tv Politics Public Policy Today CSPAN June 17, 2015 4:00pm-6:01pm EDT
4:00 pm
the fiscal year. the deadlines are when dhs will provide the capability and it will take additional months for agencies to deploy einstein and cdm once available. agencies must supplement with additional tools appropriate to their needs. i'd like to conclude by noting that federal agencies are a rich target and will continue to experience frequent attempted intrusions. this problem is not unique to the government. as our detection methods continue to improve we will detect more incidents. incidents that are already occurring and we didn't know it yet. the recent breach is emblematic of this trend. we are facing a major challenge in protecting our most sensitive information against sophisticated, well resourced and persistent adversaries. further, the entire nation is now making up for 20 years of underinvestment in our nation's cyber security in both the
4:01 pm
public and private sectors. in response, we in the government are accelerating the deployment of the tools we have and are bringing cutting edge capabilities online. we are asking our partner agencies and congress to take action and work with us to strengthen the cyber security of federal agencies. thank you again for the opportunity to appear today and i look forward to any questions. >> thank you, mr. scott. you have a very impressive background, your joining of the federal government is much appreciated. we look forward to hearing your testimony. now recognize for five minutes. >> thank you, chairman chaffetz, ranking member cummings, members of the committee, thank you for the opportunity to appear before you today. and i appreciate the opportunity to speak with you about recent cyber incidents affecting federal agencies. i'd like to start by highlighting a very important point which has been mentioned already and of which i'm sure
4:02 pm
you're aware. but both state and non-state actors who are well financed, highly motivated and persistent are attempting to breach both government and non-government systems every day. these attempts are not going away. they will continue to accelerate on two fronts. first, the attacks will become more sophisticated. and second, as we remediate and strengthen our own practices our detection capabilities will improve. but that means we have to be as nimble, as aggressive and as well resourced as those who are trying to break into our systems. confronting cyber security threats on a continuous basis is our nation's new reality. a reality that i faced in the private sector and am continuing to see here in my new role as federal chief information
4:03 pm
officer. my office is responsible for developing and overseeing the implementation of federal information technology policy. and even though my team has a variety of responsibilities, i'll focus today's remarks on cyber security. under the federal information security modernization act of 2014, most of us know this as fisma, we're responsible for federal security oversight. -- including the department of homeland security, and the department of commerce national institute of standards and technology. as i mentioned in front of this committee in april omb also recently announced the creation of a first ever dedicated cyber security unit within my office.
4:04 pm
this is the team that's behind the work articulated in the fiscal year 2014 fisma report which highlighted both the successes and challenges facing federal agencies' cyber security programs. in fy 2015 they're prioritizing agencies with high-risk factors, as determined by cyber security performance and incident data. my colleagues will fully address the recent cyber incidents affecting opm. in terms of the role of omb, my office monitors very closely all reports of incidents affecting federal networks and systems. we use these reports to look for trends and patterns as well as for areas where our government-wide processes, policies, and practices can be strengthened.
4:05 pm
we then update our guidance and coordinate with other agencies to ensure that guidance is implemented. as you heard from me last week, the recently passed acquisition reform act known as fitara and our guidance associated with that legislation, strengthens the role of the cio in agency cyber security. in this case, opm notified omb in april 2015 of an incident affecting data in transit in its network. opm reported they were working closely with various government agencies on a comprehensive investigation in response to this incident. we have been actively monitoring the situation and have been engaged in making sure that there's a government-wide response to the events at opm. to further improve federal cyber security infrastructure and to protect systems against these evolving threats, omb launched a 30-day cyber security sprint last week. the sprint will focus on two
4:06 pm
areas. first, an interagency team is creating a set of action plans and strategies to further address critical cyber security priorities. second, the agencies were directed to accelerate efforts to deploy threat indicators, patch critical vulnerabilities, and tighten policies and practices for privileged users. and to dramatically accelerate implementation of multi-factor authentication. in closing, i want to underscore a critical point i made at the beginning of this testimony. both state and non-state actors are attempting to breach government and non-government systems in a very aggressive way. it's not going to go away and we're going to see more of it. ensuring the security of information on federal government networks and systems will remain a core focus of the administration, as we move aggressively to implement innovative protections and
4:07 pm
respond to new challenges as they arrive. in addition to the actions we are taking we also look forward to working with congress on legislative actions that may further protect our nation's critical networks and systems. i thank the committee for holding this hearing and for your commitment to improving federal cyber security. i'd be pleased to answer any questions you may have. >> thank you, mrs. burns, you're recognized for five minutes. >> thank you. >> good morning, chairman chaffetz, ranking member cummings, and distinguished members of the committee. my name is sylvia burns and i'm the chief information officer for the u.s. department of the interior. i appreciate the opportunity to testify regarding doi's efforts to secure and protect agency, customer, and employee data, in the wake of a recently discovered cyber intrusion. additionally, we appreciate having had the opportunity to provide a classified briefing on the cyber intrusion for members of your committee staff and other congressional staff on may
4:08 pm
21st 2015. cyber intruders executed very sophisticated tactics to obtain unauthorized access to opm data hosted in a doi data center which contained sensitive personally identifiable information. the incident was and remains under active investigation. at present the effort has not discovered evidence that any data other than opm data was exfiltrated. doi has initiated a major planning effort to address, short, medium and long-term remediation to strengthen protections and reduce risks to the department our employees, our customers, and our partners. we take the privacy and security of this data very seriously. in april dhs's emergency readiness team informed doi about a potential malicious activity which was later determined to be an intrusion on
4:09 pm
doi's network. we began immediately working with the fbi and other federal agencies to initiate an investigation and determine what information may have been compromised. doi allowed dhs and the other investigating agencies immediate access to the doi computer systems and people to support the investigation. although there's evidence the adversary had access to the overall environment, to date, the investigation has not discovered evidence that any data other than opm data was exfiltrated. however, the investigation remains ongoing. concurrent with the investigation, doi immediately initiated a major planning effort to address short, medium and long-term remediation, to strengthen our cyber security protections. we undertook those efforts in the context of other cyber security improvements which were already under way pursuant to the department's commitment to the administration's cyber security, cross-agency priority
4:10 pm
goals, as well as dhs's cdm program. we have now accelerated our work on preexisting efforts while devising new security measures in consultation with the investigating agencies. activities under way include working with dhs to scan for specific malicious indicators across the entire doi network. as part of dhs's binding operational directive, we are identifying and mitigating critical i.t. security vulnerabilities for all internet-facing systems and at the direction of the secretary and deputy secretary, we're doing the same for all of doi's systems, for internal use and systems for the public and non-doi users. we continue to meet with interagency partners to learn about their activities and leverage their knowledge to make
4:11 pm
additional improvements to our cyber security posture at doi. we are fully enabling two-factor authentication for all users. doi's existing long-term plan includes several strategic initiatives. we are almost done implementing hardware and software management, and will be providing a comprehensive view of the department's security posture. we are strengthening doi's cyber security workforce so we have a knowledgeable and experienced workforce to face the threats facing the agency. if an intrusion occurs within one component of the network, we can better limit the extent of the exposure. again, doi takes the privacy and
4:12 pm
security of its data very seriously. we are committed to supporting and continuing the investigation regarding the incident affecting opm data. furthermore, we will continue to be an active participant in the ongoing efforts by the federal government to improve our nation's overall cyber security posture. chairman chaffetz, ranking member cummings and members of the committee, this concludes my prepared statement. i would be happy to answer any questions that you may have. >> thank you. mrs. seymour, you're recognized for five minutes. >> my remarks were included with the director's. thank you for having me here today, chairman chaffetz and ranking member cummings, and i'll be happy to answer questions. >> mr. esser, you're recognized for five minutes. >> good morning. my name is michael r. esser, i'm the assistant inspector general at the u.s. office of personnel management. thank you for inviting me to
4:13 pm
testify at today's hearing on the i.t. security audit work performed by the opm office of the inspector general. today i will be discussing opm's long history of systemic failures to properly manage its i.t. infrastructure, which we believe ultimately led to the breaches we are discussing today. there are three primary areas of concern that we have identified through our audits during the past several years: information security governance, security assessment and authorization, and technical security controls. information security governance is the management structure and processes that form the foundation of a successful security program. for many years, opm operated in a decentralized manner with the agency's program offices managing their i.t. systems. the agency cio had ultimate responsibility for protecting these systems but often did not have the access or control to do
4:14 pm
so. the program office staff responsible for i.t. security frequently had no i.t. background and performed this function in addition to their other full-time roles. as a result of this decentralized structure, many security controls remained unimplemented or untested. and all of our fisma audits between 2007 and 2013 identified this as a serious concern. however, in 2014 opm took steps to centralize i.t. security responsibility with the cio. this new structure has resulted in improvement in the consistency and quality of security practices at opm. although we are optimistic about these improvements, it is apparent that the ocio is still negatively impacted by years of decentralization. the second topic is security assessments and authorization. this is a comprehensive assessment of each i.t. system to ensure that it meets the
4:15 pm
applicable security standards before allowing the system to operate. opm has a long history of issues related to system authorization as well. in 2010 and 2011 we noted serious concerns in this area, but after improvements were made, removed it as an audit concern in 2012. however, problems with opm's system authorizations have reappeared. in 2014, 21 opm systems were due to receive a new authorization, but 11 were not authorized by year end. recently, the ocio has temporarily put authorization efforts on hold while it modernizes opm's i.t. infrastructure in response to security breaches. so it's likely the number will increase. while we support the effort to modernize systems, we believe that authorization activity should continue. the third topic relates to opm's
4:16 pm
use of technical security controls. opm has implemented a variety of tools to make the information more secure. however, such tools are only helpful if used properly and cover the entire technical infrastructure. we have concerns that they are not. for example, we were told that opm performs vulnerability scans on all computer servers using automated scanning tools. although opm was performing the scans, our audit found that some were not done correctly and that some servers were not scanned at all. one significant control that is lacking altogether is the requirement for piv credentials for two-factor authentication to access information systems. we determined that opm does not have an accurate centralized inventory of all servers and databases. even if all opm's security tools
4:17 pm
were being used properly, opm cannot fully defend its network without a comprehensive list of assets. in closing, it is clear that even though security responsibility is highly centralized under the ocio, the recent security breaches indicate that opm still has significant work to do to identify all of the assets and data that it is tasked with protecting. and then take the steps to do so. thank you for your time, and i am happy to answer any questions you may have. >> thank you. now recognize the ranking member, mr. cummings of maryland, for five minutes. >> thank you very much, mr. chairman. the recent cyber attack against the office of personnel management is the latest in a series of aggressive attacks against our nation involving the public and private sectors. i want to put up a slide that lists some of the most significant breaches over the
4:18 pm
past two years. anthem 80 million people. jpmorgan 76 million people. target, 70 million people. opm, at least 4 million so far. then there was the postal service, sony pictures and usis. this is not a comprehensive list by any means. ladies and gentlemen, when you see this list, the picture is clear. the united states of america is under attack. sophisticated cyber spies, many from foreign countries are targeting the sensitive personal information of millions -- millions of americans. they're attacking our government, our economy, our financial sector, our health care system, and virtually every
4:19 pm
single aspect of our lives. for more than two years, i've been pressing to investigate these cyber attacks. i thank the chairman for holding today's hearing. and i hope we will hold similar hearings on many of these other attacks as well. with respect to the attack against opm, my primary concern is who was targeted. government workers. what foreign governments could do with this information. i have several questions for opm. how many federal employees were indeed affected? what kind of information was compromised? and what steps are being taken to help these employees now? i also want to know how these attackers got inside of opm's networks. last year, cyber attackers penetrated the networks of usis and keypoint, two contractors that perform background checks for security clearances on
4:20 pm
behalf of opm. one of the most critical questions we have today is, did these cyber attackers gain access to opm's data systems using information they stole from usis or keypoint last year? did they get the keys to opm's network from one of its contractors? mr. chairman, i asked you to invite those representatives here to testify today. you agreed to invite usis, but last night, they refused. just as they have refused repeated requests for information over the past year. they did not offer someone else they thought would be appropriate. they simply refused. i do not say this lightly, mr. chairman, but i believe usis and its parent company may now be obstructing this committee's
4:21 pm
work. we have suggested previously that the committee hold a transcribed interview. given the history of non-compliance at usis, i believe this may be one of the only ways to obtain the information we are seeking. mr. chairman, over the past two years, i've always been pressing to investigate ways to better protect personal information that belongs to the american people, their financial records, their medical records, their credit card information, their social security numbers and a host of other information they want to keep secure. i sought advice from some of the nation's top information security experts in private business and government. these experts warn that we cannot rely primarily on keeping the attackers out. we need to operate with the assumption
4:22 pm
that the attackers are already inside. they're already there. last week, one of the world's foremost security firms was penetrated in a cyber attack. according to fire eye, one of the company's staff that i spoke with, the average amount of time a hacker remains undetected is more than 200 days. that's a lot of time. honestly, we need strong fire walls and other defenses to keep attackers out. but experts recommend much more measures to wall off or segregate data systems to minimize the impact of inevitable data breaches in the future. practices like data masking, redaction, and encryption must become the norm, rather than the exception. finally, we need to remember who the bad guys are here.
4:23 pm
they're not u.s. companies or federal workers who are trying to keep our information safe. the bad guys are the foreign nations and other entities behind these devastating attacks. according to law enforcement officials, north korea, china, russia and iran are the most advanced persistent threats to this nation's cyber security. so, as we move forward today, i want to caution everyone that as much as we want to learn about this attack, we have to do so in a responsible way. a lot of the information about the attack is classified. and the last thing we want to do is give our enemies information or compromise active law enforcement investigations. we're having a classified briefing for members at 1:00 p.m. today so i encourage everyone to attend. and as i close, mr. chairman, i want to thank you again for the
4:24 pm
bipartisan approach that you've taken on this issue. and i hope we can continue to investigate these and other breaches to identify common threats against our country and the best ways to counter them. with that, i yield back. >> thank you. mrs. archuleta, how big was that attack? how many federal workers have been compromised? we heard 4 million, we heard 14 million. what's the right number? your microphone please. >> during the course of the ongoing investigation into the cyber intrusion of opm, the compromise of personnel records of current and former federal employees that we announced last week, that number is approximately 4.2 million. in addition, in the investigation of that breach, we discovered, as i mentioned in my testimony, an additional opm
4:25 pm
system was compromised. these systems included information based on the background investigations of current, former and prospective federal government employees as well as other individuals. because different agencies feed into opm background investigation systems in different ways we are working with the agencies right now to determine how many of their employees were affected. we do not have that number at this time, but we will get back to you once we -- >> what's your best estimate? is the 14 million number wrong or accurate? >> as i said before, we do not have an estimate, because this is an ongoing investigation. >> how far back does it go? the information that you're talking about, you're talking about former, current and potential employees, so how far back does this information go that was in your system? >> thank you for that question, mr. chaffetz. i would have to respond again,
4:26 pm
because it's an ongoing -- >> it has nothing to do with an investigation. you should know what information you have and what you don't. people have a right to know. the employees have a right to know. how far back does your information database go that was compromised? >> the legacy systems date back to 1985. but i do -- >> so anything that's -- >> no, sir, that would not be correct. >> you don't know? does it include military personnel? >> as i said, this is an -- >> yes or no, does it include military personnel? >> i would be glad to discuss that in a classified setting. >> does it include contractor information? >> again, i would be glad to discuss that in a classified setting. >> there's nothing classified about whatever information that includes. does it include cia personnel? >> i would be glad to discuss that in a classified setting. >> does it include the standard form sf 86?
4:27 pm
>> the individuals who have completed an sf 86 may be included in that. we can provide additional information in a classified setting. >> why wasn't this information encrypted? >> um the encryption is one of the many tools that systems can use. i'll look to my colleagues at dhs for their response. >> no, i want to know from you why the information wasn't encrypted. it's personnel, sensitive information, birth dates, social security numbers, background information, addresses. why wasn't it encrypted? >> data information encryption is a valuable -- >> yeah it's valuable. why wasn't it? >> and is an industry best practice. our cyber security framework promotes encryption as a key protection method. accordingly opm does utilize -- >> we didn't ask you to come read statements. i want to know why you didn't encrypt information.
4:28 pm
>> an adversary possessing proper credentials can often decrypt data. it's not feasible to implement on networks that are too old. the limitations on encryption's effectiveness are why opm is taking other steps such as limiting administrators' accounts and requiring multi factor authentication. >> okay, it doesn't work. so you failed. you failed utterly and totally. so the inspector general, november 12th 2014, we recommend that the opm director recommend shutting down systems that do not have current and valid systems. and you chose not to. why? >> i appreciate the report by the i.g. we work closely with our -- >> --
4:29 pm
>> he had a very serious recommendation to shut down the system and you said no. >> i'd like to turn that over to my -- >> no i'd like you to answer that question. it says, we recommend the opm director consider shutting it down. your response back to the office -- from the office of the chief information officer the i.t. program managers will work with the isso's to ensure they maintain current ato's and there are no interruptions -- so basically you said no. the inspector general was right. your systems were vulnerable. the data was not encrypted. it could be compromised. they were right last year. they recommended that you shut it down and you didn't. and i want to know why. >> there are many responsibilities we have with our data. and to shut down the system, we
4:30 pm
need to consider all of the responsibilities we have with the use of our systems. >> so you made a conscious decision knowing that it was vulnerable that all these millions of records for federal employees was out there, the inspector general pointed out the vulnerability, and you said, no, we're not making a change? >> as the director of opm i have to take into consideration all of the work that we must do. it was my decision that we would not but continue to develop the system and making sure that we have the security within those systems. the recommend -- >> and did you do that? you didn't, did you? that didn't happen did it? >> the recommendation after -- the recommendation to close down the systems came after the adversaries were already in the network. >> when did they get in the network? >> it was as a result of our security systems that we were
4:31 pm
able to detect the intrusion. >> when did they get into the system? >> we detected the intrusion in april. >> of? >> 2015. >> so but how did you know in november 2014 that they were -- you didn't know if they were in there, did you? >> no, we did not. we did not have the systems in -- we did not have the security systems installed at that time. it was because we were able to add the systems that we were able to detect. >> so you detected it it wasn't a software provider? you found it yourself? >> opm detected the intrusion. >> so the "new york times" and the others who wrote about it were wrong? >> that's correct. >> how many people have received alerts? letters? >> there's a rolling notification as of january 8, we'll complete the notification by 4.2 million. by june 19th i don't have the
4:32 pm
exact number. i'd be glad to get that information for you. >> one last question with everybody's indulgence here. miss archuleta there was a data breach at opm in july of 2014. okay? this is what you said about miss seymour. in december i was very fortunate to bring donna seymour from the department of defense on board. she has great experience and brought her talents to opm. it was because of her leadership and her dedicated employees that we were able to make sure that none of this personally identifiable information was compromised. this was july of 2014. you cited her and the data breach as making sure that none of the personally identifiable information got out the door. now that it has been hacked, are you going to give her that same amount of credit? >> i do give her that same
4:33 pm
credit. when i began my tenure as director of opm, one of my first priorities was to develop an i.t. strategic plan and to develop an important pillar of cyber security within our systems. we have worked very hard since that time. and as we update these legacy systems, it's important that we recognize that there is a persistent and aggressive effort on the part of these actors to not only intrude in our system but systems throughout government and indeed in the private sector. >> well you have completely and utterly failed in that mission if that was your objective. the inspector general has been warning about this since 2007 and there have been breach after breach. he recommended shutting it down last year, and you made a conscious decision to not do that. you kept it open. the information was vulnerable, and the hackers got it. i don't know if it's the chinese, the russians, or whatever else. but they've got it, and they're going to prey upon the american people. that's their goal and objective
4:34 pm
and you made the decision to leave that information vulnerable. it was the wrong decision, in direct contradiction to what the inspector general said should happen and he had been warning about it for years. >> in the ig's report he acknowledges the fact that we've taken important steps in reforming our i.t. systems. advanced tools take time. >> so what kind of grade would you give yourself? are you succeeding or failing? >> i am -- i am -- cyber security problems take decades. >> we don't have decades! they don't take decades. >> i'm sorry. cyber security problems are decades in the making. whole of government is responsible. and it will take all of us to solve the issue and continue to work on them. my leadership in this particular, with opm is one that instigated the improvements
4:35 pm
and changes that were recognized, that recognized the attack. >> yield back. recognize the ranking member mr. cummings for as much time as he wants. >> thank you very much, mr. chairman. miss seymour, this data breach is particularly concerning, because the individuals who were targeted are government employees and the suspected attackers are foreign entities. i'm concerned that this breach may pose a national security threat. according to a statement from opm, the personal information of approximately four million current and former federal employees was compromised in this breach. what can you tell us about the type of personal information that was compromised in this breach? >> thank you for the question sir. the type of information involved in the personnel records breach
4:36 pm
includes typical information about job assignments, some performance ratings not evaluations, but performance ratings, as well as training records for our personnel. the information involved in the background investigations incident involves sf-86 data as well as clearance adjudication information. >> so, social security numbers? >> yes, sir. social security number, date of birth, place of birth, typical pii, that would be in those types of files. >> miss seymour, it was reported on friday that in addition to this breach hackers had reached highly sensitive information gathered in background investigations of current and former federal employees. is that true? >> yes, sir, that is. >> do you know how far back that
4:37 pm
goes? >> no, sir i don't. these are -- the issue is that these are longitudinal records, so they span an employee's you know, career, and so i do not know what the oldest record is. >> so it's possible that somebody could be working for the federal government for 30 years and their information over that 30 years could have been breached? >> yes, sir. these records do span an employee's career. >> so what can you tell us about the type of information that may have been compromised in the second breach? >> i believe that would be a discussion that would be better had in our classified session this afternoon, sir. >> thank you, i'm going to come back to you. dr. ozment, these suspected cyber spies from a foreign state went after sensitive detailed information about federal employees. what could they do with this
4:38 pm
information? i'm talking to you, yes. >> ranking member, i'm going to have to defer that question to the intelligence community who will be participating this afternoon at 1:00. >> all right. experts advise taking steps to mitigate damage from cyber spying attacks by using tools such as data segmentation, data masking, and encryption. the chairman asked about encryption. i know from past opm testimony before the committee that opm has been a leader in deploying those tools. miss seymour, it's kind of hard to understand how cyber spies could have accessed more than four million records if you were using those tools to the fullest. and miss archuleta has a lot of faith and confidence in you as the chairman just stated. can you explain what happened? >> thank you, mr. cummings, for
4:39 pm
the question. a lot of our systems are aged. and implementing some of these tools takes time, and some of them we cannot even implement in our current environment. that is why under director archuleta's leadership, we have launched a new program where we are building a new environment, a new architecture, a modern architecture that allows us to implement additional security features. we have, in our legacy environment, we have installed numerous technologies and that is how we discovered this breach in the first place. so we are shoring up what we have today and then we are building for the future so that we can become more secure and provide these types of protections to our data and our systems. >> well, in the meantime, if we're going to collect and store sensitive personal information we must make it unusable to our
4:40 pm
adversaries so that cyber spies are unable to steal it. would you agree? opm has to do a better job protecting sensitive information. would you agree? >> yes, sir. >> miss seymour, do you have the tools now to do that? are you trying to tell me you don't? >> opm has procured the tools, both for encryption of its databases, and we are in the process of deploying those tools within our environment, but there are some of our legacy systems that may not be capable of accepting those types of encryption in the environment that they exist in today. that is why it's important for us to focus very aggressively, very proactively, on building out that new architecture, so that in the future we will be able to implement all of those tools for all of our databases. >> when you talk about the future, are you talking about
4:41 pm
three months, three years? >> we began our program after the march 2014 incident. we worked very closely with our inter-agency partners to devise a very aggressive and very comprehensive plan. we have been implementing that plan since then. we are delivering what we call our shell, which is the new architecture. we're delivering that this fall and we will begin looking at our business systems applications and how we can migrate those into the new architecture. >> miss seymour, this is the question. we're collecting data right now. there are people's data that's out there, and i'm talking about in the meantime. where are we? in other words, i know you're trying to do some things. but that doesn't make federal employees feel pretty good. doesn't make me feel good.
4:42 pm
so, tell me more. are you saying that we are just vulnerable and we don't know when we're going to be able to deploy the types of systems that you just talked about? >> no, sir. we've done a number of things. >> i'm not talking about what you've done. i'm talking about -- again, i'm talking about what's going on today. >> that's exactly what i'm offering, sir. >> all right. >> we have implemented two-factor authentication for remote access to our network. that means that without a card or some other type of device, our users cannot log into our network remotely. we have implemented additional firewalls in our network, we have tightened the settings of those firewalls. we have reduced the number of privileged users in our account. and we have even further restricted the access privileges that those users have. we have taken a number of other
4:43 pm
steps to increase the security of our existing network. we began that work back last march and it has continued. and we continue to work with dhs and our agency partners to test those systems and make sure that they are working appropriately. >> mr. esser, the office of inspector general conducted an audit in 2014, the chairman was talking about this, of opm's security information and programs and found several weaknesses. can you briefly identify the weaknesses that you found? >> yes, sir. the most critical weaknesses that we identified in our report from 2014 were the continued information security governance problems that have existed since 2007, the decentralization of the controls over systems. that, however, is an area that
4:44 pm
is certainly close to being improved to a full extent. another area of weakness was security assessment and authorization, which is, each system that opm owns should undergo an assessment every three years and be authorized for usage. we identified 11 systems at the end of 2014 that had not been authorized, that were due to be authorized. the technical security controls were another big area that we identified. while opm has implemented a number of strong tools and is improving in that area, our concern is that some of those tools were not being used properly and that they do not have a complete and accurate inventory of databases and servers that those tools should be applied against. >> so the chairman asked miss
4:45 pm
archuleta a question of how she thought she'd done. based upon that, what grade would you give? >> i don't know that i can give a grade. >> well, so of all the things that you just stated, there were certain things that were not done, is that right? >> yes, sir. >> did any of them lead to this breach, the things that were not done? >> i don't know the exact details of how this breach occurred, so i really can't answer that question. certainly there's a lot of weaknesses at opm that they're in the process of trying to address. >> and last but not least, do you have a silver bullet to address this issue, sir? >> no, sir, i do not. there are very sophisticated attackers out there and there's no one silver bullet, i think, that can be applied that will
4:46 pm
prevent these types of things from happening. >> and you heard me ask miss seymour about the fact that we're constantly collecting information, and it seems as if we're just vulnerable, is that it? there are certain areas that we may not be able to defend ourselves in? is that an accurate saying? >> certainly there's a lot of things that can be done to make our systems more secure. is there something that can be done to make them impenetrable? not that i'm aware of. >> thank you very much. >> now recognize the gentleman from michigan, mr. walberg, for five minutes. >> thank you, mr. chairman. i appreciate the witnesses being here. this morning we've certainly heard that there's no silver bullet, and i don't think we expected the answer to be yes, there's a silver bullet. we are concerned that, knowing
4:47 pm
what's been going on, having clear evidence that hackers have been attempting for quite some time, and at least those of us here who trust in agencies and people like yourselves who note the issues, that some more efforts could have been successful in stopping the most recent attacks. we've heard today that networks aren't compartmentalized, segmented, in certain cases encrypted, that with the recent attacks, once the exterior perimeter has been breached, the attacker often remains undetected for months. that's concerning. as a result of that, they are able to exploit vulnerabilities within the networks without passing through, and this is most concerning to me, additional inspection or security measures.
4:48 pm
so, mr. scott, as i understand, in the private sector there have been shifts toward a zero trust model. ultimately, given omb's role in setting metrics for agencies, my question is, can you tell me, tell us what omb is doing to set i.t. security metrics to limit the number of workloads, application tiers, to the networks? >> thank you for the question. i think there's a number of things that i would point to in addition to the measures that you just talked about. the first one is to share across the federal government not only the lessons learned from opm, but what we see from other attacks, whether successful or not, private and public -- and make sure that all agencies are up to date
4:49 pm
on the methods of attack and the -- >> that's a weakness now? >> it has been historically. the ability for the government and the private sector to share information has been a hindrance in our ability to thwart these things. but i'll say that the specific measure that you mentioned, the segmentation and zero trust, is something that is more easily applied to very modern architectures. it's not as easily applied to some of the oldest, and old legacy systems that we have. and i think that's going to be a challenge for all agencies where the architecture itself just doesn't lend itself to the application of certain technologies. the best answer, i think, in terms of what we have and where we go, is a model that we're promoting and encouraging across the agencies, which is defense
4:50 pm
in depth. it's a number of different measures so that if one thing doesn't work you have the next layer that helps. and if that doesn't help you have the next. zero trust is applicable in some of those environments. and frankly, in others it is very difficult or impossible to apply. >> how far are we from that? >> i would say years and years, comprehensively. but one of the things we're working on right now is prioritizing based on the highest value assets that the federal government has, so we are going after the most valuable stuff first and making sure that is protected the best way we can. >> miss seymour, with the millions of current and former federal employees, a lot of them in my district, that sign on to do the work that we give to them, we appreciate the work, it is not something we make up, we ask them to do the federal jobs
4:51 pm
that the agencies, the departments they work under have been asked to do, and they don't expect their life will be compromised, their history and their life will be compromised. and when did they know about the risk of the breach to their lives? >> i too am a federal employee and it is serious and so i do appreciate that. and we started the notification on june 8th and we will continue. we have not been able to do the analysis of the data involved with the background investigations incident. that is ongoing. and as soon as we can narrow the data that is involved in that incident we will make
4:52 pm
appropriate notifications for that one as well. >> thank you. >> now recognize the gentlewoman from new york, miss maloney, for five minutes. >> i want to thank the chairman and ranking member for calling this hearing and the panelists for your public service. as one who represents the city that was attacked on 9/11, we lost thousands on that day and thousands more are still dying from health-related causes from that fateful day. but i consider this attack, i call it an attack on our country, a far more serious one to the national security of our country. and i would like to ask mr. ozment from homeland security, would you characterize this as a large-scale cyber spying effort? that is what it sounds like to
4:53 pm
me? what is it? >> i think to speak to whether or not this was a spying effort, we would have to talk to the understanding of who the adversaries were and what their intent was, and that is a conversation better saved for -- >> do you believe it is a coordinated effort? they appear to be attacking health records, employment, friendship, family, whole background. it seems to be a large sphere of information, not only from the government but private contractors, individuals. and sometimes it appears targeted towards americans who may be serving overseas in sensitive positions. but would you consider this a coordinated effort, or is that classified? >> thank you. would you defer that to the classified. >> thank you. i'll be at the 1:00 briefing. thank you. i want to refer to this article
4:54 pm
that i would like to place in the record and i think it is support one and it came from abc news and it reports, if i could -- >> without objection. it is so ordered. >> and it reports that this seems to be looking at and gathering information on an sf 18 form, which is a standard form 18 required for any employee seeking classified security clearances. so that would be people in important positions in our government. and i won't ask you questions. i'll just wait until later at this classified briefing. but i am extremely disturbed. this article also points out it is not only individuals that they are going after, they are going after contractors and those that serve the government. and it mentioned in other records lockheed martin, where they went after the secure i.d.
4:55 pm
program. is that true, dr. ozment? >> i can't speak to whether any adversaries have gone after private sector companies. >> then we won't get into that. then they say northrop grumman, l-3, they were hit by cyber attacks, and other government contractors. one that probably hit congress is one in 2013 where the fbi warned that a group called anonymous hacked into the u.s. army, department of energy, department of health and human services and many agencies by exploiting a weakness in adobe systems. now i have the adobe system in my office, and so that means they could have hacked in my office and probably every other congressional office. and then they talk about going into health care. they go into the blue cross blue shield system of all of the
4:56 pm
federal employees. so it seems they want a comprehensive package on certain millions of americans, many of whom are serving our country, i would say, at negotiating tables and commerce, state department, probably defense and every other aspect of american life and the world economy. but mr. scott, you have been before this committee before and you announced you were going to review the agency's cyber security programs to identify risks and im -- implement gaps, and i wonder if you could report on what you learned from this review. and any specific changes in cyber security policies, procedures or guidance, if you can report on that? or that may be classified too? but anything you can share with us on what you've been doing to
4:57 pm
act to build some firewalls? >> well, sure. thank you for the question. so we're conducting cyberstat reviews with each of the agencies. and it is along the key lines of many of the topics we've talked about here. two-factor, patching, minimizing the number of system administrators, all of the -- i'll call it hygiene factors that we think lead to good cyber security. >> my time is expired, but anything you want to give to the committee in writing, we would appreciate it. >> we would be happy to. thank you. >> now recognize the gentleman, mr. meadows, for five minutes. >> miss archuleta, let me come to you. you've been in your current position since 2013, is that correct? your mic? >> i was sworn in in november, 2013. >> so in 2013 you -- according
4:58 pm
to your testimony, made cyber the highest priority. i think that is how you opened up your testimony, that the security of federal employees was your highest priority, is that correct? >> yes, sir. >> all right. so help me reconcile then, if it is your highest priority, how, when the most recent i.g. report came out that took security from being a material weakness, is how it was characterized before you got there, to significant deficiency, how would you reconcile highest priority and significant deficiency as being one and the same? >> thank you for your question. as -- as i mentioned earlier, one of the first things that we did, or i did, for opm was to
4:59 pm
develop 100 -- within 100 days an i.t. strategic plan, and the issues that the i.g. just mentioned in terms of the i.t. governance and leadership and i.t. agility and data and strategy were all components of the plan, and the i.g. recognized the steps and the strategic plan that we developed. >> i only have five minutes, so i can't let you ramble on with all of these things. so let me ask you how, if he recognized that, would he still characterize it as significant deficiencies? >> as we were instituting the improvements we were making, he was also at the same time conducting his audit. his audit was conducted in the summer of 2014, when we were beginning to implement our
5:00 pm
strategic plan. he has -- the i.g. has continued to work with us and we've taken his recommendations very seriously. >> you have taken them seriously. have you implemented all of them? yes or no? yes or no. >> we have implemented many of them. >> have you implemented all of those? >> as i said, sir, we've implemented many of them. >> so you will implement all of them. >> we're looking at each of them seriously. >> not implemented. can you assure the federal workers you are going to implement all of the recommendations that the i.g. recommended to you, yes or no. >> we are working very closely with the i.g. to -- >> i'll take that as a no. so let me go on further then. because i'm very concerned that here we have not even notified most of the federal employees that have -- we've known about it. they continue to not be notified, and yet here you are saying that
5:01 pm
you have different priorities. because when chairman chaffetz asked why did you not shut it down, you said opm has a number of other responsibilities, is that correct? that was your answer to chairman chaffetz. >> we house a variety of data, not just personnel files, but we house health care data and employ other records -- >> so you are saying it was better that you supplied that and put federal workers at risk versus making it -- according to your words -- the highest priority to make sure that the information was not compromised. if it is your highest priority, why didn't you shut it down like mr. chaffetz asked and like was recommended? why didn't you shut it down? >> in my opinion we were not able to shut it down in view of all of the responsibilities we hold at opm. we do take seriously --
5:02 pm
>> so in your opinion protecting federal workers could not be your highest priority because there were competing priorities, and you said it was better that you continue on with the others versus protecting the federal work force. >> as i said, the recommendations that the i.g. gave to us are ones we take very seriously, sir. i don't want to characterize that -- that we didn't. that, in fact, we did take -- >> okay. let me -- there is a quote that says what we occasionally have to look at, no matter how beautiful the strategy, we have to occasionally look at the results. and the results here are pretty profound, that we've got security risk all over. and i would encourage you to take it a little bit more seriously and indeed make it your highest priority. i yield back. thank you, mr. chairman. >> now recognize the gentleman from massachusetts, mr. lynch, for five
5:03 pm
minutes. >> thank you, mr. chairman, and i want to thank the panel for your help. i want to associate myself with the remarks of the ranking member and the chairman today, which doesn't always happen. >> duly noted. >> i would like to ask unanimous consent, if i might, to enter into the record the remarks of colleen m. kelly, president of the national treasury association -- excuse me, national treasury employees union, and a letter from j.d. cox, the president of the american federation of employees, afl/cio. >> without objection. >> i want to read the first few paragraphs. this is a letter from the president of the american federation of government employees, afl/cio, j. david cox, to the honorable cathleen archuleta. i'm writing in reference to the data breach announced by the office of personnel management. and this is dated last week. in the days since the breach was
5:04 pm
announced, very little substantive information has been shared with us, despite the fact that we represent more than 670,000 federal employees in agencies throughout the executive branch. opm has attempted to justify the withholding of information on the breach by claiming that the ongoing criminal investigation restricted your ability to inform us of exactly what happened, what vulnerabilities were exploited, who was responsible for the breach and how damage to affected individuals might be repaired and compensated. based on sketchy information that opm has provided, we believe that the central personnel data file was the targeted database and the hackers are now in possession of all personnel data for every federal employee, every federal retiree and up to 1 million former federal employees. we believe the hackers have -- have every person's social security number, veteran record, address, birth date, health
5:05 pm
insurance, life insurance, e-mail, age, gender, race, union status and a lot more, and worst of all we believe the social security numbers were not encrypted, a basic cyber security failure that is indefensible and outrageous. and so were the social security numbers, were they encrypted? >> opm is in the process -- >> is that an i don't know? >> i don't believe that those -- >> can we stick to a yes or no. this is one of those hearings where i think i'm going to know less coming out of this hearing than i did when i came in because of the dancing around we're all doing here. as a matter of fact, i wish that you were as strenuous and hard working at keeping information out -- out of the hands of hackers as you are keeping
5:06 pm
information out of the hands of congress. and federal employees. it is ironic. you're doing a great job stonewalling us, but hackers, not so much. so were the social security numbers, were they encrypted, yes or no. >> no, they were not encrypted. >> there you go. there you go. now we're getting somewhere. that is pretty basic, encrypting social security numbers. so all of this happy talk about the complex systems we're coming up with, you're not even encrypting people's social security numbers. that is a shame. and now let me ask about the standard form 86. standard form 86 is what we require employees to fill out if they are going to receive security clearance, so people with sensitive information, and we drill down on these folks. this is a copy of the application. it is online if you want to look
5:07 pm
at it. it is 127 pages online and we ask them everything, what kind of underwear they wear, and what kind of toothpaste. it is a deep dive and that is for a good reason. because we want to know when people get security clearance that they are trustworthy, and there is -- there is information here, have you ever been arrested, do you have -- you have financial information in here, there is a lot of information in this form. they hacked this. they hacked this. they got this information on standard form 86. so they know all of the employees -- and everything about them that we ask them in the standard form 86, is that right, miss seymour? >> i believe that is a discussion that would best be held until this afternoon, sir. >> that is probably a yes. like i say, you know, i think you have to be honest with your employees. and i think that we need -- in order to protect them, we need
5:08 pm
to let them know what is going on. because the e-mail addresses are in here as well, several. your first, your second, your third e-mail address, and all of that information is out there. so we need to be a little bit more -- we need to be more forthcoming with our employees. these are people that work for us. and a lot of them deserve more protection than they are getting right now from the united states government and the office of personnel management. i see my time is expired. i appreciate the indulgence of the chairman and yield back. >> now recognize the gentleman from south carolina, mr. mulvaney, for five minutes. >> thank you, mr. chairman. and many of us are uncomfortable asking questions in this type of setting because we don't want to ask questions the answers to which should be kept confidential, so i encourage you in advance, if i ask something that we should talk about in a different setting, that is an acceptable answer. and mr. lynch,
5:09 pm
i don't know if i can get my hands around what we are learning, and i'll follow up on mr. meadows and miss archuleta. he asked if you will implement all of the i.g.'s recommendations, and he asked and you said no, and let me ask this: can you name the recommendations that you are pushing back against, that are not worth implementing? >> i don't have the specific list in front of me and i could come back and talk about that. but i would like to say that as we look at the recommendations by the i.g., we work with him so we can fully understand where we have moved in our security efforts and also to understand his observations. and that is the normal audit process. and we continue to go through that with him. >> and i get that. >> on a regular basis. >> and we get i.g.'s in here all
5:10 pm
of the time and that makes sense. but what bugs me, miss archuleta, in the end of 2014, it was the third recommendation, that all active systems in the opm inventory have an active representation, and you agree it is important to maintain up to date ipos but do not believe it rises to a material weakness, end quote. do you believe your opinion of that has changed since the end of 2014, miss archuleta? >> i believe all of the information and the recommendations that the i.g. has given us and we'll continue to work with -- >> knowing what you know now, that that condition did not rise to the level of material weakness? >> sir, we are working with a legacy system that has the recommendations that he has made to us, and we are working through those to the best of our ability. >> that is what frightens me, this is the best of your
5:11 pm
ability. let me see if i can get some summary information here as i go back and try to explain to folks back home. i heard it was just people in the executive branch. i pose this to anybody who could answer this briefly. are we still saying that the only people whose data was exposed are those who work in the executive branch of the government? >> this is an ongoing investigation and as we uncover new information we're happy to share it with you. >> right. >> we are not necessarily restricted to the executive branch because there are people who work in the executive branch today who worked in the legislative branch. >> and i got that notice. and -- i got that notice and it said if you worked in the executive branch, there is a chance they got your data, but if you didn't work in the executive branch, you don't have to worry.
5:12 pm
are you still comfortable with that statement? >> no. this is an ongoing investigation and we're learning new facts every day. >> we heard 4 million. i heard 14 today. and what is the current estimate of the current or previous numbers that were affected? >> currently 4 million is what we are notified of today and we are making an investigation so we can understand that data and begin to make notifications there as well. >> i have a question, i don't think it has been asked yet, and i think it is for mr. ozment or whoever else understands the i.t. systems. when we did this in the private sector, we differentiated between someone who hacked into our system and someone who stole something from us because there are two levels of involvement, and so have you been able to make the distinction between where the hackers were and had access, where things were exposed, and where they possibly downloaded
5:13 pm
data? >> thank you, representative. that is an important distinction and one we spent a lot of our investigative time examining. for the personnel records, the approximately 4.2 million records, the incident response team led by dhs and the partners learned it was exfiltrated, meaning it was removed from the network by the adversary who took it, and we are continuing to investigate the information. >> i appreciate you. i don't mean to cut you off. and i wish we had more time. and i heard about the data and i heard about the social security numbers and that might have been exfiltrated. and health data, do we collect health data on our employees? if i come to work for you, do i give you my health records? >> not the health records, but the information regarding your
5:14 pm
health carrier -- not your health. >> not specific medications or conditions, just who my health insurance company is. >> exactly. >> thank you, mr. chairman. >> now recognize the gentleman from virginia, mr. connolly, for five minutes. >> thank you. what is so jarring about this hearing is that in bloodless and bureaucratic language we're talking about the compromise of information of fellow americans, and from the federal employee point of view the most catastrophic compromise of personal information in the history of this country. social security records. miss archuleta, you mentioned not health information but health carrier, that is a road map to other information hackers can get. security clearances. security clearances are deeply personal. and often involve, miss
5:15 pm
seymour, unconfirmed negative information, and even rumors. i think so and so has a drinking problem. that gets into that report even if it is not confirmed, isn't that correct? >> sir, i'm not a federal investigator and not familiar with the precise data in those forms. >> let me confirm for you. it was a rhetorical question, really. it is correct. it is -- how do we protect our employees? dr. ozment, when i heard your testimony it almost sounded like you were saying that the good news here is we detected the hack. but the object here isn't effective detection, though that is part of the process. it is prevention and preemption to protect our citizens, including federal employees. you talked about einstein and you championed its merits.
5:16 pm
was einstein in place at opm when this hack occurred? >> sir, i share your deep concern about the loss of this information and agree that that is a terrible outcome. >> a terrible outcome. >> absolutely. as a federal employee whose information is itself a part of the database. >> it might even be personally devastating, dr. ozment, not just a terrible outcome. >> that is correct, sir. what i would tell you on this is that einstein was critical in this incident, as opm implemented the new security measures and detected the breach. >> was einstein in place at the time of the breach? >> einstein one and two were in place and einstein three is not yet available for opm. >> i've only got two minutes. i want to understand your answer. so did it successfully detect a breach had occurred?
5:17 pm
>> it did not detect the breach that opm caught on their own networks because, just as the cyber threat information sharing legislation we are focused on acknowledged, you first have to have the threat information. einstein one -- once we had the threat information, we used einstein one and two to detect a separate breach we were able to work. >> i'm sure every federal employee who had his or her information compromised is comforted by your answer, dr. ozment. miss archuleta, what was the time gap between discovering there was a breach and the actual breach itself? >> we discovered the breach in april of -- >> of this year. and when did the breach occur? >> we -- we suspected it happened earlier, in 2014. >> so sometime late last year?
5:18 pm
>> yes, sir. >> okay. so whoever -- the hackers, presumably an agency of the chinese government, according to published reports confirmed by u.s. officials, not a classified piece of information, the details of it may be, but our government, i believe, has confirmed without attribution in public records that it was a systematic effort by the people's liberation army, which is notorious for hacking all over the west, that got its hands on this data. so they had four months in which to do something with this data, is that correct, maybe five? >> i can't make a comment on the -- on the attribution. >> i didn't ask you to. i just asked whether they had four or five months to do something with this data? >> the period between when
5:19 pm
discovery of the -- the time that we believe the breach occurred and our discovery, yes. >> all right. i'm going to, real quickly if the chairman allows, mr. scott, one last question. the head of cert, the director of cert, said if the agency implemented three steps we could prevent 85 breaches, and i'll hold in advance now technology because miss lease talked about new procedures and i didn't think they knew how to hack into cobol. so would you just comment, what is your professional take on the three recommendations? >> i think those recommendations are great. and there is a number of other things as well, some of which i've talked about today. i think the one point i would make is there is no one measure
5:20 pm
that you would say, that is going to prevent all attacks or even prevent an attack. it is really defense in depth is your best measure and that is what we're really looking at emphasizing. >> thank you, mr. chairman. >> thank you. and i'll recognize the gentleman from north carolina, mr. walker, for five minutes. >> thank you, mr. chairman. i certainly agree with my colleague from virginia and his description, this is a catastrophic compromise. miss archuleta, it appears that opm did not follow the basic cyber security best practices such as network segmentation and encryption of sensitive data. should the data have been encrypted? could you address that. >> that the data was not encrypted and as dr. ozment
5:21 pm
indicated, encryption may not have been a valuable tool in this breach. we are working to see what additional tools we can put into our system to -- >> and you said may not have been but that didn't answer the question. should it have been encrypted and would that be another line of defense. >> i would turn to my colleague to determine the use of encryption but it was not encrypted at the time of the breach. >> if an adversary has the credentials of a user on the network, they can have access to the data and that did occur in this case so encryption would not protect this data. >> and let me ask this. what consequence should the cio meet for failing to meet such a
5:22 pm
baseline of cyber security on the network. may i hear your thoughts on that. >> i believe that the cio is responsible for the implementation of a solid plan and i believe that my cio has been doing that. we are working with a legacy system that is decades old and using all of our financial and human resources to improve that system. this is an effort -- this is a cyber security -- it is a government-wide effort and we all must work together to improve the systems that we have government wide. >> and i'm not sure that the american people are content with the pace of how we are all working together. i want to speak a little bit to this einstein. i've heard several different comments today regarding it. and the question is even if einstein is a necessary component to defending the system i believe the private sector is already moving on this kind of technology. is that a fair question and what is the dhs doing to keep pace
5:23 pm
with attackers. >> einstein is sufficient but not a good tool for detecting deficiency. and we are supplementing einstein with diagnostics and mitigations at the agencies and looking at einstein at taking what is a signature focus system and adding capabilities to detect previously unknown intrusions but as you do that you receive more false positives and in other words you receive more indications that an intrusion occurred even if it did not occur and we have to do that carefully so we are not overwhelmed by bad data. >> and it seems that you are more excited or more confident in the einstein 3a version and is that going to be more solid to keep the attackers out. >> it is a step forward. it is classified and modelled on a department of defense program. it is still a signature-based program but it will rely on
5:24 pm
classified information to detect adversaries and block them from intrusion. >> and i heard you say how that system needs to be supplemented with others is that correct. >> that is correct. no single system here will solve this problem. >> and in this lies my problem. because even on the dhs website and talking about einstein three it said it prevents malicious traffic from harming networks. if that is all inclusive shouldn't we understand that before today's hearing. why are we now getting information that this should not be enough to prevent a catastrophic compromise. >> i can't speak about the web page you are referring to and i have been consistent in all of my interactions with congress to highlight we do need a defense in depth strategy and no one tool will be responsible for all of the problems. >> and who is responsible for
5:25 pm
posting this information on to the website. >> we'll look into that and get back to you as necessary. >> thank you, i yield back. >> now recognize mr. cartwright for five minutes. >> thank you. and i thank the chairman and the ranking member for calling this hearing. director archuleta, i know there have been much bigger data breaches than this one but i am concerned and i share the sentiment of mr. connolly from virginia, this is extremely troubling and we're talking about 4 million plus federal workers, people who dedicate their entire careers indeed their entire lives to our country and now their personal information has been compromised through absolutely no fault of their own. if i understand your testimony, the personal information of about 4 million current and former employees was potentially compromised and i want to ask you, as your investigation continues, do you believe that
5:26 pm
that number is going to be bigger than 4 million? >> thank you for your question. in my opening statement i described two incidences. >> no, it is a yes or no question or i don't know? >> no. because of the two incidences the first is 4.2 million and an ongoing investigation led us to understand that the federal investigative -- >> you know what i mean is i say it is a yes or no question. >> yes, sir. >> do you think it would be more than 4.2 million people. >> yes, sir. >> miss seymour let me turn to you for more detailed responses. your i.t. professionals discovered the breach in april and as mr. connolly mentioned they believe the hack may have begun back in december am i correct in that? >> yes, sir. this began in 2014. >> and something else happened in december of 2014.
5:27 pm
the opm contractor keypoint revealed it was targeted in an earlier cyber attack. this is the contractor that does the majority of your agency's background check investigations, am i correct in that? >> they do a number of our background investigations, sir. i'm not sure of the numbers. >> and in that case the attack against keypoint was successful, personal information was, in fact, compromised, correct? >> yes sir. >> on friday abc news issued a report entitled feds eye link to private contractor in massive government hack. this article says this the hackers who recently launched a massive cyber attack on the u.s. government exposing sensitive information of millions of federal workers and millions of others may have used information stolen from a private government contractor to break into federal systems. the article goes on. the hackers entered the u.s.
5:28 pm
office of personnel management, opm computer after first gaining access last year of keypoint government solutions. it continues. authorities, meanwhile, believe hackers were able to extract electronic credentials or other information from within keypoint systems and somehow use them to help unlock opm systems according to sources. the hackers rummaged through separate segments of opm systems and compromising the 4 million current and federal employees. miss seymour, i know we're having our classified briefing later and i thank you for coming to that, but can you comment on these reports. did the hackers get what they wanted in the previous attack against opm contractor keypoint so they could then go
5:29 pm
after opm itself. >> i believe that is a discussion we should have in a classified setting, sir. >> fair enough. and we know the other contractor usis was breached last year and its information was also compromised. can you tell us if those hackers got information in the usis breach that they were able to use in the attack against opm. >> again that is a discussion we should have later. >> i understand. i certainly don't want you to disclose classified information here. but let me end with a final question to the whole panel. private companies are only as strong as the weakest link. last year we saw weakest links of keypoint and now agencies have leverage over contractors using the provisions in the contracts and the billions of
5:30 pm
taxpayer dollars they pay out to the companies so i want to ask each of you, how can agencies use that leverage to improve cyber security practices of contractors so they do a better job of safeguarding the information that they are entrusted with. go ahead. right on down the line. starting with you, miss archuleta? >> what we can do with the contractors that we engage is to make sure they have the security systems that match the federal government's and they are using the same sort of systems. in addition -- i want to be sure i understand your question, the contractors that we employ as individuals or as companies? >> the contractors as companies. >> that in our contracts with the companies that we are now working to make sure that they are adhering to the same standards that we have in federal government as outlined
5:31 pm
in our rules. >> dr. ozment. >> representative dhs for its own contract has been working to build additional cyber security requirement and i would refer you to fedramp, a government baseline security requirements for cloud contractors to the government. >> mr. scott. >> yes i think as my colleague anne rung and i testified last week, we are also strengthening the federal contract procurement language and creating contract language that any agency can use as a part of their standard contracts. >> thank you. miss burns. >> i think it is about beefing up the security clauses in all contracts so they cover the full extent of what we need and doing the monitoring and follow-up that you need to make sure they are adhering to the clauses of
5:32 pm
the contract. >> miss seymour. >> i agree with everything my colleagues put forth and i will add that site inspections are important and that is something we do at opm and monitoring and looking at something every third year is not ample and that is not a best practice and we need to move more toward looking at different security controls at different intervals of time and the other option that we do use is our i.g. also does inspections of our contractor companies. >> mr. esser. >> i agree with what the other witnesses stated. and as miss seymour just said we do go out and do audits of contractors, background investigation companies as well so we can be used and see ourselves in that role. >> mr. chairman, i thank you for your indulgence. and i want to note that usis was invited. >> i appreciate it. you're almost 3 minutes over
5:33 pm
time. we have classified that we have to go to and members with questions. >> yield back. >> i now recognize mr. russell from oklahoma for five minutes. >> thank you mr. chairman. i'm baffled by all of this. upon receipt -- or upon your appointment of directorship of opm, director archuleta said she was committed to an inclusive work force and who would have thought that included our enemies. in testimony today we heard statements that we did not encrypt because we thought they might be able to decrypt or decipher. that is just baffling to me. there was another statement i heard earlier today that said had we not established the systems we would never have known about the breach. that is tantamount to saying --
5:34 pm
if we would have never ordered the muddy flowerbeds we wouldn't have seen the footprints on the muddy sill this puts us at risk and foreign nationals that interaction. and at corner are the form 86 forms which i'm familiar with in my background prior to coming to congress. we had sean gallagher who summed it up probably best. he said this breach was a result of inertia, a lack of internal expertise and a decade of neglect. director, why did you not shut down 11 of the 31 computer systems that did not have -- >> microphone. as i mentioned before there are
5:35 pm
numerous priorities that go into employee safety and security including making sure that our retirees receive their benefits or that our employees get paid. there is numerous considerations that we had to -- >> would one of the considerations be encrypting social security numbers. does it take a degree in i.t. and cyber security to encrypt social security numbers? i didn't think so. did your cyber security strategic plan include leaving half of opm plans without security. >> no. >> then why was it not made a priority? >> the systems that the i.g. referred to in our plan is that -- those systems that he recommended we shut down, he recommended that we shut them down because they were without
5:36 pm
authorization. all of our systems are now authorized and they are operating. i have to say that we are looking at systems that are very very old. and we can take a look at encryption and other steps that can be taken and we are certainly doing that but as we look at this system we are also having to deal with decades of -- >> and i understand that. but i also understand there is an old saying that we had in the military, poor is the workman who blames his tools. missions can be accomplished, even with what you have. and measures could have been done had this been made a priority. and what i see now is why did opm have no multifactor means. if they get into the system, they have free rein, is that correct. >> we have implemented
5:37 pm
multifactor and miss seymour has multifactor with our remote users. >> and when was that put in place, before or after the breach. >> this began in january of 2015. >> so stolen credentials could still be used to run free in the system is that correct? >> prior to the time of the two factor authentication it would take -- it takes time to implement all of these tools. i am as distressed as you are about how long the systems have gone -- have gone neglected when they've needed much resources and it is my administration that we have put the resources to it. and we have acted quickly which we are doing and we are working with our partners across government. as i said before cyber security is an issue that all of us need to address across the -- >> was a
5:38 pm
priority made to the outside systems that were most vulnerable that would allow the free run. >> would you repeat the question. >> was a priority made to the outside accessing systems to the opm data access that they have a free rein, a free run. >> yes. but as i said before, with the legacy systems, it takes time. >> it didn't take our enemies time. thank you, i yield back. >> now recognize the gentleman from california mr. lieu, for five minutes. >> dr. archuleta under your watch, last march, opm data was breached. and this year the same data base was breached and a third data breach contained over 4 million federal employee data base information was breached and my question to you, it is a simple
5:39 pm
yes or no, do you accept responsibility for what happened? >> i accept responsibility for the administration of opm and the important role of our i.t. systems in delivering the systems and i take very seriously my responsibilities in overseeing the improvements to a decades old legacy system. >> i don't really quite know what that i asked for a yes or no. but that is you've answered it. i'm going to reserve the balance of my time to make a statement. having been a member of this oversight committee and computer science major, it is clear to me, there is a high level of technology incompetence across many of our federal agencies. we've held hearings showing federal agencies couldn't implement or deploy i.t. systems without massive bugs or cost overruns. we've held hearings where one agency, the fbi had a
5:40 pm
fundamental misunderstanding of technology put back doors to for guys and for the over breaches and is culture problem civilian not understanding we're in a cyber we're attacked sector. u.s. military understands up entire and until understand issue continue data breaches. more understanding of thisunencrypted we see and look at 12, it as of of last year yet a assessment.
5:41 pm
especially since you knew march system wasbreached. that is of and goes just only a few you'll a why last friday agencies and wasn't done last years failure leadership and there problem have we done in the past in especially the area of national security? you can't have the view this is legacy system and excuses. national security breaches. can't around every then our will spies data can't and when a
5:42 pm
problem the past when agencies have this, leadership resigns or they're fired. at the dea. leadership left and this happened at the secret service and at the veterans administration and we as the government have this one to send a signal that the status quo is not acceptable. we cannot continue to have this attitude where we make excuse after excuse. and i've heard a lot of testimony today but the one word i haven't heard is the word sorry. when is opm going to apologize to over 4 million employees. and when are they going to apologize to the employees that are personally devastating information released through the form 86 and we send a signal to others that the status quo is unacceptable and we want new leadership in that is more competent. so i'm looking here today for a
5:43 pm
few good people to step forward, accept responsibility and offer to for the good of the nation. i yield back. >> thank you the gentleman. well said. now recognize the chairman of the i.t. sub-committee, mr. hurd of texas, for five minutes. >> thank you mr. chairman. it is my hope that every agency head and every cio of these agencies are listening or watching or will read the testimony after this event and that the first thing they do when they wake up tomorrow is pull out the gao high risk report and identifies high risk areas and read their own report and work to address those remediations. i've been at this job for 21 weeks. similar to mr. scott and one of the things you hear from people, they're frustrated with their government.
5:44 pm
one, intentions are great. miss archuleta, you said at the beginning, that the security is paramount and that is paramount. i believe you believe that. but the execution has been horrific. intentions are not enough. we have to have execution. and this is the thing that scares me. so my question and let's start with you miss archuleta, was did the hackers use a zero day vulnerability to get into your network? >> i think that would be better answered in a classified setting. >> well, if it was a zero day vulnerability, i hope everybody has been notified of the zero day, not only the government but the private sector. we shouldn't be keeping secret a zero day vulnerability. i spent my adult life in the cia doing that. that is something we need to get out and if we haven't because i
5:45 pm
read that einstein did detect the breach after the appropriate indicators of compromise were loaded into it. so my question is, how long did the federal government did somebody have access to these indicators of compromise and why did it take however much of that time to get it into the einstein system and has that been promoted to every other agency that is using einstein two? >> representative opm once they discovered the breach gave us the indicators of compromise immediately and we loaded it into einstein immediately. that is we loaded into einstein two to detect and looked back through history to see if any other traffic back in time had indicated a similar compromise, that is how we found an intrusion into opm that led to the discovery of the breach of the personal records and we also put into einstein three so agencies
5:46 pm
covered by einstein three would be protected against a similar activity moving forward and we held a call with all of the federal cio's and disseminated them and asked them to search their networks. >> has that been done? >> that has been done. >> so miss seymour, you talk about legacy systems and the difficulty of protecting those. what are some of the legacy systems and what programming software has been used to develop those systems? >> these are systems, sir, that have been around for going close to 25, 30 years. >> so it was written in cobol. >> cobol systems. one of the things i would like to offer is that director archuleta and i actually were brought here to solve some of these problems. >> when did you start your job. >> in december of 2013. >> and why did we wait to implement two factor
5:47 pm
implementation until after this hack. >> we have not waited. >> so it was being deployed prior. >> these are two decades in the making. we're not going to solve them in two years. >> that is where i disagree with you. because, again we have to stop thinking that we have years to solve the problem. we don't. we should be thinking about this in days. miss archuleta, how much over time have you signed off on since this hack of people that are dealing with the compromise? >> the -- my cio team works 24/7. >> so if i walk into your building at 8:00 p.m. at night, there will be people drinking red bull working furiously in order to solve this problem. >> i'm very proud of the employees working on this issue and they have been working 24/7. >> mr. scott you've inherited a mess, my man. and we're looking for you and whatever this committee can do
5:48 pm
to ensure this doesn't happen and make sure the cio of the agencies are implementing the recommendations of the ig and the cia and we're going to continue to drag people up here to answer these questions because that is our responsibility. and i recognize you can't stop everybody from penetrating the network but how quickly can you identify them and quarantine them and kick them off the network. those are the three metrics we should be using about the health of our network and we're woefully inadequate. i yield back the time i don't have. >> mr. desantis is recognized for five minutes. >> thank you, mr. chairman. miss archuleta, in your testimony, you said, we've confirmed that any federal employee across all branches of government who organization submitted history service records to opm may have been
5:49 pm
compromised even if their service history has not been recorded. what do you mean by that. >> they may have been in a different position earlier perhaps as they move around government. so it may be someone who is -- whose job would not be -- current job would not be in the system but because of the service history their information would be dated back and it is for retirement purposes. >> so potentially broader breach. i'll tell you with sf 86, i remember filling that out when i was a young officer in the navy and it is by far the most intrusive form that i've ever filled out. it took me days. i had to go do research on myself to try to figure out and it is not just that you are doing a lot of personal and sensitive data about the individual applicant, the sf 86 asks about family members, it asks about friends, spouse, relatives
5:50 pm
where you've lived who you knew when you lived in different places, it also asked you to come clean about anything in your past life and so to me people have said that this is crown blackmail. and so this is a very, very serious breach. my question for ms. archuleta, were cabinet level officials implicated in this breach? >> sir, this type of information would be better discussed in a classified setting. >> understood. what about people in the military and intelligence communities? >> as i mentioned earlier, i believe that this is something that we could respond to in a classified setting. >> and so you don't disagree with my characterization of the sf 86 in that the compromise, let's just say theoretical if you don't want to say what actually happened here, that
5:51 pm
that is a major, major breach that will have ramifications for our country? >> as i said, we'll discuss this with you in the classified setting. >> sf 86 forms require applicants to list foreign nationals with whom they are in close contact with. china has a list of chinese citizens worldwide who are in close contact with american officials. they can and will obviously use that information for espionage purposes. what are the security implications of that type of information falling into enemy hands? that could be for anybody. >> sir, that is a question that we will discuss in the hearing this afternoon. >> okay. now, some reports say that not only were the hackers pursuing information on federal employees but also password and encryption keys that could be used for trade secret theft and espionage. i guess you'll have more to say about that in a classified
5:52 pm
setting. at least for this forum, can you say that that is a significant risk, that is not the type of information that we would want the enemy to have and it can in fact be very damaging, correct? >> again, sir, we're going to defer discussion of that until the classified briefing. >> and i get that. and i'm -- i will be there and i will listen intently. but it really concerns me because this is really a treasure trove for our enemies potentially. and the fact that this system was hacked and we didn't even know about it for a long time, you know, that is really, really troubling. and i think that the american people -- i mean, if you ask people to want to serve in these sensitive positions and they think that by filling out these forms they're actually going to put themselves or their family potentially at risk because the government is not competent enough to maintain that secretly, that is a major problem as well. so the information can be used
5:53 pm
against the country. then you're also, i think, going to have a chilling effect on people wanting to get involved if we don't get a handle on this. i look forward to hearing from the witnesses in a classified setting and i yield back the balance of my time. >> recognize the gentleman from alabama, mr. palmer for five minutes. >> thank you, mr. chairman. ms. seymour, does the employee exposure extend to only those that filled out standard form 86, or does it include others as well? >> our investigation is ongoing, sir. >> ma'am, apparently it does because i have two employees who have never filled out a standard form 86 and they have a letter from you informing them of the possibility that their data may have been compromised. i'll ask you again, and it's a yes or no. does it extend beyond the people who filled out an sf 86? >> my answer to that is yes, sir. there are two incidents we've come here to talk to you about today. >> why didn't you answer yes to start with? >> you were talking about sf 86s
5:54 pm
sir. >> i made it clear, i asked you did the exposure extend beyond those who filled out sf 86. and you said the investigation was ongoing. apparently you've investigated enough to send a letter to employees who didn't fill out those forms. so thank you for your yes answer. is there -- in your judgment, ms. archuleta, how likely is it that the hackers were able to access these personnel files through an employee account? >> sir, we'll be able to discuss that with you during the classified session. >> let me be a little more specific. are you familiar with "the wall street journal" article that indicated that it was possible that the breach occurred through personal e-mail accounts, because employees were using the
5:55 pm
federal system. and that early in 2011 the immigration customs enforcement agency noticed a significant uptick in infections and privacy spills and they asked for a directive or put out a directive that federal employees could not use the federal system to access their personal e-mails. but the american federation of government employees filed a grievance with the federal arbitrator claiming that was something that needed to be bargained and needed to be part of the collective bargaining agreement. and the arbitrator dismissed security arguments in 75 words claiming the law didn't give federal agencies exclusive discretion to manage the security systems. i.c.e. wasn't able to shut that off. do you have any comment on that? >> no, sir. again those are issues that we'll be able to discuss in the classified hearing.
5:56 pm
>> well it's being discussed in "the wall street journal." i think for now, since we need to head to the hearing, i will yield the balance of my time. thank you, mr. chairman. >> now recognize the gentleman from georgia, mr. hice for five minutes. >> thank you, mr. chairman. mr. esser what are the risks with not having a valid system authorization? >> the risks are evident that not having a valid authorization essentially could be a symptom of weak controls over operating systems and applications. and lead to things such as a breach. >> okay. with all the things that we're talking about here today, and ms. seymour you were obviously fully aware of these risks and opm were aware of the risks? >> yes, sir.
5:57 pm
i was aware of these reports. >> okay. now, this is -- i kind of hate going back to this because it's come up several times already today. but still, i'm waiting for an answer. the inspector general of course put out his report last november expressing great alarm recommending that opm consider shutting down the systems because of the risks that you knew about, ms. archuleta knew about. and yet these recommendations were ignored. i'm going to come back to you with this because quite frankly ms. archuleta has tried to dodge this question and dance all around it. i want to come straight up with you, why were those recommendations not followed? >> two reasons, sir. one is an authorization to operate is merely the documentation of the security controls of a system and their effectiveness.
5:58 pm
that does not mean simply because you don't have an authorization that those tools don't exist. the other effort is as the ig was doing its audit, we were taking all of those vulnerabilities into play. we had already developed a security plan that we were in the process of implementing. and the ig admits in their report that we were in the process of implementing many of those controls. >> did the plan that you were in the process of implementing work? obviously it didn't. would shutting it down have worked? >> the controls that we put in place allowed us to stop the remote access to our network and they also allowed us to detect this activity that had occurred prior to the ig report. >> but the vulnerability was
5:59 pm
still there, and your plan failed. >> there are vulnerabilities in every system. what we do is a risk management process, sir, where we look at the vulnerabilities as well as the business that we must conduct. >> mr. esser, let me come back to you. what currently are the consequences of owners of opm i.t. system, currently what are the consequences now if they operate without a valid authorization? >> there are essentially no consequences. we report that in our audits. but other than that, there are no official sanctions in place. it is something that gets publicized and that's the extent. >> it sounds to me like this thing is still not being taken seriously. no consequences for operating without authorization. why in the world are we still operating without authorization, or is that occurring? >> sir, i have extended the authorizations that we had on
6:00 pm
these systems because we put a number of security controls in place in the environment. we have increased the effectiveness of the security around those systems. >> but there's no consequences for not operating on a system with authorization? so how serious are you taking it? >> there are consequences. >> what are they? >> those consequences are if you, if you aren't doing the assessments, documenting them is while that is evidence that those assessments have been done, the assessments themselves are more important. the scanning of the network, the tool -- >> that's not the consequences. what are the consequences. you said there were consequences. i want to know what they are. >> the consequences that we have are we report to omb on a quarterly basis about the status of our security and our network. >> that doesn't sound like consequences. that sounds like just reporting that you're required to do