[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


                            OPM: DATA BREACH

=======================================================================

                                HEARING

                               BEFORE THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 16, 2015

                               __________

                           Serial No. 114-60

                               __________

Printed for the use of the Committee on Oversight and Government Reform




         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform
                      
                      
                              ____________
                              
                        U.S. GOVERNMENT PUBLISHING OFFICE
99-659 PDF                    WASHINGTON : 2016                        
              
              
             
              
              
              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                     JASON CHAFFETZ, Utah, Chairman
JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, 
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JOHN J. DUNCAN, Jr., Tennessee       CAROLYN B. MALONEY, New York
JIM JORDAN, Ohio                     ELEANOR HOLMES NORTON, District of 
TIM WALBERG, Michigan                    Columbia
JUSTIN AMASH, Michigan               WM. LACY CLAY, Missouri
PAUL A. GOSAR, Arizona               STEPHEN F. LYNCH, Massachusetts
SCOTT DesJARLAIS, Tennessee          JIM COOPER, Tennessee
TREY GOWDY, South Carolina           GERALD E. CONNOLLY, Virginia
BLAKE FARENTHOLD, Texas              MATT CARTWRIGHT, Pennsylvania
CYNTHIA M. LUMMIS, Wyoming           TAMMY DUCKWORTH, Illinois
THOMAS MASSIE, Kentucky              ROBIN L. KELLY, Illinois
MARK MEADOWS, North Carolina         BRENDA L. LAWRENCE, Michigan
RON DeSANTIS, Florida                TED LIEU, California
MICK MULVANEY, South Carolina        BONNIE WATSON COLEMAN, New Jersey
KEN BUCK, Colorado                   STACEY E. PLASKETT, Virgin Islands
MARK WALKER, North Carolina          MARK DeSAULNIER, California
ROD BLUM, Iowa                       BRENDAN F. BOYLE, Pennsylvania
JODY B. HICE, Georgia                PETER WELCH, Vermont
STEVE RUSSELL, Oklahoma              MICHELLE LUJAN GRISHAM, New Mexico
EARL L. ``BUDDY'' CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama

                    Sean McLaughlin, Staff Director
                 David Rapallo, Minority Staff Director
             Troy D. Stock, IT Subcommittee Staff Director
 Jennifer Hemingway, Government Operations Subcommittee Staff Director
                    Sharon Casey, Deputy Chief Clerk
                            
                            
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on June 16, 2015....................................     1

                               WITNESSES

The Hon. Katherine Archuleta, Director, U.S. Office of Personnel 
  Management
    Oral Statement...............................................     6
    Written Statement............................................     9
Mr. Andy Ozment, Assistant Secretary, Office of Cybersecurity and 
  Communications, National Program Preparedness Directorate, U.S. 
  Department of Homeland Security
    Oral Statement...............................................    13
    Written Statement............................................    15
Mr. Tony Scott, U.S. Chief Information Officer, Office of 
  E-Government and Information Technology, U.S. Office of Management 
  and Budget
    Oral Statement...............................................    22
    Written Statement............................................    24
Ms. Sylvia Burns, Chief Information Officer, U.S. Department of 
  the Interior
    Oral Statement...............................................    27
    Written Statement............................................    29
Ms. Donna K. Seymour, Chief Information Officer, U.S. Office of 
  Personnel Management
    Oral Statement...............................................    32
Mr. Michael R. Esser, Assistant Inspector General for Audits, 
  Office of Inspector General, U.S. Office of Personnel 
  Management
    Oral Statement...............................................    32
    Written Statement............................................    34

                                
                                APPENDIX

ABC News-Feds Eye Link to Private Contractor in Massive 
  Government Hack, Submitted by Rep. Maloney.....................    76
Colleen M. Kelley-NTEU Statement for the Record..................    79
RESPONSE Tony Scott-CIO OMB-Walberg Questions for the Record.....    83

 
                            OPM: DATA BREACH

                              ----------                              


                         Tuesday, June 16, 2015

                   House of Representatives
      Committee on Oversight and Government Reform,
                                                   Washington, D.C.
    The committee met, pursuant to call, at 10:11 a.m., in Room 
2247, Rayburn House Office Building, the Honorable Jason 
Chaffetz [chairman of the committee] presiding.
    Present: Representatives Chaffetz, Mica, Jordan, Walberg, 
Amash, Gosar, Massie, Meadows, DeSantis, Mulvaney, Walker, 
Hice, Russell, Carter, Grothman, Hurd, Palmer, Cummings, 
Maloney, Norton, Lynch, Connolly, Cartwright, Kelly, Lawrence, 
Lieu, Watson Coleman, Plaskett, DeSaulnier, Boyle, Welch, and 
Lujan Grisham.
    Chairman Chaffetz. The Committee on Oversight and 
Government Reform will come to order.
    Without objection, the chair is authorized to declare a 
recess at any time.
    Mr. Cummings will be with us momentarily. Another committee 
assignment is also pressing on his schedule.
    Last week we learned that the United States of America may 
have had what may be the most devastating cyber attack in our 
Nation's history, and that this may have been happening over a 
long period of time.
    As we sit here this morning, there is a lot of confusion 
about exactly what personal information for millions of current 
and former Federal employees and workers were exposed through 
the latest data breach at the Office of Personnel Management.
    OPM initially reported that the personal information of 
more than 4 million Federal employees was exposed during this 
attack. More recent public reports suggest that the breach was 
perhaps much worse than that.
    It is also unclear exactly what information was exposed. We 
would like to know what information was exposed, over what 
period of time, and who has this vulnerability.
    It would also be great to know who had conducted this 
attack. And I think we need to have candor with not only the 
Federal employees, but the American people as well.
    The breach potentially included highly sensitive personal 
background information collected through the security clearance 
applications. We would like clarity on that position as well.
    The loss of this information puts our Federal workforce at 
risk, particularly our intelligence officers and others working 
on sensitive projects throughout the globe. But we are 
concerned about each and every Federal worker and the public 
who has interacted with the Government and entrusted this 
information with the Government. We need to understand why the 
Federal Government, and OPM in particular, is struggling to 
guard some of our Nation's most important information.
    The fact that OPM was breached should come as no surprise 
given its troubled track record on data security. This has 
been going on for years and it is inexcusable.
    Each year, the Office of Inspector General reviews and 
rates its respective agency's compliance with the Federal 
Information Security standards. According to the last eight 
years of IG reports, OPM's data security posture was akin to 
leaving all the doors and windows open in your house and 
expecting that nobody would walk in and nobody would take any 
information. How wrong they were.
    Since 2007, the OPM Inspector General rated OPM's data 
security as a ``material weakness'' because the agency had no 
IT policies or procedures that can come anywhere close to 
something that could be used as an excuse for securing the 
information.
    It is unbelievable to think the agency charged with 
maintaining and protecting all personal information of almost 
all former and current Federal employees would have so few 
information technology policies or procedures in place.
    Let me just kind of read through some of the reports that 
have happened through the course of the years.
    This is the inspector general from fiscal year 2009: This 
year we are expanding the material weakness to include the 
agency's overall information security governance programs and 
incorporating our concerns about the agency's information 
security management structure. The continuing weakness at OPM's 
information security program result directly from inadequate 
governance. Most, if not all, of the exceptions we noted this 
year resulted from a lack of necessary leadership, policy, and 
guidance.
    Go to fiscal year 2010: We continue to consider the IT 
security management structure, insufficient staff, and the lack 
of policies and procedures to be a material weakness in OPM's 
IT security program.
    Fiscal year 2011: We continue to believe that the 
information security governance represents a material weakness 
at OPM's IT security program.
    Fiscal year 2012: Throughout fiscal year 2012, the OCIO, 
the Office of the Chief Information Officer, continued to 
operate with a decentralized IT security structure that did not 
have the authority or resources available to adequately 
implement new policies. However, the material weakness remains 
open in this report as the agency's IT security function 
remained decentralized throughout fiscal year 2012, FISMA 
reporting period, and because of the continued instances of 
non-compliance with FISMA requirements.
    It goes on later: The OCIO's response to our draft audit 
report indicated that they disagree with the classification of 
the material weakness because of the program that OPM has made 
with its IT security program and because there was no loss of 
sensitive data during the fiscal year. But as the inspector 
general pointed out, however, the OCIO's statement is 
inaccurate, as there were in fact numerous information security 
incidents in fiscal year 2012 that led to the loss or 
unauthorized release of mission-critical and sensitive data.
    They couldn't even decide and agree that they had lost the 
data back in fiscal year 2012, let alone actually solve the 
problem.
    Go to fiscal year 2013. Again, the inspector general: The 
findings of this audit report highlight the fact that OPM's 
decentralized governance structure continues to result in many 
instances of non-compliance with FISMA requirements; therefore, 
we are again reporting this issue as a material weakness in 
fiscal year 2013.
    Fast forward to fiscal year 2014. This is November of 2014: 
Eleven major OPM information systems are operating without 
valid authorization. This represents a material weakness in the 
internal control structure at OPM's IT security program.
    It goes on: OPM does not maintain a comprehensive inventory 
of servers, databases, and network devices. They didn't even 
know what they have. They don't even know what is in the 
inventory.
    Program offices are not adequately incorporating known 
weaknesses into plans of action and milestones, and the majority 
of systems are 120 days overdue. OPM continues to implement its 
continuous monitoring plan; however, security controls for all 
OPM systems are not adequately tested in accordance with their 
own policies. Not all OPM systems have conducted contingency 
plan tests in fiscal year 2014. Several information security 
agreements between OPM and contract operated information 
systems have expired. Multi-factor authentication is not 
required to access OPM systems in accordance with the OMB 
memorandum.
    This has been going on for a long time. And yet, when I 
read the testimony that was provided here, we are about to hear 
some say, hey, we are doing a great job. You are not. It is 
failing.
    This went on for years and it did not change. The inspector 
general found that 11 of the 47 major information systems, or 
roughly 23 percent, at OPM lacked proper security 
authorization, meaning the security of 11 major systems was 
completely outdated and unknown. Five of the 11 systems were in 
the Office of the Chief Information Officer, Ms. Seymour. They 
are in your office, which is a horrible example to be setting 
as the person in charge of the agency's data security.
    The IG only recently upgraded OPM to a ``significant 
deficiency.'' In November 2014, FISMA, over 65 percent of all 
systems operated by OPM reside on two of the systems without 
valid authorization. Sitting on two systems, no valid 
authorization, 65 percent of the information.
    For any agency to consciously disregard its data security 
for so long is grossly negligent. And the fact that the agency 
that did this is responsible for maintaining highly sensitive 
information for almost all Federal employees, in my opinion, is 
even more egregious.
    OPM isn't alone. A number of other agencies also suffered 
breaches in the last year. This later cyber hack comes on the 
heels of several data breaches across the Government, including 
the Postal Service, the State Department, the Internal Revenue 
Service, the Nuclear Regulatory Commission, and even the White 
House.
    At the same time, government is spending more and more on 
information technology. Last year, across government, we, the 
American people, spent almost $80 billion on information 
technology, and it stinks. It doesn't work, $80 billion dollars 
later. And the person in charge of security, the person who is 
in charge of making sure there is authentication of our 
systems, even in her own office there isn't the authorization 
needed.
    OPM is not alone in the blame for this failure. The Office 
of Management and Budget has the responsibility for setting 
standards for Federal cybersecurity practices, and it is OMB's 
job to hold agencies accountable for complying and enforcing 
these standards.
    The Department of Homeland Security has been given the lead 
responsibility for serving as the Federal Government's so-
called geek squad to monitor day-to-day cybersecurity 
practices, but the technical tools that DHS has deployed to try 
to protect Federal networks apparently aren't doing the job.
    While DHS has developed EINSTEIN to monitor Government 
networks, it only detects known intruders, proving that it is 
completely useless in the latest OPM hacks.
    The status quo cannot continue. We have to do better. We 
are talking about the most vital information of the most 
sensitive nature of the people that we care about most. The 
people entrust that information to OPM, and through the years 
it has been a complete and total utter failure, to the point we 
find ourselves where millions of Americans are left wondering 
what somebody knows about them. What are they supposed to do?
    And I have read the letter that you have been sending out 
to employees, and it is grossly inadequate. It is grossly 
inadequate, and that is why we are having this hearing today.
    We do appreciate you all being here.
    I think what we are going to do now is I would like to 
recognize the gentleman from Texas who is the chairman of the 
subcommittee that we have on IT. We at the Oversight and 
Government Reform Committee have set up a new subcommittee that 
deals just with IT issues.
    We are honored and pleased to have Mr. Hurd chairing that 
committee, so I will now recognize the gentleman from Texas, 
Mr. Hurd, for five minutes.
    Mr. Hurd. Thank you, Mr. Chairman.
    Not only as the head of the subcommittee, but as a former 
intelligence officer who has been through background 
investigation and whose information probably resides with OPM, 
I am concerned.
    Today's hearing is just another example of the undeniable 
fact that America is under constant attack. It is not bombs 
dropping or missiles launching; it is the constant stream of 
cyber weapons aimed at our data. From private sector 
innovations to military seekers, our enemies are attempting to 
rob this Country on a daily basis, and, unfortunately, they are 
succeeding.
    The worst of these cyber attacks are not coming from the 
caves of Afghanistan or Syria, but from air conditioned office 
buildings in China, Iran, and Russia, far from battlefields. 
These hackers work with impunity, knowing that their actions 
have no consequences.
    This is not only a question of how we can protect our 
networks and data, but of how we define the appropriate 
responses for digital and digital attacks. This is one of the 
questions I have been asking for years and I have continued to 
ask in my role as chairman of the Information Technology 
Subcommittee.
    It is no secret that Federal agencies need to improve their 
cybersecurity posture. We have years and years of reports 
highlighting the vulnerabilities of Federal agencies from 
legacy systems to poor FISMA compliance. And while there have 
been improvements, they have not kept pace with the nature of 
the threats we are facing.
    But until agency leadership takes control of these basic 
cybersecurity measures, things like strong authentication, 
network monitoring, encrypting data, and segmentation, we will 
always be playing catch-up against our highly sophisticated and 
well-resourced adversaries.
    I welcome the witnesses here today and look forward to 
their testimony.
    Thank you, Mr. Chairman. I yield back.
    Chairman Chaffetz. I thank the gentleman.
    We will now recognize the gentlewoman from Illinois, the 
ranking member of the subcommittee on IT, Ms. Kelly, for five 
minutes.
    Ms. Kelly. Thank you, Mr. Chair.
    I want to thank our expert witnesses for their 
participation today, and I thank the chairman and ranking 
member for holding this important hearing on the OPM data 
breach.
    As you know, I have the privilege of serving as the ranking 
member of the IT subcommittee. The issue of data breach is 
something that Chairman Hurd and I are quite concerned with, 
and we are looking forward to working with our colleagues to be 
active in addressing this issue.
    All of us here today should be quite concerned. The OPM 
breach has raised significant questions about how adequately 
the personnel information of government employees is stored on 
government networks. We know that every day our government and 
American businesses face a barrage of cyber threats.
    We are reminded of many of the high-profile breaches on 
some of our Nation's most important companies, but there are 
everyday cyber intrusions of our data that aren't making the 
headlines. Whether it is criminals beyond our borders profiting 
from fraud and identity theft, domestic competitors who steal 
intellectual property to gain advantage, or hacktivists looking 
to make a statement against governments, cyber crime threatens 
our national security and economic prosperity.
    Data breaches probably won't end any time soon, but they 
are something that we can be more aggressive in addressing. As 
we catch on to cyber attackers' methods, these bad actors will 
look to innovate their way around newly integrated cyber 
defenses. This is why we must be just as innovative. That is 
why we must have a frank conversation today and prepare a 
multi-front strategy to ward off and diminish the possibility 
of future data breaches.
    So I thank the committee and our witnesses again for this 
opportunity to examine the OPM attack and, with that, I yield 
back.
    Chairman Chaffetz. I thank the gentlewoman.
    It is our intention to hear the ranking member's, Mr. 
Cummings, statement, but I think what we will do now is swear 
in the witnesses, hear their statements, then we will go to Mr. 
Cummings before we get to questions, if that is okay with 
everybody.
    I will also hold the record open for five legislative days 
for any members who would like to submit a written statement.
    We will now recognize our first panel of witnesses.
    We are pleased to welcome the Honorable Katherine 
Archuleta, who is the Director of Office of Personnel 
Management; Dr. Andy Ozment, Assistant Secretary of the Office 
of Cybersecurity and Communications at the National Program 
Preparedness Directorate at the United States Department of 
Homeland Security; Mr. Tony Scott, U.S. Chief Information 
Officer of the Office of E-Government and Information 
Technology at the U.S. Office of Management and Budget; Ms. 
Sylvia Burns, Chief Information Officer of the United States 
Department of Interior; Ms. Donna Seymour, Chief Information 
Officer of the United States Office of Personnel Management; 
and Mr. Michael Esser, Assistant Inspector General for Audits, 
Office of The Inspector General at the United States Office of 
Personnel Management.
    We welcome you all.
    Pursuant to committee rules, witnesses are all to be sworn 
before they testify. If you will please rise and raise your 
right hand.
    Do you solemnly swear or affirm that the testimony you are 
about to give will be the truth, the whole truth, and nothing 
but the truth?
    [Witnesses respond in the affirmative.]
    Chairman Chaffetz. Thank you. Please be seated.
    Let the record reflect that all witnesses answered in the 
affirmative.
    In order to allow time for discussion, we would appreciate 
your limiting your testimony to five minutes. Again, please 
limit your comments to five minutes. I will be a little bit 
generous, but five minutes, if you could, and then your entire 
written statement will be entered into the record.
    At the conclusion of those, then we will hear from Mr. 
Cummings with his opening statement and we will go to questions 
from there.
    So, with that, we will now recognize Ms. Archuleta, the 
Director of the Office of Personnel Management, and you are now 
recognized for five minutes.

                       WITNESS STATEMENTS

         STATEMENT OF THE HONORABLE KATHERINE ARCHULETA

    Ms. Archuleta. Chairman Chaffetz, Ranking Member Cummings, 
and members of the committee, I am here today to talk to you 
about two successful intrusions into OPM's systems and data. 
But first I want to deliver a message to Federal employees, 
retirees, and their families. The security of their personnel 
data is of paramount importance. We are committed to full and 
complete investigation of these incidents and are taking 
actions to mitigate vulnerabilities exposed by their 
intrusions.
    When I was sworn in as Director 18 months ago, I recognized 
that in order to build and manage an engaged, inclusive and 
well-trained workforce, that we would need a thorough 
assessment of the state of information technology at OPM. I 
immediately became aware of vulnerabilities in our aging legacy 
systems and I made the modernization and the security of our 
network one of my top priorities.
    Government and non-government entities are under constant 
attack by evolving and advanced persistent threats and criminal 
actors. These adversaries are sophisticated, well-funded, and 
focused. These attacks will not stop. If anything, they will 
increase.
    Within the last year, we have undertaken an aggressive 
effort to update our cybersecurity posture, adding numerous 
tools and capabilities to our networks. As a result, in April 
of 2015, an intrusion that predated the adoption of these 
security controls was detected. We immediately contacted the 
Department of Homeland Security and the FBI, and together with 
these partners, initiated an investigation to determine the 
scope and the impact of the intrusion. In May, the interagency 
incident response team concluded that the exposure of personnel 
records had occurred, and notifications to affected individuals 
began on June 8th and will continue through June 19th.
    As part of our ongoing notification process, we are 
continuing to learn more about the systems that contributed to 
individuals' data potentially being compromised. These 
individuals were included in the previously identified 
population of approximately 4 million individuals and are being 
appropriately notified. For example, we have now confirmed that 
any Federal employee from across all branches of government 
whose organization submitted service history records to OPM may 
have been compromised, even if their full personnel file is not 
stored on OPM's system.
    During the course of the ongoing investigation, the 
interagency incident response team concluded later in May that 
additional systems were likely compromised. This separate 
incident, which also predated deployment of our new security 
tools and capabilities, remains under investigation by OPM and 
our interagency partners.
    However, there is a high degree of confidence that systems 
related to background investigations of current, former and 
prospective Federal Government employees and those for whom a 
Federal background investigation was conducted may have been 
exfiltrated. While we have not yet determined its scope or its 
impact, we are committed to notifying those individuals whose 
information may have been compromised as soon as practicable.
    Throughout these investigations, we have provided regular 
updates to congressional leadership and the relevant committees 
of these incidents. But for the fact that we implemented new, 
more stringent security tools, we would have never known that 
malicious activity had previously existed on that network and 
would not have been able to share that information for the 
protection of the rest of the Federal Government.
    In response to these incidents and working with our 
partners at DHS, we have immediately implemented additional 
security measures to protect sensitive information and to take 
steps toward building a simplified, modern, and flexible 
network structure. We continue to execute on our aggressive 
plan to modernize OPM's platform and bolster security tools.
    Our 2016 budget request includes an additional $21 million 
above 2015 funding levels to further the support of the 
modernization of our IT infrastructure, which is critical to 
protecting data from the persistent adversaries we face. This 
funding will help us sustain the network security upgrades and 
maintenance initiated in fiscal year 2014 and fiscal year 2015 
to improve our cyber posture, including advanced tools such as 
database encryption, stronger firewalls, storage devices, and 
masking software. The funding will also support the redesign of 
OPM's legacy network.
    Thank you for this opportunity to testify today and I am 
happy to address any questions you may have.
    [Prepared statement of Ms. Archuleta follows:]
    
    Chairman Chaffetz. Thank you.
    Dr. Ozment.

                    STATEMENT OF ANDY OZMENT

    Mr. Ozment. Chairman Chaffetz, Ranking Member Cummings, and 
members of the committee, I appreciate the opportunity to 
appear before you today.
    Like you, my fellow panelists, and countless Americans, I 
am deeply concerned about the recent compromise at OPM. I am 
personally dedicated to ensuring that we take all necessary 
steps to protect our Federal workforce and to drive forward the 
cybersecurity of the entire Federal Government.
    Director Archuleta and my written statement both spoke to 
the facts of the OPM incident, so I want to focus my remarks on 
how DHS is accelerating our efforts to protect the Federal 
Government.
    This morning I will discuss how the Department of Homeland 
Security is protecting civilians, Federal agencies, and helping 
those agencies better protect themselves.
    Under legislation passed by this Congress last year, 
Federal agencies are responsible for their own cybersecurity. 
However, DHS provides a common baseline of security across the 
civilian government and helps agencies better manage their 
cyber risks through four key efforts. First, we protect 
agencies by providing a common set of capabilities through the 
EINSTEIN and Continuous Diagnostics and Mitigation, or CDM, 
programs. Second, we measure and motivate agencies to implement 
best practices; third, we serve as a hub for information 
sharing. Finally, we provide incident response assistance when 
agencies suffer a cyber intrusion.
    I will focus this morning on the first area, how DHS 
provides a baseline of security across the Federal Government 
through EINSTEIN and CDM. I have described the other three 
areas in my written statement and am happy to take your 
questions on them.
    Our first line of defense against cyber threats is the 
EINSTEIN system, which protects agencies at the perimeter. A 
useful analogy is that of a physical government facility. In 
this analogy with the physical world, EINSTEIN 1 is similar to 
a camera at the entrance to the facility that records the 
traffic coming and going, and identifies anomalies in the 
number of cars.
    EINSTEIN 2 adds the ability to detect suspicious cars based 
upon a watch list and to alert security personnel when a 
prohibited vehicle is identified. EINSTEIN 2 does not stop 
cars, but it does set off an alarm.
    EINSTEIN 1 and 2 are fully deployed in screening 
approximately 90 percent of all Federal civilian traffic, all 
of the traffic that goes through trusted Internet connections.
    The latest phase of the program, known as EINSTEIN 3A, is 
akin to a guard post at the highway that leads to multiple 
government facilities. EINSTEIN 3A uses classified information 
to look at the cars and compare them with a classified watch 
list. It then actively blocks prohibited cars from entering the 
facility.
    We are accelerating our efforts to protect all civilian 
agencies with EINSTEIN 3A. The system now covers 15 Federal 
civilian agencies, with over 930,000 Federal personnel, which 
is approximately 45 percent of the civilian government, and 
those are protected with at least one of two security 
countermeasures. That is about double the coverage we had just 
nine months ago.
    During this time, EINSTEIN 3A has blocked over 550,000 
attempts to access potentially malicious Web sites, which is 
one of our two countermeasures. EINSTEIN played a key role in 
identifying the recent compromise of OPM data at the Department 
of Interior.
    As we accelerate EINSTEIN deployment, we also recognize 
that security cannot be achieved through only one type of tool. 
EINSTEIN will never be able to block every threat. For example, 
it must be complemented with systems and tools to monitor 
inside agency networks. Our CDM program addresses this 
challenge.
    Returning to our analogy of a government facility, CDM 
Phase 1 allows agencies to continuously check building locks 
and security cameras to ensure they are operated as intended. 
Continuing the analogy, the next two phases will monitor 
personnel in the facility to ensure they are not engaged in 
unauthorized activity, and it will assess activity across the 
facility to detect unusual patterns.
    We have provided CDM Phase 1 capabilities to eight 
agencies, covering over 50 percent of the Federal Government, 
and we expect to cover 97 percent of the Government by the end 
of this fiscal year.
    Now, the deadlines I have just given you are when DHS will 
provide a given capability. It will take a few additional 
months for agencies to fully implement their side of both 
EINSTEIN and CDM once they are available. And, of course, 
agencies must supplement EINSTEIN and CDM with additional tools 
appropriate to their needs.
    I would like to conclude by noting that Federal agencies 
are a rich target and will continue to experience frequent 
attempted intrusions. This problem is not unique to the 
government. As our detection methods continue to improve, we 
will in fact detect more incidents, incidents that are already 
occurring and we just didn't know it yet.
    The recent breach of OPM is emblematic of this trend, as 
OPM was able to detect the intrusion by implementing 
cybersecurity best practices recommended by DHS. We are facing 
a major challenge in protecting our most sensitive information 
against sophisticated, well resourced, and persistent 
adversaries.
    Further, the entire Nation is now making up for 20 years of 
under-investment in our Nation's cybersecurity in both the 
public and private sectors. In response, we in the government 
are accelerating the deployment of the tools we have and are 
bringing cutting-edge capabilities online, and we are asking 
our partner agencies and Congress to take action and work with 
us to strengthen the cybersecurity of Federal agencies.
    Thank you again for the opportunity to appear today, and I 
look forward to any questions.
    [Prepared statement of Mr. Ozment follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chairman Chaffetz. Thank you.
    Mr. Scott, you have a very impressive background. Your 
joining the Federal Government is much appreciated. We look 
forward to hearing your testimony. You are now recognized for 
five minutes.

                    STATEMENT OF TONY SCOTT

    Mr. Scott. Thank you, Chairman Chaffetz, Ranking Member 
Cummings, members of the committee. Thank you for the 
opportunity to appear before you today. And I appreciate the 
opportunity to speak with you about recent cyber incidents 
affecting Federal agencies.
    I would like to start by highlighting a very important 
point, which has been mentioned already and of which I am sure 
you are aware. Both state and non-state actors who are well 
financed, highly motivated, and persistent are attempting to 
breach both government and non-government systems every day, 
and these attempts are not going away. They will continue to 
accelerate on two fronts, first, the attacks will become more 
sophisticated and, second, as we remediate and strengthen our 
own practices, our detection capabilities will improve. But 
that means we have to be as nimble, as aggressive, and as well-
resourced as those who are trying to break into our systems.
    Confronting cybersecurity threats on a continuous basis is 
our Nation's new reality, a reality that I faced in the private 
sector and am continuing to see here in my new role as Federal 
Chief Information Officer.
    As Federal CIO, I lead the Office of Management and 
Budget's Office of E-Government and Information Technology. My 
office is responsible for developing and overseeing the 
implementation of Federal information technology policy. And 
even though my team has a variety of responsibilities, I will 
focus today's remarks on cybersecurity.
    Under the Federal Information Security Modernization Act of 
2014, most of us know this as FISMA, OMB is responsible for 
Federal information security oversight and policy issuance. OMB 
executes its responsibilities in close coordination with its 
Federal cybersecurity partners, including the Department of 
Homeland Security and the Department of Commerce National 
Institute of Standards and Technology.
    As I mentioned in front of this committee in April, OMB 
also recently announced the creation of the first ever 
dedicated cybersecurity unit within my office. This is the team 
that is behind the work articulated in the fiscal year 2014 
FISMA report which highlighted both the successes and 
challenges facing Federal agencies' cybersecurity programs.
    In fiscal year 2015, the E-Gov Cyber Unit is targeting 
oversight through CyberStat reviews, prioritizing agencies with 
high risk factors as determined by cybersecurity performance 
and incident data. My colleagues will fully address the recent 
cyber incidents affecting the Office of Personnel Management, 
known as OPM.
    In terms of the role of OMB, my office monitors very 
closely all reports of incidents affecting Federal networks and 
systems. We use these reports to look for trends and patterns, 
as well as for areas where our government-wide processes, 
policies, and practices can be strengthened. We then update our 
guidance and coordinate with other agencies to ensure that that 
guidance is implemented.
    As you heard from me last week, the recently-passed Federal 
Information Technology Acquisition Reform Act, known as FITARA, 
and our guidance associated with that legislation strengthens 
the role of the CIO in agency cybersecurity.
    In this case, OPM notified OMB in April 2015 of an incident 
affecting data in transit in its network. OPM reported that 
they were working closely with various government agencies on a 
comprehensive investigation and response to this incident. We 
have been actively monitoring the situation and have engaged in 
making sure that there is a government-wide response to the 
events at OPM.
    To further improve Federal cybersecurity infrastructure and 
to protect systems against these evolving threats, OMB launched 
a 30-day Cybersecurity Sprint last week. The Sprint will focus 
on two areas: first, an interagency team is creating a set of 
action plans and strategies to further address critical 
cybersecurity priorities; second, agencies were directed to 
accelerate efforts to deploy threat indicators, patch critical 
vulnerabilities, and tighten policies and practices for 
privileged users, and to dramatically accelerate implementation 
of multi-factor authentication.
    In closing, I want to underscore a critical point I made at 
the beginning of this testimony: both State and non-State 
actors are attempting to breach government and non-government 
systems in a very aggressive way. It is not going to go away, 
and we are going to see more of it. Ensuring the security of 
information on Federal Government networks and systems will 
remain a core focus of the Administration as we move 
aggressively to implement innovative protections and response 
to new challenges as they arise. In addition to the actions we 
are taking, we also look forward to working with Congress on 
legislative actions that may further protect our Nation's 
critical networks and systems.
    I thank the committee for holding this hearing and for your 
commitment to improving Federal cybersecurity. I would be 
pleased to answer any questions you may have.
    [Prepared statement of Mr. Scott follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chairman Chaffetz. Thank you.
    Ms. Burns, you are now recognized for five minutes.

                   STATEMENT OF SYLVIA BURNS

    Ms. Burns. Thank you. Good morning, Chairman Chaffetz, 
Ranking Member Cummings, and distinguished members of the 
committee. My name is Sylvia Burns and I am the Chief 
Information Officer for the U.S. Department of the Interior. I 
appreciate the opportunity to testify regarding DOI's efforts 
to secure and protect agency, customer, and employee data in 
the wake of a recently discovered cyber intrusion.
    Additionally, we appreciate having had the opportunity to 
provide a classified briefing on the cyber intrusion for 
members of your committee staff and other congressional staff 
on May 21st, 2015.
    Cyber intruders executed very sophisticated tactics to 
obtain unauthorized access to OPM data hosted in a DOI data 
center which contained sensitive personally identifiable 
information. The incident was and remains under active 
investigation. At present, the effort has not discovered 
evidence that any data other than OPM data was exfiltrated.
    DOI has initiated a major planning effort to address short, 
medium and long-term remediation to strengthen our security 
protections and reduce risks to the Department, our employees, 
our customers, and our partners. DOI takes the privacy and 
security of this data very seriously.
    In April, DHS's U.S. Computer Emergency Readiness Team, 
US-CERT, informed DOI about potential malicious activity which 
was later determined to be a sophisticated intrusion on DOI's 
network. DOI immediately began working with US-CERT, the FBI, 
and other Federal agencies to initiate an investigation and 
determine what information may have been compromised. DOI 
allowed DHS and the other investigating agencies immediate 
access to the DOI computer systems and DOI dedicated people to 
support the investigation.
    Although there is evidence that the adversary had access to 
the DOI data center's overall environment, today the 
investigation has not discovered evidence that any data other 
than OPM data was exfiltrated. However, the investigation 
remains ongoing.
    Concurrent with the investigation, DOI immediately 
initiated a major planning effort to address short, medium and 
long-term remediation to strengthen our cybersecurity 
protections. We undertook those efforts in the context of other 
cybersecurity improvements which were already underway pursuant 
to the Department's commitment to the Administration's 
cybersecurity cross-agency priority goals, as well as DHS's CDM 
program. We have now accelerated our work on preexisting 
efforts while devising and implementing new security measures 
in consultation with the investigating agencies with the 
expertise related to this particular threat.
    Activities underway include working with DHS to scan for 
specific malicious indicators across the entire DOI network. As 
part of DHS's binding operational directive, we are identifying 
and mitigating critical IT security vulnerabilities for all 
internet-facing systems, and at the direction of the Secretary 
and Deputy Secretary we are doing the same for all of DOI's IT 
systems. This includes systems that are for DOI's internal use 
as well as systems for the public and non-DOI users.
    We are acquiring and implementing new capabilities that 
will help us to detect and respond quickly to new intrusions. 
We continue to meet with interagency partners to learn about 
their activities and leverage their knowledge to make 
additional improvements to our cybersecurity posture at DOI. We 
are fully enabling two-factor authentication for all users.
    DOI's existing long-term plan includes several agency-wide 
strategic initiatives, including continuing our commitment to 
DHS's CDM program. We are almost done implementing hardware and 
software asset management, and we will be adding new 
capabilities for application whitelisting, network access 
control, and dashboarding functionality to provide a 
comprehensive view of the Department's security posture.
    We are strengthening DOI's cybersecurity and privacy 
workforce so that we have knowledgeable and experienced people 
to address current and future threats facing the agency. We are 
designing and implementing increased network segmentation so 
that, if an intrusion occurs within one component of our 
network, we can better limit the extent of the exposure. We are 
evaluating data protection technologies, such as information 
rights management, for potential future investments.
    Again, DOI takes the privacy and security of its data very 
seriously. We are committed to supporting and continuing the 
investigation regarding the incident affecting OPM data. 
Furthermore, we will continue to be an active participant in 
the ongoing efforts by the Federal Government to improve our 
Nation's overall cybersecurity posture.
    Chairman Chaffetz, Ranking Member Cummings, and members of 
the committee, this concludes my prepared statement. I would be 
happy to answer any questions that you may have.
    [Prepared statement of Ms. Burns follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chairman Chaffetz. Thank you.
    Ms. Seymour, you are now recognized for five minutes.

                 STATEMENT OF DONNA K. SEYMOUR

    Ms. Seymour. My remarks were included with the Director. 
Thank you for having me here today, Chairman Chaffetz and 
Ranking Member Cummings, and I will be happy to answer 
questions.
    Chairman Chaffetz. Mr. Esser, you are now recognized for 
five minutes.

                 STATEMENT OF MICHAEL R. ESSER

    Mr. Esser. Chairman Chaffetz, Ranking Member Cummings, and 
members of the committee, good morning. My name is Michael R. 
Esser. I am the Assistant Inspector General for Audits at the 
U.S. Office of Personnel Management.
    Thank you for inviting me to testify at today's hearing on 
the IT security audit work performed by the OPM Office of the 
Inspector General.
    Today I will be discussing OPM's long history of systemic 
failures to properly manage its IT infrastructure, which we 
believe ultimately led to the breaches we are discussing today.
    There are three primary areas of concern that we have 
identified through our audits during the past several years: 
information security governance, security assessment and 
authorization, and technical security controls.
    Information security governance is the management structure 
and processes that form the foundation of a successful security 
program.
    For many years, OPM operated in a decentralized manner, 
with the agency's program offices managing their IT systems. 
The agency's CIO had ultimate responsibility for protecting 
these systems, but often did not have the access or control to 
do so. The program office staff responsible for IT security 
frequently had no IT background and performed this function in 
addition to their other full-time roles.
    As a result of this decentralized structure, many security 
controls remained unimplemented or untested, and all of our 
FISMA audits between 2007 and 2013 identified this as a serious 
concern.
    However, in 2014, OPM took steps to centralize IT security 
responsibility with the CIO. This new structure has resulted in 
improvement in the consistency and quality of security 
practices at OPM. Although we are optimistic about these 
improvements, it is apparent that the OCIO is still negatively 
impacted by years of decentralization.
    The second topic is security assessments and authorization. 
This is a comprehensive assessment of each IT system to ensure 
that it meets the applicable security standards before allowing 
the system to operate.
    OPM has a long history of issues related to system 
authorization as well. In 2010 and 2011 we noted serious 
concerns in this area, but, after improvements were made, 
removed it as an audit concern in 2012.
    However, problems with OPM system authorizations have 
reappeared. In 2014, 21 OPM systems were due to receive a new 
authorization, but 11 were not authorized by year-end. 
Recently, the OCIO has temporarily put authorization efforts on 
hold while it modernizes OPM's IT infrastructure in response to 
security breaches, and so it is likely that the number will 
increase. While we support the effort to modernize systems, we 
believe that authorization activities should continue.
    The third topic relates to OPM's use of technical security 
controls. OPM has implemented a variety of controls and tools 
to make the agency's IT systems more secure. However, such 
tools are only helpful if they are used properly and cover the 
entire technical infrastructure. We have concerns that they are 
not.
    For example, we were told that OPM performs vulnerability 
scans on all computer servers using automated scanning tools. 
Although OPM was performing the scans, our audit also found 
that some were not done correctly and that some servers were 
not scanned at all.
    One significant control that is lacking altogether is the 
requirement for PIV credentials for two-factor authentication 
to access information systems. We also determined that OPM does 
not have an accurate centralized inventory of all servers and 
databases. Even if all OPM security tools were being used 
properly, OPM cannot fully defend its network without a 
comprehensive list of assets.
    In closing, it is clear that even though security 
responsibility is now highly centralized under the OCIO, the 
recent security breaches indicate that OPM still has 
significant work to do to identify all of the assets and data 
that it is tasked with protecting and then take the steps to do 
so.
    Thank you for your time, and I am happy to answer any 
questions you may have.
    [Prepared statement of Mr. Esser follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chairman Chaffetz. Thank you.
    We now recognize the ranking member, Mr. Cummings of 
Maryland, for five minutes.
    Mr. Cummings. Thank you very much, Mr. Chairman.
    The recent cyber attack against the Office of Personnel 
Management is the latest in a series of aggressive attacks 
against our Nation in both the public and private sectors.
    I want to put up a slide that lists some of the most 
significant breaches over the past few years.
    [Slide shown.]
    Mr. Cummings. Anthem, 80 million people; JPMorgan, 76 
million people; Target, 70 million people; OPM, at least 4 
million so far. Then there was the Postal Service, Sony 
Pictures, and USIS. This is not a comprehensive list by any 
means.
    Ladies and gentlemen, when you see this list, the picture 
is clear: the United States of America is under attack. 
Sophisticated cyber spies, many from foreign countries, are 
targeting the sensitive personal information of millions, 
millions of Americans. They are attacking our government, our 
economy, our financial sector, our healthcare system, and 
virtually every single aspect of our lives.
    For more than two years I have been pressing for our 
committee to investigate these cyber attacks, so I thank the 
chairman for holding today's hearing, and I hope we will hold 
similar hearings on many of these other attacks as well.
    With respect to the attack against OPM, my primary concern 
is who was targeted, government workers, and what foreign 
governments could do with this information. I have several 
questions for OPM.
    How many Federal employees were indeed affected? What kind 
of information was compromised? And what steps are being taken 
to help these employees now? I also want to know how these 
attackers got inside of OPM's networks.
    Last year, cyber attackers penetrated the networks of USIS 
and Keypoint, two contractors that perform background checks 
for security clearances on behalf of OPM.
    One of the most critical questions we have today is, did 
these cyber attackers gain access to OPM's data systems using 
information they stole from USIS or Keypoint last year. Did 
they get the keys to OPM's network from one of its contractors?
    Mr. Chairman, I asked you to invite both Keypoint and USIS 
representatives here to testify today. You agreed to invite 
USIS, but last night they refused, just as they have refused 
repeated requests for information over the past year. They did 
not offer someone else they thought would be appropriate; they 
simply refused.
    I do not say this lightly, Mr. Chairman, but I believe USIS 
and its parent company may now be obstructing this committee's 
work. We have suggested previously that the committee hold a 
transcribed interview. Given the history of noncompliance at 
USIS, I believe this may be one of the only ways to obtain the 
information we are seeking.
    Mr. Chairman, over the past two years I have also been 
pressing to investigate ways to better protect personal 
information that belongs to the American people: their 
financial records, their medical records, their credit card 
information, their Social Security numbers, and a host of other 
information they want to keep secure.
    I sought advice from some of the Nation's top information 
security experts in private business and government. These 
experts warn that we cannot rely primarily on keeping the 
attackers out. We need to operate with the assumption that the 
attackers are already inside. They are already there.
    Last week, one of the world's foremost cybersecurity firms, 
Kaspersky Labs, was penetrated in a cyber attack, and, 
according to FireEye, one of the companies my staff spoke with, 
the average amount of time a hacker remains undetected is more 
than 200 days. That is a lot of time.
    Obviously, we need strong firewalls and other defenses to 
keep attackers out. But experts recommend much more aggressive 
measures to wall off or segregate data systems to minimize the 
impact of inevitable data breaches in the future. Practices 
like data masking, redaction and encryption must become the 
norm rather than the exception.
    Finally, we need to remember who the bad guys are here. 
They are not U.S. companies or Federal workers who are trying 
to keep our information safe. The bad guys are the foreign 
nations and other entities behind these devastating attacks.
    According to law enforcement officials, North Korea, China, 
Russia, and Iran are the most advanced persistent threats to 
this Nation's cybersecurity. So, as we move forward today, I 
want to caution everyone that as much as we want to learn about 
this attack, we have to do so in a responsible way. A lot of 
the information about the attack is classified, and the last 
thing we want to do is give our enemies information or 
compromise active law enforcement investigations.
    We are having a classified briefing for members at 1:00 
p.m. today, so I encourage everyone to attend.
    As I close, Mr. Chairman, I want to thank you again for the 
bipartisan approach that you have taken on this issue, and I 
hope we can continue to investigate these and other breaches to 
identify common threats against our Country and the best ways 
to counter them.
    With that, I yield back.
    Chairman Chaffetz. Thank you.
    I now recognize myself for five minutes.
    Ms. Archuleta, my question for you is, how big was this 
attack? How many Federal workers have been compromised? We have 
heard 4 million, we have heard 14 million. What is the right 
number?
    Ms. Archuleta. During the course of the ongoing 
investigation into the cyber intrusion of OPM, the compromise 
of personnel records of current and former Federal employees 
that we announced last week, that number is approximately 4.2 
million. In addition, in the investigation of that breach, we 
discovered, as I mentioned in my testimony, an additional OPM 
system was compromised, and these systems included information 
based on the background investigations of current, former, and 
prospective Federal Government employees, as well as other 
individuals.
    Because different agencies feed into OPM background 
investigation systems in different ways, we are working with 
the agencies right now to determine how many of their employees 
were affected. We do not have that number at this time, but we 
will get back to you once we have more information.
    Chairman Chaffetz. What is your best estimate? Is the 14 
million wrong or accurate?
    Ms. Archuleta. As I said before, we do not have an estimate 
because this is an ongoing investigation.
    Chairman Chaffetz. How far back does it go? You are talking 
about former employees, current employees, and potential 
employees, so how far back does this information go that was in 
your system?
    Ms. Archuleta. Thank you for that question, Mr. Chaffetz. I 
would have to respond again because it is an ongoing 
investigation----
    Chairman Chaffetz. It has nothing to do with impeding an 
investigation. You should know what information you have and 
what you don't. So this is not going to slow down any 
investigation. People have a right to know. The employees have 
a right to know. How far back does your information and 
database go that was compromised?
    Ms. Archuleta. The legacy systems date back to 1985, but I 
do not----
    Chairman Chaffetz. So anything that is 1985----
    Ms. Archuleta. No, sir, that would not be correct.
    Chairman Chaffetz. You don't know. Does it include military 
personnel?
    Ms. Archuleta. As I said, this is an ongoing investigation.
    Chairman Chaffetz. It is a yes or no question. Does it 
include military personnel?
    Ms. Archuleta. I would be glad to discuss that in a 
classified setting.
    Chairman Chaffetz. Does it include contractor information?
    Ms. Archuleta. Again, I would be glad to discuss that in a 
classified setting.
    Chairman Chaffetz. There is nothing classified as to what 
information this includes. Does it include CIA personnel?
    Ms. Archuleta. I would be glad to discuss that in a 
classified setting.
    Chairman Chaffetz. Does it include anybody who has filled 
out SF 86, the Standard Form 86?
    Ms. Archuleta. The individuals who have completed an SF 86 
may be included in that, and we can provide additional 
information in a classified setting.
    Chairman Chaffetz. Why wasn't this information encrypted?
    Ms. Archuleta. The encryption is one of the many tools that 
systems can use. I will look to my colleagues at DHS for their 
response.
    Chairman Chaffetz. No, I want to know from you why the 
information wasn't encrypted. This is personal, sensitive 
information; birth dates, Social Security numbers, background 
information, addresses. Why wasn't it encrypted?
    Ms. Archuleta. Data information encryption is valuable----
    Chairman Chaffetz. Yeah, it is valuable. Why wasn't it?
    Ms. Archuleta.--and is an industry best practice. In fact, 
our cybersecurity framework promotes encryption as a key 
protection method.
    Chairman Chaffetz. Why didn't you----
    Ms. Archuleta. Accordingly, OPM does utilize encryption----
    Chairman Chaffetz. We didn't ask you to come read 
statements. I want to know why you didn't encrypt the 
information.
    Ms. Archuleta. An adversary possessing proper credentials 
can often decrypt data. It is not feasible to implement on 
networks that are too old. The limitations on encryption's 
effectiveness are why OPM is taking other steps such as limiting 
administrator accounts and requiring multi-factor 
authentication.
    Chairman Chaffetz. Okay, well, it didn't work, so you 
failed. Okay? You failed utterly and totally. So the inspector 
general, November 12th, 2014, we recommend that the OPM 
director consider shutting down information systems that do not 
have current and valid authorization, and you chose not to. 
Why?
    Ms. Archuleta. I appreciate the report by the IG. We work 
very closely with our IG and take very seriously----
    Chairman Chaffetz. Okay, but he had a very serious 
recommendation to shut down the system. That is how bad it was. 
And you said no.
    Ms. Archuleta. I would like to turn that over to my 
colleague.
    Chairman Chaffetz. No, I would like you to answer that 
question. It says we recommend that the OPM director consider 
shutting it down. Your response back from the Office of Chief 
Information Officer, ``The IT program managers will work with 
the ISSOs to ensure that OPM systems maintain current ATOs and 
that there are no interruptions to OPM's mission operation.'' 
Basically, you said no.
    The inspector general was right. Your systems were 
vulnerable. The data was not encrypted. It could be 
compromised. They were right last year. They recommended, it 
was so bad, that you shut it down, and you didn't, and I want 
to know why.
    Ms. Archuleta. There are many responsibilities we have with 
our data, and to shut down the system we need to consider all 
of the responsibilities we have with the use of our systems.
    Chairman Chaffetz. So you made a conscious decision knowing 
that it was vulnerable, that all these millions of records of 
Federal employees were out there? The inspector general pointed 
out the vulnerability and you said no, we are not making a 
change.
    Ms. Archuleta. As the director of OPM, I have to take into 
consideration all of the work that we must do. It was my 
decision that we would not, but continue to develop the system 
and make sure that we have the security within those systems.
    Chairman Chaffetz. And did you do that? You didn't. You 
didn't, did you? That didn't happen, did it?
    Ms. Archuleta. The recommendation to close down our systems 
came after the adversaries were already in our network.
    Chairman Chaffetz. When did they get in network?
    Ms. Archuleta. It was as a result of our security systems 
that we were able to detect this intrusion.
    Chairman Chaffetz. When did they get into the system?
    Ms. Archuleta. We detected the intrusion in April.
    Chairman Chaffetz. Of?
    Ms. Archuleta. Of 2015.
    Chairman Chaffetz. But in November 2014 you didn't know if 
they were in there, did you?
    Ms. Archuleta. No, we did not. We did not have the security 
systems installed at that time. It was because we were able to 
add those security systems that we were able to detect.
    Chairman Chaffetz. So you detected the system? It wasn't a 
software provider? You found it yourself?
    Ms. Archuleta. OPM detected the intrusion.
    Chairman Chaffetz. So The New York Times and the others who 
wrote that were wrong?
    Ms. Archuleta. That is correct.
    Chairman Chaffetz. Two more questions, with your indulgence 
here. How many people have received letters?
    Ms. Archuleta. There is a rolling number. As we work from 
the first date of notification, January 8th, we will complete 
the notification to 4.2 million by June 19th. I am sorry I 
don't have the exact number as of today. I would be glad to get 
that information for you.
    Chairman Chaffetz. One last question, with everybody's 
indulgence here.
    Ms. Archuleta, there was a data breach at OPM in July of 
2014, okay? This is what you said about Ms. Seymour. In 
December, I was very fortunate to bring Donna Seymour, from the 
Department of Defense, onboard. She has great experience with 
the IT world and has brought her talents to OPM. It was because 
of her leadership and her dedicated employees that we were able 
to make sure that none of this personal identifiable 
information was compromised.
    This was July of 2014. You cited her and the data breach as 
making sure that none of the personal identifiable information 
got out the door. Now that it has been hacked, are you going to 
give her that same amount of credit?
    Ms. Archuleta. I do give her that same amount of credit, 
sir. When I began my tenure as the Director of OPM, one of my 
first priorities was to develop an IT strategic plan and to 
develop the important pillar of cybersecurity within our 
systems. We have worked very hard since that time, and as we 
update these legacy systems it is important that we recognize 
that there is a persistent and aggressive effort on the part of 
these actors to not only intrude in our system, but systems 
throughout government and, indeed, in the private sector.
    Chairman Chaffetz. Well, you have completely and utterly 
failed in that mission if that was your objective. The 
inspector general has been warning about this since 2007. There 
has been breach after breach. He recommended shutting it down 
last year and you, you made a conscious decision to not do 
that. You kept it open. The information was vulnerable and the 
hackers got it.
    I don't know if it was the Chinese, the Russians, or 
whoever else, but they have it, and they are going to prey upon 
the American people. That is their goal and objective, and you 
made a conscious decision to leave that information vulnerable. 
It was the wrong decision. It was in direct contradiction to 
what the inspector general said should happen, and he had been 
warning about it for years.
    Ms. Archuleta. I would note that in the IG's report that he 
acknowledges the fact that we have taken important steps in 
reforming our IT systems. Advanced tools take time.
    Chairman Chaffetz. So what kind of grade would you give 
yourself? Are you succeeding or failing?
    Ms. Archuleta. Cybersecurity problems take decades.
    Chairman Chaffetz. We don't have decades. They don't take 
decades.
    Ms. Archuleta. I am sorry, cybersecurity problems are 
decades in the making. The whole of government is responsible, 
and it will take all of us to solve the issue and continue to 
work on them. My leadership with OPM is one that instigated the 
improvements and changes that recognized the attack.
    Chairman Chaffetz. I yield back.
    I recognize the ranking member, Mr. Cummings, for as much 
time as he wants.
    Mr. Cummings. Thank you very much, Mr. Chairman.
    Ms. Seymour, this data breach is particularly concerning 
because the individuals who were targeted were government 
employees and the suspected attackers are foreign entities. I 
am concerned that this breach may pose a national security 
threat.
    According to a statement from OPM, the personal information 
of approximately 4 million current and former Federal employees 
was compromised in this breach. What can you tell us about the 
type of personal information that was compromised in this 
breach?
    Ms. Seymour. Thank you for the question, sir. The type of 
information involved in the personal records breach includes 
typical information about job assignments, some performance 
ratings, not evaluations, but performance ratings, as well as 
training records for our personnel. The information involved in 
the background investigations incident involves SF 86 data, as 
well as clearance adjudication information.
    Mr. Cummings. So, Social Security numbers?
    Ms. Seymour. Yes, sir. Social Security number, date of 
birth, place of birth; typical PII that would be in those types 
of files.
    Mr. Cummings. Ms. Seymour, it was reported on Friday that, 
in addition to this breach, hackers had breached highly 
sensitive information gathered in background investigations of 
current and former Federal employees. Is that true?
    Ms. Seymour. Yes, sir, that is.
    Mr. Cummings. Do you know how far back that goes?
    Ms. Seymour. No, sir, I don't. The issue is that these are 
longitudinal records, so they span an employee's career. So I 
do not know what the oldest record is.
    Mr. Cummings. So it is possible that somebody could be 
working for the Federal Government for 30 years and that their 
information over that 30 years could have been breached?
    Ms. Seymour. Yes, sir, these records do span an employee's 
career.
    Mr. Cummings. So what can you tell us about the type of 
information that may have been compromised in the second 
breach?
    Ms. Seymour. I believe that that would be a discussion that 
would be better had in our classified session this afternoon, 
sir.
    Mr. Cummings. Thank you. I am going to come back to you.
    Dr. Ozment, these suspected cyber spies from a foreign 
state went after sensitive detailed information about Federal 
employees. What could they do with this information? I am 
talking to you, yes.
    Mr. Ozment. Ranking member, I am going to have to defer 
that question to the intelligence community, who will be a 
participant in our classified briefing this afternoon at 1:00.
    Mr. Cummings. All right.
    Experts advise taking steps to mitigate damage from cyber 
spying attacks by using tools such as data segmentation, data 
masking, and encryption; and the chairman asked about 
encryption. I know from past OPM testimony before the committee 
that OPM has been a leader in deploying those tools.
    Now, Ms. Seymour, it is kind of hard to understand how 
cyber spies could have accessed more than 4 million records if 
you were using those tools to the fullest. Ms. Archuleta has a 
lot of faith and confidence in you, as the chairman just 
stated. Can you explain what happened?
    Ms. Seymour. Thank you, Mr. Cummings, for the question. A 
lot of our systems are aged, and implementing some of these 
tools take time, and some of them we cannot even implement in 
our current environment. That is why, under Director 
Archuleta's leadership, we have launched a new program where we 
are building a new environment, a new architecture, a modern 
architecture that allows us to implement additional security 
features.
    In our legacy environment, we have installed numerous 
technologies, and that is how we discovered this breach in the 
first place. So we are shoring up what we have today, and then 
we are building for the future so that we can become more 
secure and provide these types of protections to our data and 
our systems.
    Mr. Cummings. Well, in the meantime, if we are going to 
collect and we are going to store sensitive personal 
information, we must make it unusable to our adversaries, if 
they are cyber spies, are able to steal it. Would you agree? 
OPM, as well as American businesses, have to do a better job of 
protecting sensitive information. Would you agree, ma'am?
    Ms. Seymour. Yes, sir.
    Mr. Cummings. Now, Ms. Seymour, do you have the tools now 
to do that? Are you trying to tell us you don't?
    Ms. Seymour. OPM has procured the tools, both for 
encryption of its databases, and we are in the process of 
applying those tools within our environment. But there are some 
of our legacy systems that may not be capable of accepting 
those types of encryption in the environment that they exist in 
today, and that is why it is important for us to focus very 
aggressively, very proactively on building out that new 
architecture so that, in the future, we will be able to 
implement those tools for all of our databases.
    Mr. Cummings. Now, when you talk about the future, I mean, 
what are you talking about? Are you talking about three months, 
three years?
    Ms. Seymour. We began our program after the March 2014 
incident. We worked very closely with our interagency partners 
to devise a very aggressive and very comprehensive plan. We 
have been implementing that plan since then. We are delivering 
what we call our shell, which is the new architecture, we are 
delivering that this fall and we will begin looking at our 
business systems applications and how we can migrate those into 
the new architecture.
    Mr. Cummings. Ms. Seymour, this is the question: We are 
collecting data right now. There is people's data that is out 
there. And I am talking about, in the meantime, where are we? 
In other words, I know you are trying to do some things, but 
that doesn't make Federal employees feel pretty good. It 
doesn't make me feel good.
    So tell me more. Are you saying that we are just vulnerable 
and we don't know when we are going to be able to deploy the 
types of systems that you just talked about?
    Ms. Seymour. No, sir. We have done a number of things.
    Mr. Cummings. I am not talking about what you have done. I 
am talking about what is going on today.
    Ms. Seymour. That is exactly what I am offering, sir.
    Mr. Cummings. All right.
    Ms. Seymour. We have implemented two-factor authentication 
for remote access to our network. That means that without a PIV 
card or some other type of device that our users cannot log 
into our network remotely. We have implemented additional 
firewalls in our network. We have tightened the settings of 
those firewalls. We have reduced the number of privileged users 
in our account and we have even further restricted the access 
privileges that those users have.
    We have made a number of other steps to increase the 
security of our existing network. We began that work back last 
March and it has continued, and we continue to work with DHS 
and our agency partners to test those systems and make sure 
that they are working appropriately.
    Mr. Cummings. Now, Mr. Esser, the Office of Inspector 
General conducted an audit in 2014, the chairman was talking 
about this, of OPM's information security programs and found 
several weaknesses. Can you briefly identify what those 
weaknesses were that you found?
    Mr. Esser. Yes, sir. The most critical weaknesses that we 
identified in our FISMA report from 2014 were the continued 
information security governance problems that have existed 
since 2007, the decentralization of the controls over systems. 
That, however, is an area that is certainly close to being 
improved to a full extent.
    Another area of weaknesses were the security assessments 
and authorization, which is each system that OPM owns should go 
under an assessment every three years and be authorized for 
usage. We identified 11 systems at the end of 2014 that had not 
been authorized that were due to be authorized.
    The technical security controls was another big area that 
we identified. While OPM has implemented a number of strong 
tools and is improving in that area, our concern is that some 
of those tools were not being used properly and that they do 
not have a complete and accurate inventory of databases and 
servers that those tools should be applied against.
    Mr. Cummings. So the chairman asked Ms. Archuleta a 
question of how she thought she'd done. Based upon that, what 
grade would you give?
    Mr. Esser. I don't know that I could give a grade.
    Mr. Cummings. So of all the things that you just stated, 
there are certain things that were not done, is that right?
    Mr. Esser. Yes, sir.
    Mr. Cummings. Did any of them lead to this breach, the 
things that were not done?
    Mr. Esser. I don't know the exact details of how this 
breach occurred, so I really can't answer that question. 
Certainly there are a lot of weaknesses at OPM that they are in 
the process of trying to address.
    Mr. Cummings. And last, but not least, do you have a silver 
bullet to address this issue, sir?
    Mr. Esser. No, sir, I do not. There are very sophisticated 
attackers out there and there is no one silver bullet I think 
that can be applied that will prevent these types of things 
from happening.
    Mr. Cummings. You heard me asking Ms. Seymour about the 
fact that we are constantly collecting information, and it 
seems as if we are just vulnerable and that there are certain 
areas that we may not be able to defend ourselves in. Is that 
an accurate statement?
    Mr. Esser. Certainly, there are a lot of things that can be 
done to make our systems more secure. Is there something that 
can be done to make them impenetrable? Not that I am aware of.
    Mr. Cummings. Thank you very much.
    Chairman Chaffetz. I now recognize the gentleman from 
Michigan, Mr. Walberg, for five minutes.
    Mr. Walberg. Thank you, Mr. Chairman. I appreciate the 
witnesses being here.
    This morning we have certainly heard that there is no 
silver bullet, and I don't think we expected the answer to be, 
yes, there is a silver bullet. We are concerned that, knowing 
what has been going on, having clear evidence that hackers have 
been attempting for quite some time and then, at least those of 
us here who trust on agencies and people like yourselves who 
know the issues, that some more efforts could have been 
successful in stopping the most recent attacks.
    We have heard today that networks aren't compartmentalized, 
segmented, in certain cases encrypted; that with the recent 
attacks, exterior perimeter has been breached, the attacker 
often remains undetected for months. That is concerning. As a 
result of that, able to exploit vulnerabilities within the 
networks without passing through, and this is most concerning 
to me, additional inspection or security measures.
    So, Mr. Scott, as I understand, in the private sectors 
there have been shifts towards zero trust model. Ultimately, 
given OMB's role in setting metrics for agencies, my question 
is can you tell me, tell us what OMB is doing to set IT 
security metrics to limit the number of workloads, application 
tiers to the networks?
    Mr. Scott. Thank you for the question.
    I think there are a number of things that I would point to 
in addition to the measures that you just talked about. The 
first one is to share across the Federal Government not only 
the lessons learned from OPM, but what we see from other 
attacks, whether successful or not, private and public, and 
make sure that all agencies are up to speed with the latest 
information on the methods of attack, the tools that are used, 
and so on.
    Mr. Walberg. That is a weakness right now, is what you are 
telling me, that that is not happening?
    Mr. Scott. It has been historically. The ability for the 
Government and the private sector to share information has been 
a hindrance in our ability to thwart these things.
    But I will say that the specific measure that you 
mentioned, the segmentation and zero trust, is something that 
is more easily applied to very modern architectures. It is not 
as easily applied to some of the oldest and old legacy systems 
that we have. And I think that is going to be a challenge for 
all agencies where the architecture itself just doesn't lend 
itself to the application of certain technologies.
    The best answer, I think, in terms of what we have and 
where we go is a model that we are promoting and encouraging 
across the agencies, which is defense in depth. It is a number 
of different measures to that if one thing doesn't work, you 
have the next layer that helps; and if that doesn't work, you 
have the next layer. And zero trust is applicable in some of 
those environments and, frankly, is very difficult or 
impossible to apply in others.
    Mr. Walberg. How far are we from that?
    Mr. Scott. I would say years and years comprehensively. But 
one of the things that we are working on right now is 
prioritizing based on the highest value assets that the Federal 
Government has so that we are going after the most valuable 
stuff first and make sure that is protected the best way we 
can.
    Mr. Walberg. Ms. Seymour, with the millions of current and 
former Federal employees, a lot of them in my district, that 
sign on to do the work that we give to them, we appreciate the 
work, it is not something they make up. We ask them to do the 
Federal jobs that the agencies, the departments that they work 
under have been asked to do. They don't expect that their life 
will be compromised, their history will be compromised, their 
records be compromised.
    When did OPM begin letting victims know of the breach and 
the risk to their identities?
    Ms. Seymour. Thank you for your question, sir. I too am a 
Federal employee and very concerned about this matter; it is 
grave and serious, so I appreciate that.
    We began notifying personnel on June 8th, and will continue 
to make those notifications through June 19th. That is for the 
personnel records security incident that we have.
    We have not yet been able to do the analysis of the data 
that is involved with the background investigations incident. 
That is ongoing, and as soon as we can narrow the data that is 
involved in that incident, we will make appropriate 
notifications for that one as well.
    Mr. Walberg. Okay. Thank you.
    Chairman Chaffetz. Thank you. I thank the gentleman.
    I now recognize the gentlewoman from New York, Mrs. 
Maloney, for five minutes.
    Mrs. Maloney. I want to thank the chairman and ranking 
member for calling this hearing, and all of our panelists for 
your public service.
    As one who represents the city that was attacked by 9/11, 
we lost thousands on that day and thousands more are still 
dying from health-related causes from that fateful day. But I 
consider this attack, I call it an attack on our Country, a far 
more serious one to the national security of our Country.
    I would like to ask Mr. Ozment from Homeland Security, 
would you characterize this as a large-scale cyber spying 
effort? That is what it sounds like to me. What is it?
    Mr. Ozment. I think to speak to whether or not this was a 
spying effort, we would have to talk to any understanding of 
who the adversaries were and what their intent was, and I think 
that is a conversation better reserved for a couple of hours 
from now.
    Mrs. Maloney. Do you believe it is a coordinated effort? 
They appear to be attacking health records, employment records, 
friendship, family, whole backgrounds. It seems to be a large 
sphere of information not only from the Government, but private 
contractors, individuals; and sometimes it appears targeted 
towards Americans who may be serving overseas in sensitive 
positions. But would you consider this a coordinated effort? 
Can you answer that or is that classified?
    Mr. Ozment. Thank you, Representative. I would defer that 
question to the classified briefing.
    Mrs. Maloney. Okay. Thank you.
    Mr. Ozment. But what I would say, if you are willing, is 
that----
    Mrs. Maloney. I will be at the 1:00 meeting. Thank you.
    Now, I want to refer to this article, and I would like to 
place it in the record. I think it is an important one; it came 
from ABC News.
    If I could put it in the record.
    Chairman Chaffetz. Without objection, so ordered.
    Mrs. Maloney. It reports that there seems to be looking at 
and gathering information on an SF 18 form, which is a Standard 
Form 18, which is required for any employee seeing classified 
security clearances, so that would be people in important 
positions in our Government. And I won't ask any questions on 
it, I will just wait until later at this classified briefing, 
but I am extremely disturbed.
    This article also points out that it is not only 
individuals that they are going after; they are going after 
contractors and those that serve the Government. It mentions in 
other reports Lockheed Martin, where they went after their 
secure ID program.
    Is that true, Mr. Ozment?
    Mr. Ozment. I can't speak to whether any adversaries have 
gone after specific private sector companies.
    Mrs. Maloney. Okay. All right. Then we won't get into that.
    But other press reports said that there was Northrop 
Grumman, L3, that they were hit by cyber attacks, and other 
Government contractors. Now, one that probably hit Congress is 
one in 2013, where the FBI warned that a group called Anonymous 
hacked into the U.S. Army, Department of Energy, Department of 
Health and Human Services, and many agencies by exploiting a 
weakness in Adobe systems.
    Now, I have the Adobe system in my office, so that means 
they could have hacked into my office, and probably every other 
congressional office.
    Then they talk about going into healthcare. They go into 
the Blue Cross Blue Shield system of all the Federal employees. 
So it seems like they want a comprehensive package on certain 
millions of Americans, many of whom are serving our Country, I 
would say at negotiating tables in Commerce, State Department, 
probably Defense, and every other aspect of American life and 
the world economy.
    But, Mr. Scott, you have been before this committee before 
and you announced you were going to review the agencies' 
cybersecurity programs to identify risks and implement gaps. I 
wonder if you could report on what you learned from this review 
and any specific changes in cybersecurity policies, procedures, 
or guidance. If you can report on that. Or that may be 
classified too. But anything you can share with us on what you 
have been doing to act to build some firewalls?
    Mr. Scott. Sure. Well, thank you for the question.
    So we are conducting regular CyberStat reviews with each of 
the agencies, and it is along the key lines of many of the 
topics we have talked about here: two-factor patching, 
minimizing the number of system administrators; all of the I 
will call hygiene factors that we think lead to good 
cybersecurity.
    Mrs. Maloney. My time has expired, but anything you want to 
give to the committee in writing, we would appreciate it. Thank 
you.
    Mr. Scott. We would be happy to do so. Thank you.
    Chairman Chaffetz. I thank the gentlewoman.
    I now recognize the gentleman from North Carolina, Mr. 
Meadows, for five minutes.
    Mr. Meadows. Thank you, Mr. Chairman.
    Ms. Archuleta, let me come to you. You have been in your 
current position since 2013, is that correct?
    Ms. Archuleta. I was sworn in in November 2013.
    Mr. Meadows. So in 2013 you, according to your testimony, 
made cyber security the highest priority. I think that is how 
you opened up your testimony, that the security of Federal 
employees was your highest priority. Is that correct?
    Ms. Archuleta. Yes, sir.
    Mr. Meadows. All right. So help me reconcile, then, if it 
is your highest priority, how, when the most recent IG's report 
that came out that took security from being a material weakness 
is how it was characterized before you got there, to 
significant deficiency, how would you reconcile highest 
priority and significant deficiency as being one and the same?
    Ms. Archuleta. Thank you for your question.
    As I mentioned earlier, one of the first things that we 
did, or I did, for OPM was to develop, within 100 days, an IT 
strategic plan, and the issues that the IG just mentioned, in 
terms of IT governance and IT leadership, as well as IT 
architecture, IT agility, IT data, and IT cybersecurity, were 
all strong components of this IT plan; and the IG recognized 
those steps and the strategic plan that we developed.
    Mr. Meadows. But he did recognize it.
    I only have five minutes, so I can't let you just ramble on 
with all of these things. So let me ask you how, if he 
recognized that, would he still characterize it as significant 
deficiencies?
    Ms. Archuleta. As we were instituting the improvements that 
we were making, he was also, at the same time, conducting his 
audit. His audit was conducted in the summer of 2014, when we 
were beginning to implement our strategic plan, and the IG has 
continued to work with us and we have taken his recommendations 
very seriously.
    Mr. Meadows. You have taken them seriously, so have you 
implemented all of them? Yes or no? Just yes or no.
    Ms. Archuleta. We have implemented many of them and are in 
the process of implementing others.
    Mr. Meadows. So have you implemented all of those?
    Ms. Archuleta. As I said, sir, I have implemented many of 
them and continue to work----
    Mr. Meadows. So you will implement all of them?
    Ms. Archuleta. We are looking at each of those 
recommendations very seriously.
    Mr. Meadows. Not looking. Will you implement? Can you 
assure the Federal workers that you are going to implement all 
the recommendations that the IG recommended to you, yes or no?
    Ms. Archuleta. We are working very closely with the IG to----
    Mr. Meadows. I will take that as a no.
    All right, so let me go on further, then, because I am very 
concerned that here we have not even notified most of the 
Federal employees. We have known about it. They continue to not 
be notified, and yet here you are saying that you have 
different priorities. Because when Chairman Chaffetz asked you 
about why did you not shut it down, you said, well, OPM has a 
number of other responsibilities. Is that correct? That was 
your answer to Chairman Chaffetz.
    Ms. Archuleta. We house a variety of data, not just data on 
employee personnel files. We also house health care data; we 
employ other records, and the result----
    Mr. Meadows. So what you are saying is it was better that 
you supplied that and put Federal workers at risk versus making 
it, according to your words, the highest priority to make sure 
that the information was not compromised. If it is your highest 
priority, why didn't you shut it down like Mr. Chaffetz asked 
and like was recommended? Why didn't you shut it down?
    Ms. Archuleta. In our opinion, we were not able to shut it 
down in view of all of the responsibilities we hold at OPM. We 
do take seriously----
    Mr. Meadows. So, in your opinion, protecting Federal 
workers then could not have been your highest priority, because 
there were competing, I guess, priorities, and you said it was 
better that you continued on with the others versus protecting 
the Federal workforce.
    Ms. Archuleta. As I said, the recommendations that the IG 
gave to us are ones that we take very seriously, sir. I don't 
want to characterize that we didn't. In fact, we did take them 
in ongoing conversations.
    Mr. Meadows. Okay. There is a quote that says what we 
occasionally have to look at, no matter how beautiful the 
strategy, we have to occasionally look at the results. And the 
results here are pretty profound that we have security risks 
all over. And I would encourage you to take it a little bit 
more serious and, indeed, make it your highest priority.
    I yield back. Thank you, Mr. Chairman.
    Chairman Chaffetz. Thank the gentleman.
    Now recognize the gentleman from Massachusetts, Mr. Lynch, 
for five minutes.
    Mr. Lynch. Thank you, Mr. Chairman.
    I want to thank our panel for your help.
    I want to associate myself with the remarks of the ranking 
member and the chairman today, which doesn't always happen.
    Chairman Chaffetz. Duly noted.
    Mr. Lynch. I would like to ask unanimous consent if I might 
enter into the record the remarks of Colleen M. Kelly, National 
President of the National Treasury Employees Union, and also a 
letter from J. David Cox, who is the President of the American 
Federation of Government Employees, AFL-CIO.
    Chairman Chaffetz. Without objection, so ordered.
    Mr. Lynch. I want to also read the first three paragraphs. 
This is a letter from the president of the American Federation 
of Government Employees, AFL-CIO, J. David Cox, to the 
Honorable Katherine Archuleta.
    It says, Dear Honorable Archuleta, I am writing in 
reference to the data breach announced by the Office of 
Personnel Management. And this was dated last week. In the days 
since the breach was announced, very little substantive 
information has been shared with us, despite the fact that we 
represent more than 670,000 Federal employees in departments and 
agencies throughout the executive branch.
    OPM has attempted to justify the withholding of information 
on the breach by claiming that the ongoing criminal 
investigation restricts your ability to inform us of exactly 
what happened, what vulnerabilities were exploited, who was 
responsible for the breach, and how damage to affected 
individuals might be repaired and compensated.
    Based on sketchy information that OPM has provided, we 
believe that the central personnel data file was the targeted 
database and that the hackers are now in possession of all 
personnel data for every Federal employee, every Federal 
retiree, and up to 1 million former Federal employees. We 
believe the hackers have every affected person's Social 
Security number, military record, veteran status, address, 
birth date, job and pay history, health insurance, life 
insurance, email, pension information, age, gender, race, union 
status, and a lot more.
    Worst of all, we believe the Social Security numbers were 
not encrypted, a basic cybersecurity failure that is absolutely 
indefensible and outrageous.
    So, Ms. Archuleta, were the Social Security numbers 
encrypted?
    Ms. Archuleta. OPM is in the process of----
    Mr. Lynch. Ms. Archuleta, is that an I don't know?
    Ms. Archuleta. I don't believe that the Social Security----
    Mr. Lynch. Can we just stick to a yes or no?
    You know what, this is one of these hearings where I think 
I am going to know less coming out of this hearing than I did 
when I walked in because of the obfuscation and the dancing 
around that we are all doing here.
    Matter of fact, I wish that you were as strenuous and hard 
working at keeping information out of the hands of hackers as 
you are keeping information out of the hands of Congress and 
Federal employees. It is ironic. You are doing a great job 
stonewalling us, but hackers not so much.
    So were the Social Security numbers encrypted, yes or no?
    Ms. Archuleta. No, they were not encrypted.
    Mr. Lynch. There you go. There you go. Now we are getting 
somewhere.
    That is pretty basic, though. That is pretty basic, 
encrypting Social Security numbers.
    So all this happy talk about these complex systems we are 
going to come up with, you are not even encrypting people's 
Social Security numbers. That is a shame.
    Let me ask you about this Standard Form 86. Now, for those 
of you, obviously you know that Standard Form 86 is what we 
require employees to fill out if they are going to receive a 
security clearance. So these are people who have sensitive 
information. And we drill down on these folks. This is a copy 
of the application. It is online if people want to look at it; 
it is 127 pages online.
    And we ask them everything; what kind of underwear they 
wear, what kind of toothpaste. I mean, it is a deep dive. And 
that is for a good reason, right? Because we want to know, when 
people get security clearance, that they are trustworthy. There 
is information here if you have ever been arrested; your 
financial information is in here. There is a lot of information 
in this form.
    They hacked this. They hacked this. They got this 
information on Standard Form 86. So they know all these 
employees and everything about them that we ask them in the 
Standard Form 86.
    Isn't that right, Ms. Seymour?
    Ms. Seymour. I believe that is a discussion that would best 
be held until this afternoon, sir.
    Mr. Lynch. That is probably a yes.
    Like I say, I think you have to be honest with your 
employees, and I think that, in order to protect them, we need 
to let them know what is going on, because they have the email 
addresses in here as well, several, your first, your second, 
your third email address; and all that information is out 
there. So we need to be a little bit more, not a little bit 
more, we need to be more forthcoming with our own employees. 
These are people who work for us, and a lot of them deserve a 
lot more protection than they are getting right now from the 
United States Government and from the Office of Personnel 
Management.
    I see my time has expired. I appreciate the indulgence of 
the chairman and I yield back.
    Chairman Chaffetz. I thank the gentleman.
    Now we recognize the gentleman from South Carolina, Mr. 
Mulvaney, for five minutes.
    Mr. Mulvaney. Thank you, Mr. Chairman.
    Many of us are often uncomfortable asking questions in this 
type of setting, because obviously we don't want to ask 
questions the answers to which should be kept confidential. So 
I encourage you in advance, if I ask you something that we 
should talk about in a different setting, that is an acceptable 
answer.
    But I sort of feel like in Mr. Lynch in that I don't know 
if I get my hands around exactly what we are learning. So let's 
start with this. I am going to follow up on a question that Mr. 
Meadows asked of Ms. Archuleta, which is, he asked you if you 
were going to implement all of the IG's recommendations. You 
said you were working with the IG.
    Whether or not that was a yes or no answer, I agree with 
Mr. Meadows, probably closer to no, so let me address it like 
this. Can you name for me some of the IG recommendations that 
you are pushing back against or that you are not interested in 
implementing?
    Ms. Archuleta. I don't have the specific recommendations in 
front of me, and I would be very glad to come back and talk 
about that.
    Mr. Mulvaney. Okay.
    Ms. Archuleta. But what I would like to say, sir, is that 
as we look at the recommendations by the IG, we work with him 
so that he can fully understand where we have moved in our 
security efforts and also to understand his observations. And 
that is the normal audit process and we continue to go through 
that with him and update him on a regular basis.
    Mr. Mulvaney. And we get IGs in here all the time and that 
makes perfect sense. What bugs me, Ms. Archuleta, is that back 
in the end of 2014 they recommended, in fact, it was their 
third recommendation, that all active systems in OPM's 
inventory have a complete and current authorization. Your 
response to that was saying, ``We agree that it is important to 
maintain up to date and valid ATOs for all systems, but we do 
not believe that this condition rises to the level of a 
material weakness.''
    Do you believe that your opinion on that has changed since 
November of 2014, Ms. Archuleta?
    Ms. Archuleta. I appreciate all of the information and the 
recommendations that the IG has given us, and we will continue 
to work with him----
    Mr. Mulvaney. I didn't ask you that. Do you still believe 
now, knowing what you know now, that that condition did not 
rise to the level of material weakness?
    Ms. Archuleta. Sir, we are working with a legacy system.
    Mr. Mulvaney. I didn't ask you that, Ms. Archuleta.
    Ms. Archuleta. As to the recommendations that he has made 
to us, we are working through those to the best of our ability.
    Mr. Mulvaney. That is what frightens me, Ms. Archuleta, 
that this is the best of your ability.
    Let me see if I can just get some summary information here 
as I go back and try to explain to folks back home. I have 
heard that it was just people in the executive branch. I open 
this to anybody who might be able to answer this. Are we still 
saying that the only people whose data was exposed were folks 
who worked within the executive branch of Government?
    Ms. Seymour. Sir, this is an ongoing investigation, and as 
we uncover new information we are happy to share it with you.
    Mr. Mulvaney. Right.
    Ms. Seymour. We are not necessarily restricted to the 
executive branch because there are people who work in the 
executive branch today who worked in the legislative branch----
    Mr. Mulvaney. And I got that notice, Ms. Seymour. I got the 
notice and it says if you work in the executive branch or you 
have ever worked in the executive branch, then there is a 
chance they got your data, but if you have never worked for the 
executive branch, then you don't have to worry.
    Are you still comfortable with that statement?
    Ms. Seymour. No, sir. This is an ongoing investigation and 
we are learning new facts every day.
    Mr. Mulvaney. And that is a fair answer. Now, the original 
number we heard publicly was 4 million. Is it still 4 million? 
I have heard 14 today a couple times. What is the current 
estimate of the number of current or previous employees who 
have been affected?
    Ms. Seymour. Approximately 4 million is the number that we 
are making notifications of today. We continue to investigate, 
especially in the background investigations incident, so that 
we can understand that data and begin to make notifications 
there as well.
    Mr. Mulvaney. All right, I have a question. I don't think 
it has been asked yet. I think it is for Mr. Ozment or whoever 
else understands the IT systems.
    When we used to do this in the private sector, we used to 
differentiate between someone who had hacked into our system 
and someone who actually stole something from us, because there 
are two levels of involvement there.
    So I guess my question to you, Mr. Ozment, is have you been 
able yet to make the distinction between just where the hackers 
were and they had access and things were exposed, and where 
possibly they actually downloaded data.
    Mr. Ozment. Thank you, Representative.
    That is an important distinction and one that we spend a 
lot of our investigative time examining. For the personnel 
records, the approximately 4.2 million records, the incident 
response team, led by DHS but with interagency partners, has 
concluded with a high probability that that data was 
exfiltrated, meaning that it was removed from the network by 
the adversary who took it. And we are continuing to investigate 
the information related----
    Mr. Mulvaney. Very briefly, Mr. Ozment. I appreciate that. 
I don't mean to cut you off and I wish we had more time to do 
that. Let me ask this one question. I heard about the data. I 
heard Mr. Lynch ask about the Social Security numbers. It 
sounds like that might have been exfiltrated. Health data. Do 
we collect health data on our employees?
    Ms. Archuleta, if I come to work for you or for the 
Government, do I give you my health records?
    Ms. Archuleta. Not your health records, but the information 
regarding your health carrier is the information that we 
receive and who you would include in the----
    Mr. Mulvaney. Okay, so it is not----
    Ms. Archuleta. No, not your health----
    Mr. Mulvaney. So it is not specific medications, it is not 
specific conditions.
    Ms. Archuleta. No.
    Mr. Mulvaney. It is just who my health insurance company 
is.
    Ms. Archuleta. Exactly.
    Mr. Mulvaney. Thank you, Mr. Chairman.
    Chairman Chaffetz. I thank the gentleman.
    We now recognize the gentleman from Virginia, Mr. Connolly, 
for five minutes.
    Mr. Connolly. Thank you, Mr. Chairman.
    You know, what is so jarring about this hearing is that 
sort of in bloodless and bureaucratic language we are talking 
about the compromise of information of fellow Americans and, 
from the Federal employee point of view, the most catastrophic 
compromise of personal information in the history of this 
Country. Social Security records.
    Ms. Archuleta, you mentioned that not health information, 
but health carrier. That is a roadmap to other information 
hackers can get.
    Security clearances. Security clearances are deeply 
personal and often involve, do they not, Ms. Seymour, 
unconfirmed negative information, even rumors. I think so-and-
so has a drinking problem. That gets in that report even if it 
is not confirmed. Is that not correct?
    Ms. Archuleta. Sir, I am not a Federal investigator and I 
am not familiar with all of the precise data that is in those.
    Mr. Connolly. Well, let me confirm for you. It was a 
rhetorical question, really. It is correct.
    How do we protect our employees? Dr. Ozment, when I heard 
your testimony, it almost sounded like you were saying is that 
the good news here is we detected the hack. But the object here 
isn't effective detection, though that is part of the process; 
it is prevention and preemption to protect our citizens, 
including Federal employees.
    You talked about EINSTEIN and you championed its merits. 
Was EINSTEIN in place at OPM when this hack occurred?
    Mr. Ozment. Sir, I share your deep concern about the loss 
of this information and agree that that is a terrible outcome.
    Mr. Connolly. A terrible outcome?
    Mr. Ozment. Absolutely. As a Federal employee whose 
information is itself a part of this database, I feel----
    Mr. Connolly. It might even be personally devastating, Dr. 
Ozment, not just a terrible outcome.
    Mr. Ozment. That is correct, sir.
    What I would tell you on this is that EINSTEIN was critical 
in this incident. As OPM implemented their new security 
measures and detected the breach----
    Mr. Connolly. Was EINSTEIN in place at the time of this 
breach?
    Mr. Ozment. EINSTEIN 1 and 2 have been in place at OPM. 
EINSTEIN 3 is not yet available for OPM.
    Mr. Connolly. Okay, I only have two minutes. I want to 
understand your answer. So did it successfully detect a breach 
had occurred?
    Mr. Ozment. It did not detect the breach that OPM caught on 
their own networks, because just as the cyber threat 
information sharing legislation we are focused on acknowledges, 
you first have to have the threat information. EINSTEIN 1, once 
we had that threat information, we used EINSTEIN 1 and 2 to 
detect a separate breach that we were then able to work.
    Mr. Connolly. I am sure every Federal employee who had his 
or her information compromised is comforted by your answer, Dr. 
Ozment.
    Ms. Archuleta, what was the time gap between discovering 
there had been a breach and the actual breach itself?
    Ms. Archuleta. We discovered the breach in April of 2015.
    Mr. Connolly. This year. And when did the breach occur?
    Ms. Archuleta. We suspected it happened earlier in 2014.
    Mr. Connolly. So some time late last year?
    Ms. Archuleta. Yes, sir.
    Mr. Connolly. Okay. So whoever were the hackers, presumably 
an agency of the Chinese government, according to published 
reports confirmed by U.S. officials, it is not a classified 
piece of information. The details of it may be, but our 
Government, I believe, has confirmed, without attribution, in 
public records that it was a systematic effort by the People's 
Liberation Army, which has been notorious for hacking all over 
the West, that got its hands on this data.
    So they had four months in which to do something with this 
data, is that correct, maybe five?
    Ms. Archuleta. I can't make a comment on attribution.
    Mr. Connolly. I didn't ask you to. I just asked whether 
they had four or five months to do something with this data.
    Ms. Archuleta. The period between when we believe the 
breach occurred and our discovery, yes.
    Mr. Connolly. All right.
    I am going to, real quickly, if the chairman allows, ask 
Mr. Scott one last question. The head of CERT, the director of 
CERT says if the agency implemented three steps, we could 
prevent about 85 percent of breaches.
    And I am going to hold in abeyance new investments and new 
technology because Ms. Seymour talks about legacy systems, and 
I had always hoped that the Chinese didn't know how to hack 
into COBOL. But that is a different matter.
    Okay, the three things are minimize administrator 
privileges; two, utilize application whitelisting; and, three, 
continuously patch software, which, interestingly, does not go 
on.
    Would you just comment? What is your professional take on 
those three recommendations?
    Mr. Scott. I think those recommendations are great, and 
there are a number of other things as well, some of which I 
have talked about today. I think the one point I would make is 
there is no one measure that you could say that is going to 
prevent all attacks or even prevent an attack. It is really 
defense in depth is your best measure, and that is what we are 
really looking at emphasizing.
    Mr. Connolly. Thank you, Mr. Chairman.
    Chairman Chaffetz. Thank you.
    We now recognize the gentleman from North Carolina, Mr. 
Walker, for five minutes.
    Mr. Walker. Thank you, Mr. Chairman.
    I certainly agree with my colleague from Virginia in his 
description this is a catastrophic compromise.
    Ms. Archuleta, it appears that OPM did not follow the very 
basic cybersecurity best practices, specifically such as 
network segmentation and encryption of sensitive data. Should 
the data have been encrypted? Can you address that?
    Ms. Archuleta. At that time, the data was not encrypted, 
and as Dr. Ozment has indicated, encryption may not have been a 
valuable tool in this particular breach. As I said earlier, we 
are working closely to determine what sorts of additional tools 
we can put into our system to prevent further breaches.
    Mr. Walker. You said may not have been. But that didn't 
answer the question should have been encrypted and could that 
have been another line of defense?
    Ms. Archuleta. I would turn to my colleagues from DHS to 
determine the use of encryption, but I will say that it was not 
encrypted at the time of the breach.
    Mr. Ozment. I would note that if an adversary has the 
credentials of a user on the network, then they can access data 
even if it is encrypted, just as the users on the network have 
to access data, and that did occur in this case, so encryption 
in this instance would not have protected this data.
    Mr. Walker. I want to delve a little further in just a 
moment, but let me ask this.
    Ms. Archuleta, what consequences should CIOs face for 
failing to meet such a baseline of cybersecurity standard on 
their networks? May I hear your thoughts on that?
    Ms. Archuleta. I believe that the CIO is responsible for 
the implementation of a solid plan and I believe that my CIO 
has been doing that. We are working with a legacy system that 
is decades old, and we are using all of our financial and human 
resources to improve that system. Cybersecurity is a 
government-wide effort and we all must work together to improve 
the systems that we have government-wide.
    Mr. Walker. I am not sure that the American people are 
content with the pace of how we are all working together.
    I want to speak a little bit to EINSTEIN. I have heard 
several different comments today regarding it and my question 
is even if EINSTEIN is a necessary component to effectively 
defending the system, I believe the private sector is really 
already moving on this kind of technology. Is that a fair 
question? And what is the DHS doing to keep pace with its 
attackers? Dr. Ozment?
    Mr. Ozment. EINSTEIN is absolutely a necessary, but not 
sufficient, tool for protecting department and agency networks. 
As Mr. Scott has noted several times, we need a defense in 
depth strategy. We are supplementing EINSTEIN with continuous 
diagnostics and mitigations at the agencies, and we are also 
looking with EINSTEIN at taking what is currently a signature 
focus system and adding capabilities to let it detect 
previously unknown intrusions.
    But as you do that you also receive more false positives. 
In other words, you receive more indications that an intrusion 
occurred even if it did not occur. So we have to do that 
carefully so we are not overwhelmed by essentially bad data.
    Mr. Walker. And it seems to be that you are more excited or 
more confident in the EINSTEIN, what is it, 3A version? Is that 
going to be more solid as far as keeping the attackers out?
    Mr. Ozment. EINSTEIN 3A will be a step forward. It uses 
classified information and is modeled on a similar Department 
of Defense program. It is still a signature-based program, but 
it will rely upon classified information obtained from the 
intelligence community to help us detect adversaries and block 
them.
    Mr. Walker. And I even heard you earlier say something 
about how even that system needs to be supplemented with 
others, is that correct?
    Mr. Ozment. That is correct. Again, no single system here 
will solve this problem.
    Mr. Walker. And there lies my problem, because even on the 
DHS's own Web site, when talking about EINSTEIN 3, it says it 
``prevents malicious traffic from harming networks.''
    Now, if that is not all-inclusive, should not we be 
understanding that before today's hearing? Why are we just now 
getting this information that this may not be enough to prevent 
such, as we said earlier, catastrophic compromise?
    Mr. Ozment. I can't speak to the web page you are referring 
to, but I can say that we have been very consistent and I have 
been very consistent in all my interactions with Congress to 
highlight that we do need a defense-in-depth strategy and 
that no one tool will solve all of our problems.
    Mr. Walker. And who is responsible for posting this 
information on the Web site of the DHS?
    Mr. Ozment. We will look into that and get back to you, 
sir, and make updates as necessary.
    Mr. Walker. Thank you, Mr. Chairman. I yield back.
    Chairman Chaffetz. Thank you.
    Now recognize the gentleman from Pennsylvania, Mr. 
Cartwright, for five minutes.
    Mr. Cartwright. Thank you, Mr. Chairman.
    I thank the chairman and the ranking member for calling 
this hearing.
    Director Archuleta, I know there have been much bigger data 
breaches than this one, but I am concerned, and I share the 
sentiments of Mr. Connolly from Virginia. This is extremely 
troubling. We are talking about 4 million-plus Federal workers, 
people who dedicate their entire careers, indeed, their entire 
lives, to our Country, and now their personal information has 
been compromised through absolutely no fault of their own.
    If I understand your testimony, the personal information of 
about 4 million current and former employees was potentially 
compromised, and I want to ask you, as your investigation 
continues, do you believe that that number is going to be 
bigger than 4 million?
    Ms. Archuleta. Thank you for your question. In my opening 
statement I described two incidences.
    Mr. Cartwright. No, it is a yes or no question, or I don't 
know.
    Ms. Archuleta. No. Because of the two incidents, the first 
incident is 4.2 million, and an ongoing investigation led us to 
understand that the Federal investigative background checks----
    Mr. Cartwright. You know what I mean when I say it is a yes 
or no question, right?
    Ms. Archuleta. Yes, sir.
    Mr. Cartwright. Okay. Do you think it could be more than 
4.2 million?
    Ms. Archuleta. Yes, sir.
    Mr. Cartwright. Okay.
    Now, Ms. Seymour, let me turn to you for some more detailed 
responses.
    Your IT professionals discovered the breach in April and 
also, as Mr. Connolly mentioned, they believe the hack may have 
begun back in December, am I correct in that?
    Ms. Seymour. Yes, sir, it began in 2014.
    Mr. Cartwright. Now, something else happened in December of 
2014; OPM's contractor, Keypoint, revealed that it was targeted 
in an earlier cyber attack. Now, this is the contractor that 
does the majority of your agency's background check 
investigations, am I correct in that?
    Ms. Seymour. They do a number of our background 
investigations, sir. I am not sure of the numbers.
    Mr. Cartwright. And in that case the attack against 
Keypoint was successful; personal information was, in fact, 
compromised, correct?
    Ms. Seymour. Yes, sir.
    Mr. Cartwright. On Friday, ABC News issued a report 
entitled ``Feds Eye Link to Private Contractor in Massive 
Government Hack.'' This article says this, ``The hackers who 
recently launched a massive cyber attack on the U.S. 
Government, exposing sensitive information of millions of 
Federal workers and millions of others, may have used 
information stolen from a private government contractor to 
break in to Federal systems.'' The article goes on, ``The 
hackers entered the U.S. Office of Personnel Management, OPM's 
computer systems after first gaining access last year to the 
systems of Keypoint Government Solutions.''
    It continues, ``Authorities, meanwhile, believe hackers 
were able to extract electronic credentials or other 
information from within Keypoint systems and somehow use them 
to help unlock OPM systems, according to sources. The hackers 
then rummaged through separate segments of OPM systems, 
potentially compromising personal information of not only the 4 
million current and former Federal employees.''
    Ms. Seymour, I know we are having our classified briefing 
later, and I thank you for coming to that, but can you comment 
on these reports? Did these hackers actually get what they 
wanted in the previous attack against OPM's contractor, 
Keypoint, so they could then go after OPM itself?
    Ms. Seymour. I believe that is a discussion that we should 
have in a classified setting, sir.
    Mr. Cartwright. Fair enough.
    Now, we know that OPM's other contractor, USIS, was also 
breached last year and that its information was also 
compromised. Can you tell us if those hackers got information 
in the USIS breach that they were then able to use in the 
attack against OPM?
    Ms. Seymour. Again, that is a discussion we should have 
later, sir.
    Mr. Cartwright. I understand. I certainly don't want you to 
disclose classified information here.
    Let me close by asking a final question to the whole panel, 
and I will let each of you answer. Federal agencies and private 
companies are only as strong as their weakest link. Last year 
we saw breaches of two contractors, Keypoint and USIS. Now we 
have reports that these hackers are getting into OPM 
information because of what they learned in those hacks.
    Agencies have leverage over their contractors using the 
provisions in the contracts and the billions of taxpayer 
dollars that they pay out to the company, so I want to ask each 
of you how can agencies use that leverage to improve 
cybersecurity practices of contractors so that they do a better 
job of safeguarding the information that they are entrusted 
with.
    Go ahead, right on down the line, starting with you, Ms. 
Archuleta.
    Ms. Archuleta. What we can do with the contractors that we 
engage is to make sure that they have the security systems that 
match the Federal Government's and that they are using the same 
sort of types of systems.
    I want to be sure that I understand your question. The 
contractors that we employ as individuals or as companies----
    Mr. Cartwright. The contractors as companies.
    Ms. Archuleta. In our contracts with the companies, we are 
now working to make sure that they are adhering to the same 
standards that we have in Federal Government, as outlined in 
our rules.
    Mr. Cartwright. Dr. Ozment?
    Mr. Ozment. Representative, DHS, for its own contract, as 
one example, has been working to build in additional 
cybersecurity requirements. I would also point you to the 
FedRAMP effort, government-wide effort to establish a baseline 
of cybersecurity requirements for cloud contractors to the 
Government.
    Mr. Cartwright. Mr. Scott?
    Mr. Scott. Yes. I think as my colleague, Anne Rung, and I 
testified last week, we also are strengthening the Federal 
contract procurement language and creating contract language 
that any agency can use as a part of their standard contracts.
    Mr. Cartwright. Thank you.
    Ms. Burns?
    Ms. Burns. I think it is about beefing up the security 
clauses in all contracts so that they cover the full extent of 
what we need, and then doing the monitoring and follow-up that 
you need to do to ensure that the contractors are adhering to 
those clauses of the contract.
    Mr. Cartwright. Right.
    Ms. Seymour?
    Ms. Seymour. I agree with everything that my colleagues 
have put forth, but I will add that site inspections are also 
important, and those are some of the things that we do at OPM 
with our contractors, as well as continuous monitoring. Looking 
at a system every third year is not ample. That is not a best 
practice and we need to move more towards looking at different 
security controls at different intervals of time.
    The other option that we do use is our IG also does 
inspections of our contractor companies.
    Mr. Cartwright. Mr. Esser?
    Mr. Esser. I agree with what the other witnesses stated. 
Like Ms. Seymour just said, we, as the IG, go out and we do 
audits of contractors, health insurance companies, the 
background investigation companies, as well. So we can be used 
and see ourselves in that role.
    Mr. Cartwright. Mr. Chairman, I thank you for your 
indulgence. I also want to note that USIS was invited here 
today, but refused----
    Chairman Chaffetz. I appreciate the gentleman. You are 
almost three minutes over time. We have classified that we have 
to go to and we have members that still have an effort.
    Mr. Cartwright. Yield back.
    Chairman Chaffetz. Thank you. Appreciate it.
    I now recognize Mr. Russell from Oklahoma for five minutes.
    Mr. Russell. Thank you, Mr. Chairman.
    I am baffled by all of this. Upon receipt or upon your 
appointment of the directorship of OPM, Director Archuleta had 
stated that she was committed to building an inclusive 
workforce. Who would have thought that that would have included 
our enemies.
    In this testimony here today, we heard statements that we 
did not encrypt because we thought they might be able to 
decrypt or decipher. That is just baffling to me.
    There was another statement I heard earlier today that said 
had we not established the systems, we would never have known 
about the breach. That is tantamount to saying if we had not 
watered our flower beds, we would have never seen the muddy 
footprints on the open windowsill.
    I mean, this is absolute negligence that puts the lives of 
Americans at risk, and also foreign nationals that interact 
with these Americans. Of particular concern are the SF 86 
forms, of which I am very familiar, with my background prior to 
coming to Congress.
    We had Sean Gallagher from Ars Technica, who summed it up 
probably best. He said that this breach was a result of 
inertia, a lack of internal expertise, and a decade of neglect.
    Director Archuleta, why did you not shut down 11 of the 21 
systems that had no security assessment and authorization?
    Ms. Archuleta. Sir, as I mentioned before, there are 
numerous priorities that go into employee safety and security, 
including making sure that our retirees receive their benefits 
or that our employees get paid. There are numerous 
considerations that we had to----
    Mr. Russell. Would one of those considerations be 
encrypting Social Security numbers? I mean, does it take a 
degree in IT in cybersecurity to encrypt Social Security 
numbers? I didn't think so.
    Did your cybersecurity strategic plan include leaving 
half of OPM's systems without protection when you formulated 
it? Was that part of the plan?
    Ms. Archuleta. No, sir.
    Mr. Russell. Then why was it not made a priority?
    Ms. Archuleta. The systems that the IG referred to in our 
plan, those systems that he recommended that we shut down, he 
recommended that we shut them down because they were without 
authorization. All of our systems are now authorized and they 
are operating.
    I have to say that we are looking at systems that are very, 
very old, and we can take a look at encryption and other steps 
that could be taken, and certainly we are doing that, but as we 
look at this system, we are also having to deal with decades 
of----
    Mr. Russell. Well, I understand that, but I also understand 
there is an old saying we had in the military: poor is the 
workman who blames his tools. Missions can be accomplished even 
with what you have, and measures could have been done had this 
been made a priority. What I see now is why did OPM have no 
multi-factor authentication for users accessing the system from 
outside OPM? There was no multi-faceted means. If they get into 
the system, they have free rein, is that correct?
    Ms. Archuleta. We have implemented multiple factors. Ms. 
Seymour has mentioned multi-factor authentication with our 
remote users and are working now.
    Mr. Russell. And when was that put in place, before or 
after the breach?
    Ms. Archuleta. This began in January of 2015.
    Mr. Russell. Okay. So stolen credentials could still be 
used to run free in the system, is that correct?
    Ms. Archuleta. Prior to the time of the two-factor 
authentication, obviously, it takes time to implement all of 
these tools. I am as distressed as you are about how long these 
systems have gone neglected when they have needed much 
resources, and it is in my administration that we have put 
those resources to it. We have to act quickly, which we are 
doing, and we are also working with our partners across 
government.
    As I said before, cybersecurity is an issue that all of us 
need to address across the Federal Government.
    Mr. Russell. Was a priority made to these outside systems 
that were most vulnerable that would allow this type of free 
run?
    Ms. Archuleta. I am sorry, sir, would you repeat the 
question?
    Mr. Russell. Was a priority made to these outside accessing 
systems to OPM's database that once they get in them they have 
a free rein, a free run?
    Ms. Archuleta. Yes, it was a priority, sir, but as I said 
before, legacy system, it takes time.
    Mr. Russell. It didn't take our enemies time.
    Thank you, Mr. Chairman. I yield back.
    Chairman Chaffetz. I thank the gentleman.
    Now recognize the gentleman from California, Mr. Lieu, for 
five minutes.
    Mr. Lieu. Thank you, Mr. Chairman.
    Director Archuleta, under your watch, last March, OPM 
database containing the crown jewels of American intelligence 
was breached. This year the same exact database was breached. A 
third database containing over 4 million Federal employees' 
data unencrypted was breached.
    The IG has said that at OPM your technology systems are 
either materially weak or seriously deficient, and my question 
to you, just a very simple yes or no, is do you accept 
responsibility for what happened?
    Ms. Archuleta. I accept responsibility for the 
administration of OPM and the important role of our IT systems 
in delivering the services, and I take very seriously my 
responsibilities in overseeing the improvements to a decades-
old legacy system.
    Mr. Lieu. I don't really quite know what that means. I 
asked for a yes or no. But that is fine, you have answered it.
    I am going to reserve the balance of my time to make a 
statement. Having been a member of this oversight committee, 
and as a computer science major, it is clear to me there is a 
high level of technological incompetence across many of our 
Federal agencies. We have held hearings where it showed that 
Federal agencies couldn't procure, implement or deploy IT 
systems without massive bugs or massive cost overruns.
    We have held hearings where at least one Federal agency, in 
this case the FBI, had a fundamental misunderstanding of 
technology, where they continue to believe they can put in back 
doors to encryption systems just for the good guys and not for 
hackers, which you cannot do. We had over 10 federal data 
system breaches last year.
    So there is a culture problem and there is a problem of 
civilian leadership not understanding we are in a cyber war. 
Every day we are getting attacked in both the public and 
private sector. The U.S. military understands this; that is why 
they stood up an entire cyber command. But until our civilian 
leadership understands the gravity of this issue, we are going 
to continue having more data breaches.
    Let me give you some examples of this culture problem. You 
have heard today there was unencrypted Social Security numbers. 
That is just not acceptable. That is a failure of leadership.
    Look at the various IG reports over the years showing 
material weaknesses and then look at last year's IG report, 
page 12, that says as of November of last year, OPM had not yet 
done a risk assessment. That is ridiculous, especially since 
you knew in March your system was breached. That is a failure 
of leadership. And this goes beyond just OPM.
    Now, Mr. Scott, you have only been here a few months, so 
you are going to get a pass on this, but I want to know why was 
it that it wasn't until last Friday that agencies were ordered 
to put in basic cybersecurity measures? Why wasn't this done 
last year? Why wasn't this done years before? There is a 
failure of leadership above that of OPM.
    And when there is a culture problem, what have we done in 
the past? Especially in the area of national security, you 
can't have the view that, oh, this is legacy system, oh, we 
have these excuses. In national security it has to be zero 
tolerance. That has to be your attitude. We can't have these 
breaches.
    The CIA can't go around saying, you know, every now and 
then our database of spies is going to get breached. That 
cannot happen.
    And when you have a culture problem, as we have heard here, 
in the past, when agencies have had this, leadership resigns or 
they are fired. At the DEA, leadership left. We had this happen 
at the Secret Service; we had this happen at the Veterans 
Administration. And we, as a government, do that for two 
reasons: one is to send the signal that the status quo is not 
acceptable. We cannot continue to have this attitude, where we 
make excuse after excuse.
    You know, I have heard a lot of testimony today. The one 
word I haven't heard is the word sorry. When is OPM going to 
apologize to over 4 million Federal employees that just had 
their personal data compromised? When is OPM going to apologize 
to the Federal employees that had personally devastating 
information released through the SF 86 forms? I haven't heard 
that yet.
    And when there is a culture problem, we send a signal to 
others that the status quo is unacceptable and leadership has 
to resign. Another reason we do that is because we want new 
leadership in that is more competent.
    So I am looking here today for a few good people to step 
forward, accept responsibility, and resign for the good of the 
Nation. I yield back.
    Chairman Chaffetz. I thank the gentleman. Well said.
    Now recognize the chairman of the IT subcommittee, Mr. 
Hurd, of Texas, for five minutes.
    Mr. Hurd. Thank you, Mr. Chairman.
    It is my hope that every agency head and every CIO of these 
agencies are listening or watching or will read the testimony 
after this event, and that the first thing they do when they 
wake up tomorrow is pull out the GAO high risk report that 
identifies areas that they have problems with, they read their 
own IG report and start working to address those remediations.
    I have been at this job for 21 weeks, similar to Mr. Scott, 
and one of the things you hear from people, they are frustrated 
with their Government. Intentions are great.
    Ms. Archuleta, you said at the beginning that the security 
of Federal employees is paramount. I believe you believe that, 
but the execution has been horrific. Intentions are not enough. 
We have to have execution. And this is the thing that scares 
me.
    So my question, let's start with you, Ms. Archuleta. Did 
the hackers use a zero day vulnerability to get into your 
network?
    Ms. Archuleta. I think that would be better answered in a 
classified setting.
    Mr. Hurd. Well, if it was a zero day vulnerability, I hope 
everybody has been notified of this zero day; not only the 
Government, but the private sector. We shouldn't be keeping 
secret a zero day vulnerability.
    I know a little something about protecting secrets; I spent 
almost my adult life in the CIA doing that. This is something 
that we need to get out. What I have read is that EINSTEIN did 
detect the breach after the appropriate indicators of 
compromise were loaded into it.
    So my question is how long did, in Federal Government, did 
somebody have access to these indicators of compromise and why 
did it take however much that time to get it into EINSTEIN's 
system, and has that been promoted to every other agency that 
is using EINSTEIN 2?
    Mr. Ozment. Representative, OPM, once they implemented 
their security measure and discovered this breach, gave us the 
indicators of compromise immediately and we loaded it into 
EINSTEIN immediately. That is, we loaded it into EINSTEIN 2 to 
both detect and we looked back through history to see if any 
other traffic back in time had indicated a similar compromise. 
That is how we found an intrusion into OPM related to this 
incident that led to our discovery of the breach of the 
personal records.
    We also put it into EINSTEIN 3 so that agencies covered by 
EINSTEIN 3 would be protected against a similar activity moving 
forward. And then we held a call with all the Federal CIOs and 
disseminated these indicators to them and asked them to search 
their networks for these indicators.
    Mr. Hurd. Has that been done?
    Mr. Ozment. That has been done.
    Mr. Hurd. Okay.
    Ms. Seymour, you talk about legacy systems and the 
difficulty of protecting those. What are some of those legacy 
systems and what programming software is used to develop those 
systems?
    Ms. Seymour. These are systems, sir, that have been around 
for going close to 25, 30 years.
    Mr. Hurd. So it was written in COBOL?
    Ms. Seymour. COBOL systems. One of the things I would like 
to offer is that Director Archuleta and I actually were brought 
here to solve some of these problems.
    Mr. Hurd. When did you start your job?
    Ms. Seymour. In December of 2013.
    Mr. Hurd. And why did we wait to implement two-factor 
authentication until after the attack?
    Ms. Seymour. We have not waited, sir.
    Mr. Hurd. So two-factor authentication was being deployed 
prior?
    Ms. Seymour. These are two decades in the making. We are 
not going to solve them all in two years. And if we continue----
    Mr. Hurd. See, that is where I disagree with you, okay? 
Again, we have to stop thinking about this that we have years 
to solve the problem. We don't. We should be thinking about 
this in days.
    Ms. Archuleta, how much overtime have you signed off on 
since this hack, of people that are dealing with the 
compromise?
    Ms. Archuleta. My CIO team works 24/7.
    Mr. Hurd. So if I walk into your building at 8 p.m. at 
night, there are going to be people drinking Red Bull, working 
furiously in order to solve this problem?
    Ms. Archuleta. I am very proud of the employees that are 
working on this issue, and they have been working 24/7.
    Mr. Hurd. Mr. Scott, you have inherited a mess, my man, and 
we are looking to you, and whatever this committee can do to 
help you to ensure things like this don't happen, to ensure 
that these agencies and the CIOs of the agencies are 
implementing the recommendations of the IG, the recommendations 
of the GAO, we are here to do that. And we are going to 
continue to drag people up here and answer these questions, 
because that is our responsibility.
    I recognize that you are not going to stop anybody from 
penetrating your network. But how quickly can you identify 
them, can you quarantine them, and can you kick them off the 
network? Those are the three metrics we should be using about 
the health of our systems, and we are woefully inadequate.
    I yield back the time I do not have. Thank you, sir.
    Chairman Chaffetz. Thanks.
    Mr. DeSantis, of Florida, is now recognized for five 
minutes.
    Mr. DeSantis. Thank you, Mr. Chairman.
    Ms. Archuleta, in your testimony you said, and I think this 
is the direct quote, ``we have now confirmed that any Federal 
employee from across all branches of Government whose 
organization submitted service history records to OPM may have 
been compromised, even if their full personnel file was not 
stored on OPM's system.''
    What do you mean by service history?
    Ms. Archuleta. Their careers. They may have been in a 
different position earlier than perhaps as they move around 
Government, so it may be someone whose current job would not be 
in the system, but because of their service history their 
information would be dated back, and it is for retirement 
purposes.
    Mr. DeSantis. Okay, so a potentially broader breach.
    I tell you, an SF 86, I remember filling that out when I 
was a young officer in the Navy, and it is by far the most 
intrusive form that I have ever filled out. It took me days. I 
had to go do research on myself to try to figure out. And it is 
not just that you are doing a lot of personal and sensitive 
data about the individual applicant, the SF 86 asks about 
family members, it asks about friends, spouse, relatives, where 
you have lived, who you knew when you lived in these different 
places. It also asks you to come clean about anything in your 
past life.
    So, to me, people have said that this is crown jewels 
material in terms of potential blackmail. So this is a very, 
very serious breach.
    My question for Ms. Archuleta, were cabinet level officials 
implicated in this breach?
    Ms. Archuleta. Sir, this type of information would be 
better discussed in a classified setting.
    Mr. DeSantis. Understood. What about people in the military 
and intelligence communities?
    Ms. Archuleta. As I mentioned earlier, I believe that this 
is something that we could respond to in a classified setting.
    Mr. DeSantis. Okay. So you don't disagree with my 
characterization of the SF 86 and that the compromise, let's 
just say theoretical if you don't want to say what actually 
happened here, that that is a major, major breach that will 
have ramifications for our Country?
    Ms. Archuleta. As I said, we will discuss this with you in 
the classified setting.
    Mr. DeSantis. Okay. SF 86 forms also require applicants to 
list foreign nationals with whom they are in close contact, so 
that means China now has a list, for example, of Chinese 
citizens worldwide who are in close contact with American 
officials. They can, and will, obviously use that information 
for espionage purposes.
    So what are the security implications of that type of 
information falling into enemy hands? That could be for 
anybody.
    Mr. Ozment. Sir, that is a question that we will discuss in 
the hearing this afternoon.
    Mr. DeSantis. Okay. Now, some reports say that not only 
were the hackers pursuing information on Federal employees, but 
also password and encryption keys that could be used for trade 
secret theft and espionage. And I guess you will have more to 
say about that in a classified setting, but at least for this 
forum can you say that that is a significant risk; that is not 
the type of information that we would want the enemy to have 
and it can, in fact, be very damaging, correct?
    Mr. Ozment. Again, sir, we are going to defer discussion on 
that until the classified briefing in a few minutes.
    Mr. DeSantis. Okay. And I get that and I will be there and 
I will listen intently. But it really concerns me because this 
is really a treasure trove for our enemies, potentially. And 
the fact that this system was hacked and we didn't even know 
about it for a long time, that is really, really troubling.
    If you ask people if they want to serve in these sensitive 
positions and they think that by filling out these forms they 
are actually going to put themselves or their family 
potentially at risk because the Government is not competent 
enough to maintain that secretly, that is a major problem as 
well. So the information can be used against the Country, then 
you are also, I think, going to have a chilling effect on 
people wanting to get involved if we don't get a handle on 
this.
    So I look forward to hearing from the witnesses in a 
classified setting and I yield back the balance of my time.
    Chairman Chaffetz. Thank you.
    Now recognize the gentleman from Alabama, Mr. Palmer, for 
five minutes.
    Mr. Palmer. Thank you, Mr. Chairman.
    Ms. Seymour, does the employee exposure extend only to 
those who filled out Standard Form 86, or does it include 
others as well?
    Ms. Seymour. Our investigation is ongoing, sir.
    Mr. Palmer. Well, ma'am, apparently it does, because I have 
two employees who have never filled out a Standard Form 86, and 
they have a letter from you informing them of the possibility 
that their data may have been compromised. So I will ask you 
again, and it is a yes or no, does it extend beyond the people 
who filled out an SF 86?
    Ms. Seymour. My answer to that is yes, sir. There are two 
incidents that we have come here to talk with you about today.
    Mr. Palmer. Why didn't you answer yes to start with?
    Ms. Seymour. Because you were talking about SF 86s, sir.
    Mr. Palmer. No. I made it clear. I asked you, did the 
exposure extend beyond those who filled out SF 86, and you said 
the investigation was ongoing. Apparently, you have 
investigated enough to send a letter to employees who didn't 
fill out those forms, so thank you for your yes answer.
    In your judgment, Ms. Archuleta, how likely is it that the 
hackers were able to access these personnel files through an 
employee account?
    Ms. Archuleta. Sir, we will be able to discuss that with 
you during the classified session.
    Mr. Palmer. Well, let me be a little bit more specific. Are 
you familiar with The Wall Street Journal article that 
indicated that it was possible that the breach occurred through 
personal email accounts, because employees were using the 
Federal system and that early in 2011 the Immigration and 
Customs Enforcement agency noticed a significant up-tick in 
infections and privacy spills, and they asked for a directive 
or they put out a directive that Federal employees could not 
use the Federal system to access their personal emails? But the 
American Federation of Government Employees filed a grievance 
with the federal arbitrator claiming that that was something 
that needed to be bargained and needed to be part of the 
collective bargaining agreement.
    The arbitrator dismissed ICE's security arguments in 75 
words, claiming that the law didn't give the Federal agencies 
exclusive discretion to manage the IT systems, so ICE wasn't 
able to shut that off. Do you have any comment on that?
    Ms. Archuleta. No, sir. Again, those are issues that we 
will be able to discuss in the classified hearing.
    Mr. Palmer. Well, it is being discussed in The Wall Street 
Journal.
    I think for now, since we need to head to the hearing, I 
will yield the balance of my time.
    Thank you, Mr. Chairman.
    Chairman Chaffetz. I thank the gentleman.
    Now recognize the gentleman from Georgia, Mr. Hice, for 
five minutes.
    Mr. Hice. Thank you, Mr. Chairman.
    Mr. Esser, what are the risks that are associated with not 
having a valid system authorization?
    Mr. Esser. Well, the risks are evident that not having a 
valid authorization essentially could be a symptom of weak 
controls over operating systems and applications, and lead to 
things such as a breach.
    Mr. Hice. Okay. With all the things that we are talking 
about here today, Ms. Seymour, you were obviously fully aware 
of these risks and OPM was aware of these risks?
    Ms. Seymour. Yes, sir, I was aware of these reports.
    Mr. Hice. Okay.
    Now, I kind of hate going back to this because it has come 
up several times already today, but still I am waiting for an 
answer. The inspector general put out his report last November 
expressing great alarm, recommending that OPM consider shutting 
down the systems because of the risks that you knew about, Ms. 
Archuleta knew about, and yet these recommendations were 
ignored.
    Now, I am going to come back to you with this because, 
quite frankly, Ms. Archuleta has tried to dodge this question 
and dance all around it. I want to come straight up with you. 
Why were those recommendations not followed?
    Ms. Seymour. Two reasons, sir. One is an authorization to 
operate is merely the documentation of the security controls of 
a system and their effectiveness. That does not mean simply 
because you don't have an authorization that those tools don't 
exist.
    The other effort is, as the IG was doing its audit, we were 
taking all of those vulnerabilities into play. We had already 
developed a security plan that we were in the process of 
implementing, and the IG admits in their report that we were in 
the process of implementing many of those controls.
    Mr. Hice. Did the plan that you were in process of 
implementing work? Obviously, it didn't. Would shutting it down 
have worked?
    Ms. Seymour. The controls that we put in place allowed us 
to stop the remote access to our network, and they also allowed 
us to detect this activity that had occurred prior to the IG 
report.
    Mr. Hice. But the vulnerability was still there and your 
plan failed.
    Ms. Seymour. There are vulnerabilities in every system. 
What we do is a risk management process, sir, where we look at 
the vulnerabilities as well as the business that we must 
conduct.
    Mr. Hice. Mr. Esser, let me come back to you. Currently, 
what are the consequences for owners of OPM IT systems? 
Currently, what are the consequences now if they operate 
without a valid authorization?
    Mr. Esser. There are essentially no consequences. We report 
that in our FISMA audits, but other than that there are no 
official sanctions in place. It is something that gets 
publicized, and that is the extent.
    Mr. Hice. So it sounds to me like this thing is still not 
being taken seriously. If there are no consequences for 
operating without authorization, why in the world are we still 
operating without authorization? Or is that occurring?
    Ms. Seymour. Sir, I have extended the authorizations that 
we had on these systems. Because we put a number of security 
controls in place in the environment, we have increased the 
effectiveness of the security around those systems.
    Mr. Hice. But there are no consequences for not operating 
on a system with authorization, so how seriously are you taking 
it?
    Ms. Seymour. There are consequences.
    Mr. Hice. What are they?
    Ms. Seymour. Those consequences are if you aren't doing the 
assessments, documenting them, while that is evidence that 
those assessments have been done, the assessments themselves 
are more important; the scanning of the network, the tools that 
are in place.
    Mr. Hice. That is not the consequences. What are the 
consequences? You said there are consequences. I want to know 
what they are.
    Ms. Seymour. The consequences that we have are we report to 
OMB on a quarterly basis about the status of our security and 
our network.
    Mr. Hice. That doesn't sound like consequences; that sounds 
like just reporting that you are required to do anyway. There 
are no consequences involved in those reports.
    Mr. Esser, again, are there measures that need to be taken 
to get the whole thing up to the standard it ought to be? I 
mean, is there anything that you would recommend?
    Mr. Esser. Yes. Yes. We do recommend that the CIO, the 
agency take the steps that in a lot of cases they are beginning 
to take. The centralization of the IT governance is well along 
the way. What they also need to do is get a full inventory of 
the assets that they are responsible for protecting.
    The shell project that Ms. Seymour has alluded to earlier 
is also something that we support. We also have some concerns 
about the way the project has been started and managed, but 
overall we support the idea behind the shell project.
    Chairman Chaffetz. We appreciate the gentleman.
    We now recognize the gentlewoman from New Mexico, Ms. Lujan 
Grisham, for five minutes.
    Ms. Lujan Grisham. Thank you, Mr. Chairman. Thank you for 
having this important hearing.
    I want to thank the panel for taking this conversation and 
these questions so seriously.
    In New Mexico, we are one of the States that has one of the 
largest percentage or per capita Federal employees in the 
Country, in the top five, so I have 50,000 Federal employees in 
my home State, and I am on their side by being incredibly 
concerned about this and, quite frankly, many other data 
breaches.
    The growing sophistication, frequency, and the impact on 
both public and private entities by cyber attacks continue to 
be a very serious threat. In fact, two days after my first 
election, one of the key briefings by one of the national labs 
which is in my district on Kirtland Air Force Base is the 
continuing growing concern with cybersecurity issues and their 
aggressive responses both to be proactive as much as they can 
and to appropriately be reactive once you have an identifiable 
breach.
    Given the data breach at OPM and at Home Depot and at 
Target, Anthem, it is clear to me that not only does the 
Federal Government have a role in protecting Federal employees 
and the information that you have, but we have a role in 
working to protect the public in general from this serious and 
continuing series of cyber attacks.
    But I recognize also that this is a very challenging effort 
and that there is not a simple solution. If there was, we could 
stop this hacking altogether and have the magic bullet. And as 
much as I want you to do that, I don't want to minimize the 
fact that I recognize that that is more difficult to say than 
do. No, it is easy to say; it is not so easy to do. But my 
concerns are growing given that even the best in the Country 
are facing significant cyber attacks, including Kaspersky Lab, 
who we are relying on for innovative and appropriate 
technologies to implement.
    So given that diatribe and given all the questions that you 
have had about accountability, about the serious nature, here 
is really my question. The Federal Government is not known for 
being, and I mean no disrespect by this, but just stating the 
facts, it is not a proactive, very reactive body just by the 
nature of how large it is, how broad our mission is, and how we 
are dependent on whatever the resources are and the priorities 
are at any given time.
    Given that climate and the role to protect the general 
public and your role to protect Federal employee information, 
what can you do that is different, that puts you in a position 
to be much more proactive, particularly given the nature of 
cyber attacks? Quite frankly, they have already hacked in as 
you are making the next modifications.
    Anyone on the panel. Mr. Scott, that may be a question that 
is primarily for you, but I would be interested in anybody's 
response.
    Mr. Scott. Sure. I can think of several things in the short 
run that actually we already have underway, but probably long-
term the biggest thing is to double down on replacing these 
legacy sort of old systems that we have. One of the central 
problems here is you have old stuff that just was not designed 
or built in an era when we had these kinds of threats, and it 
is, in some cases, very, very hard to sort of duct tape and 
band aid things around these systems.
    It doesn't mean there is nothing you can do, but 
fundamentally it is old architectures that need to be replaced 
and security needs to be designed into the very fabric of the 
architecture of the hardware, the software, the networks, the 
applications. And the faster we can do that, the faster we are 
on a better road.
    Ms. Lujan Grisham. And given your role to do that in 
Federal Government, I am not clear today what percentage of 
legacy systems and old architecture platforms that we are still 
operating under and which departments are more at risk than 
others. What is the time frame for getting that done and what 
is a reasonable course for this committee to take to make sure 
we have accountability in Federal Government to move forward 
exactly in that effort?
    Mr. Scott. Well, I think the first thing is we are going to 
be very transparent with you in terms of the OMB reports in 
terms of where we are at on that journey as we go through our 
work over the course of the year. Several of the members of 
this committee have said they are going to pay very close 
attention to that, which I encourage.
    Chairman Chaffetz. The gentleman will suspend.
    Our time is so tight to our 1:00 o'clock briefing. We would 
like a full and complete answer. There will be questions for 
the record and we will continue to follow up, and I hope you 
understand.
    Mr. Scott. Be happy to.
    Chairman Chaffetz. We need to give time to Mr. Grothman 
from Wisconsin, who is now recognized for five minutes.
    Mr. Grothman. I am glad we have established that the 
Federal Government is not a proactive, reactive body. It is 
something for us to always remember, no matter what bill moves 
around here. It is something to remember about the Federal 
Government.
    But be that as it may, the first question I have for you 
guys, this is kind of a significant story here. Just out of 
curiosity, just to see how the Federal Government operates, has 
anybody lost their job over this or have there been any 
recriminations in that regard?
    Ms. Archuleta. No, sir.
    Mr. Grothman. Okay. Next question, I don't care who answers 
it. As I understand, it took months for the State Department to 
root out the Russian hackers in their unclassified systems. 
Now, apparently the Chinese hackers are known for leaving 
behind time-delayed malware. Do we know for sure that these 
people are out of the system by now or could they still be 
poking around?
    Mr. Ozment. Representative, we have a joint interagency 
team led by DHS, with participation by the FBI and National 
Security Agency, who have worked with OPM and the Department of 
Interior on this incident. They have assessed that they have 
fully removed the adversary from these networks, but it is 
extremely difficult to have 100 percent certainty in these 
cases.
    Mr. Grothman. Okay, so it could be, but you think probably 
out.
    Mr. Ozment. Yes, sir.
    Mr. Grothman. Okay. Final question. Apparently there are 
rumors that people are now selling some of these files. Is this 
a threat or do we know if it is going on? And if it is going 
on, are we doing anything to counter that?
    Mr. Ozment. Sir, I think that the impact and such are 
questions better suited for the classified briefing we are 
about to have.
    Mr. Grothman. Okay. I yield the remainder of my time.
    Chairman Chaffetz. Thank you.
    I want to thank the panelists and everybody that is here. I 
think you understand, on a bipartisan basis, how seriously we 
take this situation.
    To those Federal employees who are affected, one of the 
things that should come out is that in the letter, the very end 
of the letter, if you receive one of these letters, it does 
note that the Office of Personnel Management is not going to 
call you. They are not going to contact you to provide 
additional information. There will be some very bad actors that 
are going to try to take advantage of this bad situation and 
exploit it for their own personal gain. They have already done 
that. They are going to do it again and there are going to be 
others that are going to try to do that.
    To all of our Federal employees, please do not fall victim 
yet again to somebody who is going to send you an email or make 
a call and try to prey upon you further. It was noted in the 
letter. It is worth noting here from the pulpit.
    Again, we look forward to the 1:00 classified briefing. We 
are going to have to hustle.
    The committee now stands adjourned. Thank you.
    [Whereupon, at 12:50 p.m., the hearing was adjourned.]


                                APPENDIX

                              ----------                              


               Material Submitted for the Hearing Record
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
                                 
                                 [all]