[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]









   INCORPORATING SOCIAL MEDIA INTO FEDERAL BACKGROUND INVESTIGATIONS

=======================================================================

                             JOINT HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                         GOVERNMENT OPERATIONS

                                AND THE

                            SUBCOMMITTEE ON
                           NATIONAL SECURITY

                                 OF THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

                              MAY 13, 2016

                               __________

                           Serial No. 114-158

                               __________

Printed for the use of the Committee on Oversight and Government Reform



[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]







         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform
                                 ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

26-067 PDF                     WASHINGTON : 2017 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                     JASON CHAFFETZ, Utah, Chairman
JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, 
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JOHN J. DUNCAN, Jr., Tennessee       CAROLYN B. MALONEY, New York
JIM JORDAN, Ohio                     ELEANOR HOLMES NORTON, District of 
TIM WALBERG, Michigan                    Columbia
JUSTIN AMASH, Michigan               WM. LACY CLAY, Missouri
PAUL A. GOSAR, Arizona               STEPHEN F. LYNCH, Massachusetts
SCOTT DesJARLAIS, Tennessee          JIM COOPER, Tennessee
TREY GOWDY, South Carolina           GERALD E. CONNOLLY, Virginia
BLAKE FARENTHOLD, Texas              MATT CARTWRIGHT, Pennsylvania
CYNTHIA M. LUMMIS, Wyoming           TAMMY DUCKWORTH, Illinois
THOMAS MASSIE, Kentucky              ROBIN L. KELLY, Illinois
MARK MEADOWS, North Carolina         BRENDA L. LAWRENCE, Michigan
RON DeSANTIS, Florida                TED LIEU, California
MICK MULVANEY, South Carolina        BONNIE WATSON COLEMAN, New Jersey
KEN BUCK, Colorado                   STACEY E. PLASKETT, Virgin Islands
MARK WALKER, North Carolina          MARK DeSAULNIER, California
ROD BLUM, Iowa                       BRENDAN F. BOYLE, Pennsylvania
JODY B. HICE, Georgia                PETER WELCH, Vermont
STEVE RUSSELL, Oklahoma              MICHELLE LUJAN GRISHAM, New Mexico
EARL L. ``BUDDY'' CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama

                   Jennifer Hemingway, Staff Director
                         Jack Thorlin, Counsel
                          William Marx, Clerk
                 David Rapallo, Minority Staff Director
                 Subcommittee on Government Operations

                 MARK MEADOWS, North Carolina, Chairman
JIM JORDAN, Ohio                     GERALD E. CONNOLLY, Virginia, 
TIM WALBERG, Michigan, Vice Chair        Ranking Minority Member
TREY GOWDY, South Carolina           CAROLYN B. MALONEY, New York
THOMAS MASSIE, Kentucky              ELEANOR HOLMES NORTON, District of 
MICK MULVANEY, South Carolina            Columbia
KEN BUCK, Colorado                   WM. LACY CLAY, Missouri
EARL L. ``BUDDY'' CARTER, Georgia    STACEY E. PLASKETT, Virgin Islands
GLENN GROTHMAN, Wisconsin            STEPHEN F. LYNCH, Massachusetts
                                 ------                                

                   Subcommittee on National Security

                    RON DeSANTIS, Florida, Chairman
JOHN L. MICA, Florida                STEPHEN F. LYNCH, Massachusetts, 
JOHN J. DUNCAN, JR., Tennessee           Ranking Minority Member
JODY B. HICE, Georgia                ROBIN KELLY, Illinois
STEVE RUSSELL, Oklahoma, Vice Chair  BRENDA L. LAWRENCE, Michigan
WILL HURD, Texas                     TED LIEU, California




















                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on May 13, 2016.....................................     1

                               WITNESSES

Mr. William Evanina, Director of National Counterintelligence and 
  Security Center, Office of the Director of National 
  Intelligence
    Oral Statement...............................................     4
    Written Statement............................................     7
Ms. Beth Cobert, Acting Director, U.S. Office of Personnel 
  Management
    Oral Statement...............................................    11
    Written Statement............................................    13
Mr. Tony Scott, U.S. Chief Information Officer, U.S. Office of 
  Management and Budget
    Oral Statement...............................................    17
    Written Statement............................................    18

 
   INCORPORATING SOCIAL MEDIA INTO FEDERAL BACKGROUND INVESTIGATIONS

                              ----------                              


                          Friday, May 13, 2016

                  House of Representatives,
 Subcommittee on Government Operations, Joint with 
                 Subcommittee on National Security,
              Committee on Oversight and Government Reform,
                                                   Washington, D.C.
    The subcommittees met, pursuant to call, at 9:03 a.m., in 
Room 2154, Rayburn House Office Building, Hon. Mark Meadows 
[chairman of the subcommittee] presiding.
    Present: Representatives Meadows, DeSantis, Walberg, 
Jordan, Mica, Hice, Massie, Hurd, Mulvaney, Carter, Grothman, 
Chaffetz, Connolly, Lynch, Maloney, Lieu, and Kelly.
    Mr. Meadows. The Subcommittee on Government Operations and 
the Subcommittee on National Security will come to order. And 
without objection, the chair is authorized to declare a recess 
at any time.
    We're here today to discuss incorporating social media into 
the Federal security clearance and background investigations. 
Having a security clearance means, by definition, you have 
access to information that would hurt our national security if 
it got out, and that is why we perform background 
investigations on individuals who want a security clearance. 
The goal of our background investigations must be to find out 
if an individual is trustworthy. Back in the 1950s, that meant 
talking to neighbors and family.
    Today, with more than a billion individuals on Facebook, 
what a person says and does on social media can often give a 
better insight on who they really are. Since 2008, various 
Federal agencies have conducted studies on using social media 
data in investigations, and they all find the same thing, that 
there is a wealth of important information on social media.
    This issue now facing the Federal Government is how to use 
social media information while respecting the legitimate 
privacy concerns that are often brought forth. The good news is 
that using social media checks in security clearance 
investigation does not have to be a binary decision between big 
brother and an ineffective system. There are several reasonable 
options available to us to use social media data in a 
responsible way.
    It is encouraging to see that ODNI announced this morning, 
in advance of today's hearing, a new policy that will allow 
Federal agencies to review publicly available social media 
information as part of the clearance investigation process. We 
will continue to work with the agencies to ensure that the 
social media data of people with security clearances is used in 
a safe and responsible way.
    Mr. Meadows. I would like to thank the witnesses for coming 
here today and I look forward to their testimony.
    And with that, I would recognize the ranking member of the 
Subcommittee on Government Operations, my good friend, Mr. 
Connolly.
    Mr. Connolly. I thank my friend, the chairman, for holding 
this hearing to examine the usefulness of social media and 
other crucial enhancements to the Federal background 
investigation process.
    On January 22, the administration announced that the 
Federal Investigative Services, a former entity of OPM, would 
transfer its functions to a new national background 
investigations bureau. The Department of Defense assumed 
responsibility for designing and operating all information 
technology for the new NBIB. I think it makes abundant sense to 
task our national security experts with protecting the 
sensitive personal information of millions of clearance 
holders.
    Today, we're discussing another enhancement, the inclusion 
of social media in the background investigation process. The 
Army has a pilot program which used publicly available data 
from social media sites to enhance information available to 
investigators during background check processes. Currently, the 
Department of Defense is also conducting a pilot program that 
looks at all publicly available information online, such as 
news articles and commercial Web sites. I'm interested in 
learning the major findings and lessons learned from these 
pilot programs.
    While social media is a promising and valuable source, 
potentially, of information, I remain concerned that the 
government should not retain social media data of third parties 
who happen to engage with the applicant but have not consented 
to waiving their privacy rights. We must not forget to discuss 
other ways to enhance security clearance processes.
    The Performance Accountability Council is establishing a 
law enforcement liaison office that will communicate with local 
governments to expedite the requests for local criminal 
records. That's a major enhancement. We must remember that on 
September 16, 2013, Aaron Alexis, a Federal subcontractor with 
a secret-level clearance, entered the Washington Navy Yard and 
tragically killed 12 people and injured 4 others. He had a 
security clearance. The background investigation failed to 
identify that Mr. Alexis had a history of gun violence. The 
local police record of Mr. Alexis' 2004 firearms arrest had not 
been provided to Federal investigators. Improvements in 
communication between local law enforcement and Federal 
background investigators could prevent and could perhaps have 
prevented a tragedy like that that occurred in the Washington 
Navy Yard.
    I welcome each of the witnesses back from the full 
committee's February hearing and look forward to hearing about 
their progress on the administration's plan to reform the 
security clearance and background investigation process, while 
preserving privacy rights.
    Thank you, Mr. Chairman.
    Mr. Meadows. I thank the gentleman.
    The chair now recognizes the chairman of the Subcommittee 
on National Security, Mr. DeSantis, for his opening statement.
    Mr. DeSantis. Thank you, Chairman Meadows. I just wanted to 
say, I think this is an important issue. And it looks like that 
we just got a directive late last night where this is now going 
to be an implemented policy. So I'm interested in hearing how 
that's going to be implemented, but I'm sure that's partly as a 
result of your oversight. So thank you for doing that and I 
look forward to hearing the witness testimony.
    I yield back.
    Mr. Meadows. Well, Chairman DeSantis, thank you for your 
leadership on so many of these issues and I look forward to 
continuing to work with you.
    I now recognize the ranking member of the Subcommittee on 
National Security, the gentleman from Massachusetts, Mr. Lynch.
    Mr. Lynch. Thank you, Mr. Chairman. And I would also like 
to thank Chairman DeSantis and my friend, Mr. Connolly, for 
holding this hearing. It's important for a number of reasons, 
which you both have touched on already.
    When an individual applies to receive an initial or renewed 
security clearance, the Federal Government conducts a 
background investigation to determine whether he or she may be 
eligible to access classified national security information. 
Every security clearance candidate is required to complete a 
Standard Form 86. I have one right here; rather lengthy. It 
goes into a number of very personal aspects of each person's 
life. This 127-page form already requests a variety of personal 
applicant information, such as criminal history, any history of 
alcohol use or illegal drug use, any mental health counseling. 
It does not currently request social media information.
    But as Chairman DeSantis noted, last night about 11 
o'clock, we got copies of this policy. And I want to say thank 
you. You know, I--we have not always had information 
forthcoming in a timely manner. Even 11 o'clock at night, 
that's timely around here, you know, a few hours before the 
hearing. But I appreciate you sending it.
    I thought it might be a mistake, actually, that you sent 
the policy over. I did have a chance to read it a couple of 
times last night and it raises some questions, but I think it's 
a very good first effort. And we appreciate it.
    In December of 2015, Congress passed and President Obama 
signed a bipartisan funding legislation that included a robust 
directive to enhance the security clearance process. The recent 
Omnibus Appropriations Act also requires the director of DNI to 
direct the Federal agencies to use social media and other 
publicly available government and commercial data when 
conducting periodic reviews of their security clearance or 
clearance holders. The law also provides guidance on the types 
of information that could be obtained from social media and 
other sources and it may prove relevant to a determination of 
whether an individual should be granted clearance at all.
    Now, this includes information suggesting a change in 
ideology or ill intent or vulnerability to blackmail in 
allegiance to another country. The main impetus, as Mr. 
Connolly noted, was the terrible situation at the Washington 
Navy Yard. And also I would add, there has been exploitation of 
Twitter, Facebook, WhatsApp, and Telegram by the Islamic State. 
And also at one point we had everyone who filled out a Standard 
Form 86 hacked by the Chinese as well. So they have a list of 
everybody who filled out, you know, an 86 requesting security 
clearance, which is very troubling.
    There's a lot that needs to be talked about here. We're 
going to gather all this information on individuals in one 
place. In light of what has happened with the Chinese hack, I'm 
concerned about putting medical information, all of this about 
people who apply in one place where it might be accessed by 
hostile or nefarious actors. So we're going to talk a little 
bit about that this morning.
    As I said, I appreciate the Security Executive Agent 
Directive Number 5 and, you know, I think it's a very good 
first effort and I appreciate your transparency with us. Thank 
you.
    I yield back.
    Mr. Meadows. I thank the gentleman. And I will hold the 
record open for 5 legislative days for any member who would 
like to submit a written statement.
    We'll now recognize our panel of witnesses. I'm pleased to 
welcome Mr. William Evanina, Director of the National 
Counterintelligence and Security Center in the Office of the 
Director of National Intelligence; Ms. Beth Cobert, Acting 
Director of the U.S. Office of Personnel Management. And I 
might add, in her new role working incredibly well in a 
bipartisan and very transparent way that is recognized by this 
committee. So thank you so much. Mr. Tony Scott, the U.S. Chief 
Information Officer at the U.S. Office of Management and 
Budget.
    Welcome to you all. And pursuant to committee rules, all 
witnesses will be sworn in before they testify. So if you would 
please rise and raise your right hand.
    Do you solemnly swear or affirm that the testimony you're 
about to give will be the truth, the whole truth, and nothing 
but the truth?
    Thank you. Please be seated.
    Let the record reflect that all witnesses answered in the 
affirmative. In order to allow time for discussion, please 
limit your oral testimony to 5 minutes. You're very familiar 
with the process. But your entire written statement will be 
made part of the record.
    And so, Mr. Evanina, you are now recognized for 5 minutes.

                       WITNESS STATEMENTS

                  STATEMENT OF WILLIAM EVANINA

    Mr. Evanina. Good morning. Good morning, everyone. Chairman 
Meadows, Chairman DeSantis, Ranking Member Connolly, Ranking 
Member Lynch, and members of the subcommittee, thank you for 
having me here as part of this team to participate in today's 
hearing.
    As the National Counterintelligence executive and the 
director of the National Counterintelligence Security Center, 
I'm responsible for leading and supporting the 
counterintelligence and security activities of the United 
States Government, which includes the entire U.S. Government 
and the private sector throughout the intelligence community. 
In addition, I'm responsible for providing outreach to U.S. 
private sector entities who are at risk of becoming a target of 
intelligence collection, penetration, or attack by foreign and 
other adversaries.
    I also support the Director of National Intelligence's 
responsibilities as a security executive agent, the role under 
which the social media directive was developed. And I work 
close in partnership with the Office of Management and Budget 
and the Office of Personnel Management, and my colleagues to my 
left. Department of Defense also partners in this effort as 
well as part of the PAC. Agencies across the executive branch 
are also part of today's process and the successes we have 
achieved with this policy.
    When I last appeared before this committee on February 25, 
we discussed the formation of the National Background 
Investigations Bureau and security clearance reforms. Today, 
I've been asked to discuss the administration's policy on the 
use of social media as part of the personnel security 
background investigation and adjudication process.
    Mr. Chairman, we have been steadfastly at work on a 
directive that addresses the collection and use of publicly 
available social media information during the conduct of 
personal security, background investigations, and 
adjudications. I want to acknowledge the important 
contributions to this effort made by our entire executive 
branch colleagues, particularly at the Office of Management and 
Budget and OPM. And I'm pleased, as you referenced, to announce 
that the Director of National Intelligence has recently 
approved this directive which is being publicly released.
    The data gathered via social media will enhance our ability 
to determine initial and continued eligibility for access to 
classified national security information and eligibility for 
sensitive positions.
    I realize that the Federal Government's authority to 
collect and review publicly available social media information 
in the course of a personnel security background investigation 
and adjudication raises some important legitimate civil 
liberties and privacy concerns. Nevertheless, let me be clear. 
I am strongly of the view that being able to collect and review 
publicly available social media and other information available 
to the public is an important and valuable capability to ensure 
that those individuals with access to our secrets continue to 
protect them and that the capability can be aligned with 
appropriate civil liberties and privacy protections.
    I would note to the committee that by the term ``publicly 
available social media information,'' we mean social media 
information that has been published or broadcast for public 
consumption, is available on request to the public, is 
accessible online to the public, is available to the public by 
subscription or purchase, or is otherwise lawfully accessible 
to the public.
    I believe the new directive on social media strikes this 
important balance. Under this new directive, only publicly 
available social media information pertaining to the individual 
under investigation will be intentionally collected. Absent a 
national security concern or criminal reporting requirement, 
information pertaining to the individuals, other than the 
individual being investigated, will not be investigated or 
pursued.
    In addition, the U.S. Government may not request or require 
individuals subject to the background investigation to provide 
passwords or login into private accounts or to take any action 
that would disclose nonpublicly available social media 
information. The complexity of these issues has led to a 
lengthy and thorough review by the departments and agencies 
that would be affected by this policy, as well as coordination 
with different members of civil liberties and privacy offices, 
privacy act offices, and office of general counsel.
    Mr. Chairman, the new guidelines approved by the Director 
of National Intelligence for the collection and use of publicly 
available social media information and security clearance 
investigations ensure this valuable avenue investigation can be 
pursued consistent with subjects' civil liberties and privacy 
rights.
    The use of social media has become an integral and very 
public part of the fabric of most American's daily lives. It is 
critical that we use this important source of information to 
help protect our Nation's security.
    Mr. Chairman, I welcome any questions that you and your 
colleagues have regarding this directive.
    [Prepared statement of Mr. Evanina follows:]
    
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    
    Mr. Meadows. Thank you for your testimony.
    Ms. Cobert, you're recognized for 5 minutes.

                    STATEMENT OF BETH COBERT

    Ms. Cobert. Chairman Meadows, Chairman DeSantis, Ranking 
Members Connolly and Lynch, and members of the subcommittee, 
thank you for the opportunity to testify before you today on 
the use of social media in the Federal background investigation 
process.
    OPM plays an important role in conducting background 
investigations for the vast majority of the Federal Government. 
Currently, OPM's Federal Investigative Services, FIS, annually 
conducts approximately 1 million investigations for over 100 
Federal agencies, approximately 95 percent of the total 
background investigations governmentwide. These background 
investigations include more than 600,000 national security 
investigations and 400,000 investigations related to 
suitability, fitness, or credentialing each year.
    As we discussed in February, we are in the process of 
transitioning to the new National Background Investigations 
Bureau, NBIB, which will absorb FIS and its mission to be the 
governmentwide service provider for background investigations. 
The Department of Defense, with its unique national security 
perspective, will design, build, secure, and operate the NBIB's 
investigative IT systems in coordination with the NBIB.
    To provide some context for our discussion today, I would 
like to take a few minutes to review how the current security 
clearance process operates in most cases.
    First, an executive branch agency will make a requirements 
determination as to the sensitivity and risk level of the 
position. If an agency determines that a position requires a 
clearance, the employee completes an SF-86 and submits 
fingerprints, both of which are sent to OPM, along with an 
investigation request. OPM, through FIS now and NBIB in the 
future, conducts the investigation by doing all of the checks 
required by the Federal investigative standards. The results of 
the investigation are then sent to the requesting agency for 
adjudication.
    The clearance decision is made from the information in the 
investigative report in conformance with the adjudicative 
guidelines that are the purview of the Office of the Director 
of National Intelligence, ODNI.
    The requesting agency sends their decision back to OPM, who 
maintains the records for reciprocity purposes. The individual 
will also be reinvestigated on a periodic basis.
    As the committee is aware, agencies make security clearance 
decisions using a whole-person approach, meaning that 
available, reliable information about the person, past and 
present, favorable and unfavorable, should be considered by 
adjudicators in reaching a determination.
    One component of that approach in the 21st century is the 
topic of today's hearing, social media. ODNI, in its role as 
the security executive agent, has developed a social media 
policy that has undergone extensive coordination with relevant 
departments and agency officials. OPM looks forward to 
implementing the policy as part of its ongoing efforts to 
strengthen its investigative processes.
    In April, OPM issued a request for information seeking to 
better understand the market and the types of products vendors 
can provide to meet social media requirements. The RFI is in 
preparation for a pilot that OPM is planning to conduct this 
year that will incorporate automated searches of publicly 
available social media into the background investigation 
process. This planned pilot will be conducted by OPM in 
coordination with the ODNI.
    The pilot will obtain the results of searches of publicly 
available electronic information, including public posts on 
social media from a commercial vendor for a population of 
security clearance investigations using pertinent investigative 
and adjudicative criteria. This pilot is distinct from other 
pilots in that it will assess the practical aspects of 
incorporating social media searches into the operational end-
to-end process; the mechanics of adding this type of report to 
a background investigation and the affects on quality, costs, 
and timeliness.
    In addition, the pilot will assess the uniqueness of the 
information provided through social media checks as compared to 
information provided through traditional investigative sources.
    Supporting the implementation of the NBIB and aiding its 
success in all areas will continue to be a core focus for OPM, 
as well as the Performance Accountability Council, the PAC. Our 
goal is to have the NBIB's initial operating capability 
officially established with a new organizational design and 
leader in place by October 2016. The implementation work will 
remain to be done after that date.
    On behalf of OPM, I am proud to be part of this most recent 
effort by the administration, and I look forward to working 
with my colleagues on this panel and with this committee in a 
bipartisan manner on this important issue. I'm happy to answer 
any questions you may have.
    [Prepared statement of Ms. Cobert follows:]
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    
    Mr. Meadows. Thank you for your testimony.
    Mr. Scott, you're recognized for 5 minutes.

                    STATEMENT OF TONY SCOTT

    Mr. Scott. Thank you.
    Chairman Meadows, Chairman DeSantis, Ranking Member 
Connolly, Ranking Member Lynch, and members of the 
subcommittees, I appreciate the opportunity to appear before 
you today.
    The administration recognizes the importance of gathering 
accurate up-to-date and relevant information in its background 
investigations to determine Federal employment and security 
clearance eligibility. And as a government, we must continue to 
improve and modernize the methods by which we obtain relevant 
information for these background investigations.
    Since 2009, various government agencies have conducted 
pilots and studies of the feasibility, effectiveness, and 
efficiency of collecting publicly available electronic 
information as a part of the background investigations process. 
Those pilots have informed the development of a new social 
media policy that has been issued by the director of National 
Intelligence in his role as the security executive agent. And I 
will defer to ODNI on the further details of this policy.
    But as you know, OMB chairs the interagency Security and 
Suitability Performance Accountability Council, or PAC, to 
ensure interagency coordination. And the new policy will 
reflect, I believe, an appropriate balance of a number of 
considerations, such as protecting national security; ensuring 
the privacy of and fairness to individuals seeking security 
clearances and associates of that individual; the veracity of 
the information collected from social media; and the resources 
required to process the collection, adjudication, and retention 
of the relevant data collected.
    As the policy is implemented, the administration will 
continue to assess the effectiveness and efficiency of the 
policy. To do so, the government must keep pace with 
advancements in technology to anticipate, detect, and counter 
external and internal threats to the Federal Government's 
personnel, property, and information. This need must also be 
considered with the full legal and national security 
implications in mind. I'm confident that this new policy will 
strike the correct balance between all of these considerations.
    I thank the committee for holding this hearing and for your 
commitment to improving this process. We look forward to 
working with Congress, and I'm pleased to answer any questions 
you may have.
    [Prepared statement of Mr. Scott follows:]
    
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    
     
    Mr. DeSantis. [Presiding.] I thank the gentleman.
    The chair now recognizes himself for 5 minutes.
    And this is for each of you. Are your agencies utilizing 
commercially available software to vet security clearance 
applicants, monitor security clearance holders, and detect any 
cybertheft of these individuals' personal information?
    Ms. Cobert. Congressman, in the process of the 
investigations, we do work with commercial vendors of publicly 
available vetted information. That is sort of our core element. 
We use that and other methods to gather the information in the 
investigative process. I'm not sure if I've completely answered 
your question.
    Mr. DeSantis. Well, there's certain off-the-shelf 
technology that the Federal Government will use in other 
instances, and I just wanted to ask if there is any type of 
prohibition on doing that or if you guys just aren't doing that 
or you're actually trying to using all the tools that are 
potentially at your disposal?
    Ms. Cobert. We use a variety of tools to gather information 
from public sources, from both governmental and 
nongovernmental, so there's a variety of tools we use to do 
that. Those are used to, you know, gather some of the 
information, whether there's a national, you know, law 
enforcement database from which we get information. We do, for 
example, use electronic methods to gather appropriate--
appropriately gather information about financial history. So we 
do use some of those tools. I'd be happy to get back to you 
with more of the specifics, if that would be helpful.
    Mr. DeSantis. Okay. Thank you.
    Mr. Evanina. Sir, I would concur with my colleague. I think 
we encourage the most robust and effective, efficient tools 
that are processed for ensuring a speedy, effective background 
investigation. That's going to be different--this process will 
be different, depending which agency is doing the background 
investigation, the tools that they are capable of, the expense, 
and the number of--the volume of people that are applying for a 
clearance.
    Obviously, we would encourage the ODNI, the most effective 
and efficient off-the-shelf capabilities, as long as it's 
within the rules, regulations, and policies set forth.
    Mr. DeSantis. Let me ask you this: In the years leading up 
to Edward Snowden's theft of classified info, he made several 
posts to online forums using a consistent user name complaining 
about government surveillance. And these posts may have alerted 
authorities that he could be an insider threat. Have any of the 
social media pilot programs evaluated to date been capable of 
detecting that sort of post where the subject is posting under 
an online identity that is not explicitly the individual's 
name?
    Mr. Evanina. Sir, I'm not specific to the exact nature of 
the depth and granularity of those particular pilots. But I can 
tell you, those particular posts from Mr. Snowden that he did 
would not have been caught in the social media because it's not 
public facing and there was private chats with other 
individuals beyond the password protection.
    Mr. DeSantis. So if they're using semi-anonymous names, to 
the extent that there are public forums, would requiring the 
disclosure of any alternative online identities on the FS-86 
form be something that would be helpful?
    Mr. Evanina. Sir, we're currently not planning on asking 
anyone to provide any other alternative passwords or email 
accounts or individual reference to their online persona.
    Mr. DeSantis. So, basically, if--so we'll look at social 
media, if they're posting. If John Smith applies for security 
clearance and you'll look for John Smith, but if he goes by, 
you know, Jack Scott, then you're just not going to require 
that. So they can post whatever there and that's not going to 
be something that would be considered?
    Mr. Evanina. Not currently, unless they're willing to 
consent to provide that information to us.
    Mr. DeSantis. Okay. What reason could allow extensive 
questioning of friends--so I mean, the FS-86 is a very 
intensive investigation. I mean, you'll call up people's 
college roommates. You'll call up people's neighbors when 
they've lived--even if they've lived in a place for a short 
period of time. So there's a lot of extensive investigation. So 
why would you want to do that? And I'm not saying you shouldn't 
do that, but why would you want to do that but then not get the 
whole, I guess, picture of their online identities?
    Mr. Evanina. Well, I think if the additional information is 
obtained that an individual has a pseudonym or has--an 
individual has an offline persona that's different than his 
name, that can be pursued investigatively, but that's not 
something we are going to ask, or there's really not a way for 
us to identify Bob Smith who is really Dave Jones online 
without someone telling us that.
    Mr. DeSantis. But what would be the reason to just--since 
there's so much information required in the FS-86, what would 
be the negative of just asking, hey, do you post online under 
any type of pseudonym?
    Mr. Evanina. I think when you get past the public-facing 
interface of social media, you get to the, I think, the border 
of privacy and civil liberties in terms of what are your 
practices beyond what you would do in the course of your daily 
lives. And by this, the analogy would be, we don't look at 
their emails and we don't look at their telephone conversations 
as part of the background investigation as well.
    Mr. DeSantis. Okay. My time is up.
    I now recognize the gentleman from Virginia for 5 minutes.
    Mr. Connolly. Thank you, Mr. Chairman, and welcome.
    Help me understand how this works. Because it's one thing 
for a private individual to be sort of trolling in Facebook; 
it's another for the government to be doing it. And so how does 
this work? I mean, I--somebody in government gets on the 
Internet and looks up your Facebook history? You're subject--
you're Harry Houdini. You've applied for a security clearance 
and we're looking at, you know, through social media, anything 
that you used, Twitter, Facebook, YouTube, Hulu, whatever it 
might be. So we just go online and look at whatever we can find 
under his, Harry Houdini or Shirley Jones' name. Is that right?
    Mr. Evanina. Sir, I'll start--I think----
    Mr. Connolly. If you could pull the mic closer. Thank you.
    Mr. Evanina. I'm sorry, sir.
    Congressman, I think when we set forth this policy, we 
looked at it and tried to provide the most flexibility for 
investigative agencies and service providers to do what they 
feel is most practicable and most reasonable for their 
individual agency. So, for instance, some of the bigger 
agencies may provide a data service provider, they aggregate 
this data for multiple people to go out and do the search. We 
are clearly acknowledging that the effort will be exhaustive 
initially to identify people's social media footprint that's 
out there.
    Mr. Connolly. Okay. What are the red lights, though, that 
flag for us, got to follow up on this? So, you know, my 
Facebook posting, you know, we're talking about the block party 
for July in my cul-de-sac. You know, talking about maybe a 
family reunion and interspersed with all of that, oh, by the 
way, the President needs to die. How do we flag the serious 
from the trivial and how do we make sure that if it's all 
trivial, that's the end of it. It's deleted, it's not retained, 
because there may be other names in that Facebook. There may be 
pictures of other people who are not the subject of an 
investigation, unless that association is suspect.
    How do we make sure that we don't just have some enormous 
government depository of personal information of American 
citizens that's really not at all relevant, or parts of it may 
be? How do we do that?
    Mr. Evanina. That's a great question, Congressman. I think, 
putting this in context, the social media utilization is just 
one tool of many that we currently already use in background 
investigations. And the collection and retention of that data 
will be parallel to any other data we collect on an individual. 
And to your example of Facebook, and the examples you gave, the 
only relevant information that were there for investigative 
adjudicative processes would be the issue to the President. All 
the other stuff would not be retained, although we would 
collect and retain the Presidential, if----
    Mr. Connolly. Let me interrupt, though.
    Mr. Evanina. Yes, sir.
    Mr. Connolly. God forbid, but should there be such a 
reference, well, the other stuff is not being retained. 
Actually, I might now want to take a fresh look at your 
associations because maybe they're involved or--I mean, 
wouldn't we want to check that out?
    Mr. Evanina. Sir, so I was going to say----
    Mr. Connolly. If for no other reason than to talk to the 
neighbors to say, does Harry Houdini talk this way often? Have 
you ever heard him--you know, right?
    Mr. Evanina. Right. So the social media application here, 
like many other tools that are at the disposal of 
investigators, would provide an investigative lead. So that 
particular post on your Web site would lead to an investigative 
lead to be furthered up with your colleagues, your family, your 
friends, your neighbors as just another lead; no different than 
we would find in an anomalous financial disclosure.
    Mr. Connolly. Ms. Cobert and Mr. Scott, in the time I have 
left, I'd be derelict on behalf of my constituents if I didn't 
return to the OPM security breach, and if you can take some 
time to bring us up to date. Weaknesses identified, have they 
been addressed so that there can't be a recurrence? And how are 
we coming in trying to make people whole again in terms of the 
compromise of their personal information?
    Ms. Cobert. Let me start in the response to that one. In 
terms of improving the security of our systems, we have made 
significant strides in our ongoing effort and we will continue 
to do so. Working closely with DHS, with DOD as part of the 
NBIB standup, we actually have staff from DOD now on site 
working with us as well as ongoing working sessions. We've 
installed the latest versions of EINSTEIN. We've got a whole 
series of improvements that we've made to our firewalls. We now 
have the ability to much----
    Mr. Connolly. Excuse me, EINSTEIN 3 is in place now?
    Ms. Cobert. We are one of the first agencies to put that in 
place.
    Mr. Connolly. Because it wasn't in place at the time of the 
breach, right?
    Ms. Cobert. No.
    Mr. Connolly. Right. Excuse me.
    Ms. Cobert. So we continue to work to try and put in place 
a whole series of tools and we've seen real improvements in 
that, as well as strengthening. We have a new chief information 
security officer. I could go on and on, but we still will 
continue to work at that issue.
    In terms of the individuals whose information was taken, we 
have the identity theft, identity monitoring contracts in 
place. We continue to monitor those in terms of the quality of 
their customer service. We are also actively working to put in 
place the provisions to extend the identity theft insurance to 
$5 million, as well as being in the process of figuring out how 
to extend those to the 10 years that was also approved by 
Congress. So we continue to work at these quite closely, 
including with Tony and the team from OMB.
    Mr. Scott. And I would just add, I'm seeing almost as much 
of Beth as I did when she was at OMB as we work on this 
project. And Beth and I and the DOD CIO meet regularly to 
review the progress that the teams are making in both the 
transition, but also ensuring the security and integrity of the 
existing system. So I'm pleased with the progress.
    Mr. Connolly. Thank you.
    Thank you, Mr. Chairman.
    Mr. DeSantis. The chair now recognizes the gentleman from 
Georgia, Mr. Hice, for 5 minutes.
    Mr. Hice. Thank you, Mr. Chairman.
    Mr. Evanina, let me begin with you. As we all know, in 
2008, there was a commissioned study in regard to showing the 
benefits of examining certain aspects of social media. Why has 
it taken 8 years to implement this thing, to get it started?
    Mr. Evanina. Congressman, I can't really answer the 8-year 
issue, but I can tell you that to get to where we are took a 
lot of extensive effort and interagency coordination to be able 
to strike the right balance between what we need to obtain or 
should be obtained reasonably from social media in the ever-
growing Internet age and balance that with the civil liberties 
and privacy of our, not only clearance holders, but U.S. 
citizens. So that process not only was exhaustive, but it was 
the right thing to do.
    Also, I think with the pilots that have started and 
continue to move on, we haven't really identified the correct 
value or weighted measure for what the efforts of social media 
collection will be or has been. So we're still efforting the 
pilot process to identify, is the effort resource allocation 
worthy of collecting other social media and using it as part of 
the background investigation process, number one. And number 
two, if it is, where do we allocate that within the 
investigative process, the beginning, the middle, the end? 
Because it will be resource intensive.
    Mr. Hice. Well, it seems like 8 years is an awfully long 
time to try to find a balance between privacy and, you know, 
that which is public information. I mean, this is not highly 
private information that people are publicizing out on social 
media like this, and I understand that we want to be very 
careful with that. We all do. But----
    Well, let me ask you this: It seems that the new policy 
that we saw this morning, that within there--and correct me if 
I'm wrong, but it seems like finding information on an 
individual's background appears to be largely at the discretion 
of individual agencies. Can you tell me why ODNI decided to 
leave that decision to individual agencies rather than opening 
this up for all departments of our Federal Government?
    Mr. Evanina. That's a great question, Congressman, but I 
will say that there's only 22 agencies who have the authority 
to conduct background investigations. So--and they do that on 
behest of all the other Federal organizations or agencies' 
departments who require that. So those individuals, the ones 
who are covered under this policy, the policy was purposely 
made flexible because I will proffer that from 2008 till 2 
years ago, the social media definition has changed dramatically 
and will continue to change.
    So in order to provide the agencies who conducted the 
investigations the maximum flexibility to go about utilizing 
social media as part of this process was paramount in this 
effort. Because I'm pretty sure a year from now, the social 
media definition may change, and we wanted to make sure that 
each agency had the flexibility, from a resource perspective, 
to identify the best, most efficient way to implement this 
policy.
    Mr. Hice. Do you believe those other 22 agencies will begin 
utilizing this?
    Mr. Evanina. I do.
    Mr. Hice. Okay.
    Ms. Cobert, could you explain how OPM plans to implement 
this policy?
    Ms. Cobert. Thank you, Congressman. As I mentioned in my 
testimony, we are working through this pilot process to figure 
out the best way to utilize social media as a standard, 
consistent part of the process. As Mr. Evanina described, we 
are committed to its value. It's a question of how.
    We need a way to make sure that when we gather information 
on social media, it's accurate. It's is not always accurate. 
What you find is not always the reality. We need to find a way 
to make sure, as we do this, that we have the resources to 
follow up on whatever information is revealed. How do we get 
those resources to follow up on those things?
    And so that is the goal of this pilot, is to embed it into 
the operational process. Are there places where, by using 
social media or other tools, we can replace some steps that 
exist today, take those resources and deploy them to something 
else? Are there other cases where the value of the information 
will merit adding additional resources? So that is the issue 
we're working through.
    And the pilot process that we are starting, we'll be 
starting that pilot before the end of this fiscal year. We also 
will continue, through the PAC and other forums, working with 
DOD and other agencies as they start to implement this so we 
all can learn from each other. We've got to figure out how to 
do this right and to do it at scale, and we want to move 
expeditiously but cautiously as we do that.
    Mr. Hice. Thank you. Could you provide the committee with a 
timeframe for implementation, besides just by the end of the 
year, a more specific timeframe?
    Ms. Cobert. We'll get back to you. The first piece is the 
pilot and then we will take that learning. But we're happy to 
provide you some more information on what we're doing next.
    Mr. Hice. Okay. Thank you very much.
    I yield back.
    Mr. DeSantis. The gentleman's time has expired. The chair 
now recognizes Mr. Lynch from Massachusetts for 5 minutes.
    Mr. Lynch. Thank you, Mr. Chairman. And I want to thank 
everybody for holding this hearing and thank the witnesses for 
their help.
    You know, every once in a while, my happy talk alarm goes 
off and sometimes I think I'm hearing happy talk and I think I 
just heard some.
    Look, I appreciate the idea that, you know, we got this 8-
year continuum of improvement and we're trying to improve our 
systems and, you know, there's this cautious progress of 
protecting and balancing, you know, private information, 
versus, you know, doing these background checks. But the 
reality on this committee is 10 months ago, Ms. Cobert, your 
predecessor, Ms. Archuleta, sat there and told me that, 10 
months ago, we were not even encrypting the Social Security 
numbers of the 4 million people who were hacked at OPM. That's 
the reality. Ten months ago we weren't even encrypting Social 
Security numbers. And she painfully had to admit that, and her 
legal counsel was with her and they confirmed that fact.
    So I'm very concerned about what is happening. And I am 
very encouraged that DOD is going to take over cybersecurity in 
your shop and you're going to help them with that. How is that 
going? And what steps have you taken--be specific--that should 
give me some level of reassurance that we don't have another 
problem like that?
    Ms. Cobert. Thank you, Congressman. Let me start with how 
we're working with DOD in the standup of the NBIB, and then I 
can come back to some things we have underway and that we will 
be doing in that context.
    We are working very closely with DOD, as Mr. Scott 
described, in a process to do two things.
    Mr. Lynch. Let me just cut you off because I don't want to 
go into this long diatribe. But have you encrypted the Social 
Security numbers for all of the employees right now at OPM?
    Ms. Cobert. There are still elements of the OPM systems 
that are difficult to encrypt. We have a multilayer defense.
    Mr. Lynch. And you've got all of these different systems 
and I understand that. I'be been at this a while, okay, and we 
have tried to get ahold of this. And I've been here for years 
working on this problem and it's been very difficult. And 
there's no shame in admitting how difficult that is. What I 
don't want is happy talk that it's all going well. That's the 
problem. Because then we'll have another hearing and, you know, 
there will be a lot of gnashing of teeth and criticisms, you 
know, and there will be somebody else in your spot.
    So what I'm trying to get at is, what are we actually--what 
are we getting done and where are the obstacles? If there are 
obstacles here in terms of what you're trying to do--and I 
believe you're all trying to do the right thing. Mr. Scott as 
well. You can get in on this because you're part of this.
    You know, what are we actually doing to try to protect the 
information that we do gather?
    Mr. Scott. Well, I would say, as Beth was saying, there's 
been all kinds of work done in this area, penetration testing, 
new tools deployed, multiple examinations, and ongoing help 
from DOD, DHS, and so on. So I think OPM actually is leading 
Federal agencies right now in terms of, you know, their efforts 
and the amount of progress that they've made. They've applied 
tools to the limits that they can within the limits of current 
technology. But as Beth said, there's some things that just 
can't be encrypted because the technology doesn't allow it.
    Mr. Lynch. DOD's funding in this area is much better than 
OPM's and some of the other departments. And so are we using 
their personnel now? Have they come over and taken over this?
    Mr. Scott. Absolutely. They've been in there side by side 
with the team at OPM helping not only review, but look at 
architecture and also build out the plans for the future NBIB 
technology. So I'm pleased with where it's going. I don't think 
there's anybody who would say our job is done or that we're 
not, you know, interested in pursuing what else we can do.
    Mr. Lynch. The cost estimate, you know, we've had some 
pilot programs that tell us it's somewhere between, you know, 
$100 and $500 per person for a private vendor to do these 
screenings, this gathering of social media information. Is that 
pretty close to what the--in practice what we're finding?
    Mr. Scott. Yeah, I would say some of the pilots that have 
run, the estimates have been in that range. Clearly, one of the 
things that will have to happen, and I think the pilots will 
inform this, is some greater level of automation. As you can 
probably appreciate, when you do a search, you get a ton of 
data that has to be sifted through and adjudicated.
    Mr. Lynch. Right.
    Mr. Scott. And I happen to be a person who has a name 
that's shared with, you know, a professional baseball player, a 
professional musician, a movie director, and a bunch of other 
things, and just a simple search would turn up a bunch of crazy 
stuff that wouldn't be relevant.
    Mr. Lynch. Yeah.
    Mr. Scott. So some degree of automation, ultimately, is 
going to have to help bring the cost down of that.
    Mr. Lynch. All right. I see my time has expired.
    Mr. Chairman, thank you for your indulgence, and I yield 
back.
    Mr. Meadows. [Presiding.] I thank the gentleman.
    The chair recognizes the gentleman from Kentucky, Mr. 
Massie, for 5 minutes.
    Mr. Massie. Thank you, Mr. Chairman. This is a great 
hearing. Thank you for conducting it.
    I have a friend who suggests that the government should 
outsource this background research to the consultants that do 
opposition research on us, on the politicians, because they 
seem to find anything all the way back to junior high. But on a 
serious note, though, you know, I see Edward Snowden as an 
example here in our notes as somebody who maybe you would have 
known something about if you had done social media research. 
That may or may not be true.
    But one thing that does stand out is that political 
contributions are available online and they--and I suppose even 
before social media and the online availability of this, they 
were available. So you already have an analog or probably a way 
of considering whether you should consider or not consider 
political contributions when doing background research.
    But now that you have social media available to you, 
there's another layer of transparency--or layer of opaqueness 
that has been removed. You can see where somebody supports a 
political candidate or not. By the way, Edward Snowden and I 
have similar contribution histories so--and my colleague here 
suggested that you should be suspect of anybody that 
contributes to me as well.
    But my question is this: Do you, Mr. Evanina, do you take 
into account political support when you're doing background 
research in social media?
    Mr. Evanina. We do not. I mean, I think it's important for 
the committee to understand that the investigators who conduct 
the background investigations are very well trained and they 
follow the Federal investigative standards. And there are 
plenty of policies that they put forth in their rigorous 
background investigation and they conduct investigations on 
information obtained that's relevant to whether or not you're 
capable of obtaining and holding a security clearance. So a 
political contribution would not be one of those.
    Mr. Massie. So if they encountered somebody who in their 
social media supported a candidate who was strong on the Fourth 
Amendment and believed very strongly in the right to privacy--
and there are different interpretations of the Fourth 
Amendment. I'm not saying everybody doesn't believe strongly in 
the Fourth Amendment--that wouldn't be a consideration?
    Mr. Evanina. Absolutely not. Whether you believe in the 
Fourth Amendment would not have any predication on whether you 
could hold or maintain a security clearance.
    Mr. Massie. Thank you very much.
    And I will yield back my time.
    Mr. Meadows. I thank the gentleman.
    The chair recognizes the gentlewoman from Illinois, Ms. 
Kelly, for 5 minutes.
    Ms. Kelly. Thank you, Mr. Chair.
    Many of us have become so accustomed to using technology in 
our day-to-day lives that it seems second nature to examine the 
social media accounts of individuals applying for security 
clearance. However, it's important to note that when 
incorporating social media into the Federal background check 
process, a number of steps must be taken that go far beyond 
those we view as a friend's Facebook profile.
    Ms. Cobert, OPM conducts approximately 95 percent of 
background checks governmentwide. That's in our notes. The 
initial data collection portion of these investigations is 
completed by Federal contractors, in part, because you must 
comply with the various laws governing what information can be 
collected, used, and stored by the Federal Government. Is that 
accurate?
    Ms. Cobert. Congresswoman, we work with Federal contractors 
in the investigative process to enhance our capacity to conduct 
background investigations. They have to follow the same Federal 
investigative standards that Mr. Evanina referenced. There, the 
individuals from those contractors who work on investigations 
also have to undergo thorough training against those standards, 
and we work to ensure that that is the appropriate training.
    Ms. Kelly. Okay. The incorporation of social media data is 
not as simple as it may sound to many people, so I'd like to 
delve a little deeper into how we get from a vendor running 
query for publicly available information to the point at which 
we have valuable verified information for use in the 
adjudication process. Again, to begin with, contractors must 
conduct social media checks on clearance applicants based on 
guidance from you about the kind of information relevant to 
clearance investigations. Correct?
    Ms. Cobert. We are going to start with the social media 
thing, the social media efforts with the pilot I mentioned. 
That will help us understand what kind of guidance we should be 
putting in place when individuals are conducting social media 
searches to verify that information, to ensure we're focused on 
the pieces that are relevant to a security clearance, not the 
other issues that are not part of the process. That's why we're 
going to work this through in a pilot so we can create 
standards and processes that will get us relevant information, 
reliable information, and protect privacy.
    Ms. Kelly. And then your current contractors will need 
proper training and proper guidance to do all of that.
    Ms. Cobert. They will need training. Yes, they will.
    Ms. Kelly. Once the data has been collected, a human being 
is necessary to make a judgment and verify that it does, in 
fact, belong to the individual in question.
    Ms. Cobert. We are working to find the processes that will 
enable us to, in fact, match individuals. As Mr. Scott 
described, there are multiple Tony Scotts. So we are working 
through the pilots, and I think this will be an ongoing 
process, to see where are the places where we need human 
intervention; where are the places where technology can help 
with that resolution?
    Ms. Kelly. Okay. Mr. Evanina, can you speak to some of the 
challenges associated with verifying identities in social media 
data?
    Mr. Evanina. Yes, Congresswoman. I think the challenges 
cannot be understated in where we're headed in terms of, number 
one, identity resolution. As my colleagues have mentioned, the 
ability to identify Bob from--or Mr. Scott from Mr. Scott and 
all that goes with it, the resources that it will take to make 
sure that we are firmly in agreement that Mr. Scott is Mr. 
Scott. Then, what we found out on Mr. Scott, is it 
investigatively and adjudicatively relevant? Does it make sense 
to put forward? And if it is, then it gets put in the same box 
all other investigative data would be to make sure that it 
follows the policies, procedures, and the investigative 
standards and guidelines.
    I want to reiterate that social media identification of 
information is in the same box of all other tools and 
techniques investigators have.
    Ms. Kelly. And even after we have verified an individual's 
account, additional manual processing is needed in order to 
analyze, interpret, and contextualize information, particularly 
photographs. Is there any way to fully automate the analysis of 
photographs?
    Mr. Evanina. Well, I want to refer back to my colleague, 
Ms. Cobert, in terms of the ability to maximize any type of 
automation we can to facilitate not only the effectiveness of 
this tool, but at the end of the game. But I want to inform the 
committee that at the end of the day, no matter what we 
identify, the adjudicator is a fundamentally government role. 
So the adjudicator will make the ultimate decision if the 
individual is Mr. Scott, the information pertaining to him is 
investigatively relevant, and it should be a value-add to 
whether or not he gets a clearance or not.
    Ms. Kelly. Okay. Thank you.
    I yield back the balance of my time.
    Mr. Meadows. Thank you.
    The chair recognizes the gentleman from South Carolina, Mr. 
Mulvaney, for 5 minutes.
    Mr. Mulvaney. I thank the chairman for the opportunity. 
Thank you all for coming. I've just got a couple sort of random 
questions.
    Mr. Evanina, you said something during your opening 
statement I want to go back to, which is you--and a couple of 
you used the same terminology and maybe I just don't understand 
the issue. And full disclosure. Mr. Massie and I are sort of in 
the libertarian-leaning wing of the party, so we take civil 
liberties very seriously. And you mentioned that there were 
civil liberties concerns, I think, in doing this research in 
the first place. I don't get that.
    What civil liberty of mine could be at risk from you doing 
research on me?
    Mr. Evanina. Well, I--correct. I don't think in terms of 
the previous pilots and this particular policy----
    Mr. Mulvaney. Right.
    Mr. Evanina. --in order to get to where we were, we had to 
negotiate strongly to ensure that each individual who applies 
for a security clearance, we are going to protect their privacy 
and civil liberties, at the same time collect the information 
that we deem necessary to ensure they can get a clearance.
    Mr. Mulvaney. And, again, I'm not trying to split hairs 
with you, but if I'm coming to you--and we've had this--a very 
similar discussion, Mr. Chairman, when it comes to folks who 
want to come into the country on various visas. The lady who 
shot the people in San Bernardino came on a fiance visa, and we 
didn't do any social media on her. And one of the arguments we 
got from customs enforcement was that it would violate her 
civil liberties to go and do that. Okay?
    If I come to you and I'm asking for a job, or I'm asking in 
my current job to get a security clearance, can't you just get 
my permission to go look at everything?
    Mr. Evanina. Yes, sir. As a matter of fact, when you apply 
on an SF-86, the very first thing you get to do is consent to 
the government searching you, not only with regard to social 
media, but all your other financial, medical records, you 
consent to do that on the SF-86.
    Mr. Mulvaney. Okay. So there's no privacy concerns. Because 
I have the right to waive that and I do. Right?
    Mr. Evanina. That's correct.
    Mr. Mulvaney. So there's absolutely no privacy issue on the 
front end when you're doing your background research on me, 
correct?
    Mr. Evanina. As long you consent to it----
    Mr. Mulvaney. Right.
    Mr. Evanina. --on your SF-86.
    Mr. Mulvaney. Okay. Good. Good. Then we're all on the same 
page. Because then the real privacy concerns comes with what 
Mr. Lynch mentioned, which is what do you do with the 
information on me after you have it? Because while I consent to 
let you go and get it, I certainly don't consent with you 
giving it to other people.
    So I think that's why the focus, I think, for many of us 
who are interested in our civil liberties there is what are you 
doing after you have it. And I want to go a little bit deeper 
than just the Social Security numbers, because I think Mr. 
Lynch properly pointed out, what are you doing with Mr. 
Massie's medical records when you're doing the research on him? 
How are we----
    Mr. Connolly. Massie.
    Mr. Mulvaney. Yeah, especially on Massie, right? And his 
mental health records. No.
    Mr. Connolly. Actually, I've got it right here. Page 17 is 
kind of interesting.
    Mr. Mulvaney. So tell me about that. Because, again, we all 
know about the risks. Everyone in the country now has gotten a 
hard wire to sort of think, well, my Social Security thing is 
really important. I hope they're protecting that. But what 
about the stuff that doesn't, on its face, look like it could 
be damaging to us?
    You know, maybe Mr. Scott went to marriage counseling. 
Okay. Not illegal. And I don't even know if that's true, and I 
am not even suggesting it is. I am using it as an example. It's 
not illegal. It's certainly not the type of thing, though, that 
you want to have public. What are you doing to protect that 
kind of information? Not just the number data, not just the 
Social Security numbers, but the detail, the meat of the stuff 
that you might find on anybody that you're looking at.
    Mr. Evanina. I'll start and pass to my colleague, but I 
want to ensure that the only collection and retention of data 
will be what is investigatively relevant to completing and 
authorizing a background investigation. If it's not relevant to 
you obtaining a clearance, it won't be retained.
    Mr. Mulvaney. Okay. Let's focus on that one word then, 
because again, that's an open-ended questions that I've asked. 
Let's narrow it down.
    Nothing is not retained anymore. Okay. Once you have it, 
it's some place. Even if you hit erase on your hard drive, it's 
some place. So what are you doing to make sure the stuff that 
you don't retain really isn't retained?
    Ms. Cobert. Congressman, when we get the records of your 
background investigation, we have a set of rules and guidelines 
that govern those, that govern the sharing of those. So it is 
used for the investigative decision, but there are very 
specific guidelines about how that information is used. We have 
specific guidelines about records retention consistent with 
NARA and their policies.
    And a core element in the cybersecurity design of our 
systems, particularly as we're thinking about as we go forward, 
is how do we make sure we've got the appropriate protections in 
place for all of that information, not just Social Security 
numbers?
    But there are very explicit policies around records 
retention, around records sharing, both externally within the 
government. Right. This information was gathered for a specific 
purpose. That's what it was used for, and there are guidelines 
around that in place.
    Mr. Mulvaney. Just a quick question, and I honestly don't 
know the answer. But when the data was hacked that Mr. Lynch 
mentioned before, was it just Social Security numbers that were 
lost or was it other information as well?
    Ms. Cobert. The information that was lost was data in 
people's backgrounds investigation, so it included a range of 
information, not exclusively Social Security numbers.
    Mr. Mulvaney. Thank you.
    Thank you, Mr. Chairman.
    Mr. Meadows. I thank the gentleman.
    The chair recognizes the gentleman from California, Mr. 
Lieu, for 5 minutes.
    Mr. Lieu. Thank you, Mr. Chair.
    My questions are for Mr. Evanina. First of all, thank you 
for your service, and I support incorporating social media into 
Federal background investigations.
    I have a broader concern which is whether race or ethnicity 
play a role in security clearance denial or granting. And let 
me give you some context for this. Recently, four American 
citizens were arrested and indicted for espionage, and then all 
charges were dropped. These were in different cases, and it 
turned out that the government just got it wrong. And the one 
fact that was the same among all these cases is the defendants 
looked like me. They happened to be Asian Americans. The cases 
of Sherry Chen, Xiaoxing Xi, Guoqing Cao, and Shuyu Li. Their 
lives were turned upside down because of what our government 
did. The New York Times has asked our government to apologize.
    I wrote a letter signed by over 40 Members of Congress 
asking the Department of Justice to investigate. Since I wrote 
that letter, our office has been contacted by Federal employees 
who happen to be Asian American alleging that their security 
clearance was denied because of their race or ethnicity. And so 
my question to you is, does race or ethnicity play a role in 
Federal background investigations?
    Mr. Evanina. Sir, absolutely not, and it's unequivocally 
not. I don't think there has ever been a situation where an 
investigator has used race or ethnicity for any determination 
of a clearance for a U.S. citizen, number one.
    Number two, the situation you referenced, I could say that 
with 19 years in the FBI, I could assure you that the FBI does 
not conduct investigations relevant to whether your race or 
ethnicity comes to play.
    Mr. Lieu. Thank you. Let me ask you a question about how 
this policy would be implemented in terms of social media. 
Let's say a Japanese American Federal employee has a Facebook 
page, and friends of this Federal employee living in Japan or 
relatives post on that Facebook page. Does this Federal 
employee become more suspicious because of that?
    Mr. Evanina. Absolutely not. And the only issue would be if 
on that public facing Facebook page there is derogatory or 
negative information that's relevant to an adjudication of 
investigation, will result in a followup lead. But otherwise, 
it would not.
    Mr. Lieu. Thank you. The U.S. Government, under the Obama 
administration, runs something called the insider threat 
program, where Federal employees are asked to report on other 
Federal employees who may be suspicious. Is race or ethnicity 
allowed to be taken into account under that program?
    Mr. Evanina. Sir, first of all, the National Insider Threat 
Task Force is housed within my shop, National 
Counterintelligence Security Center. And, again, unequivocally, 
race or ethnicity has no part in the insider threat process or 
the criticality that we have across the government.
    Mr. Lieu. Are Federal employees, when they're given 
training on the insider threat program and how to report, are 
they given that training about race and ethnicity playing no 
part?
    Mr. Evanina. Well, I think the race--any fundamental 
training regarding race and ethnicity crosses all boundaries, 
not just investigative. That's part of the Federal workforce 
and our fabric as Americans, number one.
    But in terms of the Insider Threat Task Force, race, 
ethnicity, or any other type of genre of covered classes is 
never a part of the Insider Threat Task Force. We are--our 
number one mission is to identify potential insiders, spies, 
espionage matters, or those who seek to do harm to others.
    Mr. Lieu. Could you provide my office with guidance in how 
you train Federal employees?
    Mr. Evanina. Absolutely, sir.
    Mr. Lieu. Great. Thank you.
    I've gone to a number of national security events and 
briefings, and I think it's not a secret that our national 
security establishment looks very nondiverse. And there's been 
articles about the State Department having trouble recruiting 
people who are minorities. And I'm wondering if that has 
anything to do with security clearances and the inability of 
some folks, who are minorities, who might not be able to get 
them. Could you provide my office with some data or statistics 
on who gets security clearances based on race and ethnicity?
    Mr. Evanina. I'm sure we can, sir.
    Mr. Lieu. Great. Thank you.
    And with that, I yield back.
    Mr. Meadows. I thank the gentleman.
    The chair recognizes himself for a series of questions, and 
I'll be very brief.
    Let me follow up on a couple of clarifying things. You have 
obviously put out this new policy, and we applaud that. We 
thank you for that.
    Is there any particular legal reason or practical reason 
why we would not be asking them for their online identities?
    Mr. Evanina. Well, sir, I think as part of the SF-86 
application, and when you write your name, Bill Evanina, it's 
asked, do I have any other names or aliases that I go by. So 
that's the first----
    Mr. Meadows. Yeah, but I'm talking about online identity. 
So, I mean, you know, Twitter, Facebook, you know. Because I'm 
not going to give it in a public forum, but I have actually 
Twitter accounts that don't actually have my name associated 
with them, and yet I would tweet out things based on that. So 
is there any reason why we wouldn't ask for those types of 
things, practical or legal?
    Mr. Evanina. I don't believe it's a legal issue. I think 
it's a policy issue, and I think we have to have some clear 
differentiation between what is investigatively relevant. And 
we can get to those areas of----
    Mr. Meadows. But if we're talking about social media, that 
would be relevant. I mean, there's no expectation of privacy, 
other than--well, you know, you could perhaps make the case if 
I'm wanting to be private about it, I'm not putting my name. 
But if you just ask for those online identities, would the 
online identities be synonymous with an alias?
    Mr. Evanina. They could be, sir. There absolutely could be, 
but we----
    Mr. Meadows. So I guess if there's no legal or practical 
reason why we wouldn't do it, why would it not be part of your 
new policy?
    Mr. Evanina. Again, I will say that the policy is a start 
where we're going right now to get where we are.
    Mr. Meadows. So are you willing to look at that particular 
component about asking for other online identities and maybe 
report back and your philosophy here within the next 60 days to 
this committee?
    Mr. Evanina. Sir, I think we're willing to look at all 
suspects of social media and how it pertains to the background 
investigation process.
    Mr. Meadows. But, specifically, with regards to that 
question, are you willing to look at it and just report back? 
I'm not asking----
    Mr. Evanina. Yes, sir.
    Mr. Meadows. --you to give me a definitive answer; just 
that you get back to this committee on what your opinion is----
    Mr. Evanina. Yes, sir.
    Mr. Meadows. --on why you should or should not do that.
    Mr. Evanina. Yes, sir.
    Mr. Meadows. All right. Thank you.
    Ms. Cobert, I'm going to finish with you, and it's really 
something from in the past. And I just would like to ask you, 
with regards to the CIO and IG relationship, how would you 
characterize that from where it has been and where it is today? 
And if you can speak to that.
    Ms. Cobert. Thank you, Congressman. Let me turn it on. 
Thank you, Congressman. We have been working across the agency 
to strengthen our effectiveness of our dialogue with the CIO, 
and I believe we've made real progress in a number of different 
areas.
    We've set up a cadence of regular communications at my 
level with the inspector general, currently acting inspector 
general. On a biweekly basis we meet and get an overview of the 
issues. We have specific working teams that meet on a periodic 
basis as well, both around the CIO, around procurement. We set 
up that same kind of mechanism around the standup of the NBIB, 
given the oversight issues there and making--wanting to make 
sure we get those right.
    So I think we've made considerable progress in terms of the 
dialogue, the clarity of the communications. We welcome their 
input on what we could be doing as better, as we welcome input 
from our colleagues here and elsewhere.
    Mr. Meadows. So you would characterize it as much improved 
under your leadership?
    Ms. Cobert. I would characterize it as much improved, yes, 
sir.
    Mr. Meadows. All right. Thank you.
    The chair recognizes Mr. Lynch for a closing question or 
statement.
    Mr. Lynch. Thank you, Mr. Chairman.
    And, again, I want to thank you for being here. I want to 
ask you a question sort of off the grid here. I appreciate that 
you're making progress, and that's a good thing, and we're 
working together with DOD to secure our systems.
    There's another issue. You know, these hackers have become 
so proficient. You know, this morning we got news that the 
SWIFT, you know, commercial bank system--I think it's 11,000 
banks and companies that handle international banking 
transactions, they were hacked again. They were just hacked 
through Bangladesh and the New York Fed, which is troubling, to 
the tune of about $81 million. Now we find out there's another 
hack going on similar to that one. So they are being breached.
    The FDIC, Chinese hackers, news, again, this morning, that 
the FDIC has been hacked. And these are entities that have 
fairly robust, you know, protections. And we're about to enter 
into this--well, we're about to debate the Trans-Pacific 
Partnership, and one of the provisions in that Trans-Pacific 
Partnership requires U.S. companies to establish databases in 
the foreign countries. There's about 12 countries. But, you 
know, one of them is Vietnam, a Communist country.
    So we would have to--the U.S. companies will have to 
establish, physically, databases in those countries, Malaysia, 
Vietnam. And a lot of the banks and companies involved here are 
very concerned about the security aspect of this overseas.
    And I just wonder, especially, Mr. Evanina, you know, I 
know you worry about this stuff all the time; as well, you 
know, Ms. Cobert, you are dealing with; Mr. Scott, you as well. 
What about that dimension of this? I know it's not--you know, 
you weren't prepared this morning to address this question, and 
I appreciate it if you want to take a pass, but I'm just 
worried about that, about it's tough enough to protect the data 
when it's in the United States. And now we're being asked to 
force our companies, if they're dealing in international trade, 
to actually deposit their data in these foreign countries that 
don't have the security protections that even we have.
    Mr. Evanina?
    Mr. Evanina. Sir, I concur with your concern for 
cybersecurity and the need for us to be prepared to at least 
meet where we are in the global economy. I'm not particularly 
familiar with the requirements contained within this policy, so 
I can't speak to that. But under the purview of national 
security, the cyber threat is real. And I think we have to take 
that into consideration for anything we do moving forward, 
whether here domestically in the United States or any of our 
businesses and government operations overseas.
    Mr. Lynch. Okay. Thank you.
    Ms. Cobert, Mr. Scott, you want to take a bite at that, or 
you all set?
    Mr. Scott. Well, I would just say, one of the lessons 
learned, I think, worldwide has been that cybersecurity knows 
no national boundaries and, you know, concerns about 
cybersecurity are, you know, global. Physical location is one 
element, but probably in the case of cybersecurity, not the 
most dispositive in terms of the concerns I would have. It's 
more about the secure-by-design sort of notion, you know, what 
have you put in place and how well is it implemented, and so 
on. So those would be more my primary concerns.
    Mr. Lynch. Yeah, my----
    Mr. Scott. In some cases, the physical location.
    Mr. Lynch. Right. My concern is obviously the Communist 
government in Vietnam is going to require access. So that was 
my concern. You have suffered enough.
    I want to yield back. Thank you.
    Mr. Meadows. I thank you.
    And I want to thank all the witnesses for being here today. 
And if there's no further business before the subcommittees, 
the subcommittees stand adjourned.
    [Whereupon, at 10:15 a.m., the subcommittees were 
adjourned.]

                                 [all]