<html>
<title> - EXAMINING ON-GOING CHALLENGES AT THE U.S. SECRET SERVICE AND THEIR GOVERNMENT-WIDE IMPLICATIONS</title>
<body><pre>[Joint House and Senate Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


  EXAMINING ON-GOING CHALLENGES AT THE U.S. SECRET SERVICE AND THEIR
                      GOVERNMENT-WIDE IMPLICATIONS

=======================================================================

                             JOINT HEARING

                               BEFORE THE

                       SUBCOMMITTEE ON OVERSIGHT
                       AND MANAGEMENT EFFICIENCY

                                 OF THE

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                               AND THE

                   SUBCOMMITTEE ON REGULATORY AFFAIRS
                         AND FEDERAL MANAGEMENT

                                 OF THE

                     COMMITTEE ON HOMELAND SECURITY
                        AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           NOVEMBER 17, 2015

                               __________

                           Serial No. 114-43

                               __________

       Printed for the use of the Committee on Homeland Security

      Available via the World Wide Web: http://www.gpo.gov/fdsys/

                               __________


                        U.S. GOVERNMENT PUBLISHING OFFICE
99-749 PDF                      WASHINGTON : 2016

_________________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).


                  HOUSE COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Loretta Sanchez, California
Mike Rogers, Alabama                 Sheila Jackson Lee, Texas
Candice S. Miller, Michigan, Vice    James R. Langevin, Rhode Island
    Chair                            Brian Higgins, New York
Jeff Duncan, South Carolina          Cedric L. Richmond, Louisiana
Tom Marino, Pennsylvania             William R. Keating, Massachusetts
Lou Barletta, Pennsylvania           Donald M. Payne, Jr., New Jersey
Scott Perry, Pennsylvania            Filemon Vela, Texas
Curt Clawson, Florida                Bonnie Watson Coleman, New Jersey
John Katko, New York                 Kathleen M. Rice, New York
Will Hurd, Texas                     Norma J. Torres, California
Earl L. ``Buddy'' Carter, Georgia
Mark Walker, North Carolina
Barry Loudermilk, Georgia
Martha McSally, Arizona
John Ratcliffe, Texas
Daniel M. Donovan, Jr., New York
                   Brendan P. Shields, Staff Director
                    Joan V. O'Hara, General Counsel
                    Michael S. Twinchek, Chief Clerk
                I. Lanier Avant, Minority Staff Director

                                 ------

          SUBCOMMITTEE ON OVERSIGHT AND MANAGEMENT EFFICIENCY

                  Scott Perry, Pennsylvania, Chairman
Jeff Duncan, South Carolina          Bonnie Watson Coleman, New Jersey
Curt Clawson, Florida                Cedric L. Richmond, Louisiana
Earl L. ``Buddy'' Carter, Georgia    Norma J. Torres, California
Barry Loudermilk, Georgia            Bennie G. Thompson, Mississippi
Michael T. McCaul, Texas (ex             (ex officio)
    officio)
               Ryan Consaul, Subcommittee Staff Director
                    Dennis Terry, Subcommittee Clerk
         Cedric C. Haynes, Minority Subcommittee Staff Director

                 SENATE COMMITTEE ON HOMELAND SECURITY
                        AND GOVERNMENTAL AFFAIRS

                    Ron Johnson, Wisconsin, Chairman
John McCain, Arizona                 Thomas R. Carper, Delaware
Rob Portman, Ohio                    Claire McCaskill, Missouri
Rand Paul, Kentucky                  Jon Tester, Montana
James Lankford, Oklahoma             Tammy Baldwin, Wisconsin
Michael B. Enzi, Wyoming             Heidi Heitkamp, North Dakota
Kelly Ayotte, New Hampshire          Cory A. Booker, New Jersey
Joni Ernst, Iowa                     Gary C. Peters, Michigan
Ben Sasse, Nebraska

                    Keith B. Ashdown, Staff Director
              Gabrielle A. Batkin, Minority Staff Director
           John P. Kilvington, Minority Deputy Staff Director
                     Laura W. Kilbride, Chief Clerk
                   Benjamin C. Grazda, Hearing Clerk
                                 ------

       SUBCOMMITTEE ON REGULATORY AFFAIRS AND FEDERAL MANAGEMENT

                   James Lankford, Oklahoma, Chairman
John McCain, Arizona                 Heidi Heitkamp, North Dakota
Rob Portman, Ohio                    Jon Tester, Montana
Michael B. Enzi, Wyoming             Cory A. Booker, New Jersey
Joni Ernst, Iowa                     Gary C. Peters, Michigan
Ben Sasse, Nebraska
                     John Cuaderess, Staff Director
                  Eric Bursch, Minority Staff Director
                      Rachel Nitsche, Chief Clerk


                            C O N T E N T S

                              ----------

                               Statements

The Honorable Scott Perry, a Representative in Congress From the
  State of Pennsylvania, and Chairman, Subcommittee on Oversight
  and Management Efficiency, Committee on Homeland Security, U.S.
  House of Representatives:
  Oral Statement
  Prepared Statement
The Honorable James Lankford, a U.S. Senator From the State of
  Oklahoma, and Chairman, Subcommittee on Regulatory Affairs and
  Federal Management, Committee on Homeland Security and
  Governmental Affairs, U.S. Senate:
  Oral Statement
  Prepared Statement
The Honorable Bonnie Watson Coleman, a Representative in Congress
  From the State of New Jersey, and Ranking Member, Subcommittee
  on Oversight and Management Efficiency, Committee on Homeland
  Security, U.S. House of Representatives:
  Oral Statement
  Prepared Statement
The Honorable Heidi Heitkamp, a U.S. Senator From the State of
  North Dakota, and Ranking Member, Subcommittee on Regulatory
  Affairs and Federal Management, Committee on Homeland Security
  and Governmental Affairs, U.S. Senate
The Honorable Bennie G. Thompson, a Representative in Congress
  From the State of Mississippi, and Ranking Member, Committee on
  Homeland Security, U.S. House of Representatives

                               Witnesses

Mr. Joseph P. Clancy, Director, United States Secret Service,
  U.S. Department of Homeland Security:
  Oral Statement
  Prepared Statement
Mr. John Roth, Inspector General, Office of Inspector General,
  U.S. Department of Homeland Security:
  Oral Statement
  Prepared Statement
Mr. Joel C. Willemssen, Managing Director, Information Technology
  Issues, U.S. Government Accountability Office:
  Oral Statement
  Prepared Statement

                                Appendix

Questions From Chairman Scott Perry for Joseph P. Clancy
Questions From Ranking Member Bennie G. Thompson for Joseph P.
  Clancy
Questions From Chairman Ron Johnson for Joseph P. Clancy
Questions From Chairman James Lankford for Joseph P. Clancy
Questions From Chairman Scott Perry for John Roth
Questions From Ranking Member Bennie G. Thompson for John Roth
Questions From Chairman James Lankford for John Roth
Question From Chairman Ron Johnson for John Roth
Question From Chairman Scott Perry for Joel C. Willemssen
Questions From Ranking Member Bennie G. Thompson for Joel C.
  Willemssen
Questions From Chairman James Lankford for Joel C. Willemssen


  EXAMINING ON-GOING CHALLENGES AT THE U.S. SECRET SERVICE AND THEIR
                      GOVERNMENT-WIDE IMPLICATIONS

                              ----------


                       Tuesday, November 17, 2015

       U.S. House of Representatives,
        Committee on Homeland Security,
   Subcommittee on Oversight and Management
                            Efficiency, and
                               U.S. Senate,
   Committee on Homeland Security and Governmental
                                           Affairs,
                     Subcommittee on Regulatory Affairs and
                                        Federal Management,
                                                    Washington, DC.
    The subcommittees met, pursuant to call, at 10:01 a.m., in
Room 210, HVC, Hon. Scott Perry [Chairman of the House
Committee on Homeland Security, Subcommittee on Oversight and
Management Efficiency] presiding.
    Present from the Subcommittee on Oversight and Management
Efficiency: Representatives Perry, Watson Coleman, Thompson,
Duncan, Clawson, Torres, Carter, and Loudermilk.
    Present from the Subcommittee on Regulatory Affairs and
Federal Management: Senators Lankford, Heitkamp, Johnson, and
Peters.
    Mr. Perry. 
The House Committee on Homeland Security,
Subcommittee on Oversight and Management Efficiency and the
Senate Committee on Homeland Security and Governmental Affairs,
Subcommittee on Regulatory Affairs and Federal Management will
come to order.
    The purpose of this hearing is to examine failures at the
U.S. Secret Service and their implications Government-wide.
    The Chair recognizes himself for an opening statement.
    In September, the DHS Office of Inspector General, the OIG,
released a report on its 4-month-long investigation into
improper access and distribution of information within the
Secret Service. The findings were alarming.
    Wide-spread violations of the Privacy Act and an agency
policy occurred by Secret Service employees who accessed and
distributed information on a Member of Congress' past
employment application and senior management did nothing
immediately to stop it.
    Inspector General John Roth stated that the episode was
deeply disturbing. In addition, Director Clancy announced he
had a different account of what he initially told OIG.
Investigators subsequently had to re-interview Director Clancy
and issue an addendum to the report.
    This incident leaves numerous questions unanswered. How did
this happen? Why did Secret Service leadership not act and why
and how did Director Clancy change his account almost
immediately after the IG's report was released? The American
people deserve answers. DHS must hold all employees involved
appropriately accountable.
    As disturbing as this incident is, it is only one example
of other instances where Secret Service employees showed very
poor judgment and leadership failed to act.
    Earlier this year, senior agents who may have been under
the influence of alcohol compromised an area at the White House
being investigated for a suspicious package. 
Director Clancy
was, again, not immediately informed.
    Late last year, OIG also reported about a 2011 incident
where agents were diverted to investigate an accident at the
home of--correction--an incident at the home of the director's
assistant, which appeared to be a misuse of agency resources
and violation of the Federal Employee Code of Ethics.
    The findings in the IG's latest report are yet another
example of damage to the American people's trust in the Secret
Service. When scandal after scandal emerges and the management
is ill-informed or fails to act, the American people have cause
for great concern. We entrust the Secret Service with
tremendous authorities and tools. When they abuse those
authorities, they violate their contract with the American
people.
    Because of the Service's recent failures, DHS Secretary Jeh
Johnson convened a panel of experts late last year to recommend
changes to improve the service. The panel made broad
recommendations in December 2014 related to training and
personnel, perimeter security, technology and operation, and
leadership. The panel's report provided a broad road map to
begin reforming the service. I expect Director Clancy to fully
explain today what progress has been made in implementing the
panel's recommendations.
    While Congress has a responsibility to conduct rigorous
oversight of the latest incident, we must also understand what
is being done to improve the overall management of the Secret
Service.
    I am also concerned that similar abuses and shortcomings
could occur in other Federal law enforcement agencies. It is
important to understand what policies and safeguards, if any,
are in place to prevent similar abuse regardless of whether it
is as a Member of Congress or one of our constituents back
home. 
If it happened at the Service, what is to say other
Federal agencies are any better?
    Today's hearing must be about more than pointing fingers.
The American people have high expectations, as they should, for
the Secret Service and want the agency to be successful. Their
mission is absolutely critical to our Nation's well-being and,
as we saw from excellent work by Secret Service personnel
during the papal visit, and United States--correction--United
Nations General Assembly, the Service can succeed with proper
focus and leadership.
    I look forward to hearing more from our witnesses on how
the Secret Service can best overcome recent obstacles to
improve the management and reform the culture of this critical
agency.
    [The statement of Chairman Perry follows:]
                   Statement of Chairman Scott Perry
                           November 17, 2015
    In September, the DHS Office of Inspector General (OIG) released a
report on its 4-month-long investigation into improper access and
distribution of information within the Secret Service. The findings
were alarming: Wide-spread violations of the Privacy Act and agency
policy occurred by Secret Service employees who accessed and
distributed information on a Member of Congress's past employment
application and senior management did nothing immediately to stop it.
Inspector General John Roth stated that the episode was ``deeply
disturbing.'' In addition, Director Clancy announced he had a different
account of what he initially told OIG. Investigators subsequently had
to reinterview Director Clancy and issue an addendum to the report.
    This incident leaves numerous questions unanswered: How did this
happen, why did Secret Service leadership not act, and why and how did
Director Clancy change his account almost immediately after the IG's
report is released? The American people deserve answers. 
DHS must hold
all employees involved appropriately accountable. As disturbing as this
incident is, it is only one example of other instances where Secret
Service employees showed very poor judgment and leadership failed to
act. Earlier this year, senior agents who may have been under the
influence of alcohol, compromised an area at the White House being
investigated for a suspicious package. Director Clancy was again not
immediately informed. Late last year, OIG also reported about a 2011
incident where agents were diverted to investigate an incident at the
home of the director's assistant, which appeared to be a misuse of
agency resources and violation of the Federal employee Code of Ethics.
    The findings in the IG's latest report are yet another example of
damage to the American people's trust in the Secret Service. When
scandal after scandal emerges and management is ill-informed or fails
to act, the American people have cause for great concern. We entrust
the Secret Service with tremendous authorities and tools. When they
abuse those authorities, they violate their contract with the American
people.
    Because of the Service's recent failures, DHS Secretary Jeh Johnson
convened a panel of experts late last year to recommend changes to
improve the Service. The panel made broad recommendations in December
2014 related to training and personnel; perimeter security, technology,
and operations; and leadership. The panel's report provided a broad
road map to begin reforming the Service. I expect Director Clancy to
fully explain today what progress has been made in implementing the
panel's recommendations. 
While Congress has a responsibility to conduct
rigorous oversight of the latest incident, we must also understand what
is being done to improve the overall management of the Secret Service.
    I am also concerned that similar abuses and shortcomings could
occur in other Federal law enforcement agencies. It's important to
understand what policies and safeguards, if any, are in place to
prevent similar abuse regardless of whether it's a Member of Congress
or one of our constituents back home. If it happened at the Service,
what's to say other Federal agencies are any better?
    Today's hearing must be about more than pointing fingers. The
American people have high expectations for the Secret Service and want
the agency to be successful. Their mission is absolutely critical to
our Nation's well-being and as we saw from the excellent work by Secret
Service personnel during the papal visit and United Nations General
Assembly, the Service can succeed with the proper focus and leadership.
I look forward to hearing more from our witnesses on how the Secret
Service can best overcome recent obstacles to improve the management
and reform the culture of this critical agency.

    Mr. Perry. The Chair now recognizes the Chairman of the
Senate Committee on Homeland Security and Governmental Affairs,
Subcommittee on Regulatory Affairs and Federal Management, the
gentleman from Oklahoma, Mr. Lankford, for his statement.
    Senator Lankford. Chairman Perry, thank you very much.
Thanks for holding this joint hearing with our subcommittee, as
well.
    Good morning, everyone. I am trying to think of a more
awkward situation than how we are currently seated here but I
am sure there is a way through a separate room; we are so far
away from each other on this panel setting. I do appreciate
everyone here. 
Hopefully this will be an open dialogue as we
walk through this process together.
    I do hope this also sheds some important light on the
situation where we are at, not only with the Secret Service but
Government-wide. At the outset, I would like to acknowledge the
essential role that Secret Service fills and its incredible
dedication to our country. We do appreciate very much the
service the Secret Service brings to our Nation and what it has
done historically and what it continues to do.
    However, recent history of high-profile and embarrassing
scandals of the Secret Service and the latest DHS inspector
general findings of wrongdoing can't be swept under the rug, as
I know Secret Service is not doing.
    IG's investigation revealed unauthorized database searches
of protected information began during a House Oversight and
Government Reform hearing in March of this year. In the days
that followed, many in the Secret Service continued to misuse
their authority to access the sensitive employment history of
Chairman Jason Chaffetz.
    The IG's report noted that 60 instances of unauthorized
access to the database by 45 Secret Service employees had
violated the Privacy Act--excuse me--as well as an internal and
DHS policies. The report also noted that 18 senior Secret
Service executives failed to stop the unauthorized access or to
inform Director Clancy about the unauthorized accesses.
    In fairness, the report does reflect that one special agent
instructed her subordinates to cease accessing the database. On
its face, such wide-spread violations of our law and the
public's trust are deeply disturbing. The IG did not question
those involved if this was the only time they have
inappropriately used the database.
    In the internet age, everyone is concerned about the
possibility that personal information could be stolen or
misused. 
Our elite law enforcement agencies are not above the
law and those responsible must face appropriate consequences.
But, to me, there is a much bigger issue.
    In these days, millions of Americans' personal data is
stored across many Government agencies. The GAO report released
earlier this year on the Government's Federal information
security showed alarming findings. From 2009 to 2014, the
number of information security incidents involving
personally-identifiable information reported by Federal agencies has more
than doubled.
    GAO has stated that many agencies have largely failed to
fully implement the hundreds of recommendations previously made
to remedy security control vulnerabilities.
    These security weaknesses continue to exist and the
protection of significant personal data of millions of
Americans housed by the IRS, HHS, the VA, and other agencies.
    Just this month, the Social Security Administration's
Office of the Inspector General released a report showing that
the Social Security Administration paid monetary awards to 50
employees who were previously discovered to have accessed
personal information of others without authorization.
    Fifty Federal employees who accessed the personal
information of others without authorization, yet, incredibly,
in the end, they were rewarded despite breaking the law.
    In another troublesome example the Senate Homeland Security
Committee received testimony this year that a whistleblower was
retaliated against for shedding light on inadequate suicide
prevention practices at a V.A. hospital. This whistleblower
learned that V.A. employees illegally and improperly accessed
his private medical records after he brought to light the
shameful behavior occurring at the V.A. 
hospital where he
serves.
    The question is now how do we fix this problem so that
Americans believe that Government will protect their
information and not use it for nefarious means? I am hopeful
today we can take a step forward to address this issue, and
would like to thank Director Clancy, Inspector General Roth,
and Mr. Willemssen for their testimony today.
    I look forward to examining these challenges with each of
you.
    [The statement of Chairman Lankford follows:]
                  Statement of Chairman James Lankford
                           November 17, 2015
    Good afternoon. I'd like to thank Chairman Perry for his
willingness to hold this important joint hearing with our subcommittee.
I'm hopeful that our efforts here today will shed light on how one of
our top law enforcement agencies failed to protect sensitive personal
information housed in internal databases.
    At the outset, it is important to acknowledge the essential
security role that the Secret Service fills, and its on-going
dedication to our country. However, the recent history of high-profile
and embarrassing scandals at the Service and the latest DHS Inspector
General findings of wrong-doing cannot be swept under the rug. The IG's
investigation reveals that unauthorized database searches of protected
information began during a House Oversight and Government Reform
hearing in March of this year. In the days that followed, many at the
Secret Service continued to misuse their authority to access the
sensitive employment history of Chairman Jason Chaffetz. The IG's
report noted 60 instances of unauthorized access to the database by 45
Secret Service employees that violated the Privacy Act as well as
internal and DHS policies.
    The report also noted that 18 senior Secret Service executives
failed to stop the unauthorized access or inform Director Clancy about
the unauthorized accesses. 
In fairness, the report does reflect that
one Special Agent instructed her subordinates to cease accessing the
database. On its face, such wide-spread violations of our law and the
public's trust are deeply disturbing. The IG did not question those
involved if this was the only time they have inappropriately used the
database. In the internet age, everyone is concerned about the
possibility that personal information could be stolen or misused.
    Our elite law enforcement agencies are not above the law and those
responsible must face appropriate consequences. But to me, there is
also a much bigger issue for us to examine. These days millions of
Americans' personal data is stored not just on databases at the Secret
Service, but across many Government agencies. A GAO report released
earlier this year on the Government's Federal information security
showed alarming findings. From 2009 to 2014 the number of information
security incidents involving personally identifiable information
reported by Federal agencies has more than doubled. GAO has stated that
many agencies have largely failed to fully implement the hundreds of
recommendations previously made to remedy security control
vulnerabilities.
    These security weaknesses continue to exist in the protection of
the significant personal data of millions of Americans housed by the
IRS, HHS, the VA and other agencies. Just this month, the Social
Security Administration's Office of the Inspector General released a
report showing that the Social Security Administration paid monetary
awards to 50 employees who were previously discovered to have accessed
the personal information of others without authorization. Fifty Federal
employees who accessed the personal information of others, without
authorization and yet incredibly in the end they were rewarded despite
breaking the law. 
In another troublesome example, the Senate Homeland
Security Committee received testimony this year that a whistleblower
was retaliated against for shedding light on inadequate suicide
prevention practices at a V.A. hospital.
    This whistleblower learned that V.A. employees illegally and
improperly accessed his private medical records after he brought to
light the shameful behavior occurring at the V.A. hospital where he
served. So it's not just the Secret Service that has employees who
illegally accessed private information, this behavior has occurred
across Government. The question is how do we fix this problem so that
Americans believe that Government will protect their information and
not use it for nefarious means? I am hopeful today we can take a
step forward to address this issue.
    I'd like to thank Director Clancy, Inspector General Roth, and Mr.
Willemssen for their testimony today. I look forward to examining these
challenges with each of you.

    Mr. Perry. Chair now recognizes the Ranking Minority Member
of the House Committee on Homeland Security, Subcommittee on
Oversight and Management Efficiency, the gentlelady from New
Jersey, Mrs. Watson Coleman, for her statement.
    Mrs. Watson Coleman. I want to thank you, Mr. Chairman, and
Chairman Lankford, and Ranking Member Heitkamp for holding
today's hearings.
    Director Clancy, I want to first extend my condolences in
person on the loss of your father.
    Director, Inspector General Roth, and Mr. Willemssen, I
thank you for your testimony. 
I also want to thank the men and
women of the Secret Service for their diligence and hard work
during the recent papal visit and the 70th anniversary of the
United Nations General Assembly.
    As a Member of the Committee on Homeland Security and the
Committee on Oversight and Government Reform, I am well aware
of the gravity of the Secret Service's mission, particularly
regarding its duty to protect the President, along with foreign
dignitaries, and to oversee security at major events
domestically and abroad.
    While I am confident that the overwhelming majority of the
men and women of the Secret Service both take their jobs
seriously and express the highest grade of professionalism, I
am appalled by the recent reports of operational lapses and
poor judgment by senior-level management.
    It is obvious that there is a wide-spread lack of
consistent leadership and management within Secret Service.
However, this did not just begin under Director Clancy's
leadership. These issues have plagued the Secret Service for a
number of years.
    Last year, Secretary Johnson commissioned the independent
panel to evaluate the Secret Service. According to the panel's
report, the Secret Service needed to undergo a cultural change,
and that included having leadership that was capable of
fostering greater accountability among all staff, of
modernizing administrative functions including adjusting the
hours special agents and uniformed division personnel must
work, and improving their training.
    After the panel dismantled, the inspector general continued
to corroborate their findings. In 2015 alone, the inspector
general has issued two memoranda regarding misconduct among
senior Secret Service personnel and two Management Advisories.
    The most recent Management Advisory was issued on October
21 when personnel were found sleeping on the job. 
The inspector
general found that staffing and scheduling practices of the
Secret Service contribute to officer fatigue and that this can
pose immediate danger to protectees.
    Instead of addressing the root of the problem of having
overworked agents, the Secret Service considered the findings
an isolated incident. Furthermore, the inspector general's most
recent Management Advisory on improper database access of the
Secret Service shows that the agency has a deeply-rooted
cultural problem that is not being addressed.
    The inspector general found that over 40 agents had
improperly accessed the personnel records of a Member of
Congress through an antiquated database.
    According to the inspector general's findings, Secret
Service leadership including the director and the deputy
director did not recognize the severity of this situation and
dismissed that data breach as a rumor.
    The inspector general found that instead of dealing with
this situation, the director of the Secret Service discussed
the improper database access with former directors at a
luncheon.
    What is even far more glaring is the inspector general
found that the assistant director of training, appointed by
Director Clancy, to manage and direct all aspects of personnel
care, development, and operational capacity training for the
agencies, suggested that the information contained in this
database be leaked to embarrass a Congressman.
    Mr. Chairman, while this incident is reprehensible, it is
not beneficial for us to be here today to speak about it in
isolation. We must have a broader, productive discussion about
the Secret Service's management and culture.
    Finally, I know the Secret Service cannot improve without
help from Congress. 
Therefore, I need to know too, from the \ndirector what he needs from us, to not only make the adequate \nchanges for staffing, but also the technological advances for \npersonal databases.\n    But I also need to know from the director what his plans \nfor the agency are when he has top-level management that turns \na blind eye instead of addressing issues.\n    With that Mr. Chairman, I yield back the balance of my \ntime.\n    [The statement of Ranking Member Watson Coleman follows:]\n           Statement of Ranking Member Bonnie Watson Coleman\n                           November 17, 2015\n    I also want to thank the men and women of the Secret Service for \ntheir diligence and hard work during the recent Papal Visit and the \n70th Anniversary of the United Nations General Assembly. As a Member of \nthe Committee on Homeland Security and the Committee on Oversight and \nGovernment Reform, I am well aware of the gravity of the Secret \nService\'s mission, particularly regarding its duty to protect the \nPresident along with foreign dignitaries, and to oversee security at \nmajor events domestically and abroad.\n    While I am confident that the overwhelming majority of the men and \nwomen of the Secret Service both take their jobs seriously and express \nthe highest grade of professionalism, I am appalled by the recent \nreports of operational lapses and poor judgment by senior-level \nmanagement.\n    It is obvious that there is a wide-spread lack of consistent \nleadership and management within the Secret Service. However, this did \nnot just begin under Director Clancy\'s leadership. These issues have \nplagued the Secret Service for a number of years. 
Last year, Secretary \nJohnson commissioned an independent panel to evaluate the Secret \nService.\n    According to the Panel\'s report, the Secret Service needed to \nundergo a cultural change, and that included having leadership that was \ncapable of fostering greater accountability among all staff, of \nmodernizing administrative functions, including adjusting the hours \nSpecial Agents and Uniformed Division personnel must work, and \nimproving their training.\n    After the panel dismantled, the inspector general continued to \ncorroborate their findings. In 2015 alone, the inspector general has \nissued two memoranda regarding misconduct among senior Secret Service \npersonnel and two management advisories.\n    The most recent management advisory was issued on October 21, when \npersonnel were found sleeping on the job. The inspector general found \nthat staffing and scheduling practices of the Secret Service \ncontribute to officer fatigue and this could pose immediate danger to \nprotectees. Instead of addressing the root of the problem of having \noverworked agents, the Secret Service considered the findings an \nisolated incident.\n    Furthermore, the inspector general\'s most recent management \nadvisory on Improper Database Access at the Secret Service shows that \nthe agency has a deeply-rooted cultural problem that is not being \naddressed. The inspector general found that over 40 agents improperly \naccessed the personnel records of a Member of Congress, through an \nantiquated database.\n    According to the inspector general\'s findings, Secret Service \nleadership including the director and the deputy director did not \nrecognize the severity of the situation and dismissed the data breach \nas a rumor. 
The inspector general found that instead of dealing with \nthe situation, the director of the Secret Service discussed the \nimproper database access with former directors at a luncheon.\n    What is even far more glaring is the inspector general found that \nthe assistant director of training--appointed by Director Clancy to \nmanage and direct all aspects of personnel career development and \noperational capacity training for the agency--suggested that the \ninformation contained in this database be leaked to embarrass the \nCongressman.\n    Mr. Chairman, while this incident is reprehensible, it is not \nbeneficial for us to be here today to speak about it in isolation. We \nmust have a broader, productive discussion about the Secret Service\'s \nmanagement and culture.\n    Finally, I know the Secret Service cannot improve without help from \nCongress. Therefore, I need to know too from the director what he needs \nfrom us to not only make the adequate changes for staffing but also the \ntechnological advancements for personnel databases, but I also need to \nknow from the director what his plans for the agency are, when he has \ntop-level management that turns a blind eye instead of addressing \nissues.\n\n    Mr. Perry. Chair thanks the gentlelady. The Chair now \nrecognizes the Ranking Minority Member of the Senate Committee \non Homeland Security and Governmental Affairs\' Subcommittee on \nRegulatory Affairs and Federal Management, the gentlelady from \nNorth Dakota, Ms. Heitkamp for any statement she may have.\n    Senator Heitkamp. Thank you Chairman Perry and Chairman \nLankford. Welcome Mr. Clancy, Mr. Roth, and Mr. Willemssen. I \nfirst want to say thank you to the brave men and the brave \nwomen who serve in the Secret Service. 
While I understand the \nlast few months and few years have been marked by high-profile \nincidents of agency misconduct, I know, I know and you know the \nmajority of our agents work hard and put their life on the line \nevery day to protect the White House, past Presidents, \nPresidential candidates, and many administration officials and \nforeign dignitaries.\n    I also know first-hand as a former leader of a law \nenforcement agency what the bad actions of 2 or 3 or 4 agents \ncan do to the morale of an entire organization. I know that, \njust looking at the faces behind you Mr. Clancy, I know the \neffect that these high-profile discussions have had.\n    I am here in the spirit of, let\'s work together to make the \nSecret Service what the Secret Service should be, the most \ntrusted law enforcement agency in America. Let\'s restore the \nmorale of your agents. Let\'s work together in a management \ncollaboration and cooperation to change this dynamic and once \nagain, have your agents stand tall if they tell their friends \nand their neighbors that they work for the Secret Service.\n    That is a big part of why I am here today--is to remember \nand remind I think everyone on this day that there are \nliterally thousands of men and women who every day walk \nalongside cars, willing to sacrifice their life in protection \nof leaders of this country. Nothing that can be done by one \nperson can take away the bravery of those men and women.\n    So clearly, we have some issues to discuss, there is no \ndoubt about it. Clearly, you have already heard the concerns \nthat we have here today. But my reason for being here and for \nbeing interested in this topic is really to restore the morale \nand restore the integrity of the Secret Service so that all the \nbrave men and women who have done nothing wrong in the Secret \nService can once again hold their heads high.\n    So with that, I yield back the balance of my time.\n    Mr. Perry. 
Chair thanks the gentlelady. The Chair now \nrecognizes the Ranking Minority Member of the House Committee \non Homeland Security. The gentleman from Mississippi, Mr. \nThompson for his statement.\n    Mr. Thompson. Thank you very much, Mr. Chairman. I thank \nthe Oversight and Management Efficiency\'s Subcommittee and the \nSenate Subcommittee on Regulatory Affairs and Federal \nManagement for holding today\'s hearing. I also welcome Director \nClancy and Inspector General Roth and Director Willemssen \ntoday.\n    I join my colleagues who have already said before me, in \nthanking the men and women of the Secret Service for their \nwork, during both the papal visit and the 70th anniversary of \nthe United Nations. The dedication of the agents and officers \nof the Secret Service is admirable.\n    Unfortunately, their tireless work is time and again \novershadowed by the exposure of symptomatic problems within the \nagency. The issues that lie within the Secret Service existed \nlong before Director Clancy\'s appointment. However, as head of \nthe agency, Congress, the public, and officers and agents he \nleads, hold him accountable.\n    Prior to Director Clancy\'s appointment, serious operational \nlapses and leadership failures led to Secretary Johnson\'s \nappointment of an independent panel to review the Secret \nService. 
This panel, known as the Protective Mission Panel, had \nseveral glaring findings and recommendations.\n    One of these findings is what I have realized and \narticulated through many years of oversight of the Secret \nService: The law enforcement agency needs to undergo a cultural \nchange that includes leadership that is capable of fostering \ngreater accountability.\n    The panel stated, ``The agency is starved for leadership.\'\' \nUnfortunately, it still seems as if the Secret Service has \nyet to be fed.\n    Since the Protective Mission panel completed its review, \nthe Office of the Inspector General has led investigations into \nmisconduct involving Secret Service supervisors on more than \none occasion.\n    The inspector general found that in March, at least 4 \nsupervisors turned a blind eye when 2 veteran agents, including \nthe head of the President\'s protective detail, disrupted a bomb \ninvestigation by allegedly driving impaired through a barricade \nat the White House.\n    Last month, the inspector general found that at least 45 \nagents improperly accessed a 1980s mainframe database to \nretrieve information in an attempt to embarrass a Member of \nCongress. 
Of those agents who may have broken the law by \nimproperly accessing this database, approximately 18 of them \nwere at the GS-15 and SES levels.\n    The findings also concluded the director of the Secret \nService, his deputy director and his chief of staff failed to \ntake seriously that agents were discussing information about \nthe Congressman\'s personnel file.\n    The inspector general also made the finding that the \nassistant director of training--the person appointed by \nDirector Clancy to manage and direct all aspects of personnel, \ncareer development, and professionalism--suggested that the \ninformation found in the database be leaked in retaliation to \nCongressional oversight.\n    The IG\'s findings further illustrate that there is a lack \nof leadership and accountability from the top down. In this \ninstance, very little leadership and accountability was shown. \nDirector Clancy has indicated that the Secret Service will be \nexpanding and undergoing a rigorous and necessary hiring phase. \nThe new hires will be looking to their leaders for guidance.\n    As the Secret Service expands, it is our responsibility as \nMembers of Congress to assist the Secret Service with adequate, \nnecessary funding for its mission. Both the Protective Mission \npanel and the inspector general, have indicated that officer \nfatigue can place protectees at risk.\n    The agency also needs to have the capacity to properly vet \nemployees before they begin work rather than continuing the \npractice of having uncleared personnel working in sensitive \nareas such as the White House.\n    The new recruits should represent America and have \nopportunities for advancement. As of right now, the Secret \nService\'s direct diversity numbers are dismal. 
Furthermore, it \nwould be hard for the law enforcement agency\'s commitment to \nequal opportunity and inclusion to be taken seriously with a \nclass-action, racial-discrimination lawsuit still hanging over \nthe Secret Service\'s head, and the Secret Service using every \ndelay tactic it can instead of resolving the lawsuit amicably.\n    There must be some sweeping changes made at the Secret \nService. I know the deeply-rooted problems will not cease \novernight, but we must get to the source of them instead of \ncontinuously glossing over, putting on Band-Aids, and going \nforward with business as usual.\n    I look forward to working with the Secret Service to \nadvance its mission. With that I yield back.\n    Mr. Perry. Chair thanks the gentleman. The Chairman reminds \nother Members of the subcommittee that opening statements may \nbe submitted for the record.\n    We are pleased to have a distinguished panel of witnesses \nbefore us today on this important topic. The witnesses\' entire \nwritten statements will appear in the record.\n    The Chair will introduce all of the witnesses first and \nthen recognize each of you for your testimony.\n    Mr. Joseph Clancy was appointed director of the United \nStates Secret Service in February 2015, after serving as acting \ndirector since October 2014. Previously, Mr. Clancy served as \nthe special agent in charge of the Presidential Protective \ndivision. Mr. Clancy began his career with the Secret Service \nin 1984 in the Philadelphia field office.\n    Welcome.\n    The Honorable John Roth assumed the post of inspector \ngeneral for the Department of Homeland Security in March 2014. \nPreviously, Mr. Roth served as the director of the Office of \nCriminal Investigations at the Food and Drug Administration and \nas an assistant U.S. attorney for the Eastern District of \nMichigan.\n    Welcome, Mr. Roth.\n    Mr. 
Joel Willemssen is managing director for the \ninformation technology issues at the Government Accountability \nOffice, the GAO, where he leads the GAO\'s evaluations of \ninformation technology across the Federal Government.\n    Since joining GAO in 1979, he has led numerous reviews of \ninformation technology systems and management at a variety of \nFederal agencies.\n    Welcome, Joel.\n    Thank you for being here today. The Chair now recognizes \nMr. Clancy for his opening statement.\n\n STATEMENT OF JOSEPH P. CLANCY, DIRECTOR, UNITED STATES SECRET \n         SERVICE, U.S. DEPARTMENT OF HOMELAND SECURITY\n\n    Mr. Clancy. Good morning, Mr. Chairman, Chairman Lankford, \nChairman Perry, Chairman Johnson, Ranking Member Watson \nColeman, and Ranking Member Thompson, and distinguished Members \nof the committee.\n    Thank you for the opportunity to testify today. I plan to \naddress the findings from the recent OIG report and the many \nimprovements implemented over the past year designed to address \nthe Protective Mission Panel findings.\n    I also look forward to discussing the numerous \norganizational changes we have made at the United States Secret \nService, and would like to express my gratitude and recognize \nthe support of Secretary Johnson and the Congress in making \nmany of these changes possible.\n    I sit before you today a proud representative of the \nthousands of men and women who selflessly execute the mission \nof this agency on a daily basis. 
Recent accomplishments, \nincluding 4 near-simultaneous Special Security Events \nsurrounding the papal visit and the United Nations General \nAssembly, as well as a number of high-profile cyber \ninvestigations serve to reinforce this feeling.\n    In fact, in addition to initiating protection of two \nPresidential candidates last week, Secret Service personnel are \nat this very moment deployed around the world ensuring the \nPresident\'s safety while in Southeast Asia in yet another \nexample of their commitment and dedication to the mission.\n    Despite the Secret Service\'s many recent successes, I \nrecognize that the primary reason we are here today is to \naddress the misconduct detailed in the OIG\'s report. This \ninvestigation arose from allegations that the Secret Service \nemployees inappropriately utilized an internal database to \naccess the applicant record of an individual who is now a \nMember of Congress.\n    The misconduct outlined in the report is inexcusable and \nunacceptable. This conduct is not supportive of the agency\'s \nunique position of public trust. On behalf of the men and women \nof the Secret Service, I would like to publicly renew my \napology for this breach of trust and affirm my commitment to \nrestoring it.\n    The OIG reported that these employees violated existing \nSecret Service and DHS policies pertaining to the handling of \nthe Privacy-Act-protected information. At the time that these \nviolations occurred, relevant policies and procedures were in \nplace and could be found in a number of locations, including \nthe Secret Service Ethics Guide, the Table of Penalties, policy \nmanuals and required on-line training courses. 
I was angered by \nthe willful disregard of these policies and I am determined to \nensure that all employees are held to the highest standards of \nprofessional conduct.\n    As I stated on prior occasions, I am committed to ensuring \nthe accountability in this matter regardless of rank or \nseniority. Secretary Johnson and I stand together on this \npoint. To date, several dozen employees have been issued \ndisciplinary proposals relating to these events. More are on \nthe way. The discipline is being administered in accordance \nwith DHS and Secret Service policy, and I am confident that \nthese actions will be fair, appropriate, and completed in a \ntimely fashion.\n    A contributing factor that allowed multiple individuals to \nimproperly access this information was the nature of the \ninformation system that housed the data. Secret Service \nrecognized this deficiency some years ago and began a process \nto modernize its IT infrastructure to allow for such data to be \ncompartmentalized and restrict the access to those with an \nofficial need to know. This process was completed this past \nJune.\n    At this time, the MCI system has been officially retired. \nWith respect to applicant records, the number of employees with \naccess to the new system has been reduced by more than 95 \npercent.\n    Finally, much has been made of my statements and a decision \nof the OIG to reopen the investigation on October 5, 2015. \nPrior to publicly releasing the report on September 30, the OIG \nprovided a draft copy for my review which reflected my \nstatement that I became aware of the rumor on April 1.\n    As my colleagues and I reviewed the draft, I was reminded \nthat I had, in fact, been made aware of the rumor on March 25. \nHowever, let me be clear that what I was made aware of was a \nrumor with no indication of employees\' misconduct or employees \naccessing internal databases. 
In order to ensure the accuracy \nof the report and knowing the concern it would cause, I took \nthe initiative to contact Mr. Roth prior to the report\'s \npublication to ensure the report was accurate and correct on \nthis point.\n    With respect to the recommendations of the Protective \nMission Panel, tremendous progress has been made in all areas. \nI am proud to say that we have significantly altered the way \nthe Secret Service is structured and managed. We have also made \nstrides in hiring new members of our workforce and expanding \ntraining opportunities for current members.\n    I am also realistic in knowing that many of the changes we \nare making will take time and that we must continue to \ncommunicate these changes to our workforce.\n    In the interest of time, I will point you to my written \ntestimony submitted in advance of this hearing for a more \nthorough description of this process and look forward to \ndiscussing our progress on these recommendations with each of \nyou today.\n    I would like to close by remembering a remarkable leader \nand true friend, former Assistant Director Jerry Parr. Jerry is \nwidely known for the decisive actions he took during the March \n30, 1981, assassination attempt on President Ronald Reagan. The \ndecisions he made that day, including evacuating the President \ndirectly to the hospital, likely saved the life of the \nPresident. As I reflected on his passing, I had the opportunity \nto review a speech he made to a graduating special agent \ntraining class in 1994.\n    He stated, ``An organizational culture is a product of \ntime, successes, sufferings, failures and just plain hard work. \nAfter a hundred years or so, deep roots are developed and a \ncorporate memory evolves. While another agency can purchase \npersons, equipment and technology similar to the Secret \nService, it cannot buy this corporate memory. 
This is a \npriceless commodity.\'\'\n    As the men and women of this agency traverse these \nchallenging times, it is important to remember that culture \ninvolves more than an agency\'s failures and that the successes \nderived from hard work and dedication will prevail as the \nlasting corporate memory of the Secret Service.\n    Thank you and I welcome any questions you may have.\n    [The prepared statement of Mr. Clancy follows:]\n                 Prepared Statement of Joseph P. Clancy\n                           November 17, 2015\n    Good afternoon, Chairman Lankford, Chairman Perry, Ranking Member \nHeitkamp, Ranking Member Watson Coleman, and distinguished Members of \nthe committees. Thank you for the opportunity to testify today. I look \nforward to discussing the on-going challenges at the United States \nSecret Service (``Secret Service\'\') including those recently outlined \nby the Department of Homeland Security (``DHS\'\') Office of Inspector \nGeneral (``OIG\'\'). I am also prepared to elaborate on the \norganizational changes and improvements implemented over the past year \nto address them. I would like to express my gratitude and recognize the \nsupport of Congress in making many of these changes possible.\n    I proudly sit before you today representing the thousands of men \nand women who selflessly execute the mission of this agency on a daily \nbasis. Over the past 150 years, the Secret Service has established \nitself as one of the most highly-regarded law enforcement agencies in \nthe world. Throughout our history, we have continued to answer the call \nto serve our country, and through our work, have created a tradition of \nexcellence. 
The cornerstone of our success is the absolute dedication \nto duty displayed by the men and women of this agency.\n Investigation Into the Improper Access of a Secret Service Data System\n    I would like at the outset to address the recent investigation by \nthe DHS OIG into allegations that Secret Service employees improperly \naccessed and distributed information in internal databases. The \ninvestigation found that a number of employees violated existing Secret \nService and DHS policies pertaining to the unauthorized access and \ndisclosure of information protected by the Privacy Act of 1974. The \nbehavior these employees exhibited is unacceptable. I am angered by the \nunderlying actions reflected in the OIG\'s findings and am committed to \nensuring that all employees are held to the highest standards of \nprofessional conduct, whether on- or off-duty. Those we protect and the \npublic we serve expect us to live by our oaths and the values we have \nestablished as an agency, and we should demand nothing less from each \nother. We are better than the actions illustrated in this report and \npeople will be held accountable for their actions. We have made \nnecessary changes to technology in order to limit the potential for \nfuture misconduct, and are implementing enhanced training. I will \ncontinue to review policies, practices, and training to address \nemployee misconduct and demand the highest level of integrity of all \nour employees.\nAccountability\n    On behalf of the men and women of the Secret Service, I would like \nto publicly renew my apology for this breach of trust and confidence \nand state my commitment to restoring it. I have heard loud and clear \nthe demand for accountability and need for timely, decisive \ndiscipline--and I agree. I also understand that apologies and \nexpressions of anger are not enough. Secretary Jeh Johnson and I stand \ntogether on this point. 
Appropriate discipline is being administered in \naccordance with DHS and Secret Service policy. I am confident that the \nactions regarding the individuals involved will be prompt, fair, and \nappropriate.\nTechnology\n    On March 24, 2015, there were technological security deficiencies \nwithin the Secret Service\'s primary internal database that contributed \nto the unauthorized access of information. These internal \nvulnerabilities have been addressed and the potential for similar \nmisconduct in the future mitigated. The Master Central Index (``MCI\'\') \nwas a mainframe application developed in 1984 that served as a central \nsearching application and case management system. More specifically, \nMCI contained records from protective, investigative, and human capital \ndivisions and served as a single access point for investigators and \nadministrators. A significant deficiency of this arrangement was that \nan MCI user had access to all of the data in MCI regardless of whether \nit was necessary for that user\'s job function or not.\n    The Secret Service\'s Information Integration and Technology \nTransformation (``IITT\'\') program was established in fiscal year 2010. \nIn recognition of the limitations of MCI and other mainframe \napplications, the Secret Service initiated the Mainframe Application \nRefactoring (``MAR\'\') project in 2011 to assess the existing 48 \napplications residing on the mainframe and migrate necessary \ncapabilities and accompanying data to a non-mainframe, secure, highly-\navailable and compartmentalized environment. DHS estimated the project \nwould take 10 years to complete. The Secret Service accelerated the MAR \nproject in 2013 and was able to achieve project closure on June 24, \n2015. At that time, all employee mainframe access was revoked. The new \nsystems are completely operational, and all legacy data has been \nmigrated to new platforms where data is locked down and access to data \nis dependent upon job function. 
Protective, investigative, and human \ncapital records reside in different systems and internal controls have \nnow been implemented to restrict access to those systems in two ways. \nNow access is: (1) Limited to the respective directorates responsible \nfor the information; and/or (2) based on the role of the system user \nwithin the organization. Shutdown of MCI began at the end of July, and \nit was fully powered down on August 12, 2015. Disassembly of the \nmainframe began in August, and it was physically removed from the data \ncenter on September 16, 2015.\nTraining\n    The OIG report also cited the need for improved and more frequent \ntraining related to unauthorized access of sensitive data. We have been \nworking to reiterate and reinforce existing policies and training. This \nincludes the long-standing, existing policy regarding the proper access \nto databases and handling of Privacy Act protected information, which \nis clearly stated in the Secret Service Ethics Guide, in the Table of \nPenalties, and within the Secret Service Manual sections related to \nrules of behavior with respect to the use of information technology. \nEmployees are required to certify annually that they have reviewed \nthese manual sections.\n    At the time of the conduct in question, the Secret Service was \nalready providing a 1-hour briefing to Special Agent and Uniformed \nDivision Training Classes that includes material on the Privacy Act. A \nsenior Government Information Specialist from the Freedom of \nInformation Act and Privacy Act Branch of the Office of Government and \nPublic Affairs teaches the class and focuses, in part, on PII, with \ncomprehensive instructional material on the subject added to the \ncontent in approximately 2012. A 1-hour in-service on-line training \ntitled ``IT Security Awareness\'\' is required as part of the agency\'s \nadherence to the Federal Information Security Management Act \n(``FISMA\'\'). 
The course outlines the role of Federal employees in the \nprotection of information and in ensuring the secure operation of \nFederal information systems. The Privacy Act is also discussed during \nin-service ethics classes administered to the field by Secret Service \nOffice of Chief Counsel instructors. Further, DHS requires Secret \nService employees to complete annual in-service on-line training \ntitled, ``Privacy at DHS: Protecting Personal Information.\'\' This \ntraining was incorporated into the required curriculum in 2012 and \ncovers proper handling of PII. While the class is annually required, \ndue to the gravity of the findings in the OIG report, I instructed the \nworkforce in an official message on October 16 to retake the class by \nNovember 30.\n    Additionally, at my direction enhanced briefings regarding the \nPrivacy Act are now being provided to Special Agent and Uniformed \nDivision Training Classes by Office of Chief Counsel instructors. A \npermanent curriculum is being developed and a formal class for \ncandidate and in-service employee training is anticipated in the near \nfuture.\n    Finally, I would like to address my statements and the decision of \nthe OIG to reopen the investigation on October 5, 2015. Prior to the \npublic release of the report on September 30, 2015, the OIG provided me \na draft electronic copy of the report for review. I received this draft \nreport from the OIG during the National Special Security Events \n(``NSSEs\'\') in New York City associated with the Pope\'s visit and the \nUN General Assembly. During the process of reviewing the draft, I was \nreminded by a colleague that I had been informed of a rumor regarding \nthe individual\'s application history on March 25. 
While I myself do not \nrecall hearing of this rumor, several others have confirmed that I did, \nand that it was a general rumor about the individual\'s past \napplication; it did not relate to USSS employees improperly accessing \ndatabases or sharing protected information. In order to ensure accuracy \nwithin the report, on my own initiative I contacted the OIG to correct \nthe record. I did not make the decision to contact the OIG blindly and \nwas fully aware that additional scrutiny would result from my doing so. \nI made this decision because I feel that it is important to be as \nforthcoming, accurate, and complete as possible. I expect this from my \nemployees and expect nothing less from myself.\n    The OIG published an addendum in October reporting its assessment \nof the updated information pertaining to when I was made aware of this \nrumor. Interviews with former directors, my deputy director, and my \nformer chief of staff only serve to corroborate that the information \navailable to me at the time was nothing more than a rumor. The \ninformation was not attributed to a Secret Service data system or \nindicative of any action--inappropriate or otherwise--by any Secret \nService employee. Nothing in the addendum contradicts what I have \nmaintained from the beginning--that at no time prior to April 2, was I \naware that potential misconduct could be the source of this rumor. 
When \nI did learn of it, I began taking immediate action, contacting the OIG \nand sending an official message to the workforce on the handling of \nsensitive information.\n Fulfilling the Independent Protective Mission Panel\'s Recommendations\n    I would now like to turn to the actions we have taken to implement \nthe recommendations of the independent Protective Mission Panel (the \n``Panel\'\'), which was established by Secretary Jeh Johnson following \nthe events of September 19, 2014 to undertake a broad review of the \nSecret Service\'s protection of the White House complex. The Panel\'s \nwork, aided by full cooperation of the Secret Service and DHS, \nconcluded with the publication of the Report from the United States \nSecret Service Protective Mission Panel to the Secretary of Homeland \nSecurity (the ``Report\'\'), issued on December 15, 2014.\n    The Report memorialized the findings and recommendations of the \nPanel in three general areas: Training and Personnel; Technology, \nPerimeter Security, and Operations; and Leadership. Upon receipt of the \nReport, the Secret Service acknowledged and accepted the Panel\'s \nfindings and recommendations. A number of the issues found in the \nreview were recognized independently prior to the issuance of the \nReport and were being addressed, while those that remained were \nprioritized and incorporated into a strategic action plan designed to \nfully implement the Panel\'s findings as time and resources permitted.\n    I am proud to say that we have significantly altered the way the \nSecret Service is structured and managed since my return to the agency. \nWe have also made strides in hiring new members of our workforce, and \nin expanding training opportunities for current members. 
I am also \nrealistic in knowing that the changes we are making will take time to \nrealize their full impact, particularly as they relate to staffing \nlevels, and that we must continue to communicate these changes to our \nworkforce. Some of the PMP recommendations will never be closed, as \nthey require a commitment to on-going evaluation, innovation, and \ncontinuous improvement. I am hopeful that the structural changes we \nhave made to the Secret Service will foster an environment where this \nperspective is not only valued, but also encouraged. I am committed to \nthis process and am certain that the Secret Service will emerge a \nstronger agency with the continued support of the Department, the \nadministration, and the Congress.\nTraining and Personnel\n    I recognized early on in my tenure that many of the most serious \nproblems facing the Secret Service can be traced back to inadequate \nstaffing levels. Achieving appropriate staffing levels will allow the \nworkforce to undertake a level of training commensurate with the \nmission and help to address the resultant effect on morale. Once \nunderway, the process is, to some extent, self-repairing in that as \nmorale improves, attrition rates will fall and staffing levels will \ncontinue to increase toward desired levels.\n    In May 2015, to address staffing issues and following a wider \nprofessionalization initiative in which I placed civilian specialists \nin executive-level leadership positions, I implemented a reorganization \neffort aimed at more efficiently recruiting and hiring special agents, \nUniformed Division (``UD\'\') officers, and administrative, professional, \nand technical (``APT\'\') personnel. Both the Human Capital and \nRecruitment Divisions were closed and their collective responsibilities \nwere redistributed to a number of new divisions. 
The Talent and \nEmployee Acquisition Management Division (``TAD\'\') is one such \ndivision, and this reorganization has allowed its managers to focus \nexclusively on recruiting and hiring diverse applicants to fill special \nagent, UD, and APT positions. In the ensuing months, TAD has \nimplemented a modern recruitment strategy, including embracing social \nmedia as a recruiting tool and budgeting fiscal year (``FY\'\') 2016 \ndollars towards an aggressive advertising campaign aimed at attracting \nqualified applicants to the agency. Further, in order to avoid \nbottlenecks and streamline the process of on-boarding qualified \napplicants, the Secret Service is hiring contractors to serve as a \nstop-gap solution for reviewing hiring qualifications through TAD and \nmonitoring background investigations through the Security Clearance \nDivision (``SCD\'\') until an adequate number of APTs can be hired and \ntrained to perform these functions.\n    Identifying our needs is a key element of supporting appropriate \nstaffing levels because it drives our budget requests and \njustifications. In July, we completed the U.S. Secret Service Human \nCapital Plan for fiscal year 2015 through 2019. This foundational \ndocument identifies our strategy for increasing staffing levels, by \naccounting for mission, training, and work/life balance requirements. \nConsistent with the results of the PMP, our analysis suggests that \nstaffing levels must significantly increase over the next 5 years to \nsupport not only our mission requirements but also our employee \ntraining and work/life balance needs. 
We look forward to continuing our \nwork with the Department and Congress to secure the financial resources \nnecessary to support these enhanced staffing levels.\n    In response to the PMP recommendation that the Secret Service \nincrease the number of personnel assigned to UD and the Presidential \nProtective Division (``PPD\'\'), we worked closely with the Federal Law \nEnforcement Training Center (``FLETC\'\') to schedule 10 special agent \nclasses with 195 agents and 8 UD classes with 151 officers in fiscal \nyear 2015, a significant increase from years immediately preceding. \nAdditionally, in fiscal year 2016, we have again asked FLETC for \nincreased numbers of trainee classes and hope to bring 12 special agent \nand 12 UD classes on board this year. Today, the recommended personnel \nincrease to PPD is substantially complete, while efforts to reach net \ngains that approach recommended levels in UD continue in the face of \ngreater challenges with respect to attrition and retention. Given this \nchallenge, the Secret Service recently introduced a UD retention bonus \nand is engaged with the Department to develop additional programs \ndesigned to incentivize members of our talented workforce to refrain \nfrom separating prematurely from the agency.\n    A number of the Panel\'s recommendations were directed to training, \nincluding conducting integrated training in realistic conditions, and \nan increase in the overall amount of training received by agents and \nofficers assigned to protective functions. The Secret Service has \nworked diligently to implement integrated training between the various \nunits assigned to the White House complex. Currently, 99% of UD \nofficers and technicians have completed specially created ``Emergency \nAction/Building Defense\'\' training. 
Training for agents assigned to \npermanent protective details has also increased with special agents on \nthe Presidential Protective Division receiving approximately 25% more \ntraining in fiscal year 2015 than in fiscal year 2014. In order to more \nrealistically simulate the conditions in which our agents, officers, \nand technicians operate, our fiscal year 2016 budget request includes \nfunds directed to the design and construction of a more permanent White \nHouse training facility. Additionally, as staffing levels increase, the \nnumber of training hours that personnel assigned to UD and protective \ndetails receive will continue to increase accordingly. I firmly believe \nthat, given the nature of the Secret Service\'s integrated mission, the \nimportance of the amount and quality of training provided to our \nworkforce cannot be overstated.\nTechnology, Perimeter Security, and Operations\n    For the purposes of today\'s hearing, I will speak generally to the \nPanel\'s recommendations on technology and perimeter security. The Panel \nbelieved strongly, as do I, that operational issues related to the \nprotection of the White House should not be the subject of a detailed \npublic debate in their report or any other fora. I pledge to continue \nto provide you and your staffs with relevant information in the proper \nsetting, at your request, as we move forward implementing these \nrecommendations. My No. 
1 priority has been, and is, the protection of \nthe President, Vice President, and their families.\n    To address longer-range future technology needs, the Secret Service \nwill continue to partner with the Department\'s Science and Technology \nDirectorate, the Department of Defense, and our partners in the \nintelligence community to ensure we are researching, developing, and \ndeploying cutting-edge technology.\n    The Secret Service has recognized the need for protective \nenhancements to the White House complex fence and is currently working \nwith stakeholders to create a viable, long-term solution. This multi-\nphase project began with the formation of requirements that are guiding \na formal study aimed at identifying various fence options. These \nrequirements encompassed security concerns identified by the Secret \nService, including efforts to delay intruders, as well as aesthetic and \nhistoric concerns put forward by the National Park Service (``NPS\'\').\n    Working at a highly accelerated pace with the National Capital \nPlanning Commission (``NCPC\'\'), the U.S. Commission of Fine Arts, and \nthe NPS, the Secret Service was able to not only secure approval for, \nbut also complete the installation of an interim improvement to the \nfence that inhibits the ability of individuals to climb it. We also \nworked with NPS to complete a study to identify the options for \npermanent enhancements to perimeter security earlier this year. We are \nmoving forward with the design phase of this project, and look forward \nto working with the NCPC to secure its approval in early 2016.\nLeadership\n    The majority of the recommendations contained in the Report fell \nunder the category of ``Leadership.\'\' Dynamic leadership that \nencourages open communication, rewards innovation, values flexibility, \nrejects insularity, and embraces personal accountability is vital to \nthe agency\'s long-term success. 
Based upon the Panel\'s review, and my \nown assessments, I implemented several leadership changes in the Secret \nService executive management team earlier this year. These changes were \nnecessary to gain a fresh perspective on how we conduct business. The \nPanel\'s recommendations on leadership have been incorporated into the \nstrategic action plan referenced above.\n    The Panel recommended that the agency should promote specialized \nexpertise in its budget, workforce, and technology functions. This \nassessment has been embraced, and, through a professionalization \ninitiative, many executive positions formerly held by career law \nenforcement agents are now held by civilians with the training and \nexperience necessary to effectively guide an organization of this size. \nFirst and foremost, we established a new chief operating officer (COO) \nposition, a non-law enforcement Senior Executive Service (SES)-level \nposition that is equivalent to the deputy director. Along with the \ncreation of this position, we elevated the Office of the Chief \nFinancial Officer (CFO) to a directorate-level entity, created the \nOffice of Strategic Planning and Policy (OSP), and split the Office of \nHuman Resources and Training (HRT) into two directorate-level offices--\nthe Office of Human Resources (HUM) and the Office of Training (TNG). \nBy splitting HRT into two directorates, we are expecting to achieve \ngreater focus on two key areas of concern for the PMP--staffing and \ntraining. In the revised organizational structure, the CFO, HUM, OSP, \nand the chief information officer (CIO) are now aligned under the COO. \nWe will continue to evaluate our organizational structure and make \nchanges where it is necessary.\n    In addition to the structural changes, we used this opportunity to \nevaluate the skills required for directorate-level leadership positions \nto examine which would be best filled by non-law enforcement \nprofessionals. 
As a result of this examination, three of our ten \ndirectorates are led by non-law enforcement professionals, including \nthe CFO, OSP, and our Office of Technical Development and Mission \nSupport (TEC). Further, we have enhanced our executive-level \nperspective by appointing non-law enforcement professionals to the SES-\nlevel roles of CIO, deputy CIO, and component acquisition executive \n(CAE), and are in the process of hiring for a newly-created SES-level \ndirector of communications position.\n    One of the principal responsibilities of the CFO has been to start \nthe process for developing a zero-based budget as recommended by the \npanel. This enormous undertaking is underway, and it is my hope that a \nmission-based budget will begin to be implemented in the fiscal year \n2018 budget cycle. Important steps have been taken in furtherance of \nthis goal, including the development of the previously mentioned Human \nCapital Plan, and benchmarking Secret Service analytical capabilities, \nstaff resources, and planning activities with comparable organizations.\n    A common theme within the panel\'s recommendations on leadership was \nthe need for improved internal and external communication. I wholly \nadopt this view and firmly believe that improved communication is \ndirectly related to increased effectiveness and morale. I have affirmed \nthis priority to the executive management team, and my expectation and \nmessage to them is that they do the same within their directorates. The \nagency\'s priorities have been communicated externally through active \nengagement with the Department, the administration, and Congress. This \noutreach will continue, and future operational and managerial decisions \nwill be guided by these priorities.\n    Internally, I have personally visited many of our field offices, \nall former Presidential protective details, and conducted video-\nconferenced town hall meetings with the agency\'s workforce. 
I have \njoined officers and agents at the White House complex and the Vice-\nPresident\'s residence during their daily roll call. Earlier this year, \nI met with field supervisors for an Investigative Issues Focus Group to \nobtain a better understanding of the issues and concerns of the agents \nin the field. I plan to continue to have an open and honest \nconversation with members of our workforce about their concerns and \ndiscuss what I can do to address them.\n    As part of our outreach to employees, we conducted a Work/Life \nAssessment through a third-party contractor. The results of the 47 \nfocus groups conducted under this effort provided us with a roadmap \nthat allowed us to identify and begin to act upon the concerns of our \nworkforce. In terms of delivering information, we have started sending \nimportant email messages to affected employees\' individual inboxes, \nwhich allows them much easier access to information than was previously \navailable only via official messages accessible exclusively through a \nnetworked connection to the Secret Service email server. Additionally, \nwe have started to leverage multimedia in our approach, including \ncreating videos to communicate major policy changes and initiatives. \nFinally, just weeks ago, we launched a new web-based platform, Spark!, \nwhich we expect will enhance two-way communication between the \nworkforce and leadership by providing a forum to raise ideas, \nsuggestions, and concerns. Employees should have every assurance that I \nwill continue to work to share information and feel it is my \nresponsibility to find solutions to the issues or concerns they voice.\n    Accountability is another issue that I believe the Panel was \nrightly focused on due to its effects on workforce morale and \noperational readiness. 
Even before the Panel issued its \nrecommendations, as a result of a number of incidents involving \npersonal conduct, my predecessors had already taken important steps to \naddress these issues. These steps were intended to increase \ntransparency, consistency, and fairness in disciplinary actions and \nincluded the following:\n  <bullet> A Professionalism Reinforcement Working Group (``PRWG\'\') was \n        initiated to conduct an objective and comprehensive review of \n        the agency\'s values and professional standards of conduct;\n  <bullet> As a result of the PRWG, we created and published a \n        comprehensive ethics guide, initiated an active schedule of \n        ethics training, conducted integrity training, and implemented \n        a new centralized disciplinary policy including a Table of \n        Penalties (issued on 11/15/2013);\n  <bullet> An ``Inspection Hotline\'\' was created and prominently \n        displayed on the Secret Service\'s Intranet Home page for \n        employees to report misconduct to the Secret Service Office of \n        Professional Responsibility or the DHS OIG and allow the agency \n        or the Department to initiate swift investigative or \n        administrative action;\n  <bullet> Extensive training requirements for new supervisors were \n        created. Training includes mandatory completion of the DHS \n        leadership development program and the agency\'s 40-hour, \n        classroom-based Management and Emerging Leaders seminars. 
The \n        requirements also include the assignment of a senior-level \n        mentor to guide supervisors in the first year of their \n        assignment;\n  <bullet> The chief integrity officer position was established, and we \n        reinforced the importance of leadership and accountability with \n        supervisors and provided developmental training to over 5,000 \n        employees; and\n  <bullet> The ITG created a Discipline Analysis Report for Calendar \n        Year 2014, which we posted for all employees to view on our \n        intranet site. The posting of this report was the first time \n        the Secret Service made this type of data available for review \n        by the workforce and underscores our commitment to support a \n        culture of transparency within our workforce. We made this \n        decision in response to the concerns raised by the workforce \n        regarding the consistency and fairness of our discipline \n        process.\n    As recommended by the Panel, we firmly believe that we can further \nenhance and improve our performance by partnering with other \norganizations to collect their best practices and leverage their \nknowledge. We have greatly expanded our outreach efforts to learn from \nthe Department of Defense and intelligence community, particularly in \nthe areas of training and technology.\n    In the area of training, the Secret Service completed a number of \njoint training exercises with entities that included representatives \nfrom the military, Federal, State, and local law enforcement and other \nprotective agencies. Our employees benefited from the perspective of \nthe Department of Defense community during training opportunities at \ntheir facilities. In other cases, like the security planning and \npreparation preceding the Papal visit last month, our employees had a \nchance to examine protective methodologies while observing security \nofficials from the Vatican. 
These efforts were in addition to the \nopportunity to work with the security personnel who traveled with the \nworld leaders that attended the 70th United Nations General Assembly.\n    The Secret Service also has benefited from both existing and newly-\nestablished relationships within the interagency and intelligence \ncommunities and with the Department of Defense related to technology. A \nfew examples where we are currently leveraging these relationships \ninclude the challenges with unmanned aerial vehicles (``UAV\'\') and \ngunshot detection.\n    While the above summarizes our activities in a number of areas, the \ntotality of the actions we have taken since receiving the \nrecommendations of the PMP is substantial. Secret Service employees at \nevery level have been working hard not only to support our mission \nrequirements, but also to establish the foundation for significant \nchanges that will positively impact the Secret Service over the long-\nterm.\n                           mission excellence\n    In addition to working on the implementation of the Panel\'s \nrecommendations, one of my biggest priorities over the past year has \nbeen to restore the Secret Service\'s reputation of mission excellence. \nThousands of special agents, uniformed officers, and civilian staff \nsuccessfully fulfill the integrated mission of this agency every day \nthroughout the world.\n    It is important to remember that protection is only a portion of \nthe integrated mission of the Secret Service. 
The expertise, maturity, \nand judgment special agents develop as criminal investigators \nconducting counterfeit currency, financial, or cyber crime \ninvestigations are essential to the extremely critical and demanding \nwork of protecting our Nation\'s highest elected leaders, as well as \nthose world leaders who travel to our country.\n    Just 2 months ago, members of the Secret Service came together from \nfield offices across the country and throughout the world to \nsuccessfully execute security plans at 4 near-simultaneous NSSEs while \nalso protecting President Xi Jinping of China during his first state \nvisit to the United States. The planning for the 4 NSSEs spanned over 8 \nmonths. This is the first time in the history of the agency--or this \ncountry--that such a feat has been accomplished.\n    The 4 NSSEs involved a monumental three-city tour of Pope Francis \nto Washington, DC, Philadelphia, PA, and New York, NY, as well as the \n70th United Nations General Assembly. Agency personnel coordinated \nsecurity plans for the President, Vice-President, Pope, and \napproximately 160 heads of state and over 80 spouses.\n    In addition to honing personnel who are able to serve as \nspecialists in the planning and staffing of protective operations, the \nintegrated mission serves another purpose. Agents in the field also \nforge strong relationships with local law enforcement partners in \ninvestigations that pay dividends when we need their assistance during \na protective visit. The Secret Service has long recognized that \npartnerships and cooperation act as force multipliers in both our \nprotective and investigative missions. 
In this instance, with the need \nfor critical support from State and local partners, these relationships \nproved to be invaluable.\n    Plans for the NSSEs in September involved bringing together 2,500 \nadditional Federal law enforcement officers from other Federal \nagencies, the support of dozens of State and local law enforcement \norganizations, screening over 1 million people, and securing over 25 \nindividual sites including the United States Capitol, Central Park and \nMadison Square Garden in New York, and the Benjamin Franklin Parkway in \nPhiladelphia. At the same time, preparations were underway and continue \nto be developed for upcoming Presidential trips with multiple stops in \nAsia, Presidential and Vice-Presidential candidate protection, the two \nNational political conventions, and Presidential and Vice-Presidential \ndebate sites.\n    In addition to the 4 NSSEs, the Secret Service in fiscal year 2015 \nconducted over 6,245 protective visits. Protective details and field \nagents ensured protection for over 5,981 domestic stops and \napproximately 264 international stops. The Secret Service Uniformed \nDivision completed more than 677 magnetometer/X-ray operations \nassignments, and screened more than 2,742,620 members of the public. \nThe Secret Service stopped approximately 2,847 weapons at magnetometer \ncheckpoints from entering secure venues. The protective mission was \nalso supported by over 6,617 protective surveys and approximately 136 \nprotective intelligence arrests.\n    Additionally, Secret Service investigations continue to produce \nNationally and internationally significant results, much of them in \nstrong coordination with the Department of Justice, other law \nenforcement agencies, and our public- and private-sector partners. 
Two \nrecent cases exemplify the work our agents do daily, in order to \nprotect our Nation\'s financial infrastructure.\n    In October, the Secret Service worked to apprehend and extradite \nyet another alleged cyber criminal--Sergey Vovnenko. Vovnenko is \ncharged with conspiring to hack into the computer networks of \nindividual users and corporations to steal log-in credentials and \npayment card data. According to the indictment, for almost 2 years, \nVovnenko and his conspirators operated an international criminal \norganization that stole data, including user names and passwords for \nbank accounts and other online services, as well as debit and credit \ncard numbers and personally identifiable information. To carry out this \ncrime, Vovnenko allegedly operated a ``botnet\'\' of more than 13,000 \ncomputers infected with malicious computer software programmed to gain \nunauthorized access to other computers and to identify, store, and \nexport information from hacked computers.\n    In the same week that Vovnenko appeared in Federal court in Newark, \nthe Secret Service, in coordination with its partners in the Peruvian \nNational Police, arrested 4 suspects with ties to the production and \ntransportation of counterfeit U.S. currency. At the time of the \narrests, the suspects were traveling to the airport en route to the United \nStates and allegedly possessed close to $850,000 of counterfeit U.S. \ncurrency skillfully secreted in suitcase liners. According to Secret \nService records, one of the particular types of counterfeit notes \nseized in this case has a passing history exceeding $34 million dating \nback to 2009. These are just two examples of the agency\'s highly \nsuccessful investigative work for which hard-working personnel should \nbe commended.\n                               conclusion\n    As I look back over the past year, I see an agency in the midst of \nreform. 
I wish that people could walk in my shoes for a day and see \nwhat I see--a workforce with an uncompromising sense of duty and \ncommitment to its integrated mission.\n    Recently, the Secret Service lost a remarkable leader and true \nfriend in former Assistant Director Jerry Parr. Jerry is widely known \nfor the decisive actions taken during the March 30, 1981 assassination \nattempt on President Ronald Reagan. The decisions he made that day, \nincluding evacuating the President directly to the hospital, likely \nsaved the life of the President. As I reflected on his passing, I had \nthe opportunity to review a speech he made to a graduating special \nagent training class in 1994. In that speech he spoke of culture. He \nsaid:\n\n``An organizational culture is a product of time, successes, \nsufferings, failures, and just plain hard work. After a hundred years \nor so, deep roots are developed, and a corporate memory evolves. While \nanother agency can purchase persons, equipment, and technology similar \nto the Secret Service, it cannot buy this corporate memory. This is a \npriceless commodity.\'\'\n\n    As the men and women of this agency traverse these challenging \ntimes, I am heartened by the corporate memory of this great \norganization. I am confident that through unparalleled dedication of \nour personnel, and the actions we are taking to reform and improve, the \nSecret Service will meet the standard of excellence that we have \nestablished over our history and which our Nation\'s leaders and the \nAmerican people rightly expect of us.\n    Chairman Lankford, Chairman Perry, Ranking Member Heitkamp, and \nRanking Member Watson Coleman, this concludes my written testimony. I \nwelcome any questions you have at this time.\n\n    Mr. Perry. Thank you, Mr. Clancy.\n    The Chair now recognizes Mr. Roth for an opening statement.\n\nSTATEMENT OF JOHN ROTH, INSPECTOR GENERAL, OFFICE OF INSPECTOR \n         GENERAL, U.S. 
DEPARTMENT OF HOMELAND SECURITY\n\n    Mr. Roth. Chairmen Lankford, Perry, and Johnson, Ranking \nMembers Heitkamp, Watson Coleman, and Thompson and Members of \nthe subcommittee, thank you for inviting me here today to \ntestify.\n    We have conducted a number of investigations, audits, \ninspections of Secret Service programs and operations, and we \nhave a number of on-going projects. My written testimony \ndescribes some of that work and discusses its implications.\n    For my oral remarks, I will discuss our investigation into \nthe allegations that the Secret Service agents improperly \naccessed a restricted database to discover details about \nChairman Jason Chaffetz\' application to the Secret Service, as \nwell as some other on-going work.\n    We found that the Chaffetz application entry contained \nwithin a Secret Service database called the Master Central \nIndex was accessed by Secret Service employees on approximately \n60 occasions between March 25 and April 2 of this year. We \nconcluded that the vast majority of those who accessed the \ninformation did so in violation of the Privacy Act of 1974, as \nwell as Secret Service and DHS policy.\n    We identified one individual who acknowledged disclosing \ninformation protected by the Privacy Act to an outside source. \nHowever, because the number of individuals with access to this \ninformation was so great, we were unable to identify others who \nmay have disclosed protected information to third parties.\n    We found that the access began minutes after Director \nClancy began testifying before the Committee on Oversight and \nGovernment Reform on March 24, and continued in the days \nfollowing. Knowledge of Chairman Chaffetz\' application was \nwide-spread and fueled and confirmed by improper access to the \nSecret Service database at issue.\n    We found that a number of senior managers knew agents were \naccessing the MCI improperly and some of them accessed it \nthemselves. 
Other senior managers were aware that Chairman \nChaffetz once had applied at the Secret Service but they \napparently did not comprehend the seriousness of what was \ndeveloping. As a result, no one acted until it was too late to \nstop this unauthorized and unlawful activity.\n    Our investigation also revealed that the MCI, a case \nmanagement tool implemented in 1984, did not have the audit and \naccess controls of a modern IT system or appropriately \nsegregate information. Such controls and segregation may have \nprevented or at least minimized the behavior we discovered.\n    This also appears to run counter to the Privacy Act which \nrequires agencies to establish appropriate administrative, \ntechnical, and physical safeguards to ensure the safety and--I \nam sorry, the security and confidentiality of the records.\n    Additionally, the Secret Service must ensure that only \nrelevant records are maintained in these types of databases. \nThe Privacy Act requires that the agency maintain in its records \nonly such information about an individual as is relevant and \nnecessary to accomplish a purpose of the agency.\n    The fact that the MCI had records of an unsuccessful \napplication from 12 years earlier which contained sensitive \ninformation, the disclosure of which could lead to identity \ntheft, may violate this provision of the Privacy Act.\n    Finally, although all agents were trained in the use of the \nsystem and received yearly refresher training, it was apparent \nthat many of the agents disregarded that training.\n    The Secret Service recently reported that it retired the \nMCI and migrated all data to about 5 other Secret Service \ninformation systems in September 2015. Our Office of \nInformation Technology Audits is currently conducting a \ntechnical security assessment of the information systems that \nthe Secret Service now uses to store and retrieve this \ninformation. 
We expect to complete that assessment and issue a \nfinal report in February 2016.\n    Over the past year-and-a-half as part of our independent \noversight effort, we have investigated various incidents \ninvolving allegations of misconduct by Secret Service employees \nand other issues related to the Secret Service\'s organization \nand mission. The results of our investigation and reviews point \nto on-going organizational and management challenges. The \nSecret Service has certainly taken steps to address these \nchallenges but not always successfully.\n    Additionally, we are reviewing 3 incidents involving \npotential security lapses. For each incidence--incident--shots \nbeing fired at the White House from Constitution Avenue, an \nintruder jumping over the fence and entering the White House, \nan armed guard coming in close proximity to the President--we \nare determining whether the Secret Service followed its own \nprotective policies, what actions were taken to correct, \nidentify deficiencies and whether these corrections were \nadequate.\n    The ultimate aim of our review is to determine and \nunderstand the root causes of these lapses. This fiscal year we \nplan to issue 3 reports on these incidents, as well as a \ncapping report that identifies the root causes and includes any \nother necessary overarching recommendations.\n    Mr. Chairman, this concludes my prepared statement. I \nwelcome any questions you or any other Members of the \nsubcommittees may have.\n    [The prepared statement of Mr. Roth follows:]\n                    Prepared Statement of John Roth\n                           November 17, 2015\n    Chairmen Lankford and Perry, Ranking Members Heitkamp and Watson \nColeman, and Members of the subcommittees: Thank you for inviting me \nhere today to discuss our on-going work involving the United States \nSecret Service (Secret Service) and its Government-wide implications. 
\nWe have conducted a number of investigations, audits, and inspections \nof Secret Service programs and operations, and we have a number of on-\ngoing projects. My testimony today will describe some of that work and \ndiscuss its implications.\n  allegations concerning access to chairman chaffetz\' application file\n    As a result of our investigation, we determined that a Secret \nService database containing sensitive personally identifiable \ninformation pertaining to Congressman Jason Chaffetz, Chairman of the \nHouse Committee on Oversight and Government Reform, was accessed by \nSecret Service employees on approximately 60 occasions between March 25 \nand April 2 of this year.\\1\\ We concluded that a vast majority of those \nwho accessed the information did so in violation of the Privacy Act of \n1974 (Privacy Act), as well as Secret Service and Department of \nHomeland Security (DHS) policy. We also identified one individual who \nacknowledged disclosing information protected by the Privacy Act to an \noutside source. However, because the number of individuals with access \nto this information was so great, we were unable to identify others who \nmay have disclosed protected information to third parties.\n---------------------------------------------------------------------------\n    \\1\\ Memorandum, ``Investigation into the Improper Access and \nDistribution of Information Contained Within a Secret Service Data \nSystem\'\' (September 25, 2015).\n---------------------------------------------------------------------------\n    We found that the access began minutes after Director Clancy began \ntestifying before the Committee on Oversight and Government Reform on \nMarch 24 and continued in the days following. 
Knowledge of Chairman \nChaffetz\' application was widespread and was fueled and confirmed by \nimproper access to the Secret Service database at issue, the Master \nCentral Index (MCI).\n    We found that a number of senior managers knew agents were \naccessing the MCI improperly. For example, the special agent in charge \nof the Washington Field Office (WFO) became aware on or about March 25 \nthat several of her mid-level WFO supervisors had accessed or were \naware of the Chaffetz record, and she directed her subordinates to \ncease any further access of the MCI record. No other Secret Service \npersonnel at WFO accessed the Chaffetz record after that date, but 25 \nothers around the country did. Likewise, Deputy Assistant Director \nCynthia Wofford of the Office of Strategic Intelligence and Information \nrecalled hearing rumors of the Chaffetz application during the \ndirector\'s March 24 testimony. After unsuccessfully searching the \ninternet for confirmation of the rumor, Wofford accessed the MCI on the \nmorning of March 25 and found the Chaffetz record. She attempted to \nbring this to the attention of Deputy Director Magaw, but he told her \nthat he already knew about it.\n    However, other senior managers were aware that Chairman Chaffetz \nhad once applied to the Secret Service, but they apparently did not \ncomprehend the seriousness of what was developing. None of the senior \nmanagers apparently understood that the rumors were being fueled and \nconfirmed by numerous agents who improperly accessed the protected MCI \nrecord of the Chaffetz application. As a result, no one acted, until it \nwas too late, to stop this unauthorized and unlawful activity.\n    Our investigation also revealed that the MCI, a case management \ntool implemented in 1984 to facilitate the Secret Service\'s \ninvestigative process, did not have the audit and access controls of a \nmodern information technology (IT) system or appropriately segregate \nthe information. 
Such controls and segregation may have prevented or \nminimized the behavior we discovered. This also appears to run counter \nto the Privacy Act, which requires agencies to ``establish appropriate \nadministrative, technical, and physical safeguards to insure the \nsecurity and confidentiality of records.\'\'\n    Additionally, the Secret Service must ensure that only relevant \nrecords are maintained in these types of databases. The Privacy Act \nrequires that an agency ``maintain in its records only such information \nabout an individual as is relevant and necessary to accomplish a \npurpose of the agency required to be accomplished.\'\' The fact that the \nMCI had records of an unsuccessful application from 12 years earlier, \nwhich contained sensitive information the disclosure of which could \nlead to identity theft, may violate this provision of the Privacy Act. \nFinally, although all agents were trained on use of the system and \nreceived yearly refresher training, it was apparent that many of the \nagents disregarded that training.\n    Our Office of Information Technology Audits is currently conducting \na technical security assessment of the information systems the Secret \nService now uses to store and retrieve investigative and criminal \nhistory information. The Secret Service recently reported that it \nretired the MCI and migrated all data to about 5 other Secret Service \ninformation systems in September 2015. The objectives of our technical \nassessment are to verify that the MCI is no longer in use, identify \nwhich systems currently house MCI data, determine the level of physical \nand system controls implemented to secure the data from further \ninstances of unauthorized access, and identify gaps in the security \nposture. We also intend, to the extent possible, to understand the \nsecurity weaknesses in the MCI when it was operational. 
We expect to \ncomplete our assessment and issue a final report in February 2016.\n              previous allegations of employee misconduct\n    Over the past several years, as part of our independent oversight \neffort, we have investigated various incidents involving allegations of \nmisconduct by Secret Service employees. We have also reviewed other \nissues related to the Secret Service\'s organization and mission that \nraised the concern of Congress and the public. In sum, the results of \nour investigations and reviews, as well as other incidents we were made \naware of, point to some on-going organizational and management \nchallenges. The Secret Service has certainly taken steps to address \nthese challenges, but not always successfully. These persistent \nchallenges may not be easy to resolve through expeditious action, such \nas suspending employees and issuing new guidance. They may require more \nfundamental change that addresses the root cause of the misconduct.\nAllegation Into Agent Misconduct at the White House Complex on March 4, \n        2015\n    We reviewed the actions of two Secret Service agents who on the \nevening of March 4 had entered an area that had been secured as a \nresult of a suspicious package.\\2\\ We concluded that it was more likely \nthan not that both agents\' judgment was impaired by alcohol. 
We found \nthat, notwithstanding their denials, both agents were observed by \nuniformed officers as ``not right,\'\' and ``not making sense,\'\' had just \nspent the previous 5 hours in a restaurant/bar in which one ran up a \nsignificant bar tab, and that they drove into a crime scene inches from \nwhat the rest of the Secret Service was treating as a potential \nexplosive device and which, under different circumstances, could have \nendangered their own lives and those of the Uniformed Division (UD) \nofficers responding.\n---------------------------------------------------------------------------\n    \\2\\ Memorandum, ``Investigation Into the Incident at the White \nHouse Complex on March 4, 2015\'\' (May 6, 2015).\n---------------------------------------------------------------------------\n    While each agent had a duty to report the incident to his superior, \nneither did do so. We found that their failure to do so reflected \neither poor judgment or an affirmative desire to hide their activities.\nAllegation Into Misuse of Government Resources to Conduct Employee \n        Protection Operations\n    We also investigated an allegation that under an operation called \n``Operation Moonlight\'\' Secret Service personnel and resources were \ndirected to conduct surveillance and records checks unrelated to the \nSecret Service\'s mission.\\3\\ The complaint alleged that Secret Service \nagents were instructed to use law enforcement databases and conduct \nrotating surveillance shifts on a neighbor of the then-Executive Staff \nAssistant to the former Secret Service Director. 
We did not find any \ninstances in which Secret Service agents approached the neighbor, nor \ncould we conclude that the neighbor\'s house was ever under direct \nsurveillance.\n---------------------------------------------------------------------------\n    \\3\\ Memorandum, ``Allegations of Misuse of United States Secret \nService Resources\'\' (October 17, 2014).\n---------------------------------------------------------------------------\n    Our ensuing investigation, however, revealed that personnel and \ndatabase resources were misused when Washington Field Office \n``Prowler\'\' teams periodically checked on the executive staff assistant \nat her residence for about 1 week in early July 2011. Our investigation \nalso showed these checks were initiated in response to a private \ndispute and did not occur in the course of official duties or as a \nresult of the executive staff assistant\'s position. In addition, we \ndetermined that the Prowler team agents were not investigating a \npotential assault on the executive staff assistant; the agents commonly \ndescribed undertaking the checks because of an issue she was having \nwith her neighbor.\n    Secret Service personnel told us that the Prowler team checks did \nnot divert resources from essential functions and responsibilities or \nnegatively impact the Secret Service\'s mission. 
However, the checks on \nthe executive staff assistant in La Plata, Maryland--a 45-minute drive \nfrom the White House--diverted Prowler personnel from the White House \narea and its surroundings when, on 4 of 5 identified days, the \nPresident was departing, arriving, or at the White House.\nAllegations of Secret Service Misconduct in Cartagena, Colombia\n    We also investigated allegations that, in April 2012, during \npreparations for President Obama\'s visit to Cartagena, Colombia, Secret \nService agents solicited prostitutes and engaged in other misconduct.\n    During our investigation, we independently identified Secret \nService personnel who directly supported the Cartagena visit and other \npotential witnesses who may have had information about the Cartagena \ntrip. We identified the personnel directly involved in the incident, as \nwell as the potential witnesses, through documentary sources, including \nofficial travel records, hotel registries, country clearance cables, \npersonnel assignments, and Secret Service and U.S. Embassy records.\n    As part of our investigation, we conducted 283 interviews of 251 \nSecret Service personnel. Based on our interviews and review of \nrecords, we identified 13 Secret Service employees who had personal \nencounters with female Colombian nationals consistent with the \nmisconduct reported. We determined that one of the female Colombian \nnationals involved in the incident was known to the intelligence \ncommunity. However, we found no evidence that the actions of Secret \nService personnel had compromised any sensitive information.\n    Our investigation determined that 12 Secret Service employees met \n13 female Colombian nationals at bars or clubs and returned with them \nto their rooms at the Hotel Caribe or the Hilton Cartagena Hotel. In \naddition, one Secret Service employee met a female Colombian national \nat the apartment of a Drug Enforcement Administration special agent. 
We \ninterviewed the remaining 12 Secret Service employees who had personal \nencounters with the 13 female Colombian nationals. Through our \ninterviews, we learned that following their encounters, 3 females left \nthe rooms without asking for money, 5 females asked for money and were \npaid, and 4 females asked for money but were not paid. In addition, 1 \nfemale, who asked to be paid but was not, brought a Colombian police \nofficer to the door of the Secret Service employee\'s room; the employee \ndid not answer the door. As a result, she was paid by another Secret \nService employee and left. A fourteenth Secret Service employee, who \nthe Secret Service initially identified as involved in the misconduct, \nwas subsequently determined to have been misidentified.\n    Of the 13 employees accused of soliciting prostitutes in Cartagena, \n3 were returned to duty with memoranda of counseling, after being \ncleared of serious misconduct. Five employees had their security \nclearance revoked because they either knowingly solicited prostitutes, \ndemonstrated lack of candor during the investigation, or both. Five \nemployees resigned or retired prior to the adjudication of their \nsecurity clearance. Several of these last 5 employees appealed their \nadverse personnel actions to the United States Merit Systems Protection \nBoard.\n    After the incident, the Secret Service issued new guidance \nregarding personal behavior, including a directive amending standards \nof conduct with additional policies about off-duty conduct, briefings, \nand supervision on foreign trips.\nOther Misconduct by Secret Service Employees\n    Although we did not investigate them, 6 incidents that occurred \nbetween June 2013 and June 2014 highlighted questionable conduct by \nSecret Service employees that affected the Secret Service\'s protective \nfunction. 
These incidents took place after the Secret Service \ninstituted new policies (in April 2012) on alcohol use, including \nprohibiting use within 10 hours of reporting for duty and prohibiting \ndrinking at the protectee\'s hotel once a protective visit has begun \n(but permitting drinking ``in moderate amounts\'\' while off-duty during \na protective mission).\n  <bullet> In June 2013, 2 UD officers were found to have consumed \n        alcohol during an overseas mission, in violation of the 10-hour \n        rule regarding alcohol consumption. One of the officers, a \n        second-time offender, handled his rifle while under the \n        influence of alcohol. He received a 28-day suspension; the \n        other officer received a 7-day suspension.\n  <bullet> In November 2013, a supervisory agent was involved in an \n        incident at the Hay Adams hotel in Washington, DC. The \n        supervisor began conversing with a woman at the hotel bar and \n        later accompanied the woman to her room. The woman solicited \n        the help of hotel security when she wanted the agent to leave \n        her room, reporting that he had a gun and she was frightened. \n        The agent left the room without incident. The Secret Service \n        conducted an inquiry and issued a letter of reprimand to the \n        agent.\n  <bullet> In December 2013, 4 UD officers were found to have consumed \n        alcohol during a layover on an overseas mission, in violation \n        of the 10-hour rule regarding alcohol consumption. Four of \n        these officers were issued letters of reprimand; the fifth, a \n        second-time offender, was issued a 14-day suspension.\n  <bullet> In March 2014, a UD officer was involved in a car accident \n        while driving a Government-rented vehicle during official \n        travel supporting a Presidential visit. 
The officer was found \n        to have consumed alcohol in the hours preceding the accident, \n        in violation of the 10-hour rule regarding alcohol consumption. \n        The officer was ultimately served with a 7-day suspension. This \n        officer was one of 10 others who were out together the evening \n        before the accident. Three of the other officers violated the \n        10-hour rule and a fourth misused a Government-rented vehicle. \n        These officers were issued suspensions ranging from 14 days to \n        35 days. One of the officers resigned.\n  <bullet> In March 2014, an agent was sent back to Washington, DC, \n        after he was found unconscious outside his hotel room in The \n        Hague, Netherlands, while on official travel. When interviewed, \n        the agent said he went out to dinner at a restaurant with other \n        Secret Service personnel, during which he had several drinks. \n        After dinner, he and two other agents had several more drinks. \n        The agent could not remember leaving the restaurant or how he \n        got back to his hotel. All three agents were found to have \n        violated the 10-hour rule regarding alcohol consumption. The \n        agent who was found unconscious resigned from the Secret \n        Service. The other two agents were issued suspensions of 28 \n        days and 30 days.\n  <bullet> In June 2014, a UD officer flying while armed with his \n        Secret Service-issued handgun consumed 2 beers within the 10 \n        hours prior to his flight. He consumed 1 beer at the airport \n        bar after checking in with the gate agent as an armed law \n        enforcement officer. 
He was issued a 14-day suspension.\n             review of systemic employee misconduct issues\n    Although after the Cartagena incident, the Secret Service \ninvestigated the allegations of misconduct, took action against the \nemployees involved, and issued new guidance on personal behavior, other \nunderlying issues arose during our investigation. In particular, when \nasked how the Secret Service dealt with misconduct allegations in \ngeneral, some employees alleged there was a culture of retaliation and \ndisparate treatment of employees, including directed punishment toward \ncomplainants and those voicing concerns about Secret Service programs \nand operations. Secret Service staff reported that the resulting \nculture may have adversely impacted the employee retention rate. \nIndividuals we interviewed also reported that Secret Service officials \n``whitewashed\'\' allegations of employee misconduct, effectively \ndownplaying and underreporting complaints to the Office of Inspector \nGeneral (OIG) so they would appear to be administrative and not \npotentially criminal. These actions would, in turn, cause the \nallegations to be returned to Secret Service internal affairs for \ninquiry instead of OIG accepting them for investigation.\n    We decided to further examine these more general allegations, which \npointed to potentially more wide-spread problems. In December 2013, we \nissued a report on our review of the Secret Service\'s efforts to \nidentify, mitigate, and address instances of misconduct and \ninappropriate behavior. In our report, we described a situation in \nwhich many employees were hesitant to report off-duty misconduct either \nbecause of fear that they would be retaliated against or because they \nfelt management would do nothing about it. 
For example, in response to \none survey question, 56 percent of electronic survey respondents \nindicated that they could report misconduct without fear of \nretaliation, meaning that almost half of the workforce may have feared \nretaliation for reporting misconduct.\n    In our survey, we also questioned employees about reporting \nexcessive alcohol consumption. Of the 138 electronic survey respondents \nwho personally observed excessive alcohol consumption, 118 (86 percent) \nindicated they did not report the behavior. Respondents could select \nmultiple reasons for not reporting the behavior. Some frequently cited \nreasons included:\n  <bullet> 66 respondents (56 percent) indicated the employee engaged \n        in the behavior while off-duty.\n  <bullet> 55 respondents (47 percent) did not believe that management \n        supported employees reporting the behavior.\n  <bullet> 47 respondents (40 percent) were afraid of reprisal or \n        retaliation.\n    Additionally, we reported that the Secret Service often \nadministered penalties that were less severe than the range of \nrecommended penalties at other Department law enforcement components. \nWe compared the Secret Service\'s disciplinary response for specific \ninfractions to penalties for similar infractions at U.S. Immigration \nand Customs Enforcement (ICE), the Transportation Security \nAdministration (TSA), and U.S. Customs and Border Patrol (CBP).\n    From 2004 to 2013, the Secret Service administered discipline for a \nsingle offense to one-time offenders 341 times. Most of the time, the \nSecret Service imposed less severe penalties than one or more of these \ncomponents. Specifically:\n  <bullet> In 265 of the 341 instances (78 percent), the Secret Service \n        administered less severe discipline than one or more of TSA\'s, \n        ICE\'s, and CBP\'s tables of penalties showed those components \n        would have administered. 
In 141 of these 265 instances (53 \n        percent), the Secret Service administered less severe \n        discipline compared to all three components\' tables of \n        penalties.\n  <bullet> For the remaining 76 of the 341 instances (22 percent), the \n        Secret Service administered discipline within or above what \n        TSA\'s, ICE\'s, and CBP\'s tables of penalties showed those \n        components would have administered.\n    As a result of our findings, we identified areas in which the \nSecret Service needed better management controls for reporting \nmisconduct or inappropriate behavior and adjudicating and administering \ndisciplinary actions. We made 14 recommendations to improve the Secret \nService\'s processes for identifying, mitigating, and addressing \ninstances of misconduct and inappropriate behavior. Additionally, we \nsuggested the Secret Service continue to monitor and address excessive \nalcohol consumption and personal conduct within its workforce.\n    The Secret Service concurred with all 14 recommendations and \nimplemented changes to its discipline program. Among the improvements, \nthe Secret Service created a table of penalties for determining \nappropriate corrective, disciplinary, or adverse actions for common \noffenses and established a centralized process within headquarters for \ndetermining and implementing discipline for employee misconduct. \nBecause the Secret Service reformed its administrative discipline \nprocess after our report was issued, we are unable to determine the \nextent to which the pattern of imposing less severe discipline \ncontinues.\n    Correcting underlying shortcomings in the discipline process and \nensuring fair and consistent discipline are vital to the stability of \nany organization. As part of our performance plan for fiscal year 2016, \nwe intend to evaluate the strength of the Department\'s disciplinary \nprocesses. 
We will focus on the depth and breadth of employees\' \nperceptions and attitudes about misconduct and the application of \ndiscipline, DHS\'s established rules of conduct, and the application of \ndiscipline across the Department.\n other audit and inspection work involving secret service programs and \n                               operations\n    We have also conducted several audit and inspection reports \nregarding Secret Service programmatic responsibilities, outside the \narea of employee misconduct.\nManagement Alert on UD Officer Fatigue\n    We recently issued a management alert in which we identified UD \nofficer safety issues that impact officer safety and the Secret \nService\'s ability to meet its mission.\n    Specifically, during a site visit for an unrelated audit, we \nobserved two UD officers sleeping at their posts. Fatigue from travel, \novertime shifts, and long hours contributed to these incidents. The \nSecret Service referred both officers for disciplinary action. We \nbrought this matter to the attention of the Secret Service because of \nour concern that the staffing and scheduling process does not ensure \nofficers have adequate breaks while on duty and time off between \nshifts. The Protective Mission Panel report, produced after the fence-\njumping incident, raised concerns that the UD was inadequately staffed, \nnecessitating significant overtime. We are concerned that the situation \nhas not improved since that report was issued in December 2014.\nInoperable Alarm at Protectee\'s Residence\n    In October 2014, we visited former President George H.W. Bush\'s \nHouston residence in response to a complaint alleging alarms were \ninoperable. During our visit, we identified issues with the alarm \nsystem at the residence.\n    Specifically, an alarm, which had been installed around 1993, had \nbeen inoperable for at least 13 months. 
During this time, the Secret \nService created a roving post to secure the residence, but the Secret \nService could not determine the exact time period between when the \nalarm failed and the roving patrol started. We did not identify any \nsecurity breaches that occurred. However, we found problems with \nidentifying, reporting, and tracking alarm system malfunctions, and \nwith repairing and replacing alarm systems. Secret Service officials \nalso told us about security equipment problems, including the need for \nsubstantial repairs and improvements, at other residences of former \nPresidents.\n             future oig work related to the secret service\n    In addition to the work we have already completed, we intend to \nconduct audits or evaluations of a number of other Secret Service \nprograms and operations:\n  <bullet> On-going Reviews of Three Security Lapses.--We are reviewing \n        three incidents, one from November 2011 and two more that took \n        place in September 2014, all of which highlight security lapses \n        that raise serious concerns about the Secret Service\'s ability \n        to accomplish its protective mission. For each incident--shots \n        being fired at the White House from Constitution Avenue in \n        November 2011, an intruder jumping over the fence and entering \n        the White House in September 2014, and an armed guard coming in \n        close proximity to the President in September 2014--we are \n        determining whether the Secret Service followed its own \n        protective policies, what actions were taken to correct \n        identified deficiencies, and whether these corrections were \n        adequate. The ultimate aim of our reviews is to determine and \n        understand the root causes of these lapses, which may point to \n        more fundamental and on-going challenges to the Secret \n        Service\'s mission. 
This fiscal year, we plan to issue three \n        reports on these incidents, as well as a capping report that \n        identifies root causes and includes any other necessary, \n        overarching recommendations.\n  <bullet> Radio Communications.--We are completing an audit to \n        determine the adequacy of Secret Service radio communications. \n        We will be recommending that the Secret Service upgrade its \n        existing radio communication systems and develop a strategy and \n        time line to continuously upgrade radio communication systems.\n  <bullet> Protective Mission Panel Recommendations.--This fiscal year, \n        we plan to assess the implementation status of recommendations \n        from the Protective Mission Panel to the Secret Service \n        resulting from the September 2014 fence jumping incident.\n  <bullet> Security Clearances.--In response to a Congressional \n        request, we will examine the Secret Service\'s practices of \n        hiring and deploying personnel without completing the security \n        clearance process. Specifically, we will review the process of \n        granting waivers for personnel to begin work without completing \n        the security clearance process, and the safeguards the Secret \n        Service uses to ensure that those personnel are not given \n        access to Classified information during the course of their \n        duties.\n  <bullet> IT Integration and Transformation.--We will conduct an audit \n        to determine the extent to which the Secret Service\'s IT \n        Integration and Transformation (IITT) effort to modernize its \n        outdated IT infrastructure supports its investigative and \n        protective missions, goals, and objectives. Historically, the \n        IITT has faced challenges in planning, staffing, and \n        governance. 
In 2009, the DHS chief information officer \n        determined the effort lacked adequate planning, the development \n        schedule was too aggressive, and the program scope exceeded the \n        allocated budget. As a result of a prior OIG audit, in March \n        2011, we recommended that the Secret Service develop an IT \n        staffing plan, formalize its Executive Steering Committee, and \n        provide the Secret Service Chief Information Officer with the \n        component-wide IT budget and investment review authority needed \n        to ensure success of the IITT. Since our prior audit, the \n        Secret Service has reduced the scope of the IITT and is working \n        with the DHS Chief Financial Officer to ensure that planned \n        capabilities can be delivered within expected funding levels. \n        We expect to complete our audit and issue a final report in the \n        summer of 2016.\n    Mr. Chairmen, this concludes my prepared statement. I welcome any \nquestions you or other Members of the subcommittees may have.\n\n    Mr. Perry. Thank you, Mr. Roth.\n    The Chair now recognizes Mr. Willemssen for an opening \nstatement.\n\nSTATEMENT OF JOEL C. WILLEMSSEN, MANAGING DIRECTOR, INFORMATION \n    TECHNOLOGY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE\n\n    Mr. Willemssen. Thank you Chairman Perry, Chairman \nLankford, Ranking Member Watson Coleman, Ranking Member \nHeitkamp, Chairman Johnson of the full committee, Ranking \nMember Thompson of the full committee, Members of the \nsubcommittees, thank you for inviting GAO to testify today.\n    As requested, I will briefly summarize our statement on \ninformation security across the Federal Government. GAO has had \nlong-standing concerns about the state of information security \nin the Federal Government. 
We initially identified Federal \ninformation security as a Government-wide high-risk area 18 \nyears ago.\n    We subsequently expanded this high-risk designation to \ninclude computerized systems supporting the Nation\'s critical \ninfrastructure and the protection of privacy and personally \nidentifiable information. The cyber threats facing our country \ncontinue to be very serious.\n    The impact of these threats is highlighted by recent \nincidents involving breaches of sensitive, personally \nidentifiable information and the sharp increase in information \nsecurity incidents reported by Federal agencies over the last \nseveral years, which have risen from about 5,500 in 2006 to \nabout 67,000 in 2014.\n    Given the risks posed by external and internal threats in \nthe increasing number of incidents, it is crucial that Federal \nagencies take appropriate steps to secure their systems and \ndata. However, we and inspectors general have continued to \nidentify significant weaknesses and needed security controls.\n    For example for fiscal year 2014, 19 of 24 major Federal \nagencies declared information security as a material weakness \nor significant deficiency. Most of these agencies have reported \nweaknesses in the key control areas that we track, including \ncontrols intended to prevent, limit, or detect unauthorized or \ninappropriate access to networks and data. In particular, our \nwork has often shown that too many agency employees have too \nmuch unnecessary access to too many systems and databases.\n    Agencies need to implement clear policies on access to \nsensitive information and grant access permissions to users at \nthe minimum level necessary to perform legitimate job-related \ntasks on a need-to-know basis. 
Deploying effective monitoring \nand accountability mechanisms to track user activities on \nnetworks and systems is also essential to ensuring that \nimproper access and usage are quickly detected and remedied.\n    To address the many information security weaknesses at \nFederal agencies, GAO and inspectors general have made \nthousands of recommendations. Over the last 6 years, GAO has \nmade about 2,000 recommendations to improve information \nsecurity programs and controls.\n    To date about 58 percent of these recommendations have been \nimplemented. Until agencies take actions to address weakness \nand implement GAO and I.G. recommendations, Federal networks \nand sensitive information, including personally identifiable \ninformation, will be at increased risk from internal and \nexternal threats.\n    Actions to implement recommendations will strengthen \nsystems and data security and reduce the risk of cyber \nintrusions or attacks. That concludes the summary of my statement \nand I look forward to addressing the questions.\n    Thank you.\n    [The prepared statement of Mr. Willemssen follows:]\n                Prepared Statement of Joel C. Willemssen\n                           November 17, 2015\n    Chairman Lankford, Chairman Perry, Ranking Members Heitkamp and \nWatson Coleman, and Members of the subcommittees: Thank you for \ninviting me to testify at today\'s hearing on on-going challenges at the \nU.S. Secret Service and their Government-wide implications. As \nrequested, my statement today will address cyber threats and security \ncontrol weaknesses affecting Federal systems and information.\n    As you know, the Federal Government faces an evolving array of \ncyber-based threats to its systems and data, as illustrated by \nrecently-reported data breaches at Federal agencies, which have \naffected millions of current and former Federal employees, and the \nincreasing number of incidents reported by agencies. 
Such incidents \nunderscore the urgent need for effective implementation of information \nsecurity controls at Federal agencies.\n    Since 1997, we have designated Federal information security as a \nGovernment-wide high-risk area, and in 2003 expanded this area to \ninclude computerized systems supporting the Nation\'s critical \ninfrastructure. Most recently, in the February 2015 update to our high-\nrisk list, we further expanded this area to include protecting the \nprivacy of personally identifiable information (PII)\\1\\--that is, \npersonal information that is collected, maintained, and shared by both \nFederal and non-Federal entities.\\2\\\n---------------------------------------------------------------------------\n    \\1\\ Personally identifiable information is information about an \nindividual, including information that can be used to distinguish or \ntrace an individual\'s identity, such as name, Social Security number, \nmother\'s maiden name, or biometric records, and any other personal \ninformation that is linked or linkable to an individual.\n    \\2\\ See GAO, High-Risk Series: An Update, GAO-15-290 (Washington, \nDC: Feb. 11, 2015).\n---------------------------------------------------------------------------\n    In preparing this statement, we relied on our previous work \naddressing cyber threats and Federal information security efforts. The \nprior reports cited throughout this statement contain detailed \ndiscussions of the scope of the work and the methodology used to carry \nit out. All the work on which this statement is based was conducted in \naccordance with generally-accepted Government auditing standards. Those \nstandards require that we plan and perform audits to obtain sufficient, \nappropriate evidence to provide a reasonable basis for our findings and \nconclusions based on our audit objectives. 
We believe that the evidence \nobtained provides a reasonable basis for our findings and conclusions \nbased on our audit objectives. A list of related GAO products is \nprovided in attachment I.\n                               background\n    As computer technology has advanced, the Federal Government has \nbecome increasingly dependent on computerized information systems to \ncarry out operations and to process, maintain, and report essential \ninformation. Federal agencies rely on computer systems to transmit \nproprietary and other sensitive information, develop and maintain \nintellectual capital, conduct operations, process business \ntransactions, transfer funds, and deliver services.\n    Ineffective protection of these information systems and networks \ncan impair delivery of vital services, and result in:\n  <bullet> loss or theft of computer resources, assets, and funds;\n  <bullet> inappropriate access to and disclosure, modification, or \n        destruction of sensitive information, such as personally \n        identifiable information;\n  <bullet> disruption of essential operations supporting critical \n        infrastructure, National defense, or emergency services;\n  <bullet> undermining of agency missions due to embarrassing incidents \n        that erode the public\'s confidence in Government;\n  <bullet> use of computer resources for unauthorized purposes or to \n        launch attacks on other systems;\n  <bullet> damage to networks and equipment; and\n  <bullet> high costs for remediation.\n    Recognizing the importance of these issues, Congress enacted laws \nintended to improve the protection of Federal information and systems. 
\nThese laws include the Federal Information Security Modernization Act \nof 2014 (FISMA),\\3\\ which, among other things, authorizes the \nDepartment of Homeland Security (DHS) to: (1) Assist the Office of \nManagement and Budget (OMB) with overseeing and monitoring agencies\' \nimplementation of security requirements; (2) operate the Federal \ninformation security incident center; and (3) provide agencies with \noperational and technical assistance, such as that for continuously \ndiagnosing and mitigating cyber threats and vulnerabilities. The act \nalso reiterated the 2002 FISMA requirement for the head of each agency \nto provide information security protections commensurate with the risk \nand magnitude of the harm resulting from unauthorized access, use, \ndisclosure, disruption, modification, or destruction of the agency\'s \ninformation or information systems.\n---------------------------------------------------------------------------\n    \\3\\ The Federal Information Security Modernization Act of 2014 \n(Pub. L. No. 113-283, Dec. 18, 2014) (2014 FISMA) largely superseded \nthe very similar Federal Information Security Management Act of 2002 \n(Title III, Pub. L. No. 107-347, Dec. 17, 2002) (2002 FISMA).\n---------------------------------------------------------------------------\n    In addition, the act continues the requirement for Federal agencies \nto develop, document, and implement an agency-wide information security \nprogram. The program is to provide security for the information and \ninformation systems that support the operations and assets of the \nagency, including those provided or managed by another agency, \ncontractor, or other source.\n  cyber threats to federal systems continue to evolve amid increasing \n                          numbers of incidents\n    Risks to cyber-based assets can originate from unintentional or \nintentional threats. 
Unintentional threats can be caused by, among \nother things, natural disasters, defective computer or network \nequipment, software coding errors, and the actions of careless or \npoorly-trained employees. Intentional threats include both targeted and \nuntargeted attacks from a variety of sources, including criminal \ngroups, hackers, disgruntled employees and other organizational \ninsiders, foreign nations engaged in espionage and information warfare, \nand terrorists.\n    These adversaries vary in terms of their capabilities, willingness \nto act, and motives, which can include seeking monetary or personal \ngain or pursuing a political, economic, or military advantage. For \nexample, organizational insiders can pose threats to an organization \nsince their position within the organization often allows them to gain \nunrestricted access and cause damage to the targeted system, steal \nsystem data, or disclose sensitive information without authorization. \nThe insider threat includes inappropriate actions by contractors hired \nby the organization, as well as careless or poorly-trained employees.\n    As we reported in February 2015,\\4\\ since fiscal year 2006, the \nnumber of information security incidents affecting systems supporting \nthe Federal Government has steadily increased each year: Rising from \n5,503 in fiscal year 2006 to 67,168 in fiscal year 2014, an increase of \n1,121 percent. Furthermore, the number of reported security incidents \ninvolving PII at Federal agencies has more than doubled in recent \nyears--from 10,481 incidents in fiscal year 2009 to 27,624 incidents in \nfiscal year 2014. (See fig. 1.)\n---------------------------------------------------------------------------\n    \\4\\ GAO, High-Risk Series: An Update, GAO-15-290 (Washington, DC: \nFebruary 2015). 
\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    These incidents and others like them can adversely affect National \nsecurity; damage public health and safety; and lead to inappropriate \naccess to and disclosure, modification, or destruction of sensitive \ninformation. Recent examples highlight the impact of such incidents:\n  <bullet> In June 2015, the Office of Personnel Management reported \n        that an intrusion into its systems affected the personnel \n        records of about 4.2 million current and former Federal \n        employees. The Director stated that a separate but related \n        incident involved the agency\'s background investigation systems \n        and compromised background investigation files for 21.5 million \n        individuals.\n  <bullet> In June 2015, the Commissioner of the Internal Revenue \n        Service testified that unauthorized third parties had gained \n        access to taxpayer information from its ``Get Transcript\'\' \n        application. According to officials, criminals used taxpayer-\n        specific data acquired from non-Department sources to gain \n        unauthorized access to information on approximately 100,000 tax \n        accounts. This data included Social Security information, dates \n        of birth, and street addresses. 
In an August 2015 update, the \n        agency reported this number to be about 114,000 and that an \n        additional 220,000 accounts had been inappropriately accessed, \n        which brings the total to about 330,000 accounts.\n  <bullet> In April 2015, the Department of Veterans Affairs\' Office of \n        Inspector General reported that two contractors had improperly \n        accessed the agency\'s network from foreign countries using \n        personally-owned equipment.\\5\\\n---------------------------------------------------------------------------\n    \\5\\ Department of Veterans Affairs, Office of Inspector General, \nAdministrative Investigation Improper Access to the VA Network by VA \nContractors from Foreign Countries Office of Information and Technology \nAustin, TX, Report No. 13-01730-159 (Washington, DC: April 2015).\n---------------------------------------------------------------------------\n  <bullet> In February 2015, the director of national intelligence \n        stated that unauthorized computer intrusions were detected in \n        2014 on the networks of the Office of Personnel Management and \n        two of its contractors. The two contractors were involved in \n        processing sensitive PII related to National security \n        clearances for Federal employees.\\6\\\n---------------------------------------------------------------------------\n    \\6\\ James R. Clapper, Director of National Intelligence, World-wide \nThreat Assessment of the U.S. Intelligence Community, testimony before \nthe Senate Committee on Armed Services, February 26, 2015.\n---------------------------------------------------------------------------\n  <bullet> In September 2014, a cyber intrusion into the United States \n        Postal Service\'s information systems may have compromised PII \n        for more than 800,000 of its employees.\\7\\\n---------------------------------------------------------------------------\n    \\7\\ Randy S. 
Miskanic, Secure Digital Solutions Vice President of \nthe United States Postal Service, Examining Data Security at the United \nStates Postal Service, testimony before the Subcommittee on Federal \nWorkforce, U.S. Postal Service and the Census, 113th Congress, November \n19, 2014.\n---------------------------------------------------------------------------\n  <bullet> In October 2013, a wide-scale cybersecurity breach involving \n        a U.S. Food and Drug Administration system occurred that \n        exposed the PII of 14,000 user accounts.\\8\\\n---------------------------------------------------------------------------\n    \\8\\ Department of Health and Human Services, Office of Inspector \nGeneral, Penetration Test of the Food and Drug Administration\'s \nComputer Network, Report No. A-18-13-30331 (Washington, DC: October \n2014).\n---------------------------------------------------------------------------\n  information security weaknesses place federal systems and sensitive \n                              data at risk\n    Given the risks posed by cyber threats and the increasing number of \nincidents, it is crucial that Federal agencies take appropriate steps \nto secure their systems and information. We and agency inspectors \ngeneral have identified numerous weaknesses in protecting Federal \ninformation and systems. Agencies continue to have shortcomings in \nassessing risks, developing and implementing security controls, and \nmonitoring results. 
Specifically, for fiscal year 2014, 19 of the 24 \nFederal agencies covered by the Chief Financial Officers Act \\9\\ \nreported that information security control deficiencies were either a \nmaterial weakness or a significant deficiency in internal controls over \ntheir financial reporting.\\10\\ Moreover, inspectors general at 23 of \nthe 24 agencies cited information security as a major management \nchallenge for their agency.\n---------------------------------------------------------------------------\n    \\9\\ The 24 agencies are the Departments of Agriculture, Commerce, \nDefense, Education, Energy, Health and Human Services, Homeland \nSecurity, Housing and Urban Development, the Interior, Justice, Labor, \nState, Transportation, the Treasury, and Veterans Affairs; the \nEnvironmental Protection Agency; General Services Administration; \nNational Aeronautics and Space Administration; National Science \nFoundation; Nuclear Regulatory Commission; Office of Personnel \nManagement; Small Business Administration; Social Security \nAdministration; and the U.S. Agency for International Development.\n    \\10\\ A material weakness is a deficiency, or combination of \ndeficiencies, that results in more than a remote likelihood that a \nmaterial misstatement of the financial statements will not be prevented \nor detected. A significant deficiency is a control deficiency, or \ncombination of control deficiencies, in internal control that is less \nsevere than a material weakness, yet important enough to merit \nattention by those charged with governance. 
A control deficiency exists \nwhen the design or operation of a control does not allow management or \nemployees, in the normal course of performing their assigned functions, \nto prevent or detect and correct misstatements on a timely basis.\n---------------------------------------------------------------------------\n    As we reported in September 2015, for fiscal year 2014, most of the \n24 agencies had weaknesses in the 5 major categories of information \nsystem controls.\\11\\ These control categories are: (1) Access controls, \nwhich limit or detect access to computer resources (data, programs, \nequipment, and facilities), thereby protecting them against \nunauthorized modification, loss, and disclosure; (2) configuration \nmanagement controls, intended to prevent unauthorized changes to \ninformation system resources (for example, software programs and \nhardware configurations) and assure that software is current and known \nvulnerabilities are patched; (3) segregation of duties, which prevents \na single individual from controlling all critical stages of a process \nby splitting responsibilities between 2 or more organizational groups; \n(4) contingency planning,\\12\\ which helps avoid significant disruptions \nin computer-dependent operations; and (5) agency-wide security \nmanagement, which provides a framework for ensuring that risks are \nunderstood and that effective controls are selected, implemented, and \noperating as intended. (See fig. 2.)\n---------------------------------------------------------------------------\n    \\11\\ GAO, Federal Information Security: Agencies Need to Correct \nWeaknesses and Fully Implement Security Programs, GAO-15-714 \n(Washington, DC: Sept. 29, 2015).\n    \\12\\ Contingency planning for information systems is part of an \noverall organizational program for achieving continuity of operations \nfor mission/business operations. 
\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n  <bullet> Access controls.--For fiscal year 2014, we, agencies, and \n        inspectors general reported weaknesses in the electronic and \n        physical controls to limit, prevent, or detect inappropriate \n        access to computer resources (data, equipment, and facilities), \n        thereby increasing their risk of unauthorized use, \n        modification, disclosure, and loss. Access controls involve the \n        6 critical elements described in table 1.\n\n  TABLE 1.--CRITICAL ELEMENTS FOR ACCESS CONTROL TO COMPUTER RESOURCES\n \n------------------------------------------------------------------------\n              Element                            Description\n------------------------------------------------------------------------\nBoundary Protection...............  Boundary protection controls logical\n                                     connectivity into and out of\n                                     networks and controls connectivity\n                                     to and from devices that are\n                                     connected to a network. For\n                                     example, multiple firewalls can be\n                                     deployed to prevent both outsiders\n                                     and trusted insiders from gaining\n                                     unauthorized access to systems, and\n                                     intrusion detection and prevention\n                                     technologies can be deployed to\n                                     defend against attacks from the\n                                     internet.\nUser Identification and             A computer system must be able to\n Authentication.                     
identify and authenticate different\n                                     users so that activities on the\n                                     system can be linked to specific\n                                     individuals. When an organization\n                                     assigns a unique user account to\n                                     specific users, the system is able\n                                     to distinguish one user from\n                                     another--a process called\n                                     identification. The system also\n                                     must establish the validity of a\n                                     user\'s claimed identity by\n                                     requesting some kind of\n                                     information, such as a password,\n                                     that is known only by the user--a\n                                     process known as authentication.\n                                     Multifactor authentication involves\n                                     using two or more factors to\n                                     achieve authentication. Factors\n                                     include something you know\n                                     (password or personal\n                                     identification number), something\n                                     you have (cryptographic\n                                     identification device or token), or\n                                     something you are (biometric). The\n                                     combination of identification and\n                                     authentication provides the basis\n                                     for establishing accountability and\n                                     for controlling access to the\n                                     system.\nAuthorization.....................  
Authorization is the process of\n                                     granting or denying access rights\n                                     and permissions to a protected\n                                     resource, such as a network, a\n                                     system, an application, a function,\n                                     or a file. For example, operating\n                                     systems have some built-in\n                                     authorization features such as\n                                     permissions for files and folders.\n                                     Network devices, such as routers,\n                                     may have access control lists that\n                                     can be used to authorize users who\n                                     can access and perform certain\n                                     actions on the device.\n                                     Authorization controls help\n                                     implement the principle of ``least\n                                     privilege,\'\' which the National\n                                     Institute of Standards and\n                                     Technology describes as allowing\n                                     only authorized accesses for users\n                                     (or processes acting on behalf of\n                                     users) which are necessary to\n                                     accomplish assigned tasks in\n                                     accordance with organizational\n                                     missions and business functions.\nCryptography......................  
Cryptography underlies many of the\n                                     mechanisms used to enforce the\n                                     confidentiality and integrity of\n                                     critical and sensitive information.\n                                     Examples of cryptographic services\n                                     are encryption, authentication,\n                                     digital signature, and key\n                                     management. Cryptographic tools\n                                     help control access to information\n                                     by making it unintelligible to\n                                     unauthorized users and by\n                                     protecting the integrity of\n                                     transmitted or stored information.\nAuditing and Monitoring...........  To establish individual\n                                     accountability, monitor compliance\n                                     with security policies, and\n                                     investigate security violations, it\n                                     is necessary to determine what,\n                                     when, and by whom specific actions\n                                     have been taken on a system.\n                                     Agencies do so by implementing\n                                     software that provides an audit\n                                     trail, or logs of system activity,\n                                     that they can use to determine the\n                                     source of a transaction or\n                                     attempted transaction and to\n                                     monitor users\' activities.\nPhysical Security.................  
Physical security controls help\n                                     protect computer facilities and\n                                     resources from espionage, sabotage,\n                                     damage, and theft. Examples of\n                                     physical security controls include\n                                     perimeter fencing, surveillance\n                                     cameras, security guards, locks,\n                                     and procedures for granting or\n                                     denying individuals physical access\n                                     to computing resources. Physical\n                                     controls also include environmental\n                                     controls such as smoke detectors,\n                                     fire alarms, extinguishers, and\n                                     uninterruptible power supplies.\n                                     Considerations for perimeter\n                                     security include controlling\n                                     vehicular and pedestrian traffic.\n                                     In addition, visitors\' access to\n                                     sensitive areas is to be managed\n                                     appropriately.\n------------------------------------------------------------------------\nSource: GAO. GAO-16-194T\n\n    For fiscal year 2014, 12 agencies had weaknesses reported in \nprotecting their networks and system boundaries. For example, the \naccess control lists on one agency\'s firewall did not prevent traffic \ncoming or initiated from the public internet protocol addresses of a \ncontractor site and a U.S. telecom corporation from entering its \nnetwork. Additionally, 20 agencies, including DHS, had weaknesses \nreported in their ability to appropriately identify and authenticate \nsystem users. 
To illustrate, agencies had weak password controls, such \nas using system passwords that had not been changed from the easily \nguessable default passwords or did not expire.\n    Eighteen agencies, including DHS, had weaknesses reported in \nauthorization controls for fiscal year 2014. For example, one agency \nhad not consistently or in a timely manner removed, transferred, and/or \nterminated employee and contractor access privileges from multiple \nsystems. Another agency also had granted access privileges \nunnecessarily, which sometimes allowed users of an internal network to \nread and write files containing sensitive system information. In fiscal \nyear 2014, 4 agencies had weaknesses reported in the use of encryption \nfor protecting data.\n    In addition, DHS and 18 other agencies had weaknesses reported in \nimplementing an effective audit and monitoring capability. For \ninstance, one agency did not sufficiently log security-relevant events \non the servers and network devices of a key system. Moreover, 10 \nagencies, including DHS, had weaknesses reported in their ability to \nrestrict physical access or harm to computer resources and protect them \nfrom unauthorized loss or impairment. For example, a contractor of an \nagency was granted physical access to a server room without the \nrequired approval of the office director.\n  <bullet> Configuration management.--For fiscal year 2014, 22 \n        agencies, including DHS, had weaknesses reported in controls \n        that are intended to ensure that only authorized and fully-\n        tested software is placed in operation, software and hardware \n        is updated, information systems are monitored, patches are \n        applied to these systems to protect against known \n        vulnerabilities, and emergency changes are documented and \n        approved. 
For example, 17 agencies, including DHS, had \n        weaknesses reported with installing software patches and \n        implementing current versions of software in a timely manner.\n  <bullet> Segregation of duties.--Fifteen agencies, including DHS, had \n        weaknesses in controls for segregation of duties. These \n        controls are the policies, procedures, and organizational \n        structure that help to ensure that one individual cannot \n        independently control all key aspects of a computer-related \n        operation and thereby take unauthorized actions or gain \n        unauthorized access to assets or records. For example, a \n        developer from one agency had been authorized inappropriate \n        access to the production environment of the agency\'s system.\n  <bullet> Continuity of operations.--DHS and 17 other agencies had \n        weaknesses reported in controls for their continuity of \n        operations practices for fiscal year 2014. Specifically, 16 \n        agencies did not have a comprehensive contingency plan. For \n        example, one agency\'s contingency plans had not been updated to \n        reflect changes in the system boundaries, roles, and \n        responsibilities, and lessons learned from testing contingency \n        plans at alternate processing and storage sites. Additionally, \n        15 agencies had not regularly tested their contingency plans.\n  <bullet> Security management.--For fiscal year 2014, DHS and 22 other \n        agencies had weaknesses reported in security management, which \n        is an underlying cause for information security weaknesses \n        identified at Federal agencies. 
An agency-wide security \n        program, as required by FISMA, provides a framework for \n        assessing and managing risk, including developing and \n        implementing security policies and procedures, conducting \n        security awareness training, monitoring the adequacy of the \n        entity\'s computer-related controls through security tests and \n        evaluations, and implementing remedial actions as appropriate.\n    We have also identified inconsistencies with the Government\'s \napproach to cybersecurity, including the following:\n    Overseeing the security controls of contractors providing IT \nservices.--In August 2014, we reported that 5 of 6 agencies we reviewed \nwere inconsistent in overseeing assessments of contractors\' \nimplementation of security controls.\\13\\ This was partly because \nagencies had not documented IT security procedures for effectively \noverseeing contractor performance. In addition, according to OMB, 16 of \n24 agency inspectors general determined that their agency\'s program for \nmanaging contractor systems lacked at least one required element.\n---------------------------------------------------------------------------\n    \\13\\ GAO, Information Security: Agencies Need to Improve Oversight \nof Contractor Controls, GAO-14-612 (Washington, DC: Aug. 
8, 2014).\n---------------------------------------------------------------------------\n    Responding to cyber incidents.--In April 2014, we reported that the \n24 agencies did not consistently demonstrate that they had effectively \nresponded to cyber incidents.\\14\\ Specifically, we estimated that \nagencies had not completely documented actions taken in response to \ndetected incidents reported in fiscal year 2012 in about 65 percent of \ncases.\\15\\ In addition, the 6 agencies we reviewed had not fully \ndeveloped comprehensive policies, plans, and procedures to guide their \nincident response activities.\n---------------------------------------------------------------------------\n    \\14\\ GAO, Information Security: Agencies Need to Improve Cyber \nIncident Response Practices, GAO-14-354 (Washington, DC: Apr. 30, \n2014).\n    \\15\\ This estimate was based on a statistical sample of cyber \nincidents reported in fiscal year 2012, with 95 percent confidence that \nthe estimate falls between 58 and 72 percent.\n---------------------------------------------------------------------------\n    Responding to breaches of PII.--In December 2013, we reported that \n8 Federal agencies had inconsistently implemented policies and \nprocedures for responding to data breaches involving PII.\\16\\ In \naddition, OMB requirements for reporting PII-related data breaches were \nnot always feasible or necessary. Thus, we concluded that agencies may \nnot be consistently taking actions to limit the risk to individuals \nfrom PII-related data breaches and may be expending resources to meet \nOMB reporting requirements that provide little value.\n---------------------------------------------------------------------------\n    \\16\\ GAO, Information Security: Agency Responses to Breaches of \nPersonally Identifiable Information Need to Be More Consistent, GAO-14-\n34 (Washington, DC: Dec. 
9, 2013).\n---------------------------------------------------------------------------\n    Over the last several years, we and agency inspectors general have \nmade thousands of recommendations to agencies aimed at improving their \nimplementation of information security controls. For example, we have \nmade about 2,000 recommendations over the last 6 years. These \nrecommendations identify actions for agencies to take in protecting \ntheir information and systems. To illustrate, we and inspectors general \nhave made recommendations for agencies to correct weaknesses in \ncontrols intended to prevent, limit, and detect unauthorized access to \ncomputer resources, such as controls for protecting system boundaries, \nidentifying and authenticating users, authorizing users to access \nsystems, encrypting sensitive data, and auditing and monitoring \nactivity on their systems. We have also made recommendations for \nagencies to implement their information security programs and protect \nthe privacy of PII held on their systems.\n    However, many agencies continue to have weaknesses in implementing \nthese controls in part because many of these recommendations remain \nunimplemented. For example, about 42 percent of the recommendations we \nhave made during the last 6 years remain unimplemented. Until Federal \nagencies take actions to implement the recommendations made by us and \nthe inspectors general--Federal systems and information, as well as \nsensitive personal information about the public, will be at an \nincreased risk of compromise from cyber-based attacks and other \nthreats.\n    In conclusion, the dangers posed by a wide array of cyber threats \nfacing the Nation are heightened by weaknesses in the Federal \nGovernment\'s approach to protecting its systems and information. 
While \nrecent Government-wide initiatives, including the 30-day Cybersecurity \nSprint,\\17\\ hold promise for bolstering the Federal cybersecurity \nposture, it is important to note that no single technology or set of \npractices is sufficient to protect against all these threats. A \n``defense in depth\'\' strategy that includes well-trained personnel, \neffective and consistently applied processes, and appropriately \nimplemented technologies is required. While agencies have elements of \nsuch a strategy in place, more needs to be done to fully implement it \nand to address existing weaknesses. In particular, implementing our and \nagency inspectors general recommendations will strengthen agencies\' \nability to protect their systems and information, reducing the risk of \na potentially devastating cyber attack.\n---------------------------------------------------------------------------\n    \\17\\ In June 2015, the Federal Chief Information Officer launched \nthe 30-day Cybersecurity Sprint, during which agencies were to take \nimmediate actions to combat cyber threats within 30 days. Actions \nincluded patching critical vulnerabilities, tightening policies and \npractices for privileged users, and accelerating the implementation of \nmultifactor authentication.\n---------------------------------------------------------------------------\n    Chairman Lankford, Chairman Perry, Ranking Members Heitkamp and \nWatson Coleman, and Members of the subcommittees, this concludes my \nstatement. I would be happy to answer your questions.\n\n    Mr. Perry. Thank you Mr. Willemssen. Chair now recognizes \nhimself for some questions beginning with Mr. Roth.\n    Mr. Roth, how many subpoenas regarding the Chaffetz \nincident and the MCI, the Master Central Index, how many \nsubpoenas were issued?\n    Mr. Roth. I believe it was only one subpoena.\n    Mr. Perry. 
So why if there were multiple individuals that \nadmittedly breached the information and may have compromised it \nwhy would only one subpoena be issued? Why wouldn\'t there be \nmultiple subpoenas issued for multiple individuals?\n    Mr. Roth. Well, most of the information that we received \nwere from Government data systems so no subpoena would be \nnecessary. The only time we have to subpoena information is if \nwe were going to a third party, like a telephone record \nprovider for example.\n    Typically it is our policy in these kinds of circumstances \nto have a level of predication before we go and subpoena \nsomebody\'s personal telephone records. We had predication only \non one individual rather than the hundreds who may have had \naccess to that information.\n    Mr. Perry. Even those who admitted to wrongdoing?\n    Mr. Roth. That is correct.\n    Mr. Perry. Was the Index searched for other improper access \nincidences?\n    Mr. Roth. It was not. The Index itself was created in 1984. \nIt did not have the ability to readily do the kinds of \nforensics that you would do on a modern data system. In fact, \nwhat we were required to do, that is what the administrators of \nthe database were required to do, were actually write scripts \nor programs to be able to find access to this information.\n    It was a highly time-consuming kind of a thing and because \nthe--sort of the necessity for finding answers as quickly as we \ncould, we only restricted it to Chairman Chaffetz\'s name.\n    Mr. Perry. So then, based on that, would it be correct to \nsay that we have absolutely no idea at this point regarding \nthat data system, the Master Central Index, if any other \nAmericans or any other citizens have had similar things occur \nregarding their personally identifiable information, whether it \nwas searched, whether it was divulged. We have no idea?\n    Mr. Roth. That is correct.\n    Mr. Perry. That is a bit unsettling. 
Director Clancy, are \nyou familiar with Operation Moonlight?\n    Mr. Clancy. Sir, I am familiar with some of the details of \nthat, yes.\n    Mr. Perry. Can you just inform us? I understand you have \ngot thousands of employees. This hearing is not meant to impugn \nor besmirch the credibility of your agency. I think Americans \nhave traditionally and currently, have the highest regard and \nwant to have that. But how does that--something like that \nhappen? Can you?\n    Mr. Clancy. Yes sir.\n    Mr. Perry. So Secret Service agents used Government \ninformation, accessed databases and then used equipment, time, \nmaterial to surveil essentially, a private citizen\'s property \nwithout any due cause of anything. Is that essentially--I mean, \nthat is my narrative but what is yours? Then how does that \nhappen?\n    Mr. Clancy. Sir forgive me as I was not here during that \ntime frame so I am going to rely on some briefings when I first \ncame in as the acting director and it was found as the OIG\'s \nreport illustrates, people made very poor decisions. There was \nmisjudgment. It should not have happened and there were some \nchanges made in our management.\n    Mr. Perry. Well, I will tell you. I looked at--and I \nimagine you are familiar with it. I am just going to read you \nthe subject, is ``Directive 2015-09, Disciplinary and Adverse \nActions\'\'. Right?\n    Mr. Clancy. Yes sir.\n    Mr. Perry. It is from your agency and I guess it is moving \nforward based on what has occurred regarding the information in \nthe data breach. I just wanted to give you a flavor of what I \nsee here: ``An employee is entitled to,\'\' ``the employee is \nentitled to,\'\' ``the employee is entitled to\'\'--I am just kind \nof going through each paragraph----\n    ``The employee will be provided with;\'\' ``the employee \nshall have an opportunity to;\'\' ``the employee is entitled \nto\'\'. 
You kind-of get my gist, and the reason I say that is--\nwhat I am wondering is and I think what a lot of Americans \nare wondering is what are the consequences of the actions of 45 or \n41 employees who accessed Mr. Chaffetz\'s data and then whoever \ndisseminated it up to 60 times?\n    What are the consequences to those individuals? We see what \nthe employee\'s rights are.\n    Mr. Clancy. Yes.\n    Mr. Perry. Right?\n    Mr. Clancy. Yes sir.\n    Mr. Perry. But what are the consequences? How does Mr. \nChaffetz get his reputation back? What is going to happen to \nthese individuals? What is currently happening? Where do things \nstand?\n    Mr. Clancy. Mr. Chairman, Secretary Johnson and I met and \ntalked about this in a true sense of transparency because \nmyself and my executive staff have been all interviewed in this \ncase. We made a joint decision that the Department of Homeland \nSecurity would make the proposals. In this case I will tell \nyou--and I have heard the comments that were made today, of \nreprehensible, disturbing, embarrassing.\n    I agree with everything that has been said here today and \nmy workforce does as well. In fact, this hearing today will \nhelp me get this word out, the importance of protecting PII. We \nhave all this, the training and we have the ethics guides and \nwe go out and train our new recruits but a hearing like this \nputs a definitive stamp on our failures.\n    In this case, the individuals to answer your questions, Mr. \nChairman, in this case, we are proposing, as of today, \napproximately 42--I don\'t--don\'t hold me to that number, \napproximately 42 will be issued a proposal of discipline \nranging from anywhere from 3 days to 12 days of a suspension.\n    Mr. Perry. So that is the maximum? The maximum is 12 days \nof--I am going to--the Chair is going to indulge himself on the \ntime here a little bit. I am following a lot of questioning. 
So \nthe maximum penalty, the maximum of repercussion for doing--we \nall know that when you look at these computer systems there is \na warning in front that this is to be used for official \nbusiness only and we all know.\n    Look, I hold as your folks do, a Secret security clearance, \nTop Secret security clearance. Everybody in the room knows, \neverybody in your agency knows that using this information for \nwhat it was used for was incorrect, improper, unauthorized, \nillegal.\n    The most we can hope for, the most disciplinary--toughest, \ndisciplinary action right now is not a loss or revocation of \nyour Secret security clearance, not the loss of your \nemployment, it is 12 days suspension? I just want to be clear? \nIs that correct?\n    Mr. Clancy. Mr. Chairman, that is for the Grades 15 and \nbelow. Those proposals have been issued as of today I am pretty \nsure on that. The SES-level folks have not had their discipline \nproposed as of this date.\n    Mr. Perry. Is Mr. Lowery an SES-level employee?\n    Mr. Clancy. He is, yes.\n    Mr. Perry. What is the range of options of discipline or \nconsequence for Mr. Lowery, if you can inform--I am not asking \nyou to tell us which one it is because maybe you are still \ncompleting your investigation, but what can we expect?\n    Mr. Clancy. The range goes from a letter of reprimand all \nthe way up to removal.\n    Mr. Perry. Thank you. The Chair now recognizes the \ngentleman from Oklahoma.\n    Senator Lankford. Would like to defer my questioning time \nto the Ranking Member. She has to be on the floor actually, of \nthe Senate in a little bit. Actually working through a bill, so \nI would like to defer my time.\n    Mr. Perry. So ordered.\n    Senator Heitkamp. Thank you, Chairman Lankford.\n    Every one of the--Mr. Clancy--Director Clancy, every \nincident that we know of, there seems like there wasn\'t an \nadult in the room. 
That there was no one who provided that \nvoice of saying, ``Hey, guys, this is not the way to do this. \nHey, we have a responsibility that is higher.\'\'\n    So while we look at management and we look at resources, \nyou said in your testimony, you talked about how the corporate \nculture of the Secret Service is a priceless commodity.\n    Every day that priceless commodity gets threatened by \nagents not willing to be the adult in the room, not willing to \nbe the person who stands up and says, knock it off. Because you \ncan\'t do it just from a management standpoint. You have got to \nchange the culture at the bottom and I think that is one of the \nconcerns we have.\n    Is that it seems like all of this has happened with a great \nimpunity and almost--you know, you can\'t touch me, you know, as \nthe Chairman just talked about, or it is okay to do this. So, I \nwant to know as we look at management changes, as we look at \nsystemic rules and policies, those rules and policies are only \nas good as the commitment that people at every level within the \nSecret Service have for change.\n    So what are you doing within the Secret Service to build \ncapacity for people to be the adult in the room, to stop this \nat the source and say this is not what we do in the Secret \nService?\n    Mr. Clancy. Thank you, Senator. This discipline system that \nwe have in place now is relatively new. It is approximately 2 \nyears old and then with--which includes a table of penalties. \nIn the past, discipline was handled at a more local level. Now \neverything is funneled up to our Office of Integrity.\n    Senator Heitkamp. I don\'t mean to interrupt but I am not \ntalking about discipline. I am talking about culture and \nobviously consequences are part of changing that culture. But \nwhat about the integrity at every level? Of basically saying we \ndon\'t do this. 
We don\'t go to hotels and hire, you know, people \nto service us.\n    We don\'t, you know, drive into the White House and disrupt \na major investigation. We don\'t access a Congressman\'s secret \nrecords. We don\'t do that. Who is the person? How are we \ntraining people at every level to stand up and stop this \nbehavior? Because I don\'t think we can do it just having \nhearings like this.\n    I think we have got to restore this priceless commodity \nthat you are talking about, which is the integrity element of \nthe men and women at every level, knowing that it is their \nresponsibility to help maintain the integrity of the Secret \nService.\n    Mr. Clancy. I agree with you, Senator. We have to do more \nin terms of communicating with our people. We can have all the \ntraining exercises and all the on-line training, but for \nexample, I have been to approximately 10 of our field offices, \nall of our protective details. I speak personally to our \nagents. I walk around the White House, talk to the officers.\n    I meet all the recruits prior to their graduation, both \nagent and UD. I tell them what they represent and what is \nexpected of them. But I have got to do more of that as well as \nour staff. We have to just keep communicating, keep \ncommunicating to our people.\n    Again, what the Congress is doing today is a help to us and \nto our agency because again, the seriousness of what we have \ndone in this particular case, resonates by these types of \nhearings.\n    Senator Heitkamp. Thank you, Mr. Chairman. Yield back.\n    Mr. Perry. The Chair thanks the gentlelady.\n    The Chair recognizes Mrs. Watson Coleman from New Jersey.\n    Mrs. Watson Coleman. Thank you, Mr. Chairman.\n    Mr. Director, I want to talk about the Protective Mission \nPanel\'s recommendations. One of the things I think was noted in \nthe panel was that we needed new leadership. 
We needed \nleadership from outside of this organization that didn\'t have \nthe long-term relationships that might be somehow influenced by \nthe relationships they did have and seeing it in a sort of \ninsular way.\n    You have a 27-year record or experience with the agency. \nClearly, you are an insider. There was a removal of a number of \ndeputies and they were replaced. The majority of the deputies \nthat were replaced were also from within the agency with long \nservice records.\n    My question is: How do we change the culture of the \norganization if the very top leadership has been a part of that \nculture and perhaps only sees this organization from within?\n    Would we have not been better served had you identified the \ncapacity to go to the outside and find people with certain \nskills, leadership abilities, accountabilities that would have \ntranscended the relationships that individuals may have had?\n    Could that possibly have helped us to become more \nefficient, more effective, and more accountable as an agency?\n    Mr. Clancy. Thank you for that question. I will tell you \nthat I respect if you, if many, that thought that this \nposition, the director\'s position, should have been someone \nfrom the outside. There is good reason for that. I understand \nthat.\n    I consider the fact that I left the Service for 3 years, \nworked in private industry, has allowed me to bring in some \noutside views on how to run a business and how to run this \nagency. So what I did do is, first of all, I brought in a chief \noperating officer, a civilian from outside the agency.\n    That COO, chief operating officer, is equivalent to the \ndeputy director. Additionally, we have created a lot of \nsubject-matter expert positions where traditionally, they \nanswer to agents--you know, prior to me arriving here, all of \nthe top-level security was run by agents. Some of them, \ncandidly, were not subject-matter experts.\n    For example, finance. 
We now have a chief financial officer \nwho does not answer directly to an assistant director who is an \nagent, she is the chief financial officer. Chief technology \nofficer is an engineer, not an agent. The chief strategy \nofficer is a lawyer who is not an agent. There are a few others \nas well.\n    So we have brought in, we are trying to bring in this \noutside perspective to run this business but also move the \nagents into our core mission of protection and investigations.\n    Mrs. Watson Coleman. So talk to me a little bit about your \nability to bring in not only new people into the agency, but \nmore diverse people. Because the information that I have read \nregarding the Secret Service is that it is predominantly white \nmale.\n    There is a small percentage of women and not very--not \nconsistent with across the board in Federal Government. What \nare you doing to address the issue of lack of diversity in \nterms of race and ethnicity and gender in positions? What are \nyou doing to address the long-standing and outstanding issue \nwith the civil rights complaints?\n    Mr. Clancy. Yes.\n    Mrs. Watson Coleman. Moving beyond them as opposed to using \nthe system to delay the implementation of the corrective \nactions that could be taking place. Thank you.\n    Mr. Clancy. In terms of diversity, I think I would ask you \nfirst to look at my executive staff. On that staff of \napproximately 12 people, we have 5 African-Americans, 6 \nfemales. But going down throughout the ranks, you are correct. \nWe are not where we want to be with diversity.\n    So we are targeting universities that provide diversity for \nus. 
We have shortened our hiring process where we can go to \nthese universities and over a weekend period of time, do a \ntesting, an interview and a polygraph if the first two steps \nare met.\n    But we are targeting specific areas of the country to \nreally work on this diversity because we are deficient in that \narea, certainly with females as well. We are working diligently \nto try to improve that diversity.\n    Mrs. Watson Coleman. Thank you. I yield back for another.\n    Mr. Perry. Chair thanks the gentlelady. The Chair now \nrecognizes Mr. Johnson from Wisconsin.\n    Senator Johnson. Thank you, Mr. Chairman. Inspector General \nRoth, in your written testimony, you state that, ``Information \nwas accessed by Secret Service employees on approximately 60 \noccasions between March 25 and April 2nd of this year.\'\' Then \nyou went on to say, ``We concluded that a vast majority of \nthose who accessed this information did so in violation of the \nPrivacy Act of 1974.\'\'\n    What are the penalties for violating the Privacy Act of \n1974?\n    Mr. Roth. There are civil penalties for the agency that is \ninvolved if there is a wide-spread sort of gross negligence \nstandard. So there are civil penalties, that is monetary \npenalties, for the agency involved. For individuals who \naccessed the system--improperly, knowing that it was protected \nunder the Privacy Act that is a misdemeanor, which has a fine \nas a penalty but no custodial sentence.\n    Senator Johnson. Is there any Department of Justice \ninvestigation being undertaken right now to determine whether \nthose misdemeanors were in fact going to--are they going to be \nprosecuted?\n    Mr. Roth. No. During the course of our investigation we \npresented a case, the most compelling case we had and it was \ndeclined by the U.S. attorney\'s office.\n    Senator Johnson. Why would that be?\n    Mr. Roth. There are several reasons. 
First of all, each \nindividual agent has a Fifth Amendment right to not speak to us \nif in fact he is under criminal jeopardy. So we could not \ninterview individuals, compel their interview, which we \nultimately had to do in this case for a lack of voluntary \ncooperation.\n    So the level of evidence that the Department of Justice had \nwas not sufficient for them to move forward. Additionally, when \none looks at the penalty, it was simply a matter of competing \nresources.\n    Senator Johnson. Director Clancy, you know, I got involved \nin looking into the cultural problems with the Secret Service \nback in early 2012 after the events at Cartagena. This is not \nwhy I ran for the United States Senate, was to look into the \nSecret Service. It is an agency that we all want to have a high \ndeal of credibility and note, as you stated in your testimony, \nthe culture--in many respects is almost, you know, beyond \nreproach.\n    I mean, it is a fabulous agency, they are doing great work. \nBut on the other hand, there is a real cultural problem. What \nare you going to do about it? I mean, I hear communication. I \nunderstand communication but actions speak far louder than \nwords. When we are just talking a disciplinary process when \nthere are violations of the Privacy Act and there are no \nprosecutions of it.\n    There is nobody held to--even the misdemeanor penalties. \nThere is nothing more corrosive in an organization that has a \ncultural problem when misdeeds go unpunished. So what actions \nare going to be taken? This is 3 years now.\n    You know, Cartagena occurred in April 2012. We had 2013 and \n2014 and 2015. Three years later, we have a number of members \nof the Secret Service, violating the Privacy Act, violating DHS \nand Secret Service procedures. It doesn\'t seem like we are \ngetting a handle on the cultural problem within the Secret \nService.\n    Mr. Roth. Senator, Mr. 
Chairman, thank you for that \nquestion.\n    We have removed people from the Secret Service. You \nmentioned Cartagena, several were removed in that case. As of \ntoday we are in the process of proposing a removal for an \nindividual, unrelated to this. People are removed in the Secret \nService.\n    This Table of Penalties--I know we have referred to it a \nfew times here, but we have used--we have benchmarked that with \nother agencies, so we are--want to be consistent with what is \nbeing done across the board.\n    Just recently, I published for the first time to our entire \nworkforce our integrity, the discipline over the past year, so \nthey can see what types of cases are out there, are supervisors \nbeing disciplined equal to the work force. We are trying to be \ntransparent, again, that communication is critical here, but we \nare trying to be more transparent, and driving home the point \nthat people will be held accountable.\n    In this case, they will be held accountable.\n    Senator Johnson. As the Chairman was pointing out, there \nare an awful lot of protections for the employees, for the \nactual agents, but again, it is hard to see the accountability.\n    Do you find that to be a problem? Are you constrained in \nwhat actions you would like to take, based on all the \nprotections for the agents? I mean, should we have--should we \nbe looking at the law there, and making sure the agencies have \nenough power to actually hold people accountable?\n    Mr. Roth. Well, I think the excepted service would give us, \nwould allow us to speed up that--the proposals in the \ndiscipline process. I know sometimes we are delayed in the \nprocess as we move forward.\n    Senator Johnson. So, you would like some ability to take \nstronger action quicker?\n    Mr. Roth. Yes, yes, Mr. Chairman.\n    Senator Johnson. Good. I think we need to take that into \naccount.\n    Thank you, Mr. Chairman.\n    Mr. Perry. The Chair thanks the gentlemen. 
The Chair now \nrecognizes the gentleman from Mississippi, Mr. Thompson.\n    Mr. Thompson. Thank you very much, Mr. Chairman.\n    Almost to the Member before me, the conversation has been \nabout the culture of the organization, and I think it speaks to \nwhether or not internally, we can fix it, or do we just cover \nit up?\n    I will get to specifics shortly.\n    Inspector Roth, in your review of the Secret Service, how \nwould you describe the culture within the Service, especially \nat the Executive level?\n    Mr. Roth. As we noted in the report on the access to \nChairman Chaffetz\'s employment record, we found a number of \nsupervisors who, in fact, themselves had access to MCI. To me, \nthat was a very troubling incident; additionally a few people \nthen elevated their concerns, or the fact that this was being \nused to a high enough level of management for something to be \ndone.\n    So that was sort of certainly troubling behavior that we \nidentified.\n    Mr. Thompson. So, let me--so, we had senior-level people \naccessing information, then we had that information being noted \nby people above those individuals. It is your testimony that \nnothing happened?\n    Mr. Roth. That is correct. I will give two examples, if I \nmay.\n    The first was the special agent in charge of the Washington \nfield office, came to understand that some of her employees \nwere accessing the MCI to sort-of understand whether or not \nthat rumor existed.\n    She ordered her individuals--her subordinates to cut it \nout. I think her exact words were knock it off, or quit fooling \naround with the MCI database. In fact, that is what occurred in \nthe Washington field office.\n    Unfortunately, throughout the country, other individuals \nwere doing that, so that would be one example. 
The second \nexample is the special agent in charge of the Indianapolis \nfield division, who was, frankly, curious why it was that, in \nhis view, Chairman Chaffetz was so hard on Director Clancy.\n    He, just out of idle curiosity, accessed the database \nhimself to discover, in fact, that Chairman Chaffetz was a \nprior applicant.\n    He did nothing with that information, did not elevate it \nup, or do any other kind of conduct. There are a number of \nexamples like that.\n    Mr. Thompson. Thank you very much.\n    So, Director Clancy, I hope you sense the membership\'s \nconcern about the culture, and I would hope that going forward, \nyou would take this hearing, as you said, as a moment of \ninstruction to try to fix it.\n    The men and women deserve it; they do a wonderful job. But \nit is about leadership, and I think it is absolutely important.\n    As you know, I have been talking to you since this summer, \na little, small issue to some. It is relative to the fact that \nwe found out that there were 643 employees assigned to duty \nthat require a security clearance. They were working for the \nDepartment without the completion of the clearances.\n    I had asked you for the demographics of those individuals. \nAs of this date, I don\'t have the information.\n    I know you have been busy, but can you give me some \nindication when I can expect to receive the demographics of \nthose 643 employees?\n    Mr. Clancy. Yes, sir. First of all, my apologies that you \nhave not received that information--640 individuals, I am \nassuming may be Department-wide, I think within the Secret \nService, we did have people working that did not have their \nsecurity clearances. I think it was much less than that, but we \nwill get you an answer in the coming days on that----\n    Mr. Thompson. Okay. 
Well, it was Department-wide over a 5-\nyear period, but my point is, some of us run up on men and \nwomen around the country who indicate that, I am trying to get \nemployed with the Secret Service, but they tell me, I can\'t get \nconsidered for employment, because I haven\'t been cleared.\n    I can\'t go to training, I can\'t do a lot of things. But it \ntroubles some of us when we are already employing people whose \njob requires clearance on the other hand.\n    So, I don\'t know if that is favoritism or what. But it is \nreal concerning.\n    Mr. Clancy. I will follow up on that, sir.\n    I can tell you that we don\'t look at that, diversity, in \nterms of who gets a security clearance, who does not.\n    In this case, the one that you referenced--and I will speak \nfor the Secret Service--we were delinquent as we went through \nthis hiring process, we did not get people their security \nclearances in a timely manner.\n    Some--and they were assigned to positions outside of \nWashington, for the most part. But what we have done, now, is \nwe have brought in some contractors, additional 14 contractors, \nto ensure this never happens again where someone goes through \nour training and--when they get their graduation--when they \ngraduate, they should have their clearance. So that has been \nresolved now within the Secret Service.\n    Mr. Thompson. So--it is your testimony that--there is \nnobody working for the Secret Service right now without a \nsecurity clearance?\n    Mr. Clancy. That is correct. To the best of my knowledge, \nthat is correct.\n    Mr. Thompson. Can you verify that for the committee?\n    Mr. Clancy. Yes. Yes, sir.\n    Mr. Thompson. Thank you. I yield back, Mr. Chair.\n    Mr. Perry. Chairman thanks the gentleman. The Chairman now \nrecognizes the gentleman from Georgia, Mr. Loudermilk.\n    Mr. Loudermilk. Thank you, Mr. 
Chairman, and thank you all \nfor being here.\n    This is especially troubling for me as we look back over \nthe history of this incredible agency, the Service. It is an \nicon of what I think is American exceptionalism and the actions \nthat we have seen take place--of course, it tarnishes the \nreputation of the Service, but more so, I think it really \ntarnishes the image the American people have of what they have \nalways elevated as the exceptional service, not just in the \nNation, but in the world. I think it is imperative that we \naddress these issues, not just in hindsight but going forward \nto make sure that we restore the trust of the American people, \nthe trust of Congress and the trust of the protectees.\n    Mr. Roth, you said something in your written statement that \nreally struck me here: ``The Secret Service has certainly taken \nsteps to address these challenges, but not always successfully. \nThese persistent challenges may not be easy to resolve through \nexpeditious actions, such as suspending employees and issuing \nnew guidance. They may require more fundamental change that \naddresses the root of the misconduct.\'\'\n    I think that is where we need to focus. What is the root, \nin your opinion? What is the root of the problem?\n    Mr. Roth. When you look at guidance with regard to creating \nan ethical culture, as they say, it comes in 3 sort-of \ndimensions. One is tone at the top, which is not just at the \nvery top, but all through leadership of an organization. The \nleaders have to set the exact right tone. The second is to have \na code of conduct and a code of ethics that is truly \nmeaningful. The third is to enforce that code of conduct, you \nknow, in a way that expresses to the rank-and-file that you \nmean what you say with regard to that tone at the top.\n    So you have to look at all three of those things. 
As \nDirector Clancy said, I think the middle part, the code of \nconduct was not there until Cartagena, and there have been \nsteps that they have taken since Cartagena to establish a more \nrigorous policy.\n    So that is certainly an improvement that we think is well-\ndeserved or a positive step in the right direction. But again, \nit has to be tone all the way through the organization, as well \nas a meaningful enforcement of that code of conduct.\n    Mr. Loudermilk. I have a time line of misconduct that went \nback just prior to Cartagena, but it goes back to 2011. Up \nuntil that time, I don\'t recall if--there is misconduct in any \norganization, but was there a history like we are seeing now, \nMr. Roth, that you were aware of, prior to the last, you know, \n4 or 5 years?\n    Mr. Roth. I am not aware of it. I just don\'t have any \ninsight into it. Certainly, we are only as good as the audits \nwe do and the investigations we do and we didn\'t have anything \nbefore that.\n    Mr. Loudermilk. Thank you.\n    Mr. Clancy, I applaud your efforts. You have got a \ndifficult task. You have been in the agency for quite a while. \nDo you recall that there was the level or the consistency of \nmisconduct previously in the agency or is this just something \nnew?\n    Mr. Clancy. I think any agency has always had some \nmisconduct, and the Secret Service has had misconduct in the \npast. I think it has--more attention has been brought to this \nmisconduct in the last several years and I--and that is a good \nthing, and I applaud the inspector general\'s office for that. \nThis has to be brought out in the open, these misconduct \nepisodes, otherwise we won\'t correct it. So--yes.\n    Mr. Loudermilk. You also--make sure I understood it right. \nYou said that you are trying to--benchmark your disciplinary \nactions of other agencies. Is that what you were referring to \nlooking at other agencies?\n    Mr. Clancy. 
Yes, my understanding when the Table of \nPenalties was built out, our legal team worked with other \nagencies to see what they were doing from a discipline \nstandpoint, what their table penalties were. We took their best \nideas, best practices and built ours.\n    Mr. Loudermilk. I would suggest you guys have to be a \nlittle stronger, a little better. It is the nature of the work \nthat you do is so important to this Nation. One last thing, I \nthink we have talked a lot about culture in here in the--and \nthat is true.\n    It is--look, I think what you are getting at is the culture \nof the agency, it is the esprit de corps. It is--you are in the \nSecret Service. You have an obligation to uphold the integrity, \nthe honor, and the dignity of this agency. I think that may be \nwhat is missing somewhere.\n    Just real quickly. I was going over this time line and \nthere seems to be a common element with a lot of these. Look at \nCartagena. Alcohol was involved. June 2/13--of 2013, alcohol. \nNovember 2013, abuse of alcohol. December 2013, alcohol. March, \nalcohol. June 2014, alcohol. There seems to be this continual \ncycle of alcohol abuse associated with this, which from my \nexperience in the military, usually indicates that there is a \nmorale issue. I will let you comment and I will yield back \nafter that.\n    Mr. Clancy. Yes. You are correct, Congressman. We do have a \nmorale issue, and a lot of it is because of our staffing, and \nthat is one of the things we need to do--work with our staffing \nso that if we can build up the staffing level, we can get more \ntraining, which our people want, get a better quality of life, \nwhich will help their morale as well.\n    But again, to your point here today, the accountability in \ndiscipline matters also helps that morale. Are we going to hold \npeople accountable? 
I will tell you, the episodes since I have \nbeen here--you mentioned the March 4 incident where an \nindividual--two individuals after a retirement party drove onto \nthe White House. I can tell you that retirement parties now \nare--I don\'t know of any that are taking place. People got that \nmessage.\n    This--what we are talking about today, PII. People are \ngetting this message. So unfortunately, it takes these \nsignificant errors--misconduct to resonate sometimes with our \npeople. But I do want to also say one thing. Less than 1 \npercent of our people are involved in this misconduct. It \ntruly--99 percent, as some of you have mentioned today, are \ndoing the right thing. But that is--and they are working very \nhard--but we have to focus on that less-than-1-percent, because \nwe are held at a very high--and rightfully so--we are at a high \nlevel.\n    Mr. Loudermilk. I hope you can get the Service back to the \npoint to where people aren\'t doing the right thing because they \nare afraid of the discipline, but they are doing the right \nthing because they are dedicated to the job, to the Service, to \nthe spirit of the service and their oath to the Constitution.\n    Thank you, sir. Mr. Chairman, I yield back.\n    Mr. Perry. The Chair thanks the gentleman. The Chair now \nrecognizes the gentlelady from California, Mrs. Torres.\n    Mrs. Torres. Thank you, Mr. Chairman. Director Clancy, just \nto be--to have some statistics here on the record. According to \nthe Partnership for Public Service, the agency is 74 percent \nmale. Is that correct?\n    Mr. Clancy. Seventy-five percent. I can--let me just check \nthat real quick. That sounds correct, but I--let me just----\n    Mrs. Torres. Seventy-two percent white, leaving it severely \nout of step with other agencies. Women make up 25 percent of \nthe agency\'s workforce, but only about 11 percent of the agents \nand uniformed officers.\n    Mr. Clancy. You are correct. Yes.\n    Mrs. Torres. 
You talked about your outreach efforts with \nuniversities in targeting certain areas of the Nation. Have you \nengaged an employment agency to help you or to advise you in \nfinding a more diverse workforce?\n    Mr. Clancy. I am not aware that we have done--taken that \nstep yet. It is a--it is an excellent suggestion that we may \nlook into.\n    I will tell you that when we go to these different areas of \nthe country, we have a very diverse group, recruiting group \nthat goes out to try to encourage females to apply as well as \nacross the board in diversity. So----\n    Mrs. Torres. Are you targeting also the military or----\n    Mr. Clancy. Yes.\n    Mrs. Torres [continuing]. Law enforcement agencies looking \nfor--you know, there are great people working in law \nenforcement.\n    Mr. Clancy. Absolutely. We go to military bases, and again, \nwe run these, what we call ELACs, these Entry-Level Assessment \nCenters, so that, for example, at a military base, if you want \nto apply for a job with the Secret Service, we can do a testing \ninitially. If you pass the test, that very day, we can do a \nsuper interview of you. If again, it looks like you are a good \ncandidate, then we will move you right to a polygraph, all \nwithin a weekend to try to speed up that process.\n    But absolutely, the military bases--and we have found \npersonally that people that have had a military background \nserve us very well.\n    Mrs. Torres. Well, they have a high work ethic.\n    Mr. Clancy. They do.\n    Mrs. Torres. They understand the pecking order, they \nunderstand the need to serve.\n    I am disturbed by the incidents. I am happy to hear that it \nis a reflection on less than 1 percent of the workforce, but by \nno means does it make me feel better or safer. So would you say \nyou have an agent problem or do you have a management problem?\n    Mr. Clancy. It is a management problem, and it starts with \nme. 
There is no question it is a management problem, it is a \nleadership problem that I have got to find an answer to.\n    Mrs. Torres. Have you taken steps to ensure that when we \nare clamping down on agents, that tougher disciplinary actions \nare taken upon the people who supervise them?\n    Mr. Clancy. Yes. Supervisors are held accountable. Again \nwith this--we put this out--again, trying to be transparent--to \nshow our workforce how----\n    Mrs. Torres. Are there policies in place to ensure that \nwhistleblowers are protected?\n    Mr. Clancy. Yes. Everyone in the service knows that \nwhistleblowers perform a vital function, and they cannot be--\nthere is no retaliation, there is no--you know, you have got to \nlet them go, yes.\n    Mrs. Torres. So there are disciplinary steps that the \nagency takes when the Department rules are violated.\n    Mr. Clancy. Yes.\n    Mrs. Torres. There are disciplinary steps that the \nDepartment takes when our laws are broken.\n    Mr. Clancy. Yes.\n    Mrs. Torres. The agents are read Miranda rights. Is that \nwhat you were referring to in an earlier question?\n    Mr. Clancy. No, they are not read Miranda rights. They are \nread either Kalkines or Garrity, I will let the inspector \ngeneral correct here if I am wrong on that. But that is what \nthey are read, yes.\n    Mrs. Torres. I come from the civilian part of law \nenforcement, so pardon. So criminal charges are filed, whether \nthey are felony charges or misdemeanor charges. What are your \nsteps? What steps do you take during that process?\n    Mr. Clancy. Well, if criminal charges are filed, we \ntypically immediately move to removing the security clearance \nso that this individual can no longer have access to any of the \nprotected facilities, any access to any of our protectees, of \ncourse, or any of our----\n    Mrs. Torres. 
So what happens to the rest of that immediate \ndepartment that are working with that employee now in the \nprocess of a criminal investigation and their supervisors?\n    Mr. Clancy. If it is a--at that point, we don\'t have--we \nremove all of their badges, we remove their equipment, and then \nit goes through the normal course of the criminal justice \nsystem.\n    Mrs. Torres. My time is out. But I--what I am trying to \nfigure out is if you have a rotten apple, how do you ensure \nthat the whole bowl isn\'t bad?\n    Mr. Clancy. Yes. We can remove them very quickly in that \ncase when there are criminal charges. Mr. Chairman, if I could \njust correct the record for one item. Ranking Member Thompson \nhad asked me about the security clearances. Our agents and \nofficers, some of them that are in training now have not had \ntheir clearances settled. They will by graduation.\n    So anyone who graduates from our academy will have a \nsecurity clearance. But while they are going through training, \nsome of them may not have.\n    Mr. Thompson. But as of this summer when we talked, that \nwas not the case.\n    Mr. Clancy. That is correct. That was not the case. You are \nabsolutely correct. Yes.\n    Mr. Thompson. Thank you.\n    Mr. Perry. The Chair thanks the gentlelady. The Chair now \nrecognizes the gentleman from Florida, Mr. Clawson.\n    Mr. Clawson. Sorry to hear about your dad.\n    Mr. Clancy. Thank you, sir.\n    Mr. Clawson. Greatest generation.\n    Mr. Clancy. It was. I know many here have lost their \nfathers from that generation, and I think we have all learned \nfrom them.\n    Mr. Clawson. Was your dad a vet?\n    Mr. Clancy. He was, yes.\n    Mr. Clawson. Yes, I know all about this. I just lost my mom \nand so, you know, it is the generation that the glass is half-\nfull, put the team first, work hard and go to church on Sunday \nand the rest answers itself, right?\n    Mr. Clancy. Yes, sir. Absolutely.\n    Mr. Clawson. 
But we were lucky to have those kind of folks.\n    Mr. Clancy. Yes, sir. Thank you.\n    Mr. Clawson. Although, you know, we do a little bit for our \ncountry now, they--without ever saying it, they remind us that \ncompared to what they did, we don\'t do much.\n    Mr. Clancy. That is correct. Yes, sir.\n    Mr. Clawson. I have full respect and admiration for you and \nyour dad.\n    I have always thought of organizational culture as being \nthe combination of performance and behavior, and therefore, how \nyour agency and your employees think of themselves is dependent \non those two things because they all see it.\n    When bad behavior is not dealt with quickly, it impacts \nthat culture and how we view each other because it discourages \ngood performers that--you know, that are doing their job every \nday.\n    Everything tells me that these incidents of bad behavior \nought to be isolated, put up in lights for everyone to see, and \nthat action needs to be taken quickly. That that really is the \nresponsibility of leadership. Therefore when it drags on and \non, when it drags on and on, it really sends a bad message to \nthis corporate culture that you referred to earlier.\n    Why so slow? I mean, you know, systematic, shmistamatic, \nyou know. You are the chief and you have got head of Homeland \nSecurity. You know, I mean, let\'s go. Let\'s take some actions \nso that you can do what is right and preserve the culture for \nyou all your great performers. Am I missing something on that? \nWhy so slow?\n    Mr. Clancy. No, you are correct. Again, certainly if there \nis any criminal activity it is much quicker. We can remove \ntheir security clearance right away. 
With other types of \nmisconduct as we are talking about in this case it does take \ntime for the full investigation.\n    Again, in transparency we had the OIG handle this \ninvestigation to do a very thorough investigation, and then \nonce the investigation was completed, then we could move \nforward with that discipline.\n    But under Title V, the employees, Federal employees, are \ngiven certain rights, and we follow that process, but \neventually we get to where we need to be. Eventually we do get \nto where we need to be.\n    Mr. Clawson. Well, it is going pretty slow for my taste, \nand I think for the sake of your organization I would be \npushing this as hard as I can, because typical folks that run \nlarge organizations don\'t understand this kind of length of \ntime for--you know, it just festers because you don\'t put it \nbehind you.\n    Mr. Clancy. Yes, sir.\n    Mr. Clawson. So, you know, my point is that is let\'s get \ngoing.\n    I have found in organizational change that if you don\'t \nchange a third of your people in positions of responsibility \nyou won\'t change the culture, because they are going to out-\nwait you. They always out-wait you.\n    If you change more than 50 percent then you may have a \nproblem with the institutional memory that you discussed \nearlier.\n    I am really glad you brought diversity of thought and of \nexperience into your direct reports, but they will out-wait you \nbelow that. So just, you know--no rule of thumb is 100 percent \nfor sure, but if I am sitting in your chair and not changing a \nthird of my managers, and you are thinking you are going to \nchange your organization, good luck. Don\'t believe it.\n    So you know, I don\'t know if you have thought of it in \nnumeric terms, but let\'s get--a performance culture going \nwithout washing away the memory of the successes of the past. 
I \nam all for having both, and I don\'t think if you implied this \nin your early comments, I don\'t think you--it is one or the \nother. Change your culture, and preserve the successes of the \npast. Does that make sense?\n    Mr. Clancy. It does, yes, sir.\n    Mr. Clawson. Okay. Is there anything about what I have said \nthat you would disagree with?\n    Mr. Clancy. No, I wouldn\'t sir.\n    Mr. Clawson. Okay. Well, look, we want you to succeed. We \ncould talk all day about whether you should be in the job or \nnot, but you are in the job, and we need you to be successful. \nSo anything I can do, our group, we want you to succeed.\n    Look, I really like the tone at the top, so let\'s get them.\n    Mr. Clancy. Yes, sir.\n    Mr. Clawson. Thank you.\n    Mr. Perry. The Chair thanks the gentleman. The Chair thanks \nthe gentleman. The Chair now recognizes the gentleman from \nGeorgia, Mr. Carter.\n    Mr. Carter. Thank you, Mr. Chairman. Thank all of you for \nbeing here.\n    Mr. Clancy, how many times have--when did you get into the \noffice? When did you become the acting director?\n    Mr. Clancy. The acting director, October 6, I believe.\n    Mr. Carter. October 6?\n    Mr. Clancy. Of 2014.\n    Mr. Carter. Of 2014. How many times have you appeared \nbefore Congress since then?\n    Mr. Clancy. I believe this may be my sixth or seventh.\n    Mr. Carter. You know, I have been here since January 6 and \nI think this is the fourth time I have seen you. I am just--I \nmean, obviously, we have got concerns here. There seems to be \nan on-going problem.\n    Mr. Clancy. Yes.\n    Mr. Carter. As you might know, I am very fortunate to have \nthe Federal Law Enforcement Training Center in Glynco, Georgia, \nmy district. 
I am familiar with the training that takes place \nwith the Secret Service agents down there, and I think they do \nan excellent job, but I also want to remind you of the \nProtective Mission Panel that came out and actually said that \nthe amount of training that the Secret Service agents were \ngetting was far below what it should be.\n    In fact, I think at one time, they said it was equal to \nonly 25 minutes for each 1,300 uniformed officers?\n    Mr. Clancy. Yes.\n    Mr. Carter. What are we doing to change that?\n    Mr. Clancy. Well, you are absolutely correct, and I have \nbeen down to your Federal Law Enforcement Training Center and \nthey do a great job down there, and they help us as we try to \nbuild our staffing levels. In terms of what we have done--\nuniformed division 99% have gone through a building defense \nexercise training mission--it is a 10-hour block.\n    Additionally, approximately 700 of our uniformed officers \nhave gone through a 3-day training period where they do their \nfirearms, their emergency medicine, their control tactics--a \nnumber of things.\n    The agents on the President\'s detail--we have increased the \nnumber of agents on the President\'s detail by November--I am \nsorry, by the second quarter--early January, we will have \nincreased the numbers there by 85, which is what was \nrecommended by the blue-ribbon panel, and that will help their \ntraining.\n    So we have increased training by 85 percent on the \nPresident\'s detail in this past year.\n    Mr. Carter. Okay, well, specifically, let\'s get to what we \nare here about today. That is about Chairman Chaffetz and that \nsituation.\n    Inspector Roth has stated that several of the agents that \nviolated the Secret Service and the Homeland Security policies \nwhen they accessed his records. This was a criminal offense, \ndon\'t you think?\n    Mr. Clancy. It is on the books as a criminal offense, yes.\n    Mr. Carter. 
It is on the books as a criminal offense.\n    Tell me what you have done. Have these people been fired? \nHave they been disciplined at all? A criminal offense by an \nagency that we hold to the highest standard.\n    You know, earlier--I am a little bit frustrated by some of \nthe things I have heard, here. Keep in mind that we, up here, \nare experts at spin. And pivoting. My campaign manager--that \nwas his favorite word--pivot, pivot, pivot.\n    All of a sudden I heard you talking about data. If the data \nhad been better-protected--give me a break. If they wanted to \nsee this, they were gonna see it, I don\'t care how the data was \nprotected.\n    How can you let this go on? Why haven\'t you fired these \npeople? They knew this was wrong. Don\'t you agree? Don\'t you \nagree? They knew this was wrong.\n    Mr. Clancy. I do agree, and certainly, there is misconduct \nhere, the discipline has been proposed for those GS-15 and \nbelow. But the data is also important. As a side step.\n    Mr. Carter. I understand that, I respect that, and I \nacknowledge that it is important, that it be protected.\n    But still, the basic premise here is that they knew what \nthey were doing was wrong.\n    Mr. Clancy. Yes. Looking at the OIG report, they should \nhave known what they were doing was wrong. Some of them, I \nthink, will acknowledge----\n    Mr. Carter. Should have known? To an agency that we \nconsider to be--to hold at the highest level?\n    Mr. Clancy. Right.\n    Mr. Carter. I just can\'t go along with that. I mean, even \nyou yourself said it was inexcusable and unacceptable. It is. \nIt deserves discipline.\n    Look, I am a small businessman. I have got employees as \nwell, and I can tell you, when something like this happens, and \nI am not trying to tell you how to run your business, but you \nknow as well as I do that when you got a cancer, you gotta get \nrid of it. Otherwise, it is going to destroy your whole \nbusiness. 
You have got to get rid of this cancer here. You have \ngot to set an example. You have got an opportunity right here \nto set an example, because what they did was wrong. They knew \nit was wrong. They deserve discipline. They deserve to be let \ngo.\n    Mr. Clancy. They deserve discipline. We do look at the \nwhole picture here, too. The whole person.\n    Some of these people have spent 28 years with no discipline \nin their history. Some of them self-reported. Some of them--\nthey are obviously all very remorseful.\n    But it was wrong? Yes. But we do look at the whole picture \nand the whole person of their career.\n    Mr. Carter. I get that. I want to make sure that the \npunishment fits the crime and I understand that, and you should \nlook at their whole career. But at the same time, again, you \nhave been here six times since you took office.\n    Mr. Clancy. Yes.\n    Mr. Carter. We want you to succeed. We don\'t want to see \nyou fail.\n    Mr. Clancy. Yes.\n    Mr. Carter. We don\'t want to see you here anymore. That is \nessentially it. We want you to do this. We want you to do well, \nbut we gotta have your help.\n    Mr. Chairman, I yield back.\n    Mr. Perry. The Chair thanks the gentleman.\n    The Chair now recognizes the gentleman from Oklahoma, \nSenator Lankford.\n    Senator Lankford. Gentlemen, thank you. Long day--we have \nstill got a little ways to go, to be able to bounce you some \nquestions, I appreciate it very much. Let me just state a \ncouple things that I picked up from a lot of the conversation \nhere today. Then I want to walk through multiple questions.\n    There are a lot of issues with Secret Service. 
That has \nbeen well-documented, and I want to talk about that a little \nbit.\n    I would say to you, I do disagree with one of the findings \nof the panel, I do think someone from the inside needs to be \nthere to be able to fix it.\n    Someone from the outside that doesn\'t have the same law-\nenforcement background or doesn\'t have the same sense of \ncorporate identity with Secret Service walks in as an outsider \nand has a different opinion on it. Someone from the inside can \nwalk in and say I am one of us and part of us and can turn some \nthings around.\n    So I appreciate that you are there because there is \nobviously work to be done. I am gonna come back to that in just \na little bit.\n    Mr. Roth, let me ask you a question. Is it your sense that \nfor these individuals that accessed this database it was the \nfirst time for them to access it--this database like this? Did \nanyone ever ask them, you know, gosh, did you just happen to \nsay, gosh, maybe I should go look at Jason Chaffetz\' records? \nSomeone said, well I think, maybe, we could get access to that.\n    Or did this look like this was a pattern of behavior, that \nif they are interested in someone they can go pull it?\n    Mr. Roth. I think it ran the gamut depending on the agent \nwe talked to. Some of them didn\'t think it was wrong at all \nbecause what they called it was ``our database\'\'. It was a \nSecret Service database unlike, NCIC, or TECS, or one of the \nother, sort-of larger criminal databases, this was run by the \nSecret Service and saw nothing wrong with it.\n    Others didn\'t understand that it was wrong until after they \ndid it, and then they realized, well, I probably should not \nhave done it.\n    Senator Lankford. There is a training that happens multiple \ntimes a year, both orally and electronically--there is, your \ncomputer when you start it up there, it says this is for \nofficial use only. 
It is still your perception that some \nindividuals just kind-of ignored all of that and said it is our \ndatabase, we can do with it what we want.\n    Mr. Roth. That is correct.\n    Senator Lankford. Okay. Well, the problem with that is, if \nthey can pull any Member of Congress, if they can pull any \nindividual there, that also means the new neighbor down the \nstreet, I can go check my records and see if there is, you \nknow, something on the new neighbor down the street. When their \ndaughter starts dating some new guy they can go pull his family \nand go pull the records on it.\n    If this is someone they don\'t like, they can pull the \nrecords.\n    What we saw from the VA--and we will talk about this with \nGAO in just a moment--but the VA became a whistleblower there, \nand we found out that their employees that were then just \npulling records, that were medical records on someone they \ndidn\'t like as a whistleblower in the process.\n    The challenge that we have here is access to data, you \nknow, it is official and nonofficial and how do we actually \ndirect this.\n    So, based on your perception and walking through this with \nSecret Service--is it your perception this has been an on-going \nissue for some employees just to be able to use that database \nas just I can go look at it, whether it is official \nnonofficial, and they blur those lines?\n    Mr. Roth. That is the sense we got from at least some of \nthe agents that we interviewed who had accessed the database.\n    Senator Lankford. Okay. Mr. Willemssen, how do we deal with \nthis? 
Social Security has identified 50 different individuals \nthat were given merit bonuses at the end of the year, but also \nduring the year had accessed information for unofficial \npurposes and had looked people up.\n    VA has this issue, which we can talk about in greater \nlength--with someone grabbing information to be able to look at \nit--that is a whistleblower.\n    How many agencies have good systems in place to be able to \naudit, at least, how individuals access these sensitive \ndatabases?\n    Mr. Willemssen. This particular access problem is probably \nthe most common issue that we see when we are doing detailed \ninformation security audits. Too many people have access to \nthings they don\'t need access to. It is not part of their job \ndescription. They don\'t have a need to know, but yet, they are \ngiven access.\n    So access is a real issue. It is one that we--I would say \nthat is probably the most frequent one we come up with.\n    Another issue that is interesting in this case is when you \nare collecting PII you--one of the things you do is end up \nscheduling a records notice with NARA--National Archives and \nRecords Administration--to among other things, tell them how \nlong you are going to keep the files before you dispose of it.\n    I was kind-of curious about why an application file from \n2003 would be kept 12 years later. Those kinds of things should \nbe disposed of fairly quickly. Hopefully, that is part of what \nthe Service will be doing going forward.\n    You are supposed to schedule those records out and dispose \nof them at a certain date. Sometimes 1 year, sometimes 5 years.\n    Senator Lankford. Can you pause on that?\n    Mr. Clancy, has that been taken care of at this point? \nThere are two different sets of information. 
Both the \nelectronic records that are not applicable anymore, and paper \nrecords, because it is my understanding that there are still some \noffices though the access point has been changed \nelectronically, if you go into a file room, those old \napplication files may still be there in paper form, as well.\n    Has that been dealt with as well?\n    Mr. Clancy. Yes, we are moving forward too, for example, \nthe applicants. Every 2 years those files will be purged. Right \nnow there is an investigation going on with the inspector \ngeneral, so some of that will be delayed slightly until they\'re \nthrough the investigation, but that is the plan forward. Also, \nagain, with the applicants in mind, 95 percent of the people \nthat had access before no longer will have access because of \nthe new system.\n    Senator Lankford. Is that both paper and electronic for \nthose offices around the country, do they still have access to \npaper records--somewhere in a filing cabinet?\n    Mr. Clancy. I will have to get back to you with a good \nsolid answer on that. I think we have moved away from a lot of \nthe paper, but let me give you a better answer.\n    Senator Lankford. Okay. That would be something wise to be \nable to evaluate as well. Both the electronic version, the \naccess points, and then obviously the paper version to make \nsure that that is also purged. It may be, just if you have \naccess to that room, you also have access to those files, and \nit is part of the challenge here.\n    Let me come back to Mr. Willemssen.\n    Which agency would you identify and say this agency is a \ngood model example of how to handle personal identifiable \ninformation? They are auditing well, they are tracking well, \nthey are a model agency?\n    Mr. Willemssen. Don\'t have one. No model agency.\n    Senator Lankford. That is somewhat depressing.\n    Mr. Willemssen. Yes, it is. Now, the more optimistic note, \nsince the OPM cyber disaster, this has become a major priority. 
\nOMB has charged up, it has definitely elevated its priority on \nthis. Agency heads now recognize that this is a critical issue \nthat needs to be addressed.\n    You know, and when we first announced the information \nsecurity area as high-risk, first few years I was told, you \nknow, you are Chicken Little, the sky is falling.\n    I don\'t hear that anymore.\n    Senator Lankford. Sky fell.\n    Mr. Willemssen. Yes.\n    Senator Lankford. Okay. So the challenge that we have here \nis dealing with--let me just give you one example of VA. This \nis something GAO has for years and years identified issues with \nVA.\n    Mr. Willemssen. Yes, sir.\n    Senator Lankford. How does this get better? How do we \nprevent unauthorized access of medical information and of \nprivate information for our veterans?\n    Mr. Willemssen. Veterans Affairs has a significantly high \npercentage of systems that are considered high-impact systems--\nthat is, the disclosure of data or modification of the data \nbecause of the medical records, is considered to be very severe \nin terms of its possible impact if it is lost, stolen, or \nreviewed by others.\n    Given that, you have to put much stricter controls in \nplace, including monitoring users and what they are doing, and \nif they have any atypical patterns in use, and the----\n    Senator Lankford. Is this just an audit, or is this an \nalgorithm that is created?\n    Mr. Willemssen. This is an audit and an algorithm. You can \ndo it automatically.\n    Senator Lankford. Right.\n    Mr. Willemssen. It is contained in the National Institute \nfor Standards and Technology guidance for high-impact systems. \nLike I said, VA has a significant percentage of high-impact \nsystems where you have got to put these kind of controls in \nplace to try to prevent the kind of situations that you \ndescribed.\n    Senator Lankford. Mr. 
Chairman, I would like--I don\'t know \nif we are going to do a second round of questions, but I do \nhave additional questions for Director Clancy as well.\n    Mr. Perry. If you don\'t mind, I will suspend.\n    Thank you, sir, and I will suspend your questions at the \ntime and recognize Mrs. Watson Coleman for a second round.\n    Mrs. Watson Coleman. Mr. Chairman, you know, I know we were \nhere. I know that my colleagues wanted us to sort-of focus on \nwhat happened to Chairman Chaffetz.\n    I think if I were him--if I were he, I would probably want \nthis to just go away now. Take care of the business that needs \nto be taken care of, discipline the people that need to be \ndisciplined, learn the lessons that you need to learn, but, you \nknow, I just really don\'t think he needs to have this or wants \nto have this as a continuing story.\n    But it does speak to other issues that we are identifying, \nand it does speak to a culture or way of thinking or way of \ndoing business or the way we--they--we perceive ourselves on \nthe inside that needs to be addressed. I know you have \nexpectations for that changing.\n    I would like to know any steps that you are actually taking \nto change the culture in the form of action. What happens with \nyour executive level? What happens with the level beneath that, \nthe supervisory level? What happens with the rank-and-file \nlevel?\n    How are you addressing the need to get our agency to think \nmore differently about how we come to work? What we do at work? \nWe don\'t sleep at work. We don\'t sex text under any \ncircumstances. You know, we don\'t look into files that we don\'t \nhave a responsibility, a need to look into.\n    Is there going to be some sort of a fail-safe mechanism \nthat shows when the file is being accessed by someone who \nshouldn\'t be, or has no reason to be? I would like to know some \nsteps that you are taking.\n    Thank you. Thank you, Mr. Chairman.\n    Mr. Clancy. 
I just think, in terms of the overall culture \nhere, one of the things we are doing is we are trying to have \nour workforce take ownership of this agency. It is their \nagency, and--let me just give you one example.\n    Just 3 or 4 weeks ago, we started a new program. It is a \ncrowdsourcing type of service on our intranet where our agents \nand our officers and all of our employees--professional staff \ncan send in ideas, suggestions, what we should be doing better, \nwhat should we be looking at, and then they get other people \nfrom the workforce looking at that, and they can ``like\'\' that, \nfor--better term, and then it forces the executive staff to \nlook at that.\n    We have seen this as a very positive--already within a few \nweeks, we have had close to 200 hits of--we call it Spark--\nwhere people have taken ownership of their agency.\n    Now, I think that is where we have got to get to that \npoint. It is management, it is my leadership, but additionally, \nit is the individuals who have to take ownership of this \nagency. I will say again, 99 percent of our people do have that \nownership.\n    Mrs. Watson Coleman. So, Mr. Clancy, I have been in the \nExecutive branch of Government, and I know it takes that kind \nof expectation, but it takes a plan of action, and it takes \nwhether or not you are hiring people from the outside who look \nat these issues and work through groups, and you work down \nthrough the organization.\n    So at some point I would like to know if you are planning \nto do those kinds of action steps.\n    Then the last question is--I really do want to know--is \nthere some sort of way that there is a notification of \naccessing information when you are not--when it is out of order \nfor what you are doing, it is not related to your case? Your \nidentification number to get into it signals whether or not you \nare or are not the right person to be accessing this \ninformation? 
As a follow-up to Senator Lankford\'s concerns.\n    Mr. Clancy. My understanding is--and the other gentlemen in \nhere may be able to answer this better--but it requires \nconstant monitoring and auditing, and there is no automatic \nnotice that someone has accessed someone\'s data \ninappropriately. It has to be constant monitoring.\n    Each----\n    Mrs. Watson Coleman. Who----\n    Mr. Clancy [continuing]. There is an administrator for each \nof these buckets of information, and that administrator has to \ncontrol who has access--who has the need to know that \ninformation.\n    So it is up to the administrator--so with our human \nresources, we have approximately 260 that would have access to \nour applicant data with this new system, and that administrator \nwould have to ensure that anyone else who enters has access \nthey have approved.\n    Mrs. Watson Coleman. Thank you. Did you want to say \nsomething to this, Mr. Roth--respond to this?\n    Mr. Roth. If I may--yes, if I may, just as an example, the \nDHS TECS system is one in which, for example, if Director \nClancy had created a record there and then I accessed that \nrecord, Director Clancy would get an e-mail that I was the one \nwho accessed the record.\n    So not only what Director Clancy was talking about, which \nis--you know, you can run reports by the system administrator, \nbut there are also sort of real-time controls on modern IT \nsystems that weren\'t present in the MCI system.\n    Mrs. Watson Coleman. Thank you, Mr. Chairman. I yield back.\n    Mr. Perry. Chair thanks the gentlelady from New Jersey. \nChair recognizes the gentleman Mr. Lankford.\n    Senator Lankford. Thank you.\n    I think the audit system is gonna be the key. At whatever \npercentage that that is, to be able to have, for this computer \nat this spot, here is everything that you ran, and that they \nknow at some point, someone is going to just spot-audit.\n    You can\'t go through all of it. 
There is not a need to go \nthrough all of it. But just the simple accountability that sits \nout there somewhere, to know there is an algorithm that is \nrunning, to say, ``hey, there is a search for files that don\'t \nseem to be consistent with official records.\'\'\n    There is a spot audit occasionally, that you may come in \nand face discipline, saying, ``you pulled records from your \nneighbor down the street, or from someone you don\'t like.\'\' All \nthose things, I think, just become important.\n    We have a tremendous number of people that work in the \nFederal workforce that are great people, that generally love \nthe country and love to be able to do what their job is. The \nproblem is these small--as Mr. Clancy, as you mentioned--the 1 \npercent on it.\n    I had to smile as we were walking through some of the \nconversation about Secret Service and picking on Secret Service \ntoday. I hope we are really not picking on you. This has become \nthe latest example of multiple examples, whether that be VA or \nSocial Security or others became the visual example again.\n    But I have to tell you, as I have listened to some of the \nconversation on the dais about challenges with public-relations \nnightmares and employees not doing their job and alcohol abuse \nand everything else, we could, quite frankly, flip the tables, \nand y\'all could hold a hearing on Members of Congress and have \nthe same accusation.\n    I would assure you it is more than 1 percent of the Members \nof Congress have some of these exact same issues. So this issue \nis not--is a human behavior issue, but it is also a \nprofessionalism issue of taking the task seriously.\n    So, Mr. 
Clancy, I am going to give you an unfair list, and \njust to be able to walk through a few things, and I am going to \ntell you this in advance--as I have tried to start walking \nthrough some of the issues and the recommendations for the \nSecret Service--it is the oldest law--oldest general law \nenforcement entity in our country. It is an incredibly valuable \nresource to our Nation.\n    But my fear is some changes that have been put in place \nover the past several decades--it is not on your watch--have \nbrought about some morale shifts on it. What I am trying to \nfigure out is how do we shift morale back, and how do we get on \ntop of this? Otherwise, it is Whack-a-Mole with the different \nissues all the time.\n    Overtime rules seem to come up over and over again as I \ntalk to different agents and individuals. Getting some sort of \nstandard practice with your counterpart agencies. \nAccountability of leadership, so if there is a bad actor, \neveryone knows that is not tolerable in our agency.\n    When you actually confront issues, everyone knows that is \nthe standard and we are going to live up to it. If there is a \nbad apple, as has been stated, in the group, or someone that is \nflippant about it, everyone kind of works down to that level.\n    Priority of new equipment and technology. I find that \nSecret Service is not getting the top priority for some of the \nnewest technology and newest equipment among our DHS law \nenforcement, and I think it is demeaning. That sends a false \nmessage to Secret Service that they are not as valuable as some \nof the other aspects of DHS.\n    Their responsibilities seem to be getting cluttered instead \nof a clarity, where it has been historically, for protection \nand for counterfeit duties. 
There seems to be other duties that \nseem to be kind of creeping into it that distract from the core \nmission here.\n    The consistent career track--that seems to be a consistent \ntheme that I have heard over and over again, that the career \ntrack seems to change, so no one really knows what path they \nare on here. Am I off on any of these at this point?\n    Mr. Clancy. No, you are correct, and I will just comment on \nyour last--the career track. We did bring in a workforce of \nagents at different levels to try to look at the best career \ntrack moving forward, and we have just announced, a couple \nmonths ago, the new career track for our agents so that they \ncan plan their future.\n    That has been one of the problems. You don\'t know if you \nare going to come to Washington, or will you be able to go to \nTexas. So we are, again, listening to our workforce, trying to \nfind solutions.\n    Senator Lankford. That is one of the things you can do if \nyou are on the inside and you know full well what is happening. \nBut I would encourage in the career track--and y\'all have \nalready examined this, and go from there--the possibility that \nindividuals that are on a previous career track still could \nfinish that out.\n    Mr. Clancy. Yes.\n    Senator Lankford. They can be grandfathered into that, or, \nif they choose to shift to the other one, they could choose \nthat as well. That gives them the option and not feel like the \nnew guys got the new stuff, or whatever it may be, but also \nhave something to say, ``I started on this, I can actually \ncomplete this and not feel like the rules are changing on me \nagain\'\' as they walk through.\n    This corporate identity is extremely important, and is \nextremely valuable. What I fear is that there is a growing \nsense of lack of importance of people that are incredibly \nimportant to our Nation.\n    I never want Secret Service folks to feel like they just \nguard doors for a living. They don\'t. 
They have an incredibly \nvaluable role, and the morale, and the--what you set--and the \nrole and the standard that you set will be incredibly important \nfor years to come.\n    If there is a silver lining in this, historically, Secret \nService have had a really bad time when a President was shot. \nNo one has been shot.\n    There are just some things that were messed up, and this is \na unique moment for--publicly for the Secret Service to \nreevaluate again, and go, ``Who are we? Where are we going? \nWhat is our clear task?\'\'\n    I would encourage you, if there are issues in working with \nDHS and in the scheme of things, these committees need to know \nit, because we want to make sure that all of the DHS families \nall feel equal levels of importance.\n    Your Secret Service transitioned pretty quickly, I guess, \nfrom working in the Treasury to DHS and all the restructuring \nand you are now one of many rather than the big dog of \nTreasury. That has both benefits and challenges, and we need to \nknow and to have some way to be able to help communicate in \nthat so that we can help actually engage in this because we are \nnot only advocates, but we are accountability in the process.\n    Today probably feels more like accountability, but we also \nhave the desire to be advocates on these roles. So we will need \nto know that. Is that fair?\n    Mr. Clancy. That is fair, Mr. Chairman. If I could comment \non one thing there, sir.\n    Senator Lankford. Yes, sir.\n    Mr. Clancy. Just to give you some comfort--I know it has \ngiven me comfort, but I went through this papal visit as well \nas the U.N. General Assembly. I traveled with the Pope and I can \ntell you, as I talk to our agents, our officers and our \nprofessional staff, this was a defining moment for our agency. \nAs I talk to these people, I looked in their eyes, they wanted \nto be successful. 
They know the issues that have been \nhighlighted, and rightfully so, over the past several years.\n    This was an unprecedented time in our history and our \npeople were determined to make this successful and we did this \nfor NSSEs without incident, and our people felt very proud \nabout that and I am very proud of our workforce.\n    Now having said that, we have got to correct these other \nthings too, and we will, but we have got people that are \nworking very hard for the American people.\n    Senator Lankford. Yes, you do, and we acknowledge that and \nwe understand that. But we also don\'t want anything to distract \nit.\n    Mr. Clancy. Yes, sir.\n    Senator Lankford. Mr. Willemssen, let me ask you this as \nwell. When we are talking about databases and we are talking \nabout access points, is there any independent agency or agency \nthat is an Executive agency that you think has a higher risk or \nhas no system of tracking this, old or new, that you look at \nand say these--of the high-risk, these are the highest-risk?\n    Part of my question--are the independent agencies--do we \nknow for certain that they have auditing process? Because they \nhandle incredibly sensitive financial data on Americans.\n    Mr. Willemssen. I would point to those agencies who have \nthe most PII, personally identifiable information, as reason to \nmake sure that they are doing everything they can to protect \nthat.\n    So you start with Social Security Administration, who has \nPII on almost every citizen. Veterans Affairs you have already \nmentioned, definitely an issue. Department of Education, \nprobably somewhat overlooked because they have a tremendous \namount of PII because of the student loans, not only on the \nstudent, but sometimes on the parents.\n    So I would be most concerned about where the PII is the \nmost significant.\n    Senator Lankford. 
Let me ask you about things like SEC or \nCFPB, fairly new entity for CFPB, they have a tremendous amount \nof data.\n    Mr. Willemssen. Yes.\n    Senator Lankford. Do we know, on their employees, how they \nhave access and the limitations that they have?\n    Mr. Willemssen. We know that they have at least three sets \nof data collection that includes PII, maybe more. Arbitration \ncase records, bank-deposit account and transaction-level data \nand storefront payday loans.\n    Senator Lankford. What is their auditing process for their \nemployees inappropriately accessing that?\n    Mr. Willemssen. That is something we will have--we can \nfollow up on. We did make a recommendation in terms of the--we \npreviously had done work and we made a recommendation related \nto their privacy-impact assessment.\n    Whenever you collect PII, you have got to do a privacy-\nimpact assessment that lets everyone know what are we \ncollecting, why are we collecting it, how are we going to use \nit, how are we not going to use it, and when are we going to \ndispose of it.\n    They had not fully done those when we had done our work, so \nmade a recommendation on that, and that is something I can \nfollow up on and see where they are at.\n    Senator Lankford. I know CFPB has just requested, again, \nanother incredibly large jump in the amount of information that \nthey are gathering on Americans and gathering on databases. \nThat seems to exceed even what was originally designed in Dodd-\nFrank.\n    Mr. Willemssen. Well, it may be more than what we had \nmentioned in our report, then. They may have further expanded \nit.\n    Senator Lankford. It is a fairly recent expansion request \nfor additional information. What we are trying to figure out is \nwho has access to that, how often do they have access to that?\n    Mr. Willemssen. We can follow up for you on that.\n    Senator Lankford. That would be very helpful to this \nCongress.\n    Mr. Willemssen. 
Yes, sir.\n    Senator Lankford. Gentlemen, I thank you for your \nparticipation today.\n    Mr. Perry. The Chair thanks the gentleman from Oklahoma.\n    Before I close out, I have got a couple questions. Mr. \nWillemssen, you know, you are from the Government \nAccountability Office and I read through your information. I am \njust wondering if you can provide any clarity on other agencies \nregarding penalties, regarding accountability for actions that \nhave been--that they have engaged in regarding security \nclearances? That might be out of your wheelhouse, and if it is, \nthat is----\n    Mr. Willemssen. Well, I can talk about numerous--some of \nthe major incidents over time. Probably the first major \nincident we had with inappropriate browsing was at the IRS in \nthe mid-1990s. Several employees decided to start browsing \ncelebrities\' tax returns, and actually, as a result of that, \nthere was an act passed, the Taxpayer Browsing Protection Act, \n1997. That, among other things, has penalties of up to a $1,000 \nfine and imprisonment of not more than 1 year.\n    Mr. Perry. Do you know if anybody was ever prosecuted under \nthat? And was subjected to those penalties at all?\n    Mr. Willemssen. Do not know that, sir, but I can--we can \nfollow up on that with the IRS.\n    Mr. Perry. Well, I--actually, I wish you would, just so we \nknow.\n    Director, you also mentioned that--I think you are--there \nare some limitations, right, to what you can do regarding \naccountability, regarding punishment for actions that are \nbeneath the standard? Is that correct?\n    Mr. Clancy. Yes. We are not able to fire at will.\n    Mr. Perry. You are not--okay. So we need to know, the \nmembers of this board and Congress in general needs to know \nwhat you need us to do for you to be successful, for you to \nmanage your force, okay? 
We need your direct recommendations \nand that is, as I have said so many times in the room, we want \nyou to be successful, and if we are standing in the way, you \nneed to let us know what we can do, what we should do, so that \nyou could be successful.\n    You know, I have served for over 30 years in the United States \nmilitary, if you are familiar with the Army, and I guarantee \nyou if there is a question of your security clearance and your \nactivity regarding the security clearance, that is suspended on \nan interim basis, pending an investigation. If you are found to \nhave been at fault, and have breached, that is very serious. It \nis incredibly serious for the most minor infractions. It is not \nmeant to be a culture of punishment and fear, but it is meant \nto keep honest people honest and to raise to the level of \nimportance those things that should be important.\n    I would just suggest that maybe that would be something \nthat you might want to look at for suspension of security \nclearances, which I would imagine in your business, a \nsuspension of a security clearance, certainly on an interim \nbasis--maybe on an interim basis, but absolutely on a permanent \nbasis means loss of employment because you can\'t be employed \nwithout it, right? And----\n    Mr. Clancy. That is correct, yes, sir.\n    Mr. Perry. That is correct, right? So that gets to where we \nwant to be. I would also say this. In looking at some of the \ntestimony, we are concerned about how fast you are getting the \ninformation. You are the top dog and you are in charge and I \nget it. But I will tell you this too. Whether it is in my \nfamily, whether or, whether it is in the military, whether I \nwas running my business, bad information, bad news does not get \nbetter with time.\n    There must be a culture of something happened, and who \nneeds to know and we get the information up to the top of the \nchain as quickly as possible because you have got to be able to \ndo your job. 
You can\'t do it without the information. If your \nsubordinates don\'t know that that is your expectation, then we \nare going to have--we are going to have this continuation of \nthis, which none of us want.\n    You are sitting here in front of us and you are defending \nyour agency and your agents, as we expect you to, as you \nshould. You will probably also note that 95 percent of your \ntime will be spent on 5 percent of your people. Director, I \nhave been out to your operation and I have been well impressed \nand all of us really want to hold up the Secret Service as the \nstandard. We want that. Americans really desperately want that.\n    So these things are incredibly hurtful, so when we hear \nthem in the news, they are hurtful. There is a bigger picture \nhere and I think your agents, your employees need to understand \nit is not their system. It is the taxpayers\' database, and is \nnot their information, it is those individuals\' information.\n    You don\'t own it, those individuals own it. To use it \nwilly-nilly is reprehensible in an age when, as the Senator \ntalked about, your--all these information that the governments \ngather, the information that the private sector is gathering \nand what happens to it and who owns it and the force of law \nunder the ACA, which says you must submit your information.\n    To think and to wonder that somebody might be using that \nfor their personal whatever, that is a problem. That is a \nproblem for the American citizen trusting their Government, and \nyour employees have a direct connection to that. They must--in \nmy opinion, they must understand that.\n    I want to just speak to this--you have been questioned a \ncouple times on diversity and also on filling your ranks and in \nkeeping your people employed and keeping them incentivized and \nso on and so forth. 
We understand that you have challenges, \njust like everybody does, complying with the law and filling \nyour ranks with the people that you want to have there. We \nunderstand that. I would say from this person\'s perspective, we \nwant you, I want you to get the best. You get the best, all \nright? You get the best to do the job.\n    Finally, I noticed a couple times you said you are trying \nto be consistent with other agencies. I will tell you this, \nsir. I understand where you want to be, but this is the Secret \nService, the premier organization of your type in the United \nStates Government, in the world.\n    How about if you lead? If you can\'t find somebody that \nmeets the standards you want to set in your agency around the \nGovernment agencies, go outside. Make your own standard. If you \nneed help from us, you need to ask for it, all right?\n    Thank you very much for your time here. Gentlemen--again--I \nthank you, the witnesses all for your very valuable testimony \nand for the Members and their questions. Members may have some \nadditional questions for the witnesses and we will ask that you \nrespond to those in writing.\n    Without objection, the subcommittees stand adjourned.\n    [Whereupon, at 12:02 p.m., the subcommittees were \nadjourned.]\n\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n        Questions From Chairman Scott Perry for Joseph P. Clancy\n    Question 1a. According to Secret Service officials, USSS policies \nrelated to accessing and disclosing PII are available in the Secret \nService ethics manual distributed to USSS personnel and on the Secret \nService intranet site. In addition, Secret Service employees are \nrequired to recertify their ethics training yearly.\n    What percentage of the workforce actually completes the yearly \nrecertification and what audit measures are in place to ensure the \nworkforce is recertifying?\n    Answer. 
Employees certify annually that they are aware of a variety \nof agency policies via the SSF 3218, to include the agency manual \nsections on Employee Responsibilities and Conduct, Table of Penalties, \nand Discipline. These forms are subject to audit when agency offices \nare inspected by the Office of Professional Responsibility\'s Inspection \nDivision.\n    With respect to ethics training, in calendar year 2014, the Office \nof Chief Counsel (LEG) provided ethics training to 100% of those \nemployees required to receive it. In calendar year 2015, LEG targeted a \ngoal of 100% compliance and has provided in-person training to a total \nof 587 employees. LEG reports the results of its training efforts \nannually to the Office of Government Ethics.\n    With respect to required on-line training, the table below reflects \nthe percentage of the workforce that has completed each of the 3 \nidentified courses that involve employee conduct and/or treatment of \npersonal information.\n\n                         PRIVACY & PII TRAINING COMPLETIONS FOR USSS IN FISCAL YEAR 2015\n----------------------------------------------------------------------------------------------------------------\n                                                          Privacy at DHS:    Decision Making      IT Security\n                                                             Protecting          Elements          Awareness\n                                                              Personal     -------------------------------------\n                                                            Information       March 2015 was\n                      Course Title                      -------------------  official rollout     This on-line\n                                                            This on-line     for this yearly       course is\n                                                             course is       required on-line  required annually\n                                 
                        required annually        course\n----------------------------------------------------------------------------------------------------------------\nEmployee Completions *.................................              5,604              5,563              5,385\nPercent of the Workforce Completions for Fiscal Year                   89%                88%               86%\n 2015 (Numbers include active and inactive employees\n with no duplicates)...................................\n----------------------------------------------------------------------------------------------------------------\n* Totals represent ``unique employee completion\'\' (both active/inactive employees with no duplicates).\n\n    The enforcement mechanisms (or audit measures) to ensure the on-\nline courses are completed are multi-tiered:\n    (1) Self-Check.--Employee logs onto learning management system \n        (LMS) regularly to ensure he/she is taking the courses by due \n        date(s).\n    (2) Supervisory Check.--Supervisor logs onto LMS and reviews his/\n        her employee progress and/or the office Training Coordinator \n        provides the supervisor(s) with a non-compliant list.\n    (3) 2nd Supervisory Check (during evaluation process).--Supervisor \n        conducts the employee\'s mid-year and final evaluation, reviews \n        the status of prescribed/required training, and discusses any \n        other training the employee may need or want to improve or \n        develop his/her skill-set.\n    (4) Inspection Division Audit.--All field offices and protective \n        divisions are inspected every 4 years by the Inspection \n        Division (ISP). During the ISP review, on-line training is \n        audited to determine whether all employees have completed \n        mandatory LMS training.\n    Question 1b. What follow-up is conducted for non-compliant \nemployees who fail to complete the training?\n    Answer. 
Employees found to be non-compliant with required courses \ncould be held accountable in performance evaluations and could be \nsubject to discipline in accordance with the established Table of \nPenalties.\n    Question 1c. How do senior officials hold mid-level management \naccountable for ensuring their subordinates are aware of and operating \nwithin USSS ethics policies?\n    Answer. Senior officials are responsible for communicating their \nexpectations, including adherence to Secret Service ethics policies, to \nmid-level management during regular interactions, mid-year reviews, and \nfinal reviews. Failure on the part of mid-level management to ensure \ntheir subordinates are aware of and operating within those ethics \npolicies could be reflected in the manager\'s performance review and \ncould result in discipline under the Table of Penalties.\n    Question 2a. According to USSS staff, in 2007, an NSA review called \nfor the MCI system to be upgraded. Despite this recommendation, the \nSecret Service did not begin to take any action related to upgrading \nthe system until 2011 and the MCI upgrade was not completed until June \nof this year. Since fiscal year 2011, when the upgrade began, Congress \nhas appropriated over $227 million for USSS IT transformation.\n    How much of this appropriated sum was used to modernize the MCI \nsystem?\n    Answer. The MCI migration was part of the Mainframe Applications \nRefactoring project which utilized approximately $13.49 million to \ncomplete the migration into modernized systems with security controls \nand audit logging. The out-year sustainment costs are $2 million per \nyear.\n    Question 2b. Why did it take so long for MCI to be upgraded and why \ndid USSS wait 4 years after the NSA review to begin the upgrade? Was it \na funding issue, a personnel issue, an acquisition issue, a technical \nissue, or something else?\n    Answer. 
The MCI upgrade was dependent on the availability of \nmodernization funds to obtain the appropriate assets to complete the \nproject. These funds were needed to obtain the equipment and skilled \npersonnel to take on the effort of transitioning from a period of \ntechnological stabilization to modernization. The Secret Service\'s \nInformation Integration and Technology Transformation (``IITT\'\') \nprogram was established in fiscal year 2010. In recognition of the \nlimitations of MCI and other mainframe applications, the Secret Service \ninitiated the Mainframe Application Refactoring (``MAR\'\') project in \n2011 to assess the existing 48 applications residing on the mainframe \nand migrate necessary capabilities and accompanying data to a non-\nmainframe, secure, highly-available and compartmentalized environment. \nDHS estimated the project would take 10 years to complete. The Secret \nService accelerated the MAR project in 2013 and was able to achieve \nproject closure on June 24, 2015.\n    Question 3a. Since becoming Director, you have launched a series of \ncommunication initiatives to open lines of communication between senior \nmanagement and the rank-and-file USSS employees. These initiatives \ninclude focus groups, an Ombudsman question line, and the new Spark! \ntool. These actions would appear to ``clearly communicate agency \npriorities\'\' and ``create more opportunities for offices and agents to \nprovide input on their mission\'\' as recommended by the Protective \nMission Panel.\n    What kind of buy-in and participation in these initiatives have you \nseen from the rank-and-file employees?\n    Question 3b. What reforms, either completed or in process, have \nbeen brought about as a result of these initiatives?\n    Answer. Given that sub-questions a and b are closely related, the \nSecret Service will address these together.\nSpark!\n    On October 19, 2015, the Secret Service introduced the Spark! 
\nProgram, which is a crowdsourcing, web-based communication platform \nthat provides every employee with a virtual voice to make suggestions, \nshare ideas, and find solutions to elevate our mission and continue to \nimprove the agency. This new program allows senior management to \ncommunicate directly with the entire workforce on what initiatives are \nbeing pursued and what the agency\'s priorities are as they relate to \nthe posts on the site. The Spark! Program, although still in its \ninfancy, has already seen participation by 3,374 employees, which is \n54% of the workforce.\nFocus Groups\n    In October 2014, the Secret Service selected Eagle Hill Consulting \nas the primary contractor to conduct a Work/Life Integration Assessment \nbeginning in November 2014. Eagle Hill conducted focus group interviews \nthroughout the Nation with Secret Service employees. A survey was \ndistributed garnering participation from approximately 57% of the total \nSecret Service population. Eagle Hill completed its assessment in \nDecember 2015.\n    Throughout this engagement, frequent communication with the Secret \nService workforce has been essential in providing the workforce \ntransparent, accurate information about the status of the work/life \nassessment and its results. Regular updates from the director via e-\nmail and a permanent work/life integration webpage on the Secret \nService intranet inform employees about near-term measures and next \nsteps as the organization responds to critical quality-of-life \nconcerns. 
For example, an agency-wide communication from the director \nin response to focus group findings conveyed new initiatives to provide \ngreater clarity and transparency regarding the special agent \nreassignment process, career track and promotion guidelines for law \nenforcement personnel, permanent change of station move process, \nhardship policy, and enhancements to the organization\'s telework \npolicy.\n    Now that the Eagle Hill engagement has concluded, focus group \nresults, survey data, and external research into Federal agency work/\nlife best practices will be presented to the Secret Service Executive \nStaff. These efforts will inform a series of final recommendations to \nbe developed by Eagle Hill regarding development of a permanent Work/\nLife Integration Program. Through the recently-established Work/Life \nWorking Group chaired by the deputy director, the organization will \nconsider in detail each of the recommendations and in 2016 begin \ndeveloping appropriate programmatic responses to enhance workforce \nquality of life on a long-term basis.\n    Question 4a. The Protective Mission Panel recommended replacing the \nfence surrounding the White House, stating, ``a better fence can \nprovide time, and time is crucial to the protective mission. Every \nadditional second of response time provided by a fence that is more \ndifficult to climb makes a material difference in ensuring the \nPresident\'s safety and protecting the symbol that is the White House.\'\' \nThe Panel also suggested the fence be replaced as quickly as possible. \nThus far however, the only changes have been the addition of some \nspikes and bike racks which push the fence line out a few feet.\n    Please provide an update on the USSS plans to replace the fence.\n    Answer. 
In response to the September 19, 2014 incident and the \nfindings of the Protective Mission Panel, the Secret Service pursued \ninterim and long-term actions needed to address White House fence \nvulnerabilities.\n    To immediately increase the difficulty associated with jumping the \nfence, the Secret Service installed temporary security enhancements on \nthe existing fence. These temporary measures were meant to bolster \nsecurity needs while a long-term solution is designed and implemented.\n    To permanently address all identified fence vulnerabilities, the \nSecret Service, through the National Park Service (NPS), initiated an \nengineering study to examine physical changes that would increase the \nstructural integrity of the White House fence against both individuals \nand an organized, dynamic attack. The study concluded on May 28, 2015. \nBased on the results of the study, the Secret Service decided to pursue \nthe design of two different permanent fence options. Both options will \nbe developed concurrently and in enough detail so that they can be \npresented to NPS, the National Capital Planning Commission (NCPC), the \nCommission of Fine Arts (CFA), the District of Columbia State Historic \nPreservation Officer (DC SHPO), and others for consideration. Award of \nthe contract for the permanent fence design took place in September \n2015.\n    Question 4b. When do you expect the project to be completed and at \nwhat cost?\n    Answer. 
Prior to completion of the study and the latest fence-\njumping incident on November 26, 2015, the Secret Service estimated \nthat design, acquisition/contracting, and construction of the permanent \nfence project would take a minimum of 28 months, potentially longer if \nthe NPS, the NCPC, and the CFA require revisions/modifications to the \nproposed design.\n    After completion of the study, negotiations with the architect/\nengineer responsible for the design of the permanent fence, additional \ndiscussions with NPS (the Government agency with responsibility/\njurisdiction over the fence), as well as a review of the November 26, \n2015 fence-jumping incident, the Secret Service now believes this \nproject will take longer than 28 months.\n    The concepts for the permanent fence design were based in part on \nthe security/anti-climb features incorporated into the interim fence \nupgrades that were present during the November 26, 2015 fence-jumping \nincident. Based on the results of this incident, the Secret Service \nplans to re-evaluate the permanent design concepts, as well as assess \nthe effectiveness of additional features to be incorporated into the \nnew permanent fence.\n    The fiscal year 2016 Consolidated Appropriations Act included $8.2 \nmillion (available for 2 years) for security enhancements to the White \nHouse fence. This estimate was developed prior to the completion of the \nstudy and design phase of the project. Once the permanent design is \ndeveloped and additional details about the permanent fence are known, \nthe Secret Service will be better positioned to provide an estimated \ntotal cost to replace the existing White House fence.\n    Question 5. As stated in the OIG addendum issued in October, Deputy \nDirector Magaw said he informed you on March 25 of the rumor that Rep. \nChaffetz had applied to the Secret Service. Why did you not take \nimmediate steps to learn more information about the nature and validity \nof the rumor? 
Why did Deputy Director Magaw not inform you that the \nrumor was the result of improper access and distribution of PII \ninformation in the MCI database?\n    Answer. As previously reported to the DHS OIG, on March 25, 2015, \nDeputy Director Magaw notified me of the rumor surrounding \nRepresentative Chaffetz\'s application with the Secret Service. At that \ntime, I had no reason to believe that any Secret Service databases, \nincluding MCI, had been accessed to obtain this information. Like \nDeputy Director Magaw, I believed it to be an unsubstantiated rumor and \nnothing more. In fact, both Deputy Director Magaw and I were not aware \nthat a Secret Service database had been accessed until April 2, 2015. \nThat same day, I sent an official message to the entire workforce \ndirecting them to immediately cease all unauthorized access and \ndissemination of sensitive information.\n    On April 3, 2015, I convened a meeting with my executive staff to \ninform them of the situation. At this meeting, I reiterated the \nimportance of protecting sensitive PII and informed them that any \nviolations of Secret Service policy would not be tolerated.\n    Subsequently, the DHS OIG\'s investigation revealed that subsequent \nto the April 2, 2015 official message, no additional personnel accessed \nRepresentative Chaffetz\'s information.\n    Question 6. Why did Secret Service maintain applicant information \nfrom 12 years prior in its systems? Why was such information not purged \nor sent for archiving?\n    Answer. At the time of the events in question, the Secret Service \nwas still governed by records retention schedules requiring this type \nof information be retained for 20 years. Due to the fact that these \nschedules were vetted, approved, and signed by the National Archives \nand Records Administration (NARA), adherence to these schedules was a \nmatter of legal compliance. 
New NARA-approved retention schedules have \nnow replaced the legacy schedules, and information relating to \napplicants who are not hired is held only for 2 years, unless a formal \nbackground investigation is conducted. If a formal background \ninvestigation is conducted, the case file is held for 5 years.\n Questions From Ranking Member Bennie G. Thompson for Joseph P. Clancy\n    Question 1. Director Clancy, it was recently reported that a \nUniformed Division officer was arrested for sending pornographic images \nto a minor. Prior to his arrest, the Secret Service Office of \nProfessional Responsibility became aware of the investigation and \nsuspended the officer\'s security clearance and took his service weapon. \nHow did the Secret Service work with the authorities to make sure that \nthe investigation of this officer was not compromised since the Secret \nService took action before the officer was arrested and indicted?\n    Answer. On November 6, 2015, the Maryland State Police (MSP) \ncontacted the Secret Service to advise that they, in conjunction with \nthe Delaware State Police (DSP), and ICE\'s Homeland Security \nInvestigations (HSI) were conducting an investigation into potential \ncriminal misconduct by a USSS employee.\n    That day, representatives from the Office of Professional \nResponsibility contacted the DHS OIG and advised that the USSS employee \nwas assigned to the White House Complex and the allegations against the \nemployee posed significant National security concerns. DHS OIG \nrequested that the USSS not take any administrative action against the \nUSSS employee as law enforcement involved in this investigation was \nplanning to execute a search warrant in less than 2 weeks. However, due \nto the criminal nature of the allegations and the sensitivity of the \nposition held by the employee, the USSS made the decision to \nimmediately suspend the employee\'s security clearance and place him on \nadministrative leave.\n    Question 2. 
Director Clancy, it was recently reported that 2 USSS \nagents were observed during a routine systems check sleeping at their \nduty stations. This observation was so concerning, the DHS inspector \ngeneral issued a management alert, citing long overtime shifts, travel \nfatigue, and a lack of water as some of the causes. What plans do you \nhave in place to address overtime concerns, particularly in the \nUniformed Division?\n    Answer. The Uniformed Division continues to evaluate overtime usage \nacross all Uniformed Division Branches with the goal of equitably \nminimizing extensive overtime shifts and preserving days off. Each \nUniformed Division Branch manually tracks the overtime accumulation of \neach officer per pay period as a current management practice. Every \neffort is made to staff critical vacant assignments with personnel who \nvolunteer to work overtime prior rather than forcing personnel to work \novertime.\n    The concept of consolidating all Uniformed Division scheduling \noffices to gain efficiencies and cross level overtime between Branches \nis currently under review. In addition, specialty function Uniformed \nDivision personnel are being temporarily reassigned to fill critical \nassignments in an effort to reduce the amount of overtime hours as well \nas cancelled days off.\n    Variable assignments, such as temporary magnetometer screening \ndetails, typically result in short-notice protective travel and incur \novertime for personnel to replace or ``backfill\'\' Uniformed Division \npersonnel on TDY status. The Uniformed Division, as well as the Office \nof Protective Operations, are reviewing current planning practices in \norder to determine temporary magnetometer detail requirements as early \nas possible in the protective advance planning process in order to \nminimize overtime as a result of short-notice TDY travel.\n    Question 3. 
The Protective Mission Panel suggested an increase of \n200 Uniformed Division officers as well as 85 Protective Division \nofficers. Has the Secret Service increased staffing since this \nrecommendation and by how many? Will this increase in staffing help \ndecrease the number of officers needed for long overtime shifts, \nparticularly in the Uniformed Division?\n    Answer. As of December 7, 2015, 176 UD Officers have been hired in \nfiscal year 2015 and fiscal year 2016. The net gain from the influx of \nthese 176 additional personnel has been 28 additional officers assigned \nto the White House. This represents a staffing increase of 4.8% at the \nWhite House Branch. At this time, we anticipate hiring approximately \n288 total officers in fiscal year 2016.\n    Although Uniformed Division personnel assigned to the White House \nBranch has increased since the Protective Mission Panel report was \nissued on December 15, 2014, the overall number of personnel assigned \nto the Uniformed Division has decreased from 1,345 to the current \nnumber of 1,323, as of December 7, 2015.\n    With respect to the Protective Mission Panel recommendation to \nincrease the Presidential Protective Division by 85 special agents, \nthis will be complete in the 2nd quarter of fiscal year 2016.\n    Question 4. The Protective Mission Panel recommended an \nestablishment of a leadership-development system to identify and train \nthe agency\'s future managers and leaders. How do you identify the \nagency\'s future managers and leaders given that several of the agency\'s \ncurrent managers and leaders have been investigated for misconduct?\n    Answer. 
When there is an open position in the Senior Executive \nService (SES) ranks, the Secret Service Executive Resources Board (ERB) \nreviews the list of employees who have received SES certification from \nthe Office of Personnel Management.\n    If an SES-certified employee is identified as being a viable \ncandidate to fill the vacancy, the ERB makes a recommendation to the \ndirector for his consideration. If no current SES-certified employee is \nidentified as being a viable candidate to fill the vacancy, the ERB \nmakes a recommendation to the director to announce the vacancy to \nexternal candidates.\n    For non-SES supervisory positions, special agent career progression \nguidelines were established in September 2015, and a career track for \nnon-law enforcement personnel is currently under development.\n    Question 5. As outlined in the latest Federal Employee Viewpoint \nSurvey, the Department of Homeland Security is still struggling in \nareas of morale and leadership. The Secret Service in particular has \nbeen plagued with retention issues. Please describe what plan you have \nin place to address retention and ensure the Service is recruiting top, \ndiverse talent?\n    Answer. A retention incentive program has been implemented for the \nUniformed Division. Under the plan, officers signed retention bonus \nagreements in the amount of 5% of their annual salary and began \nreceiving that bonus, in part, every 90 days they remained on the job. \nTo date, over 90% of the eligible Uniformed Division members have \nexecuted a service agreement and are participating in this program. In \naddition, a comprehensive review of recruitment and retention \nflexibilities available within the Federal Government is currently \nbeing conducted.\n    The Talent and Employee Acquisition Management Division has \ndeveloped and implemented a fiscal year 2016 Recruitment and Outreach \nPlan. 
The Plan outlines strategies that will guide the recruitment \nactivities necessary to ensure the Secret Service recruits a highly \nqualified and diverse workforce that is representative of America. The \nplan includes traditional outreach, such as attending National and \ndiversity-focused career fairs, information sessions and career fairs \nat Historically Black Colleges and Universities, Hispanic-serving \ninstitutions, and Tribal colleges and universities, liaison with \nmilitary Transition Assistance Program/Army Career Alumni Program (TAP/\nACAP) events, and attending National diversity conferences. In \naddition, new opportunities in social media recruiting are being \nleveraged to attract today\'s engaged candidates on LinkedIn, YouTube, \nTwitter, and internet radio providers such as Pandora and iHeartRadio. \nThe strength of these platforms is their ability to target potential \napplicants with the backgrounds and skill sets we seek.\n    The Entry Level Assessment Center (ELAC) will continue to be used \nto process large groups of Special Agent and Uniformed Division Officer \napplicants through the hiring process. Typically during an ELAC, the \napplicant is administered 2 or more assessments of the hiring process \nin a reduced amount of time. During fiscal year 2016, 6 UD ELACs have \nbeen conducted with more than 460 applicants being processed to date.\n    The Recruitment and Outreach Plan is a living document and will be \nupdated and revised as necessary throughout the fiscal year to meet the \nagency\'s goals in recruitment and hiring.\n    Question 6. It has been often stated that it is very difficult to \ntransition from the Uniformed Division to the President\'s Protected \nDivision. What percentage of agents in fact transfer from the Uniform \nDivision to the Protected Division? What special programs are in place \nto support such a desire to transfer?\n    Answer. 
Uniformed Division officers do not ever transfer directly \nto a special agent position in the Presidential Protective Division, a \npermanent protective detail. In fact, no one applying for a law \nenforcement position within the Secret Service is hired directly to a \nposition with a permanent protective detail. There is a period during \nwhich the expertise, maturity, and judgment essential to the extremely \ncritical and demanding work of special agents protecting our Nation\'s \nhighest elected leaders is developed in field offices supporting \nprotective operations and conducting counterfeit currency, financial, \nor cyber crime investigations as criminal investigators.\n    Uniformed Division officers do frequently go through the necessary \nprocess to become special agents. Those Uniformed Division officers who \nbecome special agents are required to go back to the Federal Law \nEnforcement Training Center (FLETC) in Glynco, Georgia for the Criminal \nInvestigator Training Program course. After graduation from FLETC they \nreturn to the U.S. Secret Service James J. Rowley Training Center \n(JJRTC) to attend the Special Agent Training Course. Upon successful \ngraduation from the JJRTC the new agent is then assigned to a field \noffice for the first phase of their career. After their initial field \noffice assignment the agent is then transferred to a permanent \nprotective detail, like the Presidential Protective Division or \nProtective Intelligence Division.\n    Question 7. In June of this year, it was reported that several \ndozen USSS Uniform Division Officers were placed on duty at the White \nHouse without completing the requisite security clearance process. In \nfact, over the last 5 years, approximately 643 officers and agents have \nbeen assigned to positions without the requisite security clearance. 
\nPlease provide the demographical information to include race and gender \nfor each officer and agent assigned to duty without a security \nclearance over the last 5 years.\n    Answer. A report is being compiled and will follow.\n    Question 8. Are agents and officers presently required to have a \ncompleted security clearance before being placed on duty? Please \nprovide the number of agents and officers currently on duty without a \nsecurity clearance, the specific post each agent or officer was \nassigned, the date of the assignment, and the length of time the agent \nor officer remained at this position without a clearance.\n    Answer. There are no agents or officers currently on duty without a \nsecurity clearance. Pursuant to Secret Service policy, SCD-02(01), DHS \nhas authorized the Secret Service to hire employees ``contingent upon \ncompletion of a full-scope background investigation.\'\' Employees may be \nhired under this contingency if the Secret Service has completed the \nmajority of a Single Scope Background Investigation (SSBI) and no \nderogatory information was developed which could adversely impact the \ncandidate\'s ability to hold a Top Secret security clearance during the \ncourse of the SSBI. Employees hired under this contingency status are \nrequired to sign an SSF 4024, Conditional Access to Sensitive but \nUnclassified Information Non-Disclosure Agreement, prior to reporting \nfor duty.\n    Question 9. In your testimony, you reference 14 contractors added \nto Secret Service staff to help adjudicate security clearances. What is \nthe current average amount of time required by your staff to complete a \nsecurity clearance since the addition of the contractors?\n    Answer. In an effort to correct the record, it should be noted that \nthe statement in the testimony does not accurately reflect the number \nof contractors added to Secret Service staff to help adjudicate \nsecurity clearances. 
The Security Clearances Division (SCD) is in the \nprocess of on-boarding 24 contractors to assist in the security \nclearance process. At this time, 11 are on board. The purpose of the \ncontractors is to process the high volume of applicants to the agency \nto ensure adjudication before the personnel become operational while \nstaying within the 114-day Office of the Director of National \nIntelligence (ODNI) standard.\n    Question 10. The Inspector General\'s memorandum on the improper \ndatabase access states that there was evidence of only 1 individual out \nof 18 executive-level managers who attempted to inform the Director or \nhigher levels of the supervisory chain about the information or attempt \nto remediate the activity. Do you find it concerning that some of your \nsenior leadership, which you personally appointed, did not see error in \nthis behavior?\n    Answer. The DHS OIG investigation found that 18 supervisors at the \nGS-15 or Senior Executive Service level may have known about improper \ndatabase access but only one attempted to inform the director or higher \nlevels of the supervisory chain about the information or attempt to \nremediate the activity. Additional investigation conducted by the \nSecret Service Inspection Division, with the authorization of the DHS \nOIG, included interviews of these supervisors which had not previously \nbeen conducted by the DHS OIG. This supplemental investigation revealed \nthat other supervisors with knowledge of Secret Service employees \nimproperly accessing databases or sharing protected information ordered \ntheir employees to immediately cease and desist accessing the database. 
\nFurther, the vast majority of supervisors did not receive information \nthat was attributable to a USSS data system, nor did they have any \nawareness that the rumor originated through potential misconduct.\n    Regardless, as I stated in testimony before Congress, I am \ncommitted to ensuring that all employees are held to the highest \nstandards of professional conduct, whether on or off duty. I believe \nthe behavior of the employees who violated existing Secret Service and \nDHS policies pertaining to the unauthorized access and disclosure of \ninformation protected by the Privacy Act of 1974 is unacceptable. I \nalso believe that supervisors who failed to advise employees to cease \nand desist or attempt to inform higher levels of the supervisory chain \nafter obtaining actionable information are also culpable. Those we \nprotect and the public we serve expect us to live by our oaths and the \nvalues we have established as an agency, and we should demand nothing \nless from each other. We are better than the actions illustrated in \nthis report and people, responsible supervisors and line employees \nalike, will be held accountable for their actions.\n    Question 11. Director Clancy, according to your testimony, when you \nheard of Representative Chaffetz\'s application for the Secret Service \nbeing discussed, you dismissed it as a rumor. However, according to the \nOIG\'s memorandum, you discussed this rumor at a luncheon with former \ndirectors of the Secret Service. Instead of investigating, you spread \nthe rumor. What does that say about the culture of professionalism of \nthe Secret Service?\n    Answer. I would like to address my statements and the decision of \nthe OIG to reopen the investigation on October 5, 2015. During the \nprocess of reviewing the draft, I was reminded by a colleague that I \nhad been informed of a rumor regarding the individual\'s application \nhistory on March 25. 
While I myself do not recall hearing of this \nrumor, several others have confirmed that I did, and that it was a \ngeneral rumor about the individual\'s past application; it did not \nrelate to USSS employees improperly accessing databases or sharing \nprotected information. In order to ensure accuracy within the report, \non my own initiative I contacted the OIG to correct the record. I made \nthis decision because I feel that it is important to be as forthcoming, \naccurate, and complete as possible. I expect this from my employees and \nexpect nothing less from myself.\n    The OIG published an addendum in October reporting its assessment \nof the updated information pertaining to when I was made aware of this \nrumor. Interviews with former directors, my deputy director, and my \nformer chief of staff only serve to corroborate that the information \navailable to me at the time was nothing more than a rumor. The \ninformation was not attributed to a Secret Service data system or \nindicative of any action--inappropriate or otherwise--by any Secret \nService employee. Nothing in the addendum contradicts what I have \nmaintained from the beginning--that at no time prior to April 2 was I \naware that this rumor originated in information obtained through \npotential misconduct. When I did learn of it, I took immediate action, \ncontacting the OIG and sending an official message to the workforce on \nthe handling of sensitive information.\n    Question 12. According to the Inspector General\'s memorandum, the \npersonal file from the data leak was stored on the Secret Service \nMaster Central Index or MCI system. MCI is described as a ``1980s \nvintage, electronic database and system of records.\'\' The National \nSecurity Agency conducted an analysis of the Secret Service data system \nin 2010. NSA concluded that the system was dated and fully operational \nonly 60 percent of the time. 
Why was the system not updated or removed \nuntil July of this year, only after this particular data leak?\n    Answer. The MCI upgrade was part of the Secret Service\'s broader \neffort to modernize its IT systems. This effort, known as the \nInformation Integration and Technology Transformation (``IITT\'\') \nprogram, was established in fiscal year 2010. In recognition of the \nlimitations of MCI and other mainframe applications, the Secret Service \ninitiated the Mainframe Application Refactoring (``MAR\'\') project in \n2011 to assess the existing 48 applications residing on the mainframe \nand migrate necessary capabilities and accompanying data to a non-\nmainframe, secure, highly-available and compartmentalized environment. \nDHS estimated the project would take 10 years to complete. The Secret \nService accelerated the MAR project in 2013 and was able to achieve \nproject closure on June 24, 2015.\n    Question 13. What plans do you have in place regarding the MCI and \nother outdated systems within the Secret Service? What parameters are \navailable to ensure such a gross mismanagement of access and authority \ndoes not occur again?\n    Answer. On March 24, 2015, there were technological security \ndeficiencies within the Secret Service\'s primary internal database that \ncontributed to the unauthorized access of information. These internal \nvulnerabilities have been addressed and the potential for similar \nmisconduct in the future mitigated. The MCI was a mainframe application \ndeveloped in 1984 that served as a central searching application and \ncase management system. More specifically, MCI contained records from \nprotective, investigative, and human capital divisions and served as a \nsingle access point for investigators and administrators. 
A significant \ndeficiency of this arrangement was that an MCI user had access to all \nof the data in MCI regardless of whether it was necessary for that \nuser\'s job function.\n    The Secret Service\'s Information Integration and Technology \nTransformation (``IITT\'\') program was established in fiscal year 2010. \nIn recognition of the limitations of MCI and other mainframe \napplications, the Secret Service initiated the Mainframe Application \nRefactoring (``MAR\'\') project in 2011 to assess the existing 48 \napplications residing on the mainframe and migrate necessary \ncapabilities and accompanying data to a non-mainframe, secure, highly \navailable and compartmentalized environment. DHS estimated the project \nwould take 10 years to complete. The Secret Service accelerated the MAR \nproject in 2013 and was able to achieve project closure on June 24, \n2015. At that time, all employee mainframe access was revoked. The new \nsystems are completely operational, and all legacy data has been \nmigrated to new platforms where data is locked down and access to data \nis dependent upon job function. Protective, investigative, and human \ncapital records reside in different systems, and internal controls have \nnow been implemented to restrict access to those systems in two ways. \nNow access is: (1) Limited to the respective directorates responsible \nfor the information; and/or (2) based on the role of the system user \nwithin the organization. Shutdown of MCI began at the end of July, and \nit was fully powered down on August 12, 2015. Disassembly of the \nmainframe began in August 2015, and it was physically removed from the \ndata center on September 16, 2015.\n    Question 14. In the past, you have placed agents and officers on \nadministrative leave, suspended security clearances, and provided \nlimitations on technology when agents are under investigation. 
Please \nexplain your decision to not take immediate disciplinary action on the \nsenior-level management and the other personnel who were identified as \nimproperly accessing the MCI database.\n    Answer. Disciplinary action is taken only after investigation into \nthe facts and circumstances is complete. In conjunction with this \nincident, the DHS OIG completed its investigation in late September \nand provided the supporting documentation in early October. In this \ninstance, the agency did not have all of the information necessary from \nthe OIG to contemplate disciplinary action until October 7, 2015. Even \nafter receiving the information, in some cases, it was determined \nfurther investigation by our Office of Professional Responsibility was \nrequired.\n    Question 15. In your testimony, you state that the likely maximum \ndisciplinary action each employee involved in the data breach will face \nis 12 days suspension. Does the table of penalties address violations \nof conduct that are also violations of law? Was there a discussion \nwithin the Office of Integrity and/or the Department of Homeland \nSecurity to revoke each individual\'s security clearance? If not, please \nexplain why.\n    Answer. The Table of Penalties does contain penalties that are \napplicable for violations of law. The revocation of security clearances \nis handled by the Security Clearance Division rather than the Office of \nIntegrity. Accordingly, there were no discussions within the Office of \nIntegrity or between the Office of Integrity and the Department of \nHomeland Security regarding the revocation of security clearances.\n    Question 16. The improper database access issue seems to be an \nissue with integrity, which means doing the right thing, even when no \none is looking. Please describe what trainings and communications are \nprovided to Service employees promoting integrity. 
Please also describe \nhow senior management promotes integrity to the workforce.\n    Answer. All senior executives, most Headquarters-based managers and \nsupervisors, and all field office and protective division special \nagents in charge (SAICs) are required to receive ethics training every \nyear. Training includes the use of nonpublic information.\n    LEG provides in-person training to all Washington, DC-based \nemployees required to receive it (except when exigent circumstances \nwarrant written training). SAICs outside the Washington, DC, area are \nrequired to participate in the Headquarters training sessions by \nvideo- or teleconference. LEG also visits the field offices and \nprotective divisions in one domestic region each year to personally \ntrain the SAICs and all available supervisors. SAICs are encouraged to \ninvite other available employees.\n    With respect to ethics training, in calendar year 2014, the Office \nof Chief Counsel (LEG) provided ethics training to 100% of those \nemployees required to receive it. In calendar year 2015, LEG targeted a \ngoal of 100% compliance and provided in-person training to a total of \n587 employees. LEG reports the results of its training efforts annually \nto the Office of Government Ethics.\n    LEG oversees the publication and issuance of ``Standards of \nEthical, Professional, and Personal Conduct: A Desk Reference for \nUnited States Secret Service Employees.\'\' The desk reference is a \ncomprehensive summary of the statutes, regulations, and policies that \ngovern employee conduct. When the desk reference was first published in \n2013, every employee was issued a printed, bound copy of the book. 
\nSubsequently, at the initial ethics briefing of the biweekly new \nemployee orientation, LEG has provided new employees with a printout of \nthe guide and referred them to the electronic version available on the \nSecret Service Intranet.\n    Additionally, during the winter of 2012-2013, an instructor-led \ncourse was developed entitled ``Standards of Conduct (Ethics).\'\' In \n2013, this course was incorporated into many new recruit and in-service \ncourses as depicted in the table below:\nBasic Courses\n  - The basic course instructional blocks were entitled Ethical \n        Decision Making & Standards of Conduct\n    - Special Agent Training Course.--2.5 hours\n    - Uniformed Division Training Course.--2.5 hours\n    - Mixed Basic Training Course.--3 hours\n    - Protective Detail Training Course.--3 hours\n    - Counter Assault Team Basic School.--2 hours\n    - Counter Assault Team Cycle Training.--2 hours\nIn-Service Courses\n  - The in-service course instructional blocks were entitled \n        Standards of Conduct\n    - 4th Shift Training.--2 hours\n    - Firearms Instructor Training Course.--2 hours\n    - Seminar for First-Line Supervisors.--45 minutes\n    - SA Reintegration Course.--1.5 hours\n    - UD In-Service Training Course.--1 hour\n    In addition to instructor-led training, there are also mandatory \non-line ethics courses available to all employees through the Learning \nManagement System (LMS). In April 2012, it became mandatory for all \nemployees traveling overseas to take the on-line course entitled \n``Making Decisions Ethically.\'\' In March 2015, this course was replaced \nwith the on-line ethics course entitled ``Decision Making Elements,\'\' \nwhich became a mandatory, annual requirement for all USSS employees.\n    Question 17. 
The Secret Service has now replaced the MCI system and \n95% of employees who once had access to the particular database in \nquestion no longer have access. Of the employees who will continue to \nhave access, how many were implicated in this data breach? Please \nexplain your decision to allow these individuals to continue to have \naccess to sensitive information.\n    Answer. As discussed in the response to question 13, the MCI system \nwas fully shut down in August of 2015. All legacy data was migrated to \nnew platforms where data is locked down and access to data is dependent \nupon job function. None of the individuals identified in the DHS OIG \ninvestigation into the improper access and distribution of information \ncontained within a Secret Service database now have access to applicant \ndata information.\n        Questions From Chairman Ron Johnson for Joseph P. Clancy\n    Question 1. Inappropriate use of information systems is likely a \nsecurity violation. What is the status of any on-going security \nclearance investigations and adjudications?\n    Answer. For the employees who were identified by the Department of \nHomeland Security (DHS) Office of Inspector General (OIG) as being \ninvolved in accessing a record containing personally identifiable \ninformation (PII) in the internal database, security clearance warning \nletters are being issued for inappropriate use of information systems.\n    Question 2. What is the reasoning for the Secret Service \nmaintaining records of unsuccessful applications for an extended period \nof time that contain sensitive PII?\n    Does the Secret Service currently maintain similar records of \nunsuccessful applications that are not deemed relevant?\n    Answer. At the time of the events in question, the Secret Service \nwas still governed by records retention schedules requiring this type \nof information be retained for 20 years. 
Due to the fact that these \nschedules were vetted, approved, and signed by the National Archives \nand Records Administration (NARA), adherence to these schedules was a \nmatter of legal compliance. New NARA-approved retention schedules have \nnow replaced the legacy schedules, and information relating to \napplicants who are not hired is held only for 2 years, unless a formal \nbackground investigation is conducted. If a formal background \ninvestigation is conducted, the case file is held for 5 years.\n    Question 3. Please describe the process to verify that Secret \nService employees have reviewed the Secret Service Ethics Guide on an \nannual basis.\n    Answer. This guide was distributed electronically and in hard copy \nin 2013 in response to one of the Professionalism Reinforcement Working \nGroup (PRWG) recommendations, which reads as follows:\n\n``PRWG Recommendation.--Reinforcement of Ethical Behaviors: The USSS \nnotifies its workforce regarding policy changes on discipline, \nincluding expectations on ethical behavior and conduct through issuance \nof policy directives. However, the USSS should use multiple approaches \nto reinforce the importance of ethical behavior and conduct at all \ntimes. For example, the USSS should consider issuing all current \nemployees and all new employees a user-friendly, easy-to-read manual \nhighlighting the organization\'s core values, compliance principles, \nstandards of conduct, and the expectation that employees adhere to \nstandards of ethical conduct.\'\'\n\n    The ethics guide provides a comprehensive summary of relevant \nstatutes, regulations, and policies. Many of the rules in the ethics \nguide are contained in Secret Service manual sections to which \nemployees certify on an annual basis via SSF 3218.\n      Questions From Chairman James Lankford for Joseph P. Clancy\n    Question 1a. 
During your testimony you were asked if the Secret \nService maintains paper files with personally identifiable information \n(PII) in addition to the PII stored on electronic databases.\n    Does the Secret Service still maintain paper files in any of its \noffices containing personally identifiable information (PII)?\n    Answer. Yes.\n    Question 1b. If so, who has access to such files and how are those \nfiles stored?\n    Answer. Access to records containing such information is generally \ncontrolled by the access procedures set out under the Privacy Act of \n1974, title 5 of the United States Code, section 552a (Privacy Act). \nSystem of Record Notices (SORNs) required under the Privacy Act which \nimplicate record systems maintained by the Secret Service are published \nby the Department of Homeland Security (DHS), the Office of Personnel \nManagement, and the Equal Employment Opportunity Commission. The SORN \nsets forth the routine uses for access to each system as well as the \nstorage requirements for each system. Copies of Secret Service SORNs as \nmost recently published by DHS are attached.\n    Question 1c. If so, what security controls does the Secret Service \nhave in place to prevent, detect, and respond to the unauthorized \naccess of any paper files containing PII in any of its offices?\n    Answer. Most types of PII records have specific additional \nregulatory storage, handling, and reporting protocols (e.g., storing in \na locked room with access controls/logs). Information put into inactive \nstorage includes a specific notation on National Archives form SF 135 \nthat the files must be protected under the Privacy Act.\n    Question 2. 
In the context of Secret Service employee removal \nauthority, you testified that you would like greater ability to dismiss \nemployees that violate agency policy and the law.\n    What additional removal authority would assist you in changing the \ncurrent culture and ensure that agency policy and the law is respected?\n    Answer. While we believe that current law allows for a reasonable \nprocess and means to remove employees from Federal employment in \nmisconduct cases, the pace of that removal action is often slow and \ndoes not always foster a culture of accountability. For instance, when \na case has been referred to, and accepted by, the OIG for \ninvestigation, the Secret Service can be delayed in taking action to \naddress instances of employee misconduct, including criminal \nmisconduct. In these instances the Secret Service must wait for the OIG \nto fully complete their investigation and issue a report which may lack \nthe underlying evidence, sworn statements, and sometimes be in a \nredacted format. We believe that, if OIG were to provide the Secret \nService with real-time information concerning evidence developed during \nan OIG investigation, we would, in some cases, be able to take \nexpeditious disciplinary action against employees. For instance, if the \nOIG provided the Secret Service with a sworn statement in which the \nemployee admits to the misconduct, the Secret Service could propose \ndisciplinary action in advance of receiving a finalized, formal \nreport. In this regard, we will engage with OIG to explore this \npossible change to existing procedure and any other changes that may \nlead to a greater culture of accountability in the Service workforce.\n    Question 3. 
Concerning the topic of agency whistleblowers, you \nstated ``everyone in the Service knows that whistleblowers perform a \nvital function\'\' and ``there\'s no retaliation\'\' against them.\n    Can you explain the steps the Service is currently taking to ensure \nthat all whistleblowers are properly protected and shielded from \nretaliation?\n    Answer. The Secret Service recognizes its obligation to protect the \nrights afforded to employees in making protected disclosures, including \ndisclosures made to Congress, and values the benefits derived from the \nresulting oversight.\n    The Secret Service is committed to creating open lines of \ncommunication within the agency to ensure concerns raised at any level \nreceive the attention they deserve, and to ensure that employees who \nbring concerns to light are praised for doing so, rather than \nretaliated against.\n    Biennial training on certain Federal anti-discrimination and \n``whistleblower\'\' protections is required by the No FEAR Act for all \nDepartment of Homeland Security (DHS) employees. This No FEAR Act \ncourse was developed by the DHS Office for Civil Rights and Civil \nLiberties\' (CRCL) Equal Employment Opportunity and Diversity Division \nand its CRCL Institute based on an anti-harassment training course \ncreated by the Central Intelligence Agency\'s Office for Equal \nEmployment Opportunity Office.\n    Further, an agency-wide message was issued on October 30, 2015, \nregarding ``Whistleblower Protection Awareness\'\' which referenced \npolicy manual sections related to disclosures to Congress and included \na link to ``information to help employees easily determine what they \nshould report, how to report suspected issues, what training DHS \noffers, [and] what legal protections are available . . . 
\'\'.\n    Additionally, Secret Service Manual guidelines requiring employees \nto report misconduct or retaliation were reiterated to all employees in \nan official message to the workforce on March 23, 2015. It is important \nthat employees recognize the agency\'s position on this issue, and \nDirector Clancy will continue to emphasize it to the workforce. The \nSecret Service fully respects and supports the rights of \nwhistleblowers, and retaliation of any kind is not and will not be \ntolerated. These rights and protections are clearly stated in the \nSecret Service Ethics Guide, the Table of Penalties, and within the \nSecret Service Manual.\n    Question 4a. Your testimony outlined that recent Secret Service \npolicy now requires the purging of applicant files every 2 years to \nimprove internal protections of personally identifiable information \n(PII) housed on its databases.\n    When did this policy change?\n    Answer. This policy changed on October 1, 2015. Please note, at the \ntime of the events in question, the Secret Service was still governed \nby records retention schedules requiring this type of information be \nretained for 20 years. Due to the fact that these schedules were \nvetted, approved, and signed by NARA, adherence to these schedules was \na matter of legal compliance. New NARA-approved retention schedules \nhave now replaced the legacy schedules, and information relating to \napplicants who are not hired is held only for 2 years, unless a formal \nbackground investigation is conducted. If a formal background \ninvestigation is conducted, the case file is held for 5 years.\n    Question 4b. What additional policies and training does the Secret \nService have in place to ensure PII housed on its databases is not \nimproperly accessed?\n    Answer. 
A Secret Service Information Resources Management (IRM) \ndirective entitled ``IRM Privacy Act Review\'\' includes policy for \nreviewing new IT systems or changes to existing IT systems to determine \nPrivacy Act impact. Related Secret Service and Department of Homeland \nSecurity (DHS) directives help ensure awareness of and compliance with \nPII regulations, through mechanisms such as the Privacy Threshold \nAnalysis/Privacy Impact Analysis processes.\n    Existing policies and training include longstanding guidance \nregarding the proper access to databases and handling of Privacy Act \nprotected information, which is clearly stated in the Secret Service \nEthics Guide, in the Table of Penalties, and within the Secret Service \nManual sections related to rules of behavior with respect to the use of \ninformation technology. Employees are required to certify annually that \nthey have reviewed these manual sections.\n    Additionally, the Secret Service provides a 1-hour briefing to \nSpecial Agent and Uniformed Division Training Classes that includes \nmaterial on the Privacy Act. A senior Government Information Specialist \nfrom the Freedom of Information Act and Privacy Act Branch of the \nOffice of Government and Public Affairs teaches the class and focuses, \nin part, on PII.\n    A 1-hour in-service on-line training titled ``IT Security \nAwareness\'\' is required as part of the agency\'s Federal Information \nSecurity Management Act (``FISMA\'\') obligations. 
The course outlines \nthe role of Federal employees in the protection of information and in \nensuring the secure operation of Federal information systems.\n    The Privacy Act is also discussed during in-service ethics classes \nadministered to the field by Secret Service Office of Chief Counsel \ninstructors.\n    Further, DHS requires Secret Service employees to complete annual \nin-service on-line training titled, ``Privacy at DHS: Protecting \nPersonal Information.\'\' This training was incorporated into the \nrequired curriculum in 2012 and covers proper handling of PII.\n    Finally, in August, the agency began including a dedicated block of \ninstruction for the new Special Agent Training Classes regarding the \nRelease of Information. The class provides an overview of the Privacy \nAct and the Freedom of Information Act, reviews employees\' \nresponsibilities under those Acts and the consequences for failing to \nfulfill them, and more generally, discusses the proper release and use \nof information employees have access to. A similar block of instruction \nfor the Uniformed Division Training Classes was added in November. \nFurther, additional training is provided to new hires at Secret Service \nNew Employee Orientation.\n    Question 4c. Has the Secret Service implemented any additional \npolicies and training in response to recent improper and illegal \naccesses?\n    Answer. In light of the DHS OIG report of September 25, 2015, and \nsubsequent addendum of October 22, 2015, specific guidelines have been \nestablished and are effective for processing disciplinary and adverse \nactions resulting from the misuse of Secret Service database systems \nand/or the unauthorized disclosure of sensitive information. \nAdditionally, and as stated above, in August, the agency began \nincluding a dedicated block of instruction for the new Special Agent \nTraining Classes regarding the Release of Information. 
The class \nprovides an overview of the Privacy Act and the Freedom of Information \nAct, reviews employees\' responsibilities under those Acts and the \nconsequences for failing to fulfill them, and more generally, discusses \nthe proper release and use of information employees have access to. A \nsimilar block of instruction for the Uniformed Division Training \nClasses was added in November. Further, additional training is provided \nto new hires at Secret Service New Employee Orientation.\n           Questions From Chairman Scott Perry for John Roth\n    Question 1a. After you issued the management alert on the Chaffetz \nPII incident, Director Clancy contacted your office in order to revise \nhis recollection of events. This in turn caused you to reopen the \ninvestigation and issue an addendum to the original report.\n    Has this ever occurred in any of your other reviews?\n    Answer. No.\n    Question 1b. Based on the conclusions in your addendum, would you \nbe comfortable updating the original conclusion in your report that \nindicated Director Clancy was not aware of the improper PII access \nuntil April 1? If so, when would you say Director Clancy became aware \nof the incident?\n    Answer. The addendum serves as an update to the original report, \nand concludes that on March 25, Director Clancy learned from at least 3 \nseparate sources that Chairman Chaffetz may have applied to the Secret \nService. We are unable to conclude, because Director Clancy has no \nmemory of it, the degree to which he understood how widely the \ninformation was being disseminated through the Secret Service, or \nwhether he understood that the discussion was being fueled and \nconfirmed by dozens of agents improperly accessing Secret Service data \nsystems.\n    Question 1c. Do you have concerns that Director Clancy provided a \nfalse statement to your investigators when originally interviewed?\n    Answer. 
The earlier statement was inaccurate in that he originally \nstated that he was ``fairly certain\'\' that he first learned of it on \nApril 1, the day before the media reports. We do not have any evidence \nas to his state of mind at the time he made the statement.\n    Question 2a. On the OIG website, you list management alerts, which \nare designed to ``inform senior DHS managers of conditions which pose \nan immediate and serious threat of waste, fraud, and abuse in agency \nprograms.\'\' Since July 2014, 5 of the 15 management alerts have \ninvolved the Secret Service. This is concerning given that the Service \nis significantly smaller than other DHS components.\n    How do the USSS misconduct statistics compare to other agencies \nwithin the Department?\n    Question 2b. In your opinion, and experience, do the Secret Service \nmisconduct statistics compare to other agencies of comparable size \nacross the Federal Government? Is it average, above average, below \naverage?\n    Answer. We have not done a statistical comparison of misconduct \nallegations and cases between Secret Service and other DHS components \nor other agencies in the Federal Government. Certainly the allegations \ninvolving the Secret Service that have come to light since the 2012 \nevents in Cartagena, Colombia are of grave concern and our reviews over \nthe past several years point to on-going organizational and management \nchallenges. During the current fiscal year, we will continue our \noversight of the Secret Service, including a review of its \nimplementation of the recommendations of the Protective Mission Panel. \nIn addition, we intend to evaluate the strength of the Department\'s \ndisciplinary processes. 
We will focus this review on the depth and \nbreadth of employees\' perceptions and attitudes about misconduct and \nthe application of discipline, DHS\'s established rules of conduct, and \nthe application of discipline across the Department.\n     Questions From Ranking Member Bennie G. Thompson for John Roth\n    Question 1. Since the Protective Mission Panel, you have had to be \ninvolved in investigating the Secret Service for personnel misconduct. \nYou have also issued two management advisories for the agency in 2015. \nBased on your investigations of the Secret Service, what is the agency \nlacking? What does it need to change?\n    Answer. The Secret Service needs to understand the requirements for \nbuilding an ethical culture within their organization, which consists \nof three elements: (1) Leaders (not just the top leader, but all \nthrough the organization) who create a ``tone at the top\'\' and \ndemonstrate their commitment to an ethical culture by both words and \ndeed; (2) a commitment to both the words and the spirit of a meaningful \ncode of conduct; and (3) creating a system of accountability for all of \nthose in the organization--leaders and the rank and file--who deviate \nfrom that.\n    I believe that the Secret Service needs improvement in all three \nareas. That the leadership has not created the appropriate tone is \napparent from the significant number of senior leaders and managers who \ndid nothing once they found out about the conduct. We also had the \ndeputy director of the Secret Service who failed to provide information \nduring his initial interview. This sends the message to the rank and \nfile that such behavior, notwithstanding a written code of conduct, is \nacceptable. 
While we are satisfied that the Secret Service has taken \nsteps since the Cartagena incident to establish a more uniform \ndiscipline system, I believe that more could be done to ensure that \ndeviations from the code of conduct are addressed.\n    Additionally, for an organization to change--and I believe that the \nSecret Service is in great need of change--the individuals within the \norganization must understand that there is a need for change, and \nindividuals must be empowered to create that change. I do not see \nwithin the upper levels of the organization such an understanding. \nTypically, in those circumstances change does not occur until there is \na disruptive external event that forces the organization to change.\n    Question 2. Your office issues management alerts to senior \nleadership of DHS when your office finds conditions that pose a serious \nconcern. You have issued management advisories for the Secret Service \nin April 2015 and in October 2015. Your October 2015 management \nadvisory actually warns that protectees could be in immediate danger if \nchanges are not made. Looking at the Secret Service overall, what does \nit say about the agency to have two management advisories issued in \nsuch a short period of time?\n    Answer. Both management alerts were ultimately caused by Secret \nService\'s inability to execute basic management functions in support of \nits mission. The April 2015 alert was the result of not replacing an \nalarm system at a Presidential residence that had been installed in \n1993. We found that the Secret Service did not have a formal system to \nreport and track security technical problems, maintenance and repair \nneeds, and upgrades. 
Likewise, we found that the staffing shortages \nthat we believe led to the officer fatigue issues were caused by the \nlack of a staffing and hiring plan that first would understand the \nnumber of personnel needed to staff the White House Complex without a \nreliance on excessive overtime, and second, would ensure the necessary \nadministrative infrastructure to be able to efficiently hire to the \nproper level.\n    Question 3. In October, you released a management alert after 2 \nagents were observed asleep on the job. You cited long overtime hours \nand fatigue as a reason for your concern. The Secret Service publicly \nstated it does not agree with your findings. Please describe how you \nreached your conclusion and what caused your observations to rise to \nthe level of an alert.\n    Answer. The management alert occurred after we observed agents \nasleep during 2 different site visits, at different locations, weeks \napart, on July 15 and August 11. As auditors are trained to do, we \nlooked to see if there may be a root cause for this. We found that the \novertime for 1 officer for the previous 8 weeks amounted to 157 hours--\nan average of being required to work 60 hours per week for 8 straight \nweeks. The second officer\'s overtime totaled 73 hours for the previous \n6 weeks, for an average of 52 hours per week.\n    We also found that overtime among the Uniform Division has \nsubstantially increased in the last few years. In fiscal year 2013, it \naveraged 362 hours per position; in fiscal year 2015, it averaged 597.4 \nhours per position--a 39% increase in 3 years. We also found that the \nproblem was getting worse, not better. The overtime was necessary \nbecause of a lack of officers; yet, in fiscal year 2015 the Uniform \nDivision lost 162 officers through attrition, but managed to hire only \n152--a net loss of 10 officers. 
Finally, we found that until recently \nthe Secret Service had not engaged in a staffing plan or model to \nunderstand the staffing level it would need to ensure that it did not \nrely on excessive overtime to accomplish its mission.\n    Question 4. Does the Management Alert issued by your office \nindicate any connection between these incidents and either absent or \nineffective Secret Service policies to ensure sustainable staffing \npractices and work-life balance?\n    Answer. Yes. As I indicated in the answer to the last question, the \nUniform Division officers are being asked to take on an unsustainable \nburden. What concerned us is the lack of effective response from the \nSecret Service leadership. The Protective Mission Panel alerted the \nDepartment to this a year ago, and yet, as evidenced by the failure to \nhire even to the current level of attrition, the Secret Service has not \nresponded in a manner that recognizes the severity of the problem. \nHence, the management alert.\n    Question 5. Improving morale at DHS is of particular priority to \nthis committee and myself. You state in the management alert that USSS \nreported that ``it recognizes that employee morale suffers when \ndecreased staffing levels result in increased overtime and travel \nrequirements, and decreased opportunities for training.\'\' In your time \ninvestigating the Secret Service, have you observed times where morale \nis in fact impacted? What factors would you say contribute to low \nmorale in the Service?\n    Answer. There is significantly low morale within the Secret \nService. As noted in the most recent results of the Federal Employee \nViewpoint Survey, the Secret Service is second to last. We believe that \nthe inability to address the fundamental management issues, including \noutdated technology and insufficient staffing, is a significant driver \nof poor morale.\n    Question 6. 
Based on your investigation, were personnel within the \nService sufficiently informed of the proper use of USSS computer \nsystems and the care needed for sensitive information, whether via \ntraining, manuals, oral communications, etc.?\n    Answer. Yes. Secret Service policies include Information Technology \nRules of General Behavior that cover employees\' use of all Secret \nService IT systems. The policy requires employees to safeguard \nSensitive, Classified, and privacy-related information against \nunauthorized disclosure to the public. It further requires that all \nSecret Service personnel acknowledge review and understanding of the \nprovisions enumerated in that policy upon entering on duty with the \nSecret Service and annually thereafter. In addition, the Secret \nService\'s Table of Penalties includes penalties for unauthorized use of \na Government computer and disclosure of information in violation of the \nPrivacy Act.\n    Also applicable to the Secret Service are DHS-wide policies \ncontained in the DHS Handbook for Safeguarding Sensitive Personally \nIdentifiable Information, which also prohibits all employees from \nbrowsing files containing Sensitive PII out of curiosity or for \npersonal reasons.\n    In addition to these policies, the log-on screen for the MCI \ndatabase contained specific warnings that the system could be used for \nauthorized Government business only.\n    Question 7. You state in your memorandum that although agents were \ntrained on use of the system and received yearly refresher trainings, \nit was apparent that many of the agents disregarded that training. What \ndid you observe in your investigation that led you to this conclusion?\n    Answer. In response to interview questions by OIG agents, many of \nthe Secret Service employees who authorized Chairman Chaffetz\' MCI \nrecord without authorization insisted that their actions were \nappropriate. 
Some acknowledged ignoring the warning banner on the MCI \nlogon screen. Others thought that accessing the database, even without \na legitimate business purpose, was okay because it was ``our \ndatabase.\'\'\n    Question 8. Your office only reviewed the MCI system for those \nindividuals who accessed Congressman Chaffetz\' personal file. \nTherefore, it is possible that other individuals were also searched in \nthe database. Based on your review of the system and interviews with \nService employees, do you believe employees frequently utilized the MCI \nsystem improperly, in particular to research individuals? If so, how \nfrequently do you believe this occurs?\n    Answer. Based on our interviews, it appeared that there was a \ncasual attitude about the rules regarding the use of the system. This \nwas obvious in the number of individuals who conducted improper \nsearches of Chairman Chaffetz\' name. We found no reason that this did \nnot occur before for other individuals.\n    Question 9. Based on your experience in accountability and law \nenforcement across the Federal Government, do you have any concerns \nabout these employees\' status while under adjudication? As DHS \nInspector General, would you advise Department and Secret Service \nleadership to change policies related to employees subject to \ndisciplinary review in any way?\n    Answer. The use of paid administrative leave for DHS employees \nfacing misconduct investigations and adjudications is a matter \ncurrently being reviewed by the Government Accountability Office and we \nlook forward to reviewing the analysis and recommendations contained in \nits upcoming report.\n    We should note that as a general matter, Federal law allows \nagencies to suspend an employee indefinitely without pay if there is \nreasonable cause to believe that a crime has been committed for which a \nterm of imprisonment may be imposed. 
Laws and policies regarding \nemployees subject to disciplinary review should ultimately be balanced \nagainst critical due process safeguards to ensure fairness and \nconsistency to the Federal workforce.\n          Questions From Chairman James Lankford for John Roth\n    Question 1a. During your testimony you indicated that the MCI \ndatabase was unable to audit accesses without a specific program \nwritten for each search term.\n    Since the migration to an updated database system, what audit \ncapability and checks (automatic or manual) are now in place?\n    Answer. We are currently conducting a technical security assessment \nof the Secret Service\'s updated database systems that when complete, \nwill answer this question. Specifically, our Office of Information \nTechnology Audits is reviewing the information systems the Secret \nService currently uses to store and retrieve data and information \npreviously stored in the MCI database. Our assessment is designed: (1) \nTo verify that the MCI is in fact no longer in use, (2) identify which \nsystems currently house MCI data, (3) determine the level of physical \nand system controls implemented to secure the data from further \ninstances of unauthorized access, and (4) identify gaps in the security \nposture. We plan to issue our final report in February 2016, and I look \nforward to discussing our conclusions with you and your staff at that \ntime.\n    Question 1b. Based on your investigation, would a regularly \noccurring, agency-wide OIG audit of PII searches help change Secret \nService culture regarding the protection of PII?\n    Answer. We believe that the best way to prevent future activity of \nthe type we saw here would be for Secret Service to focus to a greater \ndegree on its information security program. Modern data systems with \nappropriate audit and access controls, when coupled with appropriate \nagency processes, policies, and procedures, would prevent unauthorized \naccess to information. 
Every year, we audit, pursuant to the Federal \nInformation Security Act (FISMA), DHS\' information systems. FISMA \nrequires IGs to perform evaluations of Departmental implementation of \nthe 11 program-level security authorization activities. DHS OIG \nperforms tests to determine how the Department\'s components are \nimplementing these activities.\n    From fiscal year 2013 to the present, Secret Service has done \npoorly on these FISMA reviews compared with other DHS components. For \nexample, as of September 2015, USSS failed to meet the Department\'s \n``security authorizations\'\' target of 100% for ``high value assets\'\' \nand 95% for ``all other FISMA systems\'\' as USSS only scored 75% and 58% \nrespectively. In addition, USSS only scored 38% in ``weakness \nremediation,\'\' where the Department\'s target was 90%.\n    We believe that focusing on modernizing and securing Secret Service \ndata systems, in combination with training and other efforts to create \nan ethical culture (such as a uniformly administered system for dealing \nwith deviations from a defined standard of conduct) are the best way to \nchange the culture with regard to the use of PII.\n    Question 1c. Based on your investigation, what recommendations \nwould you make to change Secret Service culture regarding PII?\n    Answer. As noted in the above question, the systems that the Secret \nService uses to store PII must have audit and access controls that help \nensure the security and confidentiality of Privacy Act-protected \nrecords. Training about PII and its appropriate handling and \nsafeguarding should be reinforced and reemphasized. Ultimately, change \nwill come when management does not tolerate the deliberate or grossly \nnegligent mishandling of PII and employees who violate Department and \nSecret Service policies and/or the Privacy Act face disciplinary \nconsequences for their actions.\n    Question 2a. 
Your testimony reflects that agents seemed to consider \npersonal data on Secret Service databases as theirs to access as they \npleased.\n    What training policy updates have been or should be made to correct \nthis mindset reflected in your investigation?\n    Answer. Our investigation did not determine what changes, if any, \nSecret Service has made to their training policies as a result of this \nincident. Our next FISMA audit will determine the overall level of \ntraining Secret Service personnel receive.\n    Question 3a. The September 2015 Department of Homeland Security \n(DHS) Office of the Inspector General (OIG) report titled \n``Investigation into the Improper Access and Distribution of \nInformation Contained Within a Secret Service Data System\'\' did not \naudit the 45 Secret Service employees for unauthorized access of \npersonally identifiable information on the agency\'s databases prior to \nthe Congressman Chaffetz matter starting on March 25, 2015.\n    Should DHS OIG conduct additional audits of these 45 Secret Service \nemployees for unauthorized accesses prior to this date?\n    Answer. We share the concern that it is possible that these \nspecific employees mishandled or accessed files without authorization \nprior to this specific investigation--whether related to Chairman \nChaffetz or others. Due to the technical limitations of the MCI \ndatabase, it would be nearly impossible for us to conduct additional \naudits of these 45 employees. Moreover, according to the Secret \nService, the MCI mainframe has been disassembled as of September 2015 \nso it is unclear whether additional audits can be performed on the \nsystem.\n            Question From Chairman Ron Johnson for John Roth\n    Question. The DHS OIG concluded that 4 of the 45 Secret Service \nemployees that accessed the PII information of Congressman Chaffetz \nwere authorized to do so. 
What was the criterion for determining if the \nSecret Service employee that accessed the information of Congressman \nChaffetz in the MCI database was authorized or unauthorized?\n    Answer. To determine whether Secret Service employees were \nauthorized or unauthorized to access Chairman Chaffetz\' information in \nthe MCI database, we analyzed whether they had an official purpose to \naccess the record. Officials who examined the record in connection with \nthe performance of assigned duties and who had to access the record in \norder to perform those assigned duties properly were considered \nauthorized.\n    For example, employees at a specific field office received a press \ninquiry as to whether Chairman Chaffetz had applied to that office. \nWhile the office appropriately declined to comment to the press, as \npart of their due diligence, they accessed the system to determine \nwhether it was true. Likewise, one employee in headquarters was \ndirected by his superior to do so, as part of deciding what management \nsteps to take.\n    However, a number of supervisors accessed the information, \npurportedly to determine whether the talk about Chairman Chaffetz was \ntrue. Accessing the record in that circumstance was inappropriate and \nnot in connection with an official purpose because the truth or falsity \nof the information was irrelevant to directing their subordinates to \nuse Secret Service data systems only for official Government purposes, \nand not to satisfy personal curiosity. This was especially the case \nsince, with a few narrow exceptions, these supervisors did nothing with \nthis information, such as reporting it up the chain to their superiors.\n       Question From Chairman Scott Perry for Joel C. Willemssen\n    Question. 
Based on your expertise and what you have heard today, \nhow can agencies, and specifically DHS and the Secret Service, ensure \nthey have the proper internal security controls so that only the right \nemployees, with a need to know, can access sensitive information such \nas PII?\n    Answer. Agencies first need to establish and communicate policies \nfor collecting, storing, accessing, using, and retaining personally \nidentifiable information (PII)\\1\\ and other sensitive information. The \npolicies should state when it is appropriate to access such \ninformation, when it is not, and the consequences for willful \nnoncompliance. In addition, managers, supervisors, and employees should \nbe informed and trained regarding their respective responsibilities for \nsafeguarding PII.\n---------------------------------------------------------------------------\n    \\1\\ PII is any information that can be used to distinguish or trace \nan individual\'s identity, such as name, date and place of birth, Social \nSecurity number, or other types of personal information that can be \nlinked to an individual, such as medical, educational, financial, and \nemployment information.\n---------------------------------------------------------------------------\n    In addition, agencies, including the Department of Homeland \nSecurity (DHS) and the Secret Service, can implement several protective \nmeasures to control access to PII and other sensitive information. As \nwe reported in September 2015,\\2\\ access controls limit, prevent, or \ndetect inappropriate access to computer resources, including PII and \nother sensitive information, thereby protecting them from unauthorized \nuse, modification, disclosure, and loss. These controls include \nensuring that only personnel with a need to know are authorized access \nto sensitive information. 
Agencies implement authorization controls by, \nfor example, uniquely identifying all users, periodically reviewing \nsystem access, disabling accounts of users who no longer need access, \nand assigning the lowest level of permission necessary for a task.\n---------------------------------------------------------------------------\n    \\2\\ GAO, Federal Information Security: Agencies Need to Correct \nWeaknesses and Fully Implement Security Programs, GAO-15-714 \n(Washington, DC: Sept. 29, 2015).\n---------------------------------------------------------------------------\n    Agencies should also implement audit and monitoring controls, which \nestablish individual accountability, monitor compliance with security \npolicies, and investigate security violations. These controls help \ndetermine what, when, and by whom specific actions have been taken on a \nsystem and can be used to monitor users\' access of sensitive \ninformation, including PII. To implement controls for monitoring \naccess, agencies can install software that provides an audit trail or \nlogs of system activity that can be used to determine the source of an \naction or activity.\nQuestions From Ranking Member Bennie G. Thompson for Joel C. Willemssen\n    Question 1. GAO\'s September 2015 report on information security \nspeaks directly to weaknesses in limiting, preventing, and detecting \ninappropriate access to computer resources. Please provide us with \nexamples of what other Federal agencies are doing to better monitor \ninappropriate internal data access.\n    Answer. As we reported,\\3\\ agencies can monitor inappropriate data \naccess by implementing audit and monitoring controls. These controls \nestablish individual accountability, monitor compliance with security \npolicies, and investigate security violations. 
Audit and monitoring \ncontrols help determine what, when, and by whom specific actions have \nbeen taken on a system and can be used to monitor users\' access to \nsensitive information such as PII. In March 2015, we reported \\4\\ that \nthe Internal Revenue Service (IRS) continued to enhance its audit and \nmonitoring capability. Specifically, IRS had strengthened the audit and \nmonitoring processes of its mainframe by enabling the monitoring of \nchanges to certain controls over the management of data.\n---------------------------------------------------------------------------\n    \\3\\ GAO-15-714.\n    \\4\\ GAO, Information Security: IRS Needs to Continue to Improve \nControls over Financial and Taxpayer Data, GAO-15-337 (Washington, DC: \nMar. 19, 2015).\n---------------------------------------------------------------------------\n    In addition, the Treasury Inspector General for Tax Administration \n(TIGTA) monitors access and refers instances of willful unauthorized \ninspection of taxpayer data for administrative actions or prosecution. \nFor example, according to TIGTA, for fiscal years 2014 and 2015, its \nOffice of Investigations successfully prosecuted 15 investigations. \nSeven of the 15 were for violating the Taxpayer Browsing Protection Act \nof 1997.\\5\\ The remaining 8 were prosecuted for unauthorized access \nrelated to the use of a Government computer.\n---------------------------------------------------------------------------\n    \\5\\ The Taxpayer Browsing Protection Act was enacted on August 5, \n1997, and made willful unauthorized inspection of taxpayer data \nillegal. Pub. L. 105-35, 111 Stat. 1104 (1997).\n---------------------------------------------------------------------------\n    Question 2. Your September 2015 report lists 5 different areas of \npotential weaknesses in agency compliance: Did GAO\'s analysis find \nweaknesses in compliance by DHS in any of these 5 areas, and if so, \nwhich one(s)?\n    Answer. 
Yes, our analysis of agency, inspector general, and our \nreports identified weaknesses at DHS for all 5 areas. These areas \nincluded controls intended to: (1) Limit unauthorized access to agency \nsystems and information; (2) ensure that software and hardware are \nauthorized, updated, monitored, and securely configured; (3) \nappropriately divide duties so that no single person can control all \naspects of a computer-related operation; (4) establish plans for \ncontinuing information system operations in the event of a disaster, \nand (5) provide a security management framework for understanding risks \nand ensuring that controls are selected, implemented, and operating as \nintended.\n    Question 3. Earlier this year, GAO released a report stating that \nOMB, in consultation with DHS, should enhance its security program \nreporting guidance and located information security weaknesses. Speak \nto your findings as it relates to this particular data leak. What \nimprovements should DHS, and in particular the Secret Service, \nimplement in areas of access control, segregation of duties, and \nsecurity management?\n    Answer. Our findings do not specifically address the incident that \noccurred at the Secret Service. However, the Federal Information \nSecurity Modernization Act of 2014 (FISMA)\\6\\ now requires OMB to \ninclude in its annual report to Congress a summary of major agency \ninformation security incidents, such as the incident at the Secret \nService.\n---------------------------------------------------------------------------\n    \\6\\ The Federal Information Security Modernization Act of 2014 was \nenacted as Pub. L. No. 113-283 (Dec. 18, 2014). FISMA 2014 largely \nsupersedes the very similar Federal Information Security Management Act \nof 2002 (FISMA 2002), Pub. L. No. 107-347, Title III (Dec. 
17, 2002), \nand expands the role and responsibilities of the Department of Homeland \nSecurity, but retains many of the requirements for Federal agencies\' \ninformation security programs previously set by the 2002 law.\n---------------------------------------------------------------------------\n    In September 2015, we reported \\7\\ on the adequacy of the \ninformation security policies and practices of the 24 agencies covered \nby the Chief Financial Officers (CFO) Act of 1990.\\8\\ Like most other \nagencies, DHS had weaknesses in each of the 5 control areas we track, \nincluding access controls, segregation of duties, and security \nmanagement.\n---------------------------------------------------------------------------\n    \\7\\ GAO-15-714.\n    \\8\\ The 24 Chief Financial Officers Act agencies are the \nDepartments of Agriculture, Commerce, Defense, Education, Energy, \nHealth and Human Services, Homeland Security, Housing and Urban \nDevelopment, the Interior, Justice, Labor, State, Transportation, the \nTreasury, and Veterans Affairs; the Environmental Protection Agency; \nGeneral Services Administration; National Aeronautics and Space \nAdministration; National Science Foundation; Nuclear Regulatory \nCommission; Office of Personnel Management; Small Business \nAdministration; Social Security Administration; and the U.S. Agency for \nInternational Development.\n---------------------------------------------------------------------------\n    To improve their access controls, DHS and the Secret Service should \nensure the enforcement of the principle of ``least privilege,\'\' where \nemployees are granted the minimum level of access necessary to perform \ntheir duties. DHS and the Secret Service should also ensure that \nincompatible duties are separated and that employees understand their \nresponsibilities. 
Separation of duties can be implemented through \nformal operating procedures, supervision, and reviewing access \nauthorizations, among other things.\n    To improve security management activities, both DHS and the Secret \nService should ensure that they fully implement entity-wide information \nsecurity programs so that risks are understood and that effective \ncontrols are selected, implemented, and operating as intended.\n    Question 4. Can you confirm that given the scope of GAO\'s \nengagement, analysts collected information with regard to information-\nsecurity compliance by the Department of Homeland Security overall, and \ndid not collect any information with regard to Secret Service practices \nspecifically?\n    Answer. As part of our audit of Federal agencies\' implementation of \nthe provisions of FISMA, we collected information on the information \nsecurity efforts of the 24 Federal agencies covered by the CFO Act, \nincluding DHS. However, we did not collect or receive any information \nregarding specific security practices at the Secret Service.\n    Question 5. Does it seem reasonable to you to conclude that Secret \nService faces some of the management challenges highlighted in the \nlatest High-Risk Update, and that leaders of the Secret Service must \ndemonstrate the ``continued perseverance\'\' in improving agency \nmanagement culture that the Comptroller General calls for in the \nUpdate?\n    Answer. Yes, it would be reasonable to conclude that the Secret \nService faces some of the same management challenges. For example, in \nthe most recent update to our High-Risk series \\9\\ we lauded DHS\'s \nprogress in strengthening its management functions, but concluded that \nthe Department still faces significant management challenges. 
Such \nchallenges include improving employee morale, a challenge that the \nSecret Service could also face with its employees.\n---------------------------------------------------------------------------\n    \\9\\ GAO, High-Risk Series: An Update, GAO-15-290 (Washington, DC: \nFeb. 11, 2015).\n---------------------------------------------------------------------------\n    For example, according to the Partnership for Public Service\'s 2015 \nrankings of the Best Places to Work in the Federal Government, the \nSecret Service ranked 319 of 320 agency subcomponents Government-wide. \nAdditionally, according to the Partnership for Public Service\'s analysis \nof Federal Employee Viewpoint Survey data, employee satisfaction and \ncommitment among Secret Service employees consistently declined from \nfiscal year 2011 through fiscal year 2015.\n    Question 6. In your testimony, you state that this particular \nimproper data access is the most common among agencies--too many \nindividuals having access to a broad range of data unrelated to their \njob responsibilities. What solutions are available to fix this broad \ninformation access and better monitor employees\' use of data systems?\n    Answer. In September 2015, we reported \\10\\ that 22 of the 24 CFO \nAct agencies had weaknesses with limiting, preventing, and detecting \nunauthorized access to agency systems and information. Specifically, 18 \nagencies had weaknesses in controls that are intended to limit user \naccess to only that necessary for performing their work. When granting \naccess to users, agencies should provide only the minimum access \nnecessary for performing their duties. In addition, agencies should \nimplement audit and monitoring controls to monitor users\' access of \nsensitive information such as PII. 
These controls can help determine \nwhat, when, and by whom specific actions have been taken on a system.\n---------------------------------------------------------------------------\n    \\10\\ GAO-15-714.\n---------------------------------------------------------------------------\n     Questions From Chairman James Lankford for Joel C. Willemssen\n    Question 1a. Your testimony reflects that the Social Security \nAgency has personal identifying information (PII) on nearly every U.S. \ncitizen, and that agencies such as the VA, Department of Education, and \nCFPB also house substantial amounts of PII.\n    What are the most effective means for auditing employee access of \nPII at these agencies?\n    Answer. As we reported in September 2015,\\11\\ agencies should use \naudit and monitoring controls to establish individual accountability, \nmonitor compliance with security policies, and investigate security \nviolations. These controls help determine what, when, and by whom \nspecific actions have been taken on a system and can be used to monitor \nusers\' access of sensitive information, such as personally identifiable \ninformation (PII).\\12\\\n---------------------------------------------------------------------------\n    \\11\\ GAO, Federal Information Security: Agencies Need to Correct \nWeaknesses and Fully Implement Security Programs, GAO-15-714 \n(Washington, DC: Sept. 
29, 2015).\n    \\12\\ PII is any information that can be used to distinguish or \ntrace an individual\'s identity, such as name, date and place of birth, \nSocial Security number, or other types of personal information that can \nbe linked to an individual, such as medical, educational, financial, \nand employment information.\n---------------------------------------------------------------------------\n    To monitor users\' access and actions, agencies can install software \nthat provides an audit trail or logs of system activity that can be \nused to determine the source of an action or activity. Agencies can \nalso monitor users\' access by implementing other technologies such as \nnetwork- and host-based intrusion detection systems, security event \ncorrelation tools, and computer forensics. Network-based intrusion \ndetection systems capture or ``sniff\'\' and analyze network traffic in \nvarious parts of a network.\n    Question 1b. Which Government-wide, unimplemented GAO \nrecommendations concerning PII protection should be put into place \nfirst?\n    Answer. We currently have 1 Government-wide PII-related \nrecommendation whose implementation status we are evaluating. This \nrecommendation was made to the Office of Management and Budget (OMB) in \nour 2013 report \\13\\ regarding our finding that the 8 agencies we \nreviewed had inconsistently implemented data breach policies and \nprocedures. We recommended that, to improve the consistency and \neffectiveness of Government-wide data breach response programs, OMB \nshould update its guidance on Federal agencies\' responses to PII-\nrelated data breaches. OMB neither agreed nor disagreed with our \nrecommendation.\n---------------------------------------------------------------------------\n    \\13\\ GAO, Information Security: Agency Responses to Breaches of \nPersonally Identifiable Information Need to Be More Consistent, GAO-14-\n34 (Washington, DC: Dec. 
9, 2013).\n---------------------------------------------------------------------------\n    According to OMB, it has set a date of March 16, 2016, for updating \nits PII protection guidance to reflect current best practices and \nrecent lessons learned regarding privacy protections and data breach \nstandards.\n    Question 2a. You testified that it was perplexing to you why the \nSecret Service would still have PII information on Congressman Chaffetz \nfrom 2003, given the National Archives and Records Administration \n(NARA) requirement to properly dispose of such information once it is \nno longer needed.\n    How well are agencies complying with the NARA requirements to \ndispose or archive personal information once it is no longer needed?\n    Answer. We have not performed work specifically addressing the \nextent to which agencies are complying with the National Archives and \nRecords Administration\'s (NARA) requirements for disposing or archiving \npersonnel information that is no longer needed. 
However, in May 2015, \nwe reported that Federal agencies took actions toward implementing \nrequirements set forth in a NARA and OMB joint directive on managing \nGovernment records.\\14\\ To illustrate:\n---------------------------------------------------------------------------\n    \\14\\ GAO, Information Management: Additional Actions Are Needed to \nMeet Requirements of the Managing Government Records Directive, GAO-15-\n339 (Washington, DC: May 14, 2015).\n---------------------------------------------------------------------------\n  <bullet> Twenty-three of the 24 Federal agencies we reviewed \n        implemented the requirement to develop and begin implementing \n        plans to manage all permanent records in an electronic format.\n  <bullet> Twenty-one of these 24 agencies implemented the requirement \n        to identify for transfer and reporting those permanent records \n        in existence for more than 30 years.\n  <bullet> Twenty of the 24 agencies implemented the requirement to \n        identify all unscheduled records that have not been properly \n        scheduled.\\15\\\n---------------------------------------------------------------------------\n    \\15\\ Scheduling is the means by which agencies identify Federal \nrecords, determine time frames for their disposition, and identify \npermanent records of historical value that are to be transferred to \nNARA for preservation and archiving. Unscheduled records are those \nrecords that have not had their value assessed or their disposition \ndetermined.\n---------------------------------------------------------------------------\n    Nevertheless, 5 agencies we reviewed did not fully meet those \nrequirements, and we recommended that they and NARA take certain \ncorrective actions. We did not make any recommendations to the \nDepartment of Homeland Security (DHS).\n    Question 3a. 
Under the Federal Information Security Modernization \nAct of 2014 (FISMA) the Office of Management and Budget (OMB) is \nrequired to maintain oversight responsibilities of Federal information \nsecurity programs and ensure minimum security requirements for \nGovernment-wide information security programs and practices.\n    What is your assessment of OMB\'s fulfillment of these \nresponsibilities over the last several years?\n    Answer. During the 12 years from when the Federal Information \nSecurity Management Act of 2002 (FISMA 2002) was enacted into law to \nwhen it was largely replaced by FISMA 2014,\\16\\ Executive branch \noversight of agency information security has evolved. As part of its \nFISMA 2002 oversight responsibilities, OMB issued annual instructions \nfor agencies and inspectors general to meet FISMA 2002 reporting \nrequirements. During that time we made recommendations to OMB for \nimproving its oversight of agencies\' security programs. For example, in \n2013 we recommended \\17\\ that OMB and DHS provide insight into \nagencies\' security programs by developing additional metrics for key \nsecurity areas such as those for periodically assessing risk and \ndeveloping subordinate security plans. We also recommended that metrics \nfor FISMA reporting be developed to allow inspectors general to report \non the effectiveness of agencies\' information security programs. OMB \ngenerally agreed with our recommendations. DHS also agreed with our \nrecommendations and identified the actions it had taken or planned to \ntake to address them.\n---------------------------------------------------------------------------\n    \\16\\ The Federal Information Security Modernization Act of 2014 was \nenacted as Pub. L. No. 113-283 (Dec. 18, 2014). FISMA 2014 largely \nsupersedes the very similar Federal Information Security Management Act \nof 2002 (FISMA 2002), Pub. L. No. 107-347, Title III (Dec. 
17, 2002), \nand expands the role and responsibilities of the Department of Homeland \nSecurity, but retains many of the requirements for Federal agencies\' \ninformation security programs previously set by the 2002 law.\n    \\17\\ GAO, Federal Information Security: Mixed Progress in \nImplementing Program Components; Improved Metrics Needed to Measure \nEffectiveness, GAO-13-776 (Washington, DC: Sept. 26, 2013).\n---------------------------------------------------------------------------\n    In February 2013, we reported \\18\\ that when OMB transferred \nseveral of its oversight responsibilities to DHS through a joint \nmemorandum,\\19\\ it was not clear how the two organizations would share \nthese responsibilities. In that report, we suggested that Congress \nconsider legislation to better define roles and responsibilities for \nimplementing and overseeing Federal information security programs. In \nDecember 2014, Congress passed FISMA 2014 to improve cybersecurity and \nclarify cybersecurity oversight roles and responsibilities, among other \nthings.\n---------------------------------------------------------------------------\n    \\18\\ GAO, Cybersecurity: National Strategy, Roles, and \nResponsibilities Need to Be Better Defined and More Effectively \nImplemented, GAO-13-187 (Washington, DC: Feb. 14, 2013).\n    \\19\\ OMB, Memorandum M-10-28, Clarifying Cybersecurity \nResponsibilities and Activities of the Executive Office of the \nPresident and the Department of Homeland Security (Washington, DC: July \n6, 2010).\n---------------------------------------------------------------------------\n    FISMA 2014 is intended to address the increasing sophistication of \ncybersecurity attacks, promote the use of automated security tools with \nthe ability to continuously monitor and diagnose the security posture \nof Federal agencies, and provide for improved oversight of Federal \nagencies\' information security programs. 
The act also clarifies and \nassigns additional responsibilities to OMB, DHS, and Federal Executive \nbranch agencies.\n    In carrying out its FISMA responsibilities, OMB has increased its \nefforts to oversee agencies\' implementation of information security. \nFor example, OMB created the Cyber and National Security Team, called \nthe E-Gov Cyber Unit, to strengthen Federal cybersecurity through \ntargeted oversight and policy issuance. In September 2015, we reported \nthat OMB, along with DHS, had increased oversight and assistance to \nFederal agencies in implementing and reporting on information security \nprograms.\\20\\\n---------------------------------------------------------------------------\n    \\20\\ GAO-15-714.\n---------------------------------------------------------------------------\n    In June 2015, in response to the Office of Personnel Management \nsecurity breaches and to protect Federal systems from emerging threats, \nthe Federal Chief Information Officer launched a 30-day Cybersecurity \nSprint.\\21\\ As part of this effort, the Federal Chief Information \nOfficer instructed Federal agencies to immediately take a number of \nsteps to further protect Federal information and assets and to improve \nthe resilience of Federal networks.\n---------------------------------------------------------------------------\n    \\21\\ In June 2015, the Federal Chief Information Officer launched \nthe 30-day Cybersecurity Sprint, during which agencies were to take \nimmediate actions to combat cyber threats within 30 days. 
Actions \nincluded patching critical vulnerabilities, tightening policies and \npractices for privileged users, and accelerating the implementation of \nmulti-factor authentication.\n---------------------------------------------------------------------------\n    Most recently, in October 2015, OMB issued a cybersecurity strategy \nimplementation plan that is intended to strengthen Federal civilian \nagencies\' cybersecurity.\\22\\ The plan is to address Government-wide \ncybersecurity gaps through five objectives: (1) Prioritized \nidentification and protection of high-value information and assets; (2) \ntimely detection of and rapid response to cyber incidents; (3) rapid \nrecovery from incidents when they occur and accelerated adoption of \nlessons learned from the Cybersecurity Sprint assessment; (4) \nrecruitment and retention of the most highly-qualified cybersecurity \nworkforce; and (5) efficient and effective acquisition and deployment \nof existing and emerging technology. The plan addresses our \nrecommendation that the White House develop an overarching strategy for \nimproving cybersecurity.\\23\\\n---------------------------------------------------------------------------\n    \\22\\ OMB, Memorandum M-16-04, Cybersecurity Strategy and \nImplementation Plan for the Federal Civilian Government (Washington, \nDC: Oct. 30, 2015).\n    \\23\\ GAO, Cybersecurity: National Strategy, Roles, and \nResponsibilities Need to Be Better Defined and More Effectively \nImplemented, GAO-13-187 (Washington, DC: Feb. 14, 2013).\n---------------------------------------------------------------------------\n    Question 3b. What GAO findings regarding OMB\'s oversight of \nGovernment-wide information security programs demonstrate the greatest \nrisks for exposure of PII?\n    Answer. 
As previously mentioned, we reported \\24\\ that the 8 \nFederal agencies we reviewed generally developed, but inconsistently \nimplemented, policies and procedures for responding to data breaches \ninvolving PII that addressed key practices specified by OMB and the \nNational Institute of Standards and Technology. We attributed agencies\' \ninconsistent implementation of data breach policies and procedures to \nincomplete guidance from OMB.\n---------------------------------------------------------------------------\n    \\24\\ GAO-14-34.\n---------------------------------------------------------------------------\n    Also, in 2012, we reiterated \\25\\ our previous finding reported in \n2008 \\26\\ that while the Privacy Act, the E-Government Act, and related \nOMB guidance set minimum requirements for agencies, such laws and \nguidance may not consistently protect PII in all circumstances of its \ncollection and use throughout the Federal Government and may not fully \nadhere to key privacy principles. We stressed that unilateral action by \nOMB might not be the best way to strike an appropriate balance between \nthe Government\'s need to collect, process, and share personally \nidentifiable information and the rights of individuals to know about \nsuch collections and be assured that they are only for limited purposes \nand uses. 
We suggested that Congress consider amending applicable laws \nsuch as the Privacy Act and E-Government Act by:\n---------------------------------------------------------------------------\n    \\25\\ GAO, Privacy: Federal Law Should Be Updated to Address \nChanging Technology Landscape, GAO-12-961T (Washington, DC: July 31, \n2012).\n    \\26\\ GAO, Privacy: Alternatives Exist for Enhancing Protection of \nPersonally Identifiable Information, GAO-08-536 (Washington, DC: May \n19, 2008).\n---------------------------------------------------------------------------\n  <bullet> revising the scope of the laws to cover all PII collected, \n        used, and maintained by the Federal Government;\n  <bullet> setting requirements to ensure that the collection and use \n        of personally identifiable information is limited to a stated \n        purpose; and\n  <bullet> establishing additional mechanisms for informing the public \n        about privacy protections by revising requirements for the \n        structure and publication of public notices.\n\n                                 [all]\n</pre></body></html>\n'