man and our prayers are
with him, and I encourage everybody to say a prayer for Senator
Deeds and his family.
Mr. Murphy. I thank the gentleman.
Now turning to Mr. Tonko for 5 minutes.
Mr. Tonko. Thank you, Mr. Chair.
I would like to continue on that recent questioning of the
document that my Republican colleagues have released.
Mr. Chao, this document was signed, I believe, on September
27, and it is an ATO, an authority to operate, memorandum to
operate the Federally Facilitated Marketplace for 6 months, and
implement a security mitigation plan.
Mr. Chao. Correct.
Mr. Tonko. Can you tell us, are ATOs commonly used in
Federal data systems?
Mr. Chao. Yes. It is the, in essence, the last official
sign-off to authorize a Federal system to go into operations.
Mr. Tonko. Thank you. And can you tell us why Administrator
Tavenner signed this ATO rather than, well, perhaps other
officials that might report to the administrator?
Mr. Chao. I think the span of the stakeholders that were
involved across the Agency has--we had not had a system that
had this unprecedented involvement of so many different
components, so that the recommendation by our chief information
officer was to make a recommendation for the administrator to
actually sign off on this, because she runs the entire agency.
Mr. Tonko. And the fact that she signed it is good news? It
is an indication, I would believe, that officials at the
highest level of CMS were briefed on and taking responsibility
for site security?
Mr. Chao. Correct, yes.
Mr. Tonko. Now, as I understand it, this document describes
security testing for the Healthcare.gov Web site. It says that
security testing of the marketplace was ongoing since inception
and into September 2013. In fact, it says that, and I quote,
``throughout the 3 rounds of security control assessment
testing, all of the security controls have been tested on
different versions of this system.'' Is that correct?
Mr. Chao. Correct.
Mr. Tonko. But the document goes on to say that because of
system readiness, a complete security assessment of all the
security controls in one complete version of the system was not
performed. It says that this lack of testing, and I quote,
``exposed a level of uncertainty that could be deemed as a high
risk.''
Mr. Chao. I didn't actually--I had recommended as part of
that decision memo and I think at that time, as I mentioned
earlier, you know, it is semantics, you know, not 100 percent
of the system is built so you can't really consciously say you
have it all available in one place to fully test, because not
everything was needed for October 1. Only essential pieces
involving Healthcare.gov were tested for security.
Mr. Tonko. So the document then indicated that CMS
postponed a final security assessment screening, right, and
the--in its place, CMS did put in place a number of mitigation
measures. And it concluded that these measures would mitigate
the security risks.
I want to take a moment to ask you about the September 27
ATO, and how the risks identified are being addressed. Can you
describe their recommendations in that September 27 memo?
Mr. Chao. You mean in terms of mitigations?
Mr. Tonko. Yes.
Mr. Chao. OK, so on a daily basis, we run antivirus scans
every 3 minutes, malware scans every 3 minutes, data full
monitoring is a continuous effort, threat protection analysis
against known bad IPs or hackers, I mentioned that in my
opening remarks that it is continuous. On a weekly basis, we
monitor operating system compliance, infrastructure system
compliance, we conduct penetration testing, authenticated and
unauthenticated, by marketplace security teams. We have a 24 by
7 security operations team. We conduct additional penetration
testing, authenticated and unauthenticated, by another group of
security professionals in CMS that report under our chief of
information security officer. We also conduct application
software assurance testing, which is occurring biweekly. And on
a monthly basis, we produce a plan of actions and milestones
that keeps track and reports on any discovered weaknesses
during all of this monitoring.
Mr. Tonko. So CMS is taking action that was recommended in
the ATO?
Mr. Chao. Correct.
Mr. Tonko. And do you have confidence in these and other
measures you are taking to protect the security of Americans'
personal information?
Mr. Chao. I have high confidence.
Mr. Tonko. OK. As I understand it here, the remedial
actions and the ongoing security testing are protecting the
security of the Web site.
Mr. Chao. Yes.
Mr. Tonko. And so perhaps the message coming from my
Republican colleagues is that they do not want the Web site to
work, and that they want to scare people from going on the Web
site, when, in fact, we are hearing that security has been
provided for.
Mr. Chao. I think we have gone over and above, because we
are very sensitive and we appreciate the nervousness around
this new program with people's information.
Mr. Tonko. Well, we appreciate you building the security of
the Web site, and responding to the actions recommended in the
ATO memo.
Thank you so much. I yield back.
Mr. Murphy. Thank you. Gentleman's time has expired.
Now recognize the gentleman from Ohio, Mr. Johnson, for 5
minutes.
Mr. Johnson. Thank you, Mr. Chairman.
Mr. Chao, I spent 30 years in information technology as--I
have been the chief information officer of publicly traded
companies, as well as the director of the CIO staff at U.S.
Special Operations Command, and I know the pressures that
delivering on a system of this complexity, I know the pressures
that are there.
I assume that you and I have a common goal here today, and
that is to make sure that the American people hear the truth.
Is that an accurate statement?
Mr. Chao. That is correct.
Mr. Johnson. OK. Given that then, would it be OK if you and
I have an understanding, because this is two IT guys talking to
one another. If I ask you a question that you don't understand,
would you ask me for clarification so that we can get to the
bottom of it, because we want to dig down in here into some
things that are pertinent?
Mr. Chao. Yes, sir.
Mr. Johnson. OK, great. You know, under FISMA, agencies
operating IT systems are required to establish security
baselines, incorporate them into applications and networks, and
test them to see that they are incorporated correctly. The use
and review of this testing plan is typically known as a
security control assessment. Several of the security control
assessments for Healthcare.gov were either not completed or
otherwise ignored.
So are you familiar with the four security control
assessments that were completed on the various aspects of the
Federally Facilitated Marketplaces?
Mr. Chao. Not in intricate detail, but I think I--going
back to what you said about ignored or missed, I think the most
important thing to remember is that on September----
Mr. Johnson. Are you familiar with those security control
assessments?
Mr. Chao. I----
Mr. Johnson. Have you seen or read them?
Mr. Chao. I have read the most important one, that is the
one----
Mr. Johnson. Have you read all four of them?
Mr. Chao. No, not all four.
Mr. Johnson. OK, could you turn to tab 4 of the document
binder that you have in front of you? This is the security
control assessment completed on October 11, 2013. Are you
familiar with the findings of this security control assessment?
Mr. Chao. Yes.
Mr. Johnson. OK. You testified a little earlier that it was
your opinion, based on what you knew at the time, that the
security control assessments--that security had been adequately
addressed when Administrator Tavenner signed the document
authorizing the operation of the Web site. Is that correct?
Mr. Chao. Yes.
Mr. Johnson. But yet you just testified that you were not
aware and you didn't read the security control assessment, so
how can you make that assertion that security had been
adequately addressed when you hadn't even read the control
assessments yourself?
Mr. Chao. I am thinking that there might be some mismatch
in versions here. Yours says final report October 11 for Health
Insurance Exchange August through September 2013, SCA report. I
have the Federally Facilitated Marketplace decision security
part----
Mr. Johnson. Well, I am talking about the one in your tab
there.
Voice. Excuse me, can we ask the witness to speak up a
little bit? I am having difficulty hearing him.
Mr. Chao. I am sorry.
Mr. Johnson. But I have got to move on because I don't have
time to look through the binder.
Who develops the scope of a security control assessment
before the contractor performs it?
Mr. Chao. We have independent contractors that design our
SCA testing.
Mr. Johnson. Do you need an application like the Data
Services Hub or the Web site to be complete in order to test it
for purposes of a security control assessment?
Mr. Chao. I think that depends on, you know, we don't like
testing security----
Mr. Johnson. Well, I can assure you that we don't.
Mr. Chao. The--in terms of using live data, you know. So
prior to going to production, we tend to conduct security----
Mr. Johnson. Well, let me ask you a question. Let us put up
a slide. Are you familiar with the term SQL injection?
Mr. Chao. Um-hum.
Mr. Johnson. OK. You know, SQL injection is a process
that hackers use to gain access to SQL databases, relational
databases, through SQL. This is a screenshot directly off
of Healthcare.gov that you see, if you put a semicolon in the
search box, you get all of those different breakdowns of SQL
injection.
Have--can you give me any idea how vigorous the testing was
around SQL injection, and are you aware that potential
hackers have the capability to go in through SQL injection
and manipulate these strings?
Mr. Chao. I can't speak to the exact--that situation. I
think some of the folks that are coming up behind me in the
other panel might be able to specifically address----
Mr. Johnson. I can assure you, Mr. Chairman, that I still
have very serious concerns about the security aspects of this
system.
And with that, I yield back.
Mr. Murphy. Thank you. Gentleman's time has expired.
Now recognize Ms. Schakowsky for 5 minutes.
Ms. Schakowsky. I want to also focus on this particular
system that the contractor, MITRE--I am here, Mr. Chao. Yes,
OK.
Mr. Chao. Sorry.
Ms. Schakowsky. We have heard this morning, we just heard,
about the risks that the contract--contractor, MITRE,
identified when it performed security control assessments for
different components of Healthcare.gov. And at first glance,
they can seem alarming, but my understanding is that all of
these issues were mitigated for the functions on the Web site
that launched on October 1. It is important to understand the
general point of security testing, to identify any potential
issues so they can be addressed before they became--become real
problems. Asking MITRE to perform these assessments gives CMS
and the contractors the opportunity to identify and resolve any
security vulnerabilities before anyone's personal information
could be put at risk.
So, Mr. Chao, does that sound to you like an accurate
description? Do the security control assessments involve an
iterative process where problems are identified and then
mitigated?
Mr. Chao. Yes, that is correctly characterized.
Ms. Schakowsky. So, Mr. Chao, I want to walk through some
of these key security assessments to determine whether the high
risks that MITRE identified have, in fact, been addressed.
In January and February of 2013, MITRE performed a security
control assessment of EIDM, the account creation function on
Healthcare.gov. According to the final report, MITRE identified
several high-risk findings.
So, Mr. Chao, were these high-risk findings resolved and
mitigated before the October 1 start of open enrollment in the
Federal Marketplace?
Mr. Chao. Yes, they were.
Ms. Schakowsky. And the fact is that they were noted in
the--that fact is noted in the MITRE report.
OK, so MITRE also performed a security control assessment
of the Data Services Hub in August 2013, and again identified
several high-risk findings. Were these findings resolved and
also mitigated before the October 1 launch?
Mr. Chao. Yes, and the Hub received authority to operate in
August.
Ms. Schakowsky. Yes, and the fact is that was--and that
fact was noted in the report.
I also want to discuss the security control assessment that
MITRE performed over August and September 2013 for the Health
Insurance Exchange. Mr. Chao, were all high risks identified in
this assessment mitigated before October 1?
Mr. Chao. Yes.
Ms. Schakowsky. I thank you. And what your answers confirm
is that the system worked. MITRE identified potentially high
risks--high security risks, and CMS made sure that they were
mitigated before they would become major problems.
The MITRE reports do not show a flawed system, they show
that CMS conducted security control assessments to identify
problems, and then fixed those problems. And I hope that my
Republican colleagues will keep these findings in mind when
they talk about the security of Healthcare.gov. We don't want
to alarm the public about security risks that have already been
addressed by CMS and its contractors. It just seems to me that
identifying risks that were named, it is important also to note
that they were all fixed before the launch on October 1. And I
thank you very much for your testimony.
I yield back.
Mr. Chao. Thank you.
Mr. Murphy. Gentlelady yields back.
And now I recognize the gentlewoman from North Carolina,
Mrs. Ellmers, for 5 minutes.
Mrs. Ellmers. Thank you, Mr. Chairman. And thank you, Mr.
Chao, for being with us today.
Mr. Chao, I have a question about the subsidies, and some
questions about some miscalculations that could be happening on
the Exchange. Press reports have indicated that some subsidies
are being miscalculated. In fact, one individual the President
identified as a beneficiary of Obamacare now can't afford it.
And, Mr. Chairman, I would ask unanimous consent to submit an
article from CNN to the committee for the record.
[The information follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mrs. Ellmers. OK. This is a single mom, has a teenage son
with ADHD, went on the Washington State Exchange, had gotten an
insurance quote for what she would pay at a gold price. Then
she received notification that it was actually--the quote was
actually higher for a silver plan. More confusion went on. Then
even a cheaper plan at bronze level for $324. So, in other
words, she ended up paying a lot more.
I guess in my questioning for you is, is this happening on
the Healthcare.gov site or the Federal Marketplace?
Mr. Chao. I think there are a lot of inputs to how an
advanced premium tax credit is calculated. A person can come
back and make some modifications to their income levels, to
their household composition. So--and Washington is a State-
based marketplace, so I can't really speak----
Mrs. Ellmers. Um-hum.
Mr. Chao [continuing]. For that particular case, but I
think that Healthcare.gov allows people the flexibility to try
several ways----
Mrs. Ellmers. Um-hum.
Mr. Chao [continuing]. To determine, you know, what their
tax credit is.
Mrs. Ellmers. OK, you know, and there again, I am just
going based off the article. It doesn't seem to be that she had
gone back to make any changes, it sounded to me like, you know,
there were miscalculations that she was notified of. So again,
my questioning is, is this happening in the Federal Exchange?
Mr. Chao. I would need some specifics to be able to answer
that.
Mrs. Ellmers. OK.
Mr. Chao. I think that if anyone ever does have issues with
believing that their subsidies were incorrectly calculated,
they could certainly call our call center to try to find out if
it was correct or not.
Mrs. Ellmers. So that is basically, you know, I am just
asking how someone would address that, or how that would
happen, if there were miscalculations then you could speak to
someone personally and----
Mr. Chao. Yes, we have both the call center and what we
call an eligibility support work----
Mrs. Ellmers. Um-hum. Do you know if this is what is
happening?
Mr. Chao. I----
Mrs. Ellmers. Have you heard any reports of----
Mr. Chao. I think there are many calls to the call center
for many different reasons.
Mrs. Ellmers. Um-hum.
Mr. Chao. I don't know exactly, you know, I can't tell you
there were 10 cases today or----
Mrs. Ellmers. Um-hum, OK.
Mr. Chao. But if you----
Mrs. Ellmers. CGI--well, we can move on. I appreciate that.
CGI, the contractor responsible for building Healthcare.gov,
can you explain your role with them in the last weeks of
September? Did you, you know, were you in contact with them,
were you working with them one-on-one, were you in their
office?
Mr. Chao. Yes, I actually--I moved down to Herndon and
lived in a hotel from September 10 to about the last week of
October----
Mrs. Ellmers. Um-hum.
Mr. Chao [continuing]. And I worked at CGI almost every
day.
Mrs. Ellmers. So you were actually there in their offices,
working out of their offices? OK.
Mr. Chao. Yes.
Mrs. Ellmers. One of the things that--I have got about a
minute left on my time. The President announced a tech surge to
fix the Web site. Who is involved in that surge?
Mr. Chao. There--Todd Park is involved----
Mrs. Ellmers. Um-hum.
Mr. Chao [continuing]. And there are two fellows, one by
the name of Mikey Dickerson, and another by the name of Greg
Gershman.
Mrs. Ellmers. Do you know about their compensation? How are
they being compensated?
Mr. Chao. I have no insight to that.
Mrs. Ellmers. Um-hum. Do they have a contract or did they
have to sign an agreement?
Mr. Chao. I don't know.
Mrs. Ellmers. Who do these individuals report to?
Mr. Chao. I am not--actually, I am not sure who they have a
contract with, or whether if they----
Mrs. Ellmers. So--but you are in charge of the technical
component to Healthcare.gov, and they don't report to you?
Mr. Chao. No, they are part of a tech surge team that is
being led by Jeff Zients.
Mrs. Ellmers. OK.
Mr. Chao. Right.
Mrs. Ellmers. So Jeff Zients is really the person that they
are reporting to?
Mr. Chao. Right.
Mrs. Ellmers. OK, thank you very much.
Mr. Chairman, my time has expired.
Mr. Murphy. Gentlelady yields back.
Now go to Mr. Olson for 5 minutes.
Mr. Olson. I thank the Chair. Welcome, Mr. Chao.
As you can imagine, sir, folks back home in Texas 22 have
one simple question: Why, why, why did Healthcare.gov roll out
on October 1 when most people in CMS, including yourself and
every contractor writing codes and doing the testing, said
stop, stop, stop, stop. We need more time. This Red Team
document is frightening. I refer you to page 4 of the document,
terms like limited end-to-end testing, parallel stacking of all
phases. Stacking is vertical not parallel. Insufficient time
and scope of end-to-end testing. Launch at full volume. And I
refer you to a 7/16 email which you said you were worried that,
and this is a quote, ``crash the plane takeoff.''
With all due respect, sir, it never got to the runway. It
was still waiting at the ramp there, waiting for the pilots,
the bags, the fuel, waiting for new tires. Using your analogy
and my record as a naval aviator, Healthcare.gov was a ``hangar
queen,'' never ready to fly.
I do want to talk about--the folks back home I work for are
most concerned about protection of their personal health
information. With so little testing, they are concerned about
the lack of security control assessments, SCAs. And my
question is, I will refer you to the document brief there, and
on--please turn to tab 2, sir. My question concerns--you guys
said that--this is a document you wrote for Ms. Tavenner, that
you needed a 2-part mitigation plan. And part 2 is basically,
you said, 1 of the recommended steps is to ``conduct a full SCA
test on the FFM in a stable environment where all security
controls can be tested within 60 to 90 days of going live on
October 1.'' The FFM will not be completed by November 30, so
how can you conduct a full test of the SCA within 60 days of
open enrollment? How could that happen when you are losing 30
days right off the bat?
Mr. Chao. I think the 60 to 90 days refers to the inclusion
of the final piece that needs to be built. What we mentioned
earlier, which I just want to say that it is actually 30
percent of the systems are left to be developed, not 70
percent, and that 30 percent represents the payment aspect and
the accounting aspects of making payments in the marketplace,
for all marketplaces, not just for Federally Facilitated
Marketplaces, and that that functionality has to be in place
for the January 1 effective date enrollments. And so I think
once we have that completed, we could do a full SCA across the
entire system.
Mr. Olson. But, sir, the document says October 1 rollout,
60 to 90 days after that. And apparently right now, we are
going back to at least November 1 at the earliest for the
rollout. I don't see how you get 60 days or 90 days of testing
before we are going live again.
And one further question about the SCAs. How many SCAs
did you identify and fix before the rollout on October 1, how
many have been identified and fixed after rollout, and how many
are still out there. What is the scope that my constituents
should be worried about?
Mr. Chao. The most important aspect is that there were no
high findings in the SCA tests as of the October 1 rollout. And
as I mentioned earlier, I read off a list of mitigation
activities that we go over and above any system that we put
into--we deploy and put in operations and monitor on a daily
basis.
Mr. Olson. When can you assure us that a full SCA will be
conducted system-wide? Ever?
Mr. Chao. When the last pieces of the system are completely
built, which is not--you know, I don't want people to think
that there hasn't been a full SCA. A full SCA has been
conducted on the pieces that were needed for October 1 for
eligibility enrollment. We have yet--we still have to build the
financial management aspects of the system, which includes our
accounting system and payment system and reconciliation system.
Those will also have security testing involved as well.
Mr. Olson. And the full end-to-end----
Mr. Chao. Testing----
Mr. Olson [continuing]. Testing, the whole, full system,
when can we expect that to occur, sir? What date?
Mr. Chao. I don't have an exact date, but it should be in--
some time in December.
Mr. Olson. So 2013, not 2014, 2015, 2016?
Mr. Chao. Correct.
Mr. Olson. 2013. OK, sir. One final question, and I want to
refer back to your email from July 16 about needing to feel
more confident about Healthcare.gov. I am assuming that some
time in the last 4 months you got that confidence. What gave
you that confidence? What was the trigger mechanism, when did
that happen? Something changed in the last 4 months.
Mr. Chao. I didn't say anything about having more
confidence. I am always cautious, which is what I was trying to
say earlier is that, until this is fixed, until the vast
majority of people have a good experience going through here,
and we have people who want to enroll, get enrolled,
particularly for January 1, I am going to continue to focus on
that along with the rest of the team. And, you know, and so it
is not really about confidence level right now, it is about
focusing on fixing the problem.
Mr. Olson. And so we are not fine yet. The hangar queen is
still at the hangar.
I yield back the balance of my time.
Mr. Murphy. I thank the gentleman for yielding back.
What we are going to do is give each side 5 more total
minutes, because Ms. DeGette has a couple of clarifying
questions, I have a couple of clarifying questions. If anybody
from my side needs some time, we will do that real quick.
Ms. DeGette.
Ms. DeGette. Thank you, Mr. Chairman.
Mr. Chao, I want to thank you for coming and spending the
morning with us. I am going to try to be quick because I would
like you to get back to wherever you are going and make this
thing work. OK.
The first thing I want to clear up, because even though I
thought we established it, my friends on the other side
continued to ask you about this McKinsey document at tab 1, and
I just want to clarify. You didn't--you weren't part of this
Red Team evaluation, is that right?
Mr. Chao. Correct.
Ms. DeGette. And you didn't really see this document until
today, is that correct?
Mr. Chao. Correct.
Ms. DeGette. So there were a lot of questions people asked
you, hypothetical questions people asked you about this
evaluation that you really don't know the answer to because you
weren't involved in the process and you didn't see the document
until today, right?
Mr. Chao. Correct.
Ms. DeGette. Now, as I understand it, this evaluation was
done in March/April 2013. Is that your understanding as well,
this McKinsey evaluation?
Mr. Chao. It is approximately that time.
Ms. DeGette. And do you have any knowledge of what that
evaluation was supposed to be for? Was it a snapshot in time or
do you even know?
Mr. Chao. From the interviews that I had with McKinsey, it
was about really 2 things. One was, I spent some time helping
McKinsey understand the program.
Ms. DeGette. Uh-huh.
Mr. Chao. Meaning how it worked, where we were in terms of
status and schedule. I don't--I suppose it also includes a
point in time kind of an assessment, because I educated them on
exactly what was happening up to the date----
Ms. DeGette. Up to that time. Now, on page 4 of this
assessment, I don't really want you to respond to this because
you weren't involved in the document, but I do want to point
out, there were a lot of questions that were asked today about
the current situation, evolving requirements, multiple
definitions of success, et cetera, but the people who were
asking those questions today didn't talk about the last thing,
which is in bold letters in a box, that says CMS has been
working to mitigate challenges resulting from program
characteristics. This was in March or April. And so without
talking about this document necessarily, but I think what your
testimony--what your job is really to identify issues
throughout and try to mitigate them, is that right?
Mr. Chao. Correct.
Ms. DeGette. And that is what you have tried to do
throughout.
Mr. Chao. It is a constant mitigation set of activities----
Ms. DeGette. And the administration has said it is going to
try to have the Federal Exchange site working for 80 percent of
the people by the end of November. Is that right? That is what
we have been reading in the press.
Mr. Chao. That is what the press quoted.
Ms. DeGette. OK.
Mr. Chao. I think what we have been saying is the vast
majority of----
Ms. DeGette. All right, and do you believe that that is a
reasonable goal at this point?
Mr. Chao. I think that is an attainable goal, given what I
have seen so far.
Ms. DeGette. Do you think it is going to happen?
Mr. Chao. I don't think there are any guarantees. I think
we are still in a stage where we are trying to apply as much
due diligence, acquiring additional assistance, the tech surge,
looking at performance, fixing the functional defects, along
with making sure that security monitoring is an ongoing basis.
So I think there is still a lot of moving parts that it
wouldn't be prudent to give 100 percent guarantees about where
we are going to be at on an exact date----
Ms. DeGette. Well----
Mr. Chao [continuing]. But I think we are on the right
track.
Ms. DeGette. You are--OK, but what I will say to you is,
truly, and you have heard this from all of us, all of us were
disappointed that it didn't work on October 1. I am sure you
were too.
Mr. Chao. Very.
Ms. DeGette. And so we need this to be essentially working
ASAP. For one thing, people who want insurance coverage as of
January 1 have to sign up by December 15. So if it is not
working for the vast majority of people by the end of November,
that is going to be hard to do. Understood?
Mr. Chao. We certainly understand that.
Ms. DeGette. OK. One last thing. Someone had asked you the
question--or had made the assertion that 60 percent of the site
was not working, but I am told that is not really accurate,
that it is really about 30 percent that is not working, and
most of that is the backend which is the payment to insurance
companies. So that is not necessarily the part that has to be
working at this moment. Is that correct?
Mr. Chao. Yes, it is not that it is not working, it is
still being developed and tested.
Ms. DeGette. OK.
Mr. Chao. Right.
Ms. DeGette. But that is the payment to the insurance
companies.
Mr. Chao. Correct.
Ms. DeGette. Right.
Mr. Chao. Which involves testing with Treasury----
Ms. DeGette. OK.
Mr. Chao [continuing]. And others.
Ms. DeGette. All right. Thanks, Mr. Chairman.
Mr. Murphy. Thank you.
Recognize myself for 5 minutes.
Just let me follow up here that--then what you are saying
this 30 percent is yet to develop on the payment end. On
October 1, the day this went live, how much of the site was
developed at that time?
Mr. Chao. Probably--well 100 percent of all the priorities
that were set for by the business for October 1, it was up and
running.
Mr. Murphy. OK, but what about the other parts?
Mr. Chao. I think there was a reprioritization associated
with, like, the shop employer, shop employee and the Spanish
Web site that was----
Mr. Murphy. But it was crashing for everybody. We have
heard that it wasn't designed for that many people, it didn't
pass a stress test, it never had end-to-end testing, and you
are saying it was 100 percent ready?
Mr. Chao. No, it----
Mr. Murphy. I just want to make sure I understand. What----
Mr. Chao. When I--it was 100 percent built, meaning----
Mr. Murphy. One hundred percent built, but----
Mr. Chao. Or the----
Mr. Murphy [continuing]. Just not working.
Mr. Chao. Yes, working functionally and----
Mr. Murphy. Well, then it is not built.
Mr. Chao [continuing]. Performing well, that----
Mr. Murphy. If a car is built but you can't run the car,
that car is not built. If a Web site isn't working, it is not
built.
Mr. Chao. Well, I am certainly not going to sit here and
try to tell you that it was working well. So I do----
Mr. Murphy. Yes, but you said on October 1 it was 100
percent built. I really need to know because you had said
before you wish you had had more time, and you had just said to
Ms. DeGette that your job was to identify issues and mitigate
them. And since you would have liked to have had more time, and
your job was to mitigate them, would you have liked to have
seen this whole report from McKinsey that identified the
problems so you didn't have to find them out?
Mr. Chao. I don't--I--actually, I don't think it was
necessary because I think this report was for--really for
Marilyn Tavenner and others, and it was written for that level
of consumption and that audience.
Mr. Murphy. But you haven't seen this so you don't know. Or
do you know?
Mr. Chao. I am just assuming that that is why I wasn't----
Mr. Murphy. OK, I just want you to stick with facts you
know. So--well, what I am seeing here is from March on,
Marianne Bowen, Jim Kerr, Todd Park, Brian Spivack, Michelle
Snyder, Gary Cohen, Bill Corr, Mike Hash, Aryana Khalid,
Kathleen Sebelius, William Schultz, Michelle Snyder, Marilyn
Tavenner, Mark Childress, Jeanne Lambrew and Ellen Montz all
had briefings on this. Are those any people you work with?
Mr. Chao. I have been in meetings with several of those
folks.
Mr. Murphy. Some of them. Since March and April?
Mr. Chao. Yes.
Mr. Murphy. And none of them raised any of these concerns
to you, and you identified yourself that your job was to
identify issues and mitigate them, but none of them
identified----
Mr. Chao. Within----
Mr. Murphy [continuing]. That, with all of these interviews
and the 200 documents reviewed, that there were these problems?
Mr. Chao. Within my day-to-day operational, you know,
requirements to manage the contract, to manage schedule, to
manage staff and----
Mr. Murphy. Yes, but what you don't measure, you can't
manage. And so I am concerned that this list of people who you
work with were not communicating to you this document that you
knew something existed because you, indeed, were interviewed on
it yourself, but here we have this messy rollout that didn't
work, that crashed, that only 6 people signed up the first day,
and we still are concerned about problems, and yet it is
puzzling to me why these key people just didn't talk to you
about it. They gave you no hints that this existed?
Mr. Chao. Perhaps that--I just was not included in certain
discussions.
Mr. Murphy. Well, if you knew then what you know now, would
you have spoken up more with regard to rolling out this Web
site on October 1?
Mr. Chao. I wish I had the luxury of a time machine to go
back and change things, but I can't do that.
Mr. Murphy. I understand that, but it is a matter that--did
you ask someone at that time for more time?
Mr. Chao. No.
Mr. Murphy. Why not?
Mr. Chao. Because my direction----
Mr. Murphy. From?
Mr. Chao [continuing]. Was from Marilyn Tavenner, is to
deliver a system on October 1.
Mr. Murphy. So Marilyn Tavenner said deliver October 1. She
had been in on these briefings from McKinsey that said there
were serious problems. She was in at least 2 of them I believe.
And this was at HHS Headquarters on April 4, she was there, and
also at the Eisenhower Executive Office Building on April 6.
She was there, she was briefed on these problems. She said move
it for October 1, and you, as the man who is in charge of
making sure this works, she didn't tell you that those problems
existed. Is that what you are saying today?
Mr. Chao. I can't comment on that. I----
Mr. Murphy. It is--well, it is either she told you or she
didn't tell you. I am just curious.
Mr. Chao. I don't think she told me in the context of this
briefing. I think we have status meetings all the time in which
we talk about ways to mitigate and to----
Mr. Murphy. You--so you met with her frequently over those
months, but she never brought up the extent of these concerns?
Mr. Chao. Not the McKinsey report, no.
Mr. Murphy. OK.
Mr. Chao. I think we talked about certainly about issues
and priorities for October 1.
Mr. Murphy. I see.
Well, I have no further questions, so, Mr. Chao, I
appreciate you spending so much time with us today. We are
going to take a real quick 5-minute break. We recognize our
next panel of witnesses has been sitting here for a while, so
we will be right back in 5 minutes.
And thank you again, Mr. Chao.
Mr. Chao. Thank you.
[Recess.]
Mr. Murphy. All right, this hearing is reconvened.
I would now like to introduce the witnesses in the second
panel for today's hearing, and thank you all for being so
patient and waiting.
Our first witness is Jason Providakes. He is the Senior
Vice President and General Manager for the Center for Connected
Government at MITRE Corporation. He is also the Director of the
Centers for Medicare and Medicaid Services Alliance to
Modernize Medicare. Our second witness is Maggie Bauer. She is
the Senior Vice President of Health Services at Creative
Computing Solutions, Inc., also known as CCSi. She has
extensive operations management experience in consulting,
program management, IT infrastructure services, software
development, lifecycle and end-user support on service-level
driven, performance-based programs. And our third witness is
David Amsler. He is the Founder, President and Chief
Information Officer at Foreground Security, Inc. He has more
than 15 years of IT security experience, and he oversees the
overall customer-centered vision and direction of Foreground
Security, its industry-leading offerings and day-to-day
operations.
I will now swear in the witnesses.
You are all aware that the committee is holding an
investigative hearing, and when doing so, has the practice of
taking testimony under oath. Do you have any objections to
testifying under oath?
Ms. Bauer. No.
Voices. No.
Mr. Murphy. All the witnesses are in the negative there.
The Chair then advises you that under the rules of the House
and the rules of the committee, you are entitled to be advised
by counsel. Do any of you desire to be advised by counsel
during your testimony today?
Voices. No.
Mr. Murphy. And all the witnesses have said no. In that
case, would you please rise, raise your right hand and I will
swear you in.
[Witnesses sworn.]
Mr. Murphy. And all the witnesses responded, ``I do.''
You are now under oath and subject to the penalties set
forth in Title XCIII, Section 1001 of the United States Code.
You may now give a 5-minute opening summary of your
statement, Mr. Providakes.
STATEMENTS OF JASON PROVIDAKES, SENIOR VICE PRESIDENT, CENTER
FOR CONNECTED GOVERNMENT, THE MITRE CORPORATION; MAGGIE BAUER,
SENIOR VICE PRESIDENT, CREATIVE COMPUTING SOLUTIONS, INC.; AND
DAVID AMSLER, PRESIDENT AND CHIEF INFORMATION OFFICER,
FOREGROUND SECURITY, INC.
STATEMENT OF JASON PROVIDAKES
Mr. Providakes. Yes. All right, well, good morning,
Chairman Murphy, and Ranking Member DeGette. My name is Jason
Providakes, and I am here today on behalf of the MITRE
Corporation. I serve as the director of the not-for-profit,
Federally funded research and development center, operated by
MITRE and sponsored by the U.S. Department of Health and Human
Services.
The MITRE Corporation is chartered in the public interest
to apply systems engineering skills and advanced technology, to
address issues of critical national importance. We accomplish
this through operation of research and development centers that
support our Government sponsors with scientific research and
development, analysis and systems engineering and integration
as well.
Known as Federally funded research development centers,
they are operated under a set of rules and constraints
prescribed by the Federal acquisition regulations. The rules
are designed to preserve the FFRDC's objectivity and independence
and freedom from conflict of interest.
MITRE operates FFRDC centers for seven Federal agency
sponsors. We were awarded the contract to operate the CMS
Alliance to Modernize Healthcare center about a year ago
following a competitive bid. The center was charged with
assisting CMS in modernizing its operation, and supporting the
implementation of health reform, and the expansion of health
care to millions of Americans.
MITRE serves as a technical, independent objective advisor
to CMS. We have been supporting CMS successfully since about
2005 on a contract basis, prior to the establishment of the new
center. We advise on health IT, helped plan and develop future
policies, we provide technical evaluations and objective
evaluation of business models, and assess new technology.
As part of its efforts to establish Healthcare.gov, CMS
asked MITRE to conduct security assessments on parts of the
site. And I appreciate the opportunity to clarify what our role
was in assisting CMS on Healthcare.gov. We provide CMS with
information security support and guidance under two contracts;
the Office of Information Systems, and Enterprise Information
Systems Group. Pursuant to tasks issued under those contracts,
MITRE performed a total of 18 security control assessments, or
SCA's, for components across the range of CMS enterprise
systems. Most of these were performed on supporting
infrastructure and development components. Six of the SCA's
were directly related to Healthcare.gov, and were performed
between September of 2012 and September of 2013.
MITRE performs various tasks as part of overall support for
CMS enterprise security maintenance. A limited amount of that
support is in the form of external penetration testing relative
to CMS Web sites, including Healthcare.gov. MITRE is not in
charge of security for Healthcare.gov. We were not asked nor
did we perform end-to-end security testing. We have no view on
the overall safety or security status of Healthcare.gov.
MITRE did not and does not recommend approval of--or
disapproval of an authority to operate. Deciding whether and
when to grant an ATO is inherently a governmental function that
derives from the Government's assessment of overall risk
posture. In this case, the Government made its ATO decisions
based on a large set of inputs and factors, among which were 6
SCA's performed by MITRE. We do not have visibility into the
many other factors that went into the Government's ATO
decision. CMS did not advise MITRE whether or when ATO's were
granted for the marketplace components being tested. In this
case, the Government made its ATO decisions based on a large
set of data.
Again, we were not asked to conduct end-to-end testing,
rather we tested specific parts of Healthcare.gov, under a set
of specific parameters established by CMS. We worked alongside
the CMS-designated contractor in the course of testing to
remediate risks as high, and in almost all cases, we succeeded.
Our testing was accomplished in accordance with standard SCA
engineering methodologies. In each case, we assessed component
security control risks against CMS-defined security control
parameters, on a high, moderate to low scale, and we
recommended appropriate risk mitigations.
On-site security control assessment testing typically
begins on a Monday and wraps up within a week. Testing
against CMS-defined security control parameters over the
course of 5 days, MITRE identifies the risks and
assigns remediation priorities for risks judged to be at high
and moderate levels. Security testing is designed to flush out
and pinpoint the security weakness of a digital information
system. This enables corrective remediations to be applied, and
also allows the system operator to make necessary business
judgments and tradeoffs about the overall system.
Because our role in performing the security control tests
was limited in both time and scope, MITRE has no insight into
how assessed security control risks were handled, or what other
risks may have surfaced subsequent to the date of testing.
Judgments about the potential impact of assessed security
control risks on overall system operation or performance were
business judgments made by CMS as part of the operating
authority.
Through our broader partnership with the Federal
Government, we remain committed to assisting CMS in working to
enhance the care and delivery of health care for all Americans.
I would be happy to respond to your questions. Thank you.
[The prepared statement of Mr. Providakes follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Murphy. Thank you.
Now turn to Ms. Bauer for her opening statement.
STATEMENT OF MAGGIE BAUER
Ms. Bauer. Good afternoon, Chairman Murphy, Ranking Member
DeGette. My name is Maggie Bauer, and I am a Senior Vice
President at Creative Computing Solutions, Inc., CCSi.
I have responsibility for CCSi's Federal health contracts,
including the Centers for Medicare and Medicaid Services,
Veterans Affairs, the Department of Health and Human Services
National Institutes of Health, and the Military Health Service.
In addition to health-related services, CCSi delivers
program and project management services, cyber security
services and enterprise systems engineering, exclusively to the
Federal Government.
CCSi was founded in 1992 by Dr. Manju Bewtra.
In August of 2012, CMS awarded CCSi a contract to provide
security oversight of the CMS e-cloud. The e-cloud refers to
CMS's virtual data center, which hosts systems and applications
that support the Affordable Care Act. Foreground Security is
their subcontractor, and we function as a fully integrated
team.
CCSi's role on this contract is to provide security
operations monitoring and management, including 24 by 7 by 365
security monitoring from a secure operation center, otherwise
known as a SOC. We monitor the perimeter firewalls and network
devices for the e-cloud, and we scan applications for security
incidents. These scans do not measure or track availability,
up/downtimes or latency. If we detect an anomaly, we follow the
CMS-approved incident response plan procedures for identified
security incidents, such as network security configuration
flaws or vulnerabilities in the network, security devices or in
applications. CCSi's contract does not extend to remediating
security incidents.
CCSi's scope of work includes configuration, tuning,
monitoring and management of CMS Government-furnished equipment
that resides in the Verizon Terremark security monitoring zone.
We review log files, we conduct event analysis, we provide
reporting on security incidents, all of this under the
direction and supervision of CMS.
Activities involving the development, scaling, testing,
release or administration of the Federal Exchange Program,
Healthcare.gov, the Federal Exchange, or the Federally
Facilitated Marketplace are not within the scope of our
contract.
I would be pleased to answer any questions that you have.
Thank you.
[The prepared statement of Ms. Bauer follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Murphy. Thank you, Ms. Bauer.
Mr. Amsler, you are recognized for 5 minutes.
STATEMENT OF DAVID AMSLER
Mr. Amsler. Thank you, sir.
Chairman Murphy, Ranking Member DeGette, members of the
subcommittee, good afternoon and thank you for inviting me to
testify at this hearing on the security of the Web site,
Healthcare.gov.
I am the president and chief information officer of
Foreground Security. I also founded the company. We provide
cyber security consulting, training and services for both
private-sector and Government agencies. Our clients include
Fortune 100 companies, smaller but highly targeted firms, and
Government agencies.
We defend our customers against an increasingly intricate
threat and threat actors, through an integrated approach that
entails building security architecture and assessing,
monitoring and responding to attacks against our customer
environments.
Foreground Security is a small but growing dedicated cyber
security business located in Herndon, Virginia, and Florida.
Our roughly 100 employees are highly trained and committed to
serving our clients.
Foreground Security is one of the companies hired to help
develop a robust operational security management program for
the new virtual data center created to implement the Affordable
Care Act. We are subcontracted to our teammate, Creative
Computing Solutions, Inc., or CCSi, which is the prime
contractor for the Centers for Medicare and Medicaid Services.
Our role with CCSi includes a number of objectives relating
to the security environment of Healthcare.gov. I think of our
role as encompassing 3 phases. First is the creation of the
security monitoring environment. This entailed getting key
staff in place, identifying needed security monitoring software
and hardware, and building out a dedicated security operation
center, or SOC, from which all monitoring is performed. Second
is building those security monitoring capabilities identified
in phase 1 into the cloud environment itself. This has been the
most challenging part of our contract, in large part because we
have had to construct security monitoring capabilities while
the system itself is being built. Our work on this phase
continues. And third is actually monitoring the environment,
which itself can be thought of as having two components. One is
day-to-day, continuously searching for malicious activities
including reporting and defending against them when they do
occur. The other is monitoring known malicious actors or groups
in advance of attacks to proactively identify the techniques or
tactics they may be using or planning to use to compromise this
environment. These are our main and State responsibilities
relating to the security environment.
We have worked very closely with CMS and Verizon Terremark
on all phases of our work. CMS reviews and approves any
capability we place in the environment, and Verizon Terremark,
as the host of the environment, helps determine what security
measures are placed in the virtual data center.
Perspective on our role is important. While our work for
CMS is essential, it is narrowly focused, and we were not
involved in the design of the site, developing the software
that runs it, or its administration. To that end, we do not
monitor the site for performance purposes. Foreground Security
is just 1 member of the security team; in addition to the other
companies represented here today on this panel, Verizon
Terremark, URS, CGI and QSSI all play key roles in developing
and testing the security of Healthcare.gov.
I am proud of the work that Foreground Security has
undertaken and continues to undertake in order to allow
families and individuals looking for health insurance to use
the Healthcare.gov Web site, secure in the knowledge that their
personal information is being protected with state-of-the-art
monitoring and defenses. To this point, Foreground Security has
fulfilled its obligations to CMS on time and under budget. We
are dedicated to the secure operation of Healthcare.gov, and
take extremely seriously the obligations to the public trust.
I welcome any questions you may have.
[The prepared statement of Mr. Amsler follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Murphy. Thank you, Mr. Amsler.
Couple of questions I want to begin with. First of all, I
will start with you, Mr. Amsler. You were here throughout Mr.
Chao's testimony, all three of you were. Do you have any
concerns about any comments that were made by Mr. Chao?
Mr. Amsler. I wouldn't have any specific concerns----
Mr. Murphy. Ms. Bauer?
Mr. Amsler [continuing]. I would like to voice.
Ms. Bauer. No.
Mr. Murphy. Mr. Providakes?
Mr. Providakes. No concerns.
Mr. Murphy. All right. Mr. Amsler, you had said that in
addition to the other companies represented today in this
panel, Verizon Terremark, URS, CGI and QSSI, all played key
roles in developing and testing the security of Healthcare.gov.
Are you also referring to Ms. Bauer's company played a role in
this?
Mr. Amsler. I view them as our teammate, I view them as one
of us.
Mr. Murphy. Because I thought in her testimony she said
that they were not that involved. So let me ask you, with this
many companies involved, who did you all report to?
Mr. Amsler. Well, our customer was CMS, and the security
team----
Mr. Murphy. Person. Is there a person?
Mr. Amsler. Our direct Government technical lead, his name
is Tom Shankweiler.
Mr. Murphy. And with regard to this, with all of these
companies involved playing key roles in developing and testing
security, is that typical to have so many companies involved as
opposed to one that is trying to do the end-to-end work on
this?
Mr. Amsler. Well, we have experienced all sizes of
implementations. This one is obviously, certainly one of the
largest that I have ever seen undertaken. I have certainly seen
lots of people involved, but probably not this many.
Mr. Murphy. Mr. Providakes, is this typical to have so many
companies involved in dealing with the security in a site?
Mr. Providakes. Not really number of companies that were
involved, but having two or three is not untypical to have on
the complexity of a site like this.
Mr. Murphy. I just wondered if that added to the complexity
of trying to monitor security of the site.
Mr. Providakes. If it is well-managed from a program
perspective----
Mr. Murphy. Was it well-managed?
Mr. Providakes. I would not know.
Mr. Murphy. From your perspective?
Mr. Providakes. I don't--we weren't involved in that level
of insight on that. I believe, you know----
Mr. Murphy. All right, Ms. Bauer, were you involved in that
level, and was it well-managed from your point of view?
Ms. Bauer. Our management from CMS has been on a very
regular basis. We have daily meetings, in fact, since
Healthcare.gov went live. Those meetings actually began, or
ramped up I should say, to hourly and then back to about
every 4 hours, and now they are on a shift basis of three times
a day.
Mr. Murphy. Well, you just said activities involving the
development, scaling, testing, release or administration of the
Federal Exchange Program system, Healthcare.gov, the Federal
Exchange or the Federally Facilitated Marketplace, or FFM, are
not within the scope of your contract. So you were not involved
in the security issues involved with those Web sites?
Ms. Bauer. The security, yes, but not the development,
scaling, or testing of the Healthcare.gov applications, per se.
Mr. Murphy. Were you involved with the testing of the
security?
Ms. Bauer. Yes.
Mr. Murphy. And was it working?
Ms. Bauer. Yes.
Mr. Murphy. At October 1?
Ms. Bauer. Everything that was under our scope.
Mr. Murphy. Under your scope.
Ms. Bauer. Yes----
Mr. Murphy. But in terms of----
Ms. Bauer [continuing]. Was functioning.
Mr. Murphy [continuing]. How it relates to other parts, you
don't know?
Ms. Bauer. I would not know that.
Mr. Murphy. OK. Mr. Amsler, how about for you, were your
parts working OK in your individual part, and was that also
tested with regard to the others?
Mr. Amsler. Congressman, to be clear, as far as our work is
concerned, our focus worked around operational monitoring
security and some testing, we absolutely were working. I can't
speak to the rest of the groups and the teams that were
involved in development, or even the SCA----
Mr. Murphy. What I am trying to find out, was that----
Mr. Amsler [continuing]. People who were not involved.
Mr. Murphy [continuing]. Typical, atypical, and would you
be concerned about how your parts worked in conjunction with
the site overall, or is that not typically a question you would
ask? Well, it is like this: If you design a part for a car and
you know your part is working, would you like to know if the
car works?
Mr. Amsler. Absolutely.
Mr. Murphy. And so that is what I am asking all of you,
would you have liked to have known that if your segments may
have worked on their own, but you didn't know whether or not it
worked at the whole system security. Is that correct, Mr.
Providakes?
Mr. Providakes. Well, that would be correct.
Mr. Murphy. Ms. Bauer?
Ms. Bauer. Yes.
Mr. Murphy. OK. Mr. Providakes, CMS adopted the security
controls you developed, correct?
Mr. Providakes. That is correct.
Mr. Murphy. And are these controls embedded in the
applications at the direction of CMS?
Mr. Providakes. They were assessed, but yes, they were
embedded for the configuration changes would be made based on
the configuration controls.
Mr. Murphy. And at what point of the application
development phase should security controls begin to be embedded
into the application?
Mr. Providakes. Well, at the production phase. Generally,
when we test with an SCA, we are assuming that we are looking
at the production-ready version of the application, and then we
apply those CMS security controls we talked about and assess
those against the production-ready version of that application.
Mr. Murphy. Are they embedded into the architecture of
Healthcare.gov?
Mr. Providakes. The overall CMS enterprise security
controls are to be applied across all the systems of
Healthcare.gov.
Mr. Murphy. So they should be embedded then into
Healthcare.gov?
Mr. Providakes. It should be.
Mr. Murphy. Were they?
Mr. Providakes. I have no way of knowing that.
Mr. Murphy. Ms. Bauer, do you know if they were?
Ms. Bauer. I do not know.
Mr. Murphy. Mr. Amsler?
Mr. Amsler. I wouldn't know the answer to that.
Mr. Murphy. OK. But you all worked on these security parts.
We don't know if they were embedded and you don't know if
anybody did testing, but you would have liked to have seen
that. Am I correct with all of you?
Mr. Providakes. No, just parts. Just some parts.
Mr. Murphy. Ms. Bauer, correct?
Ms. Bauer. Correct.
Mr. Murphy. Mr. Amsler?
Mr. Amsler. Correct.
Mr. Murphy. Thank you.
And now I will yield to Ms. DeGette for 5 minutes.
Ms. DeGette. Thank you, Mr. Chairman.
As Mr. Chao testified, it is part of CMS's protocols that
they hire independent contractors to test different parts of
the security aspects of the site. Is that your understanding as
well, Mr. Providakes?
Mr. Providakes. Yes, it is.
Ms. DeGette. And is it yours, Ms. Bauer?
Ms. Bauer. Yes.
Ms. DeGette. And is it yours, Mr. Amsler?
Mr. Amsler. Yes.
Ms. DeGette. So, Mr. Providakes, I want to ask you first.
You testified your company was not hired to perform end-to-end
security testing, is that correct?
Mr. Providakes. That is correct.
Ms. DeGette. And so what your job was to assess and
identify risks and specific components of Healthcare.gov, to
work with CMS and to address those concerns and report on the
findings and results. Is that correct?
Mr. Providakes. That is correct.
Ms. DeGette. And am I correct that in virtually all cases,
when you did identify high risks in Healthcare.gov components,
CMS was able to mitigate those risks before the system went
live?
Mr. Providakes. Yes. Almost all the high risks were
mitigated.
Ms. DeGette. And you said in your testimony--in your
written testimony, MITRE is not in charge of security for
Healthcare.gov. We were not asked, nor did we perform, end-to-
end security testing. We have no view of the overall safety or
security status of Healthcare.gov. That is because you were
only asked to do a narrow assessment of part of it, right?
Mr. Providakes. A narrow assessment in scope and in a time
that is----
Ms. DeGette. In time.
Mr. Providakes. In time.
Ms. DeGette. Now, I just want to ask you, what is your
personal view of the overall safety or security of
Healthcare.gov, having worked on this, at least some aspects of
it?
Mr. Providakes. Well, my personal perspective----
Ms. DeGette. Uh-huh.
Mr. Providakes [continuing]. Knowing CMS experience in the
past, as Henry Chao alluded to, they do a very solid job in
terms of securing their systems--
Ms. DeGette. And----
Mr. Providakes [continuing]. Historically.
Ms. DeGette. And what you were doing was part of the same
types of things CMS has done to secure their systems in the
past----
Mr. Providakes. That is correct.
Ms. DeGette [continuing]. Is that right?
Mr. Providakes. That is correct.
Ms. DeGette. Ms. Bauer--now, as I understand it, Mr.
Amsler, your company works sort of as a subcontractor of Ms.
Bauer's company. Is that right?
Mr. Amsler. Yes.
Ms. DeGette. OK. So what you folks do is your company--CCSi
monitors the firewalls and network devices for the e-cloud that
hosts Healthcare.gov, and scans the Web site's application for
security vulnerabilities. Is that correct?
Ms. Bauer. That is correct.
Ms. DeGette. And on October 22, you briefed this committee,
and I want to ask you, at that time, had you detected any
activity that you would consider to be out of the ordinary for
a system like this?
Ms. Bauer. Not out of the ordinary, no.
Ms. DeGette. OK. And are you continuing to monitor the Web
site moving forward?
Ms. Bauer. Yes, we continue to perform all the functions of
our contract.
Ms. DeGette. And why is that?
Ms. Bauer. I am sorry?
Ms. DeGette. Why are you continuing to monitor the
functions?
Ms. Bauer. Because that is the scope of our contract, is to
continually----
Ms. DeGette. OK. And have you----
Ms. Bauer [continuing]. Monitor it.
Ms. DeGette. Have you detected any activity since October
22 that you considered to be out of the ordinary?
Ms. Bauer. We would detect activity on a daily, if not
hourly basis. That is part of the nature of security
monitoring. Whether it is extreme or out of the ordinary, there
is nothing that has been brought to my attention that would----
Ms. DeGette. And would that be then reported to CMS?
Ms. Bauer. Yes, there is an incident response plan, and we
follow the procedures of that plan.
Ms. DeGette. And have you seen anything that would indicate
some terrible problem with the Web site vis-a-vis security?
Ms. Bauer. Nothing that I have seen or that has been
escalated to me, no.
Ms. DeGette. OK. And there is another contractor as I
understand that has also been asked to look at other aspects,
and that is Verizon. They are not here today. Is that your
understanding as well?
Ms. Bauer. Yes. Yes.
Ms. DeGette. So Ms. Bauer, has your company worked with CMS
before? Mr. Providakes said his has on security issues.
Ms. Bauer. No, we have not, but we----
Ms. DeGette. OK.
Ms. Bauer [continuing]. Have other security work.
Ms. DeGette. OK. And Mr. Amsler, what about your company?
Mr. Amsler. Not directly for CMS----
Ms. DeGette. OK.
Mr. Amsler [continuing]. But other HHS----
Ms. DeGette. OK, so you wouldn't know whether this is--kind
of mirrors other security activity with CMS. But, Mr.
Providakes, you are telling me that, with what your company has
done before, you are seeing a similar concern and readiness for
security applications?
Mr. Providakes. Well, what I said was that following CMS's
approach towards security, they do execute, you know, 10, 20,
70 SCA's a year that we actually executed for CMS. So part of
their process is, before they execute an ATO, they look for the
input of these SCA's, which is a very rigorous process, a
definition, defined in a parameter in a moment of time that we
would conduct these SCA's for CMS as input to the ATO process.
Ms. DeGette. Right. OK, thank you.
Thanks, Mr. Chairman. I appreciate it.
Mr. Murphy. Let me ask clarification of something Ms.
DeGette said.
Mr. Providakes. Sure.
Mr. Murphy. She asked you a question about CMS and their
work on this, and you used the word historically. Were you
referring then to the Healthcare.gov Web site or in the past
they were?
Mr. Providakes. No. In the past. Broadly across CMS in
terms of their security rigor that they apply across their
systems.
Mr. Murphy. Thank you.
Mr. Olson, you are recognized for 5 minutes.
Mr. Olson. I thank the Chair. I mostly want to thank the
witnesses for your patience being here. It has been a long day,
I know that.
Very brief questions. I mean, getting Healthcare.gov up and
running is not rocket science, and that is good because if it
were, we would still be waiting to land on the moon over 50
years later.
You may have seen the McKinsey report, the Red Team report.
Have you all seen that?
Ms. Bauer. I have not.
Mr. Olson. OK. I will get the copies to you. I just want to
ask some questions about the report. And I apologize that you
haven't seen it, but it compares on page 4 ideal, large-scale
programs and the current state of Healthcare.gov. And I want
to--just some yes-or-no questions, do you agree with the
statements from this report. And again, it is compared to
large-scale program development ideal program with the
characteristics of Healthcare.gov. The first ideal situation,
clear articulation of requirements and success metrics in
Healthcare.gov, evolving requirements and multiple definitions
of success. Do you agree with those assessments that that is
ideal, and that is what has happened with Healthcare.gov, Mr.
Providakes? Yes or no, sir? Don't want to put you on the spot.
Mr. Providakes. It is very difficult to answer that
question. Is that a hypothetical question in terms of----
Mr. Olson. Hypothetical, yes, sir. I mean the ideal program
is in clear articulation and has that happened on
Healthcare.gov?
Mr. Providakes. In the best world, you would love to have
clear articulated requirements upfront that you can design to,
build to, test to, and that would be great, although it is
rare, but that would be great.
Mr. Olson. OK, involving requirements with Healthcare.gov,
has that been a problem?
Mr. Providakes. I am not sure of the number of
requirements. I would think there were quite a number of
requirements for Healthcare.gov.
Mr. Olson. Ms. Bauer?
Ms. Bauer. I would--just having looked at it briefly, I
would agree with----
Mr. Olson. I apologize for that, ma'am.
Ms. Bauer. I would agree with the description of ideals--
the ideal situation, however, I wouldn't have insight into the
current situation because that involves the development of
Healthcare.gov----
Mr. Olson. OK.
Ms. Bauer [continuing]. Which is not within the scope of
our contract.
Mr. Olson. Mr. Amsler?
Mr. Amsler. I would--ideal is--I agree with ideal. Again,
we weren't involved in those aspects, so I couldn't speak to
it.
Mr. Olson. How about the program that ideal is sequential
requirements design, build and testing, integration, revision
between phases, and what the current situation is parallel
stacking of all phases. Do you agree, Mr. Providakes? I
apologize, sir, for not----
Mr. Providakes. That is fine. If----
Mr. Olson [continuing]. Pronouncing--would idealism work?
Mr. Providakes. It would create significant challenges to
the program office to deliver that.
Mr. Olson. Has there been parallel stacking?
Mr. Providakes. It would be a significant challenge to do
that.
Mr. Olson. Ms. Bauer?
Ms. Bauer. I would agree with that statement.
Mr. Olson. Mr. Amsler?
Mr. Amsler. Agree.
Mr. Olson. OK, how about interim integrated operations and
testing is ideal. I think we all agree with that. And what has
happened is insufficient time and scope of end-to-end testing.
Would you all agree with those statements, yes or no?
Mr. Providakes. I guess in the context you put it, you are
saying is there a limited end-to-end testing, and given the
fact that you have a hard date, I would surmise they had
limited time to end-to-end testing. It doesn't mean you
couldn't have done it, it just meant there is limited time to
do it.
Mr. Olson. Ms. Bauer?
Ms. Bauer. Yes, generally I would agree. I would have no
insight though into what the increments were as regards to
schedule, but, you know, you could create milestones and
achieve ideally just about any goal if you create the
milestones and achieve them on the way to the goal.
Mr. Olson. Mr. Amsler?
Mr. Amsler. End-to-end testing for me is pure security.
That is the world we live in, and that is the world that we
only live in. We can achieve a lot testing along the way, but I
would certainly--I always shoot for ideal. Ideal would be end-
to-end testing.
Mr. Olson. And ideal a limited initial launch or a full
launch? Not ideal. Last question. Yes or no, do you agree with
those statements? Launching at full volume is not very good,
limited initial launch what we should be seeking?
Mr. Providakes. Well, limited launch increases the risk,
obviously, than a full. It is an increased risk.
Mr. Olson. Yes. Ms. Bauer?
Ms. Bauer. I would actually suggest that perhaps a limited
launch would have had a lower risk, and that a full launch may
have a larger risk, whatever system you would be deploying.
Mr. Olson. Mr. Amsler?
Mr. Amsler. I agree with Ms. Bauer's statement.
Mr. Olson. Well said, sir.
And one final question. Again, I am not trying to put you
on the spot, but with all your knowledge about how this program
rolled out, are you comfortable putting yourselves' and your
families', putting your personal information into
Healthcare.gov?
Mr. Providakes. I have.
Mr. Olson. You are comfortable? Yes.
Mr. Providakes. That is a personal choice that you have to
make based on, in my case, where knowing the limited amount of
personal information I put up there and other information, I
feel comfortable personally, but that might not apply to
everyone.
Mr. Olson. Ms. Bauer, yes or no, ma'am, comfortable?
Ms. Bauer. Yes.
Mr. Olson. Mr. Amsler?
Mr. Amsler. I am actually very happy with my current health
care.
Mr. Olson. Oh boy, you are trying to open a hornet's nest
there.
Mr. Murphy. Well, too bad you can't keep it.
Mr. Olson. That is my time.
Mr. Murphy. What it comes down to. Gentleman's time has
expired.
Ms. DeGette, you have a clarifying question?
Ms. DeGette. Thank you, Mr. Chairman.
The questions that Mr. Olson was asking you folks were on
this McKinsey document that we spent so much time with the last
witness talking about, tab 1 of the notebook. Have you seen
that report before, Mr. Providakes?
Mr. Providakes. I am familiar with this report.
Ms. DeGette. OK. Ms. Bauer, have you seen it?
Ms. Bauer. No, I have not.
Ms. DeGette. And, Mr. Amsler, have you seen it?
Mr. Amsler. I have not.
Ms. DeGette. OK. So, Mr. Providakes, the 2 of you--Ms.
Bauer and Mr. Amsler, any answers you were giving were really
just based on speculation, since you haven't seen it and
weren't involved with it, is that right?
Ms. Bauer. Yes.
Ms. DeGette. Mr. Amsler?
Mr. Amsler. That is correct.
Ms. DeGette. OK, Mr. Providakes, so Mr. Olson was asking
you about some of these recommendations. This is from last
spring. It was a snapshot in time. On page 4 of that report, at
the bottom where he was talking about evolving requirements,
multiple definitions of success, et cetera.
Mr. Providakes. Um-hum.
Ms. DeGette. The part he forgot to mention, which was the
part also I noticed they forgot to mention when the previous
witness was up, is the part that is in the box in bold type at
the bottom of all of those current situation bullets, which
says, CMS has been working to mitigate challenges resulting
from program characteristics. Do you see that?
Mr. Providakes. I do see it.
Ms. DeGette. What does that mean to you?
Mr. Providakes. Well, it means to me that they recognize
the risks and the challenges of the program, and they were
looking at options or mitigation approaches that would minimize
the risks.
Ms. DeGette. So CMS hired McKinsey to do an evaluation of
the program and come up with some concerns that they could then
work to mitigate. Is that right?
Mr. Providakes. Only what I--yes.
Ms. DeGette. And that is the same reason they hired your
company to do security assessments, is to find places where
there might be problems, and to make recommendations that they
could then work to mitigate. Is that right?
Mr. Providakes. That is correct. Identify risks, mitigate
risks.
Ms. DeGette. And in your view, at least the recommendations
your company made, did they, in fact, work to mitigate those
risks?
Mr. Providakes. In the context of the SCA, yes.
Ms. DeGette. Thank you very much, Mr. Chairman. I have no
further questions.
Mr. Murphy. OK, had you seen this document before today,
Mr. Providakes?
Mr. Providakes. I am familiar of the document. It has been
a while.
Mr. Murphy. But--so you are familiar. So when they say they
have been working to mitigate challenges, you are personally
aware that some of these mitigations were taking place, or you
are just saying so today?
Mr. Providakes. No, I had no idea of what mitigation--
whether they took the recommendations of this or not----
Mr. Murphy. I was curious because you were drawing a
conclusion, but I didn't know if you had--so that is based
upon----
Mr. Providakes. Based upon----
Mr. Murphy [continuing]. Just a guess today, OK.
Mr. Providakes. Exactly, yes.
Mr. Murphy. Quick thing. Mr. Amsler, while developing the
security measures for the cloud environment, have you
encountered any challenges at all?
Mr. Amsler. Certainly lots of challenges along the way.
Congressman, did you mean more implementing them or certain
things?
Mr. Murphy. Some things that are different from what you
are used to here, or anything standing out to you that is a
concern with regard to the cloud environment or the security
there?
Mr. Amsler. Well, the cloud in and of itself brings a
unique set of challenges that any--us in the industry are all
trying to deal with. It----
Mr. Murphy. That is a system that you can't necessarily
correct right now with a cloud environment. On its own, it is a
secure concern.
Mr. Amsler. Agreed. It is our biggest--one of our biggest
challenges that we are facing as an industry today, that being
the cyber security industry.
Mr. Murphy. Who is in charge of that cloud environment?
Mr. Amsler. Verizon Terremark is, and I assume you mean
actually owns it----
Mr. Murphy. Yes.
Mr. Amsler [continuing]. And controls it.
Mr. Murphy. And how difficult is it to develop these
security measures while the system is being built?
Mr. Amsler. That would not be ideal.
Mr. Murphy. Do you have all the tools and capabilities now
to successfully and fully monitor this system?
Mr. Amsler. I am a unique animal in that I live, eat and
breathe cyber security, and as a company, we do----
Mr. Murphy. I understand.
Mr. Amsler [continuing]. So we always strive for better. I
am always striving to make it the best that I can.
Mr. Murphy. Do you have all the tools now you need to fully
monitor the system?
Mr. Amsler. We have a set of controls that exceed any
standard set of controls----
Mr. Murphy. I understand you are trying to do a great job.
I appreciate that. I am just trying to get a sense of have you
been limited in any way in your ability to do all the things
you would like to do with your excellent team in place?
Mr. Amsler. There are some things that we have asked for
that are not in place as of yet.
Mr. Murphy. Tell me, such as what?
Mr. Amsler. These were--they are very technical in nature.
Again, we have a standard set of controls----
Mr. Murphy. Sure.
Mr. Amsler [continuing]. Or we are shooting for more.
Ms. DeGette. Mr. Chairman, we might want to have him give
us that information----
Mr. Murphy. Yes, could you let us know that?
Ms. DeGette [continuing]. And provide it.
Mr. Amsler. I would be happy to.
Mr. Murphy. Or is that something you would like to do in
private instead of public? Would that be better?
Mr. Amsler. I would be happy to get with my team and get
with the----
Mr. Murphy. I appreciate that. Ms. Bauer, do you have all
the tools necessary to fully----
Ms. Bauer. Well, our answers are essentially the same
because we are an integrated team.
Mr. Murphy. I see.
Ms. Bauer. I would agree with Dave.
Mr. Murphy. All right. And, Mr. Providakes, do you have all
the tools necessary to fully do your work here?
Mr. Providakes. Well, we are in a slightly different role,
but, yes.
Mr. Murphy. I see. So let me ask this then, with regard to
how things are. Have there been any attempts under what you
have monitored, Ms. Bauer and Mr. Amsler, any attempts to hack
into the system that you can tell?
Mr. Amsler. Congressman, the simple answer is yes. The
longer answer is I don't have an environment where it is not
being attacked today, though.
Mr. Murphy. I understand. So with regard to this, then, is
the system now--are you saying that it is fully secure from
external hackers trying to get in?
Mr. Amsler. You know, I am never--we live in a world of not
if but more when.
Mr. Murphy. Um-hum.
Mr. Amsler. That is the nature of the world we live in
today. So I can never give you a guarantee that someone is not
going to get in. It is probably going to happen at some point,
but we have designed it to limit the damage and identify it as
quick as possible.
Mr. Murphy. So we can't at this point sign off and say the
system is fully secure. It is an ongoing process, you are
saying?
Mr. Amsler. It is an always ongoing process. Today I feel
comfortable with the capabilities we have put in place, but I
am always striving for more.
Mr. Murphy. I understand. And, Ms. Bauer, would you agree
with that assessment?
Ms. Bauer. I would. Dave is answering it from a very----
Mr. Murphy. You have to talk into the microphone, I can't
hear you.
Ms. Bauer [continuing]. Very technical perspective, but I
would say that from our perspective with regard to the tools
and appliances we have in place, right now today, the system is
secure. As Dave says, security is always evolving, it is always
dynamic and ongoing, and we are always going to want to do
better and keep on top of the latest technology, the latest
appliances, so it will always be maturing. But as regards the
scope of our contract and the appliances and tools and
processes we have in place, we are confident----
Mr. Murphy. I mean, I appreciate your standards of
excellence, and I appreciate you understand this is an evolving
process, but given the concerns for security, what I am hearing
from you is nobody can really give 100 percent guarantee that
this Web site is secure with regard to the data that it has in
it, the personally identifiable information as people put those
things in there. No one can guarantee that some hacker isn't
going to try and get into it, and that they will continue to
try and probe until they get through. Is that what you are
saying?
Mr. Amsler. But I also would say the same thing about
Facebook or any banking Web site as well.
Mr. Murphy. Sure.
Mr. Amsler. It is just unfortunately the world we live in
today.
Mr. Murphy. I appreciate that. Same with you, Ms. Bauer?
Ms. Bauer. Yes, and I think that the critical factor is the
rigor with which we have procedures in place to identify any
risks, any vulnerabilities, and then work to mitigate them. And
we have very robust procedures in place for that.
Mr. Murphy. Very good. Well, I appreciate the comments from
the panel today, and I ask unanimous consent that the written
opening statements of other members be introduced into the
record, and without objection, those documents will be in the
record.
[The information follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Mr. Murphy. I also ask unanimous consent that the contents
of the document binder be introduced into the record, and I
authorize staff to make appropriate redactions. And without
objection, the documents will be entered into the record with
any redactions that staff determines are appropriate.
[The information appears at the conclusion of the hearing.]
Mr. Murphy. So in conclusion, I would like to thank all the
witnesses and members that participated in today's hearing. I
remind members they have 10 business days to submit questions
for the record, and I ask that the witnesses all please agree
to answer promptly to the questions, and we will work out some
mechanism to answer some of them in confidential, in-camera
discussions.
And with that, this hearing is concluded.
[Whereupon, at 1:30 p.m., the subcommittee was adjourned.]
[Material submitted for inclusion in the record follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]