tv Key Capitol Hill Hearings CSPAN November 21, 2013 6:00am-8:01am EST
6:59 am
7:00 am
speaking of medicare part d, no one was required by law or forced a penalty to subscribe to that, isn't that correct? >> no. but we did auto enroll medicaid dual eligibles into medicare part d. >> it is a different animal than what we're dealing with now because of americans are told they can have their insurance so they will have to sign up through the exchanges. so i do appreciate that but there is a difference. one of the things when you get a time to take a look at the report, i think it's a symptom of the problems this website has had is that you were not included in the briefings on the report that has come to light in the last 24 hours. when you get a chance to read that one of the things you'll see is a filter ought to be one person overseeing all the different parts. listening to the vendors who previously testified before this committee it looked like they were each building their own part and in the last month they had excluded altogether.
7:01 am
in the last two weeks -- two weeks things are changing. you really want to have, you want to defined your policy requirements prior to finishing the design and starting to build. wouldn't you agree with that? >> that is the logical thing to do. >> but in reality we have heard testimony in this committee that they were changing policy. we know the big change on july 2 when all of a sudden the employer mandate was allegedly delayed, the president signed an executive order, delay that employer mandate. further, we know from testimony that there were changes being made as close to the launch as two weeks before. so based on that it would be the logical conclusion that you have significant problems, wouldn't it? >> with the luxury of hindsight, i can see that there are
7:02 am
contributors to the way the system performed when it was unveiled. but that's not, you know, i need to focus on fixing this thing. >> i know your focus is to fix it now, but also when you take a look at it, when you're still defining a policy requirements as late as two weeks prior to launch, it's very difficult to design and then to build and then to test a system and have it work, whether it's for security component or the performance component. it would be logical to do it in the proper order. when you do the a logical you're liable to have problems. i know what you would agree with that if he were freed after opposite. i also noticed no one person was ever appointed to head this up while you're in charge of part of it come and you're in charge of making part of it work. looks like there's at least six
7:03 am
different representatives from different agencies that had a hand in a losing what was going on, and no one had control over the other, is that correct? >> i think it was a governance committee that was formed. >> isn't that interesting? and sometimes when you're trying to launch a big project like the shift of one general in charge of the operation. wouldn't that be logical? >> i would say that for the technical pieces, i was responsible for making sure that the technical pieces were organized. >> last month this committee uncovered a september 27 memorandum indicating that healthcare.gov launched without a full security control assessment. administrator have had to a test she was a schmidt security risk. and tells what those risks are specifically. >> first of all, i think the
7:04 am
incomplete testing -- it was fully security tested, three rounds of testing, so that when marilyn tavenner signed the authority to operate on september 27, it had no, i find that it gone through the appropriate security test. >> so you didn't, so what she said was not accurate, that it had, did not have a full security control assessment? she was mistaken when she testified in front of a? >> i think there's a part of that sentence that needs clarification. i think what we are trying to say was that the security control assessment was not tested for a full entire system of which we were still -- remember, we were still building financial management aspects of the. i think was an acknowledgment that 100% of the system was not complete at that time. >> and it's still not complete today, and the people of america want to know what's the security going to be if it's not complete
7:05 am
on -- >> the october 1 pieces that were necessary, such as insurance security privacy for those functions that i mentioned were tested. >> i appreciate that but what can we expect january 1? i apologize. i yield back. >> by the way, our prayers are with the family of centigrade in -- >> you saw my statement. if i might take a moment of personal privilege but i do appreciate your prayers. we were in opposite party which is like on this committee you form friendships and he served with me in the virginia house of delegates before he went on to the senate and went on to run for other offices by the still sitting senator. it obviously has shaken everybody in virginia. he is a good man and our prayers are with them and i encourage everybody to say a prayer for him and his family. >> thank the gentleman. now we turn to mr. tonko for five minutes. >> thank you, mr. chairman. i would like to continue on the
7:06 am
recent questioning of the documents. document that my republican colleagues have released. mr. chao, the stock that was signed i believe september 27 and it's an authority to operate memorandum, operate to federally-facilitated marketplace for six months. can you tell us, an ato is commonly used? >> yes. the last official site of to authorize a federal system to go into operations. >> can you tell us why administrator tavenner signed this ato rather than perhaps other officials that might report to the administrator? >> i think the span of the
7:07 am
stakeholders involved across the agency, we have not had a system that had this unprecedented involvement of so many components so that the recommendation by our chief information officer was to make a recommendation for the administrator to actually sign off on this because she runs the entire agency. >> and the fact that she signed it is good news. it's an indication i would believe that officials at the highest level at cms were briefed on in taking responsibility for site security? >> correct, yes. >> as i understand it, this document describes security testing for the healthcare.gov website. it says that security testing of the marketplace was ongoing since its inception, and didn't september 2013. in fact, it says and i quote, throughout the three rounds of security control assessment
7:08 am
testing, all of the security controls have been tested on different versions of the system, is that correct? >> correct. >> the document goes on to say because this system readiness complete security assessment of all the security controls and one complete version of the system was not performed. this lack of testing and i quote exposed the level of uncertainty that can be deemed as a high risk. >> i didn't actually -- i had recommended as part of that decision memo and i think at that time, as i mentioned earlier, its semantics. not 100% of the system is built so you can't really consciously say you have it all available in one place. to fully test because not everything was needed for october 1. only essential pieces involving healthcare.gov were tested for security. >> so the document that indicate at cms -- in its place at cms
7:09 am
did put in place a number of mitigation measures. and they concluded that these measures would mitigate security threats to our want to take a moment to ask you about the september 27 ato and other risks were identified are being addressed. can you just describe the recommendations in that september 27 memo? >> you mean in terms of mitigation? >> yes. >> on a daily basis we run antivirus scans every three minutes. malware scans every three minutes. data is a continuous effort. threat protection analysis against known bad ips. i mentioned that in opening remarks, that it's continuous. on a weekly basis we monitor operating system compliance, infrastructure system compliance. we conduct penetration testing, authenticated and unauthenticated, marketplace security teams.
7:10 am
have a 24 by seven security operations team. we conduct additional penetration testing, authenticated and unauthenticated, by another group of security professionals of cms that report under our chief information security officer. we also conduct application software assurance testing which is occurring biweekly. on a monthly basis we produce a plan of action and milestones that keeps track and reports on any discovered weaknesses during all this monitoring. >> so cms is taking action that was recommended in the ato? >> correct. >> do you have confidence these and other measures you are taking to protect the security of americans' personal information? >> i have high confidence. >> i understand it here, the remedial actions and the ongoing security testing are protecting the security of the website?
7:11 am
>> yes. >> and so perhaps the message coming from our republican colleagues is that they don't want the website to work and they want to prevent people from going on the website went back wearing security has been provided for? >> i think without over and above because we are very sensitive and we appreciate the nervousness around this program with people's information. >> winformation. >> we appreciate you building the security of the website. and respond the actions recommended in the ato memo. thank you so much. i yield back. >> the gentleman's time has expired. mr. johnson. >> thank you, mr. chairman. mr. chao, i spent 30 years in information technology. i've been a chief information officer of publicly traded companies as well as the director of the cio staff at u.s. special operations command and i know the pressures that
7:12 am
delivering on a system of this complexity. i know the pressures that are there. i assume that you and i have a common goal here today, and that is to make sure that the american people hear the truth. is that an accurate statement of? >> correct. >> given that then, would it be okay if you and i have an understanding because this is to the i.t. guys talking to one another. if i ask you question that you don't understand, would you ask me for clarification so that we can get to the bottom of it? because we want to dig down here into some things that are pertinent. >> yes, sir. >> under fisma, i.t. systems are required to stellar security baselines, incorporate them into applications and networks and testing to see that they are incorporated correctly. the use and review of this testing plan is typically known
7:13 am
as a security control assessment. several of these control assessments for healthcare.gov were either not completed or otherwise ignored. so are you familiar with the four security control assessments that were completed on the various aspects of the federally-facilitated marketplace? >> not in intricate detail but i think going back to what you said about ignored or missed, i think the most important thing to remember is that on -- >> are you familiar with the security control assessments? >> i've read the most important one and that's the one -- >> have you read all four of them? >> not all four of them. >> can you turn to tab number four of the dr. novotny you have in front of you lacks this is the security control assessment completed on october 11, 2013. are you familiar with the findings of the security control assessment?
7:14 am
>> yes. >> you testified a little earlier that it was your opinion based on what you need at the time that the security control assessments, that security had been adequately addressed when administrator tavenner sign the document authorizing the operation of the website, is that correct? >> yes. >> but yet you just testified that you're not aware and you didn't read the security control assessments. so how can you make that assertion that security had been adequately addressed when you hadn't even read the control assessment yourself? >> i am thinking that there
7:15 am
might be some mismatch inversion here. yours is final report october 11 for health insurance exchange, august-september. i have the federally-facilitated marketplace decision security port -- >> i'm talking about the one -- >> can we ask the witnesses the couple of it? i'm happy difficulty hearing in. >> i'm sorry. but i've got to move on because i don't have time to look through the binder. who develops the scope of a security control assessment before the contractor performs a? >> we have contractors that design are testing. do you need an application like the data services hub or the website to be complete in order to test it for purposes of a control security control assessment? >> i think that depends on, you know, we don't like testing the security -- >> i can assure you we don't.
7:16 am
>> in terms of using live data. so prior to going to production, we tend to conduct security -- >> let me ask you a question. let's put up a slide there. are you familiar with the term sql injection? sql injection is a process that hackers use to gain access to sql databases, relational databases, through sql. this is a screenshot directly off healthcare.gov that you see. if you put a ; in the search box and you get all of those different breakdowns of sql injection. can you give me any idea how vigorous the testing was around sql injection? are you aware that users have potential hackers have the capability to go in through sql injection and manipulate these? >> i can't speak to the exact
7:17 am
that situation. i think some of the folks that are coming up behind me oe of the mighty specifically -- >> i can assure you, mr. chairman, that is so very strict concerns about the security aspects of this system. with that i yield back. >> the gentleman's time has expired. i now recognize ms. schakowsky for five minutes. >> i also want to focus on this particular system. we've heard this morning, just heard about the risks that the contract, contractor mitre identified when performing security control assessments for different components of healthcare.gov. and at first glance they can seem alarming. but my understanding is that all of these issues were mitigated for the functions on the website to launch on october 1.
7:18 am
it's important to understand the general point of security testing, to identify any potential issues so they can be addressed before they become real problems. asking mitre to perform these assessments gave the contractor the opportunity to identify and resolve any security vulnerabilities before anyone's personal information could be put at risk. so, mr. chao, does that sound to you like an accurate description through the security control assessments involving iterative process where problems are identified and then mitigated? >> yes, that's correct. >> i want to walk through some of these security assessments to determine whether the high risks that mitre identified have, in fact, been addressed. in january and february of 2013, mitre provide basic a control assessment of the eidm, the
7:19 am
account creation function on healthcare.gov. according to the final report, mitre identified several high-risk findings. so mr. chao, were these high-risk findings resolved and mitigated before the october 1 start of open enrollment in the federal marketplace? >> yes, they were. >> and the fact is they were noted, that fact is noted in the mitre report. so mitre also performed executd control assessment of the data services hub in august, 2013. and again identified several high-risk findings. were these findings resolved and also mitigated before the october 1 launch? >> yes. and the hub received authority to operate in august. >> yes, and the fact is, and that fact was noted in the
7:20 am
report. i also wanted to discuss the security control assessment that mitre perform over august and september 2013 with the health insurance exchange. mr. chao, were all high risks identified in this assessment, mitigated before october 1? >> yes. >> thank you. and what your answers confirm is that the system worked. mitre identified potentially high security risks, and cms major that their mitigated before it would be, major problems. mitre reports do not show a flawed system. they show that cms conducted security control assessments to identify problems, and then fixed those problems. and i hope that my republican colleagues will keep these findings in mind when they talk about the security of healthcare.gov. we don't want to alarm the public about security risks that have already been addressed by
7:21 am
cms and its contractors. it seems to me that identifying risks that were named, it's important also to note that they were all fixed before the launch on october 1. and i thank you very much for your testimony. i yield back. >> gentlelady yield. now recognize the gentleman from north carolina, ms. ellmers, for five minutes. >> thank you, mr. chairman. and thank you, mr. chao for being with us today. mr. chao, i have a question about the subsidies and questions about some miscalculations that could be happening on the exchange. press reports have indicated that some subsidies are being miscalculated. in fact, one individual, the president identified as a beneficiary of obamacare now can't afford it. mr. chairman, i ask unanimous consent to submit an article
7:22 am
from cnn to the committee for the report for the record. without -- okay. this is a single mom, has a teenage son with adhd, went on the washington state exchange, had gotten an insurance quote for what she would pay at a gold price. then she received notification -- the quote was actually higher for a silver plan, more confusion, went on. then even a cheaper plan at bronze level for $324. in other words, she ended up being a lot more. i guess my question for you is, you know, is this happening on the healthcare.gov site or the federal marketplace? >> i think there are a lot of inputs to how an advanced
7:23 am
premium tax credit is calculated. a person can come back and make some modifications to the income levels, to their household composition. washington is a state-based marketplace like it was the to that particular case, but it think that healthcare.gov allows people the flexibility to try several ways to determine what their tax credit -- >> okay. there again i'm just going based on the article but it doesn't seem to be bad she has gone back making changes. it sounds to me like, no, there were miscalculations that she was notified of. so again my question is this is happening in the federal exchanges? >> i would need some specifics to be able to answer that. i think that if anyone ever does have issues with believing the subsidies were incorrectly calculated, they could certainly call our call center to try to
7:24 am
find out if it was correct or not. >> so that basically -- i'm just asking how someone would address that or how that would happen if there were miscalculations. then you could speak to someone personally? >> yes. we have both a call center and what we have alleged those support workers. >> do you know if this is what was happening? have you heard any reports of -- >> i think there are many calls to the call centers for many different reasons. i can't tell you there were 10 cases today or -- >> we can move on. i appreciate that. cgi, the contractor responsible for building healthcare.gov, can you explain your role within in the last weeks of september. were you in contact with them? were you working with them one on one? were you in the office? >> yes. i actually, i moved down to herndon and lived in a hotel since september 102 about the
7:25 am
last week of october. >> so you were actually there in their offices working out of their offices? >> yes. >> one of the things -- i have about a minute left on my time. the president announced a text search to fix the website. who is involved in the search? >> their -- top part is involved, and there are two fellows, one by the name of mikey dickerson, and another either name of greg gerchman. >> do you know about their compensation? how are they being compensated? >> i have knows -- i have no insight into the. >> did they have to sign an agreement? >> i don't know. >> who do these individuals report to? >> i'm not actually i'm not sure who they have a contract with.
7:26 am
>> but you are in charge of the technical component to healthcare.gov, and they don't report to you? >> they are part of a tech research team that's being led by jeff sines spent suggested with a person that they are reporting to? >> right. >> thank you very much. thank you, my time is expired. >> gentlelady yield. now go to mr. olson for five minutes. >> i think the chair, and welcome, mr. chao. as you imagine, folks back home in texas have one simple question. why? why? whited healthcare.gov on octob october 1 with most to come clean this up, and every contractor write the code into an existing said stop, stop, stop, stop. we need more time. this breaking document is frightening.
7:27 am
page four of the document, terms like limited testing. parallel stacking of all phases. stacking is vertical. not parallel. interest time and scope of testing. launch at full waldin. a previous e-mail wha would youd your word and this is a quote, crashed the plane, take off. with all due respect, it never got to the runway. it was still waiting at the ramp there with the pilots, the bags, the fuel waiting for new tires. using your analogy and my records as a naval aviator, healthcare.gov was a quote unquote hangar queen. never ready to fly. i do want to talk about the folks back home i worked for are most concerned about protections
7:28 am
of personal health information. with so little testing they are concerned about the lack of security control assessments, scas. and my question, i will refer to the document briefing there and please turn to tab number two. my question concerns can you guys said this is your firm that you need to part mitigation plan. in part two, basically you said one of the recommended steps is to quote conduct a full sca test on the fs ends in a stable environment where also the controls can be tested within 60-90 days of going live october 1. they will not be completed by november 30. so i can expect a full test of the sca within 60 days of open
7:29 am
enrollment? how can it happen and losing 30 days off that? >> i think the 60-90 days refers to includes the inclusion of the final piece that needs to be built. what we mentioned earlier which i just want to say that it's after 30% of the systems are left to be developed, not 70%. that 30% represents the payment aspect and accounting aspects of making payments in the marketplace for all marketplaces but not just the federally-facilitated marketplace. that has to be in place for the january first effective date enrollments. so i think once we have that completed we could do a full sca across our entire system. >> the doctor says october 1 rollout 60-90 days after that. apparently going back to november 1 at the earliest. i do see how you need to 60 days and 90 days of testing for going live again. one for the question about the
7:30 am
sca's. how many did you identify before the rollout on october 1? no, have been identified after the rollout? endowment us to other? what's the figure my constituents should be worried about? >> there are no high findings in the sca test as of the october 1 rollout. as i mentioned earlier i read a list of mitigation activities and we go over and above any system that we put into -- we deploy and put into operations and monitor on a daily basis. >> when can you assure us a full sca will be conducted systemwide? ever? >> when the last pieces of the system are completely built, which is not, i do want people to think that there has been a full sca. full sca has been conducted on the pieces that were needed for october 1 for eligibility moment. we have still to build a financial measure aspect of the
7:31 am
system, which includes our accounting system and payment system, education system. those also executed testing involved as well. >> the full testing, the whole system, when do you expect that to occur, what big? >> i don't have an exact date, but it should be sometime in december. >> so 2013, not 2014, 2015, 2016? >> correct. >> 2013, okay. one final question. referring back to the e-mail from july 16 about needing to feel more confident about the healthcare.gov. i'm assuming that sometime in the last four months you got that confidence. what day that confidence? what was the trigger mechanism when that happened? >> i think i did say the same thing about having more confidence. i'm always cautious. which is why i was trying to say earlier that until this is fixed, until the vast majority
7:32 am
of people have a good experience going to do with people who want to enroll get enrolled, particularly for january 1, i'm going to continue to focus on that, along with the rest of the team. you know, so it's not really about confidence level right now. it's about focusing on fixing the problem. >> the hangar queen is still at the hangar. i yield back the bounce of my time. >> -- the balance of my time. >> what we're going to do is give each side five more total minutes to get a couple of clarifying questions. if anybody from my side needs that real quick we'll do that. ms. degette. >> mr. chao, i want to thank you for coming and spending the morning with us. i'm going to try to be quick because i'd like you to get back to whatever you're doing and make this thing work, okay? the first thing i want to clear up, because even though i thought we established it, my friends on the other side
7:33 am
continue to ask you about this mckinsey document at tab one. i just want to clarify, you weren't part of this rape teen evaluation, right? >> correct. >> and you didn't really see this document until today, is that correct? >> correct. >> there were a lot of questions people ask you, hypothetical questions people ask you about this evaluation that you really don't know the answer to because you were not involved in the process, and you didn't see the document until today, right? >> correct. >> now, as i understand it, this evaluation was done in march-april 2013, is that your understanding as well, this mckinsey evaluation? >> approximately that time. >> and do you have any knowledge of what that evaluation was supposed to be for? is a snapshot in time, or do you
7:34 am
even know? >> from the interviews that i had with mckinsey, it was about really two things. one was, i spent some time helping mckinsey understand the program. meaning how it worked, where we were in terms of status and schedule. i don't -- i suppose it's also includes a point in time kind of an assessment because i educated them on exactly what was happening up to the date. >> on page four of this assessment, i don't really want you to respond to this because you weren't involved in the document, but i do want to point out there were a lot of questions that were asked today about the current situation involving requirements, multiple definitions of success, et cetera. but the people who are asking those questions today didn't talk about the last thing, which is in bold letters in the box
7:35 am
that says cms has been working to mitigate challenges resulting from program characteristics. this was in march or april. and so without talking about this document necessary, but i think what your job is really, to identify issues throughout and try to mitigate them, is that right? >> correct. >> that's what you tried to do throughout the? >> it is a constant mitigation set of activities. >> and the administration has said, it's going to try to have the federal exchange site working for 80% of people by the end of november, is that right? that's what we've been reading in the press. >> that's what the press quoted. i think we have been saying the vast majority. >> he believed that a reasonable goal at this point? >> i think that's an attainable goal given what i've seen so far. >> do you think it's going to happen? >> i don't think there's any guarantees.
7:36 am
i think we're still in a stage where we are trying to apply as much a due diligence acquiring additional assistance, attacks urge, looking at performance, fixing the functional defects along with making sure that security monitoring is an ongoing basis. i think there's still a lot of moving parts that it wouldn't be prudent to give aid 100% guarantee about where we'd be at on an exact date but we are on the right track. >> what i will say to you is truly, and you've heard this from all of us, all of us were disappointed that it didn't work on october 1. i'm sure you were, to. >> very. >> and so we need this to be essentially working, asap. for one thing, people who want insurance coverage as of january 1 have to sign-up by december 15. so if it's not working for the vast majority of people by the
7:37 am
end of november, that's going to be hard to do, understood? >> we certainly understand. >> one last thing. someone had asked or made the assertion that 60% of the site was not working but i'm told that's not really accurate. that is truly about 30% that's not working. most of that is the backend, which is the payment to insurance companies so that sentences are the part that has to be working at this moment, is that correct? >> it's still being developed and tested. >> but that's the payment to the insurance companies? >> right. which involves testing to treasury and others. >> thank you, mr. chairman. >> recognize what's over five minutes to let me follow up. what you're saying is 30% is yet to develop on the payment and. on october 1, the day it went live, how much of the site was developed at that time? >> probably -- well, 1% of all the priorities that were set for by the business for october 1,
7:38 am
it was up and running. >> but what about the other part? >> i think there was a reprioritization associated with shop employer, shop employee and the spanish website at -- >> but it was crashing for everybody. we've heard it wasn't designed for that many people. it never had ended in testing. you are saying it was 100% ready? >> no. >> i want to understand. >> it was 100% built. >> but just not working? >> yet, working, functionally and -- >> if a car is built but you can't run the car, then the car is not built. if the website is not working it's not built. >> i'm not going to sit and try to do that it was working well, so i do. >> but you said 100% built. i needed to because you said you wish you had more time. you just said to ms. degette
7:39 am
that your job was to identify issues and mitigate them. and since would've liked to have more time and your job was to mitigate them, which have liked to have seen this whole report from mckinsey that identified the problems we did not defind about? >> i don't -- actually i don't think it was necessary because i think this report was for really for marilyn tavenner and others. and it was written for that level of consumption, and that audience. >> but you haven't seen it or you don't know? or do you know? >> i'm just assuming. >> stick with the faction no. seeing is from our john, -- all have briefings on this. are those any people you work with? >> i've been in meetings with several of those.
7:40 am
>> since march and april? >> yes. >> and none of them raise any of these concerns to you who come into identify just up it was your job to identify these issues and mitigate them. that none of them identified with all these interviews, the 200 documents reviewed that there were these problems? >> within my day-to-day operational requirements to manage the contract to manage the schedule, to manage staff and -- >> what you don't measure you get manage and so i'm concerned that this list of people who you work with were not communicating to you this document that you something existed because you were interviewed on it yourself. but here we have this messy rollout that didn't work, that crashed, only six people signed up the first day. still concerned about problems and yet it's puzzling to me why these key people just didn't talk to you about it? they gave you know hints that this existed?
7:41 am
>> perhaps i just was not included in their discussions.
>> if you knew then what you know now, would you have spoken up more with regard to rolling out this website on october 1?
>> i wish i had the luxury of a time machine to go back and change things but i can't do that.
>> but it is a matter that -- did you ask someone at that time for more time?
>> no.
>> why not?
>> because my direction --
>> from?
>> from marilyn tavenner is to have the system and deliver a system on october 1.
>> she had been in on these briefings from mckinsey that said there were serious problems. she was in at least two of them i believe. and this was at hhs headquarters on a -- and also at the eisenhower executive office building on
7:42 am
april 6. she was briefed on these problems but she said moving forward on october 1, and you as the man in charge of making sure this works, she didn't tell you that those problems existed? is that what you're saying today?
>> i can't comment on that.
>> either she told you or she didn't. i'm just curious --
>> i don't think she told me in the context of a briefing. i think we have status meetings all the time in which we talked about ways to mitigate and --
>> so you met with her frequently over those months but she never brought up any of these concerns?
>> not in the mckinsey report, no. i think we talked about issues and priorities for october 1.
>> i see. well, i have no further questions. so, mr. chao, i appreciate you spending so much time with us today. we are going to take a real five -- the real quick five minute break. we will be back in five minutes. again, thank you, mr. chao.
>> thank you.
7:43 am
>> all right. this hearing has reconvened. i would now like to introduce the witnesses on the second panel for today's hearing, and thank you all for being so patient in waiting. our first witness is jason providakes. he is with the center for connected government at the mitre corporation and is director of the centers for medicare and medicaid services alliance to modernize medicare. our second witness is maggie bauer. she is the senior vice president of health services at creative computing solutions inc., also known as ccsi. she has extensive operations management experience, i.t. infrastructure, software lifecycle and end-user support on services that will drive performance-based programs. our third witness is david amsler. he is the founder, president and chief information officer of foreground security. he has more than 15 years of i.t.
7:44 am
experience and oversees the overall customer-centered vision and direction of foreground security. i will now swear in the witnesses. you are all aware that the committee is holding an investigative hearing and when it is doing so has the practice of taking testimony under oath. do you have any objection to testifying under oath? all the witnesses responded in the negative. the chair then advises you that under the rules of the house and the rules of the committee you are entitled to be advised by counsel. do any of you desire to be advised by counsel today? all the witnesses said no. in that case would you please rise, raise your right hand and i will swear you in. [witnesses were sworn in] all the witnesses responded i do. you are under oath and subject to the penalties set forth in title 18 section 1001 of the united states code. we now get a five minute opening
7:45 am
summary of your statement.
>> good morning, chairman murphy and ranking member degette. my name is jason providakes and i am with the mitre corporation. i serve as the director of the not-for-profit, publicly funded research and development center operated by mitre and sponsored by the department of health and human services. mitre is chartered in the public interest to apply systems engineering skills and advanced technology to address issues of critical national importance. we operate research and development centers that support our government sponsors with scientific research and development, analysis, and systems engineering and integration as well. known as federally funded research and development centers, they operate under a set of rules and constraints prescribed by the federal acquisition regulation. the rules are designed to preserve their objectivity, independence and freedom from conflicts of interest. we operate the centers for seven
7:46 am
federal agency sponsors. we were awarded the contract to operate the cms alliance to modernize health care center about a year ago, following a competitive bid. the center is charged with assisting cms in modernizing its operations and supporting the implementation of health reform and the expansion of health care to millions of americans. mitre serves as the technical, independent, objective advisor to cms. we have been supporting cms since about 2005 on a contract basis prior to the establishment of the new center. we advise on health i.t. and policies and provide objective evaluation of business models and new technology. as part of this effort to establish healthcare.gov, cms asked us to conduct security assessments on parts of the site. i appreciate the opportunity to clarify what our role was in assisting cms on healthcare.gov. we provide cms with information
7:47 am
security support and guidance under two contracts, with the office of information systems and the enterprise information systems group. pursuant to task orders issued under the contracts, mitre performed a total of 18 security control assessments, or sca's, for components across the range of cms enterprise systems. most of these were performed on supporting infrastructure and development components. six of the sca's were directly related to healthcare.gov. these were performed between september 2012 and september 2013. mitre performs this task as part of the overall support for cms enterprise security maintenance. a limited amount of that support is in the form of external penetration testing relative to cms websites, including healthcare.gov. mitre is not in charge of security for healthcare.gov. we were not asked nor did we perform end-to-end security
7:48 am
testing. we have no view on the overall safety or security status of healthcare.gov. mitre did not and does not recommend approval or disapproval of an authority to operate. deciding whether and when to grant an ato is the prerogative of the government based on its assessment of overall risk posture, and in this case the government made its decisions based on a large set of inputs and factors, among which were six sca's performed by mitre. we do not have visibility into many of the factors that went into the government's decision. cms did not advise mitre whether or when an ato was granted for the marketplace components being tested. in this case the government made decisions based on a large set of data. again, we were not asked to conduct independent testing outside a set of specific parameters established by cms. we worked alongside the cms contractors and, of course, the
7:49 am
testing to mitigate risks assessed as high, and in almost all cases we succeeded. our testing was accomplished in accordance with standard methodologies. mitre assesses component security control risks against cms-defined security control parameters on a high, moderate and low scale, and we recommend appropriate mitigations. on-site security control testing typically begins on a monday and wraps up within a week, to test against cms-defined security control parameters. over the course of five days of testing, mitre identifies the risks and assigns priorities for risks judged to be at high and moderate levels. security testing is designed to flush out and pinpoint the security weaknesses of the information system. this enables mitigations to be applied and also allows the system operator to make necessary business judgments and trade-offs about the overall system. because our role in performing the security control test was limited in both time and scope,
7:50 am
mitre has no insight into how assessed security control risks were handled or what other risks may have surfaced subsequent to the assessment, nor into the judgment about the potential impact of such risks on overall system operation or performance, or the business judgments made by cms as part of the operating authority. through our broader partnership with the federal government we remain committed to working to enhance the care and delivery of healthcare for all americans. i would be happy to respond to questions.
>> now turn to ms. bauer for her opening statement.
>> good afternoon, chairman murphy, ranking member degette. my name is maggie bauer and i am a senior vice president at creative computing solutions inc., ccsi. i have responsibility for ccsi's federal health contracts including the centers for medicare and medicaid services, veterans affairs, the department of health and human services, the national institutes of health and the military health service.
7:51 am
in addition to health i.t. services, ccsi delivers program and project management services, cybersecurity services and enterprise systems engineering exclusively to the federal government. ccsi was founded in 1992, and in august 2012 cms awarded ccsi a contract to provide security oversight of the cms cloud. the cloud refers to the cms virtual data center which hosts the systems and applications that support the affordable care act. foreground security is a subcontractor to ccsi and we function as a fully integrated team. ccsi's role on this contract is to provide security operations monitoring and management, including 24 by seven security monitoring from a security operations center, otherwise known as a soc. we monitor the perimeter firewall and network devices for the cloud and we scan applications
7:52 am
for security incidents. these scans do not measure or track website downtime. if we detect an anomaly we follow the cms-approved incident response plan procedures for identified security incidents such as network security configuration flaws or vulnerabilities in the network, security devices or an application. our contract does not extend to remediating security incidents. our scope of work includes configuration, tuning, monitoring and management of cms government-furnished equipment that resides in the verizon security monitoring zone. we review log files and conduct analysis, and provide reporting on security incidents. all of this is under the direction and supervision of cms. activities involving the development, scaling, testing, release or administration of the federal exchange program, healthcare.gov, the federal exchange, or the
7:53 am
federally-facilitated marketplace are not within the scope of our contract. i would be pleased to answer any questions you have. thank you.
>> mr. amsler, you're recognized for five minutes.
>> chairman murphy, ranking member degette, members of the subcommittee, good afternoon and thank you for inviting me to testify at this hearing on the security of the website, healthcare.gov. i am the president and chief information officer of foreground security. i also founded the company. we provide cybersecurity consulting, training and services for both private sector and government agencies. our clients include fortune 100 companies, smaller but highly targeted firms, and government agencies. we defend our customers against an increasingly sophisticated threat and threat actors through an integrated approach that entails building security architecture and assessing, monitoring and responding to attacks against
7:54 am
our customers' environments. foreground security is a small but growing, dedicated cybersecurity business located in virginia and florida. our roughly 100 employees are highly trained and committed to serving our clients. foreground security is one of the companies hired to help develop a robust, operational security management program for the new virtual data center created to support the affordable care act. we are a subcontractor to our teammate, creative computing solutions inc., or ccsi, which is a prime contractor for the centers for medicare and medicaid services. our role with ccsi includes a number of objectives related to security monitoring of healthcare.gov. i think of the role as encompassing three phases. first is the creation of the security monitoring environment. this entails getting key staff in place, identifying needed security monitoring software and hardware, and building out a
7:55 am
dedicated security operations center from which all monitoring is performed. second, deploying the security monitoring capabilities identified in phase one into the cloud environment itself. this has been the most challenging part of our contract because we've had to construct security monitoring capability while the system itself is being built. our work on this phase continues. and third is actually monitoring the environment, which itself can be thought of as having two components. one is day to day. ..
7:56 am
>> perspective is important. while our work for cms is essential, it is narrowly focused, and we're not involved in the design of the site, developing the software that runs it, or its administration. to that end, we do not monitor the site for performance purposes. in addition to the other companies represented here today on this panel, we are just one team. verizon, urs, cgi and qssi all play key roles in developing and testing the security of healthcare.gov. i am proud of the work that foreground security has undertaken and continues to
7:57 am
undertake to allow families and individuals looking for health insurance to use the healthcare.gov web site, secure in the knowledge that their personal information is being protected with state of the art monitoring and defenses. to this point, foreground security has fulfilled its obligations to cms on time and under budget. we are dedicated to the secure operation of healthcare.gov and take extremely seriously our obligations to the public trust. i welcome any questions you may have.
>> thank you, mr. amsler. a couple questions i want to begin with. first of all, let me start with you. you were here throughout mr. chao's testimony, all three of you were. do you have any concerns about the comments made by mr. chao?
>> i wouldn't have any --
>> mr. providakes?
>> no concerns.
>> you had said that verizon, terremark, urs and qssi all
7:58 am
played key roles in developing and testing the security of healthcare.gov. are you also referring to ms. bauer's company?
>> i view them as one of us.
>> i thought in her testimony she said they were not that involved, so let me ask you, with this many companies involved, who did you all report to?
>> our customer was cms and the security --
>> is there a person?
>> our direct government technical lead's name is tom schankweiler.
>> and with regard to this, with all these companies playing key roles in developing and testing the security, is that typical, to have so many companies involved as opposed to one that's tried to do end-to-end work on this?
>> we've experienced all sizes of implementations. this one is, obviously, certainly one of the largest i've ever seen undertaken. i've certainly seen lots of people involved, but probably not this many.
>> mr. providakes, is this typical to have so many companies involved in dealing
7:59 am
with the security on this site?
>> not nearly the number of companies involved, but having two or three is not atypical given the complexity --
>> i just wonder if that added to the complexity of trying to monitor the security of the site.
>> if it's well managed from a program perspective --
>> was it well managed?
>> i would not know.
>> from your perspective?
>> i don't -- we weren't involved at that level --
>> ms. bauer, were you involved at that level, and was it well managed from your point of view?
>> management from cms has been on a very regular basis. we have daily meetings. in fact, since healthcare.gov went live, those meetings actually began or ramped up, i should say, to hourly and then backed away to about every four hours, and now they're on a shift basis --
>> you said activities involving administration of the federal exchange system, the federal exchange or the federally-facilitated marketplace
8:00 am
are not within the scope of your contract, so you were not involved in the security issues involved with those web sites?
>> the security, yes, but not the development, scaling or testing of the --
>> were you involved with the testing of the security?
>> yes.
>> and was it working?
>> yes.
>> at october 1?
>> everything that was under our scope --
>> under your scope.
>> yes.
>> but in terms of how it relates to other parts, you don't know?
>> i would not know that.
>> okay. mr. amsler, were your parts working okay, and was that also tested in regard to the others?
>> congressman, to be clear, as far as our work is concerned, our focused work around operational monitoring, security and some testing, we absolutely were working. i can't speak to the rest of the groups and the teams that were involved in development or even the --
>> what i'm trying to find out was that typical, atypical, and would you be concerned about how your parts