b'<html>\n<title> - IMPROVING SECURITY AND EFFICIENCY AT OPM AND THE NATIONAL BACKGROUND INVESTIGATIONS BUREAU</title>\n<body><pre>[House Hearing, 115 Congress]\n[From the U.S. Government Publishing Office]\n\n\n IMPROVING SECURITY AND EFFICIENCY AT OPM AND THE NATIONAL BACKGROUND \n                         INVESTIGATIONS BUREAU\n\n=======================================================================\n\n                                 HEARING\n\n                               BEFORE THE\n\n                         COMMITTEE ON OVERSIGHT\n                         AND GOVERNMENT REFORM\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED FIFTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                            FEBRUARY 2, 2017\n\n                               __________\n\n                           Serial No. 115-12\n\n                               __________\n\nPrinted for the use of the Committee on Oversight and Government Reform\n\n\n\n[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]\n\n\n         Available via the World Wide Web: http://www.fdsys.gov\n                       http://oversight.house.gov\n                       \n                       \n                               __________\n                               \n\n                    U.S. GOVERNMENT PUBLISHING OFFICE                    \n26-358 PDF                  WASHINGTON : 2017                     \n          \n----------------------------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Publishing Office, \nhttp://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, \nU.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). 
\nE-mail, gpo@custhelp.com.                       \n                       \n                       \n              Committee on Oversight and Government Reform\n\n                     Jason Chaffetz, Utah, Chairman\nJohn J. Duncan, Jr., Tennessee       Elijah E. Cummings, Maryland, \nDarrell E. Issa, California              Ranking Minority Member\nJim Jordan, Ohio                     Carolyn B. Maloney, New York\nMark Sanford, South Carolina         Eleanor Holmes Norton, District of \nJustin Amash, Michigan                   Columbia\nPaul A. Gosar, Arizona               Wm. Lacy Clay, Missouri\nScott DesJarlais, Tennessee          Stephen F. Lynch, Massachusetts\nTrey Gowdy, South Carolina           Jim Cooper, Tennessee\nBlake Farenthold, Texas              Gerald E. Connolly, Virginia\nVirginia Foxx, North Carolina        Robin L. Kelly, Illinois\nThomas Massie, Kentucky              Brenda L. Lawrence, Michigan\nMark Meadows, North Carolina         Bonnie Watson Coleman, New Jersey\nRon DeSantis, Florida                Stacey E. Plaskett, Virgin Islands\nDennis A. Ross, Florida              Val Butler Demings, Florida\nMark Walker, North Carolina          Raja Krishnamoorthi, Illinois\nRod Blum, Iowa                       Jamie Raskin, Maryland\nJody B. Hice, Georgia\nSteve Russell, Oklahoma\nGlenn Grothman, Wisconsin\nWill Hurd, Texas\nGary J. 
Palmer, Alabama\nJames Comer, Kentucky\nPaul Mitchell, Michigan\n\n                   Jonathan Skladany, Staff Director\n                    William McKenna, General Counsel\n                      Julie Dunne, Senior Counsel\n                         Michael Flynn, Counsel\n                    Sharon Casey, Deputy Chief Clerk\n                 David Rapallo, Minority Staff Director\n                            \n                            \n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on February 2, 2017.................................     1\n\n                               WITNESSES\n\nMs. Kathleen McGettigan, Acting Director, U.S. Office of \n  Personnel Management\n    Oral Statement...............................................     6\n    Written Statement............................................     8\nMr. David DeVries, Chief Information Officer, U.S. Office of \n  Personnel Management\n    Oral Statement...............................................    13\nMr. Cord Chase, Chief Information Security Officer, U.S. Office \n  of Personnel Management\n    Oral Statement...............................................    13\nMr. Charles Phalen, Director, National Background Investigations \n  Bureau\n    Oral Statement...............................................    13\nMr. Terry Halvorsen, Chief Information Officer, U.S. Department \n  of Defense\n    Oral Statement...............................................    14\n    Written Statement............................................    16\n\n                                APPENDIX\n\nFebruary 9, 2016, Worldwide Threat Assessment by Mr. James \n  Clapper, submitted by Mr. Lynch................................    
60\nResponse from the Office of Personnel Management to Questions for \n  the Record.....................................................    93\n\n \n IMPROVING SECURITY AND EFFICIENCY AT OPM AND THE NATIONAL BACKGROUND \n                         INVESTIGATIONS BUREAU\n\n                              ----------                              \n\n\n                       Thursday, February 2, 2017\n\n                  House of Representatives,\n              Committee on Oversight and Government Reform,\n                                                   Washington, D.C.\n    The committee met, pursuant to call, at 9:02 a.m., in Room \n2154, Rayburn House Office Building, Hon. Jason Chaffetz \n[chairman of the committee] presiding.\n    Present: Representatives Chaffetz, Jordan, Amash, Massie, \nMeadows, DeSantis, Ross, Blum, Hice, Grothman, Hurd, Palmer, \nComer, Mitchell, Cummings, Maloney, Lynch, Connolly, Kelly, \nLawrence, Plaskett, Demings, Krishnamoorthi, and Raskin.\n    Chairman Chaffetz. The Committee on Oversight and \nGovernment Reform will come to order.\n    And without objection, the chair is authorized to declare a \nrecess at any time.\n    I appreciate you all being here. We have a very important \nhearing. We have a number of members that, I\'m sure, will be \nhere but will be a little bit late. There is the National \nPrayer Breakfast, and getting across town at this time of day \nis a very difficult task, so----\n    But, nevertheless, I\'m glad to have you here and look \nforward to this important hearing.\n    Two years ago, the Office of Personnel Management suffered \none of the most damaging data breaches in the history of the \nFederal Government. This went on for some time, and there are \nstill additional details that need to be learned.\n    But the counterintelligence value of the data that was \nstolen will last for an untold amount of time, a generation or \nso. 
So it troubles me to hear reports that maybe some of the \nthings that led to this haven\'t necessarily been changed at the \nOffice of Personnel Management.\n    We have a number of questions that I think we need to \nexplore. For example, are legacy systems still in use for \nbackup investigations? Is OPM employing good cybersecurity \npractices such as dual factor authentication and network \nsegmentation? What is the plan to transition all of OPM\'s \nsystems off this legacy technology? When will OPM stop using \nunsecured and vulnerable legacy technologies such as Cobalt and \nstart using maybe some modernized solutions that can be put on \nthe cloud?\n    How is OPM protecting the inside of the network and not \njust building the cyberwalls higher? Will OPM adopt a zero-\ntrust model as part of their cybersecurity strategy? You can\'t \nsteal what you can\'t access, and a zero-trust model makes life \nmuch harder for the hackers. These are some of the questions \nwe\'ll continue to ask and explore.\n    We said it in the committee\'s data breach report, and I\'ll \nsay it again, chief information officers matter. They really do \nmatter. That\'s why we have two of them on the panel today. \nFederal agencies, particularly CIOs, must recognize their \npositions are on the frontline of defense against these cyber \nattacks. And as the government, we\'re on notice. Leadership at \nthe Federal agencies must be vigilant about the ever-present \nnational security threats targeting their IT systems. And \nespecially in OPM\'s case where the IT systems are protecting \nsome of the most vulnerable information held by the Federal \nGovernment.\n    The National Background Investigation Bureau, also known as \nNBIB, N-B-I-B, was partly born from the failures at the Office \nof Personnel Management. When OPM last testified before the \ncommittee, in February of 2016, the NBIB had just been \nannounced. 
During the hearing, questions were raised about the \naccountability and how this new organization would operate \ngiven the split responsibilities with OPM overseeing the NBIB \nand the Department of Defense overseeing the IT security of the \nNBIB.\n    Today, we\'d like answers to those questions and assurances \nthat we\'re moving in the right direction and also, as to when \nthe new organization will be fully operational with a secure IT \nenvironment.\n    Was the creation of the NBIB simply a rebranding effort, or \ndoes the NBIB represent real change? At our last hearing, we \ntalked about how the many security clearance processes failed \nto check social media information of the applicants. The day \nbefore our follow-up hearing in May of 2016, the director of \nNational Intelligence issued a new policy permitting the \ncollection of publicly available social media information in \ncertain cases. We\'d like to understand how this policy is being \nimplemented and if it is effective.\n    Finally, the clearance process seems to be getting worse \nwhile the reform process continues. My understanding is at \nleast--based on an OPM management memo of October 2016, there\'s \na backlog--at least then--there was a backlog of 569,000 cases. \nThat\'s quite a list. It does beg the question as to why we have \nto have so many background checks, but where are we at in terms \nof the backlog? And why, despite all the reform activities, is \nthe clearance process taking longer?\n    In fiscal year 2015, it took an average of 95 days to \nprocess a secret clearance and 179 days for a top secret \nclearance. In fiscal year 2016, it took an average of 166 days \nto process a secret clearance and 246 for a top secret \nclearance. 
That\'s quite a jump in the timeline that it takes in \norder to get there.\n    More than a decade ago, the security clearance data and \nprocesses were transferred from the Department of Defense to \nOPM, and now there\'s talk of transferring this process back to \nthe Department of Defense. We also have the newly created NBIB \nwhere OPM and DOD have a shared responsibility. And we need to \nget this right, make sure that we have stopped just moving the \norganizational boxes around.\n    As we continue our oversight of the transition of \nresponsibilities from OPM to the NBIB, we need to continue to \nask about the efficiency and making sure, at the end of the \nday, that we\'re protecting and securing the United States of \nAmerica.\n    So there are a tremendous amount of number of people that \nare working on IT issues. We will have additional hearings and \ndiscuss that.\n    I personally do believe--and this is--at some point, I \nwould like to draw this out from you--attracting and retaining \nIT professionals has got to be a challenge for the government. \nIt\'s a challenge in the private sector. It\'s a challenge across \nthe board.\n    I was fortunate enough to have a newly minted son-in-law, \nwho is in the IT field. And the opportunities for him for \nemployment were unbelievable. I\'ve never seen anything like it, \nwhich is good as his father-in-law. That\'s a good thing.\n    But on a serious note, I do think we have to address, on \nthe whole of government--not just this particular field, but \nthe whole of government--how do we attract and retain IT \nprofessionals, because we do need so many of them, and there\'s \nso much vulnerability for the country as a whole.\n    So this is an important hearing, and I appreciate you being \nhere. And now I\'d like to recognize the ranking member, Mr. \nCummings.\n    Mr. Cummings. Thank you very much, Mr. Chairman. 
I want to \nthank you for calling this hearing.\n    And as I listen to you talk about the IT people, Mr. \nChairman, this is very important that we all let Federal \nemployees know how important they are, and that we do \neverything in our power to provide them with the types of \nsalaries and work security that they need. That\'s one of the \nthings that would help to attract them and keep them.\n    Today\'s hearing is on the process our Nation uses to \nconduct background checks for Federal employees, who are \nseeking very important security clearances so they can have \naccess to our most guarded secrets.\n    This hearing could not come at a more critical time. \nYesterday, I sent a letter requesting a Pentagon investigation \nof the President\'s national security adviser, Lieutenant \nGeneral Michael Flynn, for his potentially serious violation of \nthe United States Constitution. I was joined by the ranking \nmembers of the committees on Armed Services, Judiciary, \nHomeland Security, Foreign Affairs, and Intelligence.\n    General Flynn has admitted that he received payment to \nappear at a gala in December of 2015 hosted by Russia Today, \nthat country\'s State-sponsored propaganda outlet.\n    During that event, General Flynn dined with Russian \nPresident, Vladimir Putin. As our letter explains, the \nDepartment of Defense warns its retired officers that they may \nnot accept any direct or indirect payment from foreign \ngovernments without congressional approval, because they \ncontinue to hold offices of trust under the emoluments clause \nof the United States Constitution.\n    On January 6, intelligence officials issued their report \ndetailing Russia\'s attack on the United States to undermine our \nelection. 
This report concluded with high confidence that the \ngoal was to, quote, ``undermine public faith in the United \nStates\' democratic process,\'\' end of quote.\n    This report described as, quote, ``The Kremlin\'s principal \ninternational propaganda outlet,\'\' end of quote. It explained--\nand I quote--that ``The Kremlin\'s staff\'s RT and closely \nsupervises RT\'s coverage recruiting people who can convey \nRussian\'s strategic messaging because of their ideological \nbeliefs,\'\' end of quote.\n    It is extremely concerning that General Flynn chose to \naccept payment for appearing at an event hosted by the \npropaganda arm of the Russian Government at the same time that \nthe country was engaged in an attack against this Nation in an \neffort to undermine our election. Something is wrong with that \npicture.\n    But it is even more concerning that General Flynn, who \nPresident Trump has now chosen to be his national security \nadviser, may have violated the Constitution in the process. We \ndo not know how much General Flynn was paid for this event and \nfor his dinner with President Putin, whether it was $5,000, \n$50,000, or more. We don\'t know. We do not know whether he \nreceived payments from Russian or other foreign sources or on \nseparate occasions or whether he sought approval from the \nPentagon or Congress to accept these payments. We don\'t know.\n    Related to today\'s hearing, we do not know what effect this \npotentially serious violation of the Constitution should or \nwill have on General Flynn\'s security clearance.\n    Security clearance holders and those applying for security \nclearances are required to report their contacts with foreign \nofficials. We do not know what, if anything, General Flynn \nreported about his contacts with officials from Russia or other \ncountries. We do not know if he reported this one payment or \nany other payment he may have received. 
These are the questions \nthat need to be answered.\n    We also have questions about the individuals who may seek \nto join the administration and obtain access to classified \ninformation while they are currently under investigation.\n    For example, there have been reports that President Trump\'s \nformer campaign chairman, Paul Manafort, has been advising the \nWhite House recently while at the same time he\'s, reportedly, \nunder FBI investigation for his dealings with Russian \ninterests. We want to know how security clearances are handled \nif the existing clearance holders or new applicants are under \ncriminal investigation. Does the FBI allow these individuals to \ncontinue to have access to classified information, or is there \na process to place a hold on someone\'s clearance or application \nuntil the investigation resolves the questions?\n    Finally, President Trump claims that Democrats only became \ninterested in Russian hacking for political reasons and that, \nfor example, we have no interest in cyber attacks against OPM. \nHe stated, and I quote, ``They didn\'t make a big deal of \nthat,\'\' end of quote.\n    The President is one million percent wrong. I and other \nDemocrats worked aggressively on this committee\'s investigation \nof the attacks on OPM. We held multiple hearings, including one \nthat I requested. We conducted extensive interviews and \nbriefings with key witnesses. We reviewed more than 10,000 \npages of documents, and we issued two reports from the majority \nand minority staff.\n    I called for expanding our investigation to other agencies, \nincluding the State Department, the postal service, which were \nboth attacked.\n    I called for investigating the cyber attacks on financial \ninstitutions like JPMorgan Chase. 
Our intelligence agencies had \nwarned us--I called for investigating the cyber attacks on the \nNation\'s biggest for-profit hospital chain, Community Health \nSystems, which had the largest hacking-related health \ninformation breach ever reported.\n    And I called for investigating the cyber attacks on retail \ncompanies, including Home Depot, Target, and Kmart. So the \nPresident\'s claim that we are focusing on Russia\'s hacking for \npolitical reasons is ludicrous. Our intelligence agencies have \nwarned us that if we do not act now, our adversaries, including \nRussia, are determined to strike again. We need to get answers \nto these questions immediately, and I thank all of our \nwitnesses for being with us today.\n    And, again, Mr. Chairman, I thank you for this hearing. And \nI yield back.\n    Chairman Chaffetz. I thank the gentleman.\n    We\'ll hold the record open for 5 legislative days for any \nmembers who would like to submit a written statement.\n    I now would like to recognize the panel of witnesses. We\'re \npleased to welcome Ms. Kathleen McGettigan, who is the acting \ndirector of the United States Office of Personnel Management.\n    Ms. McGettigan is accompanied by David DeVries--DeVries, \nsorry--chief information officer of the United States Office of \nPersonnel Management; Mr. Cord Chase, chief information \nsecurity officer at the United States Office of Personnel \nManagement, and Mr. Charles Phalen, director of the National \nBackground Investigations Bureau, or NBIB. Their expertise on \nthis issue will be very important to this subject matter, so \nthey will all--everybody will be sworn in.\n    We\'re also honored to have Mr. Terry Halvorsen is the chief \ninformation officer at the United States Department of Defense. \nIt\'s my understanding Mr. Halvorsen is retiring at the end of \nthe month, and we could think of no better gift for you than \nhaving to testify before Congress.\n    It\'s such a joy. 
I know you\'re looking forward to it \npersonally. So happy birthday, Merry Christmas, and happy \nretirement for coming to testify before Congress. But we thank \nyou, sir for your----\n    Mr. Halvorsen. Thank you.\n    Chairman Chaffetz. --for your service to this country and \nat the Department of Defense. And we really do appreciate your \nexpertise and look forward to hearing your testimony. And we \nwish you well.\n    And, again, thank you for your service and your willingness \nto be here today. You probably could have squirmed out of this \none if you really wanted to, but you stepped up to the plate \nand took this assignment, so thank you, sir, for being here.\n    Again, we welcome you all. Pursuant to committee rules, all \nwitnesses are to be sworn before they testify. So if you would \nplease rise and raise your right hand.\n    Do you solemnly swear or affirm that the testimony you are \nabout to give will be the truth, the whole truth and nothing \nbut the truth, so help you God?\n    Thank you. You may be seated. Let the record reflect that \nthe witnesses all answered in the affirmative.\n    Your entire written statement will be made part of the \nrecord, but we would appreciate it if you could keep your \ncomments to 5 minutes. And like I said, your whole record--your \nwhole testimony and any supplements you have will be made part \nof the record.\n    Ms. McGettigan, you are now recognized for 5 minutes.\n\n                       WITNESS STATEMENTS\n\n                STATEMENT OF KATHLEEN MCGETTIGAN\n\n    Ms. McGettigan. Good morning, Mr. Chairman, Ranking Member, \nand distinguished members of the committee. Thank you for the \nopportunity for my colleagues and myself to testify on behalf \nof the Office of Personnel Management.\n    As you said, I am joined today by Mr. Charles Phalen, the \ndirector of the National Background Investigations Bureau, Mr. \nDave DeVries, OPM\'s chief information officer, and Mr. 
Cord \nChase, OPM\'s chief information security officer.\n    While I am presently the acting director of OPM, I do have \nover 25 years of service at the agency.\n    OPM recognizes how critical the topics of today\'s hearing \nare to the Federal Government and to our national security, and \nI look forward to our having a productive conversation about \nthe NBIB transition, the security clearance process, and \ninformation technology security.\n    As you know, the NBIB was established on October 1st, 2016, \nand is the primary provider of background investigations for \nthe Federal Government.\n    Charlie has a distinguished career in multiple roles at \nsenior levels in the Federal Government and private industry. \nHis career has been focused on national security. His \nexperience includes serving in capacities at the CIA, including \nas director of security and with the FBI as assistant director \nleading its security division.\n    NBIB is designed with an enhanced focus on national \nsecurity, customer service, and continuous process improvement. \nIts new organizational structure is aimed at leveraging record \nautomation, transforming business processes, and enhancing \ncustomer engagement and transparency.\n    In late 2014, OPM\'s market capacity for contract \ninvestigation services was drastically reduced by the loss of \nOPM\'s largest field contractor. This resulted in an \ninvestigative backlog. 
This backlog was exacerbated by the \ncybersecurity incidents at OPM that were announced in 2015.\n    Looking forward, it is an NBIB priority to address the \ninvestigative backlog while maintaining a commitment to \nquality.\n    To accomplish this, NBIB is focusing efforts in three \nprimary areas: First, we are working to increase capacity by \nhiring new Federal investigators and increasing the number of \ninvestigative field work contracts.\n    Second, NBIB is focusing on policy and process changes to \nensure efficient operations.\n    Third, NBIB has actively worked with customer agencies to \nprioritize the cases that are most critical to our national \nsecurity.\n    Information technology also plays a central role in NBIB\'s \nability to enhance the background investigation process. While \nstill in development, NBIB\'s new system, NBIS, will be operated \nand maintained by DOD on behalf of NBIB.\n    On OPM\'s behalf, this effort is being led by our new chief \ninformation officer, David DeVries. Dave joined us in September \nof 2016. He is the DOD\'s principal deputy CIO, and he has a \nstrong relationship with his former agency.\n    As we work to strengthen the infrastructure and security of \nNBIB, we are also working on fortifying our entire technology \necosystem.\n    As the Federal Government modernizes how it does business, \nOPM has focused on bracing new tools and technology to deliver \noptimum customer service and enhanced security.\n    OPM enhanced its cybersecurity efforts from multiple \nangles. We have added cybersecurity tools and security updates. \nWe\'ve implemented staff and agencywide training, we\'ve hired \ncritical personnel and, finally, we continue to collaborate \nwith our interagency partners.\n    Touching on efforts I\'ve just outlined, our cybersecurity \ntools and security updates include 100 percent multifactor user \nauthentication to access OPM\'s network. 
This is done via the \nuse of PIV cards and major IT system compliance initiatives. \nFurthermore, OPM recognizes that cybersecurity is not just \nabout technology, but it is also about people.\n    OPM has added seasoned cybersecurity and IT experts to its \nalready talented team. OPM has hired a number of new senior IT \nmanagers and leaders and realigned and centralized its \ncybersecurity program and resources under the chief information \nsecurity officer. In this capacity, Cord is responsible for \ntaking the steps necessary to secure and control access to \nsensitive information. OPM also strengthened its threat \nawareness by enrolling in multiple information and intelligence \nsharing programs.\n    In conclusion, the necessary key partnerships and plans \nhave been developed to build out NBIB and improve the security \nand efficiency of OPM\'s IT systems. These structural and \nprocess improvements will enable us to improve timeliness, \nreduce the background investigation. Equally productive is the \nCIO\'s holistic approach which ranges from bringing on qualified \npersonnel to adopting new tools and procedures that enhance the \nsecurity of OPM\'s networks and data.\n    Thank you for the invitation to testify before you today, \nand we welcome any questions you may have.\n    [Prepared statement of Ms. McGettigan follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Chairman Chaffetz. Thank you. Thank you for your testimony.\n    Mr. DeVries, you are now recognized for 5 minutes.\n    My understanding is maybe yourself, Mr. Chase, and Mr. \nPhalen, I don\'t know if you have opening statements or if you \ncare to say anything, but I\'ll recognize each of you. If you \ndon\'t have anything, we\'ll just--Mr. DeVries, do you have----\n\n                   STATEMENT OF DAVID DEVRIES\n\n    Mr. DeVries. Thank you, Mr. Chairman.\n    I\'d like to just take this opportunity to thank you for the \nopportunity to come here. 
As the brief bio was read there, I \ndid come from 30 years in the Army. I transitioned in in 2009 \nto become a senior executive within DOD, and where I spent the \nlast 2-1/2 years as the principal deputy for the DOD CIO.\n    Broad range here, I was asked to come here to OPM and \naccepted that and arrived here in September of 2016. And it\'s a \npleasure being here today, and I enjoy the opportunity to \nanswer your questions here. Thank you.\n    Chairman Chaffetz. Thank you.\n    Mr. Chase.\n\n                    STATEMENT OF CORD CHASE\n\n    Mr. Chase. Thank you very much for the opportunity----\n    Chairman Chaffetz. If you can all bring that--I\'m sorry. \nYou\'ve got to bring the microphones up close, uncomfortably \nclose to make sure we can all hear you.\n    Mr. Chase. Again, thank you very much for the opportunity \nto speak today. One of the things that I want to make clear is \nI ran into the fire to help with the events that occurred in \n2015. In the rebuilding process, we\'ve made a lot of \nadvancements, but it\'s only to get us to a standard \nenvironment. By no means am I up here saying, we\'re successful \nor we\'ve won anything, that we\'re doing our best to improve the \nenvironment to secure the information within OPM and NBIB.\n    With that, there are quite a few items that I\'d be happy to \ndiscuss with all of you on those improvements, and that\'s all I \nhave at this point.\n    Chairman Chaffetz. Thank you.\n    Mr. Phalen.\n\n\n                  STATEMENT OF CHARLES PHALEN\n\n    Mr. Phalen. Thank you, Mr. Chairman. I\'m happy to be here \nand join with you today in a good conversation on this.\n    To echo a little bit what Ms. 
McGettigan mentioned, we are \nfocused in our--as we begin our--or end our 4th month as an \nentity on three key things.\n    One is recovering and increasing our capacity to do \nbackground investigations, improving our capability to gather \ninformation that is relevant to background investigations and, \nfinally, working on those innovations that will help us in \npartnership with the security executive agent and the \nsuitability executive agent to look at what an investigation \nwill look like as we move down into the future.\n    A key to this is building an organizational structure \nbeyond what existed on September 29th and adding capabilities \nin terms of investments and in terms of innovation, and then \nvery importantly, working in partnership with DOD as we build \nout an information technology systems that will be able to \nenhance and inform security investigations across our entire \nspectrum of about 100 customers across the Federal Government.\n    With that, I\'m very happy to be here. Thank you for the \nopportunity today.\n    Chairman Chaffetz. Thank you.\n    Mr. Halvorsen, you are now recognized for 5 minutes.\n\n\n                  STATEMENT OF TERRY HALVORSEN\n\n    Mr. Halvorsen. Good morning, Mr. Chairman, Ranking Member, \nand distinguished members of the committee. Thank you for the \nopportunity to testify before the committee today on the \nDepartment\'s information technology and cybersecurity support \nto the National Background Investigations Bureau.\n    I am Terry Halvorsen, the Department of Defense chief \ninformation officer. You have my opening statement. I think \nmost of you are familiar with my responsibilities, so in the \ninterest of time, I\'ll cut this a little short.\n    The department is responsible for the development and \nsecuring the NBIB IT systems. 
We have brought the full \nexpertise of the department both in IT and cybersecurity \nresources to bear on this problem, and it is our objective to \nreplace the current background investigations information \nsystem with a more reliable, flexible, and secure system in \nsupport of the NBIB.\n    Defense information system under the DOD\'s CIO\'s oversight \nhas established the National Background Investigations Systems \nProgram Management Office to implement this effort. The PMO is \nresponsible for the design, develop, and operation of the IT \nsystems capabilities needed to support the investigative \nprocess to include ensuring that the cybersecurity protections \nand resiliency of these capabilities. The alignment of the \nsystems under DOD assures we leverage all national security \nsystems expertise and capability to protect the background \ninvestigation data. And I assure you, we are doing that.\n    The Department has made significant headway on this \nimportant mission, since I previously testified before this \ncommittee last February, and we are on track to deliver the \ncapabilities needed in an iterative fashion using DOD expertise \nand best industry practices.\n    In fiscal year 2016, the Department funded preacquisition \nactivities to better posture for official standup and funding \nin fiscal year 2017. I would like to thank Congress and members \nof this committee for supporting the Department\'s funding \nrequest for NBIB IT infrastructure and cybersecurity \nmodernization. 
As you know, the fiscal year 2000 continuing \nresolution did include new start authority for the NBIB, and we \nthank you for that.\n    Today, several of the NBIB\'s prototypes are enabling the \nDepartment to work with industry and other partners to discover \ncapabilities that we will provide with a more efficient, \neffective, and secure background investigation system in the \nfuture.\n    Throughout this process, we are actively partnering with \nindustry, integrating commercial feedback into the process to \nensure we are focusing on capabilities and keeping up with the \nchanging pace of technology.\n    I am pleased with the current progress on NBIS that the \nDepartment and our partners have made to date. I look forward \nto seeing what this organization will accomplish as it makes \nprogress toward delivering several prototype capabilities by \nthe end of fiscal year 2017 and an initial operating capability \ncovering the full investigative process in the fourth quarter \nof 2018.\n    This is an important opportunity for the Federal Government \nto strengthen the security of the IT infrastructure that \nsupports the Federal background investigating process. This \napproach utilizes the Department\'s recognized IT cybersecurity \nexpertise, best industry practices while maintaining a \nstreamline centralized governmentwide approach to the \ninvestigative services that the NBIB provides today for more \nthan 100 different Federal agencies.\n    Thank you for this committee\'s continued support, and I \nlook forward to your questions.\n    [Prepared statement of Mr. Halvorsen follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Chairman Chaffetz. Thank you.\n    I will now like to recognize the gentleman from Texas, the \nchairman of the subcommittee on Information Technology, Mr. \nHurd.\n    Mr. Hurd. Thank you, Mr. Chairman. I want to thank you and \nthe ranking member for the continued diligence on this \nimportant issue.\n    Mr. 
Phalen, I\'ve got some basic questions for you. Sorry \nfor the basicness of the questions.\n    You\'re in charge, right?\n    Mr. Phalen. Yes, sir.\n    Mr. Hurd. Do you have a technical background?\n    Mr. Phalen. I do not have a technical background.\n    Mr. Hurd. Who is the person directly reporting to you that \nis responsible for preventing another attack that we saw, like \nthe one we saw a number of months ago?\n    Mr. Phalen. So it is not a direct chain----\n    Chairman Chaffetz. Sorry. Mr. Phalen, if you could move \nthat microphone. Straighten it up and right--right up next--\nthere you go. Thank you.\n    Mr. Phalen. There you go. Okay thank you.\n    There\'s no one specifically in my chain of command that is \nimmediately responsible. We rely on Mr. DeVries and Mr. Chase \nas the CIO and CISO to provide the security for the systems \nthat we are operating today.\n    Mr. Hurd. Copy.\n    So Mr. Chase, you are in charge.\n    Mr. Chase. That is correct, for cybersecurity.\n    Mr. Hurd. Well, thank you for running into the fire.\n    Mr. Chase. Thank you.\n    Mr. Hurd. I recognize the difficulty of the task. In your \nbrief remarks, you talked about the first step was getting OPM \nup to a baseline.\n    Mr. Chase. Correct.\n    Mr. Hurd. Can you take 90 seconds and explain that \nbaseline?\n    Mr. Chase. Sure. That\'s a good question. So one of the \nthings, when I came on board, was to set an appropriate \nstrategy and a pathway forward. So it was the stabilization \nphase. So we understood that there were quite a few systems \nthat were out of compliance. 
So we knew that we had to take \nsteps to get those back into compliance.\n    We also had another layer of engineering tasks, which \nincluded network segmentation, making sure that we had the \nappropriate monitoring tools in place, and then the tuning \nprocess to support that.\n    Throughout fiscal year 2016, we were able to get those \naccomplished but, again, to a standard baseline where we feel \ncomfortable that we can control our environment and we \nunderstand where we were with the IT system boundaries and the \nIT system boundary inventories.\n    Mr. Hurd. So of the IG GAO, they\'ve all done reviews, \nthere\'s been a number of outstanding issues. Many of the \noutstanding issues for years had been on the IG report and the \nGAO high-risk report.\n    Of those documents, how many of those vulnerabilities, that \nhave been identified, are still outstanding?\n    Mr. Chase. So there are still items that are outstanding, \nand we prioritized them based on their criticality----\n    Mr. Hurd. What\'s the highest priority--highest priority \nvulnerability that\'s still outstanding?\n    Mr. Chase. So the IT system compliance was the most \nsignificant vulnerability that was identified in the Fiscal \nYear 2016 FISMA report, as well as the IT security officer \nhiring process, which is something we were able to accomplish \nat the end of this year as well.\n    Mr. Hurd. Good copy.\n    You talked about segmentation. And we saw after the \nbreaches in 2014 and 2015, the hackers were able to basically \nmove, you know, without--with impunity through the network. And \nmy question is what have you done to make life harder on the \nhackers that once they get past your defenses?\n    And I will say my--you know, I begin with the presumption \nof breach, you give an attacker enough time, they have enough \nresources, they are going to get in, so what do you do once \nthey get in, and how have you improved segmentation across the \nOPM network.\n    Mr. Chase. 
So I consider it a level of effort, so I\'m \ntrying to make it as hard as possible for them to get in. \nUnderstanding that OPM is a customer-oriented agency and has to \ncommunicate. Some of the segmentation that we have done is \nidentify all of our major systems and high-valued assets within \nour environment, as well as all the privileged and \nnonprivileged users.\n    We segmented those between each other and set the \nappropriate firewalls and monitoring tools to ensure that one \ncan\'t get to the other and vice versa, and if there are \nattempts to get between the other, the other is stopped and \nflagged, and there\'s a follow-up with that event itself.\n    Mr. Hurd. In my remaining minutes, I want to ask a \nquestion. And I don\'t mean to be indelicate. Why did we get to \nthis situation? And I ask that question in order to learn from \nthis experience so we can take those lessons learned and apply \nit across the Federal Government.\n    Mr. Chase. So I\'m going to say I came post breach, and I \nknow there\'s quite a few lessons learned. There was a majority \nand minority reports issued, there\'s all the audits that were \nissued, and that\'s what I\'ve been going off of and, again, \ntrying to apply those to prioritize the next steps to be able \nto suppress the threat and the risks within OPM.\n    Mr. Hurd. So why--you\'ve been there now for enough time. \nYou\'ve seen the problems. You\'ve probably been shocked by some \nof the deficiencies within the network. Why do you think that \nnetwork got to where it was?\n    Mr. Chase. I would say based on those reports and \ninformation that was put in front of me, there were systematic \nfailures within OPM that led to it.\n    Mr. Hurd. Mr. Chairman, I yield back.\n    Chairman Chaffetz. I thank the gentleman.\n    We\'ll now recognize the ranking member of the subcommittee \non IT, Ms. Kelly from Illinois, for 5 minutes.\n    Ms. Kelly. Thank you, Mr. 
Chair.\n    And thank you all for your testimony here today. This is \nactually the committee\'s third hearing on the OPM data breach.\n    The data breach compromised the information of millions of \nFederal employees. The committee responded almost immediately \nand did an extensive bipartisan investigation into the \nincident. In total, committee staff reviewed more than 10,000 \npages of documents, interviewed multiple witnesses, and had \nnumerous briefings from both Federal and nonFederal entities. I \napplaud the work we have done on the OPM data breach, but I \nmust address the elephant in the room.\n    We are holding a hearing about hacking by a sophisticated \nactor, likely a State actor for a hack that occurred more than \na year ago. But this committee has chosen not to take any \naction to investigate the recent Russian hacking and propaganda \ncampaign to impact our election.\n    Only last month, the NSA, FBI, and CIA concluded with a \nhigh degree of confidence that Russia successfully hacked \ngroups throughout our Nation in an effort to influence our \nelection. In the face of this report from our top intelligence \nagencies, we have done zero oversight into this issue. There\'s \nnot been a single hearing or request.\n    My wonderful chairman on the IT subcommittee asked Mr. \nChase about lessons learned.\n    Mr. Halvorsen, I would like to ask you about lessons \nlearned after the vulnerabilities were exposed in the OPM data \nbreach.\n    Mr. Halvorsen. 
We certainly took the vulnerabilities that \nwere exposed in the database, and I can assure you that both in \nthe OPM legacy systems, the work they\'re doing today and in the \nnew systems, we are taking those lessons learned and making sure \nthat the systems we are building new are built from the ground \nup with cybersecurity baked in, and that we\'ve assumed from the \nbeginning that this system could be penetrated.\n    So there\'s a condition we have that you might hear in the \nNavy termed, it\'s set conditions ZEBRA, it means close the \nwatertight doors. We are making sure that the new system will \nbe segmented enough that we can close the doors. Because \nthere\'s two things you want to stop. Certainly, you want to \nstop people from getting in, but when they get in, you don\'t \nwant your answer to be you\'ve got to shut the system down. \nThat\'s a victory.\n    So we\'re designing this system so that we can fight--and \nthat is the correct word--fight through any attempt to breach \nthis system. And if we get breached, be able to block and \ncontain and then eradicate any malware system loss that gets in \nhere.\n    Ms. Kelly. Thank you.\n    Did the subsequent investigations help in understanding how \nthings could be improved?\n    Mr. Halvorsen. Absolutely.\n    Ms. Kelly. Anybody else want to answer that?\n    Mr. Halvorsen. Yes, they did.\n    Ms. Kelly. And any of the other witnesses?\n    Mr. Chase. I concur.\n    Mr. DeVries. Concur.\n    Ms. Kelly. Thank you.\n    I believe these OPM investigations went a long way in \nassuring the American public that everything possible was being \nlooked at to prevent this from happening again. But it is clear \nthat politics have prevented this committee from being willing \nor able to do the necessary objective and nonpartisan oversight \non the Russian attack. 
That\'s why I, and every one of my \ndemocratic colleagues in the House, have signed on to \nlegislation to establish an independent bipartisan commission \nto investigate foreign interference in the 2016 elections. \nThank you for your response.\n    And, Chairman, I yield back.\n    Chairman Chaffetz. Will the gentleman--gentlewoman yield \nfirst?\n    Ms. Kelly. Of course.\n    Chairman Chaffetz. As I\'ve said publicly, and the \ngentlewoman should know, given that it involves sources and \nmethods, the United States Congress is organized such that the \nHouse Intelligence Committee takes the lead on those things. We \ncan investigate anything at any time, but I do have limits in \nthat I cannot investigate sources and methods which clearly is \nthe purview of the House Intelligence Committee.\n    I would also suggest that we were the first committee to \ncreate a subcommittee specifically on information technology. \nWe were the first to dive into the OPM data breach, and we have \nbeen pushing from the Department of Education and others to \nmake sure that we do have the proper defenses in place. And to \nsuggest that it\'s only one particular country would be naive at \nbest. And it could be everything from a guy in a van down by \nthe river down to a Nation State.\n    Ms. Kelly. We know it was the Russians in this particular \ninstance.\n    Chairman Chaffetz. And I think that should be investigated. \nI have said as much publicly, and I\'ve also--I think everybody \nshould know, every Member of Congress should know that the \nHouse Intelligence Committee is really the only organization \nwithin Congress that is set up to be able to do that.\n    Mr. Cummings. Would the gentlelady yield, please?\n    Ms. Kelly. Yes, I will.\n    Mr. Cummings. Very briefly, Congressman Swalwell and I, \nover a month ago--as a matter of fact, in December, filed a \nbill which asks that we have a 9/11-type investigation. 
And the \nreason why we did that is because we didn\'t want it to get \nmired in a political battle like the Benghazi Committee did, \nSelect Committee.\n    And it would be patterned after the 9/11 commission so that \nwe would bring America\'s best experts to the table. It would be \nan equal number of Democrats, an equal number of Republicans, \nand that they would look at this thing carefully--and with the \nchair\'s indulgence, I need to explain this--and they would come \nback with recommendations. They would have subpoena power.\n    Then we refiled that bill in January when the new session \ncame in. Every single Democrat in the Congress signed on to \nthat bill. Not one single Republican signed on. And one of the \nreasons why we did that is because we felt we didn\'t move to \ncommon ground; we need to move to higher ground, that this was \nsuch a serious attack on our democracy, and our election \nprocess, that it deserved that kind of attention. And so that \nbill is still out there. Only Democrats have signed on.\n    One of the things we were concerned about is the chairman \nof the Intelligence Committee, Mr. Nunes, was a part of the \ntransition team for President Trump. And we just felt that we \nneeded to take the complete thing out and let an independent \nbody do it. And I just wanted to explain that to the \ngentlelady.\n    Thank you very much. And thank you for yielding. Nice job, \nby the way.\n    Chairman Chaffetz. I\'ll now recognize the gentleman from \nFlorida, Mr. DeSantis, for 5 minutes.\n    Mr. DeSantis. Thank you, Mr. Chairman.\n    Ms. McGettigan, I know after the OPM breach there\'s several \nmonths people were, kind of, notified. But I\'ve had people, \nconstituents, just wonder, I mean, what has been done to \nmitigate the potential damage to people whose files were \ncompromised?\n    Ms. McGettigan. 
Thank you for that question.\n    We have entered into--in December, we entered into a \ncontract and identity protection contract. We expanded the \ncoverage that we already had. And we are moving toward having \ncoverage for 10 years. The current contract covers all those \naffected by the two breaches, and it runs out in December of \n2018 during----\n    Mr. DeSantis. What would that mean, just for somebody who \nhad their stuff compromised?\n    Ms. McGettigan. I\'m sorry. We have identity protection \nservices and credit monitoring. So people have received--people \nwho were affected have received information on how to sign up \nfor the credit monitoring, although they are covered by \ninsurance whether they sign up or not.\n    And currently, the ceiling on the insurance we have \nexpanded to $5 million, and we are moving toward complying with \ncongressional direction to have the contract go for 10 years of \ncredit monitoring.\n    Mr. DeSantis. Okay. Good. I mean, I think that we in this \ncommittee--and I applaud the chairman for being on this issue. \nAnd we hear about these other hacks and stuff. This was \ncatastrophic. I mean, you\'re talking about these files with the \namount of information that\'s there, and I had to go through it \nin the military, and other people, perhaps, you guys have gone \nthrough it, too, there is a lot, a lot of information there, \nand it\'s a massive vulnerability. So I hope that what\'s being \ndone is going to be effective.\n    Let me ask--this may be Mr. Chase or maybe someone else \nwant to take this. If OPM suffers another compromise and NBIB \napplications and its systems are breached, who makes the final \ncall as to whether or not the compromised applications are \ntaken offline or continue to run?\n    Mr. Halvorsen. If it\'s in the new systems that are \ndeveloped, that is me.\n    Mr. DeSantis. Do you agree with that?\n    Mr. DeVries. For the new system, yes. 
Right now we\'re \ncurrently operating underneath the existing legacy system.\n    Mr. DeSantis. What\'s the answer----\n    Mr. DeVries. The answer is the CIO gets the report of it \nfrom the CISO, and the director makes the call on it.\n    Mr. DeSantis. Okay. Let me ask you this, because the \nmajority staff on this committee had a report indicating that \nthere were certain tools following some of the previous \nbreaches that were bought, and then they were delayed in \nterms of their deployment for a variety of reasons, but one of \nthem, that they had to make certain notification to relevant \nunions.\n    So what kind of notifications is the IT security team \nrequired to make before deploying these tools, and what is the \npurpose of the notifications?\n    Mr. Chase. So from post breach coming in, any tool that we \ngo out on the street to market and do our research on is fully \nvetted internally. We have a procurement office inside of OPM \nthat works with us to make sure that the appropriate language \nis put into that, and then we move to the process of deploying \nthat tool.\n    Mr. DeSantis. But in terms of the delays, have there been \ndelays because of notification requirements?\n    Mr. Chase. I\'m not aware of that specific statement.\n    Mr. DeSantis. Okay. Had there been other barriers or \nchallenges in trying to timely deploy some of these tools, \nbureaucratic roadblocks?\n    Mr. Chase. Again, post breach, based on the situation--and, \nagain, I mentioned earlier stabilizing, the procurement office \nhas been very, very flexible with me and making sure that they \ncan give us the time----\n    Mr. DeSantis. But this was so--the implication is there may \nhave been a problem prebreach?\n    Mr. Chase. I\'m not aware outside of what I\'m reading in \nthose reports.\n    Mr. DeSantis. Do you think that it was a problem?\n    Mr. DeVries. 
I have no firsthand knowledge of that, but \njust from the acquisition side and having been in this field \nfor many years, yes.\n    Mr. DeSantis. Okay.\n    Well, I will yield back the balance of my time.\n    Chairman Chaffetz. I thank the gentleman.\n    I now recognize the gentleman from Massachusetts, Mr. Lynch \nfor 5 minutes.\n    Mr. Lynch. Thank you, Mr. Chairman.\n    And I want to thank our witnesses for your great work and \nfor your willingness to help us. I want to revisit the issue \nraised by Ms. Kelly about the unwillingness or the inability of \nthe committee to really investigate what\'s going on with the \nRussian hacking.\n    But before I get into that, let\'s talk a little bit about \nthe issue that brings you here.\n    In June and July of 2015, OPM publicly disclosed that its \ninformation technology systems had been experiencing massive \ndata breaches over some time, compromising the Social Security \nnumbers, birthdates, home addresses, background investigation \nrecords, and other highly sensitive personal information \nbelonging to about 22 million individuals.\n    These cyber breaches were not only devastating in terms of \ntheir impact on the financial security of their victims, \nrather, they also posed a grave national security threat as the \nextensive security clearance questionnaires, about an 80-page \ndocument, that really drills down on folks and was filled--were \nfilled out by nearly 20 million Americans who have security \nclearance rights and privileges, and the names and the \ninformation of those individuals were included among the data.\n    I had asked--that was a--that was a terrible--you know, \nsome people call that a--like a cyber Pearl Harbor, because all \nour folks who are actually actively interested in working on \nour national security organizations, you know, basically, they \nwere giving up. And so I asked at a very basic level, I asked, \nMs. 
Archuleta, who was running the OPM at the time, I said, \nhave you actually gone back and encrypted the Social Security \nnumbers of these employees? Were they encrypted? And she said, \nno, they were not. So--so all those Social Security numbers of \nthose 22 million people went out.\n    And then a year later, we had one of her successors--not \nher successor, but one of the people under her, I asked, again, \nhave we encrypted the Social Security numbers of the people, \nthe 22 million people? And they said there are still--there are \nstill vulnerabilities we still haven\'t been able to do that.\n    So let me ask, have we encrypted at least the Social \nSecurity numbers of these 22 million people?\n    Mr. DeVries. Sir, I\'ll take that for the record. Yes, we \nhave begun a vigorous program in 2016 to encrypt the databases. \nSo it\'s not just encrypting the Social Security number, but it \nis the databases that contain those critical information.\n    Mr. Lynch. Are we done with that yet?\n    Mr. DeVries. We are not completely done across the whole \nOPM environment, but the HVA systems we have gone through, and \nI have one remaining system to be done, and that is scheduled \nfor next month. To complete the----\n    Mr. Lynch. What percentage of the 22 million have been \nencrypted? Can you give me an estimate on that?\n    Mr. DeVries. Of the NBIB system, which contains those \nrecords there, all but one have been encrypted.\n    Mr. Lynch. So what\'s lacking in percentage?\n    Mr. DeVries. One major database there on the mainframe.\n    Mr. Lynch. All right. You\'re not answering my question, \nbut--look, we need to get that done. Okay?\n    Let me go on to the Russian thing. Look, we\'ve got--I \nunderstand that the chairman\'s resistance on sources and \nmethods, I get that. 
But we have--and I would like to introduce \nthese into the record.\n    First of all, I would like to introduce into the record my \nletter from December 15th--14th asking for a hearing on the \nRussian hacking.\n    Secondly, I\'d like to enter into the record an FBI \ninvestigation regarding Russian malicious cyber activity. They \ndid a whole investigation on this. It\'s called ``grisly \nsteppe,\'\' s-t-e-p-p-e. I want to enter into the record a \nbackground to assessing Russian activities and intention into \nrecent U.S. elections, the analytical process and cyber \nincident attribution. That\'s produced by the offices of the \ndirector of National Intelligence.\n    I would like to submit for the record, a statement for the \nrecord, worldwide threat assessment by James R. Clapper, \ndirector of the National Intelligence, February 9, 2016.\n    I ask for unanimous consent.\n    Chairman Chaffetz. Without objection, so ordered.\n    Mr. Lynch. Thank you. So we have enough here. Just with \nthis here, we have enough here to do an investigation. And this \nis just the stuff that is unclassified that the intelligence \ncommunity has put out there. We don\'t have to talk about----\n    Chairman Chaffetz. Will the gentleman yield?\n    Mr. Lynch. Yes. Sure I\'ll yield.\n    Chairman Chaffetz. Two points. Number one, sources and \nmethods are the sole jurisdiction of the intelligence \ncommunity.\n    Number two, have you really thought this through? Do you \nreally think it\'s appropriate for this committee to investigate \nthe specific hack of the DCCC?\n    Mr. Lynch. Absolutely.\n    Chairman Chaffetz. Because if you are going to do an \ninvestigation of the DCCC, we\'re going to have to dive into a \npolitical party\'s infrastructure operation\'s data. I don\'t \nthink that\'s appropriate. If you----\n    Mr. Lynch. Let me--well----\n    Chairman Chaffetz. Here\'s the difference. Here\'s the \ndifference----\n    Mr. Lynch. Reclaiming my time. 
Actually, you know, you\'re \nusing all my time here.\n    Look, look they hacked--they hacked the American election. \nThat is worth looking into----\n    Chairman Chaffetz. There\'s no evidence of that. And \nPresident Obama said that that wasn\'t even possible.\n    Mr. Lynch. This is high confidence. This is our own FBI, \nhigh confidence that they hacked the election, that they \ninterfered with the election. It may not have been outcome \ndeterminative. I\'m not saying that. But based on the FBI, based \non the office of--the director of national security, they\'re \nsaying, yeah. And also, the CIA, they\'re in agreement that the \nelections were hacked.\n    Now, I\'m not saying they affected the outcome, but they \ntried. It may have been just chaos that they wanted to create, \nbut they interfered with our elections. And if we\'re turning a \nblind eye to that, that\'s a shame. That\'s a shame. That\'s core \nto our democracy.\n    And look, if we\'re just going to say, oh, that\'s somebody\'s \nwork, that\'s not anybody else\'s work. That\'s our work. There \nare plenty of reports here we can talk about, and we ought to \ndo it publicly, about the damage done to the confidence in our \nelectoral system. That\'s what\'s important here.\n    People have to--people have to fear that we have an \nintegrity--a certain integrity in our own systems and that \nother countries are not allowed to interfere with that. That\'s \na red line. We should not allow that. And it should be a very \nserious obligation of this committee to make sure that doesn\'t \nhappen again.\n    And we need all the committees of jurisdiction to work on \nthis. We\'re a committee of unlimited jurisdiction. The \ngentleman has said that quite frequently. That\'s the strength \nof this committee. And I think this is--look, they hacked our \nelection. This should be bipartisan. This should not be \nDemocrat versus Republican.\n    Chairman Chaffetz. 
The gentleman\'s time--the gentleman\'s \ntime is well expired.\n    As I said, I do think there should be--as I said when it \nhappened, there should be an investigation. There should be a \nprosecution. They should go out----\n    Mr. Lynch. These are the investigation of the committee.\n    Chairman Chaffetz. Hold on. The gentleman\'s time has \nexpired.\n    The Intelligence Committee is the only one that can look at \nsources and methods. That is the rule of the House.\n    Mr. Lynch. We won\'t look at sources and methods. We\'ll just \nlook at what the agencies themselves have made public.\n    Chairman Chaffetz. The gentleman\'s time has expired.\n    And if you are going to do a proper investigation, as this \ncommittee did, with the breach at the Office of Personnel \nManagement, you have to look at the two sides of the breach, \nthose that were trying to do it, which this committee could not \nlook at in the OPM breach. Again, that is the purview of the \nHouse Intelligence Committee.\n    But we could look at those that were breached and how inept \ntheir systems were and how bad it was set up and how the \ninspector general was warning of these things. That, we did do.\n    Mr. Lynch. We had nine separate investigations of Hillary \nClinton, nine separate investigations----\n    Chairman Chaffetz. The gentleman\'s--the gentleman is out of \nthe order. The gentleman\'s time is expired. I gave you well \nmore than 5 minutes.\n    What I think is inappropriate. And I\'m trying to answer the \nquestion. It would be wholly inappropriate for the United \nStates Congress, for us to dive into the DCCC. You might want \nto do an investigation yourself of the DCCC. I don\'t think that \nthe United States Congress should be diving into their \nindividual private systems of a political party. I think that\'s \ntoo broad--if you want me to start issuing subpoenas of the \nDCCC, I\'m probably not going to do it, but go ahead and suggest \nit.\n    Mr. Lynch. 
How about some of the FBI----\n    Chairman Chaffetz. The gentleman\'s time has expired.\n    Mr. Lynch. You asked me a question.\n    Chairman Chaffetz. No, I did not. I did not.\n    Mr. Lynch. And I\'m trying to respond. You asked me if I \nwanted----\n    Chairman Chaffetz. I did not ask--the gentleman is out of \norder.\n    Mr. Cummings. Would the chairman yield? Would the chairman \nyield? I think we need to calm down here a little bit.\n    Mr. Chairman, you have made some statements, and I just ask \nyou to give him the courtesy of a minute and a half just to \nrespond.\n    Chairman Chaffetz. No, I will not. I will not.\n    Mr. Cummings. Well, would the gentleman let me finish? \nThank you.\n    This has been an attack on our democracy, Mr. Chairman. And \nMr. Lynch is one of our greatest members, and the passion that \nhe has expressed is not limited to him, it\'s to many Americans. \nThey feel as if all of our--the things that underpin our \ndemocracy have been attacked over and over again.\n    And as I said yesterday, we keep saying we\'re going to wait \ntill certain things happen with President Trump. They are \nhappening now.\n    Chairman Chaffetz. Can I ask that----\n    Mr. Cummings. And if the gentleman would just give me 30 \nmore seconds.\n    And all I was saying is I was hoping that in--I mean, as a \ncourtesy to the gentleman, I just wanted him to be able to \nrespond.\n    Chairman Chaffetz. I\'d like to ask you a question, if you \ndon\'t mind, to my ranking member. Does the ranking member \nbelieve that this committee should do an investigation of the \nDCCC?\n    Mr. Cummings. I think that we can look at certain things. I \nknow I am very familiar with sources and methods, but I think \nwhat the gentleman is saying is let\'s just look at the things \nthat are--that are unclassified. 
And apparently, he has his \nreports in his hand, and we can see where we go from there.\n    Number two, as I said before, in answering the chairman\'s \nquestion, we have a bill that would--I think, would resolve \nthis issue very nicely.\n    I think the thing that I\'m most concerned about, and I\'m \nsure Mr. Lynch is concerned about is that we cannot just turn a \nblind eye to when we have 17 intelligence agencies who \nunanimously agree that there has been hacking with regard to \nour elections.\n    And there seems to be--one of the things that I\'ve noticed, \nthis has been an effort, not by you, Mr. Chairman, but by \nothers to say, okay. It didn\'t affect the results. We don\'t \neven have to get there. Forget it. I accept President Trump as \nmy President. I\'m looking forward to meeting with him next \nweek. But, the idea that Russia could come in and interfere \nwith our elections, all of us should be going berserk. I mean, \nwe should be--I mean, just really, really upset. And so all I\'m \nsaying to you is that I think all the gentleman is saying, is \nhe\'s got documents that you\'ve already entered into the record \nthat are unclassified, want to look at those. Now, how far we \ncan go is another thing.\n    But, again, Mr. Chairman, you and I know what happened with \nthe Benghazi Committee. Basically, it became a partisan fight.\n    Chairman Chaffetz. I\'ll--hold on. The gentleman\'s time is \nexpired here. You\'re going well--you\'re going well outside the \nscope of this----\n    Mr. Cummings. No, I\'m not.\n    Chairman Chaffetz. Yes. Yes.\n    Mr. Cummings. I\'m not and I would pray that you not do an \nIssa on me.\n    Chairman Chaffetz. I\'ve given you ample time. I\'ve given \nyou more time----\n    Mr. Cummings. Don\'t do an Issa on me, please. Don\'t do \nthat.\n    Chairman Chaffetz. No. I\'m asking you a simple question. I \njust want an answer to a simple question. If you don\'t want to \nanswer it, it\'s fine.\n    Mr. Cummings. 
I've answered it. I've told you.
    Chairman Chaffetz. I'm going to ask one more time.
    Mr. Cummings. Yes. I've answered you. Okay? Yes. I just
answered you.
    Chairman Chaffetz. I just wanted----
    Mr. Cummings. I just answered you.
    Chairman Chaffetz. Okay. I'm just saying----
    Mr. Cummings. You're not listening. What I said was what
the gentleman asked. All he asked--he said, take the
unclassified information. Do not turn a blind eye to an attack
on our electoral system. Let's look--let's go as far as we can.
When you take it to the Intelligence Committee, what you've
done is you've gotten Mr. Nunes, who is on the transition--who
is on the transition committee for President Trump.
    And as much as I like him, I want--as the gentleman asks,
he wants an investigation that will have integrity. And I--I
appreciate integrity over and over again. Like I've said to
you, Mr. Chairman, and to our committee members, when you deal
with integrity and transparency, it's like money in the bank.
    Mr. Cummings. And so I would just ask you to just work with
us and see what we can come up with. That's all.
    Chairman Chaffetz. My last point. My last point. I don't
think it's appropriate. I disagree with the attack on the
integrity of the Intelligence Committee. I disagree with that.
I think they are of integrity. I think Mr. Schiff and Mr. Nunes
are men of integrity and they run that committee appropriately.
And I'm sorry you don't feel that way.
    Mr. Cummings. I didn't--now, see, now you done put
something in my mouth. Let me be real clear. No, no, no, no,
no.
    Chairman Chaffetz. I get to make my point. I'll let you----
    Mr. Cummings. No, you said something that's not accurate.
What I said was--I'm not questioning the integrity of Mr. Nunes
or Mr. Schiff. Mr. Schiff--both of them I have a lot of respect
for.
What I'm saying is what the gentleman said, is that we
want a report--when people look at the situation--I'll be very
brief. When people look at the report and they see somebody on
the transition team for Mr. Trump, then it becomes
questionable. All I'm saying to you as to the world, we want--
that's why we filed the bill that we filed. And that's why
we're asking for more like an independent investigation. That's
all.
    Chairman Chaffetz. Last point. Last point. Last point. And
we're going to recognize Mr. Meadows. We've gone way past the
time here.
    Mr. Cummings. Thank you.
    Chairman Chaffetz. And I ask this rhetorically. Do the
Democrats truly want this committee to do an investigation of
the DNC and the DCCC?
    Mr. Lynch. Yes, we do.
    Chairman Chaffetz. Wow. Okay. We're now going to
recognize----
    Mr. Lynch. A lot of these emails, they're already public.
They're already public. They leaked them. We already know what
they are, those damaging ones.
    Chairman Chaffetz. Let's recognize the gentleman from North
Carolina, Mr. Meadows.
    Mr. Meadows. Thank you, Mr. Chairman. We're going to
refocus on the focus of this hearing. I wish that we would have
as much passion that is concerned about the well-being of the
22,000 people that got hacked, the potential security breaches
that are there, instead of losing or winning an election. I
wish we'd have as much passion about that. Let's start to focus
on the real aspects of what we need to be doing.
    There are other hacks with the IRS. Let's focus on the
hardworking American taxpayers. You know, I'm sick and tired of
hearing the repeated talking points over and over again. There
is no one who will work in a more bipartisan way to get to the
truth than me. But I disapprove of the talking points that
continue to get repeated to undermine the credibility of a duly
elected President.
    Mr. Cummings.
Will the gentleman yield?
    Mr. Meadows. No, I will not.
    Let me go into this particular issue. When we're looking at
this, you mention that you have 100 percent dual authentication
throughout the system. Is that correct?
    Ms. McGettigan. Yes, sir. That's my understanding. Yes,
sir.
    Mr. Meadows. All right. And you're filling some very big
shoes. I happen to be a fan of Ms. Cobert. She actually--we
come from very different sides of the aisle, but she was always
very responsive to this committee and to me personally. And so
I want to make sure that we can clarify, perhaps, your
testimony. Because the 100 percent dual authentication is
really just at the front door. Is it not? Because we have
indications from the IG that there is still a whole lot within
the system, that if they get in the front door, that only 2 of
46 systems inside would require that. Is that your
understanding? You may want to refer--I think the CIO wants to
jump in here.
    Ms. McGettigan. I think I will defer to Mr. DeVries.
    Mr. DeVries. Thank you, sir.
    Ms. McGettigan. Thank you.
    Mr. DeVries. Sir, we have multifactor authentication in
there for the users, the standard users who come onto the
network. That is correct, 100 percent to get onto the networks,
they require their----
    Mr. Meadows. But once in----
    Mr. DeVries. No, once they get in, they are still then
authorized--their access is based upon those attributes and
their roles of what they're assigned to. So they're not
given----
    Mr. Meadows. So how do you respond to the IG that said only
2 of 46 systems would actually, of the major applications,
would require PIV authentication? Is that not accurate?
    Mr. DeVries. I'd like to go back and look at that. I'll
defer to my CISO here, but that is--that does not ring true to
how we----
    Mr. Meadows. Because this isn't my first rodeo. I've been
here with a number of folks.
In fact, I called for the
resignation of the OPM director when there were similar terms
that I'm hearing today that give me concern that we're making
progress. And I guess, how do we define success? At what point
will we have all the major applications? And Mr. Lynch talked
about the encryption.
    Mr. DeVries. Correct.
    Mr. Meadows. Now, we've been promised encryption over and
over and over again. And yet even today, we're not there with--
so are all the Social Security numbers encrypted today?
    Mr. DeVries. No, sir.
    Mr. Meadows. Okay. When will they be encrypted?
    Mr. DeVries. But I have----
    Mr. Meadows. Just timeframe. When will they be encrypted,
all the Social Security numbers? I mean, that's basic. I've got
encryption better than that on my home computer, and here we
are, we have--is it a lack of resources?
    Mr. DeVries. Sir, it was somewhat due to that and also
schedule change here on the mainframe. That's the only one that
is--that was delayed. And I've reenergized that one back in
there. That is 2017.
    Mr. Meadows. So when is it going to be done?
    Mr. DeVries. End of 2017, sir.
    Mr. Meadows. And so we will have everything encrypted by
the end of 2017. Fiscal year?
    Mr. DeVries. The HVA system, the high value assets, which
includes the Social Security numbers and so forth, will be
encrypted this year. Yes.
    Mr. Meadows. All right. In terms of segmentation, how do
you segment a legacy system? Either one of you can answer it.
    Mr. Chase. So, again, as a part of our strategy, we looked
at all the systems and all the IT system inventories that we
had out there. We determined which ones----
    Mr. Meadows. So are you going from a zero trust?
    Mr. Chase. That's the idea, is to use that zero trust
tenet. Absolutely.
    Mr. Meadows. So you rushed into the fire----
    Mr. Chase. Ran into it, sir.
    Mr. Meadows.
--and so as you ran into the fire, you decided
from a zero trust aspect that you're going to look at every
single system.
    Mr. Chase. Absolutely.
    Mr. Meadows. All right. So we can tell all of those
employees or potential employees or those who have had their
personal life history looked at that by the end of 2017, that
you have great assurance that we have the most up-to-date,
sophisticated cybersecurity protection that they will ever see
and it will be segmented in a way that if somebody gets in the
front door, that they won't be able to go through the whole
system. Is that correct?
    Mr. Chase. That is correct. And there's also many, many
compensating controls that reside in the network. So we have
our network analysis tool, we have our data loss prevention
tool. We have malware detection tools. And then we actually
have a 24/7 security operation center that is on glass watching
for those events to come through.
    Mr. Meadows. I yield back. I thank the chairman.
    Chairman Chaffetz. I thank the gentleman.
    I will now recognize the gentlewoman from Florida, Mrs.
Demings, for 5 minutes.
    Mrs. Demings. Thank you, Mr. Chairman.
    I want to say good morning to all of you and thank you for
being here. Before I get into my question, I feel compelled to
make this comment. I spent 27 years in law enforcement. I
served as the chief of police. So I am very concerned about the
issue that we're discussing today. Security breaches of any
kind, I believe, deserve every bit of attention and every bit
of passion. I've been here a little shy of a month, but what I
did not sign up for is what I believe was the blatant
disrespect that was displayed to each other by my colleagues.
And so I believe if we're going to solve our Nation's problems,
civility has to be at the center of it.
    And with my question, Director Phalen, last November, the
New York Times and other media outlets reported that while
meeting with the Prime Minister of Japan, then President-elect
Trump allowed his daughter and son-in-law to sit in during all
or part of the meeting. In reporting about this meeting, the
Times found, and I quote, ``That anyone present for such a
conversation between two heads of state should, at a minimum,
have security clearance. What we do not--we do not know whether
President Trump has stopped this practice of allowing family
members who do not have security clearances from attending
meetings with dignitaries and other foreign officials.''
    Director, I ask you, what are the security risks for having
individuals who do not have the appropriate security clearances
present during classified meetings or briefings? Thank you very
much.
    Mr. Phalen. Thank you, Representative. Thank you for the
question. The determination as to whether an individual has a
security clearance is left to the head of the agency with whom
they are employed or otherwise contracted with. And, of course,
the situation between a President-elect and the President is a
different situation. The President has the ability to grant a
clearance or grant access to classified information to anyone
who they please. It is at their discretion.
    And the--I am not aware of any of the details around the
meeting that occurred with the leadership of Japan. I just
don't know any of the details about that, whether anything of
classified nature was discussed or not. But it would--in the
current situation, it would be the President's discretion to
allow individuals even without clearances to know or have
access to classified information.
    Mrs. Demings. So each department would make that
determination.
Is that what you said? There are no basic
general guidelines for persons to have security clearances in
certain situations or positions?
    Mr. Phalen. There are general guidelines and there are--
specifically, there are investigative standards which we follow
when conducting an investigation. The agency who ultimately
grants the clearance follows an adjudication set of guidelines,
what are the key factors that one would look at when making a
determination whether this individual is eligible or should be
eligible to receive classified information. And then as a
separate act, the agency then--if the answer's affirmative,
they are eligible, the agency would make a determination as to
whether to actually brief them into a national security program
or not, give them that clearance.
    Mrs. Demings. Okay. Thank you very much.
    Chairman Chaffetz. Does the gentlewoman----
    Mr. Connolly. Would----
    Chairman Chaffetz. Does the gentlewoman yield back?
    Mr. Connolly. Would my friend yield?
    Mrs. Demings. I yield. I'm sorry. Thank you. I yield.
    Chairman Chaffetz. She's yielding. To Mr. Connolly or----
    Mr. Connolly. To Mr. Cummings.
    Mrs. Demings. To Mr. Cummings.
    Mr. Cummings. I just wanted to let Mr. Meadows know, when I
asked you to yield, the only thing I was going to say is before
you got here, and I will share this with you, in my opening
statement, I talked about all the efforts that we have made in
this committee with regard to the other breaches. I listed them
one by one, all the many things that we've done. And I said it
in a way that--because President Trump has said that we
suddenly got excited about the Russian hacking. But I laid it
out. And again, I will share my opening--it was a courtesy to
you, because I didn't want anybody to think that this is
something new to us.
    We've spent, in a bipartisan way, hours upon hours upon
hours upon hours trying to deal with these.
And I give the
credit--give a lot of credit to the chairman. And that's all I
was trying to tell you.
    Mr. Meadows. Will the gentleman yield?
    Mr. Cummings. And I didn't want the public to be left with
the impression that we haven't been working on these acts.
Every single time.
    Mr. Meadows. Will the gentleman yield?
    Mr. Cummings. Of course. I only have----
    Chairman Chaffetz. It's the gentlewoman's time.
    Mr. Meadows. Will the gentlewoman yield for just a comment?
A nice comment.
    Mrs. Demings. Yes. Yes. Certainly. Please, Mr. Meadows.
    Mr. Connolly. We'll be the judge of that.
    Mr. Meadows. The gentleman from Maryland is a good friend,
and a trusted one. And in the passion of my not yielding back
to him, I don't want anything to be inferred about our
relationship and our willingness to work in a bipartisan way.
And I apologize for my passion in not yielding. But I also want
to stress that our friendship and our willingness to get to the
bottom line of it is unyielding and unchanging. And I thank the
gentlewoman.
    Chairman Chaffetz. The gentlewoman yields back.
    We'll now recognize the gentleman from Ohio, Mr. Jordan,
for 5 minutes.
    Mr. Jordan. I thank the chairman.
    Mr. Halvorsen, you are the chief information officer for
the entire Department of Defense?
    Mr. Halvorsen. That is correct.
    Mr. Jordan. And in your testimony, your written testimony,
you said that, ``DOD CIO is responsible for all matters
relating to the Department of Defense information enterprise,
including cybersecurity for the Department. In this capacity,
DOD CIO is responsible for oversight of the Department's
efforts to design, build, operate, secure, defend a new IT
system to support the background investigative processes for
the NBIB.'' Is that all accurate?
    Mr. Halvorsen. It is.
    Mr. Jordan. Okay.
Are you familiar, then, with the December
6 Washington Post story, front page, Pentagon Hid Study
Revealing $125 Billion in Waste? Are you familiar with that
article?
    Mr. Halvorsen. I am familiar with that article.
    Mr. Jordan. Do you--well, let me ask you--let me go back
and ask you this: Do you have the resources you need to do
everything I just read in your testimony, help NBIB which has
100 Federal agencies that's got to make decisions about--
regarding individuals who work there and everything at the
Department, do you have the resources you need to do your job?
    Mr. Halvorsen. We have the resources to make sure that we
develop and design an NBIB new system that is secure and can
attack and defend the data.
    Mr. Jordan. And so you think you got adequate resources to
do everything you're tasked to do.
    Mr. Halvorsen. I think I have adequate resources to
everything I'm tasked to do specific to this NBIB issue.
    Mr. Jordan. But not overall? Is that what you're saying?
    Mr. Halvorsen. Well, I don't think anybody here would say
they have all of the resources----
    Mr. Jordan. You always want more. I get that. But you are
familiar with the story that was on the front page of the
Washington Post last month, or 2 months ago?
    Mr. Halvorsen. I am.
    Mr. Jordan. And the findings of the McKinsey & Company
study, $125 billion in waste at the Pentagon, do you agree with
that--those findings? Or, I mean, they talked about as many
full-time employees in back office personnel and in purchasing
bureaucracy, as many employees there as we actually have--
almost as many people there as we have in troops in the field
or troops in total. Do you agree with what you know about that
study?
    Mr. Halvorsen. We were--do I personally agree with that
study? I do not. Is that the reason I'm here to testify? No.
So
if you want more data on that, I will take any questions you
have for the record.
    Mr. Jordan. Okay. Were you--were you interviewed or talked
to in the course of the study by McKinsey & Company? Did they
talk to you?
    Mr. Halvorsen. I have talked to McKinsey & Company, yes.
    Mr. Jordan. Multiple times? I mean, I'm just kind of
curious.
    Mr. Halvorsen. For the study, I believe once. But I'll get
that confirmed. But I have talked to McKinsey in the course of
my business.
    Mr. Jordan. The article reports here on the front page here
above the fold, the report issued in January 2015 identified a,
quote, ``clear path for the Defense Department to save $125
billion over 5 years.'' I think this is important too. What the
study said, what the article reports that the study said was
that this savings in bureaucracy waste and other areas is money
that could go into weapon systems and our troops. Frankly,
where I think most Americans would want their tax dollars and
resources to go.
    The article continues, ``The plan would not have required
layoffs of civil servants or reductions in military personnel.
Instead it would have streamlined the bureaucracy through
attrition and early retirements, curtailed high priced
contractors,'' and the last clause says, ``and made better use
of information technology.''
    Do you have any idea what they're referring to there, make
better use of information technology?
    Mr. Halvorsen. Yeah, I do. I mean, if you're asking me do
we think we could do better with information technology, I
think I testified in numerous hearings that do I believe we
should continue to adopt best commercial practices? Should we
bring more commercial systems on into DOD and other government?
I said we should. I believe there are ways to reduce some money
in our IT business. Do I think that number is correct,
personally? I do not.
    Mr. Jordan.
So a little bit ago you said you didn't agree
with the study. Now you sound like you do agree with a lot of
parts of the study.
    Mr. Halvorsen. No.
    Mr. Jordan. Is it both or----
    Mr. Halvorsen. No. I said I agree that there are
efficiencies to be found in the IT systems. By doing what we
are doing, I think we will achieve some. I do not think the
numbers in the study, my personal opinion, they're not correct.
I will take any more questions you have----
    Mr. Jordan. So you think the $125 billion number is a
little high. Would you hazard a guess at what kind of savings
taxpayers could see if part of what McKinsey found in their
study was implemented and how we could better get money to
weapon systems and to troops?
    Mr. Halvorsen. No, I will not hazard a guess.
    Mr. Jordan. Okay. Mr. Chairman, I just think this is an
important area where we need to--I know it's not the sole focus
of and not the primary focus, I should say, of this hearing
today, but this is an area we need to study. If we can get more
money into upgraded weapon systems and to our troops, and if we
got this potential of waste, even the chief information officer
says there's some waste there. Maybe not to the degree that the
article reports, but certainly any we can find and savings we
can find I think makes sense.
    With that I yield back.
    Chairman Chaffetz. Thank you. Point well taken.
    I now recognize the gentleman from Maryland, Mr. Raskin,
for 5 minutes.
    Mr. Raskin. Mr. Chairman, thank you very much.
    I wanted to start actually by responding, Mr. Chairman, to
the question that you posed about whether or not the Democratic
National Committee would be a proper object for inquiry and
investigation by this committee. And my first reaction to it, I
think, was sympathetic to you, which is no, not really, because
it's not part of the government. It's a private entity for most
purposes.
When you think about the Democratic National
Convention, where it's going to be located, who's going to
speak at it, that's a private matter. It's a private
association.
    On the other hand, it struck me that the Supreme Court has
said that political parties are public instrumentalities
capable of State action for certain purposes. So when you go
back and look at Smith v. Allwright, Terry v. Adams, the white
primary line of cases, the Supreme Court said a political party
could not exclude from participation people based on race. So
the Equal Protection Clause applied directly to political
parties, that they were not private entities for those
purposes. They were public instrumentalities.
    And in lots of other cases, the Supreme Court has treated
political parties as public instrumentalities and kind of
public carriers for the purposes of effective action in
democracy. And I think if you look at it from a global
perspective, that is the role that political parties play. The
DNC, the RNC, they are organizing political activity for tens
or hundreds of millions of people. And so if they are cyber
vulnerable, I think it makes the whole country cyber
vulnerable, and then it casts a cloud over democratic
government itself.
    So that's why, in the end, I think it is a complicated
question you raise, but I would side with the ranking member
and with the other members who were speaking on this side of
it.
    Let me pose a question. As a new member of this committee
who was--I was not here for the original OPM breach, and so all
of this is a bit new to me. But I want to ask the question. We
know from the national intelligence community about the fact
that they believed with high confidence that there was an
organized campaign by Russia to subvert the 2016 election and
to compromise the 2016 election.
I've also heard that there's
certain other countries where certain kinds of hacking are
common or concentrated, like Nigeria, apparently, is a place
where there's a lot of cyber hacking and phishing attacks going
on.
    Do you have a list of the most common enemies or culprits
of our cybersecurity that you use? And I know, Ms. McGettigan,
if that's something you can answer.
    Ms. McGettigan. I'll defer to Mr. DeVries to answer that.
    Mr. DeVries. Member, if I could----
    Mr. Raskin. Please.
    Mr. DeVries. If I could, I would like to defer to Mr. Chase
here for the expertise on it. We do have the network
monitoring, but we are part of the greater ecosystem of that
from DHS.
    Mr. Raskin. All right. Let's cut to the chase.
    Mr. Chase. Thank you. No pun intended.
    So one of the things that I just want to make clear is
we're a customer service oriented agency. And so we rely on our
partners from Department of Homeland Security, FBI, and other
components within DOD. The potential attribution or the knowing
of a bad actor is not our job. My job is to focus the staff at
OPM to protect the data that resides in there.
    Mr. Raskin. Okay. So I guess--right. You're a customer
service agency and you want to serve the various government
agencies that interact with you. The problem, of course, is now
we've got these outside entities that are trying to invade and
undermine and so on. Do we know who those entities are? Is
there like an FBI most wanted list of the cyber saboteurs all
over the world or in this country? I mean, the national
intelligence community tells us it's Russia, but then we hear
from other people, no, it's a fat guy on a couch someplace. I
don't know why it's always a fat guy. Why couldn't it be a
skinny guy on a couch. But anyway, it might be a guy on a couch
or it might be Russia, but it might be Nigeria. Where it is
coming from? And does that list exist?
And is there any attempt
to really get to the bottom of it?
    Mr. Chase. And, again, I'll try to answer more directly. So
DHS and FBI provide those reports in unclassified and
classified formats.
    Mr. Raskin. Okay. Do you believe as experts in the field
that there is going to be a technological answer to this so we
can actually create a secure cyber environment? Or, you know,
is this a Sisyphean task? We go up two steps and we fall back
three steps. I mean, are we really--is it an uphill fight, I
guess is what I'm asking. Mr. Halvorsen.
    Mr. Halvorsen. Right now it is an uphill fight. I do
believe technology will get us some of the solutions. But I
think this is much like any area in technology. We will make
strides forward. The people who want to use technology for bad
will make strides forward. And it will be a continuing analysis
and engagement that is not going to end anytime soon.
    Mr. Raskin. Thank you very much, Mr. Chairman. I yield
back.
    Chairman Chaffetz. I thank the gentleman.
    We'll now recognize Mr. Comer who's new to our committee.
We're pleased to have him here. The gentleman from Kentucky.
    Mr. Comer. Thank you, Mr. Chairman.
    Chairman Chaffetz. Sorry. The microphone button there. Talk
button. There we go.
    Mr. Comer. Thank you, Mr. Chairman.
    My question is for Mr. DeVries. Sir, I would like to follow
up with you on the IT infrastructure project that OPM abandoned
last year. The committee's understanding is that you are no
longer leasing two new data centers for OPM's new IT
environment, but rather, are repurposing the hardware and
equipment meant for the IT environment that the contractor
Imperatis built. My question is, is this accurate?
    Mr. DeVries. Yes, sir it is.
    Mr. Comer. Okay. How much did OPM pay the contractor for
the new IT infrastructure project before terminating the
contract May 2016?
    Mr. DeVries.
Sir, I would have to get back to you with the
exact amount that was consumed there. I do not have that number
with me today here.
    Mr. Comer. Why was the contract terminated?
    Mr. DeVries. Sir, as I completed my assessments coming on
board as the CIO, that effort was to build a new infrastructure
to move the legacy stuff into. They went out on the contract.
That contractor went out of business. They did not show up to
work in May, and we terminated the contract after that. We then
repositioned the equipment back in because we had purchased
that, as we had purchased the design and engineering diagrams.
We have what we paid for. Now just turning it back on.
    Mr. Comer. It's my understanding that the first two phases
of that were completed, and after approximately $45 million of
investment, OPM abandoned the project. But you say that we have
what we paid for or did we lose what we paid for?
    Mr. DeVries. Sir, we have evolved that, and I'm now
building on that capability that we purchased then. Yes, sir.
    Mr. Comer. So is OPM still operating the legacy IT
environment? Is that correct?
    Mr. DeVries. Sir, I will say no. We have evolved a lot over
the past year, and that was part of my assessment coming
onboard was to take a look at what the network was, where are
our high value assets, where are our centers of gravity, if you
will, and what's the protection there. Mr. Chase has talked
about some of the defense and depth that we've put in place. So
it is not the same legacy infrastructure that it was in 2015.
Not by a long shot.
    Mr. Comer. So are we--can we be assured that this
environment is more secure today than prior to the data
breaches?
    Mr. DeVries. Absolutely. Mr. Chase and I would not be here
if it was not.
    Mr. Comer. Okay. I yield back.
    Chairman Chaffetz. I thank the gentleman.
    We'll now recognize the gentlewoman from the Virgin
Islands, Ms.
Plaskett, for 5 minutes.
    Ms. Plaskett. Thank you, Mr. Chairman. And thank you all
for being here this morning to testify.
    I wanted to--I appreciated your testimony this morning on
all of the topics. And it seems to be very wide ranging, of the
discussion that we're having this morning. But we are all here
because protecting our Nation's security from insider threats
and external threats is of paramount importance, of course, to
you all and us as Members of Congress. So I wanted to discuss
the security clearance process and how individuals are granted
access to sensitive information.
    Director Phalen, for you specifically, how would NBIB
handle the clearance process for someone under active FBI
investigation? What happens with that application?
    Mr. Phalen. When an agency puts an individual in for a
clearance, it starts with a determination by that agency that
this individual needs a clearance for whatever work they're
going to be doing. The individual's information is sent to NBIB
or to some other----
    Ms. Plaskett. And what if you find out that the person is
under active FBI investigation? What happens at that point?
    Mr. Phalen. If we in the process of conducting the
investigation determine an individual's under active
investigation, we would notify the requester of what we
understand to be the investigation, and we would continue the--
our part of the investigation, unless we were told to stop
based on some decision by the requester.
    Ms. Plaskett. Now, in knowing that you're going to continue
the investigation of someone who is under an active FBI
investigation, would that be one of the factors in
disqualifying an individual from a security clearance?
    Mr. Phalen. Not necessarily. And it would not be our
determination.
It would be the determination of the requesting
agency, who is either the requesting agent themselves, if they
have independent adjudication authority, or the--in the DOD
world, the consolidated adjudication facility. These are the
individuals that make the ultimate determination as to whether
an individual is eligible for access to----
    Ms. Plaskett. Got you. So you're processing the
application, you're giving them the information, and then the
agency head then makes the determination whether or not the
person has the security clearance?
    Mr. Phalen. Ultimately, yes.
    Ms. Plaskett. So for the ultimate decisionmaker for
granting a security clearance for a senior White House staffer,
who would that person be?
    Mr. Phalen. The chief of the White House Security Office is
the adjudication authority.
    Ms. Plaskett. And so the chief of the security office for
the White House is the determiner for an individual in the
senior White House level having a security clearance.
    Mr. Phalen. Yes.
    Ms. Plaskett. And who places that person in that office?
The chief officer. Is that an independent? Is that appointed by
the President? Is that a career person? Who is that individual?
    Mr. Phalen. I actually don't know right now. I can find
that answer----
    Ms. Plaskett. I would really love to know that answer.
Because is it possible for the ultimate decisionmaker to make a
decision to grant an individual a national security clearance
if the person is under an FBI investigation? You're saying yes,
that's possible.
    Mr. Phalen. It is possible.
    Ms. Plaskett. And the reason I'm asking that is because of
course--you know, of course there's a reason I'm asking. Right?
\nThere would--according to multiple reports, several members of \nthe Trump campaign and incoming Trump administration may \ncurrently be under FBI investigation for their connections with \nthe Russians; the very country implicated in the hacking that \neveryone seems to be interested in here today.\n    So President Trump\'s National Security Adviser, Michael \nFlynn, is reportedly being investigated by the FBI for phone \ncalls with a Russian diplomat. And the New York Times reported \nthat the FBI\'s investigating communication and financial \ntransactions between Russia and the former campaign manager, \nPaul Manafort.\n    So my question is, if these individuals become now senior \nWhite House staffers who need security clearance as having sit \non this National Security Council, along with Steve Bannon, if \nthose individuals are under FBI investigation, they may still \nget a national security clearance?\n    Mr. Phalen. That is certainly possible. And I would \ndistinguish between someone who is under investigation and \nsomeone who has been charged or convicted with a crime.\n    Ms. Plaskett. Of course. As a lawyer, I know you\'re \ninnocent until proven guilty. But an active FBI investigation \nwould raise some eyebrows. Would it not? Because the FBI would \nnot begin an investigation on my, you know, freshman student \nwho has cheated on a test or something. They usually start FBI \ninvestigations for pretty serious things.\n    Mr. Phalen. It would be a noteworthy item on an \nadjudication, yes.\n    Ms. Plaskett. Okay. Mr. Chairman, I think we need the \nanswer to some of the questions that we\'ve been asking here.\n    And so do you know, Director Phalen, which or any of the \nsenior White House staffers who have access to senior material \nare under criminal investigation by the FBI?\n    Mr. Phalen. I do not know that, no.\n    Ms. Plaskett. Okay. Thank you.\n    Chairman Chaffetz. If the gentlewoman yields back, Ms. 
\nMcGettigan, she is the acting director of OPM, if you could get \nback to Ms. Plaskett about who specifically is in charge, I \nthink the gentlewoman asked a reasonable question here, who are \nthe people that make those determinations, and get back to--\nwill you make that commitment----\n    Ms. McGettigan. Yes, we will.\n    Chairman Chaffetz. --that you\'ll get back to her?\n    Ms. McGettigan. We will get back to you.\n    Chairman Chaffetz. Okay.\n    Ms. Plaskett. Thank you. Thank you very much, Mr. Chairman. \nAs well if you would find out how do we find out----\n    Chairman Chaffetz. Ask her.\n    Ms. Plaskett. It would be great to know in that process, \none, who the decisionmaker is, and is there a list of \nindividuals who are under FBI investigation. If the chairman \nand the ranking member would receive that, that would be very \nhelpful in making that determination, what are the factors.\n    Ms. McGettigan. Okay.\n    Ms. Plaskett. Thank you.\n    Ms. McGettigan. We will follow up. Thank you.\n    Chairman Chaffetz. And I would open up to any member, if \nthey have questions for OPM, Ms. McGettigan is the acting \ndirector.\n    Mr. Connolly. Mr. Chairman, I just--I assume at some point \nMs. McGettigan\'s going to actually answer a question as opposed \nto always getting back to us.\n    Chairman Chaffetz. Okay. She wasn\'t ever even asked a \nquestion in that series, so I think that\'s a little \ninappropriate. But let me--and she did make a commitment to get \nback to the committee. I think that\'s reasonable.\n    Mr. Connolly. Yes, I heard.\n    Chairman Chaffetz. So I\'ll now recognize myself for 5 \nminutes.\n    And I guess this question will go to Mr. Chase. Tell me \nabout the authority to operate. There have been some questions \nabout this in the past. The inspector general found that the \nauthorities to operate were a material weakness in fiscal year \n2016. 
The IG reported that 18 major systems still did not have \ncurrent authorities to operate in place. What is the current \nstate of those ATOs?\n    Mr. Chase. So all the ATOs----\n    Chairman Chaffetz. If you can move that microphone a little \ncloser. I apologize, sir.\n    Mr. Chase. So all the ATOs are currently compliant.\n    Chairman Chaffetz. Can you put some meat on the bones? \nDefine that for us.\n    Mr. Chase. So in fiscal year 2016, again, our strategy was \nto identify and understand all the systems. It was identified \nthat quite a few of them were out of compliance. So we took on \ntwo major initiatives at OPM. One was a sprint in February of \n2016 to look at all the systems, to include the HVAs, to ensure \nthe best pathway forward to get them compliant. The next phase \nof that was marketing within OPM and the agency heads and the \nacting director at the time to ensure that everybody in the \nagency knew the importance to get everybody into compliance.\n    Chairman Chaffetz. Would the ATO--you said all of them. \nWould that include the PIPs?\n    Mr. Chase. That is correct, sir.\n    Chairman Chaffetz. It would. Okay.\n    Mr. Chase. That was not reflected in the fiscal year 2016 \nFISMA report, and has been recently.\n    Chairman Chaffetz. Everything within the NBIB, do those all \nhave current valid ATOs?\n    Mr. Chase. Yes, sir.\n    Chairman Chaffetz. Okay. Let me switch over here, if we \ncould, to Ms. McGettigan and--or maybe, Mr. Phalen, you might \nbe the right person--actually, let me ask you, Mr. Phalen. What \nis the current state of the ability to look at the social \nmedia? We\'ve been talking in this committee over the last \ncouple of years, actually, with OPM about during background \ncheck investigations looking at social media. What are you \ndoing or not doing in that process?\n    Mr. Phalen. Thank you, Mr. Chairman. Two points to make on \nthat. 
Number one, in April of 2016, the security executive \nagent sent out a directive that would allow us--allow an \ninvestigation to use social media publicly available on \nelectronic information in order to inform an investigation. We \nat NBIB or its predecessor, the Federal Investigative Service, \nhave been using on a targeted basis social media inquiries to \nhelp resolve issues when they come up during an investigation. \nWe are in the middle of a short pilot to understand how we can \nincorporate it into a formal--into a more consistent use during \nan investigation.\n    In other words, how do we collect the information, get it \ndisambiguated, and make sure it is accurate and of any value, \nand then provide it to an investigator who is in the field \nconducting an investigation to help enhance that.\n    Chairman Chaffetz. Can you define ``short pilot?\'\' Because \nI think we\'ve been talking about this for a couple years. And \nthis doesn\'t seem to be very short.\n    Mr. Phalen. So a number of pilots have been conducted by a \nnumber of agencies to look at the value of social media. And \nmost concluded--most have reached the similar conclusion, there \ncan be valuable information in collecting social media.\n    Chairman Chaffetz. Okay. Can you just hold on here. This is \nwhat drives people crazy about government. You had to conduct a \nstudy to find out if looking at social media would be valuable? \nAnd the conclusion is it might be yes? Come on. Every single \ntime there\'s a terrorist attack, what\'s the very first thing \nthe investigative body does? They go look at their social \nmedia. And more often than not, they say, oh, my goodness. If \nsomebody had just looked at this.\n    Why in the world do we need--we\'re still doing a pilot? Let \nme answer the question for you. Yes. Looking at publicly \navailable social media should be part of the background check. \nIt\'s a joke to think that you\'re not looking at social media. 
\nAnd the idea that we even have to think about this, by its very \ndefinition, it is social. It is open. It\'s there. Facebook. You \ncan go--come on. Instagram. Twitter. Every single time we go \nand do an interview for somebody, we go check their social \nmedia. Why do you have to do another pilot?\n    Mr. Phalen. The pilot was not to determine whether or not \nthere\'s any value in social media. The pilot that we are \ncurrently running is how do we incorporate it into a standard \nbackground investigative process. And the largest pole in this \ntent here is not can we collect the information. It is not is \nthere going to be valuable information in there. It becomes how \ndoes it get incorporated in a manner that is cost effective to \nour customer base. And--because the collection is the easy \npart. The analysis of it becomes harder. And the more data \nthat\'s out there, the more difficult the analysis becomes.\n    I believe that this is a relevant data source. We believe \nit is a relevant data source. We\'re going to continue to \nexploit it. This pilot was a very short one to determine how we \ncan build it into an--our current investigative process. And as \nwe move down the road, how it will become more of a mainstay \nfor this investigative process.\n    Chairman Chaffetz. Have you considered implementing a \npolicy to require the disclosure of online user names or social \nmedia identities as part of the clearance process?\n    Mr. Phalen. We have not at this point.\n    Chairman Chaffetz. Why not?\n    Mr. Phalen. That would be a decision to be made by the \nsecurity executive agent to ask for that information.\n    Chairman Chaffetz. Here\'s my personal take on this, and \nthen we\'ll go to Mr. Connolly. 
The United States of America, \nthe people of the United States of America, are about to \nentrust somebody with a security clearance that allows that \nindividual to look at and understand information that the rest \nof the public doesn\'t get to look at. Right? That is the very \nnature of a security clearance. We\'re doing this, we\'re giving \nthis person special privileges because we trust them.\n    I would think it would be reasonable that in return for \nthat--you don\'t have to apply or try to get a job with a \nsecurity clearance. There\'s nobody that forces you to do that. \nIt\'s optional. But you would think in return for that they \nwould say: Yes. Here\'s my Instagram account. And I would go so \nfar to say: Here\'s my password if you want to go look at my \nprivate Instagram. That is a reasonable thing to look at when \nyou\'re trying to go back and do a background check.\n    Some of these background checks are so thorough. You\'re \nlooking at bank records. You\'re looking at education. You\'re \ninterviewing neighbors. You\'re talking and trying to figure out \nas much as you can about this information. A very costly, \nexpensive, laborious process. And yet we\'re not even--we\'re so \nbashful we won\'t even say: We\'re going to be looking at your \nInstagram. Is that okay, you know? And if it\'s not, then maybe \nwe shouldn\'t be giving them a security clearance. That\'s my \ntake on it.\n    It\'s very frustrating this takes so long. Because every \ntime we have a problem, what\'s the very first thing the FBI and \nother law enforcement want to do? They want to dive into their \nsocial media. That\'s the best way for them to figure out what \nhas been going, what is the attitude, who are they \ncommunicating with. And if we\'re going to give a security \nclearance, it seems reasonable.\n    I\'m past my time. I\'ll now recognize the gentleman from \nVirginia, Mr. Connolly.\n    Mr. Connolly. I thank the chair. 
I also would say to the \nchair, I caution him, I don\'t think it\'s appropriate for him to \ncharacterize an intervention or a question by a member of this \ncommittee. I don\'t do that to him. And I expect him not to do \nit to me. And if we\'re going to get into that, two can play the \ngame.\n    Ms. McGettigan, a question maybe you can answer. OPM, is it \ngoing to migrate to the required XML format, the transaction \nsubmissions and background checks instead of using legacy \nsystems? I thought I heard Mr. DeVries say we\'re pretty much \ndone with the legacy systems. Have we fully migrated to the \nrequired XML system?\n    Ms. McGettigan. I will have to defer that to Mr. DeVries.\n    Mr. Connolly. You don\'t know the answer?\n    Ms. McGettigan. I do not.\n    Mr. Connolly. Mr. DeVries.\n    Mr. DeVries. No, sir, we have not.\n    Mr. Connolly. Why not?\n    Mr. DeVries. So the whole legacy system is comprised of \neight different systems which ask questions and interact and \nportray in conducting the investigation through them. A lot of \nthe language on, especially I think it was a member here \nbrought up the word PIPs, which is the main database system \nthat maintains it there, that is on--written in language that \nis no longer supported. And I\'m trying to move it out of there.\n    It is not just merely a case of just taking something and \nputting it out to XML. We have employed XML in terms of the \ninterface going into the customer. We have put that into all \ntheir front-facing applications there. And in that time, we\'ve \nalso put other protections in there, like masking of the Social \nSecurity number and other techniques. So yes, to the customer \nfacing one, as we have on other OPM systems, we have put the \nXML piece into it.\n    Mr. Connolly. Ms. 
McGettigan, what is OPM and NBIB doing to \nensure that if data is exfiltrated from the NBIB, NBIS systems, \nthat the data will be protected and its location and attempted \nuse not--will not only be prevented but visible to the NBIS for \naction? What are you doing to protect that in the exfiltration \nprocess?\n    Ms. McGettigan. Again, sir, I\'ll----\n    Mr. Connolly. Can\'t hear you.\n    Ms. McGettigan. I apologize. Again, sir, I will have to \ndefer to Mr. DeVries or Mr. Halvorsen.\n    Mr. Connolly. So again you can\'t answer the question.\n    Mr. DeVries.\n    Ms. McGettigan. I cannot.\n    Mr. Connolly. Does the acting director of OPM get involved \nin these cyber issues at all?\n    Ms. McGettigan. I do get involved somewhat, but not in the \ndetails.\n    Mr. Connolly. Have you had any experience with the breach \nor responding to the breach in your period of time under Beth \nCobert or Ms. Archuleta before that?\n    Ms. McGettigan. I--when the breach occurred, I was in \nanother area of the organization. I was in Human Resource \nSolutions. I was not the chief management officer at that time, \nso I was not intimately involved. I was involved from another \narea of the--I had no responsibility for that.\n    Mr. Connolly. Mr. DeVries, what are we doing about that \nexfiltration, protecting that data so it\'s not breached?\n    Mr. DeVries. Yes, sir. Sir, on a macro perspective, let\'s \nstart with the worthy employee or the individual who\'s going to \nbe investigated. He enters his records or his information into \nthe e-QIP through the SF--Standard Form 86. That information is \nstored securely. It\'s on an encrypted database. That is what \ngets queued up to go to the investigators once they are awarded \nthat work, if you will, from the NBIB. 
With my coming on board \nin September, we changed that process.\n    In the past, when the companies would get their task orders \nto do these investigations, and we just talked about the \ncontract that was awarded out to the four new companies, two of \nthose were existing ones and there are two new ones in there, \nthe investigators no longer can download that information to \ntheir company information stores. It stays as part of the \ngovernment, and we\'ve incorporated a new security thing there \nwhere when they pull the records in, it is on a different \nencrypted system under their hard drive, and they authenticate \nthemselves with a verification card that is issued by OPM and \nNBIB to them.\n    Mr. Connolly. I only have 30-something seconds, so let me \nask another question. What are we doing to boost the capacity \nto decrease the enormous backlog on security background checks? \nMr. Phalen.\n    Mr. Phalen. Yes, sir. We have done two things of large \nproportion. Number one, as was referenced earlier, we have \nstarted a new contract period and doubled the number of \ncompanies that are available to provide the contract \ninvestigations. And that, we believe, will have a significant \nimpact on our ability to work off the backlog. At the same \ntime, in fiscal 2016, we hired 400 new Federal investigators \ninto the service. And we plan on, in 2017, adding another 200. \nAnd we are already seeing the fruits of that addition to work \noff the capacity.\n    Mr. Connolly. I think this is on top of many topics we\'re \ntalking about. This is really important. I get complaints all \nthe time, especially from private sector companies with \nenormous numbers of jobs at the ready they cannot fill because \nof this backlog. And so the more we can do to streamline, \nexpedite, while making sure it\'s still accurate, I think is \nreally critical moving forward.\n    Thank you.\n    Mr. Phalen. Yes, sir. I agree.\n    Mr. Connolly. 
I yield back.\n    Chairman Chaffetz. I thank the gentleman.\n    We\'ll now recognize the gentleman from Alabama, Mr. Palmer.\n    Mr. Palmer. Thank you, Mr. Chairman.\n    I know you\'re new on the job, Ms. McGettigan, and if \nthere\'s anyone on the panel who can answer this, I\'d appreciate \nit. Does OPM allow employees to access personal email accounts, \nFacebook, do any other personal business using the Federal \nserver?\n    Ms. McGettigan. Employees are allowed to do limited access \nfor personal and business. Access their bank accounts, what \nhave you. So there\'s limited access for personal business. \nLimited use.\n    Mr. Palmer. Are you aware that it was reported that the \nImmigration and Customs Enforcement agency just a couple of \nyears ago, I think it preceded maybe by a year or so the breach \nof the data systems at OPM, they had numerous cases where the \nbreaches were coming--or the attacks were coming through the \nuse of personal email utilizing the Federal server? Are you \naware of that?\n    Ms. McGettigan. No, sir, I was not.\n    Mr. Palmer. Well, it\'s an area that concerns me where--and \nemployees, and not only employees, but high ranking officials, \nand I don\'t know that you could answer this, if there are any \nOPM directors or other high-ranking officials using personal \nemail accounts--or accessing personal accounts using the \nFederal server or using personal accounts to do business. We \nknow that\'s been a problem in other agencies, most notably the \nState Department.\n    One of the things that concerns me is that it doesn\'t \nappear to me that we\'ve made the maximum effort to protect \nourselves from cyber intrusion. And for the record, I\'d like to \npoint out that James Clapper made the point, the Director of \nNational Intelligence, that it was the Chinese, not the \nRussians, that we believe hacked OPM. 
But I think this may have \nbeen asked earlier.\n    OPM is still not fully compliant with the requirements for \nthe use of personally identifiable verification cards, the PIV \ncards. Where are we on that?\n    Mr. DeVries. Sir, I\'ll take that. Sir, we are 100 percent \ncompliant for the PIV cards for the users to access the \nnetwork.\n    Mr. Palmer. So is it a chip-based card?\n    Mr. DeVries. Yes, sir, it is.\n    Mr. Palmer. And multifactor verification?\n    Mr. DeVries. Multifactor verification.\n    Mr. Palmer. So we\'ve got that across the board?\n    Mr. DeVries. It needs the card and then you need the \npersonal identification that you put your PIN in for. Correct, \nsir.\n    Mr. Palmer. Let me ask you this: In regard to hiring people \nwho handle your data systems, and particularly to protect \nagainst cyber attacks, how long does it take to process an \napplicant? For instance, I\'ve got a--there\'s a gentleman in--at \nthe University of Alabama, Birmingham, one of the top people in \nthe country on this, Gary Warner, and he\'s turning out some of \nthe best experts in cybersecurity. And the day they graduate--\nit\'s almost the day they graduate, they can get a job with \nVisa, MasterCard. But it seems to take months to even get in \nthe system for the Federal Government. Is that an issue at OPM?\n    Ms. McGettigan. Well, yes, sir, it is an issue in terms of \nthe background investigations. We are very much backlogged. We \nare committed to reducing that backlog. And we have--to that \nend, we have just--we have just awarded contracts to increase \nour capacity, the field contracts to increase our capacity. And \nwe are on a path to reduce that--to reduce that backlog. But it \nwill take time, and employees of OPM or prospective employees \nof OPM are also waiting for background investigations.\n    Mr. Palmer. 
Well, I know that--and I wasn\'t here for the \nopening of this hearing--that there seems to be a tendency to \ntry to make this--politicize this. And if that\'s where some \nmembers want to go with it, that\'s fine. But I think the \nseriousness of the breach at OPM requires that we do our jobs \nto make sure that our data systems are secure.\n    And one of the things that I might suggest and encourage \nyou to consider is doing the background checks on these top \nstudents while they\'re still in school so that when they \ngraduate, we\'re not going to lose them to the private sector. I \nthink that we put ourselves at great exposure by not having \nquicker access to the best people that are available to protect \nour data systems.\n    Is that something that OPM might consider? Could we \nexpedite the process? Because it\'s unreasonable to think that \nsomeone could get a really good job somewhere else and then \nhave to wait months to get an interview.\n    Ms. McGettigan. Yes, sir. We do have some programs. We have \na program, Presidential Management Fellow Program, where we \nhave people apply--recent graduates apply. And they are vetted \nand then they become finalists. We do not do--to my knowledge, \nbackground investigations are always done at the--once the \nperson receives a conditional offer of employment. So it\'s the \noffer of employment that triggers the background investigation.\n    Mr. Palmer. Well, I thank you for coming today.\n    And I just want to make this last point, Mr. Chairman, that \nI think the point that needs to be made is that the purpose of \nthis hearing is to make sure that our data systems are secure. \nAnd I think this committee will do whatever we need to do to \nmake that possible.\n    I yield back.\n    Chairman Chaffetz. I thank the gentleman.\n    We\'ll now recognize the gentleman from Wisconsin, Mr. \nGrothman.\n    Mr. Grothman. Thank you.\n    Mr. DeVries, we\'ll ask you a question again. 
You know, the \nGAO recently found----\n    Chairman Chaffetz. Mr. Grothman, my apologies. My \napologies. We need to go to the Democratic first. Mrs. \nLawrence. I failed to recognize her. The gentlewoman is \nrecognized for 5 minutes.\n    Mrs. Lawrence. I know you would never purposely not \nrecognize me, Mr. Chairman.\n    Yesterday, Ranking Member Cummings sent a letter to the \nDefense Secretary about potentially serious violation of the \nConstitution by Lieutenant Governor Michael Flynn, the \nPresident\'s national security adviser. General Flynn had \nadmitted that he was paid to attend an event sponsored by the \nRussian-backed television network known as RT. And he dined \nwith the Russian President Putin. RT has been described by the \nNSA, CIA, and FBI, and I quote: ``The Kremlin\'s principal \ninternational propaganda outlet. It receives funding, staffing, \nand direction from the Russian Government.\'\'\n    Director Phalen, your staff provided the Standard Form 86 \nfor security clearance holders. One question on the form, and I \nquote: ``Have you or any member of your immediate family in the \npast 7 years had any contact with a foreign government, its \nestablishment, or its representatives, whether inside or \noutside of the U.S.?\'\'\n    My question to you, why are these individuals asked this \nquestion?\n    Mr. Phalen. Thank you, Representative, for that question. \nThe reason these questions are asked is to ensure that the \nindividual who is making an adjudicative decision understands \nwhat relationships an individual may have with a foreign \ngovernment or foreign representative. And the nature of that \nquestion is to get to the heart of what that relationship may \nbe. It could be benign, it could be not benign. But this would \nbe the judgment of the adjudication organization. Our goal \nwould be, based on the response to that question, to gather as \nmuch information as we can get to----\n    Mrs. Lawrence. 
The form also asks the question, and I \nquote: ``Have you in the past 7 years provided advice or \nsupport to any individual associated with a foreign business or \nforeign organization?\'\'\n    So my question to you is, do you know if General Flynn has \na clearance?\n    Mr. Phalen. I have not checked the record. I believe he \ndoes have a clearance, but I don\'t know that authoritatively. \nAnd if I could add, that the investigation of General Flynn, \ngiven his role in the White House, would generally be conducted \nby the FBI and not by NBIB.\n    Mrs. Lawrence. So you don\'t know if he has a clearance, \ncorrect?\n    Mr. Phalen. I don\'t know authoritatively, but I believe he \ndoes.\n    Mrs. Lawrence. Do you know if he ever reported to the \nappropriate authorities?\n    Mr. Phalen. I do not know that.\n    Mrs. Lawrence. Do you know if General Flynn ever reported \nhow much he paid--how much he was paid for his trip?\n    Mr. Phalen. I do not know that.\n    Mrs. Lawrence. So you\'re stating within the government that \nwould be the FBI that would answer that question?\n    Mr. Phalen. The--his reporting chain, if his clearance was \nstill through the Department of Defense, would have been back \nthrough a Department of Defense security office, and they would \nbe the organization that would have that on the record. It \nwould be up to the FBI, if they were doing the investigation, \nto go back and reach out to the Department of Defense and ask \nif that had been reported.\n    Mrs. Lawrence. Do you know if that reach-out has happened?\n    Mr. Phalen. I do not know.\n    Mrs. Lawrence. Mr. Chairman, we need to get answers to \nthese basic questions. And I am requesting that the committee \nsend a letter requesting a copy of General Flynn\'s security \nclearance application, as well as any and all updates he may \nhave submitted.\n    Will the chair agree to that?\n    Chairman Chaffetz. Send me the request.\n    Mrs. Lawrence. 
I appreciate it.\n    Mrs. Lawrence. We have a responsibility, and we have been \ntalking about this. And, Mr. Chairman, you have been a staunch \nleader in this, and this is an area I feel that we need \nquestions answered. Thank you so much.\n    Chairman Chaffetz. I now recognize the gentleman from \nWisconsin, Mr. Grothman.\n    Mr. Grothman. Okay, Mr. DeVries. GAO found that personnel \nmanagement had not yet completed and submitted a data center \noptimization plan. And, originally, that was supposed to be \ndone in September of last year. Do you know when that plan will \nbe completed, or has it been completed?\n    Mr. DeVries. Thank you, sir. I appreciate that question \nbecause that\'s one that\'s near and dear to my heart.\n    I came onboard as the CIO in September. We did not publish \nthat one, because it was not complete. I completed the \nassessment on it, and we\'re finalizing that. And that should be \ndone back up to OMB by the end of this quarter here.\n    Mr. Grothman. By the end of?\n    Mr. DeVries. This quarter.\n    Mr. Grothman. Okay. So the next couple months. Okay. Do you \nknow what the savings goal you have for a plan like that is?\n    Mr. DeVries. Sir, I do not have the savings goal in terms \nof the final numbers yet. That\'s part of the assessment that\'s \nstill ongoing right now.\n    Mr. Grothman. Okay. How many data centers do you own now?\n    Mr. DeVries. Today, sir, I own seven. We closed down two, \nand we\'re about ready to move out of our third one here in the \nnext 2 months.\n    Mr. Grothman. Oh, that\'s good. What do we have left? What \nare the ones that are left?\n    Mr. DeVries. And then I have five left. And I\'m going down \nto two.\n    Mr. Grothman. Okay. Good.\n    Let me give you another question. During the data discovery \nbreach and mitigation process, your relationship with the \ninspector general was strained. 
There was a lack of \ncommunication, time--there wasn\'t timely reporting, I think the \nIG wasn\'t informed really what you would consider on a timely \nbasis. I understand things have improved since that time. How \nwould you characterize your relationship with the inspector \ngeneral today?\n    Mr. DeVries. On behalf of the CIO office, I\'ll say it\'s \nvery good. I say that because we meet monthly with his staff \nand my staff to go through what their concerns are, what their \nfindings are, what our status is of reporting back to those \nfindings. It\'s a very good relationship. They hold nothing \nback.\n    And I\'d like to defer now the final question to my chief \ninformation security officer, because he deals with them much \nmore frequently.\n    Mr. Grothman. Okay.\n    Mr. Chase. Is that okay, Representative?\n    Mr. Grothman. Sure. Yeah.\n    Mr. Chase. So one of the things when I came onboard was to \nestablish a good relationship with the inspector general. We \nmeet on a weekly basis to talk about all the progress. And so--\nand I know I mentioned it earlier, but I\'ll say it again, is \neverything from the compliance efforts that we did to the \nengineering rollouts, so there\'s a lot of things going on that \nI wanted to make sure that the inspector general is abreast of. \nAnd so with that, they\'ve given us guidance on what\'s \nappropriate to align to their FISMA report metrics and \nreporting. And it\'s been helpful not only for me but my staff \nbehind me to see why that relationship is one that pays \ndividends in the long run.\n    Mr. Grothman. Good. And if there was a breach today, how \nquickly would the inspector general know?\n    Mr. Chase. As quickly as everybody else.\n    Mr. Grothman. Okay.\n    Mr. DeVries. Sir, I make that first phone call to the \ndirector, the second one is to the OIG, so it\'s realtime----\n    Mr. Grothman. Okay. Thank you.\n    I yield the remainder of my time.\n    Chairman Chaffetz. 
The gentleman yields back.\n    I now recognize the ranking member, Mr. Cummings.\n    Mr. Cummings. Thank you very much, Mr. Chairman.\n    Director Phalen, according to the website, the National \nBackground Investigations Bureau, NBIB, is now responsible for \nconducting, and I quote: ``Approximately 95 percent of the \ntotal background investigations governmentwide.\'\'\n    Is that right?\n    Mr. Phalen. Yes, sir, that is.\n    Mr. Cummings. Out of the total number of background \ninvestigations that NBIB is responsible for conducting, does \nthat include political appointees in the Trump administration?\n    Mr. Phalen. Generally not.\n    Mr. Cummings. Not?\n    Mr. Phalen. Generally not.\n    Mr. Cummings. Okay.\n    Mr. Phalen. Yes.\n    Mr. Cummings. And why not?\n    Mr. Phalen. By tradition, that work has been given to the \nFBI to conduct those investigations by the White House.\n    Mr. Cummings. And so a--now, guideline A of the \nadjudicative guideline states that individuals seeking a \nsecurity clearance must have unquestioned allegiance to the \nUnited States, and lays out a series of examples of \ndisqualifying factors that investigators and adjudicators will \nuse to determine eligibility.\n    Based on some of the questions on that SF86, I think many \npeople often think of association with groups seeking to \noverthrow the U.S. Government by violent means, like violent \nanarchists or terrorist groups. When we think of this \nguideline, is that fair?\n    Mr. Phalen. Yes, that would be a major piece of that \ncategory. Yes, sir.\n    Mr. Cummings. But the disqualifying factors in the \nguideline may include much more than that. Do they not? They \ninclude whether a person associates with or shares the \nviewpoint of those who advocate using illegal or \nunconstitutional means to prevent government personnel from \nperforming their official duties or others from exercising \ntheir constitutional rights. Is that correct?\n    Mr. Phalen. 
Those are--those are questions to be considered \nin an adjudication, yes, sir.\n    Mr. Cummings. And it could--and it could conclude--include \npersons who associate or share the viewpoint of those who use \nillegal or unconstitutional means to, quote, ``gain attribution \nfor perceived wrongs caused by Federal, State, or local \ngovernment,\'\' end of quote. Is that correct?\n    Mr. Phalen. Those would be adjudicative questions, yes, \nsir.\n    Mr. Cummings. If your investigations uncovered negative or \nderogatory information in any of those areas, I imagine that \nyou could raise concern with regard to them. Is that correct?\n    Mr. Phalen. They would be noted in the investigation, and \nthey would be forwarded to an adjudicative--adjudication \nauthority to make a determination as to whether that individual \nshould be cleared.\n    Mr. Cummings. So I want to walk you through a few short \nexamples. If someone said that they were a Boy Scout or Girl \nScout, would that raise a concern under guideline A? Of course \nnot. Is that right?\n    Mr. Phalen. No, sir.\n    Mr. Cummings. What if someone described themselves as a \nLeninist, which refers to the Russian revolutionary who was not \na fan of our democratic government, should that raise concerns \nfor your investigators?\n    Mr. Phalen. It would, and the investigator should pursue \nthat avenue of discussion with the subject as to what that \nmeans.\n    Mr. Cummings. What if someone said that his goal was to, \nquote, ``destroy the State,\'\' unquote, what response would that \nelicit?\n    Mr. Phalen. That would elicit a very strong line of \nquestioning with that individual and with others to determine \nwhat he means by that, so that we can give a full picture to \nthe adjudicator.\n    Mr. Cummings. What if somebody said, quote, ``I want to \nbring everything crashing down and destroy all of today\'s \nestablishment,\'\' end of quote, should that raise a concern?\n    Mr. Phalen. 
That would be noteworthy in an adjudication, \nyes, sir.\n    Mr. Cummings. Chairman, each of these phrases were \nreportedly used by Steve Bannon to describe his views and his \ngoals, according to Ronald Radosh of The Daily Beast. Mr. \nBannon has since reportedly denied saying those things, but I \nimagine an investigator would still have concerns about them. I \nimagine that they would also want to see numerous reports about \nracism rampant on the news website Mr. Bannon used to run.\n    Mr. Chairman, this is--this is a very serious problem. The \nPresident has picked Mr. Bannon to be his chief strategist and \nsenior counselor. Not only that, the President just reorganized \nthe National Security Council and gave Mr. Bannon a permanent \nseat at the table, while removing the chairman of the Joint \nChiefs of Staff and director of National Intelligence. This is \nat least--I mean, it causes us to--we should wonder about this \nand question it.\n    Do you--if--you may have answered this earlier. If somebody \nis under criminal investigation--and I know that we now have a \nliaison. Tell me how that works, a criminal liaison to try to \nwork with--what happens when you find out somebody is under \ncriminal investigation?\n    Mr. Phalen. Depending what the criminal--criminal \ninvestigation is and the immediate seriousness of the nature, \nwe may immediately contact the requesting agency that is asking \nfor the clearance to give them sort of a heads-up that this is \nout there. And they may or may not determine at that point they \nwant to terminate the request for a clearance. 
Otherwise, we\'ll \ncontinue the investigation.\n    The fact that--going further down the road, an adjudicator \nwould be faced with this question, this is an individual under \ncriminal investigation, it would be up to them to understand \nwhat that investigation is about and to make a judgment whether \nor not that investigation or what is surrounding it would be \ndisqualifying for access to classified information, whether--\nessentially, whether it shows an inability to be trusted to \nhold onto classified information.\n    Mr. Cummings. So, in other words, the person could still \nget a--get a clearance?\n    Mr. Phalen. Yes.\n    Mr. Cummings. And I would assume that if that person were \nthen later on convicted of an offense, then that probably his \nclearance would be withdrawn. Is that right?\n    Mr. Phalen. If----\n    Mr. Cummings. And who would do that?\n    Mr. Phalen. The organization that issued the clearance \nwould be the organization to rescind the clearance. And--based \non what they see. And they would make--and if it had already \nbeen issued, an individual is convicted, it would be up to that \norganization to determine whether or not that conviction has \nany impact on their ability to be trusted.\n    Mr. Cummings. My last question. The--I just gave some \nquotes that are attributed to Mr. Bannon. Would--I mean, if \nthey--if you were to raise--if those questions were raised, \nwould anyone go and then--and then the--say, Mr. Bannon, or \nwhoever may have said those kind of things, denied them, would, \nthen, you--would--would somebody go back to look to see if \nthose statements were made in other--in the periodicals, \nwhatever? And how might that affect the security clearance of \nthat person? Do you understand my question?\n    Mr. Phalen. I believe I do. 
We--if--if we--first, if we \nwere faced with an individual who had made statements that \nappeared to be counter to the United States, that would be an \nissue we would pursue with the subject themselves, to start \nwith. And to use your example, if that individual said, no, I \nnever really said that, I don\'t really feel that way, we would \nuse, to the best of our ability, whatever sources we can find \nto get to--to do issues resolution, to determine whether--what \nthe truth is, to the extent that we can, so that we can give as \nfull a picture as we can to the official that has to make that \nultimate decision.\n    Mr. Cummings. And if you discovered that, unequivocally, \nthat the person had not been honest with you, what might--\neffect that have?\n    Mr. Phalen. That would, again, be passed on to the \nadjudication authority, and they would have to determine \nwhether that makes a difference or not.\n    Mr. Cummings. Mr. Chairman, thank you for your indulgence.\n    Chairman Chaffetz. Thank you.\n    I\'ll now recognize the gentlewoman from New York, Mrs. \nMaloney.\n    Mrs. Maloney. Thank you, very much.\n    Chairman Chaffetz. Your microphone. Microphone.\n    Mrs. Maloney. You know, I\'m really concerned about \ncybersecurity. And if Congress is serious about helping \nagencies improve their cybersecurity, it must call on the \nPresident to rescind, in my opinion, his across-the-board \nhiring freeze. How in the world can you move forward if you \ncan\'t even hire the people that can do the job? Such--this \nfreeze that he\'s put in place, in my opinion, undermines the \nFederal Government\'s ability to recruit, develop, and maintain \na pipeline of cybersecurity talent that\'s needed to strengthen \nFederal cybersecurity. And if there was a field that didn\'t \nchange every 24 hours, it\'s cybersecurity. 
You have to get the \nyoungest, brightest, latest people that are involved in it.\n    So I am concerned about this freeze that he put in place, I \nthink it was roughly 2 weeks ago. And he\'s taken other steps \nthat will make it more difficult for Federal agencies to \nimprove the area of cybersecurity. So I--and then he issued \nthis memoranda ordering across-the-board hiring freeze in the \nFederal Government. And I want to quote from it. And I quote: \n``As part of this freeze, no vacant positions existing at noon \non January 22, 2017, may be filled, and no new positions may be \ncreated.\'\'\n    So it seems to me that when it comes to improving \ncybersecurity, a hiring freeze is one of the most \ncounterproductive policies that you could ever put in place.\n    And after the 2015 cybersecurity at OPM, Federal CIO Tony \nScott and then OMB Director Shaun Donovan put in place a \ncybersecurity strategy and implementation plan for the entire \ngovernment. And I quote: ``The vast majority of Federal \nagencies cite a lack of cyber and IT talent as a major resource \nconstraint that impacts their ability to protect information \nand assets.\'\'\n    And so I\'d just like to ask Mr. DeVries, as the CI--CIO of \nOPM, can you highlight some of the challenges that OPM has \nfaced when it comes to recruiting and hiring cybersecurity \nspecialists? And, obviously, you can\'t do anything if you can\'t \nhire anybody. So could you give us some insights there?\n    Mr. DeVries. Thank you very much for that question. That is \na--that is pertained to OPM. It\'s pertained to the Federal \nworkspace and the Federal cybersecurity and IT professionals. \nThat is a concern to all of us of how do I keep the pipeline \ncoming in there.\n    I will tell you, from my experience just coming onboard in \nOPM in September, we have, for example, five hiring actions out \nthere, and we had about a 60 percent--we did not get to them \nfast enough before they went someplace else. 
We have completed \nthat. We have filled those things. But, again, that\'s our \nchallenge across the Federal spaces, how do I recruit and \nretain these folks.\n    I will tell you, it comes from the passion of the heart. \nThey come onboard. If I give them meaningful experiences, \ntraining they will stay. I think we\'re also working across the \nFederal space of how do I help improve the rotation, if you \nwill, from Federal service back to industry and then back in \nagain. We need to make--we have made strides on it. We need to \ncontinue to work on that together.\n    Mrs. Maloney. Well, I--I\'ve got to say that cybersecurity \nis really tied to the security of the Nation. And I think--I \ndon\'t see how you can do your job if you can\'t hire people.\n    So I would respectfully like to request that the chairman \nthink about maybe asking for a waiver for the cybersecurity \narea in hiring. Number one, as Mr. DeVries pointed out, it\'s \nhard to hire them, because they\'re in great demand all over the \ncountry right now, that is a prime focus of the country. And so \nwe need to work in this for the good of the country.\n    And I--we\'re all individuals. I\'m going to write the \nPresident my own letter and request that he waive it for the \narea of cybersecurity.\n    But can you just go over some of the agencies, how does \nthis hinder your ability and capability to improve when it \ncomes to securing IT systems when you\'re not able to hire \npeople? How does this affect you?\n    Ms. McGettigan. Congresswoman, in terms of the hiring \nfreeze, this is a 90-day freeze, and there are many exemptions \nto that freeze, primarily in terms of national security, public \nhealth, and public safety.\n    Mrs. Maloney. But isn\'t this national security, \ncybersecurity?\n    Ms. McGettigan. Well, agency heads are able to make that \ndetermination and to exempt those positions that are deemed to \nbe national security.\n    Mrs. Maloney. 
So that\'s taken care of?\n    Ms. McGettigan. If they are not--if they have a position, a \ncybersecurity position, that they would not feel was national \nsecurity, they can come to OPM and we will review their request \nfor an exemption from that.\n    Mrs. Maloney. Have any people asked for exemptions?\n    Ms. McGettigan. At this point, no. I\'m not aware \nspecifically that anyone has come into OPM. I haven\'t seen any \nrequests.\n    Mrs. Maloney. Okay. My time has expired. Thank you.\n    Chairman Chaffetz. Thank you.\n    Just a few wrap-up questions.\n    Mr. DeVries, could you please provide the committee all the \nNCAPs or other pen test reports conducted in the last year? Is \nthat something you can provide the committee?\n    Mr. DeVries. Yes, sir, we can.\n    Chairman Chaffetz. Okay. Thank you. We appreciate it if \nyou\'d do that.\n    And then, Mr. Phalen, one of the--one of the sad realities \nof what happened when Director Archuleta was in place is this \nhack had legacy systems online that dated back to 1985. And my \nunderstanding is, even if you applied for a job and didn\'t get \na job with the Federal Government, and you did it after 1985, \nyou might have been in that system.\n    What are you doing to take sort of the nonactive records so \nthey\'re not online and, thus, accessible to some hacking? Have \nyou made any adjustments there?\n    Mr. Phalen. To be honest, sir, I don\'t know. I know we have \ndone a tremendous amount, you\'ve heard it earlier today, in \nsecuring the systems. And I\'m very comfortable that we have \nboth the barriers on the front end and the ability to, my \nwords, fight sort of an active shooter online on the network, \nshould it appear. I don\'t believe we\'ve taken a tremendous \namount of this and put it offline, because it is--it needs to \nbe accessible for any future work that we do.\n    Chairman Chaffetz. To a degree. 
I mean, you know, if \nsomebody retired in 1991 and then all of a sudden we have a \nhack in 2014, it does kind of beg the question why is that \nsystem--Mr. Halvorsen looks like he has something.\n    Mr. Halvorsen. Yes. The new system will have tiered storage \non it both in terms of what\'s live, what goes back, and it will \ntake into consideration some of the things you said. If you are \noffline for a while, that will go into a different storage \nsystem, and it will be much harder to access.\n    Chairman Chaffetz. It just--it seems like one of the \nlessons we should have learned for the nonactive employees--\nagain, there may be a period of time. You all are more experts \non it than we are, but after a certain amount of time, maybe it \nshould be, you know, more sitting in some mountain somewhere as \nopposed to online.\n    Two last questions. Who\'s in charge? When there\'s conflict, \ndisagreement, when there is an attack, who ultimately is in \ncharge?\n    Mr. Chase. So through my program, we actually have a \nprocess that we implemented based on the lessons learned from \nthe 2015 breach, and there is a communication path that routes \nup into the director\'s office through the CIO with the severity \nand any data or details related to that incident.\n    Chairman Chaffetz. So who--who is in charge?\n    Mr. Chase. So----\n    Chairman Chaffetz. Who ultimately makes the hard decision \nif there\'s a disagreement, a question? You\'ve got the DOD. \nYou\'ve got OPM. Something\'s not--who is the ultimate \ndecisionmaker?\n    Mr. DeVries. So I\'d like to take that on. If it\'s on the \ncurrent system that OPM and I, as the CIO, am responsible for, \nI do that.\n    Chairman Chaffetz. Okay.\n    Mr. DeVries. On the new system, within the NBIS, as we \ntransition to it, DOD will.\n    Chairman Chaffetz. Okay. So that would be Mr. Halvorsen or \nwhoever his replacement is?\n    Mr. DeVries. Correct.\n    Mr. Halvorsen. 
That is correct.\n    Chairman Chaffetz. Okay. Last question. Mr. Halvorsen, you \nhave the freedom of retirement there running around the corner \nhere. So given that, your years of service, your perspective, \nyour expertise, summarize for us, what should the Congress \nunderstand? What are your greatest frustrations and concerns \nand your best suggestions that you can offer us?\n    Mr. Halvorsen. Well, first, I\'ll thank Congress. As you \nknow, working through many of the members here, we did get the \ncyber excepted service law, which I do think was the first \nthing that we needed to get done to recruit and move past some \nof the things that were blocking our ability.\n    I do think we are going to have to reevaluate the pay scale \nfor cybersecurity personnel and some other key positions. We do \nrely on patriotism. We can recruit people a lot for that, but \nthe pay disparities are getting out of hand. I mean, I will \ntell you, I have lost six or seven people this year, very good, \nbasically, because they could not anymore turn down the offers. \nAnd I can\'t counsel them against that after a certain point.\n    Chairman Chaffetz. I\'m totally convinced that you\'re right. \nAnd I hope that this Congress--I plan on helping to champion \nsome legislation to give more realistic assessment to provide \nthat flexibility, because I do think you\'re right.\n    Mr. Halvorsen. And I think the other more most important \nthing that we do, and I have said this before, I will keep \nsaying it, I do think the secret weapon of our country is, to \nkeep our security, keep our edge in warfighting is better use \nof our industry and commercial mobility and agility.\n    You have seen--we talk about this in DOD. We are embarking \nto bring as much commercial into these activities. We are doing \nit with this system as the build of the new. 
We need to \ncontinue that, and we need to continue that against--across the \nforeign government--I mean, across the Federal Government \nspace. That also means we will have to work and raise the bar \nfor industry on security.\n    While I\'ll be the first to say that DOD included, we have \nto get better in our security practices. And I am heartened by \nwhat I see in my discussions with the commercial community. \nThey are starting to take that to heed, and we are seeing a \nrise in their ability to protect data. We need to encourage \nthat and open up our dialogue with the commercial sector on how \nbest to do that and share more information.\n    Chairman Chaffetz. Thank you, again, Mr. Halvorsen. We \nthank you for your service, and we wish you nothing but the \nbest of luck in whatever your future endeavors take you. And \nthank you again for your service.\n    Let me recognize Mr. Cummings, and we\'ll close the meeting.\n    Mr. Cummings. Thank you. Thank you. I want to thank all of \nour witnesses for being here today. You certainly have been \nextremely helpful. And I want to--you know, I just hope that \nthe--I want to express my appreciation to all the people that \nwork with you, because I know that you all have teams of people \nwho give their blood, their sweat, their tears, because they \nwant America to remain the greatest country in the world.\n    Mr. Halvorsen, again, I want to join in with the chairman \nand thank you for your service.\n    I have a brother who is a former Air Force officer, who is \nnot a cyber expert, so he talks to me all the time about the \ndemand for these folks who are good. I also have sat on the \nNaval Academy Board of Visitors for the last 12 years. 
And one \nthing that we\'ve done in the Naval Academy it\'s now mandatory \nthat every student have--I know you probably already know \nthis--have extensive cyber lessons as part of our curriculum, \nand so we see the significance of it.\n    I want to ask you this: One of the things that we wrestle \nwith is Federal employees feel that they are under attack \nconstantly. We\'ve seen recently where all kinds of measures \nhave been put forth that really make them feel pretty insecure. \nAnd I\'m just wondering, how do you--I mean, first of all, talk \nabout, briefly, the people that you\'ve worked with and what \nthey bring to the table. Because a lot of people, I think, get \nthe impression sometimes that the people who work for the \nFederal Government are not giving a lot and not giving their \nbest and not feeding their souls, as I often say.\n    I just want--you know, you\'re on your way out. You\'ve had \nan opportunity to work with a lot of people. And I\'m sure one \nof the saddest parts is probably a bittersweet thing, you \ncreated a family. I always tell my children that whenever you \nget a job, you also create a family of people who are looking \nout for you and who care about you and who you--sometimes \nyou\'re with more than you\'re with your own family.\n    So could you just talk about some of the, just generally, \nthe people that you\'ve worked with, sir? Because I know that \nyou could not have done what you\'ve been able to accomplish \nwithout a support system. If you might, just very briefly.\n    Mr. Halvorsen. Well, you know, I will tell you, having both \nbeen in the military and in Federal service, highest respect \nfor the Federal workforce. They do exceptional work. They put \nin a lot of hours. They do their best on everything they can \ndo. But I\'m also going to comment, I see that also in the \ncommercial workspace when I bring the people in. I do think \nthis is a leadership issue. 
And if you make your--any of your \nemployees, whether they\'re Federal, military, or commercial, \nfeel a part of the team and you listen to that team, they will \ngive you everything they\'ve got to get--to get the work done. \nAnd that--I have 37 years, that\'s what I have seen in the \nFederal Government and in that workspace.\n    Mr. Cummings. And I think when you show people that you \ntruly care about them--not just about them, but their families \nand their welfare--I tell the people that come to work with us \non the OGR, if they are not better when they leave me, then \nI\'ve failed. In other words, if they are--their skill level is \nnot higher, if they\'re not more proficient, if they\'re not more \neffective and efficient, then I\'ve done something wrong. \nBecause I want to invest in them. Because I want to be a part \nof their destiny. I want to touch their futures. Even when I\'m \ndancing with the angels, I want to know that they\'ve gone on to \ndo great things, because our Nation really needs the very, very \nbest.\n    And so I can tell you that working with the chairman, we \nsaw that. We--in working with the--then I\'ll be finished. I \ngive the chairman a lot of credit, because when we looked at \nthe Secret Service, he and I made a concerted effort to say to \nthe Secret Service we wanted the elite of the elite. We wanted \nthe very, very best, and we wanted to create that culture.\n    And I think we\'re moving toward this, Mr. Chairman. I don\'t \nknow that we\'ve gotten there yet, but we\'re trying to get \nthere. But--and we\'ve done that in a number of agencies in a \nbipartisan way.\n    And, again, I just--you know, the only reason I raise the \nquestion, Mr. Halvorsen, is because I just want the public to \nbe reminded that, you know, there\'s a vast array of Federal \nemployees that keep our country the great country that it is.\n    And, again, I want to thank all of you and everybody who \nback you all up for doing what you do. 
And, now, we still have \na lot of work to do, as you\'ve all made very, very clear, but I \nbelieve that, you know, we can--we can get it done.\n    And thank you, Mr. Chairman.\n    Chairman Chaffetz. Thank you. And thank you all. And please \nlet them know, the men and women who work within your \ndepartments and groups, how much we do appreciate it. It\'s a \ntough job, but it\'s a very important job, and we do appreciate \nit.\n    Thank you. The committee stands adjourned.\n    [Whereupon, at 11:28 a.m., the committee was adjourned.]\n\n\n                                APPENDIX\n\n                              ----------                              \n\n\n               Material Submitted for the Hearing Record\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n\n                                 [all]\n</pre></body></html>\n'