<html>
<title>FINANCIAL SERVICES AND GENERAL GOVERNMENT APPROPRIATIONS FOR FISCAL YEAR 2016</title>
<body><pre>[Senate Hearing 114-]
[From the U.S. Government Publishing Office]


 
  FINANCIAL SERVICES AND GENERAL GOVERNMENT APPROPRIATIONS FOR FISCAL
                               YEAR 2016

                              ----------


                         TUESDAY, JUNE 23, 2015

                                       U.S. Senate,
           Subcommittee of the Committee on Appropriations,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10:33 a.m., in
room SD-124, Dirksen Senate Office Building, Hon. John Boozman
(chairman) presiding.
    Present: Senators Boozman, Lankford, Coons, Mikulski, and
Moran.

                     OFFICE OF PERSONNEL MANAGEMENT

STATEMENT OF KATHERINE L. ARCHULETA, DIRECTOR
ACCOMPANIED BY:
        MICHAEL R. ESSER, ASSISTANT INSPECTOR GENERAL FOR AUDITS
        RICHARD A. SPIRES, CHIEF EXECUTIVE OFFICER, RESILIENT NETWORK
            SYSTEMS, INC.

               OPENING STATEMENT OF SENATOR JOHN BOOZMAN

    Senator Boozman. The hearing will come to order.
    The massive breach of the Office of Personnel Management
(OPM) systems may be the most devastating cybersecurity attack
in our Nation's history. Unfortunately, while the news reports
about these incidents have been shocking, they should not be
surprising. The OPM incident follows several across Government
and is only the latest example of the Federal Government's
inability to protect itself from cybersecurity threats.
    Today's hearing before the Subcommittee on Financial
Services and General Government is intended to elicit further
information about the recent OPM data breaches.
It is also a
time to discuss the enormous challenges facing the Federal
Government as it attempts to ensure this does not happen again.
    The Government spends approximately $82 billion a year on
information technology. Given the cost of these projects and
their impact on our economy and national security, members of
the subcommittee have an ongoing commitment to conduct
oversight. We must ensure that hard-earned tax dollars of
millions of Americans are being spent wisely and effectively.
    Just last year, the subcommittee held a hearing with OPM
Director Archuleta, former Chief Information Officer (CIO)
Steve VanRoekel, former General Services Administration (GSA)
Administrator Dan Tangherlini, and the Director of Information
Technology (IT) Management Issues at the Government
Accountability Office (GAO) David Powner. Given the enormous
resources and important security issues at stake, the
subcommittee considered it imperative that the Office of
Management and Budget (OMB) and Federal agencies appropriately
managed these projects.
    We're all well aware of examples of projects that ended in
spectacular failure, as with the initial rollout of
healthcare.gov. While that kind of crisis makes news, we should
also be troubled by the accounts that don't grab headlines,
including initiatives with ongoing costs that grow each year
after year without demonstrating effective results or
sufficient security.
    We must have safeguards in place to ensure that oversight
of these projects is consistent, that problems are anticipated
before they occur, and, most importantly, that someone is
actually accountable and responsible.
All too often, large
complex IT projects drag on for years, outlasting the
administration that initiated them and the employees
responsible for managing them.
    In the Financial Services and General Government bill
alone, billions have been spent over the years on tax system
modernization at the Internal Revenue Service (IRS), work that
has been continuing for decades and is still incomplete. Even
for projects now on track, past problems generate millions in
additional costs and years of delay.
    And as we have seen recently at IRS and once again with the
OPM breach, both of which have compromised the personal data of
millions of Americans, billions of Federal dollars spent are no
guarantee of security. Across the Government, IT projects too
frequently go over budget, fall behind schedule, and do not
deliver value to taxpayers.
    Responsibility for oversight is often fragmented throughout
the agency owning the project, and OMB does not conduct
appropriate review and management. Whether issues related to
program requirements, performance, spending, or security, lots
of people are involved, but often no clear lines of
accountability are drawn.
    What has happened at OPM is devastating. Millions of
Americans and their families and friends have been affected.
Giving those impacted limited free credit monitoring and
identity theft insurance will not be enough to address the
long-term consequences that we may see for years to come.
    But also troubling is the knowledge that OPM is just the
most recent example of the Government's systemic failure to
protect itself. According to GAO, we should have serious
concerns for the future. The number of information security
incidents reported by Federal agencies has exploded in recent
years.
    Constant vigilance is required, and GAO has found that
Government systems may not be prepared for the job.
Nineteen of
24 major Federal agencies have reported deficiencies in
information security controls. The Inspector General (IG) at 23
of those agencies cited information security as a major
management challenge.
    How many headlines of serious data breaches will it take to
implement the steps necessary to protect ourselves? And at what
point do some in Washington recognize that growing the
bureaucracy without actually governing is a recipe for this
type of disaster?
    The Obama administration views the Federal Government as
capable of tackling almost every problem that the Nation faces.
Yet while attempting to grow the size and scope of the Federal
Government at every turn, the administration fails to follow
through on the tasks it is already responsible for. If you
bounce from one bigger Government solution to another without
carrying out your basic responsibilities, this is what happens.
    It's easy to suggest more money is the solution. That seems
to be the response the administration leans on every time
there's a problem. But it is often the wrong choice, especially
in situations like this where it appears that the problem is
something much greater than a lack of resources.
    The American people have lost faith in their institutions.
The last thing they will do is trust Washington to solve a
problem when it can't even protect the personal information of
those it employs.
    There needs to be a dramatic change in the status quo.
    What I hope to hear from our witnesses today is not the
same stale line that more money is needed, but an explanation
as to why the Federal Government failed to do the basic job of
protecting personal data of millions of employees with the vast
resources it already has in hand, what it's doing right now to
resolve this problem, and what is being done to ensure that we
are prepared for the next attack.
    I hope with your help we can learn from this incident and
identify ways to improve and protect our security. I appreciate
the interest of all my colleagues and our shared commitment to
doing what we can to work together to try and address this so
important issue. We cannot afford not to.
    Senator Coons.

               STATEMENT OF SENATOR CHRISTOPHER A. COONS

    Senator Coons. Thank you, Chairman Boozman.
    I'd like to welcome our witnesses, OPM Director Katherine
Archuleta, Assistant OPM Inspector General Michael Esser, and
former Department of Homeland Security (DHS) and the Internal
Revenue Service (IRS) Chief Information Officer Richard Spires.
    We are here today, as the chairman has laid out, to review
information technology spending and data security at the Office
of Personnel Management. As part of that review, we need to
discuss recent cybersecurity attacks that have put Federal
employee information and our national security at real risk.
    We also need to address the late-breaking inspector general
audit that expresses concerns about OPM's IT modernization
project.
But while we conduct this subcommittee oversight of
OPM and its spending and response, I also urge us to put this
in the context of larger cybersecurity challenges that face our
Government and our society as a whole, and progress, or lack
thereof, by Congress in strengthening our Nation's cyber
defenses and in providing needed funding for Federal
cybersecurity and IT initiatives.
    Regarding the cyber incidents at OPM, one breach involved
personnel data of roughly 4 million Federal employees stored on
Interior Department networks. During the breach, investigators
found another intrusion where information from background
investigations was allegedly stolen.
    I understand OPM only recently became aware of the security
clearance theft and that the investigation is still underway.
So while we may be limited in exactly what we can discuss in
this context, I'm very hopeful we can have a productive and
ongoing conversation.
    The fact these security breaches happened is, frankly,
terrible. They force us to grapple with the reality that in our
interconnected world, we're more vulnerable than ever, and we
need to do more to protect our public employees' vital personal
information from foreign attackers.
    After we've investigated why these cyber attacks were able
to break through, we need to be willing to do what's necessary
to ensure they don't happen again. These attacks don't just
compromise the information of millions of Federal employees,
but our Nation's security, as well.
    It's further troubling that the IG's office has found that
OPM has not fully complied with the Federal Information
Security Management Act, which mandates information security
requirements for all Federal agencies. While OPM has made
recent improvements, we need to remain vigilant.
    Both Director Archuleta and the OPM CIO have only been on
the job roughly a year and a half.
And to their credit, they
have made IT security a priority. But they need to clearly
understand that the job is not done.
    OPM has indicated to the subcommittee that most of its IT
security systems are aged and at the end of their useful life.
For some, security patches are no longer provided by the
original vendor. In fiscal year 2014, OPM began a 3-year IT
system modernization and is seeking a third installment of $21
million to complete that project this year. And we have to
understand that without that funding, the investment of the two
previous years can't be meaningfully completed.
    I was alarmed by the IG's allegations about mismanagement
of the modernization projects to date and hope that OPM's
representatives will speak to these assertions directly here
today.
    Last, I just wanted to emphasize, I think we need to
prevent another round of sequestration. OPM's fiscal year 2016
budget request includes a $32 million increase over last year's
enacted level, virtually all of which would address IT
infrastructure improvements. Sequestration could critically
threaten those investments and even the livelihoods of our
employees.
    While some of these cuts might be weathered in the short
term, they can have serious long-term impacts. And I think we
need to work together to ensure Federal agencies are prepared
as best they can be to protect against cyber threats.
    The Federal Government is at constant threat of cyber
attacks. It successfully wards off millions of attempted
attacks a year. And I think we need to work together to protect
the Nation's economic and national security interests by coming
together to deal with these vital cybersecurity issues.
    Chairman Boozman, thank you for holding this hearing, and
I'm eager to continue to work together as we consider the needs
of our Federal agencies in combating cyber threats.
    Senator Boozman. Thank you, Senator.
    Senator Mikulski. Mr. Chairman, may I just make a few
comments and observations?
    Senator Boozman. You sure can. You can comment all you
like.
    Senator Mikulski. First of all, Mr. Chairman, I really want
to thank you for your leadership in convening this hearing. I
think America wants to know, certainly our Federal employees
want to know, what happened and what is the impact on them, and
what is the impact on the Nation.
    I would strongly recommend to the chair that, after this
hearing and then also the briefing we'll receive this
afternoon, the chair and the ranking consider having a
classified briefing, because as a member of both the Intel
Committee and someone who has been involved on this, there are
things that are best discussed that you need to know for your
responsibilities in a setting. And Senator Cochran and I would
be happy to cooperate with you in establishing that. You'll
know more this afternoon.
    The second point is, what has happened at OPM, and also
what happened to the breaches at the Army, shows that this is a
serious national issue. It affects not only OPM, but every
agency, and also shows that national security and its impact is
not limited to the Department of Defense (DOD).
    Mr. Chairman, I also want to remind the committee or bring
to their attention, we tried to deal with this in 2012. Under
the leadership of Senators Lieberman and Collins, there was a
bipartisan effort to have a cybersecurity bill that dealt with
new authorities for key agencies to establish standards for
critical infrastructure, create an info-sharing regime to
protect both dot-gov and dot-com, and give DHS authority to
unite Federal resources across all levels of Government to have
both the authorities to make sure they have the resources to
know how to do the right job.
    Exactly what you're saying, sir. Let's not just throw money
at it.
Let's get value and security for the dollar.
    That was stopped because the Chamber of Commerce
established a massive lobbying campaign, because they were
worried that we would overregulate. Well, we are where we are.
    So we need to do a lot of work. We had a bipartisan study
group. They had people like Blunt, Coats, Collins, those of us
on Intel and Approps. So maybe we need to resurrect that
because it's OPM today, it'll be another agency tomorrow. We've
got to make sure our cyber shields are up, we're fit for duty,
and we're fit to protect our people.
    So I just wanted to refresh everybody of that. And of
course, my Federal employees need to know what happened, how do
they protect themselves. And we need to know how to protect
America.
    So thank you, Mr. Chair.
    Senator Boozman. Thank you, Senator. And I think the
suggestion of the classified briefing is an excellent one.
    And also, this is, certainly, not a partisan issue. This is
something that's been going on for a long, long time through
successive administrations.
    We have three witnesses appearing before us today:
Katherine Archuleta, director of the Office of Personnel
Management; Michael Esser, Assistant IG for Audits at OPM; and
Richard Spires, CEO of Resilient Network Systems and former
Chief Information Officer at DHS and IRS.
    Director Archuleta, I invite you to present your testimony.

              SUMMARY STATEMENT OF KATHERINE L. ARCHULETA

    Ms. Archuleta. Chairman Boozman, Ranking Member Coons, and
members of the subcommittee, Government and nongovernment
entities are under constant attack by evolving and advanced
persistent threats and criminal actors. These adversaries are
sophisticated, well-funded, and focused.
    Unfortunately, these attacks will not stop.
If anything,
they will increase.
    Although OPM has taken significant steps to meet our
responsibility to secure personnel data, it is clear that OPM
needs to accelerate these efforts, not only for those
individuals personally, but also as a matter of national
security.
    My goal as director is to leverage cybersecurity best
practices and protect the sensitive information entrusted to
the agency, modernizing our IT infrastructure to better
confront emerging threats, and to meet our mission and our
customer service expectations.
    OPM has undertaken an aggressive effort to update its
cybersecurity. For fiscal years 2014 and 2015, we committed
nearly $67 million toward shoring up our IT infrastructure. In
June of 2014, we began to completely redesign our current
network while also protecting our legacy network.
    These projects are ongoing, on schedule, and on budget. We
implemented state-of-the-art practices, such as additional
firewalls, two-factor authentication for remote access, and
limited privilege access rights. We are also increasing the
types of methods utilized to encrypt our data.
    As a result of these efforts, in April 2015, an intrusion
that predated the adoption of these security controls affecting
OPM's IT systems and data was detected by our new cybersecurity
tools. OPM immediately contacted DHS and the FBI.
And together,
we initiated an investigation to determine the scope and the
impact of the intrusion.
    In early May, the interagency incident response team shared
with relevant agencies that the exposure of personnel records
had occurred.
    In early June, OPM informed Congress and the public that
notification actions would be sent to affected individuals
beginning on June 8 through June 19.
    We are continuing to learn more about the systems that
contributed to individuals' data potentially being compromised.
    For example, we have now confirmed that any Federal
employee from across all branches of Government whose
organization submitted service history records to OPM may have
been compromised, even if their full personnel file is not
stored in OPM's system. These individuals were included in the
previously identified population of approximately 4 million
current and former Federal employees, and have been included in
the notification.
    Later in May, the interagency incident response team
concluded that additional systems were likely compromised.
This
separate incident, which also predated the development of our
new security tools and capabilities, continues to be
investigated by OPM and our interagency partners.
    Based on this continuing investigation, in early June, the
interagency response team shared with relevant agencies that
there was a high degree of confidence that OPM systems related
to background investigations of current, former, and
prospective Federal Government employees, and for those for
whom a Federal background investigation was conducted, may have
been compromised.
    While we have not yet determined its scope and its impact,
we are committed to notifying those individuals whose
information may have been compromised as soon as practicable.
    But for the fact that OPM implemented new, more stringent
security tools in its environment, we would never have known
that malicious activity had previously existed in the network.
    In response to these incidents, OPM, working with our
partners at DHS, has immediately implemented additional
security measures to protect the sensitive information we
manage. We continue to execute our aggressive plan to modernize
OPM's platform and bolster security tools. We are on target to
finish a completely new modern and secure datacenter
environment by the end of fiscal year 2015, which will
eventually replace our legacy network.
    OPM's 2016 budget request included an additional $21
million above 2015 funding levels to further support the
modernization of our IT infrastructure, which is critical to
protecting data from persistent adversaries that we face.
This
funding will help sustain the network security upgrades and
maintenance initiated in fiscal years 2014 and 2015 to improve
OPM's cyber posture, including advanced tools, such as database
encryption and stronger firewalls and storage devices.
    We discovered these intrusions because of our increased
efforts in the last 18 months to improve cybersecurity at OPM,
not despite them.

                           PREPARED STATEMENT

    I am dedicated to ensuring that OPM does everything in its
power to protect the Federal workforce and to ensure that our
systems will have the best security posture the Government can
provide.
    Thank you and I appreciate the opportunity to testify
today. I am happy to address any questions you may have.
    [The statement follows:]
              Prepared Statement of Katherine L. Archuleta
            A Review of IT Spending and Data Security at OPM
    Chairman Boozman, Ranking Member Coons, and members of the
subcommittee:

    Government and non-government entities are under constant attack by
evolving and advanced persistent threats and criminal actors. These
adversaries are sophisticated, well-funded, and focused. Unfortunately,
these attacks will not stop--if anything, they will increase. Although
OPM has taken significant steps to meet our responsibility to secure
the personal data of those we serve, it is clear that OPM needs to
dramatically accelerate these efforts, not only for those individuals
personally, but also as a matter of national security. When I was sworn
in as the Director of the U.S. Office of Personnel Management (OPM) 18
months ago, I immediately became aware of security vulnerabilities in
the agency's aging legacy systems and I made the modernization and
security of our network and its systems one of my top priorities.
My
goal as Director of OPM, as laid out in OPM's February 2014 Strategic
Information Technology (IT) Plan, has been to leverage cybersecurity
best practices to protect the sensitive information entrusted to the
agency, while modernizing our IT infrastructure to better confront
emerging threats and meeting our mission and customer service
expectations.
Strengthening and Enhancing OPM's Data Security
    Over the last 18 months, OPM has undertaken an aggressive effort to
update its cybersecurity posture, adding numerous tools and
capabilities to its networks. For fiscal years 2014 and 2015 we have
committed nearly $70 million towards shoring up our IT infrastructure.
In June 2014, we began to completely redesign our current network,
while also protecting our legacy network to the maximum extent possible
in the interim. These projects are ongoing, on schedule, and on budget.
The first phase of this project was to deploy the tools required to
address critical vulnerabilities on the existing network. As part of
this effort, in January 2015 we implemented state-of-the-art practices,
such as additional firewalls, two-factor authentication for remote
access, and limited privileged access rights. Currently, we are also
increasing the types of methods utilized to encrypt our data. These
methods cover not only data at rest, but data in transit, and data
displayed through masking or redaction.
    As a result of these efforts to improve our security posture, in
April 2015, an intrusion that predated the adoption of these security
controls affecting OPM's IT systems and data was detected by our new
cybersecurity tools. OPM immediately contacted the Department of
Homeland Security (DHS) and the Federal Bureau of Investigation (FBI)
and, together with these partners, initiated an investigation and
forensic analysis to determine the scope and impact of the intrusion.
Shortly thereafter, OPM notified congressional leadership and select
committees of this incident. In early May, the interagency incident
response team shared with relevant agencies that the exposure of
personnel records had occurred. That very same day, we worked to brief
congressional leadership and select committees. In early June, OPM
informed Congress and the public that notifications would be sent to
affected individuals beginning on June 8 through June 19. We refer to
this incident as the intrusion affecting personnel records.
    As part of the ongoing investigation and analysis, we are
continuing to learn more about the systems that contributed to
individuals' data potentially being compromised. For example, we have
now confirmed that any Federal employee from across all branches of
Government whose organization submitted service history records to OPM
may have been compromised--even if their full personnel file is not
stored on OPM's system. These individuals were included in the
previously identified population of approximately four million current
and former Federal employees and are being appropriately notified.
    During the course of the ongoing investigation, the interagency
incident response team concluded--later in May--that additional systems
were likely compromised, also at an earlier date. In late May, OPM and
the interagency notified Congressional leadership and select committees
of this separate intrusion. This separate incident--which also predated
deployment of our new security tools and capabilities--continues to be
investigated by OPM and our interagency partners.
Based on this
continuing investigation, in early June, the interagency response team
shared with relevant agencies that there was a high degree of
confidence that OPM systems related to background investigations of
current, former, and prospective Federal Government employees, and
those for whom a Federal background investigation was conducted, may
have been compromised. We are currently working with our interagency
partners to continue to offer classified briefings for members and
staff on the status of this investigation. While we have not yet
determined its scope and impact, we are committed to notifying those
individuals whose information may have been compromised as soon as
practicable. This separate incident is one that we refer to as the
intrusion affecting background investigations.
    But for the fact that OPM implemented new, more stringent security
tools in its environment, we would have never known that malicious
activity had previously existed on the network, and would not have been
able to share that information for the protection of the rest of the
Federal Government. In response to these incidents, OPM, working with
our partners at DHS, has immediately implemented additional security
measures to protect the sensitive information it manages and to take
steps toward building a simplified, modern, and flexible network
infrastructure.
Driving Continued Progress on IT Modernization
    We continue to execute on our aggressive plan to modernize OPM's
platform and bolster security tools. We are on target to finish a
completely new modern and secure data center environment by the end of
fiscal year 2015 which will eventually replace our legacy network.
OPM's 2016 budget request included an additional $21 million above 2015
funding levels to further support the modernization of our IT
infrastructure, which is critical to protecting data from the
persistent adversaries we face.
This funding will help us sustain the
network security upgrades and maintenance initiated in fiscal year 2014
and fiscal year 2015 to improve OPM's cyber posture, including advanced
tools such as database encryption and stronger firewalls and storage
devices.
Conclusion
    As we are all aware, Government and non-government entities are
under constant attack by evolving and advanced persistent threats and
criminal actors. Again--we recognize that these attacks will increase.
We are working with an interagency team to identify and rapidly
implement protections that will decrease our risk; however, as we
address critical immediate needs we also need to continue our work to
address long-term strategic challenges that affect our ability to
ensure the security of our networks in light of this persistent threat.
As our OIG has noted, OPM has been challenged for several years in
building and maintaining a strong management structure and the
processes needed for a successful information technology security
program. OPM agrees with this assessment which is why I prioritized
development of the agency's Strategic IT Plan and have prioritized its
implementation.
    We discovered these intrusions because of our increased efforts in
the last 18 months to improve cyber security at OPM, not despite them.
I am dedicated to ensuring that OPM does everything in its power to
protect the Federal workforce, and to ensure that our systems will have
the best cyber security posture the Government can provide.
    We thank you for your support of our ongoing efforts to strengthen
our IT security and I appreciate the opportunity to testify today. I am
happy to address any questions you may have.

    Senator Boozman. Mr. Esser.

                 SUMMARY STATEMENT OF MICHAEL R. ESSER

    Mr. Esser. Chairman Boozman, Ranking Member Coons, and
members of the committee, good morning.
My name is Michael
Esser, and I am the Assistant Inspector General for Audits at
the U.S. Office of Personnel Management. Thank you for inviting
me to testify at today's hearing on the IT audit work performed
by the OPM Office of the Inspector General.
    Senator Boozman. Can you put your microphone on? It's on?
Just pull it closer then.
    Mr. Esser. Today I will be discussing OPM's long history of
systemic failures to properly manage its IT infrastructure,
which we believe may have ultimately led to the breaches we are
discussing today, as well as issues related to OPM's current IT
modernization project.
    There are three primary areas of concern that we have
identified through our Federal Information Security Management
Act (FISMA) audits during the past several years: information
security governance, security assessment and authorization, and
technical security controls.
    Information security governance is the management structure
and processes that form the foundation of a successful security
program. For many years, OPM operated in a decentralized manner
with the agency's program officers managing their IT systems.
This decentralized structure had a negative impact upon OPM's
IT security posture, and all of our FISMA audits between 2007
and 2013 identified this as a serious concern.
    By 2014, steps taken by OPM to centralize IT security
responsibility with the CIO had resulted in many improvements.
However, it is apparent the OCIO is still negatively impacted
by the many years of decentralization.
    The second concern is security assessments and
authorization. This process includes a comprehensive assessment
of each IT system to ensure that it meets the applicable
security standards before allowing the system to operate. We
identified problems related to system authorizations in 2010
and 2011, but removed it as an audit concern in 2012.
However,
problems with OPM system authorizations have reappeared. In
2014, 21 OPM systems were due to receive a new authorization
but 11 were not authorized by year-end.
    In addition, the Office of the Chief Information Officer
(OCIO) has recently put authorization efforts on hold until it
completes the current modernization project. This action to
extend authorizations is contrary to OMB guidance, which
specifically states that an extended or interim authorization
is not valid. It is also worth noting that OMB no longer
requires systems to be authorized every 3 years, but that is
assuming that agencies have implemented a mature continuous
monitoring program.
    Our FISMA auditing determined that OPM does not have a
mature program. Therefore, we still expect OPM systems to have
current authorizations.
    The third concern relates to OPM's use of technical
security controls. OPM has implemented a variety of controls
and tools to make the agency's IT systems more secure. While
this is obviously a positive step, we are concerned these tools
are not being implemented properly and did not cover the entire
technical infrastructure, as we found that OPM does not have an
accurate centralized inventory of all servers and databases.
    Even if all the security tools were being used properly,
OPM cannot fully defend its network without a comprehensive
list of assets.
    Also, there has been much discussion of the difficulty in
securing OPM systems as they are old legacy systems.
While this \nis true in many cases and many OPM systems are mainframe based, \nit is our understanding that some of the systems impacted by \nthe breaches are, in fact, modern systems for which most of the \ntechnical improvements necessary to secure them could be \naccomplished.\n    In addition to the issues identified in our FISMA audits, I \nwould also like to briefly address OPM's IT modernization \nproject, which will overhaul its entire infrastructure and \nmigrate all systems to a new data center environment. We \nrecently issued a flash audit alert discussing this project and \nour concerns related to project management and the use of a \nsole source contract for the duration of the effort.\n    One area of significant concern that we identified is that \nOPM does not have a dedicated funding source for the entire \nproject. Its estimate of $93 million includes only the initial \nphases of the project, which covers tightening up the security \ncontrols and building a new shell environment. The $93 million \nestimate does not include the cost of migrating approximately \n50 major IT systems to this new shell environment. The cost of \nthis work is likely to be substantial, and the lack of a \ndedicated funding source increases the risk that the project \nwill fail to meet its objectives.\n\n                           PREPARED STATEMENT\n\n    In closing, it is clear that OPM has a great deal of work \nto do to strengthen its IT security posture. We fully support \nthe concept of OPM's IT modernization project. However, \nespecially for a task of this magnitude, it is imperative that \nOPM follow solid IT project management best practices to \nprovide the project the best chance for success.\n    Thank you for your time. I'm happy to answer any questions \nyou may have.\n    [The statement follows:]\n                 Prepared Statement of Michael R. 
Esser\n           IT SPENDING AND DATA SECURITY AT OPM, JUNE 23, 2015\n    Chairman Boozman, Ranking Member Coons, and members of the \nsubcommittee:\n\n    Good morning. My name is Michael R. Esser. I am the Assistant \nInspector General for Audits at the U.S. Office of Personnel Management \n(OPM). Thank you for inviting me to testify at today's hearing \ndiscussing the information technology (IT) spending and data security \nat OPM. Specifically, today I will be discussing the audits that the \nOffice of the Inspector General (OIG) conducts in accordance with the \nFederal Information Security Management Act, commonly known as \n``FISMA.'' Although OPM has made progress in certain areas, some of the \ncurrent problems and weaknesses were identified as far back as fiscal \nyear 2007. We believe this long history of systemic failures to \nproperly manage its IT infrastructure may have ultimately led to the \nbreaches we are discussing today.\nOIG's FISMA Work\n    FISMA requires that OIGs perform annual audits of their agencies' \nIT security programs and practices. These audits are conducted in \naccordance with guidance issued each year by the U.S. Department of \nHomeland Security (DHS) Office of Cybersecurity and Communications. \nToday I will talk about three of the most significant concerns \nhighlighted in our fiscal year 2014 FISMA report. However, it is \nimportant to note that our report contained a total of 29 \nrecommendations covering a wide variety of IT security topics. Only 3 \nof these 29 recommendations have been closed to date, and 9 of the open \nrecommendations are long-standing issues that were rolled-forward from \nprior year FISMA audits.\n            1. Information Security Governance\n    Information security governance is the management structure and \nprocesses that form the foundation of a successful information \ntechnology security program. 
Although the DHS FISMA reporting metrics \ndo not directly address security governance, it is an overarching issue \nthat impacts how the agency handles IT security and its ability to meet \nFISMA requirements, and therefore we have always addressed the matter \nin our annual FISMA audit reports.\n    This is an area where OPM has seen significant improvement. \nHowever, some of the past weaknesses still haunt the agency today.\n    In the fiscal year 2007 FISMA report, we identified a material \nweakness \\1\\ related to the lack of IT security policies and \nprocedures. In fiscal year 2009, we expanded the material weakness to \ninclude the lack of a centralized security management structure \nnecessary to implement and enforce IT security policies. OPM's Office \nof the Chief Information Officer (OCIO) was responsible for the \nagency's overall technical infrastructure and provided boundary-level \nsecurity controls for the systems residing on this infrastructure. \nHowever, each OPM program office had primary responsibility for \nmanaging security controls specific to its own IT systems. There was \noften confusion and disagreement as to which controls were the \nresponsibility of the OCIO, and which were the responsibility of the \nprogram offices.\n---------------------------------------------------------------------------\n    \\1\\ An IT material weakness is a severe control deficiency that \nprohibits the organization from adequately protecting its data.\n---------------------------------------------------------------------------\n    Further, the program office personnel responsible for IT security \nfrequently had no IT security background and were performing this \nfunction in addition to another full-time role. 
For example, this meant \nthat an employee whose job was processing retirement applications may \nhave been given the additional responsibility of monitoring and \nmanaging the IT security needs of the system used to process those \napplications.\n    As a result of this decentralized governance structure, many \nsecurity controls went unimplemented and/or remained untested, and OPM \nroutinely failed a variety of FISMA metrics year after year. Therefore, \nwe continued to identify this security governance issue as a material \nweakness in all subsequent FISMA audits through fiscal year 2013.\n    However, in fiscal year 2014, we changed the classification of this \nissue to a significant deficiency, which is less serious than a \nmaterial weakness. This change was prompted by important improvements \nthat were the result of changes instituted in recent years by OPM. \nSpecifically, in fiscal year 2012, the OPM Director issued a memorandum \nmandating the centralization of IT security duties to a team of \nInformation System Security Officers (ISSO) that report to the OCIO. In \nfiscal year 2014, the OPM Director approved a plan to further \nrestructure the OCIO that included funding for additional ISSO \npositions. The OCIO also established a 24/7 security operations center \nresponsible for monitoring IT security events for the entire agency; \nhowever, OPM has not yet implemented a mature continuous monitoring \nprogram.\n    This new governance structure has resulted in improvement in the \nconsistency and quality of security practices for the various IT \nsystems owned by the agency. Although we are optimistic that these \nimprovements will continue, it is apparent that the OCIO continues to \nbe negatively impacted by years of decentralized security governance, \nas the technical infrastructure remains fragmented and therefore \ninherently difficult to protect.\n            2. 
Security Assessment and Authorization\n    A Security Assessment and Authorization (Authorization) is a \ncomprehensive process under which the IT security controls of an \ninformation system are thoroughly assessed against applicable security \nstandards. After the assessment is complete, a formal Authorization \nmemorandum is signed indicating that the system is cleared to operate \nin the agency's technical environment.\n    The Office of Management and Budget (OMB) mandates that all major \nFederal information systems have a valid Authorization (that is, that \nthey have all been subjected to this process) every 3 years unless a \nmature continuous monitoring system is in place (which OPM does not yet \nhave). Although, as mentioned, IT security responsibility is being \ncentralized under the OCIO, it is still the responsibility of OPM \nprogram offices to facilitate and pay for the Authorization process for \nthe IT systems that they own.\n    OPM has a long history of issues related to system Authorizations. \nOur fiscal year 2010 FISMA audit report contained a material weakness \nrelated to incomplete, inconsistent, and poor quality Authorization \npackages. This issue improved over the next 2 years, and was removed as \nan audit concern in fiscal year 2012.\n    However, problems with OPM's system Authorizations have recently \nresurfaced. In fiscal year 2014, 21 OPM systems were due for \nAuthorization, but 11 of those were not completed on time and were \ntherefore operating without a valid Authorization.\\2\\ This is a drastic \nincrease from prior years, and represents a systemic issue of \ninadequate planning by OPM program offices to assess and authorize the \ninformation systems that they own.\n---------------------------------------------------------------------------\n    \\2\\ The OIG is the co-owner of one of these IT systems, the Audit \nReports and Receivables Tracking System. 
This system has been \nreclassified as a minor system on the OPM general support system (GSS), \nand cannot be Authorized until the OCIO Authorizes the GSS.\n---------------------------------------------------------------------------\n    Although the majority of our FISMA audit work is performed towards \nthe end of the fiscal year, it already appears that there will be a \ngreater number of systems this year operating without a valid \nAuthorization. In April, the CIO issued a memorandum that granted an \nextension of the previous Authorizations for all systems whose \nAuthorization had already expired, and for those scheduled to expire \nthrough September 2016. Should this moratorium on Authorizations \ncontinue, the agency will have up to 23 systems that have not been \nsubject to a thorough security controls assessment. The justification \nfor this action was that OPM is in the process of modernizing its IT \ninfrastructure and once this modernization is complete, all systems \nwould have to receive new Authorizations anyway.\n    While we support the OCIO's effort to modernize its systems, this \naction to extend Authorizations is contrary to OMB guidance, which \nspecifically states that an ``extended'' or ``interim'' Authorization \nis not valid. Consequently, these systems are still operating without a \ncurrent Authorization, as they have not been subject to the complete \nsecurity assessment process that the Authorization memorandum is \nintended to represent.\n    There are currently no consequences for failure to meet FISMA \nstandards, or operate systems without Authorizations, at either the \nagency level or the program office level. The OIG simply reports our \nfindings in our annual FISMA audit, which is delivered to OPM and then \nposted on our Web site. OMB receives the results of all FISMA audits, \nand produces an annual report to Congress. 
There are no directives or \nlaws that provide for penalties for agencies that fail to meet FISMA \nrequirements.\n    However, at the program office level, OPM has the authority to \ninstitute administrative sanctions. This could be an effective way to \nreduce non-compliance with FISMA requirements. We recommended that the \nperformance standards of all OPM major system owners include a \nrequirement related to FISMA compliance for the systems they own. Since \nOMB requires a valid Authorization for all Federal IT systems, we also \nrecommended that the OPM Director consider shutting down systems that \nwere in violation. None of the systems in violation were shut down.\n    Not only was a large volume (11 out of 47 systems) of OPM's IT \nsystems operating without a valid Authorization, but several of these \nsystems are among the most critical and sensitive applications owned by \nthe agency.\n    Two of the OCIO systems without an Authorization are general \nsupport systems that host a variety of other major applications. Over \n65 percent of all systems operated by OPM (not including contractor-\noperated systems) reside on one of these two support systems, and are \ntherefore subject to any security risks that exist on the support \nsystems.\n    Furthermore, two additional systems without Authorizations are \nowned by OPM's Federal Investigative Services, which is responsible for \nfacilitating background investigations for suitability and security \nclearance determinations. Any weaknesses in the IT systems supporting \nthis program office could potentially have national security \nimplications.\n    As I explained, maintaining active Authorizations for all IT \nsystems is a critical element of a Federal information security \nprogram, and failure to thoroughly assess and address a system's \nsecurity weaknesses increases the risk of a security breach. 
We believe \nthat the volume and sensitivity of OPM systems that are operating \nwithout an active Authorization represents a material weakness in the \ninternal control structure of the agency's IT security program.\n            3. Technical Security Controls\n    As previously stated, our fiscal year 2014 FISMA report contained a \ntotal of 29 audit recommendations, but two of the most critical areas \nin which OPM needs to improve its technical security controls relate to \nconfiguration management and authentication to IT systems using \npersonal identity verification (PIV) credentials.\n    Configuration management refers to the policies, procedures, and \ntechnical controls used to ensure that IT systems are securely \ndeployed.\n    OPM has implemented a variety of new controls and tools designed to \nstrengthen the agency's technical infrastructure by ensuring that its \nnetwork devices are configured securely. However, our fiscal year 2014 \nFISMA audit determined that all of these tools are not being utilized \nto their fullest capacity. For example, we were told in an interview \nwith OPM personnel that OPM performs monthly vulnerability scans on all \ncomputer servers using its automated scanning tools. While we confirmed \nthat OPM does indeed own these tools and that regular scan activity was \noccurring, our audit also determined that some of the scans were not \nworking correctly because the tools did not have the proper \ncredentials, and that some servers were not scanned at all.\n    OPM has also implemented a comprehensive security information and \nevent management tool designed to automatically correlate potential \nsecurity incidents by analyzing a variety of devices simultaneously. 
\nHowever, at the time of our fiscal year 2014 FISMA report, this tool \nwas receiving data from only 80 percent of OPM's major IT systems.\n    During this audit we also determined that OPM does not maintain an \naccurate centralized inventory of all servers and databases that reside \nwithin the network. Even if the tools I just referenced were being used \nappropriately, OPM cannot fully defend its network without a \ncomprehensive list of assets that need to be protected and monitored.\n    This issue ties back to the centralized governance issue I \ndiscussed earlier. Each OPM program office historically managed its own \ninventory of devices supporting their respective information systems. \nEven though the OCIO is now responsible for all of OPM's IT systems, it \nstill has significant work ahead in identifying all of the assets and \ndata that it is tasked with protecting.\n    With respect to PIV authentication, OMB required all Federal IT \nsystems to be upgraded to use PIV for multi-factor authentication by \nthe beginning of fiscal year 2012. In addition, OMB guidance also \nmandates that all new systems under development must be PIV-compliant \nprior to being made operational.\n    In fiscal year 2012, the OCIO began an initiative to require PIV \nauthentication to access the agency's network. As of the end of fiscal \nyear 2014, over 95 percent of OPM workstations required PIV \nauthentication to access the OPM network. However, none of the agency's \n47 major applications required PIV authentication. Full implementation \nof PIV authentication would go a long way in protecting an agency from \nsecurity breaches, as an attacker would need to compromise more than a \nusername and password to gain unauthorized access to a system. 
\nConsequently, we believe that PIV authentication for all systems should \nbe a top priority for OPM.\n    Some of the other areas where we identified technical control \nweaknesses include:\n\n  --Operating system baseline configurations;\n  --Configuration change control;\n  --Tracking the status of known security vulnerabilities;\n  --Patch management;\n  --Termination of idle VPN connections; and\n  --Continuous monitoring of security controls.\n\n    Finally, there has been much discussion of the problems with \nsecuring OPM's systems, as they are old, ``legacy'' systems. While this \nis true in many cases, and many of OPM's systems are mainframe-based, \nsome systems that were impacted by the breaches are in fact more modern \nsystems for which most of the technical improvements necessary to \nsecure them could be accomplished.\nOPM's Modernization Project\n    In April 2014, the agency began a full overhaul and modernization \nof its technical infrastructure, which will involve implementing \nadditional IT security controls and then migrating the entire \ninfrastructure to a completely new environment (referred to as the \nShell). The OIG did not become aware of this project until nearly a \nyear later, in March 2015, when we met with officials from OPM's \nOffice of the Chief Financial Officer and the OCIO to discuss questions \nrelated to the special $21 million funding request for this project \ncontained in the President's fiscal year 2016 budget.\n    On June 17, 2015, we issued a Flash Audit Alert detailing concerns \nrelated to project management as well as the use of a sole source \ncontract for the entire project. One specific issue discussed in the \nFlash Audit Alert was funding for the project.\n    OPM informed us that the current estimate for this project was \napproximately $93 million. 
However, after our auditors began their \nreview, we learned that this cost estimate did not include the costs \nfor migrating existing applications to the new Shell. That work is \nlikely to be, by far, the most expensive part of the project. Migrating \napplications involves modifying all of the current systems--including \nall of the legacy systems that are frequently mentioned--so that they \ncan operate in the new Shell environment. In 2009, OPM undertook a \nsimilar effort with its financial system application, and it cost $30 \nmillion and took 2 years. There are approximately 50 major systems that \nhave to be migrated to the Shell, and many smaller ones.\n    Moreover, I am very concerned with the lack of an adequate funding \nplan for this project. Although there is a $21 million special request \nin the President's fiscal year 2016 budget, and DHS has committed $5 \nmillion to the project, there is no comprehensive plan to fund the \nremaining costs of the project. Instead, we were told, in essence, that \nthe OCFO would find the remaining funds somewhere, meaning a very heavy \nburden will fall upon program offices that are already stretched thin. \nThe annual appropriations of program offices are meant to fund their \ncore mission responsibilities, not subsidize a major agency-wide IT \ninfrastructure project.\n    This last issue has also become significantly problematic for our \nown office. Because we were unaware that OPM had undertaken this \nimmense project, we were unable to include the related costs in our \nfiscal year 2016 budget request. 
The project will impose three types of \ncosts upon us: (1) increased oversight costs, (2) the payment of the \nspecial assessment since we are a user of OPM IT services, and (3) the \ncosts of modifying OIG-owned systems that reside on OPM's network so \nthat they are compatible with the new IT environment.\nConclusion\n    As discussed above, OPM has a history of struggling to comply with \nFISMA requirements. Although some areas have improved, such as the \ncentralization of IT security responsibility within the OCIO, other \nproblems persist. Until OPM's security weaknesses are resolved, OPM \nsystems will continue to be an inviting target for attackers.\n    If OPM's new modernization project is implemented appropriately, we \nbelieve that it will significantly improve OPM's IT operations, \nincluding its IT security posture. However, there are several issues, \nincluding significant budgetary concerns, which must be addressed. If \nthey are not, we fear that there is a high risk this project will fail \nto meet its stated objectives.\n    Thank you for your time and I am happy to answer any questions you \nmay have.\n\n    Senator Boozman. Thank you, Mr. Esser.\n    Mr. Spires.\n\n                 SUMMARY STATEMENT OF RICHARD A. SPIRES\n\n    Mr. Spires. Good morning, Chairman Boozman, Ranking Member \nCoons, and members of the subcommittee.\n    I'm honored to testify today. And since I served as the \nChief Information Officer of the Internal Revenue Service (IRS) \nand later the Department of Homeland Security (DHS), I hope my \nin-the-trenches experience is of value regarding \nrecommendations I will make on how the Federal Government can \nmore effectively safeguard data and improve its cybersecurity \nposture.\n    Most Federal Government agencies find themselves \nsusceptible to data breaches and compromises of core mission IT \nsystems because of three primary root causes.\n    First, lack of IT management best practices. 
The very best \ncybersecurity defense is the result of managing your IT \ninfrastructure and software applications well. But beginning in \nthe 1990s and up to the present, the Federal Government has not \nproperly managed IT, having failed to effectively adapt to \nthe changes in IT technology and the evolving cybersecurity \nthreat.\n    As examples of these failures, when I served in Government, \nwe would all too routinely discover IT systems outside of the \nIT organization's purview that have been deployed without the \nproper IT security testing and accreditation. The highly \ndistributed approach to IT management across Government, and I \nwould point out that Mr. Esser in his testimony already \nreferred to decentralization within the OPM environment itself, \nhas led to the deployment of thousands of data centers. Federal \nagencies struggle with managing and maintaining this dispersed \ninfrastructure and disparate systems.\n    The resulting complexity of vastly different systems and \nunderlying IT infrastructures makes it virtually impossible to \nproperly secure such an environment.\n    Second, lack of IT security best practices. While well \nintentioned and appropriate for the time, the 2002 Federal \nInformation Security Management Act (FISMA) skewed the approach \nfor Government IT information security. The law forced the \nChief Information Security Officers (CISOs) to look at the \ncontrols for individual systems, when in reality viewing \nsystems in isolation hid the impact of larger enterprise \nsecurity posture.\n    Further, until very recently, systems would be certified \nand accredited based on a 3-year cycle, which is a significant \nissue when looking at the rapid evolution of technology in the \ncyber threat environments.\n    Third, a slow and cumbersome acquisition process. When I \nwas at DHS, I was a proponent of continuous diagnostics and \nmitigation, or the continuous diagnostics and mitigation (CDM) \nprogram. 
But it is dismaying to see how long it took, 2-plus \nyears, just to implement phase one. That does not include the \nadditional competitive process for an agency to obtain \ncapabilities. Sophisticated adversaries will exploit any and \nall vulnerabilities. The Government is even more vulnerable \nwhen it takes months, not years, to be able to deploy new IT \nsecurity capabilities.\n    My recommendations to address these root causes: First, \neffectively implement the Federal IT Acquisition Reform Act, or \nFITARA. This law is meant to address the systemic problems in \nmanaging IT effectively, and the main intent of the law is to \nempower the agency CIO to address these issues.\n    So far, I am pleased with the approach the OMB and the \nnew CIO Tony Scott are taking to support FITARA's rollout. \nCongress can support these efforts by demanding aggressive \nimplementation of FITARA by agencies, development of measures \nfor assessing FITARA's impact, and transparency in reporting \nongoing progress.\n    Effective implementation of FITARA is the Government's best \nhope to address decades of IT mismanagement.\n    Second, drive adoption of IT security best practices. There \nhas been positive movement with the updated FISMA law and the \nmove to continuous monitoring. Yet I recommend the Government \nrethink how it is measuring success, with focus along three \nlines.\n    There is a continuing need to pursue cybersecurity tools to \nprevent intrusions, but even more importantly, detect them \nquickly when intrusions do occur. 
Yet the Government needs to \nassume that sophisticated adversaries will still gain access.\n    The root of all trust is verified identity, and the \nGovernment needs to step back and rethink how it is rapidly \nimplementing ubiquitous use of multi-factor identity \nauthentication, along with the behavioral detection systems to \nidentify insider threats or compromised credentials.\n    Finally, the Government needs to target additional \nprotection of an agency's most sensitive information. Through \nfocused effort and the use of available data protection \ntechnologies, the Government can attain high assurance that \nonly the trusted parties have access to an agency's most \nsensitive information. This would go a long way toward \nthwarting additional major and damaging data breaches.\n    Certainly, the data breaches at OPM are terrible for the \nGovernment and for those millions of us who may be negatively \nimpacted in the future. However, this episode and the need to \nimplement FITARA and the new FISMA law can be the impetus for \nmuch-needed and sustained change.\n\n                           PREPARED STATEMENT\n\n    It is critical to make enough progress during the next 18 \nmonths to ensure that leadership commitment to needed changes \nin IT management and security is sustained into the next \nCongress and administration.\n    Thank you for the opportunity to testify today.\n    [The statement follows:]\n                Prepared Statement of Richard A. Spires\n    Good morning Chairman Boozman, Ranking Member Coons, and members of \nthe subcommittee. 
I am honored to testify today in regards to the \nrecent Office of Personnel Management (OPM) data breaches, while \naddressing issues and making recommendations regarding approaches on \nhow the Federal Government can more effectively safeguard data and \nimprove its cybersecurity posture.\n    Serving as the CIO of a major department (DHS) as well as the CIO \nfor a large bureau (IRS) in the Department of Treasury, I had ample \nopportunity to understand the dynamics inherent in Federal Government \ninformation technology (IT), including how Government agencies \ngenerally dealt with their IT security vulnerabilities. While at the \nIRS and DHS, I worked closely with the Chief Information Security \nOfficers (CISOs) at both organizations to implement approaches that \nwould address these security vulnerabilities. I also worked across the \nFederal Government on these issues, serving for a period as the Vice \nChair of the Federal CIO Council and also as the Co-Chair of the \nCommittee for National Security Systems. Given the gravity of this \nissue, I hope that my testimony is of value to Congress and the \nadministration in helping to address systemic weaknesses in how the \nFederal Government protects data and its IT systems from compromise.\n    Please note that I never worked at OPM and while I will allude to \nsome of the alleged details of the recent OPM data breaches, my \ntestimony describes broader systemic issues that must be addressed if \nwe are to better protect our Government's data and IT systems. In fact, \nI would urge Congress and the administration to avoid a tactical \napproach that addresses narrow technical fixes based on these latest \nbreaches--the weaknesses that led to these types of breaches are deeply \nrooted and require sweeping changes in our approach to IT and \ncybersecurity management and practices. 
Further, the weaknesses in the \nFederal Government's IT security posture are almost always based on IT \npractices that have been in place over many years. I served in the Bush \nand Obama administrations and saw the same systemic problems in both. \nThis should not be viewed as a political issue, but a call to action to \nfix a set of issues that can not only have a beneficial impact on \nsecuring data and systems, but improve IT management and delivery of \nsystems as well.\n    My testimony will first focus on identifying the root causes that \nhave led to a situation allowing massive data breaches of sensitive \ndata and personally identifiable information (PII) to occur in \nGovernment. I will then provide a set of recommendations to address \nthese root causes that can, based on my experience, be implemented over \na 2-to-3 year timeframe. As I describe below, however, there is a window \nof opportunity to drive these changes that Congress and the \nadministration cannot afford to miss.\n     ROOT CAUSES OF IT SECURITY AND DATA PROTECTION VULNERABILITIES\n    The situation in which most Federal Government agencies find \nthemselves susceptible to data breaches and compromises of core mission \nIT systems is the result of three primary root causes, which include:\n1. Lack of IT Management Best Practices\n    The very best cybersecurity defense is the result of managing your \nIT infrastructure and software applications well. During the decades of \nthe 1970s and 1980s, agencies could build and deploy IT systems with \nlittle regard to security issues. This was not necessarily a management \nfailure since there were very few security issues to be concerned with \nprior to the broad use of the Internet and the rise of the ubiquitous \ndata networks. However, beginning in the 1990s and up to the present, \nthe Federal Government has not properly managed its IT. 
The Government \nhas failed to effectively adapt to the changes in IT and the evolving \ncybersecurity threat.\n    As an example of these failures, when I served at IRS and then at DHS, \nwe would all-too-routinely discover IT systems outside of the IT \norganization's purview that had been developed and deployed without the \nproper IT security testing and accreditation. This highly distributed \napproach to IT management has led to the deployment of thousands of \ndata centers across the Federal Government. Federal agencies today \nstruggle with managing and maintaining this dispersed infrastructure \nand disparate systems. In far too many instances, hardware and software \nassets are not systematically tracked, software is not routinely \nupdated and patched, and critical hardware and software has reached \nend-of-life and, in some cases, is no longer even supported by the \nvendors. And while I am a big proponent of cloud technology, I am \nconcerned that many agencies are not necessarily using cloud \ncapabilities to streamline and simplify their infrastructure, but \nrather creating new IT ``stovepipe'' infrastructures. This complexity \nof maintaining a sea of vastly different systems in an ocean of \ndiffering underlying IT infrastructures makes it increasingly \nimpossible to properly secure such a complex IT environment.\n    Worse, when the Government did realize it had these issues and \nattempted to fix them, entrenched interests made it exceptionally \ndifficult to effect the necessary changes. For instance, a number of \nlaws have been passed that attempted to address IT management \npractices, most notably the Clinger-Cohen Act of 1996, which mandated a \nstrong agency CIO that could begin to rationalize IT within an agency. \nYet Clinger-Cohen is viewed as failed legislation in the Federal IT \ncommunity since in reality, none of the agency CIOs have the authority \ngranted by Clinger-Cohen. 
Components, Bureaus, and program offices have
generally resisted efforts to bring more oversight and discipline to IT
management and operations under the theory that it impedes mission and
business progress for agencies. Unfortunately, we are paying a huge
economic cost for those decisions resulting in inefficiency,
duplication and unsecure IT systems and infrastructure. And what is now
worse, we will likely pay a greater cost in the exposure of PII of
millions of current and former Government employees, and potentially a
cost to our national security.
2. Lack of IT Security Best Practices
    While well intentioned and appropriate for its time, the Federal
Information Security Management Act (FISMA) skewed the approach for
Government IT information security. Originally passed in 2002, it set a
course for how IT security effectiveness has been measured in
Government. While there are some good components of the law, the
unintended consequence is that it forced CISOs to look at the controls
for individual systems when in reality, IT systems across the
Government were already becoming more interconnected and viewing
systems in isolation hid the impact on the larger enterprise security
posture. Further, based on OMB guidance, FISMA was implemented during a
period when the cyber-threat was still emerging and the evolution of
technology hadn't yet recognized the necessity of a security
development lifecycle. In fact, until very recently, systems would be
certified and accredited based on a 3-year cycle, which, while perhaps
manageable, is comical when looking at the rapid evolution of
technology and the cyber-threat environment. And furthermore, the law
required the generation of paper-based reports, which diverted time,
resources and personnel from effective security efforts.
At both IRS
and then DHS, I was consistently reluctant to put my confidence in the
yearly FISMA report since it did not reflect the reality of the true
security posture of our overall IT environment. That can only be done
by proper use of tools that continuously monitor the IT environment and
are able to react and mitigate threats in near-real time.
3. Slow and Cumbersome Acquisition Process
    The problem is exacerbated for Government when funds are available
to invest in IT security, yet it is ponderously slow and difficult to
buy commercial solutions to help address vulnerabilities. When I was at
DHS, I was a proponent of the continuous diagnostics and mitigation
(CDM) program, but it was dismaying to see how long it took (2 plus
years) just to implement Phase 1, and then for agencies to go through
an additional competitive process within the CDM program itself to
obtain capabilities. I am all for fair competition, but with
sophisticated adversaries that will exploit any and all
vulnerabilities, the Government is even more vulnerable when it takes
many months (if not years) to be able to deploy new IT security
capabilities.
    recommendations for addressing it security and data protection
                            vulnerabilities
    Clearly the Federal Government's overall IT security posture is
poor, yet there is some momentum building that can result in
fundamental changes that greatly improve that posture over a couple of
years. While it is disappointing to have such large and damaging data
breaches occur at OPM, I hope that the Congress and the administration
use this opportunity as a call to action for needed IT and IT
procurement reform. Below are four recommendations to address the root
causes for the IT security and data protection vulnerabilities outlined
above.
1. Effectively Implement the Federal IT Acquisition Reform Act (FITARA)
    In December 2014 Congress passed and the President signed FITARA,
which was included in the 2015 National Defense Authority Act (NDAA).
FITARA is meant to address the systemic problems in managing IT
effectively in an agency and while there are a number of provisions,
the main intent of the bill is to empower the agency CIO to address
these problems. Foremost of these problems include duplication of IT
infrastructure and systems, lack of the use of best practices in IT
acquisition, and the implementation of proper procedures to ensure IT
security is properly addressed throughout an agency's IT organization
and infrastructure.
    To ensure that FITARA does not suffer the same fate as
Clinger-Cohen, a successful roll-out within agencies is critical. I am
very pleased to see the approach OMB and the new Federal CIO, Tony
Scott, are taking to support this roll-out. OMB just issued its final
guidance to agencies for implementation of FITARA.
In developing this guidance,
OMB sought significant outside input, including guidance from former
Government CIOs, CFOs, CAOs, CHCOs, and COOs and importantly, OMB asked
for public comment on this draft guidance, which will improve content,
understanding, and buy-in over the longer term.
    I recently testified at a hearing on FITARA and its role in
improving IT acquisitions to the subcommittees for Information
Technology and Government Operations of the House Committee on
Oversight and Government Reform.\1\ I am not going to repeat much of
that testimony, but I want to highlight the following:
---------------------------------------------------------------------------
    \1\ Richard Spires' written testimony for that hearing is available
at https://oversight.house.gov/wp-content/uploads/2015/06/Spires-Statement-6-10-FITARA.pdf.
---------------------------------------------------------------------------

        ``In terms of accountability, it has to start with the
        Administration and rests with OMB and the agencies. In
        particular, OMB must help ensure that the agency CIOs have the
        capability to perform their job and have the support from
        agency leadership to give them the chance to drive the required
        change to effectively implement FITARA. Further, the agency
        leadership must be supportive of the agency CIO, having the
        individual's back, particularly in agencies that are operating
        in a federated environment
        (this is particularly an issue in the cabinet-level
        departments). Congress . . . can support these efforts by
        demanding aggressive implementation of FITARA by agencies,
        development of measures for assessing FITARA's impact, and
        transparency in reporting of ongoing progress, while also
        highlighting obstacles in agencies to be overcome.''

    There is much confusion regarding IT security and the best way to
protect data and systems. There is no single product or service that
offers complete protection, and in my experience, without IT management
best practices implemented across an agency, many of the security tools
are simply ineffective. IT management best practices are foundational
to success, and effective implementation of FITARA is the Government's
best hope to address decades of mismanagement.
2. Drive Adoption of IT Security Best Practices
    To the Government's credit, there has been a fairly aggressive
shift in thinking from the traditional FISMA reporting approach to
continuous monitoring of IT systems and the overall IT environment. I
was also pleased to see that Congress passed much needed reform in the
FISMA Modernization Act of 2014 last December, and I hope Congress will
closely work with the executive branch to ensure that implementation
delivers enhanced security.
    That being said, when I look at the current Cross-Agency Priority
(CAP) cyber-security goals,\2\ I feel the Government is still behind
current IT security best practices. For example, if you look at the
overall objectives, the CAP goals will typically consider objectives of
less than 100 percent as success, such as 95 percent for automated
asset management or 75 percent for strong authentication.
Higher
numbers are certainly better than lower ones in these metrics, but we
are dealing with adversaries that are advanced and persistent, that
will almost certainly find the holes and exploit them--it is simply a
matter of time. Likewise the Einstein system can aid agencies in
detecting threats, and the promise of Einstein 3A is the proactive
blocking of malicious traffic. However, Einstein is only helpful if the
traffic is actually going through the system--in many agencies today,
there are Internet connections that are not monitored by Einstein and I
posit that this is another example of poor IT management. The
Government has invested hundreds of millions of dollars in the Einstein
program yet agencies continue to posture and delay implementation. In
effect, these approaches have led the Federal Government to establish a
virtual ``Maginot Line'' as its key IT security strategy.
---------------------------------------------------------------------------
    \2\ A description of the CAP cybersecurity goals and the status can
be found at http://www.performance.gov/node/3401/view?view=public#overview.
---------------------------------------------------------------------------
    Based on the current situation and what I see evolving in the
cybersecurity industry, I recommend a rethinking of how we are
measuring success, with focus along three lines:

  --There is without a doubt a continuing need to pursue cybersecurity
        tools to prevent intrusions, but perhaps even more importantly,
        detect them quickly when intrusions do occur. The Einstein
        program identifies and protects against known ``signatures'' or
        characteristics of malicious activities, thereby preventing
        those intrusions.
However, more advanced protective
        capabilities are required to prevent intrusions that the
        Government is not yet aware of, thereby further reducing the
        Government's attack surface. With enhanced automated
        protection, network defenders can then focus on detecting and
        remediating only the most sophisticated and potentially
        dangerous attacks--rather than trying to decide which of the
        seemingly endless alerts to pursue today. The cybersecurity
        industry has made great strides in these areas in the last few
        years, and Government should be using the most advanced tools
        for prevention and detection that leverage threat intelligence
        from users all over the world.
  --Even with the most advanced prevention tools, the Government needs
        to assume that sophisticated adversaries will still gain
        access. So alternative approaches are needed, and in
        particular, ones that rely on creating more trust in online
        interactions. The root of all trust is verified identity. I
        must know that it is who I believe it to be, and in the online
        world, multi-factor authentication methods are key to doing
        that. There are a plethora of newly available technologies to
        enable multi-factor authentication for both internal
        (Government) as well as external users. And some of these
        solutions can integrate with antiquated systems. The Government
        needs to step back and rethink how it very rapidly implements
        ubiquitous use of multi-factor identity authentication. Even
        though the root of trust is identity, there is more to the
        trust equation. In the ``physical'' world, I trust another
        because I have high confidence they will act in a manner that I
        expect.
Some of the most damaging data breaches have come from
        individuals that were properly authenticated and authorized to
        use systems and access data. Their behavior, however, was not
        in keeping with what was expected. This is commonly called the
        insider-threat problem. There are new technologies and
        capabilities today that can bring in other context, such as an
        audit log or behavioral analysis systems to assess someone's
        trustworthiness on a regular basis. These additional factors,
        beyond those used to assess authenticity, are key to fully
        establishing and monitoring trust.
  --Finally, the Government needs to target additional protection of an
        agency's most sensitive information, whether it be data sets or
        documents. Tools and products exist that enable agencies to
        protect information, independent of the likely insecure
        environment in which they operate. Agencies should focus on
        their most valuable information. I do recognize that there are
        limitations given some of the antiquated systems in which such
        information resides, but by focusing efforts on the most
        sensitive information, the Government could ensure, within 2
        to 3 years, that only trusted parties have access to an
        agency's most sensitive information. This would go a long way
        toward thwarting additional major and damaging data breaches.
3. Attract, Train, and Retain Talented Cybersecurity Professionals
    Even the best cybersecurity tools in the world require talented
people who know how to use them. The shortage of cybersecurity
professionals across the country continues to be a significant problem.
This is particularly an acute problem for the Federal Government.
While
the mission is very attractive to many cyber professionals, the hiring
process and compensation models are not competitive with what
individuals can make in the private sector. Even with direct hiring
authority, the Government is not getting the talent it needs. The
Government needs more investment in training for current staff and the
flexibility to hire that is competitive with the private sector. I do
commend Congress for incorporating new flexibility for DHS to hire and
pay cyber professionals into S.1691, also passed last December. Congress
should monitor how DHS uses this authority, and consider expanding the
authorities to other departments and agencies to help address the
Government's cybersecurity personnel shortage.
4. Develop a Streamlined IT Cybersecurity Acquisition Process
    It is difficult to implement state-of-the-art IT cyber security
solutions if you have no way to rapidly evaluate them before
purchasing. The CDM and Einstein programs could potentially serve as
governmentwide vehicles for this process, but it has taken significant
time to put them in place and I recommend an approach that enables
individual agencies to rapidly bring in solutions and try them in a
test-bed environment. After thorough testing and based on what works
best, agencies should be able to roll security solutions into
production. This approach would ideally encompass traditional
cybersecurity vendors, but also new vendors that have little to no
Government experience--they are an incredible source of technical
innovation. The Government is simply not getting the best solutions
through the existing acquisition process.
I recommend that the Office of
Federal Procurement Policy (OFPP) work with the General Services
Administration (GSA) and DHS to put a more streamlined CDM in place--
one that would enable rapid addition of new capabilities as they become
available in the commercial market.
                               conclusion
    Certainly the data breaches at OPM are terrible for the Government
and for those millions of us that may be negatively impacted in the
future. Viewed through the right lens, however, this episode can be the
impetus for much needed and sustained change. And given the need to
implement FITARA, the current administration has a golden opportunity
to set the correct foundation for success moving forward. This should
not be viewed as a political issue but rather requires sustained
leadership focus and commitment, and I am pleased to see such
leadership currently coming from both Congress and the administration.
It is critical to make enough progress during the next 18 months to
ensure that leadership commitment to FITARA, FISMA Modernization and to
other needed changes in IT security are sustained into the next
Congress and administration.
    Thank you for the opportunity to testify today.

    Senator Boozman. Thank you, Mr. Spires, for your testimony.
    At this time, we had planned on proceeding with our
questioning. Each Senator will have 7 minutes. I hope we have
time to accommodate two rounds of questioning.
    We have a vote called right now. It is only one vote. So
what we would like to do is suspend, allow members to vote, and
then come back and start immediately with the question period.
    With that, we will adjourn.
    [Recess.]
    Senator Boozman. The committee will come to order. Again, I
apologize for the delay. The only thing we have to do around
here is vote, and so there is just no way of knowing.
You
schedule these things and, certainly, that trumps everything,
which it should.
    Director Archuleta, according to news reports about the
second OPM breach pertaining to OPM's security clearance
system, hackers had access to sensitive data for a year. These
systems contain extensive personal and family financial
information for current, former, and prospective Federal
employees and contractors.
    Will a notification be provided to individuals whose
information was potentially compromised in the latest breach?

                              NOTIFICATION

    Ms. Archuleta. Yes, sir. We are working on determining the
scope of that breach, even as we speak. And as we determine
that, at the same time, we are developing a notification
process to reach those individuals.
    We are taking into account what we have learned from the
first notification and looking at the wide range of options we
would have in that notification process.
    Senator Boozman. Will notifications be provided to family
members and other individuals whose information was contained
in the security clearance system solely due to their
relationship with the security applicant?
    Ms. Archuleta. Sir, I can say that we are taking into
consideration all of the individuals that were affected by this
breach. As that notification plan is developed, I would welcome
the opportunity to come up and detail it for you.
    Senator Boozman. How did you decide that 18 months of
credit monitoring and identity theft insurance is sufficient
protection for affected Federal employees?
    Ms. Archuleta. This is an industry best practice. We are,
again, in the second notification really examining that to see
what the range of options may be.
    Senator Boozman. Will OPM offer the same protection to
individuals whose information was stored on security clearance
databases, or does this heightened level of compromised
information warrant additional protections?
    Ms. Archuleta. Again, sir, this is what we are looking at
with our partners across Government to make sure that we
examine the wide range of options that we need to consider.
    Senator Boozman. What additional steps do you plan to take
to protect the victims, given the long-term effects these
breaches pose?
    Ms. Archuleta. We are looking at steps we can take to
protect their data including the notification process. I am as
upset as they are about what has happened and what these
perpetrators have done with our data. So we are examining not
only the notifications that we must do, but also the
protections and the remedies we must put in place.
    Senator Boozman. Those are important questions. Those are
the kinds of things we are getting from our Federal workers. I
know you will have a lot more other questions related to that.
But it is so important that we try to get information to those
that have been affected.
    Ms. Archuleta. I understand.
    Senator Boozman. Mr. Spires, the administration has ordered
a 30-day sprint to perform vulnerability testing and to patch
security holes. Is 30 days sufficient time to correct more than
a decade of negligence of outdated systems and failed attempts
at modernization?
    Mr. Spires. I'm sure you would not be surprised for me to
say no, it is not sufficient time to fix the systems and the
situation we find ourselves in.
    I think it is a good thing, though, to put in place a
process by which planning should take place, so that we can
start to get our arms around what should be done agency by
agency to put us in a much better posture.
    Senator Boozman. As we get into these things, Mr. Spires
and Mr. Esser, do you expect us to find significant problems as
far as breaches with the other agencies?
    Mr. Spires. First, I should say you will find significant
problems with them not following IT security best practices,
including FISMA, and not that that alone would necessarily
indicate breaches. But given the situation we find ourselves in
across most Federal agencies, I would expect you to find
significant breaches, yes.
    Senator Boozman. Mr. Esser.
    Mr. Esser. I would concur with Mr. Spires.
    We have been seeing breach after breach this year, health
insurance companies, background investigations, contractors,
and Government entities, so it would not surprise me to see
more.
    Senator Boozman. Mr. Spires, again, looking at the scope of
the problem, how long do you feel like it will take the
Government to actually do things we need to do to protect
ourselves from these outside threats?
    Mr. Spires. Well, let me say, I think we should take an
ordered approach to this problem. So in my mind, what agencies
should first be doing is identifying the sensitive datasets
they have and putting those in some type of bucketed priority
order, and coming up with plans to protect those sensitive data
sets.
    The reason I say it that way is to think that we can go
into these large agencies that have, as I said, decades of
mismanagement and essentially decentralized IT and fix that
quickly I think is just naive. So this notion of doing it by
protecting sensitive data sets, then there is data technology
today and encryption and the like, to do that at the data set
or document level. And then also, you have to worry about the
identity problem. It does no good if you have encrypted the
data, but then the credentials of someone that can get to the
data have been compromised.
So you also need to work on the
identity problem.
    That is where things like multi-factor authentication
models come in, which, by the way, there are many new
technologies that make this much faster and easier to roll out
than it was 4 or 5 years ago.
    Also, this notion that says even if someone has been
authenticated and authorized, that doesn't necessarily mean
their behavior is correct, right? The insider threat problem,
we have to watch that.
    So this notion of starting to bring in behavioral detection
systems or ways in which we can monitor the behavior of,
particularly, privileged users. Those that have root access to
the systems and data are the ones that, frankly, we need to
monitor.
    Senator Boozman. Very good.
    Director Archuleta, we have heard numerous accounts of
frustration with CSIdentity Corporation (CSID), including long
wait times, repeated Web site crashes, and inaccurate
information reported to victims. What steps are you taking to
oversee the services provided by the contractor?

                          CONTRACTOR OVERSIGHT

    Ms. Archuleta. CSID has tremendous experience in these
types of notifications. They served Sony, as you know, with
their large breach. We believe they have the capability and
capacity to handle this.
    Senator Boozman. But when you call in now, the wait times
are very, very long. I don't know that they have experienced
anything of this magnitude.
    Ms. Archuleta. Thank you, sir. I am as angry as you are
about that. I want to be sure they are doing everything they
can to reduce wait times. That is why I have instructed my CIO
and her team to work with that contractor to improve daily the
services they are giving to our employees.
    An employee should not have to experience that.
That is why
we are demanding from our contractor that they improve their
services.
    I do believe, sir, because of the conflation of two
incidents, that we have had an unusually high number of phone
calls. But that is not an excuse. Our contractor should be able
to perform to that number, and we are demanding that it do so.
    Senator Boozman. Thank you.
    Senator Coons. Thank you, Chairman Boozman.
    Ms. Archuleta, if I might, if OPM had completed its planned
IT upgrades, would this breach have been prevented? Would these
consequences have been prevented?
    And if OPM had been in full compliance with FISMA, would
any of the breaches in 2014 or 2015 still have occurred?

                              IT UPGRADES

    Ms. Archuleta. My CIO has advised me that even if there had
been 100 percent FISMA compliance, there is no guarantee that
systems won't get breached. That is why an IT strategic plan
and the implementation of an IT plan is so important. Risk
management is the answer to what we need to do. We need to be
able to detect and mitigate. That is what our plan is designed
to do, as we move from a legacy system to the new shell system.
    Yes, I believe we need to act very rapidly to move from
this decades-old system to a new system. We need to make sure
that we are tracking, documenting, and justifying all we do.
But we also need to be sure we are acting as quickly as we can
to protect the records that have been entrusted to us.
    Senator Coons. Ms. Archuleta, of all of the Federal
employees who have been affected, as the co-chair of the Senate
Law Enforcement Caucus, I am particularly concerned about
Federal law enforcement officers and their families, because
they have credible reasons to be concerned.
The criminals they
previously apprehended or investigated might have motivation to
seek out their homes or their families.
    What are you doing specifically to promptly respond to
their concerns or inquiries? Not to suggest they're the only
folks with real concerns, but in some ways they are one of the
subsets of Federal employees who I think have very real, very
legitimate and pressing concerns.
    Ms. Archuleta. On the top line, what I can assure you,
Senator, is that we are working across Government to analyze
the scope of this breach. We will be able to discuss more with
you in the classified session.
    But I can tell you that we are working very closely with
our law enforcement partners.
    Senator Coons. I am eager to follow up with you on that and
to get some reassurance about the swiftness with which gravely
concerned Federal employees of all backgrounds are able to get
updates and more information about their path forward.
    Your fiscal year 2016 budget request was submitted before
the discovery of the most recent incident and before we had any
sense of the scope. Are there additional tools or enhancements
that you need in order to deal with the critical issues that
are now well and widely known? And how might you seek an
amendment to the budget request?

                               IT FUNDING

    Ms. Archuleta. Thank you, Senator, for that question.
    We are analyzing right now with OMB and my CFO to determine
what the request might look like. I hope to be able to get back
to you by the end of the week.
    Senator Coons. Thank you.
    Last question for you, if I might: If you had actually
encrypted Federal employees' Social Security numbers or their
personally identifying information, would that have prevented
the disclosure of their personally identifiable information to
hackers once they compromised the system?

                               ENCRYPTION

    Ms. Archuleta. This is a question that has been asked of my
colleagues who are experts in cybersecurity. They have informed
me that in this particular case, the encryption would not have
prevented the breach.
    Encryption is an important tool, and that is why we
continue to build the encryption methods within our system. But
in this particular case, it would not have prevented it.
    Senator Coons. My question was not whether it would have
prevented the breach. It was whether it would have prevented
the accessibility and use of personally identifying information
once the system was breached.
    Ms. Archuleta. No. It would not have in this case.
    Senator Coons. In response to the question about FISMA
compliance and if IT upgrades had been completed and
encryption, Mr. Spires, Mr. Esser, any difference of opinion or
any insights you might offer for us about FISMA and whether
FISMA compliance would have produced a different outcome here?
    Mr. Spires. As I stated in my verbal testimony, sir, the
issue with FISMA, the old FISMA 2002 law, was that it was
really around a set of technical controls that would be checked
every 3 years. Given the environment we live in, that is just
not even close to being appropriate.
    We are moving toward a continuous diagnostics model, which
is the correct model, where you are monitoring all of your
systems and monitoring your complete environment, looking for
intrusions, looking for improper behavior.
    But I would even echo the point that even that is not
enough in today's environment. You need to bring in the data
protection, like encryption capabilities, and you need to
upgrade the capabilities to better understand who is actually
accessing your system.
    Those are all critical necessities in order to protect data
today.
    Senator Coons. Would it be reasonable for us to have
expected that OPM could achieve data security given the
resources they currently have available to them?
    Mr. Spires. I am not sure I'm in a good position to answer
that question. I will go back to my point of a focused effort
on protecting sensitive data with the right encryption and the
right access control capabilities. If you put the focus there,
I think most Federal agencies would have the funds, have the
resources to be able to accomplish that.
    Senator Coons. We have seen significant data breaches for
Home Depot, JPMorgan, Target, Sony, Neiman Marcus, just to name
a few. Many of them have invested in cutting-edge cybersecurity
and systems.
    Is the private sector having any more success in mitigating
cyber breaches than the public sector is?
    Mr. Spires. I don't know if I would make a sweeping comment
on that. I think it depends a lot on the actual company, and it
varies greatly. I would make another point here.
    I think one of the big differences between the Government
and the private sector is that the private sector has the
ability to very rapidly acquire the newest capabilities that
are being offered by the cybersecurity, if you will, product
companies or industry.
    One of the things I would like to see is the Government
agencies being able to bring in, in a test-bed environment, be
able to pilot new capabilities as they come to market. That
would really help Government agencies to adopt the newest
capabilities.
    Senator Coons. You referenced in your previous testimony
the Federal IT Acquisition Reform Act (FITARA) and your
concerns about slow and cumbersome procurement, and I look
forward to exploring that further with you in the next round of
questions.
    Thank you, Mr. Chairman.
    Senator Boozman. Senator Lankford.
    Senator Lankford. Thank you all for being here.
We have a \nlot to cover to be able to help not only resolve things for the \nfuture, but also be able to unpack fully what has happened in \nthe past.\n    Mr. Esser, there are several comments that you made on it. \nWhat is the most pressing issue that you have discovered in the \nflash report you have done, based on the vulnerabilities that \nstill exist and what needs to be finished?\n    I am not asking you to expose publicly vulnerabilities that \nstill exist, but on the list, how many things still need to be \naddressed and need to be addressed immediately?\n    Mr. Esser. Senator, I think one of the most important \nthings that needs to be addressed is the two-factor \nauthentication to access systems. This has been a longstanding \nproblem at OPM. They have made improvements. They have \nimplemented this to affect workstation access. But the actual \nsystems that are being used by employees need to be implemented \nalso and require two-factor authentication.\n    Senator Lankford. I saw from your report and, quite \nfrankly, the Chief Information Officer had also listed the same \nthing in 2012.\n    Let me just read this real quickly. The initiative to \nrequire personal identity credential authentication to access \nthe agency network, as of the end of 2014, 95 percent of OPM \nworkstations required personal identity verification access for \nthe network. However, none of the agency's 47 major \napplications require personal identity verification \nauthentication.\n    Is that still correct?\n    Mr. Esser. To the best of our knowledge, it still is.\n    Senator Lankford. Ms. Archuleta, tell me about that and \njust the process of transition.\n\n                           IG RECOMMENDATIONS\n\n    Ms. Archuleta. Yes, two points there. The multifactor \nauthentication for remote users, we are 100 percent at that \npoint now. With regard to all other users, we are working very \nrapidly to increase that. I have asked my CIO to increase that \neffort. 
I'm sorry I don't have the percentages in my mind right \nnow, but I would be glad to get back to you where we stand as \nof this date.\n    But I do know we are working rapidly to do that.\n    Senator Lankford. A 95 percent figure you think is pretty \nclose as far as the workstations, 100 percent for those working \nremote, 95 percent of workstations, but it is still these 47 \nmajor applications that are still exposed, I guess?\n    Ms. Archuleta. I would like to get back to you, Senator, on \nthat, to give you the full details on that.\n    Senator Lankford. Okay. Then there is a question on the \nissue of security assessment and authorization.\n    Obviously, that is a requirement from OMB. This ongoing \nissue of these 47 different groups that are here, it says 11 \nwere not completed on time or were operating without a valid \nauthorization.\n    What can you tell me about that?\n    Ms. Archuleta. I can tell you that all but one of those \nsystems has been authorized or extended. They are operating \nwith authorization, and we are working on the final one that \nwas with the contractor.\n    Senator Lankford. There is a systemic problem there, \nobviously, of trying to find out why they weren't already \nthrough the authorization, to make sure that authorization is \ndone on time and on schedule. Has that issue been fixed?\n    I know rapidly people stepped in and said, okay, let's try \nto fix this, where the authorizations haven't been done. What \nabout the process for future, to make sure those continue to be \ndone on time?\n    Ms. Archuleta. I would like to have my CIO get that \ninformation so I could give it back to you, sir.\n    Senator Lankford. I'll be glad to have that. Give me a \ntimeframe when I can get that back.\n    Ms. Archuleta. By the end of the week, sir.\n    Senator Lankford. That would be great.\n    There is also an outstanding letter that I sent to your \noffice June 10. 
I am the chairman of the Committee on Homeland \nSecurity Governmental Affairs that has the Federal workforce in \nit, as you and I have discussed in the past.\n    On June 10, I sent a letter that has yet to be acknowledged \nfrom your staff that they have received that letter, much less \nget an answer to it. There were some very basic questions that \nare still unanswered on it, none of them that would require a \nclassified setting. But there are some basic responsive \nanswers.\n    I have letters already on the record from the Federal \nAviation Administration (FAA), for instance, and a tremendous \nnumber of employees that live in my district that have asked \njust some very basic questions. The folks from GE have asked \nsome very basic questions. They have yet to get a response even \nto say it has been acknowledged. They just want to know some \ntiming.\n    I know the letters have gone out nationwide. But people \nwant to know there is actually somebody working on some of \nthese other issues because there will be many for a while.\n    Ms. Archuleta. Senator, I apologize to you if you have not \nreceived that response. I know that I have asked my staff to \nrespond to that, and I know that it is forthcoming. But I will \nmake sure you have that letter today.\n    Senator Lankford. Great. Thank you.\n    Let's talk a little bit about cost issues dealing with the \nappropriations side.\n    Do we have a ballpark cost to OPM yet, the letter that has \ngone out to contact everyone to let them know, hey, possibly \nyour information has been breached?\n    There are really two cost factors sitting out here that our \ncommittee has to consider. One is the cost of distributing that \nletter out to all those individuals. The second one is the cost \nfor the credit report, credit screening and protection that is \nhappening, that has been extended.\n    Do you have a cost estimate for those two?\n\n                             CONTRACT COST\n\n    Ms. Archuleta. 
I have a general cost as we take a look at \nthe take-up rate on credit monitoring, that will adjust it, but \nit is approximately anywhere from $19 million to $21 million.\n    Senator Lankford. Okay, so $19 million to $21 million.\n    And then what is the estimated cost on just the letter \ngoing out?\n    Ms. Archuleta. That is the total cost, sir, between emails \nand letters, so I do not have the breakdown. I would be glad to \nget that for you.\n    Senator Lankford. Are you aware that some agencies, \nactually the Web site you link people to to get more \ninformation, some agencies have actually blocked that \ninternally. So those individuals when they try to go are \nblocked for fear there may be phishing scams that are going on.\n    So have you started working with other agencies on that?\n    Ms. Archuleta. Yes, we worked closely with departments and \nagencies because of some security protocols they might have. So \nwe worked closely with them and their CIOs and other top \nofficials.\n    Senator Lankford. Finally, this issue of the inventory of \nservers and databases and different workstations that are out \nthere, the central control issue is important, obviously, for \nkeeping up security and technology upgrades, and making sure \nsoftware is continually upgraded, and everyone has a consistent \nsecurity presence there.\n    When there is a server there, it creates tremendous \nvulnerabilities. They just have to find one of those.\n    How is that going with unifying that structure, because \nthat is not a legacy issue. That is more just an inventory \nissue.\n    Ms. Archuleta. I respect the inspector general's opinion on \nthis, but my CIO has told me that we indeed have an \ninventory of system and data, and I would welcome the \nopportunity to discuss this with you and with him further.\n    Senator Lankford. Great. We will look forward to getting \nthat report and getting a chance to find out more about that.\n    Ms. Archuleta. 
Thank you, Senator.\n    Senator Lankford. That is one of those significant \nvulnerabilities.\n    Ms. Archuleta. Thank you, sir.\n    Senator Moran. Mr. Chairman, thank you and Senator Coons \nfor conducting this hearing.\n    Welcome to our three witnesses.\n    Ms. Archuleta, I am going to begin with you. I just have a \nseries of questions that I hope are relatively short responses. \nI will work my way through them as quickly as I can.\n    What is the current estimate of the total number of files \nor employees breached?\n\n                                OPM DATA\n\n    Ms. Archuleta. In the employee personnel files, we estimate \nthat to be a little over 4 million.\n    Senator Moran. At least according to press reports, those \nnumbers may grow. What else may occur? What may you discover?\n    Ms. Archuleta. It is an ongoing investigation. We will \ncontinue that investigation with our partners. At this point, \nwe know it is a little over 4 million.\n    Senator Moran. Are those words interchangeable, 4 million \nemployees and 4 million files? Does that mean the same thing?\n    Ms. Archuleta. That is approximately 4 million people who \nhave been affected by it.\n    Senator Moran. What is the total possible for the number of \nemployees affected? You say we estimate it today to be 4 \nmillion and it may grow. What is the maximum number of files \nthat could have been breached?\n    Ms. Archuleta. I want to separate incident one and incident \ntwo. So incident one is the one I am describing, the employee \npersonnel files. We have estimated that to be a little over 4 \nmillion, as I have described.\n    Senator Moran. But what is the total number of employees \nthat could be affected by that?\n    Ms. Archuleta. That is the number.\n    Senator Moran. That is the number?\n    Ms. Archuleta. That is the number.\n    Senator Moran. All right.\n    Ms. Archuleta. So as we look at the second incident, we \nhave not determined the scope of that. 
I don't have a number \nfor you on that.\n    Senator Moran. How many files do you have management over?\n    Ms. Archuleta. As you know, a Federal background \ninvestigation file may have a number of different names and \nPersonally Identifiable Information (PII) within it. That is \nwhy I cannot give you a specific number on that one.\n    We are working, as I said, to get that number. I will bring \nit to you as soon as I have it.\n    Senator Moran. Let me ask this one more time to make sure \nthat you and I are on the same page.\n    Ms. Archuleta. Okay, I apologize if I am not fully \nunderstanding.\n    Senator Moran. No, it may be inarticulation on my part.\n    You have a certain number of files within your agency \nsubject to this kind of breach. What is the total number of \nfiles that potentially could be breached?\n    Ms. Archuleta. That is what we are investigating right now, \nsir.\n    Senator Moran. Let me ask it this way, how many files are \nthere at OPM?\n    Ms. Archuleta. Well, there are millions of files. We are a \ndata center, so there are millions of files. The forms SF-86 or \nthe background investigations contain numerous names. That is \nwhy I want to be careful to make sure the number I do give to \nyou I'm confident about.\n    Senator Moran. All right.\n    You indicated you have taken significant steps. I wrote \nthat down as part of your testimony. ``We have taken \nsignificant steps.'' Yet the OIG says that only three of 29 \nrecommendations have been closed. Let me look at his testimony. \n``Only three of these 29 recommendations have been closed to \ndate. Nine of these open recommendations are longstanding \nissues that were rolled forward from prior year FISMA audits.''\n    How do you reconcile, ``We have taken significant steps,'' \nand yet the OIG report says there are longstanding problems and \nonly three of 29 have been addressed?\n\n                           IG RECOMMENDATIONS\n\n    Ms. Archuleta. 
We work very closely with our IG. As I said \nbefore, we work with him to make sure that we have complete and \nopen transparency with him. We meet on a regular basis. He \ncontinues to assist us in identifying the areas of improvement. \nAnd the issues he has brought to us, we are working through.\n    The 2014 audit that he performed for us and provided to us, \nwe are working through the steps that he has outlined for us. I \nknow we are not in agreement with all of them, but we do \nbelieve that the conversation and the transparency that we have \nbetween us will be helpful for resolving all of them.\n    Senator Moran. Mr. Esser, do you agree with Ms. Archuleta \nthat the agency has taken significant steps to correct its \nproblems?\n    Mr. Esser. Yes, I do. I think that they have made great \nstrides over the years to improve some of the issues we have \nreported.\n    For example, the decentralization issue, which went back to \n2007, in this past year's FISMA audit, we decreased the \nseverity of that finding from a material weakness to a \nsignificant deficiency.\n    In addition, there are a number of other areas where they \nput in tools and made strides to improve security.\n    With that said, there are a number of longstanding issues \nin our FISMA reports that are open and that we hope to see \nmovement on.\n    Senator Moran. Mr. Spires, let me give you an opportunity. \nIf you were still in the former capacity at this agency instead \nof the IRS or Homeland Security, let me first start with a \nbroader question. Based upon your understanding of the facts \ninvolved here and your best judgment, was the breach or \nbreaches that have occurred at OPM, were they predictable, \nbased upon what we knew, looking at, for example, the OIG \nreport? If you saw those reports, is this an outcome that could \nbe expected?\n    Mr. Spires. I think it is an outcome that could be \nexpected, sir.\n    Senator Moran. Do you have a sense based upon either Ms. 
\nArchuleta's testimony or your independent knowledge and what \nyou have heard of Mr. Esser and their reports, would you say \nthat the OPM officials have taken significant steps to solve \ntheir problems?\n    Mr. Spires. It does sound like they are doing a number of \nthe things correctly. I think the centralization of IT is a \nvery good step. They're talking about a modernization program \nthat would upgrade their IT infrastructure.\n    That being said, I go back to my earlier point that if I \nhad walked in there as a CIO--and again, I am speculating a \nbit--and I saw the kinds of lack of protections on very \nsensitive data, the first thing that we would have been working \non is how to protect that data, not even talking about \nnecessarily the systems. How is it we get better protections \nand then control access to that data better?\n    I think that is probably where the focus needs to shift \nhere, based on what I am hearing.\n    Senator Moran. Meaning that ought to be a priority, the first \neffort.\n    Mr. Spires. Yes.\n    Senator Moran. Ms. Archuleta, does anyone at OPM take \npersonal responsibility for these breaches, or is this just \nconsidered a problem with the system?\n    Is this a problem with individuals not performing their \nduties? Or it is just that this is the system we inherited, \nwe're working on it, and no one, in particular, is responsible \nfor the outcome?\n\n                          STATE OF FEDERAL IT\n\n    Ms. Archuleta. I think Mr. Esser and Mr. Spires said it \nvery correctly. This is decades of lack of investment in the \nsystems that we inherited when I came in. From the very \nbeginning of my tenure, I have been focused on this.\n    We are working to install not only the architectural \nstrategies, but also to install the detection systems and be \nable to remediate.\n    But as both of my colleagues have mentioned, we have legacy \nsystems that are very old. 
Oftentimes, we have to test to be \nsure we can even add those protection systems into the legacy \nsystem.\n    If there is anyone to blame, it is the perpetrators. Their \nconcentrated, very well-funded, focused, aggressive efforts to \ncome into our systems not just at OPM, but as both of my \ncolleagues have said, across the whole enterprise, is one we \nare concerned about and one we are working with our colleagues.\n    We are going to take every step we possibly can at OPM to \ncontinue to protect. That is why we are trying to move out of \nthe legacy system.\n    Senator Moran. To date, you don't consider anyone at OPM, \nany of your staff or employees or people responsible for IT and \nsecurity to be personally responsible? It is a problem with the \nsystem that has been inherited?\n    Ms. Archuleta. This is an enterprise-wide problem, and \ncybersecurity is the responsibility of all of us who head \norganizations. That is why, with Tony Scott's assistance \nand with his efforts, we are going to address this on an \nenterprise-wide basis as well as OPM.\n    Senator Moran. So no one is personally responsible?\n    Ms. Archuleta. I don't believe anyone is personally \nresponsible. I believe that we are working as hard as we can to \nprotect the data of our employees, because that is the most \nimportant thing we can do.\n    I take it very seriously. I'm angry, as you are, that this \nhas happened to OPM. I'm doing everything I can to move as \nquickly as I can to protect the systems.\n    Senator Moran. Thank you very much.\n    Ms. Archuleta. Thank you, sir.\n    Senator Boozman. Mr. Esser, Ms. Archuleta mentioned that \nthe problem is with the legacy systems, which I think we would \nall understand. However, isn't it true that several of the \nbreaches were not to legacy systems, and with the right tools \nin place they would not have been breached?\n    Mr. Esser. Yes, sir. Based on our audit work.\n    Senator Boozman. 
So the idea that this is all legacy \nsystems is really not the case.\n    Mr. Esser. Well, there are many legacy systems at OPM. I \ndon't want to give the wrong impression. I mean, that is a \nfact. But based on the work that we have done in our audits and \nongoing work that we are doing, it is our understanding that a \nfew of the systems that were breached are not legacy systems. \nThey are modern systems that current tools could be implemented \non.\n    Senator Boozman. Okay, very good. I think that is really \nimportant.\n    Concerns are being raised about the contract secured to \nprovide credit-monitoring services to the victims of the first \nbreach. We don't know the scope of the second breach and what \nservices will be provided for additional victims.\n    Mr. Esser, in your flash audit, you raised concerns about \nOPM's sole-sourced contract to manage OPM's infrastructure \nimprovement project related to subsequent phases of the \nproject. Do you have additional work planned to oversee OPM's \ncontracting and procurement practices?\n    Mr. Esser. It is, certainly, something that we are \nmonitoring and following the reports and gathering information. \nWe haven't planned any audits of that at this time, but it is \nsomething we may do.\n    Senator Boozman. Very good.\n    Mr. Spires, you describe a number of root causes that have \nled to the current issues the Government faces in IT security, \nand you have offered a number of recommendations.\n    Can you just tell us again a couple of key recommendations \nthat would make a difference over the next year or two?\n    Mr. Spires. Yes, I would really like to reemphasize FITARA. \nI thank Congress for passing it for the good of the Nation. We \nneed to figure out how to manage our IT more effectively.\n    I would say that is the single root cause that has led to \nthese kinds of situations we find ourselves in with these data \nbreaches. 
It's not that I'm just one to say we need to have all \nthe power reside with the CIO. But what we need are CIOs that \nhave the authority to really bring best practices and not allow \nsystems or practices to continue that jeopardize the security \nof our data and our systems.\n    That has been the problem for decades. We still have real \ncultural problems. I mean, I am out of Government now for 2 \nyears, but based on many discussions I have had with brethren \nthat are still CIOs and still in Government, the cultural \nissues loom large here.\n    We need to take this incredibly seriously. And I would urge \nyou as a subcommittee to provide your own oversight of the \nimplementation of FITARA.\n    Senator Boozman. Do we need additional legislation?\n    Mr. Spires. I am not convinced. I think we do need the \ngeneral cyber legislation about how we better share information \nbetween the Government and the private sector. I think that is \nsomething that Congress should continue to work on.\n    I think we have, between the FITARA act and between the \nupdated FISMA act, I think we have enough tools on the \nlegislative side. I think it is now a leadership and management \nset of issues within the administration, with the proper \noversight of Congress.\n    Senator Boozman. Very good.\n    Mr. Esser, along the same line, what would you identify as \nthe most significant weaknesses or the underlying causes? What \ndo you see as the priority we need to do in the next 2 or 3 \nyears?\n    Mr. Esser. Specific to OPM, I think the project they are \nundertaking to modernize the IT systems is the right way to go. \nThat definitely needs to be done. We fully support that \nproject.\n    We do have some concerns, as expressed in our flash audit \nalert, regarding some of the project management issues related \nto it, and the sole-source contracting. But in general, we \nthink it is definitely the right path to follow.\n    Senator Boozman. 
So how will you all be involved? Mr. \nSpires talked about oversight. Certainly, that is something we \nwill do in this committee. How will you be involved in that \nprocess?\n    Mr. Esser. We are continuing our oversight of the \nmodernization project. The flash audit alert was issued this \nweek. It was just an interim report, so to speak. We are going \nto continue our audit work throughout the length of this \nproject.\n    Senator Boozman. Mr. Spires, the administration's cyber \ngoals are an effort to drive significant and rapid improvement \nand changes, yet that is not working. Do you recommend any \nchanges to the goals?\n    Mr. Spires. Yes, I would first comment that I think having \ngoals is, certainly, appropriate, but let's take one example, \nthis notion we all talked about, this need for multifactor \nauthentication, to be able to much better protect the \ncredentials of those who use these systems that are legitimate. \nYet when you look at the cyber goal and you look at the use of, \nfor instance, the Homeland Security Presidential Directive 12 \n(HSPD-12) Personal Identity Verification (PIV) card and trying \nto get the 75 percent usage within the civilian Federal agency \nas the goal, let's go back to the adversaries. They only need \none way in, right? And 75 percent just doesn't cut it in this \nworld anymore.\n    So we need to rethink, I think, the objectives there. Go \nback to the prioritization of protecting data, doing the \nmultifactor authentication. Those should be the highest goals.\n    That does not mean we shouldn't be working to continue to \nbring in the right kind of capabilities to better protect our \nsystems. We need to do that as well. But I think it is time to \nrethink those goals and to reset them along those sets of \npriorities.\n    Senator Boozman. Mr. Esser, you mentioned that one of your \nfindings was that OPM didn't exactly know what inventory they \nhave. Is that being corrected? 
Or do we still not know the \nnumber of units, servers, hardware components, etc.?\n    Mr. Esser. Based on our latest work, that is still our \nunderstanding. Director Archuleta commented a little while ago \nthat they do have a complete inventory of systems, so we would \nbe more than happy to work with them and look at that and do \nour audit work related to that.\n    Senator Boozman. But if that is the case, that has just \nrecently happened?\n    Mr. Esser. Yes, sir.\n    Senator Boozman. Okay, thank you very much.\n    Senator Coons. Mr. Chairman, I will defer to the vice chair \nof the full committee.\n    Senator Boozman. Senator Mikulski.\n    Senator Mikulski. Thank you very much.\n    Mr. Spires, could you tell me, has Kaspersky been \npenetrated? I understand even top-notch security firms \nthemselves sometimes have a cyber shield that can be \npenetrated.\n    Mr. Spires. I do not have any more information than what I \nread in the news, Senator, but I read that as well.\n    Senator Mikulski. Which indicates that this is an \ninternational problem.\n    Mr. Spires. It certainly is.\n    Senator Mikulski. It really shows that, despite best \nefforts of highly skilled professionals--that is not to excuse \nwhere we are--but your advice to us is to get with it, and get \nwith it pretty quick.\n    Mr. Spires. You summed it up very well.\n    Senator Mikulski. Would you recommend that this be across \nall Government agencies that OPM was hit, et cetera.\n    Mr. Spires. My experience having served on the Federal CIO \ncouncil and worked with many of the agencies is that OPM is not \nsome kind of outlier here. Many Federal agencies have similar \nissues to what OPM faces, as far as their IT management and \ncybersecurity posture.\n    Senator Mikulski. Thank you very much.\n    Ms. 
Archuleta, the Federal employees, Maryland is the home \nto 130,000 Federal employees, and they work at everything from \nthe National Institutes of Health to the National Security \nAgency. Most people at the National Security Agency are \ncivilian employees.\n    What do I tell my employees, because they are quite \napprehensive? What is the impact of this on them? Can you talk \nabout this? What is the impact on them? How are you in \ncommunication? Should they be afraid that another shoe will \ndrop, and it could drop on them and their credit ratings or \nwhatever?\n\n                              NOTIFICATION\n\n    Ms. Archuleta. Yes, and I do want to say I care very much, \nas you do, Vice Chairwoman, about our Federal employees. What \nthis breach has done is exposed their data, as you know. And \nI'm very concerned about that.\n    That is why, in terms of the first incident, we have been \nworking hard to not only begin, but also to improve our \nnotification system and to provide both identity theft and \ncredit monitoring for them.\n    We have received much feedback from our employees. We are \nusing that feedback.\n    Senator Mikulski. So have I. They are pretty apprehensive \nand agitated.\n    Ms. Archuleta. I know. I'm angry, too. I'm angry that this \nhas even happened. I have worked very hard toward correcting \ndecades of inattention, and I will continue to do so.\n    I will tell you that I'm very concerned about protecting \nthe data of our employees, and that as we move into incident \ntwo, I am going to use their feedback, their concerns, to \ninform us so we can look at the wide range of options we will \nhave available to us with these notifications.\n    Senator Mikulski. 
Do you have kind of a council of Federal \nemployee organizations that you meet with that could tell you \nthe view from the employee up, so that you really hear what \nthey are saying?\n    People like myself, Senator Cardin, Senator Kaine, Senator \nWarner, we are very proud of the fact that the capital region \nis the home to so much talent that works on so many pressing \nnational interests, from the cure for cancer to protect our \ncountry against predatory attacks. Now they are worried about \npredatory attacks against them.\n    Do you meet with them and get this advice, while we are \ntrying to sort out the best way to have cyber shields on our \ndot-gov?\n    Ms. Archuleta. We are doing several things, Vice Chairwoman \nMikulski. Thank you for that question.\n    We are working with our Chief Human Capital Officers (CHCO) \nCouncil, which are our Human Capital Officers.\n    Senator Mikulski. I don't know what Chico is. That's where \nI bought some of my jackets.\n    Ms. Archuleta. Mine, too.\n    The human capital officers for each of the agencies, as \nwell as all of the department heads and leaders. And we have \ntried to adjust the notification system so it is customized to \nthe employees.\n    We are also listening to our unions, our union \nrepresentatives, and seeking their input, and other stakeholder \ngroups, to see how we can better improve our notification \nsystem, not just in the long term, but during this period from \nJune 8 to June 19, to take their feedback every day around call \ncenters, about how we can provide Frequently Asked Questions \n(FAQs) on Web sites, and we could work directly with department \nheads and agencies, so they are assisting us in the \nnotification process.\n    We take very, very seriously what we owe to our employees. \nI will continue to do that and to make sure that, in the second \nincident, we are using their input.\n    Senator Mikulski. I think that is absolutely crucial.\n    Mr. 
Chairman, I would like to really thank you also for \nhaving the IG at the table. When I chaired the committee, it \nwas administrative procedure that all my subcommittees either \nhad an IG come on what were the hotspots for agencies or at \nleast submit written testimony. The fact that you are utilizing \nthat is really crucial.\n    We will have a lot to talk about this afternoon. Better \ntalk privately.\n    Mr. Esser, thank you so much for your service. We so value \nthe work of our inspectors general. They have been enormously \nhelpful to me both as chair and vice chair of the committee to \nreally get value for our dollar, to identify management \nhotspots.\n    And we really want to thank you for the identification not \nonly of the problem but also the recommendation for the \nsolutions. So thank you very much, and all of the IGs.\n    Mr. Esser. You are very welcome, Senator.\n    Senator Boozman. Thank you, Senator.\n    Senator Lankford.\n    Senator Lankford. Thank you.\n    Mr. Spires, let me ask you a follow-up question. You said \nthat, coming from the CIO council before, that many Federal \nagencies have similar issues.\n    I have a twofold question. One is define what issues mean \non this. And second, give me a percentage when you say ``many'' \nother agencies. Again, I'm not asking you to articulate what \nare the security issues and specifically where are \nvulnerabilities. I am not asking you to do that. Give me a \nguess here of how many agencies we are dealing with and what \nthose issues are.\n    Mr. Spires. I would say many agencies of the Federal \nagencies have a similar kind of problem that Mr. Esser alluded \nto about decentralization of IT.\n    In and of itself, it is not necessarily a bad thing. 
But it \nhas been very, very difficult for many of these agencies as \nthey rolled out systems, and then have to support these \nsystems, the complexity factors have grown so significantly \nthat it is just very, very difficult for them to get their arms \naround systems.\n    I mean, at DHS, to call out DHS specifically, we would do \ninventories and try to, if you will, find all of the systems \nthat we had. I think that we did a relatively good job at that. \nBut every year, we would find more. Well, try to secure that.\n    I say that is the first thing, that most agencies, I \nbelieve, have that problem. I don't want to put a percentage on \nit, because I don't know how to measure that as far as a \npercentage. But I would say most of the major agencies have \nthis problem that the CIO would not be able to sit here and say \nthat they have a good handle on their true inventory of IT \nsystems.\n    Senator Lankford. What about use of credentials?\n    Mr. Spires. I give a world of credit to DOD for having \nrolled out that Common Access Card (CAC) card years ago and \nhaving the leadership and wherewithal to make that happen. Most \nGovernment agencies are still struggling to roll out what we \ncall the Homeland Security Presidential Directive 12 (HSPD-12) \nprogram, or the Personal Identity Verification (PIV) card, the \nsmart card, and then use it for logical access control.\n    It is still an issue. If you go to the cap goals and look \nat where we are at, it is still an issue at most of the \nagencies on the civilian side.\n    Senator Lankford. Authorizations?\n    Mr. Spires. Again, I think you're hitting the hotspots \nhere. Many systems we would find, they wouldn't have \nauthorizations because they were out in the field and they were \nnot under the CIO's control. Or what I also didn't like, which \nis kind of hiding the ball a little bit here, is you could do \nan interim authority to operate, and some of those would last \nway too long. 
There would be weaknesses in the systems, and it
would be difficult to clear those weaknesses.
    So again, I cannot put numbers on that, sir. But,
hopefully, I have given you a sense of where I feel many
agencies are today.
    Senator Lankford. My question to that related to
appropriations. None of those seem like big dollar items. Those
are more management or current inventory, structure, process,
the wonderful term of hygiene for our systems. Am I hitting
that?
    Mr. Spires. I want to be a little careful here.
    Senator Lankford. If we have a monitor with an orange
screen on it, I get it. We have some old systems out there. But
I'm asking, the initial security side of this, the first rung
seems to be how we are handling the information in the
inventory.
    Mr. Spires. I would agree with your sentiment that says we
could manage this a lot more effectively, and we do not
necessarily need new dollars to do that.
    Some of the issues, though, that go to true modernization,
you do need investment.
    Senator Lankford. Sure.
    Ms. Archuleta, let me ask you a question. You had in your
written testimony, and in your oral testimony as well, you kind
of talked through the timeline of how things went. In some
areas, you were very specific of how things moved and in what
order. There are a couple of terms that jumped out to me there.
    Let me read this back to you. It says, ``As a result of
these efforts to improve our security posture, in April 2015,
an intrusion that predated the adoption of these security
controls affecting OPM's IT systems and data was detected by
our new cybersecurity tools. OPM immediately contacted the
Department of Homeland Security and Federal Bureau of
Investigation.''

                        INTERAGENCY NOTIFICATION

    Could you give me a definition of ``immediately''? Is it that
same day, week, month?
    Ms. Archuleta. That same day.
    Senator Lankford. Same day.
Great.
    Then you had the same issue there. You talked about the
scope and impact of the intrusion. Shortly thereafter, OPM
notified congressional leadership.
    What is our timeframe?
    Ms. Archuleta. We have a 7-day requirement, which we met.
    Senator Lankford. Okay, so met it within that 7 days.
    Ms. Archuleta. Yes.
    Senator Lankford. Terrific. Thank you.
    The contractor that was involved in this, that had
responsibility for strategic IT in the security plan, who was
that contractor? What were the assurances that they gave early
on during the conversation in the contracting process to say we
will provide security structure, management? I'm looking for
what they said they would do and what they actually did.
    Who was the contractor, first?

                          CONTRACTOR SECURITY

    Ms. Archuleta. I want to be very clear that while the
adversary leveraged a compromised KeyPoint user credential to
gain access to OPM's network, we don't have any evidence that
would suggest that KeyPoint as a company was responsible or
directly involved in the intrusion. We have not identified a
pattern or material deficiency that resulted in the compromise
of the credentials.
    Since last year, we have been working with KeyPoint and
they have taken strides in securing its network and have been
proactive in meeting additional security controls that we have
asked them to use to protect all of the background data.
    Senator Lankford. So the question is then with KeyPoint,
the security controls they put in now, were these security
controls that were discussed earlier that were just not
fulfilled, or were these things that weren't considered?
    Ms. Archuleta. I think I understand, but let me be sure.
Our detection in April discovered an intrusion into our system
in late 2014. The detection was in 2015; we discovered an
intrusion into our system in late 2014.
    Senator Lankford.
What I am trying to drive at is, then
there were changes in security protocols. Were those changes
recommended before, or are these entirely new?
    Ms. Archuleta. They were ones we had planned and were
installing as we progressed through our improvements.
Unfortunately, we didn't have them in place soon enough. We are
working, as I said, with a legacy system. We were testing many
of our security tools. And as a result of actually being able
to install this particular security tool, we were able to
detect it.
    Senator Lankford. And that plan had been in place how long?
    Ms. Archuleta. It is part of our IT security plan, which we
developed in----
    Senator Lankford. The 2012 plan?
    Ms. Archuleta. It is 2014.
    Senator Lankford. Okay. Thank you.
    Ms. Archuleta. Thank you, sir.
    Senator Boozman. Senator Coons.
    Senator Coons. Thank you, Chairman Boozman.
    Ms. Archuleta, you're in the midst of a major IT
modernization project. How much do you expect that total
project to cost? What elements are included in that amount?

                          OPM IT MODERNIZATION

    Ms. Archuleta. There are four steps that we are using for
that plan.
    The tactical--that is, what are the tools we are going to
need to protect our systems even as we move forward? We are
building a new shell. It will be the platform. The third and
fourth are the migration and then the disposal of the legacy
system.
    We are at the tactical step right now. In June of 2014, we
hired a contractor to assist us in the development of the
shell. We are moving toward that.
    We, as I said, have identified $67 million in 2014 and 2015
that would enable us to move toward that. We're asking for an
additional $21 million in the 2016 budget to aid us.
    We are working closely with OMB to determine if another
request should be made.
    Senator Coons.
Has a major IT business case been prepared
as OMB requires for IT projects?
    Ms. Archuleta. Yes, it has. We worked very closely with OMB.
This is one of the points that the IG brought out in his flash
audit. I can assure the IG that we, in fact, have been working
very, very closely with OMB.
    This is an urgent issue. We are moving as fast as we can,
making sure that we track, we justify and document all that we
are doing consistent with the OMB standards that have been
given to us.
    We have a budget that we worked very closely with OMB to
deliver.
    Senator Coons. In response to the IG audit, one of the
concerns was why you would give a sole-source contract, if I
understand correctly, to a single contractor to manage all four
phases of this very large project.
    What type of contract is it? Is it a fixed-cost project?
What steps are you considering in light of the audit?

                            OPM CONTRACTING

    Ms. Archuleta. As I said before, there are oftentimes
places where we have areas of agreement and areas where we
would like to have further consideration with the auditor.
    In his flash audit, the inspector general encouraged the
use of either existing contracts or the use of full and open
competition. I would like to assure you and the inspector
general that the processes followed in awarding the already
existing contracts have been perfectly legal, and that we will
continue to ensure that any further contracts and processes
entered into will also be perfectly legal.
    He also expressed concern that the sole source contract
used in the tactical and shell phases should not be used for
migration and the cleanup phases that I described earlier. I
understand his concerns.
I would like to remind the inspector
general that the contracts for migration and cleanup have not
yet been awarded.
    Where we would like to have further discussion with the
inspector general is the timeline, the practical timeline, for
our major IT business case. He is suggesting that we move that
out to fiscal year 2017. I would like to move that much
quicker, given what we have already experienced.
    I assure the inspector general and everyone here that all
of our decisions are being tracked, documented, and justified.
    He has made a number of recommendations regarding
contracting and standards that rely on external sources for
assistance, and I believe the Federal Government and through
the good work that Tony Scott is providing to us and all of our
partners in Government have strong solutions to offer. I am
going to look forward to talking more to him about his
suggestion.
    Senator Coons. Have you had a chance to look at other
agencies that have had successful IT projects to use as a
model? As you mentioned, have you some sources of valuable
insight into how to manage multi or multiphase expensive and
time-critical IT projects?
    Have you looked at whether having an outside contractor
managing the project or breaking it into more bite-size pieces
might achieve some of your goals?
    Ms. Archuleta. Well, we are looking at all of our options,
certainly. This is a very serious issue. I am taking it very
seriously and looking to all of the resources I have available
to me. I will, certainly, do that.
    I believe that the Federal CIO is an important asset to us,
as are our partners at the Department of Homeland Security,
National Security Agency, and the Federal Bureau of
Investigation. So we are looking to those. And I welcome the
Inspector General's suggestions.
And as I move forward through
this process, I will be listening to him carefully, as well as
my partners across the Government.
    Senator Coons. I appreciate that response.
    Mr. Spires, you were the former CIO at DHS and IRS, both of
which have had very cumbersome, difficult, and often challenged
IT projects. Were you able to do turnaround on some of the
legacy IT failures there? What advice do you have for OPM, as
they engage in another expensive, complex, multiyear
modernization effort?
    Mr. Spires. Sure. First, I would make the note that it is
always about a team effort, in order to deliver these kinds of
programs. I actually joined IRS and took over the modernization
program. At the time, it was on the GAO high-risk list, and I
am pleased to say that, as a team effort, it took a long time,
but we were able to improve our processes to the point where
recently that program was removed from the high-risk list,
which is quite an accomplishment.
    Let me just say that I have reviewed many programs. We
could have a long discussion about how to appropriately manage
IT programs. I will make a couple of points very quickly.
    One thing that is very critical is the overall governance
framework that you put in place. You need to get the right
stakeholders in the room to work together to make this happen.
All too often in Government, I have seen issues where that does
not happen.
    The other thing I would say is don't over-rely on
contractors. You need to have a program management office of
Government officials that have the requisite experience and
skill set to be able to run these programs.
    And I'm not picking on OPM. I don't know much about their
modernizations at all. But I have found the smaller agencies, I
think, struggle more with this because they do not have the
heritage of having learned those lessons within the agencies
themselves.
    Senator Coons. Thank you.
I see my time has expired.
    Mr. Spires, Mr. Esser, Ms. Archuleta, thank you for your
testimony today.
    I'm grateful for the input of the IG and for your offer to
continue to work with us and consult with us as we move forward
to try to offer critically needed reassurances, particularly to
law enforcement, but all Federal employees, and to find timely
and cost-effective solutions to this and other cyber
challenges.
    Senator Boozman. Senator Moran.
    Senator Moran. Chairman, thank you very much.
    Mr. Spires, based upon what you heard today, your knowledge
of Government agencies and their cybersecurity issues, is this
a management issue or is this a resource issue?
    Mr. Spires. It is more of a management issue, sir.
    Senator Moran. Why do you say that?
    Mr. Spires. Because of the dispersed nature of the way IT
has been run in a lot of agencies, there are so many let's say
inefficiencies that have crept into the system that I don't
believe we effectively spend the IT dollars we receive.
    So I believe with the proper drive towards management, you
can actually drive a lot of savings from the existing budgets.
But caveat that. When you are talking about new modernization
programs, sometimes with the right business case, it does make
sense to invest in those.
    Senator Moran. Based on your response to Senator Coons, I
assume there is a natural inclination when these issues arise
that the easy thing to do is to hire a contractor. Within the
agency, we do not know this stuff, it is not our primary
mission, let's just get somebody in here who takes care of
this.
    This committee, when Senator Udall was its chairman, we
worked on FITARA and issues related to how to improve the role
CIOs play in an agency, in part trying to compensate for, I
think, an attitude that we are not tech folks, somebody else is
responsible for that.
    Ms. Archuleta, describe to me how you work with your CIO.
Let me ask a question first about this.
    The first breach I think you were aware of goes back to
June 2014. As I recall, you and others testified in front of
this committee in May of 2014, and the following month, June,
OPM became aware of a breach.

                          TIMELINE OF BREACHES

    Ms. Archuleta. Yes. The first breach that we discussed with
you was----
    Senator Moran. I don't think you discussed this in May. If
you knew about it, I do not think we knew about it.
    Ms. Archuleta. Okay. I'm sorry, sir.
    I want to look and make sure I have my months right. March
2014 was when we identified some adversarial activity. But
there was no PII that was lost in that.
    In June 2014, which is what you may be referring to, USIS
was breached. There was OPM data that was compromised. It
impacted about 2,600 individuals.
    In August of 2014, KeyPoint Government Solutions was
breached. That breach compromised approximately 49,000
individuals.
    In April of 2015 was the breach that I described earlier,
as well as the one in May.
    Senator Moran. So let me make sure I understand what you
just said. There were three breaches that occurred prior to the
two that we are now talking about.
    Ms. Archuleta. There was the OPM network in March, June of
2014 USIS, in August KeyPoint.
    Senator Moran. What changed at OPM? You obviously then
became aware on three occasions somebody is trying to intrude
on our system. What then did OPM do after realizing that?

                          OPM IT MODERNIZATION

    Ms. Archuleta. If I could just go back a little bit,
because I want to reassure you, to my colleague's point, that
one of the first actions I took as OPM director was to hire
Donna Seymour. The second action I took was to develop an IT
strategic plan that had exactly the pillars my colleagues
describe.
    So for IT leadership, look to OPM's CIO.
IT governance is
my whole leadership team; we must buy into the design and the
structure of the IT plan and its development. And for IT
architecture, what was it going to take for us to build out the
systems that we needed, in view of our legacy system?
    Regarding IT data, we needed to be informed. We needed to
know that what we were doing was right and that we were doing
this in a way that was analytical. We also had as an important
pillar IT security, obviously very, very important. As we were
building out, even as we were working on our strategic plan,
one of the most important pillars was IT security.
    Since Donna Seymour came in as CIO, and because of her
experience, and as Mr. Spires says, the experience we have in
Government, we brought her from the Department of Defense and
the Department of Transportation, that she was able to apply
those skills and that talent to identifying not only what our
strategic steps are but how we could begin to develop them.
    The first thing we needed to look at was what we could
place on that legacy system, and what would it take to do that?
    That is where she has begun and what she continues to do
throughout her tenure.
    Senator Moran. Your point is, not necessarily following the
three breaches that we just talked about, but from your
arrival, your priority was to get a CIO and begin
implementation of a plan?

                         OPM IT STRATEGIC PLAN

    Ms. Archuleta. I will tell you, Senator, that from the
first time I was briefed on our IT infrastructure during my
confirmation preparation, I knew that there was a problem. And
that is why, in my confirmation hearing, I said it would be a
top priority, and I promised your colleagues that I would
develop an IT strategic plan, which I did, and produce within
the first 100 days. I was also wise enough to hire Donna
Seymour.
    Senator Moran.
The IT strategic plan that you just
mentioned, is that something we could see?
    Ms. Archuleta. Absolutely, sir. It is on our Web site. I
will make sure you get a hard copy as soon as possible.
    Senator Moran. Mr. Chairman, let me see if I have
additional follow-up.
    Following that IT strategic plan, is there a new plan as a
result? It is just implementing this one?
    Ms. Archuleta. As you know, a plan is dynamic, and as we
learn things, that plan changes. But we are following it. We
are making sure every component--governance, leadership--making
sure that we're making sound decisions on the architecture,
that we are building and making sure it is based on clear
analytics, and that cybersecurity is an important component of
all of that.
    Senator Moran. Are there benchmarks that are now in place
within that plan so that we see whether we are making progress,
benchmark by benchmark?
    Ms. Archuleta. I would like to come back to you and show
you what those benchmarks are, sir.
    Senator Moran. Okay.
    Let me ask about notification. You indicated in your
testimony, and I wrote this down as well, ``as soon as
practicable.'' And I understand the value of that phrase.
    The President's proposed legislation for notification to
occur within 30 days of a breach, how do you think practicable
fits with the 30-day requirement?
    Ms. Archuleta. Within the proposed legislation,
``practicable'' is included in there. I can assure you we are
trying to do everything we can to come as close to that date as
we possibly can.
    Senator Moran. All right.
    Is there anyone who oversees IT security outside of OPM?
What is the relationship with OMB?
    Ms. Archuleta. It is a very close relationship. We work
very closely with the Federal CIO who has responsibility for
this, Tony Scott. He has been at OMB for about 90 days now. He
has been engaged with us from the very beginning.
He and Donna
have a strong relationship, and he has a strong adviser role to
us.
    Senator Moran. Prior to his arrival 90 days ago, was there
someone filling that responsibility as well?
    Ms. Archuleta. I don't know that, sir, but I would be glad
to get that information back to you.
    Senator Moran. Okay. Thank you very much.
    Ms. Archuleta. Thank you, sir.
    Senator Boozman. Thank you, Senator Moran.
    Thank you all for being here. Again, I apologize for the
earlier delay. This is such an important hearing. I think this
is one of the most important hearings we will have this year.
We will be following up in the not-too-distant future, again
making sure things are moving in the right direction.
    I want to thank you all for participating. I also want to
thank my staff and Senator Coons' staff for the excellent job
they have done in preparing for the hearing.
    At this time, I ask unanimous consent that statements by
the National Treasury Employees Union and the Government
Employees AFL-CIO be included in the hearing record.
    [The information follows:]
      Prepared Statement of the National Treasury Employees Union

                 Colleen M. Kelley, National President

    Chairman Boozman, Ranking Member Coons and distinguished members of
the subcommittee, I would like to thank you for the opportunity to
share our members' perspectives on the recent announcements of agency
data breaches impacting Federal employees. I commend you for holding
this hearing on an extremely urgent issue for the Federal workforce. As
President of the National Treasury Employees Union (NTEU), I have the
honor of representing over 150,000 Federal workers in 31 agencies.
    Mr. Chairman, as you can imagine, there is great fear and outrage
on the part of Federal employees and retirees in the wake of the U.S.
Office of Personnel Management's (OPM) announcements on June 4, and
more recently on June 12, that millions of current and former Federal
employees may have had personally identifiable information (PII)
compromised owing to breaches in databases containing various personnel
records. Federal employees have had a difficult few years, facing
multi-year pay freezes, furloughs, sequestration, and this type of
exposure of personal information is the final straw. Such exposure is
simply unacceptable.
    It is important to note that these breaches follow wide-scale
breaches of health insurance carriers earlier this year that included
Federal employees enrolled in several Federal Employees Health Benefits
Program (FEHBP) plans, and multiple announcements of agency breaches in
2014 affecting background investigation and suitability records.
Federal employees are required to provide significant amounts of
personal data to their employing agencies, for general employment
purposes, as well as for suitability and security clearance purposes.
NTEU asks that this subcommittee act to ensure that agencies have the
ability to immediately safeguard Federal employees' information going
forward. It should come as no surprise that employees are questioning
the idea of submitting this type of detailed personal information to
their agencies in the future, and are particularly pointing to the
suitability and security clearance process, forms, and storage as areas
that need to be immediately changed.
We also ask the subcommittee to
keep these breaches in mind as serious consideration of so-called
``Continuous Evaluation'' (CE) policies move forward in the security
clearance and suitability reform areas, as well as for oversight
purposes of the Administration's Insider Threat program.
    At the moment, a principal outstanding concern for Federal
employees and retirees is the confusion about what exact type of
individual data and information was in fact compromised, and of whom.
In its first statements, OPM confirmed that a breach had potentially
compromised names, dates and places of birth, Social Security numbers,
and addresses. However, a multitude of media and other public
statements followed maintaining that the exposure was far greater in
number and the information even more intrusive--that the type of
information that may have been accessed by outsiders involved
information about family members, beneficiary information from employee
benefit programs, bank accounts, data submitted and stored from
Declarations of Federal Employment and Standard Forms 85 and 86 \1\
(among others) as part of routine background investigations, including
detailed financial information and medical history, home addresses and
other PII and data for annuitants. Late on June 12, OPM informed NTEU
that this was indeed the case--that the worst case scenario for
individuals' privacy--be they Federal civilians, military personnel,
contractors or other individuals simply appearing in various documents,
and our Nation's national security has occurred.
However, NTEU wants to
be clear that which employees have been affected by this apparent
wider, and more serious breach, is still unknown to us and most
importantly to the affected individuals.
---------------------------------------------------------------------------
    \1\ Questionnaires for Public Trust, Non-Sensitive, and National
Security Positions.
---------------------------------------------------------------------------
    OPM's statements issued to us and to agency heads still do not
contain any information about whether individuals who do not possess
security clearances, but who provide detailed information for
suitability determinations and Standard Form 85 for critical non-
sensitive positions, are also included in this breach. Not knowing
whose data, and what exactly has been accessed and compromised, is
creating widespread confusion and anxiety, on top of the general
frustration of having one's personal information compromised be it from
a foreign power, a thief, or otherwise ill-intended individual.
Employees deserve to know what exact databases and information was
hacked, and they need to be in a position to act, given the high level
of risk they and their families are facing. It will also be important
to address whether spouses, siblings, and other relatives, as well as
former non-Federal coworkers and acquaintances whose PII and contact
information is provided, also had their information compromised, and
whether there are plans to notify these members of the public, and to
provide them with credit and identity protection services. We do not
currently have any notification details to share with our members
concerning the latest news from OPM, which again is unacceptable.
I ask
this subcommittee to ensure that the notification plan for all of these
affected individuals is made public, and that it is put into action
immediately.
    Given that more than a week has passed since this wider breach was
announced, NTEU believes it is time to immediately extend blanket
credit monitoring and identity theft protection services to the entire
Federal workforce. We understand that the forensic investigation may
take time, and that there are serious national security implications to
this breach, so in order to best protect employees going forward, a
blanket extension is needed. Since large numbers of employees (OPM
estimates 2.1 million) have just received these services as part of the
first OPM reported breach, it should be a relatively small number of
additional employees who need this coverage extended to them.
    OPM responded positively to NTEU's initial request that Federal
employees be allowed to use Government computers in order to be able to
contact CSID, the OPM-selected contractor, for credit monitoring
purposes and to enroll in the identity theft protection services.
Additionally, OPM also acted on NTEU's request to ensure access to
Government computers for those employees who do not regularly use
computers on the job. While OPM has encouraged agencies to do these
things, NTEU urges agency heads and this subcommittee to ensure that
this access is indeed granted.
    It is critically important for employees and retirees to be able to
access and enroll in protection services as soon as possible. While
NTEU is aware that OPM's contractor-provided notifications have begun
to be emailed and mailed directly to active employees for the first
breach, we are aware of various difficulties that may exist in reaching
affected annuitants and former employees, whose mailing addresses are
not actively maintained by employing agencies or OPM.
Additionally,
many of our members are reporting extensive problems when attempting to
enroll in the CSID-provided services--ranging from not being able to
reach an operator on the toll-free line, to the Web site crashing or
freezing when they are attempting to enter the required enrollment
information, to the rejection of assigned PIN numbers and passwords, to
the inability to establish required connectivity to the CSID Web site,
to official email notifications going into spam filters, and to family
members receiving the employee's notification letter, at an address
that the employee has never lived at, or used for any purpose. In
short, the CSID notification and enrollment process has been a disaster
for many NTEU members.
    A major concern for employees is the delay in notification from the
time of the actual discovery of the breaches. It is imperative that
affected individuals receive swift notification of any type of breach
compromising PII and other information. Any delay in notification only
increases the likelihood of individuals experiencing identity theft and
suffering financially. As you know, Mr. Chairman, NTEU represents
employees at U.S. Customs and Border Protection (CBP), and in September
2014, the Department of Homeland Security (DHS) became aware of a
breach involving KeyPoint, a contractor providing background
investigations and support. The overall volume and sensitive type of
information that is provided by employees undergoing a background
investigation--either as a new hire or for a periodic reinvestigation--
is significant, and includes extremely personal details of employees,
their family members, and of their friends, and even of their coworkers
and acquaintances. However, it was not until June 4, 2015 that DHS
began providing and notifying CBP employees of their ability to enroll
in credit monitoring and identity theft protection services.
A nine-month
delay is simply unacceptable for all individuals involved.
Moreover, two simultaneous, ongoing employee notification processes of
compromised employee personnel records at CBP are leading, not
surprisingly, to major confusion in the workplace.
    Mr. Chairman, I also want to share that I have requested that, as
we move forward, serious consideration be given by the administration
to providing both the credit monitoring services and the identity theft
protection services for a significantly extended period of time beyond
the current 18 months. Given how long these breaches may have gone
undetected, and since the exact identities and data compromised are not
yet known, NTEU believes these items to be prudent courses of action.
As an example, following this year's Blue Cross Blue Shield healthcare
breaches, carriers provided 24 months of protective services to
affected enrollees. Additionally, we ask that blanket coverage be
provided now to those individuals affected in the second breach.
Serious compromises of data and personal information demand serious
responses from the U.S. Government for the protection of its most
valuable asset, its people.
    I again thank the subcommittee for the opportunity to provide
NTEU's views on these alarming employee data breaches, and for your
work to identify the source of these intrusions, as well as to identify
the compromised employee records and personal information. And, most
importantly, to help ensure that this does not happen again. However,
for the information already compromised, time is of the essence, and
clear guidance and immediate notification, with adequate levels of
protection, is warranted. Ultimately, NTEU members want to be assured
that their information, and their family members' information, is not
at risk because of their profession.
Our members deserve to be able to
trust that the Government can properly secure their private
information.
                                 ______

Prepared Statement of the American Federation of Government Employees,
                                AFL-CIO
         opm information technology spending and data security
    Chairman Boozman, Ranking Member Coons, the American Federation of
Government Employees, AFL-CIO (AFGE), which represents more than 670,000
Federal employees, would like to thank the subcommittee for holding
this important hearing on the recent data breaches to the Office of
Personnel Management's electronic employee data systems. Unfortunately,
in the days since the breach was originally announced, the number of
individuals who are or have been employed by the Federal Government,
and potentially had their personal data hacked, continues to increase.
Very little substantive information has been shared with Federal
employees, despite AFGE's numerous requests for specific information in
an effort to help those affected by the data breach. All individuals
affected by the OPM data breach deserve nothing less than a clear path
forward that allows them to take immediate action to protect themselves
from the misuse of their stolen personal information, successfully
monitor their credit, and continue their work as Federal employees with
confidence that the necessary precautions will finally be taken to
protect their personal data.
    OPM must commit to answering the most basic of questions regarding
the breach. The fact that OPM continues to refuse to answer simple
questions about the dimensions of the breach has made the Federal and
DC Government employees and retirees that AFGE represents deeply
skeptical of any information coming from OPM.
AFGE understands the
sensitive nature of the current criminal investigation that is
underway; however, there are some questions and issues that the agency
has a moral responsibility to answer. For example, one question that
still has not been adequately addressed by OPM is whether or not the
data that was stolen can be linked to Federal employees' bank accounts
or direct deposit information. Federal employees deserve answers to all
of their questions so they can take appropriate action.
    Based on the information that OPM has provided, AFGE believes that
the Central Personnel Data File was the targeted database, and the
hackers are now in possession of all personnel data for every Federal
employee, every Federal retiree, up to one million former Federal
employees, as well as similar data for their family members. We believe
that hackers have every affected person's Social Security number(s),
military records and veterans' status information, address, birth date,
job and pay history, health insurance, life insurance, and pension
information; age, gender, race, union status, and more. In fact, at the
House of Representatives Oversight and Government Reform hearing held
on June 16, 2015, OPM Director Katherine Archuleta testified that
Federal employees' Social Security numbers were not encrypted, and thus
were compromised. This is a cyber-security failure that is absolutely
indefensible and outrageous. While OPM has informed Federal employees
that they will provide 18 months of credit monitoring and $1 million in
liability insurance, AFGE believes that a mere 18 months of credit
monitoring is entirely inadequate, either as compensation or protection
from harm. Federal employees will suffer the consequences of the OPM
data breach far longer than 18 months.
In order to protect the personal
data of the millions of individuals affected by the data breach from
this point forward, OPM owes employees and their family members free
lifetime credit monitoring and liability insurance that covers the
entirety of any loss attributable to the breach. With the personal
information of millions of people stolen, we cannot underestimate the
long-term threats to Federal employees' personal finances, credit, and
physical safety.
    AFGE also requests that OPM reconsider the decision to enter into
a contract with Winvale/CSID, a contractor given responsibility for
answering affected employees' questions involving their stolen personal
information. Based on our membership feedback, Federal employees have
not been able to speak with an actual person when they have questions.
At the very least, the terms of the contract should have included
guaranteed access to points of contact that can answer specific,
personal questions that affected Federal employees may have regarding
the data breach. Federal employees who have been victimized by this
breach deserve more than a Web site that is difficult to navigate and
call center contractors who do not know the answers to questions that
go beyond a Frequently Asked Questions (FAQ) template. Those affected
should have access to OPM employees who can respond to questions that
are unique to their individual situations.
    AFGE has also received numerous complaints from Federal employees
who describe their horrendous experience trying to access assistance
from the contractor hired to perform credit monitoring. These
complaints range from reports of the Web site constantly crashing to
the information the contractor produces being inaccurate and out of
date. A recent report on Federal News Radio noted, CSID is ``. . .
thought of as a company that helps others get on the General Services
Administration (GSA) schedules, prepare proposals and the like, and
their GSA schedules are for things such as lab equipment and IT
software services, but there is nothing about credit monitoring,
insurance or similar offerings . . . interestingly enough Winvale's
Web site now says they provide credit monitoring services, but their
profile on Bloomberg does not mention it at all.'' \1\
---------------------------------------------------------------------------
    \1\ Federal News Radio, OPM Contract for Credit Monitoring Services
Called Into Question; http://www.Federalnewsradio.com/520/3875508/OPM-
contract-for-credit-monitoring-services-called-into-question.
---------------------------------------------------------------------------
    Accuracy and accessibility are the entirety of the service that
Winvale/CSID is supposed to be providing. Thus far, Federal employees
have not been able to rely on the accuracy and accessibility of the
credit monitoring services that have been provided. Yet, OPM gave
Winvale/CSID what appears to be a sole-source $20 million contract with
four 1-year renewal options. These issues need to be addressed and
Federal employees must have reliable credit monitoring services
immediately.
    AFGE has received disturbing reports that agencies are denying
Federal employees the time to deal with the impact of the data breach.
At numerous agencies, employees are forbidden to use their government
computers for any purpose other than a work assignment. They are
forbidden from using their government computers to access personal
emails or any non-work related Web sites for any reason.
Federal
employees dealing with this breach need to be able to visit their
banks, Social Security offices, mortgage holder's offices, the
management offices of their apartment complexes, and other creditors in
order to deal with the fallout of having to change credit card and bank
account information. Many agencies' computer firewalls prevent
employees from being able to handle these kinds of transactions online.
Therefore, agencies should grant employees time during normal business
hours to take preventive measures such as contacting their financial
institutions and businesses as notification of their current situation.
Additionally, it is extremely important that OPM ensure that agencies
are meeting all of their collective bargaining obligations on
procedures for accommodating employees trying to deal with the breach.
    Federal employees trusted OPM with their personal information and
the agency failed them. Their personal information was not properly
guarded, and as a result, Federal Government workers and their families
must now live with the threat of having the most intimate details of
their lives exposed, and illegally used against them. The Government
must now earn back the trust of these employees and future public
servants. AFGE thanks the subcommittee for holding this hearing.

                     ADDITIONAL COMMITTEE QUESTIONS

    Senator Boozman. If there are no further questions, the
hearing record will remain open until next Tuesday, June 30, at
noon, for subcommittee members to submit any statements or
questions to the witnesses for the record.
    [The following questions were not asked at the hearing, but
were submitted to the Agency for response subsequent to the
hearing:]
             Questions Submitted to Katherine L. Archuleta
               Questions Submitted by Senator Jerry Moran
                              data breach
    Question. At last week's hearing, you indicated that OPM estimated
the total number of individuals impacted by this most recent data breach
to be approximately 4 million. Media reports suggest that an internal
memo from OPM suggests that as many as 18 to 30 million individuals
could be impacted by the series of breaches dating from March 2014
until present. Can you please provide the most up-to-date information
regarding the number of individuals impacted directly by this breach?
What percentage of the total number of OPM's records are considered to
contain national security information or sensitive information
necessary for identity theft or fraud? Of that, what percentage of
those records were included in this breach? In addition, please provide
any information you see fit that can be helpful to quantify the
severity of this breach.
    Answer. In April 2015, OPM discovered that the personnel data of
4.2 million current and former Federal Government employees had been
stolen. This means information such as full name, birth date, home
address, and Social Security Numbers were affected. This number has not
changed since it was announced by OPM in early June, and individuals
who were affected should have already received a notification.
    While investigating this incident, in early June 2015 OPM
discovered a separate but related incident where additional information
had been compromised, including background investigation records of
current, former, and prospective Federal employees and contractors. OPM
and the interagency incident response team have concluded with high
confidence that sensitive information, including the Social Security
Numbers (SSNs) of 21.5 million individuals, was stolen from the
background investigation databases. This includes 19.7 million
individuals that applied for a background investigation, and 1.8
million non-applicants, primarily spouses or co-habitants of
applicants.
Some records also include findings from interviews
conducted by background investigators and approximately 1.1 million
include fingerprints. Usernames and passwords that background
investigation applicants used to fill out their background
investigation forms were also stolen. Notifications for this incident
have not yet begun.
    Question. You indicated in your testimony last Tuesday that there
were three separate breach incidents that caught the attention of OPM
last year. In March 2014, you explained that OPM successfully detected
a breach attempt but that no personal information had been obtained.
Later that summer, two government security clearance contractors were
breached. In June 2014, 25,000 records, which included highly-sensitive
security clearance information, were obtained from security contractor
U.S. Investigations Services (USIS). Two months later, another security
clearance contractor, KeyPoint Government Solutions, suffered an even
greater breach. This time over 48,000 records were obtained. In each
successful breach incident, OPM was required to issue notification
letters to affected individuals. OPM clearly knew that this sensitive
security clearance information was a target of hackers. It was later
revealed that this sensitive information may have been used to
infiltrate the OPM network. Was this security clearance information
used to gain access to the OPM network? Please offer a detailed
description of your response to these serious breaches. What security
procedures and improvements were put in place? How often did you meet
with your CIO and other top security officials within OPM to discuss
these breaches and develop a response strategy? Please provide a
calendar of those meetings and the topics discussed. Please describe
any new policies OPM required to access the OPM network following the
breaches.
    Answer. The adversary gained access to OPM systems through the
agency's Local Area Network by employing stolen user credentials from a
contractor. OPM has already taken a series of 23 concrete steps to
improve information security, as outlined in its recent Cybersecurity
Action Report. These include:

  --Implementing two factor strong authentication for all privileged
        users, and increasing the percentage of unprivileged users with
        two factor Strong Authentication;
  --Restricting remote access for network administrators and
        restricting network administration functions that can be
        performed remotely;
  --Reviewing all Internet connections to ensure that only legitimate
        business activities have access to the Internet;
  --Deploying new hardware and software tools, including 14 essential
        tools to secure the network;
  --Deploying anti-malware software tools across the environment to
        protect against cybercrime activities that could compromise the
        agency's networks;
  --Establishing a 24/7 Security Operations Center, staffed by
        certified professionals, to monitor the network for security
        alerts;
  --Implementing continuous monitoring to enhance the ability to
        identify and respond, in real time or near real time, to cyber
        threats;
  --Installing more firewalls that allow the agency to filter network
        traffic more effectively;
  --Working with the intelligence community and other stakeholders to
        identify high value cyber targets within the OPM network where
        bulk PII data are present, and mitigate the vulnerabilities of
        those targets to the extent practicable;
  --Modernizing OPM's IT network technology and architecture; and
  --Tightening policies and practices for privileged users.

    These actions have put OPM in a much stronger and more secure
posture than it was when then-Director Archuleta assumed her role. OPM
systems currently thwart millions of intrusion attempts that target its
networks every month. In addition to these past and ongoing activities,
OPM has recently identified several additional actions to bolster its
security and modernize IT systems. These include:

  --Deploying two factor Strong Authentication for all unprivileged
        users (Complete);
  --Expanding continuous monitoring and completing implementation of
        the Continuous Diagnostics and Mitigation program by March
        2016;
  --Establishing requirements for future contracts, as appropriate, to
        ensure access to contractor systems in the event of an incident
        (Complete);
  --Completing a review of encryption of databases (Complete);
  --Hiring a new cybersecurity advisor (In progress);
  --Consulting with outside technology and cybersecurity experts to
        identify further steps the agency can take to protect its
        systems and information (Complete);
  --Migrating to a new IT environment capable of significantly
        increased security controls (In progress); and
  --Establishing regular employee and contractor training on
        appropriate cyber hygiene and practices (In progress).

    Question. In December 2014, one of the breached security
contractors, U.S. Investigations Services (USIS), accused the OPM of
neglecting to share information that might have helped the contractor
detect the breach that occurred in June 2014. Did OPM reveal to its
contractor, USIS, that it had recently suffered a cyberattack? If not,
why did OPM not share this information? To what extent did OPM's
continued refusal to adopt IT best practices and OMB-required IT
procedures contribute to these potential security vulnerabilities at
the contractor level? Was it required that OPM share critical
information about the March 2014 attack?
    Answer. OPM did not disclose to USIS that OPM systems had been
breached in March 2014. In our opinion, there was no clear requirement
that OPM notify USIS of the breach.
    Question. One significant factor that may have led to this breach
is the repeated ignorance of OMB policies and IT best practices. As
Assistant Inspector General Esser indicated in testimony, the fiscal
year 2014 FISMA report offered OPM 29 recommendations covering a wide
variety of IT security topics; however, OPM has only adopted 3 of those
29 recommendations to date. The fiscal year 2014 audit also revealed
that 11 of 47 OPM IT systems were operating without a valid
Authorization, including some of the most critical and sensitive
applications owned by the agency. One tool available to OPM is the
ability to institute administrative sanctions to correct this gross
negligence. The OIG explains this could be an effective way to reduce
non-compliance with FISMA requirements.
    Answer. Within the past year OPM has taken great strides in
improving the enterprise. Many of the recommendations issued by DHS in
2014 have been achieved and OPM is on track to meet or exceed all
Federal mandates including leading in the FISMA Cyberstat, DHS TIC v2,
and HSPD-12.

    The following are some of the accomplishments:

  --Implemented Level 4 two factor authentication for all privileged
        and non-privileged users. The requirement of utilizing PIV for
        all users has made OPM a leader in complying with the HSPD-12
        mandate and significantly reduces the attack surface of the
        network.
  --Restricted remote access for network administrators and restricted
        network administration functions that can be performed
        remotely.
  --Reviewed all connections and associated Access Control Lists (ACLs)
        to ensure only legitimate business connections have access to
        the Internet.
        This includes blocking privileged users' access
        to the Internet.
  --Required administrators to authenticate through a privileged user
        management appliance in order to perform all administrative
        functions. Direct access to servers or databases cannot be
        achieved by users or administrators.
  --Deployed new hardware and software tools to secure the network,
        including:

    --Endpoint protection to detect and prevent malicious and
            unauthorized software from installing and running on
            endpoints and servers.
    --Web Application Firewalls to monitor traffic to and from Web
            applications and prevent common attacks such as DDoS,
            cross-site scripting, SQL injection, and session hijacking.
    --Endpoint anti-virus/malware scanning to quickly detect and block
            viruses and malware.
    --Automated threat response to unify, automate, and orchestrate
            incident responses to ensure speed and decisiveness.
    --Network Access Control to detect and limit unauthorized access
            from devices that do not meet OPM policy.
    --Business critical data and database compliance by providing
            visibility into data access and tracking users' activity
            and data sets.
    --Advanced firewall services to better protect and filter network
            traffic on the internal and external perimeter.
    --Network risk and vulnerability monitoring and assessments to
            identify areas of weakness in the network architecture.
    --Inbound and outbound SSL inspection to audit and monitor
            encrypted malicious traffic.
    --Deployed a network and email data loss prevention solution to
            detect data exfiltration.
    --Implemented anti-phishing and anti-malware inspection and
            prevention of email traffic.

  --Deployed additional firewalls to segment and monitor internal
        traffic.
  --Implemented continuous monitoring to enhance the ability to
        identify and respond, in real time or near real time, to cyber
        threats.
  --Centralized security management and accountability into the Office
        of the CIO and staffed it with security professionals who are
        fully trained and dedicated to information security on a
        full-time basis.
  --Conducted a comprehensive review of IT security clauses in
        contracts to ensure that the appropriate oversight and
        protocols are in place.

    Question. A number of current and former Federal employees have
expressed confusion and concern about the credit monitoring process,
which requires the input of sensitive information online. These workers
have also complained about frustrating multi-hour wait times to speak
with CSID representatives on the phone. Many are unfamiliar with the
vendor, CSID, and the process to enroll in credit monitoring services.
What assurances can you provide that the information submitted by
impacted individuals will be safe and secure with this contractor? Does
this contractor use secure technologies, such as encryption, to protect
sensitive information? Are you aware of any phishing attacks or other
scams to obtain sensitive information from impacted individuals? Has
the contractor made a commitment to improve wait times or increase
their ability to address claims being made by impacted individuals?
    Answer. CSID is the engine behind eight of the top 10 identity
theft protection companies. CSID fully encrypts critical values in
production databases to prevent the exposure of sensitive information
stored in the database to unauthorized persons. CSID employs policies,
procedures, and protection standards meeting or exceeding those in the
industry for securing Personally Identifiable Information (PII).
CSID is
required to comply with standards around data, systems, process, and
personnel resources consistent with the same standards held for all
three credit bureaus. The contract provides that OPM may conduct onsite
inspections--see clause 15.31 1752.239-86 Contractor System Oversight/
Compliance (Sep 2014). CSID is subjected to regular vulnerability
scans, penetration tests, annual PCI audits, credit bureau audits, and
other security related exercises that allow CSID to meet these
compliance standards. OPM's contract with Winvale includes additional
clauses regarding the Privacy Act and other matters involving sensitive
information processing and storage. With any publicly announced data
breach there are attempts by bad actors to exploit the situation. OPM
has gone to extensive lengths via our Web site and guidelines issued to
agencies to provide tools for affected individuals to validate
communications. CSID, in communication with OPM, has added significant
numbers of trained staff to their call centers, and the average wait
time is now less than one minute.
    Question. Earlier this year, an American healthcare company
suffered a massive breach that involved roughly 80 million records. In
that instance, the company decided to provide 24 months of credit
monitoring services. Why did OPM choose to offer 18 months of credit
monitoring services to impacted individuals? What is the total
estimated cost to provide both breach notification and credit
monitoring services to the 4 million figure you provided as the number
of impacted individuals? What would be the cost to provide breach
notification and credit monitoring services to 18 million impacted
individuals, as has been the number suggested in media reports this
week?
    Answer. A careful and thoughtful analysis of the risks presented by
the personnel records incident as well as a review of the services
available, precedent, and industry best practices led OPM to conclude
that 18 months is the appropriate duration for the comprehensive suite
of services offered to help Federal employees.
    Question. During your testimony, you mentioned the development of
an OPM IT plan that was drafted within the first 100 days of your
tenure at the agency. Will you please share that plan? What elements of
the plan outlined OPM's timeline for securing sensitive personnel data?
    Answer. A copy of the OPM Strategic IT Plan was sent to your
subcommittee. The Information Security section (page 17) details three
phases that ensure our information security policies are rigorous and
cost effective based on a risk assessment methodology that considers
both current and potential threats.
    Question. One of the witnesses at last Tuesday's hearing testified
that the most important thing OPM could do is secure sensitive
information immediately. How does OPM plan to develop this capability?
Does OPM plan to build its own security tools? To what extent has OPM
either requested proposals for commercially available security software
or tools?
    Answer. OPM continues to take aggressive action to strengthen its
broader cyber defenses and IT systems. As outlined in its recent
Cybersecurity Action Report, in June, OPM identified 15 new steps to
improve security, work with outside experts, modernize its system, and
ensure accountability. OPM is currently completing a comprehensive
review of its IT systems to find and address any potential
vulnerabilities. It is bringing in experts from inside and outside of
the Government to help with these efforts, including a new cybersecurity
advisor.
OPM is also working with interagency partners on a review of
key questions related to information technology governance, policy,
security, and other aspects of the security clearance process,
including where such data should be housed in the future.
                   information technology governance
    Question. Describe the role of your agency's Chief Information
Officer (CIO) in the development and oversight of the IT budget for
your agency. How is the CIO involved in the decision to make an IT
investment, determine its scope, oversee its contract, and oversee
continued operation and maintenance? How often do you meet with your
CIO and other top IT security professionals within your agency? Please
provide a detailed summary of meetings you have had with your CIO and
her team since you entered the agency in November 2013.
    Answer. The CIO is involved in every aspect of the IT budget
development process at OPM. The OPM CIO is responsible for all major IT
investments from scoping to oversight of the delivery of services on a
contract. The CIO discusses these decisions through standing weekly,
and sometimes daily, meetings with the OPM Director.
    Question. What formal or informal mechanisms exist in your agency
to ensure coordination and alignment within the CXO community (i.e.,
the Chief Information Officer, the Chief Acquisition Officer, the Chief
Finance Officer, the Chief Human Capital Officer, and so on)?
    Answer. The Chief Operating Officer serves as a leader in OPM to
focus the efforts of the CXO positions. Each of these interests is
represented in OPM's strategic plan as a supporting function to the
primary business missions of OPM. The OPM strategic plan addresses the
priorities of the agency and ensures alignment of resources toward the
stated goals.
The COO hosts a weekly staff meeting so CXO executives
can share ideas, work through challenges, and determine the best way
forward for OPM.
    Question. According to the statistics from your office, 46 percent
of the more than 80,000 Federal IT workers are 50 years of age or older
and more than 10 percent are 60 or older. Just 4 percent of the Federal
IT workforce is under 30 years of age. Does the makeup of your agency
reflect such demographic imbalances? How is OPM addressing this talent
issue?
    Answer. Our objective, given the current fiscal environment, is to
raise and leverage awareness of the Federal cybersecurity workforce
across Government. This includes ensuring that the public knows these
positions are available and how to apply for them.

  --This awareness is being done primarily by working with technology
        departments at colleges and universities to educate students
        and staff about the Pathways Program and the hiring
        flexibilities available to agencies to recruit and onboard STEM
        graduates.
  --The Presidential Management Fellowship (PMF) program and the new
        PMF-STEM portfolio attract applicants with cybersecurity skills
        in disciplines such as computer science, computer engineering
        and computational analytics.
  --Our outreach guidance provides Federal agencies with up-to-date
        information on how to message their opportunities, encourages
        them to work within their communities to strengthen the local
        talent pipeline in their communities, and provides workforce
        planning tools that enable them to plan for and get the
        workforce they need.

    OPM also has the leadership role for the Administration's
Initiative to Close Cybersecurity Skill Gaps.

  --This collaborative governmentwide strategy involves partnering with
        the Office of Management and Budget and the Office of Science
        and Technology in the Executive Office of the President as well
        as interagency councils and the Federal agencies.
  --Currently, we are mapping the existing Federal cybersecurity
        workforce using OPM's new Cybersecurity Data Element Standard
        that recognizes the value of the NICE Framework.
  --Our goal is that this new dataset in fiscal year 2015 and beyond
        will be a driving force that aids Federal agencies in getting
        the workforce they need.
  --The re-categorizing of Federal positions with cybersecurity work
        will tell us what skills are in demand and what skills need to
        be refreshed or developed.
  --Our job announcements will be designed to get the candidate quality
        desired by our hiring managers.
  --Our training and development opportunities will be better designed
        to attract and retain the workforce we need.

    Question. One theme you mentioned in your testimony was related to
OPM's legacy IT system. How much of the OPM budget goes to
Demonstration, Modernization, and Enhancement of IT systems as opposed
to supporting existing and ongoing programs and infrastructure? How has
this changed in the last 5 years?
    Answer. OPM's annual IT Spend from fiscal year 2012 to fiscal year
2016 for Development, Modernization and Maintenance (DME) and
Operations and Maintenance (O&M) as reported to OMB is outlined below.

  --Fiscal Year 2012: DME: $63,724,442; O&M: $201,539,995;
      Total: $265,264,437;

  --Fiscal Year 2013: DME: $97,273,199; O&M: $211,815,787;
      Total: $309,088,986;

  --Fiscal Year 2014: DME: $69,299,462; O&M: $281,880,002;
      Total: $351,179,464;

  --Fiscal Year 2015: DME: $110,724,682; O&M: $257,968,435;
      Total: $368,693,117;

  --Fiscal Year 2016: DME: $61,670,770; O&M: $310,075,505;
      Total: $371,746,275

    Question. What are the 10 highest priority IT investment projects
that are under development in your agency? Of these, which ones are
being developed using an ``agile'' or incremental approach, such as
delivering working functionality in smaller increments and completing
initial deployment to end-users in short, 6-month timeframes? Please
describe how the OPM IT plan developed in your first 100 days at the
agency reflects this encouraged development method.
    Answer. The table below shows the high priority IT projects that
are currently under development at OPM. The IT Strategic Plan has
served as a catalyst for the Investment Teams to make the transition to
Agile and/or incremental development a top priority. Ultimately, moving
development from a waterfall to agile methodology allows for more
efficient and effective project management and is paramount to the
long-term success of projects at OPM.

------------------------------------------------------------------------
                                                         Using Agile
    #            Project             Investment          Development?
------------------------------------------------------------------------
1         USAJOBS.............  USAJOBS............  Yes
2         Enterprise Case       ECMS...............  Yes, it is a
           Management System                          contract
           (ECMS).                                    requirement for
                                                      the implementation
                                                      of the software
                                                      which is currently
                                                      in the acquisition
                                                      stage.
3         Shell--               Enterprise           Yes, the migration
           Infrastructure        Infrastructure       of existing
           Improvement Project.
       Operations (EIO).    applications to\n                                                      Shell will be done\n                                                      using an agile\n                                                      methodology.\n4         Legacy Migration....  EPIC Transformation  No. Project is on\n                                                      hold.\n5         Electronic Official   eOPF...............  Yes\n           Personnel Folder\n           (eOPF).\n6         EHRI Data Warehouse.  EHRI Data Warehouse  Yes\n7         Retirement Data       eOPF...............  Yes\n           Repository.\n8         New USA Staffing....  USA Staffing System  Yes\n9         Legacy USA Staffing   USA Staffing System  Yes\n           to include core USA\n           Staffing,\n           Application\n           Manager, On\n           Boarding Manager\n           and Selection\n           Manager.\n10        USA Performance.....  USA Performance....  Yes\n------------------------------------------------------------------------\n\n\n    Question. To ensure that steady-state investments continue to meet \nagency needs, OMB has a longstanding policy for agencies to annually \nreview, evaluate, and report on their legacy IT infrastructure through \nOperational Assessments. What Operational Assessments have you \nconducted and what were the results?\n    Answer. As per OMB's requirement, the major investments listed \nbelow are in the O&M stage and have conducted an Operational Analysis \n(OA) or Post-Implementation Review (PIR). All of the OAs and PIRs touch \non a number of issues and are many pages long (10+). 
Henceforth, it is \ndifficult to summarize in a few sentences as to whether all aspects of \nthe investment are performing well.\n\n  --USAJOBS\n  --USA Staffing System\n  --Enterprise Infrastructure Operations (EIO)\n  --EHRI electronic Official Personnel Folder (eOPF)\n  --EHRI Data Warehouse\n  --Consolidated Business Information System (CBIS)\n\n    Question. What are the 10 oldest IT systems or infrastructures \nmaintained by the Office of Personnel Management? How old are they? \nWould it be cost-effective to replace them with newer IT investments?\n    Answer. The applications that are the oldest are in OPM's \nRetirement Services and Federal Investigative Services. Retirement \nServices has more than 60 applications dating back to the mid-1980s. \nOPM's modernization plan is replacing these applications with newer IT. \nOur goal is to move into a more modern infrastructure environment and \nto move off of the mainframe.\n    Question. How does OPM's IT governance process allow for your \nagency to terminate or ``off-ramp'' IT investments that are critically \nover budget, over schedule, or failing to meet performance goals? \nSimilarly, how does your agency's IT governance process allow for your \ndepartment/agency to replace or ``on-ramp'' new solutions after \nterminating a failing IT investment?\n    Answer. OPM established an Investment Review Board (IRB) as the \nauthoritative body to review and recommend investment priorities to the \nOPM Director for IT spending. The current IRB charter states that one \nof the IRB functions is to: ``Monitor ongoing information technology \ninvestments against their projected costs, schedules, and benefits, and \ntake action to recommend continuation, modification, or termination.'' \nThe IRB is comprised of senior management of all OPM offices and meets \non a quarterly or as-needed basis to receive IT Investment assessment \nbriefings. 
If a new solution or replacement is required, the IRB would \nreceive a Business Case from the IT Investment. The IRB would review \nand provide disapproval or approval of the Business Case.\n    Question. What IT projects has your agency decommissioned in the \nlast year? What are your agency's plans to decommission legacy IT \nprojects this year?\n    Answer. OPM has not decommissioned any IT projects in the last \nyear. However, OPM has initiated multiple IT projects to replace \nnumerous legacy IT projects. These include the Shell project which will \nincorporate numerous technology upgrades to the OPM IT infrastructure; \nand the Enterprise Case Management System (ECMS) project which will \nreplace legacy case management systems.\n    Question. The newly enacted Federal Information Technology and \nAcquisition Reform Act of 2014 (FITARA, Public Law 113-291) directs \nCIOs to conduct annual reviews of their department's IT portfolio. \nWhile OPM is not subject to FITARA, does OPM conduct these types of IT \nportfolio reviews? If so, please describe your agency's efforts to \nidentify and reduce wasteful, low-value or duplicative information \ntechnology (IT) investments as part of these portfolio reviews.\n    Answer. OPM is subject to FITARA and agrees with its efforts to \ncentralize the oversight process for IT investments. The required \nelements of FITARA will position OPM to address previously issued IG \nfindings and recommendations. OPM believes this shift will greatly \nstrengthen its efforts to ensure effective and efficient spending on IT \ninvestments.\n    Through improved governance and oversight of IT investments and \ninitiative development, OPM is reducing the redundancy of systems and \ncapabilities across the enterprise. For example, an enterprise case \nmanagement system has been put into place, which will remove \nduplication and assist in fulfilling mission-critical needs for FIS and \nRetirement Services.\n    Question. 
In 2011, the Office of Management and Budget (OMB) issued \na ``Cloud First'' policy that required agency Chief Information \nOfficers to implement a cloud-based service whenever there was a \nsecure, reliable, and cost-effective option. How many of the agency's \nIT investments are cloud-based services (Infrastructure as a Service, \nPlatform as a Service, Software as a Service, etc.)? What percentage of \nthe agency's overall IT investments are cloud-based services? How has \nthis changed since 2011?\n    Answer. OPM's new infrastructure is essentially a cloud-based \nservice. It will be infrastructure as a service to our program offices, \nincluding software, storage, and security as a service. We are moving \nto a total cloud-based methodology. As OPM in its modernization plan is \ncollapsing the five data centers that it currently operates into two \ncommercial data centers, we are building our cloud service as a high-\nsecurity center.\n    Question. Provide short summaries of three recent IT program \nsuccesses--projects that were delivered on time, within budget, and \ndelivered the promised functionality and benefits to the end user. How \ndoes your agency define ``success'' in IT program management? What \n``best practices'' have emerged and been adopted from these recent IT \nprogram successes? What have proven to be the most significant barriers \nencountered to more common or frequent IT program successes?\n    Answer. USAJOBS utilizes modern user-centered design practices, \nagile software development, data analytics, and DevOps to deliver high-\nvalue features and enhancements every 9-12 weeks. Leveraging human-\ncentered design methodology, USAJOBS engages users early and often in \nthe design process to ensure that features are designed and developed \nto provide the best possible user experience. 
USAJOBS employs Agile \nsoftware development practices to rapidly adjust to changing customer \npriorities, allowing the program office to always be working on the top \nuser priority and deliver completed software features after every three-\nweek sprint.\n    USAJOBS creates a measurement plan for all new features, defining \nmeasurable goals that can be captured in real time. Gone are \nspreadsheets, static PowerPoints, and manual performance monitoring--\nUSAJOBS monitors all key performance indicators via a real-time \nanalytics dashboard that is populated by our data warehouse. Since 2013, \nUSAJOBS has taken methodical steps to increase the efficiency of our \ndevelopment pipeline by employing DevOps best practices. Practices like \ncontinuous integration, automated testing, and automated security \nscanning have decreased the technical overhead surrounding software \ndeployments and increased our security posture. These best practices \nhave increased customer satisfaction, changed user behaviors and \nreduced support costs while gaining efficiencies in delivering value to \nthe customer. The following three IT programs are examples of how OPM \nhas successfully applied IT best practices to deliver systems that \nreflect Federal agencies' business needs and priorities:\n\n  --USA Staffing is OPM's Talent Acquisition System for Federal \n        agencies. Created by OPM and informed by the experience of more \n        than 50 agencies, USA Staffing helps agencies acquire, assess, \n        certify, select, and onboard qualified candidates in alignment \n        with Merit System Principles and Veterans Preference. USA \n        Staffing is tightly integrated with USAJOBS and compliant with \n        Federal hiring regulations and Federal Information Technology \n        (IT) requirements. 
Through Agile IT, USA Staffing and USAJOBS \n        share technical solutions, such as user authentication and \n        document upload processes, and collaborate to carry out joint \n        research on governmentwide priorities, including encryption \n        solutions.\n  --OPM's HR Solutions (HRS) and Chief Information Officer (CIO) \n        completed a multi-year project (launched in September 2012) to \n        upgrade USA Staffing. OPM initiated the upgrade to: (1) ensure \n        modern technologies are in place to support capacity demands; \n        (2) improve speed to mission by enabling USA Staffing to be \n        more responsive to customer requirements and OPM initiatives; \n        and (3) expand data analytics that can be used by management to \n        improve the hiring process. Of note, USA Staffing accounted for \n        78 percent of Federal job postings on USAJOBS in fiscal year \n        2014.\n\n    Barriers to success include the lengthy hiring process, which often \ndelays necessary hires, and the Federal contracting process, which \ninhibits the Agile System Development Life Cycle.\n\n  --USA Performance (USAP) was developed in direct response to the \n        overwhelming need across Government for an automated \n        performance management tool. USAP addresses a critical gap in \n        available technology to appropriately automate this fundamental \n        human resources function in all Federal agencies. USAP uses the \n        latest IT development principles (Agile) and technology to \n        build a cost-effective and desirable system. These principles \n        include focusing on the most valuable functionality with \n        constant stakeholder input and engaging in frequent planning to \n        ensure successful software delivery. USAP operates in 4-week \n        sprints to develop and test new functionality. 
As such, the \n        system (initially released in July 2014) was developed on \n        schedule (less than 16 months) and under budget estimates. \n        Since the initial release, USAP has had six subsequent releases \n        to enhance functionality. In the first 6 months of planning, \n        USAP convened key representatives from 10 Federal agencies to \n        capture requirements for designing USAP and gain better \n        understanding of their business needs. USAP also facilitates \n        frequent usability testing with potential end users from a \n        variety of agencies on system features as the features are \n        being developed. This results in faster approval, increased \n        satisfaction, and easier adoption by pilot agencies. Through \n        continuous stakeholder involvement, the development team and \n        the programmers can focus on developing the highest value \n        functions in the tool. OPM continues to facilitate monthly \n        advisory board meetings for agencies to provide input and \n        feedback on USAP enhancements and other changes now that \n        agencies are using the tool. USAP is an evolving, growing \n        system. As a result of these development principles, USAP \n        anticipates continued program success. USAP has been \n        acknowledged outside of OPM for its innovation and efforts to \n        revolutionize performance management. In 2014, USAP won the \n        Nextgov Bold Award, the People's Choice Award, and received \n        third place from HCMG for ``Best Implementation of an \n        Enterprise Technology System.''\n                                 ______\n                                 \n          Questions Submitted by Senator Christopher A. Coons\n    Question. 
Do you know exactly what your requirements are for the IT \nmodernization project so that the contractor is not in the driver's \nseat to determine your requirements for you (which has led other \nagencies' IT projects to their downfall)?\n    Answer. Yes. OPM's Federal employees created the requirements for \nShell and the phased approach that would be used to implement the plan \nbefore hiring contractor assistance with execution of the plan.\n    Question. Have you reviewed other agencies' successful IT projects \nto use as a model?\n    Answer. Yes. OPM consulted with other Federal agencies to hear of \nlessons learned and leading practices prior to full development of \nrequirements, scope and budget.\n    Question. GAO has recommended that for IT projects to be \nsuccessful, they should be broken down into smaller segments, which \nallows for better oversight of the project, increasing odds of avoiding \nschedule delays and cost overruns. Do you feel that this project is \ndesigned in that manner or are there improvements that can be made in \nthat regard?\n    Answer. Yes. OPM's IT Modernization Plan was broken down into 4 \nphases to better manage requirements, budgets and execution. The four \nphases are:\n\n  --Phase 1--Tactical: Deployment of expanded security tools to \n        strengthen existing OPM network.\n  --Phase 2--Shell: Design and deploy new data center infrastructure.\n  --Phase 3--Migration: Re-architect OPM applications to make best use \n        of Shell and current technologies and to find efficiencies \n        across applications through reuse.\n  --Phase 4--Decommission: Remove hardware from existing network as \n        applications move to Shell.\n\n    Question. Has the Chief Information Officer had experience handling \nprojects of this dimension?\n    Answer. Yes. Mrs. 
Seymour served as the Executive Director, \nEnterprise Human Resource Information Systems, where she was responsible \nfor providing Department of Defense-wide information technology \nsolutions to meet the needs of 35,000 HR specialists, DOD civilian \nemployees, and military and civilian managers and leaders. She began \nher Federal career in 1978 and has concentrated primarily in the area \nof information technology, especially its ability to transform the \nworkforce and business of the Federal Government, acquisition, \nfinancial management, and human resources management.\n    Question. Do you expect this project to be on OMB's IT Dashboard?\n    Answer. Yes, the 10 highest priority projects currently are or are \nexpected to be on OMB's IT Dashboard.\n\n                         CONCLUSION OF HEARINGS\n\n    Senator Boozman. With that, the subcommittee hearing is \nadjourned.\n    [Whereupon, at 12:44 p.m., Tuesday, June 23, the hearings \nwere concluded, and the subcommittee was recessed, to reconvene \nsubject to the call of the Chair.]\n</pre></body></html>\n"