<html>
<title>OPM: DATA BREACH</title>
<body><pre>[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]

                            OPM: DATA BREACH

=======================================================================

                                HEARING

                               BEFORE THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 16, 2015

                               __________

                           Serial No. 114-60

                               __________

Printed for the use of the Committee on Oversight and Government Reform

[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]

         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform

                              ____________

                        U.S. GOVERNMENT PUBLISHING OFFICE
99-659 PDF                    WASHINGTON : 2016

________________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).

              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                     JASON CHAFFETZ, Utah, Chairman

JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, Ranking Minority Member
MICHAEL R. TURNER, Ohio              CAROLYN B. MALONEY, New York
JOHN J. DUNCAN, Jr., Tennessee       ELEANOR HOLMES NORTON, District of Columbia
JIM JORDAN, Ohio                     WM. LACY CLAY, Missouri
TIM WALBERG, Michigan                STEPHEN F. LYNCH, Massachusetts
JUSTIN AMASH, Michigan               JIM COOPER, Tennessee
PAUL A. GOSAR, Arizona               GERALD E. CONNOLLY, Virginia
SCOTT DesJARLAIS, Tennessee          MATT CARTWRIGHT, Pennsylvania
TREY GOWDY, South Carolina           TAMMY DUCKWORTH, Illinois
BLAKE FARENTHOLD, Texas              ROBIN L. KELLY, Illinois
CYNTHIA M. LUMMIS, Wyoming           BRENDA L. LAWRENCE, Michigan
THOMAS MASSIE, Kentucky              TED LIEU, California
MARK MEADOWS, North Carolina         BONNIE WATSON COLEMAN, New Jersey
RON DeSANTIS, Florida                STACEY E. PLASKETT, Virgin Islands
MICK MULVANEY, South Carolina        MARK DeSAULNIER, California
KEN BUCK, Colorado                   BRENDAN F. BOYLE, Pennsylvania
MARK WALKER, North Carolina          PETER WELCH, Vermont
ROD BLUM, Iowa                       MICHELLE LUJAN GRISHAM, New Mexico
JODY B. HICE, Georgia
STEVE RUSSELL, Oklahoma
EARL L. "BUDDY" CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama

                    Sean McLaughlin, Staff Director
                 David Rapallo, Minority Staff Director
             Troy D. Stock, IT Subcommittee Staff Director
 Jennifer Hemingway, Government Operations Subcommittee Staff Director
                    Sharon Casey, Deputy Chief Clerk

                            C O N T E N T S

                              ----------

Hearing held on June 16, 2015

                               WITNESSES

The Hon. Katherine Archuleta, Director, U.S. Office of Personnel Management
    Oral Statement
    Written Statement
Mr. Andy Ozment, Assistant Secretary, Office of Cybersecurity and Communications, National Program Preparedness Directorate, U.S. Department of Homeland Security
    Oral Statement
    Written Statement
Mr. Tony Scott, U.S. Chief Information Officer, Office of E-Government and Information Technology, U.S. Office of Management and Budget
    Oral Statement
    Written Statement
Ms. Sylvia Burns, Chief Information Officer, U.S. Department of the Interior
    Oral Statement
    Written Statement
Ms. Donna K. Seymour, Chief Information Officer, U.S. Office of Personnel Management
    Oral Statement
Mr. Michael R. Esser, Assistant Inspector General for Audits, Office of Inspector General, U.S. Office of Personnel Management
    Oral Statement
    Written Statement

                                APPENDIX

ABC News-Feds Eye Link to Private Contractor in Massive Government Hack, Submitted by Rep. Maloney
Colleen M. Kelley-NTEU Statement for the Record
RESPONSE Tony Scott-CIO OMB-Walberg Questions for the Record

                            OPM: DATA BREACH

                              ----------

                         Tuesday, June 16, 2015

                   House of Representatives
      Committee on Oversight and Government Reform,
                                                   Washington, D.C.
    The committee met, pursuant to call, at 10:11 a.m., in Room 2247, Rayburn House Office Building, the Honorable Jason Chaffetz [chairman of the committee] presiding.
    Present: Representatives Chaffetz, Mica, Jordan, Walberg, Amash, Gosar, Massie, Meadows, DeSantis, Mulvaney, Walker, Hice, Russell, Carter, Grothman, Hurd, Palmer, Cummings, Maloney, Norton, Lynch, Connolly, Cartwright, Kelly, Lawrence, Lieu, Watson Coleman, Plaskett, DeSaulnier, Boyle, Welch, and Lujan Grisham.
    Chairman Chaffetz. The Committee on Oversight and Government Reform will come to order.
    Without objection, the chair is authorized to declare a recess at any time.
    Mr. Cummings will be with us momentarily. Another committee assignment is also pressing on his schedule.
    Last week we learned that the United States of America may have had what may be the most devastating cyber attack in our Nation's history, and that this may have been happening over a long period of time.
    As we sit here this morning, there is a lot of confusion about exactly what personal information for millions of current and former Federal employees and workers was exposed through the latest data breach at the Office of Personnel Management.
    OPM initially reported that the personal information of more than 4 million Federal employees was exposed during this attack. More recent public reports suggest that the breach was perhaps much worse than that.
    It is also unclear exactly what information was exposed. We would like to know what information was exposed, over what period of time, and who has this vulnerability.
    It would also be great to know who had conducted this attack. And I think we need to have candor with not only the Federal employees, but the American people as well.
    The breach potentially included highly sensitive personal background information collected through the security clearance applications. We would like clarity on that position as well.
    The loss of this information puts our Federal workforce at risk, particularly our intelligence officers and others working on sensitive projects throughout the globe. But we are concerned about each and every Federal worker and the public who has interacted with the Government and entrusted this information with the Government. We need to understand why the Federal Government, and OPM in particular, is struggling to guard some of our Nation's most important information.
    The fact that OPM was breached should come as no surprise given its troubled track record on data security. This has been going on for years and it is inexcusable.
    Each year, the Office of Inspector General reviews and rates its respective agency's compliance with the Federal Information Security standards. According to the last eight years of IG reports, OPM's data security posture was akin to leaving all the doors and windows open in your house and expecting that nobody would walk in and nobody would take any information. How wrong they were.
    Since 2007, the OPM Inspector General rated OPM's data security as a "material weakness" because the agency had no IT policies or procedures that can come anywhere close to something that could be used as an excuse for securing the information.
    It is unbelievable to think the agency charged with maintaining and protecting all personal information of almost all former and current Federal employees would have so few information technology policies or procedures in place.
    Let me just kind of read through some of the reports that have happened through the course of the years.
    This is the inspector general from fiscal year 2009: This year we are expanding the material weakness to include the agency's overall information security governance programs and incorporating our concerns about the agency's information security management structure. The continuing weaknesses at OPM's information security program result directly from inadequate governance. Most, if not all, of the exceptions we noted this year resulted from a lack of necessary leadership, policy, and guidance.
    Go to fiscal year 2010: We continue to consider the IT security management structure, insufficient staff, and the lack of policies and procedures to be a material weakness in OPM's IT security program.
    Fiscal year 2011: We continue to believe that the information security governance represents a material weakness at OPM's IT security program.
    Fiscal year 2012: Throughout fiscal year 2012, the OCIO, the Office of the Chief Information Officer, continued to operate with a decentralized IT security structure that did not have the authority or resources available to adequately implement new policies. However, the material weakness remains open in this report as the agency's IT security function remained decentralized throughout fiscal year 2012, FISMA reporting period, and because of the continued instances of non-compliance with FISMA requirements.
    It goes on later: The OCIO's response to our draft audit report indicated that they disagree with the classification of the material weakness because of the program that OPM has made with its IT security program and because there was no loss of sensitive data during the fiscal year. But as the inspector general pointed out, however, the OCIO's statement is inaccurate, as there were in fact numerous information security incidents in fiscal year 2012 that led to the loss or unauthorized release of mission-critical and sensitive data.
    They couldn't even decide and agree that they had lost the data back in fiscal year 2012, let alone actually solve the problem.
    Go to fiscal year 2013. Again, the inspector general: The findings of this audit report highlight the fact that OPM's decentralized governance structure continues to result in many instances of non-compliance with FISMA requirements; therefore, we are again reporting this issue as a material weakness in fiscal year 2013.
    Fast forward to fiscal year 2014. This is November of 2014: Eleven major OPM information systems are operating without valid authorization. This represents a material weakness in the internal control structure at OPM's IT security program.
    It goes on: OPM does not maintain a comprehensive inventory of servers, databases, and network devices. They didn't even know what they have. They don't even know what is in the inventory.
    Program offices are not adequately incorporating known weaknesses into plans of action and milestones, and the majority of systems are 120 days overdue. OPM continues to implement its continuous monitoring plan; however, security controls for all OPM systems are not adequately tested in accordance with their own policies. Not all OPM systems have conducted contingency plan tests in fiscal year 2014. Several information security agreements between OPM and contract operated information systems have expired. Multi-factor authentication is not required to access OPM systems in accordance with the OMB memorandum.
    This has been going on for a long time. And yet, when I read the testimony that was provided here, we are about to hear some say, hey, we are doing a great job. You are not. It is failing.
    This went on for years and it did not change. The inspector general found that 11 of the 47 major information systems, or roughly 23 percent, at OPM lacked proper security authorization, meaning the security of 11 major systems was completely outdated and unknown. Five of the 11 systems were in the Office of the Chief Information Officer, Ms. Seymour. They are in your office, which is a horrible example to be setting as the person in charge of the agency's data security.
    The IG only recently upgraded OPM to a "significant deficiency." In November 2014, FISMA, over 65 percent of all systems operated by OPM reside on two of the systems without valid authorization. Sitting on two systems, no valid authorization, 65 percent of the information.
    For any agency to consciously disregard its data security for so long is grossly negligent. And the fact that the agency that did this is responsible for maintaining highly sensitive information for almost all Federal employees, in my opinion, is even more egregious.
    OPM isn't alone. A number of other agencies also suffered breaches in the last year. This latest cyber hack comes on the heels of several data breaches across the Government, including the Postal Service, the State Department, the Internal Revenue Service, the Nuclear Regulatory Commission, and even the White House.
    At the same time, government is spending more and more on information technology. Last year, across government, we, the American people, spent almost $80 billion on information technology, and it stinks. It doesn't work, $80 billion later. And the person in charge of security, the person who is in charge of making sure there is authentication of our systems, even in her own office there isn't the authorization needed.
    OPM is not alone in the blame for this failure. The Office of Management and Budget has the responsibility for setting standards for Federal cybersecurity practices, and it is OMB's job to hold agencies accountable for complying and enforcing these standards.
    The Department of Homeland Security has been given the lead responsibility for serving as the Federal Government's so-called geek squad to monitor day-to-day cybersecurity practices, but the technical tools that DHS has deployed to try to protect Federal networks apparently aren't doing the job.
    While DHS has developed EINSTEIN to monitor Government networks, it only detects known intruders, proving that it is completely useless in the latest OPM hacks.
    The status quo cannot continue. We have to do better. We are talking about the most vital information of the most sensitive nature of the people that we care about most. The people entrust that information to OPM, and through the years it has been a complete and total utter failure, to the point we find ourselves where millions of Americans are left wondering what somebody knows about them. What are they supposed to do?
    And I have read the letter that you have been sending out to employees, and it is grossly inadequate. It is grossly inadequate, and that is why we are having this hearing today.
    We do appreciate you all being here.
    I think what we are going to do now is I would like to recognize the gentleman from Texas who is the chairman of the subcommittee that we have on IT. We at the Oversight and Government Reform Committee have set up a new subcommittee that deals just with IT issues.
    We are honored and pleased to have Mr. Hurd chairing that committee, so I will now recognize the gentleman from Texas, Mr. Hurd, for five minutes.
    Mr. Hurd. Thank you, Mr. Chairman.
    Not only as the head of the subcommittee, but as a former intelligence officer who has been through background investigation and whose information probably resides with OPM, I am concerned.
    Today's hearing is just another example of the undeniable fact that America is under constant attack. It is not bombs dropping or missiles launching; it is the constant stream of cyber weapons aimed at our data. From private sector innovations to military seekers, our enemies are attempting to rob this Country on a daily basis, and, unfortunately, they are succeeding.
    The worst of these cyber attacks are not coming from the caves of Afghanistan or Syria, but from air conditioned office buildings in China, Iran, and Russia, far from battlefields. These hackers work with impunity, knowing that their actions have no consequences.
    This is not only a question of how we can protect our networks and data, but of how we define the appropriate responses for digital and digital attacks. This is one of the questions I have been asking for years and I have continued to ask in my role as chairman of the Information Technology Subcommittee.
    It is no secret that Federal agencies need to improve their cybersecurity posture. We have years and years of reports highlighting the vulnerabilities of Federal agencies from legacy systems to poor FISMA compliance. And while there have been improvements, they have not kept pace with the nature of the threats we are facing.
    But until agency leadership takes control of these basic cybersecurity measures, things like strong authentication, network monitoring, encrypting data, and segmentation, we will always be playing catch-up against our highly sophisticated and well-resourced adversaries.
    I welcome the witnesses here today and look forward to their testimony.
    Thank you, Mr. Chairman. I yield back.
    Chairman Chaffetz. I thank the gentleman.
    We will now recognize the gentlewoman from Illinois, the ranking member of the subcommittee on IT, Ms. Kelly, for five minutes.
    Ms. Kelly. Thank you, Mr. Chair.
    I want to thank our expert witnesses for their participation today, and I thank the chairman and ranking member for holding this important hearing on the OPM data breach.
    As you know, I have the privilege of serving as the ranking member of the IT subcommittee. The issue of data breach is something that Chairman Hurd and I are quite concerned with, and we are looking forward to working with our colleagues to be active in addressing this issue.
    All of us here today should be quite concerned. The OPM breach has raised significant questions about how adequately the personnel information of government employees is stored on government networks. We know that every day our government and American businesses face a barrage of cyber threats.
    We are reminded of many of the high-profile breaches on some of our Nation's most important companies, but there are everyday cyber intrusions of our data that aren't making the headlines. Whether it is criminals beyond our borders profiting from fraud and identity theft, domestic competitors who steal intellectual property to gain advantage, or hacktivists looking to make a statement against governments, cyber crime threatens our national security and economic prosperity.
    Data breaches probably won't end any time soon, but they are something that we can be more aggressive in addressing. As we catch on to cyber attackers' methods, these bad actors will look to innovate their way around newly integrated cyber defenses. This is why we must be just as innovative. That is why we must have a frank conversation today and prepare a multi-front strategy to ward off and diminish the possibility of future data breaches.
    So I thank the committee and our witnesses again for this opportunity to examine the OPM attack and, with that, I yield back.
    Chairman Chaffetz. I thank the gentlewoman.
    It is our intention to hear the ranking member's, Mr. Cummings, statement, but I think what we will do now is swear in the witnesses, hear their statements, then we will go to Mr. Cummings before we get to questions, if that is okay with everybody.
    I will also hold the record open for five legislative days for any members who would like to submit a written statement.
    We will now recognize our first panel of witnesses.
    We are pleased to welcome the Honorable Katherine Archuleta, who is the Director of Office of Personnel Management; Dr. Andy Ozment, Assistant Secretary of the Office of Cybersecurity and Communications at the National Program Preparedness Directorate at the United States Department of Homeland Security; Mr. Tony Scott, U.S. Chief Information Officer of the Office of E-Government and Information Technology at the U.S. Office of Management and Budget; Ms. Sylvia Burns, Chief Information Officer of the United States Department of Interior; Ms. Donna Seymour, Chief Information Officer of the United States Office of Personnel Management; and Mr. Michael Esser, Assistant Inspector General for Audits, Office of The Inspector General at the United States Office of Personnel Management.
    We welcome you all.
    Pursuant to committee rules, witnesses are all to be sworn before they testify. If you will please rise and raise your right hand.
    Do you solemnly swear or affirm that the testimony you are about to give will be the truth, the whole truth, and nothing but the truth?
    [Witnesses respond in the affirmative.]
    Chairman Chaffetz. Thank you. Please be seated.
    Let the record reflect that all witnesses answered in the affirmative.
    In order to allow time for discussion, we would appreciate your limiting your testimony to five minutes. Again, please limit your comments to five minutes. I will be a little bit generous, but five minutes, if you could, and then your entire written statement will be entered into the record.
    At the conclusion of those, then we will hear from Mr. Cummings with his opening statement and we will go to questions from there.
    So, with that, we will now recognize Ms. Archuleta, the Director of the Office of Personnel Management, and you are now recognized for five minutes.

                       WITNESS STATEMENTS

         STATEMENT OF THE HONORABLE KATHERINE ARCHULETA

    Ms. Archuleta. Chairman Chaffetz, Ranking Member Cummings, and members of the committee, I am here today to talk to you about two successful intrusions into OPM's systems and data. But first I want to deliver a message to Federal employees, retirees, and their families. The security of their personnel data is of paramount importance. We are committed to full and complete investigation of these incidents and are taking actions to mitigate vulnerabilities exposed by their intrusions.
    When I was sworn in as Director 18 months ago, I recognized that in order to build and manage an engaged, inclusive and well-trained workforce, that we would need a thorough assessment of the state of information technology at OPM. I immediately became aware of vulnerabilities in our aging legacy systems and I made the modernization and the security of our network one of my top priorities.
    Government and non-government entities are under constant attack by evolving and advanced persistent threats and criminal actors. These adversaries are sophisticated, well-funded, and focused. These attacks will not stop. If anything, they will increase.
    Within the last year, we have undertaken an aggressive effort to update our cybersecurity posture, adding numerous tools and capabilities to our networks. As a result, in April of 2015, an intrusion that predated the adoption of these security controls was detected. We immediately contacted the Department of Homeland Security and the FBI, and together with these partners, initiated an investigation to determine the scope and the impact of the intrusion. In May, the interagency incident response team concluded that the exposure of personnel records had occurred, and notifications to affected individuals began on June 8th and will continue through June 19th.
    As part of our ongoing notification process, we are continuing to learn more about the systems that contributed to individuals' data potentially being compromised. These individuals were included in the previously identified population of approximately 4 million individuals and are being appropriately notified. For example, we have now confirmed that any Federal employee from across all branches of government whose organization submitted service history records to OPM may have been compromised, even if their full personnel file is not stored on OPM's system.
    During the course of the ongoing investigation, the interagency incident response team concluded later in May that additional systems were likely compromised. This separate incident, which also predated deployment of our new security tools and capabilities, remains under investigation by OPM and our interagency partners.
    However, there is a high degree of confidence that systems related to background investigations of current, former and prospective Federal Government employees and those for whom a Federal background investigation was conducted may have been exfiltrated. While we have not yet determined its scope or its impact, we are committed to notifying those individuals whose information may have been compromised as soon as practicable.
    Throughout these investigations, we have provided regular updates to congressional leadership and the relevant committees of these incidents. But for the fact that we implemented new, more stringent security tools, we would have never known that malicious activity had previously existed on that network and would not have been able to share that information for the protection of the rest of the Federal Government.
    In response to these incidents and working with our partners at DHS, we have immediately implemented additional security measures to protect sensitive information and to take steps toward building a simplified, modern, and flexible network structure. We continue to execute on our aggressive plan to modernize OPM's platform and bolster security tools.
    Our 2016 budget request includes an additional $21 million above 2015 funding levels to further the support of the modernization of our IT infrastructure, which is critical to protecting data from the persistent adversaries we face. This funding will help us sustain the network security upgrades and maintenance initiated in fiscal year 2014 and fiscal year 2015 to improve our cyber posture, including advanced tools such as database encryption, stronger firewalls, storage devices, and masking software. The funding will also support the redesign of OPM's legacy network.
    Thank you for this opportunity to testify today and I am happy to address any questions you may have.
    [Prepared statement of Ms. Archuleta follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman Chaffetz. Thank you.
    Dr. Ozment.

                    STATEMENT OF ANDY OZMENT

    Mr. Ozment. Chairman Chaffetz, Ranking Member Cummings, and members of the committee, I appreciate the opportunity to appear before you today.
    Like you, my fellow panelists, and countless Americans, I am deeply concerned about the recent compromise at OPM. I am personally dedicated to ensuring that we take all necessary steps to protect our Federal workforce and to drive forward the cybersecurity of the entire Federal Government.
    Director Archuleta and my written statement both spoke to the facts of the OPM incident, so I want to focus my remarks on how DHS is accelerating our efforts to protect the Federal Government.
    This morning I will discuss how the Department of Homeland Security is protecting civilians, Federal agencies, and helping those agencies better protect themselves.
    Under legislation passed by this Congress last year, Federal agencies are responsible for their own cybersecurity. However, DHS provides a common baseline of security across the civilian government and helps agencies better manage their cyber risks through four key efforts. First, we protect agencies by providing a common set of capabilities through the EINSTEIN and Continuous Diagnostics and Mitigation, or CDM, programs. Second, we measure and motivate agencies to implement best practices; third, we serve as a hub for information sharing. Finally, we provide incident response assistance when agencies suffer a cyber intrusion.
    I will focus this morning on the first area, how DHS provides a baseline of security across the Federal Government through EINSTEIN and CDM. I have described the other three areas in my written statement and am happy to take your questions on them.
    Our first line of defense against cyber threats is the EINSTEIN system, which protects agencies at the perimeter. A useful analogy is that of a physical government facility. In this analogy with the physical world, EINSTEIN 1 is similar to a camera at the entrance to the facility that records the traffic coming and going, and identifies anomalies in the number of cars.
    EINSTEIN 2 adds the ability to detect suspicious cars based upon a watch list and to alert security personnel when a prohibited vehicle is identified. EINSTEIN 2 does not stop cars, but it does set off an alarm.
    EINSTEIN 1 and 2 are fully deployed in screening approximately 90 percent of all Federal civilian traffic, all of the traffic that goes through trusted Internet connections.
    The latest phase of the program, known as EINSTEIN 3A, is akin to a guard post at the highway that leads to multiple government facilities. EINSTEIN 3A uses classified information to look at the cars and compare them with a classified watch list. It then actively blocks prohibited cars from entering the facility.
    We are accelerating our efforts to protect all civilian agencies with EINSTEIN 3A. The system now covers 15 Federal civilian agencies, with over 930,000 Federal personnel, which is approximately 45 percent of the civilian government, and those are protected with at least one of two security countermeasures. That is about double the coverage we had just nine months ago.
    During this time, EINSTEIN 3A has blocked over 550,000 attempts to access potentially malicious Web sites, which is one of our two countermeasures. EINSTEIN played a key role in identifying the recent compromise of OPM data at the Department of Interior.
    As we accelerate EINSTEIN deployment, we also recognize that security cannot be achieved through only one type of tool. EINSTEIN will never be able to block every threat. For example, it must be complemented with systems and tools to monitor inside agency networks. Our CDM program addresses this challenge.
    Returning to our analogy of a government facility, CDM Phase 1 allows agencies to continuously check building locks and security cameras to ensure they are operated as intended. Continuing the analogy, the next two phases will monitor personnel in the facility to ensure they are not engaged in unauthorized activity, and it will assess activity across the facility to detect unusual patterns.
    We have provided CDM Phase 1 capabilities to eight agencies, covering over 50 percent of the Federal Government, and we expect to cover 97 percent of the Government by the end of this fiscal year.
    Now, the deadlines I have just told you are when DHS will provide a given capability. It will take a few additional months for agencies to fully implement their side of both EINSTEIN and CDM once they are available. And, of course, agencies must supplement EINSTEIN and CDM with additional tools appropriate to their needs.
    I would like to conclude by noting that Federal agencies are a rich target and will continue to experience frequent attempted intrusions. This problem is not unique to the government. As our detection methods continue to improve, we will in fact detect more incidents, incidents that are already occurring and we just didn't know it yet.
    The recent breach of OPM is emblematic of this trend, as OPM was able to detect the intrusion by implementing cybersecurity best practices recommended by DHS. We are facing a major challenge in protecting our most sensitive information against sophisticated, well resourced, and persistent adversaries.
    Further, the entire Nation is now making up for 20 years of under-investment in our Nation's cybersecurity in both the public and private sectors. In response, we in the government are accelerating the deployment of the tools we have and are bringing cutting-edge capabilities online, and we are asking our partner agencies and Congress to take action and work with us to strengthen the cybersecurity of Federal agencies.
    Thank you again for the opportunity to appear today, and I look forward to any questions.
    [Prepared statement of Mr. Ozment follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chairman Chaffetz. Thank you.
    Mr. Scott, you have a very impressive background. Your joining the Federal Government is much appreciated. We look forward to hearing your testimony. You are now recognized for five minutes.

                    STATEMENT OF TONY SCOTT

    Mr. Scott. Thank you, Chairman Chaffetz, Ranking Member Cummings, members of the committee. Thank you for the opportunity to appear before you today. And I appreciate the opportunity to speak with you about recent cyber incidents affecting Federal agencies.
    I would like to start by highlighting a very important point, which has been mentioned already and of which I am sure you are aware. Both state and non-state actors who are well financed, highly motivated, and persistent are attempting to breach both government and non-government systems every day, and these attempts are not going away. They will continue to accelerate on two fronts, first, the attacks will become more sophisticated and, second, as we remediate and strengthen our own practices, our detection capabilities will improve.
But \nthat means we have to be as nimble, as aggressive, and as well-\nresourced as those who are trying to break into our systems.\n    Confronting cybersecurity threats on a continuous basis is \nour Nation\'s new reality, a reality that I faced in the private \nsector and am continuing to see here in my new role as Federal \nChief Information Officer.\n    As Federal CIO, I lead the Office of Management and \nBudget\'s Office of E-Government and Information Technology. My \noffice is responsible for developing and overseeing the \nimplementation of Federal information technology policy. And \neven though my team has a variety of responsibilities, I will \nfocus today\'s remarks on cybersecurity.\n    Under the Federal Information Security Modernization Act of \n2014, most of us know this as FISMA, OMB is responsible for \nFederal information security oversight and policy issuance. OMB \nexecutes its responsibilities in close coordination with its \nFederal cybersecurity partners, including the Department of \nHomeland Security and the Department of Commerce National \nInstitute of Standards and Technology.\n    As I mentioned in front of this committee in April, OMB \nalso recently announced the creation of the first ever \ndedicated cybersecurity unit within my office. This is the team \nthat is behind the work articulated in the fiscal year 2014 \nFISMA report which highlighted both the successes and \nchallenges facing Federal agencies\' cybersecurity programs.\n    In fiscal year 2015, the E-Gov Cyber Unit is targeting \noversight through CyberStat reviews, prioritizing agencies with \nhigh risk factors as determined by cybersecurity performance \nand incident data. My colleagues will fully address the recent \ncyber incidents affecting the Office of Personnel Management, \nknown as OPM.\n    In terms of the role of OMB, my office monitors very \nclosely all reports of incidents affecting Federal networks and \nsystems. 
We use these reports to look for trends and patterns, \nas well as for areas where our government-wide processes, \npolicies, and practices can be strengthened. We then update our \nguidance and coordinate with other agencies to ensure that that \nguidance is implemented.\n    As you heard from me last week, the recently-passed Federal \nInformation Technology Acquisition Reform Act, known as FITARA, \nand our guidance associated with that legislation strengthens \nthe role of the CIO in agency cybersecurity.\n    In this case, OPM notified OMB in April 2015 of an incident \naffecting data in transit in its network. OPM reported that \nthey were working closely with various government agencies on a \ncomprehensive investigation and response to this incident. We \nhave been actively monitoring the situation and have engaged in \nmaking sure that there is a government-wide response to the \nevents that OPM.\n    To further improve Federal cybersecurity infrastructure and \nto protect systems against these evolving threats, OMB launched \na 30-day Cybersecurity Sprint last week. The Sprint will focus \non two areas: first, an interagency team is creating a set of \naction plans and strategies to further address critical \ncybersecurity priorities; second, agencies were directed to \naccelerate efforts to deploy threat indicators, patch critical \nvulnerabilities, and tighten policies and practices for \nprivileged users, and to dramatically accelerate implementation \nof multi-factor authentication.\n    In closing, I want to underscore a critical point I made at \nthe beginning of this testimony: both State and non-State \nactors are attempting to breach government and non-government \nsystems in a very aggressive way. It is not going to go away, \nand we are going to see more of it. 
Ensuring the security of \ninformation on Federal Government networks and systems will \nremain a core focus of the Administration as we move \naggressively to implement innovative protections and response \nto new challenges as they arise. In addition to the actions we \nare taking, we also look forward to working with Congress on \nlegislative actions that may further protect our Nation\'s \ncritical networks and systems.\n    I thank the committee for holding this hearing and for your \ncommitment to improving Federal cybersecurity. I would be \npleased to answer any questions you may have.\n    [Prepared statement of Mr. Scott follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Chairman Chaffetz. Thank you.\n    Ms. Burns, you are now recognized for five minutes.\n\n                   STATEMENT OF SYLVIA BURNS\n\n    Ms. Burns. Thank you. Good morning, Chairman Chaffetz, \nRanking Member Cummings, and distinguished members of the \ncommittee. My name is Sylvia Burns and I am the Chief \nInformation Officer for the U.S. Department of the Interior. I \nappreciate the opportunity to testify regarding DOI\'s efforts \nto secure and protect agency, customer, and employee data in \nthe wake of recently discovered cyber intrusion.\n    Additionally, we appreciate having had the opportunity to \nprovide a classified briefing on the cyber intrusion for \nmembers of your committee staff and other congressional staff \non May 21st, 2015.\n    Cyber intruders executed very sophisticated tactics to \nobtain unauthorized access to OPM data hosted in a DOI data \ncenter which contained sensitive personally identifiable \ninformation. The incident was and remains under active \ninvestigation. 
At present, the effort has not discovered \nevidence that any data other than OPM data was exfiltrated.\n    DOI has initiated a major planning effort to address short, \nmedium and long-term remediation to strengthen our security \nprotections and reduce risks to the Department, our employees, \nour customers, and our partners. DOI takes the privacy and \nsecurity of this data very seriously.\n    In April, DHS\'s U.S. Computer Emergency Readiness Team, US-\nCERT, informed DOI about a potential malicious activity which \nwas later determined to be a sophisticated intrusion on DOI\'s \nnetwork. DOI immediately began working with US-CERT, the FBI, \nand other Federal agencies to initiate an investigation and \ndetermine what information may have been compromised. DOI \nallowed DHS and the other investigating agencies immediate \naccess to the DOI computer systems and DOI dedicated people to \nsupport the investigation.\n    Although there is evidence that the adversary had access to \nthe DOI data center\'s overall environment, today the \ninvestigation has not discovered evidence that any data other \nthan OPM data was exfiltrated. However, the investigation \nremains ongoing.\n    Concurrent with the investigation, DOI immediately \ninitiated a major planning effort to address short, medium and \nlong-term remediation to strengthen our cybersecurity \nprotections. We undertook those efforts in the context of other \ncybersecurity improvements which were already underway pursuant \nto the Department\'s commitment to the Administration\'s \ncybersecurity cross-agency priority goals, as well as DHS\'s CDM \nprogram. We have now accelerated our work on preexisting \nefforts while devising and implementing new security measures \nin consultation with the investigating agencies with the \nexpertise related to this particular threat.\n    Activities underway include working with DHS to scan for \nspecific malicious indicators across the entire DOI network. 
As \npart of DHS\'s binding operational directive, we are identifying \nand mitigating critical IT security vulnerabilities for all \ninternet-facing systems, and at the direction of the Secretary \nand Deputy Secretary we are doing the same for all of DOI\'s IT \nsystems. This includes systems that are for DOI\'s internal use \nas well as systems for the public and non-DOI users.\n    We are acquiring and implementing new capabilities that \nwill help us to detect and respond quickly to new intrusions. \nWe continue to meet with interagency partners to learn about \ntheir activities and leverage their knowledge to make \nadditional improvements to our cybersecurity posture at DOI. We \nare fully enabling two-factor authentication for all users.\n    DOI\'s existing long-term plan includes several agency-wide \nstrategic initiatives, including continuing our commitment to \nDHS\'s CDM program. We are almost done implementing hardware and \nsoftware asset management, and we will be adding new \ncapabilities for application whitelisting, network access \ncontrol, and dashboarding functionality to provide a \ncomprehensive view of the Department\'s security posture.\n    We are strengthening DOI\'s cybersecurity and privacy \nworkforce so that we have knowledgeable and experienced people \nto address current and future threats facing the agency. We are \ndesigning and implementing increased network segmentation so \nthat, if an intrusion occurs within one component of our \nnetwork, we can better limit the extent of the exposure. We are \nevaluating data protection technologies, such as information \nrights management, for potential future investments.\n    Again, DOI takes the privacy and security of its data very \nseriously. We are committed to supporting and continuing the \ninvestigation regarding the incident affecting OPM data. 
\nFurthermore, we will continue to be an active participant in \nthe ongoing efforts by the Federal Government to improve our \nNation\'s overall cybersecurity posture.\n    Chairman Chaffetz, Ranking Member Cummings, and members of \nthe committee, this concludes my prepared statement. I would be \nhappy to answer any questions that you may have.\n    [Prepared statement of Ms. Burns follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Chairman Chaffetz. Thank you.\n    Ms. Seymour, you are now recognized for five minutes.\n\n                 STATEMENT OF DONNA K. SEYMOUR\n\n    Ms. Seymour. My remarks were included with the Director. \nThank you for having me here today, Chairman Chaffetz and \nRanking Member Cummings, and I will be happy to answer \nquestions.\n    Chairman Chaffetz. Mr. Esser, you are now recognized for \nfive minutes.\n\n                 STATEMENT OF MICHAEL R. ESSER\n\n    Mr. Esser. Chairman Chaffetz, Ranking Member Cummings, and \nmembers of the committee, good morning. My name is Michael R. \nEsser. I am the Assistant Inspector General for Audits at U.S. \nOffice of Personnel Management.\n    Thank you for inviting me to testify at today\'s hearing on \nthe IT security audit work performed by the OPM Office of the \nInspector General.\n    Today I will be discussing OPM\'s long history of systemic \nfailures to properly manage its IT infrastructure, which we \nbelieve ultimately led to the breaches we are discussing today.\n    There are three primary areas of concern that we have \nidentified through our audits during the past several years: \ninformation security governance, security assessment and \nauthorization, and technical security controls.\n    Information security governance is the management structure \nand processes that form the foundation of a successful security \nprogram.\n    For many years, OPM operated in a decentralized manner, \nwith the agency\'s program offices managing their IT systems. 
\nThe agency\'s CIO had ultimate responsibility for protecting \nthese systems, but often did not have the access or control to \ndo so. The program office staff responsible for IT security \nfrequently had no IT background and performed this function in \naddition to their other full-time roles.\n    As a result of this decentralized structure, many security \ncontrols remained unimplemented or untested, and all of our \nFISMA audits between 2007 and 2013 identified this as a serious \nconcern.\n    However, in 2014, OPM took steps to centralize IT security \nresponsibility with the CIO. This new structure has resulted in \nimprovement in the consistency and quality of security \npractices at OPM. Although we are optimistic about these \nimprovements, it is apparent that the OCIO is still negatively \nimpacted by years of decentralization.\n    The second topic is security assessments and authorization. \nThis is a comprehensive assessment of each IT system to ensure \nthat it meets the applicable security standards before allowing \nthe system to operate.\n    OPM has a long history of issues related to system \nauthorization as well. In 2010 and 2011 we noted serious \nconcerns in this area, but, after improvements were made, \nremoved it as an audit concern in 2012.\n    However, problems with OPM system authorizations have \nreappeared. In 2014, 21 OPM systems were due to receive a new \nauthorization, but 11 were not authorized by year-end. \nRecently, the OCIO has temporarily put authorization efforts on \nhold while it modernized OPM\'s IT infrastructure in response to \nsecurity breaches, and so it is likely that the number will \nincrease. While we support the effort to modernize systems, we \nbelieve that authorization activities should continue.\n    The third topic relates to OPM\'s use of technical security \ncontrols. OPM has implemented a variety of controls and tools \nto make the agency\'s IT systems more secure. 
However, such \ntools are only helpful if they are used properly and cover the \nentire technical infrastructure. We have concerns that they are \nnot.\n    For example, we were told that OPM performs vulnerability \nscans on all computer servers using automated scanning tools. \nAlthough OPM was performing the scans, our audit also found \nthat some were not done correctly and that some servers were \nnot scanned at all.\n    One significant control that is lacking altogether is the \nrequirement for PIV credentials for two-factor authentication \nto access information systems. We also determined that OPM does \nnot have an accurate centralized inventory of all servers and \ndatabases. Even if all OPM security tools were being used \nproperly, OPM cannot fully defend its network without a \ncomprehensive list of assets.\n    In closing, it is clear that even though security \nresponsibility is now highly centralized under the OCIO, the \nrecent security breaches indicate that OPM still has \nsignificant work to do to identify all of the assets and data \nthat it is tasked with protecting and then take the steps to do \nso.\n    Thank you for your time, and I am happy to answer any \nquestions you may have.\n    [Prepared statement of Mr. Esser follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Chairman Chaffetz. Thank you.\n    We now recognize the ranking member, Mr. Cummings of \nMaryland, for five minutes.\n    Mr. Cummings. Thank you very much, Mr. Chairman.\n    The recent cyber attack against the Office of Personnel \nManagement is the latest in a series of aggressive attacks \nagainst our Nation in both the public and private sectors.\n    I want to put up a slide that lists some of the most \nsignificant breaches over the past few years.\n    [Slide shown.]\n    Mr. Cummings. Anthem, 80 million people; JPMorgan, 76 \nmillion people; Target, 70 million people; OPM, at least 4 \nmillion so far. 
Then there was the Postal Service, Sony \nPictures, and USIS. This is not a comprehensive list by any \nmeans.\n    Ladies and gentlemen, when you see this list, the picture \nis clear: the United States of America is under attack. \nSophisticated cyber spies, many from foreign countries, are \ntargeting the sensitive personal information of millions, \nmillions of Americans. They are attacking our government, our \neconomy, our financial sector, our healthcare system, and \nvirtually every single aspect of our lives.\n    For more than two years I have been pressing for our \ncommittee to investigate these cyber attacks, so I thank the \nchairman for holding today\'s hearing, and I hope we will hold \nsimilar hearings on many of these other attacks as well.\n    With respect to the attack against OPM, my primary concern \nis who was targeted, government workers, and what foreign \ngovernments could do with this information. I have several \nquestions for OPM.\n    How many Federal employees were indeed affected? What kind \nof information was compromised? And what steps are being taken \nto help these employees now? I also want to know how these \nattackers got inside of OPM\'s networks.\n    Last year, cyber attackers penetrated the networks of USIS \nand Keypoint, two contractors that perform background checks \nfor security clearances on behalf of OPM.\n    One of the most critical questions we have today is, did \nthese cyber attackers gain access to OPM\'s data systems using \ninformation they stole from USIS or Keypoint last year. Did \nthey get the keys to OPM\'s network from one of its contractors?\n    Mr. Chairman, I asked you to invite both Keypoint and USIS \nrepresentatives here to testify today. You agreed to invite \nUSIS, but last night they refused, just as they have refused \nrepeated requests for information over the past year. 
They did \nnot offer someone else they thought would be appropriate; they \nsimply refused.\n    I do not say this lightly, Mr. Chairman, but I believe USIS \nand its parent company may now be obstructing this committee\'s \nwork. We have suggested previously that the committee hold a \ntranscribed interview. Given the history of noncompliance at \nUSIS, I believe this may be one of the only ways to obtain the \ninformation we are seeking.\n    Mr. Chairman, over the past two years I have also been \npressing to investigate ways to better protect personal \ninformation that belongs to the American people: their \nfinancial records, their medical records, their credit card \ninformation, their Social Security numbers, and a host of other \ninformation they want to keep secure.\n    I sought advice from some of the Nation\'s top information \nsecurity experts in private business and government. These \nexperts warn that we cannot rely primarily on keeping the \nattackers out. We need to operate with the assumption that the \nattackers are already inside. They are already there.\n    Last week, one of the world\'s foremost cybersecurity firms, \nKaspersky Labs, was penetrated in a cyber attack, and, \naccording to FireEye, one of the companies my staff spoke with, \nthe average amount of time a hacker remains undetected is more \nthan 200 days. That is a lot of time.\n    Obviously, we need strong firewalls and other defenses to \nkeep attackers out. But experts recommend much more aggressive \nmeasures to wall off or segregate data systems to minimize the \nimpact of inevitable data breaches in the future. Practices \nlike data masking, redaction and encryption must become the \nnorm rather than the exception.\n    Finally, we need to remember who the bad guys are here. \nThey are not U.S. companies or Federal workers who are trying \nto keep our information safe. 
The bad guys are the foreign \nnations and other entities behind these devastating attacks.\n    According to law enforcement officials, North Korea, China, \nRussia, and Iran are the most advanced persistent threats to \nthis Nation\'s cybersecurity. So, as we move forward today, I \nwant to caution everyone that as much as we want to learn about \nthis attack, we have to do so in a responsible way. A lot of \nthe information about the attack is classified, and the last \nthing we want to do is give our enemies information or \ncompromise active law enforcement investigations.\n    We are having a classified briefing for members at 1:00 \np.m. today, so I encourage everyone to attend.\n    As I close, Mr. Chairman, I want to thank you again for the \nbipartisan approach that you have taken on this issue, and I \nhope we can continue to investigate these and other breaches to \nidentify common threats against our Country and the best ways \nto counter them.\n    With that, I yield back.\n    Chairman Chaffetz. Thank you.\n    I now recognize myself for five minutes.\n    Ms. Archuleta, my question for you is, how big was this \nattack? How many Federal workers have been compromised? We have \nheard 4 million, we have heard 14 million. What is the right \nnumber?\n    Ms. Archuleta. During the course of the ongoing \ninvestigation into the cyber intrusion of OPM, the compromise \nof personnel records of current and former Federal employees \nthat we announced last week, that number is approximately 4.2 \nmillion. 
In addition, in the investigation of that breach, we \ndiscovered, as I mentioned in my testimony, an additional OPM \nsystem was compromised, and these systems included information \nbased on the background investigations of current, former, and \nprospective Federal Government employees, as well as other \nindividuals.\n    Because different agencies feed into OPM background \ninvestigation systems in different ways, we are working with \nthe agencies right now to determine how many of their employees \nwere affected. We do not have that number at this time, but we \nwill get back to you once we have more information.\n    Chairman Chaffetz. What is your best estimate? Is the 14 \nmillion wrong or accurate?\n    Ms. Archuleta. As I said before, we do not have an estimate \nbecause this is an ongoing investigation.\n    Chairman Chaffetz. How far back does it go? You are talking \nabout former employees, current employees, and potential \nemployees, so how far back does this information go that was in \nyour system?\n    Ms. Archuleta. Thank you for that question, Mr. Chaffetz. I \nwould have to respond again because it is an ongoing \ninvestigation----\n    Chairman Chaffetz. It has nothing to do with impeding an \ninvestigation. You should know what information you have and \nwhat you don\'t. So this is not going to slow down any \ninvestigation. People have a right to know. The employees have \na right to know. How far back does your information and \ndatabase go that was compromised?\n    Ms. Archuleta. The legacy systems date back to 1985, but I \ndo not----\n    Chairman Chaffetz. So anything that is 1985----\n    Ms. Archuleta. No, sir, that would not be correct.\n    Chairman Chaffetz. You don\'t know. Does it include military \npersonnel?\n    Ms. Archuleta. As I said, this is an ongoing investigation.\n    Chairman Chaffetz. It is a yes or no question. Does it \ninclude military personnel?\n    Ms. Archuleta. 
I would be glad to discuss that in a \nclassified setting.\n    Chairman Chaffetz. Does it include contractor information?\n    Ms. Archuleta. Again, I would be glad to discuss that in a \nclassified setting.\n    Chairman Chaffetz. There is nothing classified as to what \ninformation this includes. Does it include CIA personnel?\n    Ms. Archuleta. I would be glad to discuss that in a \nclassified setting.\n    Chairman Chaffetz. Does it include anybody who has filled \nout SF 86, the Standard Form 86?\n    Ms. Archuleta. The individuals who have completed an SF 86 \nmay be included in that, and we can provide additional \ninformation in a classified setting.\n    Chairman Chaffetz. Why wasn\'t this information encrypted?\n    Ms. Archuleta. The encryption is one of the many tools that \nsystems can use. I will look to my colleagues at DHS for their \nresponse.\n    Chairman Chaffetz. No, I want to know from you why the \ninformation wasn\'t encrypted. This is personal, sensitive \ninformation; birth dates, Social Security numbers, background \ninformation, addresses. Why wasn\'t it encrypted?\n    Ms. Archuleta. Data information encryption is valuable----\n    Chairman Chaffetz. Yeah, it is valuable. Why wasn\'t it?\n    Ms. Archuleta.--and is an industry best practice. In fact, \nour cybersecurity framework promotes encryption as a key \nprotection method.\n    Chairman Chaffetz. Why didn\'t you----\n    Ms. Archuleta. Accordingly, OPM does utilize encryption----\n    Chairman Chaffetz. We didn\'t ask you to come read \nstatements. I want to know why you didn\'t encrypt the \ninformation.\n    Ms. Archuleta. An adversary possessing proper credentials \ncan often decrypt data. It is not feasible to implement on \nnetworks that are too old. The limitations on encryption\'s \neffectiveness are why OPM is taking other steps such as limiting \nadministrator\'s accounts and requiring multi-factor \nauthentication.\n    Chairman Chaffetz. 
Okay, well, it didn\'t work, so you \nfailed. Okay? You failed utterly and totally. So the inspector \ngeneral, November 12th, 2014, we recommend that the OPM \ndirector consider shutting down information systems that do not \nhave current and valid authorization, and you chose not to. \nWhy?\n    Ms. Archuleta. I appreciate the report by the IG. We work \nvery closely with our IG and take very seriously----\n    Chairman Chaffetz. Okay, but he had a very serious \nrecommendation to shut down the system. That is how bad it was. \nAnd you said no.\n    Ms. Archuleta. I would like to turn that over to my \ncolleague.\n    Chairman Chaffetz. No, I would like you to answer that \nquestion. It says we recommend that the OPM director consider \nshutting it down. Your response back from the Office of Chief \nInformation Officer, ``The IT program managers will work with \nthe ISSOs to ensure that OPM systems maintain current ATOs and \nthat there are no interruptions to OPM\'s mission operation.\'\' \nBasically, you said no.\n    The inspector general was right. Your systems were \nvulnerable. The data was not encrypted. It could be \ncompromised. They were right last year. They recommended, it \nwas so bad, that you shut it down, and you didn\'t, and I want \nto know why.\n    Ms. Archuleta. There are many responsibilities we have with \nour data, and to shut down the system we need to consider all \nof the responsibilities we have with the use of our systems.\n    Chairman Chaffetz. So you made a conscious decision knowing \nthat it was vulnerable, that all these millions of records of \nFederal employees was out there? The inspector general pointed \nout the vulnerability and you said no, we are not making a \nchange.\n    Ms. Archuleta. As the director of OPM, I have to take into \nconsideration all of the work that we must do. 
It was my
decision that we would not, but continue to develop the system
and making sure that we have the security within those systems.
    Chairman Chaffetz. And did you do that? You didn't. You
didn't, did you? That didn't happen, did it?
    Ms. Archuleta. The recommendation to close down our systems
came after the adversaries were already in our network.
    Chairman Chaffetz. When did they get in network?
    Ms. Archuleta. It was as a result of our security systems
that we were able to detect this intrusion.
    Chairman Chaffetz. When did they get into the system?
    Ms. Archuleta. We detected the intrusion in April.
    Chairman Chaffetz. Of?
    Ms. Archuleta. Of 2015.
    Chairman Chaffetz. But in November 2014 you didn't know if
they were in there, did you?
    Ms. Archuleta. No, we did not. We did not have the security
systems installed at that time. It was because we were able to
add those security systems that we were able to detect.
    Chairman Chaffetz. So you detected the system? It wasn't a
software provider? You found it yourself?
    Ms. Archuleta. OPM detected the intrusion.
    Chairman Chaffetz. So The New York Times and the others who
wrote that were wrong?
    Ms. Archuleta. That is correct.
    Chairman Chaffetz. Two more questions, with your indulgence
here. How many people have received letters?
    Ms. Archuleta. There is a rolling number as we work from
the first date of notification, January 8th, we will complete
the notification to 4.2 million by June 19th. I am sorry I
don't have the exact number as of today. I would be glad to get
that information for you.
    Chairman Chaffetz. One last question, with everybody's
indulgence here.
    Ms. Archuleta, there was a data breach at OPM in July of
2014, okay? This is what you said about Ms. Seymour. In
December, I was very fortunate to bring Donna Seymour, from the
Department of Defense, onboard. She has great experience with
the IT world and has brought her talents to OPM. It was because
of her leadership and her dedicated employees that we were able
to make sure that none of this personal identifiable
information was compromised.
    This was July of 2014. You cited her and the data breach as
making sure that none of the personal identifiable information
got out the door. Now that it has been hacked, are you going to
give her that same amount of credit?
    Ms. Archuleta. I do give her that same amount of credit,
sir. When I began my tenure as the Director of OPM, one of my
first priorities was to develop an IT strategic plan and to
develop the important pillar of cybersecurity within our
systems. We have worked very hard since that time, and as we
update these legacy systems it is important that we recognize
that there is a persistent and aggressive effort on the part of
these actors to not only intrude in our system, but systems
throughout government and, indeed, in the private sector.
    Chairman Chaffetz. Well, you have completely and utterly
failed in that mission if that was your objective. The
inspector general has been warning about this since 2007. There
has been breach after breach. He recommended shutting it down
last year and you, you made a conscious decision to not do
that. You kept it open. The information was vulnerable and the
hackers got it.
    I don't know if it was the Chinese, the Russians, or
whoever else, but they have it, and they are going to prey upon
the American people. That is their goal and objective, and you
made a conscious decision to leave that information vulnerable.
It was the wrong decision. It was in direct contradiction to
what the inspector general said should happen, and he had been
warning about it for years.
    Ms. Archuleta. I would note that in the IG's report that he
acknowledges the fact that we have taken important steps in
reforming our IT systems. Advanced tools take time.
    Chairman Chaffetz. So what kind of grade would you give
yourself? Are you succeeding or failing?
    Ms. Archuleta. Cybersecurity problems take decades.
    Chairman Chaffetz. We don't have decades. They don't take
decades.
    Ms. Archuleta. I am sorry, cybersecurity problems are
decades in the making. The whole of government is responsible,
and it will take all of us to solve the issue and continue to
work on them. My leadership with OPM is one that instigated the
improvements and changes that recognized the attack.
    Chairman Chaffetz. I yield back.
    I recognize the ranking member, Mr. Cummings, for as much
time as he wants.
    Mr. Cummings. Thank you very much, Mr. Chairman.
    Ms. Seymour, this data breach is particularly concerning
because the individuals who were targeted were government
employees and the suspected attackers are foreign entities. I
am concerned that this breach may pose a national security
threat.
    According to a statement from OPM, the personal information
of approximately 4 million current and former Federal employees
was compromised in this breach. What can you tell us about the
type of personal information that was compromised in this
breach?
    Ms. Seymour. Thank you for the question, sir. The type of
information involved in the personal records breach includes
typical information about job assignments, some performance
ratings, not evaluations, but performance ratings, as well as
training records for our personnel. The information involved in
the background investigations incident involves SF 86 data, as
well as clearance adjudication information.
    Mr. Cummings. So, Social Security numbers?
    Ms. Seymour. Yes, sir. Social Security number, date of
birth, place of birth; typical PII that would be in those types
of files.
    Mr. Cummings. Ms. Seymour, it was reported on Friday that,
in addition to this breach, hackers had breached highly
sensitive information gathered in background investigations of
current and former Federal employees. Is that true?
    Ms. Seymour. Yes, sir, that is.
    Mr. Cummings. Do you know how far back that goes?
    Ms. Seymour. No, sir, I don't. The issue is that these are
longitudinal records, so they span an employee's career. So I
do not know what the oldest record is.
    Mr. Cummings. So it is possible that somebody could be
working for the Federal Government for 30 years and that their
information over that 30 years could have been breached?
    Ms. Seymour. Yes, sir, these records do span an employee's
career.
    Mr. Cummings. So what can you tell us about the type of
information that may have been compromised in the second
breach?
    Ms. Seymour. I believe that that would be a discussion that
would be better had in our classified session this afternoon,
sir.
    Mr. Cummings. Thank you. I am going to come back to you.
    Dr. Ozment, these suspected cyber spies from a foreign
state went after sensitive detailed information about Federal
employees. What could they do with this information? I am
talking to you, yes.
    Mr. Ozment. Ranking member, I am going to have to defer
that question to the intelligence community, who will be a
participant in our classified briefing this afternoon at 1:00.
    Mr. Cummings. All right.
    Experts advise taking steps to mitigate damage from cyber
spying attacks by using tools such as data segmentation, data
masking, and encryption; and the chairman asked about
encryption. I know from past OPM testimony before the committee
that OPM has been a leader in deploying those tools.
    Now, Ms. Seymour, it is kind of hard to understand how
cyber spies could have accessed more than 4 million records if
you were using those tools to the fullest. Ms. Archuleta has a
lot of faith and confidence in you, as the chairman just
stated. Can you explain what happened?
    Ms. Seymour. Thank you, Mr. Cummings, for the question. A
lot of our systems are aged, and implementing some of these
tools take time, and some of them we cannot even implement in
our current environment. That is why, under Director
Archuleta's leadership, we have launched a new program where we
are building a new environment, a new architecture, a modern
architecture that allows us to implement additional security
features.
    In our legacy environment, we have installed numerous
technologies, and that is how we discovered this breach in the
first place. So we are shoring up what we have today, and then
we are building for the future so that we can become more
secure and provide these types of protections to our data and
our systems.
    Mr. Cummings. Well, in the meantime, if we are going to
collect and we are going to store sensitive personal
information, we must make it unusable to our adversaries, if
they are cyber spies, are able to steal it. Would you agree?
OPM, as well as American businesses, have to do a better job of
protecting sensitive information. Would you agree, ma'am?
    Ms. Seymour. Yes, sir.
    Mr. Cummings. Now, Ms. Seymour, do you have the tools now
to do that? Are you trying to tell us you don't?
    Ms. Seymour. OPM has procured the tools, both for
encryption of its databases, and we are in the process of
applying those tools within our environment. But there are some
of our legacy systems that may not be capable of accepting
those types of encryption in the environment that they exist in
today, and that is why it is important for us to focus very
aggressively, very proactively on building out that new
architecture so that, in the future, we will be able to
implement those tools for all of our databases.
    Mr. Cummings. Now, when you talk about the future, I mean,
what are you talking about? Are you talking about three months,
three years?
    Ms. Seymour. We began our program after the March 2014
incident. We worked very closely with our interagency partners
to devise a very aggressive and very comprehensive plan. We
have been implementing that plan since then. We are delivering
what we call our shell, which is the new architecture, we are
delivering that this fall and we will begin looking at our
business systems applications and how we can migrate those into
the new architecture.
    Mr. Cummings. Ms. Seymour, this is the question: We are
collecting data right now. There is people's data that is out
there. And I am talking about, in the meantime, where are we?
In other words, I know you are trying to do some things, but
that doesn't make Federal employees feel pretty good. It
doesn't make me feel good.
    So tell me more. Are you saying that we are just vulnerable
and we don't know when we are going to be able to deploy the
types of systems that you just talked about?
    Ms. Seymour. No, sir. We have done a number of things.
    Mr. Cummings. I am not talking about what you have done. I
am talking about what is going on today.
    Ms. Seymour. That is exactly what I am offering, sir.
    Mr. Cummings. All right.
    Ms. Seymour. We have implemented two-factor authentication
for remote access to our network. That means that without a PIV
card or some other type of device that our users cannot log
into our network remotely. We have implemented additional
firewalls in our network. We have tightened the settings of
those firewalls. We have reduced the number of privileged users
in our account and we have even further restricted the access
privileges that those users have.
    We have made a number of other steps to increase the
security of our existing network. We began that work back last
March and it has continued, and we continue to work with DHS
and our agency partners to test those systems and make sure
that they are working appropriately.
    Mr. Cummings. Now, Mr. Esser, the Office of Inspector
General conducted an audit in 2014, the chairman was talking
about this, of OPM's information security programs and found
several weaknesses. Can you briefly identify what those
weaknesses were that you found?
    Mr. Esser. Yes, sir. The most critical weaknesses that we
identified in our FISMA report from 2014 were the continued
information security governance problems that have existed
since 2007, the decentralization of the controls over systems.
That, however, is an area that is certainly close to being
improved to a full extent.
    Another area of weaknesses were the security assessments
and authorization, which is each system that OPM owns should go
under an assessment every three years and be authorized for
usage. We identified 11 systems at the end of 2014 that had not
been authorized that were due to be authorized.
    The technical security controls was another big area that
we identified. While OPM has implemented a number of strong
tools and is improving in that area, our concern is that some
of those tools were not being used properly and that they do
not have a complete and accurate inventory of databases and
servers that those tools should be applied against.
    Mr. Cummings. So the chairman asked Ms. Archuleta a
question of how she thought she'd done. Based upon that, what
grade would you give?
    Mr. Esser. I don't know that I could give a grade.
    Mr. Cummings. So of all the things that you just stated,
there are certain things that were not done, is that right?
    Mr. Esser. Yes, sir.
    Mr. Cummings. Did any of them lead to this breach, the
things that were not done?
    Mr. Esser. I don't know the exact details of how this
breach occurred, so I really can't answer that question.
Certainly there are a lot of weaknesses at OPM that they are in
the process of trying to address.
    Mr. Cummings. And last, but not least, do you have a silver
bullet to address this issue, sir?
    Mr. Esser. No, sir, I do not. There are very sophisticated
attackers out there and there is no one silver bullet I think
that can be applied that will prevent these types of things
from happening.
    Mr. Cummings. You heard me asking Ms. Seymour about the
fact that we are constantly collecting information, and it
seems as if we are just vulnerable and that there are certain
areas that we may not be able to defend ourselves in. Is that
an accurate statement?
    Mr. Esser. Certainly, there are a lot of things that can be
done to make our systems more secure. Is there something that
can be done to make them impenetrable? Not that I am aware of.
    Mr. Cummings. Thank you very much.
    Chairman Chaffetz. I now recognize the gentleman from
Michigan, Mr. Walberg, for five minutes.
    Mr. Walberg. Thank you, Mr. Chairman. I appreciate the
witnesses being here.
    This morning we have certainly heard that there is no
silver bullet, and I don't think we expected the answer to be,
yes, there is a silver bullet. We are concerned that, knowing
what has been going on, having clear evidence that hackers have
been attempting for quite some time and then, at least those of
us here who trust on agencies and people like yourselves who
know the issues, that some more efforts could have been
successful in stopping the most recent attacks.
    We have heard today that networks aren't compartmentalized,
segmented, in certain cases encrypted; that with the recent
attacks, exterior perimeter has been breached, the attacker
often remains undetected for months. That is concerning. As a
result of that, able to exploit vulnerabilities within the
networks without passing through, and this is most concerning
to me, additional inspection or security measures.
    So, Mr. Scott, as I understand, in the private sectors
there have been shifts towards zero trust model. Ultimately,
given OMB's role in setting metrics for agencies, my question
is can you tell me, tell us what OMB is doing to set IT
security metrics to limit the number of workloads, application
tiers to the networks?
    Mr. Scott. Thank you for the question.
    I think there are a number of things that I would point to
in addition to the measures that you just talked about. The
first one is to share across the Federal Government not only
the lessons learned from OPM, but what we see from other
attacks, whether successful or not, private and public, and
make sure that all agencies are up to speed with the latest
information on the methods of attack, the tools that are used,
and so on.
    Mr. Walberg. That is a weakness right now, is what you are
telling me, that that is not happening?
    Mr. Scott. It has been historically. The ability for the
Government and the private sector to share information has been
a hindrance in our ability to thwart these things.
    But I will say that the specific measure that you
mentioned, the segmentation and zero trust, is something that
is more easily applied to very modern architectures. It is not
as easily applied to some of the oldest and old legacy systems
that we have. And I think that is going to be a challenge for
all agencies where the architecture itself just doesn't lend
itself to the application of certain technologies.
    The best answer, I think, in terms of what we have and
where we go is a model that we are promoting and encouraging
across the agencies, which is defense in depth. It is a number
of different measures to that if one thing doesn't work, you
have the next layer that helps; and if that doesn't work, you
have the next layer. And zero trust is applicable in some of
those environments and, frankly, is very difficult or
impossible to apply in others.
    Mr. Walberg. How far are we from that?
    Mr. Scott. I would say years and years comprehensively. But
one of the things that we are working on right now is
prioritizing based on the highest value assets that the Federal
Government has so that we are going after the most valuable
stuff first and make sure that is protected the best way we
can.
    Mr. Walberg. Ms. Seymour, with the millions of current and
former Federal employees, a lot of them in my district, that
sign on to do the work that we give to them, we appreciate the
work, it is not something they make up. We ask them to do the
Federal jobs that the agencies, the departments that they work
under have been asked to do. They don't expect that their life
will be compromised, their history will be compromised, their
records be compromised.
    When did OPM begin letting victims know of the breach and
the risk to their identities?
    Ms. Seymour. Thank you for your question, sir. I too am a
Federal employee and very concerned about this matter; it is
grave and serious, so I appreciate that.
    We began notifying personnel on June 8th, and will continue
to make those notifications through June 19th. That is for the
personnel records security incident that we have.
    We have not yet been able to do the analysis of the data
that is involved with the background investigations incident.
That is ongoing, and as soon as we can narrow the data that is
involved in that incident, we will make appropriate
notifications for that one as well.
    Mr. Walberg. Okay. Thank you.
    Chairman Chaffetz. Thank you. I thank the gentleman.
    I now recognize the gentlewoman from New York, Mrs.
Maloney, for five minutes.
    Mrs. Maloney. I want to thank the chairman and ranking
member for calling this hearing, and all of our panelists for
your public service.
    As one who represents the city that was attacked by 9/11,
we lost thousands on that day and thousands more are still
dying from health-related causes from that fateful day. But I
consider this attack, I call it an attack on our Country, a far
more serious one to the national security of our Country.
    I would like to ask Mr. Ozment from Homeland Security,
would you characterize this as a large-scale cyber spying
effort? That is what it sounds like to me. What is it?
    Mr. Ozment. I think to speak to whether or not this was a
spying effort, we would have to talk to any understanding of
who the adversaries were and what their intent was, and I think
that is a conversation better reserved for a couple of hours
from now.
    Mrs. Maloney. Do you believe it is a coordinated effort?
They appear to be attacking health records, employment records,
friendship, family, whole backgrounds. It seems to be a large
sphere of information not only from the Government, but private
contractors, individuals; and sometimes it appears targeted
towards Americans who may be serving overseas in sensitive
positions. But would you consider this a coordinated effort?
Can you answer that or is that classified?
    Mr. Ozment. Thank you, Representative. I would defer that
question to the classified briefing.
    Mrs. Maloney. Okay. Thank you.
    Mr. Ozment. But what I would say, if you are willing, is
that----
    Mrs. Maloney. I will be at the 1:00 meeting. Thank you.
    Now, I want to refer to this article, and I would like to
place it in the record. I think it is an important one; it came
from ABC News.
    If I could put it in the record.
    Chairman Chaffetz. Without objection, so ordered.
    Mrs. Maloney. It reports that there seems to be looking at
and gathering information on an SF 18 form, which is a Standard
Form 18, which is required for any employee seeing classified
security clearances, so that would be people in important
positions in our Government. And I won't ask any questions on
it, I will just wait until later at this classified briefing,
but I am extremely disturbed.
    This article also points out that it is not only
individuals that they are going after; they are going after
contractors and those that serve the Government. It mentions in
other reports Lockheed Martin, where they went after their
secure ID program.
    Is that true, Mr. Ozment?
    Mr. Ozment. I can't speak to whether any adversaries have
gone after specific private sector companies.
    Mrs. Maloney. Okay. All right. Then we won't get into that.
    But other press reports said that there was Northrop
Grumman, L3, that they were hit by cyber attacks, and other
Government contractors. Now, one that probably hit Congress is
one in 2013, where the FBI warned that a group called Anonymous
hacked into the U.S. Army, Department of Energy, Department of
Health and Human Services, and many agencies by exploiting a
weakness in Adobe systems.
    Now, I have the Adobe system in my office, so that means
they could have hacked into my office, and probably every other
congressional office.
    Then they talk about going into healthcare. They go into
the Blue Cross Blue Shield system of all the Federal employees.
So it seems like they want a comprehensive package on certain
millions of Americans, many of whom are serving our Country, I
would say at negotiating tables in Commerce, State Department,
probably Defense, and every other aspect of American life and
the world economy.
    But, Mr. Scott, you have been before this committee before
and you announced you were going to review the agencies'
cybersecurity programs to identify risks and implement gaps. I
wonder if you could report on what you learned from this review
and any specific changes in cybersecurity policies, procedures,
or guidance. If you can report on that. Or that may be
classified too. But anything you can share with us on what you
have been doing to act to build some firewalls?
    Mr. Scott. Sure. Well, thank you for the question.
    So we are conducting regular CyberStat reviews with each of
the agencies, and it is along the key lines of many of the
topics we have talked about here: two-factor patching,
minimizing the number of system administrators; all of the I
will call hygiene factors that we think lead to good
cybersecurity.
    Mrs. Maloney. My time has expired, but anything you want to
give to the committee in writing, we would appreciate it. Thank
you.
    Mr. Scott. We would be happy to do so. Thank you.
    Chairman Chaffetz. I thank the gentlewoman.
    I now recognize the gentleman from North Carolina, Mr.
Meadows, for five minutes.
    Mr. Meadows. Thank you, Mr. Chairman.
    Ms. Archuleta, let me come to you. You have been in your
current position since 2013, is that correct?
    Ms. Archuleta. I was sworn in in November 2013.
    Mr. Meadows. So in 2013 you, according to your testimony,
made cyber security the highest priority. I think that is how
you opened up your testimony, that the security of Federal
employees was your highest priority. Is that correct?
    Ms. Archuleta. Yes, sir.
    Mr. Meadows. All right. So help me reconcile, then, if it
is your highest priority, how, when the most recent IG's report
that came out that took security from being a material weakness
is how it was characterized before you got there, to
significant deficiency, how would you reconcile highest
priority and significant deficiency as being one and the same?
    Ms. Archuleta. Thank you for your question.
    As I mentioned earlier, one of the first things that we
did, or I did, for OPM was to develop, within 100 days, an IT
strategic plan, and the issues that the IG just mentioned, in
terms of IT governance and IT leadership, as well as IT
architecture, IT agility, IT data, and IT cybersecurity, were
all strong components of this IT plan; and the IG recognized
those steps and the strategic plan that we developed.
    Mr. Meadows. But he did recognize it.
    I only have five minutes, so I can't let you just ramble on
with all of these things. So let me ask you how, if he
recognized that, would he still characterize it as significant
deficiencies?
    Ms. Archuleta. As we were instituting the improvements that
we were making, he was also, at the same time, conducting his
audit. His audit was conducted in the summer of 2014, when we
were beginning to implement our strategic plan, and the IG has
continued to work with us and we have taken his recommendations
very seriously.
    Mr. Meadows. You have taken them seriously, so have you
implemented all of them? Yes or no? Just yes or no.
    Ms. Archuleta. We have implemented many of them and are in
the process of implementing others.
    Mr. Meadows. So have you implemented all of those?
    Ms. Archuleta. As I said, sir, I have implemented many of
them and continue to work----
    Mr. Meadows. So you will implement all of them?
    Ms. Archuleta. We are looking at each of those
recommendations very seriously.
    Mr. Meadows. Not looking. Will you implement? Can you
assure the Federal workers that you are going to implement all
the recommendations that the IG recommended to you, yes or no?
    Ms. Archuleta. We are working very closely with the IG to----
    Mr. Meadows. I will take that as a no.
    All right, so let me go on further, then, because I am very
concerned that here we have not even notified most of the
Federal employees. We have known about it. They continue to not
be notified, and yet here you are saying that you have
different priorities. Because when Chairman Chaffetz asked you
about why did you not shut it down, you said, well, OPM has a
number of other responsibilities. Is that correct? That was
your answer to Chairman Chaffetz.
    Ms. Archuleta. We house a variety of data, not just data on
employee personnel files. We also house health care data; we
employ other records, and the result----
    Mr. Meadows. So what you are saying is it was better that
you supplied that and put Federal workers at risk versus making
it, according to your words, the highest priority to make sure
that the information was not compromised. If it is your highest
priority, why didn't you shut it down like Mr. Chaffetz asked
and like was recommended? Why didn't you shut it down?
    Ms. Archuleta. In our opinion, we were not able to shut it
down in view of all of the responsibilities we hold at OPM. We
do take seriously----
    Mr. Meadows. So, in your opinion, protecting Federal
workers then could not have been your highest priority, because
there were competing, I guess, priorities, and you said it was
better that you continued on with the others versus protecting
the Federal workforce.
    Ms. Archuleta. As I said, the recommendations that the IG
gave to us are ones that we take very seriously, sir. I don't
want to characterize that we didn't. In fact, we did take them
in ongoing conversations.
    Mr. Meadows. Okay. There is a quote that says what we
occasionally have to look at, no matter how beautiful the
strategy, we have to occasionally look at the results. And the
results here are pretty profound that we have security risks
all over. And I would encourage you to take it a little bit
more serious and, indeed, make it your highest priority.
    I yield back. Thank you, Mr. Chairman.
    Chairman Chaffetz. Thank the gentleman.
    Now recognize the gentleman from Massachusetts, Mr. Lynch,
for five minutes.
    Mr. Lynch. Thank you, Mr. Chairman.
    I want to thank our panel for your help.
    I want to associate myself with the remarks of the ranking
member and the chairman today, which doesn't always happen.
    Chairman Chaffetz. Duly noted.
    Mr. Lynch. I would like to ask unanimous consent if I might
enter into the record the remarks of Colleen M. Kelly, National
President of the National Treasury Employees Union, and also a
letter from J. David Cox, who is the President of the American
Federation of Government Employees, AFL-CIO.
    Chairman Chaffetz. Without objection, so ordered.
    Mr. Lynch. I want to also read the first three paragraphs.
This is a letter from the president of the American Federation
of Government Employees, AFL-CIO, J. David Cox, to the
Honorable Katherine Archuleta.
    It says, Dear Honorable Archuleta, I am writing in
reference to the data breach announced by the Office of
Personnel Management. And this was dated last week. In the days
since the breach was announced, very little substantive
information has been shared with us, despite the fact that we
represent more than 670,000 Federal employees in departments and
agencies throughout the executive branch.
    OPM has attempted to justify the withholding of information
on the breach by claiming that the ongoing criminal
investigation restricts your ability to inform us of exactly
what happened, what vulnerabilities were exploited, who was
responsible for the breach, and how damage to affected
individuals might be repaired and compensated.
    Based on sketchy information that OPM has provided, we
believe that the central personnel data file was the targeted
database and that the hackers are now in possession of all
personnel data for every Federal employee, every Federal
retiree, and up to 1 million former Federal employees. We
believe the hackers have every affected person's Social
Security number, military record, veteran status, address,
birth date, job and pay history, health insurance, life
insurance, email, pension information, age, gender, race, union
status, and a lot more.
    Worst of all, we believe the Social Security numbers were
not encrypted, a basic cybersecurity failure that is absolutely
indefensible and outrageous.
    So, Ms. Archuleta, were the Social Security numbers
encrypted?
    Ms. Archuleta. OPM is in the process of----
    Mr. Lynch. Ms. Archuleta, is that an I don't know?
    Ms. Archuleta. I don't believe that the Social Security----
    Mr. Lynch. Can we just stick to a yes or no?
    You know what, this is one of these hearings where I think
I am going to know less coming out of this hearing than I did
when I walked in because of the obfuscation and the dancing
around that we are all doing here.
    Matter of fact, I wish that you were as strenuous and hard
working at keeping information out of the hands of hackers as
you are keeping information out of the hands of Congress and
Federal employees. It is ironic. You are doing a great job
stonewalling us, but hackers not so much.
    So were the Social Security numbers encrypted, yes or no?
    Ms. Archuleta. No, they were not encrypted.
    Mr. Lynch. There you go. There you go. Now we are getting
somewhere.
    That is pretty basic, though. That is pretty basic,
encrypting Social Security numbers.
    So all this happy talk about these complex systems we are
going to come up with, you are not even encrypting people's
Social Security numbers. That is a shame.
    Let me ask you about this Standard Form 86. Now, for those
of you, obviously you know that Standard Form 86 is what we
require employees to fill out if they are going to receive a
security clearance. So these are people who have sensitive
information. And we drill down on these folks. This is a copy
of the application. It is online if people want to look at it;
it is 127 pages online.
    And we ask them everything; what kind of underwear they
wear, what kind of toothpaste. I mean, it is a deep dive. And
that is for a good reason, right? Because we want to know, when
people get security clearance, that they are trustworthy. There
is information here if you have ever been arrested; your
financial information is in here. There is a lot of information
in this form.
    They hacked this. They hacked this. They got this
information on Standard Form 86. So they know all these
employees and everything about them that we ask them in the
Standard Form 86.
    Isn't that right, Ms. Seymour?
    Ms. Seymour. I believe that is a discussion that would best
be held until this afternoon, sir.
    Mr. Lynch. That is probably a yes.
    Like I say, I think you have to be honest with your
employees, and I think that, in order to protect them, we need
to let them know what is going on, because they have the email
addresses in here as well, several, your first, your second,
your third email address; and all that information is out
there. So we need to be a little bit more, not a little bit
more, we need to be more forthcoming with our own employees.
These are people who work for us, and a lot of them deserve a
lot more protection than they are getting right now from the
United States Government and from the Office of Personnel
Management.
    I see my time has expired. I appreciate the indulgence of
the chairman and I yield back.
    Chairman Chaffetz. I thank the gentleman.
    Now we recognize the gentleman from South Carolina, Mr.
Mulvaney, for five minutes.
    Mr. Mulvaney. Thank you, Mr. Chairman.
    Many of us are often uncomfortable asking questions in this
type of setting, because obviously we don't want to ask
questions the answers to which should be kept confidential. So
I encourage you in advance, if I ask you something that we
should talk about in a different setting, that is an acceptable
answer.
    But I sort of feel like in Mr. Lynch in that I don't know
if I get my hands around exactly what we are learning. So let's
start with this. I am going to follow up on a question that Mr.
Meadows asked of Ms. Archuleta, which is, he asked you if you
were going to implement all of the IG's recommendations. You
said you were working with the IG.
    Whether or not that was a yes or no answer, I agree with
Mr. Meadows, probably closer to no, so let me address it like
this. Can you name for me some of the IG recommendations that
you are pushing back against or that you are not interested in
implementing?
    Ms. Archuleta. I don't have the specific recommendations in
front of me, and I would be very glad to come back and talk
about that.
    Mr. Mulvaney. Okay.
    Ms. Archuleta. But what I would like to say, sir, is that
as we look at the recommendations by the IG, we work with him
so that he can fully understand where we have moved in our
security efforts and also to understand his observations. And
that is the normal audit process and we continue to go through
that with him and update him on a regular basis.
    Mr. Mulvaney. And we get IGs in here all the time and that
makes perfect sense. What bugs me, Ms. Archuleta, is that back
in the end of 2014 they recommended, in fact, it was their
third recommendation, that all active systems in OPM's
inventory have a complete and current authorization. Your
response to that was saying, ``We agree that it is important to
maintain up to date and valid ATOs for all systems, but we do
not believe that this condition rises to the level of a
material weakness.''
    Do you believe that your opinion on that has changed since
November of 2014, Ms. Archuleta?
    Ms. Archuleta. I appreciate all of the information and the
recommendations that the IG has given us, and we will continue
to work with him----
    Mr. Mulvaney. I didn't ask you that. Do you still believe
now, knowing what you know now, that that condition did not
rise to the level of material weakness?
    Ms. Archuleta. Sir, we are working with a legacy system.
    Mr. Mulvaney. I didn't ask you that, Ms. Archuleta.
    Ms. Archuleta. As to the recommendations that he has made
to us, we are working through those to the best of our ability.
    Mr. Mulvaney. That is what frightens me, Ms. Archuleta,
that this is the best of your ability.
    Let me see if I can just get some summary information here
as I go back and try to explain to folks back home. I have
heard that it was just people in the executive branch. I open
this to anybody who might be able to answer this. Are we still
saying that the only people whose data was exposed were folks
who worked within the executive branch of Government?
    Ms. Seymour. Sir, this is an ongoing investigation, and as
we uncover new information we are happy to share it with you.
    Mr. Mulvaney. Right.
    Ms. Seymour. We are not necessarily restricted to the
executive branch because there are people who work in the
executive branch today who worked in the legislative branch----
    Mr. Mulvaney. And I got that notice, Ms. Seymour. I got the
notice and it says if you work in the executive branch or you
have ever worked in the executive branch, then there is a
chance they got your data, but if you have never worked for the
executive branch, then you don't have to worry.
    Are you still comfortable with that statement?
    Ms. Seymour. No, sir. This is an ongoing investigation and
we are learning new facts every day.
    Mr. Mulvaney. And that is a fair answer. Now, the original
number we heard publicly was 4 million. Is it still 4 million?
I have heard 14 today a couple times. What is the current
estimate of the number of current or previous employees who
have been affected?
    Ms. Seymour. Approximately 4 million is the number that we
are making notifications of today. We continue to investigate,
especially in the background investigations incident, so that
we can understand that data and begin to make notifications
there as well.
    Mr. Mulvaney. All right, I have a question. I don't think
it has been asked yet. I think it is for Mr.
Ozment or whoever \nelse understands the IT systems.\n    When we used to do this in the private sector, we used to \ndifferentiate between someone who had hacked into our system \nand someone who actually stole something from us, because there \nare two levels of involvement there.\n    So I guess my question to you, Mr. Ozment, is have you been \nable yet to make the distinction between just where the hackers \nwere and they had access and things were exposed, and where \npossibly they actually downloaded data?\n    Mr. Ozment. Thank you, Representative.\n    That is an important distinction and one that we spend a \nlot of our investigative time examining. For the personnel \nrecords, the approximately 4.2 million records, the incident \nresponse team, led by DHS but with interagency partners, has \nconcluded with a high probability that that data was \nexfiltrated, meaning that it was removed from the network by \nthe adversary who took it. And we are continuing to investigate \nthe information related----\n    Mr. Mulvaney. Very briefly, Mr. Ozment. I appreciate that. \nI don\'t mean to cut you off and I wish we had more time to do \nthat. Let me ask this one question. I heard about the data. I \nheard Mr. Lynch ask about the Social Security numbers. It \nsounds like that might have been exfiltrated. Health data. Do \nwe collect health data on our employees?\n    Ms. Archuleta, if I come to work for you or for the \nGovernment, do I give you my health records?\n    Ms. Archuleta. Not your health records, but the information \nregarding your health carrier is the information that we \nreceive and who you would include in the----\n    Mr. Mulvaney. Okay, so it is not----\n    Ms. Archuleta. No, not your health----\n    Mr. Mulvaney. So it is not specific medications, it is not \nspecific conditions.\n    Ms. Archuleta. No.\n    Mr. Mulvaney. It is just who my health insurance company \nis.\n    Ms. Archuleta. Exactly.\n    Mr. Mulvaney. Thank you, Mr. 
Chairman.\n    Chairman Chaffetz. I thank the gentleman.\n    We now recognize the gentleman from Virginia, Mr. Connolly, \nfor five minutes.\n    Mr. Connolly. Thank you, Mr. Chairman.\n    You know, what is so jarring about this hearing is that \nsort of in bloodless and bureaucratic language we are talking \nabout the compromise of information of fellow Americans and, \nfrom the Federal employee point of view, the most catastrophic \ncompromise of personal information in the history of this \nCountry. Social Security records.\n    Ms. Archuleta, you mentioned that not health information, \nbut health carrier. That is a roadmap to other information \nhackers can get.\n    Security clearances. Security clearances are deeply \npersonal and often involve, do they not, Ms. Seymour, \nunconfirmed negative information, even rumors. I think so-and-\nso has a drinking problem. That gets in that report even if it \nis not confirmed. Is that not correct?\n    Ms. Archuleta. Sir, I am not a Federal investigator and I \nam not familiar with all of the precise data that is in those.\n    Mr. Connolly. Well, let me confirm for you. It was a \nrhetorical question, really. It is correct.\n    How do we protect our employees? Dr. Ozment, when I heard \nyour testimony, it almost sounded like you were saying is that \nthe good news here is we detected the hack. But the object here \nisn\'t effective detection, though that is part of the process; \nit is prevention and preemption to protect our citizens, \nincluding Federal employees.\n    You talked about EINSTEIN and you championed its merits. \nWas EINSTEIN in place at OPM when this hack occurred?\n    Mr. Ozment. Sir, I share your deep concern about the loss \nof this information and agree that that is a terrible outcome.\n    Mr. Connolly. A terrible outcome?\n    Mr. Ozment. Absolutely. As a Federal employee whose \ninformation is itself a part of this database, I feel----\n    Mr. Connolly. 
It might even be personally devastating, Dr. \nOzment, not just a terrible outcome.\n    Mr. Ozment. That is correct, sir.\n    What I would tell you on this is that EINSTEIN was critical \nin this incident. As OPM implemented their new security \nmeasures and detected the breach----\n    Mr. Connolly. Was EINSTEIN in place at the time of this \nbreach?\n    Mr. Ozment. EINSTEIN 1 and 2 have been in place at OPM. \nEINSTEIN 3 is not yet available for OPM.\n    Mr. Connolly. Okay, I only have two minutes. I want to \nunderstand your answer. So did it successfully detect a breach \nhad occurred?\n    Mr. Ozment. It did not detect the breach that OPM caught on \ntheir own networks, because just as the cyber threat \ninformation sharing legislation we are focused on acknowledges, \nyou first have to have the threat information. EINSTEIN 1, once \nwe had that threat information, we used EINSTEIN 1 and 2 to \ndetect a separate breach that we were then able to work.\n    Mr. Connolly. I am sure every Federal employee who had his \nor her information compromised is comforted by your answer, Dr. \nOzment.\n    Ms. Archuleta, what was the time gap between discovering \nthere had been a breach and the actual breach itself?\n    Ms. Archuleta. We discovered the breach in April of 2015.\n    Mr. Connolly. This year. And when did the breach occur?\n    Ms. Archuleta. We suspected it happened earlier in 2014.\n    Mr. Connolly. So some time late last year?\n    Ms. Archuleta. Yes, sir.\n    Mr. Connolly. Okay. So whoever were the hackers, presumably \nan agency of the Chinese government, according to published \nreports confirmed by U.S. officials, it is not a classified \npiece of information. 
The details of it may be, but our \nGovernment, I believe, has confirmed, without attribution, in \npublic records that it was a systematic effort by the People\'s \nLiberation Army, which has been notorious for hacking all over \nthe West, that got its hands on this data.\n    So they had four months in which to do something with this \ndata, is that correct, maybe five?\n    Ms. Archuleta. I can\'t make a comment on attribution.\n    Mr. Connolly. I didn\'t ask you to. I just asked whether \nthey had four or five months to do something with this data.\n    Ms. Archuleta. The period between when we believe the \nbreach occurred and our discovery, yes.\n    Mr. Connolly. All right.\n    I am going to, real quickly, if the chairman allows, ask \nMr. Scott one last question. The head of CERT, the director of \nCERT says if the agency implemented three steps, we could \nprevent about 85 percent of breaches.\n    And I am going to hold in abeyance new investments and new \ntechnology because Ms. Seymour talks about legacy systems, and \nI had always hoped that the Chinese didn\'t know how to hack \ninto COBOL. But that is a different matter.\n    Okay, the three things are minimize administrator \nprivileges; two, utilize application whitelisting; and, three, \ncontinuously patch software, which, interestingly, does not go \non.\n    Would you just comment? What is your professional take on \nthose three recommendations?\n    Mr. Scott. I think those recommendations are great, and \nthere are a number of other things as well, some of which I \nhave talked about today. I think the one point I would make is \nthere is no one measure that you could say that is going to \nprevent all attacks or even prevent an attack. It is really \ndefense in depth is your best measure, and that is what we are \nreally looking at emphasizing.\n    Mr. Connolly. Thank you, Mr. Chairman.\n    Chairman Chaffetz. Thank you.\n    We now recognize the gentleman from North Carolina, Mr. 
\nWalker, for five minutes.\n    Mr. Walker. Thank you, Mr. Chairman.\n    I certainly agree with my colleague from Virginia in his \ndescription this is a catastrophic compromise.\n    Ms. Archuleta, it appears that OPM did not follow the very \nbasic cybersecurity best practices, specifically such as \nnetwork segmentation and encryption of sensitive data. Should \nthe data have been encrypted? Can you address that?\n    Ms. Archuleta. At that time, the data was not encrypted, \nand as Dr. Ozment has indicated, encryption may not have been a \nvaluable tool in this particular breach. As I said earlier, we \nare working closely to determine what sorts of additional tools \nwe can put into our system to prevent further breaches.\n    Mr. Walker. You said may not have been. But that didn\'t \nanswer the question should have been encrypted and could that \nhave been another line of defense?\n    Ms. Archuleta. I would turn to my colleagues from DHS to \ndetermine the use of encryption, but I will say that it was not \nencrypted at the time of the breach.\n    Mr. Ozment. I would note that if an adversary has the \ncredentials of a user on the network, then they can access data \neven if it is encrypted, just as the users on the network have \nto access data, and that did occur in this case, so encryption \nin this instance would not have protected this data.\n    Mr. Walker. I want to delve a little further in just a \nmoment, but let me ask this.\n    Ms. Archuleta, what consequences should CIOs face for \nfailing to meet such a baseline of cybersecurity standard on \ntheir networks? May I hear your thoughts on that?\n    Ms. Archuleta. I believe that the CIO is responsible for \nthe implementation of a solid plan and I believe that my CIO \nhas been doing that. We are working with a legacy system that \nis decades old, and we are using all of our financial and human \nresources to improve that system. 
Cybersecurity is a \ngovernment-wide effort and we all must work together to improve \nthe systems that we have government-wide.\n    Mr. Walker. I am not sure that the American people are \ncontent with the pace of how we are all working together.\n    I want to speak a little bit to EINSTEIN. I have heard \nseveral different comments today regarding it and my question \nis even if EINSTEIN is a necessary component to effectively \ndefending the system, I believe the private sector is really \nalready moving on this kind of technology. Is that a fair \nquestion? And what is the DHS doing to keep pace with its \nattackers? Dr. Ozment?\n    Mr. Ozment. EINSTEIN is absolutely a necessary, but not \nsufficient, tool for protecting department and agency networks. \nAs Mr. Scott has noted several times, we need a defense in \ndepth strategy. We are supplementing EINSTEIN with continuous \ndiagnostics and mitigations at the agencies, and we are also \nlooking with EINSTEIN at taking what is currently a signature \nfocus system and adding capabilities to let it detect \npreviously unknown intrusions.\n    But as you do that you also receive more false positives. \nIn other words, you receive more indications that an intrusion \noccurred even if it did not occur. So we have to do that \ncarefully so we are not overwhelmed by essentially bad data.\n    Mr. Walker. And it seems to be that you are more excited or \nmore confident in the EINSTEIN, what is it, 3A version? Is that \ngoing to be more solid as far as keeping the attackers out?\n    Mr. Ozment. EINSTEIN 3A will be a step forward. It uses \nclassified information and is modeled on a similar Department \nof Defense program. It is still a signature-based program, but \nit will rely upon classified information obtained from the \nintelligence community to help us detect adversaries and block \nthem.\n    Mr. Walker. 
And I even heard you earlier say something \nabout how even that system needs to be supplemented with \nothers, is that correct?\n    Mr. Ozment. That is correct. Again, no single system here \nwill solve this problem.\n    Mr. Walker. And there lies my problem, because even on the \nDHS\'s own Web site, when talking about EINSTEIN 3, it says it \n``prevents malicious traffic from harming networks.\'\'\n    Now, if that is not all-inclusive, should not we be \nunderstanding that before today\'s hearing? Why are we just now \ngetting this information that this may not be enough to prevent \nsuch, as we said earlier, catastrophic compromise?\n    Mr. Ozment. I can\'t speak to the web page you are referring \nto, but I can say that we have been very consistent and I have \nbeen very consistent in all my interactions with Congress to \nhighlight that we do need a defense-in-depth strategy and \nthat no one tool will solve all of our problems.\n    Mr. Walker. And who is responsible for posting this \ninformation on the Web site of the DHS?\n    Mr. Ozment. We will look into that and get back to you, \nsir, and make updates as necessary.\n    Mr. Walker. Thank you, Mr. Chairman. I yield back.\n    Chairman Chaffetz. Thank you.\n    Now recognize the gentleman from Pennsylvania, Mr. \nCartwright, for five minutes.\n    Mr. Cartwright. Thank you, Mr. Chairman.\n    I thank the chairman and the ranking member for calling \nthis hearing.\n    Director Archuleta, I know there have been much bigger data \nbreaches than this one, but I am concerned, and I share the \nsentiments of Mr. Connolly from Virginia. This is extremely \ntroubling. 
We are talking about 4 million-plus Federal workers, \npeople who dedicate their entire careers, indeed, their entire \nlives, to our Country, and now their personal information has \nbeen compromised through absolutely no fault of their own.\n    If I understand your testimony, the personal information of \nabout 4 million current and former employees was potentially \ncompromised, and I want to ask you, as your investigation \ncontinues, do you believe that that number is going to be \nbigger than 4 million?\n    Ms. Archuleta. Thank you for your question. In my opening \nstatement I described two incidences.\n    Mr. Cartwright. No, it is a yes or no question, or I don\'t \nknow.\n    Ms. Archuleta. No. Because of the two incidents, the first \nincident is 4.2 million, and an ongoing investigation led us to \nunderstand that the Federal investigative background checks----\n    Mr. Cartwright. You know what I mean when I say it is a yes \nor no question, right?\n    Ms. Archuleta. Yes, sir.\n    Mr. Cartwright. Okay. Do you think it could be more than \n4.2 million?\n    Ms. Archuleta. Yes, sir.\n    Mr. Cartwright. Okay.\n    Now, Ms. Seymour, let me turn to you for some more detailed \nresponses.\n    Your IT professionals discovered the breach in April and \nalso, as Mr. Connolly mentioned, they believe the hack may have \nbegun back in December, am I correct in that?\n    Ms. Seymour. Yes, sir, it began in 2014.\n    Mr. Cartwright. Now, something else happened in December of \n2014; OPM\'s contractor, Keypoint, revealed that it was targeted \nin an earlier cyber attack. Now, this is the contractor that \ndoes the majority of your agency\'s background check \ninvestigations, am I correct in that?\n    Ms. Seymour. They do a number of our background \ninvestigations, sir. I am not sure of the numbers.\n    Mr. Cartwright. And in that case the attack against \nKeypoint was successful; personal information was, in fact, \ncompromised, correct?\n    Ms. Seymour. 
Yes, sir.\n    Mr. Cartwright. On Friday, ABC News issued a report \nentitled ``Feds Eye Link to Private Contractor in Massive \nGovernment Hack.\'\' This article says this, ``The hackers who \nrecently launched a massive cyber attack on the U.S. \nGovernment, exposing sensitive information of millions of \nFederal workers and millions of others, may have used \ninformation stolen from a private government contractor to \nbreak in to Federal systems.\'\' The article goes on, ``The \nhackers entered the U.S. Office of Personnel Management, OPM\'s \ncomputer systems after first gaining access last year to the \nsystems of Keypoint Government Solutions.\'\'\n    It continues, ``Authorities, meanwhile, believe hackers \nwere able to extract electronic credentials or other \ninformation from within Keypoint systems and somehow use them \nto help unlock OPM systems, according to sources. The hackers \nthen rummaged through separate segments of OPM systems, \npotentially compromising personal information of not only the 4 \nmillion current and former Federal employees.\'\'\n    Ms. Seymour, I know we are having our classified briefing \nlater, and I thank you for coming to that, but can you comment \non these reports? Did these hackers actually get what they \nwanted in the previous attack against OPM\'s contractor, \nKeypoint, so they could then go after OPM itself?\n    Ms. Seymour. I believe that is a discussion that we should \nhave in a classified setting, sir.\n    Mr. Cartwright. Fair enough.\n    Now, we know that OPM\'s other contractor, USIS, was also \nbreached last year and that its information was also \ncompromised. Can you tell us if those hackers got information \nin the USIS breach that they were then able to use in the \nattack against OPM?\n    Ms. Seymour. Again, that is a discussion we should have \nlater, sir.\n    Mr. Cartwright. I understand. 
I certainly don\'t want you to \ndisclose classified information here.\n    Let me close by asking a final question to the whole panel, \nand I will let each of you answer. Federal agencies and private \ncompanies are only as strong as their weakest link. Last year \nwe saw breaches of two contractors, Keypoint and USIS. Now we \nhave reports that these hackers are getting into OPM \ninformation because of what they learned in those hacks.\n    Agencies have leverage over their contractors using the \nprovisions in the contracts and the billions of taxpayer \ndollars that they pay out to the company, so I want to ask each \nof you how can agencies use that leverage to improve \ncybersecurity practices of contractors so that they do a better \njob of safeguarding the information that they are entrusted \nwith?\n    Go ahead, right on down the line, starting with you, Ms. \nArchuleta.\n    Ms. Archuleta. What we can do with the contractors that we \nengage is to make sure that they have the security systems that \nmatch the Federal Government\'s and that they are using the same \nsort of types of systems.\n    I want to be sure that I understand your question. The \ncontractors that we employ as individuals or as companies----\n    Mr. Cartwright. The contractors as companies.\n    Ms. Archuleta. In our contracts with the companies, we are \nnow working to make sure that they are adhering to the same \nstandards that we have in Federal Government, as outlined in \nour rules.\n    Mr. Cartwright. Dr. Ozment?\n    Mr. Ozment. Representative, DHS, for its own contract, as \none example, has been working to build in additional \ncybersecurity requirements. I would also point you to the \nFedRAMP effort, government-wide effort to establish a baseline \nof cybersecurity requirements for cloud contractors to the \nGovernment.\n    Mr. Cartwright. Mr. Scott?\n    Mr. Scott. Yes. 
I think as my colleague, Anne Rung, and I \ntestified last week, we also are strengthening the Federal \ncontract procurement language and creating contract language \nthat any agency can use as a part of their standard contracts.\n    Mr. Cartwright. Thank you.\n    Ms. Burns?\n    Ms. Burns. I think it is about beefing up the security \nclauses in all contracts so that they cover the full extent of \nwhat we need, and then doing the monitoring and follow-up that \nyou need to do to ensure that the contractors are adhering to \nthose clauses of the contract.\n    Mr. Cartwright. Right.\n    Ms. Seymour?\n    Ms. Seymour. I agree with everything that my colleagues \nhave put forth, but I will add that site inspections are also \nimportant, and those are some of the things that we do at OPM \nwith our contractors, as well as continuous monitoring. Looking \nat a system every third year is not ample. That is not a best \npractice and we need to move more towards looking at different \nsecurity controls at different intervals of time.\n    The other option that we do use is our IG also does \ninspections of our contractor companies.\n    Mr. Cartwright. Mr. Esser?\n    Mr. Esser. I agree with what the other witnesses stated. \nLike Ms. Seymour just said, we, as the IG, go out and we do \naudits of contractors, health insurance companies, the \nbackground investigation companies, as well. So we can be used \nand see ourselves in that role.\n    Mr. Cartwright. Mr. Chairman, I thank you for your \nindulgence. I also want to note that USIS was invited here \ntoday, but refused----\n    Chairman Chaffetz. I appreciate the gentleman. You are \nalmost three minutes over time. We have classified that we have \nto go to and we have members that still have an effort.\n    Mr. Cartwright. Yield back.\n    Chairman Chaffetz. Thank you. Appreciate it.\n    I now recognize Mr. Russell from Oklahoma for five minutes.\n    Mr. Russell. Thank you, Mr. 
Chairman.\n    I am baffled by all of this. Upon receipt or upon your \nappointment of the directorship of OPM, Director Archuleta had \nstated that she was committed to building an inclusive \nworkforce. Who would have thought that that would have included \nour enemies?\n    In this testimony here today, we heard statements that we \ndid not encrypt because we thought they might be able to \ndecrypt or decipher. That is just baffling to me.\n    There was another statement I heard earlier today that said \nhad we not established the systems, we would never have known \nabout the breach. That is tantamount to saying if we had not \nwatered our flower beds, we would have never seen the muddy \nfootprints on the open windowsill.\n    I mean, this is absolute negligence that puts the lives of \nAmericans at risk, and also foreign nationals that interact \nwith these Americans. Of particular concern are the SF 86 \nforms, of which I am very familiar, with my background prior to \ncoming to Congress.\n    We had Sean Gallagher from Ars Technica, who summed it up \nprobably best. He said that this breach was a result of \ninertia, a lack of internal expertise, and a decade of neglect.\n    Director Archuleta, why did you not shut down 11 of the 21 \nsystems that had no security assessment and authorization?\n    Ms. Archuleta. Sir, as I mentioned before, there are \nnumerous priorities that go into employee safety and security, \nincluding making sure that our retirees receive their benefits \nor that our employees get paid. There are numerous \nconsiderations that we had to----\n    Mr. Russell. Would one of those considerations be \nencrypting Social Security numbers? I mean, does it take a \ndegree in IT in cybersecurity to encrypt Social Security \nnumbers? I didn\'t think so.\n    Did your cybersecurity strategic plan include leaving \nhalf of OPM\'s systems without protection when you formulated \nit? Was that part of the plan?\n    Ms. Archuleta. 
No, sir.\n    Mr. Russell. Then why was it not made a priority?\n    Ms. Archuleta. The systems that the IG referred to in our \nplan, those systems that he recommended that we shut down, he \nrecommended that we shut them down because they were without \nauthorization. All of our systems are now authorized and they \nare operating.\n    I have to say that we are looking at systems that are very, \nvery old, and we can take a look at encryption and other steps \nthat could be taken, and certainly we are doing that, but as we \nlook at this system, we are also having to deal with decades \nof----\n    Mr. Russell. Well, I understand that, but I also understand \nthere is an old saying we had in the military: poor is the \nworkman who blames his tools. Missions can be accomplished even \nwith what you have, and measures could have been done had this \nbeen made a priority. What I see now is why did OPM have no \nmulti-factor authentication for users accessing the system from \noutside OPM? There was no multi-faceted means. If they get into \nthe system, they have free rein, is that correct?\n    Ms. Archuleta. We have implemented multiple factors. Ms. \nSeymour has mentioned multi-factor authentication with our \nremote users and are working now.\n    Mr. Russell. And when was that put in place, before or \nafter the breach?\n    Ms. Archuleta. This began in January of 2015.\n    Mr. Russell. Okay. So stolen credentials could still be \nused to run free in the system, is that correct?\n    Ms. Archuleta. Prior to the time of the two-factor \nauthentication, obviously, it takes time to implement all of \nthese tools. I am as distressed as you are about how long these \nsystems have gone neglected when they have needed much \nresources, and it is in my administration that we have put \nthose resources to it. 
We have to act quickly, which we are doing, and we are also working with our partners across government.
    As I said before, cybersecurity is an issue that all of us need to address across the Federal Government.
    Mr. Russell. Was a priority made to these outside systems that were most vulnerable that would allow this type of free run?
    Ms. Archuleta. I am sorry, sir, would you repeat the question?
    Mr. Russell. Was a priority made to these outside accessing systems to OPM's database that once they get in them they have a free rein, a free run?
    Ms. Archuleta. Yes, it was a priority, sir, but as I said before, legacy system, it takes time.
    Mr. Russell. It didn't take our enemies time.
    Thank you, Mr. Chairman. I yield back.
    Chairman Chaffetz. I thank the gentleman.
    Now recognize the gentleman from California, Mr. Lieu, for five minutes.
    Mr. Lieu. Thank you, Mr. Chairman.
    Director Archuleta, under your watch, last March, OPM database containing the crown jewels of American intelligence was breached. This year the same exact database was breached. A third database containing over 4 million Federal employees' data unencrypted was breached.
    The IG has said that at OPM your technology systems are either materially weak or seriously deficient, and my question to you, just a very simple yes or no, is do you accept responsibility for what happened?
    Ms. Archuleta. I accept responsibility for the administration of OPM and the important role of our IT systems in delivering the services, and I take very seriously my responsibilities in overseeing the improvements to a decades-old legacy system.
    Mr. Lieu. I don't really quite know what that means. I asked for a yes or no. But that is fine, you have answered it.
    I am going to reserve the balance of my time to make a statement. Having been a member of this oversight committee, and as a computer science major, it is clear to me there is a high level of technological incompetence across many of our Federal agencies. We have held hearings where it showed that Federal agencies couldn't procure, implement or deploy IT systems without massive bugs or massive cost overruns.
    We have held hearings where at least one Federal agency, in this case the FBI, had a fundamental misunderstanding of technology, where they continue to believe they can put in back doors to encryption systems just for the good guys and not for hackers, which you cannot do. We had over 10 federal data system breaches last year.
    So there is a culture problem and there is a problem of civilian leadership not understanding we are in a cyber war. Every day we are getting attacked in both the public and private sector. The U.S. military understands this; that is why they stood up an entire cyber command. But until our civilian leadership understands the gravity of this issue, we are going to continue having more data breaches.
    Let me give you some examples of this culture problem. You have heard today there was unencrypted Social Security numbers. That is just not acceptable. That is a failure of leadership.
    Look at the various IG reports over the years showing material weaknesses and then look at last year's IG report, page 12, that says as of November of last year, OPM had not yet done a risk assessment. That is ridiculous, especially since you knew in March your system was breached. That is a failure of leadership. And this goes beyond just OPM.
    Now, Mr. Scott, you have only been here a few months, so you are going to get a pass on this, but I want to know why was it that it wasn't until last Friday that agencies were ordered to put in basic cybersecurity measures? Why wasn't this done last year? Why wasn't this done years before? There is a failure of leadership above that of OPM.
    And when there is a culture problem, what have we done in the past? Especially in the area of national security, you can't have the view that, oh, this is legacy system, oh, we have these excuses. In national security it has to be zero tolerance. That has to be your attitude. We can't have these breaches.
    The CIA can't go around saying, you know, every now and then our database of spies is going to get breached. That cannot happen.
    And when you have a culture problem, as we have heard here, in the past, when agencies have had this, leadership resigns or they are fired. At the DEA, leadership left. We had this happen at the Secret Service; we had this happen at the Veterans Administration. And we, as a government, do that for two reasons: one is to send the signal that the status quo is not acceptable. We cannot continue to have this attitude, where we make excuse after excuse.
    You know, I have heard a lot of testimony today. The one word I haven't heard is the word sorry. When is OPM going to apologize to over 4 million Federal employees that just had their personal data compromised? When is OPM going to apologize to the Federal employees that had personally devastating information released through the SF 86 forms? I haven't heard that yet.
    And when there is a culture problem, we send a signal to others that the status quo is unacceptable and leadership has to resign. Another reason we do that is because we want new leadership in that is more competent.
    So I am looking here today for a few good people to step forward, accept responsibility, and resign for the good of the Nation. I yield back.
    Chairman Chaffetz. I thank the gentleman. Well said.
    Now recognize the chairman of the IT subcommittee, Mr. Hurd, of Texas, for five minutes.
    Mr. Hurd. Thank you, Mr. Chairman.
    It is my hope that every agency head and every CIO of these agencies are listening or watching or will read the testimony after this event, and that the first thing they do when they wake up tomorrow is pull out the GAO high risk report that identifies areas that they have problems with, they read their own IG report and start working to address those remediations.
    I have been at this job for 21 weeks, similar to Mr. Scott, and one of the things you hear from people, they are frustrated with their Government. Intentions are great.
    Ms. Archuleta, you said at the beginning that the security of Federal employee is paramount. I believe you believe that, but the execution has been horrific. Intentions are not enough. We have to have execution. And this is the thing that scares me.
    So my question, let's start with you, Ms. Archuleta. Did the hackers use a zero day vulnerability to get into your network?
    Ms. Archuleta. I think that would be better answered in a classified setting.
    Mr. Hurd. Well, if it was a zero day vulnerability, I hope everybody has been notified of this zero day; not only the Government, but the private sector. We shouldn't be keeping secret a zero day vulnerability.
    I know a little something about protecting secrets; I spent almost my adult life in the CIA doing that. This is something that we need to get out. What I have read is that EINSTEIN did detect the breach after the appropriate indicators of compromise were loaded into it.
    So my question is how long did, in Federal Government, did somebody have access to these indicators of compromise and why did it take however much that time to get it into EINSTEIN's system, and has that been promoted to every other agency that is using EINSTEIN 2?
    Mr. Ozment. Representative, OPM, once they implemented their security measure and discovered this breach, gave us the indicators of compromise immediately and we loaded it into EINSTEIN immediately. That is, we loaded it into EINSTEIN 2 to both detect and we looked back through history to see if any other traffic back in time had indicated a similar compromise. That is how we found an intrusion into OPM related to this incident that led to our discovery of the breach of the personal records.
    We also put it into EINSTEIN 3 so that agencies covered by EINSTEIN 3 would be protected against a similar activity moving forward. And then we held a call with all the Federal CIOs and disseminated these indicators to them and asked them to search their networks for these indicators.
    Mr. Hurd. Has that been done?
    Mr. Ozment. That has been done.
    Mr. Hurd. Okay.
    Ms. Seymour, you talk about legacy systems and the difficulty of protecting those. What are some of those legacy systems and what programming software is used to develop those systems?
    Ms. Seymour. These are systems, sir, that have been around for going close to 25, 30 years.
    Mr. Hurd. So it was written by COBOL?
    Ms. Seymour. COBOL systems. One of the things I would like to offer is that Director Archuleta and I actually were brought here to solve some of these problems.
    Mr. Hurd. When did you start your job?
    Ms. Seymour. In December of 2013.
    Mr. Hurd. And why did we wait to implement two-factor authentication until after the attack?
    Ms. Seymour. We have not waited, sir.
    Mr. Hurd. So two-factor authentication was being deployed prior?
    Ms. Seymour. These are two decades in the making. We are not going to solve them all in two years. And if we continue----
    Mr. Hurd. See, what is where I disagree with you, okay? Again, we have to stop thinking about this that we have years to solve the problem. We don't. We should be thinking about this in days.
    Ms. Archuleta, how much overtime have you signed off on since this hack, of people that are dealing with the compromise?
    Ms. Archuleta. My CIO team works 24/7.
    Mr. Hurd. So if I walk into your building at 8 p.m. at night, there are going to be people drinking Red Bull, working furiously in order to solve this problem?
    Ms. Archuleta. I am very proud of the employees that are working on this issue, and they have been working 24/7.
    Mr. Hurd. Mr. Scott, you have inherited a mess, my man, and we are looking to you, and whatever this committee can do to help you to ensure things like this doesn't happen, to ensure that these agencies and the CIOs of the agencies are implementing the recommendations of the IG, the recommendations of the GAO, we are here to do that. And we are going to continue to drag people up here and answer these questions, because that is our responsibility.
    I recognize that you are not going to stop anybody from penetrating your network. But how quickly can you identify them, can you quarantine them, and can you kick them off the network? Those are the three metrics we should be using about the health of our systems, and we are woefully inadequate.
    I yield back the time I do not have. Thank you, sir.
    Chairman Chaffetz. Thanks.
    Mr. DeSantis, of Florida, is now recognized for five minutes.
    Mr. DeSantis. Thank you, Mr. Chairman.
    Ms. Archuleta, in your testimony you said, and I think this is the direct quote, ``we have now confirmed that any Federal employee from across all branches of Government whose organization submitted service history records to OPM may have been compromised, even if their full personnel file was not stored on OPM's system.''
    What do you mean by service history?
    Ms. Archuleta. Their careers. They may have been in a different position earlier than perhaps as they move around Government, so it may be someone whose current job would not be in the system, but because of their service history their information would be dated back, and it is for retirement purposes.
    Mr. DeSantis. Okay, so a potentially broader breach.
    I tell you, an SF 86, I remember filling that out when I was a young officer in the Navy, and it is by far the most intrusive form that I have ever filled out. It took me days. I had to go do research on myself to try to figure out. And it is not just that you are doing a lot of personal and sensitive data about the individual applicant, the SF 86 asks about family members, it asks about friends, spouse, relatives, where you have lived, who you knew when you lived in these different places. It also asks you to come clean about anything in your past life.
    So, to me, people have said that this is crown jewels material in terms of potential blackmail. So this is a very, very serious breach.
    My question for Ms. Archuleta, were cabinet level officials implicated in this breach?
    Ms. Archuleta. Sir, this type of information would be better discussed in a classified setting.
    Mr. DeSantis. Understood. What about people in the military and intelligence communities?
    Ms. Archuleta. As I mentioned earlier, I believe that this is something that we could respond to in a classified setting.
    Mr. DeSantis. Okay. So you don't disagree with my characterization of the SF 86 and that the compromise, let's just say theoretical if you don't want to say what actually happened here, that that is a major, major breach that will have ramifications for our Country?
    Ms. Archuleta. As I said, we will discuss this with you in the classified setting.
    Mr. DeSantis. Okay. SF 86 forms also require applicants to list foreign nationals with whom they are in close contact, so that means China now has a list, for example, of Chinese citizens worldwide who are in close contact with American officials. They can, and will, obviously use that information for espionage purposes.
    So what are the security implications of that type of information falling into enemy hands? That could be for anybody.
    Mr. Ozment. Sir, that is a question that we will discuss in the hearing this afternoon.
    Mr. DeSantis. Okay. Now, some reports say that not only were the hackers pursuing information on Federal employees, but also password and encryption keys that could be used for trade secret theft and espionage. And I guess you will have more to say about that in a classified setting, but at least for this forum can you say that that is a significant risk; that is not the type of information that we would want the enemy to have and it can, in fact, be very damaging, correct?
    Mr. Ozment. Again, sir, we are going to defer discussion on that until the classified briefing in a few minutes.
    Mr. DeSantis. Okay. And I get that and I will be there and I will listen intently. But it really concerns me because this is really a treasure trove for our enemies, potentially. And the fact that this system was hacked and we didn't even know about it for a long time, that is really, really troubling.
    If you ask people if they want to serve in these sensitive positions and they think that by filling out these forms they are actually going to put themselves or their family potentially at risk because the Government is not competent enough to maintain that secretly, that is a major problem as well. So the information can be used against the Country, then you are also, I think, going to have a chilling effect on people wanting to get involved if we don't get a handle on this.
    So I look forward to hearing from the witnesses in a classified setting and I yield back the balance of my time.
    Chairman Chaffetz. Thank you.
    Now recognize the gentleman from Alabama, Mr. Palmer, for five minutes.
    Mr. Palmer. Thank you, Mr. Chairman.
    Ms. Seymour, does the employee exposure extend only to those who filled out Standard Form 86, or does it include others as well?
    Ms. Seymour. Our investigation is ongoing, sir.
    Mr. Palmer. Well, ma'am, apparently it does, because I have two employees who have never filled out a Standard Form 86, and they have a letter from you informing them of the possibility that their data may have been compromised. So I will ask you again, and it is a yes or no, does it extend beyond the people who filled out an SF 86?
    Ms. Seymour. My answer to that is yes, sir. There are two incidents that we have come here to talk with you today.
    Mr. Palmer. Why didn't you answer yes to start with?
    Ms. Seymour. Because you were talking about SF 86s, sir.
    Mr. Palmer. No. I made it clear. I asked you, did the exposure extend beyond those who filled out SF 86, and you said the investigation was ongoing. Apparently, you have investigated enough to send a letter to employees who didn't fill out those forms, so thank you for your yes answer.
    In your judgment, Ms. Archuleta, how likely is it that the hackers were able to access these personnel files through an employee account?
    Ms. Archuleta. Sir, we will be able to discuss that with you during the classified session.
    Mr. Palmer. Well, let me be a little bit more specific. Are you familiar with The Wall Street Journal article that indicated that it was possible that the breach occurred through personal email accounts, because employees were using the Federal system and that early in 2011 the Immigration and Customs Enforcement agency noticed a significant up-tick in infections and privacy spills, and they asked for a directive or they put out a directive that Federal employees could not use the Federal system to access their personal emails? But the American Federation of Government Employees filed a grievance with the federal arbitrator claiming that that was something that needed to be bargained and needed to be part of the collective bargaining agreement.
    The arbitrator dismissed ICE's security arguments in 75 words, claiming that the law didn't give the Federal agencies exclusive discretion to manage the IT systems, so ICE wasn't able to shut that off. Do you have any comment on that?
    Ms. Archuleta. No, sir. Again, those are issues that we will be able to discuss in the classified hearing.
    Mr. Palmer. Well, it is being discussed in The Wall Street Journal.
    I think for now, since we need to head to the hearing, I will yield the balance of my time.
    Thank you, Mr. Chairman.
    Chairman Chaffetz. I thank the gentleman.
    Now recognize the gentleman from Georgia, Mr. Hice, for five minutes.
    Mr. Hice. Thank you, Mr. Chairman.
    Mr. Esser, what are the risks that are associated with not having a valid system authorization?
    Mr. Esser. Well, the risks are evident that not having a valid authorization essentially could be a symptom of weak controls over operating systems and applications, and lead to things such as a breach.
    Mr. Hice. Okay. With all the things that we are talking about here today, Ms. Seymour, you were obviously fully aware of these risks and OPM was aware of these risks?
    Ms. Seymour. Yes, sir, I was aware of these reports.
    Mr. Hice. Okay.
    Now, I kind of hate going back to this because it has come up several times already today, but still I am waiting for an answer. The inspector general put out his report last November expressing great alarm, recommending that OPM consider shutting down the systems because of the risks that you knew about, Ms. Archuleta knew about, and yet these recommendations were ignored.
    Now, I am going to come back to you with this because, quite frankly, Ms. Archuleta has tried to dodge this question and dance all around it. I want to come straight up with you. Why were those recommendations not followed?
    Ms. Seymour. Two reasons, sir. One is an authorization to operate is merely the documentation of the security controls of a system and their effectiveness. That does not mean simply because you don't have an authorization that those tools don't exist.
    The other effort is, as the IG was doing its audit, we were taking all of those vulnerabilities into play. We had already developed a security plan that we were in the process of implementing, and the IG admits in their report that we were in the process of implementing many of those controls.
    Mr. Hice. Did the plan that you were in process of implementing work? Obviously, it didn't. Would shutting it down have worked?
    Ms. Seymour. The controls that we put in place allowed us to stop the remote access to our network, and they also allowed us to detect this activity that had occurred prior to the IG report.
    Mr. Hice. But the vulnerability was still there and your plan failed.
    Ms. Seymour. There are vulnerabilities in every system. What we do is a risk management process, sir, where we look at the vulnerabilities as well as the business that we must conduct.
    Mr. Hice. Mr. Esser, let me come back to you. Currently, what are the consequences of owners of OPM IT system? Currently, what are the consequences now if they operate without a valid authorization?
    Mr. Esser. There are essentially no consequences. We report that in our FISMA audits, but other than that there are no official sanctions in place. It is something that gets publicized, and that is the extent.
    Mr. Hice. So it sounds to me like this thing is still not being taken seriously. If there are no consequences for operating without authorization, why in the world are we still operating without authorization? Or is that occurring?
    Ms. Seymour. Sir, I have extended the authorizations that we had on these systems. Because we put a number of security controls in place in the environment, we have increased the effectiveness of the security around those systems.
    Mr. Hice. But there are no consequences for not operating on a system with authorization, so how seriously are you taking it?
    Ms. Seymour. There are consequences.
    Mr. Hice. What are they?
    Ms. Seymour. Those consequences are if you aren't doing the assessments, documenting them, while that is evidence that those assessments have been done, the assessments themselves are more important; the scanning of the network, the tools that are in place.
    Mr. Hice. That is not the consequences. What are the consequences? You said there are consequences. I want to know what they are.
    Ms. Seymour. The consequences that we have are we report to OMB on a quarterly basis about the status of our security and our network.
    Mr. Hice. That doesn't sound like consequences; that sounds like just reporting that you are required to do anyway. There are no consequences involved in those reports.
    Mr. Esser, again, are there measures that need to be taken to get the whole thing up to the standard it ought to be? I mean, is there anything that you would recommend?
    Mr. Esser. Yes. Yes. We do recommend that the CIO, the agency take the steps that in a lot of cases they are beginning to take. The centralization of the IT governance is well along the way. What they also need to do is get a full inventory of the assets that they are responsible for protecting.
    The shell project that Ms. Seymour has alluded to earlier is also something that we support. We also have some concerns about the way the project has been started and managed, but overall we support the idea behind the shell project.
    Chairman Chaffetz. We appreciate the gentleman.
    We now recognize the gentlewoman from New Mexico, Ms. Lujan Grisham, for five minutes.
    Ms. Lujan Grisham. Thank you, Mr. Chairman. Thank you for having this important hearing.
    I want to thank the panel for taking this conversation and these questions so seriously.
    In New Mexico, we are one of the States that has one of the largest percentage or per capita Federal employees in the Country, in the top five, so I have 50,000 Federal employees in my home State, and I am on their side by being incredibly concerned about this and, quite frankly, many other data breaches.
    The growing sophistication, frequency, and the impact on both public and private entities by cyber attacks continue to be a very serious threat. In fact, two days after my first election, one of the key briefings by one of the national labs which is in my district on Kirkland Air Force Base is the continuing growing concern with cybersecurity issues and their aggressive responses both to be proactive as much as they can and to appropriately be reactive once you have an identifiable breach.
    Given the data breach at OPM and at Home Depot and at Target, Anthem, it is clear to me that not only does the Federal Government have a role in protecting Federal employees and the information that you have, but we have a role in working to protect the public in general from these serious and continuing series of cyber attacks.
    But I recognize also that this is a very challenging effort and that there is not a simple solution. If there was, we could stop this hacking altogether and have the magic bullet. And as much as I want you to do that, I don't want to minimize the fact that I recognize that that is more difficult to say than do. No, it is easy to do; it is not so easy to do. But my concerns are growing given that even the best in the Country are facing significant cyber attacks, including Kaspersky Lab, who we are relying on for innovative and appropriate technologies to implement.
    So given that diatribe and given all the questions that you have had about accountability, about the serious nature, here is really my question. The Federal Government is not known for being, and I mean no disrespect by this, but just stating the facts, it is not a proactive, very reactive body just by the nature of how large it is, how broad our mission is, and how we are dependent on whatever the resources are and the priorities are at any given time.
    Given that climate and the role to protect the general public and your role to protect Federal employee information, what can you do that is different, that puts you in a position to be much more proactive, particularly given the nature of cyber attacks? Quite frankly, they have already hacked in as you are making the next modifications.
    Anyone on the panel. Mr. Scott, that may be a question that is primarily for you, but I would be interested in anybody's response.
    Mr. Scott. Sure. I can think of several things in the short run that actually we already have underway, but probably long-term the biggest thing is to double down on replacing these legacy sort of old systems that we have. One of the central problems here is you have old stuff that just was not designed or built in an era when we had these kinds of threats, and it is, in some cases, very, very hard to sort of duct tape and band aid things around these systems.
    It doesn't mean there is nothing you can do, but fundamentally it is old architectures that need to be replaced and security needs to be designed into the very fabric of the architecture of the hardware, the software, the networks, the applications. And the faster we can do that, the faster we are on a better road.
    Ms. Lujan Grisham. And given your role to do that in Federal Government, I am not clear today what percentage of legacy systems and old architecture platforms that we are still operating under and which departments are more at risk than others. What is the time frame for getting that done and what is a reasonable course for this committee to take to make sure we have accountability in Federal Government to move forward exactly in that effort?
    Mr. Scott. Well, I think the first thing is we are going to be very transparent with you in terms of the OMB reports in terms of where we are at on that journey as we go through our work over the course of the year. Several of the members of this committee have said they are going to pay very close attention to that, which I encourage.
    Chairman Chaffetz. The gentleman will suspend.
    Our time is so tight to our 1:00 o'clock briefing. We would like a full and complete answer. There will be questions for the record and we will continue to follow up, and I hope you understand.
    Mr. Scott. Be happy to.
    Chairman Chaffetz. We need to give time to Mr. Grothman from Wisconsin, who is now recognized for five minutes.
    Mr. Grothman. I am glad we have established that the Federal Government is not a proactive, reactive body. It is something for us to always remember, no matter what bill moves around here. It is something to remember about the Federal Government.
    But be that as it may, the first question I have for you guys, this is kind of a significant story here. Just out of curiosity, just to see how the Federal Government operates, has anybody lost their job over this or have there been any recriminations in that regard?
    Ms. Archuleta. No, sir.
    Mr. Grothman. Okay. Next question, I don't care who answers it. As I understand, it took months for the State Department to root out the Russian hackers in their unclassified systems. Now, apparently the Chinese hackers are known for leaving behind time-delayed malware. Do we know for sure that these people are out of the system by now or could they still be poking around?
    Mr. Ozment. Representative, we have a joint interagency team led by DHS, with participation by the FBI and National Security Agency, who have worked with OPM and the Department of Interior on this incident. They have assessed that they have fully removed the adversary from these networks, but it is extremely difficult to have 100 percent certainty in these cases.
    Mr. Grothman. Okay, so it could be, but you think probably out.
    Mr. Ozment. Yes, sir.
    Mr. Grothman. Okay. Final question. Apparently there are rumors that people are now selling some of these files. Is this a threat or do we know if it is going on? And if it is going on, are we doing anything to counter that?
    Mr. Ozment. Sir, I think that the impact and such are questions better suited for the classified briefing we are about to have.
    Mr. Grothman. Okay. I yield the remainder of my time.
    Chairman Chaffetz. Thank you.
    I want to thank the panelists and everybody that is here. I think you understand, on a bipartisan basis, how seriously we take this situation.
    To those Federal employees who are affected, one of the things that should come out is that in the letter, the very end of the letter, if you receive one of these letters, it does note that the Office of Personnel Management is not going to call you. They are not going to contact you to provide additional information. There will be some very bad actors that are going to try to take advantage of this bad situation and exploit it for their own personal gain. They have already done that. They are going to do it again and there are going to be others that are going to try to do that.
    To all of our Federal employees, please do not fall victim yet again to somebody who is going to send you an email or make a call and try to prey upon you further. It was noted in the letter. It is worth noting here from the pulpit.
    Again, we look forward to the 1:00 classified briefing. We are going to have to hustle.
    The committee now stands adjourned. Thank you.
    [Whereupon, at 12:50 p.m., the hearing was adjourned.]


                                APPENDIX

                              ----------


               Material Submitted for the Hearing Record
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
</pre></body></html>