<html>
<title>A ROADMAP FOR HACKERS?--DOCUMENTS DETAILING HEALTHCARE.GOV SECURITY VULNERABILITIES</title>
<body><pre>[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]


  A ROADMAP FOR HACKERS?--DOCUMENTS DETAILING HEALTHCARE.GOV SECURITY
                            VULNERABILITIES

=======================================================================

                                HEARING

                               before the

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             SECOND SESSION

                               __________

                            JANUARY 28, 2014

                               __________

                           Serial No. 113-141

                               __________

Printed for the use of the Committee on Oversight and Government Reform
         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform

                                 --------

                        U.S. GOVERNMENT PRINTING OFFICE

90-891 PDF                     WASHINGTON : 2014
_____________________________________________________________________

                      For sale by the Superintendent of Documents,
        U.S. Government Printing Office Internet: bookstore.gpo.gov
     Phone: toll free (866) 512-1800; DC area (202) 512-1800
                   Fax: (202) 512-2104 Mail: Stop IDCC,
                          Washington, DC 20402-0001


                 COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                 DARRELL E. ISSA, California, Chairman
JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland,
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JOHN J. DUNCAN, JR., Tennessee       CAROLYN B. MALONEY, New York
PATRICK T. McHENRY, North Carolina   ELEANOR HOLMES NORTON, District of
JIM JORDAN, Ohio                         Columbia
JASON CHAFFETZ, Utah                 JOHN F. TIERNEY, Massachusetts
TIM WALBERG, Michigan                WM. LACY CLAY, Missouri
JAMES LANKFORD, Oklahoma             STEPHEN F. LYNCH, Massachusetts
JUSTIN AMASH, Michigan               JIM COOPER, Tennessee
PAUL A. GOSAR, Arizona               GERALD E. CONNOLLY, Virginia
PATRICK MEEHAN, Pennsylvania         JACKIE SPEIER, California
SCOTT DesJARLAIS, Tennessee          MATTHEW A. CARTWRIGHT,
TREY GOWDY, South Carolina               Pennsylvania
BLAKE FARENTHOLD, Texas              TAMMY DUCKWORTH, Illinois
DOC HASTINGS, Washington             ROBIN L. KELLY, Illinois
CYNTHIA M. LUMMIS, Wyoming           DANNY K. DAVIS, Illinois
ROB WOODALL, Georgia                 PETER WELCH, Vermont
THOMAS MASSIE, Kentucky              TONY CARDENAS, California
DOUG COLLINS, Georgia                STEVEN A. HORSFORD, Nevada
MARK MEADOWS, North Carolina         MICHELLE LUJAN GRISHAM, New Mexico
KERRY L. BENTIVOLIO, Michigan        Vacancy
RON DeSANTIS, Florida

                   Lawrence J. Brady, Staff Director
                John D. Cuaderes, Deputy Staff Director
                    Stephen Castor, General Counsel
                       Linda A. Good, Chief Clerk
                 David Rapallo, Minority Staff Director



                             C O N T E N T S

                              ----------

Hearing held on January 28, 2014

                                APPENDIX

Memo from James Kerr to Marilyn Tavenner, submitted by Chairman
  Issa


  A ROADMAP FOR HACKERS?--DOCUMENTS DETAILING HEALTHCARE.GOV SECURITY
                            VULNERABILITIES

                              ----------


                       Tuesday, January 28, 2014

                  House of Representatives,
      Committee on Oversight and Government Reform,
                                           Washington, D.C.
    The committee met, pursuant to call, at 10:05 a.m., in Room
2154, Rayburn House Office Building, Hon. Darrell E. Issa
[chairman of the committee] presiding.
    Present: Representatives Issa, Mica, Turner, Duncan,
Jordan, Chaffetz, Walberg, Lankford, Amash, Gosar, Meehan,
DesJarlais, Gowdy, Farenthold, Massie, Collins, Meadows,
Bentivolio, DeSantis, Cummings, Maloney, Norton, Tierney,
Lynch, Cooper, Connolly, Speier, Cartwright, Duckworth, Davis,
and Lujan Grisham.
    Staff Present: Brian Blase, Senior Professional Staff
Member; Molly Boyl, Deputy General Counsel and Parliamentarian;
Lawrence J. Brady, Staff Director; Joseph Brazauskas, Counsel;
Daniel Bucheli, Assistant Clerk; Caitlin Carroll, Press
Secretary; Sharon Casey, Senior Assistant Clerk; John Cuaderes,
Deputy Staff Director; Adam P. Fromm, Director of Member
Services and Committee Operations; Linda Good, Chief Clerk;
Meinan Goto, Professional Staff Member; Tyler Grimm, Senior
Professional Staff Member; Ryan M. Hambleton, Senior
Professional Staff Member; Frederick Hill, Deputy Staff
Director for Communications and Strategy; Christopher Hixon,
Chief Counsel for Oversight; Michael R. Kiko, Legislative
Assistant; Mark D. Marin, Deputy Staff Director for Oversight;
Ashok M. Pinto, Chief Counsel, Investigations; Laura L. Rush,
Deputy Chief Clerk; Sarah Vance, Assistant Clerk; Peter Warren,
Legislative Policy Director; Rebecca Watkins, Communications
Director; Tamara Alexander, Minority Counsel; Susanne Sachsman
Grooms, Minority Deputy Staff Director/Chief Counsel; Jennifer
Hoffman, Minority Communications Director; Chris Knauer,
Minority Senior Investigator; Julia Krieger, Minority New Media
Press Secretary; Elisa LaNier, Minority Director of Operations;
Una Lee, Minority Counsel; Juan McCullum, Minority Clerk; Dave
Rapallo, Minority Staff Director; Valerie Shen, Minority
Counsel; Mark Stephenson, Minority Director of Legislation; and
Cecelia Thomas, Minority Counsel.
    Chairman Issa. The committee will come to order.
    The Oversight Committee exists to secure two fundamental
principles. First of all, Americans have a right to know what
they get from their government and how the money is spent. And
second, they deserve an efficient, effective government that
works for them.
    Our duty on the Oversight and Government Reform Committee
is to protect these rights. Our solemn responsibility is to
hold government accountable to taxpayers because taxpayers have
a right to know what they get from their government. Our job is
to work tirelessly, in partnership with citizen watchdogs, to
deliver the facts to the American people and bring genuine
reform to the Federal bureaucracy.
    Before I make my opening statement, it is the chair's
intent to go into an executive session in order to protect any
items that may be disclosed as to vulnerabilities of the Web
site that as of today may or may not have been fully mitigated.
So I would advise all staff, members, and the audience that
once we go into executive session, we will only have cleared
personnel. For members it means stay here. For staff what it
means is that you will be asked to leave the room, go back out,
sign back in, and be recorded as here.
    Additionally, there are numbered packets for information
here at your desk. I would admonish all members that these
documents are not to be removed. They are committee documents,
but they are not personal documents. So you may use them and
read them here during the session, they will be available to
members and designated staff, but not to be removed. No copies
are to be made, and they are not to be removed.
    Lastly, these are unclassified documents. They have
absolutely no protection under classification to our knowledge.
Notwithstanding that, it is our obligation to treat these as
potentially sensitive until on a committee basis we are quite
comfortable that release would have no adverse effect on the
ability of the Web sites to remain up and unhacked.
    If there are any questions prior to going to executive
session, members may ask them, but I advise that they ask staff
beforehand so that we not waste anyone's time, since this is
not an ordinary procedure, but a necessary procedure.
    I will now recognize myself for an opening statement.
    Today's hearing will focus on several remaining questions
surrounding the security of HealthCare.gov. In particular, what
security risks and concerns were present when the Obama
administration decided to launch HealthCare.gov on October 1st;
what is being done to fix the critical security risk Web site
users are potentially still facing; and what limitations are
there on the latest security testing?
    When Americans submit their sensitive personal information
to HealthCare.gov or, I might add, when government takes
sensitive information, including your IRS information, and
makes it available through a Web site to outsiders, they
deserve to know that it is safe from hackers, bad actors, and
security glitches. The possibility of security breach is not
some vague, distant concern. It is a real and tangible threat
that could affect millions. Private companies devote entire
departments to bolstering their online security. They
understand the threat of cyber attack is always present and
that the consequences of a successful cyber attack can be
devastating.
    Sadly, the recent security breach at Target, Neiman Marcus,
and other companies which have resulted in millions of
Americans having their credit card information compromised is
an illustration of just how dangerous an attack can be.
    The Department of Health and Human Services has repeatedly
assured the American public that their sensitive, personally
identifiable information transmitted by HealthCare.gov is safe
and secure, but because officials authorized the launch of the
Web site full of functional errors, Americans have deep
skepticism that the site was, in fact, secure. Indeed,
documents obtained by this committee by subpoena, around the
Health and Human Services, in spite of our repeated attempts to
get the information from its source at Health and Human
Services, help the committee show that why stopping--security
officials at CMS had recommended this site be delayed, not
launched, or launched only in part, but CMS officials went
ahead anyway, and it is clear that they knew the risk.
    Under current law it is possible to launch a site by simply
saying that an executive within the administration of the right
level has the ability to accept the risk. That current law
allows an administration official to accept the risk or almost
the assurance that American people's personal identifiable
information will be compromised. There is no protection against
a judgment call that the risk of billions of dollars, trillions
of dollars, the entire economy can, in fact, be waived by an
administration official, meaning there is no standard other
than the acceptance of risk.
    Moreover, 11 weeks after the site is launched, no
independent security testing was conducted. Contrary to
statements made by Secretary Sebelius at a congressional
hearing, independent security testing did not resume until
December 9, 2013. When testing did resume, MITRE, the
contractor performing the testing, was unable to test half of
the functions of the Web site.
    Even with the limited scope of testing, MITRE found a high
risk that allowed users to access system documents belonging to
other users, which could result in the exposure of privileged
information to unauthorized individuals. MITRE Corporation
found other serious vulnerabilities that would threaten users
of HealthCare.gov which have not been shown to the public.
These vulnerabilities only reinforce the need for answers,
which I intend to pursue.
    Since December 15, when the administration offered a
meeting with Secretary Sebelius and I flew back during a
district work period, I have repeatedly tried to have HHS
engage this committee to discuss the security testing
documents. I even went so far, again I say, as to fly back to
D.C. during the Christmas recess just to meet with Secretary
Sebelius. Once back, even though she was in town, she declined
for 2 days in a row to offer a meeting time, instead offering a
junior level staff briefing.
    Until this point, the administration had not made a good
faith effort to facilitate a meeting. However, I am pleased
that HHS has sent a knowledgeable representative here today so
that we can finally have at least the beginnings of a
conversation. We are joined today by a top information security
officer at the Department of Health and Human Services, as well
as an official from MITRE, the company hired by Health and
Human Services to conduct the security control assessments of
HealthCare.gov and its many components.
    Again, because of the sensitive nature of the security
testing documents, we have handled them carefully to ensure
sensitive technical information does not end up in the wrong
hands, and I will insist that our colleagues continue to
respect that.
    I must, in closing, share with the American people a
personal sensitivity. I believe these documents do reflect
ongoing potential loss of personally identifiable information
belonging to the American people. However, if I am to take the
administration at their word, there are no vulnerabilities
unmitigated. Therefore, these documents are not a hacker's
access to your personal information, and yet, when asking for
briefings, I get told that they have to be closed and in fact
that these documents cannot be released.
    The administration cannot have it both ways. They can't
both say these documents represent completely mitigated
vulnerabilities and then say, but they are a pathway, so they
can't be released. It is this committee's intent to err on the
side of the assumption that the administration continues to lie
about the site being safe and secure. We can find no other
basis but to assume that they were lying about the
vulnerabilities on the day they went live on October 1st and
that they are still lying.
    I don't use the word lie without real forethought. You
cannot continue to tell people there is no problem; there was a
problem on October 1st. You cannot tell people they have been
mitigated, and then tell them, but don't release the documents
because it is a pathway for hackers.
    So I will assume that the truth is the site was vulnerable
on launch date, they went ahead with known vulnerabilities, and
that they continue to have unknown areas that could cause
information to be made available outside of those having a
right to. We can take no other assumptions. I hope in the long
run we find that it was far less than it appeared to be. But
with that I recognize Mr. Cummings for his opening statement.
    Mr. Cummings. Thank you very much, Mr. Chairman. And I hope
that our witnesses can shed some light on the many lies that
you allege have been told.
    Today is the 23rd hearing our committee has held on the
Affordable Care Act. As I did at our previous hearing 2 weeks
ago, I want to recognize the importance of what has been
accomplished for the American people. And when I say the
American people, I mean both Republican and Democrat, I mean
all of America.
    The law went into full effect on January 1st, and now
millions of people are obtaining health insurance coverage they
did not have before. Some of them have never had healthcare
insurance. They are receiving critical medical care, and they
have the security of knowing they will not go bankrupt if they
get into an accident or get sick. This is, without a doubt, a
historic achievement.
    The law also put into place key protections for consumers.
Insurance companies are now prohibited from discriminating--
that is what I said, discriminating--against people with
cancer, diabetes, heart disease, and preexisting conditions.
Again, I am talking about our constituents, Americans, the ones
who pay taxes and work hard every day. Insurance companies may
not charge higher prices for women, and millions of people are
now receiving free preventative care. The President has made it
clear that he wants to keep people well because it is far
cheaper to keep them well than to treat them after they are
sick.
    There are also huge financial benefits. Health insurance
companies are now sending rebate checks to millions of people.
Since the law was passed, we have seen the lowest growth in
health care costs in 50 years. If we repeal the law today, it
would increase our deficit by more than 1.5 trillion--not
billion--trillion dollars.
    In terms of the security of the Web site, we received
testimony just 2 weeks ago from chief information security
officer of the CMS. She told us, and I quote, ``There have been
no successful security attacks on the FFM, and no person or
group has maliciously accessed personally identifiable
information,'' end of quote. I want to repeat that: No person
or group has maliciously accessed personally identifiable
information on the HealthCare.gov Web site.
    The chief information security officer also said that
following security testing in December, HealthCare.gov has, and
I quote, ``a clean bill of health,'' end of quote.
    Although no system is hack-proof, she said she is and I
quote, ``confident based on the recent security controls
assessment and the additional security protections in place
that the FFM is secure,'' end of quote.
    I want to thank the chairman for proposing that today's
hearing be held in executive session, a motion that I fully
support. The MITRE Corporation and the Department of Health and
Human Services have warned the committee repeatedly that some
of the security testing documents we have obtained contain
highly sensitive information and can provide a road map for
hackers and others seeking to do us harm. I think it is a
positive step that the committee is willing to hear from these
officials firsthand about their concerns. Conducting the
hearing in executive session will allow us to discuss this
sensitive information directly with the experts.
    As we have heard on numerous occasions from the
cybersecurity experts at MITRE and the Department, the security
control assessments contain information about cybersecurity
methods and the fundamental cyber architecture of
HealthCare.gov that, and I quote, ``transcends the specific
security control vulnerabilities which have been the focus of
news reports and the committee's public inquiry,'' end of
quote. Even when specific vulnerabilities identified by
security testing have been addressed, these experts warn that
publicly disclosing the security control assessments could
still jeopardize HealthCare.gov and other CMS data networks,
and again I hope our witnesses will shed light on that since
the chairman has alleged that so many people have been lying.
    I believe our goal as a committee should be to conduct
responsible oversight that provides the American public with
information necessary to understand the security of the
HealthCare.gov Web site, while at the same time protecting
sensitive information that could endanger the Web site's
functioning or compromise the personal information of the
American people.
    Let me conclude by thanking the officials testifying here
today.
    Dr. Charest, this is your second time before the committee
in as many weeks. Thank you for returning to address these
vital questions in closed session.
    Mr. Shomo, I understand that you are one of the engineers
responsible for conducting security testing of HealthCare.gov
on behalf of MITRE Corporation, and we thank you for being
here.
    As a nonprofit organization with a long history of running
federally funded research and development programs, MITRE is
known and respected for its objectivity and independence. We
appreciate everything you both are doing to remain vigilant and
protect the security of HealthCare.gov. Millions of American
families thank you for helping them to get access to lifesaving
care that they so desperately need.
    And with that I yield back.
    Chairman Issa. Thank you.
    I now ask unanimous consent that the document signed by
Marilyn Tavenner, which is the authority to operate, be placed
in the record. Without objection, so ordered.
    Pursuant to that document, which says that within 60 to
90--I will read it verbatim--conduct a full SCA test on the
FFM, including its three modules, E&E, FM, and PM, in a stable
environment where all security controls can be tested within 60
to 90 days of going live on October 1st.
    Based on this document, which declares known
vulnerabilities that must be tested and mitigated within 60 to
90 days, I now recognize the gentleman from Florida for a
motion.
    Mr. Mica. Mr. Chairman, so the Committee on Oversight and
Government Reform may proceed in executive session and continue
its business pursuant to House Rule XI(g)(2), I move that the
remainder of the hearing be closed to the public because the
disclosure of the testimony to be heard may compromise
sensitive law enforcement information.
    Chairman Issa. The question is on agreeing to the motion to
close the hearing. The clerk will call the roll.
    The Clerk. Mr. Issa?
    Chairman Issa. Yea.
    The Clerk. Mr. Issa votes aye.
    Mr. Mica?
    Mr. Mica. Aye.
    The Clerk. Mr. Mica votes aye.
    Mr. Turner?
    Mr. Turner. Aye.
    The Clerk. Mr. Turner votes aye.
    Mr. Duncan?
    Mr. Duncan. Aye.
    The Clerk. Mr. Duncan votes aye.
    Mr. McHenry?
    [No response.]
    The Clerk. Mr. Jordan?
    Mr. Jordan. Yes.
    The Clerk. Mr. Jordan votes aye.
    Mr. Chaffetz?
    Mr. Chaffetz. Aye.
    The Clerk. Mr. Chaffetz votes aye.
    Mr. Walberg?
    Mr. Walberg. Aye.
    The Clerk. Mr. Walberg votes aye.
    Mr. Lankford?
    Mr. Lankford. Yes.
    The Clerk. Mr. Lankford votes aye.
    Mr. Amash?
    Mr. Amash. Yes.
    The Clerk. Mr. Amash votes aye.
    Mr. Gosar?
    Mr. Gosar. Yes.
    The Clerk. Mr. Gosar votes aye.
    Mr. Meehan?
    Mr. Meehan. Aye.
    The Clerk. Mr. Meehan votes aye.
    Mr. DesJarlais?
    Mr. DesJarlais. Aye.
    The Clerk. Mr. DesJarlais votes aye.
    Mr. Gowdy?
    Mr. Gowdy. Yes.
    The Clerk. Mr. Gowdy votes aye.
    Mr. Farenthold?
    Mr. Farenthold. Yes.
    The Clerk. Mr. Farenthold votes aye.
    Mr. Hastings?
    [No response.]
    The Clerk. Mrs. Lummis?
    [No response.]
    The Clerk. Mr. Woodall?
    [No response.]
    The Clerk. Mr. Massie?
    Mr. Massie. Aye.
    The Clerk. Mr. Massie votes aye.
    Mr. Collins?
    Mr. Collins. Aye.
    The Clerk. Mr. Collins votes aye.
    Mr. Meadows?
    Mr. Meadows. Aye.
    The Clerk. Mr. Meadows votes aye.
    Mr. Bentivolio?
    Mr. Bentivolio. Aye.
    The Clerk. Mr. Bentivolio votes aye.
    Mr. DeSantis?
    Mr. DeSantis. Aye.
    The Clerk. Mr. DeSantis votes aye.
    Mr. Cummings?
    Mr. Cummings. Yes.
    The Clerk. Mr. Cummings votes aye.
    Mrs. Maloney?
    Mrs. Maloney. Aye.
    The Clerk. Mrs. Maloney votes aye.
    Ms. Norton?
    [No response.]
    The Clerk. Mr. Tierney?
    Mr. Tierney. Aye.
    The Clerk. Mr. Tierney votes aye.
    Mr. Clay?
    [No response.]
    The Clerk. Mr. Lynch?
    Mr. Lynch. Aye.
    The Clerk. Mr. Lynch votes aye.
    Mr. Cooper?
    Mr. Cooper. Aye.
    The Clerk. Mr. Cooper votes aye.
    Mr. Connolly?
    [No response.]
    The Clerk. Ms. Speier?
    [No response.]
    The Clerk. Mr. Cartwright?
    Mr. Cartwright. Aye.
    The Clerk. Mr. Cartwright votes aye.
    Ms. Duckworth?
    Ms. Duckworth. Aye.
    The Clerk. Ms. Duckworth votes aye.
    Ms. Kelly?
    [No response.]
    The Clerk. Mr. Davis?
    Mr. Davis. Aye.
    The Clerk. Mr. Davis votes aye.
    Mr. Welch?
    [No response.]
    The Clerk. Mr. Cardenas?
    [No response.]
    The Clerk. Mr. Horsford?
    [No response.]
    The Clerk. Ms. Lujan Grisham?
    [No response.]
    Chairman Issa. The clerk will report the tally.
    The Clerk. Twenty-seven ayes, zero noes.
    Chairman Issa. There being 27 ayes and zero noes, the
motion is agreed to. The clerk will now clear the room. Only
Members of Congress, cleared staff, the witnesses, and their
cleared counsels may remain in the hearing room. The committee
stands in a short recess.
    [Whereupon, at 10:27 a.m., the committee proceeded to
closed session.]


                               APPENDIX
                              ----------


               Material Submitted for the Hearing Record


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
</pre></body></html>