[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]


 IMPROVING SECURITY AND EFFICIENCY AT OPM AND THE NATIONAL BACKGROUND 
                         INVESTIGATIONS BUREAU

=======================================================================

                                 HEARING

                               BEFORE THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            FEBRUARY 2, 2017

                               __________

                           Serial No. 115-12

                               __________

Printed for the use of the Committee on Oversight and Government Reform





         Available via the World Wide Web: http://www.fdsys.gov
                       http://oversight.house.gov
                       
                       
                               __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
26-358 PDF                  WASHINGTON : 2017                     
          
                       
                       
              Committee on Oversight and Government Reform

                     Jason Chaffetz, Utah, Chairman
John J. Duncan, Jr., Tennessee       Elijah E. Cummings, Maryland, 
Darrell E. Issa, California              Ranking Minority Member
Jim Jordan, Ohio                     Carolyn B. Maloney, New York
Mark Sanford, South Carolina         Eleanor Holmes Norton, District of 
Justin Amash, Michigan                   Columbia
Paul A. Gosar, Arizona               Wm. Lacy Clay, Missouri
Scott DesJarlais, Tennessee          Stephen F. Lynch, Massachusetts
Trey Gowdy, South Carolina           Jim Cooper, Tennessee
Blake Farenthold, Texas              Gerald E. Connolly, Virginia
Virginia Foxx, North Carolina        Robin L. Kelly, Illinois
Thomas Massie, Kentucky              Brenda L. Lawrence, Michigan
Mark Meadows, North Carolina         Bonnie Watson Coleman, New Jersey
Ron DeSantis, Florida                Stacey E. Plaskett, Virgin Islands
Dennis A. Ross, Florida              Val Butler Demings, Florida
Mark Walker, North Carolina          Raja Krishnamoorthi, Illinois
Rod Blum, Iowa                       Jamie Raskin, Maryland
Jody B. Hice, Georgia
Steve Russell, Oklahoma
Glenn Grothman, Wisconsin
Will Hurd, Texas
Gary J. Palmer, Alabama
James Comer, Kentucky
Paul Mitchell, Michigan

                   Jonathan Skladany, Staff Director
                    William McKenna, General Counsel
                      Julie Dunne, Senior Counsel
                         Michael Flynn, Counsel
                    Sharon Casey, Deputy Chief Clerk
                 David Rapallo, Minority Staff Director
                            
                            
                            C O N T E N T S

                              ----------                              
Hearing held on February 2, 2017

                               WITNESSES

Ms. Kathleen McGettigan, Acting Director, U.S. Office of 
  Personnel Management
    Oral Statement
    Written Statement
Mr. David DeVries, Chief Information Officer, U.S. Office of 
  Personnel Management
    Oral Statement
Mr. Cord Chase, Chief Information Security Officer, U.S. Office 
  of Personnel Management
    Oral Statement
Mr. Charles Phalen, Director, National Background Investigations 
  Bureau
    Oral Statement
Mr. Terry Halvorsen, Chief Information Officer, U.S. Department 
  of Defense
    Oral Statement
    Written Statement

                                APPENDIX

February 9, 2016, Worldwide Threat Assessment by Mr. James 
  Clapper, submitted by Mr. Lynch
Response from the Office of Personnel Management to Questions for 
  the Record

 


                       Thursday, February 2, 2017

                  House of Representatives,
              Committee on Oversight and Government Reform,
                                                   Washington, D.C.
    The committee met, pursuant to call, at 9:02 a.m., in Room 
2154, Rayburn House Office Building, Hon. Jason Chaffetz 
[chairman of the committee] presiding.
    Present: Representatives Chaffetz, Jordan, Amash, Massie, 
Meadows, DeSantis, Ross, Blum, Hice, Grothman, Hurd, Palmer, 
Comer, Mitchell, Cummings, Maloney, Lynch, Connolly, Kelly, 
Lawrence, Plaskett, Demings, Krishnamoorthi, and Raskin.
    Chairman Chaffetz. The Committee on Oversight and 
Government Reform will come to order.
    And without objection, the chair is authorized to declare a 
recess at any time.
    I appreciate you all being here. We have a very important 
hearing. We have a number of members that, I'm sure, will be 
here but will be a little bit late. There is the National 
Prayer Breakfast, and getting across town at this time of day 
is a very difficult task, so----
    But, nevertheless, I'm glad to have you here and look 
forward to this important hearing.
    Two years ago, the Office of Personnel Management suffered 
one of the most damaging data breaches in the history of the 
Federal Government. This went on for some time, and there are 
still additional details that need to be learned.
    But the counterintelligence value of the data that was 
stolen will last for an untold amount of time, a generation or 
so. So it troubles me to hear reports that maybe some of the 
things that led to this haven't necessarily been changed at the 
Office of Personnel Management.
    We have a number of questions that I think we need to 
explore. For example, are legacy systems still in use for 
backup investigations? Is OPM employing good cybersecurity 
practices such as dual factor authentication and network 
segmentation? What is the plan to transition all of OPM's 
systems off this legacy technology? When will OPM stop using 
unsecured and vulnerable legacy technologies such as COBOL and 
start using maybe some modernized solutions that can be put on 
the cloud?
    How is OPM protecting the inside of the network and not 
just building the cyberwalls higher? Will OPM adopt a zero-
trust model as part of their cybersecurity strategy? You can't 
steal what you can't access, and a zero-trust model makes life 
much harder for the hackers. These are some of the questions 
we'll continue to ask and explore.
    We said it in the committee's data breach report, and I'll 
say it again, chief information officers matter. They really do 
matter. That's why we have two of them on the panel today. 
Federal agencies, particularly CIOs, must recognize their 
positions are on the frontline of defense against these cyber 
attacks. And as the government, we're on notice. Leadership at 
the Federal agencies must be vigilant about the ever-present 
national security threats targeting their IT systems. And 
especially in OPM's case where the IT systems are protecting 
some of the most vulnerable information held by the Federal 
Government.
    The National Background Investigation Bureau, also known as 
NBIB, N-B-I-B, was partly born from the failures at the Office 
of Personnel Management. When OPM last testified before the 
committee, in February of 2016, the NBIB had just been 
announced. During the hearing, questions were raised about the 
accountability and how this new organization would operate 
given the split responsibilities with OPM overseeing the NBIB 
and the Department of Defense overseeing the IT security of the 
NBIB.
    Today, we'd like answers to those questions and assurances 
that we're moving in the right direction and also, as to when 
the new organization will be fully operational with a secure IT 
environment.
    Was the creation of the NBIB simply a rebranding effort, or 
does the NBIB represent real change? At our last hearing, we 
talked about how the many security clearance processes failed 
to check social media information of the applicants. The day 
before our follow-up hearing in May of 2016, the director of 
National Intelligence issued a new policy permitting the 
collection of publicly available social media information in 
certain cases. We'd like to understand how this policy is being 
implemented and if it is effective.
    Finally, the clearance process seems to be getting worse 
while the reform process continues. My understanding is at 
least--based on an OPM management memo of October 2016, there's 
a backlog--at least then--there was a backlog of 569,000 cases. 
That's quite a list. It does beg the question as to why we have 
to have so many background checks, but where are we at in terms 
of the backlog? And why, despite all the reform activities, is 
the clearance process taking longer?
    In fiscal year 2015, it took an average of 95 days to 
process a secret clearance and 179 days for a top secret 
clearance. In fiscal year 2016, it took an average of 166 days 
to process a secret clearance and 246 for a top secret 
clearance. That's quite a jump in the timeline that it takes in 
order to get there.
    More than a decade ago, the security clearance data and 
processes were transferred from the Department of Defense to 
OPM, and now there's talk of transferring this process back to 
the Department of Defense. We also have the newly created NBIB 
where OPM and DOD have a shared responsibility. And we need to 
get this right, make sure that we have stopped just moving the 
organizational boxes around.
    As we continue our oversight of the transition of 
responsibilities from OPM to the NBIB, we need to continue to 
ask about the efficiency and making sure, at the end of the 
day, that we're protecting and securing the United States of 
America.
    So there are a tremendous amount of number of people that 
are working on IT issues. We will have additional hearings and 
discuss that.
    I personally do believe--and this is--at some point, I 
would like to draw this out from you--attracting and retaining 
IT professionals has got to be a challenge for the government. 
It's a challenge in the private sector. It's a challenge across 
the board.
    I was fortunate enough to have a newly minted son-in-law, 
who is in the IT field. And the opportunities for him for 
employment were unbelievable. I've never seen anything like it, 
which is good as his father-in-law. That's a good thing.
    But on a serious note, I do think we have to address, on 
the whole of government--not just this particular field, but 
the whole of government--how do we attract and retain IT 
professionals, because we do need so many of them, and there's 
so much vulnerability for the country as a whole.
    So this is an important hearing, and I appreciate you being 
here. And now I'd like to recognize the ranking member, Mr. 
Cummings.
    Mr. Cummings. Thank you very much, Mr. Chairman. I want to 
thank you for calling this hearing.
    And as I listen to you talk about the IT people, Mr. 
Chairman, this is very important that we all let Federal 
employees know how important they are, and that we do 
everything in our power to provide them with the types of 
salaries and work security that they need. That's one of the 
things that would help to attract them and keep them.
    Today's hearing is on the process our Nation uses to 
conduct background checks for Federal employees, who are 
seeking very important security clearances so they can have 
access to our most guarded secrets.
    This hearing could not come at a more critical time. 
Yesterday, I sent a letter requesting a Pentagon investigation 
of the President's national security adviser, Lieutenant 
General Michael Flynn, for his potentially serious violation of 
the United States Constitution. I was joined by the ranking 
members of the committees on Armed Services, Judiciary, 
Homeland Security, Foreign Affairs, and Intelligence.
    General Flynn has admitted that he received payment to 
appear at a gala in December of 2015 hosted by Russia Today, 
that country's State-sponsored propaganda outlet.
    During that event, General Flynn dined with Russian 
President, Vladimir Putin. As our letter explains, the 
Department of Defense warns its retired officers that they may 
not accept any direct or indirect payment from foreign 
governments without congressional approval, because they 
continue to hold offices of trust under the emoluments clause 
of the United States Constitution.
    On January 6, intelligence officials issued their report 
detailing Russia's attack on the United States to undermine our 
election. This report concluded with high confidence that the 
goal was to, quote, ``undermine public faith in the United 
States' democratic process,'' end of quote.
    This report described as, quote, ``The Kremlin's principal 
international propaganda outlet,'' end of quote. It explained--
and I quote--that ``The Kremlin staffs RT and closely 
supervises RT's coverage recruiting people who can convey 
Russian strategic messaging because of their ideological 
beliefs,'' end of quote.
    It is extremely concerning that General Flynn chose to 
accept payment for appearing at an event hosted by the 
propaganda arm of the Russian Government at the same time that 
the country was engaged in an attack against this Nation in an 
effort to undermine our election. Something is wrong with that 
picture.
    But it is even more concerning that General Flynn, who 
President Trump has now chosen to be his national security 
adviser, may have violated the Constitution in the process. We 
do not know how much General Flynn was paid for this event and 
for his dinner with President Putin, whether it was $5,000, 
$50,000, or more. We don't know. We do not know whether he 
received payments from Russian or other foreign sources or on 
separate occasions or whether he sought approval from the 
Pentagon or Congress to accept these payments. We don't know.
    Related to today's hearing, we do not know what effect this 
potentially serious violation of the Constitution should or 
will have on General Flynn's security clearance.
    Security clearance holders and those applying for security 
clearances are required to report their contacts with foreign 
officials. We do not know what, if anything, General Flynn 
reported about his contacts with officials from Russia or other 
countries. We do not know if he reported this one payment or 
any other payment he may have received. These are the questions 
that need to be answered.
    We also have questions about the individuals who may seek 
to join the administration and obtain access to classified 
information while they are currently under investigation.
    For example, there have been reports that President Trump's 
former campaign chairman, Paul Manafort, has been advising the 
White House recently while at the same time he's, reportedly, 
under FBI investigation for his dealings with Russian 
interests. We want to know how security clearances are handled 
if the existing clearance holders or new applicants are under 
criminal investigation. Does the FBI allow these individuals to 
continue to have access to classified information, or is there 
a process to place a hold on someone's clearance or application 
until the investigation resolves the questions?
    Finally, President Trump claims that Democrats only became 
interested in Russian hacking for political reasons and that, 
for example, we have no interest in cyber attacks against OPM. 
He stated, and I quote, ``They didn't make a big deal of 
that,'' end of quote.
    The President is one million percent wrong. I and other 
Democrats worked aggressively on this committee's investigation 
of the attacks on OPM. We held multiple hearings, including one 
that I requested. We conducted extensive interviews and 
briefings with key witnesses. We reviewed more than 10,000 
pages of documents, and we issued two reports from the majority 
and minority staff.
    I called for expanding our investigation to other agencies, 
including the State Department, the postal service, which were 
both attacked.
    I called for investigating the cyber attacks on financial 
institutions like JPMorgan Chase. Our intelligence agencies had 
warned us--I called for investigating the cyber attacks on the 
Nation's biggest for-profit hospital chain, Community Health 
Systems, which had the largest hacking-related health 
information breach ever reported.
    And I called for investigating the cyber attacks on retail 
companies, including Home Depot, Target, and Kmart. So the 
President's claim that we are focusing on Russia's hacking for 
political reasons is ludicrous. Our intelligence agencies have 
warned us that if we do not act now, our adversaries, including 
Russia, are determined to strike again. We need to get answers 
to these questions immediately, and I thank all of our 
witnesses for being with us today.
    And, again, Mr. Chairman, I thank you for this hearing. And 
I yield back.
    Chairman Chaffetz. I thank the gentleman.
    We'll hold the record open for 5 legislative days for any 
members who would like to submit a written statement.
    I now would like to recognize the panel of witnesses. We're 
pleased to welcome Ms. Kathleen McGettigan, who is the acting 
director of the United States Office of Personnel Management.
    Ms. McGettigan is accompanied by David DeVries--DeVries, 
sorry--chief information officer of the United States Office of 
Personnel Management; Mr. Cord Chase, chief information 
security officer at the United States Office of Personnel 
Management, and Mr. Charles Phalen, director of the National 
Background Investigations Bureau, or NBIB. Their expertise on 
this issue will be very important to this subject matter, so 
they will all--everybody will be sworn in.
    We're also honored to have Mr. Terry Halvorsen, who is the chief 
information officer at the United States Department of Defense. 
It's my understanding Mr. Halvorsen is retiring at the end of 
the month, and we could think of no better gift for you than 
having to testify before Congress.
    It's such a joy. I know you're looking forward to it 
personally. So happy birthday, Merry Christmas, and happy 
retirement for coming to testify before Congress. But we thank 
you, sir, for your----
    Mr. Halvorsen. Thank you.
    Chairman Chaffetz. --for your service to this country and 
at the Department of Defense. And we really do appreciate your 
expertise and look forward to hearing your testimony. And we 
wish you well.
    And, again, thank you for your service and your willingness 
to be here today. You probably could have squirmed out of this 
one if you really wanted to, but you stepped up to the plate 
and took this assignment, so thank you, sir, for being here.
    Again, we welcome you all. Pursuant to committee rules, all 
witnesses are to be sworn before they testify. So if you would 
please rise and raise your right hand.
    Do you solemnly swear or affirm that the testimony you are 
about to give will be the truth, the whole truth and nothing 
but the truth, so help you God?
    Thank you. You may be seated. Let the record reflect that 
the witnesses all answered in the affirmative.
    Your entire written statement will be made part of the 
record, but we would appreciate it if you could keep your 
comments to 5 minutes. And like I said, your whole record--your 
whole testimony and any supplements you have will be made part 
of the record.
    Ms. McGettigan, you are now recognized for 5 minutes.

                       WITNESS STATEMENTS

                STATEMENT OF KATHLEEN MCGETTIGAN

    Ms. McGettigan. Good morning, Mr. Chairman, Ranking Member, 
and distinguished members of the committee. Thank you for the 
opportunity for my colleagues and myself to testify on behalf 
of the Office of Personnel Management.
    As you said, I am joined today by Mr. Charles Phalen, the 
director of the National Background Investigations Bureau, Mr. 
Dave DeVries, OPM's chief information officer, and Mr. Cord 
Chase, OPM's chief information security officer.
    While I am presently the acting director of OPM, I do have 
over 25 years of service at the agency.
    OPM recognizes how critical the topics of today's hearing 
are to the Federal Government and to our national security, and 
I look forward to our having a productive conversation about 
the NBIB transition, the security clearance process, and 
information technology security.
    As you know, the NBIB was established on October 1st, 2016, 
and is the primary provider of background investigations for 
the Federal Government.
    Charlie has a distinguished career in multiple roles at 
senior levels in the Federal Government and private industry. 
His career has been focused on national security. His 
experience includes serving in capacities at the CIA, including 
as director of security and with the FBI as assistant director 
leading its security division.
    NBIB is designed with an enhanced focus on national 
security, customer service, and continuous process improvement. 
Its new organizational structure is aimed at leveraging record 
automation, transforming business processes, and enhancing 
customer engagement and transparency.
    In late 2014, OPM's market capacity for contract 
investigation services was drastically reduced by the loss of 
OPM's largest field contractor. This resulted in an 
investigative backlog. This backlog was exacerbated by the 
cybersecurity incidents at OPM that were announced in 2015.
    Looking forward, it is an NBIB priority to address the 
investigative backlog while maintaining a commitment to 
quality.
    To accomplish this, NBIB is focusing efforts in three 
primary areas: First, we are working to increase capacity by 
hiring new Federal investigators and increasing the number of 
investigative field work contracts.
    Second, NBIB is focusing on policy and process changes to 
ensure efficient operations.
    Third, NBIB has actively worked with customer agencies to 
prioritize the cases that are most critical to our national 
security.
    Information technology also plays a central role in NBIB's 
ability to enhance the background investigation process. While 
still in development, NBIB's new system, NBIS, will be operated 
and maintained by DOD on behalf of NBIB.
    On OPM's behalf, this effort is being led by our new chief 
information officer, David DeVries. Dave joined us in September 
of 2016. He is the DOD's principal deputy CIO, and he has a 
strong relationship with his former agency.
    As we work to strengthen the infrastructure and security of 
NBIB, we are also working on fortifying our entire technology 
ecosystem.
    As the Federal Government modernizes how it does business, 
OPM has focused on embracing new tools and technology to deliver 
optimum customer service and enhanced security.
    OPM enhanced its cybersecurity efforts from multiple 
angles. We have added cybersecurity tools and security updates. 
We've implemented staff and agencywide training, we've hired 
critical personnel, and, finally, we continue to collaborate 
with our interagency partners.
    Touching on efforts I've just outlined, our cybersecurity 
tools and security updates include 100 percent multifactor user 
authentication to access OPM's network. This is done via the 
use of PIV cards and major IT system compliance initiatives. 
Furthermore, OPM recognizes that cybersecurity is not just 
about technology, but it is also about people.
    OPM has added seasoned cybersecurity and IT experts to its 
already talented team. OPM has hired a number of new senior IT 
managers and leaders and realigned and centralized its 
cybersecurity program and resources under the chief information 
security officer. In this capacity, Cord is responsible for 
taking the steps necessary to secure and control access to 
sensitive information. OPM also strengthened its threat 
awareness by enrolling in multiple information and intelligence 
sharing programs.
    In conclusion, the necessary key partnerships and plans 
have been developed to build out NBIB and improve the security 
and efficiency of OPM's IT systems. These structural and 
process improvements will enable us to improve timeliness, 
reduce the background investigation. Equally productive is the 
CIO's holistic approach which ranges from bringing on qualified 
personnel to adopting new tools and procedures that enhance the 
security of OPM's networks and data.
    Thank you for the invitation to testify before you today, 
and we welcome any questions you may have.
    [Prepared statement of Ms. McGettigan follows:]
    
    Chairman Chaffetz. Thank you. Thank you for your testimony.
    Mr. DeVries, you are now recognized for 5 minutes.
    My understanding is maybe yourself, Mr. Chase, and Mr. 
Phalen, I don't know if you have opening statements or if you 
care to say anything, but I'll recognize each of you. If you 
don't have anything, we'll just--Mr. DeVries, do you have----

                   STATEMENT OF DAVID DEVRIES

    Mr. DeVries. Thank you, Mr. Chairman.
    I'd like to just take this opportunity to thank you for the 
opportunity to come here. As the brief bio was read there, I 
did come from 30 years in the Army. I transitioned in in 2009 
to become a senior executive within DOD, and where I spent the 
last 2-1/2 years as the principal deputy for the DOD CIO.
    Broad range here, I was asked to come here to OPM and 
accepted that and arrived here in September of 2016. And it's a 
pleasure being here today, and I enjoy the opportunity to 
answer your questions here. Thank you.
    Chairman Chaffetz. Thank you.
    Mr. Chase.

                    STATEMENT OF CORD CHASE

    Mr. Chase. Thank you very much for the opportunity----
    Chairman Chaffetz. If you can all bring that--I'm sorry. 
You've got to bring the microphones up close, uncomfortably 
close to make sure we can all hear you.
    Mr. Chase. Again, thank you very much for the opportunity 
to speak today. One of the things that I want to make clear is 
I ran into the fire to help with the events that occurred in 
2015. In the rebuilding process, we've made a lot of 
advancements, but it's only to get us to a standard 
environment. By no means am I up here saying, we're successful 
or we've won anything, that we're doing our best to improve the 
environment to secure the information within OPM and NBIB.
    With that, there are quite a few items that I'd be happy to 
discuss with all of you on those improvements, and that's all I 
have at this point.
    Chairman Chaffetz. Thank you.
    Mr. Phalen.


                  STATEMENT OF CHARLES PHALEN

    Mr. Phalen. Thank you, Mr. Chairman. I'm happy to be here 
and join with you today in a good conversation on this.
    To echo a little bit what Ms. McGettigan mentioned, we are 
focused in our--as we begin our--or end our 4th month as an 
entity on three key things.
    One is recovering and increasing our capacity to do 
background investigations, improving our capability to gather 
information that is relevant to background investigations and, 
finally, working on those innovations that will help us in 
partnership with the security executive agent and the 
suitability executive agent to look at what an investigation 
will look like as we move down into the future.
    A key to this is building an organizational structure 
beyond what existed on September 29th and adding capabilities 
in terms of investments and in terms of innovation, and then 
very importantly, working in partnership with DOD as we build 
out an information technology systems that will be able to 
enhance and inform security investigations across our entire 
spectrum of about 100 customers across the Federal Government.
    With that, I'm very happy to be here. Thank you for the 
opportunity today.
    Chairman Chaffetz. Thank you.
    Mr. Halvorsen, you are now recognized for 5 minutes.


                  STATEMENT OF TERRY HALVORSEN

    Mr. Halvorsen. Good morning, Mr. Chairman, Ranking Member, 
and distinguished members of the committee. Thank you for the 
opportunity to testify before the committee today on the 
Department's information technology and cybersecurity support 
to the National Background Investigations Bureau.
    I am Terry Halvorsen, the Department of Defense chief 
information officer. You have my opening statement. I think 
most of you are familiar with my responsibilities, so in the 
interest of time, I'll cut this a little short.
    The department is responsible for the development and 
securing the NBIB IT systems. We have brought the full 
expertise of the department both in IT and cybersecurity 
resources to bear on this problem, and it is our objective to 
replace the current background investigations information 
system with a more reliable, flexible, and secure system in 
support of the NBIB.
    Defense information system under the DOD's CIO's oversight 
has established the National Background Investigations Systems 
Program Management Office to implement this effort. The PMO is 
responsible for the design, develop, and operation of the IT 
systems capabilities needed to support the investigative 
process to include ensuring that the cybersecurity protections 
and resiliency of these capabilities. The alignment of the 
systems under DOD assures we leverage all national security 
systems expertise and capability to protect the background 
investigation data. And I assure you, we are doing that.
    The Department has made significant headway on this 
important mission, since I previously testified before this 
committee last February, and we are on track to deliver the 
capabilities needed in an iterative fashion using DOD expertise 
and best industry practices.
    In fiscal year 2016, the Department funded preacquisition 
activities to better posture for official standup and funding 
in fiscal year 2017. I would like to thank Congress and members 
of this committee for supporting the Department's funding 
request for NBIB IT infrastructure and cybersecurity 
modernization. As you know, the fiscal year 2000 continuing 
resolution did include new start authority for the NBIB, and we 
thank you for that.
    Today, several of the NBIB's prototypes are enabling the 
Department to work with industry and other partners to discover 
capabilities that we will provide with a more efficient, 
effective, and secure background investigation system in the 
future.
    Throughout this process, we are actively partnering with 
industry, integrating commercial feedback into the process to 
ensure we are focusing on capabilities and keeping up with the 
changing pace of technology.
    I am pleased with the current progress on NBIS that the 
Department and our partners have made to date. I look forward 
to seeing what this organization will accomplish as it makes 
progress toward delivering several prototype capabilities by 
the end of fiscal year 2017 and an initial operating capability 
covering the full investigative process in the fourth quarter 
of 2018.
    This is an important opportunity for the Federal Government 
to strengthen the security of the IT infrastructure that 
supports the Federal background investigating process. This 
approach utilizes the Department's recognized IT cybersecurity 
expertise, best industry practices while maintaining a 
streamlined, centralized governmentwide approach to the 
investigative services that the NBIB provides today for more 
than 100 different Federal agencies.
    Thank you for this committee's continued support, and I 
look forward to your questions.
    [Prepared statement of Mr. Halvorsen follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chairman Chaffetz. Thank you.
    I would now like to recognize the gentleman from Texas, the 
chairman of the subcommittee on Information Technology, Mr. 
Hurd.
    Mr. Hurd. Thank you, Mr. Chairman. I want to thank you and 
the ranking member for the continued diligence on this 
important issue.
    Mr. Phalen, I've got some basic questions for you. Sorry 
for the basicness of the questions.
    You're in charge, right?
    Mr. Phalen. Yes, sir.
    Mr. Hurd. Do you have a technical background?
    Mr. Phalen. I do not have a technical background.
    Mr. Hurd. Who is the person directly reporting to you that 
is responsible for preventing another attack that we saw, like 
the one we saw a number of months ago?
    Mr. Phalen. So it is not a direct chain----
    Chairman Chaffetz. Sorry. Mr. Phalen, if you could move 
that microphone. Straighten it up and right--right up next--
there you go. Thank you.
    Mr. Phalen. There you go. Okay thank you.
    There's no one specifically in my chain of command that is 
immediately responsible. We rely on Mr. DeVries and Mr. Chase 
as the CIO and CISO to provide the security for the systems 
that we are operating today.
    Mr. Hurd. Copy.
    So Mr. Chase, you are in charge.
    Mr. Chase. That is correct, for cybersecurity.
    Mr. Hurd. Well, thank you for running into the fire.
    Mr. Chase. Thank you.
    Mr. Hurd. I recognize the difficulty of the task. In your 
brief remarks, you talked about the first step was getting OPM 
up to a baseline.
    Mr. Chase. Correct.
    Mr. Hurd. Can you take 90 seconds and explain that 
baseline?
    Mr. Chase. Sure. That's a good question. So one of the 
things, when I came on board, was to set an appropriate 
strategy and a pathway forward. So it was the stabilization 
phase. So we understood that there were quite a few systems 
that were out of compliance. So we knew that we had to take 
steps to get those back into compliance.
    We also had another layer of engineering tasks, which 
included network segmentation, making sure that we had the 
appropriate monitoring tools in place, and then the tuning 
process to support that.
    Throughout fiscal year 2016, we were able to get those 
accomplished but, again, to a standard baseline where we feel 
comfortable that we can control our environment and we 
understand where we were with the IT system boundaries and the 
IT system boundary inventories.
    Mr. Hurd. So of the IG, GAO, they've all done reviews, 
there's been a number of outstanding issues. Many of the 
outstanding issues for years had been on the IG report and the 
GAO high-risk report.
    Of those documents, how many of those vulnerabilities, that 
have been identified, are still outstanding?
    Mr. Chase. So there are still items that are outstanding, 
and we prioritized them based on their criticality----
    Mr. Hurd. What's the highest priority--highest priority 
vulnerability that's still outstanding?
    Mr. Chase. So the IT system compliance was the most 
significant vulnerability that was identified in the Fiscal 
Year 2016 FISMA report, as well as the IT security officer 
hiring process, which is something we were able to accomplish 
at the end of this year as well.
    Mr. Hurd. Good copy.
    You talked about segmentation. And we saw after the 
breaches in 2014 and 2015, the hackers were able to basically 
move, you know, without--with impunity through the network. And 
my question is what have you done to make life harder on the 
hackers that once they get past your defenses?
    And I will say my--you know, I begin with the presumption 
of breach, you give an attacker enough time, they have enough 
resources, they are going to get in, so what do you do once 
they get in, and how have you improved segmentation across the 
OPM network.
    Mr. Chase. So I consider it a level of effort, so I'm 
trying to make it as hard as possible for them to get in. 
Understanding that OPM is a customer-oriented agency and has to 
communicate. Some of the segmentation that we have done is 
identify all of our major systems and high-valued assets within 
our environment, as well as, all the privileged and 
nonprivileged users.
    We segmented those between each other and set the 
appropriate firewalls and monitoring tools to ensure that one 
can't get to the other and vice versa, and if there are 
attempts to get between the other, the other is stopped and 
flagged, and there's a follow-up with that event itself.
    Mr. Hurd. In my remaining minutes, I want to ask a 
question. And I don't mean to be indelicate. Why did we get to 
this situation? And I ask that question in order to learn from 
this experience so we can take those lessons learned and apply 
it across the Federal Government.
    Mr. Chase. So I'm going to say I came post breach, and I 
know there's quite a few lessons learned. There was a majority 
and minority reports issued, there's all the audits that were 
issued, and that's what I've been going off of and, again, 
trying to apply those to prioritize the next steps to be able 
to suppress the threat and the risks within OPM.
    Mr. Hurd. So why--you've been there now for enough time. 
You've seen the problems. You've probably been shocked by some 
of the deficiencies within the network. Why do you think that 
network got to where it was?
    Mr. Chase. I would say based on those reports and 
information that was put in front of me, there were systematic 
failures within OPM that led to it.
    Mr. Hurd. Mr. Chairman, I yield back.
    Chairman Chaffetz. I thank the gentleman.
    We'll now recognize the ranking member of the subcommittee 
on IT, Ms. Kelly from Illinois, for 5 minutes.
    Ms. Kelly. Thank you, Mr. Chair.
    And thank you all for your testimony here today. This is 
actually the committee's third hearing on the OPM data breach.
    The data breach compromised the information of millions of 
Federal employees. The committee responded almost immediately 
and did an extensive bipartisan investigation into the 
incident. In total, committee staff reviewed more than 10,000 
pages of documents, interviewed multiple witnesses, and had 
numerous briefings from both Federal and nonFederal entities. I 
applaud the work we have done on the OPM data breach, but I 
must address the elephant in the room.
    We are holding a hearing about hacking by a sophisticated 
actor, likely a State actor for a hack that occurred more than 
a year ago. But this committee has chosen not to take any 
action to investigate the recent Russian hacking and propaganda 
campaign to impact our election.
    Only last month, the NSA, FBI, and CIA concluded with a 
high degree of confidence that Russia successfully hacked 
groups throughout our Nation in an effort to influence our 
election. In the face of this report from our top intelligence 
agencies, we have done zero oversight into this issue. There's 
not been a single hearing or request.
    My wonderful chairman on the IT subcommittee asked Mr. 
Chase about lessons learned.
    Mr. Halvorsen, I would like to ask you about lessons 
learned after the vulnerabilities were exposed in the OPM data 
breach.
    Mr. Halvorsen. We certainly took the vulnerabilities that 
were exposed in the database, and I can assure you that both in 
the OPM legacy systems, the work they're doing today and in the 
new systems, we are taking those lessons learned and making sure 
that the systems we are building new are built from the ground 
up with cybersecurity baked in, and that we've assumed from the 
beginning that this system could be penetrated.
    So there's a condition we have that you might hear in the 
Navy termed, it's set conditions ZEBRA, it means close the 
watertight doors. We are making sure that the new system will 
be segmented enough that we can close the doors. Because 
there's two things you want to stop. Certainly, you want to 
stop people from getting in, but when they get in, you don't 
want your answer to be you've got to shut the system down. 
That's a victory.
    So we're designing this system so that we can fight--and 
that is the correct word--fight through any attempt to breach 
this system. And if we get breached, be able to block and 
contain and then eradicate any malware system loss that gets in 
here.
    Ms. Kelly. Thank you.
    Did the subsequent investigations help in understanding how 
things could be improved?
    Mr. Halvorsen. Absolutely.
    Ms. Kelly. Anybody else want to answer that?
    Mr. Halvorsen. Yes, they did.
    Ms. Kelly. And any of the other witnesses?
    Mr. Chase. I concur.
    Mr. DeVries. Concur.
    Ms. Kelly. Thank you.
    I believe these OPM investigations went a long way in 
assuring the American public that everything possible was being 
looked at to prevent this from happening again. But it is clear 
that politics have prevented this committee from being willing 
or able to do the necessary objective and nonpartisan oversight 
on the Russian attack. That's why I, and every one of my 
democratic colleagues in the House, have signed on to 
legislation to establish an independent bipartisan commission 
to investigate foreign interference in the 2016 elections. 
Thank you for your response.
    And, Chairman, I yield back.
    Chairman Chaffetz. Will the gentleman--gentlewoman yield 
first?
    Ms. Kelly. Of course.
    Chairman Chaffetz. As I've said publicly, and the 
gentlewoman should know, given that it involves sources and 
methods, the United States Congress is organized such that the 
House Intelligence Committee takes the lead on those things. We 
can investigate anything at any time, but I do have limits in 
that I cannot investigate sources and methods which clearly is 
the purview of the House Intelligence Committee.
    I would also suggest that we were the first committee to 
create a subcommittee specifically on information technology. 
We were the first to dive into the OPM data breach, and we have 
been pushing from the Department of Education and others to 
make sure that we do have the proper defenses in place. And to 
suggest that it's only one particular country would be naive at 
best. And it could be everything from a guy in a van down by 
the river down to a Nation State.
    Ms. Kelly. We know it was the Russians in this particular 
instance.
    Chairman Chaffetz. And I think that should be investigated. 
I have said as much publicly, and I've also--I think everybody 
should know, every Member of Congress should know that the 
House Intelligence Committee is really the only organization 
within Congress that is set up to be able to do that.
    Mr. Cummings. Would the gentlelady yield, please?
    Ms. Kelly. Yes, I will.
    Mr. Cummings. Very briefly, Congressman Swalwell and I, 
over a month ago--as a matter of fact, in December, filed a 
bill which asks that we have a 9/11-type investigation. And the 
reason why we did that is because we didn't want it to get 
mired in a political battle like the Benghazi Committee did, 
Select Committee.
    And it would be patterned after the 9/11 commission so that 
we would bring America's best experts to the table. It would be 
an equal number of Democrats, an equal number of Republicans, 
and that they would look at this thing carefully--and with the 
chair's indulgence, I need to explain this--and they would come 
back with recommendations. They would have subpoena power.
    Then we refiled that bill in January when the new session 
came in. Every single Democrat in the Congress signed on to 
that bill. Not one single Republican signed on. And one of the 
reasons why we did that is because we felt we didn't move to 
common ground; we need to move to higher ground, that this was 
such a serious attack on our democracy, and our election 
process, that it deserved that kind of attention. And so that 
bill is still out there. Only Democrats have signed on.
    One of the things we were concerned about is the chairman 
of the Intelligence Committee, Mr. Nunes, was a part of the 
transition team for President Trump. And we just felt that we 
needed to take the complete thing out and let an independent 
body do it. And I just wanted to explain that to the 
gentlelady.
    Thank you very much. And thank you for yielding. Nice job, 
by the way.
    Chairman Chaffetz. I'll now recognize the gentleman from 
Florida, Mr. DeSantis, for 5 minutes.
    Mr. DeSantis. Thank you, Mr. Chairman.
    Ms. McGettigan, I know after the OPM breach there's several 
months people were, kind of, notified. But I've had people, 
constituents, just wonder, I mean, what has been done to 
mitigate the potential damage to people whose files were 
compromised?
    Ms. McGettigan. Thank you for that question.
    We have entered into--in December, we entered into a 
contract and identity protection contract. We expanded the 
coverage that we already had. And we are moving toward having 
coverage for 10 years. The current contract covers all those 
affected by the two breaches, and it runs out in December of 
2018 during----
    Mr. DeSantis. What would that mean, just for somebody who 
had their stuff compromised?
    Ms. McGettigan. I'm sorry. We have identity protection 
services and credit monitoring. So people have received--people 
who were affected have received information on how to sign up 
for the credit monitoring, although they are covered by 
insurance whether they sign up or not.
    And currently, the ceiling on the insurance we have 
expanded to $5 million, and we are moving toward complying with 
congressional direction to have the contract go for 10 years of 
credit monitoring.
    Mr. DeSantis. Okay. Good. I mean, I think that we in this 
committee--and I applaud the chairman for being on this issue. 
And we hear about these other hacks and stuff. This was 
catastrophic. I mean, you're talking about these files with the 
amount of information that's there, and I had to go through it 
in the military, and other people, perhaps, you guys have gone 
through it, too, there is a lot, a lot of information there, 
and it's a massive vulnerability. So I hope that what's being 
done is going to be effective.
    Let me ask--this may be Mr. Chase or maybe someone else 
want to take this. If OPM suffers another compromise and NBIB 
applications and its systems are breached, who makes the final 
call as to whether or not the compromised applications are 
taken offline or continue to run?
    Mr. Halvorsen. If it's in the new systems that are 
developed, that is me.
    Mr. DeSantis. Do you agree with that?
    Mr. DeVries. For the new system, yes. Right now we're 
currently operating underneath the existing legacy system.
    Mr. DeSantis. What's the answer----
    Mr. DeVries. The answer is the CIO gets the report of it 
from the CISO, and the director makes the call on it.
    Mr. DeSantis. Okay. Let me ask you this, because the 
majority staff on this committee had a report indicating that 
there were certain tools following some of the previous 
breaches that were bought, and then they were delayed in 
terms of their deployment for a variety of reasons, but one of 
them, that they had to make certain notification to relevant 
unions.
    So what kind of notifications is the IT security team 
required to make before deploying these tools, and what is the 
purpose of the notifications?
    Mr. Chase. So from post breach coming in, any tool that we 
go out on the street to market and do our research on is fully 
vetted internally. We have a procurement office inside of OPM 
that works with us to make sure that the appropriate language 
is put into that, and then we move to the process of deploying 
that tool.
    Mr. DeSantis. But in terms of the delays, have there been 
delays because of notification requirements?
    Mr. Chase. I'm not aware of that specific statement.
    Mr. DeSantis. Okay. Had there been other barriers or 
challenges in trying to timely deploy some of these tools, 
bureaucratic roadblocks?
    Mr. Chase. Again, post breach, based on the situation--and, 
again, I mentioned earlier stabilizing, the procurement office 
has been very, very flexible with me and making sure that they 
can give us the time----
    Mr. DeSantis. But this was so--the implication is there may 
have been a problem prebreach?
    Mr. Chase. I'm not aware outside of what I'm reading in 
those reports.
    Mr. DeSantis. Do you think that it was a problem?
    Mr. DeVries. I have no firsthand knowledge of that, but 
just from the acquisition side and having been in this field 
for many years, yes.
    Mr. DeSantis. Okay.
    Well, I will yield back the balance of my time.
    Chairman Chaffetz. I thank the gentleman.
    I now recognize the gentleman from Massachusetts, Mr. Lynch 
for 5 minutes.
    Mr. Lynch. Thank you, Mr. Chairman.
    And I want to thank our witnesses for your great work and 
for your willingness to help us. I want to revisit the issue 
raised by Ms. Kelly about the unwillingness or the inability of 
the committee to really investigate what's going on with the 
Russian hacking.
    But before I get into that, let's talk a little bit about 
the issue that brings you here.
    In June and July of 2015, OPM publicly disclosed that its 
information technology systems had been experiencing massive 
data breaches over some time, compromising the Social Security 
numbers, birthdates, home addresses, background investigation 
records, and other highly sensitive personal information 
belonging to about 22 million individuals.
    These cyber breaches were not only devastating in terms of 
their impact on the financial security of their victims, 
rather, they also posed a grave national security threat as the 
extensive security clearance questionnaires, about an 80-page 
document, that really drills down on folks and was filled--were 
filled out by nearly 20 million Americans who have security 
clearance rights and privileges, and the names and the 
information of those individuals were included among the data.
    I had asked--that was a--that was a terrible--you know, 
some people call that a--like a cyber Pearl Harbor, because all 
our folks who are actually actively interested in working on 
our national security organizations, you know, basically, they 
were giving up. And so I asked at a very basic level, I asked, 
Ms. Archuleta, who was running the OPM at the time, I said, 
have you actually gone back and encrypted the Social Security 
numbers of these employees? Were they encrypted? And she said, 
no, they were not. So--so all those Social Security numbers of 
those 22 million people went out.
    And then a year later, we had one of her successors--not 
her successor, but one of the people under her, I asked, again, 
have we encrypted the Social Security numbers of the people, 
the 22 million people? And they said there are still--there are 
still vulnerabilities we still haven't been able to do that.
    So let me ask, have we encrypted at least the Social 
Security numbers of these 22 million people?
    Mr. DeVries. Sir, I'll take that for the record. Yes, we 
have begun a vigorous program in 2016 to encrypt the databases. 
So it's not just encrypting the Social Security number, but it 
is the databases that contain those critical information.
    Mr. Lynch. Are we done with that yet?
    Mr. DeVries. We are not completely done across the whole 
OPM environment, but the HVA systems we have gone through, and 
I have one remaining system to be done, and that is scheduled 
for next month. To complete the----
    Mr. Lynch. What percentage of the 22 million have been 
encrypted? Can you give me an estimate on that?
    Mr. DeVries. Of the NBIB system, which contains those 
records there, all but one have been encrypted.
    Mr. Lynch. So what's lacking in percentage?
    Mr. DeVries. One major database there on the mainframe.
    Mr. Lynch. All right. You're not answering my question, 
but--look, we need to get that done. Okay?
    Let me go on to the Russian thing. Look, we've got--I 
understand that the chairman's resistance on sources and 
methods, I get that. But we have--and I would like to introduce 
these into the record.
    First of all, I would like to introduce into the record my 
letter from December 15th--14th asking for a hearing on the 
Russian hacking.
    Secondly, I'd like to enter into the record an FBI 
investigation regarding Russian malicious cyber activity. They 
did a whole investigation on this. It's called ``Grizzly 
Steppe,'' s-t-e-p-p-e. I want to enter into the record a 
background to assessing Russian activities and intention into 
recent U.S. elections, the analytical process and cyber 
incident attribution. That's produced by the offices of the 
director of National Intelligence.
    I would like to submit for the record, a statement for the 
record, worldwide threat assessment by James R. Clapper, 
director of the National Intelligence, February 9, 2016.
    I ask for unanimous consent.
    Chairman Chaffetz. Without objection, so ordered.
    Mr. Lynch. Thank you. So we have enough here. Just with 
this here, we have enough here to do an investigation. And this 
is just the stuff that is unclassified that the intelligence 
community has put out there. We don't have to talk about----
    Chairman Chaffetz. Will the gentleman yield?
    Mr. Lynch. Yes. Sure I'll yield.
    Chairman Chaffetz. Two points. Number one, sources and 
methods are the sole jurisdiction of the intelligence 
community.
    Number two, have you really thought this through? Do you 
really think it's appropriate for this committee to investigate 
the specific hack of the DCCC?
    Mr. Lynch. Absolutely.
    Chairman Chaffetz. Because if you are going to do an 
investigation of the DCCC, we're going to have to dive into a 
political party's infrastructure operation's data. I don't 
think that's appropriate. If you----
    Mr. Lynch. Let me--well----
    Chairman Chaffetz. Here's the difference. Here's the 
difference----
    Mr. Lynch. Reclaiming my time. Actually, you know, you're 
using all my time here.
    Look, look they hacked--they hacked the American election. 
That is worth looking into----
    Chairman Chaffetz. There's no evidence of that. And 
President Obama said that that wasn't even possible.
    Mr. Lynch. This is high confidence. This is our own FBI, 
high confidence that they hacked the election, that they 
interfered with the election. It may not have been outcome 
determinative. I'm not saying that. But based on the FBI, based 
on the office of--the director of national security, they're 
saying, yeah. And also, the CIA, they're in agreement that the 
elections were hacked.
    Now, I'm not saying they affected the outcome, but they 
tried. It may have been just chaos that they wanted to create, 
but they interfered with our elections. And if we're turning a 
blind eye to that, that's a shame. That's a shame. That's core 
to our democracy.
    And look, if we're just going to say, oh, that's somebody's 
work, that's not anybody else's work. That's our work. There 
are plenty of reports here we can talk about, and we ought to 
do it publicly, about the damage done to the confidence in our 
electoral system. That's what's important here.
    People have to--people have to fear that we have an 
integrity--a certain integrity in our own systems and that 
other countries are not allowed to interfere with that. That's 
a red line. We should not allow that. And it should be a very 
serious obligation of this committee to make sure that doesn't 
happen again.
    And we need all the committees of jurisdiction to work on 
this. We're a committee of unlimited jurisdiction. The 
gentleman has said that quite frequently. That's the strength 
of this committee. And I think this is--look, they hacked our 
election. This should be bipartisan. This should not be 
Democrat versus Republican.
    Chairman Chaffetz. The gentleman's time--the gentleman's 
time is well expired.
    As I said, I do think there should be--as I said when it 
happened, there should be an investigation. There should be a 
prosecution. They should go out----
    Mr. Lynch. These are the investigation of the committee.
    Chairman Chaffetz. Hold on. The gentleman's time has 
expired.
    The Intelligence Committee is the only one that can look at 
sources and methods. That is the rule of the House.
    Mr. Lynch. We won't look at sources and methods. We'll just 
look at what the agencies themselves have made public.
    Chairman Chaffetz. The gentleman's time has expired.
    And if you are going to do a proper investigation, as this 
committee did, with the breach at the Office of Personnel 
Management, you have to look at the two sides of the breach, 
those that were trying to do it, which this committee could not 
look at in the OPM breach. Again, that is the purview of the 
House Intelligence Committee.
    But we could look at those that were breached and how inept 
their systems were and how bad it was set up and how the 
inspector general was warning of these things. That, we did do.
    Mr. Lynch. We had nine separate investigations of Hillary 
Clinton, nine separate investigations----
    Chairman Chaffetz. The gentleman's--the gentleman is out of 
order. The gentleman's time is expired. I gave you well 
more than 5 minutes.
    What I think is inappropriate. And I'm trying to answer the 
question. It would be wholly inappropriate for the United 
States Congress, for us to dive into the DCCC. You might want 
to do an investigation yourself of the DCCC. I don't think that 
the United States Congress should be diving into their 
individual private systems of a political party. I think that's 
too broad--if you want me to start issuing subpoenas of the 
DCCC, I'm probably not going to do it, but go ahead and suggest 
it.
    Mr. Lynch. How about some of the FBI----
    Chairman Chaffetz. The gentleman's time has expired.
    Mr. Lynch. You asked me a question.
    Chairman Chaffetz. No, I did not. I did not.
    Mr. Lynch. And I'm trying to respond. You asked me if I 
wanted----
    Chairman Chaffetz. I did not ask--the gentleman is out of 
order.
    Mr. Cummings. Would the chairman yield? Would the chairman 
yield? I think we need to calm down here a little bit.
    Mr. Chairman, you have made some statements, and I just ask 
you to give him the courtesy of a minute and a half just to 
respond.
    Chairman Chaffetz. No, I will not. I will not.
    Mr. Cummings. Well, would the gentleman let me finish? 
Thank you.
    This has been an attack on our democracy, Mr. Chairman. And 
Mr. Lynch is one of our greatest members, and the passion that 
he has expressed is not limited to him, it's to many Americans. 
They feel as if all of our--the things that underpin our 
democracy have been attacked over and over again.
    And as I said yesterday, we keep saying we're going to wait 
till certain things happen with President Trump. They are 
happening now.
    Chairman Chaffetz. Can I ask that----
    Mr. Cummings. And if the gentleman would just give me 30 
more seconds.
    And all I was saying is I was hoping that in--I mean, as a 
courtesy to the gentleman, I just wanted him to be able to 
respond.
    Chairman Chaffetz. I'd like to ask you a question, if you 
don't mind, to my ranking member. Does the ranking member 
believe that this committee should do an investigation of the 
DCCC?
    Mr. Cummings. I think that we can look at certain things. I 
know I am very familiar with sources and methods, but I think 
what the gentleman is saying is let's just look at the things 
that are--that are unclassified. And apparently, he has his 
reports in his hand, and we can see where we go from there.
    Number two, as I said before, in answering the chairman's 
question, we have a bill that would--I think, would resolve 
this issue very nicely.
    I think the thing that I'm most concerned about, and I'm 
sure Mr. Lynch is concerned about is that we cannot just turn a 
blind eye to when we have 17 intelligence agencies who 
unanimously agree that there has been hacking with regard to 
our elections.
    And there seems to be--one of the things that I've noticed, 
this has been an effort, not by you, Mr. Chairman, but by 
others to say, okay. It didn't affect the results. We don't 
even have to get there. Forget it. I accept President Trump as 
my President. I'm looking forward to meeting with him next 
week. But, the idea that Russia could come in and interfere 
with our elections, all of us should be going berserk. I mean, 
we should be--I mean, just really, really upset. And so all I'm 
saying to you is that I think all the gentleman is saying, is 
he's got documents that you've already entered into the record 
that are unclassified, want to look at those. Now, how far we 
can go is another thing.
    But, again, Mr. Chairman, you and I know what happened with 
the Benghazi Committee. Basically, it became a partisan fight.
    Chairman Chaffetz. I'll--hold on. The gentleman's time is 
expired here. You're going well--you're going well outside the 
scope of this----
    Mr. Cummings. No, I'm not.
    Chairman Chaffetz. Yes. Yes.
    Mr. Cummings. I'm not and I would pray that you not do an 
Issa on me.
    Chairman Chaffetz. I've given you ample time. I've given 
you more time----
    Mr. Cummings. Don't do an Issa on me, please. Don't do 
that.
    Chairman Chaffetz. No. I'm asking you a simple question. I 
just want an answer to a simple question. If you don't want to 
answer it, it's fine.
    Mr. Cummings. I've answered it. I've told you.
    Chairman Chaffetz. I'm going to ask one more time.
    Mr. Cummings. Yes. I've answered you. Okay? Yes. I just 
answered you.
    Chairman Chaffetz. I just wanted----
    Mr. Cummings. I just answered you.
    Chairman Chaffetz. Okay. I'm just saying----
    Mr. Cummings. You're not listening. What I said was what 
the gentleman asked. All he asked--he said, take the 
unclassified information. Do not turn a blind eye to an attack 
on our electoral system. Let's look--let's go as far as we can. 
When you take it to the Intelligence Committee, what you've 
done is you've gotten Mr. Nunes, who is on the transition--who 
is on the transition committee for President Trump.
    And as much as I like him, I want--as the gentleman asks, 
he wants an investigation that will have integrity. And I--I 
appreciate integrity over and over again. Like I've said to 
you, Mr. Chairman, and to our committee members, when you deal 
with integrity and transparency, it's like money in the bank.
    Mr. Cummings. And so I would just ask you to just work with 
us and see what we can come up with. That's all.
    Chairman Chaffetz. My last point. My last point. I don't 
think it's appropriate. I disagree with the attack on the 
integrity of the Intelligence Committee. I disagree with that. 
I think they are of integrity. I think Mr. Schiff and Mr. Nunes 
are men of integrity and they run that committee appropriately. 
And I'm sorry you don't feel that way.
    Mr. Cummings. I didn't--now, see, now you done put 
something in my mouth. Let me be real clear. No, no, no, no, 
no.
    Chairman Chaffetz. I get to make my point. I'll let you----
    Mr. Cummings. No, you said something that's not accurate. 
What I said was--I'm not questioning the integrity of Mr. Nunes 
or Mr. Schiff. Mr. Schiff--both of them I have a lot of respect 
for. What I'm saying is what the gentleman said, is that we 
want a report--when people look at the situation--I'll be very 
brief. When people look at the report and they see somebody on 
the transition team for Mr. Trump, then it becomes 
questionable. All I'm saying to you as to the world, we want--
that's why we filed the bill that we filed. And that's why 
we're asking for more like an independent investigation. That's 
all.
    Chairman Chaffetz. Last point. Last point. Last point. And 
we're going to recognize Mr. Meadows. We've gone way past the 
time here.
    Mr. Cummings. Thank you.
    Chairman Chaffetz. And I ask this rhetorically. Do the 
Democrats truly want this committee to do an investigation of 
the DNC and the DCCC?
    Mr. Lynch. Yes, we do.
    Chairman Chaffetz. Wow. Okay. We're now going to 
recognize----
    Mr. Lynch. A lot of these emails, they're already public. 
They're already public. They leaked them. We already know what 
they are, those damaging ones.
    Chairman Chaffetz. Let's recognize the gentleman from North 
Carolina, Mr. Meadows.
    Mr. Meadows. Thank you, Mr. Chairman. We're going to 
refocus on the focus of this hearing. I wish that we would have 
as much passion that is concerned about the well-being of the 
22,000 people that got hacked, the potential security breaches 
that are there, instead of losing or winning an election. I 
wish we'd have as much passion about that. Let's start to focus 
on the real aspects of what we need to be doing.
    There are other hacks with the IRS. Let's focus on the 
hardworking American taxpayers. You know, I'm sick and tired of 
hearing the repeated talking points over and over again. There 
is no one who will work in a more bipartisan way to get to the 
truth than me. But I disapprove of the talking points that 
continue to get repeated to undermine the credibility of a duly 
elected President.
    Mr. Cummings. Will the gentleman yield?
    Mr. Meadows. No, I will not.
    Let me go into this particular issue. When we're looking at 
this, you mention that you have 100 percent dual authentication 
throughout the system. Is that correct?
    Ms. McGettigan. Yes, sir. That's my understanding. Yes, 
sir.
    Mr. Meadows. All right. And you're filling some very big 
shoes. I happen to be a fan of Ms. Cobert. She actually--we 
come from very different sides of the aisle, but she was always 
very responsive to this committee and to me personally. And so 
I want to make sure that we can clarify, perhaps, your 
testimony. Because the 100 percent dual authentication is 
really just at the front door. Is it not? Because we have 
indications from the IG that there is still a whole lot within 
the system, that if they get in the front door, that only 2 of 
46 systems inside would require that. Is that your 
understanding? You may want to refer--I think the CIO wants to 
jump in here.
    Ms. McGettigan. I think I will defer to Mr. DeVries.
    Mr. DeVries. Thank you, sir.
    Ms. McGettigan. Thank you.
    Mr. DeVries. Sir, we have multifactor authentication in 
there for the users, the standard users who come onto the 
network. That is correct, 100 percent to get onto the networks, 
they require their----
    Mr. Meadows. But once in----
    Mr. DeVries. No, once they get in, they are still then 
authorized--their access is based upon those attributes and 
their roles of what they're assigned to. So they're not given----
    Mr. Meadows. So how do you respond to the IG that said only 
2 of 46 systems would actually, of the major applications, 
would require PIV authentication? Is that not accurate?
    Mr. DeVries. I'd like to go back and look at that. I'll 
defer to my CISO here, but that is--that does not ring true to 
how we----
    Mr. Meadows. Because this isn't my first rodeo. I've been 
here with a number of folks. In fact, I called for the 
resignation of the OPM director when there were similar terms 
that I'm hearing today that give me concern that we're making 
progress. And I guess, how do we define success? At what point 
will we have all the major applications? And Mr. Lynch talked 
about the encryption.
    Mr. DeVries. Correct.
    Mr. Meadows. Now, we've been promised encryption over and 
over and over again. And yet even today, we're not there with--
so are all the Social Security numbers encrypted today?
    Mr. DeVries. No, sir.
    Mr. Meadows. Okay. When will they be encrypted?
    Mr. DeVries. But I have----
    Mr. Meadows. Just timeframe. When will they be encrypted, 
all the Social Security numbers? I mean, that's basic. I've got 
encryption better than that on my home computer, and here we 
are, we have--is it a lack of resources?
    Mr. DeVries. Sir, it was somewhat due to that and also 
schedule change here on the mainframe. That's the only one that 
is--that was delayed. And I've reenergized that one back in 
there. That is 2017.
    Mr. Meadows. So when is it going to be done?
    Mr. DeVries. End of 2017, sir.
    Mr. Meadows. And so we will have everything encrypted by 
the end of 2017. Fiscal year?
    Mr. DeVries. The HVA system, the high value assets, which 
includes the Social Security numbers and so forth, will be 
encrypted this year. Yes.
    Mr. Meadows. All right. In terms of segmentation, how do 
you segment a legacy system? Either one of you can answer it.
    Mr. Chase. So, again, as a part of our strategy, we looked 
at all the systems and all the IT system inventories that we 
had out there. We determined which ones----
    Mr. Meadows. So are you going from a zero trust?
    Mr. Chase. That's the idea, is to use that zero trust 
tenet. Absolutely.
    Mr. Meadows. So you rushed into the fire----
    Mr. Chase. Ran into it, sir.
    Mr. Meadows. --and so as you ran into the fire, you decided 
from a zero trust aspect that you're going to look at every 
single system.
    Mr. Chase. Absolutely.
    Mr. Meadows. All right. So we can tell all of those 
employees or potential employees or those who have had their 
personal life history looked at that by the end of 2017, that 
you have great assurance that we have the most up-to-date, 
sophisticated cybersecurity protection that they will ever see 
and it will be segmented in a way that if somebody gets in the 
front door, that they won't be able to go through the whole 
system. Is that correct?
    Mr. Chase. That is correct. And there's also many, many 
compensating controls that reside in the network. So we have 
our network analysis tool, we have our data loss prevention 
tool. We have malware detection tools. And then we actually 
have a 24/7 security operation center that is on glass watching 
for those events to come through.
    Mr. Meadows. I yield back. I thank the chairman.
    Chairman Chaffetz. I thank the gentleman.
    I will now recognize the gentlewoman from Florida, Mrs. 
Demings, for 5 minutes.
    Mrs. Demings. Thank you, Mr. Chairman.
    I want to say good morning to all of you and thank you for 
being here. Before I get into my question, I feel compelled to 
make this comment. I spent 27 years in law enforcement. I 
served as the chief of police. So I am very concerned about the 
issue that we're discussing today. Security breaches of any 
kind, I believe, deserve every bit of attention and every bit 
of passion. I've been here a little shy of a month, but what I 
did not sign up for is what I believe was the blatant 
disrespect that was displayed to each other by my colleagues. 
And so I believe if we're going to solve our Nation's problems, 
civility has to be at the center of it.
    And with my question, Director Phalen, last November, the 
New York Times and other media outlets reported that while 
meeting with the Prime Minister of Japan, then President-elect 
Trump allowed his daughter and son-in-law to sit in during all 
or part of the meeting. In reporting about this meeting, the 
Times found, and I quote, ``That anyone present for such a 
conversation between two heads of state should, at a minimum, 
have security clearance. What we do not--we do not know whether 
President Trump has stopped this practice of allowing family 
members who do not have security clearances from attending 
meetings with dignitaries and other foreign officials.''
    Director, I ask you, what are the security risks for having 
individuals who do not have the appropriate security clearances 
present during classified meetings or briefings? Thank you very 
much.
    Mr. Phalen. Thank you, Representative. Thank you for the 
question. The determination as to whether an individual has a 
security clearance is left to the head of the agency with whom 
they are employed or otherwise contracted with. And, of course, 
the situation between a President-elect and the President is a 
different situation. The President has the ability to grant a 
clearance or grant access to classified information to anyone 
who they please. It is at their discretion.
    And the--I am not aware of any of the details around the 
meeting that occurred with the leadership of Japan. I just 
don't know any of the details about that, whether anything of 
classified nature was discussed or not. But it would--in the 
current situation, it would be the President's discretion to 
allow individuals even without clearances to know or have 
access to classified information.
    Mrs. Demings. So each department would make that 
determination. Is that what you said? There are no basic 
general guidelines for persons to have security clearances in 
certain situations or positions?
    Mr. Phalen. There are general guidelines and there are--
specifically, there are investigative standards which we follow 
when conducting an investigation. The agency who ultimately 
grants the clearance follows an adjudication set of guidelines, 
what are the key factors that one would look at when making a 
determination whether this individual is eligible or should be 
eligible to receive classified information. And then as a 
separate act, the agency then--if the answer's affirmative, 
they are eligible, the agency would make a determination as to 
whether to actually brief them into a national security program 
or not, give them that clearance.
    Mrs. Demings. Okay. Thank you very much.
    Chairman Chaffetz. Does the gentlewoman----
    Mr. Connolly. Would----
    Chairman Chaffetz. Does the gentlewoman yield back?
    Mr. Connolly. Would my friend yield?
    Mrs. Demings. I yield. I'm sorry. Thank you. I yield.
    Chairman Chaffetz. She's yielding. To Mr. Connolly or----
    Mr. Connolly. To Mr. Cummings.
    Mrs. Demings. To Mr. Cummings.
    Mr. Cummings. I just wanted to let Mr. Meadows know, when I 
asked you to yield, the only thing I was going to say is before 
you got here, and I will share this with you, in my opening 
statement, I talked about all the efforts that we have made in 
this committee with regard to the other breaches. I listed them 
one by one, all the many things that we've done. And I said it 
in a way that--because President Trump has said that we 
suddenly got excited about the Russian hacking. But I laid it 
out. And again, I will share my opening--it was a courtesy to 
you, because I didn't want anybody to think that this is 
something new to us.
    We've spent, in a bipartisan way, hours upon hours upon 
hours upon hours trying to deal with these. And I give the 
credit--give a lot of credit to the chairman. And that's all I 
was trying to tell you.
    Mr. Meadows. Will the gentleman yield?
    Mr. Cummings. And I didn't want the public to be left with 
the impression that we haven't been working on these acts. 
Every single time.
    Mr. Meadows. Will the gentleman yield?
    Mr. Cummings. Of course. I only have----
    Chairman Chaffetz. It's the gentlewoman's time.
    Mr. Meadows. Will the gentlewoman yield for just a comment? 
A nice comment.
    Mrs. Demings. Yes. Yes. Certainly. Please, Mr. Meadows.
    Mr. Connolly. We'll be the judge of that.
    Mr. Meadows. The gentleman from Maryland is a good friend, 
and a trusted one. And in the passion of my not yielding back 
to him, I don't want anything to be inferred about our 
relationship and our willingness to work in a bipartisan way. 
And I apologize for my passion in not yielding. But I also want 
to stress that our friendship and our willingness to get to the 
bottom line of it is unyielding and unchanging. And I thank the 
gentlewoman.
    Chairman Chaffetz. The gentlewoman yields back.
    We'll now recognize the gentleman from Ohio, Mr. Jordan, 
for 5 minutes.
    Mr. Jordan. I thank the chairman.
    Mr. Halvorsen, you are the chief information officer for 
the entire Department of Defense?
    Mr. Halvorsen. That is correct.
    Mr. Jordan. And in your testimony, your written testimony, 
you said that, ``DOD CIO is responsible for all matters 
relating to the Department of Defense information enterprise, 
including cybersecurity for the Department. In this capacity, 
DOD CIO is responsible for oversight of the Department's 
efforts to design, build, operate, secure, defend a new IT 
system to support the background investigative processes for 
the NBIB.'' Is that all accurate?
    Mr. Halvorsen. It is.
    Mr. Jordan. Okay. Are you familiar, then, with the December 
6 Washington Post story, front page, Pentagon Hid Study 
Revealing $125 Billion in Waste? Are you familiar with that 
article?
    Mr. Halvorsen. I am familiar with that article.
    Mr. Jordan. Do you--well, let me ask you--let me go back 
and ask you this: Do you have the resources you need to do 
everything I just read in your testimony, help NBIB which has 
100 Federal agencies that's got to make decisions about--
regarding individuals who work there and everything at the 
Department, do you have the resources you need to do your job?
    Mr. Halvorsen. We have the resources to make sure that we 
develop and design an NBIB new system that is secure and can 
attack and defend the data.
    Mr. Jordan. And so you think you got adequate resources to 
do everything you're tasked to do.
    Mr. Halvorsen. I think I have adequate resources to do 
everything I'm tasked to do specific to this NBIB issue.
    Mr. Jordan. But not overall? Is that what you're saying?
    Mr. Halvorsen. Well, I don't think anybody here would say 
they have all of the resources----
    Mr. Jordan. You always want more. I get that. But you are 
familiar with the story that was on the front page of the 
Washington Post last month, or 2 months ago?
    Mr. Halvorsen. I am.
    Mr. Jordan. And the findings of the McKinsey & Company 
study, $125 billion in waste at the Pentagon, do you agree with 
that--those findings? Or, I mean, they talked about as many 
full-time employees in back office personnel and in purchasing 
bureaucracy, as many employees there as we actually have--
almost as many people there as we have in troops in the field 
or troops in total. Do you agree with what you know about that 
study?
    Mr. Halvorsen. We were--do I personally agree with that 
study? I do not. Is that the reason I'm here to testify? No. So 
if you want more data on that, I will take any questions you 
have for the record.
    Mr. Jordan. Okay. Were you--were you interviewed or talked 
to in the course of the study by McKinsey & Company? Did they 
talk to you?
    Mr. Halvorsen. I have talked to McKinsey & Company, yes.
    Mr. Jordan. Multiple times? I mean, I'm just kind of 
curious.
    Mr. Halvorsen. For the study, I believe once. But I'll get 
that confirmed. But I have talked to McKinsey in the course of 
my business.
    Mr. Jordan. The article reports here on the front page here 
above the fold, the report issued in January 2015 identified a, 
quote, ``clear path for the Defense Department to save $125 
billion over 5 years.'' I think this is important too. What the 
study said, what the article reports that the study said was 
that this savings in bureaucracy waste and other areas is money 
that could go into weapon systems and our troops. Frankly, 
where I think most Americans would want their tax dollars and 
resources to go.
    The article continues, ``The plan would not have required 
layoffs of civil servants or reductions in military personnel. 
Instead it would have streamlined the bureaucracy through 
attrition and early retirements, curtailed high priced 
contractors,'' and the last clause says, ``and made better use 
of information technology.''
    Do you have any idea what they're referring to there, make 
better use of information technology?
    Mr. Halvorsen. Yeah, I do. I mean, if you're asking me do 
we think we could do better with information technology, I 
think I testified in numerous hearings that do I believe we 
should continue to adopt best commercial practices? Should we 
bring more commercial systems on into DOD and other government? 
I said we should. I believe there are ways to reduce some money 
in our IT business. Do I think that number is correct, 
personally? I do not.
    Mr. Jordan. So a little bit ago you said you didn't agree 
with the study. Now you sound like you do agree with a lot of 
parts of the study.
    Mr. Halvorsen. No.
    Mr. Jordan. Is it both or----
    Mr. Halvorsen. No. I said I agree that there are 
efficiencies to be found in the IT systems. By doing what we 
are doing, I think we will achieve some. I do not think the 
numbers in the study, my personal opinion, they're not correct. 
I will take any more questions you have----
    Mr. Jordan. So you think the $125 billion number is a 
little high. Would you hazard a guess at what kind of savings 
taxpayers could see if part of what McKinsey found in their 
study was implemented and how we could better get money to 
weapon systems and to troops?
    Mr. Halvorsen. No, I will not hazard a guess.
    Mr. Jordan. Okay. Mr. Chairman, I just think this is an 
important area where we need to--I know it's not the sole focus 
of and not the primary focus, I should say, of this hearing 
today, but this is an area we need to study. If we can get more 
money into upgraded weapon systems and to our troops, and if we 
got this potential of waste, even the chief information officer 
says there's some waste there. Maybe not to the degree that the 
article reports, but certainly any we can find and savings we 
can find I think makes sense.
    With that I yield back.
    Chairman Chaffetz. Thank you. Point well taken.
    I now recognize the gentleman from Maryland, Mr. Raskin, 
for 5 minutes.
    Mr. Raskin. Mr. Chairman, thank you very much.
    I wanted to start actually by responding, Mr. Chairman, to 
the question that you posed about whether or not the Democratic 
National Committee would be a proper object for inquiry and 
investigation by this committee. And my first reaction to it, I 
think, was sympathetic to you, which is no, not really, because 
it's not part of the government. It's a private entity for most 
purposes. When you think about the Democratic National 
Convention, where it's going to be located, who's going to 
speak at it, that's a private matter. It's a private 
association.
    On the other hand, it struck me that the Supreme Court has 
said that political parties are public instrumentalities 
capable of State action for certain purposes. So when you go 
back and look at Smith v. Allwright, Terry v. Adams, the white 
primary line of cases, the Supreme Court said a political party 
could not exclude from participation people based on race. So 
the Equal Protection Clause applied directly to political 
parties, that they were not private entities for those 
purposes. They were public instrumentalities.
    And in lots of other cases, the Supreme Court has treated 
political parties as public instrumentalities and kind of 
public carriers for the purposes of effective action in 
democracy. And I think if you look at it from a global 
perspective, that is the role that political parties play. The 
DNC, the RNC, they are organizing political activity for tens 
or hundreds of millions of people. And so if they are cyber 
vulnerable, I think it makes the whole country cyber 
vulnerable, and then it casts a cloud over democratic 
government itself.
    So that's why, in the end, I think it is a complicated 
question you raise, but I would side with the ranking member 
and with the other members who were speaking on this side of 
it.
    Let me pose a question. As a new member of this committee 
who was--I was not here for the original OPM breach, and so all 
of this is a bit new to me. But I want to ask the question. We 
know from the national intelligence community about the fact 
that they believed with high confidence that there was an 
organized campaign by Russia to subvert the 2016 election and 
to compromise the 2016 election. I've also heard that there's 
certain other countries where certain kinds of hacking are 
common or concentrated, like Nigeria, apparently, is a place 
where there's a lot of cyber hacking and phishing attacks going 
on.
    Do you have a list of the most common enemies or culprits 
of our cybersecurity that you use? And I know, Ms. McGettigan, 
if that's something you can answer.
    Ms. McGettigan. I'll defer to Mr. DeVries to answer that.
    Mr. DeVries. Member, if I could----
    Mr. Raskin. Please.
    Mr. DeVries. If I could, I would like to defer to Mr. Chase 
here for the expertise on it. We do have the network 
monitoring, but we are part of the greater ecosystem of that 
from DHS.
    Mr. Raskin. All right. Let's cut to the chase.
    Mr. Chase. Thank you. No pun intended.
    So one of the things that I just want to make clear is 
we're a customer service oriented agency. And so we rely on our 
partners from Department of Homeland Security, FBI, and other 
components within DOD. The potential attribution or the knowing 
of a bad actor is not our job. My job is to focus the staff at 
OPM to protect the data that resides in there.
    Mr. Raskin. Okay. So I guess--right. You're a customer 
service agency and you want to serve the various government 
agencies that interact with you. The problem, of course, is now 
we've got these outside entities that are trying to invade and 
undermine and so on. Do we know who those entities are? Is 
there like an FBI most wanted list of the cyber saboteurs all 
over the world or in this country? I mean, the national 
intelligence community tells us it's Russia, but then we hear 
from other people, no, it's a fat guy on a couch someplace. I 
don't know why it's always a fat guy. Why couldn't it be a 
skinny guy on a couch. But anyway, it might be a guy on a couch 
or it might be Russia, but it might be Nigeria. Where it is 
coming from? And does that list exist? And is there any attempt 
to really get to the bottom of it?
    Mr. Chase. And, again, I'll try to answer more directly. So 
DHS and FBI provide those reports in unclassified and 
classified formats.
    Mr. Raskin. Okay. Do you believe as experts in the field 
that there is going to be a technological answer to this so we 
can actually create a secure cyber environment? Or, you know, 
is this a Sisyphean task? We go up two steps and we fall back 
three steps. I mean, are we really--is it an uphill fight, I 
guess is what I'm asking. Mr. Halvorsen.
    Mr. Halvorsen. Right now it is an uphill fight. I do 
believe technology will get us some of the solutions. But I 
think this is much like any area in technology. We will make 
strides forward. The people who want to use technology for bad 
will make strides forward. And it will be a continuing analysis 
and engagement that is not going to end anytime soon.
    Mr. Raskin. Thank you very much, Mr. Chairman. I yield 
back.
    Chairman Chaffetz. I thank the gentleman.
    We'll now recognize Mr. Comer who's new to our committee. 
We're pleased to have him here. The gentleman from Kentucky.
    Mr. Comer. Thank you, Mr. Chairman.
    Chairman Chaffetz. Sorry. The microphone button there. Talk 
button. There we go.
    Mr. Comer. Thank you, Mr. Chairman.
    My question is for Mr. DeVries. Sir, I would like to follow 
up with you on the IT infrastructure project that OPM abandoned 
last year. The committee's understanding is that you are no 
longer leasing two new data centers for OPM's new IT 
environment, but rather, are repurposing the hardware and 
equipment meant for the IT environment that the contractor 
Imperatis built. My question is, is this accurate?
    Mr. DeVries. Yes, sir it is.
    Mr. Comer. Okay. How much did OPM pay the contractor for 
the new IT infrastructure project before terminating the 
contract May 2016?
    Mr. DeVries. Sir, I would have to get back to you with the 
exact amount that was consumed there. I do not have that number 
with me today here.
    Mr. Comer. Why was the contract terminated?
    Mr. DeVries. Sir, as I completed my assessments coming on 
board as the CIO, that effort was to build a new infrastructure 
to move the legacy stuff into. They went out on the contract. 
That contractor went out of business. They did not show up to 
work in May, and we terminated the contract after that. We then 
repositioned the equipment back in because we had purchased 
that, as we had purchased the design and engineering diagrams. 
We have what we paid for. Now just turning it back on.
    Mr. Comer. It's my understanding that the first two phases 
of that were completed, and after approximately $45 million of 
investment, OPM abandoned the project. But you say that we have 
what we paid for or did we lose what we paid for?
    Mr. DeVries. Sir, we have evolved that, and I'm now 
building on that capability that we purchased then. Yes, sir.
    Mr. Comer. So is OPM still operating the legacy IT 
environment? Is that correct?
    Mr. DeVries. Sir, I will say no. We have evolved a lot over 
the past year, and that was part of my assessment coming 
onboard was to take a look at what the network was, where are 
our high value assets, where are our centers of gravity, if you 
will, and what's the protection there. Mr. Chase has talked 
about some of the defense in depth that we've put in place. So 
it is not the same legacy infrastructure that it was in 2015. 
Not by a long shot.
    Mr. Comer. So are we--can we be assured that this 
environment is more secure today than prior to the data 
breaches?
    Mr. DeVries. Absolutely. Mr. Chase and I would not be here 
if it was not.
    Mr. Comer. Okay. I yield back.
    Chairman Chaffetz. I thank the gentleman.
    We'll now recognize the gentlewoman from the Virgin 
Islands, Ms. Plaskett, for 5 minutes.
    Ms. Plaskett. Thank you, Mr. Chairman. And thank you all 
for being here this morning to testify.
    I wanted to--I appreciated your testimony this morning on 
all of the topics. And it seems to be very wide ranging, of the 
discussion that we're having this morning. But we are all here 
because protecting our Nation's security from insider threats 
and external threats is of paramount importance, of course, to 
you all and us as Members of Congress. So I wanted to discuss 
the security clearance process and how individuals are granted 
access to sensitive information.
    Director Phalen, for you specifically, how would NBIB 
handle the clearance process for someone under active FBI 
investigation? What happens with that application?
    Mr. Phalen. When an agency puts an individual in for a 
clearance, it starts with a determination by that agency that 
this individual needs a clearance for whatever work they're 
going to be doing. The individual's information is sent to NBIB 
or to some other----
    Ms. Plaskett. And what if you find out that the person is 
under active FBI investigation? What happens at that point?
    Mr. Phalen. If we in the process of conducting the 
investigation determine an individual's under active 
investigation, we would notify the requester of what we 
understand to be the investigation, and we would continue the--
our part of the investigation, unless we were told to stop 
based on some decision by the requester.
    Ms. Plaskett. Now, in knowing that you're going to continue 
the investigation of someone who is under an active FBI 
investigation, would that be one of the factors in 
disqualifying an individual from a security clearance?
    Mr. Phalen. Not necessarily. And it would not be our 
determination. It would be the determination of the requesting 
agency, who is either the requesting agent themselves, if they 
have independent adjudication authority, or the--in the DOD 
world, the consolidated adjudication facility. These are the 
individuals that make the ultimate determination as to whether 
an individual is eligible for access to----
    Ms. Plaskett. Got you. So you're processing the 
application, you're giving them the information, and then the 
agency head then makes the determination whether or not the 
person has the security clearance?
    Mr. Phalen. Ultimately, yes.
    Ms. Plaskett. So for the ultimate decisionmaker for 
granting a security clearance for a senior White House staffer, 
who would that person be?
    Mr. Phalen. The chief of the White House Security Office is 
the adjudication authority.
    Ms. Plaskett. And so the chief of the security office for 
the White House is the determiner for an individual in the 
senior White House level having a security clearance.
    Mr. Phalen. Yes.
    Ms. Plaskett. And who places that person in that office? 
The chief officer. Is that an independent? Is that appointed by 
the President? Is that a career person? Who is that individual?
    Mr. Phalen. I actually don't know right now. I can find 
that answer----
    Ms. Plaskett. I would really love to know that answer. 
Because is it possible for the ultimate decisionmaker to make a 
decision to grant an individual a national security clearance 
if the person is under an FBI investigation? You're saying yes, 
that's possible.
    Mr. Phalen. It is possible.
    Ms. Plaskett. And the reason I'm asking that is because of 
course--you know, of course there's a reason I'm asking. Right? 
There would--according to multiple reports, several members of 
the Trump campaign and incoming Trump administration may 
currently be under FBI investigation for their connections with 
the Russians; the very country implicated in the hacking that 
everyone seems to be interested in here today.
    So President Trump's National Security Adviser, Michael 
Flynn, is reportedly being investigated by the FBI for phone 
calls with a Russian diplomat. And the New York Times reported 
that the FBI's investigating communication and financial 
transactions between Russia and the former campaign manager, 
Paul Manafort.
    So my question is, if these individuals become now senior 
White House staffers who need security clearance as having sit 
on this National Security Council, along with Steve Bannon, if 
those individuals are under FBI investigation, they may still 
get a national security clearance?
    Mr. Phalen. That is certainly possible. And I would 
distinguish between someone who is under investigation and 
someone who has been charged or convicted with a crime.
    Ms. Plaskett. Of course. As a lawyer, I know you're 
innocent until proven guilty. But an active FBI investigation 
would raise some eyebrows. Would it not? Because the FBI would 
not begin an investigation on my, you know, freshman student 
who has cheated on a test or something. They usually start FBI 
investigations for pretty serious things.
    Mr. Phalen. It would be a noteworthy item on an 
adjudication, yes.
    Ms. Plaskett. Okay. Mr. Chairman, I think we need the 
answer to some of the questions that we've been asking here.
    And so do you know, Director Phalen, which or any of the 
senior White House staffers who have access to senior material 
are under criminal investigation by the FBI?
    Mr. Phalen. I do not know that, no.
    Ms. Plaskett. Okay. Thank you.
    Chairman Chaffetz. If the gentlewoman yields back, Ms. 
McGettigan, she is the acting director of OPM, if you could get 
back to Ms. Plaskett about who specifically is in charge, I 
think the gentlewoman asked a reasonable question here, who are 
the people that make those determinations, and get back to--
will you make that commitment----
    Ms. McGettigan. Yes, we will.
    Chairman Chaffetz. --that you'll get back to her?
    Ms. McGettigan. We will get back to you.
    Chairman Chaffetz. Okay.
    Ms. Plaskett. Thank you. Thank you very much, Mr. Chairman. 
As well if you would find out how do we find out----
    Chairman Chaffetz. Ask her.
    Ms. Plaskett. It would be great to know in that process, 
one, who the decisionmaker is, and is there a list of 
individuals who are under FBI investigation. If the chairman 
and the ranking member would receive that, that would be very 
helpful in making that determination, what are the factors.
    Ms. McGettigan. Okay.
    Ms. Plaskett. Thank you.
    Ms. McGettigan. We will follow up. Thank you.
    Chairman Chaffetz. And I would open up to any member, if 
they have questions for OPM, Ms. McGettigan is the acting 
director.
    Mr. Connolly. Mr. Chairman, I just--I assume at some point 
Ms. McGettigan's going to actually answer a question as opposed 
to always getting back to us.
    Chairman Chaffetz. Okay. She wasn't ever even asked a 
question in that series, so I think that's a little 
inappropriate. But let me--and she did make a commitment to get 
back to the committee. I think that's reasonable.
    Mr. Connolly. Yes, I heard.
    Chairman Chaffetz. So I'll now recognize myself for 5 
minutes.
    And I guess this question will go to Mr. Chase. Tell me 
about the authority to operate. There have been some questions 
about this in the past. The inspector general found that the 
authorities to operate were a material weakness in fiscal year 
2016. The IG reported that 18 major systems still did not have 
current authorities to operate in place. What is the current 
state of those ATOs?
    Mr. Chase. So all the ATOs----
    Chairman Chaffetz. If you can move that microphone a little 
closer. I apologize, sir.
    Mr. Chase. So all the ATOs are currently compliant.
    Chairman Chaffetz. Can you put some meat on the bones? 
Define that for us.
    Mr. Chase. So in fiscal year 2016, again, our strategy was 
to identify and understand all the systems. It was identified 
that quite a few of them were out of compliance. So we took on 
two major initiatives at OPM. One was a sprint in February of 
2016 to look at all the systems, to include the HVAs, to ensure 
the best pathway forward to get them compliant. The next phase 
of that was marketing within OPM and the agency heads and the 
acting director at the time to ensure that everybody in the 
agency knew the importance to get everybody into compliance.
    Chairman Chaffetz. Would the ATO--you said all of them. 
Would that include the PIPs?
    Mr. Chase. That is correct, sir.
    Chairman Chaffetz. It would. Okay.
    Mr. Chase. That was not reflected in the fiscal year 2016 
FISMA report, and has been recently.
    Chairman Chaffetz. Everything within the NBIB, do those all 
have current valid ATOs?
    Mr. Chase. Yes, sir.
    Chairman Chaffetz. Okay. Let me switch over here, if we 
could, to Ms. McGettigan and--or maybe, Mr. Phalen, you might 
be the right person--actually, let me ask you, Mr. Phalen. What 
is the current state of the ability to look at the social 
media? We've been talking in this committee over the last 
couple of years, actually, with OPM about during background 
check investigations looking at social media. What are you 
doing or not doing in that process?
    Mr. Phalen. Thank you, Mr. Chairman. Two points to make on 
that. Number one, in April of 2016, the security executive 
agent sent out a directive that would allow us--allow an 
investigation to use social media publicly available on 
electronic information in order to inform an investigation. We 
at NBIB or its predecessor, the Federal Investigative Service, 
have been using on a targeted basis social media inquiries to 
help resolve issues when they come up during an investigation. 
We are in the middle of a short pilot to understand how we can 
incorporate it into a formal--into a more consistent use during 
an investigation.
    In other words, how do we collect the information, get it 
disambiguated, and make sure it is accurate and of any value, 
and then provide it to an investigator who is in the field 
conducting an investigation to help enhance that.
    Chairman Chaffetz. Can you define ``short pilot?'' Because 
I think we've been talking about this for a couple years. And 
this doesn't seem to be very short.
    Mr. Phalen. So a number of pilots have been conducted by a 
number of agencies to look at the value of social media. And 
most concluded--most have reached the similar conclusion, there 
can be valuable information in collecting social media.
    Chairman Chaffetz. Okay. Can you just hold on here. This is 
what drives people crazy about government. You had to conduct a 
study to find out if looking at social media would be valuable? 
And the conclusion is it might be yes? Come on. Every single 
time there's a terrorist attack, what's the very first thing 
the investigative body does? They go look at their social 
media. And more often than not, they say, oh, my goodness. If 
somebody had just looked at this.
    Why in the world do we need--we're still doing a pilot? Let 
me answer the question for you. Yes. Looking at publicly 
available social media should be part of the background check. 
It's a joke to think that you're not looking at social media. 
And the idea that we even have to think about this, by its very 
definition, it is social. It is open. It's there. Facebook. You 
can go--come on. Instagram. Twitter. Every single time we go 
and do an interview for somebody, we go check their social 
media. Why do you have to do another pilot?
    Mr. Phalen. The pilot was not to determine whether or not 
there's any value in social media. The pilot that we are 
currently running is how do we incorporate it into a standard 
background investigative process. And the largest pole in this 
tent here is not can we collect the information. It is not is 
there going to be valuable information in there. It becomes how 
does it get incorporated in a manner that is cost effective to 
our customer base. And--because the collection is the easy 
part. The analysis of it becomes harder. And the more data 
that's out there, the more difficult the analysis becomes.
    I believe that this is a relevant data source. We believe 
it is a relevant data source. We're going to continue to 
exploit it. This pilot was a very short one to determine how we 
can build it into an--our current investigative process. And as 
we move down the road, how it will become more of a mainstay 
for this investigative process.
    Chairman Chaffetz. Have you considered implementing a 
policy to require the disclosure of online user names or social 
media identities as part of the clearance process?
    Mr. Phalen. We have not at this point.
    Chairman Chaffetz. Why not?
    Mr. Phalen. That would be a decision to be made by the 
security executive agent to ask for that information.
    Chairman Chaffetz. Here's my personal take on this, and 
then we'll go to Mr. Connolly. The United States of America, 
the people of the United States of America, are about to 
entrust somebody with a security clearance that allows that 
individual to look at and understand information that the rest 
of the public doesn't get to look at. Right? That is the very 
nature of a security clearance. We're doing this, we're giving 
this person special privileges because we trust them.
    I would think it would be reasonable that in return for 
that--you don't have to apply or try to get a job with a 
security clearance. There's nobody that forces you to do that. 
It's optional. But you would think in return for that they 
would say: Yes. Here's my Instagram account. And I would go so 
far to say: Here's my password if you want to go look at my 
private Instagram. That is a reasonable thing to look at when 
you're trying to go back and do a background check.
    Some of these background checks are so thorough. You're 
looking at bank records. You're looking at education. You're 
interviewing neighbors. You're talking and trying to figure out 
as much as you can about this information. A very costly, 
expensive, laborious process. And yet we're not even--we're so 
bashful we won't even say: We're going to be looking at your 
Instagram. Is that okay, you know? And if it's not, then maybe 
we shouldn't be giving them a security clearance. That's my 
take on it.
    It's very frustrating this takes so long. Because every 
time we have a problem, what's the very first thing the FBI and 
other law enforcement want to do? They want to dive into their 
social media. That's the best way for them to figure out what 
has been going, what is the attitude, who are they 
communicating with. And if we're going to give a security 
clearance, it seems reasonable.
    I'm past my time. I'll now recognize the gentleman from 
Virginia, Mr. Connolly.
    Mr. Connolly. I thank the chair. I also would say to the 
chair, I caution him, I don't think it's appropriate for him to 
characterize an intervention or a question by a member of this 
committee. I don't do that to him. And I expect him not to do 
it to me. And if we're going to get into that, two can play the 
game.
    Ms. McGettigan, a question maybe you can answer. OPM, is it 
going to migrate to the required XML format, the transaction 
submissions and background checks instead of using legacy 
systems? I thought I heard Mr. DeVries say we're pretty much 
done with the legacy systems. Have we fully migrated to the 
required XML system?
    Ms. McGettigan. I will have to defer that to Mr. DeVries.
    Mr. Connolly. You don't know the answer?
    Ms. McGettigan. I do not.
    Mr. Connolly. Mr. DeVries.
    Mr. DeVries. No, sir, we have not.
    Mr. Connolly. Why not?
    Mr. DeVries. So the whole legacy system is comprised of 
eight different systems which ask questions and interact and 
portray in conducting the investigation through them. A lot of 
the language on, especially I think it was a member here 
brought up the word PIPs, which is the main database system 
that maintains it there, that is on--written in language that 
is no longer supported. And I'm trying to move it out of there.
    It is not just merely a case of just taking something and 
putting it out to XML. We have employed XML in terms of the 
interface going into the customer. We have put that into all 
their front-facing applications there. And in that time, we've 
also put other protections in there, like masking of the Social 
Security number and other techniques. So yes, to the customer 
facing one, as we have on other OPM systems, we have put the 
XML piece into it.
    Mr. Connolly. Ms. McGettigan, what is OPM and NBIB doing to 
ensure that if data is exfiltrated from the NBIB, NBIS systems, 
that the data will be protected and its location and attempted 
use not--will not only be prevented but visible to the NBIS for 
action? What are you doing to protect that in the exfiltration 
process?
    Ms. McGettigan. Again, sir, I'll----
    Mr. Connolly. Can't hear you.
    Ms. McGettigan. I apologize. Again, sir, I will have to 
defer to Mr. DeVries or Mr. Halvorsen.
    Mr. Connolly. So again you can't answer the question.
    Mr. DeVries.
    Ms. McGettigan. I cannot.
    Mr. Connolly. Does the acting director of OPM get involved 
in these cyber issues at all?
    Ms. McGettigan. I do get involved somewhat, but not in the 
details.
    Mr. Connolly. Have you had any experience with the breach 
or responding to the breach in your period of time under Beth 
Cobert or Ms. Archuleta before that?
    Ms. McGettigan. I--when the breach occurred, I was in 
another area of the organization. I was in Human Resource 
Solutions. I was not the chief management officer at that time, 
so I was not intimately involved. I was involved from another 
area of the--I had no responsibility for that.
    Mr. Connolly. Mr. DeVries, what are we doing about that 
exfiltration, protecting that data so it's not breached?
    Mr. DeVries. Yes, sir. Sir, on a macro perspective, let's 
start with the worthy employee or the individual who's going to 
be investigated. He enters his records or his information into 
the e-QIP through the SF--Standard Form 86. That information is 
stored securely. It's on an encrypted database. That is what 
gets queued up to go to the investigators once they are awarded 
that work, if you will, from the NBIB. With my coming on board 
in September, we changed that process.
    In the past, when the companies would get their task orders 
to do these investigations, and we just talked about the 
contract that was awarded out to the four new companies, two of 
those were existing ones and there are two new ones in there, 
the investigators no longer can download that information to 
their company information stores. It stays as part of the 
government, and we've incorporated a new security thing there 
where when they pull the records in, it is on a different 
encrypted system under their hard drive, and they authenticate 
themselves with a verification card that is issued by OPM and 
NBIB to them.
    Mr. Connolly. I only have 30-something seconds, so let me 
ask another question. What are we doing to boost the capacity 
to decrease the enormous backlog on security background checks? 
Mr. Phalen.
    Mr. Phalen. Yes, sir. We have done two things of large 
proportion. Number one, as was referenced earlier, we have 
started a new contract period and doubled the number of 
companies that are available to provide the contract 
investigations. And that, we believe, will have a significant 
impact on our ability to work off the backlog. At the same 
time, in fiscal 2016, we hired 400 new Federal investigators 
into the service. And we plan on, in 2017, adding another 200. 
And we are already seeing the fruits of that addition to work 
off the capacity.
    Mr. Connolly. I think this is on top of many topics we're 
talking about. This is really important. I get complaints all 
the time, especially from private sector companies with 
enormous numbers of jobs at the ready they cannot fill because 
of this backlog. And so the more we can do to streamline, 
expedite, while making sure it's still accurate, I think is 
really critical moving forward.
    Thank you.
    Mr. Phalen. Yes, sir. I agree.
    Mr. Connolly. I yield back.
    Chairman Chaffetz. I thank the gentleman.
    We'll now recognize the gentleman from Alabama, Mr. Palmer.
    Mr. Palmer. Thank you, Mr. Chairman.
    I know you're new on the job, Ms. McGettigan, and if 
there's anyone on the panel who can answer this, I'd appreciate 
it. Does OPM allow employees to access personal email accounts, 
Facebook, do any other personal business using the Federal 
server?
    Ms. McGettigan. Employees are allowed to do limited access 
for personal and business. Access their bank accounts, what 
have you. So there's limited access for personal business. 
Limited use.
    Mr. Palmer. Are you aware that it was reported that the 
Immigration and Customs Enforcement agency just a couple of 
years ago, I think it preceded maybe by a year or so the breach 
of the data systems at OPM, they had numerous cases where the 
breaches were coming--or the attacks were coming through the 
use of personal email utilizing the Federal server? Are you 
aware of that?
    Ms. McGettigan. No, sir, I was not.
    Mr. Palmer. Well, it's an area that concerns me where--and 
employees, and not only employees, but high ranking officials, 
and I don't know that you could answer this, if there are any 
OPM directors or other high-ranking officials using personal 
email accounts--or accessing personal accounts using the 
Federal server or using personal accounts to do business. We 
know that's been a problem in other agencies, most notably the 
State Department.
    One of the things that concerns me is that it doesn't 
appear to me that we've made the maximum effort to protect 
ourselves from cyber intrusion. And for the record, I'd like to 
point out that James Clapper made the point, the Director of 
National Intelligence, that it was the Chinese, not the 
Russians, that we believe hacked OPM. But I think this may have 
been asked earlier.
    OPM is still not fully compliant with the requirements for 
the use of personally identifiable verification cards, the PIV 
cards. Where are we on that?
    Mr. DeVries. Sir, I'll take that. Sir, we are 100 percent 
compliant for the PIV cards for the users to access the 
network.
    Mr. Palmer. So is it a chip-based card?
    Mr. DeVries. Yes, sir, it is.
    Mr. Palmer. And multifactor verification?
    Mr. DeVries. Multifactor verification.
    Mr. Palmer. So we've got that across the board?
    Mr. DeVries. It needs the card and then you need the 
personal identification that you put your PIN in for. Correct, 
sir.
    Mr. Palmer. Let me ask you this: In regard to hiring people 
who handle your data systems, and particularly to protect 
against cyber attacks, how long does it take to process an 
applicant? For instance, I've got a--there's a gentleman in--at 
the University of Alabama, Birmingham, one of the top people in 
the country on this, Gary Warner, and he's turning out some of 
the best experts in cybersecurity. And the day they graduate--
it's almost the day they graduate, they can get a job with 
Visa, MasterCard. But it seems to take months to even get in 
the system for the Federal Government. Is that an issue at OPM?
    Ms. McGettigan. Well, yes, sir, it is an issue in terms of 
the background investigations. We are very much backlogged. We 
are committed to reducing that backlog. And we have--to that 
end, we have just--we have just awarded contracts to increase 
our capacity, the field contracts to increase our capacity. And 
we are on a path to reduce that--to reduce that backlog. But it 
will take time, and employees of OPM or prospective employees 
of OPM are also waiting for background investigations.
    Mr. Palmer. Well, I know that--and I wasn't here for the 
opening of this hearing--that there seems to be a tendency to 
try to make this--politicize this. And if that's where some 
members want to go with it, that's fine. But I think the 
seriousness of the breach at OPM requires that we do our jobs 
to make sure that our data systems are secure.
    And one of the things that I might suggest and encourage 
you to consider is doing the background checks on these top 
students while they're still in school so that when they 
graduate, we're not going to lose them to the private sector. I 
think that we put ourselves at great exposure by not having 
quicker access to the best people that are available to protect 
our data systems.
    Is that something that OPM might consider? Could we 
expedite the process? Because it's unreasonable to think that 
someone could get a really good job somewhere else and then 
have to wait months to get an interview.
    Ms. McGettigan. Yes, sir. We do have some programs. We have 
a program, Presidential Management Fellow Program, where we 
have people apply--recent graduates apply. And they are vetted 
and then they become finalists. We do not do--to my knowledge, 
background investigations are always done at the--once the 
person receives a conditional offer of employment. So it's the 
offer of employment that triggers the background investigation.
    Mr. Palmer. Well, I thank you for coming today.
    And I just want to make this last point, Mr. Chairman, that 
I think the point that needs to be made is that the purpose of 
this hearing is to make sure that our data systems are secure. 
And I think this committee will do whatever we need to do to 
make that possible.
    I yield back.
    Chairman Chaffetz. I thank the gentleman.
    We'll now recognize the gentleman from Wisconsin, Mr. 
Grothman.
    Mr. Grothman. Thank you.
    Mr. DeVries, we'll ask you a question again. You know, the 
GAO recently found----
    Chairman Chaffetz. Mr. Grothman, my apologies. My 
apologies. We need to go to the Democratic first. Mrs. 
Lawrence. I failed to recognize her. The gentlewoman is 
recognized for 5 minutes.
    Mrs. Lawrence. I know you would never purposely not 
recognize me, Mr. Chairman.
    Yesterday, Ranking Member Cummings sent a letter to the 
Defense Secretary about potentially serious violation of the 
Constitution by Lieutenant Governor Michael Flynn, the 
President's national security adviser. General Flynn had 
admitted that he was paid to attend an event sponsored by the 
Russian-backed television network known as RT. And he dined 
with the Russian President Putin. RT has been described by the 
NSA, CIA, and FBI, and I quote: ``The Kremlin's principal 
international propaganda outlet. It receives funding, staffing, 
and direction from the Russian Government.''
    Director Phalen, your staff provided the Standard Form 86 
for security clearance holders. One question on the form, and I 
quote: ``Have you or any member of your immediate family in the 
past 7 years had any contact with a foreign government, its 
establishment, or its representatives, whether inside or 
outside of the U.S.?''
    My question to you, why are these individuals asked this 
question?
    Mr. Phalen. Thank you, Representative, for that question. 
The reason these questions are asked is to ensure that the 
individual who is making an adjudicative decision understands 
what relationships an individual may have with a foreign 
government or foreign representative. And the nature of that 
question is to get to the heart of what that relationship may 
be. It could be benign, it could be not benign. But this would 
be the judgment of the adjudication organization. Our goal 
would be, based on the response to that question, to gather as 
much information as we can get to----
    Mrs. Lawrence. The form also asks the question, and I 
quote: ``Have you in the past 7 years provided advice or 
support to any individual associated with a foreign business or 
foreign organization?''
    So my question to you is, do you know if General Flynn has 
a clearance?
    Mr. Phalen. I have not checked the record. I believe he 
does have a clearance, but I don't know that authoritatively. 
And if I could add, that the investigation of General Flynn, 
given his role in the White House, would generally be conducted 
by the FBI and not by NBIB.
    Mrs. Lawrence. So you don't know if he has a clearance, 
correct?
    Mr. Phalen. I don't know authoritatively, but I believe he 
does.
    Mrs. Lawrence. Do you know if he ever reported to the 
appropriate authorities?
    Mr. Phalen. I do not know that.
    Mrs. Lawrence. Do you know if General Flynn ever reported 
how much he paid--how much he was paid for his trip?
    Mr. Phalen. I do not know that.
    Mrs. Lawrence. So you're stating within the government that 
would be the FBI that would answer that question?
    Mr. Phalen. The--his reporting chain, if his clearance was 
still through the Department of Defense, would have been back 
through a Department of Defense security office, and they would 
be the organization that would have that on the record. It 
would be up to the FBI, if they were doing the investigation, 
to go back and reach out to the Department of Defense and ask 
if that had been reported.
    Mrs. Lawrence. Do you know if that reach-out has happened?
    Mr. Phalen. I do not know.
    Mrs. Lawrence. Mr. Chairman, we need to get answers to 
these basic questions. And I am requesting that the committee 
send a letter requesting a copy of General Flynn's security 
clearance application, as well as any and all updates he may 
have submitted.
    Will the chair agree to that?
    Chairman Chaffetz. Send me the request.
    Mrs. Lawrence. I appreciate it.
    Mrs. Lawrence. We have a responsibility, and we have been 
talking about this. And, Mr. Chairman, you have been a staunch 
leader in this, and this is an area I feel that we need 
questions answered. Thank you so much.
    Chairman Chaffetz. I now recognize the gentleman from 
Wisconsin, Mr. Grothman.
    Mr. Grothman. Okay, Mr. DeVries. GAO found that personnel 
management had not yet completed and submitted a data center 
optimization plan. And, originally, that was supposed to be 
done in September of last year. Do you know when that plan will 
be completed, or has it been completed?
    Mr. DeVries. Thank you, sir. I appreciate that question 
because that's one that's near and dear to my heart.
    I came onboard as the CIO in September. We did not publish 
that one, because it was not complete. I completed the 
assessment on it, and we're finalizing that. And that should be 
done back up to OMB by the end of this quarter here.
    Mr. Grothman. By the end of?
    Mr. DeVries. This quarter.
    Mr. Grothman. Okay. So the next couple months. Okay. Do you 
know what the savings goal you have for a plan like that is?
    Mr. DeVries. Sir, I do not have the savings goal in terms 
of the final numbers yet. That's part of the assessment that's 
still ongoing right now.
    Mr. Grothman. Okay. How many data centers do you own now?
    Mr. DeVries. Today, sir, I own seven. We closed down two, 
and we're about ready to move out of our third one here in the 
next 2 months.
    Mr. Grothman. Oh, that's good. What do we have left? What 
are the ones that are left?
    Mr. DeVries. And then I have five left. And I'm going down 
to two.
    Mr. Grothman. Okay. Good.
    Let me give you another question. During the data discovery 
breach and mitigation process, your relationship with the 
inspector general was strained. There was a lack of 
communication, time--there wasn't timely reporting, I think the 
IG wasn't informed really what you would consider on a timely 
basis. I understand things have improved since that time. How 
would you characterize your relationship with the inspector 
general today?
    Mr. DeVries. On behalf of the CIO office, I'll say it's 
very good. I say that because we meet monthly with his staff 
and my staff to go through what their concerns are, what their 
findings are, what our status is of reporting back to those 
findings. It's a very good relationship. They hold nothing 
back.
    And I'd like to defer now the final question to my chief 
information security officer, because he deals with them much 
more frequently.
    Mr. Grothman. Okay.
    Mr. Chase. Is that okay, Representative?
    Mr. Grothman. Sure. Yeah.
    Mr. Chase. So one of the things when I came onboard was to 
establish a good relationship with the inspector general. We 
meet on a weekly basis to talk about all the progress. And so--
and I know I mentioned it earlier, but I'll say it again, is 
everything from the compliance efforts that we did to the 
engineering rollouts, so there's a lot of things going on that 
I wanted to make sure that the inspector general is abreast of. 
And so with that, they've given us guidance on what's 
appropriate to align to their FISMA report metrics and 
reporting. And it's been helpful not only for me but my staff 
behind me to see why that relationship is one that pays 
dividends in the long run.
    Mr. Grothman. Good. And if there was a breach today, how 
quickly would the inspector general know?
    Mr. Chase. As quickly as everybody else.
    Mr. Grothman. Okay.
    Mr. DeVries. Sir, I make that first phone call to the 
director, the second one is to the OIG, so it's realtime----
    Mr. Grothman. Okay. Thank you.
    I yield the remainder of my time.
    Chairman Chaffetz. The gentleman yields back.
    I now recognize the ranking member, Mr. Cummings.
    Mr. Cummings. Thank you very much, Mr. Chairman.
    Director Phalen, according to the website, the National 
Background Investigations Bureau, NBIB, is now responsible for 
conducting, and I quote: ``Approximately 95 percent of the 
total background investigations governmentwide.''
    Is that right?
    Mr. Phalen. Yes, sir, that is.
    Mr. Cummings. Out of the total number of background 
investigations that NBIB is responsible for conducting, does 
that include political appointees in the Trump administration?
    Mr. Phalen. Generally not.
    Mr. Cummings. Not?
    Mr. Phalen. Generally not.
    Mr. Cummings. Okay.
    Mr. Phalen. Yes.
    Mr. Cummings. And why not?
    Mr. Phalen. By tradition, that work has been given to the 
FBI to conduct those investigations by the White House.
    Mr. Cummings. And so a--now, guideline A of the 
adjudicative guideline states that individuals seeking a 
security clearance must have unquestioned allegiance to the 
United States, and lays out a series of examples of 
disqualifying factors that investigators and adjudicators will 
use to determine eligibility.
    Based on some of the questions on that SF86, I think many 
people often think of association with groups seeking to 
overthrow the U.S. Government by violent means, like violent 
anarchists or terrorist groups. When we think of this 
guideline, is that fair?
    Mr. Phalen. Yes, that would be a major piece of that 
category. Yes, sir.
    Mr. Cummings. But the disqualifying factors in the 
guideline may include much more than that. Do they not? They 
include whether a person associates with or shares the 
viewpoint of those who advocate using illegal or 
unconstitutional means to prevent government personnel from 
performing their official duties or others from exercising 
their constitutional rights. Is that correct?
    Mr. Phalen. Those are--those are questions to be considered 
in an adjudication, yes, sir.
    Mr. Cummings. And it could--and it could conclude--include 
persons who associate or share the viewpoint of those who use 
illegal or unconstitutional means to, quote, ``gain attribution 
for perceived wrongs caused by Federal, State, or local 
government,'' end of quote. Is that correct?
    Mr. Phalen. Those would be adjudicative questions, yes, 
sir.
    Mr. Cummings. If your investigations uncovered negative or 
derogatory information in any of those areas, I imagine that 
you could raise concern with regard to them. Is that correct?
    Mr. Phalen. They would be noted in the investigation, and 
they would be forwarded to an adjudicative--adjudication 
authority to make a determination as to whether that individual 
should be cleared.
    Mr. Cummings. So I want to walk you through a few short 
examples. If someone said that they were a Boy Scout or Girl 
Scout, would that raise a concern under guideline A? Of course 
not. Is that right?
    Mr. Phalen. No, sir.
    Mr. Cummings. What if someone described themselves as a 
Leninist, which refers to the Russian revolutionary who was not 
a fan of our democratic government, should that raise concerns 
for your investigators?
    Mr. Phalen. It would, and the investigator should pursue 
that avenue of discussion with the subject as to what that 
means.
    Mr. Cummings. What if someone said that his goal was to, 
quote, ``destroy the State,'' unquote, what response would that 
elicit?
    Mr. Phalen. That would elicit a very strong line of 
questioning with that individual and with others to determine 
what he means by that, so that we can give a full picture to 
the adjudicator.
    Mr. Cummings. What if somebody said, quote, ``I want to 
bring everything crashing down and destroy all of today's 
establishment,'' end of quote, should that raise a concern?
    Mr. Phalen. That would be noteworthy in an adjudication, 
yes, sir.
    Mr. Cummings. Chairman, each of these phrases were 
reportedly used by Steve Bannon to describe his views and his 
goals, according to Ronald Radosh of The Daily Beast. Mr. 
Bannon has since reportedly denied saying those things, but I 
imagine an investigator would still have concerns about them. I 
imagine that they would also want to see numerous reports about 
racism rampant on the news website Mr. Bannon used to run.
    Mr. Chairman, this is--this is a very serious problem. The 
President has picked Mr. Bannon to be his chief strategist and 
senior counselor. Not only that, the President just reorganized 
the National Security Council and gave Mr. Bannon a permanent 
seat at the table, while removing the chairman of the Joint 
Chiefs of Staff and director of National Intelligence. This is 
at least--I mean, it causes us to--we should wonder about this 
and question it.
    Do you--if--you may have answered this earlier. If somebody 
is under criminal investigation--and I know that we now have a 
liaison. Tell me how that works, a criminal liaison to try to 
work with--what happens when you find out somebody is under 
criminal investigation?
    Mr. Phalen. Depending what the criminal--criminal 
investigation is and the immediate seriousness of the nature, 
we may immediately contact the requesting agency that is asking 
for the clearance to give them sort of a heads-up that this is 
out there. And they may or may not determine at that point they 
want to terminate the request for a clearance. Otherwise, we'll 
continue the investigation.
    The fact that--going further down the road, an adjudicator 
would be faced with this question, this is an individual under 
criminal investigation, it would be up to them to understand 
what that investigation is about and to make a judgment whether 
or not that investigation or what is surrounding it would be 
disqualifying for access to classified information, whether--
essentially, whether it shows an inability to be trusted to 
hold onto classified information.
    Mr. Cummings. So, in other words, the person could still 
get a--get a clearance?
    Mr. Phalen. Yes.
    Mr. Cummings. And I would assume that if that person were 
then later on convicted of an offense, then that probably his 
clearance would be withdrawn. Is that right?
    Mr. Phalen. If----
    Mr. Cummings. And who would do that?
    Mr. Phalen. The organization that issued the clearance 
would be the organization to rescind the clearance. And--based 
on what they see. And they would make--and if it had already 
been issued, an individual is convicted, it would be up to that 
organization to determine whether or not that conviction has 
any impact on their ability to be trusted.
    Mr. Cummings. My last question. The--I just gave some 
quotes that are attributed to Mr. Bannon. Would--I mean, if 
they--if you were to raise--if those questions were raised, 
would anyone go and then--and then the--say, Mr. Bannon, or 
whoever may have said those kind of things, denied them, would, 
then, you--would--would somebody go back to look to see if 
those statements were made in other--in the periodicals, 
whatever? And how might that affect the security clearance of 
that person? Do you understand my question?
    Mr. Phalen. I believe I do. We--if--if we--first, if we 
were faced with an individual who had made statements that 
appeared to be counter to the United States, that would be an 
issue we would pursue with the subject themselves, to start 
with. And to use your example, if that individual said, no, I 
never really said that, I don't really feel that way, we would 
use, to the best of our ability, whatever sources we can find 
to get to--to do issues resolution, to determine whether--what 
the truth is, to the extent that we can, so that we can give as 
full a picture as we can to the official that has to make that 
ultimate decision.
    Mr. Cummings. And if you discovered that, unequivocally, 
that the person had not been honest with you, what might--
effect that have?
    Mr. Phalen. That would, again, be passed on to the 
adjudication authority, and they would have to determine 
whether that makes a difference or not.
    Mr. Cummings. Mr. Chairman, thank you for your indulgence.
    Chairman Chaffetz. Thank you.
    I'll now recognize the gentlewoman from New York, Mrs. 
Maloney.
    Mrs. Maloney. Thank you, very much.
    Chairman Chaffetz. Your microphone. Microphone.
    Mrs. Maloney. You know, I'm really concerned about 
cybersecurity. And if Congress is serious about helping 
agencies improve their cybersecurity, it must call on the 
President to rescind, in my opinion, his across-the-board 
hiring freeze. How in the world can you move forward if you 
can't even hire the people that can do the job? Such--this 
freeze that he's put in place, in my opinion, undermines the 
Federal Government's ability to recruit, develop, and maintain 
a pipeline of cybersecurity talent that's needed to strengthen 
Federal cybersecurity. And if there was a field that didn't 
change every 24 hours, it's cybersecurity. You have to get the 
youngest, brightest, latest people that are involved in it.
    So I am concerned about this freeze that he put in place, I 
think it was roughly 2 weeks ago. And he's taken other steps 
that will make it more difficult for Federal agencies to 
improve the area of cybersecurity. So I--and then he issued 
this memoranda ordering across-the-board hiring freeze in the 
Federal Government. And I want to quote from it. And I quote: 
``As part of this freeze, no vacant positions existing at noon 
on January 22, 2017, may be filled, and no new positions may be 
created.''
    So it seems to me that when it comes to improving 
cybersecurity, a hiring freeze is one of the most 
counterproductive policies that you could ever put in place.
    And after the 2015 cybersecurity at OPM, Federal CIO Tony 
Scott and then OMB Director Shaun Donovan put in place a 
cybersecurity strategy and implementation plan for the entire 
government. And I quote: ``The vast majority of Federal 
agencies cite a lack of cyber and IT talent as a major resource 
constraint that impacts their ability to protect information 
and assets.''
    And so I'd just like to ask Mr. DeVries, as the CI--CIO of 
OPM, can you highlight some of the challenges that OPM has 
faced when it comes to recruiting and hiring cybersecurity 
specialists? And, obviously, you can't do anything if you can't 
hire anybody. So could you give us some insights there?
    Mr. DeVries. Thank you very much for that question. That is 
a--that is pertained to OPM. It's pertained to the Federal 
workspace and the Federal cybersecurity and IT professionals. 
That is a concern to all of us of how do I keep the pipeline 
coming in there.
    I will tell you, from my experience just coming onboard in 
OPM in September, we have, for example, five hiring actions out 
there, and we had about a 60 percent--we did not get to them 
fast enough before they went someplace else. We have completed 
that. We have filled those things. But, again, that's our 
challenge across the Federal spaces, how do I recruit and 
retain these folks.
    I will tell you, it comes from the passion of the heart. 
They come onboard. If I give them meaningful experiences, 
training, they will stay. I think we're also working across the 
Federal space of how do I help improve the rotation, if you 
will, from Federal service back to industry and then back in 
again. We need to make--we have made strides on it. We need to 
continue to work on that together.
    Mrs. Maloney. Well, I--I've got to say that cybersecurity 
is really tied to the security of the Nation. And I think--I 
don't see how you can do your job if you can't hire people.
    So I would respectfully like to request that the chairman 
think about maybe asking for a waiver for the cybersecurity 
area in hiring. Number one, as Mr. DeVries pointed out, it's 
hard to hire them, because they're in great demand all over the 
country right now, that is a prime focus of the country. And so 
we need to work in this for the good of the country.
    And I--we're all individuals. I'm going to write the 
President my own letter and request that he waive it for the 
area of cybersecurity.
    But can you just go over some of the agencies, how does 
this hinder your ability and capability to improve when it 
comes to securing IT systems when you're not able to hire 
people? How does this affect you?
    Ms. McGettigan. Congresswoman, in terms of the hiring 
freeze, this is a 90-day freeze, and there are many exemptions 
to that freeze, primarily in terms of national security, public 
health, and public safety.
    Mrs. Maloney. But isn't this national security, 
cybersecurity?
    Ms. McGettigan. Well, agency heads are able to make that 
determination and to exempt those positions that are deemed to 
be national security.
    Mrs. Maloney. So that's taken care of?
    Ms. McGettigan. If they are not--if they have a position, a 
cybersecurity position, that they would not feel was national 
security, they can come to OPM and we will review their request 
for an exemption from that.
    Mrs. Maloney. Have any people asked for exemptions?
    Ms. McGettigan. At this point, no. I'm not aware 
specifically that anyone has come into OPM. I haven't seen any 
requests.
    Mrs. Maloney. Okay. My time has expired. Thank you.
    Chairman Chaffetz. Thank you.
    Just a few wrap-up questions.
    Mr. DeVries, could you please provide the committee all the 
NCAPs or other pen test reports conducted in the last year? Is 
that something you can provide the committee?
    Mr. DeVries. Yes, sir, we can.
    Chairman Chaffetz. Okay. Thank you. We appreciate it if 
you'd do that.
    And then, Mr. Phalen, one of the--one of the sad realities 
of what happened when Director Archuleta was in place is this 
hack had legacy systems online that dated back to 1985. And my 
understanding is, even if you applied for a job and didn't get 
a job with the Federal Government, and you did it after 1985, 
you might have been in that system.
    What are you doing to take sort of the nonactive records so 
they're not online and, thus, accessible to some hacking? Have 
you made any adjustments there?
    Mr. Phalen. To be honest, sir, I don't know. I know we have 
done a tremendous amount, you've heard it earlier today, in 
securing the systems. And I'm very comfortable that we have 
both the barriers on the front end and the ability to, my 
words, fight sort of an active shooter online on the network, 
should it appear. I don't believe we've taken a tremendous 
amount of this and put it offline, because it is--it needs to 
be accessible for any future work that we do.
    Chairman Chaffetz. To a degree. I mean, you know, if 
somebody retired in 1991 and then all of a sudden we have a 
hack in 2014, it does kind of beg the question why is that 
system--Mr. Halvorsen looks like he has something.
    Mr. Halvorsen. Yes. The new system will have tiered storage 
on it both in terms of what's live, what goes back, and it will 
take into consideration some of the things you said. If you are 
offline for a while, that will go into a different storage 
system, and it will be much harder to access.
    Chairman Chaffetz. It just--it seems like one of the 
lessons we should have learned for the nonactive employees--
again, there may be a period of time. You all are more experts 
on it than we are, but after a certain amount of time, maybe it 
should be, you know, more sitting in some mountain somewhere as 
opposed to online.
    Two last questions. Who's in charge? When there's conflict, 
disagreement, when there is an attack, who ultimately is in 
charge?
    Mr. Chase. So through my program, we actually have a 
process that we implemented based on the lessons learned from 
the 2015 breach, and there is a communication path that routes 
up into the director's office through the CIO with the severity 
and any data or details related to that incident.
    Chairman Chaffetz. So who--who is in charge?
    Mr. Chase. So----
    Chairman Chaffetz. Who ultimately makes the hard decision 
if there's a disagreement, a question? You've got the DOD. 
You've got OPM. Something's not--who is the ultimate 
decisionmaker?
    Mr. DeVries. So I'd like to take that on. If it's on the 
current system that OPM and I, as the CIO, am responsible for, 
I do that.
    Chairman Chaffetz. Okay.
    Mr. DeVries. On the new system, within the NBIS, as we 
transition to it, DOD will.
    Chairman Chaffetz. Okay. So that would be Mr. Halvorsen or 
whoever his replacement is?
    Mr. DeVries. Correct.
    Mr. Halvorsen. That is correct.
    Chairman Chaffetz. Okay. Last question. Mr. Halvorsen, you 
have the freedom of retirement there running around the corner 
here. So given that, your years of service, your perspective, 
your expertise, summarize for us, what should the Congress 
understand? What are your greatest frustrations and concerns 
and your best suggestions that you can offer us?
    Mr. Halvorsen. Well, first, I'll thank Congress. As you 
know, working through many of the members here, we did get the 
cyber excepted service law, which I do think was the first 
thing that we needed to get done to recruit and move past some 
of the things that were blocking our ability.
    I do think we are going to have to reevaluate the pay scale 
for cybersecurity personnel and some other key positions. We do 
rely on patriotism. We can recruit people a lot for that, but 
the pay disparities are getting out of hand. I mean, I will 
tell you, I have lost six or seven people this year, very good, 
basically, because they could not anymore turn down the offers. 
And I can't counsel them against that after a certain point.
    Chairman Chaffetz. I'm totally convinced that you're right. 
And I hope that this Congress--I plan on helping to champion 
some legislation to give more realistic assessment to provide 
that flexibility, because I do think you're right.
    Mr. Halvorsen. And I think the other more most important 
thing that we do, and I have said this before, I will keep 
saying it, I do think the secret weapon of our country is, to 
keep our security, keep our edge in warfighting is better use 
of our industry and commercial mobility and agility.
    You have seen--we talk about this in DOD. We are embarking 
to bring as much commercial into these activities. We are doing 
it with this system as the build of the new. We need to 
continue that, and we need to continue that against--across the 
foreign government--I mean, across the Federal Government 
space. That also means we will have to work and raise the bar 
for industry on security.
    While I'll be the first to say that DOD included, we have 
to get better in our security practices. And I am heartened by 
what I see in my discussions with the commercial community. 
They are starting to take that to heed, and we are seeing a 
rise in their ability to protect data. We need to encourage 
that and open up our dialogue with the commercial sector on how 
best to do that and share more information.
    Chairman Chaffetz. Thank you, again, Mr. Halvorsen. We 
thank you for your service, and we wish you nothing but the 
best of luck in whatever your future endeavors take you. And 
thank you again for your service.
    Let me recognize Mr. Cummings, and we'll close the meeting.
    Mr. Cummings. Thank you. Thank you. I want to thank all of 
our witnesses for being here today. You certainly have been 
extremely helpful. And I want to--you know, I just hope that 
the--I want to express my appreciation to all the people that 
work with you, because I know that you all have teams of people 
who give their blood, their sweat, their tears, because they 
want America to remain the greatest country in the world.
    Mr. Halvorsen, again, I want to join in with the chairman 
and thank you for your service.
    I have a brother who is a former Air Force officer, who is 
not a cyber expert, so he talks to me all the time about the 
demand for these folks who are good. I also have sat on the 
Naval Academy Board of Visitors for the last 12 years. And one 
thing that we've done in the Naval Academy it's now mandatory 
that every student have--I know you probably already know 
this--have extensive cyber lessons as part of our curriculum, 
and so we see the significance of it.
    I want to ask you this: One of the things that we wrestle 
with is Federal employees feel that they are under attack 
constantly. We've seen recently where all kinds of measures 
have been put forth that really make them feel pretty insecure. 
And I'm just wondering, how do you--I mean, first of all, talk 
about, briefly, the people that you've worked with and what 
they bring to the table. Because a lot of people, I think, get 
the impression sometimes that the people who work for the 
Federal Government are not giving a lot and not giving their 
best and not feeding their souls, as I often say.
    I just want--you know, you're on your way out. You've had 
an opportunity to work with a lot of people. And I'm sure one 
of the saddest parts is probably a bittersweet thing, you 
created a family. I always tell my children that whenever you 
get a job, you also create a family of people who are looking 
out for you and who care about you and who you--sometimes 
you're with more than you're with your own family.
    So could you just talk about some of the, just generally, 
the people that you've worked with, sir? Because I know that 
you could not have done what you've been able to accomplish 
without a support system. If you might, just very briefly.
    Mr. Halvorsen. Well, you know, I will tell you, having both 
been in the military and in Federal service, highest respect 
for the Federal workforce. They do exceptional work. They put 
in a lot of hours. They do their best on everything they can 
do. But I'm also going to comment, I see that also in the 
commercial workspace when I bring the people in. I do think 
this is a leadership issue. And if you make your--any of your 
employees, whether they're Federal, military, or commercial, 
feel a part of the team and you listen to that team, they will 
give you everything they've got to get--to get the work done. 
And that--I have 37 years, that's what I have seen in the 
Federal Government and in that workspace.
    Mr. Cummings. And I think when you show people that you 
truly care about them--not just about them, but their families 
and their welfare--I tell the people that come to work with us 
on the OGR, if they are not better when they leave me, then 
I've failed. In other words, if they are--their skill level is 
not higher, if they're not more proficient, if they're not more 
effective and efficient, then I've done something wrong. 
Because I want to invest in them. Because I want to be a part 
of their destiny. I want to touch their futures. Even when I'm 
dancing with the angels, I want to know that they've gone on to 
do great things, because our Nation really needs the very, very 
best.
    And so I can tell you that working with the chairman, we 
saw that. We--in working with the--then I'll be finished. I 
give the chairman a lot of credit, because when we looked at 
the Secret Service, he and I made a concerted effort to say to 
the Secret Service we wanted the elite of the elite. We wanted 
the very, very best, and we wanted to create that culture.
    And I think we're moving toward this, Mr. Chairman. I don't 
know that we've gotten there yet, but we're trying to get 
there. But--and we've done that in a number of agencies in a 
bipartisan way.
    And, again, I just--you know, the only reason I raise the 
question, Mr. Halvorsen, is because I just want the public to 
be reminded that, you know, there's a vast array of Federal 
employees that keep our country the great country that it is.
    And, again, I want to thank all of you and everybody who 
back you all up for doing what you do. And, now, we still have 
a lot of work to do, as you've all made very, very clear, but I 
believe that, you know, we can--we can get it done.
    And thank you, Mr. Chairman.
    Chairman Chaffetz. Thank you. And thank you all. And please 
let them know, the men and women who work within your 
departments and groups, how much we do appreciate it. It's a 
tough job, but it's a very important job, and we do appreciate 
it.
    Thank you. The committee stands adjourned.
    [Whereupon, at 11:28 a.m., the committee was adjourned.]


                                APPENDIX

                              ----------                              


               Material Submitted for the Hearing Record
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
