security issues with the website. he was a primary spokesperson for the white house about the website and security. on october 10, mr. park read an online article by david kennedy, a white house hacker who has testified twice before this committee. mr. kennedy's article was entitled, "is the affordable care website secure? probably not". mr. park commented in an e-mail how he was advised that quote, these guys are on the level, end quote. we're asking mr. park to explain his role in developing the $2 billion website and what the administration knew about the security risk of the website. as of today, the white house still has failed to provide this committee with all the documents that are subject to the subpoena. the ones we do have paint a far different picture than that of the office of science and technology policy. as i mentioned, the committee has not received all the e-mails and other documents that were

subject to the subpoena, so another hear beiing may well be necessary. i want to thank dr. paul brown for his tireless efforts on this subject as well as so many other subjects that have come before this sub committee. we appreciate his public service and his dedication over the years to his constituents, to congress and to our country. so chairman brown, thank you, again, for all you've done. we appreciate all your great work, and i look forward to today's hearing. >> thank you, mr. smith. as i announced earlier, mr. swaulwell will be joining us in a bit. and he will give his opening statement at that time. and then ask his questions in due order. if there are members who wish to submit additional opening statements, your statements will be added to the record at this point. at this time, i'd like to introduce today's witness, mr.

todd park, the former chief technology officer of the united states. an assistant to the president. prior to this role, mr. park served as chief technology officer for the u.s. department of health and human services. and before entering federal service, mr. park co-founded athena health and co-led its development into one of the most impressive health i.t. companies in the industry. as our witness should know, spoken testimony is limited to five minutes, after which, the members of the committee will have five minutes eve to ask questions. mr. park, it is the practice of the sub committee on oversight to receive testimony under oath. if you'll now please stand and raise your right hand. do you solemnly swear and affirm to tell the whole truth and nothing but the truth so help you god? >> i do. >> thank you, you may be seated. let the record reflect that the witness answered in the affirmative in his taking the

oath. i now recognize mr. park for five minutes to present your testimony, sir. >> thank you, sir. chairman brown, thank you for your service. chairman smith, ranking member swaulwell, ranking member johnson and members of the committee good morning. i'm looking forward to the opportunity to offer testimony to you today. to begin, i'd like to provide some context for my time as u.s. chief technology officer that will be helpful in addressing questions you've asked me to answer. i'm a private sector i.t. entrepreneur by background and have been blessed with significant success in that arena. only in america can the son of two brave immigrants from korea have the kind of business-building experiences that i have been blessed to have. i love this country very much and it has been the greatest honor of my life to serve it. in march 2012, after two and a half years working at the u.s. department of health and human services i joined cto. my primary job was to serve as a technology policy and innovation

adviser across a broad portfolio of issues, working on open data policy and initiatives. wireless spectrum policy, how to advance a free and open internet, how to harness and prevent human trafficking and more. my role was not to oversee the internal federal i.t. budget and operations. however, given my back grounl at h.h.s. and as a health i.t. entrepreneur i was asked to provide assistance to cms which was the agency in charge of the development of the new healthcare.gov including the market place for health insurance. i provided assistance to cms in a few different capacities. for example, i served as one of three co-chairs of a steering committee organized by the office of budget and providing a neutral venue in which cms and others could work through interagencies. i assisted with a red team exercise in early 2013 to help identify actions to improve

product execution as well as some associated follow-on work that summer. from time to time, i helped connect people to each other, served as a spokesperson of sorts and provided help on specific questions. however, to properly calibrate your expectations of my knowledge of cms's involvement of healthcare.gov, i was not a project manager who was managing and executing the day in and day out operational work of the marketplace. this was the responsibility of cms. i didn't have the kind of comprehensive, deep detailed information of the project that a hands-on manager would have and which i have had in other projects. i assisted cms while executing my overall duties as white house technology adviser working on a broad range of technology issues as i described earlier. as the marketplace rolled out in the fall of 2013, as the extent

of operational issues with the site became clear, it became an all hands on deck moment and i along with others dropped everything i was doing and increased my work dramatically, shifting into the turn around effort and working with the tech surge which dramatically improved the site. i worked around the clock even sleeping on office floors. my focus was helping to reduce the amount of time the site was down, improve the speed, the ability to handle high user volume and improve user functionality. enabling millions to sign up through the site many of whom had previously been uninsured. at the end of the day on april 25th, 2014, i went back to my u.s. cto day job and my involvement in healthcare.gov accordingly scaled back dramatically. as another cont contextual noteo

not have the expertise in cyber security that those who previously testified before this committee have. responsibility for healthcare.gov rests with cms. my involvement has been rather tan jengs. the sub group was staffed and led by agency personnel who occasionally asked the overall committee co-chairs to help facilitate cooperation but who drove to the answers themselves. there were a small number of other occasions when i was asked to serve as a spokesperson of sorts. to function as a liaison or to provide my general thoughts for whatever they were worth, but, again, i am not a cyber security expert. as a final contextual note, as of the end of august of this year in order to stay married i

stepped down and returned to silicon valley, following my wife's long-standing desire to do so. i focus on the best tech talent in the nation to serve the american people which is vital to the government to radically improve how the government has services. thank you for allowing me to provide context for my testimony today, and i look forward to answering your questions as best i can. >> thank you for your testimony. reminding members that committee rules limit questioning to five minutes. the chair at this point will open the first round or the round of questions. chairman recognizes himself for five minutes. mr. park, let's clarify

something. you claiming in your opening statement today that you did not have, to quote you, quote, comprehensive, detailed knowledge, unquote, of development, testing and cyber security of healthcare.gov website and that you, quote, assisted cms with this work as an adviser, unquote. yet, if you refer to tab eight in your binder there, you read along from the highlighted sections of one of your subpoenaed e-mails, dated june 26, 2013. sent to marilyn tavenner about, quote, a deep dissection with henry chow. specifically you wrote, marilyn, i'm also going to visit with henry, a team for one of our evening deep dive sessions to get up to speed on the latest

status of i.t. and testing. there's no substitute for an evening deep dive. so i'll bring healthy food and snacks to baltimore and camp out with henry and team for a few hours, unquote. mr. park, please explain to me how you define deep detailed knowledge and then contrast that with a deep dive experience with mr. chow in that last for several hours. >> sir, i'd be delighted to. so in my practical experience, when you have really detailed comprehensive knowledge of a project, that comes from being the project manager. that comes from being the person who's in charge of running things. you know what's going on. you know each access of what's going on in an ongoing basis. and that's a role i've served in my private sector life, but that was not the role i was serving

on the health care marketplace. that was cms's responsibility. what happened here is on a few occasions i spent time with the folks who were actually running the project and asked a series of questions and got information, but that level of knowledge pales in comparison to the really deep details and knowledge you would have as the project manager running the thing on an ongoing basis. >> so you had some supervisory function there. do you agree with kathleen sebelius' assessment that the rollout of the website was a debacle? >> the rollout was unacceptable, sir. >> you acknowledge in your opening statement that you were one of three white house co-chair men of the exchanges steering committee. and that at least met on a monthly basis. what was your role in these meetings? would you say that you were the leader of this white house trio? >> i would say that i was one of the three co-chairs.

it was actually principally led and organized by the office of management and budget. and the role of the committee was to focus on providing a neutral venue where agencies could come together and work on support of the data services hub. >> well, on april 11, 2013 in an e-mail september at 2:31 p.m. in tab one of your binder, the subject coordination on aca, one of the co-chairs, mr. steven van rokel expressed his concerns about your closeness to the centers for medicaid and medicare services by writing this, quote, cms is not being inclusive and is not leading a coordinated effort that will lead to success. i'm also worried that you are

getting a too cms-centric picture. i would love nothing else than this not to be the case to assure it is on a path we want to be on and that existing efforts will deliver what we want, unquote. your response to him, sent the same day at 4:58 states, quote, hey, brother, thanks so much for the note and the chat. any apologies for not staying in a sighter synch with you on this. we'll make sure that we stay in close synch going forward, unquote. to be clear, this is the same cms that the office of science and technology policy has told the committee in various letters is in a quote, far better position to discuss this standards that are in place for the website, unquote. you did not deny this closeness to mr. van rokel. and indeed, your closeness to

individuals such as henry ciao, chief information officer at cms and michelle snider, then chief operating officer at cms and the number two official is evidence in many e-mails that we have seen in your conversations with him. if you are not the leader, then why was mr. van rokel looking toward you for guidance. and if you are so close to cms that it concerned your co-chair, then surely you were in just fine a position to answer our questions about the website and should have done so a year ago. >> so, sir, thank you for the opportunity to discuss this particular e-mail. as i recall, i think this was precipitated by the fact that i had assisted, as i said in my opening testimony with a red team exercise cms had engaged in to basically assess risks and identify mitt gaytive actions to

bit gait those risks in early 2013. steve was actually not involved with that, and he was expressing, concerned about the fact that he wasn't synched up and was worried about a variety of different things. what i can say, as actually the e-mail says, is that we, i did synch up, we were going to, and then i can report that we did synch up on the red team results and recommendations. and the path forward on the steering committee and otherwise and his concerns basically were dealt with in a way that was satisfactory to him. >> my time has expired. i now recognize ms. johnson for five minutes. >> thank you very much, mr. chairman. mr. park, mr. brown summarized your explanation regarding deep dives by saying you had some

supervisory responsibilities. did you indeed have supervisory responsibilities? >> i would not douefine it that way. i was an adviser for cms. >> how would you describe your work on healthcare.gov during your tenure there at cto? >> yes, so we're talking about the new healthcare.gov, the marketplace, i'll, again, describe it as i referred to in my opening testimony. i assisted cms in a few different capacities, serving as a co-chair of this interagency steering committee, finding a venue for agencies to work together on issues as part of the hub. assisting with the red team exercise and followup to the red team exercise that summer. serving on, from time to time as a spokesperson, as a liaison, as

someone who could help with questions. again as an assistant, as an adviser at cms, and certainly not as the person who is the hands-on project manager running the thing. i was doing this assistant's work as i was fulfilling my much broader portfolio of duties as technology policy and innovation adviser at the white house. >> could you give me a litt little idea as to what that broader responsibility for being the chief technology officer over and above or around or in conjunction with or whatever way you want to put it, for the program for the health care? >> yes, ma'am. so as uscto, my job was to be a tech policy and innovation adviser at the white house, focused on how can technological innovation build a brighter future, create a brighter future for the country and for the american people. so there was a wide range of

initiatives that i worked on and championed. so you mentioned one in your opening statement, mentioned a few, but the open data policy, open data initiatives work of the administration which really focused on opening up the information and knowledge of the federal government, such as weather data, health data, energy data, policy data, et cetera, as machine-readable fuel and returning it back to american people and entrepreneurs and researchers to turn it into all kinds of incredible new product services and companies to help people and create jobs. i also was one of the creators, leaders of the presidential intervention fellows program, which was an effort to bring in the most amazing tech entrepreneurs from outside government and team them with government to work on projects like blue button which has enabled well over 100 million americans to be able to download

copies of their own health information. i did a whole bunch of work in figuring out how we could tap into the ingenuity of the private sector and non-private sector, to fight the evil of human trafficking, to help with disaster response and other activities, how to advance a free and open internet, how do you massively improve the supply of and innovation of wireless spectrum. and more. it's the most amazing experience i've ever had. >> it appears to me that though you were a person that could be asked a question or included in a loop, that your responsibilities were really very broad and really had no key responsible, responsibility toward healthcare.gov. >> so there was a churnk of my time that i reserved for basically being helpful, being

an adviser on issues that came up. beyond the initiatives i was championing or coaching. that's the bucket in which i put being helpful to cms on healthcare.gov, which i did try to do in the capacities that i described. >> thank you very much. i yield back, mr. chairman. >> thank you, ms. johnson. i recognize the full committee chairman, mr. smith, five minutes. >> thank you mr. chairman. mr. park, thank you for being here today. >> thank you, sir. >> as i understand it, you were given notice on several occasion that there were problems with the obamacare website. so my question is, did you believe that the website was secure when it was first made operational? >> so i think, you know, over the course of any large-scale product there are issues and challenges that m could up. so. >> did you think the website was secure before it was

operational? >> i did, sir. >> despite the warnings you got? despite the briefings you had you still thought it was secure? >> my understanding was that it was. >> what did you think, yourself? >> again, i'm not an expert. >> did you discount the briefings in the notice that you had gotten? >> so which briefings and notices are you referring to? >> there was the red team, e-mails and then other indications that you knew that there were problems. >> so the red team exercise didn't really focus on security. the red team focused on how the project was being run. >> i have, let me, the mckinzie report's what i'm talking about. >> yes. i'm referring to the same report, sir. yeah. so it didn't really focus on security. it focused on how it was operating and running generally.

>> but it still pointed out problems, and you still decided that they were not significant enough, i guess, to, notice that it shouldn't be operational? >> the mckinzie report again, addressed the general project and talked about -- >> again, they pointed out the problems, but you discounted the problems? >> each of the issues, the risks was tied to an action to mitigate that risk, deal with that risk. >> so you think all the risks were addressed before the website was made operational? >> i think the risks identified by the red team report, my understanding is that they were addressed. >> well, that's amazing, because both then and more recently, all the various studies that were conducted, not a one found that the website was secure. not a one found that the website was without risk. more recently, the u.s. government accountability office found, quote, healthcare.gov had weaknesses when it was first

deployed, including incomplete security plans and priefssy documentation. and a lack of an alternative processing site to avoid major service disruptions, end quote. this also finds weaknesses remain both in the processes use for managing information and security so forth. so you have these outside studies showing it was not secure at the beginning and remains insecure. do you think the website is secure today despite all these warnings by independent entities? >> cms is the best source of information about the detailed security -- >> you discount the government accountability office's review? i mean, that's, the language i just read to you are direct quotes from the gao. >> so, sir, i'm not an expert in this arena. i don't want to comment on -- >> you said repeatedly you were an adviser. as an adviser, do you advise people that the website is

secure today? >> that's not the area where i really concentrated my advisory work. >> well, knowing what you know now, do you consider the website to be secure today? >> so based on my understanding, i would use it. i have my family -- >> no, i didn't ask you if you'd use it. it's easy for you to say yes. do you think the website is secure today? >> my understanding is -- >> would you advise the american people to use the website today? >> my understanding is that it is. >> despite all these reports saying it's not you still think it is? >> the best source of information about that is cms. >> they're obviously biased. they've got an in-house conflict of interest to say anything else. do you discount all these third-party entities, these credible organizations saying that it's insecure. do you disagree with them? >> sir, again, i would just refer to you cms. >> you're asking the people that developed the plan whether it's secure. what else are you going to say?

i was asking you as an adviser. whether you thought these independent reports were accurate or not. >> i, i can't say that i actually got through -- >> okay. last question. did you advise the white house at any point or brief the white house about the, about obamacare's rolling out? >> sir, can you repeat the question? >> did you at any point brief the president or the white house about the obamacare website before it went operational? >> so, as i can recall -- >> and roughly how many times if you did. >> as i can recall, i gave a briefing to senior white house officials about the results of the red team review. >> how many times did you brief white house personnel? >> so i met with senior white house advisers. >> how many times roughly?

>> i can recall two? >> okay. and during either of those times, two or more times, did you ever say anything to them about the problems that were inherent in the system or about any of the warnings that you'd received? >> so in the, both the red team briefing from early 2013 and the follow on in july -- >> again, my question was fairly specific. did you alert the white house staff to any problems with the website? >> so we were very clear, yes, about the risks identified. >> you did make it clear to the white house that there were risks. >> that wrer were risks and here were the actions to mitigate those wrifks. >> and that the actions had been taken or not been taken yet. >> at the time of the red team risks, we present both the risks and the action and in july we saw that the actions had been taken. >> so you notify the white house of the risks and you came back later and said that you had remedied those risks even

despite white house people saying there were problems. >> this is how it was being run, and again just to be super clear, i briefed on the mckinzie work to senior white house officials that there were risks that needed to be dealt with and there were actions that were needing to be taken to mitigate those risks and then -- >> thank you, that answered my question. thank you mr. park. thank you mr. chairman. >> thank you, chairman smith. now recognize mr. peters for five minutes. >> thank you mr. chairman, and thank you for your service on the committee. we wish you the best going forward. >> thank you. >> there's been some suggestion, some discussion on the security of healthcare.gov in reference to a hack in over the summer. and it's not necessarily true that that means that the information, that the site is insecure. hhs worked with the department of homeland security to analyze the effects of the package found on the site, and according to

the director for u.s. computer emergency readiness at dhs, this type of malware is not designed to extract information. there's no indication that any data was compromised as a result of the intrusion. i would like mr. chairman, unanimous consent to enter into the record a letter from ms. tavenner to congressman issa in which ms. tavenner states that no one has maliciously accessed personally identifiable information from healthcare.gov. >> being no objections, so ordered. >> in your testimony, you mentioned that you were not the project manager of healthcare.gov, but you functioned as the project manager for other projects in the private sector. >> yes, sir. >> i thought it would be helpful to discuss the kinds of activities that a project manager does. and you founded athena health with jonathan bush, incidentally

the cousin of former president george bush? >> yes. my best friend. >> provides health care practices and medical records which makes it more effective, correct? >> yes, sir. >> since you built the company, can you describe what was involved in building the company from the ground up, what tasks were involved in developing a new i.t. company? >> thank you, sir. so i think others who have had similar experiences would share, you know, it's a big, complex undertaking. you put together the best team that you can. you raise initial money. you put together the best plan you can. and that's about to have 17 seconds of contact with reality. you put together a prototype of your product and figure out the base of customers using it, what the real issues are and opportunities are and it's an

all-consuming thing, and you have in your head each key access, effort how conditions are changing, how plans are changing constantly. >> is it fair to say that when you're on project management you're very hands-on at athena. had very detailed knowledge of the project based on your day to day engagement? >> absolutely. >> so what is the difference in that role at athena health and the role you played as cto with the health care marketplace? >> it's night and day, sir as anyone who has built a company or led a large issue would tell you. i, again, did advise and assist cms in a few different capacities i've described. in my testimony and earlier. testimony and earlier. the, but, again, it's it's very

different from being the project leader, the project manager actually running the day to day and having the kind of comprehensive detailed, multi-access knowledge that you have in that context. >> in one of the e-mails that the committee has provided you describe yourself as a consignificant larry. is that what you mean? >> as an adviser, yeah. >> i do think it strikes me that the role of project manager is fairly well-defined as different from what you were doing. i think that's pretty clear. i just offer that one of the mistakes we make here in congress is pulling people out of the bureaucracy and beating them up when, you know, we're all really trying to get to the same, same place. we'd like to get, our government to be functioning, a health care website that's functioning. and i would just observe that i've seen this in the armed services committee, too. we're trying to get the best

technology people we can to come work for the federal government. in the defense side, we have a great need for cyber warriors. and it's, we have to be very sensitive about how we treat people like you and like those folks who can be in the private sector making much more money, who are willing to give up their time, to delay their careers, to step out of them and help the government. and i want to thank you for your service. i want you to know that appreciate it and hope that you're able to help or continue to recruit the very, very best to come help us in this effort and other efforts throughout the government. thank you, mr. chairman i yield back. >> thank you, sir. >> thank you, mr. peters. now i recognize you for five minutes. >> mr. park, when you testified before the committee on oversight and government reform you repeatedly claimed ignorance about any issues about healthcare.gov prior to the website's launch. you testified that you have quote, no detailed knowledge of

what happened preoctober 1, unquote. you further testified that you were, quote, deeply familiar with the development and not deeply familiar with the development and testing regimen that happened prior to october 1. but the e-mail record tells a very different story. on june 11, you e-mailed staff at cms, asking to check in on how things are going with respect to marketplace i.t. development and testing. on june 26, you said you would visit henry chow of cms and his team one hour deep dive sessions. then on june, on july 12, henry chow referenced a briefing that you were doing for the president. if you were preparing to brief the president and doing deep dives with cms staff in june and july of 2013, how can you claim to have no knowledge of issues prior to october 1 of that year? >> so, thank you for the

opportunity to answer your question. so what i said at the hearing last november was i didn't have really detailed knowledge, really detailed knowledge, if i recall correctly, of what actually happened in the run-up to october 1st. and as i've described previously, when i say really detailed knowledge base of what actually happened, that's the kind of knowledge that come the from being the hands-on project manager running the thing. and not the kind of knowledge that one would have as an adviser who, on a series of occasions, meets with the people who are running the thing and asks questions. so that's, that's what i would say. >> well, obviously, on the june 11 e-mail where you said you were going to check in on how things were going with respect to marketplace i.t. development

and testing, you know, you just didn't ask that question out of the blue. obviously you were detailed to or decided to try to check up on this. and then i don't know what goes on at deep dive briefings. i imagine there's quite a bit of detail that goes on, but i guess it kind of boggles my mind that if you didn't know the detail of that why were you asked to go and brief the president? or wasn't he interested in really the detail of what was going on, just whether it was going well or not? >> could you just refer me again to the e-mail you're talking about? >> i referred to two e-mails. you i mailed the staff at cms to check in on how things were going with respect to i.t. marketplace development and testing. and then july 26 you said you would visit henry chowan h and

team for a one-hour deep dive session. >> could you refer me to the tabs in the binder? >> i don't know if you have the same binder i have. but this is the tab on the deep dive session, number eight. >> so, again, just speaking to this session, the difference between the really detailed knowledge base that you have as a hands-on project manager and the knowledge that you have from asking people on the project a set of questions over the course of a few hours is, again, just night and day. and also, i think, to address something you asked earlier. the,'s recall, the trigger event

for the check in that you described was to follow up on the red team recommendations, was back to how the project should be managed and make sure those recommendations had been implemented by cms, so that was the trigger event for the, for the inquiry. >> well, you denied involvement in your testimony before the ogr committee. but obviously, you were involved, because you asked how things were going. and you asked for a deep-dive briefing, and you came in to brief the president on this. and, you know, it seems a complete disconnect between you claiming ignorance and, you know, i don't think that what you did, the information you did get filled you in. you certainly weren't ignorant, and i, how can you say that, when you came in to brief the

president you briefed him from a base of ignorance? >> so, again, just to respectfully, something you said earlier, i don't think i have said. >> mm-hm. >> to the committee last november that i had no involvement. whatsoever. what i said was i didn't have a really detailed knowledge base of what actually happened in response to a question about something or other. but, so, again, the point i want to make was that i didn't have that level of really detailed knowledge. i did have the kind of involvement that i described in my testimony earlier. >> well, my last question is, what did you tell the president about the healthcare.gov when you briefed him? >> so, at the red team briefing

in early 2013? and then in the followup, as i can recall, the gist was here, the red team recommendations in terms of the risks identified and what to do about them. and then in the followup in the summer, as i can recall, the briefing again to senior white house officials was that cms implemented the key red team recommendations. >> did you brief the president? or senior white house officials with somebody other than the president there? >> at those two meetings, as i recall, the president was there. >> thank you. >> thank you. i will now recognize mr. cramer for five minutes. >> thank you, mr. chairman. thank you, mr. park. mr. park, i want you to look at tab five in the binder, if you would, please. >> thank you, sir. >> so this is an e-mail that has

become a little bit famous today, i noticed. it's an e-mail from michelle snider to you, dated september 29, posted at 6:22 p.m. and in this e-mail, which, by the way ends by her asking you to delete it, she writes, quote, just so you know, she decided in january we are going no matter what. hence the really cruel and uncaring martha has occurred since january when she threatened me with a demotion or forced retirement if i didn't take this on. do you really think she has enough understanding of the risks to fight for delay? no and hell no. for just one moment, let's be honest with each other, unquote. now i think it's a reasonable inference that the she in the e-mail is marilyn statavennetav.

because she's responding from an e-mail from you that day that says quote, mt said that she appreciates the additional info we will generate tonight, but that shy and she alone will make the decision to go or not, end quote. mr. park, what were these risks that ms. snider referenced in her e-mail that she asked you to delete? >> so, at the time, what i recall was doing was helping cms basically get hardware, additional hardware in place to provide additional server capacity for the marketplace. and that was the issue that we were talking about. >> so the risk was there wasn't enough hardware? in other words, you testified that you thought everything was ready to go. that you were confident, this is september 29, i mean, the risk was hardware?

>> so the risk, i think that are being referred to in this e-mail is that, based on what we had been talking about where i'd been asked to be helpful. and the hardware did actually get to where it needed to go. in an operation that, that worked pretty well. >> so, in the same e-mail chain about three hours earlier, she asked you this question. that's, by the way, located on tab six. >> oh, thank you, sir. >> sure. she asked the question, a series of questions. but one of them is should we go live on october 1. i'll remind you, this is september 29. so she's asking pretty close, should we be going live on october 1. >> could you ask it one more time? who's asking who? >> it's the same e-mail chain. you ask, i'm sorry, you ask ms. snider a series of questions, such as should we go. when you asked that question, you had some concern it seemed

to me earlier that day about whether they should even go live. >> so, again, as i recall as i'm looking at the e-mail, i was suggesting a set of questions for her to think about. as an adviser. and, again, this was really focused on the task of getting the hardware in place. >> did you account same question of anyone else, maybe henry chow or somebody in the white house, marilyn tavenner? or was this just between you and ms. snider? did you raise this question with other people that might be in a position to, to do something more about it? >> so, i think michelle was actually, as i recall, pretty central to us. and so i was injecting this set of questions as questions i thought would be good for cms to think through. in the run up. >> so some of these risks that ms. snider was raising that you

think -- did it ever get, did you ever share beyond that, because clearly there's this confidence, it appears, between you and her. i mean, she references other parts of this the rant. she refers to, you know, probably or possibly losing her job if she raises these risks with the wrong people. in fact, she did, of course announce her resignation not too long after all this. what i'm trying to get at is, as an adviser, was your advice only given to this one person? or were others higher up the chain considering that earlier you testified, you know, you did, of course, brief the president himself. was there other concern raised by other people to these risks that seemed to be so central between you and ms. snider? >> so, so with respect to what we're talking about here, which as i recall are risks associated with not having enough server

capacity, the cms senior management team, office of health reform at the white house were following what was happening very closely. >> and that gave you all the confidence in the world that that extra server space was all that was necessary? >> the question i got asked to be helpful on was getting hardware to the datacenter for additional service for server capacity, and that operation did end up being successful, as i recall. >> all right. my time is expired mr. chairman. >> thank you. now i recognize mr. posey for five minutes. >> thank you, mr. chairman. mr. park, in an e-mail chain with a subject heading "how serious are you about using homestead air force base to get the equipment to culpepper "it's located in your tab 12. >> thank you, sir.

>> you and mr. henry chow work with mrs. laura fashing to discuss several last-minute options to transport some hardware or computer equipment by either private ground, private jet, cargo or even air force jets. for someone claiming to not have a detailed knowledge base of what actually happened pre-october 1, you seem to be all in on a lot of aspects of operations related to the health care gov w care.gov website. so i'm wondering whose idea was it to procure the equipment and spending taxpayers money to transport computer equipment by plane. >> when i say really detailed knowledge base of what actually happened prior to october 1, i'm not talking about like one

narrow aspect of what happened. i'm talking about the full breadth of what happened over the course of the project. as i said, i did assist and advise cms in different capacities. this was one where what happened is cms contacted me and said we think we have, long story short, a need for additional hardware to get the datacenter. and they were the ones who teed up the notion of potentially military option and i volunteered to help look into that for them. >> okay. is it routine for a white house official or actually an assistant to the president, as you were at the time, to be engaged in last-minute discussions with a contractor about the delivery of computer equipment? and why and how did you get involved in that? >> so, my style is to try to help in every way i possibly can. and so i got asked to help with this. and i threw myself into trying

to help. and although the military option ended up not being used, didn't have to be used, there's private transport, the operation to get hardware there worked out. >> it sounds like a pretty detailed knowledge base. >> not of the whole project and how it was working. this is one very specific, very narrow aspect of one episode in time. >> you also appear to be the point of contact for most interactions with technology companies. and the people such as pallen tear, red hat, alex carp, and even gartner, a company used to put the messaging on healthcare.gov at the same time as a committee on homeland security on september 11, 2013. in fact, a gartner analyst provided a quote that statements made in a cms letter to a ranking member of homeland

security committee represent current best practices for the protection of sensitive and regulated data insistence. that's on page 14. >> thank you, sir. >> wondering how often you reach out to such companies or people to talk about aspects of healthcare.gov website for either pr purposes or technical purposes. >> not that often, as i can recall. but on several occasions, yes. >> and what others do you recall? >> well, so, so you mentioned this one. i speak to red hat. so what happened there was that cms asked me to be on the phone with them as they asked for additional red hat resources to be applied and just to communicate that this was a top

priority of the government, which i volunteered to do. i can talk to the pallen tear example. they were part of my role as a facilitatotor. i connected pallen tear to cms, that was a discussion, in high level about seeker security. >> that's a little bit beyond the scope of advisory, wouldn't you think? >> not in my experience, no. >> arranging contractors to get together and? >> no, actually, it's assisting, as i said, in a few different capacities. >> what did they have to say about the website? did they ever provide feedback to you on the security or aspects of the website? >> so, as i can recall, the pallen tech conversation, they said here's what you should be thinking about. and cms basically said that accords with what we're thinking about. and that's what i recall of the call. >> that's the only time you're aware of any security issue at

all? >> in that call, basically, it was a very high-level call, and pallen tear said just not with any particular knowledge, healthcare.gov, here are the things that represent cyber security best practices and cms, cms said yeah, that makes sense, that's what we're thinking too. >> you had mentioned that, you know, you would use the website. just out of curiosity, are you enrolled in obamacare? >> i am not, but i continue to get my insurance through the federal government, but my true duty in government, which has been the greatest experience of my life, will at some point end. and i'm very excited about enrolling in covered california, which is the marketplace in california when i do enroll. >> the people who wrote in said don't feel about that. >> thank you mr. posey. now mr. johnson from ohio, you're recognized. >> thank you, mr. chairman. good morning, mr. park.

>> morning, sir. >> you and i share something in common. my background is 30 years in information technology. i have never been a chief technical officer, but i certainly have been a program manager, project manager, chief information officer. even had chief technical officers work for me. so god bless you. so i certainly understand from where you come. and i must confess to you, mr. park, that i find it a little bit disingenuous that you would qualify or classify your role in all of this as simply an adviser. you know, in 2008, when the president issued a position paper on the use of technology and innovation, he talked about standing up the nation's first chief technology officer, and to quote from what came directly from at that time, the campaign

website, said that the cto will ensure the safety of our networks and will lead an interagency effort, working with the chief technology and information officers of each of the federal agencies to ensure that they use best in class technologies and share best practices. in november of 2008, the president reiterated his intentions, and, again, quoting from the president-elect's website, that he would appoint the nation's first chief technology officer to ensure the safety of our networks. before that, it said ensuring the security of our networks. so whether you envisioned your role being an adviser, the president said you were responsible. that's what ensuring means. as a cio, as a project manager, i know what ensuring means. it was your job to ensure the

safety and security of those networks, at least according to what the president was telling the american people. so i want to go to your role as the co-chair of the aca-it exchange steering committee. if i look at that document, the charter that set that up, one of the responsibilities in there is to direct the formulation of work groups to identify the barriers and recommend fixes and those kinds of things. and two of those working groups were directly righted lly rela sharing and security harmonization. what was your role then as the co-chair? you either misrepresented your knowledge of cyber security to the president, or you didn't do your job. which was it? >> so, thank you for the

opportunity to address a couple different questions embedded in there. and i respect your service to the country. so the position has evolved quite a lot over the years, and what i can represent is what i did in the role. and cyber security ops for the federal government has very much not been part of my role. >> i don't want to use the whole time, i don't want to use the whole time just pontificating, mr. park. when you were with athena health, was cyber security a part of what you considered important and standing up that cloud basis te system? >> sure. >> it was. on september, on september 2 of 2013, you sent an e-mail to christopher jennings. it said hi, chris, here are the cyber security background points

for you. the first three are the points cms put together previously, which i'm sure you've already seen. think are followed by a couple points about next steps currently under way. so, are you trying to tell this committee that, that you knew nothing about the security failures and the security risks associated with healthcare.gov? >> would you mind pointing me to the e-mail that you were referring to? >> i'm not sure where it is in your tab. i've got it here. i don't know where it is in your tab. >> well, okay. let me just speak to, i think, the episode i think you're talking about. but long story short, since we have little time left, the content that was put together

for office of health reform on cyber security was conat any time supplied by cms and hhs. >> but, but mr. park, there you are being disingenuous again. you are the nation's cto, appointed by the president to ensure the safety and security of our networks. you can't just say this was cms's responsibility. and let me remind you that you can delegate responsibility to people that do the actual coding to project managers and program managers, but you can't delegate accountability. >> so -- >> you are responsible. you are accountable to the president, to the american people. now you testified this morning that you briefed the president several times. did you ever, once, tell the president that you had concerns about the security of the system in your role as chief technical officer? >> to go back to the fundamental

misunderstanding. in my role as u.s. cto, i haven't been the cyber security operations hasn't been a focus. >> but it was as co-chair of the steering committee. it was clearly in the charter. you did have that responsibility. >> i was co-chair on, on one of three committees. and there is a privacy sub group. it was self-propelled and driven by them. the point of us as co-chairs was to provide a neutral venue where agencies could get together and do that work. >> that's not my reading of the charter, but my time has expired, mr. chairman, and i'll yield back. >> thank you, in johnson, now i recognize my friend eric swaulwell for five minutes. >> thank you, mr. chairman. i also would like to take an opportunity to thank you for your service. you've served as four years as chairman of this committee. you've always conducted yourself

with dignity and courtesy, and i know it has been shared with me privately. so i wanted to thank you for that. today may be a day of disagreement, but i sincerely agree that if we conduct this hearing fairly, as we have in the past, that we will emerge as a more, we will emerge with a better understanding of what mr. park did and most importantly, did not do with respect to healthcare.gov. fairness is technically important because this hearing has the feeling, quite frankly, as a former prosecutor, of a trial. and the only witness of about us is mr. park. the title of the hearing implies that we are going to examine his involvement in the development of the healthcare.gov website, but most significantly, a staff report released by you, mr. chair, and chairman smith on october 28 functions as a prosecutor's memorandum that makes very damning allegations.

as a former prosecutor, i believe that allegations made against mr. park could place him in legal jeopardy. he deserves a chance to tell his own story and put these allegations to rest, and i believe he can do that.