Key Capitol Hill Hearings, CSPAN, January 21, 2014, 2:00pm-4:01pm EST
2:00 pm
>> They are all from the report that was not published, and as they put up a slide I want to first -- this particular slide, these slides were provided to us after we initially interviewed you. This was a memo never sent. Would you please tell us why this memo was never sent? >> So, this was a memo that I initially was drafting to the chief information officer -- >> Right. And you chose not to send it because of -- >> Because events have taken place the next week with common
2:01 pm
with the chief information officer. >> In other words -- >> So overcome by events. >> It is still a good one for us to look at because it's consistent with the recommendations and your thoughts at the time. In slide one of the draft, you wrote FFM does not reasonably meet the CMS security requirements, which are intended to minimize CMS business risk. Is that correct? >> During the security assessment that was conducted in September, the security testing was not able to be completed. They were able to test completely -- >> But these are your words? >> Yes. >> Additionally you said there's also no confidence that personally identifiable information will be protected, correct? >> Again, during testing --
2:02 pm
But these are your words. >> I drafted this initial memo. >> These are consistent with what you were saying in the September 25 -- ? >> This memo is capturing the briefing we gave to Mr. Charest and Mr. Baitman. >> So the other two witnesses knew that -- these are your words, but paraphrase what you told them -- there's also no confidence that personally identifiable information will be protected. >> Again, it was the result of the security testing in that regard. >> You wrote -- go put that up -- the independent assessor was forced to test different modules in multiple environments. In other words, no end-to-end, you know, as-it-was-going-to-be-launched testing, correct? >> Yes. >> In slide 1-C, you wrote complete end-to-end testing of FFM never occurred, that's
2:03 pm
correct? >> That's right. >> That's best practices, of course, right? >> Yes. >> You testified in your opening that on September 18 end-to-end testing was completed and that's why you now have confidence that at least the snapshot of the site as it was that day would meet the requirements, subject to additional changes that occur in maintenance and modification? >> On the testing that was conducted September 18, yes. >> In slide 1-C you wrote the majority of the efforts were focused on testing expected functionality of the application, not security. Is that correct? >> Yes. >> Again, in slide 1-C you wrote several factors contributed to the modules and their interconnects. Can you explain why this could be a problem? I guess what you're saying is, you're concerned about the area, is
2:04 pm
that right? >> Again, this is a memo I was drafting but I didn't complete, so some of these things have not been done. >> Slide 1-C also says valid test data was not provided prior to testing to give a true environment, correct? >> Yes. Normally it is put into the system for the security testers beforehand so it doesn't delay testing. >> It's common to get real data, or simulated data that is substantially real in both size and in cells and information, in order to do a real assessment, and that wasn't done. Is that correct? >> Yes, it was just a delay in getting the test data put in. >> So the two witnesses here were aware of essentially this information when you made your recommendation that it wasn't,
2:05 pm
or you were uncomfortable with one, that it was ready, because there was a lack of end-to-end testing and the like, correct? >> My responsibility as the chief information security officer is to give an assessment to the chief information officer on a risk that was discovered during -- >> And Mr. Charest of course was aware of this concern plus the independent ones. Mr. Baitman, in yesterday's testimony -- you told us that you recommended a less than full rollout in a meeting September 10, essentially saying, with what the problems were and so on, best practices in your opinion would've been to roll out a portion of this rather than the size and scope it was rolled out on October 1. You didn't characterize it completely as a recommendation, but it was certainly something you put out. In retrospect, would you have preferred that to be the way this site launched? In other words, more like a beta in order to mitigate what we now
2:06 pm
know was pretty much a bad launch? >> As you point out it wasn't actually a recommendation, but it was a discussion topic for the meeting and was based upon my experience, having seen this being done elsewhere. Sometimes it is referred to as a beta launch. It would be a controlled and measured launch. In retrospect I don't know that I can say, because I didn't have direct knowledge of the system, the operational development. >> Thank you. Mr. Cummings. >> Thank you very much, Mr. Chairman. Over the past few months, there were a number of extraordinarily unfounded claims about the security of healthcare.gov. This scare factor appears to be part of a campaign to frighten people away from healthcare.gov's website, so I want to make sure we separate fact from fiction today and tell the American people the whole truth. I would like to go down the line with each of you and ask whether
2:07 pm
there have been any successful attacks against the website. Mr. Charest, let me start with you. You oversee HHS's incident response team, is that right? >> Yes, sir. >> If there is an attack on healthcare.gov you would know about it, right? >> Yes, sir. >> To date -- I want you to look at me now -- has there been a single successful security attack against healthcare.gov by a domestic hacker, foreign, bad actor, or any other malicious individual or group? >> No, sir. There have been no reported attacks of any type, either domestic or foreign. >> Mr. Baitman, let me turn to you. You are the chief information officer at HHS. My constituents are looking at you, depending on your information. Have there been any successful attacks against the website? >> There have been no reported attacks on this website.
2:08 pm
>> Ms. Fryer, you are the chief information security officer for CMS. Have there been any successful attacks against the website? >> No, no successful attacks. >> You all agree over the past three and a half months since the website has been live, there have been no successful attacks against the website? I think this is a very, very critical point. Last November a CIO testified before the House Energy and Commerce Committee -- his company is one of the contractors that conducts continuous security monitoring of the website -- the CIO testified that nobody would guarantee with 100% certainty that healthcare.gov was secured from external hackers. Do you all agree with that? >> Yes, sir. >> Yes, I do. >> And he stated this, and I
2:09 pm
quote, he said, I also would say the same thing about Facebook or any banking website as well, end quote. Dr. Charest, Mr. Baitman, during your interviews with the committee staff you told us that you agreed with this statement. You have both worked in the private sector. Can you both explain why healthcare.gov is no more risky than commercial sites like Facebook? >> Yes, sir. In essence there are always vulnerabilities. There's a number of vulnerabilities. All of these sites have underlying infrastructure, third party software; all of these variables coming together create an environment which can be compromised at any time. They have to be vigilant. As a defender we have to defend against every possible attack, and the attacker in essence has to find the one way in which we have not defended. So they are all always at some level of risk.
2:10 pm
>> Mr. Baitman, do you have anything to add, or do you agree or disagree? >> I agree. No site is perfect and we need to be vigilant, which is why we have layers of security. >> Now, although there have been no successful attacks against healthcare.gov to date, we have to keep in mind that there are constant attempts by malicious individuals and groups, both domestic and foreign, that attack large, complex government I.T. systems. We are all concerned about that, both Republicans and Democrats. While we have to remain one step ahead of the hackers, I thank you for clearing all this up. Our job is to ensure that the American people have accurate information so that they are not wrongfully deterred from getting the health care coverage they need and deserve. I want to go briefly, Ms. Fryer. The chairman asked you some questions. I want to summarize as a close. I want to make sure that I have this right, so let me ask you a series of very quick questions.
2:11 pm
the draft memorandum that he talked about, you're familiar, right? Did you ever send that memo to anybody, anybody? >> No, I did not. >> You never sent it to your boss? >> No. >> You never sent it to Administrator Tavenner? >> No. >> So you never pressed the send button? >> No. >> During your interview with the committee staff you explained you stopped working on the memo and put it aside after you found out that your superiors were moving forward, September 27, which included the mitigation methods we had been discussing. Is that right? >> Yes. >> Did you ever finalize your draft memo? >> No. >> You never finished it. Do you know if all of the information in the memorandum is accurate? >> No, sir. I'm still validating the information. >> Very well. Thank you, Mr. Chairman.
2:12 pm
>> Thank you. Mr. Mica. >> Well, just a commentary. I heard the ranking member start out. I'm as concerned. I come from a family that didn't have health care at times in our life and there are about 42-45 million Americans that don't have health care. And yet we rolled out a flawed system. Everyone from the President of the United States to members of Congress on both sides of the aisle said the rollout from a technical standpoint was a meltdown and a fiasco. That was accessing it. We signed up about 1 million people. I'm one of the unwilling participants in that, and others had no other choice, really. But we knocked 6 million people off of the health care system. This is a great record of success. We probably left 41-44 million
2:13 pm
people still without health care. I just had to comment when I heard that. Ms. Fryer, you didn't backtrack on this memo of the 24th -- you did, in fact, draft this memo on the 24th, right? >> Yes. >> This platform basically doesn't meet the CMS security requirements, which are intended to minimize CMS business risks, enterprise risk or the application risk. There's also no confidence that the personally identifiable information will be protected. You wrote that on the 24th, right? >> Yes. >> The 27th, what happened? Ms. Tavenner, didn't she sign the authority to operate? On the 27th she signed the authority to operate. Is that the event that overcame this? You wrote the memo. Who did you share the contents
2:14 pm
of the memo with? There wasn't a choice when this -- bad enough to think it would work from a technical standpoint, or millions of people who want health care couldn't access the system. I was served by a waitress the other day and she said, I wanted to get on it. I still don't have it because I couldn't access it. But it was flawed from the standpoint of being able to access it or work from an operational standpoint, right? >> My responsibility -- >> At least initially. >> My responsibility was to brief my management -- >> You are security. But you wrote that it was ready for prime time rollout for security, right? The events that overtook this, the event was, in fact, that Ms. Tavenner -- and she signed the ATO. Did you sign the ATO? >> No, I did not. Not my responsibility.
2:15 pm
>> You put a little caveat to protect your rear end, kind of. You put a paragraph at the end of the ATO, didn't you? >> My responsibility is to brief the CIO on -- >> The lady -- the gentleman will suspend. >> Mr. Chairman, I would like to suggest that we all speak -- >> The gentlelady will state her point of parliamentary inquiry, please. >> Personal privilege. >> Point of personal privilege. Please state it. >> I think we should show respect to the persons who are -- >> That is not a point of personal privilege. Please state the point of privilege. >> I am offended. >> If the gentlelady can organize an actual procedural request, we will reconsider it at the time. The gentleman may continue. >> I understand, and again, protecting yourself -- I may have used a term that some member found offensive, protecting your rear end. Everybody does it around
2:16 pm
here. Ms. Fryer, last September you testified that prior to the October 1 launch you recommended to deny the exchange's authority to operate, also known as the ATO, which is a document necessary for the website. For the record, is that accurate? >> Yes. >> Why did you make this recommendation? >> In testing in September, there were some issues that were encountered during the testing, so there was a level of uncertainty as to the known risk. >> Who did you make the recommendation to? >> My responsibility is to make the recommendation to my management and the chief information officer of CMS. >> Ms. Fryer, you also testified that you communicated your recommendation to Mr. Trenkle and shared your concern. Is that correct? >> Yes. >> Did he sign the authority to operate, again, the ATO? >> No, he did not.
2:17 pm
>> He did not. When did you learn Mr. Trenkle was also not comfortable enough to sign the ATO? >> It was probably during our conversation, during the security testing, whenever problems were being encountered. >> And on September 20 when I briefed him, Mr. Trenkle and Mr. Baitman. >> Did he tell you why he decided not to sign the ATO? >> No, he did not. >> Did you brief Administrator Tavenner on the security risk in the federal exchange? >> No, I did not. >> The gentleman's time has expired. >> You may answer. >> No, sir. I never briefed -- >> Could you repeat the question? >> Did you counsel with Ms. Tavenner on security issues? >> No, I did not. >> The gentleman from Massachusetts is recognized. >> Thank all the witnesses for
2:18 pm
working, for being here today. Essentially what we've established is that there was a memorandum that allowed the majority early on to raise the specter of problems, only to find out it was never sent to anyone because those issues had been addressed and dealt with, and now we have a system that has not had any successful attack, hack attack, since then. But we continue to go over and over and over this, because if we do go over and over, maybe somebody will think there is a real problem. But let's talk about the real problem. We spent time doing that on this committee, the Oversight Committee, held hearings and subpoenaed documents and conducted interviews, Mr. Baitman, ad nauseam with respect to you at least. The good news is there have been no successful attacks against the website, but every day people do attempt, from time to time. So I have a modest suggestion. Why don't we try to find out who is doing that? This is an oversight, investigatory committee. It seems to me if we have a website and people want to get health care but there are people trying to prevent them from
2:19 pm
doing that -- by that I don't reference my colleagues, I reference the people who are trying -- although many people are tired of the efforts, I'm talking of people who are trying to get into the system and destroy it. We ought to go after the bad guys on that basis. There are reports, a wide range of reports, describing some of the malicious groups that are organizing to try to do this. One example is a group that developed a program called Destroy Obamacare. Do you agree with that statement? >> Yes, I've seen reports of that. >> Apparently what they were doing was trying to have a denial of service tool. Can you explain what that is? >> Yes, sir. In the case of Destroy Obamacare, the basic premise is to flood the website with potentially even appropriate traffic, such that legitimate users cannot access the site. It's overloaded, in essence.
2:20 pm
>> So the specter being raised is trying to be made true by people taking overt action, would that be right? >> Yes. >> Reports indicate these are right wing groups motivated not by financial gain but by sort of political animus. They disagree with the Affordable Care Act, so they've been intentionally blocking applicants from getting access and getting the rights afforded to them under the law. Is it a crime, Dr. Charest, for them to do this? >> I'm not an attorney. I believe it is. >> Who investigates those types of attacks? >> In the event -- and we did investigate the Destroy Obamacare code, not the actors, that's not our role, but the attacks proved to be rudimentary, but we did report, as we will report all the -- to the Inspector General, and they would indeed investigate if appropriate. >> They would investigate who the individuals leading this attack are? >> That's my understanding.
2:21 pm
They would have to tell you their procedures. >> And perhaps that's a good action for this committee, to meet with those people and find out where they're going and what they're finding out. Does your incident response team, in terms of taking up these allegations to look to see what undermines it -- does it trace back on the site where it may originate or where the site is hosted? >> Yes, sir. We will trace back what we call the command and control, all the elements of the attack, as best as we can, and then we will share that with DHS, law enforcement and others as appropriate. >> Do you think if the right people were investigating this they would be able to locate or find who these people are? >> It's possible, but these things are fairly mercurial. IP addresses are rapidly changing as websites come up and down pretty often. The reality is, though, that very often they are found. >> It's because of that mercurial aspect,
2:22 pm
that you've stressed the need for layered security, correct? >> Yes. >> And that security once again has been successful to date in stopping any successful hacking attack? >> Yes, sir. To date it has. >> But because of all systems, public or private, we have to be vigilant, and that is exactly what you all are doing, correct? >> Yes, sir. Around the clock. >> I think I would ask that the committee consider an investigation pursuing those who are making attempts to attack and hack this site, whether for political animus or any other means. I think that would be an appropriate activity for us to do. That seems to be the real danger here, interfering with people's rights to health care under the plan. >> The gentleman is absolutely right. Cybersecurity is part of our core jurisdiction. Mr. Connolly and I also spoke this morning at a cloud computing conference. So that is an area of not only interest but a willingness to
2:23 pm
put staff and dais time into. If I may -- Mr. Cummings and I have been discussing, I'll be brief, the fact that we need to link in as part of our committee jurisdiction other areas of practice within the federal government, but also a recognition that those things have to be rippled out to private corporations, the banking community. Certainly Target has been mentioned here, but it wasn't the only commercial site hacked during this period of time. So I join with the gentleman, and you can count on there being a series of briefings and possible committee hearings. >> I thank the chairman. Yield back. >> We now go to the gentleman from Michigan. >> Thank you, Mr. Chairman. And thanks to the witnesses for being here. Ms. Fryer, we've dealt with the memo and your ultimate decision not to send it, but I think there are still questions that are there and it can't be just simply an
2:24 pm
out-of-sight, out-of-mind issue. So let me ask you a question. In your testimony last month before the committee, you characterized the mitigation plan identified in the risk decision memo as, quote, added protection to compensate for those unknown risks. What did you mean by this, specifically those unknown risks? >> The security testing in September was not to the level that was expected. So they weren't able to test fully for the confidentiality and integrity areas. So in order to compensate -- compensating controls -- we added, those were additional protections for the overall marketplace system. >> Is the mitigation able to effectively address the vulnerabilities in the nearly half of the modules that make up the marketplace that were not fully security tested? >> It was layered protections. Layered protection was put into place to mitigate the risks of
2:25 pm
those -- you can't mitigate unknown risks. So again, we have those protections in place. >> Based upon that, let me go on. Ms. Fryer and Mr. Charest, is it true a good security control assessment makes it easier to create a good, tight mitigation plan? >> I would say so, yes, sir. >> Would you agree, Ms. Fryer? >> Yes, I do. >> Is it true that the more understood the risk, the better it is to create a plan to address those risks? >> Yes, sir, it is. >> Just establishing a pattern here. >> It is. >> Is it possible to mitigate unknown risks? >> I don't know of any way to do that. >> No, sir. >> How difficult is it to mitigate unknown risk?
2:26 pm
>> There are always unknown risks, so when you say how to mitigate a specific unknown risk, obviously it is unknown, so what you do is you create an environment, as we have, which is a strategy, the infrastructural component. It's the methodology that is utilized for your I.T. systems. It's the preponderance of all of these elements and then those teams that are assigned to watch those that will allow you to, in essence, address unknown risks. >> But clearly, with this testimony, to advance the rollout with unknown risks out there, with unclear mitigation, certainly appears, I think to this committee, to be a concern worth addressing and worth having these hearings over. >> Would the gentleman yield? I think the gentleman makes a good point and I might note that
2:27 pm
Ms. Fryer had made it clear that there were tests that could've been done that would have caused the unknown risk to be less unknown. >> I concur. Mr. Baitman, Ms. Fryer had a discussion with you about the security risk of healthcare.gov, correct? >> There was a videoconference call, I think you're probably referring to September 20. >> You had a discussion. >> That's right. >> What did Ms. Fryer tell you in that video conference call? >> As I recall, the CIO of CMS at the time was Tony Trenkle, and I believe Tony said that both he and Ms. Fryer were uncomfortable with signing the ATO. >> Did you relate that discomfort to anyone about healthcare.gov who had the authority to operate within HHS?
2:28 pm
>> I'm sorry, I didn't understand. >> Did you relate Ms. Fryer's discomfort with the risk in signing the authority to operate with HHS? >> Yes, I did. >> Did you tell this information to anyone, including Ned Holland and/or Jim Thorpe? >> I shared it with a few people. Ned Holland and the deputy secretary, yes. >> What did you tell them? >> I thought it was noteworthy that the chief information security officer for CMS had expressed that she was uncomfortable signing it. On the other hand, I didn't consider it a red flag, so I wanted to share it with them, but Ms. Fryer wasn't the operational security person, and CMS has an official who is responsible for that. So I thought he was probably in a better position to know what changes had been made and what was going to launch on October 1. >> The gentleman's time has expired.
2:29 pm
We now go to the gentleman from Massachusetts, Mr. Lynch, for five minutes. >> Thank you, Mr. Chairman. I thank the ranking member as well. Mr. Baitman, I want to go back -- some previous questioning, I'm not sure if it was Mr. Cummings or Mr. Tierney, but it talked about the beta approach that you referred to. I just want to be clear on this. During your interview with the committee, you had said earlier that your suggestion about the beta approach was based on your sort of general experience in the private sector with the rollout of I.T. systems, again, in the private sector. Is that correct? >> That is correct. >> So you explained your suggestion had nothing to do with security concerns with regard to the website? >> No, I did not have any direct knowledge of functional or security issues. It was more of a, this is a big,
2:30 pm
large, complex system and this is, you know, an approach that will minimize any challenges. >> Okay. I just wanted to be clear. In fact, you told us in your previous testimony that on September 10 you had no specific knowledge of any security concerns with the website. Is that still correct? >> No specific concerns, no. >> I do want -- I know we're talking about the technology, and I want a moment of complete disclosure. I voted against the Affordable Care Act for a whole slew of reasons. However, this is not one of them. This was supposed to be the easy part, this rollout of getting everybody up and on the system. So it is discouraging. I've had a chance to meet with -- but I do want to say this is the law. I voted against it because I didn't think it was being done the right way. People can differ on that, but I
2:31 pm
see my role going forward as one of making sure the people I represent have decent, affordable, high quality health care. That's my role going forward and I think that should be everyone's goal here. But I had an opportunity to sit with the folks who are running the Massachusetts Connector, the Health Connector, and some of the folks that are going out to sign everybody up, and I have one question. I read the security document for the Massachusetts Health Connector, and, of course, I can't locate it right now, but anyway, what it says in the security section regarding personally identifiable information -- it talks about all the precautions they are taking. But then it says, it's sort of an odd wrinkle, it says, it talks about the precautions they're taking, but then it says,
2:32 pm
however, once you voluntarily submit personally identifiable information to us, the Health Connector, related to your use of the portal, its dissemination is governed by the public records law, the Fair Information Practices Act of Massachusetts General Law 66A, and so forth. And they had this one called out in bold. It says, for this reason part or all of the information you send us may be provided to a member of the public in response to a public records request. I don't think that's what we intended when we passed that law in Massachusetts, but I know there are a whole lot of laws all across, probably in all 50 states and the District of Columbia, that have the public records accessibility. I'm not sure if Mr. Charest or Ms. Fryer or you, Mr. Baitman, might have some comment on that. Is that something that we're going to have to go back to all 50
2:33 pm
states and say, we don't mean that your personal information should be accessible to a records request? Have you thought about that? >> I have to say I don't think I'm in a position to answer that, unfortunately. >> Ms. Fryer? >> Same here. >> Okay. Mr. Charest? >> I am from Massachusetts and, unfortunately, I still can't address it. >> That's three strikes and I'm out, I guess. Well, I just want to say I appreciate your efforts and your good work on this. And I yield back the balance of my time. >> Would the gentleman yield? >> Sure I would. >> One quick follow-up. You said Ms. Fryer's concern did not raise a red flag. Do you really mean that her being uncomfortable with the launch didn't raise a red flag simply because, even though she was knowledgeable, she wasn't
2:34 pm
quote, the one in charge? >> That is what I mean, yes. >> I wish you would've said that yesterday in the testimony. Mr. Meehan is recognized for five minutes. >> I thank you, Mr. Chairman. What is a successful attack? >> It could be defined in a number of ways, but basically where the attacker actually has penetrated the system and/or compromised the system, or, as we call it, exfiltrated it, meaning taken something away from the system. >> At this point in time then, this is the testimony I'm kind of interested in, on the record. Mr. Chairman, or the ranking member, went through this with both you and Ms. Fryer. And it is your testimony that there has been no reported successful attack? >> That is correct. >> I know from my work with
2:35 pm
chairing the cybersecurity committee for Homeland, a million hits a day on our banking systems and things like this, Chinese hackers now. The record indicates that Chinese hackers came in in November and tried to get into the system. Is that the last time they've ever done it? >> I just want to -- there are attempts all the time by would-be attackers. >> What I'm trying to say, we would have maybe 30, 40, 50,000 navigators around the United States dealing with personally identifying information. We have Chinese hackers doing millions of attacks a day. Sophisticated Russians. With sophisticated networks that broke into Target. They didn't know, with the most secure systems, they didn't know for quite a bit of time, did they? But somehow there hasn't been a successful attack since this has rolled out, this system?
2:36 pm
>> That is correct, sir. >> All right. I'm still struggling with the idea of how this thing was approved, the ATO decision was made, from my work with FISMA. Let me ask you specifically, was there a security assessment plan that was done prior to the ATO decision? Ms. Fryer, was there a security assessment plan completed and done by HHS prior to the decision that was made? >> So let me clarify. There is a security test plan that was created before the testing was conducted in September. And yes, there was a security control assessment report that was completed after the testing. >> Have you turned over that plan and that assessment to this
2:37 pm
committee? >> I can't answer that question. >> Will you turn over that plan and that assessment to this committee? >> I would have to bring that back to my -- >> Why is that a difficult question? Will you turn it over to my committee on cybersecurity, Homeland Security? >> I believe that those documents have been turned over. They are sensitive documents, so usually we don't like to have them out there, but I believe -- >> It's my understanding that, in fact, the testing preceded the completion of those documents, the plan and the final assessment. Is that accurate? >> The testing is conducted and then the security control assessment report is delivered by the contractor. >> MITRE didn't have access to the full -- doesn't it need access to the full scope of the network? >> I didn't understand that question, scope --
2:38 pm
>> Did they have full access to the information system and the environment of operation? >> They had access -- >> Did they have -- MITRE was the contractor -- is it your testimony that during the period of time when they were supposed to be preparing this report, which is required under the law under FISMA, MITRE had proper access to the information system and environment of operations specifically? >> To the system that was being tested, yes. >> Was it the system being tested or the full system? Not the system that was being tested, because what we had was parts of the system being tested. FISMA doesn't authorize parts of the system being tested. It requires under the law the entirety of the system. >> They tested what was in scope of the security test plan that was provided by -- >> That's why I want to see the scope of the test plan.
2:39 pm
Not for the parts of the security but the entirety of the system. Was the security test plan dealing with the entirety of the system prior to the ATO being made? >> The gentleman's time has expired. You may answer, and I think including the words end-to-end is perhaps the thing that is appropriate. >> If I understand, you're requesting the security test plan and -- >> I want the security test plan. I want the security assessment, and then I want the remediation that was done by the contractor and HHS in which they resolved all of those issues. And I want to know that they were all done prior to the approval of the ATO, which is required under the FISMA law. >> Yes, sir. And I will bring that back. >> Thank you. I will note for the committee that we were unaware of the December 18 study; it was not provided even though we believe it would be appropriate pursuant to
2:40 pm
the subpoena that was already in place. and it is my intention to issue a new subpoena to make sure there is no doubt that that document, which we were not aware of as of yesterday, has not been provided. and for the record, those documents have not been provided by hhs. mr. connolly. >> thank you, mr. chairman. it is my understanding that an unredacted copy of the test results was subpoenaed and was provided to this committee, is that correct, ms. fryer? >> yes, i believe the testing document -- if it's the december 1, like i said, i have to bring that request back. >> okay. >> mr. connolly? if i may. this is off the clock but i want to make sure your question is clear. mitre corporation, pursuant to subpoena, supplied us documents; neither hhs nor cms has provided such documents. >> thank you for the clarification. mr. baitman, let me express my
2:41 pm
regret that you were given so little notice before being asked to testify here today. for a committee that insists on better compliance from various federal agencies, and in a timely fashion, sometimes we seem to have a double standard, or it might be perceived that way. i want to ask about security. when i heard some of the statements, especially the opening statement of the chairman, it sounded scary to me. it sounded like only healthcare.gov represents a security, a potential security, cybersecurity threat to everybody's health care in america. and, of course, as you indicated, mr. charest, cybersecurity attacks are going on all the time in the private sector as well as in the public sector. the game here is to stay ahead of it and develop systems to try to prevent it, to track it down,
2:42 pm
and that's going to be an ongoing battle forever, for everybody, because of the nature of technology. do you think that's a fair statement? >> yes, sir. we believe we have excellent job security. >> i want to ask about, because several of us were asking for clarification of protocols to safeguard sensitive documents. ms. fryer and mr. baitman, if i'm hearing you correctly, there is reason to be concerned about providing us with very sensitive documents that could somehow be compromised. obviously unwittingly. nobody on this committee would ever leak anything to the press. but leaving it around by accident or whatever could, in fact, lead to the very result this hearing is all about trying to deter, which is the compromise of consumer information.
2:43 pm
i quote the president and ceo of mitre, who wrote to the chairman of the committee and said in the wrong hands, this information could cause irreparable harm to the basic security architecture of healthcare.gov, and potentially the security of other cms data networks. is that a fair concern, mr. baitman, ms. fryer? >> i believe it is a fair concern. i think that some documents could, if they were made public, provide a roadmap to an attack. >> the very thing we're having a hearing about today, we could, again, unwittingly actually be part of the problem if we don't establish clear guidelines, clear protocols for the security of such information. fair statement, ms. fryer? >> yes. these are sensitive documents. >> so if someone were to leak them, for example, someone got into, i don't know, a subpoena
2:44 pm
for example, and somebody decided, as the ranking member said, a phrase he used, to cherry pick information and leak it to the press, again, not that that would ever happen here on this committee, but if that were to happen, it could actually leak or compromise and degrade the security system you're trying to put in place, is that correct? >> yes, it is. >> mr. baitman, do you want to comment on that? you come from the private sector. you are looking at this from a little different level on these issues, looking at how cms and your other departments are handling it. are you comfortable that we have strict protocols in place on this committee, for example, such that your concern would be abated? >> i'm not familiar with the protocol. >> ms. fryer? >> again, i don't know about
2:45 pm
your protocols. >> you don't know about our protocols. so, mr. charest? >> no, sir. i'm not familiar with the protocols but i am concerned. >> allegedly we have asked an outside security agency to look at your security measures. are you familiar with that? do you know who that outside -- the democrats, as far as i know, were not informed as to who that was and whether they'll come to some kind of conclusion. you were here seven hours, mr. baitman. did anyone talk to you about that? >> i was unaware of that. >> so are we. i thank you. my time is up. >> the gentleman from oklahoma, mr. lankford, is recognized. >> thank you, mr. chairman. mr. baitman, i want to follow up on the statement you made earlier, that the chairman had also mentioned, about ms. fryer and tony trenkle making statements or recommendations to say that they were not comfortable giving authority to operate based on
2:46 pm
security issues. you said that's not a red flag because someone else has responsibility for that. who is that other person? >> well, as i understand it, the healthcare.gov project was built across the various parts of cms, some of which were not under mr. trenkle's leadership. they also had a cms official who was responsible for all operational security for healthcare.gov, and that person was on the ground and, obviously, more closely focused on that. ultimately, though, i thought it was appropriate that ms. tavenner, as the administrator for cms, be the individual -- because the project was large and had been done across certain parts -- >> as a leader that has staff around as well, i gather the information from multiple staff and have to make the final decision, even though ms. fryer's
2:47 pm
recommendation and tony trenkle's statement about the security was that it is not ready, it is a high risk. was that given to ms. tavenner before she made her decision? >> i actually don't know. >> would you assume that would be given to her? >> i would assume she would be briefed, yes. >> it would be an issue to me to make a decision and then to find out later that i had staff around me that had recommended this was a bad issue, but that information never landed on my desk because someone stopped it. so you passed on the information ms. fryer and tony trenkle gave to you, and was it their responsibility to pass it on to ms. tavenner? >> as i said, the project was run within cms, so i assume that various parts of cms were running the project. >> right. but you were on the phone with them getting information saying this is not ready, we're at a high risk. did that stop you or did you say -- someone else will pick that up?
2:48 pm
>> during that conversation they actually told me that they were going to bring the decision whether or not the ato would be signed to ms. tavenner. >> who is that, they? >> tony trenkle, who was the cio at the time, and teresa fryer. >> ms. fryer, were you part of the responsibility of reporting that to ms. tavenner? >> no, i was not. >> do you know how that was reported to her, or if it was? >> i don't know that. >> you don't know if tony trenkle passed that on as well? >> no, i don't. >> in october of last year, secretary sebelius said in an ideal world we would get a lot more testing, but we didn't have the luxury of that, and the launch go time was october 1. chief operating officer michelle snyder was also asked why october 1 was asked -- was chosen as a launch date. the launch date. ms. fryer, is it your understanding october 1 was required by the
2:49 pm
law to be launched at? >> no, i don't know that answer. >> did anyone repeat to you, we have security issues, but we have to go october 1, that's the law? >> they did not. >> mr. charest, were you aware of any provision that october 1 was the launch date? >> no, sir. >> did anyone state to you we've got to because the law requires this? [inaudible] >> mr. baitman, did you have any knowledge that the statute required october 1? >> i don't have any knowledge. when i joined hhs it was already ordained october 1 was the date. >> do you know of any reason, with security questions and issues, if october 1 is not in a statute, if we have issues maybe we should stall this until we deal with some of the security issues, until we are ready to go? >> we work on a federated structure, so cms had direct knowledge of what the requirements were. >> is there any possibility that there may be a mistaken belief about the october 1 date, that the
2:50 pm
secretary states in october that the law requires us, that the administration was working under the belief that the law required october 1? >> i can't speak for why other people have their opinions. >> mr. baitman, you testified you wanted to use a phased rollout. was that suggestion taken? >> it was a beta launch. no, that wasn't the approach that was taken. >> did you ask why? obviously by mid-october, in quiet moments at your house, surely you had some thoughts, probably would've been better to do a beta rollout. any idea why that suggestion was ignored or delayed? >> at the meeting you are referring to, cms indicated, and cms was in the best position to know, that they were confident we would be ready october 1. >> confidence seems to be misplaced. i yield back.
2:51 pm
>> the gentlelady from illinois, ms. duckworth, is recognized. >> thank you, mr. chairman. i strongly believe that when my constituents trust their data with the government, the last thing they should be concerned about is that their personal data is being compromised. security should be a top priority for any government website. i'd like you to sort of bear with me as we go through exactly what is in place, to make sure that i have a better understanding, because we sort of talked about different things. ms. fryer, could you walk me through the security precautions? you mentioned there were many different layers that are in place. could you explain what those three layers of protection are and what procedures and processes are used? >> there's the operational security, the day-to-day activities. there's code software review. that's the operational marketplace security team that does those activities. they also have continuous monitoring. they have a group that has continuous monitoring tools in
2:52 pm
place as well, and then there's my group that is the oversight, who are the eight for cms, and we also have continuous monitoring tools in place as well as penetration tests that try to go in and hack into the system, and penetrate the system. hhs also has tools and insight into our system. so there's a layered protection of security for all of our cms systems. >> so basically you're saying it's not just the people who report to you, but there are other groups of government employees and contractors who oversee and conduct day-to-day security activities, right? >> yes. many business and information system owners have the day-to-day security activities, as well as my office. >> are there systems in place, for example, with cms to ensure that the code is security tested on an ongoing basis, not just when it is implemented but on an
2:53 pm
ongoing basis, with secure code? >> yes. any time a change is made to a system they have to do code reviews. there's a very strict management process that is followed before the change is put into production. >> i also understand there is penetration detection, weekly scanning and penetration testing of perimeter devices such as firewalls, is that correct? >> yes. that's above and beyond best practices. we do weekly scans of all the perimeter devices and all the external web servers that are related to marketplace. >> touching on what you're saying about the best practices, are you confident that the security systems and procedures that are in place are well within -- in line with similar types of security that is needed
2:54 pm
for other websites? >> yes, i do. >> mr. baitman, how does that compare to industry? >> i would say the federal government's practices -- i consider government generally exceeding industry. >> okay, thank you. have all of these layers been in place since the website was launched in october? >> yes. >> still in place and ongoing? >> yes. >> does cms have a security team dedicated to ensuring that these multiple layers of protection are overlapping? >> yes. that was part of the ato memo. myself, i'm part of that team. >> how often does that team meet, talk to one another, review the procedures? >> on a weekly basis. >> on a weekly basis. can you sort of talk about how these multiple layers help to protect confidential consumer information and how they interact? for example, i signed up for
2:55 pm
health care reform and, by the way, saved $60. i went from $295 a month for my health plan to $239 a month for the exact same plan. i'm pretty happy i got the savings. but when i put all the information in, how do i know that i'm protected? i know this is a very broad question, but can you sort of sketch how those different layers work with each other? >> well, if there are hackers coming in from the inside, we have many protections to detect these attacks. as mentioned before, there have been no successful attacks. but attacks are being made all the time on the website. so we have these tools in place to detect anomalies, you know, all these tools. even if, you know, one tool doesn't pick it up, we have this layer of protection.
2:56 pm
so we have other very good tools in place to detect. >> so you could, for example, if there's a pattern that emerges or certain things that are happening, you could identify something is going on here that's unusual, we need to take a closer look at? >> yes. we have tools that will pick up anomalies. >> mr. meadows, the gentleman from north carolina. >> thank you, mr. chairman. i want to follow up on ms. duckworth's questioning there, if i could. mr. charest, this question is for you. she went through a long list of all the security that has been implemented. you were very, it seemed like, cautious in the way you said that there was no malicious attack. has there been inadvertent personal information that has been shared with someone else on this particular website? >> yes, sir, there has.
2:57 pm
>> how many times has that happened? personal information from someone else getting shared with an inappropriate person. >> i don't know the exact count, but in the early stages of the launch there were a number, i think somewhere less than 10, but there were some that were reported both in the media and to us. >> somewhere less than 10. interesting that you wouldn't know the exact number, because you are very emphatic that there had been zero malicious attacks, but inadvertent disclosure, you can't give us an exact number. >> i in fact have the categories in front of me, so if you'd like me to give you -- >> just the number. >> no problem. >> so how many total disclosures of personal information to other people have we had? >> we tried to find these incidents -- >> total number. >> it would appear from the numbers i have in front of me that there are 13 category one, which is where we put potential --
2:58 pm
>> thirteen -- total number. total numbers. 13? >> yes, sir. >> no others. so it wasn't less than 10. it was more than 10. >> well, no, not necessarily, because the 13 in the category don't always mean there was disclosure. they also could be exposure but not disclosure. >> exposure but not disclosure, okay. we will save that for another day. because i think what the american people want is honesty. and transparency. and you testified less than 10, and more than 13, and -- but more problematic for me is for you to lead this group to say that there was no malicious intent, and yet knowing full well that there's been disclosure. they just want honesty and transparency. wouldn't you agree, ms. fryer, that's important?
2:59 pm
>> yes. >> and you testified before, so in your preparation today, have you met with attorneys to prep you on your testimony? >> i've been briefed on what to expect. >> how long has that briefing taken place? how much time did you spend in that prep? how many days? >> it was over -- it was over a few days, a couple hours. >> okay. how many hours does it take to be briefed to tell the truth? >> it doesn't. >> okay. so why would that have gone on? have you ever been told, well, we would prefer that you don't answer a question that way, by an attorney? >> no, sir.
3:00 pm
continues today; is that correct? so how do you, based on a security analysis done in september, assure that the modules that are being written as we speak are secure? >> again, there's the operational security the marketplace security team has in place. every time they do a security development, any time
3:01 pm
changes to code, they have all types of different security testing that is done on a day-to-day basis. >> so we will have additional security risks that have to be assessed? >> that doesn't mean to say there have to be additional security risks. >> when is the next assessment going to take place? >> we are requiring one every quarter. >> and you will submit that to the committee? and when will the next one be? >> we are scheduling that for the books. >> thank you. >> the gentlelady from california. >> mr. chairman, thank you. let me say at the outset how delighted i am that the committee recognizes the importance of protecting the security of personally identifiable information.
3:02 pm
one of the next hearings that we should have is on the breach that took place, with 110 billion americans who were impacted, and neiman marcus that was impacted as well. i understand there are a couple other retailers. these breaches happen in fortune 100 companies, and we should do our due diligence by making sure that efforts in the commercial sector are being as secure as possible. having said that, let's focus on the testing that took place, the most recent that took place. ms. fryer, when you were here december 17th, that testing was ongoing at the time. my understanding is that it has now been completed, is that correct?
3:03 pm
>> yes, ma'am. >> since it has been completed, can you say with certainty, in the stable environment, that the security concerns were successfully tested and it is a full end to end security test? >> it is a full comprehensive test and it is completed. >> having completed that, is it your understanding as well that it was completed under the standards? >> so the purpose of the testing is to identify the vulnerabilities in the i.t. system so they could be remediated, is that fair? >> yes. >> does the fact that the testing identifies vulnerabilities mean the system is less risky? >> the security control assessment is to discover the vulnerabilities so
3:04 pm
they can be mitigated. >> so just like target needs to do these assessments to determine if there is a vulnerability, it is appropriate for you to do that within the aca? >> yes, ma'am. >> the testing has been done and you have seen the results of that testing. i have a question for all three of you. do you have any reason to believe the consumer information submitted in the system is not secure at this time, based on the testing? >> no, i do not. >> no, i do not. >> so, this is like giving the system a clean bill of health. knowing full well that target and neiman-marcus and other companies were hacked into, there are persons out there around the world attempting to hack into
3:05 pm
the systems, and at this point in time, having done the testing, we can say with confidence that the system is not subject to being breached, is that right? there's always the chance for that. >> the testing was completed successfully and had a good result, so we are confident that the risks have been identified and mitigated. >> i guess my question is, has there been a data breach on the system? >> for the two years that i've been there, not that much. >> how about the status of them? >> i can't answer that. >> okay. i think that completes my -- actually i have one more question. this committee has a bipartisan measure that is referred to as
3:06 pm
the federal information technology acquisition reform act. it would give much more authority in terms of hiring personnel and being in control of their operation. do you see that as appropriate and helpful in doing your job? >> it would look at some of the challenges we have, not just with this project but other software projects the government has done, and identify solutions so that we do a better job managing the i.t. going forward. >> are you suggesting that we should add to it? are you familiar with that? >> i am somewhat familiar, but getting the specifics -- >> maybe you could do us a favor and review it and make any recommendations you think would be appropriate to augment that bipartisan -- >> would the gentlelady yield? i think the question is a good one, and perhaps the other witnesses could answer the
3:07 pm
question of do they think that a budget authority and a single point of accountability would enhance these projects. so perhaps ask that question and give a more illustrative answer. >> i think that you give greater accountability when you have one person that is clearly in charge. >> i agree with mr. baitman that it would give more authority if one person had more budget authority. >> i also believe that to be true, and it would increase efficiency and have other ancillary effects. >> thank you very much, ms. fryer. mr. baitman, we are now here today to examine whether the health care website is safe to use. we have already established that the
3:08 pm
website was certainly not safe to use on october 1st and is likely not safe to use today either. while you claim the website meets and exceeds industry standards and claim no breach of the website has occurred, contradictory evidence is abundant and overwhelming. this includes well documented examples of security problems of systematic and extreme carelessness. for example, an e-mail disclosure vulnerability was identified that would allow an attacker to enumerate e-mail accounts for individuals. in another example, a user logged in to the healthcare.gov website and saw information from a completely different person's profile. for another example, security researchers discovered an open website redirection which allows users to visit the website thinking they were going to the legitimate healthcare.gov website, but instead be
3:09 pm
redirected to a malicious website that would completely hack their computer. this was only fixed after it was discovered when the website was online. ms. fryer, you recommended denying the necessary authority to launch healthcare.gov, correct? >> yes, sir. >> if officials had accepted your recommendation, would you have been prepared to suggest an alternative date, or would it have been an indefinite delay? >> again, that wasn't -- >> would you have recommended an alternative date or an indefinite delay? >> that's not my responsibility. i can't answer that. >> if you had done -- what would you have done, had your recommendation been accepted? if you had one. you are the i.t. person. would you recommend a delay or
3:10 pm
alternative? >> my responsibility is not to determine whether or not a system goes into operation. again, it is to identify the risks and make sure they are being mitigated. >> so you identify the risk, but you don't make any recommendations? >> i briefed the chief information officer on the security risks, and there are many other risks that have to be taken into consideration when the system is going operational. >> would the gentleman yield for a second? i'm not sure that you were in the room, but 77 days after the launch, the gentlelady ms. fryer did testify that she has confidence that the testing she would have asked for and so on has been properly mitigated. so i think an answer to your question, to a certain extent, is 77 days would have been enough. >> do you know whether she was
3:11 pm
informed of your concerns and recommendations on the security risk? >> i didn't hear the question. >> did i pronounce that correctly? >> thank you. was she informed of your concerns and recommendations? >> i don't know that. >> had she been informed -- excuse me, let me take that back. do you acknowledge what security agent did this on your concerns? >> i can't answer that. >> do you know if she spoke with any security experts prior to overruling? >> the gentlelady from new mexico. >> thank you. i want to thank the panel for being here. it's clear that we are all concerned about securing the
3:12 pm
financial and health-related information on the website. whether it was the health care website or any other application by the federal government, that's going to be one of our priority concerns for our constituents, so i appreciate your attention and your willingness to engage directly in this hearing. like everyone, i am happy that there haven't been any significant or malicious security breaches to date, so that we are not seeing a significant problem with the security measures taken to date to protect the information for the consumers and the end users. but i want to make sure that the goal of the conversation is that we continue to do whatever oversight and enhance those security tests and measures all the time, because every day those risks are greater, because people figure out better and more enhanced ways to get access to the information, and given i'm
3:13 pm
from the state that has a particularly high uninsured population, we are going to have a higher user rate, i hope, in the marketplaces and the exchanges. i want to go back to a couple things. to my understanding, the federal information security management act defines the security control standards for all government information technology security systems. is healthcare.gov compliant with all the standards set forth? >> security testing was conducted in accordance. >> and is hhs implementing additional controls or best practices beyond what is called for? >> we are exceeding the industry best practices, as well as we have the controls in place. >> that's important to me, because during the last hearing on healthcare.gov, it was clear that there were inherent risks in any electronic system, and so getting the sense that you're going beyond that and looking
3:14 pm
at best practices is critical. can you give me the sense about what exactly you're doing to continue to monitor and mitigate the risks from the website? >> we are keeping in place those beyond the additional requirements of the weekly scanning and monitoring tools on the marketplace servers. >> that's what i'm trying to get at. give me a concrete example of what you are doing. >> we are continuing those that are in the mitigation plan, and then there's the operational day-to-day security that is in place as well by the other group. >> i appreciate that, and i would also encourage you to lead in the best practices and do everything in your power to go back and describe that. that is my opinion, and i would
3:15 pm
guess the opinion of many more, that you would do everything to enhance the mitigation plan to the highest degree and lead with that for the country, given the importance and the value of the information on the website. thank you. >> there were no more questions, were there? i want to inform everyone there is a vote on the floor and we are going to stay as long as we can. mr. baitman will not be here when we reconvene. we are not going to be back in time for that, so we are going to go as quickly as we can. >> on the memo that you wrote but didn't send, dated september 24, 2013, you testified earlier the reason you didn't send this was because there were subsequent events that happened that caused you not to send it, is that correct? why didn't you send it the day that you wrote it? things happened after the fact that told you you didn't need to send it. when you wrote this, you believed
3:16 pm
everything you wrote, correct? >> yes, it was being prepared. usually it would go up to the chief information officer. >> all i'm asking is, on september 24th, the date on the memo, when you wrote there is no confidence that personally identifiable information will be protected, that's a pretty big statement. why didn't you send it that day? >> this was to capture what was already -- >> something that important -- again, you said it happened the next week that caused you not to send it. but on that day, you believed everything you wrote here. these are big statements. did someone talk to you and tell you don't send that memo? >> no, sir. a decision had been made to elevate to marilyn. >> but it doesn't change the fact that you were going to send this directly by the chain of command.
3:17 pm
i just wonder why you didn't send it. if i write all this stuff down, and also based on testimony we had at a previous hearing, you're the only one that read the report prior to this memo. i would assume that had a big impact on what you wrote, the things you did. all we want to know is why -- if i have this information, i know this thing is not ready. i do this hard-hitting memo that says this isn't even close to being secure. no testing done, and then i don't send it. >> as a part of the package that wasn't going on. >> let me change this a little bit. you were interviewed a month ago by the committee, and the young lady behind you look and they need you on that interview, is that correct? and you were interviewed last week? >> that's correct. >> and you were interviewed two days ago, is that correct? >> that is correct. >> in the interviews, we learned you said that there was a
3:18 pm
meeting on september 10th, where the leadership folks were there, and after the meeting, mr. baitman, you had a conversation, and here's the transcript. after the meeting you never recommended a delayed rollout. your answer was, that is my recollection, of a delayed rollout of healthcare.gov. you answered, that's my recollection. two days ago when we talked to mr. baitman -- i wasn't in your interview, but mr. baitman said that isn't accurate. do you support the statement you made a few days ago? >> yes, i do. >> mr. baitman, he said you said to him in a conversation after the meeting you recommended not rolling it out, is that accurate? >> that is accurate. >> you recommended not rolling out healthcare.gov? >> no, that is not.
3:19 pm
>> so which one is lying and which one is telling the truth? he said you -- now you worked with him for a while, mr. baitman? you have a good working relationship? >> we have a great working relationship. >> is that true, you have a good working relationship? you understand when he communicates to you? >> yes, i do. >> your recollection was you recommended not rolling out healthcare.gov. he says that's not at all what happened in that conversation. >> with all due respect, that's not -- in my testimony i was asked the question several times to clarify what i meant by the delayed rollout, and i hope i made clear, and i would like to make it clear here to you, sir, i didn't know exactly what he meant when this took place, and there was probably less than two minutes literally, and it was four months ago. i didn't ask him the details. to me as a professional over 30 days, a delayed rollout could have been a phased -- is exactly what i was thinking, and he didn't
3:20 pm
offer. i don't know what he meant, and that is my recollection, is that there is no delayed rollout. >> not sitting down to do what he wanted to do. >> you agreed with that. ms. fryer agreed with that. it wasn't done. >> okay. prior to coming today, did the three of you sit down and talk about what was going to take place at today's hearing and discuss what kind of answers you might give and questions you might receive? >> yes, i did. >> you worked it out after you had this disagreement, and then you said there wasn't -- you sat down and talked this out. >> that is not what happened. >> mr. chairman, i am out of time and yield back. >> mr. cartwright. >> thank you, mr. chairman. i want to start off by giving a
3:21 pm
chance to more fully respond. my colleague just basically said one of the two of you is not telling the truth. and i want to give each of you the chance to talk about that. >> let me begin. as i said earlier at the september 10th meeting, it was a discussion topic about the rollout. simply a discussion topic. after the meeting i mentioned it to kevin and that meeting was four months ago. i talked to him ten times a day in the operational capacity. this wasn't a high prayer each topic and i am sure that the words could have changed over time. >> thank you for that. >> i would just say i don't believe that what i said is inconsistent with what i
3:22 pm
understand mr. baitman said was an alternative rollout schedule. there are different terms used and i may have processed it that way but fundamentally we are saying the same thing. >> my understanding is mr. baitman's recommendation had nothing to do with security; is that correct, gentlemen? >> it simply had to do with my observation from seeing how other companies had ruled out large complex systems. >> ms. fryer, i didn't mean to leave you out. you are the chief information security officer at cms and in that capacity raised concerns in september about the status of the security testing for the website; is that right? and during your interview with committee staff, you explained that in the role as the chief information security officer, your job is to make recommendations to your boss as
3:23 pm
the information officer at the time, is that right? >> yes, sir. >> you explant that your role was and to make the final decision on whether to go forward; am i correct on that? >> that's correct. >> the chief information officer was a career executive with decades of experience; is that true? did you have respect for him and tell you his experience and expertise? >> yes i did. >> you told us during your interview during the two years in your possession, he often accepted your recommendations, but there were other instances when he did not. and those were unrelated to feed healthcare.gov website; am i correct? >> yes, sir. >> in this case, he decided to recommend to the administrator that she go forward with the authority to operate. but the was only after strong
3:24 pm
mitigation strategies for added in order to mitigate against the risks that you identified. sitting here today, do you believe that you provided the information necessary to enable him to make an informed decision about moving forward? >> i provided him the risks that were discovered during testing from a security perspective, and as the chief information officer, she takes that and and there's many other teams that provide other risks. there's the business risks and all of that is taken away when we put a system into operation. >> you said that during your interview in his capacity as the chief information officer and a broad perspective on the serious risks for the federal the facilitated marketplace. so when he was making his evaluation you were one of
3:25 pm
several sources for which she was receiving information -- is dutrow? >> yes. ceramica ultimately, the administrator signed the authority based on her recommendation from her chief information officer. so in your view of the appropriate rules and authorities of the various officials, do you believe that his actions, complied? >> again he was the one responsible for whether or not the system goes into operation. i cannot answer what path he took. >> i think all of you for coming. >> thank you mr. chairman as we entered our number three.
3:26 pm
the questions want to keep you up for military services. by understand you spent some time in the state of georgia over any time you want to come back during your brain and pocketbook. >> i want to talk about a meeting that took place back constantly fourth and i don't believe that either of you were there. was a meeting with tony. you prepared a slide for the presentation on the high risks and i want to ask you to help me understand this. this is about the authority to connect agreements and what i want to look at this from my reading of the slide it says 17 states didn't have authority to connect agreements on
3:27 pm
september 23rd and the recommendation was to go ahead and allow these states to have operation of 40 notwithstanding the risks that are listed below include things like one or more reviews and other words no review of the security documentation has been completed and even more troubling, the third risk is accepting risks on behalf of its federal partners, the dhs which could have implications in the data breach. in my reading this correctly to say that in many cases those of security had taken place, but it was the decision of the cms to
3:28 pm
assume the risk to allow the states to connect on the number one. >> they did establish a baseline by the chief information officer. >> there was such an authority with the slide says in most cases and we are willing to waive that responsibility and assume that prescott and 90 days you were not involved in the decision making after all. >> it was in the state based security. >> is that something that you had seen before? there wasn't one colleague that has the authority to accept the risks on my behalf of my
3:29 pm
constituents? it just seems incredibly unusual. cms is accepting risks on behalf of the irs and the department of homeland security. is this something that you have seen before? we've talked about best practices and this seems alarming to me. am i misreading? this is a hour powerpoint presentation and i have to assume it some discussion between cms and those entities that took place. >> we talked a lot about best practices. is it best practices while the formal testing has not been completed and occurred and while in most cases not even one review of the security documentation has been completed
3:30 pm
and the weaknesses are not known? is it the best practices to allow folks to connect to hhs and the irs and the dhs, or was this an extraordinary exception and if we go back and read you another ten years of the documentation we are likely not to see anything else like this again? you are the experts. >> these are the best practices and i know they had the baseline requirements. again i cannot speak -- >> mr. baitman, had you been in this meeting at the time would this have raised red flags? >> i didn't have the background so i wouldn't be able to answer that. all of the decisions have a degree of risk and there probably were discussions that mitigated that risk. i wish we had time to talk about whether it was a legal deadline
3:31 pm
or just a politically desirable deadline and what we need to pursue the risks on behalf of the american people that as you said we are going to do more of these rollouts in the future and what ever we can learn on this one will no doubt make us better next time. >> i now recognize myself for five minutes. you have a limited launch and until after you were aware of the significant problems with the development and after you heard of the concerns with the security testing? >> it wasn't a recommendation was a discussion topic on december 10th, and, you know, i wasn't informed of any specific issues. >> let me keep going. do you or anybody ever recall the time when they were elevated to the administrator of the agency because both the chief
3:32 pm
information security officer and chief information officer refused to sign? >> i'm not aware of any. >> do you have the state security that was identified by the security control. do any of you recall what left of the main risk for proceeding as a lack of complete security testing? >> we do have systems that have indicated there were issues raised on security testing and that is a risk. ..
3:33 pm
implementation of -- >> but you are in charge of the review of it, correct? >> in charge of the review during the critical assessment state. the into the security control assessments that are conducted. >> what percentage of the data, when it goes from the computer to the server, it's done over a secure layer. none of you know the answer to that question? how much of this data is
3:34 pm
encrypted? >> the data -- >> what percentage of the data is encrypted? >> it is encrypted. >> what percentage of the? >> it would be 100% of the data. >> you just said you don't know what percentage is done over an ssl. >> you're asking what percentage during testing. >> i want to know of the alkali decide when some of industry signs up, is it all done over an ssl? >> they don't send information over -- depends on if it's a state based marketplace -- >> if you're using healthcare.gov, is that information encrypted or not? >> yes. >> what percentage of the? >> it's encrypted, 100%. >> was it on day one? >> yes. that was the requirement to be in place. >> but you don't know what percentage was done over a secure socket layer which is somewhat similar same is
3:35 pm
encrypted or not you said you didn't know. >> i'm not involved in the operation of day-to-day security. i have almost 200 business systems in siemens. i don't -- that's why we have -- >> when i ask you encrypt so that you wouldn't know the answer to? >> i don't know if every system at siemens. >> we're talking about healthcare.gov. who does know the answer to? >> the information security system officer it's the group with the day-to-day development and implementation of future requirements for healthcare.gov. >> it scares the living daylights out of me 19 know the definitive answer about as a sales. if anybody else cares off anything, we have a vote on the floor. does anybody else have something to offer regarding that point? listen, we need this stuff to be encrypted 100% of it, 100% of the time. i thank you all for your participation today. this hearing is adjourned.
3:36 pm
>> earlier today former joint chiefs of staff chairman admiral mike mullen spoke at an event hosted by the concern veterans of america. he discussed cybersecurity threats and other things he says keep him up at night. here's a quick look. >> i list five. one is the debt. to pay czar -- certainly in my life we've been talking about fixing that our problems with it for a good 20, 30 years. there have been some significant efforts undertaken in terms of them in particular charter schools et cetera and education reform. but by enlarge still in very bad shape and it's almost like -- there's a parallel to the debt that you have to have resources to invest for the future. if you don't have them, and i couldn't have much of a future. we have to have an education
3:37 pm
system which is functioning at a very, very junior or very, very -- at the beginning, if you will. i think the competitive advantage that america has is right here. if we invest in that we will be okay. if it continues to erode, which is not going to be competitive. and you can't, at least i set sometime in the education sector, you can't scale charter schools to the public school system in the country. i don't know what the answer is. on what you believe you've got to do procedures. they were the most impactful people in my life. among coaches and parents and pastors, et cetera. i think somehow we have to channel that. we don't pay them very well. i taught for a year up at princeton and i didn't run into a princeton graduate who was going to go teach, quite frankly. that doesn't mean there aren't any, but it's not the path that so many because it's not valued
3:38 pm
in our country. i think we need to turn that around, all again this very slow erosion will wake up one day and we will wonder what happened. third thing is the political paralysis here. i've been in washington mostly since the mid '90s. i asked friends, historians, well, are quick to say we been through this before. two years ago i asked this question and i said when? 1938 or 1939. so that wasn't overly uplifting in that conversation. but about a year ago i asked the same question of another historian, and he said we have. when was the last time? well, the civil war. so the point is this is really tough and i think everybody knows that. i don't know how it gets broken. i worry we will continue to dig the hole, if you will. i hope that somehow that the
3:39 pm
leadership in the country writ large can figure out a way to get us moving in a much more positive direction before we have some cataclysmic event. so that concerns me a great deal. the fourth is cyber. i won't talk much about cyber but cyber scares me to death. i thought that threat when i was chairman. i understand how capable it is, how lethal the potential is. not just from a security, from the pentagon perspective but literally from a national perspective. is capable of shutting down our created, shutting down our financial system, impacting significantly our logistics. it almost has no bounds. i thought that target incident over christmas which the initial report were 49, a couple days later it went to 70 million. it speaks to the scale of the capability in the cyber world. that many that quickly.
3:40 pm
and i talk about some of the leaders, leaders need to understand this. not the tech types. you've got have been because lying leaders make decisions on people and investments and on policies. so that's a huge concern. the last of this just veterans. we're not doing very well for our veterans who fought these wars. just because i was chairman in the iraq and afghanistan war, i focus not exclusively but heavily on iraq and afghanistan. they're coming back to a very, very tough employment numbers. the economy is, while it's bumping along and getting a little better, hiring them throughout the country is very difficult. they are unemployment numbers are about 18-24 euros, or about twice the national average. half of them are married. a need to put food on the table. i'm not convinced you can get from washington quite frankly. there's issues associate with it. what i try to do is engage local
3:41 pm
leaders in communities throughout the country, someone get got to leave in the urban community or rural committed to customer support for veterans focus on health, education, and employment. and remember, that the spouses have been extraordinary as well in wars. typically they are two income families so they have huge capabilities they can offer. i find the quote unquote sea of goodwill out there on part of the market people. you just need local leaders to galvanize that and then we need some pretty significant progress in certain parts of the country. but i do worry they're coming home, they're leaving the military, about 1000 a day, which is normal, and we are hiring about 100 a day. it's better than it was in vietnam and better in the past in many ways, but we are just beginning. and i think as we come out of afghanistan, america didn't have to buy into these wars. america doesn't have a stake in
3:42 pm
these wars, so combat troops are at it a few months and america will accelerate away from our veterans. getting visibility and making sure this young group, and its 2.2 million men and women, the best i've ever seen, i did it for a few decades, hands down they are the best. they will make a difference in the future. i see them by the thousands. they will make a huge difference. investing in them is a great investment. so that's where i spent a lot of my free time. >> a portion of an event hosted earlier today by the group concerned veterans of america. you can see the entire event later or anytime online at c-span.org. >> tomorrow on "washington journal," a look at issues relating to the u.s. auto industry. after that, former administrator
3:43 pm
of the national highway traffic safety administration will discuss current auto safety concerns and how advanced technology in cars is impacting safety on the road. we will be live from the washington auto show with remarks from representatives of general motors, ford, and toyota. plus your comments. "washington journal" live at 7 a.m. eastern on c-span. >> i didn't see myself as someone who has a message for my world. i do see myself as a person trying to understand my case and try to situate myself. i think idea came to me, the idea the book came to me when i was giving some lectures at the u.s. air force academy in colorado. and among very nice, broad minded, liberal young air force officer come have lots of chats with me which i find very interesting.
3:44 pm
he told me, he told me he was a liberal. full of strange, radical fundamentalist. he tells me he's a liberal and he tells me he's for immigration which -- but he said, when people come to this country they should learn the native language. and i didn't think he was speaking about comanche its i said yes, i quite agree. everybody should learn spanish. >> the settlement and evolution of the united states from hispanic perspective. "our america" saturday night at 10 eastern and sunday at nine on "after words." part of booktv this weekend on c-span2. and online at booktv's book club you've got time to wait in a mark levin the liberty amendment. read the book and join the conversation, go to booktv.org
3:45 pm
and click on book club to enter the chat room. >> did i feel prepared? yes, i really do. first of all i wasn't elected so it didn't make that much difference. i did notice though the difference between being the vice president's wife and the president's wife these huge because the vice president's wife can say anything. nobody cares. the minute you say one thing as president's wife, you've made the news. that was a lesson i had to learn pretty quickly. >> watch our program on barbara bush at a website, c-span.org/firstladies or see it saturday on c-span at 7 p.m. eastern. live monday our cities continued with first lady hillary clinton. >> last week on capitol hill a house committee to examine threats to homeland security in the expansion of islamist extremism in the middle east.
3:46 pm
other topics include the obama administration's counterterrorism policy, border security in the south, cybersecurity and lessons learned from iraq and afghanistan. witnesses included former senator joe lieberman, retired general jack team, former representative jane harman and seth jones of the rand corporation. this is about two hours 40 minutes. >> the committee on homeland security will come to order. the committee's meeting today to examine the danger to the homeland from the threat of extremism. i now recognize myself for an opening statement. today, the president's rhetoric on the threat of al qaeda and its franchises are in stark contrast to the reality we are witnessing in the middle east
3:47 pm
and northern africa. whether or not the downplaying of the spread of these islamist extremist groups and the real threat they pose, which are metastasizing from the civil war in syria, is to further a political agenda or simply to avoid the conflict altogether, i believe this false narrative greatly endangers our national security. protecting this nation requires that we correctly identify the threats against it. it also requires that the united states lead on the world stage. i am increasingly concerned that we are doing very little of both. the administration has labeled the fort hood massacre, in my home state, work place violence, explained benghazi away with a protest to a video as opposed to an al qaeda-driven attack, and removed words like violent islamist extremism from their vernacular. with each attack, the administration appears to
3:48 pm
distance itself from who's behind it. president obama repeatedly tells us that al-qaeda is on its heels and on the run. in may of last year, the president said that osama bin laden is dead, and so are most of his top lieutenants. there have been no large-scale attacks on the united states, and our homeland is more secure. killing bin laden was an important accomplishment, but it has not put al-qaeda on its heels or secured the homeland. in fact, peter bergen wrote in an article last week that, al-qaeda appears to control more territory in the arab world than it has done at any time in its history. foremost in the narrative, is the administration's frequent use of the core al-qaeda concept. this is a false construct in my judgement and misleading for a number of reasons.
3:49 pm
today, there is no central al qaeda nucleus. references to a core al-qaeda imply that its defeat would dismantle terrorist efforts around the world and eliminate the terrorist threat to the homeland. this is not the case. over time, the term al-qaeda has come to symbolize an ideology of hate toward the west with a goal of establishment of a caliphate, rule by sharia law and the pathway there through violent jihad. we're seeing it's spread play out in the middle east, in africa, and in the caucuses. although many terrorist groups subscribe to this ideology, we must understand that they are independent organizations, planning and conducting operations without the oversight of an al-qaeda central command. the only core is the ideology itself, and defeat of an ideology requires more than just drone strikes.
3:50 pm
the failure to recognize this truth prevents us from understanding the real threat from islamic extremism and clouds our judgment in fighting against it. ultimately, you cannot defeat an enemy you are unwilling to define. the second part of the false narrative is our increasing willingness to abdicate our responsibility as a world leader. in the aftermath of world war ii, president truman said, the peoples of the earth face the future with grave uncertainty, composed almost equally of great hopes and great fears. in this time of doubt, they look to the united states as never before for good will, strength, and wise leadership. again today, the people of the world face the future with grave uncertainty, and they still look to the united states for stable leadership. we are witnessing a worldwide rebalancing, as we have before
3:51 pm
in modern history. this time, however, it is exacerbated by a sunni-shia sectarian conflict that has consumed the middle east, causing great unrest across the region, and is forcing countries around the world to intercede. yet our steadfast leadership is notably absent. terrorist groups are multiplying. they are spreading like wildfire across northern africa. foreign fighters are pouring into syria at an alarming rate, while syria itself is being pulled apart by saudi arabia and iran. red lines are drawn and crossed, diminishing our world standing and forcing other countries to act where we have failed. our negotiations with iran damaged our relationship with saudi arabia and israel. american forces pulled out of iraq and al-qaeda has taken over
3:52 pm
fallujah, once the symbol of the united states' commitment to stability in iraq. we are pulling out of afghanistan, where not so long ago the 9/11 masterminds plotted against the united states. in egypt we have been indecisive with our support, while radical elements are growing. our lack of leadership has damaged our standing in the world, and created a power vacuum being filled by terrorists who are prospering in our absence. president kennedy told us that our strength as well as our convictions have imposed upon this nation the role of leader in freedom's cause. i believe that statement is as true today as it was then. it is through our stable leadership and clearly identifying our enemies that we will secure the homeland and protect the american people.
3:53 pm
i look forward to this distinguished panel's testimony and today's discussion. and i want to thank all the witnesses for being here today. the chair now recognizes the ranking member, the gentleman from mississippi, mr. thompson. >> thank you, mr. chairman. i also welcome our witnesses today, ms. harman, good to see you. as you know you are an original member of this body when it was a select committee. without any jurisdiction. we still have a little bit around. we're working on that, too. today's hearing seeks to examine whether u.s. policy to address unrest in the middle east, the splintering of al qaeda and the withdrawal of u.s. forces from afghanistan and iraq adversely affect homeland security in the united states. such an examination must begin
3:54 pm
with an authoritative statement of this administrations policies and actions in each area. however, because there is no witness from the administration for us to question about these policies, it is unclear how this hearing will aid this committee's understanding of these critical issues, or help inform our oversight of the policies necessary to impact this nation's homeland security. it appears that this hearing begins with the assumption that can maintain safety and security within its borders, this nation must use its military to address every threat outside of its shores. given such a perspective, the united states would be in a position of constantly engaging in military action abroad. after $1.5 trillion, and 6000 american lives lost, the are many in this country who want us to consider a viable exit
3:55 pm
strategy. there are also many people he believed that the safety of this nation can be secured by means that are tailored to each circumstance based on a realistic assessment of the threats. as we consider the threat, we must acknowledge our current posture. most experts agree that the death of osama bin laden have substantially weakened al qaeda. its capabilities of scale -- al qaeda is more decentralized, more dependent on its affiliates, and has come to rely on its ability to radicalize and recruit distant recruits to carry out attacks but the lack of a clear organizational and leadership structure has severely diminished the groups the ability to develop joint plan and wage large scale attacks. i'm not advocating that america return to a pre-september 11 posture. i don't know anyone who would advocate such a position.
3:56 pm
however we must plan based on the facts as they are not the facts as they were. as a legislative body we must ask serious questions about our homeland security policies and posture, and our posture should be given the ongoing dismantling of al qaeda. the congressional research service has said that some of the questions we should ask in all the costs associated with continued military presence and the challenges of restoring the readiness of our forces. we must discuss a strategy that protects u.s. interest as well as integration efforts across u.s. government agencies in support of a broad u.s. political strategy. as we consider our policies, we need to ask about the national security apparatus that has developed in this country. the revelations about the
3:57 pm
massive collection of information and operation of the fisa court have caused people to question how the secular these have improved our homeland. i understand the administration will announce its plans to revamp the nsa surveillance program. i look forward to hearing about those plans. this committee needs to be part of the discussion about the effects that these metadata collection programs have on our homeland security. mr. chairman, i agree that we need to take a serious look at how world events and into our homeland security policy. this congress must be willing to legislate and make changes in the laws that affect homeland security of this nation. however, before we legislate we need to be willing to discuss the law and the underlying policies with all the relevant parties, the congress in the administration in the room. i look forward to having that
3:58 pm
discussion. i also look forward to the administration being invited here to testify about how their overseas policy will affect our homeland security. with that, mr. chair, i yield back. >> i thank the ranking member. other members are reminded that opening statements may be submitted for the record. we are pleased to have four distinct witnesses with us to discuss this important topic. first, we are delighted to have senator joseph lieberman. he represented the state of connecticut in the united states senate from 1989-2013. in the months after september 11, senator lieberman led the fight to create the department of homeland security which led to the creation of this committee and the senate committee on homeland security. which he chaired until his retirement from congress last year. next, we have our dear friend who served on this committee, she actually was sort of my boss, if you will.
3:59 pm
she was the chairwoman of the intelligence subcommittee as i was ranking member. congresswoman jane harman. it's great to see you here today. she represented california's 36th district in the u.s. house of representatives from 1993-2011. served on multiple congressional committees, boards and commissions, including this committee. and the house permanent select committee on intelligence, and the house committee on the armed services. she is currently the president of the woodrow wilson international center for scholars and as a member of the defense policy board and the homeland security advisory committee, among others. it's great to see you. next, we are pleased to have a very distinguished witness, general jack keane retired 4-star general who completed 37 years in public service, in december of 2003 culminating chief of staff and vice chief of
4:00 pm
staff of the u.s. army. he currently serves as chairman of the board of the institute for the study of war, and sits on the board of directors for met life and general dynamics. i thank you, sir, for being here. next is doctor seth jones, the associate director of the international security and defense policy center at the rand corporation. he served as officer and advisor to the commanding general of the u.s. special forces in afghanistan as well as representative for commander of u.s. special operations command to the assistant secretary of defense for special operations. the witnesses for written statements will be included in the record. the chair now recognizes senator lieberman for his testimony. >> thank you, chairman mccaul, ranking member thompson. it's great to be back before you. thank you for convening this hearing. thanks for inviting me to testify, and thanks for putting in the great company of the of