b"<html>\n<title> - IS THE OPM DATA BREACH THE TIP OF THE ICEBERG?</title>\n<body><pre>[House Hearing, 114 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n\n\n\n\n\n\n                         IS THE OPM DATA BREACH\n                        THE TIP OF THE ICEBERG?\n\n=======================================================================\n\n                             JOINT HEARING\n\n                               BEFORE THE\n\n                      SUBCOMMITTEE ON OVERSIGHT &\n                SUBCOMMITTEE ON RESEARCH AND TECHNOLOGY\n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED FOURTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                              July 8, 2015\n\n                               __________\n\n                           Serial No. 114-28\n\n                               __________\n\n Printed for the use of the Committee on Science, Space, and Technology\n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n       Available via the World Wide Web: http://science.house.gov\n       \n       \n                                  ______\n\n                         U.S. GOVERNMENT PUBLISHING OFFICE \n\n97-568PDF                     WASHINGTON : 2016 \n-----------------------------------------------------------------------\n  For sale by the Superintendent of Documents, U.S. Government Publishing \n  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; \n         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, \n                          Washington, DC 20402-0001       \n       \n       \n       \n       \n       \n       \n       \n       \n       \n       \n       \n       \n\n              COMMITTEE ON SCIENCE, SPACE, AND TECHNOLOGY\n\n                   HON. LAMAR S. SMITH, Texas, Chair\nFRANK D. 
LUCAS, Oklahoma             EDDIE BERNICE JOHNSON, Texas\nF. JAMES SENSENBRENNER, JR.,         ZOE LOFGREN, California\n    Wisconsin                        DANIEL LIPINSKI, Illinois\nDANA ROHRABACHER, California         DONNA F. EDWARDS, Maryland\nRANDY NEUGEBAUER, Texas              SUZANNE BONAMICI, Oregon\nMICHAEL T. McCAUL, Texas             ERIC SWALWELL, California\nMO BROOKS, Alabama                   ALAN GRAYSON, Florida\nRANDY HULTGREN, Illinois             AMI BERA, California\nBILL POSEY, Florida                  ELIZABETH H. ESTY, Connecticut\nTHOMAS MASSIE, Kentucky              MARC A. VEASEY, Texas\nJIM BRIDENSTINE, Oklahoma            KATHERINE M. CLARK, Massachusetts\nRANDY K. WEBER, Texas                DON S. BEYER, JR., Virginia\nBILL JOHNSON, Ohio                   ED PERLMUTTER, Colorado\nJOHN R. MOOLENAAR, Michigan          PAUL TONKO, New York\nSTEVE KNIGHT, California             MARK TAKANO, California\nBRIAN BABIN, Texas                   BILL FOSTER, Illinois\nBRUCE WESTERMAN, Arkansas\nBARBARA COMSTOCK, Virginia\nDAN NEWHOUSE, Washington\nGARY PALMER, Alabama\nBARRY LOUDERMILK, Georgia\nRALPH LEE ABRAHAM, Louisiana\n                                 ------                                \n\n                Subcommittee on Research and Technology\n\n                 HON. BARBARA COMSTOCK, Virginia, Chair\nFRANK D. LUCAS, Oklahoma             DANIEL LIPINSKI, Illinois\nMICHAEL T. MCCAUL, Texas             ELIZABETH H. ESTY, Connecticut\nRANDY HULTGREN, Illinois             KATHERINE M. CLARK, Massachusetts\nJOHN R. MOOLENAAR, Michigan          PAUL TONKO, New York\nBRUCE WESTERMAN, Arkansas            SUZANNE BONAMICI, Oregon\nDAN NEWHOUSE, Washington             ERIC SWALWELL, California\nGARY PALMER, Alabama                 EDDIE BERNICE JOHNSON, Texas\nRALPH LEE ABRAHAM, Louisiana\nLAMAR S. 
SMITH, Texas\n                                 ------                                \n\n                       Subcommittee on Oversight\n\n                 HON. BARRY LOUDERMILK, Georgia, Chair\nF. JAMES SENSENBRENNER, JR.,         DON BEYER, Virginia\n    Wisconsin                        ALAN GRAYSON, Florida\nBILL POSEY, Florida                  ZOE LOFGREN, California\nTHOMAS MASSIE, Kentucky              EDDIE BERNICE JOHNSON, Texas\nBILL JOHNSON, Ohio\nDAN NEWHOUSE, Washington\nLAMAR S. SMITH, Texas\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n                              July 8, 2015\n\n                                                                   Page\nWitness List.....................................................     2\n\nHearing Charter..................................................     3\n\n                           Opening Statements\n\nStatement by Representative Barbara Comstock, Chairwoman, \n  Subcommittee on Research, Committee on Science, Space, and \n  Technology, U.S. House of Representatives......................     7\n    Written Statement............................................     8\n\nStatement by Representative Daniel Lipinski, Ranking Minority \n  Member, Subcommittee on Research, Committee on Science, Space, \n  and Technology, U.S. House of Representatives..................     9\n    Written Statement............................................    11\n\nStatement by Representative Barry Loudermilk, Chairman, \n  Subcommittee on Oversight, Committee on Science, Space, and \n  Technology, U.S. House of Representatives......................    12\n    Written Statement............................................    13\n\nStatement by Representative Donald S. Beyer, Jr., Ranking \n  Minority Member, Subcommittee on Oversight, Committee on \n  Science, Space, and Technology, U.S. House of Representatives..    
14\n    Written Statement............................................    16\n\nStatement by Representative Lamar S. Smith, Chairman, Committee \n  on Science, Space, and Technology, U.S. House of \n  Representatives................................................    17\n    Written Statement............................................    18\n\n                               Witnesses:\n\nMr. Michael R. Esser, Assistant Inspector General for Audits, \n  Office of Personnel Management\n    Oral Statement...............................................    19\n    Written Statement............................................    22\n\nMr. David Snell, Director, Federal Benefits Service Department, \n  National Active and Retired Federal Employees Association\n    Oral Statement...............................................    33\n    Written Statement............................................    35\n\nDr. Charles Romine, Director, Information Technology Laboratory, \n  National Institute of Standards and Technology\n    Oral Statement...............................................    42\n    Written Statement............................................    44\n\nMr. Gregory Wilshusen, Director, Information Security Issues, \n  U.S. Government Accountability Office\n    Oral Statement...............................................    50\n    Written Statement............................................    52\n\nDiscussion.......................................................    78\n\n             Appendix I: Answers to Post-Hearing Questions\n\nMr. Michael R. Esser, Assistant Inspector General for Audits, \n  Office of Personnel Management.................................    96\n\nMr. David Snell, Director, Federal Benefits Service Department, \n  National Active and Retired Federal Employees Association......   100\n\nDr. Charles Romine, Director, Information Technology Laboratory, \n  National Institute of Standards and Technology.................   
105\n\n            Appendix II: Additional Material for the Record\n\nStatement by Representative Eddie Bernice Johnson, Ranking \n  Member, Committee on Science, Space, and Technology, U.S. House \n  of Representatives.............................................   112\n\nLetter submitted by Representative Barbara Comstock, Chairwoman, \n  Subcommittee on Research, Committee on Science, Space, and \n  Technology, U.S. House of Representatives......................   113\n\n \n                         IS THE OPM DATA BREACH\n                        THE TIP OF THE ICEBERG?\n\n                              ----------                              \n\n\n                        WEDNESDAY, JULY 8, 2015\n\n                  House of Representatives,\n  Subcommittee on Research and Technology &\n                         Subcommittee on Oversight,\n               Committee on Science, Space, and Technology,\n                                                   Washington, D.C.\n\n    The Subcommittees met, pursuant to call, at 3:36 p.m., in \nRoom 2318 of the Rayburn House Office Building, Hon. Barbara \nComstock [Chairwoman of the Subcommittee on Research and \nTechnology] presiding.\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n    Chairwoman Comstock. The Subcommittees on Research and \nTechnology and Oversight will come to order. Without objection, \nthe Chair is authorized to declare recesses of the \nSubcommittees at any time.\n    Good afternoon. Our apologies for the delay. 
As you saw or \nheard, we were voting.\n    Welcome to today's hearing entitled ``Is the OPM Data \nBreach the Tip of the Iceberg?'' In front of you are packets \ncontaining the written testimony, biographies, and truth-in-\ntestimony disclosures for today's witnesses.\n    I now recognize myself for five minutes for an opening \nstatement.\n    Just over a month ago, the Office of Personnel Management \n(OPM) announced a massive data breach that exposed the personal \ninformation of over 4 million current and former federal \nemployees and contractors. Like thousands of my fellow \nconstituents and people across the country, I received a letter \nfrom OPM informing me that my personal information may have \nbeen compromised or stolen by criminals who are behind this \nattack.\n    Unfortunately, the news appears to be getting worse this \nweek as we learn more about the reported second OPM data \nbreach, compromising the security of potentially 18 million \nfederal employees, contractors, and others who submitted \nsensitive information for background checks to the government. \nAnd sadly, the response from OPM has not inspired confidence \nover the past few weeks.\n    Identity theft by what seems to be a foreign entity is a \nvery serious national security threat. They are literally, you \nknow, at cyber war with us, and we as leaders have to \nappreciate that reality and operate in that reality.\n    Many of my constituents have contacted me about their fears \nand concerns. It has been months since OPM discovered the \nattack, and we still have too many questions and not enough \nanswers. As we will hear from some of our witnesses today, \nfederal employees have many unanswered questions. For example, \njust one: Are the credit monitoring identity theft provisions \nadequate? 
I know we've heard from people who are very concerned \nabout whether they are.\n    Most alarming to me about these breaches is that they were \nlaunched less than 18 months after a previous severe network \nassault on OPM. We know that information security incidents \nreported by federal agencies has increased by 1,000 percent \nsince 2006, 1,000 percent increase.\n    For years the OPM Office of Inspector General and the U.S. \nGovernment Accountability Office have been warning OPM \nleadership of critical vulnerabilities to their information \nsystems. Some of the weakness and current problems were ID'd as \nfar back as 2007. Today, many of their recommendations for \nfixing the systematic failures remain unmet.\n    Cyber criminals and foreign enemies are working night and \nday with the latest technology to exploit every vulnerability \nin our system, and it appears we're behind the times. The \nUnited States has some of the world's best technological minds \nand resources, yet our management in OPM does not appear to be \ngetting up to speed.\n    Federal employees provide their sensitive personal \ninformation under the expectation that it is protected with all \nthe seriousness that it should receive. However, that trust has \nnow been broken and hence so many concerns.\n    Cybersecurity has to be a top priority in every government \nagency from the top Cabinet official on down. We need an \naggressive, nimble, and flexible strategy to anticipate, \nintercept, and stop these cyber attacks. 
Those who are engaging \nin the attacks on our citizens, agencies, and companies, \nwhether they be nation states, adversaries, or hacktivists and \njust, you know, random criminals are a reality that we'll be \nliving with in the 21st century and we must develop and use all \nthe tools and technology available to thwart them and \nunderstand this is going to be an ongoing problem that we have \nto constantly adapt to.\n    I want to note that we invited the OPM Chief Information \nOfficer Donna Seymour to testify at today's hearing. She \ndeclined the Committee's invitation, citing other commitments, \nand we will continue to be working with them and asking them \nadditional questions.\n    Today's panel of witnesses will help us better understand \nthe magnitude of cybersecurity challenges at OPM across the \nfederal government, as well as determine what steps need to be \ntaken to prevent future cyber attacks and the state-of-the-art \nbest practices to do so. And I should note that in the coming \nweeks we will also be looking at a lot of the best practices \nthat the private sector has and other experts want to bring to \nbear that will probably reflect a lot of what you are going to \nbe talking about today.\n    I appreciate the leadership of Chairman Lamar Smith on \nthese issues and the role the Science Committee--that they have \nplayed in making cybersecurity research and development a \npriority.\n    I look forward to continuing to work on the Subcommittee on \nefforts to make sure the federal government is staying ahead of \nour adversaries. 
And if officials neglected their duties or are \nnot the right people for the job, we also need to hold them \naccountable and make sure we are doing everything to improve \nthe situation.\n    [The prepared statement of Chairwoman Comstock follows:]\n\n      Prepared Statement of Subcommittee on Research & Technology\n                      Chairwoman Barbara Comstock\n\n    Just over a month ago the Office of Personnel Management (OPM) \nannounced a massive data breach that exposed the personal information \nof over 4 million current and former federal employees and contractors.\n    Like thousands of my fellow constituents, I received a letter from \nOPM informing me that my personal information may have been compromised \nor stolen by the criminals behind this attack.\n    Unfortunately, the news gets worse this week, as we learn more \nabout the reported second OPM data breach, compromising the security of \n18 million federal employees, contractors and others who submitted \nsensitive information for background checks. And sadly the response \nfrom OPM has not inspired confidence.\n    Identity theft by what seems to be a foreign entity is a very \nserious national security issue. They are at cyberwar with us--do our \nleaders appreciate that reality?\n    Many of my constituents have contacted me about their fears and \nconcerns. It has been months since OPM discovered the attack, and we \nstill have too many questions and not enough answers.\n    As we will hear from witnesses today, federal employees have many \nunanswered questions. Just one: Are the credit monitoring identity \ntheft provisions adequate? Most alarming to me about these breaches is \nthat they were launched less than 18 months after a previous severe \nnetwork assault on OPM. We know that information security incidents \nreporting by federal agencies has increased by 1000 percent since 2006.\n    For years the OPM Office of Inspector General and the U.S. 
\nGovernment Accountability Office have been warning OPM leadership of \ncritical vulnerabilities to their information systems. Some of the \nweakness and current problems were ID'd as far back as 2007. Today, \nmany of their recommendations for fixing the systematic failures remain \nunmet.\n    Cyber criminals and foreign enemies are working night and day with \nthe latest technology to exploit every vulnerability in our system, \nwhile OPM is behind the times and operating apparently at a pace with \nsystems designed for the last century not for the current threat. The \nUnited States has some of the world's best technological minds and \nresources, yet OPM's management is failing.\n    Federal employees provide their sensitive personal information \nunder the expectation that it is protected with all due seriousness. \nHowever, the trust between our federal employees, contractors, and \nothers whose information has been compromised is damaged.\n    Cybersecurity must be a top priority in every government agency \nfrom the top Cabinet official on down. We need an aggressive, nimble, \nand flexible strategy to anticipate, intercept, and stop cyberattacks.\n    Those who are engaging in cyberattacks on our citizens, agencies, \nand companies--whether they be nation states, adversaries or \nhacktivists--are a reality we will be living with in the 21st century \nand we must develop and use all the tools and technology available to \nthwart them and understand this is an ongoing problem we have to \nconstantly be on top of.\n    I want to note that we invited the OPM Chief Information Officer \nDonna Seymour to testify at today's hearing. She declined the \nCommittee's invitation, citing other commitments, we continue to have \nquestions about how and why this cyberattack occurred and the measures \nthat have been instituted to prevent a future attack at OPM. 
We will \ntake any necessary steps to ensure my constituents get those answers.\n    Today's panel of witnesses will help us better understand the \nmagnitude of cybersecurity challenges at OPM and across the federal \ngovernment, as well as determine what steps need to be taken to prevent \nfuture cyberattacks, and the state of the art best practices to do so.\n    I appreciate the leadership of Chairman Lamar Smith on these issues \nand the role the Science Committee has played in making cybersecurity \nR&D a priority.\n    I look forward to continuing to lead the Research & Technology \nSubcommittee in efforts to make sure the federal government is staying \nahead of our adversaries who are constantly developing new and \nsophisticated malicious technologies.\n    If officials neglected their duties, or are not the right people \nfor the job, they must be held accountable so that proper leadership is \nin place to not just meet, but anticipate and beat the next cyber \nthreat.\n\n    Chairwoman Comstock. So with that I will yield to the \nRanking Member, but I also ask unanimous consent to place into \nthe record various letters and articles that are relevant to \nthe hearing.\n    [The information appears in Appendix II]\n    Chairwoman Comstock. And without objection I'll now yield \nto the Ranking Member.\n    Mr. Lipinski. Thank you, Chairwoman Comstock. I want to \nthank you, Chairman Loudermilk, Chairman Smith, for holding \nthis hearing on the recent OPM data breach. I want to thank all \nof our witnesses for being here this afternoon.\n    Unfortunately, major cyber attacks are happening more \nfrequently. Today, we're going to talk about the significant \nbreaches at the Office of Personnel Management. I have not \nreceived notification, but I believe I may have been a victim \nof this. 
But we all know that--I don't want to take away the \nsignificance of it but it's important to note there have been \nincreasing number of cyber attacks in both the private and \npublic sector where I know I've definitely been a victim of \nsome of these attacks.\n    Several years ago, I began working on cybersecurity \nlegislation, the Cybersecurity Enhancement Act, with my \ncolleague Mr. McCall. Our legislation dealt with cybersecurity \nstandards, education, and workforce development. When we \nstarted, I said that I had no doubt that threats from \nindividual hackers, criminal syndicates, and even other \ngovernments would grow and evolve along with our increased use \nof the internet. Unfortunately, I was right.\n    In February, Anthem, one of the Nation's largest health \ninsurance companies, announced it suffered a cyber breach that \ncompromised the records of 80 million current and former \ncustomers. And just last year, there were high-profile breaches \nat J.P. Morgan Chase, eBay, Target, and many others affecting \nmillions of people.\n    Although I was happy that my bill with Mr. McCall was \nenacted at the end of last Congress, there is much, much more \nto do in the area of cybersecurity. Cybercrime and cyber \nespionage continue to threaten our national security, our \ncritical infrastructure, businesses of all sizes, and every \nsingle American. This latest data breach at OPM is just another \nexample of that.\n    In the OPM breach, millions of federal employees' personal \ninformation has been compromised, leading to significant \nconcerns about how the stolen information will be used. \nAdditionally, since OPM conducts more than 90 percent of all \nsecurity clearance background investigations, this breach is an \nexample of how cyber attacks threaten our national security. 
We \nmust do better.\n    It'll take a collective effort in both the public and \nprivate sector to improve cybersecurity, and I cannot emphasize \nenough the importance of research into the social and \nbehavioral aspects in this area. Our IT infrastructure is \nbuilt, operated, and maintained by humans from the average \nworker at her desktop to Chief Information Officer of a major \ncompany or agency. Most cyber attacks are successful because of \nhuman error such as unwittingly opening a malicious email or \nallowing one's credentials to be compromised. Understanding the \nhuman element is necessary to combat threats and reduce risks.\n    To set governmentwide guidelines protecting federal \ninformation security systems, Congress passed--if I can turn my \npage--an example of human error here. Congress passed the \nFederal Information Security Modernization Act, or FISMA. \nFISMA, which was updated at the end of last Congress, requires \nfederal agencies to develop, document, and implement an \nagencywide information security program.\n    Along with being responsible for their own information \nsecurity system, the National Institute of Standards and \nTechnology is tasked with developing standards and guidelines \nfor all civilian federal information systems. Since NIST plays \na critical role in protecting our nation's information security \nsystems, it's important that they be part of this conversation. \nI'm happy that Dr. Romine is here today to tell us more about \nhow NIST develops FISMA standards and how they work with other \nfederal agencies.\n    FISMA also requires annual reviews of individual agencies' \ninformation security programs, as well as reviews of \ninformation security policies in the implementation of FISMA \nrequirements governmentwide. 
I hope to hear from our witnesses \nabout the steps necessary to ensure that OPM meets FISMA \nrequirements, as well as how other agencies are doing in this \nspace.\n    More information security systems, both in the public and \nprivate sector, will surely be subject to cyber attacks in the \nfuture, and while it's impossible to completely protect the \nconnected information security system, we must do all we can to \nprotect the personal information of millions of Americans and \nconduct the oversight to ensure such steps are taken. This \nhearing is the beginning of a conversation on how we can do \nthat, and we must make sure that we follow through with action.\n    I look forward to our discussion this afternoon. Thank you, \nand I yield back the balance of my time.\n    [The prepared statement of Mr. Lipinski follows:]\n\n                   Prepared Statement of Subcommittee\n                Minority Ranking Member Daniel Lipinski\n\n    Thank you Chairwoman Comstock and Chairman Loudermilk for holding \nthis hearing on the recent OPM data breach. I want to thank all the \nwitnesses for being here this afternoon.\n    Unfortunately, major cyber-attacks are happening more frequently. \nToday, we are going to talk about the significant breaches at the \nOffice of Personnel Management (OPM). Not to take away from the \nsignificance of the OPM breach, I think it is important to note that \nthere have been an increasing number of cyber-attacks in both the \nprivate and public sector.\n    Several years ago I began working on cybersecurity legislation, the \nCybersecurity Enhancement Act, with my colleague, Mr. McCaul. Our \nlegislation dealt with cybersecurity standards, education, and \nworkforce development. When we started, I said that I had no doubt that \nthreats from individual hackers, criminal syndicates, and even other \ngovernments would grow and evolve along with our increased use of the \ninternet. 
Unfortunately, I was right.\n    In February, Anthem, one of the nation's largest health insurance \ncompanies, announced that it suffered a cyber-breach that compromised \nthe records of 80 million current and former customers. And just last \nyear there were high profile breaches at JP Morgan Chase, eBay, Target, \nand many others affecting millions of people.\n    Although I was happy that my bill with Mr. McCaul was enacted at \nthe end of last Congress, there is much, much more to be done in the \narea of cybersecurity. Cybercrime and cyber- espionage continues to \nthreaten our national security, our critical infrastructure, businesses \nof all sizes, and every single American. This latest data breach at OPM \nis just another example of that. In the OPM breach, millions of federal \nemployees' personal information has been compromised, leading to \nsignificant concerns about how the stolen information will be used. \nAdditionally, since OPM conducts more than 90 percent of all security \nclearance background investigations, this breach is an example of how \ncyber-attacks threaten our national security. We must do better.\n    It will take a collective effort of both the public and private \nsector to improve cybersecurity, and I cannot emphasize enough the \nimportance of research into the social and behavioral aspects in this \narea. Our IT infrastructure is built, operated and maintained by \nhumans, from the average worker at her desktop to the chief information \nofficer of a major company or agency. Most cyber-attacks are successful \nbecause of human error, such as unwittingly opening a malicious email \nor allowing one's credentials to be compromised. Understanding the \nhuman element is necessary to combat threats and reduce risk.\n    To set government-wide guidelines for protecting federal \ninformation security systems, Congress passed the Federal Information \nSecurity Modernization Act or FISMA. 
FISMA, which was updated at the \nend of last Congress, requires federal agencies to develop, document, \nand implement an agency wide information security program.\n    Along with being responsible for their own information security \nsystem, the National Institute of Standards and Technology (NIST) is \ntasked with developing standards and guidelines for all civilian \nfederal information systems. Since NIST plays a critical role in \nprotecting our nation's information security systems, it is important \nthat they be part of this conversation. I am happy that Dr. Romine is \nhere today to tell us more about how NIST develops FISMA standards and \nhow they work with other federal agencies.\n    FISMA also requires annual reviews of individual agencies' \ninformation security programs as well as reviews of information \nsecurity policies and the implementation of FISMA requirements \ngovernment-wide. I hope to hear from our witnesses about the steps \nnecessary to ensure that OPM meets FISMA requirements, as well as how \nother agencies are doing in this space.\n    More information security systems--both in the public and private \nsector--will surely be subject to cyber-attacks in the future. And \nwhile it is impossible to completely protect a connected information \nsecurity system, we must do all we can to protect the personal \ninformation of millions of Americans and conduct the oversight to \nensure such steps are taken. This hearing is the beginning of a \nconversation on how we can do that and we must make sure that we follow \nthrough with action.\n    I look forward to our discussion this afternoon. Thank you and I \nyield back the balance of my time.\n\n    Chairwoman Comstock. Thank you, Mr. Lipinski.\n    And I now recognize the Chair of the Oversight \nSubcommittee, the gentleman from Georgia, Mr. Loudermilk, for \nhis opening statement.\n    Mr. Loudermilk. 
Thank you, Chairwoman Comstock, for holding \nthis very important hearing on an issue that hits close to home \nfor you, as many--as others in this country.\n    I'd like to thank our witnesses for being here today in \norder to help us understand what seems to be an epidemic of \ncyber attacks. I look forward to discussing what needs need to \nbe done to prevent similar attacks from occurring in the \nfuture.\n    Now, it isn't a priority, nor it should be a priority for \nus just to address this because it affects some of us that are \nup here, but it's because it affects the American people. And \nunfortunately, this Administration has failed to provide \nAmericans with any level of confidence that it will adequately \nprotect their personal information when trusted with it.\n    As we have witnessed over the past few months, there has \nbeen a concerning pattern of security breaches involving \ngovernment computer systems. This includes the recent, massive \ndata breach of the Office of Personnel Management disclosing \npersonal and official information that could potentially harm \nour national security. For an Administration that touts that it \nhas ``prioritized the cybersecurity of federal departments and \nagencies,'' we have instead witnessed a government that is \nunable to properly secure its computer systems and protect \nsensitive information.\n    The situation at OPM is exactly why the subcommittee that I \nchair is looking into the collection of America's--Americans' \npersonal data through the HealthCare.gov website. In that \nsituation, it appears that Social Security numbers, dates of \nbirth, names, mailing addresses, phone numbers, financial \naccounts information, military status, employment status, \npassport numbers, and taxpayer IDs are being retained. 
This \ninformation is being stored in a data warehouse that is \nintended to provide reporting and performance metrics related \nto the Federally Facilitated Marketplace and other \nHealthCare.gov-related systems.\n    In the situation of the data warehouse, the Administration \nnever appeared to be forthright about the use and storage of \npersonally identifiable information on HealthCare.gov. The \nAdministration has yet to explain the reason for indefinitely \nstoring user information, particularly of the users of the \nwebsite who input their data to log in but do not end up \nenrolling.\n    While this Administration has claimed that cybersecurity is \na priority, their actions on this and other issues regarding \nprotecting the American people suggests the priorities are only \nlip service. From ending the Secure Cities program to storing \ncritical information on American citizens without their \napproval or knowledge, this Administration is proving through \ntheir actions that protecting the American people is far from \nbeing on their list of priorities.\n    If that data warehouse is being protected in the same way \nthat OPM was protecting personal information, action needs to \nbe taken now to avoid putting the American people at \nsignificant personal risk. With many Americans being forced \ninto the government healthcare exchange, a breach of this \nsystem could end up having millions affected, just like the OPM \ndata hack.\n    The Government Accountability Office has included the \ncybersecurity of federal information systems on its list of \nhigh risk areas since 1997, so this isn't something new. Why, \nthen, are we sitting here almost 20 years later, wondering why \nour federal information systems are not being adequately \nsecured?\n    In the most recent GAO High Risk Series report, it says \nthat ``Inspectors General at 22 of the 24 agencies cited \ninformation security as a major management challenge for their \nagency. 
For fiscal year 2014, most of the agencies had \ninformation security weaknesses in the majority of five key \ncontrol categories.'' As Chairman of this subcommittee--this \nCommittee's Oversight Subcommittee, I want to find the truth \nbehind this reckless behavior that is threatening the safety \nand security of the American people. These actions--or rather, \nlack of actions--put the future of our nation at great risk and \nmust stop.\n    I look forward to today's hearing, which I anticipate will \ninform us more about the recent OPM breach and the current \nstate of our federal information systems. We owe it to the \nAmerican people to ensure that their personally identifiable \ninformation is safe and protected from cybercriminals.\n    And with that, Madam Chair, I yield back.\n    [The prepared statement of Mr. Loudermilk follows:]\n\n              Prepared Statement of Oversight Subcommittee\n                       Chairman Barry Loudermilk\n\n    Thank you, Chairwoman Comstock, for holding this very important \nhearing on an issue that hits too close to home for you as well as many \nothers in this country. I would like to thank our witnesses for being \nhere today in order to help us understand what seems to be an epidemic \nof cyber-attacks. I look forward to discussing what needs to be done to \nprevent similar attacks from occurring in the future.\n    Unfortunately, this Administration has failed to provide Americans \nwith any level of confidence that it will adequately protect their \npersonal information when entrusted with it. As we have witnessed over \nthe past few months, there has been a concerning pattern of security \nbreaches involving government computer systems. This includes the \nrecent, massive data breach of the Office of Personnel Management \n(OPM)--disclosing personal and official information that could \npotentially harm our national security. 
For an Administration that \ntouts that it has ``prioritized the cybersecurity of federal \ndepartments and agencies,'' we have instead witnessed a government that \nis unable to properly secure its computer systems and protect sensitive \ninformation.\n    The situation at OPM is exactly why the Subcommittee that I Chair \nis looking into the collection of Americans' personal data through the \nHealthCare.gov website. In that situation, it appears that social \nsecurity numbers, dates of birth, names, mailing addresses, phone \nnumbers, financial accounts information, military status, employment \nstatus, passport numbers, and taxpayer IDs are being retained. This \ninformation is being stored in a ``data warehouse that is intended to \nprovide reporting and performance metrics related to the Federally \nFacilitated Marketplace (FFM) and other Healthcare.gov-related \nsystems.''\n    In the situation of the data warehouse, the Administration never \nappeared to be forthright about the use and storage of personally \nidentifiable information on HealthCare.gov. The Administration has yet \nto explain the reason for indefinitely storing user information, \nparticularly of the users of the website who input their data to log \nin, but do not end up enrolling.\n    If that data warehouse is being protected in the same way that OPM \nwas protecting personal information, action needs to be taken now to \navoid putting the American people at significant personal risk. With \nmany Americans being forced into the government health care exchange, a \nbreach of this system could end up having millions affected, just like \nthe OPM data hack.\n    The Government Accountability Office (GAO) has included the \ncybersecurity of federal information systems on its list of high risk \nareas since 1997, so this isn't something new. Why, then, are we \nsitting here almost twenty years later, wondering why our federal \ninformation systems are not being adequately secured? 
In the most \nrecent GAO High Risk Series report, it says that `` . . . inspectors \ngeneral at 22 of the 24 agencies cited information security as a major \nmanagement challenge for their agency. For fiscal year 2014, most of \nthe agencies had information security weaknesses in the majority of \nfive key control categories.''\n    As the Chairman of this Committee's Oversight Subcommittee, I want \nto find the truth behind this reckless behavior that is threatening the \nsafety and security of the American people. These actions--or rather, \nlack of actions--put the future of our nation at great risk, and must \nstop.\n    I look forward to today's hearing, which I anticipate will inform \nus more about the recent OPM breach and the current state of our \nfederal information systems. We owe it to the American people to ensure \nthat their personally identifiable information is safe and protected \nfrom cybercriminals.\n\n    Chairwoman Comstock. Thank you, Chairman Loudermilk.\n    And I now recognize the Ranking Member of the Subcommittee \non Oversight, the gentleman from Virginia, my colleague Mr. \nBeyer, for his opening statement.\n    Mr. Beyer. Thank you, Madam Chair. And thank you, Chairs \nComstock and Loudermilk, for holding this hearing today, \nincredibly timely and--because, you know, earlier today \nobviously New York Stock Exchange, United Airlines, the Wall \nStreet Journal all suffering from computer glitches that have \ndisrupted their computer networks. And whether this turns out \nto be intentional or whether--or not, it certainly highlights \nthe potential vulnerabilities of our digital dependence. And \ntoday's hearing obviously is about Office of Personnel \nManagement.\n    Deterring, detecting, and defending against the multitude \nof online threats that constantly lurk in the cyberspace domain \nis a critical issue for federal agencies and the federal \ngovernment and the private sector alike. 
Last year alone, \nfederal agencies reported nearly 70,000 individual computer \nsecurity incidents to the U.S. Computer Emergency Readiness \nTeam, or CERT. During the same time period, October 1, 2013, to \nSeptember 30, 2014, nonfederal entities reported more than \n570,000 incidents and many other incidents are potentially not \nidentified or even not reported at all. Cyber threats are \nconstant, they're evolving, they're very sophisticated, and \nmany pose serious distress to companies, agencies, and \nindividuals.\n    The two recent data breaches at OPM are particularly \nimportant to me and to my constituents. Representing a \nCongressional District just outside the Nation's capital, many \nof my constituents are federal employees who may have had their \npersonal data compromised as a result of these intrusions. One \nof those attacks is believed to have compromised the personal \ninformation of more than four million people and the other, up \nto 14 million people. And I'm particularly troubled that the \ndata that was reportedly accessed included not just the \npersonnel files but the security files of our defense, homeland \nsecurity, and intelligence community employees. This could \npotentially jeopardize the financial security, personal safety, \nand ultimately the secrets that are entrusted to help protect \nthe Nation.\n    While the facts of this case are still being unraveled, \nincluding the motive for the attack, the identity of the \nperpetrators and the potential damage they may have caused, we \nshould understand, too, that the federal government is not \nalone in being the victim of cyber attacks. In the past year \nhundreds of millions of personal records have been compromised \nby hackers targeting J.P. Morgan Chase, eBay, Home Depot, \nTarget, and other private companies. 
I seem to receive a new \ncredit card or debit card about every 6 weeks from my bank with \na note telling me that the card has been compromised yet again.\n    When I was in Switzerland, a State Department computer was \nhacked in one year, the Defense Department the next. The \nnewspapers blamed China and Russia. Still, the OPM was \nsignificant and I'm particularly impacted--concerned about the \nimpact this has on the morale of a federal workforce that \nrecently has endured, through no fault of their own, a \ngovernment shutdown, forced furloughs, staffing cuts, pay \nfreezes. These government employees now have the added insult \nof a breach of their personal data.\n    Agency heads should also be mindful and accommodating of \nthe impact of federal employees who need time off to mitigate \nthe fallout from this hack. And I encourage OPM to communicate \nwith all agencies to ensure that workers are accommodated so \nthey can visit their banks, Social Security offices, creditors \nin order to deal with the repercussions of the breach.\n    I know every time I get a new card, I get four or five \npeople that don't get paid because the card numbers change and \nthen they call and--I know it upsets my wife terribly.\n    I'm also concerned that the reports of this attack suggest \nit may have been the result of individuals with ties to foreign \nentities and that particularly a private company working for \nthe government as a security contractor may have been the weak \nlink in the chain of events that led to the successful attack.\n    We're making steady, slow progress in fortifying our cyber \ndefenses from potential attack. According to OMB's annual \nreport on FISMA sent to Congress in February, there's been \nmonitoring--improvement in federal agencies implementing \ncontinuous monitoring of their networks and the authentication \nof their users, for instance, but these results are not good \nenough. 
I know everyone on the panel here is interested in \nlearning what we can do to strengthen the system as quickly as \npossible, as strongly as possible, recognizing that we're never \ngoing to have 100 percent security, that the creative hackers, \never younger, will figure out additional ways around it. How \ncan we create the very best advice on closing cybersecurity \nholes if and when they exist and then augmenting our security \ndefenses against them?\n    So I very much look forward to your testimony and your \nadvice, and Madam Chair, I yield back.\n    [The prepared statement of Mr. Beyer follows:]\n\n            Prepared Statement of Subcommittee on Oversight\n              Minority Ranking Member Donald S. Beyer, Jr.\n\n    Thank you Chairs Comstock and Loudermilk for holding this hearing \ntoday. I believe this is an important hearing and I look forward to \nhearing from our witnesses. I believe this is an important and timely \nhearing. Earlier today it was reported that the New York Stock \nExchange, United Airlines and Wall Street Journal are all suffering \nfrom a ``computer glitch'' that has disrupted their computer networks. \nWhether this event is determined to be intentional or not it highlights \nthe potential vulnerability of our digital dependence. Today's hearing, \nhowever, is about another computer incident at the Office of Personnel \nManagement or OPM.\n    Deterring, detecting and defending against the multitude of on-line \nthreats that constantly lurk in the cyberspace domain is a critical \nissue for the federal government and private sector alike. Last year \nalone federal agencies reported nearly 70,000 individual computer \nsecurity incidents to the U.S. Computer Emergency Readiness Team or \nCERT. 
During the same time period, from October 1, 2013 to September \n30, 2014, non-Federal entities reported more than 570,000 incidents and \nmany other incidents are potentially not identified and others not \nreported at all.\n    Cyber threats are constant and evolving, some are very \nsophisticated and many pose serious distress to companies, agencies and \nindividuals. The two recent data breaches of the Office of Personnel \nManagement (OPM) are particularly important to me and my \nconstituents. Representing a congressional district just outside the \nnation's Capital many of my constituents are federal employees who may \nhave had their personal data compromised as a result of these \nintrusions. One of those attacks is believed to have compromised the \npersonal information of more than 4 million individuals and the other \nis suspected to have compromised the data of as many as 14 million \npeople. I am particularly troubled that the data that was reportedly \naccessed included not just the personnel files but the security files \nof our defense, homeland security and intelligence community employees. \nThis could potentially jeopardize their financial security, personal \nsafety and ultimately the secrets they are entrusted to help protect \nfor our Nation.\n    While the facts of this case are still being unraveled, including \nthe motive for the attack, the identities of the perpetrators and the \npotential damage they may have caused, we should understand too that \nthe federal government is not alone in being victim to cyberattacks. In \nthe past year, hundreds of millions of personal records have been \ncompromised by hackers targeting JP Morgan Chase, Ebay, Home Depot and \nother private companies.\n    Still, the OPM breach was significant. I am concerned for the \npersonal and professional impact of this breach on our dedicated \nfederal workforce, particularly those involved in the national security \narena. 
It should not be understated the impact this has on the morale \nof a workforce that has recently endured--through no fault of their \nown--a government shutdown, forced furloughs, staffing cuts, and pay \nfreezes. These government employees now have the added insult of a \nbreach of their personal data.\n    Agency heads should also be mindful and accommodating of impacted \nfederal employees who need time off to mitigate the fallout from the \nhack. I encourage OPM to communicate with all agencies to ensure \nworkers are accommodated so that they can visit their banks, Social \nSecurity offices, and creditors in order to deal with the repercussions \nof the breach.\n    I am also concerned that reports of this attack suggest it may have \nbeen the result of individuals with ties to foreign entities and I am \nconcerned that it appears a private company working for the government \nas a security contractor may have been the weak link in the chain of \nevents that ultimately led to a successful attack.\n    The federal government is making steady, but slow progress in \nfortifying our cyber defenses from potential attack. According to the \nOffice of Management and Budget's (OMB's) annual report on the Federal \nInformation Security Management Act (FISMA) sent to Congress in \nFebruary there has been improvement in federal agencies implementing \ncontinuous monitoring of their networks and the authentication of their \nusers, for instance. But the results are still not good enough. Federal \nAgencies need to do a better job meeting the IT security criteria \ndemanded by compliance with FISMA and they need to apply the cyber \nsecurity standards recommended by the National Institute of Standards \nand Technology (NIST) to their networks. 
At the same time, Congress and \nthe public need to realize that no matter how well protected an Agency \nor private entity is, they will never be 100-percent secure and \nthat data breaches are bound to occur in the future.\n    I hope our witnesses can help provide us with advice on closing \ncyber-security holes when and where they exist and augmenting our \nsecurity defenses against them.\n    With that I yield back.\n\n    Chairwoman Comstock. Thank you, Mr. Beyer. And thank you \nfor your leadership on this, too, and being upfront on it.\n    I now recognize the Chairman of the full committee, Mr. \nSmith.\n    Chairman Smith. Thank you, Madam Chair.\n    Today's hearing highlights the latest and, so far, the most \nextensive cybersecurity failure by a federal agency, the theft \nof millions of federal employee records from the Office of \nPersonnel Management.\n    National defense in our digital age no longer just means \nprotecting ourselves against enemies who attack with \ntraditional weapons. It now means protecting America from those \nwho launch cyber attacks against our computers and networks, \ninvading our privacy and probably endangering lives.\n    But it is about much more than solely the invasion of \nprivacy or the burden to our economy. This is a national \nsecurity concern, as these breaches expose information about \nmembers of our military and employees of national security \nagencies.\n    A number of federal agencies guard America's cybersecurity \ninterests. Several are under the jurisdiction of the Science \nCommittee. These include the National Science Foundation, the \nNational Institute of Standards and Technology, the Department \nof Homeland Security's Science and Technology Directorate, and \nthe Department of Energy. All of these agencies support \ncritical research and development to promote cybersecurity and \nset federal standards. 
However, it is clear that too many \nfederal agencies like OPM fail to meet the basic standards of \ninformation security, and no one is being held accountable.\n    Last year audits revealed that 19 of 24 major federal \nagencies failed to meet the basic cybersecurity standards \nmandated by law. And yet the Administration has allowed \ndeficient systems to stay online. What are the consequences \nwhen a federal agency fails to meet its basic duties to protect \nsensitive information? So far it seems the only people \npenalized are the millions of innocent Americans who have had \ntheir personal information exposed. It will be some time before \nwe know the full extent of the damage to personal and national \nsecurity caused by the OPM breach of security. But we do know \nthat it is critical that we prevent further attacks on \nAmerica's cyber systems.\n    The federal government failed in its responsibility to keep \nsensitive and personal information secure, and Americans \ndeserve better. The Science Committee will continue its efforts \nto support the research and development essential to strengthen \nour Nation's cyber defenses. We will also continue to demand \nbetter answers from OPM on the extent of this breach.\n    The Director of the Office of Personnel Management recently \ntestified: ``I don't believe anyone (at OPM) is personally \nresponsible.'' That is not believable. In fact, it's an insult \nto the American people who pay her salary. The government \nshould be accountable to the people, and this committee will \ncontinue to demand answers about who is responsible for failing \nto keep Americans' sensitive information secure. I hope we can \nuse lessons learned from the OPM breach to help find solutions \nto prevent the next attack.\n    I look forward to hearing from our witnesses today and I'll \nyield back.\n    [The prepared statement of Chairman Smith follows:]\n\n        Prepared Statement of Committee Chairman Lamar S. 
Smith\n\n    Thank you Madam Chair. Today's hearing highlights the latest and so \nfar the most extensive cybersecurity failure by a federal agency - the \ntheft of millions of federal employee records from the Office of \nPersonnel Management (OPM).\n    National defense in the digital age no longer just means protecting \nourselves against enemies who attack with traditional weapons. It now \nmeans protecting America from those who launch cyber-attacks against \nour computers and networks, invading our privacy and probably \nendangering lives.\n    But it is about much more than solely the invasion of privacy or \nthe burden to our economy. This is a national security concern as these \nbreaches expose information about members of our military and employees \nof national security agencies.\n    A number of federal agencies guard America's cybersecurity \ninterests. Several are under the jurisdiction of the Science Committee. \nThese include the National Science Foundation, the National Institute \nof Standards and Technology, the Department of Homeland Security's \nScience and Technology Directorate, and the Department of Energy.\n    All of these agencies support critical research and development to \npromote cybersecurity and set federal standards. However it is clear \nthat too many federal agencies like OPM fail to meet the basic \nstandards of information security--and no one is being held \naccountable.\n    Last year audits revealed that 19 of 24 major federal agencies \nfailed to meet the basic cybersecurity standards mandated by law. And \nyet the Administration has allowed deficient systems to stay online.\n    What are the consequences when a federal agency fails to meet its \nbasic duties to protect sensitive information? 
So far it seems the only \npeople penalized are the millions of innocent Americans who have had \ntheir personal information exposed.\n    It will be some time before we know the full extent of the damage \nto personal and national security caused by the OPM breach of security. \nBut we do know that it is critical that we prevent further attacks on \nAmerica's cyber systems.\n    The federal government failed in its responsibility to keep \nsensitive and personal information secure, and Americans deserve \nbetter.\n    The Science Committee will continue its efforts to support the \nresearch and development essential to strengthen our Nation's cyber \ndefenses. We will also continue to demand better answers from OPM on \nthe extent of this breach.\n    The Director of the Office of Personnel Management recently \ntestified: ``I don't believe anyone (at OPM) is personally \nresponsible.'' That is not believable. In fact, it's an insult to the \nAmerican people who pay her salary.\n    The government should be accountable to the people, and this \nCommittee will continue to demand answers about who is responsible for \nfailing to keep Americans' sensitive information secure.\n    I hope we can use lessons learned from the OPM breach to help find \nsolutions to prevent the next attack. I look forward to hearing from \nour witnesses today and yield back.\n\n    Chairwoman Comstock. Thank you, Mr. Chairman.\n    And if there are Members who wish to submit additional \nopening statements, your statements will be added to the record \nat this point.\n    Now at this time I would like to introduce our witnesses. \nMichael Esser is the Assistant Inspector General for Audits at \nthe Office of Personnel Management. In this role, Mr. Esser is \nresponsible for overseeing audits of OPM's information systems. \nPrior to joining the office in 1991 he worked in northern \nVirginia as a CPA. Mr. 
Esser holds a bachelor of science degree \nin accounting and a master's degree in business administration \nfrom George Mason University.\n    Our second witness today is David Snell, Director of the \nFederal Benefits Service Department for the National Active and \nRetired Federal Employees Association, which represents some \n300,000 active and retired federal employees and their spouses. \nBefore joining there, Mr. Snell worked for nearly three decades \nat OPM ending his career there as Chief of Retirement Benefits \nBranch. He holds a bachelor of science degree from George Mason \nUniversity. We have a theme here. Great university.\n    Our third witness today is Dr. Charles Romine, Director of \nthe Information Technology Laboratory at the National Institute \nof Standards and Technology. This program develops and \ndisseminates standards for security and reliability of \ninformation systems, including cybersecurity standards and \nguidelines for federal agencies like OPM. Dr. Romine has \npreviously served as a Senior Policy Analyst at the White House \nOffice of Science and Technology Policy and as a Program \nManager at the Department of Energy's Advanced Scientific \nComputing Research Office. Dr. Romine received his bachelor's \ndegree in mathematics and his Ph.D. in applied mathematics from \nthe University of Virginia.\n    Today's final witness is Dr. Gregory--let me get this \nright--Wilshusen. Okay. Mr. Wilshusen is the Director of \nInformation Security Issues at the U.S. Government \nAccountability Office. Prior to joining GAO in 1997, Mr. \nWilshusen was a Senior Systems Analyst at the Department of \nEducation. He received his bachelor's degree in business \nadministration from the University of Missouri--I guess the \nnon-Virginia university here--and his master of science in \ninformation management from George Washington University, close \nenough.\n    In order to allow time for discussion, please limit your \ntestimony to five minutes. 
Your entire written statement will \nbe made part of the record.\n    I now recognize Mr. Esser for five minutes to present his \ntestimony.\n\n               TESTIMONY OF MR. MICHAEL R. ESSER,\n\n            ASSISTANT INSPECTOR GENERAL FOR AUDITS,\n\n                 OFFICE OF PERSONNEL MANAGEMENT\n\n    Mr. Esser. Chairwoman, Chairman, Ranking Members, and \nMembers of the Committee, good afternoon. My name is Michael \nEsser and I am the Assistant Inspector General for Audits at \nthe U.S. Office of Personnel Management. Thank you for inviting \nme to testify at today's hearing on the IT security work done \nby my office at OPM.\n    OPM has a long history of systemic failures to properly \nmanage its IT infrastructure, which may have ultimately led to \nthe recent data breaches. We are pleased to see that the agency \nis taking steps to improve its IT security posture but many \nchallenges still lie ahead.\n    To begin, I would like to discuss some of the findings from \nour annual audits under the Federal Information Security \nManagement Act, known as FISMA. We have identified three \ngeneral areas of concern which are discussed in detail in my \nwritten testimony.\n    The first area is information security governance. This is \nthe management structure and processes that form the foundation \nof a successful security program. It is vital to have a \ncentralized governance structure. OPM has made improvements in \nthis area but it is still working to recover from years of \ndecentralization.\n    The second area is security assessments and authorizations. \nThis is a comprehensive assessment of each IT system to ensure \nthat it meets the applicable security standards before allowing \nthe system to operate. Our 2014 FISMA audit found that 11 of \nOPM's 47 major systems were operating without a valid \nauthorization. 
Because of actions taken by the CIO in April \n2015 we expect this number to more than double by the end of \nfiscal year 2016.\n    The third area is technical security controls. OPM has \nimplemented a variety of controls to make the agency's IT \nsystems more secure. However, these tools must be used properly \nand must cover the entire IT environment. Our FISMA audit last \nyear found that they were not.\n    These areas represent fundamental weaknesses in OPM's IT \nsecurity program that have been reported to the OPM Director, \nOMB, and the Congress for many years. The fact that these \nlongstanding issues were allowed to continue for so long \nwithout being taken seriously raises questions about the \ninherent effectiveness of the original FISMA legislation and \nimplementing guidelines.\n    Since 2002 the IGs have been reviewing their agencies' \ninformation security programs, but the reporting guidelines \nfrom OMB were focused on compliance with specific security \nareas and lacked perspective on the overall effectiveness of \nthe agency's program.\n    The FISMA Modernization Act of 2014 shifts the focus from \nreview and compliance to assessing effectiveness of security \ncontrols. In addition, a new maturity model approach to \nevaluating the state of agencies' continuous monitoring \nprograms was introduced in this year's FISMA reporting \ninstructions for OIGs. These new developments should go a long \nway toward improving the IT security programs of federal \nagencies. OMB and DHS should also work toward making the OIG \nFISMA reporting metrics more reflective of the current risks \nand threats and further adopting the maturity model approach \nfor other reporting domains.\n    I would also like to take a moment to discuss e-QIP, the IT \nsystem that OPM uses to collect information related to federal \nbackground investigations. 
Just last week, OPM disabled the \nsystem due to serious vulnerabilities detected in the design of \nthe database and public facing website. While we agree with the \nactions taken, OPM has known about vulnerabilities in the \nsystem for years but has not corrected them. During the 2012 \nsecurity assessment and authorization process for e-QIP, an \nindependent assessor identified 18 security vulnerabilities \nwhich still remain open and unaddressed today. We believe this \nis an example of the importance of the security assessment \nprocess and also of OPM's historical negligence of IT security \nin general.\n    Moving forward, OPM is undertaking a massive infrastructure \nimprovement project which, when completed, should significantly \nimprove the agency's IT security posture. However, we \nidentified several concerns related to OPM's failure to follow \nproper project management processes and the agency's use of a \nsole-source contract. These are discussed in more detail in my \nwritten testimony.\n    We fully support OPM's modernization efforts but we are \nconcerned that if this project is not done correctly, the \nagency will be in a worse situation than it is today and \nmillions of taxpayer dollars will have been wasted.\n    Thank you for your time and I'm happy to answer any \nquestions.\n    [The prepared statement of Mr. Esser follows:]\n    \n    \n [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]   \n    \n  \n    \n    Chairwoman Comstock. Thank you.\n    And I now recognize Mr. Snell for five minutes to present \nhis testimony.\n\n            TESTIMONY OF MR. DAVID SNELL, DIRECTOR,\n\n              FEDERAL BENEFITS SERVICE DEPARTMENT,\n\n              NATIONAL ACTIVE AND RETIRED FEDERAL\n\n                     EMPLOYEES ASSOCIATION\n\n    Mr. Snell. Thank you. Good afternoon and thank you for \ninviting me to testify. I appreciate the opportunity to express \nNARFE's views regarding the recent data breaches at the Office \nof Personnel Management, OPM. 
We are deeply concerned over the \nfailure of the federal government to protect its personnel \ncomputer systems and the devastating impact the recent breaches \nof these systems may have on national security, as well as on \nthe financial and personal security of millions of current and \nformer federal employees.\n    Let me be clear. The potential consequences of these \nbreaches are severe. The personal records obtained through the \ndata breaches include the highly personal and sensitive \ninformation of millions of current and former employees and \neven applicants for federal employment. The extent of the \nbreaches is enormous, likely reaching beyond 18 million \nindividuals.\n    Possession of the information contained in the Standard \nForm 86, a 120-page security clearance form containing an \napplicant's life history, could give our enemies the means to \nattempt to corrupt or blackmail government employees and \ncompromise military and intelligence secrets. Moreover, it \ncould make public servants vulnerable to grave risks to their \npersonal security and that of their families and loved ones.\n    While the perpetrators of this act bear the obvious and \nprimary fault in this matter, the federal government, including \nboth the Administration and Congress, has an obligation to do \nits best to protect the sensitive information its employees and \njob applicants are required to disclose as a condition of \nemployment. It failed to meet that obligation.\n    Despite explicit warnings by Inspectors General since 1997, \nOPM failed to put in place adequate safeguards for both its \naged and newer computer systems. This permitted the theft of \nmassive amounts of personally identifiable information. Even \nnow, the current OPM Inspector General issued a flash audit of \nOPM's plans to improve its data security and found them to have \n``a very high risk of project failure.''\n    Our government has failed its employees. 
It is imperative to act swiftly and ensure an incident of this magnitude does not repeat itself. The Congressional oversight and response, including this hearing, is a good start, but we need continued vigilant efforts to improve the federal government's information technology and data security for the future.
    The federal government, including both the Administration and Congress, now has an obligation to remedy to the best of its ability what has transpired. This should have started with effective communication with federal employees, retirees, and others affected by the breaches and the organizations that represent them. Unfortunately, communication has fallen short of expectations. While OPM has provided notice to those affected by the breach announced June 4 and has communicated with organizations in that regard, it has thus far failed in its basic duty to inform individuals affected by the second and more troubling breach announced June 12 and continues to fail to answer many important questions about both breaches. The failure of OPM to safeguard personal information should not be compounded by deflecting questions.
    Our written testimony details many of the questions we are still seeking answers to regarding the details of exactly what data has been accessed. The federal community and everyone affected by the data have been--data breach deserves answers to these questions.
    In addition to better communication, the federal government should provide lifetime credit monitoring and additional identity theft insurance. The 18 months of credit monitoring offered by OPM is woefully inadequate. The depth of personal information exposed is enormous and the threat to individuals extends way beyond 18 months. It is only fair to provide financial protection in line with the threat that has been posed.
Furthermore, Congress should appropriate funds necessary to provide this protection.
    The question posed in the title of this hearing ``Is This the Tip of the Iceberg?'' is a valid one. While I cannot answer that, I will say I certainly hope not. The recent breaches should be a wake-up call to this country and its leaders about the dangers of cyber terrorism and the critical need to protect our government's core functions. Let's make sure this isn't the tip of the iceberg but rather the last time our federal government has to deal with a cybersecurity breach that threatens the financial security of its employees.
    Thank you again for the opportunity to share our views.
    [The prepared statement of Mr. Snell follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairwoman Comstock. Thank you, Mr. Snell.
    And now, Dr. Romine, for five minutes for your testimony.

           TESTIMONY OF DR. CHARLES ROMINE, DIRECTOR,

               INFORMATION TECHNOLOGY LABORATORY,

         NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

    Dr. Romine. Chairwoman Comstock, Chairman Loudermilk, Ranking Member Lipinski, Ranking Member Beyer, and Members of the Subcommittees, I'm Dr. Charles Romine, Director of the Information Technology Laboratory at NIST. Thank you for the opportunity to appear before you today to discuss our responsibilities for assisting federal agencies with cybersecurity.
    NIST has worked in cybersecurity with federal agencies, industry, and academia since 1972.
Our role, to research, develop, and deploy information security standards and technology to protect information systems against threats to the confidentiality, integrity, and availability of information and services was strengthened through the Computer Security Act of 1987, broadened through the Federal Information Security Management Act of 2002 or FISMA, and reaffirmed in the Federal Information Security Modernization Act of 2014.
    NIST carries out its responsibilities under FISMA through the creation of a series of Federal Information Processing Standards, or FIPS, and associated guidelines. Under FISMA agencies are required to implement those FIPS. To further assist agencies, NIST provides management, operational, and technical security guidelines covering a broad range of cybersecurity topics.
    NIST has a series of specific responsibilities in FISMA to--of particular relevance to today's hearing were addressed by NIST and published as FIPS 199, the standard for security categorization of federal information and information systems; and FIPS 200, which sets the minimum security requirements based on the categorization identified using FIPS 199.
    NIST created baselines for these minimum security requirements based on three levels determined in accordance with FIPS 199: low, moderate, and high. For example, at a high categorization, FIPS 199 states that ``the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.''
    Examples of controls included in the associated baselines then cover a range of requirements for a lifecycle of security. For example, security awareness and training, contingency planning, access control, system disposal, and incident response.
Once a baseline is established, NIST provides guidance to agencies to assist in determining that the baseline is adequate to meet their risk-based requirements.
    An agency may need to enhance a given baseline to address local risks, the agency's mission, and technical infrastructure. For example, an agency with a real-time monitoring system such as workstations in air traffic control or critical patient monitoring systems might not want to use a timed password-locked screensaver to mitigate security issues for unattended workstations. Instead, a guard or site surveillance system might be more appropriate to support the mission and still meet the intent of the baseline.
    Establishing a sound security baseline is not the end of security for an agency. NIST provides standards, guidelines, and tools for agencies to test and assess their security and continuously monitor their implementation and new risks. The authorization of a system by a management official is an important quality control under FISMA. By authorizing a system, the manager formally assumes responsibility for operating a system at an acceptable level of risk to the agency operations or individuals.
    Under FISMA, NIST does not assess, audit, or test agency security implementations. Congress recognized that placing such responsibilities on NIST would impede its ability to work with federal agency and private-sector stakeholders to develop standards, guidelines, and practices in the open, transparent, and collaborative manner that Congress intended.
    NIST's statutory role as the developer but not the enforcer of standards and guidelines under FISMA has ensured NIST's ongoing ability to engage freely and positively with federal agencies on the implementation challenges and issues they experience in using these standards and guidelines.
NIST is committed to continue to help agency officials address their responsibilities under FISMA to understand and mitigate risks to their information and information systems that could adversely affect their missions.
    We recognize that we have an essential responsibility in cybersecurity and in helping industry, consumers, and government to counter cybersecurity threats. Active collaboration within the public sector and between the public and private sectors is the only way to effectively meet this challenge leveraging each participant's roles, responsibilities, and capabilities.
    Thank you for the opportunity to testify today on NIST's work in federal cybersecurity and I would be happy to answer any questions that you may have.
    [The prepared statement of Dr. Romine follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairwoman Comstock. Thank you, Doctor.
    And I now recognize Mr. Wilshusen for five minutes to present his testimony.

         TESTIMONY OF MR. GREGORY WILSHUSEN, DIRECTOR,

                  INFORMATION SECURITY ISSUES,

             U.S. GOVERNMENT ACCOUNTABILITY OFFICE

    Dr. Wilshusen. Chairman Comstock, Chairman Loudermilk, Ranking Members Lipinski and Beyer, and Members of the Subcommittees, thank you for the opportunity to testify at today's hearing.
    The recent OPM data breaches affected millions of federal employees. However, OPM is by no means the only agency to suffer data breaches or face challenges securing its computer systems and information. The number of information security incidents both cyber and non-cyber reported by federal agencies continues to rise, increasing from about 5,500 in fiscal year 2006 to over 67,000 in fiscal year 2014. Similarly, the number of incidents involving personally identifiable information more than doubled in recent years to over 27,000 in fiscal year 2014.
These incidents illustrate the need for stronger information security controls across the federal government.
    Today, I will discuss several cyber threats to federal systems, cybersecurity challenges facing federal agencies, and governmentwide initiatives aimed at improving cybersecurity.
    Before I begin, if I may, I'd like to recognize members of my team who are instrumental in developing my statement and some of the work underpinning it. With me today is Larry Crosland, an Assistant Director who led this body of work. I also want to recognize Brad Becker, Lee McCracken, Chris Businsky, Scott Pettis, who also made significant contributions.
    Madam Chairwoman, Mr. Chairman, the federal government faces an array of cyber-based threats to its computer networks and systems. These threats include both targeted and untargeted attacks from a variety of sources, including criminal groups, hackers, disgruntled insiders, and foreign nations. These sources vary in terms of their capabilities, willingness to act, and motives, which can include seeking monetary gain or pursuing an economic, political, or economic advantage.
    In the grip of these threats, most federal agencies face challenges securing their systems and networks. Agencies continue to have shortcomings in assessing risks, developing and implementing security controls, and monitoring results. For example, 19 of 24 agencies covered by the Chief Financial Officers Act reported that information security weaknesses were either a significant deficiency or material weakness for financial reporting purposes. And the Inspectors General at 23 of these agencies cited information security as a major management challenge for their agency.
    Agencies also need to provide better oversight of the security of their contractor-operated systems.
Five of six agencies we reviewed did not consistently assess their contractors' information security practices and controls, resulting in security lapses.
    Even with effective controls, security incidents and data breaches can still occur. Agencies need to react swiftly and appropriately when they do. However, seven agencies we reviewed had not consistently implemented key operational practices for responding to data breaches involving personal information. GAO and agency IGs have made hundreds of recommendations to assist agencies in addressing these and other challenges. Implementing these recommendations will help strengthen agencies' ability to protect their systems and information.
    DHS and the Office of Management and Budget have also launched several governmentwide initiatives to enhance cybersecurity. One such initiative is requiring stronger authentication of users through the use of personal identity verification, or PIV cards. However, OMB recently reported that only 41 percent of agency user accounts at 23 civilian agencies required PIV cards for accessing agency systems.
    Another initiative, the National Cybersecurity Protection System, is intended to detect and prevent malicious network traffic from entering federal civilian networks. GAO is presently reviewing the implementation of this system. Our preliminary observations indicate that the system's intrusion detection and prevention capabilities may be useful but are also limited.
    While governmentwide initiatives hold promise for bolstering the federal cybersecurity posture, no single technology or set of practices is sufficient to protect against all cyber threats. A multilayered defense-in-depth strategy that includes well-trained personnel, effective and consistently applied processes, and appropriate technologies is needed to better manage cyber risks.
    This concludes my oral statement.
I'd be happy to answer your questions.
    [The prepared statement of Mr. Wilshusen follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Chairwoman Comstock. I thank the witnesses for their testimony and for your expertise and work on this over quite a long time.
    I would like to remind Members that the Committee rules limit our questioning to five minutes and I now recognize myself for five minutes of questions.
    A Washington Post editorial from this past Sunday, July 5, they said the OPM Director knew as well as anyone how sensitive the data was, yet the door to her agency was apparently left ajar. Thieves walked out with an intelligence goldmine. This was an unforgivable failure of stewardship that should lead to firings for incompetence.
    Mr. Esser, to your knowledge has OPM reprimanded or fired any official over this failure to protect its employees' most sensitive data?
    Mr. Esser. I'm not aware of any.
    Chairwoman Comstock. Are you aware of any discussions to that effect?
    Mr. Esser. No, I haven't heard any.
    Chairwoman Comstock. Okay. Thank you.
    And, Mr. Snell, really thank you for being here and representing so many people not just here in our metropolitan area but all across the country because this impacts our contractors, our federal employees, so it's important for people to understand that this is really a nationwide breach and, you know, you're representing people who are aware of this but there's still many more that aren't. Could you tell us what some of their concerns and unanswered questions are and how you think additional things that might be helpful for the employees and from what you've heard that we might ask for to help answer the questions that you've been getting from people?
    Mr. Snell. Thank you. I'd be glad to. A lot of the folks we hear from are members as well as others.
Their main concern is trust and trust in what they get. The information came to many of them through email. The email address was not a government email address. It was a .com address. They didn't know whether to open it, they didn't know what to do with it. They had little information. Many people have received letters. Those people don't have internet. They didn't--they weren't able to access the frequently asked questions and the explanations that the Office of Personnel Management had available out there. And so they were left in the dark.
    They didn't know if they called the number, if they contacted anybody if they could ever trust them, so we have a lot of distrust out there. A lot of folks are scared obviously. They don't know what's going to happen. Some folks who have not been notified that their records were compromised are wondering, you know, were my records compromised? Can I trust the fact that I didn't get notice or is this another, you know, problem? So those are the questions, those are the concerns that we hear from our members both current federal employees and retirees.
    Chairwoman Comstock. Thank you. I appreciate that and we look forward to continuing to work with you on identifying any of those and how we can help answer their questions.
    I was wondering, maybe a question for all of you, what kind of things, if someone has had their information breached or compromised, what should they be on the lookout for now? What would be an unusual type of situation that should raise the antenna and say this might be something I need to pay attention to? Can you think of some scenarios just so that people can get an idea of what they have to be on the lookout for?
    Dr. Wilshusen. Sure. I'll start it off.
First of all, individuals who believe their information may have been compromised or been notified that it has been should certainly check their credit reports to see if there have been any new credit accounts or charges that they're unaware of that may have cropped up, and certainly that's probably one of the basic things that individuals should do. They should also know that they are entitled to receive a free credit report from each of the three credit reporting agencies on an annual basis and that's something that one should do on a regular basis annually is to check each--credit reports from each of those organizations.
    Indeed, if they do receive the letter, as I have, is to also check to see about subscribing to the service that OPM is offering through their contractor because they, too, will provide--or supposed to provide anyway--some surveillance on the part of the individual.
    Chairwoman Comstock. Okay.
    Mr. Snell. I would add to that--and those are excellent suggestions. I would add to that that any statement they get regarding any other benefits they get from any other company or government entity such as Social Security, if there's something that has changed without their knowledge, they should report that right away. We had one member who found out his address on his Social Security payments had changed without his authorization. Being this close to the events of the breaches, of course, that member was concerned that this had been connected. But we did report it to OPM. The OPM folks had looked into it and decided that it was a separate incident. But still, any kind of changes like that, people should look into.
    Chairwoman Comstock. Okay. And one other thing I was wondering, should--a lot of people don't know what's necessarily in their personnel file. Have people asked you about possibly having copies of their personnel file, having copies of their background check?
Because, you know, if something starts coming up, you don't necessarily know what's in your background check, right, or even your personnel file even though you fill it out. Particularly with the background checks, those people aren't going to have any idea what people have said, right?
    Mr. Snell. Right. We haven't heard from anybody--any of our members with that particular request so--
    Chairwoman Comstock. Okay. Thank you. And I now turn over to questions from Mr. Lipinski.
    Mr. Lipinski. Thank you. I want to get down to the big question and what--in terms of what we should do moving forward here. It's not acceptable for these data breaches to occur at OPM, anywhere else in the government, or in the private sector. We know--okay, we accept--we know that they can happen but I sometimes feel like there's not enough done not just in the public sector but the private sector to prevent these.
    So my question is how do we make FISMA effective? I understand, as Dr. Romine said, that NIST, for good reason, only sets the standards; they're not the enforcer. So who should be, who can be the enforcer when it comes to the federal government? And I want to--just want to try to figure this out so that we can get someone so we know who's accountable, who can be held accountable, and who has the responsibility. So, Mr. Esser, what would you recommend?
    Mr. Esser. Well, one possibility is OMB. I mean we--as an IG office we audit, we report, and we identify, you know, areas of weakness but that's as far as our authority extends. We have no enforcement authority. Those reports go eventually to OMB and that could potentially be one area of enforcement.
    Mr. Lipinski. Dr. Romine, do you have any recommendations?
    Dr. Romine. No, I think that's right.
The oversight function, as it currently is set up under FISMA, I think is OMB with more recently DHS providing assistance to agencies to meet their obligations under FISMA. So I think that's the right answer.
    Mr. Lipinski. Mr. Wilshusen, do you have anything to add?
    Dr. Wilshusen. Yeah, I would agree to the same extent that both of the other witnesses mentioned, but I would also just like to point out that under law both under the FISMA 2002 and FISMA 2014 it is clearly the responsibility of the head of each agency to implement the appropriate information security protections to reduce the risk and magnitude of harm that could occur should information or information systems be compromised through unauthorized access, use, disclosure, modification, destruction, and disruption. And so clearly in terms of responsibility it's the head of agencies--each agency head to make that happen.
    Mr. Lipinski. Is there anything more that you recommend that we do? As you said, FISMA has been updated but is there anything more that should be done with, you know, that Congress should do with FISMA? Does anyone have any recommendations for anything further?
    Dr. Wilshusen.
Well, I would just say first that I think Congress did--went quite a distance in terms of modernizing FISMA to include clarifying their roles and responsibilities for information security across the federal government, particularly with assigning responsibilities to the Department of Homeland Security, who has now responsibility for assisting and overseeing to an extent implementation security controls at the federal agencies.
    It also recognizes the need for new types of security controls and procedures to be put in place such as continuous monitoring, continuous diagnostics and mitigation, which is another type of control set that, if effectively implemented, could assist agencies in better protecting their systems, identifying their risk, and addressing the key vulnerabilities first.
    Mr. Lipinski. Okay. Mr. Esser, did you want to add something?
    Mr. Esser. Yeah. I agree with Mr. Wilshusen, and I think from our viewpoint, the FISMA Modernization Act of 2014 went a long ways toward improving the situation, changing our reviews from more of a compliance check of a yes or a no, do they have--or do they do security controls testing to an effectiveness test of how good are those tests and moving towards continuous monitoring and the mature model that is being put in place. So we think continuing to move along that path is the right direction.
    Mr. Lipinski. Anyone else have anything to add?
    Good. All right. Thank you very much. I yield back.
    Chairwoman Comstock. Thank you.
    And I now recognize Mr. Loudermilk.
    Mr. Loudermilk. Thank you, Madam Chair.
    Mr. Wilshusen, as I mentioned in my opening statement, the situation we have at OPM is exactly why my subcommittee is investigating the collection of America's personal data through HealthCare.gov.
In September 2014, the GAO came out with a report noting that HealthCare.gov's data warehouse system MIDAS did not have an approved Privacy Impact Assessment that included a thorough analysis of privacy risks. Given that MIDAS is processing personally identifiable information and appears to have--indefinitely storing that information, how important is it to have an approved privacy impact statement for--or assessment for MIDAS?
    Dr. Wilshusen. I think it's vitally important because in that it helps the agencies to identify not only the privacy risks associated with that particular system but also alternatives and the controls that should be in place to better protect and help protect that information.
    Mr. Loudermilk. Thank you.
    Dr. Wilshusen. And we recommended--we also noted that not only had CMS not effectively implemented--or designed a policy impact assessment for MIDAS but for other systems connected with HealthCare.gov.
    Mr. Loudermilk. Do you know if an assessment is done since the September report?
    Dr. Wilshusen. We just received information from--we actually made a recommendation that in their Privacy Impact Assessment that they assess these privacy risks and today we believe that recommendation is still open----
    Mr. Loudermilk. So do they----
    Dr. Wilshusen. --and not fully implemented by----
    Mr. Loudermilk. They have not--is that concerning?
    Dr. Wilshusen. Well, we believe they should do that, yes.
    Mr. Loudermilk. Okay. When you looked into the MIDAS system as part of the HealthCare.gov review, was it known to you that personally identifiable information of individuals who signed up on the HealthCare.gov website would be indefinitely stored?
    Dr. Wilshusen.
It was known that initially the CMS officials indicated that personally identifiable information may not be stored and it--but then they acknowledged that it would be and it was because of that acknowledgement that personally identifiable information would be stored in MIDAS, that the need for assessing those privacy risks is important as part of a Privacy Impact Assessment.
    Mr. Loudermilk. Okay. So the fact that they indicated that they intended to store this PII information is really what catapulted this assessment, the need for the assessment? Is that what you're saying?
    Dr. Wilshusen. Right. Any new development or system should have a Privacy Impact Assessment if personally identifiable information is going to be collected, stored, or disseminated through that system.
    Mr. Loudermilk. Is it normal for the federal government to store PII information on websites or information obtained through websites?
    Dr. Wilshusen. I would say that that is normal for agencies to store personally identifiable information, some of which may be obtained through a website, but we--I have not looked at that specifically with regard to collection of information through websites.
    Mr. Loudermilk. Okay. I appreciate that. Also, GAO has listed the security of our federal cyber assets on its high-risk list since 1997. It's been almost 20 years. Does it remain on the high-risk list to this day because of evolving threats to federal information systems or is it because federal agencies have not been able to learn how to properly protect these systems?
    Dr. Wilshusen. I would say both----
    Mr. Loudermilk. Okay.
    Dr. Wilshusen.
--because certainly there's an inherent risk to agency systems because of the evolving threats and just the complexity of the systems that agencies develop and operate because many--much of the software that agencies use have vulnerabilities in it, some discovered, some undiscovered. But at the same time it's incumbent upon federal agencies to implement the appropriate security controls to mitigate those risks to--at a cost-effective and acceptable level. And we found that agencies have not consistently implemented agencywide information security programs to mitigate that risk effectively.
    Mr. Loudermilk. Is it because of--it's a lack of priority for a lot of these agencies?
    Dr. Wilshusen. In some cases it might be but it's also in other cases I believe it's just to the fact that there are a number of actions that agencies just haven't really taken that they need to take such as installing patches in a timely manner and assuring that known vulnerabilities are ameliorated in a timely manner.
    Mr. Loudermilk. Can you tell me who's ultimately accountable for the cybersecurity of our federal government?
    Dr. Wilshusen. Accountable or responsible? You know, I have to say in terms of at least for federal agencies, the agency head is responsible for implementing effective security controls and that's under law under FISMA. At the same time in terms of accountable that's harder to measure because to my knowledge it's difficult to see what accountability mechanisms are in place to assure that individuals are effectively securing systems. That could be done through personnel performance expectations, but in terms of individuals being held to account for that is somewhat uncertain.
    Mr. Loudermilk. I see I'm out of time. One quick question if I may, Madam Chair.
    Chairwoman Comstock. We're just tight because we're going to have votes.
    Mr. Loudermilk. Okay.
    Chairwoman Comstock.
We want to squeeze everybody in.
    Mr. Loudermilk. On a scale grading like elementary school A to F, our federal cybersecurity, how do you grade it?
    Dr. Wilshusen. D.
    Mr. Loudermilk. D minus from the way I hear that?
    Dr. Wilshusen. I'll go with D because in many respects there are improvements within federal information security and some of the initiatives but it's getting to the effective implementation of those security controls and the--some of the initiatives. Over time, consistently, that's proven challenging.
    Mr. Loudermilk. Thank you very much. Thanks to all the panel.
    Chairwoman Comstock. Thank you.
    I now recognize Mr. Beyer for five minutes.
    Mr. Beyer. Thank you, Madam Chair.
    Mr. Snell, do you know how long it takes to have a negative report, a so-called derogatory report on your credit report drop off?
    Mr. Snell. [Nonverbal response.]
    Mr. Beyer. Okay. Well, six to eight years. I only bring that up because it's a long time.
    Mr. Snell. It is a long time.
    Mr. Beyer. And I want to bring--call attention to something that you mentioned in your written report where you say ``the federal government should offer identity theft insurance, should offer credit monitoring services for the lifetime of anyone affected, and increase the amount of identity theft insurance provided in certain circumstances. Unlimited coverage may be required.'' I just want all of us to highlight that because this is I think really an initiative that we can bring as Democrats and as Republicans on Oversight to this issue.
    Mr. Snell. Well, thank you.
    Mr. Beyer. So thank you for bringing that up because it--by the way, the other rhetorical question, do you know how long it takes them to fix something that's wrong on a credit report, which is like impossible? So----
    Mr. Snell. It's a nightmare.
    Mr. Beyer. Yes.
    Mr.
Esser, your testimony was pretty devastating, all the things that didn't get fixed that were identified year in and year out within OPM. And I'm just baffled by it. Do you have any idea why? Is this a series of CIOs who didn't respond? Is it a series of Directors, Democrat, Republican administrations that didn't respond? Does any of it come back to us on Congress because we didn't allocate the resources necessary, the hardware, the software, the staffing to make all this happen? For example, you mentioned in there that OPM has decided they needed a legacy system. With legacy systems, you couldn't go back and tinker with them one by one; you had to do an overhaul. Help us understand this lack of leadership and lack of action on something that you guys as Inspectors General had clearly identified.
    Mr. Esser. I would have to guess it's a combination of factors. Certainly, there's been, you know, different directors and different CIOs during the time period that we've reported material weaknesses in IT security. You know, so, you know, if you look at the current Director, she wasn't there when this all started. The current CIO wasn't there when this all started. But at the same time there's been current issues that we've reported that, you know, they also haven't gotten addressed in a timely fashion that we would like to see them addressed.
    Resources I think is always an issue but it's not the sole answer. I think sometimes we feel like things that we report don't get the attention that they should get. We've had, you know, weaknesses that have been outstanding for, you know, years and years and years and that just shouldn't be.
    Mr. Beyer. All right. Well, thank you. Thank you, Mr. Esser.
    Dr. Romine, did I say that right?
    Dr. Romine. [Nonverbal response.]
    Mr. Beyer.
On NPR this morning they were talking about the \ndifficulty that our military and our intelligence units are \nhaving with ISIS encrypting messages between their potential \nrecruits. Can we use this encryption for federal government \ndata?\n    Dr. Romine. I don't know what encryption they're using but \nwe do have access to strong encryption, and in fact NIST in my \nlaboratory has been in the encryption space for decades now \nstarting with the original DES, Data Encryption Standard, that \nwas developed through NIST.\n    We certainly recognized--our guidance provides input that \nencryption is a very powerful tool for securing information. \nIt's not the only one in the arsenal but it is a very effective \none and often not very costly. And so I think certainly it's an \navenue for protecting the data.\n    Mr. Beyer. You know, I know you're not responsible for the \nprivate sector and it seems that you clearly have developed \nsome very thoughtful guidelines and protocols for how the \nfederal government should work. Do you have any sense of \nwhether the federal government leads or lags the private sector \nin terms of cybersecurity, data encryption, all the things \nwe're talking about today?\n    Dr. Romine. So I think there are bright spots in both \ncases. I mean I think there are--it's uneven in the private \nsector just as it's uneven in the federal government as well. I \nwill say that the guidelines and the standards that we issue \nthat are principally intended for the federal government are \noften picked up by the private sector because of the quality of \nthose guidelines and standards. And in fact we depend on the \nprivate sector to participate and provide us with input. We \nhave a multiphase comment period for almost all of our \nguidelines so that we get the best minds in the private sector \nand public sector to contribute.\n    Mr. Beyer. Thank you.\n    Madam Chair, I yield back.\n    Chairwoman Comstock. 
Thank you.\n    I now recognize Mr. Johnson for five minutes.\n    Mr. Johnson. Thank you, Madam Chairman. And, gentlemen, \nthank you for joining us today.\n    I--you know, cybersecurity and the kind of attack that we \nsaw on OPM I think--and I believe I read it here somewhere \nearlier today--is just the tip of the iceberg. As a 30-year IT \nprofessional myself, I firmly understand that as long as \ncomputers are working off of 1s and 0s, the bad guys are going \nto be out there trying to get in. And the battle space is huge \nand our ability to protect it is going to require constant \nvigilance. It's not a problem that has--it's not a race that \nhas a finish line because as soon as we get to one point, the \ngoalposts are moved and the game strategy changes.\n    And I spent a lot of my time helping to educate and inform \nthose that will listen so that we understand. But this is a big \nissue and communications and computing technologies are \nfoundational to our economy and to virtually every industry \nthat supports our economy, including our own national security. \nSo it's a really big issue.\n    Mr. Esser, the OPM Director has stated that some of OPM's \nnetwork systems are so old that it has been difficult if not \nimpossible to upgrade and encrypt them. How credible is that \nexplanation and how many of the OPM systems that were hacked \nwere these old legacy systems versus more modern ones capable \nof encryptions and upgrades?\n    Mr. Esser. I don't have an exact count of how many are \nlegacy systems and how many are modern. There is a lot of \ncredibility to what she says. There are old systems at OPM that \nit is difficult to bring into the modern area of security, not \nthat it can't be done but it can be difficult. 
But our \nunderstanding is that at least a few of the systems that were \nhacked are more modern systems that certainly, you know, modern \nencryption techniques and other security techniques could have \nbeen implemented on.\n    Mr. Johnson. Right. Okay. Well, a complete overhaul of the \nexisting IT infrastructure at OPM could take years, right? Do \nyou believe that there are intermediate steps OPM could take to \naddress security needs in the short-term?\n    Mr. Esser. There are and they have taken some of those \nsteps. They've--\n    Mr. Johnson. What are those? Can you enumerate some of \nthem?\n    Mr. Esser. Well, when the initial breach took place in 2014 \nand they began working on tightening up their systems, they \nwent into what they call a tactical phase of immediately \nremediating some of the high security problems they had. And so \nwe're fully in favor of everything they've done related that. \nYou know, things like, you know, requiring more two-factor \nauthentication. They're not fully there but they're working on \nit so they have taken steps to tighten up systems in that \nrespect.\n    Mr. Johnson. Okay. Dr. Romine and Mr. Wilshusen--do I have \nthat right?\n    Dr. Wilshusen. Close enough. It's Wilshusen.\n    Mr. Johnson. Wilshusen, okay. I apologize. Johnson is \npretty easy for everybody so I don't ever have that problem. \nSorry.\n    Dr. Romine and Mr. Wilshusen, do you agree? Are there \nthings that can be done in the near term? Are there more things \nthat can be done in the near term?\n    Dr. Romine. Well, certainly from the perspective of the \nNIST guidelines and FISMA guidelines that we issue I think we \nput those out as a means of reducing the susceptibility of the \nsystem to hack. Nothing is 100 percent secure but I think \nfollowing those guidelines is the most effective way that I can \nthink of to protect the systems.\n    Mr. Johnson. Mr. Wilshusen?\n    Dr. Wilshusen. And I would agree with both what Dr. 
Romine \nand Mr. Esser said. One thing that comes to mind, too, is based \non what's been reported by the Office of Management and Budget \nas it relates to OPM is that, as of the end of fiscal year \n2014, OPM had only implemented the use of personal identity \nverification cards or strong authentication for one percent of \nits user accounts. My understanding is that they're making \nprogress now to improve that but certainly having strong \nauthentication, using multifactor authentication for user \naccounts would be one area that it seems that OPM could improve \non and may be working on that now.\n    Mr. Johnson. Okay. Well, gentlemen, thank you very much and \nI've exhausted my time.\n    Madam Chair, I yield back.\n    Chairwoman Comstock. Thank you.\n    I now recognize Ms. Bonamici.\n    Ms. Bonamici. Thank you very much, Madam Chair. Thanks to \nthe Chairs and Ranking Members for this important conversation \nand thanks to the witnesses who are here. I wish we each had \nfive hours instead of five minutes because there are so many \nquestions.\n    So I wanted to start, Mr. Snell, you mentioned the issues \nand the challenges with notification and communication, and \nthis is something that I want to recognize both in the public \nand private sector has been a challenge. And of course with the \nnumber of current and former federal employees, it's my \nunderstanding that the FISMA requirement requires notice to \naffected individuals provided as expeditiously as practicable \nand without unreasonable delay. So those are obviously terms \nthat are not concrete depending on the circumstances. I just \nbring this up to recognize the importance of communicating with \npeople who are victims of the data breaches. And it's not just \nan issue in the federal arena either, in the private sector as \nwell.\n    I want to go back to the point that was made about \nencryption. 
It's my understanding that Estonia, even though \nit's a small country, had a significant data breach in 2007 and \nhas really come around and is now considered one of the \ncountries that does the best job of protecting data. Granted \nit's a smaller--much smaller population but they do make--heavy \nuse of encryption. And they also have focused on educating the \nworkforce.\n    And I also serve on the Education Committee and I wanted to \nask about the--whether we are really educating people who will \nbe able to be the people who are preventing as well as \nunderstanding how we need to do this both psychologically and \ntechnically. So do we need to improve cybersecurity education? \nAre there enough opportunities for the workforce? Do we have \nthe people we need out there to be able to do these jobs? I'll \nstart with Mr. Wilshusen.\n    Dr. Wilshusen. Well, I think certainly improving the \ncybersecurity understanding and awareness on the part of the \npublic at large, which I believe you're referring to, as well \nas with the federal workforce, is going to be very important to \naddress these cyber threats that consistently evolve and are \nbecoming more sophisticated over time. And certainly having an \nawareness of that and what types of controls and activities one \nshould engage in and should not engage in should be certainly \non the minds and--of everyone because each individual \npotentially could be the weak link in--which results in some \nsort of a computer compromise.\n    Ms. Bonamici. That's a great point. And in your testimony \nyou have this whole chart about the common adversaries and you \nlist hackers and I have to say I'm a little confused as I go \nvisit schools and the high schools are having these hack-a-\nthons and they're considered positive things. So is hacker a \nnegative connotation or is it a positive or is it--depends on \nwho the hacker is? It's a little confusing.\n    Dr. Wilshusen. 
I guess it depends on what they're doing \nwith their hacking. You know, if they're so-called white \nhackers, you know, but in terms of--it's good to know how \nhackers and particularly those individuals with malicious \nintent----\n    Ms. Bonamici. Right.\n    Dr. Wilshusen. --operate, what types of tools they use, \nhow--their modus operandi if you will in order to understand \nhow to protect against them. And so it's important to know that \nand certainly one of the things that information security \nprofessionals do is penetration testing and to see whether or \nnot any organization's information security controls are \neffective in keeping out hackers who may use similar type of \ntechniques.\n    Ms. Bonamici. Terrific. And I wanted to ask, I guess, each \nof you. Can you talk a little bit about your--what are your two \nor three top recommendations for improving practices generally, \nnot necessarily just for the federal government. Mr. Esser, \nwhat would be your top two or three recommendations?\n    Mr. Esser. I mean one of the things I would go back to is \nthe two-factor authentication to strengthen security. It's \nreally necessary to implement that and not just that but I mean \nthere's all kinds of different things that need to be \nimplemented, and the key I think is having, you know, security \nDefense in Depth I think is the term that's used.\n    Ms. Bonamici. Terrific. And I want to make sure the others \nget--and I'm almost out of time.\n    Mr. Snell, do you have a couple of----\n    Mr. Snell. No, that's not my strength so I'll----\n    Ms. Bonamici. Dr. Romine?\n    Dr. Romine. Sure. I would echo, I think, that proper \nidentity management is a key driver. I think it can be really \nbeneficial. Good use of encryption is good for preserving the \nintegrity or at least the confidentiality of data, so I would \njust maybe add those two.\n    Ms. Bonamici. And Mr. Wilshusen?\n    Dr. Wilshusen. 
I would say one is addressing patches or \ninstalling critical patches and remediating known \nvulnerabilities. U.S. CERT recently came out with a technical \nalert that said if you address these top 30 targeted \nvulnerabilities, that would address up to 85 percent of the \ntargeted vulnerabilities that are currently being used. The \nother thing would be improved detection and prevention \ncapabilities because regardless of how well you protect your \nsystems, it's likely you still may be subject to attack from \nunknown vulnerabilities.\n    Ms. Bonamici. Thank you so much. I see my time is expired. \nI yield back. Thank you.\n    Chairwoman Comstock. Thank you. And I would just take \nprivilege to note, I know when I was visiting schools that also \ndo the hacking and training them, you know, that--it's a great \ngrowth area for kids to get engaged in and get educated on \nbecause there's going to be lots of jobs for them in this area. \nAnd I know somebody who works in the business so they tell \ntheir clients if we can't hack into your system, you shouldn't \nhire us to protect your system because that's part of what \ntheir job is to constantly be looking for the next attack, \nright? So that's--thank you.\n    I now recognize Mr. Abraham for five minutes.\n    Dr. Abraham. Thank you, Madam Chair.\n    I guess first I'll express my disappointment for the Chief \nInformation Officer Ms. Seymour not--or declining our \ninvitation to come speak here. It's my understanding that she \nhas extensive involvement in preparing this system. Might I \nsuggest that if OPM had put extensive involvement in preventing \nthis, we might not even be having this hearing. So just that as \na statement.\n    Mr. Wilshusen, I'm going to start with you. Has the federal \ngovernment's response to this breach in your opinion been \nsufficient?\n    Dr. Wilshusen. 
Well, one of the responses--and I can't \nnecessarily speak specifically to OPM, but more broadly \nspeaking, as you may know, the federal CIO issued an initiative \nor a proclamation known as the 30-day Cybersecurity Sprint, and \nindeed, you know, to the extent that that 30-day sprint raises \nawareness and invigorates activity towards addressing these \nbasic security requirements included in the sprint such as \ninstalling critical patches, assuring deploying multifactor \nauthentication, and other--resolving known vulnerabilities, \nthat's important. And to the extent that that gets done, that's \na positive.\n    But where it may become detrimental if after this 30 days, \nwhich expires on Sunday, by the way, that the agencies and the \nfederal government relaxes and thinks, okay, we've accomplished \nour goal, I think that's a mistake because cybersecurity and \nimplementing effective security is not a sprint; it's a \nmarathon. And it's something that needs to be going on a \ncontinuous basis. And the fact of just going back to--possibly \ngoing back to the status quo, which only led to the conditions \nthat resulted in the need for a 30-day sprint.\n    So I would say it raised awareness. Agencies may be taking \nactions to improve their security, but that needs to continue \nin perpetuity.\n    Dr. Abraham. And I'll follow up with you, Mr. Wilshusen. \nKnowing what you know about the cybersecurity or lack thereof \nof all our federal agencies, would you entrust any of your \nsensitive information with any of these agencies?\n    Dr. Wilshusen. In some cases I have no choice because my \ninformation is at other agencies through security clearances \nand the like and through our tax systems and issuing tax \nreturns, and so, yes, I do entrust personal information to \nagencies and that's why it's important and incumbent upon those \nagencies to adequately protect information that the American \ntaxpayers, the American public entrust to it.\n    Dr. Abraham. 
And it's my understanding that the GAO tracks \nthe history of these breaches. How does this OPM recent breach \ncompare or where does it rank in the history of the other \ngovernment breaches as far as the tracking is concerned?\n    Dr. Wilshusen. Well, in terms of the like number of \nindividuals affected by this breach--\n    Dr. Abraham. Right.\n    Dr. Wilshusen. --it's among the top. You know, a few years \nago back I think in 2005, 2006 there was a data breach at the \nDepartment of Veterans Affairs in which the hard drive was \nstolen from an employee's--from their home but that contained \nthe personally identifiable information of 26, 27 million \nveterans and current service members. But that hard drive was \nultimately found and determined not to have been--the \ninformation was determined not to have been disclosed. So \nthat--this particular breach ranks right up near the top I \nwould say.\n    Dr. Abraham. Mr. Esser, you said in your testimony that the \nOPM leadership has been--has not been forthright about the \nclaim of proactively shutting down the e-QIP system. Can you \ntell us how long the OPM has known about these vulnerabilities \nto that particular one system?\n    Mr. Esser. There was a security assessment and \nauthorization done on the e-QIP system in September of 2012 \nwhich identified 18 vulnerabilities. I do not know if those \nvulnerabilities are related to the reason that the system was \nshut down last week but it certainly indicates that there has \nbeen vulnerabilities that OPM has been aware of and has not \naddressed even to date.\n    Dr. Abraham. Okay. Thank you.\n    Madam Chair, I'll yield back.\n    Chairwoman Comstock. Thank you, Mr. Abraham.\n    Ms. Esty.\n    Ms. Esty. Thank you, Madam Chair. I want to thank you and \nChairman Loudermilk and Ranking Members Lipinski and Beyer for \nholding today's extremely important hearing. 
And as we've--as \nhas already been noted, with three other breaches having been \nnoted today in the private sector, it's very much on all of our \nminds.\n    Our national and personal security depends on a strong \ncybersecurity infrastructure, and the recent breaches that have \nbeen disclosed with OPM are to me particularly disturbing when \nI look at the security clearance records that could have been \ncompromised. No credit check is going to make up for the risk \nto not just personal security but our nation's security for \nevery individual who went through or was consulted as part of \nthat system.\n    So I'd like you to think and maybe get back to us on what \nsort of protection and advice do we give on the national \nsecurity front, on the security breach aspect because that is \nvery different than your personal information to raid your bank \naccount. That's a risk of grave concern for this country, which \nwe haven't really discussed today.\n    It seems to me a number of issues have been raised and I \nwant to quickly tick them off and then focus on the last. We \nneed to understand the extent of vulnerability and that's been \ndiscussed at some length. The accountability for what's \nhappened also been raised by other Members. And I want to focus \non the last two, our capacity to address these issues in the \nfuture. That's a question in part of resources and that's been \nmentioned, both personnel resources--and Representative \nBonamici raised an issue she and I share a grave concern and \ninterest in, encouraging young people to pursue these fields \nand making sure we have enough capacity on both the private \nsector side and the public sector side. Is it a priority issue? \nDo we need to have different prioritization?\n    But the last issue I'd really like you to respond to is how \ndo we move to a continuous monitoring or effectiveness model \nfrom what we've had, which is a compliance model? It seems to \nme we have a real challenge. 
Congress enacts laws. Laws are \nabout compliance. They are snapshots in time that reflect our \nknowledge and technical capabilities. But as we've all \ndiscussed here today, these are evolving risks, and the moment \nwe stick a pin in the butterfly and pin it down, it will change \nby the time we finish pushing that pin in.\n    So if you could discuss a little bit what can we do on the \nCongressional side and what can the agencies do to move to a \nmindset that is much more nimble and that is in a continuous \nmode because that's going to be both what our hard and software \nlook like but also our mindset about what compliance actually \nmeans.\n    Dr. Wilshusen. I'll take first stab if you don't mind.\n    Well, one is an initiative that's already underway within \nthe Department of Homeland Security as it relates to continuous \ndiagnostics and mitigation, the extent to which DHS is \nproviding tools that are available for agencies to implement \nthis capability. Our work at the Department of State before \nthis initiative was established showed that there are benefits \nto monitoring the security posture of an organization on a \ncontinuous basis, but there are also a number of challenges \nassociated with that, some technological, some management and \noperational.\n    But certainly that's one area that can be done and indeed \nCongress in the passage of the Federal Information Security \nModernization Act of 2014 recognized the need for continuous \nmonitoring and identified that as one of the areas that \nagencies should be focusing on in securing their systems. And \nso that's one part of it.\n    But you're right, I totally agree. The need for assessing \nand monitoring the effectiveness of security controls needs to \nbe done on a continuous monitoring basis because threats change \nevery day, the computing environment changes is very dynamic, \nand new vulnerabilities are being identified each time.\n    Dr. Romine. 
If I may, I'd like to spotlight two things that \nNIST is doing that address two of your issues. One is we house \nthe program office for the National Initiative for \nCybersecurity Education, which is an interagency activity that \nI think is making great strides in addressing the workforce \nissue that you brought up.\n    And the second is under Executive Order 13636 NIST engaged \nthe private sector and other stakeholders in a year-long effort \nto develop what turned into the cybersecurity framework for \nimproving the cybersecurity of critical infrastructures. And \nalthough that was the focus, it has turned out that that report \nthat we developed the framework is a model I think for \nestablishing or improving a cybersecurity approach whether it's \nin the private sector or the public sector or other areas. It's \na very dynamic approach that involves, you know, a development \nof maturity along the lines of--analogous to a maturity model \nand so I think that could be really beneficial.\n    Chairwoman Comstock. Okay. Thank you.\n    Ms. Esty. I see my time is expired.\n    Chairwoman Comstock. We want to be able to squeeze in our \nlast two folks here.\n    Mr. Palmer, I recognize you for five minutes.\n    Mr. Palmer. Thank you, Madam Chairman.\n    We've talked about Defense in Depth and the hardware but I \nwant to talk about the individuals involved.\n    Dr. Wilshusen, OPM and the Department of Homeland Security \nofficials stated that the attackers who reached OPM's systems \nmay have been aided by user credentials that were obtained or \nstolen from one of OPM's contractors. Andy Ozment testified \nbefore the Oversight Committee that part of this breach may \nhave occurred through social engineering. I want to know in \nyour opinion what agencies can do to ensure that their IT \ncontractors are effectively protecting federal systems and \ninformation? 
I mean I fully get it that we need to completely \noverhaul our hardware and software, but that alone in the \ncontext of Defense in Depth will not secure the system.\n    Dr. Wilshusen. I wholeheartedly agree. The oversight of \ncontractors and their information security practices over \nsystems that they operate on behalf of the federal government \nor operate to process information on behalf of the federal \ngovernment is really critical to assure that--agencies need to \nassure that that information is being adequately protected. And \nthat requires that they go in and assess or have an independent \nassessor evaluate the security controls and assure that they're \nbeing operated effectively and efficiently and that indeed the \nrequirements for information security are expressed to the \ncontractor either through contractual instruments or other \nmechanisms to assure that they know what is required to help \nprotect those systems.\n    And another point you raised in terms of--was the stolen \nuser credentials that might have been used to help promote or \nfacilitate the attack on OPM, one of the things that could help \nthere is having multifactor authentication, which would help to \neither prevent or at least raise the bar significantly for that \nattacker to be able to use compromised credentials. And that \nwasn't in place in all places throughout OPM.\n    Mr. Palmer. Well, it's even worse than that. Dr. Ozment--it \nwasn't in his testimony but in an interview--talked about the \nfact that one of the contractors working with OPM was based in \nArgentina and was working with two people who were Republic of \nChina nationals. I mean how do we let something like that \nhappen? I mean with the amount of cyber assault--I visited a \nfacility that monitors these cyber attacks and you can \nliterally see them being launched. There were 700 and something \ncyber attacks launched from Russia within 10 minutes. 
China was a \ndistant second.\n    How is it that we would not be aware that we had people \nforeign-based involved in this and particularly a couple of \nChinese nationals?\n    Dr. Wilshusen. I guess I'm not familiar with that \nparticular situation so I don't know if I can really comment to \nthat, so----\n    Mr. Palmer. But I think you would agree, though, that \nthat's a pretty egregious oversight or failure to exercise \noversight over our systems?\n    Dr. Wilshusen. I think it's important that agencies \nunderstand who has access to their systems and are accessing \ntheir systems and that kind of gets back to the identity \nmanagement area that we--the panel spoke about earlier. So that \ncertainly is one specific point to that.\n    Mr. Palmer. Mr. Snell, I want to ask you something here. \nMr. Abraham brought up the fact that Ms. Seymour did not want \nto testify before this committee. When she testified before the \nOversight Committee, I asked her if the breach was limited only \nto people who filled out the Standard Form 86, the security \nbackground check, because that was I think the position that \nOPM had taken. It turns out that it extends beyond that. Two of \nmy staff who have never filled out an SF 86, who have never \nserved in the executive branch, both got letters telling them \nthat their personal data had been compromised.\n    Do you have an idea of how broad this is and does it extend \nbeyond current federal employees to retired employees? Is it \npossible that it would extend to civilians who have national \nsecurity clearances?\n    Mr. Snell. That's entirely possible. We don't have \nfirsthand information. We only know what's being reported out \nof OPM and it's not very much. 
It's not very helpful what \nthey're reporting as far as numbers but it's entirely--and it \nhas been I think in the media mentioned that it could be \ncontractors, as well as federal employees, former employees, \npeople who are no longer in the federal government. So I'd have \nto turn that back over to the Office of Personnel Management to \ncome forth with information letting us know exactly who the \nvictims of these breaches are.\n    Mr. Palmer. Madam Chairman, I yield the balance of my time. \nThank you.\n    Chairwoman Comstock. Thank you.\n    And I now recognize five minutes for Mr. Tonko.\n    Mr. Tonko. Thank you, Madam Chair.\n    The--being a former federal employee, Mr. Snell, what are \nthe kinds of communication that you would like to see happen?\n    Mr. Snell. Well, in a situation like this I would like to \nsee the communication be sent via letter with OPM agency seal \non it so that the individuals would be able to at least feel \nconfident that this is an official U.S. Government notice. And \nthat kind of--I know it's not efficient in today's email world \nand all of that, but in a case like this where we have the \ncredibility issue as to who do you trust, who do you don't \ntrust, I think a letterhead--OPM letterhead or an agency \nletterhead would have gone a lot further to helping folks \nbelieve what they're getting is bona fide. So I like that like \nthat kind of communication.\n    Mr. Tonko. Thank you.\n    And Mr. Esser, the review here that was done would \nobviously involve the private sector, right, with contractors \nserving the federal government with some of the reinforcement \nhere? How--was there any review done of that private sector \nelement?\n    Mr. Esser. I'm not sure I understand what review you're \nreferring to.\n    Mr. Tonko. Well, just with the outcome that we had in the \nsituation, were contractors reviewed in this situation that \nserved the federal agencies?\n    Mr. Esser. I'm sorry. 
I guess I still don't quite \nunderstand the question. What review are you referring to?\n    Mr. Tonko. Just the malfunctioning that occurred. As we \nlook over the situation and try to determine where the \nweaknesses in the system are, what--is there a role that the \ncontractors to the system might have played here or that could \nhave been better collaboration involved in this system? Were \nthere any recommendations that you could make in that regard?\n    Mr. Esser. If--I mean we in the IG office, when we do our \nreviews, certainly there's contractor-operated systems at OPM \nand we look at those the same way we look at the agency-\noperated systems. I mean there's a number of contractors that \nare working at OPM and likely at many other agencies as well. \nThey, I believe, are treated the same way as federal employees \nin how we conduct our reviews.\n    Mr. Tonko. And in those reviews was there a need for better \ncollaboration in this whole process where there could have been \nperhaps a stronger partnership with those efforts?\n    Mr. Esser. I don't believe we reported any issues in that \narea.\n    Mr. Tonko. And to any of you on the panel, when we look at \na situation like this, is there a concern for the amount of \navailable resources to an agency to prevent any of this \nactivity? Is it a function of lack of resources or how those \nresources have been shared? Would any of you comment on, you \nknow, weak investment or falling short in the resources we \nrequire?\n    Dr. Wilshusen. 
You know, broadly speaking, not just talking \nto OPM but across the federal government, many of the security \ncontrol deficiencies and weaknesses that we identified during \nour audits are more of an information security management \nprocess more than a lack of resources in terms of implementing \neffectively and consistently across an agency its own defined \nand developed policies and procedures.\n    For example, one basic control is just installing patches \non a timely manner, particularly those that have been rated as \ncritical. Agencies often have policies that state they need to \nbe installed within a certain period of time, usually within a \nweek or a couple weeks, but we find that sometimes those \npatches are not being installed for months and sometimes over \nyears. So, in part it's a management issue to make sure that \nthese key security control issues and controls are being \neffectively implemented.\n    There are also resource implications as well. In some cases \nit may be important for agencies to implement new technologies \nor tools, particularly with respect to installing intrusion \ndetection capabilities within their networks to identify those \ntypes of vulnerabilities or cyber attacks or intrusions that do \ninevitably occur.\n    Mr. Tonko. Thank you very much. I see my time is out. Thank \nyou, Madam Chair.\n    Chairwoman Comstock. Thank you. And we do have a vote now \nand so I just want to thank the witnesses for their very \nvaluable testimony today. Sorry we had to sandwich it in \nbetween our votes because I know myself and my colleagues could \nspend a lot more time talking with you about this and will be \ntalking with you and asking for any guidance that you can give \nus with your expertise. 
So we very much appreciate you coming \nbefore us.\n    The record will remain open for two weeks for additional \ncomments and written questions from the Members.\n    And so the witnesses are excused and we thank you again for \nyour expert testimony. And this hearing is adjourned.\n    [Whereupon, at 5:19 p.m., the Subcommittees were \nadjourned.]\n\n                               Appendix I\n\n                              ----------                              \n\n\n                   Answers to Post-Hearing Questions\n\nResponses by Mr. Michael R. Esser\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\nResponses by Mr. David Snell\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\nResponses by Dr. Charles Romine\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n                              Appendix II\n\n                              ----------                              \n\n\n                   Additional Material for the Record\n\n\n\n\n             Prepared statement of Committee Ranking Member\n                         Eddie Bernice Johnson\n\n    Thank you, Chairwoman Comstock and Chairman Loudermilk, for holding \nthis hearing on the recent OPM data breach.\n    Even though we will continue to learn more details about the \nbreach, we already know that millions of Americans' personal \ninformation was compromised. This number includes current and retired \nfederal employees as well as the family members, friends, and co-\nworkers of federal employees.\n    There are valid concerns about hackers using this data for criminal \npurposes. Additionally, since security clearance background \ninvestigation information was compromised, there are also serious \nnational security concerns.\n    It is frustrating to learn that OPM knew that they had serious \ninformation security systems problems long before this breach. 
Although \naddressing their information security systems is a top goal of the new \nOPM leadership, it is clear that action should have been taken years \nago.\n    Federal computer information systems are guided by FISMA. In this \nrisk management approach, agencies evaluate the type of data in their \nsystems, determine what level of controls are needed, and put together \na plan to adequately protect their data.\n    Although NIST is responsible for drafting the standards used by the \nagencies, they do not oversee the program and are not responsible for \nenforcing agency compliance with FISMA.\n    Instead of picking on one federal agency, it is my hope that we can \nuse this data breach as a starting point for addressing federal \ncybersecurity more broadly. What is working? What is not? What \nmechanisms need to be in place to better protect individuals' personal \ninformation on our federal systems?\n    I want to end by saying that any conversation about federal \ncybersecurity must include a discussion about resources. It would be \nirresponsible for us to mandate additional cybersecurity measures that \nfederal agencies must take without providing them with additional \nresources.\n    Cybersecurity will always be about managing risks. No information \nsecurity system, whether public sector or private sector, can be \ncompletely protected. And unfortunately the question is, when, not if a \nsystem will get hacked. 
Therefore, we must ensure that we have the \nappropriate policies and oversight in place to help federal agencies \nprotect their data, and that we have provided federal agencies with the \nresources they need to do the job effectively.\n    I want to thank the witnesses for their testimony and I yield back \nthe balance of my time.\n          Letter submitted by Representative Barbara Comstock\n          \n   [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]       \n          \n\n\n                                 [all]\n                                 \n                                 \n</pre></body></html>\n"