Key Capitol Hill Hearings (CSPAN), November 19, 2013, 9:00pm-11:01pm EST

9:00 pm
error rate from 6 percent to below 1 percent, and you have cut the average wait time for page loading from 8 seconds to 1 second. what do the improvements look like to the average user?
>> they are transparent to the user, and the user gets to the task of filling out information and finding out if they are asking for a premium tax credit, and they are calculated timely, and proceeding in the application so they can apply some or none of the tax credit, so they can look at the offsets and what the final premium should be, to go through the process in a speedy fashion
9:01 pm
compared to what they experienced on day one.
>> has the website maintenance improved?
>> yes, they are used to make the changes you have heard about. ...
9:02 pm
>> even ahead of what Massachusetts was. as people got closer to the deadline, the "L.A. Times" reported that a number of states that use their own systems are attracting enrollment targets for 2014 because of a sharp increase in november. California enrolled 31,000 people in private plans last month, nearly double that in the first two weeks of this month, and several other states are outpacing their enrollment estimates, and Minnesota enrollment was tripling the rate of the first half. we see an acceleration, even in the federal marketplace; "the New York Times" reported that this is double the private plan enrollment in the first two weeks of november.
9:03 pm
and we are seeing improvements, and the increase of people going back on the site successfully is a very encouraging situation. rather than just attack the health care law and undermine it, we ought to try to make it work, and we are anxious to make sure that you do your job and the website and all of that gets to be working. call upon us, because we are able to act in that regard.
>> the gentleman's time has expired and you are now recognized for five minutes.
>> thank you, mr. chairman. thank you for being here. in response to one of the questions about this, about a breach in the system, you responded that you cannot talk about it without a classified briefing. did i hear you correctly?
>> that is, if i was so instructed by her department.
>> very well, i would like to ask that a classified briefing
9:04 pm
with the bipartisan staff occur. may i have your commitment on trying to make that happen?
>> yes, sir.
>> okay, so the much talked about red team discussion document from "the Washington Post", which you have not seen, and i appreciate that. you were interviewed in response to the question, and this includes those who are dialing in.
>> yes, approximately in the april time frame.
>> the timeframe that this is being developed. do you recall what you talked about?
>> i think primarily what i was intimating to the McKinsey team, it was a schedule challenge because we had just started the QHP submission and, working with the issuers, they were very nervous.
9:05 pm
>> what is QHP?
>> qualified health plans, and i apologize.
>> no problem.
>> during that month, it was a rapid process to collect all of the qualified health plan data that you see on healthcare.gov as well as in the state-based marketplaces, and i was remarking on how that is unprecedented, to only give an issuer that amount of time to submit the data, and we needed to make adjustments in the windows so that they could come back in and make corrections. yes, that is an example of what i talked about in terms of schedule challenges that we were trying to undertake, something large-scale and fairly complex compared to what has been happening in the landscape today. but this was new and we were working on a short timeframe.
>> yes, those are legitimate concerns. on page one of this document, it
9:06 pm
highlighted that the working group determined that extending this should not be part of the analysis and therefore worked with a boundary condition of october 1 as a launch date, and it didn't matter what the conditions on the ground were. come heck or high water, october 1, we have to go live. quite frankly, were you given that impression by anyone on your team as you worked through this?
>> not necessarily characterized in that way.
>> my time is limited. who would have made a decision like that? that it does not matter. like the old saying, that it doesn't matter anyway. but who would make a decision like that?
>> i think the decision ultimately is made by a team of folks, and she works with the administrator; she set the
9:07 pm
deadlines for my work.
>> some of the people that were referenced, people who have had discussions in the white house building, people like these, do you know if they were involved in these decisions?
>> i cannot speak to that.
>> have you been in meetings with them?
>> yes.
>> could you characterize those meetings?
>> the ones that i remember were dealing with coordination with the IRS on the federal tax information requirements and security protections and the Privacy Act.
>> at any point during those meetings, were there concerns that we may not be ready, trying to integrate all of these parts by october 1?
>> not in that context.
>> in any context?
9:08 pm
>> concerns about whether agencies are working together, but not really in the context of october 1.
>> one of the other things that keeps coming up repeatedly in this report is that there were evolving requirements and not a consistent plan. there were multiple definitions of success, and in spite of all the concerns brought up by the report, it must launch at full volume, and it almost sounds like a recipe for disaster. what does that mean? you are changing the definition as it goes along. you're not allowed to change the date. and you have to launch it at full volume, and that's a tall order, isn't it?
>> it is.
>> how does it make you feel to know that there is this kind of a report out there and that other people know about it, people in the white house, within the agency, and you have been the primary point man out there and nobody discussed it with you. how does that make you feel?
9:09 pm
>> i'm actually not terribly hurt or surprised, exactly. the information contained within is something that i live on a day-to-day basis to try to deliver a working system.
>> you're playing into everyone's worst fear of what it's like to be in the bureaucracy. let me ask you this. one of the things brought up in this report is that there's not a single implementation leader. do you feel, during this time, that there has been a single implementation leader you could look to for advice and direction through this?
>> i think i looked to several because of --
>> name one of them.
>> okay, we need to follow up on that. we will submit those questions for the record.
>> we now recognize Mr. Green.
>> thank you, mr. chairman. i have concerns and questions about healthcare.gov.
9:10 pm
but i just wanted to say it's frustrating for those of us on this side of the aisle who supported it and worked a lot of times on the drafting of different versions of the Affordable Care Act to see what has happened with the rollout, and that is what we need to deal with. having been here through the prescription drug plan for seniors, that is the way you can get to the numbers that you really need. so hopefully that will happen. but the law is still there. last saturday in our district, we had the numbers of uninsured folks in the country and our congressional district; 42% of our constituents don't have insurance from an employer. so they would not be qualified to go through the ACA. and we actually tested it by paper, and i have to admit that i can't remember one like it, except when medicare was rolled out. and let me give you this.
9:11 pm
and the secretary later said that we actually had 800 families show up on a saturday morning and sign in, with multiple attendees per family, and nearly 300 people set follow-up appointments with a navigator, and we had 88 of the certified navigators there, and we don't know how many applications were completed because the numbers are being tallied at HHS and the regional office out of Dallas. there are people who want to do it. if we have to do it by paper, we will do it. that's a frustration that we have. we want this to work because there are millions in the country that need this. the majority in the house may not understand that. but in our district they do. and i don't know if you have a comment.
>> i think that we take to heart the matter, and i think that everyone working on this is absolutely serious about improving this experience because we know that in
9:12 pm
districts like yours, there are a number of people who need and want to enroll and use this benefit. so we are certainly working very hard to make that happen.
>> with that success, there's a lot of smaller successes as well. and this includes working with media companies to maybe get the message out. i have a question about healthcare.gov. the important goal that we both share, part of the success of this portal, is that people can access the care when they need it, and part of this goal requires federal and state exchange security so the american people can trust their information and privacy won't be compromised. how is the data hub that enrolls applicants and processes them different from those used by other agencies, such as social security or the IRS?
>> how is the data hub different?
>> yes, from the other agencies that already have theirs up and
9:13 pm
running ways. >> i think what makes it different is the ssa is the eligible agency for medicare. so every night the field offices no data about this into the medicare program and we have received a very large file from them every night of the process for two to three hours to update our systems so that providers can see the new medicare beneficiaries in the system. that is lots of data moving between two organizations and it is stored and time intensive. the data services hub goes out for a request of that data and it reads the data where the source says that it transfers the back to the sequestered in a secure fashion and does not remember the contents of the data. it facilitates that without moving massive millions of records of data all at once all
9:14 pm
the time every day. it only transfers what is needed to get the job done.
>> we have gone through two medicare enrollment changes with the internet, when we shifted from having to go to the social security office with paperwork, and you can do it online now.
>> yes, yes.
>> i assume that there were glitches when it first started.
>> yes, yes, of course. we didn't have a deadline for a rollout or things like that. it was built up over time; we had time to problem solve. and we didn't have that time.
>> i still remember in the '90s, we put up the electronic benefits statement and after a few months, we had to take it down and it didn't come back till a few months later.
>> thank you, mr. chairman.
9:15 pm
>> the gentleman from Louisiana.
>> thank you, mr. chairman. i appreciate you having this hearing. and i appreciate you coming to testify before the committee. we have had hearings like this trying to find out how the rollout was going to work, and we have gotten testimony time and again from the administration that the rollout was going to be fine. i think that what is frustrating is when this report came out, it is a report that really chronicles the problems that were happening months ago in march and april, at the same time that administration officials were telling us that things were going to be fine, saying that everything would be fine when october 1 came. there are many things that trouble me. but first, you say you haven't seen this report, and i have read through it, read through a number of these items and things that are pointed out in the report that they were telling to
9:16 pm
somebody in CMS, and these are things that should have been just basic testing requirements. i used to write software, and i actually wrote test plans, and many of these are just basic common sense things, and if we made a one-line code change, we would test that over and over in multiple ways, let alone major changes. what this talked about was chaos at CMS and nobody in charge. they talk about the fact that you had multiple people making multiple changes to the system just weeks prior to the rollout without testing. did you have a test plan? whether or not you read this report, were you all making changes -- big changes all the way through and retesting any of those changes, or just saying that they told us october 1, roll it out no matter what?
9:17 pm
>> you've asked a lot of questions, so let me try to recall how to address them. i think that certainly, yes, if you have experience in the software development community, you have to have the requirements before you can have good test cases with which to run the tests, and i think it is a dynamically changing environment in which, if we had more time, the time would've been devoted to solidifying these requirements and translating them.
>> there were three years. this is something that got put on the desk. the law passed and was signed into law in 2010. there was a lot of time to prepare for it. the major requirements were changing weeks before, some of them for political reasons by the obama administration. so you can't just say that we just didn't have enough time. somebody -- somebody in that, it wasn't you, it was -- who knows who it was.
9:18 pm
it's somebody making these changes and saying let's make big changes, untested, because we want to roll this thing out no matter what.
>> having the written test cases, we know that the requirements come from the business side or the policy side. they are subject to change.
>> but the law did not change. the law was passed. for three years that law did not change; the law was there. we do have those requirements. to make changes in requirements come he also want to make it in her testimony.
>> the law is a high level of expression and you certainly can't develop code or test cases from it; there need to be significant amounts of change into lower-level details. you take those requirements and translate them into test data to exercise the system, as well as build the system.
>> they talked about the contractor having received absolutely conflicting direction
9:19 pm
within CMS, and that is not a requirement change. one person says this and another says something different. that is chaos within the obama administration, where they are changing things, multiple people are changing things, and changing the instructions to anyone.
>> i can't speak to how they characterized it. we have these requirements, and the exchange requirements and oversight requirements, and then we have this report that lays out what is going on. reports are being briefed to people in the white house, and president obama didn't know
9:20 pm
about it, in which case people directly under him knew this thing would be a disaster and didn't tell him, or the president was misleading people anyway. either way, the president knew about this, or his reports at the white house absolutely knew about it. and this was just like buying a tv from amazon, that is what the president said. if someone right underneath him knew this, and they didn't tell him, he ought to go and fire those people, every single one of them, or hold them accountable, if he didn't know about it. and we will see what the president says.
>> can you just clarify an answer you gave to the gentleman here. you said something about, with more time you would've done more testing, or something along those lines? you would've liked more time?
>> i think that's what i mean by
9:21 pm
there is a schedule challenge where you're trying to maximize the time you have left as you are trying to extract requirements from policy that is being finalized. the longer it takes, the longer it takes to translate.
>> we now recognize the gentleman for five minutes.
>> thank you, mr. chairman. i want to follow up a little bit on the line of questioning, whether you had three years to prepare for this. what was the deadline for the states to decide about doing their own exchanges or the federal exchange?
>> i think that the time frame was the end of 2012.
>> and what was the deadline for those to decide if they would enter into a partnership with the federal government?
>> i believe it was the end of
9:22 pm
april 2013.
>> CMS did not have, and there was probably no way to guess three years ago, that only 14 states were going to set up their own exchanges. it was in the anticipation that far more states would do their own exchanges?
>> we were hoping so.
>> so it wasn't until this year that they understood the magnitude of the volume of work that the website was going to have to accommodate.
>> yes.
>> and that is a clear binary description.
>> we are talking about two separate issues. and there is some kind of outside attack. and i don't know why anyone would want to attack the federal exchange.
9:23 pm
and this includes information that has been there about now. and i think that's one thing we are most interested in here. and there really isn't very much information on the website that would be considered private in nature. and are people who are working with the exchange now subject to, or vulnerable to, more of a breach of their privacy than they were under the old system, when insurance companies had pages of health information, including every doctor they had ever visited and every medical procedure they have undergone over a certain period of time? and would you say that was over
9:24 pm
this over the federal exchange.
>> this includes health information that was involved in that process.
>> i think there was a worry that there would be a security problem, and no evidence then, and there hasn't been any evidence presented. i am glad about that. and this includes those who would be participating more actively. the press reports have said that the administration said that 80% will be able to get on the site and smoothly sign up and enroll for health coverage as of the end of this month, and that doesn't mean that the remaining 20% would not be able to access affordable
9:25 pm
quality health insurance.
>> i can't speak to the exact percentages, but i think that there is a recognition, whether it be healthcare.gov or any system, if you walk into a field office, how many people can actually get it done in one visit; that is for the greater majority of people. and this includes navigation of the process, and i think that that has been probably what is being referred to.
>> and as of last friday, 38,000 Kentuckians are enrolled in health insurance and 41% are under the age of 35, and over
9:26 pm
452,000 visitors, and i think that most importantly over a thousand businesses have actually begun the process of signing up and over 300 have actually enrolled and have been qualified to offer coverage, so Kentucky is doing well and i hope the federal exchange will do just as well.
>> the gentleman yields back.
>> the chairman asked this as well, and i believe you said you would've liked to have had more time for the testing. did you request more time from anyone?
>> because i was given a target of october 1 which i had to
9:27 pm
stay on schedule for.
>> what did you believe for october 1?
>> i believe we did everything we could to make sure that the right priorities were set.
>> do you believe the system was ready october 1?
>> it was. it wasn't performing as well as we would have liked.
>> we did deliver this system, was part of it.
>> you said this was part of the rollout?
>> i think that there are problems and defects.
>> and it doesn't seem to be recognized how serious the failure of the rollout has been, so here we are. one of the concerns we have is making sure that personally identifiable information for those who sign up is protected.
9:28 pm
and on the report that you have, page 11, i'm going to get you to take a look at that in this report.
>> okay.
>> at the bottom of page 11, it says that CMS has options that could be implemented to help mitigate the risks, and at the bottom it says name a single implementation leader and the governance process. has there been a single implementation leader named?
>> i do not think that is the way it has been characterized before, but i think --
>> that is not saying that she is supposed to be the single implementation leader there. so is that what we got?
9:29 pm
>> i hadn't seen that until this minute.
>> and i went to the healthcare.gov site, and to get to the report fraud or marketplace page it takes a couple of steps; this would need to be addressed. but if you look at this, it says report suspected fraud in one of two ways, and it lists a breakdown of one way, which is to use the federal trade commission's online system, and i tried, and that was not very successful. and this includes the federal trade commission telling you
9:30 pm
more about this. and this includes the call center, so if you are the victim of that, who would you call under that scenario?
>> this includes the marketplace call center if you are in a federally facilitated marketplace.
>> and this includes how you handle this appropriately. what does that do, and whether there has been an identity theft?
>> i think there needs to be some analysis and collection of information to make sure what type of situation occurred and make a decision going forward.
>> this is a critical matter.
>> i think that it is a situation that is dependent, and
9:31 pm
i really can't -- i am not comfortable.
>> you had said earlier that steps are being taken for unauthorized access, if they really get in in an unauthorized manner, and what protections are safeguarded and put in here with navigators, as there has been no background check, which was required in the state, and how has that been handled?
>> when we issue this, for example, we sign this with a state, that there are rules of behavior and certain requirements with signing that agreement.
9:32 pm
>> i have to check on that.
>> okay.
>> thank you, you have five minutes.
>> mr. chairman, thank you. have any of those happened?
>> when someone was maliciously using that, would that be a problem?
>> can you repeat that again?
>> if they were using information in a way that they were not allowed to use it, would that not be considered a crime?
>> yes.
>> and i would hope that this committee would be a part of the effort to prosecute anyone that is hacking this website. it wasn't too long ago that this committee had this, and there was
9:33 pm
-- there were some of my republican colleagues encouraging citizens of the united states to sign up for Lifeline with a website, and the accuracy of what the program was about. and the website was taken down, and in this committee we are looking into the matter. and it appears that this data was being collected. i think that we need to be careful with how we are doing that. we need to get to the facts of what is happening. with that being said, two things. there is a GAO report, it was reported,
9:34 pm
a GAO report entitled "cybersecurity threats impact the nation", and i would like to ask for this.
>> this includes the homeland security department talking about the nation's threats, and the intelligence community and homeland security and the white house and members of congress. this has been talked about. and the article describes the analysis conducted in 2013 by McKinsey and Company that identified potential risks for healthcare.gov, and the report showed this as well. did you see the report at the time it was published in march and april of 2013?
9:35 pm
>> no.
>> is it fair to say you're not the best person to comment on why the report was done and how CMS has handled the findings?
>> yes.
>> i raise this because it illustrates a number of problems, and in particular the perception that was created. this includes finding the facts, and i surely hope that that is not the case, and i believe that not to be true. but we need to work together to get to the bottom of this. and so with that being said, what efforts is the department of health and human services undertaking to address the ongoing threats?
>> we have listed it as part of our strategy: daily and weekly security testing, which is something that we always do, more frequently. and this includes the trust and
9:36 pm
confidence that we have obtained from people to come and use the site.
>> is this coordinated with other agencies to maintain the website that will also gather personal information?
>> i think that we work with all of our key partners that are connected to the hub to make sure that we function in what we call a harmonized privacy and security framework, and along with the states, that we have a process and program in place to handle certain situations in which there are incidents that need to be managed, such as potential data breaches, so we have a program and policy in place and coordination across this.
>> okay, with that, mr. chairman, i yield back my time. i just hope that it is very -- to the president, that
9:37 pm
we are not happy with the rollout right now. we need to get this working; there are too many vulnerable americans who need access, and we need to get them coverage. and i think it is a great step forward that no longer will individuals have to report the kind of illnesses that they have had in the past so that they can get care in the future.
>> the gentleman yields back. without objection, we are submitting it to the record. we recognize the gentleman from Colorado.
>> thank you. we recognize it's a difficult time for the committee today, and the last time that the industry met with him to discuss solutions that may be possible in light of the debacle, have you had any conversations about changes you can make to healthcare.gov to assist the insurance industry?
>> as a part of a strategy. i haven't spoken to the issuers; they are part of those meetings, but i think that as part of a
9:38 pm
strategy we have the experiences of consumers, and that involves the key third parties that are part of this, the agents, brokers, and working with issuers to fix aspects of the system to make it work.
>> have you had any discussions about this, the ability to directly enroll, you or anyone in your agency?
>> we have direct enrollment built into healthcare.gov as part of that, to accommodate that.
>> the feature has been turned on or not turned on?
>> it was not working well, like many other things. but we have been performing this and optimizing this with issuers to get direct enrollment.
>> only in terms of the result.
9:39 pm
>> there is a series of security handoffs as well.
>> that is a yes.
>> yes.
>> i thank you for that.
>> going back to the question, would that happen in the future, to that question, and giving direct information about vulnerability?
>> it is not direct access. it is by the applicant, and this person has been given authorization or a consent to work with them.
>> it is a yes as well?
>> they will be getting this information on subsidy access. they'll get a calculation. that is from the marketplace.
>> only as a result of the
9:40 pm
marketplace and in that data, and not touching that eligibility data themselves.
>> you have been reviewing this; it was not completed, as we discussed here. what portion remained to be created when it launched on october 1?
>> i don't have an exact percentage. i think that some have asked about this and i looked at it in terms of the marketplace system.
>> you have talked about this?
>> i think it's a set of those that need to be a part of it. you have to authenticate the individual; that is a key function.
>> 50%, 40%?
>> i think it is -- it's an approximation, we are probably sitting between 60 and 70%, because we still have to deal
9:41 pm
with this and we start to build the payment system.
>> that still needs to be part of it.
>> the online application, verification, getting enrolled, that is 100% there.
>> we are 60% away from being complete.
>> the accounting system, i'm not sure if.
>> these are still being built, and how are they going to be built?
>> is it difficult to review this while they are operating?
9:42 pm
>> it is pretty difficult; it is in a version.
>> no, it doesn't involve us.
>> we are trying to derive this came in, and that doesn't affect the health care operations.
>> how long do we have to test that?
>> that depends on this.
>> is it appropriate, given the performance of healthcare.gov, to launch this before they go live?
>> we are testing this.
>> mr. chairman, i have several other questions, and i thank you for your time.
>> thank you. we now recognize Mr. Welch for five minutes.
>> thank you for the hearing. there is a mutual desire to get this to work.
9:43 pm
and one is to fix the rollout, and the other is to use it to relitigate the battle over the law of the land. and i know that that is your job. we had a big battle in this congress, and i was not here for the passage of Medicare Part D. it was a largely partisan vote, and most of the democrats were against it, in a very tense vote. and it also required a computer program and a website.
9:44 pm
and there were concerns about having it work, and i just want to ask you a little bit about that history so we have this today. not at all as an excuse, because there is real unity about needing to get this fixed. but whether the actions that we take are about getting this fixed or trying to derail this with the overall health care program, the american people will have to judge. but can you give us a sense of what was going on inside the agency when you were preparing for the Medicare Part D website in 2005, and were there concerns and issues that needed to be addressed then?
>> the biggest and most prominent example that i can recall was the concern around the auto-assignment and auto-enrolling of medicare and medicaid dual-eligibles to receive a Part D
9:45 pm
benefit and switching them over as of january 1, and we had sent these out to the sponsors around november, and there was a realization that pharmacists and pharmacies helping these beneficiaries required some access to information to help them navigate this new change. and we scrambled and we developed a method for them to actually get authorization to the enrollment data for the dual-eligibles that are enrolled. at the point of sale, they could not do things such as just
9:46 pm
figure out what plan they might be in.
>> that's an example that i recall of a mad scramble, time crunch, and lots of, you know, working on the clock and pushing many people, not just on the contractor side.
>> it's not so much a technical issue when you introduce a new business process. and this is part of the administrative aspect, and people are talking about the data system that is involved to support that, and it's more than just a technical issue.
9:47 pm
and as we ultimately succeeded with this part of medicare, we can succeed in terms of the technical website issues with healthcare.gov.
>> certainly. i think it comes with being focused and driven to get at the root of the problem, and it is very solvable. and we have shown that.
>> okay, thank you, and i yield back.
>> the gentleman yields back. the gentleman from Virginia, Mr. Griffith.
>> we did auto enroll this.
>> this is a different animal than what we are dealing with now because a lot of americans are being told they can't have their insurance and they will
9:48 pm
have to sign up for the exchanges?
>> yes.
>> one of the things that is a symptom of the problems that this website has had is that you were not included in the briefings on the report that has come to light in the last 24 hours. and one thing is that they thought there ought to be one person overseeing all of the different parts, and this includes those who testified before the committee. another part shows us that on a timeline you really want to have your policy requirements prior to finishing the design. would you agree with that?
>> that is a wonderful thing to do.
9:49 pm
and they were changing policy and we know that all of a sudden the president signed the executive order and they delayed the employer mandate and we know from testimony that there were changes being made as close as two weeks before. and that would be part of the significant problems, wouldn't it? >> with the luxury of hindsight, i can see that there are contributors in the way the system was unveiled. and i need to focus on fixing the thing. >> correct. >> when you are still defining this policy requirement, it is
9:50 pm
very difficult to design and then to build and test a system, whether it is the security component or the performance component, and you would be free to answer that honestly. when you are in charge of this and making part of this work, it looks like there were at least six different representatives from different agencies that had a hand in overseeing what was going on and no one had control over the other. >> a governance committee was formed. >> okay, isn't that interesting. and sometimes when you have a big project you have to have one product.
9:51 pm
wouldn't that be logical. >> i would say that for the technical pieces i was responsible for making sure that the technical pieces were organized. >> they said that healthcare.gov launched without a full assessment. and she was aware that this was once considered a security risk. can you tell us about that recently? >> i think that the incomplete testing was fully secure through three rounds of testing so when we saw the findings it had no findings and had gone through the appropriate security test as well. >> okay, so you didn't -- so what she said was not accurate? that it had -- that it did not
9:52 pm
have a full security control assessment and she was mistaken? >> there is a part of that that might be a part of this for clarification and i think that what we are trying to say is that the security control assessment was not tested for the full entire system because we were still -- remember, we still have financial management and it was an acknowledgment that 100% of the system was not complete at that time. >> okay. and it's still not complete today and the people want to know what the security is going to be. >> october 1, the pieces that were necessary, such as insurance security privacy for those functions that i have mentioned. >> and i appreciate that. so what can we expect for january the first? >> by the way, our prayers are with the family of the state senator who is in critical condition.
9:53 pm
>> i do appreciate your concern. >> he moved on and ran on to other parts of this as a sitting senator. and it obviously has shaken everyone in virginia and our prayers are with him and i encourage everyone to say a prayer for him and his family. >> i thank the gentleman. >> my colleagues have released it and it is an authority to operate the federally facilitated marketplace for six months and
9:54 pm
implement a security mitigation plan. are they commonly used in federal data systems? >> yes, it is the last official step to authorize a federal system to go into operations. >> can you tell us why she signed this? >> i think that this has been a system that had unprecedented involvement so that the recommendation was to make a recommendation and if that is the fact that she signed
9:55 pm
that is good news, i would believe that officials at the highest level would have to be briefed on this and take responsibility for this security. >> yes, correct. >> this is security testing that was ongoing since its inception. and all of the controls have been tested on these different versions. >> this includes all the security controls and it is not performed. but this lack of testing has exposed this in a way that can be deemed as a high risk.
9:56 pm
>> i did not actually -- i had recommended as part of a memo and it is semantics, not 100% is built on this and so you can't say they have been able to test it all. because not everything is needed for october 1. only essential pieces involving healthcare.gov are part of this and in its place cms did put in place a number of measures.
9:57 pm
>> and on a daily basis we run scans every three minutes and the data monitoring is a continuous effort and we have penetration testing and marketplace security teams. then we have conducted additional penetration testing for unauthenticated users by another group of professionals and there
9:58 pm
are milestones and we keep track of reports with discovered weaknesses. >> this includes the other opportunities you're taking for protecting it. >> yes, sir. >> this includes the ongoing security testing for websites. we are very sensitive and we appreciate the nervousness around these programs for
9:59 pm
information. i appreciate the recommendations in the ATO memo. >> thank you. the time is expired. and we have the chief information officer and this is part of the publicly traded companies as well as the staff of the u.s. special operations command and this includes delivering on a system of this complexity and i know the pressures that are there. and i assume that you and i have a common goal here today and that is to make sure that the american people hear the truth. and is that an accurate
10:00 pm
statement? >> yes, that's correct. and if i ask you a question that you don't understand, would you ask me for clarification so that we could get to the bottom of it, because we want to dig down into some things that are pertinent? >> the agencies are operating as part of this security by establishing security baselines and incorporating them into applications and networks and testing them to verify that they are incorporated correctly. the use and review of this testing plan is typically known as a security control assessment. several of these for healthcare.gov were either not completed or otherwise ignored. ..
10:01 pm
>> yes. >> okay. >> you testified earlier that it was your opinion based on what you knew at the time that the security control assessments that that security had been adequately addressed when
10:02 pm
administrator signed the contract. >> yes. >> you did not read the security control assessment, so how can you make that assertion that security had been adequately addressed when you hadn't read the control assessments yourself? >> i'm thinking there's a mismatch of versions here. yours says final report october 2011 and august 2013 report, i have the decision security report -- >> i'm talking about the one -- >> can we ask the witness to speak up a little? i'm having difficulty hearing him. >> i'm sorry. >> but i've got to move on. i don't have time to look
10:03 pm
through the binder. who develops the scope before the contractor performs it? >> we have independent contractors that design our testing. >> do you need an application like the data services or the website to be complete in order to test it for purposes of a control -- security control assessment? >> i think that depends, you know, we don't like testing security -- >> i assure you that we don't. >> in terms of using live data, you know, so prior to going to production, we tend to conduct security -- >> let me ask a question. let's put up a slide. are you familiar with the term "SQL injection"? >> uh-huh. >> you know, SQL injection is a process used to gain access to relational databases through SQL. this is a screen shot directly
10:04 pm
off of healthcare.gov that you see. if you put a semicolon in the search box, you get all those different break dops of SQL injection. can you give me any idea how vigorous testing was, and are you aware that users have potential -- potential hackers have the capability to go in through SQL injection and manipulate these strings? >> i can't speak to the exact situation. folks behind me, the panel can specifically -- >> i assure you, mr. chairman, that i still have very serious concerns about the other security aspects of this system. with that, i yield back. >> the time expired. >> i want to also focus on this particular system that the
10:05 pm
contractor -- i'm here, mr. chair. okay. we heard this morning, just heard, about the risks that the contractor mitre identified when it performed security control assessments for different components of healthcare.gov, and it can seem alarming but my understanding is that all these issues were mitigated for the functions on the website that launched on october 1st. it's important to understand the general point of security testing is to identify potential issues so they can be addressed before they become real problems. asking mitre to perform these assessments allowed the contractors to identify and resolve any security vulnerabilities before anyone's personal information could be put at risk. mr. chow, does that sound to you like an accurate distinction?
10:06 pm
do the security control assessments involve a process where problems are identified and mitigated? >> yes, that's correctly characterized. >> mr. chow, i want to walk through key security assessments to determine whether high risks that mitre identified have, in fact, been addressed. in january and february of 2013, mitre performed a security control assessment of the account creation function on healthcare.gov. according to the final report, mitre identified several high risk findings, so, mr. chow, were the high-risk findings resolved and mitigated before the october 1st start of open enrollment in the federal marketplace? >> yes, they were. >> and the fact is that they were noted in the -- that that fact is noted in the mitre
10:07 pm
report. okay, mitre performed a security control assessment of the data services hub in august 2013, and, again, identified several high-risk findings. were these findings resolved and also mitigated before the october 1st launch? >> yes. and the hub received an authority to operate in august. >> yes, and the fact is that was -- that fact was noted in the report. i want to discuss the security control assessment that was performed in august and september of 2013 on the health insurance exchange. mr. chow, were all high risks identified in this assessment mitigated before october 1st? >> yes. >> thank you. what your answers confirm is that the system works. they identified potentially high security risks and cms made sure
10:08 pm
they were mitigated before they could become major problems. the mitre reports do not show a flawed system. they show that cms conducted security control assessments to identify problems and then fixed those problems. i hope that my republican colleagues will keep these findings in mind when they talk about the security of healthcare.gov. we don't want to alarm the public about security risks that have already been addressed by cms and its contractors. it seems to me that in identifying risks that were named, it's important also to note that they were all fixed before the launch on october 1st, and i thank you very much for your testimony. i yield back. >> thank you. >> the gentlelady yields back, and i recognize the gentlelady
10:09 pm
from north carolina. >> thank you. thank you, mr. chow, for being with us today. i have a question about the subsidies and questions about miscalculations that could be happening on the exchange. press reports indicated that some subsidies are miscalculated. in fact, one individual the president identified as a beneficiary of obamacare now can't afford it, and, mr. chairman, i'd ask unanimous consent to submit an article from cnn to the committee for the record. okay. this is a single mom, has a teenage son with adhd, went on the washington state exchange, had gotten an insurance quote for what she would pay at a gold price; then she received
10:10 pm
notification that it was -- the quote was actually higher for a silver plan, more confusion went on; then a cheaper plan at bronze level for $324. in other words, she paid a lot more. i guess my question for you is, you know, is this happening on the healthcare.gov site or the federal marketplace? >> i think there's a lot of inputs to how an advanced tax credit is calculated. a person can come back and make modifications to their income levels, to their household composition, and washington's a state-based marketplace. i can't speak to that particular case, but i think that healthcare.gov allows people the flexibility to try several ways to determine what their tax credit -- >> okay. there, again, going based off the article, it doesn't seem to
10:11 pm
be that she has gone back to make any changes. it sounded to me like, you know, there's miscalculations the service notified her of, and, again, my question is, is this happening in the federal exchange? >> i would need some specifics to be able to answer that. >> okay. >> i think that if anyone ever does have issues with that belief, call the call center to find out if it was correct or not. >> so that's basically -- i'm just asking how someone would address that or how that would happen if there were miscalculations, then you could speak to someone personally? >> yes. we have both the call center and eligibility support workers. >> do you know if this is what's happening? >> i -- >> have you heard any reports of -- >> i think there's many calls to the call center for many different reasons. i don't know exactly. i can't tell you there's ten cases today or -- >> okay. >> but --
10:12 pm
>> we can move on. i appreciate that. cgi, the contractor responsible for building healthcare.gov, can you explain your role with them in the last weeks of september? did you contact them, working with them one-on-one? were you in their office? >> yes. actually, i moved down and lived in a hotel from september 10th to about the last week of october, and i worked at cgi almost every day. >> so you were actually there in their offices working out of their offices? >> yes. >> i have about a minute left on the time. the president announced a tech surge to fix the website. who's involved in the surge? >> todd park is involved, and there are two fellows, one
10:13 pm
is mikey dickerson -- >> do you know about the compensation? how are they compensated? >> i have no insight to that. >> do they have a contract, or do they have to sign an agreement? >> i don't know. >> who do the individuals report to? >> i'm not -- actually i'm not sure who they have a contract with. >> so you are in charge of the technical component of healthcare.gov, and they don't report to you? >> they'll be a part of a team led by jeff zients. >> okay, jeff is the person they are reporting to? >> right. >> okay. thank you very much. mr. chairman, my time expired. >> the gentlelady yields back, now we go to mr. olson for five minutes. >> i thank the chair, and
10:14 pm
welcome, mr. chow. as you imagine, sir, folks back home in texas too have a simple question, why, why, why did healthcare.gov launch on october 1st when every contractor doing the testing said stop, stop, stop, stop. we need more time. this red team document is frightening. read page 4 of the document. terms like "limited testing," "parallel stacking". stacking is vertical, not parallel. launch at full volume. the e-mail, which you said you're worried about, and this is a quote, crash the plane at takeoff.
10:15 pm
with all due respect, sir, it never got to the runway. it was still waiting at the ramp there, the pilots, the bags, the fuel, waiting for new tires. to use a good analogy from my record as a naval aviator, healthcare.gov was a quote-unquote hangar queen, never ready to fly. i do want to talk about what the folks back home i work for are most concerned about, the protection of their personal health information. with so little testing, they are concerned about the lack of security control assessments, SCAs, and my question refers to, i'll refer to the document brief there. please turn to tab 2, sir. my question concerns -- you guys said this is a document you wrote that you needed a two-part mitigation plan.
10:16 pm
part two is basically, you said, what the recommended steps are, to, quote, conduct a full test on the fsm stable environment where all security controls can be tested within 40-90 days of going live on october 1st. the fsm would not be completed by november 30th, so how do you expect the full test? how can that happen? you're losing 30 days off the bat? >> that 60 to 90 days refers to the inclusion of the final piece that needs to be built. i just want to say that it's 30% of the system that is left to be developed, not 70%, and that 30% represents the payment aspect and accounting aspects of making
10:17 pm
payments in the marketplace, for all marketplaces, not just federally facilitated marketplaces, but that functionality has to be in place for the jan 1st effective date enrollments, and i think once we have that completed, we can do a full SCA across the entire system. >> the third document says october 1st rollout, 60 days after that, going back to november 1st. i don't see how you get testing before we go live again. one further question, how many SCAs to identify this before the roll on october 1st have been identified after rollout, how many are still out there, what's the scope my constituents should be worried about? >> the most important aspect is there are no high findings in the test as of the october 1st rollout, and i read off a list of mitigation activities that we go over and above any system that we put into -- we deploy
10:18 pm
and put in operations and monitor on a daily basis. >> when can you assure us a full SCA will be conducted, system wide? ever? >> when the last pieces of the system are completely built. i don't want people to think there has not been a full SCA. an SCA has been conducted on the pieces needed for october 1st for eligibility and enrollment. we have yet to build the financial management aspect of the system which includes our accounting system, payment system, and reconciliation system. those will also have security testing involved as well. >> and the full testing, the whole full testing, when do you expect that to occur, sir? what date? >> i don't have an exact date. it should be in december. >> 2013, 2014, 2015, 2016? >> correct. >> 2013.
10:19 pm
okay, sir. one final question. referring back to the e-mail from july 16th about needing to feel more confident about healthcare.gov. i'm assuming that sometime in the last four months, you got that confidence. what gave you that confidence? what was the trigger mechanism? when did that happen? something changed. >> i didn't say anything about having more confidence. i'm always cautious. which is why i was trying to say earlier that until this is fixed, until the vast majority of people are having a good experience going through here and people who want to enroll get enrolled, particularly for january 1st, i'm going to continue to focus on that along with the rest of the team, and, you know, so it's not about confidence level right now, but focusing on fixing the problem. >> we're not buying it. the queen is still at the hangar. i yield back the balance of my time.
10:20 pm
>> each side has five more minutes for clarifying questions. we'll do that real quick. >> thank you, mr. chairman. mr. chow, i want to thank you for coming and spending the morning with us. i'm going to try to be quick because i'd like you to get back to wherever you're going to make this thing work, okay? the first thing i want to clear up, because even though i thought we established it, my friends on the other side continue to ask you about this mckinsey document on tab 1. i want to clarify, you were not part of the red team evaluation; right? >> correct. >> and you didn't really see this document until today; is that correct? >> correct. >> so there were a lot of questions people asked you, hypothetical questions people asked you about the evaluation that you really don't know the
10:21 pm
answer to because you were not involved in the process, and you didn't see the document until today; right? >> right. >> now, as i understand it, this evaluation was done in march-april 2013, is that your understanding as well? >> approximately that time. >> and do you have any knowledge of what that evaluation was supposed to be for? was it a snapshot in time, or do you even know? >> from the interviews that i had with mckinsey, it was about really two things. one was i spent some time helping mckinsey understand the program. >> uh-huh. >> meaning how it worked, where we were in terms of status and schedule. i don't -- i suppose it also includes a point in time kind of an assessment because i educated them on exactly what was
10:22 pm
happening up to the date. >> up to that time. now, on page 4 of the assessment, i don't really want you to respond to this because you were not involved in the document, but i want to point out that there were a lot of questions that were asked today about the current situation, evolving requirements, multiple definitions of success, etc., but the people who were asking the questions today didn't talk about the last thing which is in bold letters in the box that says cms has been working to mitigate challenges resulting from program characteristics. this was in march or april, and so with that, not talking about the document necessarily, but i think what your job is, really, is to identify issues throughout and try to mitigate them; is that right? >> correct. >> that's what you've tried to do throughout? >> it is a constant mitigation set of activities. >> and the administration has
10:23 pm
said it is going to try to have the federal exchange site working for 80% of the people by the end of november; is that right? that's what we've been reading in the press. >> that's what the press quoted. i think what we've been saying is the vast majority of -- >> all right. do you believe that's a reasonable goal at this point? >> i think that's an attainable goal given what i've seen so far. >> do you think it's going to happen? >> i don't think there's any guarantees. i think we're still in a stage where we're trying to apply as much due diligence, acquiring additional assistance, the tech surge, looking at performance, fixing the functional defects along with making sure security monitoring is on an ongoing basis, so i think there's still a lot of moving parts, that it wouldn't be prudent to give a hundred percent guarantees about where we're going to be at on an exact -- i think we're on the right track.
10:24 pm
>> okay, but what i say to you is truly, and you've heard this from all of us, all of us were disappointed that it didn't work on october 1st. i'm sure you were too. >> very. >> and so we -- we need this to be essentially working, asap. for one thing, people who want insurance coverage as of january 1st have to sign up by december 15th, so if it's not working for the vast majority of people by the end of november, that's hard to do. understood? >> we certainly understand that. >> okay. one last thing, someone had asked you the question or asserted that 60% of the site was not working, but i'm told that's not accurate, that it's really about 30% that's not working, and most of that is the back end, which is the payment to insurance companies, so that's not necessarily the part that has to be working at this moment; is that correct? >> it's still being developed and tested.
10:25 pm
>> okay. >> right. >> but that's the payment to the insurance companies; right? >> correct, testing with treasury and others. >> thank you, mr. chairman. >> thank you. i recognize myself for five minutes. i want to follow up that the 30% is yet to be developed on the payment end. on october 1, the day it was live, how much of the site was developed at that time? >> probably -- well 100% of the priorities that were set for -- by the business for october 1st was up and running. >> okay, but what about the other parts? >> i think there was a reprioritization with shop employee -- >> but it was crashing for everybody. we heard it was not designed for that many people, didn't pass the stress test, never had end-to-end testing, and you said it was a hundred percent ready? >> no. >> i want to understand. >> it was a hundred percent
10:26 pm
built. >> but not working? >> yeah, working, functionally. >> well then it's not built. if a car is built, but you can't run the car, it's not built. if a website is not working, it's not built. >> i'm not going to sit here and try to tell you that it was working well so -- >> but you said it was 100% built. you wish you had more time, you said before, and you said that your job was to identify issues and mitigate them, and since you would have liked to have more time, and your job was to mitigate them, would you have liked to have seen this whole report from mckinsey that identified problems so you didn't have to find them out? >> i don't -- actually, i don't think it was necessary. i think this report was really for marilyn and others, and it was written for that level of consumption, and that audience.
10:27 pm
>> you have not seen it, so you don't know, or do you know? >> i'm just assuming. >> stick with the facts you know. from march on, maryann, my chemo, bill core, mike hash, kathleen, michelle, marilyn, and ellen all had briefings on this. are those any people you work with? >> i've been in meetings with several of those. >> several of them, since march and april? >> yes. >> and none of them raised any of these concerns to you, and you identify yourself that your job is to identify issues and mitigate them. none of the documents reviewed there were these problems? >> within my day-to-day operational, you know, requirements to manage the contract, to manage the schedule, to manage staff -- >> but what you don't measure, you can't manage. i'm concerned that this list of
10:28 pm
people who you work with were not communicating to you this document that you knew existed because you were interviewed for it yourself, but here we have this messy rollout that didn't work, that crashed, only six people signed up the first day, and there was still a concern about problems, and yet it's puzzling to me why the key people didn't talk to you about it. they gave you no hints this existed? >> perhaps. >> i want to change things, but i can't do that. >> it is a matter that -- did you ask for more time? >> no. >> why not?
10:29 pm
>> we wanted to deliver a system. >> she had been in on the briefings from mckinsey that said there were serious problems. she was in at least two of them, i believe, and april 4, she was there, also at the eisenhower executive office building, april 6, and you were in charge of making sure this works, and she didn't tell you? that those problems existed, is that what you're saying today? >> i can't comment on that. >> either she told you, or she didn't tell you. i'm just curious. >> i don't think she told me in the context of the briefing. i think we have status meetings all the time talking about ways to mitigate -- >> you met frequently over the
10:30 pm
months, but she never brought up the extent of the concerns? >> not in the mckinsey report, no. >> okay. >> i think we talked certainly about issues and priorities for october 1st. >> i see. well, i have no further questions, so, mr. chow, i appreciate you spending so much time with us today. we're going to take a real quick five minute break because the witnesses have been sitting for a while. we'll be back in five minutes, and, again, thank you, mr. chow. >> thank you. >> all right. this hearing has reconvened. i'd like to introduce the witnesses for the second panel of the hearing, and thank you, all, for being so patient and waiting. the first witness is jason, senior vice president and general manager for the center for connected government. he's also the director of the centers for medicare and medicaid services alliance to modernize healthcare. our second witness is maggie
10:31 pm
bauer, senior vice president at creative computing solutions, inc, also known as ccsi. she has extensive operations management experience in consulting, program management, i.t. infrastructure services, software development life cycle, and end user support on service level driven performance based programs. the third witness is david, a founder, president, and chief information officer at foreground security inc with more than 15 years of i.t. security experience overseeing the overall customer centered vision and direction of security, industry leading offerings and day-to-day operations. i'll swear in the witnesses. you're aware that the committee is holding an investigative hearing, and we have the practice to take testimony under oath. do you have any objections to testifying under oath? all witnesses are negative there. the chair advises you under the rules of the house and rules of
10:32 pm
the committee, you are entitled to be advised by counsel. do you want to be advised today? all the witnesses said no. in this case, please rise, i'll swear you in. do you swear the testimony you're about to give is the truth, the whole truth, and nothing but the truth? and all the witnesses responded, i do. you're under oath and subject to section 1001 of the united states code, and we now give a five-minute opening summary of your statements. >> all right, well good morning. i'm jason, and i'm here today on behalf of the mitre corporation, serving as director of the not-for-profit federally funded research and development center sponsored by the u.s. department of health and human services. we're chartered in the public interest to apply systems engineering skills and advanced technology to address issues of critical and national
10:33 pm
importance. we accomplish this through research centers that support the government sponsors with scientific research and development and assist in systems and engineering integration as well. known as federally funded research and development centers, they operate under a set of rules and constraints prescribed by the federal acquisition regulations. the rules are designed to preserve the FFRDC's objectivity, independence, and freedom from conflict of interest. we operate the centers for seven federal agency sponsors, and were awarded the contract to operate the alliance to modernize healthcare center over a year ago. the center is charged with assisting cms in modernizing operations and supporting implementation of health reform and expansion of health care to millions of americans. we serve as a technical, independent, objective adviser to cms. we have been supporting cms successfully since 2005 on a contract basis prior to the
10:34 pm
establishment of the new center. we advise on health i.t., develop future policies, perform evaluation of business models, and assess new technology. as part of the efforts to establish healthcare.gov, we conducted security assessments on parts of the site, and i appreciate the opportunity to clarify what our role was in assisting cms on healthcare.gov. we provide cms with information security support and guidance under two contracts, the office of information systems and the enterprise information systems group. pursuant to tasks issued under those contracts, we performed a total of 18 security control assessments or SCAs for components across the range of cms enterprise systems. most of these were performed on supporting infrastructure and development components. six of the SCAs were directly related to healthcare.gov. they were performed between
10:35 pm
september of 2012 and september of 2013. we performed various tasks in the support for security maintenance. a limited amount of that support is in the form of external penetration testing relative to cms websites including healthcare.gov. we are not in charge of security for healthcare.gov. we were not asked, nor did we perform, end-to-end security testing. we did not recommend approval or disapproval of an authority to operate. deciding whether and when to grant an ATO is a function that derives from the government's assessment of overall risk posture. in this case, the government made its ATO decisions based on a large set of inputs and factors, among which six SCAs were performed.
10:36 pm
we do not have visibility into other factors going into the ato decision. cms did not advise us whether or when atos were granted on the components tested. in this case, the government made the decisions based on a large set of data. again, we were not asked to do end-to-end testing, but tested various parts of healthcare.gov under the parameters that were established by cms. we worked alongside the contractor and, following the testing, worked to mitigate risks, and in almost all cases, we succeeded. our testing was accomplished in accordance with the methodologies: we assessed control risks against cms-defined security control parameters on a high, moderate, or low scale and made recommendations. on-site security control testing typically begins on a monday and wraps up within a week, a test against cms-defined security parameters.
10:37 pm
over the course of five days of testing, we identify the risks and have remediation for risks judged to be at high and moderate levels. security testing is designed to flush out and pinpoint security weaknesses of a digital information system. this enables direct remediations to be applied and allows the system operator to make necessary business judgments and tradeoffs about the overall system. because our role in performing the security control tests was limited in both time and scope, we have no insight into how assessed security control risks were handled or what other risks may have surfaced subsequent to the date of testing. judgment about the potential impact of the assessed security control risks on overall system operation or performance, or business judgments made by cms, is part of the operating authority. to our broader partnership in the federal government, we are committed to cms to enhance care and delivery of health care to
10:38 pm
all americans. i'm happy to respond to your questions. thank you. >> turning to ms. bauer for opening statement. >> thank you. i'm a senior vice president at creative computing solutions inc, ccsi. i have responsibility for the federal health contracts, including the centers for medicaid and medicare services, veterans' affairs, department of health and human services, national institutes of health, and the military health service. in addition to health-related services, ccsi delivers program and project management services, cyber security services, and enterprise systems engineering exclusively to the federal government. ccsi was founded in 1992. in august of 2012, we were awarded a contract to provide security oversight of the cms e-cloud. the e-cloud refers to cms's virtual data center hosting
10:39 pm
applications that support the affordable care act. foreground security is our subcontractor, and we function as a fully integrated team. ccsi's role is to provide operations monitoring and management, including 24 by 7 by 365 security monitoring from a security operations center, otherwise known as a soc. we monitor the firewalls and network devices for the e-cloud, and we scan applications for security incidents. these scans do not measure or track availability, downtime, or latency. if there's an anomaly, we follow the incident response plan procedures for identifying security incidents like network security configuration flaws or vulnerabilities in the network. they do not remediate security incidents. the scope of work includes
10:40 pm
configuration, tuning, monitoring and management of cms government-furnished equipment that resides in the verizon terremark monitoring zone. we review log files, analysis, and reporting on security incidents, all of this under the direction and supervision of cms. activities involving the development, scaling, testing, release or administration of the federal exchange program, healthcare.gov, the federal exchange, or the marketplace are not within the scope of the contract. i am pleased to answer any questions that you have. thank you. >> thank you. you are recognized for five minutes. >> thank you, sir. chairman murphy, ranking member degette, members of the subcommittee, good afternoon, and thank you for inviting me to testify at this hearing on the security of the website, healthcare.gov. i'm the president and chief information officer of foreground security.
10:41 pm
i founded the company. we provide cyber security consulting, training, and services for both private sector and government agencies. our clients include fortune 100 companies, smaller, highly targeted firms, and government agencies. we defend our customers against an increasingly delicate threat with an approach of building architecture and assessing, monitoring, and responding to attacks in the customer's environments. we're a small, growing, dedicated cyber security business located in virginia and florida. our roughly a hundred employees are highly trained and committed to serving our clients. foreground security is one of the companies hired to help develop a robust operational security management program for the new virtual data center created to implement the affordable care act. we are a subcontractor to the
10:42 pm
team, creative computer solutions inc, or ccsi. our role with ccsi includes a number of objectives relating to the security environment of healthcare.gov. i think of the role as encompassing three phases. first is the creation of the security monitoring environment. this entails getting key staff in place, identifying needed security monitoring software and hardware, and building out a dedicated security operations center, or soc. our work comets. third is monitoring the
10:43 pm
environment. that can be thought of as having two components. one is day-to-day, continuously searching for malicious activities, like reporting and defending against them when they do occur. the other is monitoring known malicious actors or groups in advance of attacks to proactively identify the techniques or tactics they may be using or planning to use to compromise the environment. these are our main end-state responsibilities relating to the security environment. we worked very closely with cms and verizon in all phases of the work. cms reviews and approves any capability we place in the environment, and verizon terremark, as the host of the environment, determines what security measures are placed in the virtual data center. perspective on the role is important. while our work for cms is essential, it's narrowly focused, and we're not involved in the design of the site,
10:44 pm
developing the software that runs it, or its administration. to that end, we do not monitor the site for performance purposes. foreground security is just one member of the security team, and in addition to the other companies represented here today on this panel, verizon terremark and others play key roles in developing and testing the security of healthcare.gov. i'm proud of the work that foreground security's undertaken and continues to undertake in order to allow families and individuals looking for health insurance to use the healthcare.gov website, secure in the knowledge their personal information is being protected with state-of-the-art monitoring and defenses. to that point, foreground security fulfilled its obligations to cms on time and under budget. we are dedicated to the secure operation of healthcare.gov and take extremely seriously our obligation to the public trust. i welcome any questions you may
10:45 pm
have. >> thank you, mr. amsler. a couple of questions. first of all, you were here throughout mr. chow's testimony, all three of you were. do you have any concerns or comments about what was said by mr. chow? >> i wouldn't have any specific concerns. >> no. >> no concerns. >> all right. mr. amsler, you said in addition to the other companies represented today on this panel all played key roles in developing and testing the security of healthcare.gov. are you also referring to ms. bauer's company? >> i view them as a teammate, as one of us. >> i thought in the testimony, she said that they were not that involved. i have to ask you, with this many companies involved, who did you all report to? >> our customer was cms and the security team -- >> is there a person? >> our direct government technical lead is tom
10:46 pm
shankweller. >> with regard to this, with all of these companies involved playing key roles in developing and testing security, is that typical, to have so many companies involved as opposed to one doing the end-to-end work on this? >> well, we have -- we've experienced all sizes of implementations. this one, obviously, certainly, is one of the largest that i've seen undertaken. i've certainly seen a lot of people involved, but probably not this many. >> is this typical? >> i don't know a number of companies, but having two or three is not untypical on a site of this complexity. >> does it add to the complexity of monitoring the security of the site? >> if it's well-managed from a program perspective. >> was it well managed? >> i would not know. >> from your perspective? >> i don't -- we were not involved in that level of insight on that. >> i see.
10:47 pm
were you involved in that level, and was it well managed from your point of view? >> our management from cms has been on a very regular basis. we have daily meetings. in fact, since healthcare.gov went live, those meetings actually began, or revved up, i should say, to hourly, and then backed away to every four hours, and now on a shift basis, three times a day. >> the activities involving the scaling, testing, the federal exchange program system, the federal exchange, or the marketplace are not within the scope of the contract, so you were not involved in the security issues involved with those websites? >> security, yes, but not the development, scaling, or testing of the healthcare.gov application, per se. >> were you involved with the testing of the security? >> yes. >> and was it working? >> yes. >> at october 1? >> everything that was under our scope. >> under your scope. >> yes. >> but in terms of how it relates to other parts, you don't know? >> i would not know that. >> mr. amsler, how about you?
10:48 pm
were your parts working okay, your individual part, and was that tested with regard to the others? >> congressman, to be clear, as far as our work is concerned, we focus on operational monitoring, security, and some testing. we absolutely were working. i can't speak to the rest of the groups and the teams involved in development or the fca. >> i want to know if that's typical, and are you concerned about how your parts worked in conjunction with the site overall, or is that not typically a question you would ask? >> well -- >> if you design a part for a car, you know your part's working, but you want to know if the car works? >> absolutely. >> that's what i ask you. would you have liked to know then, if your segments worked on their own, but you don't know whether it worked with the whole system or security; is that correct? >> that would be correct. >> yes. >> okay. cms adopted the security controls
10:49 pm
you develop; correct? >> that's correct. >> are the controls embedded in applications at the direction of cms? >> they were assessed, but, yes, embedded for configuration changes to be based on the controls. >> at what point of the application development phase should security controls begin to be embedded into the application? >> well, that's a production phase. when we test, generally, when we test, we assume we look at the production-ready version of the application, and we apply those cms security controls we talked about and assess those against the production-ready version of that application. >> embedded into the architecture of healthcare.gov? >> the overall cms security controls are to be applied across all the systems of c -- of healthcare.gov. >> should be embedded into healthcare.gov? >> it should be. >> were they? >> i have no way of knowing that. >> do you know if they were? >> i don't know.
10:50 pm
>> i would not know the answer to that. >> okay, you worked on the security parts, but you don't know if they were embedded or tested, would you like to have seen that? >> some parts. >> correct. >> correct. >> thank you. i now give -- yield for five minutes. >> thank you, mr. chairman. as mr. chow testified, it's part of cms's protocols that they hire independent contractors to test different parts of the security aspects of the site. is that your understanding as well? >> yes, it is. >> is it yours? >> yes. >> yours, mr. amsler? >> yes. >> so i want to ask you first, you testified, your company was not hired to do the -- to perform end-to-end security testing; is that correct? >> that's correct. >> what your job was to assess and identify risks in specific components of healthcare.gov to work with cms and address those
10:51 pm
concerns and report on the findings and results; is that correct? >> that's correct. >> am i correct in virtually all cases, when you did identify high risk in healthcare.gov components, cms was able to mitigate risks before the system went live? >> yes, almost all the high risks were mitigated. >> and -- and you said in your testimony, in your written testimony, you are not in charge of security for healthcare.gov. we were not asked, nor did we perform end-to-end security testing. we have no view of the overall safety or security status of healthcare.gov. that's because you were only asked to do a narrow assessment of part of it; right? >> a narrow assessment in scope and a time that is -- >> and time. >> time. >> now, i just want to ask you, what's your personal view of the overall safety or security of healthcare.gov having worked on this at least some aspects of it? >> well, just my personal perspective -- >> uh-huh.
10:52 pm
>> knowing the cms experience in the past, as henry chow alluded to, they do a solid job in terms of securing their systems historically. >> and what you were doing was part of the same types of things cms has done on systems; is that right? >> that's correct. >> ms. bauer, as i understand it, mr. amsler, you are a subcontractor of ms. bauer's company; is that right? >> yes. >> so what you folks do is your company -- ccsi monitors the firewalls and network devices for the e-cloud that hosts healthcare.gov and scans the website's applications for security vulnerabilities; is that correct? >> that's correct. >> and on october 22nd, you briefed this committee, and i want to ask you, at that time, had you detected any activity that you would consider to be out of the ordinary for a system like this? >> not out of the ordinary, no. >> okay.
10:53 pm
are you continuing to monitor the website moving forward? >> yes, we continue to perform all the functions of our contract. >> and why is that? >> i'm sorry? >> why are you continuing to monitor the functions? >> because that's the scope of the contract. >> okay. >> monitoring. >> have you detected any activity since october 22 that you consider to be out of the ordinary? >> we would detect activity on a daily, if not hourly basis, that's part of the nature of the security monitorings, whether it's extreme or out of the ordinary, there's nothing that's been brought to my attention. >> would that be, then, reported to cms? >> yes. there's an incident response plan, and we follow the procedures of the plan. >> have you seen anything that would indicate some terrible problem with the website vis-a-vis security? >> nothing that i've seen or that's been escalated to me, no. >> okay. there's another contractor, as i understand, that's also asked to look at other aspects, and that's verizon. they are not here today.
10:54 pm
is that your understanding as well? >> yes, yes. >> so is, ms. bauer, has your company worked with cms before on security issues? >> no, we have not, but we have other security work. >> okay. okay. mr. amsler, what about your company? >> not directly for cms, but other hhs. >> okay. you wouldn't know whether this kind of mirrors other security activity with cms, but you're telling me that with what your company did before, you're seeing a similar concern and readiness for security applications? >> well, what i said was that following cms's approach towards security, they do execute, you know, 10, 20, 70 scas a year that we execute for cms. part of the process is before they execute an ato, they look for input of the scas, which is a fairly rigorous process, a
10:55 pm
definition to give a parameter in a moment of time that we would conduct the scas, first cms has input to the ato process. >> all right. okay. thank you, thank you, mr. chairman, i appreciate it. >> i have a clarification. you were asked a question about cms and their work, and you used the word "historically," and were you referring to the healthcare.gov website or in the past? >> in the past, broadly across in terms of the security rigor they apply across their system. >> thank you. mr. olson, you are recognized for five minutes. >> i thank the chair, i mostly thank the witnesses for patience in being here so long. very brief questions, i mean obamacare -- sorry, healthcare.gov up and running is not rocket science, and that's good because if it were, we'd be waiting to land on the moon over 50 years later. you may not have seen the mckinsey report, the red team report, have you seen that?
10:56 pm
>> i have not. >> i'll get copies to you. i have questions about the report, and i apologize if you have not seen it, but it compares on page 34 ideal large-scale programs and the current state of healthcare.gov, and i want you to answer yes or no questions. do you agree with the statements of the report? the large-scale program developments with the risks of healthcare.gov. the first, the ideal situation: clear articulation of requirements and success metrics; in healthcare.gov, all requirements and multiple definitions of success. do you agree with those assessments that it's ideal? yes or no, sir. putting you on the spot. >> very difficult to answer the question. hypothetical? >> yes, sir. it's clear articulation, and has that happened on healthcare.gov? >> that's what we'd love, articulated, up front, build to,
10:57 pm
design to, test to. that would be great. it's rare, but great. >> evolving requirements with healthcare.gov, is that a problem? >> i'm not sure of the number of -- i think there were a number of requirements for healthcare.gov. >> ms. bauer? >> i would just have looked at it briefly -- >> i apologize. >> i agree with the description of the ideal situation; however, i wouldn't have insight into the current situation because that involves the development of healthcare.gov. >> mr. amsler? >> i would -- ideal, i agree with ideal, again, we were not involved in those aspects. i couldn't speak to it. >> how about the program there: ideal is requirements, design, build, and testing, division of phases, and what the current situation is, parallel stacking of all phases. do you agree? i apologize for not pronouncing your name. >> that's all right. it creates challenges to the
10:58 pm
program office to deliver that. >> parallel stacking? >> it would be a significant challenge to do that. >> ms. bauer? >> i agree with the statement. >> mr. amsler? >> agree. >> okay. how about operation and testing is ideal. i think we agree with that. what happened is insufficient time and scope of end-to-end testing, do you agree with those statements, yes or no? >> in -- i guess in the context you put it, you're saying is there a limited end-to-end testing? given the fact there's a hard date, i surmise there'd be limited testing. doesn't mean you couldn't have done it, but there's limited time to do it. >> ms. bauer? >> generally, i agree. i would have no insight, though, into the increments with regards to the schedule, but you can create milestones and achieve, ideally, about any goal if you create milestones and achieve them on the way to the goal.
10:59 pm
>> mr. amsler? >> end-to-end testing for me is pure security. that's the world we live in, the only world we live in, and we can achieve a lot of testing along the way, but i generally shoot for ideal. ideal would be end-to-end testing.
11:00 pm
>> yes or no, ma'am? >> yes. >> i'm actually very happy with my current health care. [laughter] oh, boy, you try to open -- >> feel bad you can't keep it. >> gentleman's time is expired. you have a clarifying question. >> thank you. the question that he was asking you folks was on this mckinsey document we spent so much time talking abo
