[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]

                         IS THE OPM DATA BREACH
                        THE TIP OF THE ICEBERG?

=======================================================================

                             JOINT HEARING

                               BEFORE THE

                      SUBCOMMITTEE ON OVERSIGHT &
                SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              July 8, 2015

                               __________

                           Serial No. 114-28

                               __________

 Printed for the use of the Committee on Science, Space, and Technology





       Available via the World Wide Web: http://science.house.gov
       
                                  ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

97-568PDF                     WASHINGTON : 2016 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001       
       

              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY

                   HON. LAMAR S. SMITH, Texas, Chair
FRANK D. LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas
F. JAMES SENSENBRENNER, JR.,         ZOE LOFGREN, California
    Wisconsin                        DANIEL LIPINSKI, Illinois
DANA ROHRABACHER, California         DONNA F. EDWARDS, Maryland
RANDY NEUGEBAUER, Texas              SUZANNE BONAMICI, Oregon
MICHAEL T. McCAUL, Texas             ERIC SWALWELL, California
MO BROOKS, Alabama                   ALAN GRAYSON, Florida
RANDY HULTGREN, Illinois             AMI BERA, California
BILL POSEY, Florida                  ELIZABETH H. ESTY, Connecticut
THOMAS MASSIE, Kentucky              MARC A. VEASEY, Texas
JIM BRIDENSTINE, Oklahoma            KATHERINE M. CLARK, Massachusetts
RANDY K. WEBER, Texas                DON S. BEYER, JR., Virginia
BILL JOHNSON, Ohio                   ED PERLMUTTER, Colorado
JOHN R. MOOLENAAR, Michigan          PAUL TONKO, New York
STEVE KNIGHT, California             MARK TAKANO, California
BRIAN BABIN, Texas                   BILL FOSTER, Illinois
BRUCE WESTERMAN, Arkansas
BARBARA COMSTOCK, Virginia
DAN NEWHOUSE, Washington
GARY PALMER, Alabama
BARRY LOUDERMILK, Georgia
RALPH LEE ABRAHAM, Louisiana
                                 ------                                

                Subcommittee on Research and Technology

                 HON. BARBARA COMSTOCK, Virginia, Chair
FRANK D. LUCAS, Oklahoma             DANIEL LIPINSKI, Illinois
MICHAEL T. MCCAUL, Texas             ELIZABETH H. ESTY, Connecticut
RANDY HULTGREN, Illinois             KATHERINE M. CLARK, Massachusetts
JOHN R. MOOLENAAR, Michigan          PAUL TONKO, New York
BRUCE WESTERMAN, Arkansas            SUZANNE BONAMICI, Oregon
DAN NEWHOUSE, Washington             ERIC SWALWELL, California
GARY PALMER, Alabama                 EDDIE BERNICE JOHNSON, Texas
RALPH LEE ABRAHAM, Louisiana
LAMAR S. SMITH, Texas
                                 ------                                

                       Subcommittee on Oversight

                 HON. BARRY LOUDERMILK, Georgia, Chair
F. JAMES SENSENBRENNER, JR.,         DON BEYER, Virginia
    Wisconsin                        ALAN GRAYSON, Florida
BILL POSEY, Florida                  ZOE LOFGREN, California
THOMAS MASSIE, Kentucky              EDDIE BERNICE JOHNSON, Texas
BILL JOHNSON, Ohio
DAN NEWHOUSE, Washington
LAMAR S. SMITH, Texas

                            C O N T E N T S

                              July 8, 2015

Witness List

Hearing Charter

                           Opening Statements

Statement by Representative Barbara Comstock, Chairwoman, 
  Subcommittee on Research, Committee on Science, Space, and 
  Technology, U.S. House of Representatives
    Written Statement

Statement by Representative Daniel Lipinski, Ranking Minority 
  Member, Subcommittee on Research, Committee on Science, Space, 
  and Technology, U.S. House of Representatives
    Written Statement

Statement by Representative Barry Loudermilk, Chairman, 
  Subcommittee on Oversight, Committee on Science, Space, and 
  Technology, U.S. House of Representatives
    Written Statement

Statement by Representative Donald S. Beyer, Jr., Ranking 
  Minority Member, Subcommittee on Oversight, Committee on 
  Science, Space, and Technology, U.S. House of Representatives
    Written Statement

Statement by Representative Lamar S. Smith, Chairman, Committee 
  on Science, Space, and Technology, U.S. House of 
  Representatives
    Written Statement

                               Witnesses:

Mr. Michael R. Esser, Assistant Inspector General for Audits, 
  Office of Personnel Management
    Oral Statement
    Written Statement

Mr. David Snell, Director, Federal Benefits Service Department, 
  National Active and Retired Federal Employees Association
    Oral Statement
    Written Statement

Dr. Charles Romine, Director, Information Technology Laboratory, 
  National Institute of Standards and Technology
    Oral Statement
    Written Statement

Mr. Gregory Wilshusen, Director, Information Security Issues, 
  U.S. Government Accountability Office
    Oral Statement
    Written Statement

Discussion

             Appendix I: Answers to Post-Hearing Questions

Mr. Michael R. Esser, Assistant Inspector General for Audits, 
  Office of Personnel Management

Mr. David Snell, Director, Federal Benefits Service Department, 
  National Active and Retired Federal Employees Association

Dr. Charles Romine, Director, Information Technology Laboratory, 
  National Institute of Standards and Technology

            Appendix II: Additional Material for the Record

Statement by Representative Eddie Bernice Johnson, Ranking 
  Member, Committee on Science, Space, and Technology, U.S. House 
  of Representatives

Letter submitted by Representative Barbara Comstock, Chairwoman, 
  Subcommittee on Research, Committee on Science, Space, and 
  Technology, U.S. House of Representatives

 
                         IS THE OPM DATA BREACH
                        THE TIP OF THE ICEBERG?

                              ----------                              


                        WEDNESDAY, JULY 8, 2015

                  House of Representatives,
  Subcommittee on Research and Technology &
                         Subcommittee on Oversight,
               Committee on Science, Space, and Technology,
                                                   Washington, D.C.

    The Subcommittees met, pursuant to call, at 3:36 p.m., in 
Room 2318 of the Rayburn House Office Building, Hon. Barbara 
Comstock [Chairwoman of the Subcommittee on Research and 
Technology] presiding.




    Chairwoman Comstock. The Subcommittees on Research and 
Technology and Oversight will come to order. Without objection, 
the Chair is authorized to declare recesses of the 
Subcommittees at any time.
    Good afternoon. Our apologies for the delay. As you saw or 
heard, we were voting.
    Welcome to today's hearing entitled ``Is the OPM Data 
Breach the Tip of the Iceberg?'' In front of you are packets 
containing the written testimony, biographies, and truth-in-
testimony disclosures for today's witnesses.
    I now recognize myself for five minutes for an opening 
statement.
    Just over a month ago, the Office of Personnel Management 
(OPM) announced a massive data breach that exposed the personal 
information of over 4 million current and former federal 
employees and contractors. Like thousands of my fellow 
constituents and people across the country, I received a letter 
from OPM informing me that my personal information may have 
been compromised or stolen by criminals who are behind this 
attack.
    Unfortunately, the news appears to be getting worse this 
week as we learn more about the reported second OPM data 
breach, compromising the security of potentially 18 million 
federal employees, contractors, and others who submitted 
sensitive information for background checks to the government. 
And sadly, the response from OPM has not inspired confidence 
over the past few weeks.
    Identity theft by what seems to be a foreign entity is a 
very serious national security threat. They are literally, you 
know, at cyber war with us, and we as leaders have to 
appreciate that reality and operate in that reality.
    Many of my constituents have contacted me about their fears 
and concerns. It has been months since OPM discovered the 
attack, and we still have too many questions and not enough 
answers. As we will hear from some of our witnesses today, 
federal employees have many unanswered questions. For example, 
just one: Are the credit monitoring identity theft provisions 
adequate? I know we've heard from people who are very concerned 
about whether they are.
    Most alarming to me about these breaches is that they were 
launched less than 18 months after a previous severe network 
assault on OPM. We know that information security incidents 
reported by federal agencies have increased by 1,000 percent 
since 2006, a 1,000 percent increase.
    For years the OPM Office of Inspector General and the U.S. 
Government Accountability Office have been warning OPM 
leadership of critical vulnerabilities to their information 
systems. Some of the weaknesses and current problems were ID'd as 
far back as 2007. Today, many of their recommendations for 
fixing the systematic failures remain unmet.
    Cyber criminals and foreign enemies are working night and 
day with the latest technology to exploit every vulnerability 
in our system, and it appears we're behind the times. The 
United States has some of the world's best technological minds 
and resources, yet our management in OPM does not appear to be 
getting up to speed.
    Federal employees provide their sensitive personal 
information under the expectation that it is protected with all 
the seriousness that it should receive. However, that trust has 
now been broken and hence so many concerns.
    Cybersecurity has to be a top priority in every government 
agency from the top Cabinet official on down. We need an 
aggressive, nimble, and flexible strategy to anticipate, 
intercept, and stop these cyber attacks. Those who are engaging 
in the attacks on our citizens, agencies, and companies, 
whether they be nation states, adversaries, or hacktivists and 
just, you know, random criminals are a reality that we'll be 
living with in the 21st century and we must develop and use all 
the tools and technology available to thwart them and 
understand this is going to be an ongoing problem that we have 
to constantly adapt to.
    I want to note that we invited the OPM Chief Information 
Officer Donna Seymour to testify at today's hearing. She 
declined the Committee's invitation, citing other commitments, 
and we will continue to be working with them and asking them 
additional questions.
    Today's panel of witnesses will help us better understand 
the magnitude of cybersecurity challenges at OPM across the 
federal government, as well as determine what steps need to be 
taken to prevent future cyber attacks and the state-of-the-art 
best practices to do so. And I should note that in the coming 
weeks we will also be looking at a lot of the best practices 
that the private sector has and other experts want to bring to 
bear that will probably reflect a lot of what you are going to 
be talking about today.
    I appreciate the leadership of Chairman Lamar Smith on 
these issues and the role the Science Committee--that they have 
played in making cybersecurity research and development a 
priority.
    I look forward to continuing to work on the Subcommittee on 
efforts to make sure the federal government is staying ahead of 
our adversaries. And if officials neglected their duties or are 
not the right people for the job, we also need to hold them 
accountable and make sure we are doing everything to improve 
the situation.
    [The prepared statement of Chairwoman Comstock follows:]

      Prepared Statement of Subcommittee on Research & Technology
                      Chairwoman Barbara Comstock

    Just over a month ago the Office of Personnel Management (OPM) 
announced a massive data breach that exposed the personal information 
of over 4 million current and former federal employees and contractors.
    Like thousands of my fellow constituents, I received a letter from 
OPM informing me that my personal information may have been compromised 
or stolen by the criminals behind this attack.
    Unfortunately, the news gets worse this week, as we learn more 
about the reported second OPM data breach, compromising the security of 
18 million federal employees, contractors and others who submitted 
sensitive information for background checks. And sadly the response 
from OPM has not inspired confidence.
    Identity theft by what seems to be a foreign entity is a very 
serious national security issue. They are at cyberwar with us--do our 
leaders appreciate that reality?
    Many of my constituents have contacted me about their fears and 
concerns. It has been months since OPM discovered the attack, and we 
still have too many questions and not enough answers.
    As we will hear from witnesses today, federal employees have many 
unanswered questions. Just one: Are the credit monitoring identity 
theft provisions adequate? Most alarming to me about these breaches is 
that they were launched less than 18 months after a previous severe 
network assault on OPM. We know that information security incidents 
reported by federal agencies have increased by 1,000 percent since 2006.
    For years the OPM Office of Inspector General and the U.S. 
Government Accountability Office have been warning OPM leadership of 
critical vulnerabilities to their information systems. Some of the 
weaknesses and current problems were ID'd as far back as 2007. Today, 
many of their recommendations for fixing the systematic failures remain 
unmet.
    Cyber criminals and foreign enemies are working night and day with 
the latest technology to exploit every vulnerability in our system, 
while OPM is behind the times and operating apparently at a pace with 
systems designed for the last century not for the current threat. The 
United States has some of the world's best technological minds and 
resources, yet OPM's management is failing.
    Federal employees provide their sensitive personal information 
under the expectation that it is protected with all due seriousness. 
However, the trust between our federal employees, contractors, and 
others whose information has been compromised is damaged.
    Cybersecurity must be a top priority in every government agency 
from the top Cabinet official on down. We need an aggressive, nimble, 
and flexible strategy to anticipate, intercept, and stop cyberattacks.
    Those who are engaging in cyberattacks on our citizens, agencies, 
and companies--whether they be nation states, adversaries or 
hacktivists--are a reality we will be living with in the 21st century 
and we must develop and use all the tools and technology available to 
thwart them and understand this is an ongoing problem we have to 
constantly be on top of.
    I want to note that we invited the OPM Chief Information Officer 
Donna Seymour to testify at today's hearing. She declined the 
Committee's invitation, citing other commitments. We continue to have 
questions about how and why this cyberattack occurred and the measures 
that have been instituted to prevent a future attack at OPM. We will 
take any necessary steps to ensure my constituents get those answers.
    Today's panel of witnesses will help us better understand the 
magnitude of cybersecurity challenges at OPM and across the federal 
government, as well as determine what steps need to be taken to prevent 
future cyberattacks, and the state of the art best practices to do so.
    I appreciate the leadership of Chairman Lamar Smith on these issues 
and the role the Science Committee has played in making cybersecurity 
R&D a priority.
    I look forward to continuing to lead the Research & Technology 
Subcommittee in efforts to make sure the federal government is staying 
ahead of our adversaries who are constantly developing new and 
sophisticated malicious technologies.
    If officials neglected their duties, or are not the right people 
for the job, they must be held accountable so that proper leadership is 
in place to not just meet, but anticipate and beat the next cyber 
threat.

    Chairwoman Comstock. So with that I will yield to the 
Ranking Member, but I also ask unanimous consent to place into 
the record various letters and articles that are relevant to 
the hearing.
    [The information appears in Appendix II]
    Chairwoman Comstock. And without objection I'll now yield 
to the Ranking Member.
    Mr. Lipinski. Thank you, Chairwoman Comstock. I want to 
thank you, Chairman Loudermilk, Chairman Smith, for holding 
this hearing on the recent OPM data breach. I want to thank all 
of our witnesses for being here this afternoon.
    Unfortunately, major cyber attacks are happening more 
frequently. Today, we're going to talk about the significant 
breaches at the Office of Personnel Management. I have not 
received notification, but I believe I may have been a victim 
of this. But we all know that--I don't want to take away the 
significance of it but it's important to note there has been an 
increasing number of cyber attacks in both the private and 
public sector where I know I've definitely been a victim of 
some of these attacks.
    Several years ago, I began working on cybersecurity 
legislation, the Cybersecurity Enhancement Act, with my 
colleague Mr. McCaul. Our legislation dealt with cybersecurity 
standards, education, and workforce development. When we 
started, I said that I had no doubt that threats from 
individual hackers, criminal syndicates, and even other 
governments would grow and evolve along with our increased use 
of the internet. Unfortunately, I was right.
    In February, Anthem, one of the Nation's largest health 
insurance companies, announced it suffered a cyber breach that 
compromised the records of 80 million current and former 
customers. And just last year, there were high-profile breaches 
at J.P. Morgan Chase, eBay, Target, and many others affecting 
millions of people.
    Although I was happy that my bill with Mr. McCaul was 
enacted at the end of last Congress, there is much, much more 
to do in the area of cybersecurity. Cybercrime and cyber 
espionage continue to threaten our national security, our 
critical infrastructure, businesses of all sizes, and every 
single American. This latest data breach at OPM is just another 
example of that.
    In the OPM breach, millions of federal employees' personal 
information has been compromised, leading to significant 
concerns about how the stolen information will be used. 
Additionally, since OPM conducts more than 90 percent of all 
security clearance background investigations, this breach is an 
example of how cyber attacks threaten our national security. We 
must do better.
    It'll take a collective effort in both the public and 
private sector to improve cybersecurity, and I cannot emphasize 
enough the importance of research into the social and 
behavioral aspects in this area. Our IT infrastructure is 
built, operated, and maintained by humans from the average 
worker at her desktop to Chief Information Officer of a major 
company or agency. Most cyber attacks are successful because of 
human error such as unwittingly opening a malicious email or 
allowing one's credentials to be compromised. Understanding the 
human element is necessary to combat threats and reduce risks.
    To set governmentwide guidelines protecting federal 
information security systems, Congress passed--if I can turn my 
page--an example of human error here. Congress passed the 
Federal Information Security Modernization Act, or FISMA. 
FISMA, which was updated at the end of last Congress, requires 
federal agencies to develop, document, and implement an 
agencywide information security program.
    Along with being responsible for their own information 
security system, the National Institute of Standards and 
Technology is tasked with developing standards and guidelines 
for all civilian federal information systems. Since NIST plays 
a critical role in protecting our nation's information security 
systems, it's important that they be part of this conversation. 
I'm happy that Dr. Romine is here today to tell us more about 
how NIST develops FISMA standards and how they work with other 
federal agencies.
    FISMA also requires annual reviews of individual agencies' 
information security programs, as well as reviews of 
information security policies in the implementation of FISMA 
requirements governmentwide. I hope to hear from our witnesses 
about the steps necessary to ensure that OPM meets FISMA 
requirements, as well as how other agencies are doing in this 
space.
    More information security systems, both in the public and 
private sector, will surely be subject to cyber attacks in the 
future, and while it's impossible to completely protect the 
connected information security system, we must do all we can to 
protect the personal information of millions of Americans and 
conduct the oversight to ensure such steps are taken. This 
hearing is the beginning of a conversation on how we can do 
that, and we must make sure that we follow through with action.
    I look forward to our discussion this afternoon. Thank you, 
and I yield back the balance of my time.
    [The prepared statement of Mr. Lipinski follows:]

                   Prepared Statement of Subcommittee
                Minority Ranking Member Daniel Lipinski

    Thank you Chairwoman Comstock and Chairman Loudermilk for holding 
this hearing on the recent OPM data breach. I want to thank all the 
witnesses for being here this afternoon.
    Unfortunately, major cyber-attacks are happening more frequently. 
Today, we are going to talk about the significant breaches at the 
Office of Personnel Management (OPM). Not to take away from the 
significance of the OPM breach, I think it is important to note that 
there have been an increasing number of cyber-attacks in both the 
private and public sector.
    Several years ago I began working on cybersecurity legislation, the 
Cybersecurity Enhancement Act, with my colleague, Mr. McCaul. Our 
legislation dealt with cybersecurity standards, education, and 
workforce development. When we started, I said that I had no doubt that 
threats from individual hackers, criminal syndicates, and even other 
governments would grow and evolve along with our increased use of the 
internet. Unfortunately, I was right.
    In February, Anthem, one of the nation's largest health insurance 
companies, announced that it suffered a cyber-breach that compromised 
the records of 80 million current and former customers. And just last 
year there were high profile breaches at JP Morgan Chase, eBay, Target, 
and many others affecting millions of people.
    Although I was happy that my bill with Mr. McCaul was enacted at 
the end of last Congress, there is much, much more to be done in the 
area of cybersecurity. Cybercrime and cyber-espionage continue to 
threaten our national security, our critical infrastructure, businesses 
of all sizes, and every single American. This latest data breach at OPM 
is just another example of that. In the OPM breach, millions of federal 
employees' personal information has been compromised, leading to 
significant concerns about how the stolen information will be used. 
Additionally, since OPM conducts more than 90 percent of all security 
clearance background investigations, this breach is an example of how 
cyber-attacks threaten our national security. We must do better.
    It will take a collective effort of both the public and private 
sector to improve cybersecurity, and I cannot emphasize enough the 
importance of research into the social and behavioral aspects in this 
area. Our IT infrastructure is built, operated and maintained by 
humans, from the average worker at her desktop to the chief information 
officer of a major company or agency. Most cyber-attacks are successful 
because of human error, such as unwittingly opening a malicious email 
or allowing one's credentials to be compromised. Understanding the 
human element is necessary to combat threats and reduce risk.
    To set government-wide guidelines for protecting federal 
information security systems, Congress passed the Federal Information 
Security Modernization Act or FISMA. FISMA, which was updated at the 
end of last Congress, requires federal agencies to develop, document, 
and implement an agency wide information security program.
    Along with being responsible for their own information security 
system, the National Institute of Standards and Technology (NIST) is 
tasked with developing standards and guidelines for all civilian 
federal information systems. Since NIST plays a critical role in 
protecting our nation's information security systems, it is important 
that they be part of this conversation. I am happy that Dr. Romine is 
here today to tell us more about how NIST develops FISMA standards and 
how they work with other federal agencies.
    FISMA also requires annual reviews of individual agencies' 
information security programs as well as reviews of information 
security policies and the implementation of FISMA requirements 
government-wide. I hope to hear from our witnesses about the steps 
necessary to ensure that OPM meets FISMA requirements, as well as how 
other agencies are doing in this space.
    More information security systems--both in the public and private 
sector--will surely be subject to cyber-attacks in the future. And 
while it is impossible to completely protect a connected information 
security system, we must do all we can to protect the personal 
information of millions of Americans and conduct the oversight to 
ensure such steps are taken. This hearing is the beginning of a 
conversation on how we can do that and we must make sure that we follow 
through with action.
    I look forward to our discussion this afternoon. Thank you and I 
yield back the balance of my time.

    Chairwoman Comstock. Thank you, Mr. Lipinski.
    And I now recognize the Chair of the Oversight 
Subcommittee, the gentleman from Georgia, Mr. Loudermilk, for 
his opening statement.
    Mr. Loudermilk. Thank you, Chairwoman Comstock, for holding 
this very important hearing on an issue that hits close to home 
for you, as many--as others in this country.
    I'd like to thank our witnesses for being here today in 
order to help us understand what seems to be an epidemic of 
cyber attacks. I look forward to discussing what needs to 
be done to prevent similar attacks from occurring in the 
future.
    Now, it isn't a priority, nor should it be a priority for 
us just to address this because it affects some of us that are 
up here, but it's because it affects the American people. And 
unfortunately, this Administration has failed to provide 
Americans with any level of confidence that it will adequately 
protect their personal information when trusted with it.
    As we have witnessed over the past few months, there has 
been a concerning pattern of security breaches involving 
government computer systems. This includes the recent, massive 
data breach of the Office of Personnel Management disclosing 
personal and official information that could potentially harm 
our national security. For an Administration that touts that it 
has ``prioritized the cybersecurity of federal departments and 
agencies,'' we have instead witnessed a government that is 
unable to properly secure its computer systems and protect 
sensitive information.
    The situation at OPM is exactly why the subcommittee that I 
chair is looking into the collection of America's--Americans' 
personal data through the HealthCare.gov website. In that 
situation, it appears that Social Security numbers, dates of 
birth, names, mailing addresses, phone numbers, financial 
account information, military status, employment status, 
passport numbers, and taxpayer IDs are being retained. This 
information is being stored in a data warehouse that is 
intended to provide reporting and performance metrics related 
to the Federally Facilitated Marketplace and other 
HealthCare.gov-related systems.
    In the situation of the data warehouse, the Administration 
never appeared to be forthright about the use and storage of 
personally identifiable information on HealthCare.gov. The 
Administration has yet to explain the reason for indefinitely 
storing user information, particularly of the users of the 
website who input their data to log in but do not end up 
enrolling.
    While this Administration has claimed that cybersecurity is 
a priority, their actions on this and other issues regarding 
protecting the American people suggest the priorities are only 
lip service. From ending the Secure Cities program to storing 
critical information on American citizens without their 
approval or knowledge, this Administration is proving through 
their actions that protecting the American people is far from 
being on their list of priorities.
    If that data warehouse is being protected in the same way 
that OPM was protecting personal information, action needs to 
be taken now to avoid putting the American people at 
significant personal risk. With many Americans being forced 
into the government healthcare exchange, a breach of this 
system could end up having millions affected, just like the OPM 
data hack.
    The Government Accountability Office has included the 
cybersecurity of federal information systems on its list of 
high risk areas since 1997, so this isn't something new. Why, 
then, are we sitting here almost 20 years later, wondering why 
our federal information systems are not being adequately 
secured?
    In the most recent GAO High Risk Series report, it says 
that ``Inspectors General at 22 of the 24 agencies cited 
information security as a major management challenge for their 
agency. For fiscal year 2014, most of the agencies had 
information security weaknesses in the majority of five key 
control categories.'' As Chairman of this subcommittee--this 
Committee's Oversight Subcommittee, I want to find the truth 
behind this reckless behavior that is threatening the safety 
and security of the American people. These actions--or rather, 
lack of actions--put the future of our nation at great risk and 
must stop.
    I look forward to today's hearing, which I anticipate will 
inform us more about the recent OPM breach and the current 
state of our federal information systems. We owe it to the 
American people to ensure that their personally identifiable 
information is safe and protected from cybercriminals.
    And with that, Madam Chair, I yield back.
    [The prepared statement of Mr. Loudermilk follows:]

              Prepared Statement of Oversight Subcommittee
                       Chairman Barry Loudermilk

    Thank you, Chairwoman Comstock, for holding this very important 
hearing on an issue that hits too close to home for you as well as many 
others in this country. I would like to thank our witnesses for being 
here today in order to help us understand what seems to be an epidemic 
of cyber-attacks. I look forward to discussing what needs to be done to 
prevent similar attacks from occurring in the future.
    Unfortunately, this Administration has failed to provide Americans 
with any level of confidence that it will adequately protect their 
personal information when entrusted with it. As we have witnessed over 
the past few months, there has been a concerning pattern of security 
breaches involving government computer systems. This includes the 
recent, massive data breach of the Office of Personnel Management 
(OPM)--disclosing personal and official information that could 
potentially harm our national security. For an Administration that 
touts that it has ``prioritized the cybersecurity of federal 
departments and agencies,'' we have instead witnessed a government that 
is unable to properly secure its computer systems and protect sensitive 
information.
    The situation at OPM is exactly why the Subcommittee that I Chair 
is looking into the collection of Americans' personal data through the 
HealthCare.gov website. In that situation, it appears that social 
security numbers, dates of birth, names, mailing addresses, phone 
numbers, financial accounts information, military status, employment 
status, passport numbers, and taxpayer IDs are being retained. This 
information is being stored in a ``data warehouse that is intended to 
provide reporting and performance metrics related to the Federally 
Facilitated Marketplace (FFM) and other Healthcare.gov-related 
systems.''
    In the situation of the data warehouse, the Administration never 
appeared to be forthright about the use and storage of personally 
identifiable information on HealthCare.gov. The Administration has yet 
to explain the reason for indefinitely storing user information, 
particularly of the users of the website who input their data to log 
in, but do not end up enrolling.
    If that data warehouse is being protected in the same way that OPM 
was protecting personal information, action needs to be taken now to 
avoid putting the American people at significant personal risk. With 
many Americans being forced into the government health care exchange, a 
breach of this system could end up having millions affected, just like 
the OPM data hack.
    The Government Accountability Office (GAO) has included the 
cybersecurity of federal information systems on its list of high risk 
areas since 1997, so this isn't something new. Why, then, are we 
sitting here almost twenty years later, wondering why our federal 
information systems are not being adequately secured? In the most 
recent GAO High Risk Series report, it says that `` . . . inspectors 
general at 22 of the 24 agencies cited information security as a major 
management challenge for their agency. For fiscal year 2014, most of 
the agencies had information security weaknesses in the majority of 
five key control categories.''
    As the Chairman of this Committee's Oversight Subcommittee, I want 
to find the truth behind this reckless behavior that is threatening the 
safety and security of the American people. These actions--or rather, 
lack of actions--put the future of our nation at great risk, and must 
stop.
    I look forward to today's hearing, which I anticipate will inform 
us more about the recent OPM breach and the current state of our 
federal information systems. We owe it to the American people to ensure 
that their personally identifiable information is safe and protected 
from cybercriminals.

    Chairwoman Comstock. Thank you, Chairman Loudermilk.
    And I now recognize the Ranking Member of the Subcommittee 
on Oversight, the gentleman from Virginia, my colleague Mr. 
Beyer, for his opening statement.
    Mr. Beyer. Thank you, Madam Chair. And thank you, Chairs 
Comstock and Loudermilk, for holding this hearing today, 
incredibly timely and--because, you know, earlier today 
obviously New York Stock Exchange, United Airlines, the Wall 
Street Journal all suffering from computer glitches that have 
disrupted their computer networks. And whether this turns out 
to be intentional or whether--or not, it certainly highlights 
the potential vulnerabilities of our digital dependence. And 
today's hearing obviously is about Office of Personnel 
Management.
    Deterring, detecting, and defending against the multitude 
of online threats that constantly lurk in the cyberspace domain 
is a critical issue for federal agencies and the federal 
government and the private sector alike. Last year alone, 
federal agencies reported nearly 70,000 individual computer 
security incidents to the U.S. Computer Emergency Readiness 
Team, or CERT. During the same time period, October 1, 2013, to 
September 30, 2014, nonfederal entities reported more than 
570,000 incidents and many other incidents are potentially not 
identified or even not reported at all. Cyber threats are 
constant, they're evolving, they're very sophisticated, and 
many pose serious distress to companies, agencies, and 
individuals.
    The two recent data breaches at OPM are particularly 
important to me and to my constituents. Representing a 
Congressional District just outside the Nation's capital, many 
of my constituents are federal employees who may have had their 
personal data compromised as a result of these intrusions. One 
of those attacks is believed to have compromised the personal 
information of more than four million people and the other, up 
to 14 million people. And I'm particularly troubled that the 
data that was reportedly accessed included not just the 
personnel files but the security files of our defense, homeland 
security, and intelligence community employees. This could 
potentially jeopardize the financial security, personal safety, 
and ultimately the secrets that are entrusted to help protect 
the Nation.
    While the facts of this case are still being unraveled, 
including the motive for the attack, the identity of the 
perpetrators and the potential damage they may have caused, we 
should understand, too, that the federal government is not 
alone in being the victim of cyber attacks. In the past year 
hundreds of millions of personal records have been compromised 
by hackers targeting J.P. Morgan Chase, eBay, Home Depot, 
Target, and other private companies. I seem to receive a new 
credit card or debit card about every 6 weeks from my bank with 
a note telling me that the card has been compromised yet again.
    When I was in Switzerland, a State Department computer was 
hacked in one year, the Defense Department the next. The 
newspapers blamed China and Russia. Still, the OPM was 
significant and I'm particularly impacted--concerned about the 
impact this has on the morale of a federal workforce that 
recently has endured, through no fault of their own, a 
government shutdown, forced furloughs, staffing cuts, pay 
freezes. These government employees now have the added insult 
of a breach of their personal data.
    Agency heads should also be mindful and accommodating of 
the impact of federal employees who need time off to mitigate 
the fallout from this hack. And I encourage OPM to communicate 
with all agencies to ensure that workers are accommodated so 
they can visit their banks, Social Security offices, creditors 
in order to deal with the repercussions of the breach.
    I know every time I get a new card, I get four or five 
people that don't get paid because the card numbers change and 
then they call and--I know it upsets my wife terribly.
    I'm also concerned that the reports of this attack suggest 
it may have been the result of individuals with ties to foreign 
entities and that particularly a private company working for 
the government as a security contractor may have been the weak 
link in the chain of events that led to the successful attack.
    We're making steady, slow progress in fortifying our cyber 
defenses from potential attack. According to OMB's annual 
report on FISMA sent to Congress in February, there's been 
monitoring--improvement in federal agencies implementing 
continuous monitoring of their networks and the authentication 
of their users, for instance, but these results are not good 
enough. I know everyone on the panel here is interested in 
learning what we can do to strengthen the system as quickly as 
possible, as strongly as possible, recognizing that we're never 
going to have 100 percent security, that the creative hackers, 
ever younger, will figure out additional ways around it. How 
can we create the very best advice on closing cybersecurity 
holes if and when they exist and then augmenting our security 
defenses against them?
    So I very much look forward to your testimony and your 
advice, and Madam Chair, I yield back.
    [The prepared statement of Mr. Beyer follows:]

            Prepared Statement of Subcommittee on Oversight
              Minority Ranking Member Donald S. Beyer, Jr.

    Thank you, Chairs Comstock and Loudermilk, for holding this hearing 
today. I believe this is an important hearing and I look forward to 
hearing from our witnesses. I believe this is an important and timely 
hearing. Earlier today it was reported that the New York Stock 
Exchange, United Airlines and Wall Street Journal are all suffering 
from a ``computer glitch'' that has disrupted their computer networks. 
Whether this event is determined to be intentional or not it highlights 
the potential vulnerability of our digital dependence. Today's hearing, 
however, is about another computer incident at the Office of Personnel 
Management or OPM.
    Deterring, detecting and defending against the multitude of on-line 
threats that constantly lurk in the cyberspace domain is a critical 
issue for the federal government and private sector alike. Last year 
alone federal agencies reported nearly 70,000 individual computer 
security incidents to the U.S. Computer Emergency Readiness Team or 
CERT. During the same time period, from October 1, 2013 to September 
30, 2014, non-Federal entities reported more than 570,000 incidents and 
many other incidents are potentially not identified and others not 
reported at all.
    Cyber threats are constant and evolving, some are very 
sophisticated and many pose serious distress to companies, agencies and 
individuals. The two recent data breaches of the Office of Personnel 
Management (OPM) are particularly important to me and my 
constituents. Representing a congressional district just outside the 
nation's Capital many of my constituents are federal employees who may 
have had their personal data compromised as a result of these 
intrusions. One of those attacks is believed to have compromised the 
personal information of more than 4 million individuals and the other 
is suspected to have compromised the data of as many as 14 million 
people. I am particularly troubled that the data that was reportedly 
accessed included not just the personnel files but the security files 
of our defense, homeland security and intelligence community employees. 
This could potentially jeopardize their financial security, personal 
safety and ultimately the secrets they are entrusted to help protect 
for our Nation.
    While the facts of this case are still being unraveled, including 
the motive for the attack, the identities of the perpetrators and the 
potential damage they may have caused, we should understand too that 
the federal government is not alone in being victim to cyberattacks. In 
the past year, hundreds of millions of personal records have been 
compromised by hackers targeting JP Morgan Chase, Ebay, Home Depot and 
other private companies.
    Still, the OPM breach was significant. I am concerned for the 
personal and professional impact of this breach on our dedicated 
federal workforce, particularly those involved in the national security 
arena. It should not be understated the impact this has on the morale 
of a workforce that has recently endured--through no fault of their 
own--a government shutdown, forced furloughs, staffing cuts, and pay 
freezes. These government employees now have the added insult of a 
breach of their personal data.
    Agency heads should also be mindful and accommodating of impacted 
federal employees who need time off to mitigate the fallout from the 
hack. I encourage OPM to communicate with all agencies to ensure 
workers are accommodated so that they can visit their banks, Social 
Security offices, and creditors in order to deal with the repercussions 
of the breach.
    I am also concerned that reports of this attack suggest it may have 
been the result of individuals with ties to foreign entities and I am 
concerned that it appears a private company working for the government 
as a security contractor may have been the weak link in the chain of 
events that ultimately led to a successful attack.
    The federal government is making steady, but slow progress in 
fortifying our cyber defenses from potential attack. According to the 
Office of Management and Budget's (OMB's) annual report on the Federal 
Information Security Management Act (FISMA) sent to Congress in 
February there has been improvement in federal agencies implementing 
continuous monitoring of their networks and the authentication of their 
users, for instance. But the results are still not good enough. Federal 
Agencies need to do a better job meeting the IT security criteria 
demanded by compliance with FISMA and they need to apply the cyber 
security standards recommended by the National Institute of Standards 
and Technology (NIST) to their networks. At the same time, Congress and 
the public need to realize that no matter how well protected an Agency 
or private entity is, it will never be 100-percent secure and 
data breaches are bound to occur in the future.
    I hope our witnesses can help provide us with advice on closing 
cyber-security holes when and where they exist and augmenting our 
security defenses against them.
    With that I yield back.

    Chairwoman Comstock. Thank you, Mr. Beyer. And thank you 
for your leadership on this, too, and being upfront on it.
    I now recognize the Chairman of the full committee, Mr. 
Smith.
    Chairman Smith. Thank you, Madam Chair.
    Today's hearing highlights the latest and, so far, the most 
extensive cybersecurity failure by a federal agency, the theft 
of millions of federal employee records from the Office of 
Personnel Management.
    National defense in our digital age no longer just means 
protecting ourselves against enemies who attack with 
traditional weapons. It now means protecting America from those 
who launch cyber attacks against our computers and networks, 
invading our privacy and probably endangering lives.
    But it is about much more than solely the invasion of 
privacy or the burden to our economy. This is a national 
security concern, as these breaches expose information about 
members of our military and employees of national security 
agencies.
    A number of federal agencies guard America's cybersecurity 
interests. Several are under the jurisdiction of the Science 
Committee. These include the National Science Foundation, the 
National Institute of Standards and Technology, the Department 
of Homeland Security's Science and Technology Directorate, and 
the Department of Energy. All of these agencies support 
critical research and development to promote cybersecurity and 
set federal standards. However, it is clear that too many 
federal agencies like OPM fail to meet the basic standards of 
information security, and no one is being held accountable.
    Last year audits revealed that 19 of 24 major federal 
agencies failed to meet the basic cybersecurity standards 
mandated by law. And yet the Administration has allowed 
deficient systems to stay online. What are the consequences 
when a federal agency fails to meet its basic duties to protect 
sensitive information? So far it seems the only people 
penalized are the millions of innocent Americans who have had 
their personal information exposed. It will be some time before 
we know the full extent of the damage to personal and national 
security caused by the OPM breach of security. But we do know 
that it is critical that we prevent further attacks on 
America's cyber systems.
    The federal government failed in its responsibility to keep 
sensitive and personal information secure, and Americans 
deserve better. The Science Committee will continue its efforts 
to support the research and development essential to strengthen 
our Nation's cyber defenses. We will also continue to demand 
better answers from OPM on the extent of this breach.
    The Director of the Office of Personnel Management recently 
testified: ``I don't believe anyone (at OPM) is personally 
responsible.'' That is not believable. In fact, it's an insult 
to the American people who pay her salary. The government 
should be accountable to the people, and this committee will 
continue to demand answers about who is responsible for failing 
to keep Americans' sensitive information secure. I hope we can 
use lessons learned from the OPM breach to help find solutions 
to prevent the next attack.
    I look forward to hearing from our witnesses today and I'll 
yield back.
    [The prepared statement of Chairman Smith follows:]

        Prepared Statement of Committee Chairman Lamar S. Smith

    Thank you, Madam Chair. Today's hearing highlights the latest and so 
far the most extensive cybersecurity failure by a federal agency--the 
theft of millions of federal employee records from the Office of 
Personnel Management (OPM).
    National defense in the digital age no longer just means protecting 
ourselves against enemies who attack with traditional weapons. It now 
means protecting America from those who launch cyber-attacks against 
our computers and networks, invading our privacy and probably 
endangering lives.
    But it is about much more than solely the invasion of privacy or 
the burden to our economy. This is a national security concern as these 
breaches expose information about members of our military and employees 
of national security agencies.
    A number of federal agencies guard America's cybersecurity 
interests. Several are under the jurisdiction of the Science Committee. 
These include the National Science Foundation, the National Institute 
of Standards and Technology, the Department of Homeland Security's 
Science and Technology Directorate, and the Department of Energy.
    All of these agencies support critical research and development to 
promote cybersecurity and set federal standards. However it is clear 
that too many federal agencies like OPM fail to meet the basic 
standards of information security--and no one is being held 
accountable.
    Last year audits revealed that 19 of 24 major federal agencies 
failed to meet the basic cybersecurity standards mandated by law. And 
yet the Administration has allowed deficient systems to stay online.
    What are the consequences when a federal agency fails to meet its 
basic duties to protect sensitive information? So far it seems the only 
people penalized are the millions of innocent Americans who have had 
their personal information exposed.
    It will be some time before we know the full extent of the damage 
to personal and national security caused by the OPM breach of security. 
But we do know that it is critical that we prevent further attacks on 
America's cyber systems.
    The federal government failed in its responsibility to keep 
sensitive and personal information secure, and Americans deserve 
better.
    The Science Committee will continue its efforts to support the 
research and development essential to strengthen our Nation's cyber 
defenses. We will also continue to demand better answers from OPM on 
the extent of this breach.
    The Director of the Office of Personnel Management recently 
testified: ``I don't believe anyone (at OPM) is personally 
responsible.'' That is not believable. In fact, it's an insult to the 
American people who pay her salary.
    The government should be accountable to the people, and this 
Committee will continue to demand answers about who is responsible for 
failing to keep Americans' sensitive information secure.
    I hope we can use lessons learned from the OPM breach to help find 
solutions to prevent the next attack. I look forward to hearing from 
our witnesses today and yield back.

    Chairwoman Comstock. Thank you, Mr. Chairman.
    And if there are Members who wish to submit additional 
opening statements, your statements will be added to the record 
at this point.
    Now at this time I would like to introduce our witnesses. 
Michael Esser is the Assistant Inspector General for Audits at 
the Office of Personnel Management. In this role, Mr. Esser is 
responsible for overseeing audits of OPM's information systems. 
Prior to joining the office in 1991 he worked in northern 
Virginia as a CPA. Mr. Esser holds a bachelor of science degree 
in accounting and a master's degree in business administration 
from George Mason University.
    Our second witness today is David Snell, Director of the 
Federal Benefits Service Department for the National Active and 
Retired Federal Employees Association, which represents some 
300,000 active and retired federal employees and their spouses. 
Before joining there, Mr. Snell worked for nearly three decades 
at OPM ending his career there as Chief of Retirement Benefits 
Branch. He holds a bachelor of science degree from George Mason 
University. We have a theme here. Great university.
    Our third witness today is Dr. Charles Romine, Director of 
the Information Technology Laboratory at the National Institute 
of Standards and Technology. This program develops and 
disseminates standards for security and reliability of 
information systems, including cybersecurity standards and 
guidelines for federal agencies like OPM. Dr. Romine has 
previously served as a Senior Policy Analyst at the White House 
Office of Science and Technology Policy and as a Program 
Manager at the Department of Energy's Advanced Scientific 
Computing Research Office. Dr. Romine received his bachelor's 
degree in mathematics and his Ph.D. in applied mathematics from 
the University of Virginia.
    Today's final witness is Dr. Gregory--let me get this 
right--Wilshusen. Okay. Mr. Wilshusen is the Director of 
Information Security Issues at the U.S. Government 
Accountability Office. Prior to joining GAO in 1997, Mr. 
Wilshusen was a Senior Systems Analyst at the Department of 
Education. He received his bachelor's degree in business 
administration from the University of Missouri--I guess the 
non-Virginia university here--and his master of science in 
information management from George Washington University, close 
enough.
    In order to allow time for discussion, please limit your 
testimony to five minutes. Your entire written statement will 
be made part of the record.
    I now recognize Mr. Esser for five minutes to present his 
testimony.

               TESTIMONY OF MR. MICHAEL R. ESSER,

            ASSISTANT INSPECTOR GENERAL FOR AUDITS,

                 OFFICE OF PERSONNEL MANAGEMENT

    Mr. Esser. Chairwoman, Chairman, Ranking Members, and 
Members of the Committee, good afternoon. My name is Michael 
Esser and I am the Assistant Inspector General for Audits at 
the U.S. Office of Personnel Management. Thank you for inviting 
me to testify at today's hearing on the IT security work done 
by my office at OPM.
    OPM has a long history of systemic failures to properly 
manage its IT infrastructure, which may have ultimately led to 
the recent data breaches. We are pleased to see that the agency 
is taking steps to improve its IT security posture but many 
challenges still lie ahead.
    To begin, I would like to discuss some of the findings from 
our annual audits under the Federal Information Security 
Management Act, known as FISMA. We have identified three 
general areas of concern which are discussed in detail in my 
written testimony.
    The first area is information security governance. This is 
the management structure and processes that form the foundation 
of a successful security program. It is vital to have a 
centralized governance structure. OPM has made improvements in 
this area but it is still working to recover from years of 
decentralization.
    The second area is security assessments and authorizations. 
This is a comprehensive assessment of each IT system to ensure 
that it meets the applicable security standards before allowing 
the system to operate. Our 2014 FISMA audit found that 11 of 
OPM's 47 major systems were operating without a valid 
authorization. Because of actions taken by the CIO in April 
2015 we expect this number to more than double by the end of 
fiscal year 2016.
    The third area is technical security controls. OPM has 
implemented a variety of controls to make the agency's IT 
systems more secure. However, these tools must be used properly 
and must cover the entire IT environment. Our FISMA audit last 
year found that they were not.
    These areas represent fundamental weaknesses in OPM's IT 
security program that have been reported to the OPM Director, 
OMB, and the Congress for many years. The fact that these 
longstanding issues were allowed to continue for so long 
without being taken seriously raises questions about the 
inherent effectiveness of the original FISMA legislation and 
implementing guidelines.
    Since 2002 the IGs have been reviewing their agencies' 
information security programs, but the reporting guidelines 
from OMB were focused on compliance with specific security 
areas and lacked perspective on the overall effectiveness of 
the agency's program.
    The FISMA Modernization Act of 2014 shifts the focus from 
review and compliance to assessing effectiveness of security 
controls. In addition, a new maturity model approach to 
evaluating the state of agencies' continuous monitoring 
programs was introduced in this year's FISMA reporting 
instructions for OIGs. These new developments should go a long 
way toward improving the IT security programs of federal 
agencies. OMB and DHS should also work toward making the OIG 
FISMA reporting metrics more reflective of the current risks 
and threats and further adopting the maturity model approach 
for other reporting domains.
    I would also like to take a moment to discuss e-QIP, the IT 
system that OPM uses to collect information related to federal 
background investigations. Just last week, OPM disabled the 
system due to serious vulnerabilities detected in the design of 
the database and public facing website. While we agree with the 
actions taken, OPM has known about vulnerabilities in the 
system for years but has not corrected them. During the 2012 
security assessment and authorization process for e-QIP, an 
independent assessor identified 18 security vulnerabilities 
which still remain open and unaddressed today. We believe this 
is an example of the importance of the security assessment 
process and also of OPM's historical negligence of IT security 
in general.
    Moving forward, OPM is undertaking a massive infrastructure 
improvement project which, when completed, should significantly 
improve the agency's IT security posture. However, we 
identified several concerns related to OPM's failure to follow 
proper project management processes and the agency's use of a 
sole-source contract. These are discussed in more detail in my 
written testimony.
    We fully support OPM's modernization efforts but we are 
concerned that if this project is not done correctly, the 
agency will be in a worse situation than it is today and 
millions of taxpayer dollars will have been wasted.
    Thank you for your time and I'm happy to answer any 
questions.
    [The prepared statement of Mr. Esser follows:]

 [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairwoman Comstock. Thank you.
    And I now recognize Mr. Snell for five minutes to present 
his testimony.

            TESTIMONY OF MR. DAVID SNELL, DIRECTOR,

              FEDERAL BENEFITS SERVICE DEPARTMENT,

              NATIONAL ACTIVE AND RETIRED FEDERAL

                     EMPLOYEES ASSOCIATION

    Mr. Snell. Thank you. Good afternoon and thank you for 
inviting me to testify. I appreciate the opportunity to express 
NARFE's views regarding the recent data breaches at the Office 
of Personnel Management, OPM. We are deeply concerned over the 
failure of the federal government to protect its personnel 
computer systems and the devastating impact the recent breaches 
of these systems may have on national security, as well as on 
the financial and personal security of millions of current and 
former federal employees.
    Let me be clear. The potential consequences of these 
breaches are severe. The personal records obtained through the 
data breaches include the highly personal and sensitive 
information of millions of current and former employees and 
even applicants for federal employment. The extent of the 
breaches is enormous, likely reaching beyond 18 million 
individuals.
    Possession of the information contained in the Standard 
Form 86, a 120-page security clearance form containing an 
applicant's life history, could give our enemies the means to 
attempt to corrupt or blackmail government employees and 
compromise military and intelligence secrets. Moreover, it 
could make public servants vulnerable to grave risks to their 
personal security and that of their families and loved ones.
    While the perpetrators of this act bear the obvious and 
primary fault in this matter, the federal government, including 
both the Administration and Congress, has an obligation to do 
its best to protect the sensitive information its employees and 
job applicants are required to disclose as a condition of 
employment. It failed to meet that obligation.
    Despite explicit warnings by Inspectors General since 1997, 
OPM failed to put in place adequate safeguards for both its 
aged and newer computer systems. This permitted the theft of 
massive amounts of personally identifiable information. Even 
now, the current OPM Inspector General issued a flash audit of 
OPM's plans to improve its data security and found them to have 
``a very high risk of project failure.''
    Our government has failed its employees. It is imperative 
to act swiftly and ensure an incident of this magnitude does 
not repeat itself. The Congressional oversight and response, 
including this hearing, is a good start, but we need continued 
vigilant efforts to improve the federal government's 
information technology and data security for the future.
    The federal government, including both the Administration 
and Congress, now has an obligation to remedy to the best of 
its ability what has transpired. This should have started with 
effective communication with federal employees, retirees, and 
others affected by the breaches and the organizations that 
represent them. Unfortunately, communication has fallen short 
of expectations. While OPM has provided notice to those 
affected by the breach announced June 4 and has communicated 
with organizations in that regard, it has thus far failed in 
its basic duty to inform individuals affected by the second and 
more troubling breach announced June 12 and continues to fail 
to answer many important questions about both breaches. The 
failure of OPM to safeguard personal information should not be 
compounded by deflecting questions.
    Our written testimony details many of the questions we are 
still seeking answers to regarding the details of exactly what 
data has been accessed. The federal community and everyone 
affected by the data have been--data breach deserves answers to 
these questions.
    In addition to better communication, the federal 
government should provide lifetime credit monitoring and 
additional identity theft insurance. The 18 months of credit 
monitoring offered by OPM is woefully inadequate. The depth of 
personal information exposed is enormous and the threat to 
individuals extends way beyond 18 months. It is only fair to 
provide financial protection in line with the threat that has 
been posed. Furthermore, Congress should appropriate funds 
necessary to provide this protection.
    The question posed in the title of this hearing ``Is This 
the Tip of the Iceberg?'' is a valid one. While I cannot answer 
that, I will say I certainly hope not. The recent breaches 
should be a wake-up call to this country and its leaders about 
the dangers of cyber terrorism and the critical need to protect 
our government's core functions. Let's make sure this isn't the 
tip of the iceberg but rather the last time our federal 
government has to deal with a cybersecurity breach that threatens 
the financial security of its employees.
    Thank you again for the opportunity to share our views.
    [The prepared statement of Mr. Snell follows:]
    
    Chairwoman Comstock. Thank you, Mr. Snell.
    And now, Dr. Romine, for five minutes for your testimony.

           TESTIMONY OF DR. CHARLES ROMINE, DIRECTOR,

               INFORMATION TECHNOLOGY LABORATORY,

         NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

    Dr. Romine. Chairwoman Comstock, Chairman Loudermilk, 
Ranking Member Lipinski, Ranking Member Beyer, and Members of 
the Subcommittees, I'm Dr. Charles Romine, Director of the 
Information Technology Laboratory at NIST. Thank you for the 
opportunity to appear before you today to discuss our 
responsibilities for assisting federal agencies with 
cybersecurity.
    NIST has worked in cybersecurity with federal agencies, 
industry, and academia since 1972. Our role, to research, 
develop, and deploy information security standards and 
technology to protect information systems against threats to 
the confidentiality, integrity, and availability of information 
and services was strengthened through the Computer Security Act 
of 1987, broadened through the Federal Information Security 
Management Act of 2002 or FISMA, and reaffirmed in the Federal 
Information Security Modernization Act of 2014.
    NIST carries out its responsibilities under FISMA through 
the creation of a series of Federal Information Processing 
Standards, or FIPS, and associated guidelines. Under FISMA 
agencies are required to implement those FIPS. To further 
assist agencies, NIST provides management, operational, and 
technical security guidelines covering a broad range of 
cybersecurity topics.
    NIST has a series of specific responsibilities in FISMA 
to--of particular relevance to today's hearing were addressed 
by NIST and published as FIPS 199, the standard for security 
categorization of federal information and information systems; 
and FIPS 200, which sets the minimum security requirements 
based on the categorization identified using FIPS 199.
    NIST created baselines for these minimum security 
requirements based on three levels determined in accordance 
with FIPS 199: low, moderate, and high. For example, at a high 
categorization, FIPS 199 states that ``the loss of 
confidentiality, integrity, or availability could be expected 
to have a severe or catastrophic adverse effect on 
organizational operations, organizational assets, or 
individuals.''
    Examples of controls included in the associated baselines 
then cover a range of requirements for a lifecycle of security. 
For example, security awareness and training, contingency 
planning, access control, system disposal, and incident 
response. Once a baseline is established, NIST provides 
guidance to agencies to assist in determining that the baseline 
is adequate to meet their risk-based requirements.
    An agency may need to enhance a given baseline to address 
local risks, the agency's mission, and technical 
infrastructure. For example, an agency with a real-time 
monitoring system such as workstations in air traffic control 
or critical patient monitoring systems might not want to use a 
timed password-locked screensaver to mitigate security issues 
for unattended workstations. Instead, a guard or site 
surveillance system might be more appropriate to support the 
mission and still meet the intent of the baseline.
    Establishing a sound security baseline is not the end of 
security for an agency. NIST provides standards, guidelines, 
and tools for agencies to test and assess their security and 
continuously monitor their implementation and new risks. The 
authorization of a system by a management official is an 
important quality control under FISMA. By authorizing a system, 
the manager formally assumes responsibility for operating a 
system at an acceptable level of risk to the agency operations 
or individuals.
    Under FISMA, NIST does not assess, audit, or test agency 
security implementations. Congress recognized that placing such 
responsibilities on NIST would impede its ability to work with 
federal agency and private-sector stakeholders to develop 
standards, guidelines, and practices in the open, transparent, 
and collaborative manner that Congress intended.
    NIST's statutory role as the developer but not the enforcer 
of standards and guidelines under FISMA has ensured NIST's 
ongoing ability to engage freely and positively with federal 
agencies on the implementation challenges and issues they 
experience in using these standards and guidelines. NIST is 
committed to continue to help agency officials address their 
responsibilities under FISMA to understand and mitigate risks 
to their information and information systems that could 
adversely affect their missions.
    We recognize that we have an essential responsibility in 
cybersecurity and in helping industry, consumers, and 
government to counter cybersecurity threats. Active 
collaboration within the public sector and between the public 
and private sectors is the only way to effectively meet this 
challenge leveraging each participant's roles, 
responsibilities, and capabilities.
    Thank you for the opportunity to testify today on NIST's 
work in federal cybersecurity and I would be happy to answer 
any questions that you may have.
    [The prepared statement of Dr. Romine follows:]
    
    
    Chairwoman Comstock. Thank you, Doctor.
    And I now recognize Mr. Wilshusen for five minutes to 
present his testimony.

         TESTIMONY OF MR. GREGORY WILSHUSEN, DIRECTOR,

                  INFORMATION SECURITY ISSUES,

             U.S. GOVERNMENT ACCOUNTABILITY OFFICE

    Dr. Wilshusen. Chairman Comstock, Chairman Loudermilk, 
Ranking Members Lipinski and Beyer, and Members of the 
Subcommittees, thank you for the opportunity to testify at 
today's hearing.
    The recent OPM data breaches affected millions of federal 
employees. However, OPM is by no means the only agency to 
suffer data breaches or face challenges securing its computer 
systems and information. The number of information security 
incidents both cyber and non-cyber reported by federal agencies 
continues to rise, increasing from about 5,500 in fiscal year 
2006 to over 67,000 in fiscal year 2014. Similarly, the number 
of incidents involving personally identifiable information more 
than doubled in recent years to over 27,000 in fiscal year 
2014. These incidents illustrate the need for stronger 
information security controls across the federal government.
    Today, I will discuss several cyber threats to federal 
systems, cybersecurity challenges facing federal agencies, and 
governmentwide initiatives aimed at improving cybersecurity.
    Before I begin, if I may, I'd like to recognize members of 
my team who are instrumental in developing my statement and 
some of the work underpinning it. With me today is Larry 
Crosland, an Assistant Director who led this body of work. I 
also want to recognize Brad Becker, Lee McCracken, Chris 
Businsky, Scott Pettis, who also made significant 
contributions.
    Madam Chairwoman, Mr. Chairman, the federal government 
faces an array of cyber-based threats to its computer networks 
and systems. These threats include both targeted and untargeted 
attacks from a variety of sources, including criminal groups, 
hackers, disgruntled insiders, and foreign nations. These 
sources vary in terms of their capabilities, willingness to 
act, and motives, which can include seeking monetary gain or 
pursuing an economic, political, or economic advantage.
    In the grip of these threats, most federal agencies face 
challenges securing their systems and networks. Agencies 
continue to have shortcomings in assessing risks, developing 
and implementing security controls, and monitoring results. For 
example, 19 of 24 agencies covered by the Chief Financial 
Officers Act reported that information security weaknesses were 
either a significant deficiency or a material weakness for 
financial reporting purposes. And the Inspectors General at 23 
of these agencies cited information security as a major 
management challenge for their agency.
    Agencies also need to provide better oversight of the 
security of their contractor-operated systems. Five of six 
agencies we reviewed did not consistently assess their 
contractors' information security practices and controls, 
resulting in security lapses.
    Even with effective controls, security incidents and data 
breaches can still occur. Agencies need to react swiftly and 
appropriately when they do. However, seven agencies we reviewed 
had not consistently implemented key operational practices for 
responding to data breaches involving personal information. GAO 
and agency IGs have made hundreds of recommendations to assist 
agencies in addressing these and other challenges. Implementing 
these recommendations will help strengthen agencies' ability to 
protect their systems and information.
    DHS and the Office of Management and Budget have also 
launched several governmentwide initiatives to enhance 
cybersecurity. One such initiative is requiring stronger 
authentication of users through the use of personal identity 
verification, or PIV cards. However, OMB recently reported that 
only 41 percent of agency user accounts at 23 civilian agencies 
required PIV cards for accessing agency systems.
    Another initiative, the National Cybersecurity Protection 
System is intended to detect and prevent malicious network 
traffic from entering federal civilian networks. GAO is 
presently reviewing the implementation of this system. Our 
preliminary observations indicate that the system's intrusion 
detection and prevention capabilities may be useful but are 
also limited.
    While governmentwide initiatives hold promise for 
bolstering the federal cybersecurity posture, no single 
technology or set of practices is sufficient to protect against 
all cyber threats. A multilayered defense-in-depth strategy 
that includes well-trained personnel, effective and 
consistently applied processes, and appropriate technologies is 
needed to better manage cyber risks.
    This concludes my oral statement. I'd be happy to answer 
your questions.
    [The prepared statement of Mr. Wilshusen follows:]
    
    
    Chairwoman Comstock. I thank the witnesses for their 
testimony and for your expertise and work on this over quite a 
long time.
    I would like to remind Members that the Committee rules 
limit our questioning to five minutes and I now recognize 
myself for five minutes of questions.
    A Washington Post editorial from this past Sunday, July 5, 
they said the OPM Director knew as well as anyone how sensitive 
the data was, yet the door to her agency was apparently left 
ajar. Thieves walked out with an intelligence goldmine. This 
was an unforgivable failure of stewardship that should lead to 
firings for incompetence.
    Mr. Esser, to your knowledge has OPM reprimanded or fired 
any official over this failure to protect its employees' most 
sensitive data?
    Mr. Esser. I'm not aware of any.
    Chairwoman Comstock. Are you aware of any discussions to 
that effect?
    Mr. Esser. No, I haven't heard any.
    Chairwoman Comstock. Okay. Thank you.
    And, Mr. Snell, really thank you for being here and 
representing so many people not just here in our metropolitan 
area but all across the country because this impacts our 
contractors, our federal employees, so it's important for 
people to understand that this is really a nationwide breach 
and, you know, you're representing people who are aware of this 
but there's still many more that aren't. Could you tell us what 
some of their concerns and unanswered questions are and how you 
think additional things that might be helpful for the employees 
and from what you've heard that we might ask for to help answer 
the questions that you've been getting from people?
    Mr. Snell. Thank you. I'd be glad to. A lot of the folks we 
hear from are members as well as others. Their main concern is 
trust and trust in what they get. The information came to many 
of them through email. The email address was not a government 
email address. It was a .com address. They didn't know whether 
to open it, they didn't know what to do with it. They had 
little information. Many people have received letters. Those 
people don't have internet. They didn't--they weren't able to 
access the frequently asked questions and the explanations that 
the Office of Personnel Management had available out there. And 
so they were left in the dark.
    They didn't know if they called the number, if they 
contacted anybody if they could ever trust them, so we have a 
lot of distrust out there. A lot of folks are scared obviously. 
They don't know what's going to happen. Some folks who have not 
been notified that their records were compromised are 
wondering, you know, were my records compromised? Can I trust 
the fact that I didn't get notice or is this another, you know, 
problem? So those are the questions, those are the concerns 
that we hear from our members both current federal employees 
and retirees.
    Chairwoman Comstock. Thank you. I appreciate that and we 
look forward to continuing to work with you on identifying any 
of those and how we can help answer their questions.
    I was wondering, maybe a question for all of you, what kind 
of things, if someone has had their information breached or 
compromised, what should they be on the lookout for now? What 
would be an unusual type of situation that should raise the 
antenna and say this might be something I need to pay attention 
to? Can you think of some scenarios just so that people can get 
an idea of what they have to be on the lookout for?
    Dr. Wilshusen. Sure. I'll start it off. First of all, 
individuals who believe their information may have been 
compromised or been notified that it has been should certainly 
check their credit reports to see if there have been any new 
credit accounts or charges that they're unaware of that may 
have cropped up, and certainly that's probably one of the basic 
things that individuals should do. They should also know that 
they are entitled to receive a free credit report from each of 
the three credit reporting agencies on an annual basis and 
that's something that one should do on a regular basis annually 
is to check each--credit reports from each of those 
organizations.
    Indeed, if they do receive the letter, as I have, is to 
also check to see about subscribing to the service that OPM is 
offering through their contractor because they, too, will 
provide--or supposed to provide anyway--some surveillance on 
the part of the individual.
    Chairwoman Comstock. Okay.
    Mr. Snell. I would add to that--and those are excellent 
suggestions. I would add to that that any statement they get 
regarding any other benefits they get from any other company or 
government entity such as Social Security, if there's something 
that has changed without their knowledge, they should report 
that right away. We had one member who found out his address on 
his Social Security payments had changed without his 
authorization. Being this close to the events of the breaches, 
of course, that member was concerned that this had been 
connected. But we did report it to OPM. The OPM folks had 
looked into it and decided that it was a separate incident. But 
still, any kind of changes like that, people should look into.
    Chairwoman Comstock. Okay. And one other thing I was 
wondering, should--a lot of people don't know what's 
necessarily in their personnel file. Have people asked you 
about possibly having copies of their personnel file, having 
copies of their background check? Because, you know, if 
something starts coming up, you don't necessarily know what's 
in your background check, right, or even your personnel file 
even though you fill it out. Particularly with the background 
checks, those people aren't going to have any idea what people 
have said, right?
    Mr. Snell. Right. We haven't heard from anybody--any of our 
members with that particular request so--
    Chairwoman Comstock. Okay. Thank you. And I now turn over 
to questions from Mr. Lipinski.
    Mr. Lipinski. Thank you. I want to get down to the big 
question and what--in terms of what we should do moving forward 
here. It's not acceptable for these data breaches to occur at 
OPM, anywhere else in the government, or in the private sector. 
We know--okay, we accept--we know that they can happen but I 
sometimes feel like there's not enough done not just in the 
public sector but the private sector to prevent these.
    So my question is how do we make FISMA effective? I 
understand, as Dr. Romine said, that NIST, for good reason, 
only sets the standards; they're not the enforcer. So who 
should be, who can be the enforcer when it comes to the federal 
government? And I want to--just want to try to figure this out 
so that we can get someone so we know who's accountable, who 
can be held accountable, and who has the responsibility. So, 
Mr. Esser, what would you recommend?
    Mr. Esser. Well, one possibility is OMB. I mean we--as an 
IG office we audit, we report, and we identify, you know, areas 
of weakness but that's as far as our authority extends. We have 
no enforcement authority. Those reports go eventually to OMB 
and that could potentially be one area of enforcement.
    Mr. Lipinski. Dr. Romine, do you have any recommendations?
    Dr. Romine. No, I think that's right. The oversight 
function, as it currently is set up under FISMA, I think is OMB 
with more recently DHS providing assistance to agencies to meet 
their obligations under FISMA. So I think that's the right 
answer.
    Mr. Lipinski. Mr. Wilshusen, do you have anything to add?
    Dr. Wilshusen. Yeah, I would agree to the same extent that both 
of the other witnesses mentioned, but I would also just like to 
point out that under law both under the FISMA 2002 and FISMA 
2014 it is clearly the responsibility of the head of each 
agency to implement the appropriate information security 
protections to reduce the risk and magnitude of harm that could 
occur should information or information systems be compromised 
through unauthorized access, use, disclosure, modification, 
destruction, and disruption. And so clearly in terms of 
responsibility it's the head of agencies--each agency head to 
make that happen.
    Mr. Lipinski. Is there anything more that you recommend 
that we do? As you said, FISMA has been updated but is there 
anything more that should be done with, you know, that Congress 
should do with FISMA? Does anyone have any recommendations for 
anything further?
    Dr. Wilshusen. Well, I would just say first that I think 
Congress did--went quite a distance in terms of modernizing 
FISMA to include clarifying their roles and responsibilities 
for information security across the federal government, 
particularly with assigning responsibilities to the Department 
of Homeland Security, who has now responsibility for assisting 
and overseeing to an extent implementation of security controls at 
the federal agencies.
    It also recognizes the need for new types of security 
controls and procedures to be put in place such as continuous 
monitoring, continuous diagnostics and mitigation, which is 
another type of control set that, if effectively implemented, 
could assist agencies in better protecting their systems, 
identifying their risk, and addressing the key vulnerabilities 
first.
    Mr. Lipinski. Okay. Mr. Esser, did you want to add 
something?
    Mr. Esser. Yeah. I agree with Mr. Wilshusen, and I think 
from our viewpoint, the FISMA Modernization Act of 2014 went a 
long ways toward improving the situation, changing our reviews 
from more of a compliance check of a yes or a no, do they 
have--or do they do security controls testing to an 
effectiveness test of how good are those tests and moving 
towards continuous monitoring and the mature model that is 
being put in place. So we think continuing to move along that 
path is the right direction.
    Mr. Lipinski. Anyone else have anything to add?
    Good. All right. Thank you very much. I yield back.
    Chairwoman Comstock. Thank you.
    And I now recognize Mr. Loudermilk.
    Mr. Loudermilk. Thank you, Madam Chair.
    Mr. Wilshusen, as I mentioned in my opening statement, the 
situation we have at OPM is exactly why my subcommittee is 
investigating the collection of America's personal data through 
HealthCare.gov. In September 2014, the GAO came out with a 
report noting that HealthCare.gov's data warehouse system MIDAS 
did not have an approved Privacy Impact Assessment that 
included a thorough analysis of privacy risks. Given that MIDAS 
is processing personally identifiable information and appears 
to have--indefinitely storing that information, how important 
is it to have an approved privacy impact statement for--or 
assessment for MIDAS?
    Dr. Wilshusen. I think it's vitally important because in 
that it helps the agencies to identify not only the privacy 
risks associated with that particular system but also 
alternatives and the controls that should be in place to better 
protect and help protect that information.
    Mr. Loudermilk. Thank you.
    Dr. Wilshusen. And we recommended--we also noted that not 
only had CMS not effectively implemented--or designed a policy 
impact assessment for MIDAS but for other systems connected 
with HealthCare.gov.
    Mr. Loudermilk. Do you know if an assessment is done since 
the September report?
    Dr. Wilshusen. We just received information from--we 
actually made a recommendation that in their Privacy Impact 
Assessment that they assess these privacy risks and today we 
believe that recommendation is still open----
    Mr. Loudermilk. So do they----
    Dr. Wilshusen. --and not fully implemented by----
    Mr. Loudermilk. They have not--is that concerning?
    Dr. Wilshusen. Well, we believe they should do that, yes.
    Mr. Loudermilk. Okay. When you looked into the MIDAS system 
as part of the HealthCare.gov review, was it known to you that 
personally identifiable information of individuals who signed 
up on the HealthCare.gov website would be indefinitely stored?
    Dr. Wilshusen. It was known that initially the CMS 
officials indicated that personally identifiable information 
may not be stored and it--but then they acknowledged that it 
would be and it was because of that acknowledgement that 
personally identifiable information would be stored in MIDAS, 
that the need for assessing those privacy risks is important as 
part of a Privacy Impact Assessment.
    Mr. Loudermilk. Okay. So the fact that they indicated that 
they intended to store this PII information is really what 
catapulted this assessment, the need for the assessment? Is 
that what you're saying?
    Dr. Wilshusen. Right. Any new development or system should 
have a Privacy Impact Assessment if personally identifiable 
information is going to be collected, stored, or disseminated 
through that system.
    Mr. Loudermilk. Is it normal for the federal government to 
store PII information on websites or information obtained 
through websites?
    Dr. Wilshusen. I would say that that is normal for agencies 
to store personally identifiable information, some of which may 
be obtained through a website, but we--I have not looked at 
that specifically with regard to collection of information 
through websites.
    Mr. Loudermilk. Okay. I appreciate that. Also, GAO has 
listed the security of our federal cyber assets on its high-
risk list since 1997. It's been almost 20 years. Does it remain 
on the high-risk list to this day because of evolving threats 
to federal information systems or is it because federal 
agencies have not been able to learn how to properly protect 
these systems?
    Dr. Wilshusen. I would say both----
    Mr. Loudermilk. Okay.
    Dr. Wilshusen. --because certainly there's an inherent risk 
to agency systems because of the evolving threats and just the 
complexity of the systems that agencies develop and operate 
because many--much of the software that agencies use have 
vulnerabilities in it, some discovered, some undiscovered. But 
at the same time it's incumbent upon federal agencies to 
implement the appropriate security controls to mitigate those 
risks to--at a cost-effective and acceptable level. And we 
found that agencies have not consistently implemented 
agencywide information security programs to mitigate that risk 
effectively.
    Mr. Loudermilk. Is it because of--it's a lack of priority 
for a lot of these agencies?
    Dr. Wilshusen. In some cases it might be but it's also in 
other cases I believe it's just to the fact that there are a 
number of actions that agencies just haven't really taken that 
they need to take such as installing patches in a timely manner 
and assuring that known vulnerabilities are ameliorated in a 
timely manner.
    Mr. Loudermilk. Can you tell me who's ultimately 
accountable for the cybersecurity of our federal government?
    Dr. Wilshusen. Accountable or responsible? You know, I have 
to say in terms of at least for federal agencies, the agency 
head is responsible for implementing effective security 
controls and that's under law under FISMA. At the same time in 
terms of accountable that's harder to measure because to my 
knowledge it's difficult to see what accountability mechanisms 
are in place to assure that individuals are effectively 
securing systems. That could be done through personnel 
performance expectations, but in terms of individuals being 
held to account for that is somewhat uncertain.
    Mr. Loudermilk. I see I'm out of time. One quick question 
if I may, Madam Chair.
    Chairwoman Comstock. We're just tight because we're going 
to have votes.
    Mr. Loudermilk. Okay.
    Chairwoman Comstock. We want to squeeze everybody in.
    Mr. Loudermilk. On a scale grading like elementary school A 
to F, our federal cybersecurity, how do you grade it?
    Dr. Wilshusen. D.
    Mr. Loudermilk. D minus from the way I hear that?
    Dr. Wilshusen. I'll go with D because in many respects 
there are improvements within federal information security and 
some of the initiatives but it's getting to the effective 
implementation of those security controls and the--some of the 
initiatives. Over time, consistently, that's proved 
challenging.
    Mr. Loudermilk. Thank you very much. Thanks to all the 
panel.
    Chairwoman Comstock. Thank you.
    I now recognize Mr. Beyer for five minutes.
    Mr. Beyer. Thank you, Madam Chair.
    Mr. Snell, do you know how long it takes to have a negative 
report, a so-called derogatory report on your credit report 
drop off?
    Mr. Snell. [Nonverbal response.]
    Mr. Beyer. Okay. Well, six to eight years. I only bring 
that up because it's a long time.
    Mr. Snell. It is a long time.
    Mr. Beyer. And I want to bring--call attention to something 
that you mentioned in your written report where you say ``the 
federal government should offer identity theft insurance, 
should offer credit monitoring services for the lifetime of 
anyone affected, and increase the amount of identity theft 
insurance provided in certain circumstances. Unlimited coverage 
may be required.'' I just want all of us to highlight that 
because this is I think really an initiative that we can bring 
as Democrats and as Republicans on Oversight to this issue.
    Mr. Snell. Well, thank you.
    Mr. Beyer. So thank you for bringing that up because it--by 
the way, the other rhetorical question, do you know how long it 
takes them to fix something that's wrong on a credit report, 
which is like impossible? So----
    Mr. Snell. It's a nightmare.
    Mr. Beyer. Yes.
    Mr. Esser, your testimony was pretty devastating, all the 
things that didn't get fixed that were identified year in and 
year out within OPM. And I'm just baffled by it. Do you have 
any idea why? Is this a series of CIOs who didn't respond? Is 
it a series of Directors, Democrat, Republican administrations 
that didn't respond? Does any of it come back to us on Congress 
because we didn't allocate the resources necessary, the 
hardware, the software, the staffing to make all this happen? 
For example, you mentioned in there that OPM has decided they 
needed a legacy system. With legacy systems, you couldn't go 
back and tinker with them one by one; you had to do an 
overhaul. Help us understand this lack of leadership and lack 
of action on something that you guys as Inspectors General had 
clearly identified.
    Mr. Esser. I would have to guess it's a combination of 
factors. Certainly, there's been, you know, different directors 
and different CIOs during the time period that we've reported 
material weaknesses in IT security. You know, so, you know, if 
you look at the current Director, she wasn't there when this 
all started. The current CIO wasn't there when this all 
started. But at the same time there's been current issues that 
we've reported that, you know, they also haven't gotten 
addressed in a timely fashion that we would like to see them 
addressed.
    Resources I think is always an issue but it's not the sole 
answer. I think sometimes we feel like things that we report 
don't get the attention that they should get. We've had, you 
know, weaknesses that have been outstanding for, you know, 
years and years and years and that just shouldn't be.
    Mr. Beyer. All right. Well, thank you. Thank you, Mr. 
Esser.
    Dr. Romine, did I say that right?
    Dr. Romine. [Nonverbal response.]
    Mr. Beyer. On NPR this morning they were talking about the 
difficulty that our military and our intelligence units are 
having with ISIS encrypting messages between their potential 
recruits. Can we use this encryption for federal government 
data?
    Dr. Romine. I don't know what encryption they're using but 
we do have access to strong encryption, and in fact NIST in my 
laboratory has been in the encryption space for decades now 
starting with the original DES, Data Encryption Standard, that 
was developed through NIST.
    We certainly recognized--our guidance provides input that 
encryption is a very powerful tool for securing information. 
It's not the only one in the arsenal but it is a very effective 
one and often not very costly. And so I think certainly it's an 
avenue for protecting the data.
    Mr. Beyer. You know, I know you're not responsible for the 
private sector and it seems that you clearly have developed 
some very thoughtful guidelines and protocols for how the 
federal government should work. Do you have any sense of 
whether the federal government leads or lags the private sector 
in terms of cybersecurity, data encryption, all the things 
we're talking about today?
    Dr. Romine. So I think there are bright spots in both 
cases. I mean I think there are--it's uneven in the private 
sector just as it's uneven in the federal government as well. I 
will say that the guidelines and the standards that we issue 
that are principally intended for the federal government are 
often picked up by the private sector because of the quality of 
those guidelines and standards. And in fact we depend on the 
private sector to participate and provide us with input. We 
have a multiphase comment period for almost all of our 
guidelines so that we get the best minds in the private sector 
and public sector to contribute.
    Mr. Beyer. Thank you.
    Madam Chair, I yield back.
    Chairwoman Comstock. Thank you.
    I now recognize Mr. Johnson for five minutes.
    Mr. Johnson. Thank you, Madam Chairman. And, gentlemen, 
thank you for joining us today.
    I--you know, cybersecurity and the kind of attack that we 
saw on OPM I think--and I believe I read it here somewhere 
earlier today--is just the tip of the iceberg. As a 30-year IT 
professional myself, I firmly understand that as long as 
computers are working off of 1s and 0s, the bad guys are going 
to be out there trying to get in. And the battle space is huge 
and our ability to protect it is going to require constant 
vigilance. It's not a problem that has--it's not a race that 
has a finish line because as soon as we get to one point, the 
goalposts are moved and the game strategy changes.
    And I spent a lot of my time helping to educate and inform 
those that will listen so that we understand. But this is a big 
issue and communications and computing technologies are 
foundational to our economy and to virtually every industry 
that supports our economy, including our own national security. 
So it's a really big issue.
    Mr. Esser, the OPM Director has stated that some of OPM's 
network systems are so old that it has been difficult if not 
impossible to upgrade and encrypt them. How credible is that 
explanation and how many of the OPM systems that were hacked 
were these old legacy systems versus more modern ones capable 
of encryptions and upgrades?
    Mr. Esser. I don't have an exact count of how many are 
legacy systems and how many are modern. There is a lot of 
credibility to what she says. There are old systems at OPM that 
it is difficult to bring into the modern era of security, not 
that it can't be done but it can be difficult. But our 
understanding is that at least a few of the systems that were 
hacked are more modern systems that certainly, you know, modern 
encryption techniques and other security techniques could have 
been implemented on.
    Mr. Johnson. Right. Okay. Well, a complete overhaul of the 
existing IT infrastructure at OPM could take years, right? Do 
you believe that there are intermediate steps OPM could take to 
address security needs in the short-term?
    Mr. Esser. There are and they have taken some of those 
steps. They've--
    Mr. Johnson. What are those? Can you enumerate some of 
them?
    Mr. Esser. Well, when the initial breach took place in 2014 
and they began working on tightening up their systems, they 
went into what they call a tactical phase of immediately 
remediating some of the high security problems they had. And so 
we're fully in favor of everything they've done related to that. 
You know, things like, you know, requiring more two-factor 
authentication. They're not fully there but they're working on 
it so they have taken steps to tighten up systems in that 
respect.
    Mr. Johnson. Okay. Dr. Romine and Mr. Wilshusen--do I have 
that right?
    Dr. Wilshusen. Close enough. It's Wilshusen.
    Mr. Johnson. Wilshusen, okay. I apologize. Johnson is 
pretty easy for everybody so I don't ever have that problem. 
Sorry.
    Dr. Romine and Mr. Wilshusen, do you agree? Are there 
things that can be done in the near term? Are there more things 
that can be done in the near term?
    Dr. Romine. Well, certainly from the perspective of the 
NIST guidelines and FISMA guidelines that we issue I think we 
put those out as a means of reducing the susceptibility of the 
system to hack. Nothing is 100 percent secure but I think 
following those guidelines is the most effective way that I can 
think of to protect the systems.
    Mr. Johnson. Mr. Wilshusen?
    Dr. Wilshusen. And I would agree with both what Dr. Romine 
and Mr. Esser said. One thing that comes to mind, too, is based 
on what's been reported by the Office of Management and Budget 
as it relates to OPM is that, as of the end of fiscal year 
2014, OPM had only implemented the use of personal identity 
verification cards or strong authentication for one percent of 
its user accounts. My understanding is that they're making 
progress now to improve that but certainly having strong 
authentication, using multifactor authentication for user 
accounts would be one area that it seems that OPM could improve 
on and may be working on that now.
    Mr. Johnson. Okay. Well, gentlemen, thank you very much and 
I've exhausted my time.
    Madam Chair, I yield back.
    Chairwoman Comstock. Thank you.
    I now recognize Ms. Bonamici.
    Ms. Bonamici. Thank you very much, Madam Chair. Thanks to 
the Chairs and Ranking Members for this important conversation 
and thanks to the witnesses who are here. I wish we each had 
five hours instead of five minutes because there are so many 
questions.
    So I wanted to start, Mr. Snell, you mentioned the issues 
and the challenges with notification and communication, and 
this is something that I want to recognize both in the public 
and private sector has been a challenge. And of course with the 
number of current and former federal employees, it's my 
understanding that the FISMA requirement requires notice to 
affected individuals provided as expeditiously as practicable 
and without unreasonable delay. So those are obviously terms 
that are not concrete depending on the circumstances. I just 
bring this up to recognize the importance of communicating with 
people who are victims of the data breaches. And it's not just 
an issue in the federal arena either, in the private sector as 
well.
    I want to go back to the point that was made about 
encryption. It's my understanding that Estonia, even though 
it's a small country, had a significant data breach in 2007 and 
has really come around and is now considered one of the 
countries that does the best job of protecting data. Granted 
it's a smaller--much smaller population but they do make--heavy 
use of encryption. And they also have focused on educating the 
workforce.
    And I also serve on the Education Committee and I wanted to 
ask about the--whether we are really educating people who will 
be able to be the people who are preventing as well as 
understanding how we need to do this both psychologically and 
technically. So do we need to improve cybersecurity education? 
Are there enough opportunities for the workforce? Do we have 
the people we need out there to be able to do these jobs? I'll 
start with Mr. Wilshusen.
    Dr. Wilshusen. Well, I think certainly improving the 
cybersecurity understanding and awareness on the part of the 
public at large, which I believe you're referring to, as well 
as with the federal workforce, is going to be very important to 
address these cyber threats that consistently evolve and are 
becoming more sophisticated over time. And certainly having an 
awareness of that and what types of controls and activities one 
should engage in and should not engage in should be certainly 
on the minds and--of everyone because each individual 
potentially could be the weak link in--which results in some 
sort of a computer compromise.
    Ms. Bonamici. That's a great point. And in your testimony 
you have this whole chart about the common adversaries and you 
list hackers and I have to say I'm a little confused as I go 
visit schools and the high schools are having these hack-a-
thons and they're considered positive things. So is hacker a 
negative connotation or is it a positive or is it--depends on 
who the hacker is? It's a little confusing.
    Dr. Wilshusen. I guess it depends on what they're doing 
with their hacking. You know, if they're so-called white 
hackers, you know, but in terms of--it's good to know how 
hackers and particularly those individuals with malicious 
intent----
    Ms. Bonamici. Right.
    Dr. Wilshusen. --operate, what types of tools they use, 
how--their modus operandi if you will in order to understand 
how to protect against them. And so it's important to know that 
and certainly one of the things that information security 
professionals do is penetration testing and to see whether or 
not any organization's information security controls are 
effective in keeping out hackers who may use similar type of 
techniques.
    Ms. Bonamici. Terrific. And I wanted to ask, I guess, each 
of you. Can you talk a little bit about your--what are your two 
or three top recommendations for improving practices generally, 
not necessarily just for the federal government. Mr. Esser, 
what would be your top two or three recommendations?
    Mr. Esser. I mean one of the things I would go back to is 
the two-factor authentication to strengthen security. It's 
really necessary to implement that and not just that but I mean 
there's all kinds of different things that need to be 
implemented, and the key I think is having, you know, security 
Defense in Depth I think is the term that's used.
    Ms. Bonamici. Terrific. And I want to make sure the others 
get--and I'm almost out of time.
    Mr. Snell, do you have a couple of----
    Mr. Snell. No, that's not my strength so I'll----
    Ms. Bonamici. Dr. Romine?
    Dr. Romine. Sure. I would echo, I think, that proper 
identity management is a key driver. I think it can be really 
beneficial. Good use of encryption is good for preserving the 
integrity or at least the confidentiality of data, so I would 
just maybe add those two.
    Ms. Bonamici. And Mr. Wilshusen?
    Dr. Wilshusen. I would say one is addressing patches or 
installing critical patches and remediating known 
vulnerabilities. U.S. CERT recently came out with a technical 
alert that said if you address these top 30 targeted 
vulnerabilities, that would address up to 85 percent of the 
targeted vulnerabilities that are currently being used. The 
other thing would be improved detection and prevention 
capabilities because regardless of how well you protect your 
systems, it's likely you still may be subject to attack from 
unknown vulnerabilities.
    Ms. Bonamici. Thank you so much. I see my time is expired. 
I yield back. Thank you.
    Chairwoman Comstock. Thank you. And I would just take 
privilege to note, I know when I was visiting schools that also 
do the hacking and training them, you know, that--it's a great 
growth area for kids to get engaged in and get educated on 
because there's going to be lots of jobs for them in this area. 
And I know somebody who works in the business so they tell 
their clients if we can't hack into your system, you shouldn't 
hire us to protect your system because that's part of what 
their job is to constantly be looking for the next attack, 
right? So that's--thank you.
    I now recognize Mr. Abraham for five minutes.
    Dr. Abraham. Thank you, Madam Chair.
    I guess first I'll express my disappointment for the Chief 
Information Officer Ms. Seymour not--or declining our 
invitation to come speak here. It's my understanding that she 
has extensive involvement in preparing this system. Might I 
suggest that if OPM had put extensive involvement in preventing 
this, we might not even be having this hearing. So just that as 
a statement.
    Mr. Wilshusen, I'm going to start with you. Has the federal 
government's response to this breach in your opinion been 
sufficient?
    Dr. Wilshusen. Well, one of the responses--and I can't 
necessarily speak specifically to OPM, but more broadly 
speaking, as you may know, the federal CIO issued an initiative 
or a proclamation known as the 30-day Cybersecurity Sprint, and 
indeed, you know, to the extent that that 30-day sprint raises 
awareness and invigorates activity towards addressing these 
basic security requirements included in the sprint such as 
installing critical patches, assuring deploying multifactor 
authentication, and other--resolving known vulnerabilities, 
that's important. And to the extent that that gets done, that's 
a positive.
    But where it may become detrimental if after this 30 days, 
which expires on Sunday, by the way, that the agencies and the 
federal government relaxes and thinks, okay, we've accomplished 
our goal, I think that's a mistake because cybersecurity and 
implementing effective security is not a sprint; it's a 
marathon. And it's something that needs to be going on a 
continuous basis. And the fact of just going back to--possibly 
going back to the status quo, which only led to the conditions 
that resulted in the need for a 30-day sprint.
    So I would say it raised awareness. Agencies may be taking 
actions to improve their security, but that needs to continue 
in perpetuity.
    Dr. Abraham. And I'll follow up with you, Mr. Wilshusen. 
Knowing what you know about the cybersecurity or lack thereof 
of all our federal agencies, would you entrust any of your 
sensitive information with any of these agencies?
    Dr. Wilshusen. In some cases I have no choice because my 
information is at other agencies through security clearances 
and the like and through our tax systems and issuing tax 
returns, and so, yes, I do entrust personal information to 
agencies and that's why it's important and incumbent upon those 
agencies to adequately protect information that the American 
taxpayers, the American public entrust to it.
    Dr. Abraham. And it's my understanding that the GAO tracks 
the history of these breaches. How does this OPM recent breach 
compare or where does it rank in the history of the other 
government breaches as far as the tracking is concerned?
    Dr. Wilshusen. Well, in terms of the like number of 
individuals affected by this breach--
    Dr. Abraham. Right.
    Dr. Wilshusen. --it's among the top. You know, a few years 
ago back I think in 2005, 2006 there was a data breach at the 
Department of Veterans Affairs in which the hard drive was 
stolen from an employee's--from their home but that contained 
the personally identifiable information of 26, 27 million 
veterans and current service members. But that hard drive was 
ultimately found and determined not to have been--the 
information was determined not to have been disclosed. So 
that--this particular breach ranks right up near the top I 
would say.
    Dr. Abraham. Mr. Esser, you said in your testimony that the 
OPM leadership has been--has not been forthright about the 
claim of proactively shutting down the e-QIP system. Can you 
tell us how long the OPM has known about these vulnerabilities 
to that particular one system?
    Mr. Esser. There was a security assessment and 
authorization done on the e-QIP system in September of 2012 
which identified 18 vulnerabilities. I do not know if those 
vulnerabilities are related to the reason that the system was 
shut down last week but it certainly indicates that there has 
been vulnerabilities that OPM has been aware of and has not 
addressed even to date.
    Dr. Abraham. Okay. Thank you.
    Madam Chair, I'll yield back.
    Chairwoman Comstock. Thank you, Mr. Abraham.
    Ms. Esty.
    Ms. Esty. Thank you, Madam Chair. I want to thank you and 
Chairman Loudermilk and Ranking Members Lipinski and Beyer for 
holding today's extremely important hearing. And as we've--as 
has already been noted, with three other breaches having been 
noted today in the private sector, it's very much on all of our 
minds.
    Our national and personal security depends on a strong 
cybersecurity infrastructure, and the recent breaches that have 
been disclosed with OPM are to me particularly disturbing when 
I look at the security clearance records that could have been 
compromised. No credit check is going to make up for the risk 
to not just personal security but our nation's security for 
every individual who went through or was consulted as part of 
that system.
    So I'd like you to think and maybe get back to us on what 
sort of protection and advice do we give on the national 
security front, on the security breach aspect because that is 
very different than your personal information to raid your bank 
account. That's a risk of grave concern for this country, which 
we haven't really discussed today.
    It seems to me a number of issues have been raised and I 
want to quickly tick them off and then focus on the last. We 
need to understand the extent of vulnerability and that's been 
discussed at some length. The accountability for what's 
happened has also been raised by other Members. And I want to focus 
on the last two, our capacity to address these issues in the 
future. That's a question in part of resources and that's been 
mentioned, both personnel resources--and Representative 
Bonamici raised an issue she and I share a grave concern and 
interest in, encouraging young people to pursue these fields 
and making sure we have enough capacity on both the private 
sector side and the public sector side. Is it a priority issue? 
Do we need to have different prioritization?
    But the last issue I'd really like you to respond to is how 
do we move to a continuous monitoring or effectiveness model 
from what we've had, which is a compliance model? It seems to 
me we have a real challenge. Congress enacts laws. Laws are 
about compliance. They are snapshots in time that reflect our 
knowledge and technical capabilities. But as we've all 
discussed here today, these are evolving risks, and the moment 
we stick a pin in the butterfly and pin it down, it will change 
by the time we finish pushing that pin in.
    So if you could discuss a little bit what can we do on the 
Congressional side and what can the agencies do to move to a 
mindset that is much more nimble and that is in a continuous 
mode because that's going to be both what our hard and software 
look like but also our mindset about what compliance actually 
means.
    Dr. Wilshusen. I'll take first stab if you don't mind.
    Well, one is an initiative that's already underway within 
the Department of Homeland Security as it relates to continuous 
diagnostics and mitigation, the extent to which DHS is 
providing tools that are available for agencies to implement 
this capability. Our work at the Department of State before 
this initiative was established showed that there are benefits 
to monitoring the security posture of an organization on a 
continuous basis, but there are also a number of challenges 
associated with that, some technological, some management and 
operational.
    But certainly that's one area that can be done and indeed 
Congress in the passage of the Federal Information Security 
Modernization Act of 2014 recognized the need for continuous 
monitoring and identified that as one of the areas that 
agencies should be focusing on in securing their systems. And 
so that's one part of it.
    But you're right, I totally agree. The need for assessing 
and monitoring the effectiveness of security controls needs to 
be done on a continuous monitoring basis because threats change 
every day, the computing environment changes is very dynamic, 
and new vulnerabilities are being identified each time.
    Dr. Romine. If I may, I'd like to spotlight two things that 
NIST is doing that address two of your issues. One is we house 
the program office for the National Initiative for 
Cybersecurity Education, which is an interagency activity that 
I think is making great strides in addressing the workforce 
issue that you brought up.
    And the second is under Executive Order 13636 NIST engaged 
the private sector and other stakeholders in a year-long effort 
to develop what turned into the cybersecurity framework for 
improving the cybersecurity of critical infrastructures. And 
although that was the focus, it has turned out that that report 
that we developed the framework is a model I think for 
establishing or improving a cybersecurity approach whether it's 
in the private sector or the public sector or other areas. It's 
a very dynamic approach that involves, you know, a development 
of maturity along the lines of--analogous to a maturity model 
and so I think that could be really beneficial.
    Chairwoman Comstock. Okay. Thank you.
    Ms. Esty. I see my time is expired.
    Chairwoman Comstock. We want to be able to squeeze in our 
last two folks here.
    Mr. Palmer, I recognize you for five minutes.
    Mr. Palmer. Thank you, Madam Chairman.
    We've talked about Defense in Depth and the hardware but I 
want to talk about the individuals involved.
    Dr. Wilshusen, OPM and the Department of Homeland Security 
officials stated that the attackers who reached OPM's systems 
may have been aided by user credentials that were obtained or 
stolen from one of OPM's contractors. Andy Ozment testified 
before the Oversight Committee that part of this breach may 
have occurred through social engineering. I want to know in 
your opinion what agencies can do to ensure that their IT 
contractors are effectively protecting federal systems and 
information? I mean I fully get it that we need to completely 
overhaul our hardware and software, but that alone in the 
context of Defense in Depth will not secure the system.
    Dr. Wilshusen. I wholeheartedly agree. The oversight of 
contractors and their information security practices over 
systems that they operate on behalf of the federal government 
or operate to process information on behalf of the federal 
government is really critical to assure that--agencies need to 
assure that that information is being adequately protected. And 
that requires that they go in and assess or have an independent 
assessor evaluate the security controls and assure that they're 
being operated effectively and efficiently and that indeed the 
requirements for information security are expressed to the 
contractor either through contractual instruments or other 
mechanisms to assure that they know what is required to help 
protect those systems.
    And another point you raised in terms of--was the stolen 
user credentials that might have been used to help promote or 
facilitate the attack on OPM, one of the things that could help 
there is having multifactor authentication, which would help to 
either prevent or at least raise the bar significantly for that 
attacker to be able to use compromised credentials. And that 
wasn't in place in all places throughout OPM.
    Mr. Palmer. Well, it's even worse than that. Dr. Ozment--it 
wasn't in his testimony but in an interview--talked about the 
fact that one of the contractors working with OPM was based in 
Argentina and was working with two people who were Republic of 
China nationals. I mean how do we let something like that 
happen? I mean with the amount of cyber assault--I visited a 
facility that monitors these cyber attacks and you can 
literally see them being launched. There were 700 and something 
cyber attacks launched from Russia within 10 minutes. China was a 
distant second.
    How is it that we would not be aware that we had people 
foreign-based involved in this and particularly a couple of 
Chinese nationals?
    Dr. Wilshusen. I guess I'm not familiar with that 
particular situation so I don't know if I can really comment to 
that, so----
    Mr. Palmer. But I think you would agree, though, that 
that's a pretty egregious oversight or failure to exercise 
oversight over our systems?
    Dr. Wilshusen. I think it's important that agencies 
understand who has access to their systems and are accessing 
their systems and that kind of gets back to the identity 
management area that we--the panel spoke about earlier. So that 
certainly is one specific point to that.
    Mr. Palmer. Mr. Snell, I want to ask you something here. 
Mr. Abraham brought up the fact that Ms. Seymour did not want 
to testify before this committee. When she testified before the 
Oversight Committee, I asked her if the breach was limited only 
to people who filled out the Standard Form 86, the security 
background check, because that was I think the position that 
OPM had taken. It turns out that it extends beyond that. Two of 
my staff who have never filled out an SF 86, who have never 
served in the executive branch, both got letters telling them 
that their personal data had been compromised.
    Do you have an idea of how broad this is and does it extend 
beyond current federal employees to retired employees? Is it 
possible that it would extend to civilians who have national 
security clearances?
    Mr. Snell. That's entirely possible. We don't have 
firsthand information. We only know what's being reported out 
of OPM and it's not very much. It's not very helpful what 
they're reporting as far as numbers but it's entirely--and it 
has been I think in the media mentioned that it could be 
contractors, as well as federal employees, former employees, 
people who are no longer in the federal government. So I'd have 
to turn that back over to the Office of Personnel Management to 
come forth with information letting us know exactly who the 
victims of these breaches are.
    Mr. Palmer. Madam Chairman, I yield the balance of my time. 
Thank you.
    Chairwoman Comstock. Thank you.
    And I now recognize five minutes for Mr. Tonko.
    Mr. Tonko. Thank you, Madam Chair.
    The--being a former federal employee, Mr. Snell, what are 
the kinds of communication that you would like to see happen?
    Mr. Snell. Well, in a situation like this I would like to 
see the communication be sent via letter with OPM agency seal 
on it so that the individuals would be able to at least feel 
confident that this is an official U.S. Government notice. And 
that kind of--I know it's not efficient in today's email world 
and all of that, but in a case like this where we have the 
credibility issue as to who do you trust, who do you don't 
trust, I think a letterhead--OPM letterhead or an agency 
letterhead would have gone a lot further to helping folks 
believe what they're getting is bona fide. So I like that kind 
of communication.
    Mr. Tonko. Thank you.
    And Mr. Esser, the review here that was done would 
obviously involve the private sector, right, with contractors 
serving the federal government with some of the reinforcement 
here? How--was there any review done of that private sector 
element?
    Mr. Esser. I'm not sure I understand what review you're 
referring to.
    Mr. Tonko. Well, just with the outcome that we had in the 
situation, were contractors reviewed in this situation that 
served the federal agencies?
    Mr. Esser. I'm sorry. I guess I still don't quite 
understand the question. What review are you referring to?
    Mr. Tonko. Just the malfunctioning that occurred. As we 
look over the situation and try to determine where the 
weaknesses in the system are, what--is there a role that the 
contractors to the system might have played here or that could 
have been better collaboration involved in this system? Were 
there any recommendations that you could make in that regard?
    Mr. Esser. If--I mean we in the IG office, when we do our 
reviews, certainly there's contractor-operated systems at OPM 
and we look at those the same way we look at the agency-
operated systems. I mean there's a number of contractors that 
are working at OPM and likely at many other agencies as well. 
They, I believe, are treated the same way as federal employees 
in how we conduct our reviews.
    Mr. Tonko. And in those reviews was there a need for better 
collaboration in this whole process where there could have been 
perhaps a stronger partnership with those efforts?
    Mr. Esser. I don't believe we reported any issues in that 
area.
    Mr. Tonko. And to any of you on the panel, when we look at 
a situation like this, is there a concern for the amount of 
available resources to an agency to prevent any of this 
activity? Is it a function of lack of resources or how those 
resources have been shared? Would any of you comment on, you 
know, weak investment or falling short in the resources we 
require?
    Dr. Wilshusen. You know, broadly speaking, not just talking 
to OPM but across the federal government, many of the security 
control deficiencies and weaknesses that we identified during 
our audits are more of an information security management 
process more than a lack of resources in terms of implementing 
effectively and consistently across an agency its own defined 
and developed policies and procedures.
    For example, one basic control is just installing patches 
in a timely manner, particularly those that have been rated as 
critical. Agencies often have policies that state they need to 
be installed within a certain period of time, usually within a 
week or a couple weeks, but we find that sometimes those 
patches are not being installed for months and sometimes over 
years. So, in part it's a management issue to make sure that 
these key security control issues and controls are being 
effectively implemented.
    There are also resource implications as well. In some cases 
it may be important for agencies to implement new technologies 
or tools, particularly with respect to installing intrusion 
detection capabilities within their networks to identify those 
types of vulnerabilities or cyber attacks or intrusions that do 
inevitably occur.
    Mr. Tonko. Thank you very much. I see my time is out. Thank 
you, Madam Chair.
    Chairwoman Comstock. Thank you. And we do have a vote now 
and so I just want to thank the witnesses for their very 
valuable testimony today. Sorry we had to sandwich it in 
between our votes because I know myself and my colleagues could 
spend a lot more time talking with you about this and will be 
talking with you and asking for any guidance that you can give 
us with your expertise. So we very much appreciate you coming 
before us.
    The record will remain open for two weeks for additional 
comments and written questions from the Members.
    And so the witnesses are excused and we thank you again for 
your expert testimony. And this hearing is adjourned.
    [Whereupon, at 5:19 p.m., the Subcommittees were 
adjourned.]

                               Appendix I

                              ----------                              


                   Answers to Post-Hearing Questions

Responses by Mr. Michael R. Esser

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

Responses by Mr. David Snell

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

Responses by Dr. Charles Romine
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]



                              Appendix II

                              ----------                              


                   Additional Material for the Record




             Prepared statement of Committee Ranking Member
                         Eddie Bernice Johnson

    Thank you Chairwoman Comstock and Chairman Loudermilk for holding 
this hearing on the recent OPM data breach.
    Even though we will continue to learn more details about the 
breach, we already know that millions of Americans' personal 
information was compromised. This number includes current and retired 
federal employees as well as the family members, friends, and co-
workers of federal employees.
    There are valid concerns about hackers using this data for criminal 
purposes. Additionally, since security clearance background 
investigation information was compromised, there are also serious 
national security concerns.
    It is frustrating to learn that OPM knew that they had serious 
information security systems problems long before this breach. Although 
addressing their information security systems is a top goal of the new 
OPM leadership, it is clear that action should have been taken years 
ago.
    Federal computer information systems are guided by FISMA. In this 
risk management approach, agencies evaluate the type of data in their 
systems, determine what level of controls are needed, and put together 
a plan to adequately protect their data.
    Although NIST is responsible for drafting the standards used by the 
agencies, they do not oversee the program and are not responsible for 
enforcing agency compliance with FISMA.
    Instead of picking on one federal agency, it is my hope that we can 
use this data breach as a starting point for addressing federal 
cybersecurity more broadly. What is working? What is not? What 
mechanisms need to be in place to better protect individuals' personal 
information on our federal systems?
    I want to end by saying that any conversation about federal 
cybersecurity must include a discussion about resources. It would be 
irresponsible for us to mandate additional cybersecurity measures that 
federal agencies must take without providing them with additional 
resources.
    Cybersecurity will always be about managing risks. No information 
security system, whether public sector or private sector, can be 
completely protected. And unfortunately the question is, when, not if a 
system will get hacked. Therefore, we must ensure that we have the 
appropriate policies and oversight in place to help federal agencies 
protect their data, and that we have provided federal agencies with the 
resources they need to do the job effectively.
    I want to thank the witnesses for their testimony and I yield back 
the balance of my time.
          Letter submitted by Representative Barbara Comstock
          
   [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]       