[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]





                      THE ROLE OF THE WHITE HOUSE
                      CHIEF TECHNOLOGY OFFICER IN
                   THE HEALTHCARE.GOV WEBSITE DEBACLE

=======================================================================

                                HEARING

                               BEFORE THE

                       SUBCOMMITTEE ON OVERSIGHT

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             SECOND SESSION

                               ----------                              

                           NOVEMBER 19, 2014

                               ----------                              

                           Serial No. 113-96

                               ----------                              

 Printed for the use of the Committee on Science, Space, and Technology















       Available via the World Wide Web: http://science.house.gov

                                      ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

92-329PDF                     WASHINGTON : 2015 










              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                   HON. LAMAR S. SMITH, Texas, Chair
DANA ROHRABACHER, California         EDDIE BERNICE JOHNSON, Texas
RALPH M. HALL, Texas                 ZOE LOFGREN, California
F. JAMES SENSENBRENNER, JR.,         DANIEL LIPINSKI, Illinois
    Wisconsin                        DONNA F. EDWARDS, Maryland
FRANK D. LUCAS, Oklahoma             FREDERICA S. WILSON, Florida
RANDY NEUGEBAUER, Texas              SUZANNE BONAMICI, Oregon
MICHAEL T. McCAUL, Texas             ERIC SWALWELL, California
PAUL C. BROUN, Georgia               DAN MAFFEI, New York
STEVEN M. PALAZZO, Mississippi       ALAN GRAYSON, Florida
MO BROOKS, Alabama                   JOSEPH KENNEDY III, Massachusetts
RANDY HULTGREN, Illinois             SCOTT PETERS, California
LARRY BUCSHON, Indiana               DEREK KILMER, Washington
STEVE STOCKMAN, Texas                AMI BERA, California
BILL POSEY, Florida                  ELIZABETH ESTY, Connecticut
CYNTHIA LUMMIS, Wyoming              MARC VEASEY, Texas
DAVID SCHWEIKERT, Arizona            JULIA BROWNLEY, California
THOMAS MASSIE, Kentucky              ROBIN KELLY, Illinois
KEVIN CRAMER, North Dakota           KATHERINE CLARK, Massachusetts
JIM BRIDENSTINE, Oklahoma
RANDY WEBER, Texas
CHRIS COLLINS, New York
BILL JOHNSON, Ohio
                                 ------                                

                       Subcommittee on Oversight

                   HON. PAUL C. BROUN, Georgia, Chair
F. JAMES SENSENBRENNER, JR.,         DAN MAFFEI, New York
    Wisconsin                        ERIC SWALWELL, California
BILL POSEY, Florida                  SCOTT PETERS, California
KEVIN CRAMER, North Dakota           EDDIE BERNICE JOHNSON, Texas
BILL JOHNSON, Ohio
LAMAR S. SMITH, Texas
















                            C O N T E N T S

                           November 19, 2014

Witness List

Hearing Charter

                           Opening Statements

Statement by Representative Paul C. Broun, Chairman, Subcommittee 
  on Oversight, Committee on Science, Space, and Technology, U.S. 
  House of Representatives
    Written Statement

Statement by Representative Eddie Bernice Johnson, Ranking 
  Member, Committee on Science, Space, and Technology, U.S. House 
  of Representatives
    Written Statement

Statement by Representative Lamar S. Smith, Chairman, Committee 
  on Science, Space, and Technology, U.S. House of 
  Representatives
    Written Statement

                               Witnesses:

Mr. Todd Park, former Chief Technology Officer of the United 
  States, Office of Science and Technology Policy (OSTP)
    Oral Statement
    Submitted Biography

Discussion

             Appendix I: Answers to Post-Hearing Questions

Mr. Todd Park, former Chief Technology Officer of the United 
  States, Office of Science and Technology Policy (OSTP)

            Appendix II: Additional Material for the Record

Prepared statement by Representative Eric Swalwell, Committee on 
  Science, Space, and Technology, U.S. House of Representatives
Supporting documents submitted by Representative Paul C. Broun, 
  Chairman, Subcommittee on Oversight, Committee on Science, 
  Space, and Technology, U.S. House of Representatives
Hearing documents submitted by the Majority staff, Committee on 
  Science, Space, and Technology, U.S. House of Representatives
Letter submitted by Representative Scott Peters, Subcommittee on 
  Oversight, Committee on Science, Space, and Technology, U.S. 
  House of Representatives
Minority staff report submitted by Representative Eddie Bernice 
  Johnson, Ranking Member, Committee on Science, Space, and 
  Technology, U.S. House of Representatives
Majority staff report submitted by Representative Paul C. Broun, 
  Chairman, Subcommittee on Oversight, Committee on Science, 
  Space, and Technology, U.S. House of Representatives

 
                      THE ROLE OF THE WHITE HOUSE
                      CHIEF TECHNOLOGY OFFICER IN
                   THE HEALTHCARE.GOV WEBSITE DEBACLE

                              ----------                              


                      WEDNESDAY, NOVEMBER 19, 2014

                  House of Representatives,
                         Subcommittee on Oversight,
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

    The Subcommittee met, pursuant to call, at 10:10 a.m., in 
Room 2318 of the Rayburn House Office Building, Hon. Paul Broun 
[Chairman of the Subcommittee] presiding.



    Chairman Broun. This hearing of the Subcommittee on 
Oversight will come to order. Without objection, the Chair is 
authorized to declare recesses of the Committee at any time.
    Good morning, and welcome to today's hearing. In front of 
you are packets containing the written testimony, biography, 
and truth-in-testimony disclosure for today's witness. I now 
recognize myself for five minutes for an opening statement.
    I want to thank my colleagues for being here today, and I 
want to especially thank our witness for his presence. We have 
been waiting a very long time to be able to question you, sir. 
I am sorry that we had to come to the point of issuing you a 
subpoena to get that to happen, but I am glad that you are here 
today, sir.
    In fact, the Committee has invited you several times before 
on five different occasions. We wrote directly to you, Mr. 
Park, as well as to the Director of the Office of Science and 
Technology Policy. None of those invitations elicited the 
``yes'' response that we got as a result of issuing you a 
subpoena.
    In the course of our correspondence, several claims were 
made by OSTP as to why you were not the individual to answer 
the Committee's questions, such as: that you and OSTP personnel 
have not been substantially involved in developing or 
implementing the Federally Facilitated Marketplace's security 
measures; that you did not develop or approve the security 
measures in place to protect the website; that you do not 
manage those responsible for keeping the site safe; and that 
you are not a cybersecurity expert, which is an interesting 
description of you to say the least. You are the co-founder of 
Athenahealth, which you co-developed into one of the most 
innovative health IT companies in the industry and became very 
wealthy, in fact, doing that. As a government employee, you 
helped launch the President's Smarter IT Delivery Agenda, which 
created the new U.S. Digital Service, and you created the beta 
version of HealthCare.gov. How do these activities not require 
cybersecurity expertise?
    Further, on November 13, 2013, in testimony, sworn 
testimony, before the Committee on Oversight and Government 
Reform, you said that you did not, to quote you, ``actually 
have a really detailed knowledge base'' of the website before 
it was launched, and that you were, again quoting you, ``not 
deeply familiar with the development and testing regimen that 
happened prior to October 1.''
    However, the Committee has in its possession documents that 
appear to contradict much of what you have said in your prior 
Congressional appearance, again under oath, as well as what 
OSTP has explained to this Committee.
    But these documents were not easy to come by, despite 
requesting them in a letter last December, and despite 
preparing to ask about them in a briefing OSTP arranged on your 
behalf in September--a briefing that was canceled the evening 
before it was scheduled to take place when your colleagues were 
informed it would be transcribed.
    Mr. Park, I find your and the White House's lack of 
transparency intolerable and an obstruction to this Committee's 
efforts to conduct oversight. It took a subpoena to get you 
here, sir. It took another subpoena to compel your documents 
from the White House, but even with that, we have yet to 
receive all of your documents in compliance with our subpoena 
issued on September 19, exactly 2 months ago.
    As a gesture of good faith, Committee staff have engaged in 
multiple in-camera reviews with White House lawyers, yet there 
are still documents being withheld from the Committee without a 
claim of a legally recognized privilege. That begs the 
question: What are you hiding, Mr. Park?
    I have some theories about the answer to that question. 
Perhaps it is that you knew there were serious problems with 
HealthCare.gov prior to the launch but you did not convey them 
up the chain in your briefings with the President. Or, perhaps 
you did, and they were ignored because of this Administration's 
relentless pursuit to launch HealthCare.gov on October 1, 2013, 
no matter the consequences.
    Now here we are, a year later and fresh into the beginning 
of the second open enrollment, with questions that still remain 
about this $2 billion debacle you are credited with fixing--a 
debacle that, I might add, got hacked this summer and that, 
according to a recent Government Accountability Office report, 
still has weaknesses, as they say ``both in the processes used 
for managing information security and privacy, as well as the 
technical implementation of IT security controls.''
    We look forward to this opportunity to ask you some of our 
questions, Mr. Park.
    I also now ask unanimous consent to submit documents for 
the record, which will be referenced in some of our questions. 
Without objection, so ordered.
    [The information appears in Appendix II]
    Chairman Broun. Before I yield to the Ranking Member, Eddie 
Bernice Johnson, my friend from Texas, and because of some 
conflict with the Democrats, we will come back to Mr. 
Swalwell's statement later on, I might add that this is likely 
my last time chairing this Subcommittee on Oversight for a 
hearing, and I would like to thank my friends on both sides of 
the aisle, especially Chairman Smith, for a productive two 
years of hard work on this Subcommittee. Our staff, both 
Democrat and Republican, worked very hard. We worked together 
in as bipartisan a manner as possible. We might not have agreed 
on all the issues. Some issues we did, some we didn't. But it 
has been a very productive two years, I think, and I have been 
very privileged to Chair this Subcommittee. I wish you all well 
next year.
    [The prepared statement of Mr. Broun follows:]

            Prepared Statement of Subcommittee on Oversight
                          Chairman Paul Broun

    Good morning. I want to thank my colleagues for being here today 
and I want to especially thank our witness for his presence--we have 
been waiting a very long time to question you, sir.
    In fact, the Committee has invited you to testify before us on five 
different occasions. We wrote directly to you, Mr. Park, as well as to 
the Director of the Office of Science and Technology Policy. None of 
those invitations elicited the ``yes'' response we got as a result of 
issuing you a subpoena.
    In the course of our correspondence, several claims were made by 
OSTP as to why you were not the individual to answer the Committee's 
questions, such as:

      That you and OSTP personnel have not been substantially 
involved in developing or implementing the Federally Facilitated 
Marketplace's security measures;

      That you did not develop or approve the security measures 
in place to protect the website;

      That you do not manage those responsible for keeping the 
site safe; and

      That you are not a cybersecurity expert--which is an 
interesting description of you to say the least. You are the co-founder 
of Athenahealth, which you co-developed into one of the most innovative 
health IT companies in the industry. As a government employee, you 
helped launch the President's Smarter IT Delivery Agenda, which created 
the new U.S. Digital Service, and you created the beta version of 
HealthCare.gov--how do these activities not require cybersecurity 
expertise?

    Further, on November 13, 2013, in testimony before the Committee on 
Oversight and Government Reform, you said that you did not ``actually 
have a really detailed knowledge base'' of the website before it was 
launched, and that you were ``not deeply familiar with the development 
and testing regimen that happened prior to October 1.'' \1\
---------------------------------------------------------------------------
    \1\ ``Obamacare Implementation-The Rollout of HealthCare.gov,'' 
House Oversight and Government Reform Committee, November 13, 2013, 
available at: 
http://oversight.house.gov/wp-content/uploads/2014/06/11-13-13-TRANSCRIPT-Obamacare-Implementation-The-Rollout-of-HealthCare.gov--.pdf.
---------------------------------------------------------------------------
    However, the Committee has in its possession documents that appear 
to contradict much of what you have said in your prior Congressional 
appearance, as well as what OSTP has explained to this Committee.
    But these documents were not easy to come by, despite requesting 
them in a letter last December, and despite preparing to ask about them 
in a briefing OSTP arranged on your behalf in September--a briefing 
that was cancelled the evening before it was scheduled to take place 
when your colleagues were informed it would be transcribed.
    Mr. Park, I find your and the White House's lack of transparency 
intolerable and an obstruction to this Committee's efforts to conduct 
oversight. It took a subpoena to get you here. It took another subpoena 
to compel your documents from the White House, but even with that, we 
have yet to receive all of your documents in compliance with our 
subpoena issued on September 19th, exactly two months ago. As a gesture 
of good faith, Committee staff have engaged in multiple in camera 
reviews with White House lawyers, yet there are still documents being 
withheld from the Committee without a claim of a legally recognized 
privilege. That begs the question--what are you hiding, Mr. Park?
    I have some theories about the answer to that question. Perhaps it 
is that you knew there were serious problems with HealthCare.gov prior 
to the launch but you did not convey them up the chain in your 
briefings with the President. Or, perhaps you did, and they were 
ignored because of this Administration's relentless pursuit to launch 
HealthCare.gov on October 1, 2013, no matter what the consequences.
    Now here we are, a year later and fresh into the beginning of the 
second Open Enrollment, with questions that still remain about this $2 
billion dollar debacle you are credited with fixing--a debacle that, I 
might add, got hacked this summer and that, according to a recent 
Government Accountability Office report, still has weaknesses ``both in 
the processes used for managing information security and privacy, as 
well as the technical implementation of IT security controls.''
    We look forward to this opportunity to ask you some of our 
questions.
    Before I yield to Mr. Swalwell for his opening statement, let me 
just add that this is likely my last time chairing an Oversight 
Subcommittee hearing, and I would like to thank my friends on both 
sides of the aisle--especially Chairman Smith--for a productive two 
years of hard work on this Subcommittee. I wish you all well next year, 
and I now recognize Mr. Swalwell.

    Chairman Broun. I now recognize our Ranking Member, Ms. 
Eddie Bernice Johnson, for her statement. You are recognized 
for five minutes.
    Ms. Johnson. Thank you, Mr. Chairman, and let me express my 
appreciation for your service, since this might very well be 
your last chairing of this Committee, and wish you well in the 
future. We have maintained a great relationship, although I 
must say that probably 99.9 percent of the time we disagree.
    But I want to welcome Mr. Park, the former Chief Technology 
Officer of the United States, to this Committee hearing, and I 
appreciate, Mr. Park, your willingness to appear before us. I 
want to apologize to you for all the political theater that is 
unfolding around your appearance. Please keep in mind that this 
hearing is largely an excuse for the majority to again express 
their dislike for the Affordable Care Act and the online 
Marketplace that has led millions of Americans to find medical 
coverage. I know that they do not like Obamacare. The Majority 
has voted at least some 53 times during this Congress to repeal 
or dismantle the ACA.
    Nevertheless, I want to ask all Members here today to 
please remember that Mr. Park is not personally responsible for 
the ACA, nor is he responsible for the problems on October 1, 
2013.
    Mr. Park, it is clear that you were not responsible for how 
the website performed last October 1st. In doling out 
responsibility for its performance on day one, I think it was 
fair to assign you zero percentage of the responsibility, which 
reflects the degree of your actual involvement in developing 
the website.
    Of course, your job at the White House put you in a 
position to have more insight than most into how the Centers 
for Medicare and Medicaid Services were doing in developing the 
program, but the management of the program was up to CMS. And 
the people doing the actual development work were contractors 
who legally answered to CMS. As I am sure you would agree, 
insight into what is going on does not equate to being 
intimately involved or directly responsible for the website. 
And of course your real job as CTO during that period had you 
leading multiple interagency initiatives designed to push 
technology into the American economy and across society. For 
example, you were working to make U.S. government data more 
easily accessible by the public, which can spur innovation, 
profits and jobs, as has been amply demonstrated by the way 
that publicly available National Weather Service data has 
spawned a multibillion-dollar weather forecasting industry.
    Mr. Park, I think it is fair to say that fundamentally you 
were working to make services of the government more readily 
available to citizens during your tenure as CTO. You were 
working to help reduce information costs in various areas of 
the economy, notably your green button initiative to let 
consumers get a better idea about energy consumption and 
sourcing. You were facilitating dialogues across communities to 
bring experts on particular social issues face-to-face with 
experts from the IT world. Laudably, you were a part of an 
initiative aimed at stopping human trafficking and another 
initiative designed to find ways to harness IT more effectively 
in disaster response.
    I know that as I cite these examples, I am just scratching 
the surface of the scope of your day job as CTO of the United 
States. Regrettably, the Committee has made no effort to 
understand this broad portfolio of your accomplishments there, 
and has shown little appreciation for your patriotic desire to 
serve, even though it meant leaving the lucrative world of 
Silicon Valley IT startups and venture capital. From the bottom 
of my heart, I want to thank you for all you did and tried to 
do, including joining the team tasked with fixing the 
HealthCare.gov site after October 1st.
    I hope your experience with this Committee won't diminish 
your sense of pride in your accomplishments or dampen your 
enthusiasm for public service. We need people like you to be 
willing to come serve this country.
    Thank you, and I yield back.
    [The prepared statement of Ms. Johnson follows:]

                  Prepared Statement of Full Committee
                  Ranking Member Eddie Bernice Johnson

    Mr. Chairman, I want to welcome Mr. Park, the former Chief 
Technology Officer of the United States, to this Committee hearing. I 
appreciate your willingness to appear before us, Mr. Park, and I want 
to apologize to you for all the political theater that is unfolding 
around your appearance.
    Please keep in mind that this hearing is largely an excuse for the 
Majority to again express their dislike for the Affordable Care Act and 
the online-Marketplace that has let millions of Americans find medical 
coverage. I know that they do not like Obamacare--the Majority have 
voted in the House some 53 times during this Congress to repeal or 
dismantle the ACA. Nevertheless, I want to ask all Members here today 
to please remember that Mr. Park is not personally responsible for the 
ACA, nor is he responsible for the problems on October 1, 2013.
    Mr. Park, it is clear that you were not responsible for how the 
website performed last October 1. In doling out responsibility for its 
performance on day one I think it's fair to assign you 0% of the 
responsibility, which reflects the degree of your actual involvement in 
developing the website.
    Of course, your job at the White House put you in a position to 
have more insight than most into how the Centers for Medicare and 
Medicaid Services were doing in developing the program, but the 
management of the program was up to CMS. And the people doing the 
actual development work were contractors who legally answered to CMS. 
As I'm sure you would agree, insight into what is going on does not 
equate to being intimately involved or directly responsible for the 
website.
    And of course your real job as CTO during that period had you 
leading multiple interagency initiatives designed to push technology 
out into the American economy and across society. For example, you were 
working to make U.S. government data more easily accessible by the 
public, which can spur innovation, profits, and jobs, as has been amply 
demonstrated by the way that publicly available National Weather 
Service data has spawned a multi-billion dollar weather forecasting 
industry.
    Mr. Park, I think it is fair to say that fundamentally you were 
working to make services of the government more readily available to 
citizens during your tenure as CTO. You were working to help reduce 
information costs in various areas of the economy, notably your ``green 
button'' initiative to let consumers get a better idea about energy 
consumption and sourcing. You were facilitating dialogues across 
communities to bring experts on particular social issues face-to-face 
with experts from the IT world. Laudably, you were a part of an 
initiative aimed at stopping human trafficking and another initiative 
designed to find ways to harness IT more effectively in disaster 
response.
    I know that as I cite these examples, I am just scratching the 
surface of the scope of your day job as CTO of the United States. 
Regrettably, the Committee has made no effort to understand this broad 
portfolio or your accomplishments there, and has shown little 
appreciation for your patriotic desire to serve, even though it meant 
leaving the lucrative world of Silicon Valley IT start-ups and venture 
capital.
    From the bottom of my heart, I want to thank you for all you did 
and tried to do, including joining the team tasked with fixing the 
healthcare.gov site after October 1. I hope your experience with this 
Committee won't diminish your sense of pride in your accomplishments or 
dampen your enthusiasm for public service. We need people like you to 
be willing to come serve the country.

    Chairman Broun. Thank you, Ms. Johnson. I disagree with you 
about a couple of issues. One is that we have recognized Mr. 
Park's accomplishments and responsibilities outside of being 
involved in HealthCare.gov. In fact, he himself has said he has 
not been deeply involved, though there are emails that we have 
and that you have that show otherwise. So it is not zero 
involvement, and it seems to be the mantra of this 
Administration that people are zero involved and have no 
responsibility for issues, but thank you, Ms. Johnson.
    I now recognize the full Committee Chairman, Mr. Lamar 
Smith, for five minutes.
    Chairman Smith. Thank you, Mr. Chairman.
    Americans have seen firsthand the misrepresentations that 
surround Obamacare. First, there was the President's broken 
promise that ``If you like your health care plan, you can keep 
it.'' Then, in a video that surfaced last week, MIT professor 
Jonathan Gruber, a principal architect of Obamacare, admitted 
how the Administration sold this to the American people, saying 
``Lack of transparency is a huge political advantage. 
Basically, call it the stupidity of the American voter or 
whatever, but basically that was really, really critical to 
getting the thing [Obamacare] to pass.''
    Finally, after a year of requests by this Committee, the 
Administration has agreed to have someone who worked in the 
White House testify about the lack of security of the 
HealthCare.gov website. Mr. Todd Park was the White House Chief 
Technology Officer for the Office of Science and Technology 
Policy from March 2012 to August 2014.
    Joining the Obama Administration in the Department of 
Health and Human Services, Mr. Park was one of the principal 
architects for the HealthCare.gov website. Former Health and 
Human Services Secretary Kathleen Sebelius later called this 
website ``a debacle'' with a recent estimated cost of $2 
billion.
    Today we will review the White House's repeated 
misinformation about the HealthCare.gov website. Mr. Park's own 
emails show an in-depth, detailed knowledge about cybersecurity 
issues with the website. He was the primary spokesperson for 
the White House about the website and the website's security. 
Mr. Park directed several contractors to review the security of 
the website.
    On October 10th, soon after the website went operational, 
Mr. Park read an online article by David Kennedy, a white hat 
hacker who has testified twice before this Committee. Mr. 
Kennedy's article was titled ``Is the Affordable Care Website 
Secure? Probably Not.'' Mr. Park commented in an email how he 
was advised that ``these guys are on the level.'' We are asking 
Mr. Park to explain his role in developing the $2 billion 
website and what the Administration knew about the security 
risks of the website.
    As of today, the White House still has failed to provide 
this Committee with all the documents that are subject to the 
subpoena. The ones we do have paint a far different picture 
than that of the Office of Science and Technology Policy.
    As I mentioned, the Committee has not received all of the 
emails and other documents that were subject to the subpoena so 
another hearing may well be necessary.
    Finally, I want to take a moment to thank the Chairman of 
the Oversight Subcommittee, Dr. Paul Broun, for his tireless 
efforts on this subject as well as so many other subjects that 
have come before this Subcommittee. We appreciate his public 
service and his dedication over the years to his constituents, 
to Congress, and to our country. So Chairman Broun, thank you 
again for all you have done. We appreciate all your great work, 
and I look forward to today's hearing.
    [The prepared statement of Mr. Smith follows:]

      Prepared Statement of Full Committee Chairman Lamar S. Smith

    Americans have seen first-hand the misrepresentations that surround 
Obamacare. First, there was the President's broken promise that ``If 
you like your health care plan, you can keep it.''
    Then, in a video that surfaced last week, MIT professor Jonathan 
Gruber, a principal architect of Obamacare, admitted how the 
Administration sold this to the American people, saying:

          ``Lack of transparency is a huge political advantage. 
        Basically, call it the stupidity of the American voter or 
        whatever, but basically that was really, really critical to 
        getting the thing [Obamacare] to pass.''

    Finally, after a year of requests by this Committee, the 
Administration has agreed to have someone who worked in the White House 
testify about the lack of security of the HealthCare.gov website. Mr. 
Todd Park was the White House Chief Technology Officer for the Office 
of Science and Technology Policy (OSTP) from March 2012 to August 2014.
    Joining the Obama Administration in the Department of Health and 
Human Services, Mr. Park was one of the principal architects for the 
HealthCare.gov website. Former Health and Human Services (HHS) 
Secretary Kathleen Sebelius later called this website ``a debacle'' 
with a recent estimated cost of $2 billion.
    Today we will review the White House's repeated misinformation 
about the HealthCare.gov website.
    Mr. Park's own emails show an in-depth, detailed knowledge about 
cybersecurity issues with the website. He was the primary spokesperson 
for the White House about the website and the website's security.
    Mr. Park directed several contractors to review the security of the 
website. On October 10th--soon after the website went operational--Mr. 
Park read an online article by David Kennedy, a white hat hacker who 
has testified twice before this Committee.
    Mr. Kennedy's article was entitled ``Is the Affordable Care Website 
Secure? Probably Not.'' Mr. Park commented in an email how he was 
advised that ``these guys are on the level.''
    We're asking Mr. Park to explain his role in developing the $2 
billion website and what the Administration knew about the security 
risks of the website.
    As of today, the White House still has failed to provide this 
Committee with all the documents that are subject to the subpoena. The 
ones we do have paint a far different picture than that of the Office 
of Science and Technology Policy.
    As I mentioned, the Committee has not received all of the emails 
and other documents that were subject to the subpoena. So another 
hearing may well be necessary.
    Finally, I want to take a moment to thank the chairman of the 
Oversight Subcommittee, Dr. Paul Broun, for his tireless efforts on 
this subject and many others before the Oversight Subcommittee. We 
appreciate his public service and dedication over his many years on the 
Science Committee.
    I look forward to today's hearing.

    Chairman Broun. Thank you, Mr. Smith. As I announced 
earlier, Mr. Swalwell will be joining us in a bit, and he will 
give his opening statement at that time and then ask his 
questions in due order. If there are Members who wish to submit 
additional opening statements, your statements will be added to 
the record at this point.
    At this time, I would like to introduce today's witness, 
Mr. Todd Park, the former Chief Technology Officer of the 
United States and Assistant to the President. Prior to this 
role, Mr. Park served as Chief Technology Officer for the U.S. 
Department of Health and Human Services, and before entering 
Federal service, Mr. Park co-founded Athenahealth and co-led 
its development into one of the most impressive health IT 
companies in the industry.
    As our witness should know, spoken testimony is limited to 
five minutes after which the members of the Committee will have 
five minutes each to ask questions. And Mr. Park, it is the 
practice of this Subcommittee on Oversight to receive testimony 
under oath. If you now would please stand and raise your right 
hand? Do you solemnly swear and affirm to tell the whole truth 
and nothing but the truth, so help you God?
    Mr. Park. I do.
    Chairman Broun. Thank you. You may be seated. Let the 
record reflect that the witness answered in the affirmative and 
has taken the oath.
    I now recognize Mr. Park for five minutes to present your 
testimony, sir.

                    TESTIMONY OF TODD PARK,

                FORMER CHIEF TECHNOLOGY OFFICER

                     OF THE UNITED STATES,

            OFFICE OF SCIENCE AND TECHNOLOGY POLICY

    Mr. Park. Thank you, sir.
    Chairman Broun, thank you for your service. Chairman Smith, 
Ranking Member Swalwell, Ranking Member Johnson and Members of 
the Committee, good morning. I am looking forward to the 
opportunity to offer testimony to you today.
    To begin, I would like to provide some context for my time 
as U.S. Chief Technology Officer that will be helpful in 
addressing questions you have asked me to answer.
    I am a private-sector health IT entrepreneur by background 
and have been blessed with significant success in that arena. 
Only in America can the son of two brave immigrants from Korea 
have the kind of business-building experiences that I have been 
blessed to have. I love this country very much, and it has been 
the greatest honor of my life to serve it.
    In March 2012, after 2-1/2 years working at the U.S. 
Department of Health and Human Services, I joined the White 
House Office of Science and Technology Policy as U.S. CTO. In 
this role, my primary job was to serve as a Technology Policy 
and Innovation Advisor across a broad portfolio of issues, 
working on open data policy and initiatives, wireless spectrum 
policy, how to advance a free and open Internet, how to harness 
the power of technological innovation to fight human 
trafficking and improve disaster response and recovery, and 
more. My role as U.S. CTO was not to oversee the internal 
Federal IT budget and operations. However, given my background 
at HHS and as a health IT entrepreneur, I was asked to provide 
assistance to CMS, which was the agency in charge of managing 
the development of the new HealthCare.gov including the 
Federally Facilitated Marketplace for Health Insurance. I 
provided assistance to CMS in a few different capacities.
    For example, I served as one of three co-chairs of an 
interagency steering committee organized by the Office of 
Management and Budget and which focused on providing a neutral 
venue in which agencies like CMS, IRS, SSA and others could 
work through interagency items, primarily in support of the 
Data Services Hub, which ended up going live quite 
successfully. I assisted with a Red Team exercise in early 2013 
that helped identify actions to improve project execution as 
well as some associated follow-on work that summer. From time 
to time I helped connect people to each other, served as a 
spokesperson of sorts, and provided help on particular 
questions.
    However, to properly calibrate your expectations of my 
knowledge of CMS's initial development of the new 
HealthCare.gov and the Federally Facilitated Marketplace, I was 
not a project manager who was managing and executing the day-in 
and day-out operational work of building the new HealthCare.gov 
and the Federally Facilitated Marketplace. This was the 
responsibility of CMS. I didn't have the kind of comprehensive, 
deep, detailed knowledge of the effort that a hands-on project 
manager would have, and which I have had about other projects 
in my private-sector work.
    I assisted CMS with its work as an advisor while executing 
my overall duties as White House Technology Policy Innovation 
Advisor working on a broad range of policy issues as I 
described earlier.
    As the new HealthCare.gov and the Federally Facilitated 
Marketplace rolled out in the fall of 2013, as the extent of 
operational issues with the site became clear, it became an 
all-hands-on-deck moment, and I along with others dropped 
everything else I was doing and increased my involvement in 
HealthCare.gov dramatically, shifting full time into the 
HealthCare.gov turnaround effort and working as part of a tech 
surge, which radically improved the performance of the site. I 
worked as part of a terrific team working around the clock, 
even sleeping on office floors. My particular focus was on 
helping to reduce the amount of time the site was down, improve 
the site's speed, improve its ability to handle high user 
volume, and improve user-facing functionality. Our team effort 
drove massive improvement in the site, ultimately enabling 
millions of Americans to sign up for health insurance through 
the site, many of whom had previously been uninsured.
    At the end of the day on April 15, 2014, the last day of 
extended special enrollment, I went back to my U.S. CTO day job 
of being Technology Policy and Innovation Advisor, and my 
involvement in HealthCare.gov accordingly scaled back 
dramatically.
    As another contextual note, I understand that the 
Committee's primary interest has been the security of 
HealthCare.gov. I do not have the expertise in cybersecurity 
that the professors of cybersecurity and other experts who 
previously testified before this Committee have. Responsibility 
for the cybersecurity of HealthCare.gov rests with CMS. My 
involvement with the security of HealthCare.gov has been rather 
tangential. The interagency steering committee I co-chaired had 
a privacy and security subgroup but the subgroup was staffed 
and led by Agency personnel who occasionally asked the overall 
committee co-chairs to help facilitate interagency dialog and 
cooperation but who generally drove to the ultimate answers 
themselves. There were a small number of other occasions when I 
was asked to serve as a spokesperson of sorts--summarizing 
general cybersecurity content supplied by CMS and HHS--to 
function as a liaison or facilitator connecting people to each 
other, or to provide my general thoughts for whatever they were 
worth. But, again, I am not a cybersecurity expert.
    As a final contextual note, at the end of August of this 
year, in order to stay married, I stepped down as U.S. CTO and 
returned home to Silicon Valley, fulfilling my wife's 
longstanding desire to do so. I continue to serve our country 
as a consultant to the White House based in Silicon Valley, 
focused primarily on attracting more and more of the best tech 
talent in the Nation to serve the American people, which is 
important to our vital work as a government to radically 
improve how the government delivers digital services and 
unleashes the power of technology in general.
    Thank you for the opportunity to provide some context for 
my testimony today, and I look forward to answering your 
questions as best I can.
    [The prepared statement of Mr. Park follows:]
    
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    
    Chairman Broun. Thank you, Mr. Park, for your testimony. 
Reminding members that Committee rules limit questioning to 
five minutes, the Chair at this point will open the round of 
questions. The Chairman recognizes himself for five minutes.
    Mr. Park, let us clarify something. You claim in your 
opening statement today that you did not have, to quote you, 
``comprehensive, deep, detailed knowledge'' of development, 
testing and cybersecurity of the HealthCare.gov website and that 
you ``assisted CMS with its work as an advisor.'' Yet if you 
refer to tab 8 in your binder there, you can read along from 
the highlighted sections of one of your subpoenaed emails dated 
June 26, 2013, sent to Marilyn Tavener, Michele Snyder and 
Henry Chao about ``a deep-dive session with Henry Chao.'' 
Specifically, you wrote, ``Marilyn, I'm also going to visit 
with Henry and team for one of our evening deep-dive sessions 
to get up to speed on the latest status of IT and testing. 
There's no substitute for an evening deep dive. So I'll bring 
healthy food and snacks to Baltimore and camp out with Henry 
and team for a few hours.''
    Mr. Park, please explain to me how you define ``deep, 
detailed knowledge'' and then contrast that with a deep-dive 
experience with Mr. Chao that lasts for several hours.
    Mr. Park. Sir, I would be delighted to. So in my private-
sector experience, when you have really deep, detailed, 
comprehensive knowledge of a project, that comes from being the 
project manager. That comes from being the person who is in 
charge of running things, you know what is going on, you know 
each axis of what is going on on an ongoing basis, and that is 
the role I served in my private-sector life on a variety of 
projects but that was not the role I was serving on the 
Federally Facilitated Marketplace. That was CMS's 
responsibility.
    What is happening here is that on a few occasions, I spent 
time with the folks who were actually running the project and 
asked a series of questions and got information but that level 
of knowledge pales in comparison to the really deep, detailed, 
comprehensive knowledge that you would have as the project 
manager running the thing on an ongoing basis.
    Chairman Broun. So you had some supervisory function there.
    Mr. Park, do you agree with Health Secretary Kathleen 
Sebelius' assessment that the rollout of the website was ``a 
debacle''?
    Mr. Park. The rollout was unacceptable, sir.
    Chairman Broun. Mr. Park, you acknowledge in your opening 
statement that you were one of three White House co-chairmen of 
the Affordable Care Act Information Technology Exchanges 
Steering Committee, and that at least initially met on a 
monthly basis. What was your role in these meetings? Would you 
say that you were the leader of this White House trio?
    Mr. Park. I would say that I was one of the three co-
chairs. It was actually principally led and organized by the 
Office of Management and Budget, and the role of the committee 
was to focus on providing a neutral venue where agencies could 
come together and work on really interagency issues, primarily 
in support of the Data Services Hub.
    Chairman Broun. Well, on April 11, 2013, in an email sent 
at 2:31 p.m.--that is in tab 1----
    Mr. Park. Thank you, sir.
    Chairman Broun. --of your binder, with the subject 
``Coordination on ACA,'' one of the co-chairs, Mr. Steven 
VanRoekel, then U.S. Chief Information Officer, expressed his 
concerns about your closeness to the Centers for Medicare and 
Medicaid Services by writing this: ``CMS has not been inclusive 
and is not leading a coordinated effort that will lead to 
success. I am also worried that you are getting a too-CMS-
centric picture. I would love nothing more than this not to be 
the case, to be assured ACA implementation is on a path we want 
to be on, and that existing efforts will deliver what we 
want.''
    Your response to him sent the same day at 4:58 p.m. states, 
``Hey, brother. Thanks so much for the note and the chat! Many 
apologies for not staying in tighter sync with you on this. 
Will make sure we stay in close sync going forward.''
    To be clear, this is the same CMS that the Office of 
Science and Technology Policy has told the Committee in various 
letters is in a ``far better position to discuss the standards 
that are in place for the website.''
    You did not deny this closeness to Mr. VanRoekel, and 
indeed, your closeness to individuals such as Henry Chao, Chief 
Information Officer at CMS, and Michele Snyder, then Chief 
Operating Officer at CMS and the number two official, is 
evident in the many emails we have seen of your conversations 
with them.
    If you were not the leader, then why was Mr. VanRoekel 
looking toward you for guidance? And if you were so close to 
CMS that it concerned your co-chair, then surely you are in 
just fine a position to answer our questions about the website 
and should have done so a year ago?
    Mr. Park. So thank you for the opportunity to discuss this 
particular email. As I recall, I think this was precipitated by 
the fact that I had assisted, as I said in my opening 
testimony, the Red Team exercise CMS had engaged in to 
basically assess risks and identify mitigative actions to 
mitigate those risks in early 2013. Steve was actually not 
involved with that, and he was expressing concern about the 
fact that he wasn't synced up and was worried about a variety 
of different things.
    What I can say, as actually the email says, is that we did 
sync up. We were going to, and then I can report that we did 
sync up on the Red Team results and recommendations and the 
path forward on the steering committee and other items and his 
concerns basically were dealt with in a way that was 
satisfactory to him.
    Chairman Broun. My time is expired. I now recognize Ms. 
Johnson for five minutes.
    Ms. Johnson. Thank you very much, Mr. Chairman.
    Mr. Park, Mr. Broun summarized your explanation regarding 
deep dives by saying you had some supervisory responsibilities. 
Did you indeed have supervisory responsibilities?
    Mr. Park. I would not define it that way. I was an advisor 
assisting CMS, but CMS was responsible for delivering the 
Federally Facilitated Marketplace and the new HealthCare.gov.
    Ms. Johnson. How would you describe your work on 
HealthCare.gov during your tenure there as CTO?
    Mr. Park. Yes. So we are talking about the new 
HealthCare.gov, the Federally Facilitated Marketplace. I will 
again describe it as I referred to in my opening testimony. I 
assisted CMS in a few different capacities, serving as a co-
chair of this interagency steering committee, focused on 
providing a venue for agencies to work together on interagency 
issues in support of the hub, assisting with the Red Team 
exercise and follow-up to the Red Team exercise that summer, 
serving from time to time as a spokesperson, as a liaison, as 
someone who could help with particular questions. I began as an 
assistant, as an advisor to CMS and certainly not as the person 
who was the hands-on project manager running the thing. I was 
doing this assistance work as I was fulfilling my much broader 
portfolio of duties as Technology Policy and Innovation Advisor 
at the White House.
    Ms. Johnson. Could you give me a little idea as to what 
that broader responsibility for being the Chief Technology 
Officer over and above or around or in conjunction with, in 
whatever you want to put it, for the dot.gov program for the 
health care?
    Mr. Park. Yes, ma'am. So as U.S. CTO, my job was to be a 
technology policy and innovation advisor at the White House 
focused on how can technological innovation help build a 
brighter future, create a brighter future for the country and 
for the American people. So there was a wide range of 
initiatives that I worked on and championed, so you mentioned 
one in your opening statement, you mentioned a few, but the 
open data policy, open data initiatives work of the 
Administration, which really focused on opening up the 
information and knowledge in the vaults of the federal 
government such as weather data, health data, energy data, 
public safety data, et cetera, as machine-readable fuel that 
taxpayers had paid for and returning it back to the American 
people and American entrepreneurs and American innovators and 
researchers to turn into all kinds of incredible new products, 
services and companies that help people and that create jobs.
    I also was one of the creators and leaders of the 
Presidential Innovation Fellows program, which was an effort to 
bring in the most amazing technologists and tech entrepreneurs 
from outside government and team them up with the best people 
inside government to work on projects like Blue Button, which 
has enabled well over 100 million Americans to be able to 
download copies of their own health information. I did a whole 
bunch of work in figuring out how we could tap into the 
ingenuity of the private sector to help use the power of 
technology to fight the evil of human trafficking, to help 
improve disaster recovery and response, and other key 
priorities. I worked on policy issues like how do you advance a 
free and open Internet, how do you actually massively improve 
the supply of and utilization of wireless spectrum, and more. 
It is the most amazing experience I have ever had.
    Ms. Johnson. It appears to me that though you were a person 
that could be asked a question or included in a loop that your 
responsibilities were really very broad and really had no key 
responsibility toward the HealthCare.gov.
    Mr. Park. So there was a chunk of my time that I reserved 
for basically being helpful, being an advisor on issues that 
came up beyond the initiatives that I was championing or co-
championing. That is the bucket in which I put being helpful to 
CMS on HealthCare.gov, which I did try to do in the capacities 
that I described.
    Ms. Johnson. Thank you very much. I yield back, Mr. 
Chairman.
    Chairman Broun. Thank you, Ms. Johnson. Now I recognize the 
full Committee chairman, Mr. Smith, for five minutes.
    Chairman Smith. Thank you, Mr. Chairman.
    Mr. Park, thank you for being here today.
    Mr. Park. Thank you, sir.
    Chairman Smith. As I understand it, you were briefed and 
given notice on several occasions that there were problems with 
the Obamacare website. So my question is, did you believe that 
the website was secure when it was first made operational?
    Mr. Park. So I think over the course of any large-scale 
digital project, there are issues and challenges that come up, 
so----
    Chairman Smith. Did you think the website was secure before 
it was operational?
    Mr. Park. I did, sir, to the best of my understanding.
    Chairman Smith. Despite the warnings you got, despite the 
briefings you had pointing out the problems, you still thought 
it was secure?
    Mr. Park. My understanding was that it was.
    Chairman Smith. What did you think yourself?
    Mr. Park. Again, I am not an expert.
    Chairman Smith. Did you discount the briefings and the 
notice that you had gotten?
    Mr. Park. So which briefings and notices are you referring 
to, sir?
    Chairman Smith. Well, there was a Red Team, there were 
emails, and then other indications that you knew that there 
were problems.
    Mr. Park. So the Red Team exercise didn't really focus on 
security. The Red Team focused on how the project was being 
run.
    Chairman Smith. The Mackenzie report is what I am talking 
about that pointed out the problems.
    Mr. Park. Yes, I am referring to the same report, sir. So 
it didn't really focus on security, it focused on how the 
project was operating and running generally.
    Chairman Smith. But they still pointed out problems, and 
you still decided that they were not significant enough, I 
guess, to put you on notice that it shouldn't be operational?
    Mr. Park. So the Mackenzie report again addressed the 
general management of the project and talked about----
    Chairman Smith. Again, they pointed out the problems but 
you discounted the problems?
    Mr. Park. Each of the issues, the risks, was tied to an 
action to mitigate that risk and deal with that risk.
    Chairman Smith. So you think all the risks were addressed 
before the website was made operational?
    Mr. Park. I think that the risks identified by the Red Team 
report, my understanding is that they were addressed.
    Chairman Smith. Well, that is amazing because both then and 
more recently, all the various studies that were conducted, not 
a one found that the website was secure, not a one found that 
the website was without risk.
    More recently, the U.S. Government Accountability Office 
found ``HealthCare.gov had weaknesses when it was first 
deployed including incomplete security plans and privacy 
documentation, incomplete security tests, and the lack of an 
alternative processing site to avoid major service 
disruptions.'' This report also finds ``weaknesses remain both 
in the processes used for managing information security and 
privacy and so forth.''
    So you have these outside studies saying that it was not 
secure at the beginning and it remains insecure. Do you think 
the website is secure today despite all these warnings by 
independent, objective entities?
    Mr. Park. So CMS is the best source of information about 
the detailed security----
    Chairman Smith. Do you discount the Government 
Accountability Office's review? The language I just read to you 
are direct quotes from the GAO.
    Mr. Park. So sir, I am not an expert in this arena. I don't 
want to comment on something----
    Chairman Smith. You said repeatedly that you were an 
advisor. As an advisor, do you advise people that the website 
is secure today?
    Mr. Park. That is not the area where I really concentrated 
my advisory work.
    Chairman Smith. Well, knowing what you know now, do you 
consider the website to be secure today?
    Mr. Park. So based on my understanding, I would use it. I 
would have family----
    Chairman Smith. No, no, I didn't ask you whether you would 
use it. That is easy for you to say yes. Do you think the 
website is secure today?
    Mr. Park. My understanding is----
    Chairman Smith. Would you advise the American people that 
the website is secure today?
    Mr. Park. My understanding is that it is, but again, I 
would say that the best----
    Chairman Smith. Despite the GAO, despite all these studies, 
despite all these reports saying it is not, you still think it 
is?
    Mr. Park. The best source of information about that is CMS, 
and they have a dedicated team----
    Chairman Smith. Well, they are obviously biased. They have 
got an in-house conflict of interest to say anything else. Do 
you discount all these third-party entities, these credible 
organizations saying that it is insecure? Do you disagree with 
them?
    Mr. Park. Sir, again, I would just refer you to CMS for----
    Chairman Smith. Like I said, you are asking the people that 
developed the plan whether it is secure. What else are they 
going to say? I was asking you as an advisor whether you 
thought these independent entities' reports were accurate or 
not.
    Mr. Park. I can't say that I have actually gone through----
    Chairman Smith. Okay. My last question is this. Did you 
advise the White House at any point or meet with the White 
House or brief the White House about Obamacare's roll-out?
    Mr. Park. Sir, can you repeat the question?
    Chairman Smith. Did you at any point brief the president or 
the White House about the Obamacare website before it went 
operational?
    Mr. Park. So as I can recall----
    Chairman Smith. And definitely how many times if you did.
    Mr. Park. As I can recall, I gave a briefing to senior 
White House officials about the results of the Red Team review 
and----
    Chairman Smith. How many times did you brief White House 
personnel?
    Mr. Park. So if you were talking about senior White House 
advisors----
    Chairman Smith. How many times roughly?
    Mr. Park. I can recall two.
    Chairman Smith. And during either of those times, if two or 
more times, did you ever say anything to them about the 
problems that were inherent in the system or about any of the 
warnings that you had received?
    Mr. Park. So in both the Red Team briefing from early 2013 
and then the follow-on in July----
    Chairman Smith. Well, again, my question was fairly 
specific. Did you alert the White House staff to any problems 
with the website?
    Mr. Park. So we were very clear, yes, about the risks 
identified by the----
    Chairman Smith. You did make it clear to the White House 
that there were risks?
    Mr. Park. That there were risks and here are the actions to 
mitigate those risks.
    Chairman Smith. But the actions had not been taken yet or 
that they had been taken yet?
    Mr. Park. Well, the actions at the time we identified the 
Red Team risks, we presented both the risks and the actions, 
and then in July we said that the actions had been taken.
    Chairman Smith. Okay. So you notified the White House of 
the risk and then you came back later and said that you had 
limited those risks even despite outside entities saying that 
there were still problems?
    Mr. Park. So this was specifically on how the project was 
being run, so--and again, just to be super clear, I briefed on 
the Mackenzie work to senior White House officials that there 
were risks that needed to be dealt with, and then there were 
actions that were needing to be taken to mitigate those risks.
    Chairman Smith. Okay. Thank you.
    Mr. Park. --and then----
    Chairman Smith. That answered my question. Thank you, Mr. 
Park.
    Thank you, Mr. Chairman.
    Chairman Broun. Thank you, Chairman Smith. I now recognize 
Mr. Peters for five minutes.
    Mr. Peters. Thank you, Mr. Chairman, and thank you for your 
service on the Committee. It has been a pleasure to serve with 
you and I wish you the best going forward. Thank you.
    There has been some suggestion and some discussion on the 
security of HealthCare.gov in reference to a hack over the 
summer, and it is not necessarily true that that means that the 
site is insecure. HHS worked with the Department of Homeland 
Security to analyze the effects of the package found on the 
site, and according to the Director for U.S. Computer Emergency 
Readiness at DHS, this type of malware is not designed to 
extract information. There is no indication that any data was 
compromised as a result of the intrusion.
    I would like, Mr. Chairman, unanimous consent to enter into 
the record a letter from Ms. Tavener to Congressman Issa of 
November 14, 2014, in which Ms. Tavener states that no one has 
maliciously accessed personally identifiable information from 
HealthCare.gov.
    Chairman Broun. Hearing no objection, so ordered.
    [The information appears in Appendix II]
    Mr. Peters. Thank you.
    Thank you, Mr. Park, for being here. In your testimony, you 
mentioned that you were not the project manager of 
HealthCare.gov but you functioned as the project manager for 
other projects when you were in the private sector. Is that 
correct?
    Mr. Park. Yes, sir.
    Mr. Peters. Since my colleagues have suggested that you 
were the project manager of HealthCare.gov or functioned as 
such, I thought it would be helpful to discuss the kinds of 
activities that a project manager does. And you founded 
Athenahealth with Jonathan Bush, incidentally, the cousin of 
former President George Bush, is that correct?
    Mr. Park. Yes, sir, my best friend.
    Mr. Peters. Athenahealth provides healthcare practices with 
services including cloud-based medical billing and electronic 
medical record services, which aims to make healthcare more 
efficient and effective, correct?
    Mr. Park. Yes, sir.
    Mr. Peters. Since you built the company, can you describe 
what was involved in creating the company from the ground up? 
What tasks were involved with developing a new IT company?
    Mr. Park. Thank you, sir.
    So as I think others who have had similar experiences would 
share, you know, it is a big, complex undertaking. You put 
together the best team that you can. You raise initial money. 
You put together the best plan you can but understand that that 
plan is likely to survive about 17 seconds of contact with 
reality. You put together an initial prototype as fast as you 
can of your product to try to figure out, you know, based on 
actual customers using it, what the real issues are and real 
opportunities are and then you iterate the plan, you iterate 
the product, you iterate execution constantly, right----
    Mr. Peters. Right.
    Mr. Park. --and it is an all-consuming thing and you have 
in your head each key axis of effort, how conditions are 
changing, how plan, product execution are changing constantly----
    Mr. Peters. Is it fair then----
    Mr. Park. --and balance all of that together.
    Mr. Peters. Is it fair then to say when you are on the 
project management, you are very hands-on? At Athena you had a 
comprehensive, deep understanding of the efforts, very detailed 
knowledge of the projects and products based on your day-to-day 
engagement?
    Mr. Park. Absolutely.
    Mr. Peters. Okay. So what is the difference between that 
role at Athenahealth and the role you played with respect to 
the healthcare marketplace as CTO and the government?
    Mr. Park. It is night and day, sir, as I think anyone who 
has built a company or led a large initiative would tell you. I 
again did advise and assist CMS in a few different capacities, 
as I described in my testimony and earlier--in testimony and 
earlier.
    The--but again, it is just--it is very different from being 
the project leader, the project manager, actually running the 
day-to-day and having the kind of comprehensive, detailed, 
multi-axis knowledge that you have in that context.
    Mr. Peters. In one of the emails that the Committee has 
provided, you describe yourself as a consigliere. Is that kind 
of what you mean, as an advisor?
    Mr. Park. As an advisor, yeah.
    Mr. Peters. Okay. I want to--I do think that--it strikes me 
that the role of project manager is fairly well-defined as 
being different from what you were doing. I think that is 
pretty clear.
    I just offer, too, that one of the mistakes we make here in 
Congress is pulling people out of the bureaucracy and beating 
them up when we are all really trying to get the same place. We 
would like to get our government to be functioning--a 
healthcare website that is functioning. And I am--I would just 
observe that I have seen this in the Armed Services Committee, 
too. We are trying to get the best technology people we can to 
come work for the government, and in the federal--in the 
defense side we have a great need for cyber warriors and we 
have to be very sensitive about how we treat people like you 
and like those folks who can be in the private sector making 
much more money but who are willing to give up their time, to 
delay their careers, to step out of them and to help the 
government.
    And I want to thank you for your service. I want you to 
know that I appreciate it and I hope you are able to help 
continue to recruit the very, very best to come help us in this 
effort and other efforts throughout the government.
    Thank you, Mr. Chairman, and I yield back.
    Mr. Park. Thank you, sir.
    Chairman Broun. Thank you, Mr. Peters.
    Now, I recognize Mr. Sensenbrenner for five minutes.
    Mr. Sensenbrenner. Thank you very much, Mr. Chairman.
    Mr. Park, when you testified before the Committee on 
Oversight and Government Reform, you repeatedly claimed 
ignorance about any issues with HealthCare.gov prior to the 
website's launch. You testified that you had ``no detailed 
knowledge base of what actually happened pre-October 1.'' You 
further testified that you were not deeply familiar with the 
development and testing regimen that happened prior to October 
1.''
    But the email record tells a very different story. On June 
11, you emailed staff at CMS asking to ``check in on how things 
are going with respect to Marketplace IT development and 
testing.'' On June 26, you said you would visit Henry Chao of 
CMS and his team for ``one of our evening deep-dive sessions,'' 
and on July 12, Henry Chao referenced a briefing that you were 
doing for the President. If you were preparing to brief the 
President and doing deep-dives with CMS staff in June and July 
2013, how can you claim to have no knowledge of issues prior to 
October 1 of that year?
    Mr. Park. So thank you for the opportunity to answer your 
question.
    So what I said at the hearing last November was I didn't 
have really detailed knowledge--a really detailed knowledge 
base, if I recall correctly, of what actually happened in the 
run-up to October 1. And as I have described previously, when I 
say ``really detailed knowledge base of what actually 
happened,'' that is the kind of knowledge that comes from being 
the hands-on project manager running the thing and not the kind 
of knowledge that one would have as an assistant advisor who, 
on a series of occasions, meets with the people who are running 
the thing and asks questions. So that is what I would say.
    Mr. Sensenbrenner. Well, obviously on the June 11 email, 
where you said you were going to check in on how things were 
going with respect to marketplace IT development and testing, 
you just didn't ask that question out of the blue. Obviously, 
you decided to try to check up on this. And then I don't know 
what goes on at deep-dive briefings. I imagine that there is 
quite a bit of detail that goes on. But I guess it kind of 
boggles my mind that if you didn't know the detail of that, why 
were you asked to go and brief the President? Wasn't he 
interested in really the detail of what was going on, not just 
whether it was going well or not?
    Mr. Park. Could you just refer me again to the email you 
are talking about?
    Mr. Sensenbrenner. Okay. I referred to two emails. You 
emailed the staff at CMS to check in on how things were going 
with respect to marketplace IT development and testing, and 
then on June 26, two weeks and a day later, you said you would 
visit Henry Chao and his team for an evening deep-dive session.
    Mr. Park. Could you just refer me--I am so sorry--for the 
tabs in the binder?
    Mr. Sensenbrenner. I don't know if you have the same binder 
I have.
    Mr. Park. I see.
    Mr. Sensenbrenner. This is the tab on the deep-dive 
session, number 8.
    Mr. Park. Okay. So, again, just speaking to this session, 
the difference between the really detailed knowledge base that 
you have as a hands-on project manager and the knowledge that 
you have from asking people on the project a set of questions 
over the course of a few hours is, again, just night and day.
    And also I think to address something you asked earlier, 
the--as I recall, the trigger event for the check-in that you 
described was to follow up on the Red Team recommendations with 
respect to how the project should be managed and make sure 
those recommendations had been implemented by CMS. And so that 
was the trigger event for the inquiry.
    Mr. Sensenbrenner. Well, you denied involvement in your 
testimony before the OGR Committee, but obviously you were 
involved because you asked how things were going, then you 
asked for a deep-dive briefing and you came in to brief the 
President on this. It seems a complete disconnect between you 
claiming ignorance and the information you did get filled you 
in and you certainly weren't ignorant. How can you say that 
when you came in to brief the President, you briefed him from a 
base of ignorance?
    Mr. Park. So, again, just to respectfully disagree with 
something you said earlier, I don't believe I have said----
    Mr. Sensenbrenner. Um-hum.
    Mr. Park. --to the Committee last November that I had no 
involvement whatsoever. What I said was I didn't have a really 
detailed knowledge base of what actually happened in response 
to a question about something or other. So--but, again, the 
point I wanted to make was that I didn't have that level of 
really detailed knowledge. I did have the kind of involvement 
that I described in my testimony earlier.
    Mr. Sensenbrenner. Well, my last question is what did you 
tell the President about HealthCare.gov when you briefed him?
    Mr. Park. So at the Red Team briefing in early 2013 and 
then in the follow-up, as I recall, the gist was here are the 
Red Team recommendations in terms of the risks identified and 
what to do about them, and then in the follow-up in the summer, 
as I can recall, the briefing again to senior White House 
officials was that CMS implemented the key Red Team 
recommendations.
    Mr. Sensenbrenner. Did you brief the President or senior 
White House officials or was somebody other than the President 
there?
    Mr. Park. At those two meetings, as I recall, the President 
was there.
    Mr. Sensenbrenner. Thank you.
    Chairman Broun. Thank you, Mr. Sensenbrenner.
    I now recognize Mr. Cramer for five minutes.
    Mr. Cramer. Thank you, Mr. Chairman, and thank you, Mr. 
Park.
    Mr. Park, I want you to look at tab 5 in the binder if you 
would, please.
    Mr. Park. Thank you, sir.
    Mr. Cramer. Um-hum. So this is an email that has become a 
little bit famous today. It is an email from Michelle Snyder to 
you dated September 29, 2013, posted at 6:22 p.m. In this 
email, which, by the way, ends by her asking you to delete it, 
she writes, ``just so you know, she decided in January we are 
going no matter what, hence the really cruel and uncaring march 
that has occurred since January when she threatened me with a 
demotion or forced retirement if I didn't take this on. Do you 
really think she has enough understanding of the risks to fight 
for a delay? No, and hell no. For just one moment let's be 
honest with each other.''
    Now, Mr. Park, it is a reasonable inference that the 
``she'' in the email is Marilyn Tavenner because Ms. Snyder is 
responding to an email from you to her that same day at 5:54 
p.m. that says ``MT said that she appreciates the additional 
info we will generate tonight, but that she and she alone will 
make the decision to go or not.''
    Mr. Park, what were these risks that Ms. Snyder referenced 
in her email that she asked you to delete?
    Mr. Park. So at the time what I recall I was doing was 
helping CMS basically get hardware--additional hardware in 
place to provide additional server capacity for the federally 
facilitated marketplace, and that was the issue that we were 
talking about.
    Mr. Cramer. So the risk was there wasn't enough hardware? 
In other words, you testified that you thought everything was 
ready to go, that you were confident. This is September 29. I 
mean the risk was hardware?
    Mr. Park. So the risks I think that are being referred to 
in this email is that based on what we had been talking about 
where I had been asked to be helpful, and the hardware did 
actually get to where it needed to go in an operation that 
worked pretty well.
    Mr. Cramer. In this same email chain, about three hours 
earlier, she asked you this question--which is, by the way, 
located in tab 6.
    Mr. Park. Oh, thank you, sir.
    Mr. Cramer. Sure. She asked a series of questions, but one 
of them is ``should we go live on October 1?'' Now, again, I 
remind you this is September 29 so she is asking pretty close 
should we be going live on October 1?
    Mr. Park. I am sorry, who--what--could you just say that 
one more time? So who is asking who?
    Mr. Cramer. So in--it is the same email chain you asked 
Ms.--I am sorry, you asked Ms. Snyder a series of questions, 
one of which is should we go live on October 1. So when you 
asked her that question, obviously you had some concern it 
would seem to me earlier that day about whether they should 
even go live.
    Mr. Park. So, again, as I recall as I am looking at the 
email, I was suggesting a set of questions for her to think 
about as an advisor, and again, this was really again focused 
on the task of getting the hardware in place----
    Mr. Cramer. Did you ask the same question of anyone else? 
Whether it was Henry Chao or maybe somebody in the White House, 
Marilyn Tavenner, or was this just between you and Ms. Snyder? 
Did you raise this question with other people that might be in 
a position to do something more about it?
    Mr. Park. So I think Michelle was actually, as I recall, 
pretty central to us, and so I was injecting this set of 
questions as questions I thought that would be good for CMS to 
think through in the run-up.
    Mr. Cramer. Some of these risks that Ms. Snyder was 
raising, did you ever share them? Because clearly there is this 
confidence, it appears, between you and her. She references in 
other parts of the rant probably or possibly losing her job if 
she raises these risks with the wrong people. In fact, she did, 
of course, announce her resignation not too long after all of 
this.
    What I am trying to get at is that as an advisor, was your 
advice only given to this one person or to others higher up the 
chain? I mean considering that earlier you testified that you 
did of course brief the President himself. Was there other 
concern raised by other people to these risks that seem to be 
so central between you and Ms. Snyder?
    Mr. Park. So with respect to what we are talking about 
here, which, as I recall, are risks associated with not having 
enough server capacity, the CMS senior management team, Office 
of Health Reform at the White House were following what was 
happening very closely.
    Mr. Cramer. And that gave you all the confidence in the 
world, that extra server space? That was all that was 
necessary----
    Mr. Park. Well, the specific question that I got asked to 
be helpful on was getting hardware to the data center for 
additional server capacity, and that operation did end up being 
successful as I recall.
    Mr. Cramer. All right. My time is expired, Mr. Chairman. 
Thank you.
    Chairman Broun. Thank you, Mr. Cramer.
    Now, I recognize Mr. Posey for five minutes.
    Mr. Posey. Thank you, Mr. Chairman.
    Mr. Park, in an email chain with the subject heading ``How 
serious are you about using Homestead Air Force Base to get the 
equipment to Culpepper,'' this is dated September 28, 2013. It 
is located in your tab 12.
    Mr. Park. Thank you, sir.
    Mr. Posey. You and Mr. Henry Chao worked with Mrs. Laura 
Fasching from Verizon Terremark to discuss several last-minute 
options to transport some hardware or computer equipment by 
either private ground, private jet, cargo, or even Air Force 
jets.
    For someone claiming to not have a detailed knowledge base 
of what actually happened pre-October 1, you seem to be all-in 
on a lot of aspects of operations related to the HealthCare.gov 
website. So, I am wondering whose idea it was to procure the 
equipment, and what the need was for spending $40,000 of 
taxpayers' money to transport computer equipment by plane?
    Mr. Park. So, first of all, thank you for the question. 
Just to clarify, when I say really detailed knowledge base of 
what actually happened prior to October 1, I am not talking 
about like one narrow aspect of what happened; I am talking 
about the full breadth of what happened over the course of the 
project. And as I have said, I did assist and advise CMS in a 
few different capacities. This was one where what happened is 
CMS contacted me, as I can recall, and said we think we have, 
long story short, a need for additional hardware to get to the 
data center, and they were the ones who teed up the notion of 
potentially a military option. And I volunteered to help look 
into that for them.
    Mr. Posey. Okay. Is it routine for a White House official, 
or actually, an assistant to the President, as you were at the 
time, to be engaged in last-minute discussions with a 
contractor about the delivery of computer equipment? Why and 
how did you get involved in that?
    Mr. Park. So my style is to try to help in every way I 
possibly can, and so I got asked to help with this and I threw 
myself into trying to help. And although the military option 
ended up not being used; it didn't have to be used; there was 
private transport, the operation to get hardware there worked 
out.
    Mr. Posey. It sounds like a pretty detailed knowledge base.
    Mr. Park. Not of the whole project and how it was working. 
This is one very specific, very narrow aspect and one episode 
in time.
    Mr. Posey. You also appear to be the point of contact for 
most interactions with technology companies and people such as 
Palantir, Red Hat, Alex Karp, MITRE, and even Gartner, a 
company used to help with the Administration's messaging on 
HealthCare.gov around the time of a Committee on Homeland 
Security hearing on September 11, 2013. In fact, a Gartner 
analyst provided a quote that the statements made in a CMS 
letter to the Ranking Member of Homeland Security Committee 
``represent current best practices for the protection of 
sensitive and regulated data and systems.'' That is in tab 14.
    Mr. Park. Oh, thank you, sir.
    Mr. Posey. I am wondering how often did you reach out to 
such companies or people to talk about aspects of the 
HealthCare.gov website for either PR purposes or technical 
purposes?
    Mr. Park. Not that often, as I can recall. But on the 
several occasions, yes.
    Mr. Posey. And what others do you recall?
    Mr. Park. Well, so you mentioned this one. I can speak to 
Red Hat. So what happened there was that CMS asked me to be on 
the phone with them as they asked for additional Red Hat 
resources to be applied and just to communicate that this was a 
top priority of the government, which I volunteered to do.
    I can talk to the Palantir example. So they are--you know, 
as part of my role as a facilitator, I connected Palantir to 
CMS to have a discussion at a high level about cybersecurity.
    Mr. Posey. That is a little bit beyond the scope of 
advisory, though, wouldn't you think?
    Mr. Park. Not in my experience, no.
    Mr. Posey. Okay. Arranging contractors to get together 
and----
    Mr. Park. No, we actually--it is assisting, as I have said, 
in a few different capacities.
    Mr. Posey. What did they have to say about the website? Did 
they ever provide feedback to you on the security aspects of 
the website?
    Mr. Park. So as I can recall, the Palantir conversation, I 
think the experts said here is what you should be thinking 
about, and CMS said that basically accords with what we are 
thinking about. So that was what I recall of the call.
    Mr. Posey. And that is the only time you are aware of any 
security issue at all?
    Mr. Park. Again, and that call basically it was a very 
high-level call and Palantir said just kind of not with any 
particular knowledge of HealthCare.gov but here are the kind of 
things that represent cybersecurity best practices and CMS 
said, yes, that makes sense; that is what we are thinking, too.
    Mr. Posey. Yeah. You had mentioned that you would use the 
website. Just out of curiosity, are you enrolled in ObamaCare?
    Mr. Park. I am not but I continue to get my insurance 
through the Federal Government. But my tour of duty in 
government, which has been the greatest experience of my life, 
will at some point end and then I am very excited about 
enrolling in Covered California, which is the marketplace in 
California, when I do roll off.
    Mr. Posey. Yeah. The people who wrote the bill aren't in it 
either so don't feel bad about that.
    My time is expired, Mr. Chairman. Thank you.
    Chairman Broun. Thank you, Mr. Posey.
    Now, Mr. Johnson from Ohio, you are recognized for five 
minutes.
    Mr. Johnson. Thank you, Mr. Chairman.
    Good morning, Mr. Park.
    Mr. Park. Good morning, sir.
    Mr. Johnson. You and I share something in common. My 
background is thirty years in information technology. I have 
never been a Chief Technical Officer, but I have certainly been 
a Program Manager, Project Manager, Chief Information Officer, 
and even had Chief Technical Officers work for me.
    Mr. Park. God bless you.
    Mr. Johnson. Yeah. So I certainly understand from where you 
come. And I must confess to you, Mr. Park, that I find it a 
little bit disingenuous that you would qualify or classify your 
role in all of this as simply an advisor.
    In 2008, when the President issued a position paper on the 
use of technology in innovation, he talked about standing up 
the Nation's first Chief Technology Officer. And to quote from 
what came directly from at that time the campaign website it 
said that ``the CTO will ensure the safety of our networks and 
will lead an interagency effort working with the Chief 
Technology and Information Officers of each of the Federal 
agencies to ensure that they use best-in-class technologies and 
share best practices.''
    In November of 2008, the President reiterated his 
intentions, and again quoting from the President-elect's 
website that he would ``appoint the Nation's first Chief 
Technology Officer to ensure the safety of our networks.'' 
Before that, it said ``ensuring the security of our networks.'' 
So whether you envisioned your role being an advisor, the 
President said you were responsible. That is what ``ensuring'' 
means. As a CIO, and as a Project Manager, I know what 
``ensuring'' means. It was your job to ensure the safety and 
security of those networks, at least according to what the 
President was telling the American people.
    So I want to go to your role as the co-Chair of the ACA IT 
Exchange Steering Committee. If I look at the charter that set 
that up, one of the responsibilities in there is to direct the 
formulation of workgroups to identify the barriers and 
recommend fixes and those kind of things, and two of those 
working groups were directly related to data-sharing and 
privacy and security harmonization. What was your role then as 
the co-Chair? You either misrepresented your knowledge of 
cybersecurity to the President or you didn't do your job. Which 
was it?
    Mr. Park. So thank you for the opportunity to address I 
think a couple different questions embedded in there. And I 
respect your service as technologist, sir, to the country.
    So the position of U.S. CTO has evolved quite a lot I think 
over the years. And what I can represent is what I did in the 
role, and cybersecurity ops for the Federal Government has very 
much not been part of my role.
    Mr. Johnson. I don't want to use the whole time just 
pontificating, Mr. Park. When you were with Athenahealth, was 
cybersecurity a part of what you considered important in 
standing up that cloud-based system?
    Mr. Park. Sure.
    Mr. Johnson. It was?
    Mr. Park. Um-hum.
    Mr. Johnson. Okay. On September the 2nd of 2013, you sent 
an email to Christopher Jennings. It said, ``Hi, Chris. Here 
are the cybersecurity background points for you. The first 
three are the points CMS put together previously, which I am 
sure you have already seen. They are followed by a couple of 
points about next steps currently underway.'' So are you trying 
to tell this Committee that you knew nothing about the security 
failures and the security risks associated with HealthCare.gov?
    Mr. Park. Would you mind just pointing me to the email that 
you are referencing? I think it is----
    Mr. Johnson. I am not sure where it is in your tab, but I 
have got it here. I don't know where it is in your tab.
    Mr. Park. Well, okay. Let me just speak to the episode that 
I think you are talking about, but long story short because I 
know we have very little time left, so the content that was put 
together for Office of Health Reform on cybersecurity was 
content supplied by CMS and HHS.
    Mr. Johnson. But, Mr. Park, there you are being 
disingenuous again. You are the Nation's CTO appointed by the 
President to ensure the safety and security of our networks. 
You can't just say this was CMS's responsibility. And let me 
remind you that you can delegate responsibility to people that 
do the actual coding, to Project Managers and Program Managers, 
but you can't delegate accountability.
    Mr. Park. So again, sir----
    Mr. Johnson. And you were responsible. You are accountable 
to the President and to the American people. Now, you have 
testified this morning that you briefed the President several 
times. Did you ever once tell the President that you had 
concerns about the security of the system in your role as Chief 
Technical Officer and co-Chair?
    Mr. Park. So, again, to go back to I think a fundamental 
misunderstanding, in my role as U.S. CTO I haven't been--the 
cybersecurity operations hasn't been a focus----
    Mr. Johnson. But it was as co-Chair of the Steering 
Committee. It was clearly in the charter, the co-Chair of the 
Steering Committee. You did have that responsibility.
    Mr. Park. I was co-Chair on a--one of three co-Chairs on a 
committee organized by OMB and there was a privacy security 
subgroup, as you have mentioned.
    Mr. Johnson. But----
    Mr. Park. That was staffed and led by agency personnel and 
was really self-propelled and driven by them. The point of us 
as co-Chairs was to provide a neutral venue where they could 
get together to do that work.
    Mr. Johnson. Well, that is not my reading of the charter, 
but my time has expired, Mr. Chairman, and I will yield back.
    Chairman Broun. Thank you, Mr. Johnson.
    Now, I recognize my friend Eric Swalwell for five minutes.
    Mr. Swalwell. Thank you, Mr. Chairman.
    I also would like to take a moment to thank you for your 
service and you served two years as Ranking Member and four 
years as Chairman of this Committee and you have always 
conducted yourself and your chairmanship with dignity and 
courtesy. And I know Mr. Maffei has also shared that with me 
privately. And so I wanted to thank you for that.
    Today may be a day of disagreement but I sincerely believe 
that if we conduct this hearing fairly, as we have in the past, 
that we will emerge as a more--we will emerge with a better 
understanding of what Mr. Park did and, most importantly, did 
not do with respect to HealthCare.gov.
    Fairness is particularly important because this hearing has 
the feeling quite frankly, as a former prosecutor, of a trial, 
and the only witness before us is Mr. Park. The title of the 
hearing implies that we are going to examine his involvement in 
the development of the HealthCare.gov website, but most 
significantly, a staff report released by you, Mr. Chair, and 
Chairman Smith on October 28 functions as a prosecutor's 
memorandum that makes very damning allegations regarding Mr. 
Park's honesty before the Committee on Oversight and Government 
Reform and Dr. Holdren's candor in his replies to this 
Committee regarding Mr. Park's involvement in cybersecurity. As 
a former prosecutor, I believe that allegations made against 
Mr. Park can place him in legal jeopardy. He deserves a chance 
to tell his own story and put these allegations to rest and I 
believe he can do that.
    Mr. Park is a successful entrepreneur in the IT world who 
took a break from developing successful companies to come to 
Washington, D.C., to help the government and the country think 
of creative ways to use information technology to improve our 
economy and address important social problems. He is a patriot 
and he is a son of immigrants who have played their own role in 
keeping the American economy vibrant and expanding. Mr. Park's 
parents, I understand, are here today, as is his wife, as is 
his pastor and friends from the IT business world.
    I mention this to remind all Members to not confuse their 
feelings towards the Affordable Care Act with Mr. Park as a 
person. He served the public and did his best and should be 
thanked for his contributions. In fact, Mr. Park has returned 
to the Bay area, and I know people personally who have been 
contacted by Mr. Park who he is trying to recruit to bring 
bright, young, innovative stars to the IT world and to take a 
break from the multimillion dollar contracts that they have in 
Silicon Valley, come out to Washington, D.C., and try and solve 
problems. I cannot imagine that this helps him make that case. 
In fact, this probably makes it much harder for him to make 
that case, to go through a process like this.
    I have reviewed a minority staff report, which I ask to be 
made part of the record, built on a complete review of the 
documents produced by the White House. The staff makes a very 
strong argument supported by White House documents that Mr. 
Park did not have a deep, direct, or intimate involvement in 
any of the work of developing the online marketplace launched 
on October 1, 2013, or the cybersecurity standards and 
techniques used for the site. If he was playing such a role, 
there should be monthly progress reports from contractors that 
show progress against deliverables and requirements, costs of 
work, a critical path analysis that identifies where problems 
threatened the successful launch, and a discussion of the 
integration process for the site across an army of contractors 
on the project.
    None of these documents have been produced because Mr. Park 
was not the day-to-day manager on the project. Nor are there 
any kind of documents that any of the contractors produce doing 
the actual work could possess, which would result or include a 
discussion of code, performance, and testing results. Those 
documents can be found at CMS, which managed this complex 
acquisition among the contractors.
    I believe that Mr. Park's job was about trying to push 
technology, and the record and evidence supports that, 
technology throughout all levels of the country to improve our 
competitiveness and quality of life. As just one example, Mr. 
Park drove an initiative to find innovative methods to use IT 
and big data to combat human trafficking. I don't think there 
is any Member who favors human trafficking. That is about as 
nonpartisan as an initiative as you can get. Mr. Park was 
working full-time in a much wider swath of issues and areas 
than HealthCare.gov. Members, I hope, will not lose sight of 
that and get tunnel vision about Mr. Park simply because we 
have such a narrow set of records.
    I believe that if Mr. Park is given a fair chance, a fair 
opportunity to answer questions here today, that Members on 
both sides of the aisle will conclude that Mr. Park was not a 
principal actor in the development of HealthCare.gov prior to 
October 1, 2013, and had no role in developing cybersecurity 
standards or techniques for the website.
    Mr. Park, I am going to apologize to you now for the way 
you have been treated and I am hopeful that you will get 
apologies from the Chairman and other Members by the end of 
this hearing.
    Thank you, Mr. Chair.
    Mr. Swalwell. And, Mr. Chair, I understand that the Chair 
will yield to me five minutes of questions, which I also 
appreciate.
    Chairman Broun. And you are recognized for five minutes for 
questions.
    Mr. Swalwell. Mr. Park, you are not a cybersecurity expert, 
are you?
    Mr. Park. I am not.
    Mr. Swalwell. Mr. Park, the White House provided several 
emails from you to CMS relating to cybersecurity. Was there 
ever a time where you were writing to CMS to give them 
direction on cybersecurity standards, design, testing, or 
tools?
    Mr. Park. Not that I can recall, no.
    Mr. Swalwell. When you wrote to CMS, Mr. Park, about 
cybersecurity, you were doing it because someone at the White 
House had asked you to gather information, whether for a 
briefing or meetings or to use as a press event for the White 
House, is that correct?
    Mr. Park. Correct.
    Mr. Swalwell. When Dr. Holdren wrote to this Committee that 
``Mr. Park and OSTP personnel have not been substantially 
involved in developing or implementing the federally 
facilitated marketplace's security measures;'' and ``Mr. Park is 
not a cybersecurity expert. He did not develop or approve the 
security measures in place to protect the website and he does 
not manage those responsible for keeping the site safe.'' Is 
every element of the statement made by Dr. Holdren that I just 
read correct?
    Mr. Park. Yes, sir.
    Mr. Swalwell. Henry Chao ran the website development for 
CMS and Mr. Chao told the White House--told the House Oversight 
and Government Reform Committee that he did not run the 
cybersecurity side of development. With 100 percent confidence 
do you know before October 2013 who was in charge of 
cybersecurity on this process?
    Mr. Park. I believe it was Tom Shankweiler, but I am not 
100 percent sure he was the leader.
    Mr. Swalwell. Henry Chao, who was doing the day-to-day 
management of the development of HealthCare.gov, was 
interviewed by the staff of the House Oversight and Government 
Reform Committee. He was asked if you, Todd Park, played a 
management role and replied that--this is Mr. Chao's words--you 
``didn't own anything meaning he didn't have the budget, the 
staff, the contractors, so the day-to-day management really 
still falls to the operating agencies.'' Is this an accurate 
statement, Mr. Park?
    Mr. Park. Yes, sir.
    Mr. Swalwell. Were you a manager on the HealthCare.gov 
website?
    Mr. Park. I was not a hands-on project manager, sir, as I 
have described. I did assist in particular ways that I have 
testified to earlier.
    Mr. Swalwell. Did you have any control, authority over 
budgets, staff, or contractors?
    Mr. Park. No, sir.
    Mr. Swalwell. And you asked Mr. Chao about attending the 
July 19 Readiness Review, which was to be an end-to-end review 
with all of the contractors about the state of the program. 
Initially, Mr. Chao said yes. Then you mentioned in an email to 
Michelle Snyder, Mr. Chao's supervisor, that you were going to 
be a ``fly on the wall at the event.'' And then Ms. Snyder 
responds that ``flies on the wall are seldom invisible and are 
often distracting.'' Then Mr. Chao writes a letter that the 
review is not the place for an observer. Did you go to this 
meeting?
    Mr. Park. I do not.
    Mr. Swalwell. You spoke with Mr. Chao and Ms. Snyder about 
getting a walk-through of the live website system as it was 
developing in mid-July. People are alleging that you were 
deeply involved in the implementation and development of the 
site so I assume that you got that walk-through very quickly?
    Mr. Park. As I recall, I believe the walk-through ended up 
happening with me and other officials in early September.
    Mr. Swalwell. Now, was that a walk-through that was 
exclusive to you or were there other officials present?
    Mr. Park. Other officials were present.
    Mr. Swalwell. Those managing or directing multibillion-dollar 
developmental projects always get a core set of documents 
to track progress. Usually, it is in the form of a monthly 
report from contractors that show their performance on 
requirements, the dollars spent, the value achieved, and the 
critical path issues. Without these detailed reports, Mr. Park, 
is it possible to have a detailed knowledge of how a project is 
going at an on-the-ground level? And if so, did you have any 
reports that would inform you on this?
    Mr. Park. You need those kinds of reports, and frankly, you 
need more. You need to be on the ground.
    Mr. Swalwell. And were you on the ground?
    Mr. Park. No, sir.
    Mr. Swalwell. Did you have those reports?
    Mr. Park. No, sir.
    Mr. Swalwell. Mr. Chairman, being a spokesperson or 
collecting talking points for a briefing does not translate 
into intimate involvement in the development and testing of the 
website. Mr. Park was not managing the acquisition, he was not 
directing the development or designing the cybersecurity 
system, and he sure as heck was not a contractor down in the 
trenches writing code, which I think is pretty apparent from 
his testimony. He was the Chief Technology Officer of the 
United States with the broad portfolio ranging from human 
trafficking to other important technology advising, and he did 
a lot more work with that portfolio than any two normal people 
could pull off. But at some point the actual evidence has to 
guide our opinion of Mr. Park, which is that he was not 
intimately involved in the development of HealthCare.gov.
    And I yield back.
    Chairman Broun. Thank you, Mr. Swalwell.
    And you remind me that, without objection, we will enter in 
the record our own majority staff report.
    [The information appears in Appendix II]
    Chairman Broun. Without objection, the Chair recognizes Ms. 
Bonamici for five minutes to ask questions.
    Ms. Bonamici. Thank you very much, Mr. Chairman, and thank 
you for allowing me to participate in this Subcommittee 
hearing. Even though I do not serve on this Subcommittee and do 
serve on the full Committee, it is an area of interest to me 
and I am glad to be here today. And I want to thank Mr. Park 
for being here and withstanding this line of questioning that 
frankly concerns me. I want to align myself with the remarks 
made by my colleagues Mr. Peters and Mr. Swalwell.
    When we have someone who has come and given so much to this 
country from the private sector and done so much, we want to 
make sure that we send a message to the American public that we 
appreciate your sacrifice and all of your hard work, Mr. Park. 
And I would imagine that when you said yes when you were asked 
to come and serve your country, you never imagined that you 
would be sitting in a Subcommittee hearing with what appears to 
be a game of gotcha about a whole series of emails.
    So I want to start by, again, saying thank you so much for 
your service. As someone who represents a district in Oregon 
with a lot of high-tech industry and innovation, I appreciate 
all you have been doing and understand that the drive for IT 
innovation to improve service delivery is something that we can 
all benefit from, so thank you for your expertise.
    Mr. Park. Thank you, ma'am.
    Ms. Bonamici. You are welcome. And apologies for perhaps 
being a bit repetitive on some of these issues, but I just want 
to make sure a couple of things are clear and that is what 
happens when you go last is that sometimes you sound like you 
are being repetitive.
    But I know that the title on the majority's report says 
something about ``knowingly put Americans' sensitive 
information at risk.'' And that is the title of the report. So, 
Mr. Park, did your interactions with the Administration 
personnel working on HealthCare.gov give you any cause to worry 
that they would knowingly put Americans' sensitive information 
at risk?
    Mr. Park. Not that I can recall, no.
    Ms. Bonamici. Thank you and I understand from the documents 
that were provided to us by the majority, what we have been 
looking at here is numerous emails that were exchanged with 
members of the Administration and officials on the subject of 
HealthCare.gov, but what we have not seen is what must be many 
emails that you have exchanged with them on other efforts that 
occupied your time. I know, for example, that you worked on the 
ConnectED initiative, and given my role on the Education 
Committee, I am grateful for your efforts with that as well.
    So we heard about a couple of other areas that you worked 
on but I understand that you oversaw at least 15 initiatives, 
including HealthCare.gov. So would you care to tell us a little 
bit about a few of those others just so we can understand the 
breadth of what you were doing?
    Mr. Park. Sure. And just to be specific, I think the 15 you 
are referring to, these are initiatives that I was either 
championing or co-championing. That didn't include 
HealthCare.gov. Advice and assistance to HealthCare.gov was 
something I classified into a chunk of my time that was set 
aside for reacting and helping on issues as they arose.
    But in terms of the 15 or so initiatives that I was 
directly helping to drive, as I described earlier, they 
included open data initiatives to help unlock the power of the 
data inside the Federal Government by making it available in 
machine-readable form for the public so that entrepreneurs and 
technologists could grab it and turn it into all kinds of 
incredible services and products and improvement in life and 
jobs, much as the National Weather Service's release of weather 
data has really powered all kinds of innovation in weather and 
jobs as a result.
    I championed a set of initiatives, as has been described, 
to do things like harness the power of private sector 
technologists and innovators to help fight the evil of human 
trafficking, rallying innovators to build tools that could help 
with that. I similarly did the same thing to help improve 
American disaster recovery and response. I worked on policy 
initiatives like how to advance a free and open internet, how 
to actually share wireless spectrum more efficiently and 
effectively across the country as demand for spectrum continues 
to increase significantly.
    I was a cofounder of the Presidential Innovation Fellows 
Program that brings in amazing technologists from the private 
sector to work with the best technologists in government on all 
kinds of exciting initiatives like Blue Button and Green Button 
to help Americans get access to their own health data, their 
own electricity usage data, and more.
    Ms. Bonamici. Well, thank you. And I think we get a sense 
from that of many of the areas where you do have expertise and 
where you did serve our country. And I want to suggest that the 
time on the Science Committee would have been much better spent 
on talking about some of those issues like open access, like 
innovation in healthcare technology rather than trying to get 
you to say that you are an expert on cybersecurity, which 
obviously from everything that I have read and seen and heard, 
you are not on this issue.
    So thank you again for spending your time here. Thank you 
for your service. And I hope that we can have you come back 
sometime and talk about those areas that the public would 
really be interested in hearing about. That to me, Mr. 
Chairman, would be a great use of Science Committee time.
    Thank you again, Mr. Park, for your service.
    Mr. Park. Thank you, ma'am.
    Chairman Broun. Thank you, Ms. Bonamici. Your time is 
expired.
    Before we adjourn, I would like to give myself some leeway 
as Chairman of this Subcommittee for the last time with one 
last question for you, Mr. Park.
    Mr. Park. Yes, sir.
    Chairman Broun. One of your emails provided to the 
Committee late last Friday was one on October the 10th where 
you forwarded an article that you had read by David Kennedy, a 
``white hat'' hacker, who has testified twice before this 
Committee about his concern. And the headline from that article 
was ``Is the Affordable Healthcare Website Secure? Probably 
Not.'' Mr. Park, if you want to refer to it, it is in tab 15 in 
your binder.
    Mr. Park. Thank you, sir.
    Chairman Broun. You even commented about David Kennedy's 
article that ``This got sent to me by someone who says these 
guys are on the level.'' Other documents provided to the 
Committee show that several other cybersecurity experts 
expressed concerns with the security of the website around that 
same time. Mr. Park, do you think that David Kennedy's concerns 
with the security of the website are on the level?
    Mr. Park. So thank you for the question. As I recall, this 
did get sent to me by someone who thought that TrustedSec was 
someone that was worth paying attention to. I can't comment on 
that----
    Chairman Broun. Do you think he is on the level, yes or no?
    Mr. Park. I don't have the judgment--the knowledge of 
cybersecurity to say and so that is why I forwarded it 
immediately to CMS, which then evaluated it, and had the 
response that you see.
    Chairman Broun. Are you being level with us today?
    Mr. Park. Yes, sir. Absolutely.
    Chairman Broun. Okay. According to a news report, it says 
that you reportedly briefed President Obama, Vice President 
Biden, Health Secretary Kathleen Sebelius, and others about the 
problems with the website only a few days after reading David 
Kennedy's report. Did you ever express the warnings that were 
in David Kennedy's report about the lack of security with the 
website to the President or others in the White House in that 
October meeting or any other previous meetings?
    Mr. Park. So, again, as I think this email demonstrates, I 
forwarded this to CMS right away and CMS responded saying CMS 
acknowledges this feedback by the security committee, 
analysis----
    Chairman Broun. So just forwarding the email was the only 
warning that you gave to anyone, is that correct?
    Mr. Park. Well, it says, ``Analysis of the code and review 
of the operational environment has confirmed the site is secure 
and operating with low risk to consumers,'' which then got 
forwarded back to me.
    Chairman Broun. So it is--but that was the only warning you 
gave anybody, is that correct?
    Mr. Park. Well, sir, again, cybersecurity is handled by 
CMS, and I think they----
    Chairman Broun. I am just asking. That is a yes-or-no 
question.
    Mr. Park. So I just--I can report what happened, which is I 
sent this----
    Chairman Broun. Okay.
    Mr. Park. --asked them to evaluate it----
    Chairman Broun. I take that that----
    Mr. Park. --and got a response.
    Chairman Broun. I take that that the answer is no.
    Mr. Park, I want to thank you for finally appearing before 
this Committee and I am sorry that we had to----
    Mr. Swalwell. Mr. Chairman, may I have a follow-up 
question, please?
    Chairman Broun. No, sir.
    Mr. Swalwell. Okay.
    Chairman Broun. We have got to adjourn.
    Mr. Swalwell. May I have a follow-up briefly, Mr. Chair?
    Chairman Broun. Mr. Park, I am sorry we came to the point 
where we had to subpoena you to come before this Committee, but 
thank you for coming, even possibly under duress.
    But obviously people can disagree about whether you were 
deeply involved or not with the HealthCare.gov website. While I 
thank you for your government service, the fact remains that 
the rollout of the HealthCare.gov website last year was a 
debacle, and that is not my assessment but that of Health 
Secretary Kathleen Sebelius.
    My assessment of this situation remains that you and others 
in the White House have been neither forthright nor forthcoming 
about your role and responsibilities at the White House. 
Integrity in government is integral to the public's faith in 
our democracy, thus, our Nation's leaders must be open and 
honest with our fellow Americans and respect the roles of the 
executive branch and Congress, as articulated in our 
Constitution.
    The fact remains that the White House still has not 
provided all the documents pursuant to the Committee's 
subpoena. We have asked for them, we subpoenaed them, we still 
haven't gotten them. And perhaps that is why people still 
disagree about your role in the debacle.
    Eternal vigilance is the price we pay for our liberty. To 
that end, the Committee maintains that all documents pursuant 
to the subpoena be provided and we ask for the Administration 
to please provide those expeditiously. After a more thorough 
assessment of these documents, you may be called to appear 
before us again, Mr. Park, in order to one day reach a better 
understanding. While I may no longer be in Congress on that 
day, the Committee's vigilance on this matter will carry on.
    Honest people can fundamentally disagree and we have seen 
that today. For example, you believe that ObamaCare will be a 
great thing for Americans, but I think too much of it was 
predicated on a lie. As a medical doctor, I believe that 
ObamaCare is the wrong prescription for what ails our nation's 
healthcare system, but that is a debate for another time.
    And with that, I want to thank you, Mr. Park, for appearing 
before us today, and the Members for their questions. The 
Members of the Committee may have additional questions for you, 
Mr. Park, and we will ask that you respond to those in writing, 
please, and do so expeditiously.
    I want to thank my friend Dan Maffei and Eric Swalwell for 
you all working with me through this process. It has been a 
great experience for me, and I consider you a friend and 
consider Dan a friend and I consider all of your staff to be 
excellent. It has been great working with you all. I had the 
opportunity to work with Ms. Bonamici also, and I enjoyed 
working with her, as I told her earlier today. She just left, 
but it has been a great experience, and I have been 
tremendously honored by chairing this Subcommittee.
    The record will remain open for two weeks for additional 
comments and written questions from Members. The witness is 
excused. The hearing is adjourned.
    Mr. Park. Thank you, sir.
    [Whereupon, at 11:47 a.m., the Subcommittee was adjourned.]
 
 
 
 
                             Appendix I

                              ----------                              


                   Answers to Post-Hearing Questions





                              Appendix II

                              ----------                              


                   Additional Material for the Record




           Written statement submitted by Rep. Eric Swalwell

    Mr. Chairman, first, I would like to take a moment to thank you for 
your service. You served two years as Ranking Member and four years as 
Chairman. During your tenure, you have always conducted your 
chairmanship with generosity and great courtesy. While we have not 
always seen eye-to-eye on the matters before the Subcommittee, no 
Member on this side of the aisle has ever had reason to complain about 
the way you have conducted yourself, and that has gone a long way 
towards keeping relations civil and even cordial in the midst of 
disagreement. Thank you.
    Today may be a day of disagreement, but I sincerely believe that if 
you conduct this hearing as fairly as you have your past hearings, that 
we will all emerge with a clear understanding of what Mr. Park did and 
did not do related to HealthCare.gov.
    Fairness is particularly important because this hearing has the 
feel of a trial. The only witness before us is Mr. Park. The title of 
the hearing implies that we are going to examine his involvement in the 
development of the Healthcare.gov website. Most significantly, a staff 
report released by you and Chairman Smith on October 28 functions as a 
prosecutor's memorandum that makes very damning allegations regarding 
Mr. Park's honesty before the Committee on Oversight and Government 
Reform and Dr. Holdren's candor in his replies to this Committee 
regarding Mr. Park's involvement in cybersecurity. As a former 
prosecutor, I believe that the allegations you have made against Mr. 
Park could place him in legal jeopardy. He deserves a chance to tell 
his story and put these allegations to rest, and I believe he can do 
that.
    Mr. Park is a successful entrepreneur in the IT world who took a 
break from developing successful companies to come to Washington, D.C. 
to help the government and the country think of creative ways to use 
information technology to improve our economy and address important 
social problems.
    He is a patriot and the son of immigrants who have played their own 
role in keeping the American economy vibrant and expanding. Mr. Park's 
parents are here today. Mr. Park's wife is here today. Mr. Park's 
pastor is here today as well as friends from the IT business world. I 
mention this to remind all the Members to not confuse their feelings 
towards the Affordable Care Act with Mr. Park as a person. He served 
the public and did his best and should be thanked for his 
contributions. In fact, Mr. Park has returned to the Bay Area and is 
attempting to recruit other bright, innovative stars from the IT world 
to come to Washington and take a few years to try to make a difference 
for the good of the country. Good luck with that message after today, 
Mr. Park.
    I have reviewed a Minority staff report, which I ask be made part 
of the record, built on a complete review of the documents produced by 
the White House. The staff make a very strong argument, supported by 
White House documents, that Park did not have deep, direct, or intimate 
involvement in any of the work of developing the on-line marketplace 
launched on October 1, 2013 or the cybersecurity standards and 
techniques used for the site.
    If he was playing such a role, there should be monthly progress 
reports from contractors that show progress against deliverables and 
requirements, costs of work, a critical path analysis that identifies 
where problems threaten a successful launch and discussion of the 
integration process for the site across an army of contractors on the 
project. None of those documents have been produced because he was not 
the day-to-day manager on the project. Nor are there the kind of 
documents that the contractors doing the actual work would possess--
which would include discussion of code, performance and testing 
results. Those documents can be found at CMS, which managed this 
complex acquisition, and among the contractors, who did the work, but 
not in Todd Park's records.
    The records that did come to us make it very clear what he was 
doing: He acted to gather information when the White House had 
questions about the project and he acted to help CMS find resources 
when they asked for help from the White House. 90% of the records fall 
into one category or the other. Gathering information for the boss or 
to use as a spokesman or providing assistance to the actual managers 
sounds more like the kind of work our Legislative Assistants and 
Committee staff do than that of people deeply involved in a project. 
The record shows Park was not in charge of anything, and what he did do 
on healthcare.gov was about information aggregation or assistance at 
the request of others.
    There is another missing element in the records the Committee has 
received from the White House: the thousands of pages of records 
related to Mr. Park's full time job as Chief Technology Officer of the 
United States. Because we only requested records related to 
HealthCare.gov, it is easy to lose sight of the fact that his very 
limited work on Healthcare.gov was coming while he did a wide-ranging 
job as CTO.
    Park's job was about trying to push technology throughout all 
levels of the country to improve our competitiveness and quality of 
life. As just one example, he drove an initiative to find innovative 
methods to use IT and big data to combat human trafficking. I don't 
think there is any Member who favors human trafficking--that is about 
as non-partisan an initiative as you can get. Park was working, full 
time, in a much wider swath of issues and areas than healthcare.gov. 
Members should never lose sight of that and get tunnel vision about 
Park simply because we have such a narrow set of records.
    I believe that if Mr. Park is given a fair chance to answer 
questions here today, that Members on both sides of the aisle will 
conclude that Park was not a principal actor in the development of 
HealthCare.gov prior to October 1, 2013 and had no role in developing 
cybersecurity standards or techniques for the web site. Mr. Park, I am 
going to apologize to you now for the way you have been treated, and I 
am hopeful that you will get apologies from the Chairman by the end of 
this hearing.
   Supporting documents submitted by Subcommittee Chairman Paul Broun





             Hearing documents submitted by Majority staff




            Letter submitted by Representative Scott Peters


Minority staff report submitted by Ranking Member Eddie Bernice Johnson





  Majority staff report submitted by Subcommittee Chairman Paul Broun



                                 [all]