b"<html>\n<title> - EXAMINING THE ROLE OF SHARED EMPLOYEES IN THE HOUSE</title>\n<body><pre>[House Hearing, 115 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n \n          EXAMINING THE ROLE OF SHARED EMPLOYEES IN THE HOUSE\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                           COMMITTEE ON HOUSE\n                             ADMINISTRATION\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED FIFTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                             APRIL 12, 2018\n\n                               __________\n\n      Printed for the use of the Committee on House Administration\n      \n      \n      \n      \n [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]     \n \n \n\n\n                       Available on the Internet:\n                         http://www.govinfo.gov\n                         \n                         \n                         \n                               _________ \n\n                    U.S. GOVERNMENT PUBLISHING OFFICE\n                   \n 32-657                     WASHINGTON : 2018                               \n                         \n                         \n                         \n                   Committee on House Administration\n\n                  GREGG HARPER, Mississippi, Chairman\nRODNEY DAVIS, Illinois, Vice         ROBERT A. BRADY, Pennsylvania,\n    Chairman                           Ranking Member\nBARBARA COMSTOCK, Virginia           ZOE LOFGREN, California\nMARK WALKER, North Carolina          JAMIE RASKIN, Maryland\nADRIAN SMITH, Nebraska\nBARRY LOUDERMILK, Georgia\n\n\n\n\n\n          EXAMINING THE ROLE OF SHARED EMPLOYEES IN THE HOUSE\n\n                              ----------                              \n\n\n                        THURSDAY, APRIL 12, 2018\n\n                          House of Representatives,\n                         Committee on House Administration,\n                                                   Washington, D.C.\n    The Committee met, pursuant to call, at 11:16 a.m., in Room \n1310, Longworth House Office Building, Hon. Gregg Harper \n[Chairman of the Committee] presiding.\n    Present: Representatives Harper, Davis, Comstock, Walker, \nLoudermilk, Brady, Lofgren, and Raskin.\n    Staff Present: Sean Moran, Staff Director; Kim Betz, Deputy \nStaff Director/General Counsel; Cole Felder, Deputy General \nCounsel; Dan Jarrell, Legislative Clerk; Erin McCracken, \nCommunications Director; Jamie Fleet, Minority Staff Director; \nKhalil Abboud, Minority Deputy Staff Director; and Eddie \nFlaherty, Minority Chief Clerk.\n    The Chairman. I now call to order the Committee on House \nAdministration for purposes of today's hearing on shared \nemployees. A quorum is present, so we may proceed. The meeting \nrecord will remain open for 5 legislative days so that Members \nmay submit any materials they wish to be included therein.\n    My opening remarks will be brief.\n    Today's hearing will focus on the practice by which \nmultiple member offices share employees to perform \nadministrative functions, such as finance or information \ntechnology services. The practice of sharing employees began in \nthe mid to late 1990s and continues today. However, there had \nbeen concerns about the lack of oversight and supervision \nshared employees have in their duties. The Office of Inspector \nGeneral audited the practice in 2008, and again, in 2012.\n    Today's hearing will provide this Committee with the \nopportunity to understand the history of the practice of \nsharing employees. Further, it will allow us the opportunity to \nreview the current reporting and disclosure requirements \nimposed on shared employees and determine their effectiveness. \nFinally, the hearing will allow the Committee to understand the \nadditional actions the House should take to ensure that all \nrisks are addressed.\n    I yield to my colleague and the Ranking Member, Mr. Brady, \nfor purposes of an opening statement.\n    Mr. Brady.\n    Mr. Brady. Thank you, Mr. Chairman, for holding--and thank \nyou for holding this hearing today.\n    Mr. Chairman, I have worked on the shared employees issue \nsince I became Chairman in 2007. I had hearings on this topic, \nand we marked up new regulations to deal with this issue. I \nalso supported the efforts of Chairman Lungren in 2012 to \nmeasure if what we were doing was working. We have more work to \ndo.\n    I won't support an overall limit on the number of offices \nthat share technology and finance staff that can support. We \nshould discuss that limit. I also support a background check as \na condition of access to the network. We need to explore what \nthese background checks measure and what we do with the \nresults.\n    I am very glad you have asked these witnesses here today. \nWe have a fine group of House office in front of us. I consider \nPhil and Paul friends and look forward with our new inspector \ngeneral once I learn how to pronounce your last name.\n    I look forward to the testimony, and I yield back the \nbalance of my time.\n    The Chairman. The gentleman yields back.\n    Does any other Member wish to be recognized for the \npurposes of an opening statement?\n    Seeing none, we are honored to have yet another \ndistinguished panel of witnesses before us, and I will now \nintroduce those to the Committee.\n    Phil Kiko was sworn in as the Chief Administrative Officer \nof the House of Representatives on August the 1st of 2016. This \nis the second time Mr. Kiko is serving at the CAO. In the mid \n1990s, Mr. Kiko joined the then-newly formed CAO, and his \nassociate administrator for procurement and purchasing to help \nestablish the procurement office. Mr. Kiko has a long record of \ndedicated service, both in the House and throughout the Federal \nGovernment.\n    Most recently, Mr. Kiko served as staff director and \ngeneral counsel for two House committees, including serving on \nthis Committee from 2011 to 2012. Mr. Kiko also has worked in \ntwo other House committees and served as chief of staff at a \nMember's congressional office.\n    I would also like to introduce Paul Irving, our Sergeant-\nat-Arms. Paul Irving was sworn in as the Sergeant-at-Arms at \nthe U.S. House of Representatives on January the 17th of 2012 \nduring the second session of the 112th Congress. He is the 36th \nperson to hold this post since 1789. Mr. Irving previously \nserved as an assistant director of the U.S. Secret Service from \n2001 to 2008 and served as a special agent with the Secret \nService for 25 years.\n    I would now like to introduce Michael Ptasienski, House \nInspector General. Michael Ptasienski was appointed as the \nfifth inspector general of the United States House of \nRepresentatives on February the 15th of 2018. Mr. Ptasienski \npreviously served in the Office of Inspector General of the \nHouse as the Deputy Inspector General, advisory and \nadministrative services, and as the director, management \nadvisory services.\n    He has been serving in the House since 2008. Prior to \njoining the House, Mr. Ptasienski spent more than 15 years \nworking in consulting and management roles in the financial \nservices industry, and has several professional certifications \nin accounting, auditing, risk management, and project \nmanagement.\n    Again, I want to thank each of you for being here today \nwith us. The Committee has received each of your written \ntestimony. At the appropriate time, I will recognize you for 5 \nminutes to present a summary of that submission. You know how \nthis drill works with the timer that is there.\n    We look forward to hearing from each of you. This is a very \nimportant hearing for us going forward. And the Chair now \nrecognizes the Chief Administrative Officer, Phil Kiko, for 5 \nminutes.\n\n  STATEMENTS OF HON. PHILIP KIKO, HOUSE CHIEF ADMINISTRATIVE \n  OFFICER, UNITED STATES HOUSE OF REPRESENTATIVES; HON. PAUL \n    IRVING, HOUSE SERGEANT-AT-ARMS, UNITED STATES HOUSE OF \n  REPRESENTATIVES; AND MICHAEL PTASIENSKI, INSPECTOR GENERAL, \n             UNITED STATES HOUSE OF REPRESENTATIVES\n\n                 STATEMENT OF HON. PHILIP KIKO\n\n    Mr. Kiko. Thank you for the opportunity to participate in \ntoday's hearing. The activity of certain shared employees and \ntheir technical service is one of the first issues that was \nbrought to my attention when I became CAO. The House shared \nemployees account for less than 1 percent of the estimated \n10,000 House employees. Collectively, they work for roughly 75 \npercent of House offices.\n    Unlike the majority of House employees, the oversight \nstructure of the technical services they provide is fractured \nand decentralized. Because they are not employees of any House \nofficer, we are limited in our ability to take swift corrective \naction when non-compliance with House policies and technical \nstandards are detected.\n    The problem is simple. Decentralized oversight leads to \nnon-compliance and abuse of policies intended to protect the \nHouse. The solution is slightly more complicated, and one the \nHouse has been grappling with for the last decade. With that, \nat the direction of the Committee, in February 2017, the House \nofficer working group convened, and in June of last year, \nissued a report identifying over 2,000 gaps in the management \nstructure, the subsequent risk to the House, and reforms to \nmitigate those risks.\n    These gaps, in a broad perspective, relate to supervision \nand oversight of shared employees, or lack thereof, the \ndelegation of tasks between shared employees, and the fact that \nthey are sharing workloads and have informal supervisory \nagreements regardless of the employing authority. Improper \nvetting of the employees, and perhaps most problematic, the \ninability to enforce compliance with House information security \npolicies. For example, the unauthorized assets to office data \nor commingling of data, the use of unsecured software, cloud \nservice, email accounts, and equipment.\n    Many of these gaps are not necessarily new, but the risks \nassociated with the gaps have changed and need to be addressed, \nparticularly the risk that impact the House cybersecurity \nefforts. Cyber attacks, as you know, against the House, average \n300 to 500 million each month. And the bookend to the outside \nthreat is the insider threat.\n    Tremendous efforts are dedicated to protecting the House \nagainst to these outside threats; however, these efforts are \nundermined when employees do not adhere to and thumb their nose \nat our information security policy. And that is a risk, in my \nopinion, we cannot afford.\n    The working group concluded the most effective way to \nmitigate the risk of shared employee was to change the \nemployment structure itself. And after the working group \npresented its recommendations, a Committee task force led by \nRepresentative Davis was created. It hosted multiple bipartisan \nlistening sessions with Members on this topic, and I attended \nevery one of those meetings. Members expressed a strong desire \nto retain shared employees as some of their duties can involve \ninformation that is sensitive in nature. However, Members were \nunder the impression that, due to the technical nature of the \nduties shared employees, whether IT or financial, underwent a \nmore vigorous vetting process, and they were also open to the \nCAO having a more hands-on oversight on compliance with House \nstandards.\n    With this valuable feedback, a strategy was developed with \nthe committee to mitigate risk and significantly modify the \nemployment structure. It included the development of strict \nadministrative standards for IT and shared financial \nadministrators that would standardize the adherence to House \npolicies and add additional oversight and compliance measures.\n    The CAO would be the centralized oversight entity with \nenforcement capabilities while preserving Member choice in \nhiring. It mirrors the current contractor model in that it \nallows for vetting individuals who will have privileged access \nto the House network, and it creates the ability to immediately \nrevoke access for those who comply with House IT and financial \npolicies. It doesn't mean they are revoked forever. It is \nrevoked until they comply. Critical oversight capabilities that \nMember offices I do not think have the bandwidth to deal with.\n    The CAO stands ready to roll up its sleeves with the \nCommittee and to close the gaps and greatly use the risks that \nare inherent in the current model.\n    Thank you very much.\n    [The statement of Mr. Kiko follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]       \n    \n    \n    The Chairman. Thank you, Mr. Kiko.\n    The Chair will now recognize Sergeant-at-Arms Paul Irving, \nfor 5 minutes for the purposes of an opening statement.\n\n                 STATEMENT OF HON. PAUL IRVING\n\n    Mr. Irving. Chairman Harper, Ranking Member Brady, and \ndistinguished Members of the Committee, I appreciate the \nopportunity to participate in the Committee's hearing today \nregarding the use of shared employees in the House.\n    As you know, the House Sergeant-at-Arms serves as the \nChamber's principal law enforcement officer. And from this \nperspective, shared employees present unique challenges.\n    Shared employees have access to systems, offices, and \npersonnel of multiple Members, and can potentially create a \ngreater risk than an employee who has access to only one \noffice's systems. Shared employees may also have access to \nsensitive information technology or financial records.\n    As the House of Representatives has moved towards greater \nautomation and increased use of digital technology, the \nvulnerabilities and risks have likewise increased. The risks \nposed by shared employees can be minimized by requiring \nbackground checks as well as robust internal controls. I would \nalso recommend that shared employees be issued different ID \ncards.\n    Because of the greater risk of shared employees, it is \ncritical that a shared employee be thoroughly vetted by the \noffices. However, Members are generally free to set the terms \nand condition of employment in their office. When an employee \nworks for a single Member office, the Member can monitor the \nindividual's performance and determine the level of trust and \nresponsibility that should be vested in that individual. In \ncertain respects, the Member assumes the risks of hiring the \nindividual.\n    When an employee is shared among many Member offices, each \nMember is not as closely situated to monitor the individual's \nperformance. The relationship between the Member and staffer is \nmore attenuated, and knowledge about the employee's background \nis minimal. Thus, each Member potentially faces greater risk \nfrom the individuals who have access to sensitive information, \ntechnology, or financial data, as the Member is not as well \npositioned to vet or closely monitor the activities of the \nemployee.\n    Currently, the Capitol Police provides criminal background \nchecks for Members' offices upon request. When developing a \npolicy concerning background checks, the Committee may wish to \nadopt or consider the scope, frequency of the investigation, \nand the adjudication or background of the background check.\n    Background checks are not a panacea, but they can serve as \nindicators that an individual is trustworthy or, conversely, \npotentially susceptibility to influences that could have \nnegative repercussions for the entire House.\n    In addition to developing a uniform standard for background \nchecks, it is also essential that there be uniformity in \noversight as well as the institution of internal controls to \nensure that all shared employees strictly adhere to the \npolicies and procedures related to this unique position.\n    The CAO has put together a strategy for developing internal \ncontrols and ensuring the maintenance and uniformity of \nstandards of shared employee conduct. I would support these \nrecommendations by the CAO regarding the continued development \nand enforcement of these procedures.\n    I would also encourage all House offices to require strict \nadherence to the established standards as a condition of \nemployment. Should an employee fail to comply with these \nstandards, I fully support the CAO being granted the authority \nto revoke a shared employee's access to the House network.\n    One final area that can be leveraged to tighten security of \nshared employees is to provide a slightly different ID card to \nshared employees. Currently, ID cards are issued under one \noffice, while a shared employee may work for many offices. \nCapitol Police officers can have difficulty identifying \nappropriate access when an individual's ID differs from the \noffice in which they are working. If an ID card clearly denotes \nthe employee of the shared staff, the officer can easily \nrecognize that the individual might require further follow-up.\n    In sum, I want to thank the Committee for giving me the \nopportunity to testify today, and I am ready to answer any \nquestions you may have.\n    Thank you.\n    [The statement of Mr. Irving follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n   \n    \n    The Chairman. Thank you, Mr. Irving.\n    The Chair will now recognize our House Inspector General, \nMichael Ptasienski, for 5 minutes.\n\n                STATEMENT OF MICHAEL PTASIENSKI\n\n    Mr. Ptasienski. Thank you Chairman Harper, Ranking Member \nBrady, and Members of the Committee. I am honored to be here \ntoday in my capacity as Inspector General of the House.\n    My testimony today concerns two areas of shared employees: \nfinancial administrators and shared IT support staff.\n    Shared employees fill administrative and technical support \nroles for both Member offices and Committees through part-time \npositions. This model allows congressional offices to get the \nback office help they need without having to hire full-time \nstaff. It does, however, introduce some significant risks.\n    Since 2007, we have conducted a considerable amount of work \nthat has highlighted risks associated with these types of \nshared employees. Specifically, we identified risks associated \nwith inadequate management oversight of shared employee \nactivities, a lack of segregation of duties within offices, and \nshared employee non-compliance with applicable laws and House \nrules.\n    A particular concern is the role of the IT administrator. \nBy its very nature, this role is highly sensitive and carries \nwith it a whole host of risks.\n    The Office of Inspector General first noted risks \nassociated with the shared employees in 2007 after a financial \nshared employee was able to defraud three Member offices for \nover $169,000. In this case, an employee had the authority to \nmake purchases and controlled where items were delivered. In \naddition, they completed, approved, submitted, and--submitted \nvouchers for reimbursement. The same staffer also reviewed the \noffice monthly financials and maintained all the office \nrecords.\n    This highlights a lack of segregation of duties. One \nemployee should never have the ability to order items, receive \nthe items, pay invoices, submit their own reimbursements, and \nreconcile the books.\n    Some shared employees may be on the payroll for as many as \n20 offices. In addition, there have been cases where shared \nemployees worked together in teaming relationships. These teams \ncollectively handled the work of multiple offices. As a result, \nindividuals may be performing duties for an office while being \nneither a paid employee or contractor for that Member.\n    In 2008, the CHA adopted Resolution 110-7 and subsequently \npublished the shared employee manual in 2009, which placed \nspecific limitations on shared employees that were based upon \nemployment laws, House rules, and CHA's policies. This manual \noutlined several new requirements, including having shared \nemployees sign an acknowledgment that they understood and would \ncomply with the applicable rules and guidelines.\n    Not all shared employees, however, have been complying with \nthese requirements. During a follow-up audit in 2012, we found \nthat 45 percent of shared employees had not signed the required \nacknowledgment for understanding and complying with the manual. \nIn addition, some shared employees continued to work as both an \nemployee of the House, and as a contractor. And as recently as \n2016, we found shared employee teaming relationships still \nexist.\n    In any office, the system administrator is someone you \nplace a great deal of trust in. This role is inherently risky \ndue to the level of system access they have. They essentially \nhold the keys to the kingdom, they can create accounts, grant \naccess, view, download, update, and delete virtually any \ninformation within the office. Because of this high-level \naccess, an incompetent or rogue system administrator could \nconflict considerable damage to an office and potentially \ndisclose sensitive information, grant access to others, perform \nupdates, or simply delete files.\n    In the case of shared employees, this high level access \nspans multiple offices. We have seen that shared employees \ntypically have a great deal of autonomy in conducting their \nwork. In the case of IT administrators, they are generally an \noffice's sole IT subject matter expert, and others may not have \ncomplete insight into the actions that they perform.\n    The existence of shared employee teaming relationships \nfurther increases the risk of having individuals who are not \nofficially employed by a Member having access to their systems \nand data without the Member's knowledge.\n    Mr. Chairman, I thank you, Ranking Member Brady, and the \nMembers of the Committee for this opportunity to highlight some \nof the risk and control weaknesses we have noted in the current \nshared employee model.\n    We look forward to continuing to provide advice to this \nCommittee on issues of importance to the House.\n    At this time, I would be happy to any answer questions you \nhave.\n    The Chairman. Thank you, Mr. Ptasienski.\n    [The statement of Mr. Ptasienski follows:]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n    \n    The Chairman. We now have time for Committee Members to ask \nquestions of each of you. Each Member is allotted 5 minutes to \nquestion the witnesses.\n    I will begin by recognizing myself for 5 minutes.\n    Mr. Kiko, I have a couple questions I would like to direct \nto you.\n    The House officer working group identified and the \nlistening sessions confirmed the importance of protecting \nMember choice as it relates to certain services needed by \nMember offices.\n    In your opinion, how do we effectively mitigate the risk to \nthe House that were identified in your June 30 memo and \naddressed in the working group's recommendations, while at the \nsame time, continuing to recognize Members' employing \nauthority? And are those two goals mutually exclusive of each \nother?\n    Mr. Kiko. No, I don't think they are. And what really came \nout of the working sessions--or the Member sessions headed by \nCongressman Davis was the fact that Members were very \ninterested in having some choice. I certainly understand that. \nSo what we sort of are thinking about is that the Members can \nhire shared employees. But the shared employees have to--the \nother thing that came out of that was that there was some \nunderstanding that maybe some of the employees were technically \nadept. They were required to follow all the House procedures \nand standards. So what we sort of thought we could do as--the \nCAO could establish standards for IT and financial services \nthat everybody would have to adhere to. Then we would--and it \nwould be standard. It would be the same for everybody. We would \nhave standard compliance with regards so we could check to make \nsure that everybody's complying with what these standards are.\n    And then on the other side of the ledger, the Members would \nbe able to hire who they wanted. But as part of those \nemployee's performance standards, maybe there could be \nsomething in there that say they have comply, you know, with \nHouse policies. And then if they wouldn't, we could deny \naccess, or we could tell the Member about it or elevate it to \nthe Committee. But I think that is the way you can have it both \nways.\n    The Chairman. Okay. On January 19th of 2018, Ranking Member \nMr. Brady wrote to me highlighting a number of steps he \nbelieves can be implemented immediately to mitigate some of the \nrisk.\n    Have you discussed these suggestions with HIR? And how do \nthese steps fit in with the recommendations identified in your \nJune 30, 2017 memo?\n    Mr. Kiko. I think a lot of those--in Mr. Brady's letter, I \nthink of lot of those can be. Almost every one of them--all of \nthem can be implemented. The one issue that we would have to \nwork on a little bit is, you know, having a separate email \nfor--every shared employee has a separate email account, and \nhow would they email that, where would it go to? Would it--how \ndo you separate it? Would it go into one server, or could it be \ndisaggregated? We don't know.\n    But all those are fine. We agree with all those, and we can \nimplement all of them.\n    The Chairman. And I am sure other Members will ask about \nthis as well. But for you, Mr. Kiko, and for you, Mr. Irving, \nhow important and how effective will the background checks be \nthat you anticipate having?\n    Mr. Irving may be the one to answer that.\n    Mr. Irving. The background check, as I testified, is not a \npanacea, but certainly important as a vetting process to \ndetermine, you know, who would be most suitable to work on our \nsensitive systems.\n    Background checks take on a number of forms. Capitol Police \nwill start off with an NCIC check, criminal history check, a \ncredit check.\n    I would recommend that we explore a little deeper level of \ncheck as well, to maybe former employers to see if there were \nany anomalies, especially if it was on the financial side or IT \nside.\n    Not only--I wouldn't just focus on the background--the \nbackground check, but the adjudication of the check is \nimportant. Who actually is going to determine whether the \nemployee is suitable. And we need to, I think, put some \nobjective measure into that.\n    And then last but not least, probably a check every 5 to 7 \nyears or so just to make sure that we check to see if the \nemployee has had any issues, you know, since employment.\n    The Chairman. Thank you, Mr. Irving.\n    The Chair will now recognize Ranking Member Mr. Brady for 5 \nminutes for purposes of questions.\n    Mr. Brady. Thank you Mr. Chairman.\n    My question is for all or anyone who would like to answer.\n    One of the ideas that I won't support is limiting the \nnumber of offices that shared technology and finance staff \nsupport. However, if you impose this limit on the overall \nnumber, you are going to raise the cost of the services \nprovided to each office. So my question for all of you is do \nyou support limiting the overall number of offices shared \ntechnology and finance staff can work for? And do you think \nthere is a way we can help those offices that would experience \nan increase in cost, absorb that cost as we transition to this \nmodel?\n    Anyone.\n    Mr. Kiko. I support limiting the number of offices shared \nemployees can support. Limits reduce the risk and the problem \nof diffused supervision. Where you set the limit is the hard \nquestion. Is it 10? Is it 20? Is it 5?\n    I do think that that the CAO can maybe help with that \ntransition in a couple of ways. One is on the financial side. \nThere are two initiatives that we are going to do that may \nwork, and maybe e-voucher or something that replaces the \nexisting scan paper. And the other is maybe if we launch a new \nfinancial portal to get offices more information, you know, \nthat they could--there wouldn't be the need right now. A lot of \nthe financial processes are very paper-intensive. We are trying \nto eliminate that.\n    But the issue of limiting offices I think is the--is how do \nyou do that, and where do you draw the line on limiting the \nnumber of offices for shared employees? I don't know where that \nis. There has been as many as 20, 30. So that is all I have.\n    On the IT side, I think that, you know, in the end, it \nwould be great if the CAO would provide services, that you \nwouldn't need shared employees for IT services. We sort of hope \nthat we would be able to do that in the future. I am not sure \nwe are there yet, but we are trying to head that way.\n    Mr. Brady. Mr. Irving.\n    Mr. Irving. Not to place more of a burden on my esteemed \ncolleague, Mr. Kiko, but certainly, some of this can be \ncentrally managed. When we look at IT systems, I think a lot of \nthat--those are services that the House offers, and I think \nthat some of those services can be centrally managed which \nwould, in fact, cut down on the number of shared employees.\n    Mr. Brady. Thank you.\n    Do we know how many--how many average--do shared \nemployees--how many Congresspeople that they work for? I mean, \nis there an average that they work for 30? 20? 10? I mean, do \nthey vary?\n    Mr. Kiko. I don't really know. I don't know that answer at \nthis point. I think there are some that are more and there are \nsome that are very few. But I don't have the exact answer right \nnow. I should have, but----\n    Mr. Brady. It is hard to imagine that they work for, like, \n20 and 15 Congresspeople and do an effective job. I mean----\n    Mr. Kiko. Yeah. I think it sort of depends up each \nindividual offices, what are they doing and how much is being \nrequired of each office. That is what I don't know.\n    Mr. Brady. Well, again, Mr. Kiko, for you--this question is \nfor you. I think that you are doing an excellent job as our \nCAO. And do you have an estimate of how much money it would \ncost for your office to support the technology functions that \nshared employees and vendors currently provide our office?\n    Mr. Kiko. Well, I sort of looked into that a little bit, \nand I sort of believe that--we estimate that it would cost \nabout $125,000 for 10 offices. So that is about 12,000. If we \nwould--we would have an employee in HIR, they would support 10 \noffices. And so that would be about 12,500 or 13,000, 14,000 \nannually. So that is what we would think it would be if we \nwould support it ourselves.\n    Mr. Brady. Thank you.\n    Thank you, Mr. Chairman. And thank all of you. And I am \nvery happy and proud to work with all of you. You do an \nexcellent job.\n    Thank you.\n    The Chairman. Thank you, Mr. Brady.\n    The Chair will now recognize the Vice Chairman of the \nCommittee, the gentleman from Illinois, Mr. Davis, for 5 \nminutes.\n    Mr. Davis. Thank you, Mr. Chairman, and thank you to each \nof the witnesses. I appreciate, Mr. Chairman, you tasking us \nwith running the listening sessions that were bipartisan \nlistening sessions. We had Members come in, Members who had \nshared employees, Members who were just concerned about the \nprocess, to get to know a little better about what these \nprocesses were. And I think Mr. Kiko laid out very effectively \nin his opening statement some of the concerns that Members had, \nand also, some of the perceptions Members had of possible \nbackground checks and other details that they thought may have \nbeen run through your office, the CAO, but in reality, they \nweren't done. So that is what gets me to my first question.\n    Mr. Kiko, you mentioned a number of compliance mechanisms \nthat were suggested during those Member listening sessions and \nafterwards to help mitigate the risk of shared employees. And \nthese suggestions included a badging authority through the \nSergeant-at-Arms. And thank you, Mr. Irving, for mentioning \nthat in your opening statement too. CAO developed committee-\napproved technology administration standards and financial \nadministration standards; CAO control access to all enterprise \nsystems; enforcement of new standards through the CAO \ncontrolled access to enterprise systems; CAO authority to \nterminate access for any shared IT or finance employee who is \nnon-compliant with standards that currently exist; background \nchecks, although at differing levels, as mentioned by Mr. \nIrving, for all IT and finance shared employees.\n    Would you describe, Mr. Kiko, how these implement--how \nthese mechanisms could be implemented and enforced?\n    Mr. Kiko. Well, I think that--I think the first thing we \nhave to do is to standardize, you know, what are the \nrequirements for shared employees, whether it is IT or \nfinancial. And those standards should be high. It should be, \nyou know, what is the normal industry standard for this kind of \na function. Obviously, you have to apply it to the House.\n    And with regards to--and then there has to be a monitoring \nmechanism that the CAO would have to do. They could do spot \nchecks on compliance. We are not talking about spot checks on \ngetting into Member emails and stuff. We are just trying to see \nare they complying--you know, maybe every month. Are they \ncomplying with whatever the standards that we set, and the \nexpectations that we set? And then if people are not, then we \neither give them a warning that they need to--they need to come \ninto compliance. If they don't, we deny access or we elevate \nit.\n    Some of that stuff could be worked out with the Committee \non what you want. I would say that is how you would implement \nit. It would require--it may require, you know, one employee, \nor two in the CAO's office, to make sure, you know, that \neverything is being done correctly.\n    Mr. Davis. I see a few of your employees sitting behind \nyou.\n    Do you feel that the CAO has the ability to implement these \nsuggested changes?\n    Mr. Kiko. Yes, I do. Yeah.\n    And I tried to limit the number of people that came here.\n    Mr. Davis. Well, you brought--Clocker was one too many. But \nthat is okay.\n    Mr. Irving, I am very glad you mentioned the single badging \nauthority. Can you expand somewhat on how you think that might \nhelp address some of the IG considerations that have been \nbrought up before?\n    Mr. Irving. It would just be one facet. When individual \nMembers hire, their badge indicates where they are assigned or \nwhat Member they are employed by. A shared employee that has \naccess to many Member offices is in a different category. And \nif a Capitol Police officer sees them in one area versus \nanother, if someone questions them, not knowing that they are a \nshared employee could cause them to not follow up when they \nprobably should follow up.\n    So only one other area of--just another facet. Certainly \nnot in and of itself, something that is going to satisfy \neverything.\n    Mr. Davis. Great. Thank you.\n    One last question, Mr. Kiko. When we had our Member \nlistening sessions, we talked about the lack of a compliance, \ncomplete compliance for the background and financial disclosure \ninformation and compliance measures that shared employees--the \ncompliance rate they were at before the listening sessions. \nAfter you sent out some correspondence to the existing shared \nemployees, what is the compliance rate right now for the \ndisclosures and other information that we are requiring of them \nalready?\n    Mr. Kiko. You mean on the financial disclosure?\n    Mr. Davis. The financial disclosures.\n    Mr. Kiko. I am not exactly sure what that is, because we \ndid follow up. But that is more of an Ethics Committee issue.\n    Mr. Davis. Well, what about the information that you had?\n    Mr. Kiko. The information that we had is that, you know, \nmost people are now in compliance, if not all. And I have had \nto send some emails out to people. Either you are going to get \nin compliance or we are going to cut you off. I did have one of \nthose.\n    Mr. Davis. And you saw a great response to that of those \nwho may not have been compliant?\n    Mr. Kiko. We are okay on this now.\n    Mr. Davis. Thank you.\n    The Chairman. The gentleman yields back.\n    And I would like to give a thank you to Rodney Davis as our \nVice Chairman who has done yeoman's work and countless hours of \nworking with--I know with each of you and working on this \nissue. So, Mr. Davis, we thank you for that outstanding work \nthat I know we will bring to a conclusion at some point. And \nyou will probably be happy when that happens. But we couldn't \nbe in this position for the good of the House without your \neffort, so we appreciate it.\n    The Chair will now recognize the gentlewoman from \nCalifornia, Ms. Lofgren, for 5 minutes.\n    Ms. Lofgren. Well, thank you very much. And thanks to each \nof you for your important testimony. And to you, Mr. Chairman \nand Mr. Brady, for convening this important hearing.\n    I think it is important to make a distinction between the \nkinds of shared employees that we have. There are technical \nshared employees that go from office to office, and they are \nprimarily doing financial accounting work and IT work. And then \nthere are, like, policy shared employees where the shared \nemployee is actually moved around the payroll, but it is really \nfor a shared policy goal. For example, you know, the \nProgressive Caucus or the Freedom Caucus might share the \nexpense of a salary. Or State delegations have--you know, share \nthe expense of a salary.\n    In 1995, it used to be, prior to 1995, that you could \njust--each office could contribute and just hire the person \nrather than going through this roll-around. I am not sure that \nwhat we did made any sense, honestly. It just increased the \npaperwork when it comes to policy issues. And that might be \nsomething to look at, Mr. Chairman.\n    But when it comes to the shared employees who are doing IT \nwork or financial services, that is where we have the problem. \nAnd I think it is important to make that distinction. Other \nMembers have raised important issues relative to financial \nservices.\n    I wanted to focus on the IT function. You know, for years, \non a bipartisan basis, we have worked, Mr. Kiko, with your \noffice, centralized services, ranging from magazine \nsubscriptions to cybersecurity. It really doesn't make sense to \nhave individual offices go out and buy their own furniture. We \ncentralized that function. And so one of the concerns and, \nfrankly, one of the complaints I have heard, and I suspect it \nis a resource issue for you, is that the CAO can be slow to \nsupport products that our consumers have moved to. And when \nthat happens, Members and staff start using these products \nanyway. And then they circumvent security rules and \nregulations, because that is the product that they find useful.\n    And so I am wondering what HIR is doing to keep current \nwith the latest tools available in the market? How do you \nidentify those tools? Assess their security vulnerabilities, \ntrain your support staff to help with them? What role does HIR \ncurrently play in minimizing the risks that the status quo \nposes to the House, understanding that Members are going to \nmove to new technology, and is that a resource issue for you?\n    Mr. Kiko. Well, we are constantly--we try to be on the \ncutting edge of new technology that Members are using. Many \ntimes a Member office will ask us about a new technology, and \nthen we try to vet it. We try to see where the security issues \nare, you know, whether there is any problems, whether problems \nhave been identified, you know, in the private sector when they \nhave used stuff.\n    I have not checked to see whether this is a resource issue. \nBut I know it is a very big problem, because, you know, we have \nall these technologies that Members would like to use. And then \nwe read in the paper or we hear, you know, from some of our, \nyou know, investigations and research that we do that there is \na problem, you know, and stuff that has to be patched and all \nthat, so--but it is a constant issue of, as you say, Members \nwant the--some Members want the best and the latest. And \nsometimes stuff is vetted. If we find out that stuff isn't \nvetted correctly, we try to hurry up and try to do it to make \nsure there is not a problem, you know, with a whole----\n    Ms. Lofgren. Right.\n    Let me ask you this: When you hire HIR staff, I think you \nexamine their professional credentials, their certifications, \ntheir training for the function you are hiring them to perform.\n    Mr. Kiko. Yeah. It is very rigorous.\n    Ms. Lofgren. And by the way, I think the IT staff I have \ninterfaced with are excellent. They do a good job.\n    Now, when Member offices hire shared IT staff, are they \nrequired to meet the same training and certification that your \nown staff is?\n    Mr. Kiko. There is not a requirement for Members' offices, \nbecause they are the employing authority.\n    Ms. Lofgren. Right. Maybe we should look at making those \ncertifications a requirement if you are going to access the \nsystem.\n    Mr. Kiko. I support that.\n    Ms. Lofgren. I am also interested in terms of shared IT \nstaff. There is a concern that they don't always implement \nnecessary upgrades or modifications or software patches.\n    Does HIR staff ever perform those duties if a shared IT \nstaff drops the ball to protect our system?\n    Mr. Kiko. Yeah, we do. And we are, for the most part, \nresponsible for that. But if a shared IT employee calls us, we \nwill do it. It happens frequently.\n    Ms. Lofgren. I see my time has expired.\n    Thank you, Mr. Chairman.\n    The Chairman. Thank you, Ms. Lofgren.\n    The Chair will now recognize the gentlewoman from Virginia, \nMrs. Comstock, for 5 minutes.\n    Mrs. Comstock. Thank you. And I thank the Chairman and the \nVice Chairman for the work they have done on your going through \nand finding out the holes in the policies and you all working \nwith that. So I really appreciate that in going forward.\n    And I know, you know, the public is rightfully, you know, \nvery upset about how this was handled in the past and that this \negregious example that is now being criminally investigated was \nallowed to occur. And I know, because of the criminal \ninvestigation, you aren't allowed to talk about that. But could \nyou just address, you know, for public purposes, that as that \ncriminal case goes forward and as that is resolved, that any \nadditional suggestions or changes that might be apparent \nthrough what we learn from now can be addressed and making sure \nthat whatever holes they were allowed to get through, I think \nit seems like we have identified a lot of them from what we \nknow, but given that is still going forward, and we don't know \neverything, could you just assure for the public that that will \nbe sort of an ongoing review when that is wrapped up?\n    Mr. Irving. Congresswoman, I think everything that we have \ndiscussed today and the purpose of this hearing certainly is to \nget us there. And I will tell you that I am very, very \nconfident that the CAO is putting measures in place and doing \neverything he can to put measures in place with the support of \nthis Committee to mitigate some of those issues that caused us \nto be where we are today.\n    So, no, I am confident that we are certainly making a lot \nof progress. Ultimately, as you know, it is the balance between \nthe Member interest and the governmental interest, the House \ninterest, in really trying to come to a good place.\n    So I think we have accomplished a lot, even in the time \nduring which this investigation has been ongoing.\n    And with that, I will ask Mr. Kiko if he wants to follow \nup. But I hope that satisfies you.\n    Mr. Kiko. No. I will just say that the abuses by certain \nshared employees have provided the CAO, and I think the \nCommittee, with a roadmap on what needs to be closed. And that \nis what I want to do is to close the gaps.\n    Mrs. Comstock. All right. No, and I appreciate that--you \nknow, to the extent that that roadmap is public now, that you \nhave been able to address that and just wanted to make sure, as \nwe get more information, you know, that may not apparent at \nthis point, that we can follow up on that.\n    So I thank you for the work you are doing on that front.\n    And I yield back.\n    The Chairman. The gentlewoman yields back.\n    The Chair will now recognize Mr. Raskin for 5 minutes.\n    Mr. Raskin. Mr. Chairman, thank you very much, and thanks \nto all of our distinguished witnesses today. All of you have \ndiscussed different risks that the current situation presents \nto the House, including risks involving oversight, \ncybersecurity, physical security, money, and so on.\n    Do you believe that your offices have sufficient authority \nnow under existing House rules to address those risks, or does \nthe Committee need to consider providing additional authority \nto you in order to deal with it?\n    And maybe we just go right down the line.\n    Mr. Kiko. I would just say that, you know, we are in the \nprocess of working with the Committee to reduce the risk by \ngiving the CAO a little more oversight authority over abuses. \nNow, this is just for the CAO purposes. And I think that if we \nhave more authority and we can, you know, set standards, do \ncompliance, I think that will greatly reduce the risk in \ncooperation with the Member and working with the Committee. \nBecause right now, we don't really--because these are Member \nemployees and we don't have a lot of authority to deal with \nthat, and it just hasn't happened, even though we found about \nhow the abuses can be--how the weak spots can be exploited, we \nthink that will go a long ways.\n    Mr. Raskin. Let me just follow up quickly with you, then.\n    Would it make sense--obviously, what we have got, you know, \ncherished traditions of Member autonomy and some constitutional \nbackground to that with the speech and debate clause, but would \nit make sense for us to generate more authority in your office \nor in some constellation of these offices, to deal with shared \nemployees on the theory that if a Member wants to go outside of \nthe usual situation of having an employee reporting directly to \nher?\n    Mr. Kiko. I mean, I wouldn't be opposed to that. That is \nsort of a fine line, you know, between CAO and Member autonomy. \nBut I am in favor of exploring that. I think it would help.\n    Mr. Raskin. Mr. Irving.\n    Mr. Irving. I am certainly in agreement with the CAO. I \nthink that, as I alluded to earlier, when the governmental \ninterest is so heavy and when we get to cybersecurity, we \nreally have a governmental interest. We certainly have to \nrecognize the Member interest as well. But I am in favor of \ngiving the CAO those--the authority so that, for example, to \nCongresswoman Lofgren's point earlier on standards, maybe we \nneed to make sure that even though the Member is the employing \nauthority, if they want to bring someone on to do IT, for \nexample, they should comply with certain standards, have \ncertain background. And the same with the internal controls. I \nthink the CAO needs every internal control available to him or \nher to ensure that these employees are, in fact, complying with \nrules and regulations, and then have the authority, certainly, \nto take certain action even though they are employed by a \nMember. And I know it is a very, very careful balance.\n    Mr. Kiko. I don't want anybody to get the impression I am \ntrying to grab more authority. I am trying to grab more power. \nThat is not the case here. I am just trying to walk a very fine \nline in conjunction with the Committee to see, you know, where \nthat sweet spot is. That is what I am trying to do.\n    Mr. Raskin. Great. Thank you.\n    Mr. Ptasienski. I think the--as the Chief Administrative \nOfficer said, I think they are the primary organization looking \nat--or monitoring compliance with a lot of these finance and \ntechnology policies. And as such, they have got a tough job in \ntrying to enforce those. And I think if there is--if he can't, \nand his folks, as they interact with offices, get people to \ncomply with those policies, if he needs a stick, he may need a \nstick in some areas, and we would support that.\n    We put a lot of pressure as we make recommendations to the \nCAO to fix the various issues and so forth. And I have full \nappreciation for the tough job that they have in balancing some \nof the particularities of here working in the House.\n    Mr. Raskin. Thank you very much.\n    I yield back, Mr. Chairman.\n    The Chairman. The gentleman yields back.\n    The Chair will now recognize the gentleman from North \nCarolina, Mr. Walker, for 5 minutes.\n    Mr. Walker. Thank you Mr. Chairman.\n    My time is centered basically around one area regarding the \nworking group. And I wanted to get your thoughts on that, both \nto Mr. Kiko and Mr. Irving, on the--briefly, you have described \nthe objectives of the working group, how it conducted its work. \nAnd I know it has reached, I believe, six conclusions.\n    Could you talk about how that factors into your \nrecommendations?\n    Mr. Kiko, let's start with you.\n    Mr. Kiko. Yeah. I think that on our recommendations we \ninitially had said that we--you know, we went through all the \nabuses. We went through previous IG reports. The IG was part of \nthe working group, and we initially had recommended an \nindependent contractor model rather than--you know, as a way to \npreserve--as a way that we could better--feel better served, \nclose the gaps with regards to risks.\n    You know, we have CMS services in the House. Some of them \nare employees that work for them, and they also provide IT \nservices. We use that model because we have a direct \nrelationship with the contractor, and if somebody's not working \nout, then we call the contractor and we cut it off.\n    But when we started the--you know, we met with Mr. Davis' \ngroup, there was concerns about that model. And so we decided \nto do the model that I just described where we would work in \nconjunction with Members' offices.\n    Does that make sense?\n    Mr. Walker. Yes.\n    Mr. Irving. And I will certainly agree with Mr. Kiko. \nInitially, our view was how do you put as much control, \ninternal control and control over access to sensitive networks. \nSo, you know, myopically we can say, well, we should just \ncontrol the employee, but knowing that Members do want to hire \nsome of their own people, we had to work with that and \nrecognize that and appreciate that.\n    And I think we are in a good spot where we have--we are \nable to satisfy both concerns, which is ensure that our \ninternal controls are safe, internal mechanisms for \ncybersecurity, but also allow Members the ability to continue \nto let Members, you know, hire people that they feel \ncomfortable with.\n    The key is just ensuring that we have those internal \ncontrols, and sticking to them and that Members respect the \nCAO's authority to, you know, to--in a sense, discipline \nemployees that may not be abiding by the rules.\n    Mr. Walker. So, Mr. Irving, do you put more emphasis on the \ndiscipline in the internal controls, or do you place more \nemphasis--and Mr. Kiko can respond to this as well--on reducing \nthe overall amount of privileged or shared employees? What is \nyour ultimate recommendation?\n    Mr. Irving. I would turn this over to Mr. Kiko, but my \ncomment is, I would have as few people have access to those \nsensitive networks as possible. That is first and foremost. But \nsome will need to, certainly depending on the Member and the \ncommittee they are on, et cetera. So those I would make sure \nthat Mr. Kiko has the authority to ensure that those internal \ncontrols are met.\n    But I don't know, Phil, if you wanted to elaborate on that.\n    Mr. Kiko. I mean, I would just like there--from my \nperspective, there be a justification for the access that we \nare supposed to have. I am not necessarily trying to have \nlimits, you know, at least on privileged access.\n    You know, people, other than shared employees have access. \nI just think there needs to be a good justification for what \naccess there is, and also that they comply with whatever \nstandards that we have. I am not really trying to grind them \ndown into not--you know, into a number.\n    Mr. Walker. That is fair. Fair argument.\n    Mr. Chairman, I yield back.\n    The Chairman. The gentleman yields back.\n    The Chair will now recognize the gentleman from Georgia, \nMr. Loudermilk, for 5 minutes.\n    Mr. Loudermilk. I thank you, Mr. Chairman.\n    I appreciate the panel being here. I am a little confused \nthough. Again, a guy with a military background, I am sitting \nhere looking, Mr. Kiko is a chief, Paul is a sergeant, and you \nare a general. So I am not sure which one outranks who here.\n    But, hey, I appreciate the work that has been done here \nbecause this is an issue of grave concern, but also it is a \nbalancing act. Because I think, as several Members have \nexpressed, one of the strengths of our--this legislative body \nis the autonomy of each individual office, as compared to when \nI was in the State legislature.\n    Our staff was appointed to us, the limited staff we had. \nThe Speaker of the House actually controlled who our employees \nwere, and it really limited the autonomy you have. And I think \nthat is one of the strengths that we have here is we are able \nto actually operate as our own entity without due influence--\nundue influence from the outside entities or leadership.\n    However, that strength also becomes a weakness when it \ncomes to the finances, and particularly IT. And as the \ngentlelady from California spoke about, you know, policy not so \nmuch a concern other than the access to the IT resources. So I \nhave, in the last few days, tried to strike where is that \nbalance?\n    On the IT side specifically, I had a couple questions, and \nI kind of like the direction that we are going. I spoke to Mr. \nDavis yesterday about what Mr. Kiko had defined earlier as a \ndirection we may be going.\n    One of the--we brought up certification. You know, from an \nIT perspective, I can appreciate that. I think it is important \nthat, you know, who you hire does know what they are doing, or \nmaybe from the accounting and the finance side requiring a \nlicensing or a certification, you know.\n    But still, that is more of a job performance aspect to me \nis that you--and being in the IT field, I am going to be able \nto decipher whether you really know what you are doing or not. \nMy concern comes to the cybersecurity side and nondisclosure.\n    When we share employees, there is also an aspect to the \nautonomy is, I don't want that shared employee sharing with \nother offices what is going on with my office as well as \ndisclosing to some entity privacy information.\n    Do we have or have we considered a confidentiality \nnondisclosure agreement that each of these shared employees \nhave to sign, or some training to go through that spells out \nthe penalties that--especially if they disclose, you know, \ninformation that we have on constituents or information we are \nworking on.\n    And I will open that up to anyone. Is that something we \nhave, or is that something that has been discussed?\n    Mr. Kiko. Well, I know we have a shared employee manual, \nand it requires nondisclosure. And so when the--you know, that \nis a requirement to be a shared employee that you are not \nsupposed to disclose other Members' information. That is \nalready a requirement that the Committee, at the request of the \nIG, had done and it is already in.\n    I don't know if there is a--they have to sign off that they \nreceived and they are going to comply with everything that is \nin the shared employee manual, but that is in that manual now. \nIt is not a specific letter, but that is part of the manual as \nwe----\n    Mr. Loudermilk. Does that spell out what penalties are, \ni.e., you can go to jail?\n    Mr. Kiko. There aren't any penalties.\n    Mr. Loudermilk. Is that something that maybe we should look \nat?\n    Mr. Kiko. Well, the only penalty would be termination, but \nperhaps. I am willing to pursue that, whatever the Committee \nwould want to do.\n    Mr. Loudermilk. Mr. Irving.\n    Mr. Irving. I think that goes along--Congressman, it is an \nexcellent theme for some of the prior questions in terms of \nwhat can we do to enhance our internal controls and our policy. \nI think that is certainly one that I would endorse that we need \nto strengthen.\n    Mr. Loudermilk. Okay. I appreciate that.\n    One other question, wherever we get to with this, is this \nsomething that we would look at doing a new Member orientation \nto make sure that every new Member that is coming in is fully \naware of the rules and responsibilities not only of the shared \nemployee, but their requirements as well? That may be something \nfor a staffer.\n    Mr. Kiko. We would be willing to have that as part--and \nparticipate if that is what the committee wanted to do.\n    Mr. Loudermilk. Okay. I yield back.\n    The Chairman. The gentleman yields back.\n    I will recognize Mr. Davis for a follow-up remark.\n    Mr. Davis. Mr. Kiko, once again--actually, I am glad my \ncolleague Mr. Loudermilk brought up compliance and \nnondisclosure.\n    Now, when we had our Member listening sessions, we did \ndiscuss--and hopefully, as a plan of action moving forward, we \nmight be able to implement some penalties for noncompliance up \nto termination for noncompliance.\n    Do you think that would be easier to administer under the \ncurrent shared employee rules and regulations, or under maybe \nsome of the proposed changes we talked about today, running \nthose compliance measures through the CAO, Sergeant-at-Arms, \nand House Administration?\n    Mr. Kiko. I mean, I think we should take a look at that. I \nthink that however we can make compliance easier we should do. \nI don't--I think termination now, it is the shared employee, it \nis the Member's responsibility to terminate. And it still will \nbe, but----\n    Mr. Davis. It will still be the Member's responsibility to \nterminate, but you would be able to, hypothetically, under the \npossible proposed guidelines, be able to revoke ID badges?\n    Mr. Kiko. Yes, we can revoke everything and then they can \nstill be employed, but it would be a much different role.\n    Mr. Davis. Yeah.\n    Mr. Kiko. And you could give the Committee some more \nauthority, too, on those kind of things when they see that.\n    Mr. Davis. Well, thank you for that suggestion.\n    And I just, again, want to say thank you. I know each of \nyou have worked hard on this issue.\n    Phil, you have been in the room with us listening to \nMembers. I truly appreciate the fact that through your \ntestimony today, based upon previous suggestions and previous \nmemos that have come out, that you listen to the Members.\n    And that is something that I just cannot say thank you \nenough for, because our job is to address the Members' concerns \nand do it in a way that is also going to address their \nemployees' concerns.\n    I look out in the audience, and raise your hand if you are \na shared employee. I hope each and every one of you understand \nthat your Member's concerns were heard.\n    And I look out and I see one of my shared employees sitting \nhere watching this, this hearing. Obviously, this is of concern \nto those who were already at that status.\n    But please understand, we have to do a better job of \nensuring that we have better compliance, we have better \nstandards, and so those of you who are working very hard as a \nshared employee right now can continue to do that job in the \nfuture, and not let those who aren't determine your fate, too.\n    So thank you again, everyone.\n    And thank you, Mr. Chairman, for the opportunity.\n    The Chairman. The gentleman yields back.\n    The Chair will now recognize the gentlewoman from \nCalifornia, Ms. Lofgren, for a closing remark.\n    Ms. Lofgren. Yes. Just a quick question, but before I do, \nyou know, we have examined ways to improve the shared employee \nsituation, but we really, really said there is some value to it \nas well, because if you have to hire in each office a \nspecialist on IT, that doesn't make a lot of sense.\n    So having some shared expertise, whether it is located in \nthe CAO's office, or whether it is shared employees, does make \nsense. We just need to make sure that the protections are in \nplace, that there is no risk to our security system or to any \nof the requirements that are--we have adopted in the House.\n    In the June 2017 memo outlining recommendations, there was \na discussion that shared employees, both in finance and \ntechnology, do work with nongovernment-furnished equipment \noften at home, and that this could pose a risk to the House. I \nwould say that that work at home is not limited to shared \nemployees. I mean, full-time House employees do that as well.\n    I can think of circumstances where that would pose no risk \nto the House, but you identified a potential risk to the House. \nCould you outline what that would be and what steps we should \ntake to mitigate those risks?\n    Mr. Kiko. Well, I just think any--you know, technically \neverybody is supposed to do work on House equipment, you know. \nIf you are going to do work, you do use the VPN if you are \nsupposed to communicate.\n    And if you don't, you are opening yourself up, your systems \nup to people that are trying to hack in. There is a lot of \nevidence of people that are trying to use these kind of \nsystems, you know. They are trying to hack in.\n    Ms. Lofgren. Well, but if I can, you know, the staff, they \nwork weekends, they work nights.\n    Mr. Kiko. Right.\n    Ms. Lofgren. You know, you are writing a speech, you are \nwriting questions for the hearing tomorrow night. They are on \ntheir home computer helping to write--draft questions for you \nfor a witness.\n    Mr. Kiko. I think--yeah. I mean, I think that is very \ndifficult, obviously, to enforce, but to the extent that people \ncan use their own House, you know, equipment to do that, it \nreduces the risk. That is about all I can say.\n    Ms. Lofgren. Well, I guess, I don't see the risk on the \npolicy issues that are--I mean, each Member is going to assess \ntheir risk, whether the question gets out or not is a different \nissue to whether our systems have been penetrated and security \nissues posed. Am I right, Paul?\n    Mr. Irving. I absolutely agree with you. There is no \nquestion we have to differentiate between the risk the Member \nfeels, let's say, to their data versus something that is a \nviolation of House policy, which may not be.\n    But, again, if you are at home working on your home \nnetwork, it is not going to be as secure as abiding by certain \nof our policies. But, no, you are absolutely correct. There is \ngoing to be the assumption of risk there, and that may be just \nfine for the individual Member.\n    Ms. Lofgren. All right. Thank you, Mr. Chairman for \nallowing me to follow up on that.\n    The Chairman. Thank you very much, Ms. Lofgren.\n    And I want to thank each of you because I know how much you \nall care about the institution of the House. You want it to \nwork at the best level, and we have--certainly appreciated that \nhard work that you have had.\n    Again, I want to say thank you to the Ranking Member Brady \nfor his work.\n    And all of the staff, on both sides, have--are committed to \ngetting this right.\n    And I particularly, again, want to thank Mr. Davis for his \ncontinued work on this issue. It is a serious matter on how we \nimprove the employees' safety features, let's say, particularly \nas it relates to the IT issues.\n    And while I will not discuss details of an ongoing criminal \ninvestigation, our goal is to make sure that we secure the \nHouse for the future, so that nothing like that happens again.\n    So with that, thank you for your attendance.\n    Without objection, all Members will have 5 legislative days \nto submit to the Chair additional written questions for the \nwitnesses, which we will forward to you and ask that you answer \npromptly if you get them so that those answers can then be made \na part of the record.\n    Without objection, this hearing is adjourned.\n    [Whereupon, at 12:20 p.m., the Committee was adjourned.]\n    \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]    \n    \n\n    \n</pre></body></html>\n"