[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]


                   PROTECTING AMERICANS' IDENTITIES:
                     EXAMINING EFFORTS TO LIMIT THE
                     USE OF SOCIAL SECURITY NUMBERS

=======================================================================

                             JOINT HEARING

                               BEFORE THE

                 SUBCOMMITTEE ON INFORMATION TECHNOLOGY

                                 OF THE

              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                                AND THE

                    SUBCOMMITTEE ON SOCIAL SECURITY

                                 OF THE

                      COMMITTEE ON WAYS AND MEANS
                     U.S. HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              MAY 23, 2017

                               __________

                          Serial No. 115-SS02

                               __________

         Printed for the use of the Committee on Ways and Means
         
         
                               
                               __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
33-427                     WASHINGTON : 2019                     
          
-----------------------------------------------------------------------------------          


                      COMMITTEE ON WAYS AND MEANS

                      KEVIN BRADY, Texas, Chairman

SAM JOHNSON, Texas                   RICHARD E. NEAL, Massachusetts
DEVIN NUNES, California              SANDER M. LEVIN, Michigan
PATRICK J. TIBERI, Ohio              JOHN LEWIS, Georgia
DAVID G. REICHERT, Washington        LLOYD DOGGETT, Texas
PETER J. ROSKAM, Illinois            MIKE THOMPSON, California
VERN BUCHANAN, Florida               JOHN B. LARSON, Connecticut
ADRIAN SMITH, Nebraska               EARL BLUMENAUER, Oregon
LYNN JENKINS, Kansas                 RON KIND, Wisconsin
ERIK PAULSEN, Minnesota              BILL PASCRELL, JR. New Jersey
KENNY MARCHANT, Texas                JOSEPH CROWLEY, New York
DIANE BLACK, Tennessee               DANNY DAVIS, Illinois
TOM REED, New York                   LINDA SANCHEZ, California
MIKE KELLY, Pennsylvania             BRIAN HIGGINS, New York
JIM RENACCI, Ohio                    TERRI SEWELL, Alabama
PAT MEEHAN, Pennsylvania             SUZAN DELBENE, Washington
KRISTI NOEM, South Dakota            JUDY CHU, California
GEORGE HOLDING, North Carolina
JASON SMITH, Missouri
TOM RICE, South Carolina
DAVID SCHWEIKERT, Arizona
JACKIE WALORSKI, Indiana
CARLOS CURBELO, Florida
MIKE BISHOP, Michigan

                     David Stewart, Staff Director

                 Brandon Casey, Minority Chief Counsel

                                 ______

                    SUBCOMMITTEE ON SOCIAL SECURITY

                      SAM JOHNSON, Texas, Chairman

TOM RICE, South Carolina             JOHN B. LARSON, Connecticut
DAVID SCHWEIKERT, Arizona            BILL PASCRELL, JR., New Jersey
VERN BUCHANAN, Florida               JOSEPH CROWLEY, New York
MIKE KELLY, Pennsylvania             LINDA SANCHEZ, California
JIM RENACCI, Ohio
JASON SMITH, Missouri

              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                     JASON CHAFFETZ, Utah, Chairman

JOHN DUNCAN, Tennessee               ELIJAH CUMMINGS, Maryland
DARRELL ISSA, California             CAROLYN MALONEY, New York
JIM JORDAN, Ohio                     ELEANOR HOLMES NORTON, District of Columbia
MARK SANFORD, South Carolina
JUSTIN AMASH, Michigan               WM. LACY CLAY, Missouri
PAUL GOSAR, Arizona                  STEPHEN LYNCH, Massachusetts
SCOTT DESJARLAIS, Tennessee          JIM COOPER, Tennessee
TREY GOWDY, South Carolina           GERALD E. CONNOLLY, Virginia
BLAKE FARENTHOLD, Texas              ROBIN KELLY, Illinois
VIRGINIA FOXX, North Carolina        BRENDA LAWRENCE, Michigan
THOMAS MASSIE, Kentucky              BONNIE WATSON COLEMAN, New Jersey
MARK MEADOWS, North Carolina         STACEY E. PLASKETT, Virgin Islands
RON DESANTIS, Florida                VAL BUTLER DEMINGS, Florida
DENNIS ROSS, Florida                 RAJA KRISHNAMOORTHI, Illinois
B. MARK WALKER, North Carolina       JAMIE RASKIN, Maryland
ROD BLUM, Iowa                       PETER WELCH, Vermont
JODY HICE, Georgia                   MATT CARTWRIGHT, Pennsylvania
STEVE RUSSELL, Oklahoma              MARK DESAULNIER, California
GLENN GROTHMAN, Wisconsin            JOHN SARBANES, Maryland
WILL HURD, Texas
GARY PALMER, Alabama
JAMES COMER, Kentucky
PAUL MITCHELL, Michigan

                     David Stewart, Staff Director

                 Brandon Casey, Minority Chief Counsel

                                 ______

                 SUBCOMMITTEE ON INFORMATION TECHNOLOGY

                       WILL HURD, Texas, Chairman

PAUL MITCHELL, Michigan              ROBIN KELLY, Illinois
DARRELL ISSA, California             JAMIE RASKIN, Maryland
JUSTIN AMASH, Michigan               STEPHEN LYNCH, Massachusetts
BLAKE FARENTHOLD, Texas              GERALD E. CONNOLLY, Virginia
STEVE RUSSELL, Oklahoma              RAJA KRISHNAMOORTHI, Illinois


                            C O N T E N T S

                               __________

Advisory of May 23, 2017 announcing the hearing

                               WITNESSES

Gregory C. Wilshusen, Director, Information Security Issues, 
  Government Accountability Office
Marianna LaCanfora, Acting Deputy Commissioner, Office of 
  Retirement and Disability Policy, Social Security 
  Administration
David DeVries, Chief Information Officer, Office of Personnel 
  Management
Karen Jackson, Deputy Chief Operating Officer, Centers for 
  Medicare and Medicaid Services
John Oswalt, Executive Director for Privacy, Office of 
  Information and Technology, Department of Veterans Affairs

                       SUBMISSIONS FOR THE RECORD

American Joint Replacement Registry, letter
Electronic Privacy Information Center, statement
National Council of Nonprofits, statement

                        QUESTIONS FOR THE RECORD

Hearing Deliverables
The Honorable Sam Johnson:
  United States Office of Personnel Management
  Centers for Medicare and Medicaid Services
  Office of Retirement and Disability Policy
  Office of Information and Technology
  United States Government Accountability Office

 
                   PROTECTING AMERICANS' IDENTITIES:
                     EXAMINING EFFORTS TO LIMIT THE
                     USE OF SOCIAL SECURITY NUMBERS

                              ----------                              


                         TUESDAY, MAY 23, 2017

             U.S. House of Representatives,
                       Committee on Ways and Means,
                           Subcommittee on Social Security,

                             joint with the

      Committee on Oversight and Government Reform,
                    Subcommittee on Information Technology,
                                                    Washington, DC.
    The subcommittees met, pursuant to call, at 2:00 p.m., in 
Room 1100, Longworth House Office Building, the Honorable Tom 
Rice presiding.
    [The advisory announcing the hearing follows:]

 
             ADVISORY FROM THE COMMITTEE ON WAYS AND MEANS

                    SUBCOMMITTEE ON SOCIAL SECURITY
                    

           FROM THE COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                 SUBCOMMITTEE ON INFORMATION TECHNOLOGY

                                                CONTACT: (202) 225-1721
FOR IMMEDIATE RELEASE
Wednesday, May 23, 2017
SS-02

              Chairman Johnson and Chairman Hurd Announce

                 Joint Oversight Hearing on Protecting

              Americans' Identities: Examining Efforts to

                Limit the Use of Social Security Numbers

    House Ways and Means Social Security Subcommittee Chairman Sam 
Johnson (R-TX) and House Oversight and Government Reform Information 
Technology Subcommittee Chairman Will Hurd (R-TX) announced today that 
the Subcommittees will hold a joint hearing entitled ``Protecting 
Americans' Identities: Examining Efforts to Limit the Use of Social 
Security Numbers.'' The hearing will focus on efforts by federal 
agencies to reduce the use of Social Security numbers, and the 
challenges these agencies face in doing so. The hearing will take place 
on Tuesday, May 23, 2017 in 1100 Longworth House Office Building, 
beginning at 2:00 PM.
      
    In view of the limited time to hear witnesses, oral testimony at 
this hearing will be from invited witnesses only. However, any 
individual or organization may submit a written statement for 
consideration by the Committee and for inclusion in the printed record 
of the hearing.
      

DETAILS FOR SUBMISSION OF WRITTEN COMMENTS:

      
    Please Note: Any person(s) and/or organization(s) wishing to submit 
written comments for the hearing record must follow the appropriate 
link on the hearing page of the Committee website and complete the 
informational forms. From the Committee homepage, 
http://waysandmeans.house.gov, select ``Hearings.'' Select the hearing for 
which you would like to make a submission, and click on the link 
entitled, ``Click here to provide a submission for the record.'' Once 
you have followed the online instructions, submit all requested 
information. ATTACH your submission as a Word document, in compliance 
with the formatting requirements listed below, by the close of business 
on June 6, 2017. For questions, or if you encounter technical problems, 
please call (202) 225-3625.
      

FORMATTING REQUIREMENTS:

      
    The Committee relies on electronic submissions for printing the 
official hearing record. As always, submissions will be included in the 
record according to the discretion of the Committee. The Committee will 
not alter the content of your submission, but we reserve the right to 
format it according to our guidelines. Any submission provided to the 
Committee by a witness, any materials submitted for the printed record, 
and any written comments in response to a request for written comments 
must conform to the guidelines listed below. Any submission not in 
compliance with these guidelines will not be printed, but will be 
maintained in the Committee files for review and use by the Committee.
    All submissions and supplementary materials must be submitted in a 
single document via email, provided in Word format and must not exceed 
a total of 10 pages. Witnesses and submitters are advised that the 
Committee relies on electronic submissions for printing the official 
hearing record.
    All submissions must include a list of all clients, persons and/or 
organizations on whose behalf the witness appears. The name, company, 
address, telephone, and fax numbers of each witness must be included in 
the body of the email. Please exclude any personally identifiable 
information in the attached submission.
    Failure to follow the formatting requirements may result in the 
exclusion of a submission. All submissions for the record are final.
      
    The Committee seeks to make its facilities accessible to persons 
with disabilities. If you are in need of special accommodations, please 
call 202-225-1721 or 202-226-3411 TTD/TTY in advance of the event (four 
business days' notice is requested). Questions with regard to special 
accommodation needs in general (including availability of Committee 
materials in alternative formats) may be directed to the Committee as 
noted above.
Note: All Committee advisories and news releases are available at 
        http://www.waysandmeans.house.gov/

                                 

           OPENING STATEMENT OF ACTING CHAIRMAN RICE

    Mr. RICE. Good afternoon and welcome to today's hearing on 
the Federal Government's use of Social Security numbers.
    Unfortunately, Chairman Sam Johnson was unable to be here 
with us today to discuss one of his favorite topics: ending the 
unnecessary use of Social Security numbers. I know everyone 
here joins me in wishing Chairman Johnson a speedy recovery.
    I would like to welcome Chairman Hurd of the Oversight and 
Government Reform Committee's IT Subcommittee and all of the IT 
Subcommittee members for joining us in the Ways and Means 
Committee hearing room today.
    Back in 1936, when Social Security began issuing Social 
Security numbers, they were only used to track earnings and 
administer the Social Security Program. Back then, there wasn't 
much thought about keeping your number a secret, but today, 
Social Security numbers are the keys to the kingdom for 
identity thieves. Social Security and identity security experts 
make a point of telling Americans how important it is to 
protect their numbers. Social Security numbers are valuable 
targets for identity theft because of their regular use by both 
the Federal Government and the private sector as a unique identifier, 
especially by the financial industry.
    Time and again, we are reminded to protect our Social 
Security cards in order to avoid identity theft and to be 
careful with what documents we throw away in the trash. Our 
Social Security numbers are connected to so many personal 
aspects of our lives, from our Social Security benefits and 
finances to our medical histories and our education. But in 
recent years, privacy concerns have become more and more 
critical.
    When I was in law school back in the dark ages, our grades 
used to be posted on the wall to keep secret whose grades they 
were by Social Security number. Of course, they were posted 
alphabetically. So it wasn't that hard to figure out whose was 
whose. In fact, one of my very good friends in law school's 
last name was Ziegler, and he was the smartest guy in the 
class, and he always made an A and blew the curve. So everybody 
just gave him a hard time. But his Social Security number was 
always the one at the bottom of the list. And until not long 
ago, I probably could recite to you Mr. Ziegler's Social 
Security number.
    While colleges and universities have since changed their 
ways, the Federal Government has yet to fully catch up. Just 
over 10 years ago, under President Bush's leadership, the 
Office of Management and Budget issued a memorandum for the 
safeguarding of personally identifiable information, including 
the Social Security number. The memo called for Federal 
departments and agencies to reduce or replace the use of Social 
Security numbers across the Federal Government.
    Unfortunately, while some progress has been made in 
reducing the use of Social Security numbers, 10 years later, 
there is still much work to be done. This hearing is about 
making sure that Social Security numbers are only used when 
necessary and that the Federal Government is doing what it can 
and what it should to make sure that, when Social Security 
numbers are used and collected, they are kept safe.
    The Office of Personnel Management hack in 2015 is an 
example of what happens when the Federal Government collects 
Social Security numbers but does not keep them safe. And that 
negligence comes with a cost to both the affected individuals 
and to the taxpayers. The American people rightly deserve and 
expect that the Federal Government protect their Social 
Security numbers and only use them when necessary.
    I thank all of our witnesses for being here. I look forward 
to hearing from you about how your agencies are working to 
tackle this challenge and what more needs to be done.
    I now recognize Mr. Larson for his opening statement.

            OPENING STATEMENT OF HON. JOHN B. LARSON

    Mr. LARSON. Thank you, Mr. Chairman.
    We join with you in certainly wishing our dear friend and 
colleague Sam Johnson a speedy recovery and would like to add 
how fortunate we are on the Ways and Means Committee to have 
two iconic American heroes serving on the same committee. When 
you think about Sam Johnson and his service to this country and 
all that he endured on behalf of this Nation, nearly beaten to 
death by the Viet Cong and then you think about John Lewis and 
all he endured in this country and nearly beaten to death in 
his own country, so we have these two iconic legends. And I am 
so proud to serve with Sam and was happy that he asked me to 
introduce with him the Social Security Must Avert Identity 
Loss, or H.R. 1513, that required the Social Security 
Administration to remove Social Security numbers from mailed 
notices. And Mr. Johnson, as I think everybody on the committee 
knows, is such an incredible gentleman. We also have taken 
every opportunity in the subcommittee to renew a request, A, 
that I hope the committee will travel to Plano, Texas, and that 
we have an opportunity to, in as much as Mr. Johnson has 
indicated this is his last term, to have a meeting there in 
Plano, Texas, that would honor Mr. Johnson and the committee in 
this particular topic area that he is so vitally concerned 
about.
    I also want to recognize Chairman Hurd, who is with us, and 
the lead Democrat, Robin Kelly, for being here in our meeting 
room as well.
    Since 2014, hundreds of millions of Americans have lost 
their personally identified information, including their Social 
Security numbers, to large-scale cyber attacks. The number was 
originally created in 1936 for the purpose of running the 
Nation's new Social Security system. However, its usefulness as 
a unique governmental identifier has made it near ubiquitous 
across government and the private sector. To date, the Social 
Security Administration has not suffered any large-scale data 
breach, but ongoing vigilance is needed, including adequate 
support for updating and modernizing the Social Security 
Administration's IT structure.
    All together, the Social Security Administration has been 
able to remove the 9-digit SSN from about one-third of the 
mailings it sends out. Moving forward, they have committed to 
removing them from the remaining notices wherever they revise a 
notice, which requires computer upgrades. The severe 
constraints on Social Security Administration's budget, 
however, are preventing the agency from removing numbers from 
all the notices right away. As they estimated, it would cost 
$14 million to do so immediately rather than piecemeal.
    More alarmingly, since 2010, the number of beneficiaries 
has grown by 13 percent as the baby boomers enter retirement, 
but Social Security's operating budget has fallen by more than 
10 percent in that same period. The Social Security 
Administration simply cannot serve more and more people with 
less and less money each year. Social Security Administration 
is already struggling to serve its beneficiaries at the level 
they deserve. My constituents are experiencing multiyear wait 
times on disability appeals and hearings. Their phone calls are 
going unanswered. They face delays in correcting errors in 
their benefits and payments.
    To make matters worse, the President's fiscal year 2018 
budget released today also attacks Social Security benefits for 
those with disabilities as much as $70 billion over 10 years.
    Mr. Chairman, I would like to submit for the record the 13 
times that Donald Trump promised not to cut Social Security, 
Medicare, and Medicaid.
    [The following was received from Mr. Larson:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT] 

                                 

    Mr. LARSON. President Trump has promised repeatedly and 
explicitly throughout the campaign not to cut Social Security 
or Medicare. This broken promise should be especially alarming 
to millions of people who voted for the President, who spent 
their working lives paying premiums into the system, believing 
those benefits would be there for them in retirement or should 
they become disabled.
    The bottom line is this: Social Security is the Nation's 
insurance program. It is not an entitlement. It is the 
insurance that individuals have paid for throughout a lifetime. 
The problems with Social Security at its core--this issue that 
we're taking up today, especially as it relates to theft is 
vitally important to protect people's identity. But equally 
important and the responsibility of this committee is actuarial 
soundness.
    This is the most efficient government-operated program in 
the history of the Nation. Ask any private sector insurance 
company if they could have a 99-percent loss ratio. They would 
die for that. And there's no product on the open market where 
you could produce old age and survivors benefits, disability, 
and a pension plan, and survivors benefits. That is the 
uniqueness of Social Security. That is why it is America's 
insurance plan that our citizens have paid for. This is not an 
entitlement, and we'll continue to make that point. I hope 
later this year, Mr. Chairman--and Mr. Johnson has been very 
gracious about saying that we'll get an opportunity to have 
hearings on our bills that will look at expanding and making 
solvent, well into the next century Social Security for all of 
its American citizens. It's the Nation's insurance program.
    Mr. RICE. Thank you.
    I now recognize Mr. Hurd for his opening statement.

               OPENING STATEMENT OF CHAIRMAN HURD

    Mr. HURD. Thank you, Mr. Chairman.
    In the 2 years plus that I've been in Congress, I've 
learned one thing, and that is that Americans expect the 
Federal Government to protect their personal information. 
Sadly, as evidenced by the devastating data breach at OPM, 
which affected more than 20 million people, this is simply not 
the case.
    American people deserve better from their government. If 
stolen, we all know that Social Security numbers can be used to 
perpetuate identity theft or worse. You never know what piece 
of personal information the bad actors need to achieve their 
goals, whether they are looking to steal money or threaten the 
national security of our Nation. The Oversight Committee 
recently held a hearing on the IRS data breach where bad actors 
hacked into the Department of Education and stole income 
information from financial aid applications and then used that 
information to file fraudulent tax returns with the IRS.
    All of the agencies appearing before us today collect and 
retain a wealth of information on individual Americans, 
particularly Social Security numbers. It is essential that we 
reduce the unnecessary use of Social Security numbers, both on 
printed forms and electronically, in transition and at rest. In 
fact, tomorrow, the House is scheduled to consider 
Representative Valadao's Social Security Number Fraud 
Prevention Act of 2017, which was passed out of committee on a 
voice vote and prohibits agencies from sending Social Security 
numbers by mail, unless the head of the agency deems it 
absolutely necessary.
    The Social Security Administration has 174 million wage 
earners and records on pretty much everybody living and dead. 
It is a treasure trove of information that must be protected.
    The Veterans Administration has health records on over 8 
million veterans and their families. I can imagine a few other 
records as intimate as an individual's health record. The VA 
currently uses Social Security numbers as a patient identifier.
    Protecting these numbers is critically important for all 
Americans, but given that Social Security numbers are 
frequently exchanged with our most at-risk members of society, 
such as our seniors, disabled, and veterans, we must take 
utmost precaution to prevent the unnecessary risk of exposure 
for these populations.
    One of the recommendations that came out of the committee's 
investigation of the OPM breach was that agencies reduce their 
use of Social Security numbers in order to mitigate the risk of 
identity theft. As agencies undertake this transition, it is 
essential that they rethink how they use, collect, and store 
Social Security numbers and indeed all pieces of personal 
information they collect.
    I am proud to be here today with my colleagues from the 
Oversight Committee as well as my colleagues from the Ways and 
Means Committee in this important joint hearing to examine 
what's working and what we can do better. Today, I hope to 
learn more about what efforts the Federal Government is taking 
to reduce its collection, use, and storage of Social Security 
numbers. And thank you for being here today, and I look forward 
to hearing from all of our witnesses.
    Mr. RICE. Thank you.
    I now recognize Ms. Kelly for her opening statement.

             OPENING STATEMENT OF HON. ROBIN KELLY

    Ms. KELLY. Thank you, Chairmen Rice and Hurd and Ranking 
Member Larson, for holding this important hearing.
    Originally created to track the earnings of individuals and 
determine eligibility for Social Security benefits, the Social 
Security number has become the principal method used to verify 
an individual's identity. But the proliferation of their use 
poses serious challenges to data security and identity theft 
protection.
    In 2007, when the Office of Management and Budget 
recognized that reducing the use of Social Security numbers at 
agencies could reduce the risk of identity theft, 10 years ago 
this week, OMB issued a memorandum directing agencies to reduce 
their use of Social Security numbers by examining where their 
collection was unnecessary and creating plans to end such 
collection within 18 months. Now, on the 10-year anniversary of 
the guidance, we have the opportunity to examine the challenges 
that have stymied agencies' efforts while learning from those 
agencies who have had success in their initiative.
    The Social Security Administration no longer prints Social 
Security numbers on statements, cost-of-living notices, or 
benefits checks. The Centers for Medicare and Medicaid Services 
is in the middle of efforts to remove the numbers from all 
Medicare cards by April 2019. Likewise, the Department of 
Veterans Affairs has ceased printing Social Security numbers on 
prescription bottles, certain forms, and correspondence, and is 
working to find an alternate means of identification that will 
maintain patient safety while reducing the visibility of Social 
Security numbers on patient wristbands.
    These concrete steps represent real progress, and I commend 
the agencies on their work so far. But barriers still exist to 
full implementation of the OMB's guidance. One of those 
barriers is the lack of a strong coordinative approach from OMB 
itself. GAO found that the 2007 memorandum did not define 
unnecessary use, nor did it outline requirements such as 
timeline or performance goals. As a result, many agencies were 
vague and subject to varied interpretation over the years. 
Additionally, OMB did not require agencies to update their 
inventories of Social Security number collection points, making 
it difficult to determine whether agencies were actually 
reducing collection and use. OMB must provide clear direction 
to agencies and strengthen its monitoring of compliance.
    In addition to poor coordination by OMB, Federal efforts to 
reduce Social Security numbers used have faced other 
challenges. Agencies are statutorily and legally required to 
collect Social Security numbers for identity verification in a 
number of programs. And Social Security numbers remain the 
standard for identity verification across government programs. 
OPM briefly took steps to address this issue by working to 
create an alternate identifier in 2008 and again in 2015. 
However, a lack of approved funding prevented these efforts 
from going forward. Until Congress refines the requirements 
mandating Social Security number collection and an alternate 
governmentwide identifier is created, significant reductions in 
Social Security numbers use seems unlikely.
    Outdated legacy IT systems also cause agencies to struggle 
to obtain their reduction goals. Agencies do not have the funds 
to replace these systems and start anew. This subcommittee has 
spoken at great length about the need to update the Federal 
Government's IT infrastructure. And we must put our money where 
our mouth is. I'm concerned that across-the-board budget and 
personnel cuts proposed by the Trump administration will take 
us in the opposite direction and make it harder to accomplish 
our Social Security number reduction goals.
    I hope my colleagues will keep this and the need to protect 
Americans from identity theft in mind as we discuss fiscal year 
2018 budget proposals. I look forward to hearing from our 
witnesses today, and I yield back the balance of my time. Thank 
you.
    Mr. RICE. Thank you. As is customary, any member is welcome 
to submit a statement for the hearing record. Before we move on 
to our testimony today, I want to remind our witnesses to 
please limit their oral statements to 5 minutes. However, 
without objection, all of the written testimony will be made 
part of the hearing record.
    We have 5 witnesses today. Seated at the table are: Gregory 
Wilshusen, Director of Information Security Issues, Government 
Accountability Office; Marianna LaCanfora, Acting Deputy 
Commissioner, Office of Retirement and Disability Policy, 
Social Security Administration; David DeVries, Chief 
Information Officer, Office of Personnel Management; and Karen 
Jackson, Deputy Chief Operating Officer, Centers for Medicare 
and Medicaid Services; and, finally, John Oswalt, Executive 
Director for Privacy, Office of Information and Technology, 
Department of Veterans Affairs. Welcome to you all and thank 
you for being here.
    Pursuant to the Committee on Oversight and Government 
Reform rules, all witnesses will be sworn in before they 
testify. Please rise and raise your right hand.
    [Witnesses sworn.]
    Mr. RICE. Please be seated.
    Mr. Wilshusen, welcome and thanks for being here. Please 
proceed. If I butchered your name, I'm sorry.

   STATEMENT OF GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION 
       SECURITY ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. WILSHUSEN. No, you did perfect. Thank you, Chairmen 
Rice and Hurd, Ranking Members Larson and Kelly, and Members of 
the Subcommittee. Thank you for inviting me today to testify at 
today's hearing on executive branch efforts to reduce the 
unnecessary use of Social Security numbers.
    My statement is based on our draft report on Federal 
efforts to reduce the collection, use, and display of these 
numbers. We have provided a draft report to 25 agencies for 
comment. We anticipate issuing the final report to you later 
this summer after we receive agency comments.
    Before I begin, if I may, I'd like to recognize several 
members of my team who were instrumental in developing my 
statement or performing the work underpinning it. With me is 
John de Farrari and Marisol Cruz, who led this work, and 
Quintin Dorsey. In addition, Andrew Beggs, Shaunyce Wallace, 
Dave Plocher, Priscilla Smith, and Scott Pettis made 
significant contributions.
    Beginning in 2007, OPM, OMB, and the Social Security 
Administration undertook several actions aimed at reducing or 
eliminating the unnecessary collection, use, and display of 
Social Security numbers on a governmentwide basis. However, 
these actions have had limited success. OPM issued guidance to 
agencies and acted to eliminate or mask Social Security numbers 
on personnel forms used throughout the Federal Government. It 
also promulgated a draft regulation to limit Federal 
collection, use, and display of Social Security numbers, but 
withdrew the proposed rule because no alternate Federal 
employee identifier was available that would provide the same 
utility.
    In 2007, OMB required agencies to establish plans for 
eliminating the unnecessary collection and use of Social 
Security numbers. OMB also began requiring agency reporting on 
reduction efforts as part of its annual FISMA reporting 
process. In 2007, the Social Security Administration developed 
an online clearinghouse on agencies' best practices for 
minimizing the use and display of Social Security numbers. 
However, this clearinghouse is no longer available.
    At the individual agency level, each of the 24 CFO Act 
agencies report taking a variety of steps to reduce the 
collection, use, and display of Social Security numbers. These 
steps included developing and using alternate identifiers; 
masking, truncating, or blocking the display of these numbers 
on printed forms, correspondence, and computer screens; and 
filtering email to prevent transmittal of unencrypted numbers.
    However, agency officials noted that Social Security 
numbers cannot be completely eliminated from Federal IT systems 
and records in part because no other identifier offers the same 
degree of universal awareness and applicability. They 
identified three other challenges. First, several statutes and 
regulations require collection and use of Social Security 
numbers. Second, interactions with other Federal agencies and 
external entities require the use of the number. And a third 
challenge pertained to technological hurdles that can slow 
replacement of the numbers in information systems.
    Reduction efforts in the executive branch have also been 
limited by more readily addressable shortcomings. Lacking 
direction from OMB, many agencies' reduction plans did not 
include key elements, such as timeframes or performance 
indicators, calling into question the plans' utility.
    In addition, OMB has not required agencies to maintain up-
to-date inventories of Social Security number collections and 
has not established criteria for determining when the number's 
use or display is unnecessary, leading to inconsistent 
determinations and definitions across the agencies.
    OMB has also not ensured that all agencies have submitted 
up-to-date progress reports and has not established performance 
metrics to measure and monitor agencies' efforts.
    Accordingly, in our draft report, we are making five 
recommendations to OMB to address these shortcomings. Until OMB 
and agencies adopt better and more consistent practices, their 
reduction efforts will likely remain limited and difficult to 
measure. Moreover, the risk of Social Security numbers being 
exposed and used to commit identity theft will remain greater 
than it need be.
    Chairman Rice, Chairman Hurd, Ranking Members Larson and 
Kelly, this concludes my statement. I'd be happy to answer your 
questions.
    [The prepared statement of Mr. Wilshusen follows:]
    Mr. RICE. Thank you, sir.
    Ms. LaCanfora, welcome and thanks for being here. Please 
proceed.

 STATEMENT OF MARIANNA LACANFORA, ACTING DEPUTY COMMISSIONER, 
  OFFICE OF RETIREMENT AND DISABILITY POLICY, SOCIAL SECURITY 
                         ADMINISTRATION

    Ms. LACANFORA. Acting Chairman Rice, Chairman Hurd, Ranking 
Member Larson, Ranking Member Kelly, and Members of the 
Subcommittees, thank you for inviting me to discuss the 
history of the Social Security number, how the Social Security 
Administration uses it to administer its programs, and efforts 
to reduce the number's use. I am Marianna LaCanfora, Acting 
Deputy Commissioner for Retirement and Disability Policy.
    There's a rich history surrounding the Social Security 
number. Those responsible for implementing the new Social 
Security Program understood that crediting earnings to the 
correct individual would be critical to the program's success. 
Names alone would not ensure accurate reporting. Accordingly, 
in 1936, we designed the 9-digit SSN and SSN card to allow 
employers to accurately report earnings.
    Today, over 80 years since the program's inception, we have 
issued around 500 million unique numbers to eligible 
individuals. The SSN continues to be essential to how we 
maintain records. Without it, we could not carry out our 
mission. However, the SSN and SSN card were never intended, nor 
do they serve, as identification. We strongly encourage other 
agencies and the public to minimize their use.
    We also provide electronic verifications of SSNs to our 
Federal and State partners to prevent improper payments. In 
2016, we performed over 2 billion automated SSN verifications.
    Although we created the SSN, its use has increased 
dramatically by other entities over time. A 1943 executive 
order required Federal agencies to use the SSN. Advances in 
computer technology and data processing in the 1960s further 
increased the use of the number. Congress also enacted 
legislation requiring the number for a variety of Federal 
programs. Use of the SSN grew not just in the Federal 
Government but throughout State and local governments to banks, 
credit bureaus, hospitals, educational institutions, and other 
parts of the private sector.
    As use of the SSN has become more pervasive so has the 
opportunity for misuse. We have taken numerous measures to help 
protect the integrity of the SSN.
    In 2001, we removed the full SSN from two of our largest 
mailings: the Social Security statement and the Social Security 
cost-of-living adjustment notice. These notices account for 
about a third of the roughly 352 million notices that we send 
out each year.
    In 2007, OMB issued a memo requiring agencies to review 
their use of the SSN and identify unnecessary use of the 
number. We recognized that although we need the SSN to 
administer our programs, we could and did refine all of our 
personnel policies to reduce reliance on the number.
    Still, we recognize that we need to do more. Two-thirds of 
our notices have the Social Security number. Our notice 
infrastructure is complex. About 60 different applications 
generate notices and every notice is created to respond to an 
individual's unique circumstances. Nevertheless, we are 
committed to replacing the SSN with a beneficiary notice code, 
or BNC, as we modify existing notices or create new ones. The 
BNC is a secure, 13-character, alphanumeric code that helps our 
employees identify the notice and the beneficiary and respond 
to inquiries quickly. We initially developed the BNC for use in 
the Social Security cost-of-living adjustment notice.
    Additionally, next year, we will replace the SSN with the 
BNC on benefit verification letters as well as appointed 
representative and Social Security post-entitlement notices. 
Together these mailings account for 42 million annual notices.
    We take great care to protect the integrity of the SSN and 
the personal information of the public we serve.
    Thank you for the opportunity to describe our efforts. I'd 
be happy to answer any questions.
    [The prepared statement of Ms. LaCanfora follows:]
    Mr. RICE. Thank you, Ms. LaCanfora.
    Mr. DeVries, welcome and thanks for being here. Please 
proceed.

 STATEMENT OF DAVID DEVRIES, CHIEF INFORMATION OFFICER, OFFICE 
                    OF PERSONNEL MANAGEMENT

    Mr. DEVRIES. Thank you, Chairman Rice, Chairman Hurd, 
Ranking Member Larson, Ranking Member Kelly, and Members of the 
Subcommittees, thank you for the opportunity to appear before 
you today to represent the Office of Personnel Management with 
respect to reducing the use of Social Security numbers as a 
personal identifier.
    In 1962, the Civil Service Commission adopted the SSN to 
identify Federal employees. Over time, the SSN became universal 
to almost every piece of paper or its digital form in a Federal 
employee's official personnel file. It became a de facto 
personnel identifier. The SSN was used for routine personal 
actions to record training, to request health benefits, and for 
many other purposes.
    In 2007, OPM issued guidance to Federal agencies to develop 
consistent and effective measures for use in safeguarding of 
Federal employees' SSNs. The intent of these measures was to 
minimize the risk of identity theft and fraud in two ways, one 
by eliminating the unnecessary use of SSN as an identifier and 
by strengthening the protection of personal information, 
including SSNs, from theft or loss. Examples of the measures 
that we recommended were eliminating the unnecessary printing 
display of the Social Security number on forms, reports, and 
your computer displays, and restricting access to only those 
individuals who had a need to know, and they were notified of 
their additional responsibilities to safeguard that. We also 
included privacy and confidentiality statements to go along 
with the--and, finally, we came up with how do you mask it or 
how do you take the Social Security numbers out of the forms 
itself there.
    Internal to the OPM, we examined our internal policies with 
respect to the use of SSNs and, in 2012, issued an addendum to 
our information security and privacy policy. The updated policy 
identifies acceptable uses of the SSN, describes how the 
authorized use will be documented, and presented alternatives 
for SSN. This internal policy addendum notes that acceptable 
use of the SSN are only those that are provided for by law, 
executive order, require interoperability with organizations 
outside the OPM, or are required by operational necessities to 
achieve agency mission. For example, the SSN is a single 
identifier that is consistent across the security investigation 
process and may be necessary to complete an individual's 
background investigation. But it is now protected in both 
transit and in storage.
    OPM has taken other efforts to reduce the use of SSNs since 
issuing the 2012 policy. OPM modified the USAJOBS and the USA 
Staffing Systems so that neither collect SSNs from applicants. 
We also undertook an effort in 2016 to understand which IT 
systems maintain SSNs and how they use those to communicate 
with other programs. The initial inventory was completed in 
September 2016, and we are now using it to validate the 
progress made and identify other opportunities. In addition, we 
are updating the internal 2012 policy this year.
    It is difficult to completely eliminate the Federal use of 
SSNs without a governmentwide coordinated effort and dedicated 
funding. SSNs are generally the common element linking 
information among agencies, OPM shared service providers, and 
benefit providers. In the fall 2016, OMB and OPM proposed the 
program unique identifier, or PUID, initiative to reduce the 
use of SSNs in many government systems and programs. The PUID 
initiative sought to facilitate the exchange of information 
without SSNs. This would be accomplished by providing an 
alternative numbering scheme to uniquely identify records 
across various programs and agencies. An initial proof of 
concept shows potential for continued study.
    Members of the subcommittee, thank you for having me here 
today to discuss OPM's role in reducing the use of SSNs and for 
your interest and support in this important issue here. 
Safeguarding the PI of our Federal employees and others whose 
information we hold is of paramount importance to OPM. I would 
be happy to address any questions you may have. Thank you.
    [The prepared statement of Mr. DeVries follows:]
    Mr. RICE. Thank you, Mr. DeVries.
    Ms. Jackson, thank you for being here. You can proceed.

  STATEMENT OF KAREN JACKSON, DEPUTY CHIEF OPERATING OFFICER, 
            CENTERS FOR MEDICARE & MEDICAID SERVICES

    Ms. JACKSON. Chairman Rice and Hurd, Ranking Members Larson 
and Kelly, and Members of the Subcommittees, thank you for this 
opportunity to discuss the Centers for Medicare and Medicaid 
Services' work to safeguard the personally identifiable 
information of the beneficiaries whom we serve, including our 
ongoing work to eliminate use of the Social Security number on 
Medicare cards.
    This effort is an important step in protecting 
beneficiaries from becoming victims of identity theft, one of 
the fastest growing crimes in the country. As we all know, 
identity theft can disrupt lives, damage credit ratings, and 
result in inaccuracies in medical records. Thanks to 
congressional leadership and, in particular, Chairman Johnson, 
whom I am sorry is not here today, and members of the Ways and 
Means Committee, and based on the recommendations of our 
colleagues from the Government Accountability Office, CMS will 
eliminate the Social Security number-based identifier on 
Medicare cards by April 2019, as Congress directed us, as part 
of the Medicare Access and CHIP Reauthorization Act of 2015, 
known as MACRA. We very much appreciate Congress providing us 
with the resources necessary to undertake this important 
project.
    Beginning in April 2018, all newly enrolled Medicare 
beneficiaries will receive a Medicare card with a new Medicare 
Beneficiary Identifier, known as the MBI. At the same time, CMS 
will begin distributing the new Medicare cards to our current 
beneficiaries. This new Medicare number will have the same 
number of characters as the current 11-digit Social Security 
number-based health insurance claim number, known as the HICN, 
but will be visibly different and distinguishable from the 
HICN. With the introduction of the MBI, for the first time, CMS 
will have the ability to terminate the Medicare number and 
issue a new number to a beneficiary in instances where they are 
a victim of identity theft or their Medicare number has been 
compromised in some way.
    Transitioning to the MBI will help beneficiaries to better 
safeguard their personal information by reducing the exposure 
of their Social Security numbers. CMS has already removed the 
Social Security number from many types of our communications, 
including the Medicare summary notices that are mailed to 
beneficiaries on a quarterly basis. We have prohibited private 
Medicare Advantage Plans and Medicare Part D prescription drug 
plans from using Social Security numbers on their enrollees' 
insurance cards.
    Many people wonder why CMS has used an identifier based on 
the Social Security number in the first place. When the 
Medicare program was established in 1965, it was actually the 
Social Security Administration who administered the program. 
While CMS is now responsible for management of Medicare, the 
Social Security Administration still enrolls beneficiaries and 
both CMS and the Social Security Administration rely on 
interrelated systems to coordinate eligibility for Medicare 
benefits and for Social Security benefits.
    Currently, healthcare providers use the HICN when they 
submit claims in order to receive payment for healthcare 
services and also for supplies. And CMS and its contractors use 
the HICN to process those claims, authorize payments, and to 
issue some beneficiary communications.
    We're in the process of making changes to over 75 of our 
affected systems to replace those systems' indicators with the 
MBI over the HICN, and we have developed the software that will 
generate MBIs and assign them to beneficiaries. We are working 
with our key partners, such as SSA, Railroad Retirement Board, 
States and territories, the Indian Health Service, the 
Department of Defense, Department of Veterans Affairs, 
healthcare providers, and other key stakeholders--there are a 
lot of them--to ensure that beneficiaries continue to receive 
access to services and our partners will be able to process 
using the new MBI.
    We are implementing an extensive and phased outreach and 
education program for the estimated 60 million beneficiaries 
who will be receiving new cards, as well as to providers, 
private health plans, other insurers, clearinghouses, and other 
stakeholders. This fall, we will tell Medicare beneficiaries 
they will be receiving a new card, instruct them on when they 
will be receiving it, and what to do with their old cards.
    We are also working to make sure that physicians and other 
healthcare providers are prepared to serve patients throughout 
the transition by creating information for providers both for 
them to update their records with the new MBI and also for them 
to help remind beneficiaries that they need to bring their new 
cards with them when they see their doctors.
    We know from other successful large-scale implementations 
that it helps to allow time for all stakeholders to adjust to 
the changes. And so, beginning in April of 2018, when we begin 
to mail out the cards, CMS will have a 21-month long transition 
period, during which our systems will accept transactions both 
containing the MBI and also the HICN.
    Throughout our programs, we are committed to safeguarding 
personal information. Redesigning the Medicare card to remove 
the Social Security number-based identifier is a very important 
step for CMS in helping to combat identity theft and further 
protect our beneficiaries.
    Thank you very much for your interest in our progress 
today, and I look forward to answering your questions.
    [The prepared statement of Ms. Jackson follows:]
    Mr. RICE. Thank you, Ms. Jackson.
    Mr. Oswalt, thank you for being here. You can proceed.

   STATEMENT OF JOHN OSWALT, EXECUTIVE DIRECTOR FOR PRIVACY, 
   OFFICE OF INFORMATION TECHNOLOGY, DEPARTMENT OF VETERANS 
                            AFFAIRS

    Mr. OSWALT. Good afternoon, Chairman Rice, Chairman Hurd, 
Ranking Member Larson, Ranking Member Kelly, and distinguished 
Members of the Subcommittees. Thank you for this opportunity to 
participate in your joint hearing on government use of Social 
Security numbers across the government and VA, and the steps 
that VA has taken to find ways to reduce, eliminate Social 
Security numbers from VA's systems.
    VA's mission is to serve with dignity and compassion 
America's veterans and their families. This mission is 
contingent upon accurate and timely information being readily 
available. If we are to advocate for veterans, ensure they 
receive the medical care, benefits, social support, and lasting 
memorials they have rightfully earned in service to our Nation, 
VA must properly identify, verify, and coordinate this 
protected information entrusted to us.
    The Department interfaces with many other Federal agencies, 
including but not limited to, the Department of Defense, the 
Social Security Administration, the Internal Revenue Service, 
and the Department of Education.
    VA's primary uses of SSNs are threefold: One, locate 
veterans and their dependents to ensure correct identification 
associated with the delivery of healthcare and services; second, 
identify employees for employment related recordkeeping; and, 
three, ensure 100 percent accuracy in patient identification. 
Mistaken identity in the delivery of healthcare can result in 
catastrophic and tragic outcomes. Until such time when the 
comprehensive and equally accurate means to do so is 
established and implemented, the use of SSNs remains the best 
means of ensuring patient identification.
    In addition, SSNs must be used if required by law or 
regulation for purposes such as background investigations, 
income verification, and the matching of computer records 
between government agencies.
    Elimination of the SSN use is not solely a function of 
information technology, IT. The business processes used by the 
Veterans Health Administration, VHA; the Veterans Benefit 
Administration, VBA; and VA offices require a complete overhaul 
in how they establish absolute identity verification inside VA 
and, equally important, outside VA.
    IT solutions to eliminate SSN use can only occur after our 
integrated and comprehensive review of SSN's use and its 
interconnectedness is complete. VA recognizes the growing 
threat posed by identity theft and the impact on veterans, 
dependents, and employees. In 2009, VA created and implemented 
the enterprisewide Social Security reduction effort--Social 
Security Number Reduction Effort. The goal of an SSNR is to 
gather and catalog SSN use, leading to the reduction and/or 
elimination of the SSN as the VA's primary identifier, all 
while maintaining the 100 percent requirement for proper 
veteran patient identification.
    For example, VHA has eliminated the full SSN use on 
appointment letters, routine correspondence, and the veteran's 
health identification card. VA mailout pharmacy has eliminated 
the SSN from prescription bottles and mailing labels. As a 
whole, VA has removed SSNs from several forms where such use 
was deemed not necessary. VBA is modifying an existing contract 
to replace SSNs with barcode labels on all outgoing 
correspondence. Completion of that effort is expected in 
November of this year.
    As VA migrates away from SSN use, the Office of Information 
Technology is collaborating with stakeholders to continue 
expanding the use of the Master Veteran Index, MVI, a registry 
of veterans, their beneficiaries and other eligible persons. 
MVI serves as the authoritative identity source within VA and 
generates an assigned and integrated control number, or ICN, 
for each veteran. The use of MVI as a unique identifier 
continues to expand with the ultimate goal being replacement of 
the SSN as a primary identifier.
    There are many challenges facing VA regarding the 
elimination of the unnecessary collection and use of the SSN. 
This includes an enterprisewide system analysis that needs to 
be conducted to find and identify the large volume of interface 
systems that VA needs for clinical care and administrative 
functions, undertaking a robust education and retraining 
program for employees to implement any new unique identifier--
this has already begun, but it will take time to integrate 
fully into our work processes--and acceptance by the veteran 
committee community. A change of this magnitude across the 
entire VA system will require substantial outreach and 
education.
    VA has made considerable progress toward eliminating 
unnecessary use of SSNs and continues to reduce the use of SSNs 
with the goal to replace it with an alternative primary 
identifier. This concludes my testimony, and I'm prepared to 
answer any questions you or other Members of the Subcommittee 
may have. Thank you.
    [The prepared statement of Mr. Oswalt follows:]
    Mr. RICE. Thank you, Mr. Oswalt.
    We now turn to questions. As is customary for each round of 
questions, I will limit my time to 5 minutes, and I will ask my 
colleagues to also limit their questioning time to 5 minutes as 
well.
    Mr. Oswalt, I want to start with you. You were just 
speaking of the hurdles that the VA has to cross to eliminate 
the Social Security number and, of course, how critical it is 
that we make sure that we identify each patient, as their lives 
are in the balance, right, and make sure they get the right 
medication and so forth.
    So you were saying that, as a replacement for the Social 
Security number, you started implementing an ICN. What you 
didn't tell us is how long it's going to take to get that done. 
What would be your best estimate for when you can get that 
done?
    Mr. OSWALT. Well, the MVI, which is the registry of all 
certain types of identifiers, has been in place in various 
incarnations since 1999.
    Mr. RICE. So you don't use Social Security numbers anymore?
    Mr. OSWALT. We do use Social Security, but its use as a 
primary identifier is still in the VA processes. The ICN is 
generated by all the information that the MVI collects. So 
using that ICN as a means to identify a veteran as their 
information traverses the system or a machine talking to a 
machine; that has happened to a large extent already. It's 
primarily the SSN use is when there's a human-to-human 
interface between the clinician and the patient.
    Mr. RICE. Do you still have their Social Security numbers 
on their little wristbands?
    Mr. OSWALT. Yes, we do. There is an effort underway, I 
believe, on a pilot level. Right now, we are seeking to 
eliminate the full SSN with the goal of being a complete 
elimination, and there's also a barcode----
    Mr. RICE. Do you have any kind of timetable for that?
    Mr. OSWALT. Sir, I would have to take that and provide that 
for the record because I'm not aware of the project status.
    Mr. RICE. Thank you, Mr. Oswalt.
    Ms. Jackson, your testimony was very interesting and 
exciting to me. You said, by 2018, you will eliminate Social 
Security numbers from the Medicare cards. You are moving at 
lightning speed for the Federal Government. Thank you for your 
efforts.
    Mr. DeVries, you said something that was very interesting 
to me. You have stopped collecting Social Security numbers for 
applicants for employment for the Federal Government?
    Mr. DEVRIES. Correct, sir. When an applicant is going to 
enter into or wants to come into the Federal Government and 
they go to the USAJOBS site, we no longer collect their Social 
Security number from them at that time, correct.
    Mr. RICE. When do you collect their Social Security 
numbers?
    Mr. DEVRIES. So we don't collect it. The agency--once we 
match up the job applicants against the job posting, to what we 
call U.S. Staffing, and the agency takes that referral list and 
the list of applicants and they narrow it down and they make 
the selection, when they bring that person on to make them 
employment offer, that's when the agency that's hiring them 
collects that from them then.
    Mr. RICE. I know they would use their Social Security 
number for tax withholdings and such. What else would they use 
the Social Security number for when they were looking to hire 
somebody?
    Mr. DEVRIES. So it is mostly that. It is your status of 
employment and then the benefits that come with it, whether it 
be the pay and then reporting back to the IRS and the Social 
Security side of the house.
    Mr. RICE. Do you do criminal background checks in any 
agency of the government?
    Mr. DEVRIES. So, once you become an employee and if your 
position requires that, then, when you submit for the 
background investigation, that would also be the primary use. 
And similar to what we do in the VA, though, once it gets into 
the background investigation system, then it is a different 
number that becomes the controlling number for it.
    Mr. RICE. And since this massive hacking that occurred 
several years ago, I assume you've implemented a lot more 
protections to prevent that from happening again.
    Mr. DEVRIES. Yes, sir.
    Mr. RICE. Ms. LaCanfora, gosh, amazing statistics. Did I 
hear you correctly that you respond, that you verify 2 billion 
requests per year? Is that right?
    Ms. LACANFORA. Two billion verifications, yes.
    Mr. RICE. Wow. So that would be like six for every single 
living person in the country.
    Ms. LACANFORA. Yes. It is worth noting that more than half 
of those are Federal and State agencies that are verifying 
numbers with us, and that can happen multiple times throughout 
a year if they are processing, for example, an application for 
benefits.
    Mr. RICE. All right.
    OMB has required agencies to eliminate the unnecessary use 
of Social Security numbers, but they never defined what 
necessary use is. How does each of your agencies define 
necessary use? I'll start with you, Mr. Wilshusen.
    Mr. WILSHUSEN. Actually, I don't know how my agency has 
defined unnecessary use. What we did in terms of our audit of 
the other agencies is determine to what extent that they have 
defined unnecessary use. We found that of the 24 CFO Act 
agencies, a number of them, four I believe, did not define what 
``unnecessary use'' is and another eight didn't have it 
documented or did not have a formal definition. Rather, the 
agencies based it on the judgment of the individuals who are 
making the particular assessment on Social Security use.
    Mr. RICE. Thank you, sir.
    Mr. Larson.
    Mr. LARSON. Thank you, Mr. Chairman.
    And I want to thank the witnesses again.
    What a credit to government service you are, and I thank 
you for being here today.
    Just a couple of questions. First, it has got to be 
incredibly hard to operate an agency that is the largest 
insurer in the Nation and to do so with a 99-percent loss 
ratio, the envy of any private sector insurance company. Kudos 
to you. Not without its problems and complexities, one of which 
we are exploring here today in terms of making sure we get 
after fraud and abuse. And as we said many times on the 
committee, anyone who abuses this system, a sacred trust, ought 
to get the ultimate penalty. And I'm all for strengthening 
anything that we can do to further crack down on this.
    What we've heard in your testimony today is a couple of 
things that strike me. Number one, we have a 13-percent 
increase overall with the baby boomers coming through the 
system, and yet you have had a 10-percent overall cut in your 
budget. One has to ask, how are you able to manage with these 
increases and the complexity of the problems that you face, 
including hacking?
    Now, listen, I am one of those people that would also concur 
that, hey, listen, some--you don't always--you know, cuts in 
service, if they are replaced by technology that is current, 
can overcome those things. But it seems to me like you're also 
saddled with legacy IT that needs to be updated and improved, 
and yet there aren't the resources that we funneled you to do 
that. Is that a fair assessment?
    Ms. LACANFORA. You have cited some of our challenges, yes. 
I think I will mention, though, that we are embarking on a very 
ambitious IT modernization plan. We know that we cannot 
continue to operate the way that we are operating.
    Mr. LARSON. When you say you are embarking on it, do you 
have the money for it? And where are we going? It seems like a 
lot of the problems and concerns that we are confronted with, 
especially in the area of veterans, et cetera--and I noticed 
the wristband concerns that were brought up in terms of 
identification--that if we have the resources, and certainly we 
have the technological capability, why wouldn't we protect what 
is the government's leading program to protect and assist its 
citizens? Could you--do you need more money?
    Ms. LACANFORA. I think our budget folks are coming up to 
brief your staff on the 2018 budget, but I will say that the 
2018 budget attempts to balance service and stewardship, as 
well as improving the efficiency with which we operate--the IT 
modernization plan that I mentioned is something that we are 
looking forward to advancing, and we're considering that to be 
an agency priority. So we are going to dedicate the funding to 
support that. Part of that will help us to modernize our 
communications infrastructure and remove the SSN from the 
remaining notices.
    Mr. LARSON. What is very alarming to us--and I know that 
my colleagues on the other side of the aisle share this as 
well--is that we know how vital this program is to all of our 
citizens. We know and everyone can attest to the long waits on 
disability in terms of processing claims. It seems the country, 
as gifted as we are with IT, this ought to be something that we 
ought to be able to solve rather easily. So it is further 
frustrating when we continue to see cuts in the budget and 
quite alarming today when we have the President's budget is 
revealed with about a $70 billion cut in Social Security, 
which, to me, is unconscionable, especially given the 
President's previous statements about preserving and saving, if 
not expanding, these benefits to keep pace actuarially where 
they should be from where we were in 1983, when we actually 
last looked at this from in a business actuarially sound 
position. I really believe that we can close a lot of these 
gaps with appropriate technology and assistance from the rank 
and file, who I would also note, according to testimony in 
previous hearings, that frontline members in Social Security 
offices are our best line of defense against fraud and abuse 
and waste. And they don't get enough credit. And continuing to 
cut the budget, instead of looking at investments in both IT 
and where we can be more efficient and successful, I think is 
where we need to go. Thank you.
    Mr. RICE. Just to clarify, the President is not talking 
about cutting benefits. He's talking about cutting 
administrative costs.
    Mr. Schweikert.
    Mr. SCHWEIKERT. Thank you, Mr. Chairman.
    Forgive me, who would be the most technical of all of you? 
All right. I need you to work through something with me and 
correct me if I'm not hearing something correctly. I have a 
BNC. I have a PUID. I have an MBI. I have an ICN. Are these all 
on a common registry that, a derivation table, that you tag in 
technology and you pull back and tag?
    Mr. DEVRIES. No, sir.
    Mr. SCHWEIKERT. In that case, forgive me, and look, I've 
only been reading the testimony and the things here, but what I 
see is absurd technologywise. Without a common central token 
system--and forgive me, but if you use Apple Pay here, Apple 
Pay does not hold your credit card number. What it does is it 
creates a one-time-use token. The token hands off, matches, is 
handed back a number, reflects back. You all have IT budgets. 
You're trying to solve a problem, but in many ways--I need you 
to walk me through--it's my fear that the problem may have just 
gotten worse because I have the VA now with one set of numbers. 
I have Medicare with a different set of numbers. I have OPM 
with a different set. I'm now going to have Social Security 
with another blind identifier. Have we just made the problems 
much worse at least for the customer service aspect?
    Mr. DEVRIES. Sir, if I could, let me address that to a 
limited degree here. What you just heard here was exactly the 
case. We took the one common field--it is called 9-digit Social 
Security number--that grew up for decades. It became ubiquitous 
in every form that we filled out. And then we said we can't 
show that, we can't display it out, we have to cut the use of 
that to where it is not publicly used----
    Mr. SCHWEIKERT [continuing]. Blind it.
    Mr. DEVRIES. We created a scheme for each of these things. 
I came from several years inside DOD. And so when I become a 
DOD member, I become a veteran at the end of that thing, yet I 
get a different number. Now I am a civil servant; I get a 
different number yet. How do we unite that thing? That's where 
we need the unification at the top there to help drive the 
standardization of these things and then how do you link them 
back, because, at the end of day, I still need to tie the 
different benefits that come at it from the various employment 
opportunities and----
    Mr. SCHWEIKERT. Does everyone see what I'm observing is we 
may be actually, in our attempt to blind these numbers, 
creating another cascade effect that's going to create a whole 
new level of complication, and that is when my veteran happens 
to also be working on his Medicare, who also is dealing with a 
Social Security dispute, that may be wanting to go back to work 
for the Federal Government at the Park Service, and now I have 
a handful of different numbers.
    Off just the top of my head--and I'm on the edge of my 
technical expertise--I could come to you right now and, whether 
it be in a distributed ledger model, but some sort of common 
tokenization, where I hand this number, I get the hand off, and 
I would get a constant match. It wouldn't stop you all from 
doing what you're doing, but we would have to actually build a 
common unified clearinghouse data system that would reflect all 
the numbers and then hand back the one-time-use token. But that 
may be a unifying solution to solve actually a number of our 
problems, which is I can actually take you all the way to 
Social Security earned income tax credit fraud and a whole 
number of other things that could actually help on. Am I way 
out of my league here from your area of expertise? Am I seeing 
a unifying problem here?
    Mr. DEVRIES. You are correct, sir. In my opening remarks, I 
talked about the program unique identifier. The concept there 
was to keep the Social Security number as the gold place. You 
protect that. You surround it, but you don't bring it out. And 
then you have programs, and so each of these could be a unique 
program. And they would have structures to their numbering 
schemes, and they own the numbering schemes, just like we 
talked about today here, but then it gets associated back to 
it, and that's what gets shared out. If his Medicare card gets 
confiscated or lost, we cut him a new one; it does not start 
the whole process.
    Mr. SCHWEIKERT. Obviously, it would be easier if every time 
someone used a Medicare benefit, they had a chip card that 
handed off a new token, but the fact of the matter is you are 
not going to design the same thing where I type in this time 
the unique number; it hands off. It may be worth a conversation 
for those who are interested in this type of technology. Maybe 
as the committee here, we need to sort of--it is going to take 
some resources, but there has to be a unified theory we could 
get to make this simpler.
    I yield back, Mr. Chairman.
    Mr. RICE. Thank you.
    Ms. Kelly.
    Ms. KELLY. Thank you, Mr. Chairman.
    Social Security numbers have become used as a principal 
method of identity verification in and across agencies. 
However, that very fact makes them lucrative targets for 
identity thieves.
    Mr. Wilshusen----
    Mr. WILSHUSEN. Wilshusen.
    Ms. KELLY. You testified that SSNs are particularly risky 
because they can, quote, ``connect an individual's PII across 
many agencies' information systems and databases.'' Can you 
explain how the widespread use of Social Security numbers 
increases the risk of identity theft?
    Mr. WILSHUSEN. Certainly. And thank you for the question. 
One of the reasons is that they are available, and if the 
numbers are not properly secured, they are vulnerable to theft. 
In our work on information security at Federal agencies, we 
looked at the examination of--or examined the security controls 
over the agency's information. We have often found that the 
security controls are not effective to the extent to where they 
can adequately protect the confidentiality, integrity, and 
availability of the information and systems at those agencies. 
So, by having stores of Social Security numbers in a particular 
agency and they are not adequately protected, then that 
information can be stolen and used not only at that agency but 
can be used as an identifier for that individual at other 
agencies and indeed in the private sector as well.
    Just last year, in fiscal year 2016, agencies reported 
about 8,300 incidents involving PII to the US-CERT for fiscal 
year 2016. So it's a present problem.
    Ms. KELLY. How could the use of such an alternate 
identifier reduce the risk of identity theft?
    Mr. WILSHUSEN. Well, for one, it may limit the extent to 
which an alternative ID may be used to identify that individual 
with other databases at other entities. So it's an opportunity 
to limit the extent that that identifier can be used across 
various different organizations.
    Ms. KELLY. And you talked about in your testimony no such 
identifier was available. Can you expound on that?
    Mr. WILSHUSEN. Well, there are other identifiers but none 
that's universally as accepted and applicable as the Social 
Security number. We did report that, in certain instances and 
at certain organizations, including DOD and VA or VHA, they've 
started to use an alternate identifier other than Social 
Security numbers to provide their members and require one.
    Ms. KELLY. Despite OPM's failure to implement an alternate 
in 2008, the agency proposed a program unique identifier 
initiative in 2015 to provide an alternative way for 
identifying records in government systems.
    Mr. DeVries, is that correct? And can you elaborate on 
that?
    Mr. DEVRIES. Ma'am, could I get the last part of your 
question there?
    Ms. KELLY. I asked about the proposed program unique 
identifier initiative in 2015 to provide an alternate way for 
identifying records in government systems. And can you 
elaborate on that?
    Mr. DEVRIES. Yes, ma'am.
    So, again, going back to, from a program perspective, if 
you define a program as being a functional area of interest, so 
like say CMS, VA, DOD and some other ones, there are benefits 
and other things that must get reported and attributed back to 
the individual. When I was born, I got a Social Security 
number. I went up and I worked as a teenager. I went to 
college. I started in the work force. Along the way, I accrued 
these different benefits. But each one gets recorded in their 
own way. So, by uniting--and kind of going with what we talked 
about before with a ledger that says here's the program owner 
for this numbering scheme and we standardize the numbering, 
then you can reuse those things. And, again, just as he pointed 
out, we would not--if you lose your Medicare card, you lose the 
connectivity of what that thing represented in the Medicare 
business but not across the whole financial institutions and 
all the other ones.
    The challenge is, how do I work that thing not only at the 
Federal level at the agencies here but then down to the 
agencies that report into us and also to the State and local 
government things. Because everything is coded into these 
various programs, the Social Security Administration talked 
about the number system she has. They keep on exploding when 
you go down to the State and local government side of the house 
too. And all those have to be linked together there at some 
point in time. But I think we can take it one phase at a time.
    Ms. KELLY. I worked for the State of Illinois, and it was 
the same issue there. And I wonder, do States change it on 
their own one by one or how does that--do they decide to make 
changes? Because I think, before I left, they did make some 
changes because they had Social Security numbers on everything.
    Mr. DEVRIES. I'll let my esteemed colleagues talk here, but 
within the Department of Defense, where we have moved from 
moving away from Social Security numbers on all of our ID cards 
and so forth, that did not happen overnight. It came with 
putting out a standard, coming up with a schema, as we talked 
about, and then enforcing it.
    Mr. RICE. Thank you, Ms. Kelly.
    Mr. Mitchell.
    Mr. MITCHELL. Thank you, Mr. Chair.
    Mr. Wilshusen, let me start with you. One of the things 
that I haven't seen referenced here is the use of Social 
Security numbers and the hacking that goes on with the IRS. It 
probably won't surprise you to know that I--among how many 
million others of Americans have had their Security number 
hacked for IRS purposes.
    The solution to that was we'll issue a PIN number. So you 
get a PIN number mailed to you so you can file your taxes.
    Do you know what happened this year on that?
    Mr. WILSHUSEN. I understand that those PIN numbers were 
also compromised to some extent.
    Mr. MITCHELL. They were. So I didn't get a PIN number.
    I can only begin to describe to you the entertainment of 
trying to file my taxes, as well as I don't know how many other 
million of Americans, when in fact they don't have PIN numbers 
that will work either and they can't file electronically or any 
other way with their Social Security number.
    The reason I raise it is the point that Mr. Schweikert 
raised, which is, if, in fact, rather than independent agencies 
creating their own identifiers, a PIN number, all of the 
acronyms--I don't know if anybody is watching this or will 
watch this tape, but most Americans, their eyes will glaze over 
with acronyms--the private sector has a variety of approaches 
to creating an identifier, a token system. I'm shocked, at this 
point, there hasn't been substantial conversations as to why we 
don't set a centralized process so someone can trigger that and 
create a token for not only benefits but when they pay their 
taxes. Why is that not a more active effort at this point in 
time rather than individual efforts?
    Mr. WILSHUSEN. I think that's definitely a possibility. But 
I think you also touch upon the fact that these numbers, 
regardless of their provenance, if you will, need to be 
adequately protected by agencies in their information systems. 
And we have found traditionally that the security controls over 
agency systems need to be improved.
    Mr. MITCHELL. Oh, I wouldn't disagree with you one bit.
    You've got two issues. One is the user using their number 
and the agency securing it. And those are two separate dilemmas 
in the problem. But we seem to be making one harder by issuing 
all kinds of different identifiers, which in the case of the 
IRS, that was compromised as well.
    So what's to prevent being compromised, this additional 
effort we've made and all the money we've put into it, rather 
than have an encrypted token-based system that allows you to do 
that? And that technology has existed in the private sector for 
a fair amount of time. So I would encourage the agencies to 
begin actively, and we should talk about it further, Mr. Chair, 
about how it is we actually encourage doing something that is 
integrated that secures it to a token system that's encrypted. 
At least protects that end, the user end.
    If I can real quick, Mr. Oswalt, before my time runs out, I 
was looking through your testimony and listening to you--I 
returned a little late from the floor to hear everyone, and I 
apologize. There's some notations here that I guess troubled me 
a bit. VA is currently evaluating the elimination of Social 
Security numbers from correspondence.
    I'm trying to find a polite way to word my response on 
that. It's nice that they're evaluating that. How long does it 
take VA to evaluate that?
    Mr. OSWALT. Sir, since we began the SSN reduction effort, I 
mean, a number of correspondence and forms generally have been 
scrubbed. If there's a compelling business need for it, we 
would--it would remain. We have an SSN number review board that 
reviews things from a departmentwide standpoint. I can't attest 
right now--I can submit it for the record--what forms and 
letters, correspondence still has that. But as I said in my 
oral testimony----
    Mr. MITCHELL. I've only got a couple minutes. Let me ask 
for the record that you do submit the number of forms, 
correspondence, and what their purpose is and what their 
justification is for the record.
    Because I don't understand why it is on correspondence we 
are sending out, that we still put the Social Security number 
on there. And in fact, if we are putting the Social Security 
number, are we putting the whole Social Security number? My 
goodness gracious, guys.
    Question number two for you, you made a comment about the 
Social Security numbers still being on their wristbands. Now, 
my guess is everybody in the room has been in the hospital for 
one purpose or another or been to a lab, and you get a 
wristband. I haven't seen a Social Security number on a 
wristband in a medical institution in close to a decade, maybe 
7 years. Why in the world would you still put it on when 
they're hospitalized?
    Mr. OSWALT. There is a barcoded SSN that allows the 
clinician to talk to a machine to the barcode. So that's used 
as a form of patient identification and verification. As I 
think I mentioned in my oral testimony, there's a pilot at a 
number of VA sites underway where we're using the last four. 
Eventually, we'll move away from the full human-readable SSN, 
and the integration control number, the ICN, will replace that.
    Mr. MITCHELL. Thank you, Mr. Chair. I yield back.
    Thank you, sir.
    Mr. RICE. Thank you, Mr. Mitchell.
    Mr. Pascrell.
    Mr. PASCRELL. Thank you, Mr. Chairman. Thank you for having 
this hearing.
    Ms. Jackson, I sat on the Ways and Means Health 
Subcommittee. We had extensive conversations with the Social 
Security agency about the process for removing Social Security 
numbers from Medicare cards. Hearing again about this process 
is enough to make your head spin. At the time we had this 
dialogue, it was quite clear that Social Security, quote-
unquote, ``did not have the funding to do this.'' That's what 
you said to us.
    Now, can you explain how what seems like a pretty simple 
task of removing of Social Security numbers from Medicare cards 
can be such a challenge that CMS'--to the system that you use 
in terms of information technology? Tell me what's going on.
    Ms. JACKSON. Thank you very much for the opportunity to 
speak to that.
    We have, at CMS, been looking into the removal of the 
Social Security number from the Medicare card for a number of 
years. But it was not until Congress gave us the resources to 
be able to implement the system changes both in our internal 
systems and also in the data exchanges and the updates that we 
must do with the Social Security Administration, with the 
Railroad Retirement Board, who also use a HICN-based 
identification card, updating information in our internal 
systems as well as informing providers, healthcare providers, 
and Medicare beneficiaries about their need to use a new card 
when they both provide care on the healthcare provider side and 
for billing purposes and also when a beneficiary goes to 
receive care from their doctor or from their hospital.
    To move forward with implementation of the Medicare 
beneficiary identifier, we have made system changes over the 
past couple of years. We hit a major milestone this past 
weekend in assigning new Medicare beneficiary identifiers to 
all Medicare beneficiaries, which now will allow us to begin 
the testing process with all of our systems and our data 
exchange partners to then be able to mail the card and begin 
the transition period.
    We expect to have this completely implemented by April of 
2019, with the beginning of mailing of cards in April of 2018.
    The transition period for us is very important so that all 
stakeholders are able to receive the new MBI, submit bills and 
claims using the new MBI, and to assure that healthcare is 
still available and provided to Medicare beneficiaries.
    Mr. PASCRELL. The new identifiers will be the same number 
as the past?
    Ms. JACKSON. No. The new identifier, it's an 11-digit code. 
But it is an alphanumeric code that is randomly assigned--was 
randomly assigned when we did the enumeration over the weekend, 
and does not look anything like the current health insurance 
claim number.
    Mr. PASCRELL. So we've done it with some resources, and you 
proved it could be done, and the system will be complete in 
2019?
    Ms. JACKSON. That's correct.
    Mr. PASCRELL. Am I correct in saying that?
    Ms. JACKSON. Yes.
    Mr. PASCRELL. That's pretty big. And you're standing by 
that?
    Ms. JACKSON. I am standing by that.
    Mr. PASCRELL. Good.
    Ms. JACKSON. We actually will be ready to receive the MBI 
on claim submissions by April of 2018.
    Mr. PASCRELL. Thank you.
    Mr. DeVries, in your testimony--where are you? Oh, there 
you are. Am I pronouncing that correctly, sir?
    Mr. DEVRIES. Yes, sir.
    Mr. PASCRELL. You stated that it was difficult to 
completely eliminate the Federal use of Social Security numbers 
without a governmentwide, coordinated effort and dedicated--you 
said--dedicated funding. That's what you said, right?
    Mr. DEVRIES. Yes, sir.
    Mr. PASCRELL. Okay. Can you explain how OPM would use 
additional funding to try to achieve the goal of limiting the 
Federal Government's use of Social Security numbers?
    Mr. DEVRIES. In the case of OPM, where we exchange the 
important data between a Federal retiree with the Social 
Security and the IRS for tax purposes there, that underlying 
thing would still be coded and still be exchanging through the 
Social Security number. But, again, the communication that goes 
out to the Federal retiree benefit is a different number. We do 
in fact do that today for the retirement services, where you 
get a different control number when you become a Federal 
retiree. And that's how all action is tracked back to you.
    In terms of the money to change the systems, it is--we're 
operating systems today, and, just as CMS probably experienced, 
you need an infusion of money to do coding and other changes 
and testing, as you prepare this parallel highway, if you will, 
of how we're doing it there.
    Mr. PASCRELL. Thank you.
    Mr. Chairman, may I just add this into the record? I heard 
from one of our members--and I need to correct the record--said 
that the President's budget does not cut Social Security 
benefits. But it does. In the budget, it cuts Social Security 
disability by up to $64 billion. I think the record needs to be 
corrected. And maybe the Congressman who said it needs to be 
corrected.
    Mr. RICE. Thank you, sir.
    Mr. Hurd.
    Mr. PASCRELL. You're welcome. Thank you.
    Mr. HURD. Thank you, Chairman.
    Mr. Oswalt, I was confused by an earlier exchange. Do we 
know how many documents within the VA have the Social Security 
number printed on it?
    Mr. OSWALT. We know what we know right now. It's an 
ongoing, expanding effort. There is a Social Security number 
reduction tool.
    Mr. HURD. I get that. So, correct me if I'm wrong, there's 
a bunch of forms that the VA sends out. We should know how many 
those are. One of the data elements on that form is Social 
Security. Why does it take years to go through each form and 
delete that data element or not show it on the underlying form?
    Mr. OSWALT. Sir, I would have to submit for the record the 
history of why it's taken so long. But there are a number of 
instances where it's in the----
    Mr. HURD. Ms. Jackson, how many forms does your 
organization have that print the Social Security number on it?
    Ms. JACKSON. With the implementation of the Medicare 
Beneficiary Identifier, we won't have any forms that will issue 
the Social Security number. Over the past couple of years, we----
    Mr. HURD. So you're saying 2019 is when we're going to be 
successful in achieving that. Again, we currently, right now, 
there is X number of forms that produce, when they're printed 
out, on that form, it includes the Social Security number, 
correct?
    Ms. JACKSON. No, sir. I'm sorry. I should have been 
clearer. Our correspondence with Medicare beneficiaries, we 
have truncated the Social Security number on all of that 
correspondence, with the exception of one document, which is 
our Medicare premium billing form. That still does include the 
health insurance claim number. I'm sorry. I can't remember if 
it is truncated. That will be the document that will be 
replaced with the MBI when we implement.
    Mr. HURD. Great.
    Ms. LaCanfora, how many forms does your organization 
produce that has the full Social Security number on it?
    Ms. LACANFORA. Currently, we send out about 233 million 
notices or forms of correspondence each year that still have 
the Social Security number.
    Mr. HURD. Is it that many unique, or is it five different 
kinds of correspondence?
    Ms. LACANFORA. There's over a thousand separate types of 
notices.
    Mr. HURD. So we have a thousand documents, and one of those 
elements, when it gets printed out, is Social Security number. 
Why can you not just delete that when you run a batch?
    Ms. LACANFORA. So we have deleted the number or removed the 
number and replaced it with a beneficiary notice code on over a 
hundred million notices and we have another 42 million that 
we're doing in fiscal year 2018. The challenge that we have is 
twofold. One is that there are 60 separate disparate systems 
that produce those 1,000-plus notices. So the resources needed 
to make the changes are significant.
    Beyond that, the other significant issue or challenge that 
we have is that the Social Security number was created to do 
business with our agency. And so, when we mail out a notice to 
someone and they, for example, are being told that they have an 
overpayment, they might pick up the phone and call us. And we 
have got to be able to quickly identify who they are and what 
their issues are.
    Mr. HURD. Mr. DeVries, Estonia has done this. Estonia has 
moved to a system where it is a tokenization. Now, they're 1.3 
million people, so the size of my hometown of San Antonio. A 
little bit different. But they've achieved the ability to have 
this interoperable number across all of their government 
agencies. We've talked about tokenization here. In your role 
with OPM, what do you need--ultimately, it's a shared service. 
And how do we implement a shared service at OPM when it comes 
to an identifier across all the Federal Government?
    Mr. DEVRIES. Chairman Hurd, that's a great question. I'm 
not sure the exact answer, because what you're talking about is 
through the token and the bitchain type technology and so 
forth. That's the one I think that we need to work with 
industry closer on and bring that to the Federal Government 
side of the house, because it's not the same thing as it is on 
the industry side of the house. I'm desperately trying to reach 
out there for it. We're still stymied by how do you bring that 
technology in and infuse it into--it's really our application 
systems. It's not our hardware systems. It's the applications 
that are writing it and changing that.
    Mr. HURD. Mr. Wilshusen, in the last 30 minutes of my time, 
you reference legacy IT being a barrier. What do we need to do 
in order to prevent that from being a barrier?
    Mr. WILSHUSEN. Well, that's one of the problems in terms of 
with legacy systems. Often they may not be able to handle newer 
numbers. And so, in order to be able to do that, it requires 
significant system change or modification.
    Mr. HURD. I yield back, Chairman.
    Mr. RICE. Thank you, sir.
    Mr. Lynch.
    Mr. LYNCH. Thank you, Mr. Chairman.
    I thank the witnesses for your help with the committee's 
work.
    Mr. DeVries, back in 2015, I think it was July, OPM 
disclosed that its information technology systems had 
experienced a massive data breach, compromising the Social 
Security numbers, names, addresses, background information, 
birth dates, and the background investigation records for about 
22 million people who had applied for sensitive positions with 
the FBI, CIA, NSA. And we had a hearing subsequent to that 
breach. And I actually asked your predecessor, Ms. Archuleta, I 
asked her if she was even taking the most rudimentary steps to 
protect Social Security numbers; are we even encrypting them 
within the system at OPM? And I was very sad to hear her 
testify that, no, at that time, in 2015, we were not 
encrypting. And I urged them to do that.
    Then, a year later, we had a followup hearing with Ms. 
Cobert. I think she had some operational responsibility there. 
I asked her the same question a year later if that job was 
complete. She testified that, no, it was not complete.
    And so we come full cycle here, and you're here. And I got 
to ask you: Now, Ms. Cobert said our system did not allow 
encryption of Social Security numbers. And I just want you to 
tell me something good. Tell me that we've encrypted these 
Social Security numbers. You know, it would be laughable if it 
wasn't so serious.
    Mr. DEVRIES. It is serious.
    Mr. LYNCH. I read an article last Sunday in The New York 
Times where a bunch of our sources in China are being killed 
off, either killed or imprisoned, U.S. sources, foreign 
intelligence sources. And, you know, I gotta think that--well, 
that hack was attributed to the Chinese Government. The hack 
actually came after--at least we found out about it after many 
of these people were executed in China for cooperating with the 
United States Government. They were shot as spies or imprisoned 
as spies. But you see, especially with sensitive information 
like this for secure positions, we're really exposing our 
personnel, our intelligence officers, and anyone who cooperates 
with them to grave, mortal threat. And so we've really got to 
step up our game here.
    So let me go back to my question. Are we encrypting these 
Social Security numbers?
    Mr. DEVRIES. Representative Lynch, yes, we are. Regarding 
the background investigations records incident, I have all the 
databases that contained the Social Security numbers and other 
PIs encrypted, with the exception of one database that resides 
in the mainframe, which is now sitting behind other security 
controls and detection systems. And that is scheduled for 
completion, which is a little bit more of a challenge because 
it's on the mainframe, to be completed this calendar year.
    Mr. LYNCH. Okay. So we had this hack about 10 days ago, 
this ransomware attack. It was basically not stealing our 
information, but preventing people from utilizing that. Most of 
the impact was overseas. They tell me that that was because 
many of the--much of that software was bootlegged software, 
that Microsoft Windows--well, they bought it bootleg so that 
the fixes and all that were not available for those people. But 
are we--do you feel that we have major vulnerability from that 
type of hack as far as our user population goes?
    Mr. DEVRIES. Sir, I would say yes. And I think that's the 
lowest common denominator that we all got to take steps to keep 
on educating, both the families at home as well as the 
workforce itself. Within OPM, there was no choice. Their 
systems are patched. That's a call that the Director supports, 
and I make it as the CIO, and I think that is the right 
approach to take, just as you would in any kind of corporation 
there.
    Mr. LYNCH. All right.
    Mr. Chairman, thank you for your courtesy. I yield back the 
balance of my time.
    Mr. RICE. Thank you, sir.
    Ms. Sanchez.
    Ms. SANCHEZ. Thank you, Mr. Chairman.
    And I want to thank the witnesses for being here with us 
today to talk about this important issue.
    Identity theft affects over 12 million Americans per year, 
and it costs the victims just over $350 on average. That's on 
average. You hear cases of it taking people years and a lot 
more money to sort of get it straightened out. And I've been 
one of those people that have, unfortunately, been a victim of 
identity theft.
    Social Security numbers and other personal information, 
like dates of birth, are--that information is very coveted by 
hackers who steal that personally identifiable information from 
breaches of the Office of Personnel Management, from health 
insurance companies, the United States Postal Service, and even 
retailers like Target. And while I'm encouraged with the Office 
of Management and Budget's initiative when they issued the 2007 
memo calling for agencies to reduce collected and retained 
information and to strengthen the security of sensitive 
information, these recent hacks show that OPM and other 
agencies are still fundamentally very ill-prepared, and many 
Americans' sensitive information is still very vulnerable to 
attack.
    That's why, you know, reducing the superfluous collection 
and retention of Social Security numbers is so important. It's 
troubling to see that, after 10 years, Government 
Accountability Office reports show that only 2 of 24 agencies 
examined met the requirements for a complete plan to reduce 
unnecessary usage of Social Security numbers. And it's even 
more troubling that the Office of Management and Budget has 
provided very little guidance to agencies to help with the 
transition. In addition, to exacerbate matters, the President's 
budget proposal guts agency personnel and operating budgets, 
further limiting their capacity to protect information and to 
improve their systems.
    Whether it's a lack of funding or a lack of guidance, 10 
years after the issuance of the memo, we should be in a better 
position to safeguard Americans' personal information.
    And I know--I recognize that there are clear barriers that 
agencies face in reducing the collection of Social Security 
numbers. For example, in many cases, States mandate the 
collection of that information. I just wanted to note, before I 
delve into questions, that I think it's interesting that today 
we're discussing the progress of agencies to reduce the 
collection of Social Security numbers when tomorrow this same 
committee will be marking up a bill to add a new requirement on 
an agency to collect and verify Social Security numbers. So, on 
the one hand, we are saying, ``Don't collect them and don't 
collect them superfluously,'' and then, on the other hand, we 
are going to be mandating the collection of that information. 
And I think it's both ironic and hypocritical of us on this 
dais to be doing both things.
    But aside from that comment, Mr. DeVries, in the GAO's 
report, it mentions that OPM proposed using an alternate 
Federal employee identifier but withdrew that regulation 
because the identifier wasn't available. What are the barriers 
to creating a new identifier for Federal employees or for 
agencies to use in their administration of benefits?
    Mr. DEVRIES. Representative Sanchez, thank you for that 
question. Again, I think the complexity or the barriers to 
overcome here is the size and complexity of the government. 
Just as the witnesses here at the table represent a few of the 
agencies, every agency really has a collection thing that kind 
of ties back to an individual and the benefits that get tied to 
it, whether it be their pay, their benefits, medical and so 
forth. How do you then create that architecture--and again, 
going back to what Chairman Hurd talked about, you would have 
to have that architecture in hand as you begin to even talk 
about the token to use or the other bitchain type stuff. How do 
you then promulgate that down? My colleague to my left here 
talked about how they rolled out the whole Medicare new number 
there. It is not done overnight. It's a process. It's based 
upon the architecture there.
    Ms. SANCHEZ. And cuts in funding, how does that affect the 
ability to protect sensitive information effectively?
    Mr. DEVRIES. So, in every agency, there is probably just 
enough dollars to make that go. When I am going to try and do 
something else, I have got to have that infusion to create 
something that goes alongside what I am currently operating and 
bring in something new. And I must turn off what I just got rid 
of.
    Ms. SANCHEZ. Would you say that right now you are operating 
with the very best equipment that money can buy?
    Mr. DEVRIES. No, ma'am.
    Ms. SANCHEZ. Would you say that the equipment that you have 
to work with, on a scale of 1 to 10 in terms of modern and 
efficient, where would it lie on that scale?
    Mr. DEVRIES. Ma'am, I would say, from an overall 
architecture and operating perspective, I would say it would be 
about a 0.3 or a 0.4.
    Ms. SANCHEZ. So further budget cuts not necessarily helpful 
to rectifying that?
    Mr. DEVRIES. No.
    Ms. SANCHEZ. Thank you. No more questions.
    Mr. RICE. Thank you, Ms. Sanchez.
    The Federal Government needs to ensure it is doing all it 
can to protect Americans' identities and that Social Security 
numbers are not being used unnecessarily. While progress has 
been made, based on what we have heard today, there is still a 
long way to go.
    Thank you to our witnesses for their testimony.
    Thank you also to our members for being here.
    With that, the subcommittee stands adjourned.
    [Whereupon, at 3:35 p.m., the subcommittees were 
adjourned.]
    [Questions for the Record follow:]