[Senate Hearing 114-449]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 114-449

      UNDER ATTACK: FEDERAL CYBERSECURITY AND THE OPM DATA BREACH

=======================================================================

                                  HEARING

                                BEFORE THE

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                    ONE HUNDRED FOURTEENTH CONGRESS


                             FIRST SESSION

                               __________

                             JUNE 25, 2015

                               __________

        Available via the World Wide Web: http://www.fdsys.gov/

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs
        
        
        

                       U.S. GOVERNMENT PUBLISHING OFFICE
20-565 PDF                  WASHINGTON : 2016
_______________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).



        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                    RON JOHNSON, Wisconsin Chairman
JOHN McCAIN, Arizona                 THOMAS R. CARPER, Delaware
ROB PORTMAN, Ohio                    CLAIRE McCASKILL, Missouri
RAND PAUL, Kentucky                  JON TESTER, Montana
JAMES LANKFORD, Oklahoma             TAMMY BALDWIN, Wisconsin
MICHAEL B. ENZI, Wyoming             HEIDI HEITKAMP, North Dakota
KELLY AYOTTE, New Hampshire          CORY A. BOOKER, New Jersey
JONI ERNST, Iowa                     GARY C. PETERS, Michigan
BEN SASSE, Nebraska

                    Keith B. Ashdown, Staff Director
       William H.W. McKenna, Chief Counsel for Homeland Security
             David S. Luckey, Director of Homeland Security
              Gabrielle A. Batkin, Minority Staff Director
           John P. Kilvington, Minority Deputy Staff Director
      Matthew R. Grote, Minority Senior Professional Staff Member
                     Laura W. Kilbride, Chief Clerk
                   Lauren M. Corcoran, Hearing Clerk
                            
                            
                            
                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Johnson..............................................     1
    Senator Carper...............................................     2
    Senator Tester...............................................    15
    Senator McCain...............................................    18
    Senator Booker...............................................    20
    Senator Ernst................................................    23
    Senator Lankford.............................................    27
    Senator Sasse................................................    30
    Senator Portman..............................................    33
    Senator Ayotte...............................................    38
Prepared statements:
    Senator Johnson..............................................    49
    Senator Carper...............................................    51

                               WITNESSES
                        Thursday, June 25, 2015

Hon. Katherine Archuleta, Director, Office of Personnel 
  Management.....................................................     5
Tony Scott, U.S. Chief Information Officer, Office of Management 
  and Budget.....................................................     7
Andy Ozment, Ph.D., Assistant Secretary, Office of Cybersecurity 
  and Communications, National Protection and Programs 
  Directorate, U.S. Department of Homeland Security..............     8
Hon. Patrick E. McFarland, Inspector General, Office of Personnel 
  Management; accompanied by Lewis F. Parker, Deputy Assistant 
  Inspector General for Audits...................................    11

                     Alphabetical List of Witnesses

Archuleta, Hon. Katherine:
    Testimony....................................................     5
    Prepared statement with attachment...........................    53
McFarland, Hon. Patrick E.:
    Testimony....................................................    11
    Prepared statement...........................................    79
Ozment, Andy, Ph.D.:
    Testimony....................................................     8
    Prepared statement...........................................    71
Scott, Tony:
    Testimony....................................................     7
    Prepared statement...........................................    68

                                APPENDIX

Chart referenced by Senator Carper...............................    90
Statement submitted for the Record from National Treasury 
  Employees Union................................................    91
Responses to post-hearing questions for the Record:
    Ms. Archuleta................................................    95
    Mr. Scott....................................................   107
    Mr. Ozment...................................................   108

 
      UNDER ATTACK: FEDERAL CYBERSECURITY AND THE OPM DATA BREACH

                              ----------                              


                        THURSDAY, JUNE 25, 2015

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 9:31 a.m., in 
room SD-342, Dirksen Senate Office Building, Hon. Ron Johnson, 
Chairman of the Committee, presiding.
    Present: Senators Johnson, McCain, Portman, Lankford, 
Ayotte, Ernst, Sasse, Carper, McCaskill, Tester, Heitkamp, 
Booker, and Peters.

             OPENING STATEMENT OF CHAIRMAN JOHNSON

    Chairman Johnson. This hearing will come to order.
    Good morning, everyone. I have been told the Director is 
running a little late, so we will get started without her.
    Again, I would like to welcome all of our witnesses. I 
appreciate the time you have put into preparing your testimony. 
It is very informative. This is a very serious issue because 
earlier this month the Office of Personnel Management (OPM) 
announced that over the last year, hackers stole 4.1 million 
Federal employees' personal records. Then just days later, we 
learned the attack was actually far broader, involving some of 
the most sensitive data the Federal Government holds on its 
employees and likely many more records. It is hard to overstate 
the seriousness of this breach. It has put people's lives and 
our Nation at risk.
    This massive theft of data may be the largest breach the 
Federal Government has seen to date. But it is not the first 
data breach affecting Federal agencies or even OPM. 
Unfortunately, I doubt it will be the last. Our Nation is 
dependent on cyber infrastructure, and that makes our future 
vulnerable. But cyber threats against us are going to continue 
to grow in size and sophistication.
    The purpose of this hearing is to lay out the reality of 
that cyber threat and vulnerability. The first step in solving 
any problem is recognizing and admitting you have one. We must 
acknowledge we have a significant cybersecurity problem in the 
Federal Government, especially at OPM. This intrusion on OPM 
networks is only the latest of many against the agency, and OPM 
has become a case study in the consequences of inadequate 
action and neglect.
    Cybersecurity on Federal agency networks has proven to be 
grossly inadequate. Foreign actors, cyber criminals, and 
hacktivists are accessing our networks with ease and impunity. 
While our defenses are antiquated, by comparison our 
adversaries are proving to be highly sophisticated. Meanwhile, 
agencies are concentrating their resources trying to dictate 
cybersecurity requirements for private companies, which in many 
cases are implementing cybersecurity better and cheaper.
    OPM has been hacked five times in the last 3 years and has 
still not responded to effectively secure its network. Today's 
hearing will focus on the two most recent breaches.
    We will hear from the OPM Inspector General (IG), Mr. 
Patrick McFarland, that OPM has continued to neglect 
information security which may have contributed to these 
breaches.
    We will hear from Dr. Andy Ozment about the specifics of 
this attack as well as the Department of Homeland Security's 
(DHS) role in Federal cybersecurity.
    Mr. Tony Scott will testify about efforts on cybersecurity 
across the government and the information security requirements 
of Federal agencies.
    Finally, we will give OPM Director Katherine Archuleta an 
opportunity to explain how this happened on her watch, to let 
us know who she believes is responsible, and to clarify what we 
can expect from OPM going forward.
    There is a bullseye on the back of USA.gov, and it does not 
appear this administration is devoting enough attention to this 
reality. We need leadership to develop and implement an 
effective plan to stop future cyber attacks. Without effective 
cybersecurity, our Nation will not be safe or secure. 
Cybersecurity must be a top priority.
    So, again, I want to thank the witnesses and welcome 
everybody here to the hearing room. I am looking forward to the 
testimony, and with that I will turn it over to our Ranking 
Member, Senator Carper.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Thanks, Mr. Chairman. Thanks for holding 
this hearing, and welcome to all of our witnesses. We 
appreciate your being here and appreciate your service to our 
country.
    A few weeks ago, we learned of a massive data breach at the 
Office of Personnel Management. Personal and financial 
information for more than 4 million current and former Federal 
employees may have been compromised. And if that is not bad 
enough, reports now indicate that background investigation 
information, some of the most sensitive personal information 
the Federal Government holds, may have also been compromised, 
potentially touching millions of additional lives.
    This attack is deeply troubling and could have far-reaching 
consequences for a great number of people. It could have a 
profound impact on our national security as well.
    Understandably, the public and my colleagues are upset, and 
they are frustrated. They want answers, and so do I, and so does 
this Committee. Before we leave here today, I want us to learn 
the answers to at least four questions:
    First, what went wrong?
    Second, what are we doing about it?
    Third, what more needs to be done?
    And, fourth, how can we help, the legislative branch, the 
House and the Senate?
    Ultimately, sustained corrective action will be needed 
before we restore the public's confidence in our government's 
ability to keep their personal information safe and secure. I 
was encouraged to hear that the Office of Management and Budget 
(OMB) recently launched a 30-day cybersecurity sprint to 
further protect Federal systems from cyber attacks. That is a 
good start, but I think we all agree it is not enough.
    As we can see from OMB's most recent annual report card on 
Federal network security--I think we have a table.\1\ There 
should be a table on everybody's desk. I would just bring it to 
your attention.
---------------------------------------------------------------------------
    \1\ The chart referenced by Senator Carper appears in the Appendix 
on page 90.
---------------------------------------------------------------------------
    Senator Carper. As we can see from this table, there is a 
lot of room for improvement. It should be the goal of every 
agency, large and small, to be at the top of this table, not at 
the bottom.
    Having said that, making it to the top of the chart does 
not guarantee immunity from successful cyber attacks. Too many 
of the bad guys are good at what they do, and they are getting 
better all the time. We have to bring our ``A'' game to the 
fight every single day. As we say in the Navy, this is an all-
hands-on-deck moment.
    For those agencies that continue to lag behind, there needs 
to be enlightened leadership, accountability, and a commitment 
to continuing improvements. One valuable cybersecurity tool 
that is available to all Federal agencies is the DHS program 
known as ``EINSTEIN.'' I may hasten to add it is not a panacea. 
It is a system that can record, detect, and block cyber 
threats. And all of us on this Committee have recently heard 
about the importance of EINSTEIN after the OPM breach. The 
system used cyber threat information from the OPM data breach 
to uncover a similar intrusion which we may have never known 
about at the Department of Interior. That is an important 
discovery.
    But finding out about a data breach after they occur is not 
good enough. We want to be able to stop these attacks before 
they can do any damage.
    It is my understanding that the newest version of 
EINSTEIN--we call it ``EINSTEIN 3A.'' I think the ``A'' is for 
``accelerated,'' isn't it?--can do just that. Unfortunately, 
today less than half of all Federal civilian agencies fall 
under the protection of EINSTEIN's most advanced capabilities.
    Let me add again, I recognize that this system is not 
perfect. No one is saying that it is. No system is. But as my 
colleagues and our staff have heard me say many times before, 
if it is not perfect, let us make it better. And from 
everything I have heard, EINSTEIN 3A is another important and 
badly needed step toward that goal.
    That is exactly why Senator Johnson and I, along with our 
staff members, are working on legislation now to authorize and 
improve EINSTEIN with the help of some of our witnesses. This 
legislation will speed up its adoption across the government, 
require use of leading technologies, and improve accountability 
and oversight. I look forward to working with my colleagues on 
this legislation so that we can ensure every agency is equipped 
with the ever improving capabilities needed to fend off cyber 
attacks in the future.
    In closing, I think it is important to recognize the breach 
at OPM follows a long list of major cyber attacks against the 
government and, as we know, our private sector. And there are 
likely more to come. To tackle a challenge this big, we do need 
an all-hands-on-deck approach. What does this mean? Simply, it 
means we need all the people, resources, and authorities that 
we can reasonably muster to be ready to respond.
    We can begin by continuing to fill the top spots in our 
government agencies, something on which this agency has done, 
personally, I think, a superb job. I am proud of the work that 
we have done to provide the top excellent talent to help lead 
the Department of Homeland Security. OPM, however, has been 
without a Senate-confirmed Deputy Director for nearly 4 years.
    I will say that again. The Office of Personnel Management 
has been without a Senate-confirmed Deputy Director for nearly 
4 years. It is not that the administration has not been 
submitting the names of qualified and talented candidates for 
these posts most of the time. For example, this Committee has 
favorably reported out the name of Navy Admiral Earl Gay, the 
President's nominee for this position at OPM, twice--once last 
year and again this year. We have done our job here on this 
Committee to vet him, to report him out. It is time to get him 
confirmed so that the Director and the agency have the help 
they need to right the ship.
    Finally, we could also build on the cybersecurity 
legislation we passed last year and pass new legislation like 
EINSTEIN, like information sharing, like data breach. We have a 
job to do, and we need to do that ourselves. It would also 
fully fund agency security efforts.
    These are all important steps we can take, but they will be 
incredibly difficult to accomplish if we do not work together.
    Thanks, Mr. Chairman. Again, thank you all for being here. 
Let us have a good hearing.
    Chairman Johnson. Thank you, Senator Carper.
    It is the tradition of this Committee to swear in 
witnesses, so if you will all stand and raise your right hand. 
We will wait for the Director.
    Good morning, Director. Raise your right hand. Do you swear 
that the testimony you will give before this Committee will be 
the truth, the whole truth, and nothing but the truth, so help 
you, God?
    Ms. Archuleta. I do.
    Mr. Scott. I do.
    Mr. Ozment. I do.
    Mr. McFarland. I do.
    Chairman Johnson. Thank you. Please be seated.
    Good morning, Director.
    Ms. Archuleta. Good morning, and I apologize.
    Chairman Johnson. I know traffic can be tough in 
Washington, DC, so I appreciate you being able to make it here.
    If you are ready, we can start with you. Our first witness 
is OPM Director Katherine Archuleta. Ms. Archuleta is the 
Director of the Office of Personnel Management, a position she 
has held since November 2013. Prior to serving as Director of 
OPM, Ms. Archuleta was a senior policy adviser to then-
Secretary of Energy Federico Pena. Director Archuleta.

 TESTIMONY OF THE HONORABLE KATHERINE ARCHULETA,\1\ DIRECTOR, 
                 OFFICE OF PERSONNEL MANAGEMENT

    Ms. Archuleta. Chairman Johnson, Ranking Member Carper, and 
Members of the Committee, thank you for the opportunity to 
testify before you today. I understand and I share the concerns 
and frustrations of Federal employees and those affected by the 
intrusion into OPM's information technology (IT) systems. 
Although OPM has taken significant steps to meet our 
responsibility to secure the personal data of those we serve, 
it is clear that OPM needs to dramatically accelerate those 
efforts. I am committed to a full and complete investigation 
of these incidents, and we continue to move urgently to take 
action to mitigate the longstanding vulnerabilities of the 
agency's systems.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Archuleta appears in the Appendix 
on page 53.
---------------------------------------------------------------------------
    In March 2014, we released our Strategic IT Plan to 
modernize and to secure OPM's aging legacy system. We began 
implementing the plan immediately, and in fiscal years (FY) 
2014 and 2015, we directed nearly $70 million toward the 
implementation of new security controls to better protect our 
systems. OPM is also in the process of developing a new network 
infrastructure environment to improve the security of OPM 
infrastructure and IT systems. Once completed, OPM IT systems 
will be migrated into this new environment from the current 
legacy networks.
    Many of the improvements have been to address critical 
needs, such as the security vulnerabilities in our network. 
These upgrades include the installation of additional 
firewalls; restriction of remote access without two-factor 
authentication; continuous monitoring of all connections to 
ensure that only legitimate connections have access; and 
deploying anti-malware software across the environment to 
protect and prevent the deployment or execution of cyber crime 
tools that could compromise our networks. These improvements 
led us to the discovery of the malicious activity that has 
occurred, and we were able to immediately share the information 
so that other agencies could protect their networks.
    I want to share with the Committee some new steps that I am 
taking in addition to the steps we have already taken.
    First, I will hire a new cybersecurity adviser that will 
report directly to me. This cybersecurity adviser will work 
with OPM's Chief Information Officer (CIO) to manage ongoing 
response to the recent incidents and complete development of 
OPM's plan to mitigate further incidents and assess whether 
long-term changes to OPM's IT architecture are needed.
    Second, to ensure that the agency is leveraging private 
sector best practices and expertise, I am reaching out to the 
chief information security officers (CISO) at leading private 
sector companies that are experiencing their own significant 
cybersecurity challenges, and I will host a meeting with these 
experts in the coming weeks to help identify further steps.
    I believe that all Members of this Committee have received 
a copy of my action plan, and in deference to time limits, I am 
happy to discuss it further during the questioning.
    I would like to address now the confusion regarding the 
number of people affected by two recent related cyber incidents 
at OPM.
    First, it is my responsibility to provide as accurate 
information as I can to Congress, the public, and, most 
importantly, the affected individuals.
    Second, because this information and its potential misuse 
concerns their lives, it is essential to identify the affected 
individuals as quickly as possible.
    Third, we face challenges in analyzing the data due to the 
form of the records and the way they are stored. As such, I 
have deployed a dedicated team to undertake this time-consuming 
analysis and instructed them to make sure their work is 
accurate and completed as quickly as possible.
    As much as I want to have all the answers today, I do not 
want to be in the position of providing you or the affected 
individuals with potentially inaccurate data. With these 
considerations in mind, I want to clarify some of the reports 
that have appeared in the press.
    Some press accounts have suggested that the number of 
affected individuals has expanded from 4 million individuals to 
18 million individuals. Other press accounts have asserted that 
4 million individuals have been affected in the personnel file 
incident and 18 million individuals have been affected in the 
background investigation incident. Therefore, I am providing 
the status as we know it today and reaffirming my commitment to 
providing more information as soon as we know it.
    First, the two kinds of data that I am addressing--
personnel records and background investigations--affected 
different systems in two separate but related incidents.
    Second, the number of individuals with data compromised 
from the personnel records incident is approximately 4.2 
million, as we reported on June 4, and this number has not 
changed, and we have notified these individuals.
    Third, as I have noted, we continue to analyze the 
background investigation as rapidly as possible to best 
understand what was compromised, and we are not at a point 
where we are able to provide a more definitive report on this 
issue.
    That said, I want to address the figure of 18 million 
individuals that has been cited in the press. It is my 
understanding that the 18 million refers to a preliminary, 
unverified, and approximate number of unique Social Security 
numbers in the background investigations data. It is not a 
number that I feel comfortable at this time represents the 
total number of affected individuals. The Social Security 
number portion of the analysis is still under active review, 
and we do not have a more definitive number. Also, there may be 
an overlap between the individuals affected in the background 
investigation and the personnel file incident.
    Additionally, we are working deliberately to determine if 
individuals who have not had their Social Security numbers 
compromised but may have other information exposed should be 
considered individuals affected by this incident. For these 
reasons, I cannot yet provide a more definitive response on the 
number of individuals affected by the background investigations 
intrusion, and it may well increase from these initial reports. 
My team is conducting further analysis with all speed and care, 
and, again, I look forward to providing an accurate and 
complete response.
    Thank you for the opportunity, and I am happy to address 
any questions you may have.
    Chairman Johnson. Thank you, Madam Director.
    Our next witness is Mr. Tony Scott. Mr. Scott is the Chief 
Information Officer for the United States. He was appointed by 
the President in February of this year. His previous roles 
include heading VMware's global information technology group 
and 5 years as chief information officer at Microsoft. Mr. 
Scott.

  TESTIMONY OF TONY SCOTT,\1\ U.S. CHIEF INFORMATION OFFICER, 
                OFFICE OF MANAGEMENT AND BUDGET

    Mr. Scott. Thank you, Chairman Johnson, Ranking Member 
Carper, and Members of the Committee. Thank you for the 
opportunity to appear before you today. I appreciate the chance 
to speak with you about recent cyber incidents affecting 
Federal agencies.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Scott appears in the Appendix on 
page 68.
---------------------------------------------------------------------------
    As Federal CIO, I lead the Office of Management and 
Budget's Office of E-Government & Information Technology, and 
my office is responsible for developing and overseeing the 
implementation of Federal information technology policy. But 
today I want to focus on my team's role in facing our Nation's 
current reality: confronting ever-evolving cybersecurity 
threats.
    Under the Federal Information Security Modernization Act 
(FISMA) of 2014, OMB is responsible for Federal information 
security oversight and policy issuance. OMB executes its 
responsibilities in close coordination with its Federal 
cybersecurity partners, including the Department of Homeland 
Security and the Department of Commerce's National Institute of 
Standards and Technology (NIST).
    Last year, OMB announced the creation of a dedicated 
cybersecurity unit within my office: the E-Gov Cyber Unit. The 
creation of the E-Gov Cyber Unit reflects OMB's focus on 
conducting robust, data-driven oversight of agencies' 
cybersecurity programs, and the monitoring and improving of 
governmentwide responses to major cybersecurity incidents as 
well as issuing Federal guidance consistent with current and 
emerging technologies and risks.
    This is also the team behind the annual FISMA report which 
highlights both successes and challenges facing Federal 
agencies' cyber programs. In fiscal year 2015, the E-Gov Cyber 
Unit is conducting oversight through CyberStat reviews and will 
prioritize agencies with high risk factors as determined by 
cybersecurity performance and incident data. Additionally, the 
unit is driving FISMA implementation by providing agencies with 
the guidance they need in this dynamic environment. One of the 
top fiscal year 2015 policy priorities of the team is updating 
something known as Circular A-130, which is the central 
governmentwide policy document that establishes agency 
guidelines on how to manage information resources, including 
best practices for how to secure those resources.
    As I testified before the House last week, OMB's guidance 
to agencies for implementing the recently passed Federal 
Information Technology Acquisition Reform Act (FITARA) was 
issued, and it strengthens the role of the CIO in agency 
cybersecurity, and that is an important piece.
    To further improve Federal cybersecurity infrastructure and 
protect systems against these evolving threats, OMB launched a 
30-day cybersecurity sprint 2 weeks ago. The sprint team is 
comprised of staff from OMB, National Security Council (NSC), 
DHS, and other agencies. We have over 100 people involved in 
this effort, and at the end of the review, we will create and 
operationalize a set of action plans to further address 
critical cybersecurity priorities and recommend a Federal 
Civilian Cybersecurity Strategy.
    In addition, immediately the 30-day sprint directs agencies 
to immediately deploy priority threat-actor indicators that 
have been provided by DHS to scan systems and check logs, patch 
critical vulnerabilities without delay, tighten policies and 
practices for privileged users, and accelerate the 
implementation of multi-factor authentication, especially for 
privileged users.
    As I mentioned earlier, confronting cybersecurity threats 
is a reality I faced during my time in the private sector and 
continue facing in my new role as Federal Chief Information 
Officer. Because of this, ensuring the security of information 
within the Federal Government's networks and systems will 
remain a core focus of mine and of the administration. We are 
moving aggressively to implement innovative protections and 
respond quickly to new challenges as they arise. In addition to 
our efforts, we also look forward to working with Congress on 
actions that may further protect our Nation's critical networks 
and systems.
    I thank the Committee for holding this hearing and for your 
commitment to improving Federal cybersecurity, and I would be 
pleased to answer any questions you may have.
    Chairman Johnson. Thank you, Mr. Scott.
    Our next witness is Dr. Andy Ozment. Dr. Ozment is the 
Assistant Secretary for Cybersecurity and Communications at the 
Department of Homeland Security where he leads several of the 
Department's key cyber programs. Prior to his service at DHS, 
Dr. Ozment was the President's Senior Director for 
Cybersecurity. Dr. Ozment.

TESTIMONY OF ANDY OZMENT, PH.D.,\1\ ASSISTANT SECRETARY, OFFICE 
 OF CYBERSECURITY AND COMMUNICATIONS, NATIONAL PROTECTION AND 
   PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY

    Mr. Ozment. Chairman Johnson, Ranking Member Carper, 
Members of the Committee, I appreciate the opportunity to 
appear before you today. Like you, my fellow panelists, and 
countless Americans, I am deeply concerned about the recent 
compromise at OPM, and I am dedicated to ensuring that we take 
all necessary steps to protect our Federal workforce and to 
drive forward the cybersecurity of the Federal Government.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Ozment appears in the Appendix on 
page 71.
---------------------------------------------------------------------------
    As a result, I want to focus these remarks on how DHS is 
accelerating our efforts to protect Federal agencies and to 
help Federal agencies better protect themselves.
    To begin with, it is important to note that we are now 
making up for 20 years of underinvestment in cybersecurity 
across the public and the private sectors. At the same time, we 
are facing a major challenge in protecting our most sensitive 
information against sophisticated, well-resourced, and 
persistent adversaries. This is a complex problem without a 
simple solution. If an easy answer were at hand, this would not 
be a national challenge.
    To effectively address this challenge, our Federal agencies 
need to employ defense in depth. Consider protecting a 
government facility against a physical threat. Adequate 
security is not only a fence, a camera, or building locks, but 
a combination of these measures that, in aggregate, make it 
difficult for an adversary to gain physical access. 
Cybersecurity also requires this defense in depth, these 
multiple layers of security. No one measure is sufficient.
    Under legislation passed by Congress last year, Federal 
agencies are responsible for their cybersecurity. To assist 
them, DHS provides a common baseline of security across the 
civilian government and helps agencies manage their own cyber 
risk through four key efforts.
    First, we protect agencies by providing a common set of 
capabilities through the EINSTEIN and Continuous Diagnostics 
and Mitigation program (CDM).
    Second, we measure and motivate agencies to implement best 
practices.
    Third, we serve as a hub for information sharing.
    And, fourth, we provide incident response assistance when 
agencies suffer an intrusion.
    In my statement this morning, I will focus on the first 
area, how DHS provides a baseline of security through EINSTEIN 
and CDM. I have described the other three areas in my written 
statement, and I am happy to take your questions on them.
    Our first line of defense against cyber threats is the 
EINSTEIN system, which protects agencies at their perimeter. 
Returning to the analogy of a physical government facility that 
I mentioned earlier, EINSTEIN 1 is similar to a camera at the 
road onto a facility that records all traffic and identifies 
anomalies in the number of cars entering and leaving.
    EINSTEIN 2 adds the ability to detect suspicious cars based 
upon a watchlist. EINSTEIN 2 does not stop the cars, but it 
does set off an alarm. Agencies report that EINSTEIN 1 and 2 
are screening over 90 percent of all Federal civilian traffic, 
and they played a key role in identifying the recent compromise 
of OPM data hosted at the Department of Interior.
    The latest phase of the program, as Senator Carper 
mentioned, is known as EINSTEIN 3A, and it is akin to a guard 
post at the highway that leads to multiple government 
facilities. It uses classified information to look at the cars 
and compare them to a watch list, and then it actively blocks 
prohibited cars from entering the facility. We are accelerating 
our efforts to protect all civilian agencies with EINSTEIN 3A. 
The system now protects 15 Federal civilian agencies with over 
930,000 Federal personnel, or approximately 45 percent of the 
Federal civilian government, with at least one security 
countermeasure.
    We have added EINSTEIN 3A protections to over 20 percent of 
the Federal civilian government in the past 9 months alone. 
During that time, and since its inception, EINSTEIN 3A has 
blocked nearly 550,000 attempts to access potentially malicious 
websites, which is often associated with potential theft of 
agency data.
    Now, EINSTEIN 3A is currently a signature-based system. It 
can only block attacks or intrusions that it already knows 
about. That is necessary but not sufficient. We are also 
working on adding other technologies to the EINSTEIN 3A 
platform that can block never-before-seen intrusions, because 
EINSTEIN 3A is not just a set of existing capabilities, it is a 
platform upon which we can add other capabilities.
    As we accelerate EINSTEIN deployment, we also recognize 
that security cannot be achieved through only one type of tool. 
That is why we need defense in-depth. EINSTEIN is not a silver 
bullet and will never be able to block every threat. For 
example, it must be complemented with tools that monitor the 
inside of agency networks. Our CDM program helps address this 
challenge.
    Returning again to our analogy of a government facility, 
CDM Phase 1 allows agencies to continuously check the building 
locks inside the facility to ensure they are operating as they 
are intended to. Continuing the analogy, the next two phases 
will monitor personnel on the facility to make sure they are 
not engaging in unauthorized actions and will actively assess 
activity across the facility to detect unusual patterns of 
behavior.
    We have purchased CDM Phase 1 capabilities for eight 
agencies covering over 50 percent of the Federal civilian 
government, and we expect to purchase these capabilities for 97 
percent of the civilian government by the end of this fiscal 
year.
    Now, the deadlines I have just told you for both CDM and 
EINSTEIN are when DHS provides a given capability. It takes 
additional time, months, for agencies to each then implement 
the capability for both EINSTEIN and CDM. And, of course, 
agencies must supplement EINSTEIN and CDM with their own tools 
appropriate to the needs of that existing agency.
    I would like to conclude by noting that Federal agencies 
are a rich target, and they will continue to experience 
frequent attempted intrusions. As our detection methods 
continue to improve, we will, in fact, detect more incidents 
that are already occurring that we do not know about.
    The recent breach at OPM is emblematic of this trend, as 
OPM was able to detect the intrusions by implementing best 
practices. We are accelerating the deployment of the tools we 
have, and we are bringing cutting-edge capabilities online, and 
we are asking our partner agencies and Congress to take action 
and work with us to strengthen the cybersecurity of the Federal 
Government.
    Thank you again for the opportunity to appear before you 
today, and I look forward to any questions.
    Chairman Johnson. Thank you, Dr. Ozment.
    Our next and last witness is Mr. Patrick McFarland. Mr. 
McFarland is the Inspector General (IG) for the Office of 
Personnel Management, a position he has held since 1990, making 
him the longest-serving Inspector General in the Federal 
Government. He has 30 years of service in law enforcement, 
including 22 years at the Secret Service.
    First of all, sir, thank you for your service, and we look 
forward to your testimony. Mr. McFarland.

 TESTIMONY OF THE HONORABLE PATRICK E. MCFARLAND,\1\ INSPECTOR 
 GENERAL, OFFICE OF PERSONNEL MANAGEMENT; ACCOMPANIED BY LEWIS 
    F. PARKER, DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDITS

    Mr. McFarland. Thank you. Chairman Johnson, Ranking Member 
Carper, and Members of the Committee, my name is Patrick 
McFarland. I am the Inspector General of the Office of 
Personnel Management. Thank you for inviting me to testify 
today at the hearing regarding the IT security audit work 
performed by our office.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. McFarland appears in the Appendix 
on page 79.
---------------------------------------------------------------------------
    I am accompanied by Lewis Parker, my Deputy Assistant 
Inspector General for Audits, who, with your permission, may 
assist in answering any technical questions you may have.
    OPM has a long history of systemic failures to properly 
manage its IT infrastructure which may have ultimately led to 
the breaches we are discussing today.
    First I would like to discuss some of the findings from our 
annual audits under the Federal Information Security Management 
Act. We have identified three general areas of concern, which 
are discussed in detail in my written testimony. They are:
    One, information security governance. This is the 
management structure and process that form the foundation of a 
successful security program. It is vital to have a centralized 
governance structure. OPM has made improvements in this area, 
but we still have some concerns.
    Two, security assessments and authorizations. This is a 
comprehensive assessment of each IT system to ensure that it 
meets the applicable security standards before allowing the 
system to operate. Our 2014 FISMA audit found that 11 of OPM's 
47 systems were operating without a valid authorization.
    Three, technical security controls. OPM has implemented a 
variety of controls to make the agency IT system more secure. 
However, these tools must be used properly and must cover the 
entire IT environment. We are concerned that they do not.
    The second issue I would like to briefly discuss is the 
Flash Audit Alert that I issued last week. In 2014, OPM began a 
massive project to overhaul the agency's IT environment by 
building an entirely new infrastructure called ``the Shell'' 
and migrating all of its systems to that Shell from the 
existing infrastructure. We have two serious concerns with how 
the project is being implemented.
    First, OPM is not following proper IT project management 
procedures and, therefore, does not know the true scope and 
cost of this project. The agency never prepared a project 
charter or conducted a feasibility study or even identified all 
of the applications that will have to be moved from the 
existing IT infrastructure to the new Shell environment.
    Further, the agency did not prepare the mandatory major IT 
business case, formerly known as the ``Exhibit 300.'' This 
document is an important step in the planning of any large-
scale IT project as it forces the agency to conduct a detailed 
cost-benefit analysis as well as a risk evaluation, among other 
things. OPM apparently believes this is simply an 
administrative exercise. We disagree. Because OPM has not 
conducted these very basic planning steps, it does not know the 
true cost of the project and cannot provide an accurate 
timeframe for completion. OPM has estimated that this project 
will cost $93 million; however, that amount includes only 
strengthening the agency's current IT security posture and the 
creation of a new Shell environment. It does not include the 
cost of migrating all of OPM's 50 major IT systems and numerous 
sub-systems to the Shell. This migration will be the most 
costly and complex phase of this project.
    Even if the $93 million figure was an accurate estimate, 
the agency does not have a dedicated funding stream for the 
project. Therefore, it is entirely possible that OPM could run 
out of funds before completion, leaving the agency's IT 
environment more vulnerable than it is now.
    The second major point discussed in the alert relates to 
the use of a sole-source contract. OPM has contracted with a 
single vendor to complete all of the multiple phases of this 
project. Unless there is a specific exception, Federal 
contracts are supposed to be subject to full and open 
competition. However, there is an exception for compelling and 
urgent situations.
    The first phase of this project, which involves securing 
OPM's IT environment, was indeed such a compelling and urgent 
situation. That phase addressed a crisis, namely, the breaches 
that occurred last year. However, later phases, such as 
migrating the applications to the new Shell environment, are 
not urgent. Instead, they involve work that is essentially a 
long-term capital investment. OPM has indicated that the 
contract for the migration phase has not been awarded. We have 
not been provided documentation that OPM is soliciting bids 
from other contractors for this work, even though this work is 
supposedly underway. This supports our concern that the current 
vendor's contract covers all phases of this project.
    It may sound counterintuitive, but OPM must slow down and 
not continue to barrel forward with this project. The agency 
must take the time to get it right the first time to determine 
the scope of the project, calculate the costs, and make a clear 
plan about how to implement this massive overhaul. OPM cannot 
afford to have this project fail.
    I fully support OPM's efforts to modernize its IT 
environment and the Director's long-term goals. However, if it 
is not done correctly, the agency will be in a worse situation 
than it is today, and millions of taxpayer dollars will have 
been wasted.
    Thank you.
    Chairman Johnson. Thank you, Mr. McFarland. I would like to 
start my questioning with you.
    Looking back at your audits, under the Federal Information 
Security Management Act, if we just start with fiscal year 
2009, you do not have to go much further than the first or 
second page of the executive summary to understand that 
security of the IT systems has been a problem.
    In your November 5, 2009, report, you report ``lack of 
adequate information security governance activities in 
accordance with legislative and regulatory requirements.''
    In your November 10, 2010, report, you say, ``We also 
expanded the material weaknesses related to IT security 
policies to include concerns with the agency's overall 
information security governance and its information security 
management structure.''
    In your November 2011 report, you say, ``We continue to 
believe that information security governance represents a 
material weakness in OPM's IT security program.''
    November 5, 2012--and this is actually pretty troubling 
because in the audit, the Office of Chief Information Officer 
(OCIO) response to your draft audit report indicated that they 
disagreed with the classification of the material weakness 
because of the progress that OPM had made with its IT security 
program and because there was no loss of sensitive data during 
the fiscal year. However, the OCIO's statement is inaccurate as 
there were, in fact, numerous information security incidents in 
fiscal year 2012 that led to the loss or unauthorized release 
of mission-critical or sensitive data. In other words, in the 
2012 report, the Office of Chief Information Officer was in a 
state of denial.
    November 21, 2013, second page of the report, it says, 
``OPM's decentralized governance structure continues to result 
in many instances of noncompliance with FISMA requirements; 
therefore, we are again reporting this issue as a material 
weakness for Fiscal Year 2013.''
    In 2014, probably the best thing you can say in terms of 
improvements is the material weaknesses related to information 
security governance has been upgraded to a significant 
deficiency due to the planned reorganization of OCIO. And, 
again, I am highly concerned about this flash audit. On the 
Infrastructure Improvement Project, your conclusion: ``As a 
result, there is a high risk that this project will fail to 
meet the objectives of providing a secure operating environment 
for OPM's systems and applications.'' You go on to say: ``In 
our opinion, the project management approach to this major 
infrastructure overhaul is entirely inadequate and introduces a 
very high risk of project failure.''
    It is pretty clear that the security of the IT system has 
been a problem, a material problem for quite some time. Now, 
when Director Archuleta came before this Committee in this 
Senate for confirmation, in her written answers to our 
questions, she said, ``If confirmed as Director of OPM, 
improved management of OPM's IT, including proper security and 
data management, will be one of my top priorities. I will work 
with OPM's CIO and IG to ensure that adequate measures are in 
place to protect this vital information.''
    Mr. McFarland, has Director Archuleta ever met with you 
specifically to discuss the results of your FISMA audits?
    Mr. McFarland. No, sir.
    Chairman Johnson. Do you meet with her regularly?
    Mr. McFarland. I meet with her at least once a month.
    Chairman Johnson. To what extent have you ever discussed 
the material problems with the security of the IT systems of 
OPM?
    Mr. McFarland. The memorandum in front of me is dated June 
17 from us to the Director, and it spells out the Flash Audit 
Alert with a lot of information in it, and that was presented 
to her office. One week prior to that, we made sure that the 
chief of staff had a copy to help the flow of information for 
us. But we have not sat down, the Director and I, regarding 
this. We have not heard back other than last Tuesday when we 
received the response to our Flash Audit Alert.
    Chairman Johnson. So do you believe that her statement that 
she would work with OPM's CIO and IG to ensure that adequate 
measures are in place to protect this vital information, do you 
believe she has fulfilled that commitment?
    Mr. McFarland. Well, I do not believe she has fulfilled 
that commitment specifically with me, but I would assume--and 
it may be right, may be wrong--that her explanation entails the 
CIO's involvement with our office.
    Chairman Johnson. Well, here is the problem. We have had 
three material breaches under her watch. In March 2014, the 
Chinese breached OPM looking for background investigations, 
and, of course, the subject of this hearing is the two most 
recent breaches.
    Director Archuleta, do you believe you have fulfilled that 
commitment that you made to this Committee and this Senate that 
you will work with OPM's IG to ensure that adequate measures 
are in place to protect this vital information?
    Ms. Archuleta. I believe I am fulfilling that commitment, 
sir. With regard to the strategic plan that I promised in the 
confirmation, is that we have moved toward that, and your 
concerns about governance are exactly right. There was not a 
governance structure, and it was--one of the first things I did 
was to hire a capable and qualified CIO.
    Chairman Johnson. My time is running out. Why have you not 
met with the Inspector General who is tasked with these audits 
and has given you a lot of--has basically laid out the problem 
for you. Why have you not met and discussed this problem with 
the Inspector General?
    Ms. Archuleta. Thank you. We do meet on a monthly basis, 
and----
    Chairman Johnson. But not to talk about this IT security 
situation.
    Ms. Archuleta. The agenda----
    Chairman Johnson. Which was going to be a top priority of 
your term.
    Ms. Archuleta. Yes. The agenda is set by the IG, and he has 
been very helpful in identifying issues throughout the agency.
    With regard to the Flash Audit, my staff and his staff are 
meeting on Tuesday. We have not had a meeting since his release 
of the Flash Audit, but he and I will follow up first with 
staff, and then we have a meeting together. We have not, as Mr. 
McFarland indicated, had the opportunity to meet yet, but I am 
sure it was his intention and always my intention that we would 
sit down and discuss this, as we have with all other issues.
    Chairman Johnson. Have you spoken to the President about 
this breach?
    Ms. Archuleta. Yes, I have spoken to the President.
    Chairman Johnson. When?
    Ms. Archuleta. It was----
    Chairman Johnson. About this breach, about the most recent 
breach of the 4.1 million to possibly 18 million records.
    Ms. Archuleta. I did brief the President on this, and he 
has made it repeatedly clear that cyber threats are one of his 
most serious economic and national security challenges as we 
face the Nation, and he has in his administration pursued a 
comprehensive strategy, including the appointment of Tony 
Scott, boosting our defenses in government, and sharing more 
information. He has also directed the establishment of a Cyber 
Intelligence Center and called on the Congress to pass 
legislation.
    Chairman Johnson. OK. When did you speak with the President 
about this?
    Ms. Archuleta. Approximately 2 weeks ago.
    Chairman Johnson. Do you understand the full gravity of the 
risk to this Nation, the risk to people's lives, government 
officials that are trying to protect this Nation, because of 
the release of this information?
    Ms. Archuleta. Of course I do. I am as upset as you are 
about this. And that is why we have worked from day one to set 
in place the steps that had not existed there before, and I 
think--and if you notice in the plan that I sent you, we have 
taken significant steps toward that. But we are looking at 
nearly 30 years of a legacy system and no improvements prior to 
the time that I got there--not none, but not enough.
    And so as you look at the improvements we have made, 
certainly we have made important steps, but we need to make 
more, and that is why we are asking Congress for their support.
    Chairman Johnson. OK. Senator Carper.
    Senator Carper. I am going to yield my time at this point 
to Senator Tester, who needs to go to an Appropriations 
Committee markup.

              OPENING STATEMENT OF SENATOR TESTER

    Senator Tester. Thank you. Thank you, Mr. Chairman. Thank 
you, Tom Carper. Thank you very much. I appreciate that.
    Director Archuleta, was the cause of the initial breach 
because of the compromised credential of an employee of a 
contractor, KeyPoint Government Solutions?
    Ms. Archuleta. My colleagues would be very much more able 
to respond to that, but, yes, the first issue was a use of 
credential----
    Senator Tester. A compromised credential?
    Ms. Archuleta. A compromised credential.
    Senator Tester. You would agree with that?
    Mr. Ozment. Yes, sir, I would agree with that.
    Senator Tester. Thank you.
    Director Archuleta, do you plan to continue OPM's 
relationship with KeyPoint?
    Ms. Archuleta. Yes, sir. We have found that they have 
responded to all other remediation efforts that we have asked 
them to perform.
    Senator Tester. So it would be fair to say that you believe 
KeyPoint is able to keep its data and credentials secure at 
this point?
    Ms. Archuleta. Yes, sir, I do believe that that is true. 
They have made important strides.
    Senator Tester. OK. IG McFarland, in your estimation has 
KeyPoint sufficiently updated its access to its systems to 
ensure that its data and credentials are secure?
    Mr. McFarland. We do not know that at this time.
    Senator Tester. Who would know that?
    Mr. McFarland. I would hope the CIO would know it.
    Senator Tester. OK. Has OPM updated their systems to ensure 
that data and credentials are secure, IG McFarland?
    Mr. McFarland. I believe, yes, they have been working on 
the tactical aspect of the infrastructure, which is to update 
the present environment.
    Senator Tester. Do you feel that their systems are secure 
at this point?
    Mr. McFarland. No, I do not feel that they are secure at 
this point.
    Senator Tester. OK. IG McFarland, based on what you know so 
far, do you believe that OPM should continue its relationship 
with KeyPoint?
    Mr. McFarland. I would have to have more information. I 
would not be able to answer that right now.
    Senator Tester. OK. Director Archuleta, as part of your 
testimony, you also include recommendations to improve 
cybersecurity at OPM, and, clearly, in these recommendations 
you call on Congress for additional support in order to 
accelerate upgrades for OPM's IT infrastructure. Director, as a 
part of this additional support, are you requesting funding for 
additional IT software developers and IT support personnel?
    Ms. Archuleta. We are very much focused on the additional 
money to improve our security. Yes, it is the primary reason 
for the request for additional funds.
    Senator Tester. OK. And so who have you made that request 
to?
    Ms. Archuleta. We are in the process of developing that 
request. We hope to have it to you by the end of this week, and 
we are working very closely with OMB on that.
    Senator Tester. And do you have any idea how much that will 
be?
    Ms. Archuleta. I do not have the idea right now, sir, but I 
think there has been an initial number that we are focused in 
on, and I would be glad to get that to you by the end of this 
week.
    Senator Tester. OK. You talked about gleaning some of the 
information out of private sector cybersecurity. Are you going 
to--you said that you were going to--in your opening 
testimony--I do not want to put words in your mouth, but what I 
heard was that you were going to go to the private sector to 
find out some methods that they utilized?
    Ms. Archuleta. Yes. The issue of cybersecurity----
    Senator Tester. And if that is correct, just say----
    Ms. Archuleta. Yes, it is correct.
    Senator Tester. Are you going to the financial industry?
    Ms. Archuleta. We will be going throughout the industry, 
and financial, I am sure, will be part of that, sir, yes.
    Senator Tester. OK, because they are getting attacked 
literally every night.
    Ms. Archuleta. Yes.
    Senator Tester. And they seem to be doing a reasonable job 
at this point in time of fending those attacks off.
    Ms. Archuleta. That is the type of expertise we will want 
to know about and learn about.
    Senator Tester. OK. Many times the private sector offers 
employees in software development and IT pretty damn generous 
benefits and pay. Yet at the Federal Government, we have had to 
endure Government shutdowns. In recent years, we have seen 
threat after threat cutting retirement, threat to cut wages, 
not exactly what I would say good recruiting and retention 
efforts.
    How is OPM addressing recruiting problems, not only in your 
supplemental request for dollars but in general?
    Ms. Archuleta. Thank you for that question, sir. I have 
actually been working very closely and had several 
conversations with the private sector that faces this same 
problem. The need for cybersecurity experts and, frankly, IT 
experts is one that both the public and public sector are in 
great need of, and we are working together with them and also 
working with our internal partners in all of the agencies to 
determine ways through hiring flexibilities, recruiting 
flexibilities and salary flexibilities to bring these 
individuals in.
    What we have found is that there is a great deal of 
interest in public service, and this is something that we are 
focused in on, and the recruitment of individuals both at the 
Millennials and mid-career.
    Senator Tester. OK. This is for either you, Mr. Scott, or 
Mr. Ozment. Which one of you said that this is due to an 
underinvestment in cybersecurity over the last 10 years? Was 
that you, Mr. Ozment?
    Mr. Ozment. That was me, sir.
    Senator Tester. OK. So we are sitting here on this side of 
the dais. Some of us are appropriators, but we are all 
concerned about national security. Who should we be listening 
to about where we need to make those investments?
    Mr. Ozment. Ultimately you need to listen to each agency 
and their CIO because they know their environment best. I know 
that what we have come forward, the Department of Homeland 
Security, in our budget request for my organization, also 
supports governmentwide security programs, and we need a 
combination of those governmentwide programs and individual 
agencies.
    Senator Tester. Do we have a plan like that currently? Do 
we have a governmentwide program for cybersecurity that 
actually--the way I visualize it in my head, it actually has 
tentacles out to each agency?
    Mr. Ozment. We have a number of documents that in 
combination lay out our governmentwide approach, in part 
influenced by the recent passing of the FISMA modernization in 
December 2014. And so those documents in aggregate lay out the 
approach that we are taking.
    Senator Tester. Is that effective? I mean, is the 
infrastructure effective to do what we need to do? Or do we 
have to add to--do you understand what I am asking?
    Mr. Ozment. I do. There is always a balance between 
spending your time writing documents and spending your time 
doing the actual work.
    Senator Tester. That is true.
    Mr. Ozment. I think we are at a point right now where we 
have--a lot of guidance has been issued. There has been a lot 
of focus on how we move forward. I think we are at the point 
now where we need to focus on the execution.
    Senator Tester. All right. Thank you all for your 
testimony.
    Thank you, Mr. Chairman, especially you, Mr. Vice Chairman.
    Chairman Johnson. Chairman McCain has got to be somewhere 
else. We are going to let him go next, if that is OK, Senator 
Booker? OK. Senator McCain.

              OPENING STATEMENT OF SENATOR MCCAIN

    Senator McCain. Thank you, Mr. Chairman. I thank Senator 
Booker for his indulgence.
    Ms. Archuleta, the New York Times stated, ``While Mr. Obama 
publicly named North Korea as the country that attacked Sony 
Pictures Entertainment last year, he and his aides have 
described the Chinese hackers in the government records case 
only to Members of Congress in classified hearings. Blaming the 
Chinese in public could affect cooperation on limiting the 
Iranian nuclear program and tensions with China's Asian 
neighbors.''
    Are you ready to state, since it has been in all public 
periodicals, that it was China responsible for this hacking?
    Ms. Archuleta. I think that that would be----
    Senator McCain. That is a pretty simple answer. Are you 
ready to say that it was Chinese hacking or not?
    Ms. Archuleta. I would have to defer to----
    Senator McCain. So the answer is no?
    Ms. Archuleta [continuing]. My colleagues at State. I would 
defer to my colleagues at State to respond to that.
    Senator McCain. So the answer is no, you will not--even 
though it is all in public knowledge that it was China, you are 
not ready to tell this Committee that you know that it was 
China that was responsible for the hacking. Is that true?
    Ms. Archuleta. OPM is not responsible for attribution. We 
rely on our colleagues to talk about that.
    Senator McCain. Your committee--your business is to track 
and to respond to hacking, and--well, I would like to go back 
to the issue--you said you did not know where the figure of 18 
million Social Security numbers came from. This is a Wall 
Street Journal article. ``A senior Federal Bureau of 
Investigations (FBI) official interjected, said it was based on 
her agency's own data, these people said, of 18.2 million.'' 
Are you ready to acknowledge that the FBI's number of 18.2 
million is accurate?
    Ms. Archuleta. As I stated in my opening remarks, sir, I do 
not believe that that is an accurate number, and I will not 
give an accurate----
    Senator McCain. So the FBI is giving us incorrect 
information?
    Ms. Archuleta. I do not have an understanding of where they 
assumed that 18 number, but I will tell you----
    Senator McCain. Have you met with the FBI?
    Ms. Archuleta. My associates have met with the FBI----
    Senator McCain. Your associates have, but you have not.
    Ms. Archuleta. No, sir, I have not met with the FBI.
    Senator McCain. Why wouldn't you, when there is a clear 
situation here of an allegation by the most respected law 
enforcement agency in America of 18.2 million. You are alleging 
that it is 4 million. Wouldn't you sit down with the Director 
of the FBI and say, ``Hey, the American people need to know, 
especially those 14 million between 4 and 18 million that may 
have been breached?''
    Ms. Archuleta. As the head of the agency, I have many 
people who are working in a number of different issues. This is 
an important question that you have asked me, and since the 
time that number----
    Senator McCain. I guess my question, again, is: Why 
wouldn't you sit down with the FBI people and find out where 
they got their information so----
    Ms. Archuleta. There are many----
    Senator McCain [continuing]. You can corroborate it or deny 
it?
    Ms. Archuleta. My colleagues have met with the FBI, and----
    Senator McCain. But you have not.
    Ms. Archuleta. No.
    Senator McCain. It does not rise to your level of 
attention. I see.
    Now, what about the hundreds of millions of prescription 
drug claims and health records OPM holds to detect fraud in the 
Federal Employee Health Benefits Program (FEHBP)? Are those at 
risk?
    Ms. Archuleta. The enrollment forms are part of the data, 
and as I said in my statement, again, we are analyzing the data 
right now.
    Senator McCain. You will not tell the Committee----
    Ms. Archuleta. It does not----
    Senator McCain [continuing]. Whether they are at risk or 
not?
    Ms. Archuleta. I will share with you that we are analyzing 
this data to see the scope of the impact of this breach.
    Senator McCain. Mr. McFarland, your office has been warning 
OPM about the vulnerability of its data for years. How were 
these warnings received by the agency, and why were they 
apparently ignored until it was too late?
    Mr. McFarland. Well, I do not know why they were ignored, 
but they certainly----
    Senator McCain. But they were ignored.
    Mr. McFarland. Yes, they were ignored, in my estimation.
    Senator McCain. So they just received it, sort of like Ms. 
Archuleta received the information from the FBI. It probably 
may not have risen to the level of her interest.
    Now, Ms. Archuleta, you made an interesting statement. You 
told the Senate Appropriations Committee Tuesday that no one at 
OPM is personally to blame for the data breach. However, you 
told the House panel Wednesday, ``I hold all of us responsible. 
That is our job at OPM to protect the data.'' In other words, 
everybody is responsible, so nobody is responsible. But you are 
responsible, and I wonder whether you think--since you said, 
``I hold all of us responsible,'' do you think you should stay 
in your present position?
    Ms. Archuleta. Senator, I have been working hard from day 
one to correct decades of neglect, and I----
    Senator McCain. Ignoring the----
    Ms. Archuleta [continuing]. Continue to----
    Senator McCain. Ignoring Mr. McFarland's warnings.
    Ms. Archuleta. I have been here for 18 months, sir, and I 
have worked very hard. I think we have taken great strides not 
only within OPM and in partnership throughout government, 
cybersecurity is an enterprise effort in this administration, 
and I work closely with them. I am committed to continuing to 
do that.
    Senator McCain. Well, unfortunately, you were not committed 
to heeding the warnings of Mr. McFarland, apparently, at least 
according to his assessment.
    I guess my final question is, which I am sure you will 
probably obfuscate: When will the American people know, when 
will they know the extent of this penetration which has 
violated the privacy of, at least in the estimation of the FBI, 
18 million people?
    Ms. Archuleta. Thank you for that question, and as I stated 
earlier, we are working as rapidly as we can. I have a team 
that is working--that is devoted to this----
    Senator McCain. And you have no----
    Ms. Archuleta [continuing]. But I will be--I----
    Senator McCain. And you have no estimate for the Committee 
as to when this----
    Ms. Archuleta. When I know that the number is accurate, 
that is the time.
    Senator McCain. But you cannot tell us when you would----
    Ms. Archuleta. When I know the number is accurate.
    Senator McCain. But you cannot tell us when.
    Ms. Archuleta. When they bring me an accurate----
    Senator McCain. I see.
    Ms. Archuleta [continuing]. And I have confidence in that 
number.
    Senator McCain. Ms. Archuleta, I must say that I have seen 
a lot of performances. Yours ranks as one of the most 
interesting.
    I yield back.
    Chairman Johnson. Thank you, Chairman McCain.
    Because Senator Booker did yield, I will let you go before 
Senator Ernst.

              OPENING STATEMENT OF SENATOR BOOKER

    Senator Booker. Thank you very much. These days it is 
surprising to see somebody letting New Jersey go before Iowa. 
[Laughter.]
    Senator Ernst. It is OK.
    Senator Booker. Ms. Archuleta, I understand that the OPM 
Inspector General recommended the shutdown of OPM's IT 
infrastructure system before we knew about the hacks. Did you 
follow the IG's guidance? And if not, why?
    Ms. Archuleta. I did not follow his guidance because I had 
to make a very conscious and deliberate decision as to the 
impact of the shutdown of those systems. I would have had to 
shut down the processing of the annuity checks to retirees. I 
would have had to shut down the system that does background 
investigations for the Federal Aviation Administration (FAA) or 
for the Transportation Security Administration (TSA). It would 
have meant that those individuals and the needs that those new 
hires and the services they would provide would not have been 
able to be provided.
    I made a conscious decision that we would move forward with 
this, but would make improvements as rapidly as possible, and 
we have done that. And the opportunity to work with the IG, I 
would say, is one that I feel is an important part of 
everything that we think about, but I also know that I have 
responsibility in many areas across OPM.
    Senator Booker. OK. Mr. Scott, you are America's Chief 
Information Officer. It is obviously a very important and big 
task, and I want to ask you very specifically: Do you believe 
Ms. Archuleta and Donna Seymour are equipped to lead the 
efforts to shore up OPM's cybersecurity in the wake of these 
attacks? Do you believe that their leadership is capable of 
dealing with this tremendous trial?
    Mr. Scott. I do, sir, and I have spent time on the ground 
with the teams that are in OPM doing the work, both from DHS 
and the OPM teams. They are working really hard and doing the 
right things. I have talked to them about the leadership that 
they are getting from both Director Archuleta and Donna 
Seymour, and they tell me that they are very supportive of the 
efforts and the leadership that they see there. And the one 
comment I would make is I think we need to be careful about 
distinguishing fire starters from fire fighters in this 
particular case, and they have my full support.
    Senator Booker. And you have a tremendous professional 
background. You understand the field not only in the private 
but the public sector. Given you know what you know going on 
around the country and meeting these attacks that are 
happening, frankly, the incredible nature of attacks going on 
on dozens of companies that are all name brands, things we have 
seen in the media, given that whole field, do you think she is 
the person equipped to do the job, as you say, of firefighting?
    Mr. Scott. Yes, sir, and I have been impressed with the 
deployment of the additional tools. I would say, the work that 
is going on in OPM right now would serve as a template and a 
model for work that other agencies need to do as well. We are 
learning on this across the whole Federal Government, and one 
of the goals of my office is to take all those lessons learned 
and apply them broadly across the Federal Government, working 
with my colleagues in DHS and elsewhere. We have to learn from 
this, and we have to be much faster as a Federal Government in 
responding to what is a very rising and fast rising and fast 
morphing set of threats. This is not a small challenge.
    Senator Booker. I appreciate that.
    Ms. Archuleta, there have been at least two instances of 
OPM systems being hacked. Could you just explain please how the 
first and second breaches occurred, what steps you have taken 
to prevent a future breach, and what have you done to protect 
the dedicated public servants who have been affected by this 
breach?
    Ms. Archuleta. Certainly. Thank you for that question. The 
first breach occurred in April to the employee personnel 
records. As a result of the investigation around that, we found 
the second breach later. The forensic part of it I think my 
colleague Andy Ozment would be better able to respond to, but 
since that time, we have instituted even more security measures 
into our system, and at this time we are unaware of any other 
efforts to come into the system. And we are obviously 
monitoring that constantly 24/7 through our center.
    Senator Booker. And if you can answer this question 
quickly, Dr. Ozment will have a chance to add to that question. 
But there have been much pointed questions toward you about the 
discrepancies between the numbers. The first attack, everyone 
was consistent. We knew what those numbers were. This attack, 
they are not being consistently reported, as has been pointed 
out by my colleagues, and we are having these varying numbers. 
Can you just explain why that is, hopefully leaving about 20 
seconds of my 90 seconds----
    Ms. Archuleta. Yes, that is what I mentioned in my opening 
statement, sir. The first incidence was 4.2 million, and we 
have not determined the scope of the second incident yet.
    Senator Booker. And you had some pointed questions as to 
why that is, why are there varying numbers.
    Ms. Archuleta. Because I do want them to be accurate.
    Senator Booker. And so you are holding back giving a number 
until you have all the information.
    Ms. Archuleta. We have a team that is doing the analysis 
even as we speak to make sure that we will announce an accurate 
number.
    Senator Booker. Right, so to be premature would be to be 
inaccurate.
    Ms. Archuleta. That is exactly right.
    Senator Booker. I do have 55 seconds, sir. Could you just 
add a little bit more to what is being done?
    Mr. Ozment. Absolutely. I can speak to the timeline of the 
incident itself. In April, OPM detected this incident because 
they had been rolling out security capabilities over the last 
year and a potentially additional timeframe. So if they had not 
rolled out those capabilities, we would never know that this 
intrusion----
    Senator Booker. So the upgrades you all were doing in order 
to promote better hygiene, in order to do the right things, was 
the reason why we detected the attack that had occurred more 
than a year earlier?
    Mr. Ozment. That is right. So OPM's upgrades are what 
detected the attack. They notified DHS, my organization, 
immediately. We used the information they provided to detect 
the second intrusion at the Department of Interior Data Center. 
And the team since then has been on the ground doing the 
forensics analysis. In May, they were able to assess with high 
confidence that the 4.2 million personnel records had been 
exfiltrated from the Department of Interior Data Center. That 
is OPM's data but at the Department of Interior Data Center.
    In June, they assessed that some amount of information had 
been exfiltrated from OPM itself, but, it is complicated 
databases, and that is the analysis OPM is currently doing to 
figure out what exactly what the data that was taken.
    Senator Booker. Thank you, Dr. Ozment.
    And, Mr. Chairman, thank you for your deference to the 
people in New Jersey.
    Chairman Johnson. Thank you, Senator Booker. Always looking 
out for the folks in New Jersey--and Iowa. Senator Ernst.

               OPENING STATEMENT OF SENATOR ERNST

    Senator Ernst. Thank you. Thank you, Senator Booker, and 
thank you, Ranking Member. Thank you, Mr. Chairman, very much.
    This is a significant data breach. We will talk about this 
all the day, but bottom line, we need to see some action on 
this immediately.
    Mr. McFarland, thank you for being here today. We have 
heard in your testimony, we have seen your Flash Audit Alert 
that was released by your office earlier this month, and in 
that audit alert, you did highlight your serious concerns 
regarding OPM's management of its new IT project, the 
improvement project. And I cannot overstate the importance of 
project management, particularly with respect to projects as 
complex and important as this particular project.
    In fact, just yesterday in this Committee, we did approve a 
bill introduced by Senator Heitkamp and myself which will focus 
on improving program management in the Federal Government, and 
I would be interested to learn from you just a little bit more 
detail about your concerns to OPM's management of this IT 
improvement project.
    Mr. McFarland. Yes, Senator. I think a good start here and 
a good example would be the fact that anyone doing a capital 
investment in the IT world, at least my understanding--and I 
can be corrected if I am wrong--by OMB's regulation is required 
to do a business plan known as Exhibit 300. That has not been 
done by OPM, yet I do hear in the last few days information 
that OPM and OMB are working very closely together. And I do 
not doubt that. But my concern is something as simple and 
straightforward as a business plan, if it is not completed--and 
we hear it is completed by OPM, and then our documentation that 
we requested shows that it has not been done, I would like to 
find out--I do not necessarily want to use this forum for my 
question, but I think it goes to the heart of your question. 
What has happened with this business plan? Has it been done or 
not?
    Senator Ernst. And that to me is significant failure that 
the fact that something so simple as a business plan cannot be 
produced for this project, which left millions of Federal 
employees and their data at risk.
    So, Ms. Archuleta, I do want to follow up, because it sounds 
like now there is a request for additional dollars, and what we 
want to ensure is that if the dollars are allocated, that it 
will actually be put toward this project and that we do see 
results and that it is managed wisely. I cannot say that 
dollars we have put forth so far have been utilized maybe to 
the best of the taxpayers' interests.
    So if you could address that, just give us that assurance 
that this will be handled.
    Ms. Archuleta. Thank you. Thank you for that question. In 
his Flash Audit, the Inspector General recommended the 
completion of a major IT business case document for fiscal year 
2017, and I actually look forward to discussing with the 
Inspector General the practical implications of completing such 
a document for submission for fiscal year 2017. We are in an 
urgent situation. I do understand, though, his concerns, and I 
would like to assure him that all of our decisions are being 
tracked, documented, and justified, and that we are working 
very closely with OMB.
    As I mentioned earlier, I think that the Flash Audit 
discussions need to occur between me and the IG, and we will do 
that. Our staffs are meeting next Tuesday, and I am sure Mr. 
McFarland and I will meet immediately following. The important 
thing is that we address his concerns, but I think the other 
thing is that we move quickly. As Tony and Andy have already 
described, we are in a very urgent situation. So we need to 
balance and make sure that we are doing all the things that the 
IG has described, but as well, we understand the urgency of 
moving forward aggressively.
    Senator Ernst. I do appreciate that, but this is rather 
late, and in retrospect we cannot go take back the data that 
has been captured by whoever this person or entity is out there 
that has gotten into the system, who has breached and gotten 
this data.
    One thing that maybe we have not discussed yet is the fact 
that not only do we have millions of Federal records, and 
employee records that were breached, but I know when I filled 
out the applications for security clearances in the military, 
not only was my personal information on those forms, but I had 
to list references on those forms. Their information is also 
included in this.
    So we have not only millions of Federal employees, 
potential Federal employees, but all of their references' 
information is there as well. How many more millions of people 
are we talking about? Have we alerted those people? And what is 
going to be done to follow up on their information as well?
    Ms. Archuleta. Thank you for that question. It is an 
important question, and I agree with you totally. I am as upset 
as you are at the fact that these documents or this information 
has been breached.
    Here is what we are doing, as I mentioned in my testimony, 
and why I cannot give a number right now. When we look at, for 
example, the background investigation, there is a lot of 
information in that. Some of that contains, if there is a--some 
of it does contain personally identifiable information (PII), 
and some of it does not. And so as we are analyzing the type of 
data that is in these files, those are the things that we are 
looking at, because we care as deeply as you do that we notify 
those who have been affected by this, and also understand those 
who have not been affected, even though you may have mentioned 
them in your SF-86. We are doing a complete analysis of that, 
and that is why I am very hesitant not to put out a number 
until we are absolutely sure we have looked at the whole range 
of possible impact.
    Senator Ernst. Thank you today for the testimony.
    Yes, sir?
    Mr. McFarland. Senator, if I may make one other point? Is 
it all right?
    Senator Ernst. Yes.
    Mr. McFarland. The funding is a prime example of our 
concern. It is all over the board. The situation basically is 
in 2015 OPM is dealing with $32 million. In 2016, they are 
asking for another appropriation of another $21,000. In the 
meantime, DHS has provided them $5 million. And the other $67 
million from what I understand, is supposed to come from the 
program areas at OPM. That is so sporadic. It just does not 
hold water from our perspective as to having a funding source 
ahead of time for the full project. It is like playing catchup, 
and the worst part of that is that the OPM program offices are 
going to be tasked to pay for that from their program office 
funds, appropriated funds, for the migration of each of their 
systems, instead of having a big picture of funding very 
clearly for everybody. Plus I think, the OMB is very much in 
favor of having transparency, and this just avoids 
transparency. It subsumes the money coming from program offices 
instead of a dedicated source of funding.
    Senator Ernst. Thank you. I think that is an exceptional 
point.
    Thank you for allowing the additional response.
    Chairman Johnson. Thank you, Senator Ernst. I do want to 
point out, as best as I can determine, the information given to 
me, we spend something like $80 billion per year on IT systems 
in the Federal Government. So this is a problem of management; 
it is a problem of prioritization. And that is why I pointed 
out in my opening statement that this should be a top priority 
of the Federal Government. If it was made a top priority, there 
should be plenty of funding within the current budget to 
provide this kind of security. Senator Carper.
    Senator Carper. It has been raised who was behind this 
hack, this latest hack at OPM, this series of hacks, and 
someone just gave me a copy of an article that quotes FBI 
Director Comey, and it says: ``There are two kinds of big 
companies in the United States. There are those that have been 
hacked by the Chinese and those who do not know they have been 
hacked by the Chinese.''
    It goes on to say that, ``They are prolific. Their strategy 
seems to be we will just be everywhere all the time, and there 
is no way they can stop us.''
    It goes on to say, ``Bonnie and Clyde could not do a 
thousand robberies in the same day in all 50 States from their 
pajamas halfway around the world.'' Those are the words of 
James Comey. I thought I would just share them with all of you 
today as we reflect on our inability to do a perfect job 
protecting our sensitive information within the Federal 
Government.
    I am going to go from here to a hearing on how do we fund 
transportation in our country, and I think there is a corollary 
here, Ms. Archuleta, between your failure to be able to come in 
and in 18 months to turn this around. I think there is a 
corollary here, and I will just use transportation. I think we 
need to be fair, OK? I am a Navy guy, I think my colleagues 
know. We have a tradition in the Navy. If you are the 
commanding officer of the ship, your ship runs aground in the 
middle of the night, you were sound asleep in your wardroom, we 
hold the captain responsible. Some people say that is not fair, 
but that is our tradition in the Navy. You are the captain of 
the ship, and so you are held responsible, whether that is fair 
or not.
    Having said that, I am reminded of a situation where let us 
say--and we are not talking about personnel management. Let us 
say we are talking about transportation in our country. We all 
know we have roads, highways, bridges, and transit systems that 
are decrepit, failing, and we need to do something about it. 
Let us say we confirmed a Secretary of Transportation 18 months 
ago. We do not give that Secretary of Transportation the money, 
which we are not doing, that is needed to be able to fix our 
roads, highways, bridges, and transit systems. And not only 
that, we do not confirm a Deputy to be part of the team, the 
leadership team at the Department of Transportation (DOT). It 
has been 4 years since we have had a Deputy, and, again, in the 
Navy, you have a commanding officer. You are the commanding 
officer. The Deputy is the executive officer, and this 
important agency has been without an executive officer for 4 
years.
    Part of that responsibility is the administration because 
they did not send us somebody, they did not send us a name for 
a long time. But they did last year. They sent us a great guy, 
a Navy guy, Naval Academy, commanded ships, aircraft squadrons, 
has all kinds of credentials, and we need to get him confirmed. 
This Committee has done its job. Now we have to get him 
confirmed so you have the help that you need.
    In terms of the help that you need, this Committee I think 
did some pretty remarkable things last year in terms of 
legislation. We took the old Federal Information Security 
Management Act and we modernized it. That is being implemented 
now. We said the Department of Homeland Security does not have 
the kind of workforce capabilities that they need to hire and 
retain the sort of talent that they need to fight these cyber 
wars. We have addressed that. You are beginning to use those 
skills at DHS.
    We took your ops center, the so-called National 
Cybersecurity and Communications Integration Center (NCCIC), 
and made it real. We authorized it, said this is the real deal, 
and let us just not pay attention to them but let us give them 
the authority they need.
    We said let us look at our Federal information technology 
and our acquisition systems and see what we can do to reform 
them and give them the kind of oomph that they require. We have 
done all those things. We have done all those things. But there 
are some things we have not done. There are some things we have 
not done. I have heard enough on EINSTEIN 3 in the last week 
that I am convinced that that is something we ought to do. And 
EINSTEIN 1 and EINSTEIN 2, good start, but 3, 3A is obviously 
important. Andy, I thought you gave us a real good explanation. 
I want to ask you to come back and just explain again external, 
internal, the idea of the building, the locks, the vault 
inside, and how EINSTEIN 3 actually interfaces with--I think 
you called it CDM, the Continued Diagnostics and Mitigation 
approach, which is more like the inside protection as opposed 
to EINSTEIN 2, which is the outside protection. Would you just 
run that by us again? I thought it was a very helpful 
explanation.
    Mr. Ozment. Certainly. The most important concept here is 
the concept of defense in-depth, that there is no one tool, no 
one security measure that solves the security challenge. Just 
as in a physical building you have multiple layers of 
security--a fence, guards, cameras, locks on doors--you have to 
have the same in cybersecurity.
    EINSTEIN is that perimeter system. It is the fence and the 
guard houses and the cameras around the perimeter of the 
government. It is equally important that you have security on 
the inside. Agencies have to do more of that internal security 
based upon their unique needs and missions, but Continuous 
Diagnostics and Mitigation is a program we have to help 
agencies with that, where we are buying capabilities on behalf 
of those agencies. They choose from a menu that suits them and 
roll it out. And those capabilities will come in three phases.
    The first phase is the equivalent of a guard that goes 
around and checks that all the buildings are locked, that all 
the doors and windows are closed, basic security measures to 
make sure that they are in place.
    The second phase of CDM opens the doors to the buildings 
and checks who is on the inside. Does that person--are they 
authorized to be in this building? Are they doing things that 
they are permitted to be doing?
    And then the third phase is like a very smart security 
guard that goes around and just says, Hey, I see something 
unusual, we need to look at that, because that behavior, that 
thing I see inside this facility, that does not belong here.
    Those are the three phases of CDM looking inside the 
building.
    EINSTEIN, which is that perimeter, the first phase was just 
a camera. Here are the cars coming in and out. Record the cars. 
If there is an unusually large number of cars, set off an 
alarm.
    The second phase added a watch list: Hey, this particular 
blue car is not supposed to enter this facility. Set off an 
alarm.
    The third phase, which we are currently rolling out, is 
like a gate. It is a guard house and a gate. The gate stops the 
malicious car from entering the facility, but the other great 
thing is, because it is a guard house, we can add different 
security capabilities to it. We can add new cameras. We can add 
new gates, additional guards. It is a platform that we can add 
new capabilities to over time.
    So while we are first focused on rolling it out across the 
government and building that first gate, we are also looking to 
the future and saying what other capabilities can we add to 
this guard house.
    Senator Carper. Excellent explanation. Thank you so much.
    Chairman Johnson. Senator Lankford.

             OPENING STATEMENT OF SENATOR LANKFORD

    Senator Lankford. Thank you. Thanks for all your 
preparation and being here. I know this is not what you wanted 
to be able to do today. There are lots of other things you 
would like to be able to do outside on a beautiful day like 
that than be in here with us. But we have a lot of things to be 
able to deal with in the days ahead on this.
    Ms. Archuleta, let me clarify a couple things with you. You 
made the statement about the first intrusion, second intrusion, 
and the 4.2 is from the first intrusion. So just to clarify, 
none of the letters that have gone out have been connected to 
the breach dealing with the background security, so the letters 
that went out, all of them are related to the first breach, 
none of those letters related to the second.
    Ms. Archuleta. That is correct, sir.
    Senator Lankford. OK. You and I had an interaction just a 
couple of days ago, and we were talking about the development 
of the plan. By the way, I mentioned to you we had sent you a 
letter from the Subcommittee that I chair on this Committee, 
and your staff has been very prompt to be able to get back to 
us on that, and I appreciate that, to be able to get back on 
those details.
    One of the questions I had asked about was the 
cybersecurity plan development. You had mentioned your CIO and 
the Chief Technology Officer (CTO) had led the effort to put 
this together, but one thing I am going to need clarification 
on, among several--and we will reply back to you formally on 
this--is the 
contractor that was the adviser, or was there an outside 
adviser to the CIO and CTO when they were putting the cyber 
plan, or did they completely put that plan together in-house?
    Ms. Archuleta. No, our plan was developed in-house. The IT 
security plan was--the IT implementation plan was built 
in-house.
    Senator Lankford. OK. Also in our interaction from a couple 
of days ago, I had asked about the statement that has been made 
about authorizing systems. There are 47 total systems that are 
out there, that there were 11 systems that were reported not 
authorized at that point. You said, no, 10 of those had been 
authorized, there is one of them that is an outside contractor 
that has not.
    From the IG's testimony today, I noticed the statement: 
``In April, the CIO issued a memorandum that granted an 
extension of the previous authorizations for all systems whose 
authorization had already expired, and for those scheduled to 
expire through September 2016. Should this moratorium on 
authorizations continue, the agency will have up to 23 systems 
that have not been subject to a thorough security controls 
assessment. The justification for this action was that OPM is 
in the process of modernizing its IT infrastructure and once 
this modernization is complete, all systems would have to 
receive new authorizations anyway. While we support the OCIO's 
effort to modernize its systems, this action to extend 
authorizations is contrary to OMB guidance, which specifically 
states that an `extended' or `interim' authorization is not 
valid. Consequently, these systems are still operating without 
a current authorization, as they have not been subject to the 
complete security assessment process that the authorization 
memorandum is intended to represent. OMB does not require 
authorizations every 3 years if the agency has a mature 
continuing monitoring program in place. Our audit work has 
found that they do not.''
    So the question is: The authorizations that are in place, 
are they done by fiat basically of the agency saying we are 
working on this, or have they actually gone through the actual 
authorization process?
    Ms. Archuleta. We have worked very closely with OMB, and 
they are aware of the process that we are using on these 
authorizations, and that understanding where we are in the 
process of moving toward new systems. So we have complete 
concurrence with OMB on these authorizations. So we are in 
compliance, and we are working on the final one that we noted 
as rapidly as possible.
    Senator Lankford. So the question there on compliance is 
OMB has changed what their typical ruling is----
    Ms. Archuleta. There are circumstances that allow us, 
because of the situation that we are in in terms of migrating 
and because of the legacy of our systems, yes.
    Senator Lankford. OK. Mr. McFarland, any comments on that 
at all?
    Mr. McFarland. Well, that is not my understanding. My 
understanding is that what you just said, Senator, about the 
continuous monitoring exception, if it is mature. OPM does not 
have a mature continuous monitoring program.
    Now, if OMB has made an exception, we have not been 
notified of that.
    Senator Lankford. OK. The very rapid path that you had to 
take to deal with credit monitoring, to be able to notify and 
provide credit monitoring for 4 million people at this point, 
had to come together very quickly. My understanding of the 
contracting on that, you put out on a Thursday, gave 2 days and 
said anyone who wants to bid on this needs to have it finished 
by Saturday and to be able to get the bid on, and you let that 
out immediately the next week on that. The contractor that was 
involved, is that someone that OPM has used before or is 
familiar with? Or how did this process come together that 
quickly? Because that is something obviously pulling that 
together extremely fast.
    Ms. Archuleta. The contracting office actually does handle 
that process, and on May 28, they posted the RFQ, and it closed 
on May 30. And they did receive several responses. We worked 
first with the General Services Administration (GSA) list, and 
we found that there were not vendors on that list that met the 
requirements that we needed, and that is why we moved rapidly. 
We wanted to be sure that we were able to notify individuals 
very quickly, and that is why we used a very rapid turnaround.
    We also find that the companies that were--the types of 
services we were looking for, those companies are used to that 
type of timeline, and so that is why we were able to get the 
three responses that we did.
    Senator Lankford. I do not know what kind of feedback you 
have had so far on this, and this is just one of those 
rolling--once things get hard, they just continue to get harder 
for a while. But the contractor in question that has handled 
this has dealt with numerous website crashes from, obviously, 4 
million people hitting their site and has not been able to 
sustain it. Even some of my own staff that have received a 
letter cannot seem to get on their website and to be able to 
get going on the credit monitoring. So while the contractor 
that was placed in this was fast in the turnaround, they do not 
seem to be able to sustain on the other side of it. Have you 
had any other input on that?
    Ms. Archuleta. I am very frustrated by sort of the initial 
steps that the contractor faced, and we are meeting with them 
on a daily basis to improve the services to our employees. Our 
employees deserve quick answers. They need to begin on a 
website. If they do not, they should not--if they cannot get to 
a call center employee, for example, they should not have to 
wait on the phone, and that is why we instituted a service 
similar to the Social Security Administration (SSA) where there 
are callbacks.
    We think it has worked better, but we have learned a lot 
from this and are noting very carefully as we look at the next 
notifications, what areas we need to improve upon.
    Senator Lankford. The questions will be--every agency head 
across the entire Federal family is going to want your notes 
from the past month, because the best thing that we can do is 
to be able to get our technology up to speed so that we have 
fewer instances like this, but also have preparation for when 
something actually occurs. So I hope you will be able to share 
some of those very quickly written notes, because there is a 
lot that has to be put into place to be able to help clean this 
up.
    Ms. Archuleta. Thank you, sir.
    Senator Lankford. Thank you.
    Chairman Johnson. Senator Sasse.

               OPENING STATEMENT OF SENATOR SASSE

    Senator Sasse. Thank you, Mr. Chairman.
    Director Archuleta, this is the fourth briefing, I believe, 
on this topic in the last week. It is not surprising that new 
details keep coming out, but I think what is frustrating and 
confusing for many of us is that many core elements of the 
timeline have shifted over the week. So I would like to just 
walk through a basic timeline of events and have you help me 
understand if we have some of these facts correct.
    We heard in one setting this week that March 2014 is when 
OPM was first breached. That is not accurate, is it?
    Ms. Archuleta. In March 2014, there was adversarial 
activity in the OPM network that dated back to November 2013, 
and no PII was lost during that.
    Senator Sasse. How was that November 2013 breach detected 
and by whom?
    Ms. Archuleta. We detected that adversarial activity, and 
we worked with DHS on the forensics of that.
    Senator Sasse. OK. Dr. Ozment, that is your understanding 
as well?
    Mr. Ozment. Certainly. I will elaborate on the timeline, if 
you do not mind, because it is quite confusing. There was an 
incident in 2014, March 2014, at OPM. DHS has received a tip 
from an interagency partner and reached out to OPM, and we 
worked together and found that intrusion, as the Director 
noted, and that intrusion dated from November 2013.
    We now, of course, have two incidents or potentially two 
events that are the same incident. The terminology is not great 
here.
    Senator Sasse. That is an important distinction, though, 
isn't it? Because the notifications both to the Congress, 
potentially to folks in the White House, and ultimately to 
whatever the right number is, north of 10 million, all those 
things will be implicated based on whether or not there were 
one or two events.
    Mr. Ozment. There are clearly two events right now: the 
Department of Interior Data Center that hosted the 4.2 million 
OPM personnel records, and the breach at OPM itself where the 
analysis is still occurring to identify how much data was 
stolen. I think the key distinction is, who is the adversary 
and was it the same adversary in both cases, and for that I 
would have to defer to law enforcement and intelligence to 
speak to that. But, clearly two different locations, two 
different sets of data involved.
    Senator Sasse. Thank you.
    Director Archuleta, you said that the attackers got into 
OPM's network through a credential that was given to a KeyPoint 
contract employee who was working on background investigations, 
correct?
    Ms. Archuleta. That is correct, sir.
    Senator Sasse. At yesterday's hearing, we learned that no 
personally identifiable information was stolen in that breach, 
but blueprints for the mainframe were. Is that your 
understanding?
    Ms. Archuleta. I think we were talking about--I want to be 
sure which one. That was in March 2014. I think there are two 
different incidences that----
    Senator Sasse. But what was gotten in November 2013?
    Ms. Archuleta. In November of--OK, I am sorry, sir. I 
misunderstood the question. I apologize.
    Senator Sasse. Thanks.
    Ms. Archuleta. As I understand it, in November 2013, while 
no PII was lost, there was an extraction of some manuals. As 
Donna Seymour testified yesterday, as did the representative 
from DHS, those manuals are common manuals that could be bought 
in a store.
    Senator Sasse. And what information was on the mainframe 
computers that they got the manuals to?
    Ms. Archuleta. I would have to get back with you, sir, on 
that. I do not know exactly.
    Senator Sasse. I believe it has been reported that it was 
security clearance background information. Dr. Ozment, do you 
think that is correct?
    Mr. Ozment. I would have to defer to OPM on that.
    Senator Sasse. It has been publicly reported that just a 
few months later, in June 2014, USIS, another OPM contractor 
working on security clearance investigations, reported that it 
had also been breached. Is that correct?
    Ms. Archuleta. Yes.
    Senator Sasse. And what was stolen from USIS?
    Ms. Archuleta. There was OPM data impacting approximately 
2.6 thousand individuals.
    Senator Sasse. 2.6 thousand?
    Ms. Archuleta. Yes.
    Senator Sasse. And that was security clearance information, 
but it was on laptops?
    Ms. Archuleta. I believe, sir. I would have to get back 
with you on that.
    Senator Sasse. Earlier this week, you were asked about a 
separate breach at KeyPoint which was discovered in September 
2014. We believe in our office that that breach occurred in 
August 2014 and that 49,000 security clearance holders' records 
were breached. Do you think that is accurate?
    Ms. Archuleta. The adversarial activity dated back to 
December 2013, sir.
    Senator Sasse. OK, but didn't you just a minute ago say 
that the only thing captured in November and December 2013 was 
the manuals?
    Mr. Ozment. Sir, I can jump in and speak to that.
    Senator Sasse. Please.
    Mr. Ozment. The first incident that Director Archuleta is 
referring to is an incident that was detected in March 2014 at 
OPM and the activity at OPM that was detected in March 2014 
dated back to November 2013.
    Separately, the activity at USIS, a contractor to both OPM 
and DHS, dated back to April 2013. Separately, the activity at 
KeyPoint dated back to December 2013.
    Senator Sasse. OK. So in addition to that distinction, you 
said in your testimony that there was an October 2014 Interior 
Department breach. Can you tell me what records were being 
housed at Interior?
    Mr. Ozment. I would defer to OPM in general, but I----
    Ms. Archuleta. It is the employee personnel records.
    Senator Sasse. So this is all non-security clearance 
information from the Interior breach.
    Ms. Archuleta. The 4.2, yes.
    Senator Sasse. OK. And in December 2014, what was the OPM 
breach in December?
    Mr. Ozment. The breach that was--that started in--my 
apologies.
    The most recent OPM investigation where OPM is still 
ascertaining which background investigations were compromised 
was detected in April, but the activity ran from May 2014 
through April, although the intruder was most active on the 
network from June 2014 to January 2015. I am not sure what you 
are referring to with the December 2014 data.
    Senator Sasse. I am trying to confirm that there were 
security clearance background investigations in that breach as 
well. I think one of the reasons we care about this is because 
in March 2014's breach, we have been told that blueprints to 
the mainframe were all that were stolen, and then that same 
mainframe I believe was hacked in December 2014. And if that 
is true, I am wondering if any systems that did not have the 
manuals taken were actually hacked with secure background 
investigation in December 2014. If not, calling these mere 
``manuals'' is inaccurate.
    Ms. Archuleta. Can we get that information back to you in a 
full list, sir?
    Senator Sasse. Sure.
    Ms. Archuleta. So it would describe it.
    Senator Sasse. We have about a 10-page letter to you on 
Monday, and so we would be grateful for info to that being 
added to that response.
    Ms. Archuleta. We are actively responding, sir. Thank you 
very much.
    Senator Sasse. I have more questions, but I will wait until 
the second round, if the Chairman wants to go first.
    Chairman Johnson. Thank you, Senator Sasse.
    Dr. Ozment, based on Senator Sasse's questions, I mean, 
obviously there has been a lot of activity. You combine the IG 
reports that have been showing the lack of security or the 
material problems with security. Just trying to get this all 
straight, it is difficult.
    Is it true that DHS did write a mitigation plan based on 
that November 2013 attack?
    Mr. Ozment. Yes, Senator. When DHS' Incident Response Team 
goes onsite to any incident, as part of their report out of 
that incident, they say here are some of the steps that we 
recommend that an agency take to bolster its defenses. It is 
not a complete plan. It is not a ground-up look at a network. 
It is based on what we saw and our time here, we recommend that 
you make the following changes.
    Chairman Johnson. OK. I am not sure our Committee has 
access to that plan, so can you provide that to the Committee, 
please?
    Mr. Ozment. I will take that back, sir.
    Chairman Johnson. I appreciate that. Rather than start a 
second round right away, I will just defer to Senator Portman 
for your first round.

              OPENING STATEMENT OF SENATOR PORTMAN

    Senator Portman. Great. Thank you, Mr. Chairman. Thanks for 
having this hearing. It has been very helpful, I think, for all 
of us to have an exchange of information. It has also been very 
troubling, to be frank with you. And, one of my concerns from 
the start of this has been about the nature of the information 
that these hackers have received and specifically information 
that is very sensitive. As was mentioned earlier in the panel, 
the SF-86 is a form that you have to fill out to get a security 
clearance, and it includes highly confidential information, 
mental health history, issues about your personal life and so 
on that in the wrong hands can be very damaging, not just to 
that individual but also to our national security.
    And so one of the concerns that I would like to raise with 
you today is the extent to which this information you believe 
might be in the hands of our adversaries, and specifically, 
what are we going to do about that?
    I realize that there are some sensitive matters here being 
discussed, but I think this has all been sort of out in the 
public, and if there is something you believe should not be 
discussed in this setting--I know the Chairman is very eager to 
get this information also--we would be happy to talk to you 
about it in a more classified setting.
    So my first question, Dr. Ozment, is to you: Are we any 
closer to knowing what the scope of information was that has 
been accessed on this Federal Investigative Services (FIS) 
systems? Was it the SF-86 forms? Was it investigatory notes and 
supporting documents? They are also part of background 
information. And tell us what we know about that.
    Mr. Ozment. Senator Portman, I will start the answer to 
that question, and with your permission, I will ask Director 
Archuleta to complete it.
    Anytime you are trying to assess the impact of an 
intrusion, you have two activities that have to take place. 
First, the forensic investigators have to figure out 
essentially where did the adversary go, what did they have 
access to, and what did they do with the information they had 
access to. And you are rarely working with full evidence. If 
you think about a physical crime scene, you are looking for 
fingerprints, you are looking--did somebody leave a half-smoked 
cigarette? You are looking for clues, and that is what our 
forensics investigators are doing. It takes time, and 
sophisticated adversaries try to erase their tracks. They wear 
gloves so they do not leave fingerprints. And that is definitely 
the case here.
    Senator Portman. So what do we know?
    Mr. Ozment. So what we know is we continue to look at 
systems and see where were the adversaries, were they on the 
system. We then have to work with OPM, and OPM has to say this 
is what was on the system, which means that we can say the 
adversary was here. They have to be able to say this is what 
was on the system. And I will ask Director Archuleta to speak 
to that.
    Ms. Archuleta. I am glad to speak to that. In early June, 
our forensics teams advised the interagency--well, they advised 
me, I will just say that, they advised me that there was a high 
confidence that the background investigation records had been 
compromised.
    Senator Portman. OK. Let me ask you another question. Dr. 
Ozment, there has been some discussion regarding whether these 
adversaries might have manipulated data in the background 
investigation databases that we have just heard from the 
Director she has high confidence that those have been breached. 
They could have actually manipulated data in our Federal 
Government systems with regard to these background 
investigations, for example, to change the outcome of a 
clearance adjudication, remove derogatory information, maybe 
add derogatory information.
    Can you tell us anything about that possibility?
    Mr. Ozment. Sir, I can speak broadly. The adversary did 
have the type of access that could allow them to change 
information. I cannot speak to whether that change of 
information would allow them to do any of the things that you 
have specifically suggested there. I will say----
    Senator Portman. Is it possible?
    Mr. Ozment. It is possible to change information. The 
implications of that I cannot speak to. I will say--and I do 
not want to speak for my intelligence community colleagues, but 
I will repeat what they said in a prior session, which is--and 
law enforcement colleagues, which is they view that as 
unlikely.
    Senator Portman. Is it possible that adversaries 
responsible for the breaches have also manipulated the data in 
the background investigation database itself?
    Mr. Ozment. I can say that the adversaries had the type of 
access that would allow them to manipulate some types of data. 
I do not know specifically what was on the databases that they 
had access to. I would have to defer to OPM for that.
    Senator Portman. Yes. Director Archuleta, one thing we 
talked about earlier is why we have not responded more quickly. 
When did you first learn about these breaches?
    Mr. Ozment. We were notified of the breach that you are 
describing. The first breach occurred--I will talk about both 
incidents. The first breach occurred in April, and----
    Senator Portman. April of this year?
    Ms. Archuleta. April of this year, and we were notified of 
the high--as I mentioned earlier, we were notified of the 
second breach, the high probability of extraction or exposure 
in June.
    Senator Portman. So these background investigations we are 
talking about here, the highly sensitive information, we have 
known since June. Is that correct?
    Ms. Archuleta. Yes, sir.
    Senator Portman. We did not know before that?
    Mr. Ozment. No, sir.
    Senator Portman. We talked earlier about your not having 
met with the Director of the FBI despite these incredible 
discrepancies in the information we are receiving from the two 
agencies. So I would hope the conclusion there is that you all 
are going to get one story for the American people. My 
constituents want to know, including the 10 million people who 
are wondering. Have you met with the Secretary of Defense or 
the Director of National Intelligence (DNI) about this breach 
in the background information database and the potential impact 
it could have on their employees?
    Ms. Archuleta. I have not met with them personally, no.
    Senator Portman. I would think that would be another 
obvious thing to do. I mean, my concern, again, was the concern 
I think every American should share, which is the most 
sensitive information and the most important national security 
agencies has now potentially been compromised. And I would hope 
that the FBI Director who leads our counterintelligence efforts 
as well as Secretary of Defense and DNI would be involved in 
this effort.
    Ms. Archuleta. May I just say that because I have not met 
with him does not mean that they are not engaged in this 
effort. The intelligence community issues are issues I know 
that they are meeting about, but those are not issues, as I am 
on the personnel records, that I am included in. But I do know 
that there have been meetings about that with them.
    Senator Portman. One final question, and this just sort of 
comes to me as we have been listening today to the testimony, 
who should have this information, the most sensitive 
information we talked about. The Department of Defense (DOD) 
used to have it. OPM has it now. Clearly, with these breaches, 
this should be revisited. So I would ask you, Mr. Scott, do you 
believe the Department of Defense is a better place to have 
this sensitive information? Are they better prepared to handle 
it?
    Mr. Scott. I have to say, Senator, I am fairly new to the 
Federal Government, and I do not have a comprehensive view at 
this particular point. This 30-day sprint that we are doing 
will look across a wide range of policy, practice, 
organization, resourcing, and a number of other things, and 
that certainly we can put on our list as something to come back 
with----
    Senator Portman. The Federal Investigative Services is a 
specific area, Mr. Scott. We would appreciate your input as to 
where you think that ought to reside. I do not know if you, Mr. 
Ozment, or you, Ms. Archuleta, have thoughts on that.
    Ms. Archuleta. As a suitability agent, I work very closely 
with our security agent and OMB to really discuss the 
improvements that need to be made throughout the Federal 
investigative background, and we have been working on that 
together and take very seriously that responsibility. I think 
we do a good job at this, and because we do work very closely 
with our partners on it, especially with DOD, to make sure that 
they are getting the type of background investigations and the 
quality and the timeliness that they deserve, and we are 
working very hard at that and making improvements all the time 
to be sure that we are delivering the product they deserve.
    Senator Portman. Thank you. My time has expired.
    Chairman Johnson. Thank you, Senator Portman.
    I just want to kind of get the timeline straight on these 
breaches we are talking about that are the subject of this 
hearing. The breach that involved personnel information 
occurred in December 2014 and was discovered in April of this 
year, about 4 months later. Is that correct, Director 
Archuleta?
    Ms. Archuleta. Yes, sir.
    Chairman Johnson. And the breach that involved all the 
background information, very sensitive national security 
background information, that occurred a year ago in June 2014, 
and basically took 12 months to discover. That was actually 
discovered because we implemented some--is it a dual 
authentication process and we actually prevented them from 
continuing to exfiltrate information?
    Mr. Ozment. Sir, if you will, I will recapitulate the full 
set of dates, because I think you are right, it is extremely 
important.
    The Department of Interior Data Center--and as you know, 
the investigation on all of these continues, so we learn new 
information all the time. All of these were discovered due to 
the April 2015 discovery, so OPM rolled out new security 
technologies, as they had been rolling out new security 
technologies, detected an intrusion on their networks in April 
2015. They gave DHS the cyber threat indicators, similar to 
what is being discussed in information-sharing legislation. We 
used those and identified the breach at the Department of 
Interior.
    The breach at the Department of Interior, the adversary was 
on the network of the Department of Interior from October 2014 
through April 2015. Specific pieces of data were removed in 
December 2014. So that is where the December date is coming 
out, but looking at the whole range of when the adversary was 
on the network, it was October 2014 through April 2015. And I 
would encourage you to think about as the most relevant 
timeframe.
    Chairman Johnson. OK.
    Mr. Ozment. At OPM itself, there are really two key 
timeframes: the timeframe when the adversary was on the 
network, which was May 2014 to April 2015; but the time that 
the adversary was essentially active on the network was only 
June 2014 through January 2015. OPM rolled out a security 
control in January 2015 that stopped the adversary from taking 
further significant action, but it did not detect the 
adversary. So the adversary was largely stopped in January, but 
not detected until an additional control was rolled out in 
April.
    Chairman Johnson. OK. Again, so we found out in mid-April, 
and we announced this on June 4. The public became aware of 
this on June 4.
    Mr. Ozment. So in mid-April, we discovered that the 
adversary was on the network, but not what they had done. And 
so we then commenced the forensics work. The forensics work 
reached a high confidence level more rapidly at the Department 
of Interior. So the Department of Interior, they more rapidly 
finished the forensics--or largely finished the forensics 
investigation and were able to conclude the breach.
    Chairman Johnson. OK. So, again, so I understand. That 
takes time.
    Mr. Scott, in your role within OMB as the Federal 
Government's Chief Information Officer, you did announce the 
cybersecurity sprint last week. I realize you are relatively 
new in the role, just starting in February, and we are not 
going to solve these problems overnight. I have that. Why 
didn't we announce a more robust effort right off the bat, 
basically in April?
    Mr. Scott. So we formed an E-Gov Cyber Unit late last year 
in my office, put that team together, worked closely with DHS 
and so on. And I began with that team to look at the cross-government 
data. Some of the elements of what we announced in 
the sprint we actually started before the full sprint was 
announced. So it has been an escalating set of activities.
    Chairman Johnson. So, again, you have expressed a fair 
amount of confidence in Director Archuleta and her team to fix 
this. But, again, I go back to the Federal Information Security 
Management Act audits, and, even in fiscal year 2009, in that 
audit, the first page of the executive summary says, ``The lack 
of policies and procedures was reported as a material weakness 
in fiscal year 2007 and fiscal year 2008.''
    The weakness in our government security systems has been 
known for a long time. I understand that you do not solve these 
problems overnight. I understand that Director Archuleta has 
been in the office about 18 months. But certainly, having been 
a manager in the private sector myself--again, I do not expect 
perfection. I understand the problems are difficult to solve. 
But I am looking for people to prioritize. I am looking at 
people's actions that they took. And the fact that the Director 
did not meet with the Inspector General to specifically discuss 
these IG reports, the fact that she has not yet met with FBI 
Director Comey on these very serious issues really gives me 
pretty great pause in terms of having confidence that the 
current management team in OPM really is up to the task.
    Do you disagree with that? Do you really have that great a 
confidence?
    Again, you are the Federal Government's Chief Information 
Officer. Do you really have confidence in the management team 
of OPM that they are going to be able to solve this problem 
when they have shown such a lack of attention and priority to 
this issue? And let us face it, a record of failure now.
    Mr. Scott. Well, Senator, I think there are several bits of 
evidence I can go back to, many of which you have mentioned 
here. But the history going back to 2009 and 2010 shows that 
there has been a historical set of issues there.
    If I look in at OPM and elsewhere where progress has been 
made, I can see a delineation point from when Director 
Archuleta took place and recruited Donna Seymour into that role 
where there is a dramatic difference in terms of the actions 
that not only were planned, but then began execution. And I 
worry in this particular case that as we deploy more tools 
across the Federal Government and as we are likely to discover 
more of these kinds of issues, that there is a chilling effect 
on anybody wanting to come in and take one of these roles----
    Chairman Johnson. I understand, and, again, that is a real 
problem. I appreciate that you are willing to exit the private 
sector, with your expertise and bring that to bear in terms of 
service to this Nation. But, again, here is my problem. A Flash 
Audit on the Infrastructure Improvement Project, where the 
final conclusion is, ``In our opinion, according to the 
Inspector General, the project management approach for this 
major infrastructure overhaul is entirely inadequate and 
introduces a very high risk of project failure.''
    That does not give me much confidence in the management 
team that is implementing that.
    Inspector General McFarland, do you have confidence in, 
based on your audits, on the work you have done, do you have 
confidence in OPM's current management to really follow through 
on this and provide the security I think this Nation deserves?
    Mr. McFarland. I believe that the interest and the intent 
is there, but based on what we have found, no.
    Chairman Johnson. I have no further questions. Senator 
Ayotte.

              OPENING STATEMENT OF SENATOR AYOTTE

    Senator Ayotte. Thank you. I wanted to ask about--one of my 
staff members received a letter from OPM, and as I understand 
it, in the letter she was asked by a third-party contractor to 
produce information on her credit card and bank accounts, and 
she was also not told about the IRS' IP PIN program, which we 
have spent some time on in this Committee, which allows 
taxpayers who are victims of identity theft or potential 
victims to protect themselves.
    So I was kind of troubled when I learned that this morning 
from her just because here we have a situation where all of 
these records have been breached, and if our solution is to ask 
people to submit additional very personal information on credit 
card bank records, that you would then--either you or your 
third-party contractor would be holding rather than working 
with potential victims of this to have them seek the proper 
mechanism with the credit reporting agencies. So can you help 
me understand this and why you think this is a good approach? 
Because, let us face it, the fact that we are where we are with 
all these records that have now been breached, I do not think 
people should feel real confident at the moment of giving you 
additional information or a contractor working with the 
government on this.
    Ms. Archuleta. To my knowledge, Senator, we are not asking 
and so I would like to talk to your--we are not asking for that 
information, so I would like to talk to your staff member to 
find out exactly what conversation or what information she got, 
because the registration for the credit monitoring is an action 
that each individual takes. So I would be glad to talk to her. 
I would like very much----
    Senator Ayotte. That would be great. I hope she is not 
already being--her information trying--identity thieves already 
trying to manipulate this because----
    Ms. Archuleta. Yes.
    Senator Ayotte. When she told me that this morning, my jaw 
dropped. And so I want to understand why OPM is not using 
encryption or what steps are being taken to better use 
encryption of people's information given the breadth of 
personal information that OPM is maintaining on so many of the 
people in this country.
    Ms. Archuleta. Certainly. I wish that our systems, all of 
our systems were able to be fitted with the encryption tools, 
but we have an older legacy system, and there are certain 
applications that it would not--we would not be able to use 
encryption. And as Dr. Ozment will say, the encryption, in 
fact, would not have prevented this incident. That is an 
important fact. But that does not mean that we should not move 
forward to indeed apply encryption wherever we can, and we are 
moving forward with that as well as using more modern tools 
such as masking and the hiding of--or redacting of information 
when it is not needed.
    Senator Ayotte. Well, encryption is one tool in the 
toolbox. Does OPM employ a layered approach at all? Because, 
obviously, layering is something that is important when you are 
looking at making sure that there are different ways that 
information is protected as a multi-verification process versus 
relying on one tool in the toolbox.
    Ms. Archuleta. I would have to get back with you, Senator, 
to be sure that I can give you the full information.
    Senator Ayotte. Well, that would be very important, I 
think, because to me the fact that many of the tools that seem 
to be lacking in the use here are already being engaged in the 
private sector, yet the type of personal information that is 
being held by an agency like OPM is just staggering in terms of 
what we are hearing about the breadth of this breach. So I 
would like a followup on that question.
    One thing that I want to understand is that, in January, 
OPM began utilizing this two-factor authentication approach and 
incidentally, and unknowingly, ended the intrusion into the 
data system containing security clearance information. Do you 
believe that had this been in place to begin with the intrusion 
would not have been able to happen in the first place?
    Ms. Archuleta. I would have to ask Dr. Ozment more on the 
forensics side for that, but I know that we have moved very 
rapidly to increase the percentage of unprivileged users with 
two-factor strong--two-factor authentication. We also for 
remote users have a 100-percent--I am sorry, that for--we 
have--requiring two-factor authentication for all remote users.
    Senator Ayotte. And one of the things that I had asked you 
about with my staff member when I told you the information she 
had received--and we touched upon it at the beginning--was 
something we heard a lot of testimony in this Committee on from 
the IRS Commissioner, because, unfortunately, the IRS has been 
breached as well, and they have this IRS IP PIN Program. It 
strikes me that, given the type of information that has been 
breached in this, the victims of this theft can very much 
expect that they could likely be victims of tax fraud going 
forward. So what steps are you taking to ensure that these 
victims have actual and are enrolled in the IRS IP PIN program 
to ensure that we are not having another hearing on I suppose 
potentially millions of individuals who now find themselves to 
be victims of tax fraud as well?
    Ms. Archuleta. I will ask my colleague Tony Scott to talk 
about that. I am not familiar with the IRS.
    Mr. Scott. Yes, the PIN program is actually designed to do 
a different thing, as I understand it, than would be the use 
case for OPM. But I can answer some of the question that you 
asked the Director. They do have a multilayered approach----
    Senator Ayotte. But, Tony--excuse me. I am sorry, Mr. 
Scott.
    Mr. Scott. Yes.
    Senator Ayotte. But let me just say what the IRS--what I am 
trying to say is this, is that we know all this personal 
information has been breached. People are going to be--that are 
the victims of this will be filing their tax returns. If they 
are enrolled in the IRS PIN program, people cannot just file 
the tax return. They are then given a PIN at their physical 
address so, therefore, the identity thieves cannot then use 
this information to then victimize them on the IRS end. And 
this would be something, if I were a victim of this, that I 
would want to have put in place right away because this could 
protect me from potential tax fraud because of the extra step 
that has to be taken.
    So how are we working this with the IRS to make sure these 
victims have access to this program? Because this is a very 
large problem right now.
    Mr. Scott. Sure. I am sorry. I misunderstood your question 
initially. We will look at this cross-agency, not just at the 
IRS but anywhere else citizens need to interact with the 
Federal Government as part of our longer-term recommendation.
    Senator Ayotte. So, forgive me, my time is up, but I think 
looking at it is probably insufficient given how devastating 
this type of use of people's personal information can be. And I 
think that we cannot just look at it. I think we have to come 
up with a plan to give the people who have been victimized the 
opportunity to be part of this program so they then are not 
further victimized by becoming victims of tax fraud.
    Thank you.
    Chairman Johnson. Senator Sasse.
    Senator Sasse. Director Archuleta, here is where I think we 
are. I think this morning we have heard a sketch of a timeline 
that shows attackers persistently coming after confidential 
personnel and background investigation and OPM being caught 
flat-footed for up to 19 months. Has any malware been detected 
on OPM's network since June 8 when the intrusion into security 
clearance databases was discovered?
    Ms. Archuleta. We are unaware of any at this time.
    Senator Sasse. Given how long it took OPM to detect the 
attacks, how can we know that the attacks are over?
    Ms. Archuleta. We worked very closely with our 
cybersecurity experts throughout government, working closely 
not only with DHS but FBI and their hunt teams. So we are 
constantly monitoring our systems.
    Senator Sasse. But couldn't you have given that same answer 
in March and it would have been wrong?
    Ms. Archuleta. As we have developed and installed new 
security systems--in March 2014?
    Senator Sasse. March 2015 you did not have information--you 
had not discovered these attacks that were then ongoing.
    Ms. Archuleta. We have been working very hard, sir, to put 
in place all of the security measures, and I think in my plan 
there is a long list of things that we have done and been able 
to do. We need more resources to get that done, and that is why 
we have come to Congress to ask for them.
    Senator Sasse. I want to go to Dr. Ozment in a minute, but 
if I can translate, I think what you just said is you do not 
know that the attacks are over. Director Archuleta, I am 
saying----
    Ms. Archuleta. I am sorry. We----
    Senator Sasse. You said you are trying hard. That is 
different than having knowledge that the attacks are over.
    Ms. Archuleta. Sir, we combat over 10 million attempts in a 
month, and so we are working very hard. I can describe to you 
each of the things that we have done. That is why I gave you 
the paper this morning so that you would have that. We have 
worked very hard to do that not just at OPM but with all of our 
colleagues. Cybersecurity is an enterprise endeavor, and that 
is why we work with Tony and Andy and our colleagues at FBI and 
National Security Agency (NSA). We do work with them on this. 
We are combating a very aggressive, a very well funded, and a 
very focused perpetrator.
    Senator Sasse. I agree that we are dealing with persistent 
attackers, but I think you did not say that you have certainty 
that the attacks are over.
    Dr. Ozment, do you believe the attacks are over and that we 
know that with certainty?
    Mr. Ozment. I spend a lot of time with both government and 
private sector cybersecurity experts, and I do not think any 
cybersecurity expert I know would ever say that we can be 
certain that we have blocked all intruders who are trying to 
get into our networks. And I think that is the state of the 
world that we are living in right now. It is not a condition 
unique to OPM. That is a universal truth for cybersecurity.
    Senator Sasse. Mr. Scott, has the malware that was found at 
OPM been discovered on any other agency's networks?
    Mr. Scott. I think it is a better question for Andy, but 
the way it works is these indicators of compromise DHS has, and 
then they circulate to all the other agencies. And part of our 
cyber sprint, we have asked agencies to go back and take a look 
at those.
    Senator Sasse. This is not a blame allocation question----
    Mr. Scott. Right.
    Senator Sasse [continuing]. And not meant to be hostile, 
but isn't your title senior to his? Help us understand what 
your role is if that is a question for Dr. Ozment.
    Mr. Scott. Ours is more policy and guidance. DHS has the 
operational responsibility in the cyber framework.
    Mr. Ozment. And, sir, I can tell you that we have, as Mr. 
Scott highlighted, shared these indicators to departments and 
agencies. We have had at least one department think that they 
had an intrusion, but after further forensics, it turned out 
not to be the case. But we continue to ask agencies to keep 
using these indicators, keep looking to see if they see 
activity on their networks. And, of course, if anything comes 
up, we work with the agency to investigate it. But we have not 
confirmed anything additional since--other than this Department 
of Interior Data Center and OPM itself.
    Senator Sasse. So would that mean that any other known 
Federal intrusions would be visible to this Committee? Are 
there any other cyber attacks against the Federal Government 
that have not been disclosed to this Committee?
    Mr. Ozment. The FISMA 2014 legislation imposed requirements 
for notifying the Congress on cyber intrusions and attacks. To 
my knowledge, any intrusion and attack that would fall into 
those requirements has been notified to you. There is a 
constant low level of activity across the government, where 
sort of the noise of the Internet occurs. You have low-level 
criminal malware. I do not know that that is--I would not 
expect that that is required to be reported and is not 
reported. But the significant activity that is covered by FISMA 
2014, to my knowledge all of that has been reported to the 
Congress.
    Senator Sasse. Thank you. I would like to go back to 
Senator Portman's line of questioning about the SF-86. Director 
Archuleta, there have been many summaries of where we are in 
this attack in the media that have likened this to the Target 
or the Home Depot attack, which is where credit card 
information was stored. Obviously, we are talking about 
something much more serious than that. I want to quote from the 
SF-86 for a second.
    ``In addition to the questions on this form, this inquiry 
also is made about your adherence to security requirements, 
honesty and integrity, vulnerability to exploitation or 
coercion, falsification, misrepresentation, and any other 
behavior or activities or associations that tend to demonstrate 
a person is not reliable, trustworthy, and loyal.''
    As those of us who have been through top secret background 
investigations know, they ask lots of questions about sexual 
history, relationships, associations, anything that could lead 
an individual to be coerced or blackmailed. Can you help us 
understand why this information would have been stored on OPM 
networks to begin with?
    Ms. Archuleta. It is part of the background investigation 
that we do for the clearances at very high levels for 
classified positions, and that is part of the determination for 
the adjudication information.
    One of the things that is important is that--in 
understanding this scope of this breach is to really understand 
how that data was saved. So I want to be sure, again, as I go 
back to my opening statement, is that we are looking at all of 
these files to see how that data was stored and sort of the 
impact and scope of that breach. And that is why we are taking 
much more careful time to do so.
    Senator Sasse. In the sexual history kinds of questioning, 
if people named other parties, would those have been in this 
information?
    Ms. Archuleta. It really is relying on the--I actually do 
not know what is stored in which files. I would be glad to get 
that to you to give you a description. I believe that, again, 
it is how that information is stored and what access the breach 
had to that.
    Senator Sasse. Dr. Ozment, do you think that narrative 
history would be stored?
    Mr. Ozment. I cannot speak to the contents of the 
databases.
    Senator Sasse. I think I need to yield to Mr. Carper. I 
have more questions, but I will wait.
    Chairman Johnson. Senator Carper.
    Senator Carper. Thanks. Thank you for yielding. And, again, 
thank you all for being here. I know you have been here for 
quite a while, and we are grateful for your presence and your 
answers to our questions.
    General McFarland, I am going to ask you to come back in a 
minute--and maybe not right now, but in a minute I am going to 
ask you to come back. You shared a cautionary note with us 
about rushing, maybe rushing so far to address this problem, 
fix this problem, that we actually waste money, and you sounded 
a cautionary note. Why don't you just go ahead and sound that 
cautionary note again? What did you say right at the end of 
your testimony, please? Because we want to move with great 
dispatch, and usually that is good--maybe not always, but you 
gave us some advice that I thought was probably worth 
repeating. What did you say?
    Mr. McFarland. I said it may sound counterintuitive, but 
OPM must slow down and not continue to barrel forward with this 
project. The agency must take the time to get it right the 
first time to determine the scope of the project, calculate the 
costs, and make a clear plan about how to implement this 
massive overhaul. OPM cannot afford to have the project fail.
    Senator Carper. Thank you. I mentioned earlier these four 
legislative steps that we took last year to bolster DHS and 
their ability to fend off government, writ large, cyber 
attacks: the passage of the Federal Information Security 
Modernization Act; the workforce capabilities, strengthening 
the workforce capabilities at the Department of Homeland 
Security; strengthening and making real the ops center for the 
Department of Homeland Security; and also the passage of the 
Federal Information Technology and Acquisition Reform Act 
(FITARA).
    I think in your testimony here and in other hearings we 
have had, almost everybody says those were the right things to 
do. I am not sure we are fully implementing them as quickly as 
we need to, but at least I think on that front we have done our 
job. And we are going to do oversight to make sure that the 
implementation is being done in an appropriate and expeditious 
way.
    Give us our to-do list. Give us a very brief to-do list of 
some things on the heels of what we have done legislatively 
what we need to do. What do we need to do next? And just very 
briefly. Director, very briefly.
    Ms. Archuleta. Yes, and as I do that, I would like to 
clarify perhaps a statement that the IG made in terms of the 
additional resources, an answer that he responded to. We 
requested $21 million in the President's Fiscal Year 2016 
budget, but we are currently reevaluating fiscal year 2016 IT 
modernization needs in light of these developments, and so we 
would appreciate the Senate's support. And as I said, we will 
get back to you with that number.
    Senator Carper. All right. Thanks.
    Mr. Scott, give us one thing that ought to be at the top of 
our to-do list.
    Mr. Scott. Sure. I have four very quickly.
    Senator Carper. OK.
    Mr. Scott. The first one is pass the administration's 
proposal for information sharing with the private sector. It 
will help everybody. It will help the Nation.
    Second----
    Senator Carper. I actually introduced, with a slight 
modification, the administration's proposal, and hopefully we 
can get that done. God knows we need to.
    Mr. Scott. Thank you. The second one is do not allow 
exceptions to the FITARA rule. That legislates good governance 
and good practice and helps make the CIO fully accountable in 
each agency.
    Senator Carper. OK.
    Mr. Scott. We will have recommendations coming out of our 
sprint, and I am sure there will be a reallocation of resource 
and priority as a result of those recommendations.
    Senator Carper. All right. Thanks. Dr. Ozment.
    Mr. Ozment. I would second Mr. Scott's highlighting of 
cybersecurity threat indicator sharing legislation. I would 
also really emphasize the importance of passing authorizing 
legislation for EINSTEIN. As you know, it played a key role in 
this incident, and it is an important layer in our layers of 
defense. And one of the impediments has been that some agencies 
are concerned that existing legislation impedes their ability 
to work with us on EINSTEIN. So your clarification of that 
would be greatly appreciated.
    Senator Carper. All right. Thanks.
    Mr. McFarland, General, give us one more thing to put at 
the top of our to-do list. These are helpful ideas.
    Mr. McFarland. I would think that it would be very helpful 
if FITARA and FISMA had more teeth to it from OMB's 
perspective. And instead of getting lists of who is doing this 
or who is doing that, who is delinquent, how far are they 
delinquent, that there would be some accountability against 
people.
    Senator Carper. Good. Mr. Scott, would you respond to that, 
please?
    Mr. Scott. I think those are good recommendations, Senator.
    Senator Carper. OK. Given what we all know about the OPM 
breach, can each of you talk about some of the lessons learned, 
kind of looking back, we are all better Monday morning 
quarterbacks, but some of the lessons learned or the best 
practices that we should be incorporating across the 
government, and why haven't we already taken these steps at 
some of the other agencies. Do you want to go first on that, 
Mr. Scott?
    Mr. Scott. Sure, I would be happy to. Some of the early 
things in this also leverages my experience in the private 
sector. If you look at where the money has gone and where most 
of the effort has gone, it has been to prevent the cyber attack 
from occurring in the first place. Even with multilayered 
approaches, most of that has been on prevention, but it is very 
clear with these persistent adversaries that some things are 
going to get through. They are just nasty, and they keep coming 
at you. And you are always going to have at some point somebody 
getting through.
    And so as a Nation, and especially as a Federal Government, 
we also have to invest in technology that will allow us to 
quickly detect much more rapidly than we have been when there 
is a breach, then contain, and then quickly remediate. And so 
some of our recommendations are likely to be in those areas 
where we have underinvested, even in a history of 
underinvestment in cyber more broadly.
    Senator Carper. Dr. Ozment, same question, just briefly, if 
you would.
    Mr. Ozment. I would just second what Mr. Scott said.
    Senator Carper. That was a short answer.
    The last thing I would say is, to go back to my friend 
Senator Sasse, the question of is this going to be the last 
attack, we all know it is not. Will it be the last attack if 
this was from the Chinese or some other source? We know it is 
not. And one of the takeaways for me here today is this is an 
all-hands-on-deck moment; we all have a responsibility. This is 
a shared responsibility. You have yours, we have ours. And we 
need to not just point fingers at one another, but to actually 
figure out how to join hands and be a team in this all-hands-
on-deck moment. And you have my pledge to do that, and we are 
going to bring our best efforts to bear, and we need for you to 
do that as well.
    Thank you.
    Chairman Johnson. Thank you, Senator Carper.
    Before I close out the hearing by giving the witnesses one 
last opportunity to make a closing comment, I would like to 
throw it over to Senator Sasse. You said you have another quick 
question or two?
    Senator Sasse. Yes, if I could just take 3 minutes, Mr. 
Chairman.
    First, following upon what Senator Carper just said, Mr. 
Scott, did OMB give OPM permission to operate without proper 
cybersecurity protections?
    Mr. Scott. I am not aware of any either giving or denying 
permission in that particular case. What we are doing is 
revising our guidelines. There was an every-3-year 
authorization thing earlier, and that is under review right 
now. And we did issue guidance that allowed for more continuous 
authorization versus a 3-year. But that is subject to revision.
    Senator Sasse. Thank you.
    Dr. Ozment, did you understand--you are now being brought 
in to help clean up this matter from DHS, but did DHS understand 
OPM's vulnerabilities prior to them being breached?
    Mr. Ozment. One of DHS and my organization's roles is to 
help compile the annual FISMA report to Congress, some of which 
we were handed today or presented today. As part of that, we 
compile agencies' self-reported information on their 
cybersecurity, and all agencies have vulnerabilities, just as 
all companies have vulnerabilities.
    To my knowledge, we were not aware of any specific 
vulnerabilities that were relevant to this incident, but we are 
generally aware that all agencies need to make additional 
progress on cybersecurity.
    Senator Sasse. But given some of the specific 
vulnerabilities at OPM, do you believe that OPM was fully 
honest about its problems with DHS leading up to the breach?
    Mr. Ozment. To my knowledge, yes.
    Senator Sasse. I will close with this last question. The 
Inspector General has criticized OPM for operating a 
``decentralized system'' of cybersecurity because it created 
unique vulnerabilities. Could you explain what that means and 
tell us if you think any other agencies are currently operating 
with similarly decentralized systems? Dr. Ozment, I mean it for 
you, but I did not know--the Inspector General leveled the 
criticism, but I am curious as to whether or not you think 
other agencies have the same vulnerability.
    Mr. Ozment. I am sorry. Would you repeat the entire 
question? I apologize.
    Senator Sasse. You bet. The Inspector General has 
criticized OPM for operating with a ``decentralized system'' of 
cybersecurity which created some unique vulnerabilities. One, I 
wonder if you can translate what that means. And, two, I wonder 
if you think any other agencies have the same decentralized 
system.
    Mr. Ozment. Thank you. I absolutely believe that it is very 
difficult for an agency to secure themselves if their CIO and 
CISO at the agency level are not empowered. I know that that is 
a concern that in part prompted, in fact, the FITARA 
legislation, and I think that is the crux of the matter. If 
they are not sufficiently empowered, if IT authority is 
decentralized within the agency, it is extremely difficult for 
that agency to secure itself.
    Senator Sasse. So I think that means you think that many 
agencies have the same problem.
    Mr. Ozment. I think there are other agencies that need to 
make progress in that area, absolutely.
    Senator Sasse. Thanks.
    Chairman Johnson. Thank you, Senator Sasse.
    Again, I would like to offer the witnesses one last 
opportunity if you have a closing thought or comment. We will 
start with you, Madam Director.
    Ms. Archuleta. Thank you, Chairman. I appreciate the 
opportunity to be here today.
    I would like to take the opportunity to clarify earlier 
comments to Senator McCain about the 18 million number. The 18 
million refers to the preliminary approximate number of unique 
Social Security numbers. It comes from one of the compromised 
systems. However, it is incomplete, and it does not provide an 
accurate picture of the final number, and it is one system 
among several, and the number has not been cross-checked 
against the other relevant systems.
    In closing, I would state that, again, we are reevaluating 
our fiscal year 2016 needs. We are not seeking a fiscal year 
2015 supplemental. And, again, I appreciate the opportunity to 
be here with you today.
    Chairman Johnson. Thank you. Mr. Scott.
    Mr. Scott. Thanks for having us today. I look forward to 
coming back to the Committee with our recommendations at the 
end of the 30-day sprint period and would love to engage in a 
further conversation with you at that point.
    Chairman Johnson. Thank you. Dr. Ozment.
    Mr. Ozment. Thank you. Upon reflection, I would like to add 
to my answer to Senator Tester about Federal cybersecurity 
strategy. We have the skeleton of our path forward, and we can 
and should move out and execute on that skeleton.
    I do think there is also value in continuing to flesh out 
that skeleton, and, in fact, I hope that that is--the 30-day 
surge will help us do that.
    I would also thank Senator Carper again for his remarks and 
reiterate the importance of information-sharing legislation and 
also positive authorization for the EINSTEIN program.
    Chairman Johnson. Thank you, Doctor. Inspector General 
McFarland.
    Mr. McFarland. Yes, I would like to go back to Senator 
Sasse's recent comment and suggest that we work very hard to 
centralize the governance of information technology whenever 
and wherever possible.
    Chairman Johnson. Thank you, Inspector General. Again, 
thank you for your service. Thank you for your independence.
    Mr. McFarland. Thank you.
    Chairman Johnson. I want to thank all the witnesses for the 
time you have spent, for your thoughtful testimony, and your 
answers to our questions.
    The hearing record will remain open for 15 days until July 
10 at 5 p.m. for the submission of statements and questions for 
the record.
    This hearing is adjourned.
    [Whereupon, at 11:59 a.m., the Committee was adjourned.]

                            A P P E N D I X

                              ----------                              

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 

                                 [all]