Key Capitol Hill Hearings, CSPAN, June 29, 2015, 2:30pm-4:31pm EDT
2:30 pm
letter from USIS to representatives providing answers to questions I asked more than seven months ago. Seven months ago! The letter disclosed the breach at USIS affected not only DHS employees but our immigration agencies, our intelligence community, and even our police officers here on Capitol Hill. But it took them seven months, the night before the hearing, to give me that information. But not only to give me the information, but to give members of Congress that information. My immediate concern was for the employees at the agency and I hope they were all alerted
2:31 pm
promptly. There is no doubt that USIS officials would have never provided that information unless they were called here to testify today. So I thank you again, Mr. Chairman. I have difficult questions for USIS. I want to know why this company paid millions of dollars in bonuses to its top executives after the Justice Department sued the company for allegedly defrauding the American taxpayers of hundreds of millions of dollars. I can hardly wait for the answer. I want to know why USIS used these funds for bonuses instead of investing in adequate cyber security protections for highly
2:32 pm
sensitive information our nation entrusted to it. Ms. Archuleta, I want to know if you received one of those bonuses, because I would love to know how much it was and what the justification for it was. I understand you just returned from Italy. Welcome back. This is probably the last place you want to be. I understand you are leaving the company in a matter of weeks, but I want to know why USIS has refused for more than a year to provide answers to our questions about the board of directors of its parent company, Integrity. I have important questions for you, and one of them last week was whether the cyber attackers
2:33 pm
were able to penetrate OPM's network using information they obtained from one of its contractors. As I asked last week: did they get the keys to OPM's network from the contractors? Yesterday Ms. Archuleta testified, and I quote, "the leverage of compromised KeyPoint user to gain access to OPM's network." So the link in this case was KeyPoint. I want to know how this happened. I appreciate that OPM continues to have confidence in your company. I also want to know why KeyPoint apparently did not have adequate logging capabilities to monitor the extent of data that was stolen.
2:34 pm
Why didn't you invest in these safeguards? Mr. Chairman, to your credit, one of the first hearings you called after becoming chairman was on the risk of third party contractors to our nation's cyber security. At that hearing on April 20th, multiple experts explained that federal agencies are only as strong as their weakest link. If contractors have inadequate safeguards, they place our government systems and government workers at risk. I understand we have several individuals sitting on the bench behind the panel witnesses who may be called to answer questions, if necessary: Mr. Joab, who is the CIO of KeyPoint, and Mr. Osman from the Department of Homeland Security. Thank you, Mr. Chairman, for allowing them to be here. As we move forward it is
2:35 pm
critical we work together. We need to share information, recognize what outdated legacy systems need to be updated, and acknowledge positive steps when they do occur. Above all, we must recognize that our real enemies are outside of these walls. They are the foreign nation states and other actors that are behind these devastating attacks. With that I yield back. >> Thank the gentleman. I will hold the record open for five legislative days for members who want to submit a written statement. We have Barbara Comstock, and I ask that the member be allowed to fully participate. We recognize the witnesses. I am pleased to have Katherine
2:36 pm
Archuleta, and we have the Honorable Patrick McFarland, Donna Seymour, and we have the director of the US Computer Emergency Readiness Team. Mr. Eric Hess, the chief executive officer of KeyPoint Solutions, and Rob. All witnesses must be sworn, so please stand and raise your right hand. Do you swear the testimony you are about to give will be the truth, the whole truth, and nothing but the truth?
2:37 pm
Thank you. Let the record reflect that all witnesses answered in the affirmative. We will start first with the director of the Office of Personnel Management, Ms. Archuleta. >> Chairman Chaffetz, Ranking Member Cummings, and members of the committee, thank you for the opportunity to testify before you again today. I understand and share the concerns and the frustrations of federal employees and those affected by the intrusions. While OPM has taken significant steps to meet its responsibility to secure the personal data of those we serve, it is clear that OPM needs to dramatically accelerate those
2:38 pm
efforts. I testified last week and I am committed to a full and complete investigation of these incidents. We continue to move urgently to take action to mitigate the long-standing vulnerabilities of the agency's systems. In March of 2014 we released our strategic plan to modernize and secure OPM's aging legacy systems. We began implementing the plan immediately, and in fiscal years 2014 and 2015 we directed nearly $70 million for the implementation of new security controls to better protect our systems. OPM is also in the process of developing a new network infrastructure environment to improve the security of OPM's infrastructure and IT systems. Once completed, OPM IT systems will be migrated into this new
2:39 pm
environment from its current legacy networks. Many of the improvements have been to address needs such as security vulnerabilities in the network, including the upgrade of additional firewalls, restriction of remote access without authentication, and deploying anti-malware software to find cyber tools that could compromise our networks. These improvements led us to discover the malicious activity that occurred, and we were able to share the information immediately so other agencies could protect their networks. I want to discuss data
2:40 pm
encryption as well. OPM does utilize encryption when possible. I have been advised by security experts that encryption in this instance would not have prevented the theft of this data because the malicious actors were able to steal information and could have decrypted the data. Our security team is building new systems with technology that will allow OPM not only to better identify intrusions but to encrypt even more of the data. In addition to new policies that were already implemented to centralize duties, the IT plan recognizes that further progress was needed, and the OIG's 2014 report credited OPM for progress in bolstering our security policy and procedures and
2:41 pm
committing critical resources to the effort. With regard to information security governance, the OIG noted that OPM had made significant positive changes and removed the label of internal weakness. Regarding the weaknesses found in authorization, the OIG recommended I consider shutting down 11 of 47 systems because they didn't have current and valid authorization. That would mean retirees couldn't get paid and new security clearances couldn't be issued. Of the systems raised in the 2014 audit, 11 of the systems were expired, and of them, one, a contractor system, is presently expired. All other systems raised in the
2:42 pm
2014 audit were extended or provided a limited authorization. OPM is giving credit monitoring to the 4.2 million current, former, and civilian employees. We are continuing to work to make the sign-up experience quicker, reducing call wait times, increasing service capacity, and increasing call service hours. I have taken steps to make sure measures are in place even for privileged users, including removing remote access without authentication.
2:43 pm
I will be hiring a new cyber security advisor that will report directly to me. They will work with the OPM CIO to manage ongoing response to the recent incidents, complete development of the plan to mitigate future incidents, and assess whether long-term changes to the architecture are needed. This individual is expected to be serving by August 1. To ensure the agency is leveraging best practices, I am reaching out to chief information security officers at leading private sector companies that have experienced their own cyber challenges, and will host a meeting with these experts in the coming weeks to help identify further steps the agency can take. Public and private sectors both
2:44 pm
face the challenges and we should face them together. I would like to address the confusion regarding the number of people affected by two related cyber incidents at OPM. It is my responsibility to provide as accurate information as I can to Congress, the public, and more importantly the affected individuals. Second, because this information and its potential misuse concerns their lives, it is essential to identify the affected individuals as quickly as possible. Third, we face challenges in analyzing the data, due to the form of the records and the way they are stored. As such I have deployed a dedicated team to undertake this
2:45 pm
time consuming analysis and instructed them to make sure their work is completed as quickly as possible. I do not want to be in a position of providing you or the affected individuals with potentially inaccurate data. With these considerations in mind, I want to clarify some of the reports that have appeared in the press. Some press accounts have suggested that the number of affected individuals has expanded from 4 million individuals to 18 million individuals. Other press accounts have asserted that 4 million individuals have been affected in the personnel file incident and 18 million individuals have been affected in the background investigation incident. Therefore, I am providing the status as we know it today, and reaffirming my commitment to
2:46 pm
providing more information as soon as we know it. First, the two kinds of data I am addressing, personnel records and background investigations, were affected in two different systems in the two recent incidents. Second, the number of individuals with data compromised from the personnel record incident is approximately 4.2 million, as reported on June 4th. This number has not changed and we have notified those individuals. Third, as I noted, we continue to analyze the background investigation data as rapidly as possible to understand what was compromised, and we are not at the point of providing a more definitive report. I want to address the figure of 18 million individuals that has
2:47 pm
been cited in the press. It is my understanding it is referring to a preliminary, unverified and approximate number of social security numbers. It does not represent the total number of affected individuals. The social security part of the analysis is still under review and we don't have a more definitive number. Also, there may be an overlap between the individuals affected in the background investigation and the personnel file incident. We are working deliberately to determine if individuals who have not had their social security number compromised but might have other information exposed should be considered
2:48 pm
affected by this incident. For this reason I cannot provide a more definitive response. It may increase from the initial reports. My team is conducting this further analysis with all due speed, and again I look forward to providing an accurate and complete response as soon as possible. Thank you, Mr. Chairman, for this opportunity to testify before you today, and I am happy to be here along with my CIO to address any questions you have. >> Mr. McFarland, you are recognized for five minutes. >> Chairman Chaffetz, Ranking Member Cummings, and members of the committee, good morning. I am inspector general of the U.S. Office of Personnel Management. Thank you for inviting me to testify at today's hearing.
2:49 pm
Lewis Parker, my partner, is here with me, and with your permission he may assist in answering technical questions. In 2014 OPM began a massive project to overhaul the IT environment by building a new infrastructure called the shell and migrating all of its systems to the shell from the existing infrastructure. Before I discuss the OIG's examination of the progress, I would like to make one point. There have been statements saying the overhaul was necessary because OPM's current legacy technology can't be properly secured. This is not the case. There are many steps that can be taken, or indeed which OPM has already taken, to secure the agency's current IT environment. I just want to emphasize that while we agree
2:50 pm
the overhaul is necessary, the urgency is not so great that the project can't be managed in a controlled manner. Last week my office issued a flash audit alert discussing two significant issues related to the program. My written testimony describes the issues in detail; I will only give a summary for you this morning. First, we have serious concerns with how the project is being implemented. OPM is not following proper IT project management procedures and doesn't know the true scope and cost of the project. The agency has not prepared a project charter, conducted a feasibility study, or identified all of the applications that will have to be moved from the existing structure to the new shell environment. Further, the agency has not prepared the mandatory major
2:51 pm
business case, formally known as Exhibit 300. This document is an important step in the planning of any large scale IT project, as it is the proper vehicle for seeking approval and funding. It is a necessary process for enforcing proper management techniques. Because OPM has not conducted these basic planning steps, it does not know the true cost of the project and cannot provide an accurate time frame for completion. OPM estimated the project will cost $93 million, but that only includes strengthening the current administration. It doesn't include the cost of migrating all of OPM's almost 50 major systems and numerous
2:52 pm
subsystems to the shell. Even if $93 million was an accurate estimate, the agency doesn't have a dedicated funding stream for the project; therefore it is entirely possible that OPM could run out of funds before completion, leaving the agency's IT environment more vulnerable than it is now. OPM has set an unrealistic time frame for the completion. The agency believes it will take 18-24 months to migrate all of the systems to the shell. It is difficult to imagine how they will meet the goal when it doesn't have a comprehensive list of all of the systems that need to be migrated. Further, this process is inherently difficult and there are likely to be significant challenges ahead. The second major point discussed
2:53 pm
is sole-source contracting. They have contracted a single vendor for all four parts. There is an exception for compelling and urgent systems, and the first phase, which involves securing OPM's environment, is indeed a compelling and urgent operation. That phase addressed the breaches that occurred last year. The later phases, like migrating the applications to the new shell, are not as urgent. It may sound counterintuitive, but OPM should step back and complete the assessment of the current architecture and develop a business case proposal, and
2:54 pm
then, when funding and approval are secured, OPM should move forward with the project in a controlled manner using sound project management techniques. OPM cannot afford to have this project fail. I fully support OPM's effort to modernize the environment and the director's long-term goals. But if it is not done correctly, the agency will be in a worse situation than it is today, and millions of taxpayer dollars will have been wasted. >> Ms. Seymour, was your statement with the director, or do you have one? >> It was with the director. >> I would ask consent to enter into the record a letter from the Office of Personnel Management dated today and signed by Ms. Archuleta dealing with the number of records. Without objection we will enter
2:55 pm
that into the record. We will recognize Ann Barron-DiCamillo. >> Good morning. I appear to talk about the role the United States Computer Emergency Readiness Team played. Like many Americans, I feel like a victim of these incidents and I am concerned about the numerous hacks. I understand both the scope of the problem we face and the challenges in securing critical networks. Cyber security is a true team sport. Many different agencies are responsible for aspects of security, including intelligence,
2:56 pm
law enforcement, the Department of Homeland Security, as well as individual system owners and individual users as well. My organization within DHS is part of the National Cybersecurity and Communications Integration Center. US-CERT focuses on analyzing cyber risk, sharing information about threats and vulnerabilities, and responding to significant incidents. We focus on incidents facing the government and private networks. Our role is largely voluntary in both cases. We rely on relationships to build relationships. When an entity believes they have been the victim of a cyber incident, they often invite us to assess the scope and offer suggestions on improving the process going forward.
2:57 pm
We first learned in 2013 about the compromise from OPM, and we were part of the response team that assessed the scope of the activity. Throughout that time we shared information with governmental partners as well as private sector partners so they too could better protect themselves, and we created systems that could look at other federal agencies. On May 28th, 2014, it was concluded the suspicious actor was removed from the network, and we provided steps to take to increase their own security. It is important to note there is no silver bullet to secure networks from sophisticated
2:58 pm
actors. The internet was designed with ease of use rather than security in mind. OPM did some things well and was weak in other areas. I understand they had just started an effort to improve their cyber security. The incident report included several mitigation recommendations. From what I observed, OPM made an effort to adopt the US-CERT recommendations beginning last summer. It was OPM in April of 2015 who discovered the current intrusion on its own network using the tools recommended by us. We created new signatures to look for similar intrusions at other agencies. This is how the malicious access to OPM data was discovered. This newly discovered threat was
2:59 pm
shared with our private sector partners and other trusted partners around the community. Our incident response team has been working with OPM to assess the nature and scope of the incident. There are a few things I can share. We were able to use the Einstein capabilities to detect the intrusions in the part that houses the records. Some OPM personnel data was compromised; this is the 4.2 million number Director Archuleta referenced today. As a result of the April 2015 investigation, OPM continued to conduct investigations and discovered evidence of an additional compromise, and we led another response team to assess
3:00 pm
and found background information was exposed and possibly exfiltrated. That is under investigation. We learned the ongoing implementation of two-factor authentication, which was a protection measure, may have mitigated continued effects. Although I am appearing today ready to provide information to this committee, I do so with some concern. As I mentioned, we rely on cooperation from agencies and private entities who believe they may be victims of malicious activity. I worry that us appearing in front of this committee will have a chilling effect on their willingness to notify us, the whole of government, of future incidents. We need private companies to
3:01 pm
continue to work with government and share information about cyber threats. Thank you. I look forward to your questions. >> Mr. Hess, you're now recognized for five minutes. >> Thank you, Chairman, Ranking Member Cummings. I'm president and chief executive officer of KeyPoint Government Solutions. Since 2004 KeyPoint has provided field work services for background investigations to a number of federal agencies, including the Office of Personnel Management. We employ investigators in every state and are proud to be part of OPM's team, helping to ensure that the security investigations it conducts are thorough, detailed and consistent. We take issues of cybersecurity very seriously, and as a contractor providing critical services across the federal government, we stand in partnership with the federal government in trying to combat
3:02 pm
ever-present and ever-changing cyber threats. We're committed to the highest levels of protections. The recently announced breach of OPM is the focus of this hearing. I would like to make clear that we see no evidence suggesting the incursion into OPM systems last year is what facilitated the recently announced OPM breach. There is no evidence that KeyPoint was responsible for that breach. The press reported that hackers stole OPM credentials assigned to a KeyPoint employee and leveraged that access to OPM systems. As Director Archuleta noted in the Senate yesterday, there's no evidence suggesting KeyPoint is responsible for or directly involved with the incursion. To be clear, that work was completed on an OPM system, not a KeyPoint system. I know that during this hearing the incursion of KeyPoint systems that was discovered last
3:03 pm
September will also be discussed. Before going into more detail, I would like to note KeyPoint has maintained its authority to operate (ATO) from OPM and DHS. This means we've met the stringent information security requirements we are required to meet under our federal contract. KeyPoint only maintains personal information that is required under our contractual obligations. We, like government agencies, face aggressive, well-funded and ever-evolving threats that require us to meet requirements in order to protect sensitive information in our charge. Let me say a few words about the earlier incursion at KeyPoint. In December 2014 the "Washington Post" reported OPM had announced it would notify 40,000 federal workers their personal information may have been exposed as a result. I emphasize the word "may" because after the extensive analysis of the incursion we found no evidence of exfiltration of sensitive personal data.
3:04 pm
Last August, following public reports of the data security breach at another federal contractor providing background checks, Chief Administration Officer Donna Seymour asked KeyPoint to invite the United States Computer Emergency Readiness Team, or US-CERT, to assess the KeyPoint network, and KeyPoint agreed. A team from the Department of Homeland Security's National Cybersecurity Assessment and Technical Services conducted a risk and vulnerability assessment and conducted network and application vulnerability tests of KeyPoint systems, including internal and external penetration testing. They provided a number of findings during the engagement, which were resolved while the team was on site, as well as recommendations for the future. While the team found issues, they were resolved, and the team found no malware on KeyPoint systems. Then in September US-CERT informed KeyPoint it had found indications of successful malware, detected and detectable by commercial
3:05 pm
antivirus, on computers. US-CERT provided KeyPoint with mitigation recommendations to remove the malware and other recommendations for hardening its network to prevent future compromise. KeyPoint acted quickly and began implementing the recommendations. KeyPoint conducted an internal investigation of the data security issues identified by US-CERT and concluded the malware in question was not functioning correctly, potentially caused by errors made during its installation on KeyPoint systems. Neither US-CERT's investigation nor ours found evidence of exfiltration of personally identifiable information. I attended a classified briefing at OPM where I learned more about the OPM breach. In this setting I cannot go into details; however, I can reiterate that we see no evidence of a connection between the incursion at KeyPoint and the OPM breach. We are always striving to ensure KeyPoint defenses are as strong as
3:06 pm
possible, and we welcome US-CERT's recommendations for strengthening the security of our systems. We have been working closely with OPM to improve our information security posture in light of the new advanced persistent threats. OPM presented us with a 90-day network hardening plan. We completed it. We've been working to make our systems more resilient and strong in light of US-CERT recommendations, and among the measures we put into place are full deployment of multifactor authentication, security information and enhanced intrusion detection systems, network information and improved network segmentation, and many more. We have been working with all of our customers to update our ATOs, and this includes an audit from an independent party. We will continue to fortify protections of our systems. Our adversaries are constantly
3:07 pm
working to make new attacks against our systems. While it may be impossible to eliminate the threat of a cyber attack, we will continue to evaluate our protections. Thank you for drawing attention to this critical issue and allowing KeyPoint to share its perspective. >> Thank you for your testimony. Mr. Giannetta, we will now recognize you for five minutes. >> Thank you. My name is Robert Giannetta, and I am currently the chief investigation officer. I joined in August of 2013, and before then I was with BAE Systems and served in the United States Navy. Until August 2014 USIS performed
3:08 pm
background investigation work for the United States Office of Personnel Management. When I started working at USIS, they would perform background investigation work and were operating under two security systems which were issued by OPM in 2012. Those authorities to operate required annual review of the systems, and OPM's 2014 review included approval of the system security plans and a site visit in May of 2014. In June 2014, USIS immediately notified OPM and initiated its comprehensive response plan. USIS's responses included the
3:09 pm
investigations firm to lead the investigation and remediation efforts. USIS instructed them to leave no stone unturned in their investigation, and they invested thousands of personnel hours and dollars to remediate against the attack. Those efforts succeeded in blocking the attacker. The Stroz investigation was also able to develop significant technical details about how the attack occurred, what the attacker did within the systems, and when data was compromised. This was shared with OPM and other government agencies. In addition, USIS invited investigators in and gave them full access. They issued a stop-work order and terminated the long-standing
3:10 pm
contractual relationship with the company. This led USIS to bankruptcy. Just yesterday I was invited to testify before the committee, and I will do my best to answer any questions you may have. >> I recognize myself. Ms. Archuleta, you have personally identifiable information for how many federal employees and retirees? >> We have -- >> Move your microphone closer, please. >> We have 2.7 individuals who are full-time employees and 2.4 -- >> No, I asked you -- you have personally identifiable information for how many employees and retirees? >> The number I just gave you includes the number of employees and retirees, and personally identifiable information within the files depends on whether
3:11 pm
they have had a background investigation or whether -- >> How many records do you have? This is what I am trying to get at. >> I will ask Ms. Seymour -- >> No, come on, you are the head of the agency, and I want to ask you how many heads are at play here. >> I will get back to you -- >> No, no, this is what you wrote to the appropriations chairmen of the House and Senate. You wrote, "As a proprietor of sensitive data, including personally identifiable information for 32 million federal employees and retirees, OPM has an obligation to maintain cyber controls." You wrote that in February. Are you here to tell me that information is all safe, or is it potentially 32 million records that are at play here? >> As I mentioned to you earlier in my testimony, Mr. Chairman,
3:12 pm
we are reviewing the number and the scope of the breach and the impact -- >> So it could be as high as 32 million? Is that right? >> I mentioned to you, I will not give a number that is not completely accurate, and as I mentioned in my testimony -- >> I am asking you for a range. We know it's a minimum of 4.2 million, but it could be as high as 32 million? >> I am not going to give you a number that I am not sure of. >> When they fill out the SF-86, that would include other people identified within those forms, correct? >> That's correct, sir. >> Do we know on average how many people are identified if you fill out an SF-86, how many people -- >> I don't believe anybody has calculated an average. >> Are you taking a look? I am asking if you will take a
3:13 pm
sampling of records and understand how many other people are identified in those records. If you have 32 million employees and former employees in your database and they are also identifying other individuals, I would like to know on average how many people that is. Is that fair? >> We are not calculating on average; we are calculating a very distinct and accurate number. >> When you asked for $32 million more in your budget request, it was because you had 32 million employees and former employees identified, correct? >> That -- the number of employees that we have, yes, we are asking for support for our cyber security -- >> Do you have a complete inventory of databases and network devices -- >> We have as complete an inventory
3:14 pm
as we can, sir. That changes on a daily basis. >> Changes on a daily basis? You don't have it, do you? Mr. McFarland says it's not complete. >> His IG report was done in 2014. We have made significant progress in our IT program since then, and we know where those are and we know the PII in them. >> To my members of the committee here, we have to move quickly; just having an inventory of what is at play here is key, and the inspector general does not believe you when you say that. Ms. Archuleta, in 2014 OPM became aware of an attack on its networks. I would like to enter into the
3:15 pm
record, a Chinese attack, 2014. Did it result in a breach of security? >> On the March 2014 OPM network adversary activity, the data, to that number, none was lost. >> I asked if there was a breach in security. >> There was activity that dated back to November of 2013, and with the forensics of that information, we found no PII was lost. >> I am asking you a broader question. Did they have access to the personally identifiable information? >> I am not a forensic expert, but we have the forensic team with us right here on this panel.
3:16 pm
>> In your perception, from your understanding, did they have access to the personnel information? >> We know there was adversarial activity that dated back to November of 2013, and I also know that no PII was lost. >> No, that's a different question. The question I asked is, did they have access? Whether they exfiltrated it is a different question. >> I said there was adversarial activity. >> Did it result in a breach of security, in your opinion? Is that a breach of security? >> That's a breach of our systems, yes. >> Is that a breach of your security? >> With the security systems, yes. >> So yes, it was a breach of security, yes? >> They were able to enter our systems. The security tools that we had in place at that time were not
3:17 pm
sufficient to fight back and we have since instituted more and that's why in april of this year we were able to -- >> okay but at the time, at the time it was a breach of security, right? >> yes there was a breach into our system. >> was there any information lost? >> as i just said to you there was no pii lost. >> that's not what i asked you. i asked did you lose any information? >> you would have to ask the forensic team? >> i am asking if you know if any information was lost? >> i will get back to you. >> i believe you have this information. >> you believe i have the information? >> yes. >> did they take information when they broke into the system? >> no pii -- >> that's not what i asked you. we will take as long as you want here. i did not ask if they exfiltrated
3:18 pm
pii. i am asking you did they take any other information? >> i will get back to you -- >> i know you know the answer to this question. ms. seymour, did they take any other information? >> in the march 2014 incident, the adversaries did not have access to data on our network and they did have access to documents and they did take documents from the network. >> what were those documents? >> outdated security documents about our systems and manuals about our systems? >> what kind of manuals? >> about the servers and environment? >> is that like a blueprint for the system? >> that would give you enough information that you could learn about the platform, the infrastructure of our system, yes. >> did they take any personnel
3:19 pm
manuals? >> no. >> they took some manuals about the way we do business. they did not take personnel manuals, and we may not be defining that the same way. >> but they did take information? >> yes, they did. >> do you believe it was a breach of security? >> yes i do. >> so ms. archuleta, when we rewind the tape and look at the interview you did on july 21st you said we did not have a breach in security and there was no information that was lost. that was false, wasn't it? >> i was referring to pii. >> no you weren't. that was not the question. that was not the question. you said and i quote there was no information that was lost. is that accurate or inaccurate? >> the understanding that i had of that question at that time referred to pii.
3:20 pm
>> it was misleading and a lie and was not true. when this plays out we're going to find that this was the step that allowed them to come back and why we are in this mess today, it was not dealt with and you were misleading and went on television and told all the federal employees don't worry, no information was lost. did they have access to the personal information, ms. seymour? >> no, at that time they did not have access to the personal information? >> they may not have taken it, but did they look at it? >> at that time they did not have access. i want to talk to you mr. mcfarland and i wanted you to hear me, listen to me very carefully. there have been, after our last
3:21 pm
hearing on this subject members on both sides wanted to ask for ms. archuleta's resignation and i asked that we not do that but we have this hearing so we could clear up some things, and because i wanted to make sure that we all are hearing right and we are being fair. this is my question. you have one opinion and ms. archuleta, director archuleta and ms. seymour have another opinion. you seem to say they need to do certain things in a certain order, and they say they think the order that they are doing them in is fine. they say they can do certain things in a short time and you say it's going to take longer.
3:22 pm
you also say they don't have the necessary stream of funding they may need. this is what i want to know. is this a difference of opinion with regard to experts? do you understand what i am saying? you have your set of experts and they have their set and do you deem it a difference of opinion? the reason why i mentioned from the very beginning about the desire of certain members of our committee to ask for ms. archuleta's dismissal is because i want you to understand how significant that answer is, because there are some members that believe that you have made recommendations and that those recommendations had been simply disregarded. can you help us with that mr.
3:23 pm
mcfarland? do you understand my question? you look confused. don't be confused. i can't hear you. >> i always look that way. >> okay, good. you always look that way. okay, go ahead. >> i am not confused, no, but it's a very difficult question. >> but it's a very important question. >> absolutely. of course it's a difference of opinion, but the opinion that i have comes from auditors who are trained to look for the things that they reported on and they did, in my estimation as normal and usual an excellent job. they stand behind their findings. i stand behind their findings. >> but is it just a difference of opinion? >> well, it's obviously a difference of opinion without question, and from my perspective ours is based on
3:24 pm
auditing and questioning and understanding the situation and that's where we come up with our answers. >> you heard ms. archuleta give a whole list of things that she is doing or about to do i think, naming a new cyber officer and whatever, and does that satisfy you as far as your concerns are involved? >> no, it doesn't satisfy me as far as our concerns. we have a whole suitcase of concerns that we have identified in our reports. i think that the best way to explain your answer to that question is that we -- we are i guess, very frustrated that we
3:25 pm
asked answers of opm and it takes a long time to get the answers. we ask definitive questions and we don't necessarily get definitive answers. we know for a fact that the things that we have reported are factual. we don't take a backseat to that at all. our people have done this for a long time, they know what they are doing, but, yes it comes out to a difference of opinion, but ours is based on fact. i can't speak for the other side. >> all right. your company has a lot to answer. according to the justice department, usis perpetrated a
3:26 pm
multimillion-dollar fraud, and they failed to protect sensitive information of tens of thousands of federal employees, including people in the intelligence community and even the capitol police, and altegrity doled out bonuses. last week the committee invited the altegrity chairman to testify. do you know what he said? >> i do not. >> i will tell you. he said, no, he refused. in 2014, a team from department of homeland security asked altegrity if they could scan the networks because the cyber spies were able to move from usis to those other subsidiaries.
3:27 pm
do you know how they responded? >> i understand they declined. >> yes, they refused. altegrity is your parent company. who made the decision to refuse the government's request? >> i don't have that information. i am not aware of who made that decision. it certainly was not me. >> can you find out for me? >> i can ask. >> how soon can we get that information? >> i will take it back to counsel and see what we can do. >> i would ask you to get it to us in the next 24 hours. i would like to have that. i have been trying to get it for a long time. i would like for you to tell the committee the names of specific members of the board. >> i interact almost never with
3:28 pm
the board of directors. >> you are about as close -- we have been trying to get the information for a while. you are all we got. i know you are just back from vacation from italy. did you get a bonus by the way? >> i did. >> oh, my goodness. how much did you get? >> i don't recall the exact amount. >> it was in the neighborhood of $95,000. >> your company also refused to provide answers in a hearing in 2014. do you know what your company representative said when the committee attempted to get these answers? >> i am not in that communication chain, so i don't. >> let me tell you. they sent an e-mail to our staff and i quote, the company does not anticipate making a further response, end of quote. do you know -- would you know why they would say that? >> again i am the chief
3:29 pm
information officer at usis, and i don't know. >> sounds arrogant to me. the same question i asked back in february of 2014, more than 16 months ago: name the board of directors that decided not to answer those questions. you wouldn't know that either? >> i don't know the board of directors. i know the chairman is steve duh leash. >> you are still working for usis is that right? >> how long will you be there? >> indeterminate but in the next month or so i will be departing. >> will you try to get me those names? >> i will take your request back to the appropriate people. >> thank you. we recognize the gentleman from florida. >> thank you, mr. chairman. ms. archuleta, there has been a
3:30 pm
discussion today about how many people -- federal employees and retirees -- have been breached and you testified at the beginning, you estimated about 2.4 million, is that correct? >> it was 4.2 -- >> 4.2 in personnel? half of that is retirees and that's 2.4 and then you add -- >> i don't know exactly, but it's about half and half. >> the second figure you started to debate about was 18 million which has been reported by the media, and that would deal with breach of social security numbers? >> the analysis right now is taking a look at all the pii because pii comes in various forms -- >> but you are not prepared to tell us how many -- >> no, sir.
3:31 pm
>> of the social security numbers are breached. the chairman pointed out your statement in february, you had said over 32 million records? >> that was the number he used, yes. >> so you really don't know, then, how many records have been breached beyond the 4.2? >> no, sir, that's the investigation we are doing right now. >> i thought about this a little bit and i thought, well, first thing, were my records breached, my staff, and then thinking about the other people downtown and the agencies and we have a responsibility to protect their personal information, and over the weekend, in fact monday, i spent the day at an embassy being briefed on a bunch of issues, and then brought to my
3:32 pm
attention was people in sensitive positions that they were notified by you all of a breach of their records. so our overseas personnel in sensitive positions have also been subject to the breach, correct? >> employee personnel records -- >> how much data is there? address, and personal information about these individuals. you think a little bit about people in the glass places here and you want everybody safe. i was stunned to find out that some of the people, united states citizens serving overseas, were notified that their personnel records have been breached and information is available on them and they are in possible situations that could be compromised by that information, but you have notified them, right? >> we have notified the 4.2 million -- >> those are the people.
3:33 pm
they mentioned this to me. i was there on other subjects, but they expressed concern -- >> i am as concerned as you are about this because these are the individuals who have been -- whose data -- >> these people are on the front line, and they are overseas and representing us and i could hear concern in their voice about what has taken place. i have read it's chinese hackers, does anybody know? was it the chinese? do we know for sure? do you know for sure? >> that is classified information, sir. >> so you have some idea but it's classified? >> it's classified and i can't comment here. >> whether it's chinese or some group that could give this information to people who would want to do harm, then that means some of those people to me are at risk? >> sir, every employee is
3:34 pm
important to me, not whether they are serving in kansas city or overseas. >> no but yesterday morning before i left i visited the site of a terrorist act in one of the capitals and i saw that place still had not been opened and it has been months sithat trori you've been there the longest ms. barron-dicamillo, is that the truth? since about 2012? if it's about 2012 -- i'm sorry -- you have been in position since 2012 in opm? >> no. i work for department of homeland security. >> but you're responsible overseeing opm's -- >> so dhs has shared responsibility for cybersecurity. we are partnering with departments and agencies to ensure the cybersecurity of the dot gov and partners. we work with them -- >> when did we first find out
3:35 pm
about this breach? >> we were notified by a third party partner in march 2014. >> 2014. so when you came on ms. seymour, about 2014? >> i came on board in december of 2013. >> so you were there. they talked about his bonus. finally, are you ses? >> yes, sir. >> did you get a bonus? >> yes, sir, i did. >> how much? >> i do not know the exact amount but about $7000. >> with your private or public you're getting a possible some of this was going on. >> now recognize the gentleman from new york for five minutes. >> thank you. i am trying to get this straight. opm was breached directly, twice, is that correct? i'm going to ask ms. seymour, information officer. opm was breached twice directly, correct? >> that's correct.
3:36 pm
>> and one occurred in december of 2014, detected in april 2015, in the security breach. when were the two breaches? when were the two breaches, the dates? >> the first opm breach goes back to -- we discovered it in march of 2014 and the breach actually occurred in -- >> you discovered it in march 2014. >> yes ma'am, and the breach actually occurred, the adversary had access, back in november of 2013. >> okay and then the second breach was when? there were two breaches? >> that is correct. the second breach we discovered in april of 2015 and the date that breach goes back to is
3:37 pm
october of 2014. i'm sorry, june of 2014. >> who discovered this breach? had opm discovered this breach? >> the first breach we were alerted by dhs. >> so you did not discover it. the department of homeland security discovered it? >> yes ma'am. >> wait a minute. this is important. homeland security discovered it, okay. and then the second one, who discovered it? >> opm discovered it on its own in april 2015. by then we had put significant security measures in our network. >> when did you report these breaches? who did you report them to? >> on april 15 when we discovered the most recent breach we reported that to us-cert and to --
3:38 pm
>> to? >> us-cert, the computer emergency readiness team at dhs. >> so you did it to dhs. did you report to congress too? >> we reported to the fbi and we made our business required notification to congress as well. >> that was april 15. what about the first one? >> for the first breach, again dhs notified us of that activity in our network and so they already knew about that one. and yes we made notifications to congress about that one as well. >> when? >> i'm sorry i don't have that date in my notes. i would be happy to get you --
3:39 pm
>> could you please get back to the committee for us? did you notify the contractors of the breach? >> at the first breach there was not an awareness of what the adversaries were targeting and that this may go beyond opm. i know that my staff, my security staff, had conversations with the security staffs at the contractor organizations. i also know that the indicators of compromise that dhs had were provided to other government organizations, were put into einstein as well as the communications that they would normally -- >> but the breaches were correct. i want to understand the interaction with the contractor. now, when they breached you, did they
3:40 pm
go into opm? i'm asking both mr. hess and mr. kildee. when they were in your system, did that connect into opm or was it held in your system? >> with our intrusion in june 2014, it was within our systems. >> so it was within your systems. so the 4 million identities that they had and the information they had, it came from opm or from the contractors? are they one and the same or are they separate? >> these are separate incidents. so with the breach at usis, the way that opm does business with its contractors is different from the other agencies that may do business with both keypoint and with usis. so the approximately 49,000, i believe it was, individuals who we notified based on the keypoint incident. there were other agencies who
3:41 pm
made notifications both on the usis and the keypoint incident. and what we are getting to is about the personnel records that are the incident at opm -- >> what i'd like to get in writing is exactly what information came out of opm? what information came out of the contractors? is it one and the same? you are a final database, so i want to understand the connection and how the breaches occurred and how they interconnect. >> thank you. i thank the gentlelady. i now recognize mr. turner for five minutes. >> thank you, mr. chairman. ms. archuleta and ms. seymour, i would remind you that you are under oath. i had a series of questions that follow onto ms. maloney's questions. it was reported in "the wall street journal" that a company
3:42 pm
named cytech has related that they were involved in discovering the breach, that apparently has been, according to this article, linked to chinese hackers. opm's press secretary said the assertion that cytech was responsible for the discovery of the intrusion into opm's network during a product demonstration is inaccurate. cytech related they were invited by opm -- ms. seymour? ms. seymour? do i have your attention? they were invited in by opm and that their equipment was run on opm and that their equipment indicated that there had been an intrusion of your system, that they notified you. but your response officially from opm is that it's inaccurate, they were not involved. ms. archuleta, i believe you were asked this briefly previously and you said they were not involved. i remind you both you're under oath. anybody want to change their
3:43 pm
answer? was cytech involved? ms. archuleta? >> no, they were not. >> ms. seymour? >> no, they were not. >> was cytech ever brought in to run a scan on opm's system? >> cytech was engaged with opm and we were looking at using their tool in our network. we gave them, it was my understanding, we gave them some information to demonstrate whether their tool would find information on a network and that, in doing so, they did indeed find those indicators on our network. >> great. thank you, ms. seymour. i am on the intelligence committee and the cytech ceo and vice president came in and briefed the intelligence committee staff and they relate that they were given access to your system, ran processes, and in the process discovered it.
3:44 pm
i think you've confirmed this now, whereas you previously denied any involvement. they want to relate again, what exactly did cytech do? were they given access to your system? did they run it on your system? >> here's what i understand. opm discovered this activity on its own and -- >> that wasn't part of the question ms. seymour. i'm assuming you have a greater understanding, that you actually know, considering you're the chief information officer and are testifying before us, and there's been a news article on this, so please tell us clearly what access was cytech given to your system? >> i'll be happy to answer your question. i can't explain to you how cytech had access. opm discovered the breach and we're doing market research and we were also, we had purchased licenses for cytech. we wanted to see if that toolset would also discover what we had already discovered. so yes, they put their tools on a network and yes, they found
3:45 pm
that information as well. >> so you are taking -- i think what you're saying is that you brought them in and said shazam, you got it, too? seems highly unlikely. >> we do a lot of research before we decide what tools to buy. >> at that point you have not removed the system from your system? i think a union with there. you brought them in and their system discovered it, which means you would have had it continuously running and that personal information would've been still at risk, correct? >> no, sir. we had it laid in our own system, we were watching, we had quarantined it. >> and you had quarantined it so it was no longer operating? >> that's correct. >> okay. you're going to have to give us all an additional briefing, and with the intel committee staff, exactly who did this. because what cytech is relating they did is very compelling and quite frankly what you say sounds highly suspicious, that
3:46 pm
you would a profit and can trick them to see if they could discover, something evolved disco. why would you need it if you discovered it? and further tricked into so you don't have a system on your system any more? it's contradictory, it insinuates, it defies logic. the other thing i want to ask you ms. archuleta, on your sf-86 forms that were compromised, when you say they form a sound somewhere -- sf-86. this is the security form people looking to work in national security and get a clearance have to fill out. not just social security but their social security number is all over this. i have wright-patterson air force base in my district and there's a number of people who fill those out who serve their country. what are you doing about the additional information that is in this form that is being released and is out there about these individuals? >> i filled out exactly the same form and -- >> i didn't ask that. it's not just about identity theft. this is not just their credit
3:47 pm
card and checking accounts. what are you doing about the rest of the information about counseling and assisting in? >> i just used it by way of example that i understand what is in the form. personally and as director of opm and because at opm, as you know, we do background investigations, i'm pretty aware of what's in the form. as i mentioned in my testimony, we are working with a very dedicated team to determine what information was taken from those forms and how we can begin to notify individuals who are affected by that. that form is very complicated and that is why i am very, very careful about not putting out a number that would be inaccurate. that is a complicated form with much information. it has pii and other information so you want to be sure that as well as at how we protect the individuals who completed those forms that we're doing everything we can and we are
3:48 pm
looking at a wide range of options to do that. this is an effort that has been done together throughout government, not just opm. we are all concerned about the data that was lost as a result of this breach by these hackers who were able to come into our systems. i will repeat again, but for the fact that we found this, this malware would still be in our systems. >> mr. chairman, i just want you to note that they have released an acknowledgment that cytech had access to the equipment and did run it and did identify it, even though they previously denied cytech's involvement. thank you. >> now recognize the gentlewoman from the district of columbia for five minutes. >> trembling. actually i have a question for ms. barron-dicamillo, but first i want to ask ms. archuleta, members have been concerned about
3:49 pm
the 4.2 million number that you tried to stress for the record is not a final number. it almost surely will go up, is that the case? >> there are two incidents. in the first incident, that number is 4.2 million. and the second incident we have not reached a number. >> the number is going to go up. i understand and i am receiving calls from federal employees about opm's promise of 18 months, i believe it is, of free credit monitoring. is it true that federal employees must pay for this service after that time? >> the services that we are offering are identity theft protection up to $1 million and we are also offering credit monitoring for 18 months which is a standard industry practice.
3:50 pm
as we look at that second notification we are looking at our whole range of options. >> transport visit -- ms. archuleta, there's a great deal of concern not so much about the paper but the amount of time. the 18 months may be too short a period of time given how much you don't know and we don't know. >> we're getting tremendous information back from not only -- >> are you prepared to extend the time if necessary? >> extend the time if necessary, because i've asked my experts to include this feedback that we've received on a number of different considerations -- >> are you prepared to extend the 18 months in light of what happened to the employees, if necessary? >> as i said we don't know the scope of the impact, the scope of -- >> precisely for that reason ms. archuleta, i've got to go on. if the scope is greater as we get more information, will you
3:51 pm
correlate that to extending the amount of time that federal employees have for this credit monitoring? >> congresswoman, i will get back with you as to how we are, what range of options we have as we look -- >> will you get back to us within two weeks on that? ms. archuleta, we have people out there, all of us have constituents out there who have been directly affected. you won't even tell me that you are prepared to extend the time for credit monitoring. what kind of satisfaction can they get from opm? i'm just asking you if that is necessary. >> congresswoman, i am concerned that you were asked to -- >> no, you're not going to answer that question. are you willing to answer this question? they report having to wait long periods of time, sometimes hours, to even get anybody on the phone from opm. can you assure me that if a
3:52 pm
federal employee calls, they can get a direct answer forthwith today if they call? and if not what are you going to do about it? >> we are already taking steps. what the contractor has actually implemented is a system similar to what social security is using. so if they get a busy tone they can also leave a number and they will get a callback and we -- >> within what period of time ms. archuleta? >> for example, i've heard a gentleman told me this morning that he left his number and he was called back in an hour. so that individual doesn't have to wait on the phone. >> ms. archuleta, would you let the chairman know before the end of this week what is the wait time for a return call. that was a subject of great concern. >> we get those numbers every day. >> you can't even assure them that beyond 18 months they are going to get credit monitoring. that's a very unsatisfactory
3:53 pm
answer, i want you to know. i want to ask ms. barron-dicamillo, we understand much of this is classified and we keep hearing we can't tell you things because it's classified. of course the press is finding out lots of stuff. they have reported that law enforcement authorities have been examining the connection between the cyber attack at opm and a previous data breach that occurred at keypoint. so i want to ask you, ms. barron-dicamillo, and i don't want to discuss, i'm not asking anything classified, in the course of your own investigation of the keypoint data breach did you find that hackers were able to move around the company network prior to detection? >> in the case of the keypoint investigation -- >> yes. >> yes, they were able to move
3:54 pm
around in the keypoint network. we had an interagency response team that spent time reviewing the keypoint network after a request for technical assistance -- >> even for the domain controller? >> correct. we were there in august of 2014. the on site assessment team was able to discover -- >> what does that allow a hacker to do if you can get to the domain controller? >> they had access to the network -- >> keypoint? >> yes, from that point in time through the fall of 2013. so during the time they were able to leverage certain malware to escalate privileges from the entry point. so they entered the network -- we're not quite sure because of lack of logging, we couldn't find -- >> but they could get the background -- >> the gentlelady's time has expired. >> they could not. they were not able, there was
3:55 pm
no, there wasn't -- it was associated with 27,000 individuals associated with that case, i believe. it was potentially exposed because of lack of evidence; we were able to confirm there was potential access but we were not able to confirm exfiltration of that data. >> i thank the gentlelady. >> thank you mr. chairman. >> i now recognize myself for five minutes of questioning. let me ask ms. archuleta, what do you believe was the intent behind the attack? we're talking about the attack. what do you think the intent was? >> you'd have to ask my partners, they are good about that. i don't know, i'm not an expert in what -- >> ms. seymour, maybe you could respond to that? >> that would be better placed with dhs and perhaps with others. >> let me start, ms. seymour, giving the idea as to why the attack? >> opm does not account for attribution or the purpose to which this data would be used.
3:56 pm
>> ms. barron-dicamillo? >> i would have to discuss those issues further in a closed setting, as i did yesterday with the staff, because the details around that are something that would be more appropriate for a closed classified setting. >> ms. archuleta, how would you assess opm's communication with current and former federal employees regarding the breach? at this point in time how would you assess that? >> i believe that we have worked very hard with our contractor to make sure that we're delivering the service that we want. we have asked of them throughout this process to make improvements. we have demanded improvements and are holding them accountable to deliver the services we contracted for. ms. seymour is in communications with them. i do not, i do not want our employees to sit and wait on the phone. i do not want them to have to
3:57 pm
wonder whether their data has been breached. i want to serve them in every way that we can and that is why we are demanding from our contractor the services that the contractor said they would deliver. we are working very hard on that, and each day give them the appropriate feedback from what we're hearing from our employees. >> federal news radio conducted an online survey about the data breach. you probably are aware of it. one of the questions asked respondents to rate opm's communication with current and former federal employees about the data breach. the results showed that 78% of respondents rated opm's communication as poor. an additional 12% rated it as fair. only 3% described it as good and less than 1% said it was excellent. i appreciate the fact that you want to improve that and we expect you to make sure that who you have contracted with improves that. >> those numbers don't make me happy.
3:58 pm
>> those are terrible numbers. >> i'm doing everything i can to make sure we're doing everything for our employees. i care deeply about our employees. >> let me move on. ms. barron-dicamillo, some news reports indicate that hackers may now be in possession of the personal file of every federal employee, every federal retiree and, if you're wondering, former federal employees. if true, that means that hackers have every affected person's social security number, address, date of birth, job history and more. for years we have been hearing about the risk of a cyber pearl harbor. is this a cyber pearl harbor? >> the impact associated with the data breach that was confirmed, the records that were taken out of the personnel records, is what we would call on a severity scale a significant impact. >> significant impact. what does significant impact mean?
3:59 pm
>> meaning that the data, if it does correlate with other data sources, could be a big impact to the environment as well as the individual. >> environment meaning? >> the fact that they were able to take the data out of the environment. that's a significant impact to the environment and ensuring they're able to mitigate the building that the hacker used to get in, and if i put it at the fact that data was exfiltrated, that is considered to be of high significant impact. >> so it has blown up, it has blown up a lot of things, protection, security. it's a pearl harbor. >> that's not a term i'm comfortable with using but on a severity scale that we use -- >> it's pretty significant? >> medium to high significant, yes. >> let me ask ms. seymour.
4:00 pm
do you think issuing a request for quotes on may 28 with a deadline of may 29 to 2 potential contractors was a reasonable opportunity to respond? in this significant issuance of cybersecurity. >> our goal was to be able to notify individuals as quickly as possible. so we worked with a gsa schedule. we contacted two schedule holders. we also put it on fedbizopps for other opportunities. we received quotes from both schedule holders as well as non-schedule holders and so our goal was to make sure that we could notify individuals as quickly as possible. >> that was quick. maybe too quick. my time has expired. i now recognize the gentleman from massachusetts mr. lynch. >> thank you mr. chairman it
4:01 pm
and again i want to thank the witnesses for participating today. ms. archuleta, you testified before the senate, let me ask you at the outset who is ultimately responsible for protecting the personal identification information of employees at opm? >> -- >> or that are covered by opm, federal employees. >> yes, the responsibility of the records is with me and my cio. >> okay. so you also testified that no one was to blame, is that right? >> i think my full statement was that i believe that the breach was caused by a very dedicated, a very focused actor who has spent much funds to get into our systems, and i, along with the rest of my team,
4:02 pm
have worked since day one to improve legacy systems -- >> i understand you are blaming the perpetrators, that those are the people responsible, is that basically what you are saying? >> the action was caused by a very focused -- >> repeated answers. let me just -- the assistant general testified that a number of the systems that were hacked were not old or legacy systems but newer systems. is that your understanding? this isn't the old stuff. this is the new stuff. >> yes, that is correct. >> and the former chief at the department of homeland security said the breaches were bound to happen given opm's failure to update cyber security. is that your assessment mr.
4:03 pm
mcfarland? >> i think it made the possibility much bigger, yes. >> he said if i had walked in as the chief information officer and saw the lack of protection for very sensitive data the first thing we would have worked on was how to protect that data. i am concerned about the flash audit you put out. and your determination was you believe what they are doing will fail? >> the approach they are taking will fail, i believe. they are going too fast. and not doing the basics. and if that is the case, then we are going to have a lot of problems down the road. >> let me ask you, crudely
4:04 pm
describing this, they are creating a protective shell and then we will migrate applications under the shell and because they are under the shell they will be impervious to hacking. it doesn't seem like we should have to wait until the last application is under the shell until we find out if the shell is working. will that give us an opportunity to look at the early stages of this product? >> i am not sure if it will give us that opportunity or not. what is important from our perspective is they have the opportunity, opm has the opportunity right now, to do certain things that will increase this security a great deal. that should not be abandoned and displaced in place of. i don't mean to imply it is.
4:05 pm
but it should not be in place of speeding through, you know, the rest of the project to get it done. the crisis part may not seem this way to a lot of people but the actual crisis at opm is over. the best thing to do is move appropriately for restructuring. >> do you think the estimate of $93 million is accurate? >> i don't think it is anywhere close to accurate. >> i don't either. it doesn't include the migration function where they pull the information in. >> as an example, the financial system we have, sea bass in
4:06 pm
2009 we had to migrate a very small fraction. >> i now recognize the gentleman from south carolina mr. gowdy for five minutes. >> i want to read a regulation. if new or unanticipated threats are discovered by the government or the contractor or if existing safeguards have ceased to function the discoverer shall immediately bring it to the attention of
4:07 pm
the other party. >> i don't know the exact text but it is similarly worded. >> what is a new or unanticipated threat or hazard? mr. hess? >> that would be an indication of failure of the system or any protections. >> when chairman chaffetz was having trouble getting information because it is on the purpose of loss information that is not what the phrase it isn't
4:08 pm
4:09 pm
>> so it says immediately bring it to the attention of the other party. ms. archuleta, i heard about a march 2014 data breach, did i hear that right? >> you did. >> when did you bring that to the attention of mr. hess or ms. giannetta? >> i would have to give that information back to you. i don't have it in my notes. perhaps ms. seymour knows. >> do you know if it was immediately? >> i would expect it was immediate. >> let's find out. ms. seymour, do you think? >> no, sir, i don't but i don't think we immediately notified the contractors of the breach to the network because we didn't have any question as to whether it was affecting them. it was to our network at the
4:10 pm
time. >> mr. hess and ms. giannetta, is that your understanding they were under no duty to bring that to your attention? not all at once. it is your language and you are looking at the regulation, do you think you should have been notified of the march breach? >> absolutely. >> well why? i heard one person say she didn't know and the other say it was none of your business. so why should you have been notified despite the plain language of the contract? why do you think it was important you be notified? >> so we could take more appropriate actions to protect data. >> were you notified? >> i was not. >> were you notified immediately? >> no. >> what do you have to say about that ms. seymour? >> i believe that is accurate
4:11 pm
sir. >> i am with you there. i guess my question is why? why despite the plain language of the contract and regulation why didn't you immediately notify the contractors? >> we worked with dhs and partners to understand the potential compromise to our system. >> was dhs one of your contractors? >> no, sir. >> i didn't think so. why didn't you notify the contractor? >> at the time we were still investigating what happened in the network. >> what does the word immediate mean to you? >> without undue. >> did you do so? >> no, sir, we did not. >> does the regulation say after you talk to dhs or figure out what happened? that is not in my version. is it in yours?
4:12 pm
>> i have not read that one. >> you know why? because it doesn't exist. the only one that exists says to immediately notify the contractor, you are saying you didn't do it and my question is why. >> i cannot answer that question. >> who can? >> i will take that back -- >> to whom will you take it? >> i believe i would take it back to my staff to see if we have processes in place -- >> do you think it is staff's responsibility to notify the contractor? >> we have processes in place for making notifications -- >> who is ultimately responsible for that purpose? who failed to meet the contractual obligations? >> i would have to read the regulations, sir. >> i just read it. >> i would like to read the full context of it. >> you think the context is different from what i just read? >> i would want to read it.
4:13 pm
>> did you read the contract? >> i have read most of the parts of the contract, sir. >> well i cannot speak for the chairman, but my guess is he and others would be interested in who failed to honor the contract and obligations. >> i will recognize the gentleman from california mr. lieu. >> i am concerned about the failures of leadership and the failures of contractors, in particular usis. this looks like it was fraud and i want to know how high up the fraud went, whether the parent company knew about it and whether the hedge fund companies who funded this knew about it. let me start with mr. mcfarland. according to the justice department filing and i quote beginning in at least march of
4:14 pm
2008 and continuing through at least september 2012 usis management devised a scheme to increase the company's revenue and profits. you assisted in this investigation in the case, correct? >> that is correct. >> as i understand it the parent company paid bonuses to top executives during the period of fraud that amounted to nearly $30 million. to your knowledge has usis or integrity paid the government back for those bonuses? >> i am not positive but i believe not. >> let me enter an article from "the wall street journal" how the executives got paid off before the screener went bankrupt. >> without objection so ordered. >> i asked the second one to be
4:15 pm
entered which is an article from the "washington post" saying they filed in bankruptcy court for $44 million from the parent company. >> without objection so ordered. >> now let me ask you, had you upgraded systems to catch the breaches it would have cost less than $30 million, is that correct? >> not having investigated the depth of all of the parent companies we were focused on the network with the findings and estimates being higher than $30 million for the recommendations and that number could be as high as $50 million. >> now i want to ask ms. giannetta about the bonuses awarded during the fraud. who on the board reviewed the deplorable performance and
4:16 pm
gave $1 billion bonuses? was it the board? who made the decision? >> my role began at usis in 2013 as the chief information officer. i don't have knowledge, direct or indirect, of who approved -- >> you don't know parent company or hedge fund manager? >> i don't know. >> okay. we will send you written questions after the hearing and i want your commitment they will provide answers within 30 days. will you commit to that? >> certainly. >> all right. and let me turn now to mr. mcfarland, you issued a report in november of 2013 and one in november 2014 correct?
4:17 pm
on opm? >> sorry i didn't hear the first question. >> you issued two reports november 2013 and november 2014 on opm? >> you are speaking on -- yes. >> these two reports, would you agree with me the 2014 report is quite similar to the 2013 report because opm failed to implement many recommendations? >> i think there were many carryovers, yes. >> and this isn't a difference of opinion. you had opm violating standards the administration put in. for example, in the 2014 report on page 24 opm was not compliant with 11-11 that required multi-factor authentication. and you said they were not
4:18 pm
compliant with the risk assessment standards. you would agree opm was not following these standards, correct? >> yes. >> do you take responsibility for not following the rules? >> it can't be yes or no. >> it was found you were not following the opm guidance. >> i have to take into consideration when an audit is conducted by the auditor, i have to make an informed decision about his recommendations. it is not an issue of whether i disagree with him -- >> this is tracking, documenting
4:19 pm
and justifying all of our steps in -- >> my time is up. i take it you don't actually take responsibility. i yield back. >> i now recognize mr. meadows. >> ms. seymour let me come to you because there seems to be some conflicting information before this committee. on april the 22nd you indicated it was the adversary's modern technology and the opm's antiquated system that helped thwart in your words, thwart hackers at the first opm attack. is that correct? >> yes, sir. >> last week you testified repeatedly that it was the opm's antiquated systems that were the
4:20 pm
problem and the chief reason that the system was not secure and didn't do just the basic cybersecurity measures of encryption and network protection. so i guess my question to you ms. seymour which is it? is it the fact the old system helped you or the old system hurt you? those are two conflicting pieces of testimony. >> i don't believe they are conflicting, sir. in the first incident the old technology thwarted the actor because they did not know what they were doing in that environment. we immediately put in place a plan to provide better -- >> so you caught them immediately? >> no, we immediately put in place a plan so that we could improve the security posture. what we did was we moved to build a new architecture where we could put additional security controls.
4:21 pm
we also at the very same time put security controls in our current environment. >> okay. >> we did not wait. >> well, you say you didn't wait once you found the problem, but is there a -- >> sir -- >> hold on. let me ask the question. is there in the security i.t. cybersecurity technology chief operators, is there anyone who would apply for a job who would suggest not to do encryption of sensitive data? >> encryption is not a panacea. >> i didn't ask that. is there anybody in your job or similar job that would say we're going to protect everything. let's leave it unencrypted. can you think of anyone? because i've been asking all over the united states. i can't find anybody. >> i'm trying to explain the
4:22 pm
situation. our databases are very large. our applications are not -- >> so what we -- >> you are saying this was a volume problem not a management problem. you are under oath. that is concerning because you are saying you just didn't have the resources to handle the large volume of information? >> it is not a resource issue. it is whether the applications are built so they can -- they are not encrypted today. we purchased two tool sets and are in the process of encrypting pieces of the database. we are focused on the sensitive information. >> what do we tell the millions of federal workers that now because their system has been breached now you are going to encrypt it? do you feel like you have done your job? >> i came on board and recognized issues and worked to
4:23 pm
make a plan. >> you both came in in 2013. >> at the end of 2013. >> how long did it take you to buy equipment to start encrypting? >> june of 2014. >> so you bought equipment in june of 2014. when did you start encrypting? >> we have a couple databases encrypted -- >> how many? >> we have numerous and it takes time, resources and we have to test before we can go on. >> when you applied for the job and were going through your senate confirmation you said you would make i.t. technology your number one priority. again on this committee you said it was your number one priority.
4:24 pm
can you explain to the federal workers and those who had their personal information breached how making it your number one priority when you were confirmed in 2013 is still to be believed? or was it what you said during a confirmation hearing and you never intended to act on it. >> i believe the record will show i have acted on it. i am dealing with a legacy system that has been in place for 30 years. we are working as hard as we can. in 18 months we have made significant progress but so have our aggressors. cyber security is an enterprise responsibility and i am working with all of my partners across government and i have shown we have prioritized this even as early as 2014-2015 in the budget and resources we directed toward that. i don't take this responsibility
4:25 pm
lightly and as i pledged in my confirmation hearing, pledged last week and pledge today i am taking this seriously and just as upset as you about every employee impacted by this. we are dedicating resources throughout government. not just opm. but every level. >> i appreciate that and the patience. >> thank you, mr. meadows. i would like to recognize ms. watson-coleman. >> thank you for being here. i have a couple questions and would like the shortest answers possible. with regard to the 4 million employees, those are retirees and employees, we know how many
4:26 pm
that is. with regard to the individuals' information who were in the system because background checks were being done we don't know how many, and every one of those individuals didn't get a job so we have some people's information who are not employed by the federal government. is that true? >> yes, that is true. if there was a background requested. >> in that second breach of that universe that is so large, that information was breached through a breach in the security of key point? is that true? >> yes, there was a credential used and that is how they got in. >> who is trying to enough all of the people compromised through the latter breach?
4:27 pm
is it key point trying to cleanup the mess? >> we have a forensic team doing the forensics on this. >> mr. mcfarland made a number of recommendations and i believe i was left with the feeling he didn't believe that opm was moving in the right direction on the right path to get to where it needs to go. i was informed that his recommendations or findings are a result of auditors and specialists in this area. so i have two questions for you: number one is are you using experts in the same kinds of skill sets that mr. mcfarland is using and looking at the same things he is looking at, number one, and number two do you agree with his recommendations and if not on what areas do you
4:28 pm
disagree? >> the flash audit i can take by way of example. i respect the inspector general's diligence in overseeing this topic. there are areas of agreement and areas we need to have further conversation about. the terms of the existing contracts and the use of full and open competition, i would like to say the awards we use are legal and we will continue to ensure future contracts and processes entered into will be legal. i understand he is concerned about the source contract of tactical and shell he talked about. i understand the concerns and would like to remind him the contracts are negotiations and cleanup hasn't been awarded. we will consult with that. where we have areas we need to
4:29 pm
consider together and by the way the ig and i meet on a monthly basis and our staff on a weekly basis or at least biweekly and i look forward to discussing the major it case and figure out the timelines. >> tell me what you think is the time frame for the ig's office, and your office, and mr. mcfarland you may weigh in, necessary to get to where we need to get? not that they will be implemented but agree what needs to be done. do we have any idea? >> i would ask donna to talk about the tactical and shell process. we are trying to do it as rapidly as possible and move out of the legacy network.
4:30 pm
the issue about the migration and the cleanup will continue to discuss. but we are trying to rapidly move toward that shell. >> do we still have contracts with key point? >> yes. >> and this is to mr. hess how many contracts with how many departments? >> our primary contracts are through homeland and opm. >> and so are your contracts active and coming to an end or are you at the end of the contracts? >> they are all active contracts. >> mr. mcfarland, should we be ceasing our relationship with key point? >> based on what i know at this point i have no reason to believe we should. >> that we should? >> no i have no