
Politics & Public Policy Today, C-SPAN, November 15, 2013, 5:29pm-6:00pm EST

5:29 pm
that there are numerous things that give us sightings of lines in September 3rd that clearly, this thing wasn't ready for security in September 3rd. And when our people questioned you about September 27th and there was no end-to-end and security concerns, you want to say you were taken out of context. But both September 3rd and September 27th, what we find is there was no end-to-end testing. Any point of vulnerability is a point to access. Anything that can reach into the database, in fact, could be a significant security risk and has nothing to do with whether or not a module is about shopping. Isn't that true? >> That's correct. >> Okay. Yield back. And at this point, I recognize the gentleman from Tennessee, Mr. Cooper, next.
5:30 pm
>> Thank you, Mr. Chairman. I'm worried that the net effect of this hearing might be to exaggerate the security difficulties of the website. Our own Pentagon is attacked many times a day. So the entire internet probably should be more secure. We've got to acknowledge some system problems and then there are other issues we can deal with. Another concern is the witnesses being badgered. And I would like to offer witnesses, perhaps Mr. Baitman, an opportunity to respond. I believe in fairness. American people do not want to see a kangaroo court here.
5:31 pm
I personally had the privilege of hearing Mr. Park speak before. They told me they had never heard a speaker who understood business better, who got it, and it was a real tribute to me that someone of your caliber was willing to work for the federal government. That instilled faith in the process. We are the best nation on earth. We've got to act like it. But the American spirit is the can-do, the we-can-fix-it attitude. Not the blame game. If there are witnesses who would like to say a few words, because you've been treated unfairly, in my opinion, I would like this to be an equal playing field. >> Have I cut off anyone's answer here today? >> Will I be able to keep my time? >> Of course. >> You cut off the ranking member. >> I cut him off a minute into
5:32 pm
question and answer after he exceeded his five minutes. But no witness here today has been cut off. Every witness has been allowed to complete their entire answer. I just want to understand, kangaroo courts is quite an accusation. No witness has been cut off. Every witness has been allowed to complete their entire answer. That's the closest thing to anything. This is not a partisan hearing. I will not have it accused of being a partisan hearing. We have a website that the American people have seen doesn't work. We're trying to get to an understanding of why it didn't work so that it doesn't happen again. And these happen to be experts. And, for the most part, we're relying on them to be the people fixing it. The gentleman is recognized.
5:33 pm
>> Thank you, Mr. Chairman. This is a hearing on a broken website by a broken committee. And the air is thick with innuendo. In some cases, the witnesses have perhaps already been abused. Sometimes by leaks. Whether deliberate or not. So let's focus on fixing the problems. And I think Mr. Baitman was about to speak. >> Thank you, Mr. Cooper. There's one thing I'd like to clarify in response to my comments. We found vulnerabilities and there will always be vulnerabilities. Banks, online shopping sites all have issues because they're continually making changes to their code. That introduces vulnerabilities. And it's up to us on a continual
5:34 pm
basis, all software goes through continuous improvement. So what we're doing right now is continually improving our software and, on an ongoing basis, identifying vulnerabilities that exist. >> Any other witness? >> What I would like to say, if I come across as being defensive, I apologize. But I am being defensive not in terms of me. I am being defensive in terms of the truth. And I believe that that's what this committee is trying to get to. In fact, I think that's what you said in the beginning. So when I detect that there's distortions or misuse that I spend nine hours with your staff, basically being deposed, I am going to be defensive because that is not the truth. That's all I want to make clear.
5:35 pm
To my knowledge, and I could be wrong because my colleagues have many talents. To my knowledge, none of us could do a website on our own. We're not software engineers. So, when we swear witnesses as we do, when we put them in a very uncomfortable position deliberately, in some cases, when we subpoena them, it creates tension and is going to slow the fix of the website. So, I worry about that, and the chairman and Mr. Connolly have already collaborated on what sounds like an excellent bill to fix overall federal I.T. I was very impressed when Mr. VanRoekel pointed out it's an $82 million issue, but 0.6% of that. Why don't we focus on the larger issue and fix it? Because as I said earlier, it's much better to light a candle than to curse the darkness.
5:36 pm
>> The gentleman would yield, maybe we could close on a positive note. Both Mr. Powner, who has talked about stress testing end to end, and Mr. VanRoekel, who knows that Microsoft never put a new operating system up that wasn't stressed end to end. It still had bugs and vulnerabilities, and whenever you create a new driver, you create a new one that has to be tested, but stress testing end to end was something this committee wanted to know at the onset. Why it hadn't been done, because it is a best practice, which GAO has kindly made clear. And I believe it's in the record. We are trying to get to the point where best practices will always be used and in this case,
5:37 pm
not because of these individuals per se, they're here as experts, but this development over three and a half years shortcut some best practices, and it's not the first time and it won't be the last time, but it's one where, as I said in the opening statement, it's so important when the American people are focused for us to say you can expect better from your government in the future, and I don't mean on, you know, healthcare.gov. I mean on that $82 billion worth of I.T. >> Let's see about getting your bill to the floor. >> Boy, I'll tell you, that's something we all would like to do. >> You are in the majority party. >> You know, I'll tell you what. I'll get it to the floor in the House. If you'll help me in the Senate, we'll get this done. >> I have lots of influence in the Senate. Be happy to help. >> Thank you. >> With that, we recognize the gentleman from Michigan who knows a great deal about health care websites from
5:38 pm
his state. >> Thank you, Mr. Chairman, and to the panels as well, thank you for being here. You have plenty to do. I wish you didn't have to be here today, but when I receive letters on top of letters and contacts in six town hall meetings that I held last week, like this one from Rachel Haines in'den Rapids, Michigan, where she talked about the fact of being cut off from her insurance, her husband and five children. She says I hated the idea of getting on the website as I believe insurance is a private matter. I did it anyway. She goes on to tell of ultimately being hung up on. I believe this whole act that
5:39 pm
was put into law under the cover of darkness with the simple votes from the other side of the aisle, and now take offense at us having hearings like this, is the reason to have this hearing today. Because people like Rachel are concerned not only about security, but on a website that doesn't work for her. I want to go back to some concerns in the MITRE report and I want to ask first question, Mr. Chao was in earlier statements to question just before me, indicated when asked why he didn't push back on opening this thing up on October 1st, he didn't ask why. So I'm going to go to Mr. Baitman. Why did we have to open up on
5:40 pm
October 1st? But the question I would ask here, MITRE is responsible for conducting the security control assessment for the federal exchange. Is that correct? >> That's my understanding. >> According to MITRE, the final security assessment for the federal exchange occurred from late August through mid September. Is that your understanding? >> It is. >> Mr. Baitman, to the best of your knowledge, did MITRE conduct a complete security test of the federal marketplace? >> I can't answer that. I don't have visibility into it. >> I'd like a document put up that deals with this. If you see there, FFM, the website, the marketplace complete percentage, 66% complete. That's it.
5:41 pm
66%. This document was obtained by committee we have in place. Let me ask this question, Mr. Baitman. Is it a problem that MITRE wasn't fully able to test one third of the exchange? >> I can't answer that. This project was run and managed by CMS. They're responsible for the security. >> In the security control assessment dated October 11th, 2013, and of which a preliminary copy was given to CMS on September 23rd, 2013, MITRE writes they were unable to adequately test the confidentiality and integrity of the system in full. They go on to say, MITRE also writes, the application at the time of testing was not functionally complete. What are the dangers of conducting a component on an
5:42 pm
incomplete system? >> Well, you could have vulnerabilities that go untested. There's a lot of dates that don't add up. My understanding is that MITRE conducted their assessment in August and September and it was later September, so there's data all over the place. The bottom line to your point though is it wasn't done on a complete system. >> I just want to point out that's a CGI component. See on the bottom, it says -- >> Yeah, I understand that. >> That to their knowledge, there has not been a comprehensive test of the entire system. What are the dangers posed by not conducting a complete integrated security test of all the system components? >> In order to ensure your data is complete. >> Based on what you know, were
5:43 pm
Americans' sensitive personal information at risk when healthcare.gov opened? >> I don't know what happened from mid September on. That's the only caveat I'd like to say. >> Can you ensure, could you then ensure -- >> If you could wrap up. >> Last question, can you ensure the American people that the website will work on November 30th? >> The gentleman may answer. >> That's not my responsibility. >> If anyone else wants to answer until November 30th, they may. >> The team set a goal of having healthcare.gov function
5:44 pm
smoothly. >> Is this new information? >> Thank you. Okay. >> The gentleman from Nevada. >> Thank you, Mr. Chairman, and to the ranking member and other committee members. And our witnesses. This is an important hearing. Our constituents are rightfully concerned about their right to be able to access affordable health care on the website, and while the rollout has been problematic, what's been more troubling is the fact this has been turned into more of a game than it has been about how we can work together to fix the problems on the site. My concern is one of security of personal information. I also sit on the Homeland Security Committee. We're having a hearing also this morning on this subject.
5:45 pm
So, I want to ask about the potential security risks to consumers. Mr. Chao, do you agree that protecting information on healthcare.gov is something that can be achieved? >> I think it's something that as the federal agency complied with -- specifications for securing people's data, and then following HIPAA's kind of requirements for confidentiality, integrity and availability of data. >> Can you explain how CMS protects consumers' information? >> I think one of the things that is very obvious when you
5:46 pm
come to healthcare.gov, if you go to the get insured side, one of the first things you have to do is register to establish an account. We've mentioned that registrations are up to about 17,000 per hour right now. And that process allows you to accomplish what we call a level one assurance account. That's similar to something like what you would establish in terms of opening up a Gmail or Yahoo! account. It's very basic information. >> Move on to the next question. We're very limited on our time. >> Basically, the answer is it's about authenticating you. It's about are you who you say you are before we let you into the system, and that is one major step in ensuring people's privacy is protected so they only see their own data. >> And is healthcare.gov any
5:47 pm
more or less risky to consumers than other sites, including private company information in the banking world or using credit cards to purchase information over the internet? >> I can't speak for what privacy frameworks and programs apply to -- but we follow the guidelines and requirements set forth and we use independent security testing contractors to ensure we comply. >> Mr. Park, you've spent some time with this website. >> That hasn't been my focus. I'm dedicated to security matters. >> Based on your review, do you believe the site poses any unreasonable risks to consumers?
5:48 pm
>> My understanding is that CMS is applying best practices on the site and they have a great track record in protecting the privacy of Americans. >> Can you explain why you believe consumers should have confidence their information is secure as it passes through the hub? >> I didn't code the hub itself, but one thing that should be pointed out is that cybersecurity is part of everything we do. We built a culture of assessment and mitigation, all about assessing the level of risk. It's low to high and then you put into place technology to mitigate that risk.
5:49 pm
So the banking industry, financial industries outside of government use the same standards and we hold government to those standards. This is ongoing. You hear, I'm sure, in the Homeland Security Committee a lot, in the fact we have cybersecurity and what we do there, you have to do ongoing tests. You have to rapidly respond and assessments are never done. You have to just stay vigilant. >> This is not about playing offense or defense. It's about us getting this job done on behalf of the American people and working together. I am rather insulted by this Republican playbook that talks about Obamacare, the loss of insurance and what this means.
5:50 pm
this is not working -- >> The gentleman will suspend. The gentleman from Oklahoma is recognized. >> Thank you, Mr. Chairman. >> Gentlemen, thank you. This is probably not a fun day for you. Didn't get up and go, gosh, I can't wait for this day. I get that and I want to say thank you because all of you could make a lot more money in the private sector. You've chosen to serve people. I just want to say thank you to you as well for what you're doing because you have made a conscious choice. Let me walk through a couple of things just to be able to get some of the reality on it. About an hour and a half ago, I went on my iPad and went to healthcare.gov and hit this button that says create account and it doesn't go anywhere. It just changes colors and doesn't go anywhere. For about an hour and a half, I've occasionally hit that
5:51 pm
button. This is the frustration and the struggle that y'all have the frustration with, we get that. We have the questions as we walk through this process of what happens. Mr. Park, you were asked earlier about the November 30th timeline, when everything would be ready and available. You said it is our goal. Can you give me more specifics? Are we going to hit November 30th? >> Thank you for your question and kind words at the beginning as well. So, the goal laid out is for the site not to be perfect. >> Functional, people can log on. >> So that the vast majority of Americans can use the site. That's the goal we're gunning for. >> Here's the issue. Around 5 million people have received a cancellation letter. I have multiple constituents that have sent me copies of their letters, all of them end with your insurance policy concludes December the 31st. If they cannot get on and log into this site by December 15th, they
5:52 pm
will not have access to insurance January 1 and they will be uninsured. People currently insured will not be as of January 1. I get that's the goal. The comment's been made we're trying to fix a plane that's in the air. I fully understand the complexities of that. The challenge is many of us said park the plane for a year. Let's get it right before we launch this thing. The authorization to operate and some of the committee staff you mentioned, that was a long day
5:53 pm
as well. There was a back and forth on this ATO coming out that Mr. James Kerr and yourself had edited there. You wrote due to issues, the security control assessment was only partially completed. During that conversation, you listed things like unauthorized access. First to identify information. At that point. Am I tracking this correctly? >> Yeah, those are examples I was asked to provide. >> The problem is that you're trying to mitigate on things you don't know. I understand about mitigating on
5:54 pm
risk. On day one, Marilyn Tavenner is signing a document saying there are risks out there. >> What you do is under a risk-based approach look at the probability of a particular risk occurring and you prioritize and, for example, one of the mitigation steps was to conduct weekly security testing and to report back to the administrator on the results of that security testing. >> During that testing process, did you find some data was misrouted? Once it was launched? Are insurance companies getting information that's incorrect? >> There were cases in which an insurance company was getting data that were not incorrectly routed to them but incorrectly formatted within a transaction. >> Do you know who briefed Marilyn Tavenner on the security risk? Do you know who sat down with her? >> It was our chief information officer and chief information security officer.
5:55 pm
>> Two other questions. Is there a way to track what personal information any employees can see? We're working on this. We have a lot of contractors involved in this and all of the contractors, who they even are. Is there a way to track? There's personally identifiable information, and is there something in place that tracks what people can see as far as personally identifiable information? >> If you call the center -- >> I'm talking about people working on the back end. >> The gentleman's time is expired. You can finish the question. >> In certain cases yes, like if you're in a testing environment. A very few people touch a production environment. They wouldn't even have access to that live data. Sometimes when we use testing data, you want to see the results so you do have
5:56 pm
developers having access to that information. It's not live people's data. >> I thank the gentleman from Oklahoma. For the record, Mr. Chao, I want to point out, those items that you identified as particular inherent risks were identified by you prior to the September 3rd memo that was introduced. The gentleman from Virginia had indicated it was after that memo but, for the record, you indicated those prior to that memo being introduced by committee. >> I don't quite understand what you're trying to say there because it was -- the question was asked what examples and in the context. September 27th. You're saying September 3rd. >> You mentioned these risks because of the failure to do integrated security testing prior to this -- >> I don't believe I said failure. >> This is the problem. >> This is the problem. I don't have the transcript in front of me.
5:57 pm
I cannot confirm with you. I was not given an opportunity to make corrections if there were corrections to be made. You can tell me what you want. But all I can say, to the best of my knowledge, I don't recall saying that. I need to see my transcript. >> The gentleman from Vermont, distinguished gentleman from Vermont, is recognized. >> Thank you, Mr. Chairman. >> First, I want to join Mr. Lankford in thanking each of you for the incredible effort you're putting in to try to fix a very serious problem. Thank you. Second, you don't have to be an opponent or supporter of the health care law to acknowledge that there are significant
5:58 pm
rollout problems associated with the website. And those of us who are supporters, and I'm a strong supporter of the health care law, are absolutely committed to providing the support you need to make this thing work. There's really four issues that we have roiling around. One is the website. What do we have to do to fix it? It's got to be fixed. What's the impact of these cancellation notices that a lot of Americans are receiving? They thought they had health care and were assured they could keep the policy they had, and the problem gets compounded if the website is not working. And then third is the individual mandate that is subtext of the debate and essential to the law, and the fourth is the I.T. purchasing. Are there some lessons that we can learn? I tend to think it's important to move ahead on the Issa-Connolly legislation. That's the context that we're
5:59 pm
in. You're here to help us fix the problem and we've got to get that done. >> I want to start by asking, Mr. Park, if you can make comments about, you're repeating a little bit, what are the specific things we can do to get this fixed? I understand all of us would like to have a hard and firm date where everything is going to be perfect. But what we're dealing with is the real world and we wanted to be functional for the vast majority of Americans. What are the ABCs that you need to do and hopefully not require you to sleep on the floor in the office at night? >> Thank you so much for the question. The team is taking all of the right steps under the leadership. First of all, the teams are monitoring across the site to understand performance of the system and where there are issues and where they are focused. Secondly, I would help with that data, the team has undertaken an aggressive program of improvements to actually improve the facility through tunings and configurations, et cetera, which has resulted, among other things, in system response times going down from eight seconds to less than a second. Thirdly, the team or