all men are created. they are endowed by their creator with certain enable rights. among those are life liberty, the pursuit of happiness. i always add that pursuit of happiness thing that's nothing frivolous. that's something serious. it's something difficult to obtain. now, i have been blessed in this country, like so many republicans and conservatives are serving we start from humble begins. we take advantage of the unlimited opportunities this nation presents us and we rise and live and achieve the american dream and we are grateful for it and we give back. i'll tell you the number one reason i've been able to obtain what success i've been able to garner is because i had two loving parents of great and deep

faith. if everyone american could make that same statement. if every american could enjoy the opportunity i had by having two loving parents of great and deep faith, this nation would be in a wonderful state today. a wonderful state. i often get asked as a business person never involved in politics, never any aspirations to be a politician. by the way i'm not one. i'm a citizen of legislature. how did you decide to run for the united states senate? let me quick tell you the story because it sets up my final comments. i was asked to give a speech at a tea party in october 2009. i was serving on the chamber,

working on education on a volunteer basis in oshkosh. one of the members is putting on the tea party, she asked me, would you come as a business person, talk about the harmful negative effect of regulation on business. i said well i'm happy to speak. even though i'd never given a speech before in my life. certainly not a political speech. i said, i'll come speak but that's not what i want to talk about. a few weeks before she asked me, i heard the president of the united states talking about doctors. drgs, they'll look at a fee schedule and they'll decide to take off -- amputate a foot or take out a set of tonsils basically for a few set of bucks. calling doctors needy, grubbing fill in the blanks. in particular for my wife jane and i, it was offensive because our first daughter was born with a pretty serious congenital

heart defect. her aorta and pulmonary artery were reversed. so at 1:30 in the morning, one of those doctors came in, used his skill, his dedication, performed a procedure and saved a life. eight months later when her heart was the size of a small plum and seven hours of open-heart surgery, a team of incredible incredibly dedicated skilled professionals changed the chambers of her heart. on may 4th this year she just turned 32. she first became a nurse at rush medical center in chicago working in the neonalgts intensive care unit. now she's a nurse practitioner.

she's been accepted to a program at johns hopkins to advance her profession. she took care of these 1 1/2 pound little babies. that some are willing to destroy. i gave that speech, i told that story. afterwards people came up to me and said i like your speempction why don't you run for office? my answer was pretty consistent. because i'm not crazy. what would want to subject themselves to this process? but then they passed obamacare and i watched our sent and deficits soar over $1 trillion. i started recognizing the fact we are mortgaging our children's future and we have to do something about it. now, how do we start solving these problems? let me give you just the first step.

the first step in solving any problem is you have to define, it have you to identify it, but you first have to admit you have it. right now we have in the oval office what i call the denier in chief. whether it's on debt and deficit, whether calling isis the jv team, whether saying vladimir putin is looking for an off-ramp when he's looking for an on-ramp, whether it's willing to do a deal with the ayatollahs that i wouldn't trust as far as i can throw him, we have a real problem. so we need to find a serious president. we need to let more citizen legislators, more people that are coming here to serve the nation and not serve themselves. [ applause ]

so, how do we find those people? how do we get those kind of people elected? well it starts with what i thanked you for, involvement. have you to talk to your friend, your family, your neighbors. have you to talk to total strangers. have you to engage them in the process. have you to make them understand how precious this nation is and how it is worth preserving. let me just give you a little hint in terms of how you should start any political conversation. you know, i come from a business background. i've done a lot of negotiating. i'll guarantee you i didn't start those negotiations arguing. which by the way is exactly how president obama started his new relationship with congress. something that's probably the most divisive act he was do, executive amnesty. what i would do on the front of negotiations is lay out all the areas of agreement. it was a good technique. it developed a relationship with my negotiating partner. it allowed me to develop a level

of trust so when you finally came to those necessary areas of disagreement, it was a whole lot easier finding common ground. here's a way to start all political conversations with an area of agreement, state. goal. here's a goal i think every american agrees with. we all want a safe, we was a prosperous, we want a secure america. we are all concerned about each other. we all want every american to have the opportunity to build the life for themselves and their family. with have enormous challenges facing this nation. you're lucky, i don't have the time -- i would have the powerpoint. i could lay out the financial problems facing this nation. i could have taken the smiling faces in this crowd and turned them into frowns. we have enormous challenges. as we start to discuss the

solutions for those challenges, it's extremely helpful if we're not questioning each other's motives. i don't question the motive of the other side. i hope they don't question mine. my parents were wonderful people. they taught me that all works has value. i grew up with the understanding that my parents told me probably the greatest compliment you could ever give another person. that's a really hard worker. that's what it's going to take. it's going to take strong families, renewed faith the ability to create an economy that creates the jobs so that people have the dignity to perform the work to be able to pursue happiness and preserve life and liberty. that's what it's going to take. let me end on this note. i was at a lincoln day dinner in

eau claire wisconsin. i give a powerpoint presentation. i give it, let me put it this way, the opposite of sunshine. these individuals were talking about all the problems facing this nation. you know just being really debbie downers. i said time-out here you guys. listen. this is reverse. this isn't right. i should be depressing you. stop it, stop it schm! i'll stipulate, we have enormous challenges facing this nation. so ask me a simple question. with all these problems facing this nation ask me why i'm willing to run again. they dutifully did. i gave them a pretty simple answer. because i'm not willing to give up hope. i'm not willing to throw in the towel on america and neither should you. so god bless your efforts and

god bless america. take care. [ applause ] >> the next man needs no introduction to you but i'll give him one anyway. senator ted cruz of texas -- [ applause ] is responsible for that throng of cameras. he was elected in 2012 in what many also billed as a hopeless, uphill battle an ego trip. don't even do it he was told. and the establishment sent all

the king's horses and all the king's men and all their money against ted cruz and he defeated a sitting governor not once but twice. first in the primary and then the runoff representing texas. before that, senator cruz was the solicitor general for the state of texas and holds many distinctions in that role and otherwise as having briefed and argued over a dozen supreme court cases before the highest court in the land. and he his wife heidi reside in houston with their two daughters, caroline and katherine. senator cruz among his finest accomplishments, he's probably best known as having stood on his feet for 21 hours during a filibuster to stop the funding of obama care. the criticism he took ranged from your a show horse not a workhorse, to you're going to

cost the republicans the majority in the house and you can kiss the senate good bye. perhaps he should take credit for the republicans winning the senate. and the house majority increasing. senator cruz is known as a world class debater, having won national championships while in undergrad at principle ton before going to harvard law school. i'm sure we're all excited to see those debate skills unfold later this summer, in two short months. ladies and gentlemen as i said about senators rubio and paul, senator cruz also on march 23rd of this year had a special announcement for all of us. he is running for the republican nomination to perfect united states. i'm sure he'll share with you now more about that and more about his solid track record on the issues that motivate, animate and inspire you. ladies and gentlemen please join me in welcoming senator ted cruz.

[ applause ] >> thank you so much, kellie ann. god bless the faith and freedom coalition. and god bless concerned women of america. i'm thrilled to be back with so many friends today. you know, today the body of christ is in mourning. i want to begin by just reflecting on the horrific tragedy of last night. at the emanuel a.m.e. church, that a sick and deranged person came and preyed with an

historically black congregation for an hour and then murdered nine innocent souls. christians across our nation, across the world believers across the world are lifting up the congregants at emanuel a.m.e. and i want to start with a moment of silence remembering those who were murdered last night. it's a new morning. a new morning and we're gathered here today focused on our country. focused on the threats facing our nation. we have leaders in our midst. this is a gathering of leaders.

every one of you, ralph reed, what an extraordinary leader ralph reed is. [ applause ] he is tenacious. i'm pretty sure he never sleeps. and i have photographic proof that even if he does sleep when he sleeps, he's smiling. he brings a spirit of joy and utter determination to the task at hand of motivating people of faith to stand up and take our nation back. i also to want say a word about my friend penny nance. penny is extraordinary. concerned women of america are an army of women on the ground in all 50 states standing up for our nation.

i'll tell you, i am profoundly optimistic we're going to turn our nation around. and the reason i'm optimistic is because of our leaders here today. the reason i'm optimistic is because each and every one of you standing up and leaving and taking on the forces of darkness the threats that face our nation. what i want to do this afternoon, there are many, many issues we could talk about. we could talk about jobs and the economy, we could talk about taxes and regulatory reform but i want to talk about an issue that i think will be front and center in 2016 and that is religious liberty. i believe 2016 will be the religious liberty election. religious liberty has never been more threatened in america than right now today. let's talk about religious liberty both at home and abroad.

at home like many of the men and women in this room i've spent decades fighting to defend religious liberty. when i was solicitor general of texas i was proud to defend the ten amendments monument on the capitol grounds. [ applause ] we went to the u.s. supreme court and we won 5-4. i was proud to defense the pledge of allegiance, the words one nation under god. we went to the supreme court and we won unanimously. and then in private practice i was proud to join with my good friend kelly shackelford in representing over 3 million veteran, pro bono for free, defending the mojave desert

veterans memorial. a lone white latin cross erected over 70 years ago to memorialize those who gave their lives in world war i. the aclu sued to tear down that monument and they won in the district court they won in the court of appeals. the court of appeals literally ordered that a plywood box be built around the monument to hide it because they said you could not gaze upon a cross on federal lands. i'll till this they're right in one thing, the cross has power. [ applause ] and i was proud to represent 3 million veterans before the u.s. supreme court defending that monument and we won 5-4.

the battles today have only intensified. religious liberty. in fact, just this week i think the epa has named religious liberty an endangered species. that would be funnier if it weren't so profoundly true. every one of us our hearts broke a couple months ago in indiana and arkansas. indiana and arkansas the battle over religious liberty there was heartbreaking. the perfect storm of the modern democratic party and big business came together. there was a time when religious liberty brought us together. when it was a bipartisan priority. where we might say, you know, democrats and republicans, we'll disagree on marginal tax rates,

but when it comes to defending the protections of the first amendment, for every one of us to worship and seek out and follow the lord god all mighty with our hearts, minds and souls, on that we stand as one. sadly that is no longer the case. the modern democratic party has decided their commitment to mandatory gay marriage in all 50 states trumps any willingness to defend the first amendment. two decades ago congress passed the religious freedom restoration act. had the support of such famed right-wing nut cases as ted kennedy, chuck schumer and joe biden. was signed into law a democrat. that law was identical substantively to the law arkansas and indiana took up.

today's democratic party aided by their friends in the media, aided even more by big business that thought it was good business to throw christians overboard and abandon civil liberty, pounded upon leaders. i'll tell you what was saddest, just how many republicans ran for the hills. i think indiana was as ronald reagan would have put it a time for choosing. as william barrett travis in texas put it when he drew a line in the sands you choose which side of the line you're on. more than a few republicans sadly, even more than a few republicans running for president in 2016 chose that moment somehow to go rearrange their sock drawer. i'll tell you this i will

never, ever, ever shy from standing up and defending the religious liberty of every american. [ applause ] let me tell you the story of a couple i met in iowa. dick and betty oguard. a wonderful couple. they have a farm with an old historic church on that farm. for years they hosted weddings in this church and they made a business of catering the weddings. that's how they helped provide for their livelihood. a couple years ago two gay men wanted to have a wedding in their church. now, they are devote mennonites. they said, i'm sorry we cannot host this. this is inconsistent with our

faith. the oguards found themselves drawn into litigation extended legal battle. ultimately they wrote a check for $5,000 and promised never again to host a wedding in that church. religious liberty is under assault. now, all of us are aware in a couple of weeks the supreme court is going to issue a decision on marriage. i would encourage everyone here to be lifting up in prayer the court that they not engage in an act of neighboringed and lawless judicial activism, tearing down the marriage laws adopted pursuant to the constitution.

but to underscore the threat to religious liberty one need look no further than an exchange during that oral argument where justice alito asked the obama solicitor general, if the obama administration prevails and you insist this court to strike down the marriage laws of every state, would the next step be that the irs will start going after christian schools, christian universities, christian charities, and next after that christian churches? any institutions that follow a biblical teaching of marriage, or for that matter, jewish schools, mormon schools any institution that follows religious teachings. and the answer from the obama administration to the u.s.

supreme court is yes, that is a very real possibility that the next step is the irs coming after schools, universities, charities. this is a time we decide who we are, what we believe. we are a nation founded by men and women fleeing religious oppression. we are a nation founded -- there is a reason religious liberty is the first protection and first in the bill of rights because it's all foundational. we cannot stand unless we first are on our knees. [ applause [ [ applause ] and whoa look at religious liberty at home, abroad, it's

even worse. abroad right now we're seeing religious persecution at a level that is horrify. and we have a president who refuses to acknowledge it. you cannot defeat radical islamic terrorists with a president who's unwilling to utter the words radical islamic terrorism. we remember several months ago the horrific attack in paris that the president inexplicably described as a, quote, random act of violence. when radical islamists with butcher knives go into a kosher deli seeking to murder jews because of their jewish faith

there ain't nothing random about that. it is a naked and transparent act of anti-semitism and religious big on thet bigotry and it needs to be called out for precisely what it is. when isis beheaded 21 koptic christians, the white house put out a statement that said they were killed because of their egyptian citizenship. you know pope francis powerfully observed their blood confesses jesus christ. in kenya, 147 christians were murdered by al shabab.

radical islamic terrorists and just to make it transparently clear for this administration, they sorted among the people and asked if you were a muslim, you were spared. if you were a christian, you were shot in the back of the head execution style. 147 christians on good friday. if you go to the white house and read the statement on the mass car in kenya, you will search in vein for the words christian or islam. we must speak the truth. the truth has power. it has power when we speak up for pastor adini wrongfully in prison. [ applause ]

it had power when the men and women in this room spoke up for miriam ibrahim, wrongfully in prison. it has power when the men and women in this room stand up and speak out for the nation of israel. can you imagine six years ago if i would have told you that prime minister netanyahu would come to address a joint session of congress and the president, vice president and the entire cabinet would boycott the prime minister of israel. that's how bad things have gotten. and yet the world tells us, weep ing may endure for the night but

joy cometh in the morning. and i'll tell you this morning is coming. morning is coming. andle men and women in this room are going to play a critical role. our country's at a crossroads. if people at faith stand up and lead, if the leaders in this room, each and every one of you in your communities, you have a circle of of influence, friends family pastors, as you reach out, there are about 90 million evangelical christians in america. 50 million evangelicals are staying home. 50 million. reagan democrats, blue collar working class catholics, up and down the midwest up into new england, if we're going to turn the country around, the work that ralph and penny are doing the work that every one of you are doing to turn out people of

faith, it's a real simple formula. if people of faith show up, if we stand for our faith and our liberty and the constitution, we will win and turn the country around. so so i'm going to close with a quick mention. i mentioned morning is coming. we can find the date morning will come. it will be january 20, 2017. on january 20, 017, a little old man walks up to the front gate of the white house. young marine standing there, standing guard. the little old man says excuse me, sir, is barack obama here?

and the marine says, i'm sorry barack obama is no longer president of the united states. [ applause ] january 21st the same little old man comes up to the same marine and says, sir, is barack obama still here? no, sir, barack obama is no longer president of the united states. the third day he comes up now january 22nd same little old man, same marine. he says, excuse me sir, is barack obama here? at this point the marine is frustrated. he sighs, he says, sir, i've told you three days in a row, barack obama is no longer president of the united states. little old man with a twinkle in his eyes he goes, i know that. i just love hearing you say it.

[ applause ] and the marine stands to attention, salutes and says, see you tomorrow, sir! morning is coming and it is thanks to each and every one of you. god bless you and god bless the united states of america.

>> they've asked me to be the skunk at the garden party. we have a wonderful capper for today's luncheon. my friend, congressman steve king, representing the 4th district of iowa. he was first elected to congress in 2002. after having been a small business owner audited by the irs. congressman king and his wife marilyn have three grown sons and seven grandchildren, and counting. congressman king represents ames, ft. dodge, mason city, sioux city and the spencer areas. he's known for his steadfast -- his steadfast support of additional marriage life,

strong nation defense and constitutional principles. in 2012 congressman king defeated a former first lady and a wife of a sitting cabinet secretary in president obama's cabinet. despite the success of the cynical so-called war on women and many other races. and he won by eight points. congressman king has spent the last couple of years trying to have senator ted cruz as his warm-up band, and today he succeeded. the fabulous congressman steve king. [ applause ] >> thank you all very much. thank you, thank you. thanks, kellie ann, for that introduction. you all known kellie ann. we've been friends for a long

time. i always think when i have a conversation with her i want to tape-record it first, and i want to play it back at 33 instead of 45 and i want to listen three times and take notes and i still miss something. there's so much information that comes out of her. it's just so relevant. and i appreciate that. and, of course, i'm -- i have this privilege of being -- well they now tell me i'm dean of the iowa congressional delegation. i liked my youth before i became a dean. now i still feel i have my youth intact, however. it is a wonderful thing to see this presidential race come together. it's something i've been involved in for a long time, each of the presidential races cycle after cycle. after a while you see the rhythm of this and you get a sense of how it's shaping up. this is an unpredictable arena that we have.

and often i have young people that come in and hand me their resume apply for a job and i look at them and they say what is your major? i'm a major in political science. well, how are you going to deal with this bad news? political science is not a science. probably isn't even an art. it's kind of a messy operation. and you have to have some ability to anticipate what human nature is what human needs are and how they're going to react to it. and to the extent you can do that and the extent that not only can you see it and be able to analyze it and position yourself, but to the extent you can influence others is the way our voices are heard. i want to tell you, as much as i've looked at this political art rather than a science everybody's voice is heard in some way or another. all the things you do when you're at church and you're together and you step out afterwards, those conversation have taken place, those voices

are heard. it changes the way people do things and how they think. if you're at school if you're at work f you're at play, if you're out shopping, whatever you do if you go to the ball game, you talk to the people next to you and we're constantly imparting our values to the people around us. now, some people are ignored. some people are ignored rightfully. and others will be speaking suck sixty truth and ignored anyway. to give you a sense of that this is one of the -- one of my favorite things that have happened in my public life. that is that i was at the republican booth at the state fair in des moines two, three years ago and a young man came up to me and across the countrier and he said, i -- he said, you won't remember me but i want to re-introduce myself. my name is michael. i've forgotten his last name. he said you were -- four years ago you were down -- he said i was waiting tables down at

applebees four years ago and he came in late as our last customer. he said, you spent a lot of time talking to me. he said, one of the things you said to me and one of the things you said to me was that if god tapped you on the shoulder tonight and said, i'm going to give you a single do-over in life, you told me the answer that i would give would be i'd have twice as many kids, because that's how you count your blessings. he was a young man. he told me he and his young wife didn't man a family but he told his wife that story. he said, now i've brought my wife and three kids here to introduce them to you. wow. if we think our voice isn't heard -- i forgot about that conversation. i won't now. i'll never forget about that conversation. we have that going on.

also we have the presidential race going on. of course, in iowa, new hampshire, south carolina. i've gotten involved in that. i try to -- four years ago we did an event march 26th at the marriott hotel in downtown des moines, filled it up with presidential candidates and other people in there to provide the constitutional guardrails. we went on from 9:00 in the morning until -- c-span left us about 5:00 that night but we carried on until about 8:30. the idea is we would do an event in iowa, new hampshire and south carolina to tie the early states together. we did do that, and jim demint joined me in each of those states. he was the host in south carolina. we started out again january 24th in iowa this cycle and held an event there and -- at the hoyt sherman. it was another good chance. it seemed to launch the presidential cycle. we've had a number of larger events across the country. i've since been to new hampshire. i've since been to south

carolina. i recognize how important the early states are. thankfully the early states do exemplify a lot of the values we share here in this hotel. and when i hook around at my neighbors, solid faithful people, never had a bad neighbor where i live and we lived in that house since 1978 and i see the activists that come out. and i know what you believe in. and it's just been something that brought me out to work with you. but i can go clear back into the well -- in the early '80s and maybe even before that standing up for life and for marriage, in particular. and -- [ applause ] i recall in 1996 i was a delegate to the national convention in san diego. and i opened up my little program. it was a little trifold like this. i hook add it thursday afternoon at 3:00. in the protest zone would be the christian women for choice. now, i'd never run across anybody that was a christian

woman for choice before. and that inner voice said to me, kind of the tap on the shoulder steve, there they are. so, i was compelled to walk that couple, three blocks down there and go into that chain-like fence enclosed place and they had a platform stage with big speakers on it. and i said i want to find the leader of the christian women for choice. i was curious, what kind of scripture are they going to quote to me? well, we ended up in this nose-to-nose debate, just knocking heads on that. and out of that came this principle, is human life sacred in all of its forms? yes. it couldn't be denied by her or the people that piled up with her. second one is, then at what moment does life begin? and out of that, of course came at the moment of conception. and i have over and over again delivered that to high schools, to entire school auditoriums since i was elected to state

senate as well as congress and no one could debate that. i said in the debate, she doesn't know when her life began, but i know when her life began. so i wanted to mention the marriage side of this. we have a mark on us in iowa. you know that the iowa state supreme court imposed same-sex marriage in iowa. some of you joined me on this, and we went on the judge bus and around and we voted three of those supreme court justices off that bench. never happened in the history of our state. voted them out of office. [ applause ] now we have a supreme court poised here in this metro area in this city to perhaps do what the supreme court justices did in what what. and i see that there's a movement i support, which there comes a time for civil disobedience in this country. there is nothing in the constitution that says that somehow our founding fathers or the ratifiers of the

constitution and the various amendments along the way, including the 14th amendment, they had deftly written into the ee num ragss, that there was going to be some constitutional right for same-sex marriage. that can't be allowed to stand. [ applause ] and i reminded them, i wrote an op-ed a little while ago and i reminded them, you had the dred scott decision, they were going to end slavery with the supreme court ending of dred scott. that caused a civil war 6,000 people killed to end slavery. then you can fast forward to roe versus wade, 1973. what happens with that? the supreme court decides they are going to side for us a huge profound social question, not rooted in law or constitution, they made it up as they went along and i could give you the can case law going back ahead of that to get there.

what happens? we march in this city january 22nd every year until we come back here to celebrate the end of roe versus wade. we don't need a marriage decision that's piled on top of dred scott and roe versus wade. that's my point. i want to make sure the supreme court justices hear that before they issue a decision this month. then i just wanted to tell you where i am on the presidential race. there are a lot of candidates. i like them. they're good people. can and i know most of them personally. i have great respect for them putting themselves up in front. my warm-up act included, ted cruz. i thought, how am i going to decide? i don't know. but i am looking for air full spectrum constitutional conservative. that would be ted. he carries that mantel pretty well. i'm a fair taxer so maybe i'll

order off mike huckabee's tax menu. i love the way rubio talks about american exceptionalism. so, i'll pull some of that out thereof. lindsey graham has a good sense of humor and strong on national defense, so i'll take his sense of humor. he lightens things up a little bit. and, you know, donald trump was pretty strong on immigration here the last couple of days. i'm just sure i can walk up there to that table and order off the menu or pick it out of the buffet. we will put together a great president. when we put a great president together and get him nominated, or her because carly has impressed me as well. very sincerely has. most succintly inspiring of all the candidates time after time. we have a big job. we have to identify the best of all of these, the full constitutional conservative that will defend this country, defend life, defend marriage, defend the constitution, grow this economy. more importantly, a president whom god will use to restore the

soul of america. that's our mission. [ applause ] that's our mission and that's my prayer. i ask you do that same thing. let's just pray to god that he leads us down this path and raises up a leader whom he will use to restore the soul of america. thank you very much. god bless you. [ applause ] >> ladies and gentlemen, how about a collective round of applause for all of our speakers today at lunch. they're terrific. and i'm going to speak for them and the faith and freedom coalition majority conference in telling you thank you very much for being at this lunch for

your interest in the legislative activities that are about to commence, and certainly just for being who you are. major contributors to a big mission here to keep our country strong. thank you for being principled people of faith. thank you for not shying away when you're ridiculed for those reasons. which is the personal equivalent of you can't win is that's a ridiculous idea and what are you doing? with god over there. for those who take their daily nourishment from the bible and not from inside the beltway, hats off to you. we can use more of it. i'd like to thank you for being here to ask god's blessing upon each of you and your loved ones. safe travels if you're returning somewhere. and i would like to wrap by telling you you'll now get instructions as to the next legislative session, which sounds really exciting. make sure you make your voices heard up there on capitol hill and certainly in the elections in 2015 and '16. god bless you. thank you.

>> good afternoon, everyone. i hope you enjoyed the lunch. nice lineup of new faces that probably no one's heard their names before. i'm going to close this up. i'm patrick pertill director of legislative affairs for the faith and freedom coalition and i'm opening the washington office here now. thank you. [ applause ] >> i just wanted to let you know with what we have planned for the rest of the day. we have got directly out of this room the stairs that you came down, if you go up and then up the next flight out the front of the hotel they've moved the buses, that's where the buses won't be. so -- okay. sounds good. directly to the right of the porminade, folks directing you where the folks will be. we'll find them. we have four bustos take everyone up to capitol hill. we're hoping to have the buses

loaded about 2:00. if you go up and ride the buses with us i want to let you know we'll have packets on the buses for you. this is a packet of information that just kind of tells you -- it's got a map of capitol hill list of the members and of the members and senators offices. just basic information to help you find your way around up there. and then there will be a folder like this which any of the offices you're going to visit we'd ask you leave this with them. it has some information on bills we're very interested in and some bills i think you'll be very interested in as well. if you're going to go to one office, take one. if you plan on making it to your senators and your representative, go ahead and take three. as many as you need to go ahead skm drop them off. if you're not going to ride the buses with us we have these packets outside if you plan on making your own way up to capitol hill today. and don't forget there is the reception this evening on capitol hill in hc8 beginning at 5:00. i wanted to -- we'll tell you more on the buses but to get

into hc8 you're going to have to enter in through the south side entrance on the house of representatives on the capitol building. you've got to be at that entrance by about 4:30 if you want to get through because you have to be badged for hc8 in the capitol hill capitol. if you missed that, don't panic. you can go down through the visitor center which is directly under the capitol. the welcome desk is open with longer hours there. don't panic. but it's easier if you're there at 4:30 on the south side of the capitol. look forward to seeing you up there. here are some of our feature featured programs this weekend.

saturday night supreme court justice ruth bader ginsburg. a production of a new mu vee about her life and career. and sunday night at 6:35 a profile interview with presidential candidate texassm senator ted cruz. on book tv on cspan-2 saturday morning at 10:00 eastern we're live for the annual roosevelt reading festival at the fdr presidential library and museum. chris fe o sullivan on christopher's envoy. and molly give up till manning on how books help the morale of our military in world war ii. on sunday night at 9:00 on "afterwards," mona on the need of a sexual revolution in the middle east. and this weekend on american history tv on cspan 3 we're live from the gettysburg college civil war institute summer conference on the end and aftermath beginning at 8:30

eastern saturday morning with history professor joan joa. and sunday morning we continue our live coverage beginning at :30 with city college of new york with gregory downs on the consequences of war. later, a dpisdiscussion with history professor william blare. get our complete schedule at cspan.org. this weekend the cspan cities tour has partnered with comcast to learn about key west, florida. earnest hemmingway wrote several novels at this home in key west. >> they found this house for sale. they bought it for $8,000 in 1931. and pauline actually converted this hay loft into his first formal writing studio. here he fell in love with

fishing. he fell in love with the clairetive, his writing. he knocked out the first rough draft of a farewell to arms in the first two weeks from arriving in key west. he had a line, if you really want to write start with one true sentence. >> to a true writer each book should be a new beginning or he tries again for something that is beyond attainment. he should always try for something that has never been done or the others have tried and failed. >> key west is also

of hawaiian shirts to the president with the thought that if the president's wearing our shirt we're going to sell a lot of shirts. and so president truman wore those free shirts that first year and then organized what they called the loud shirt contest. and that was the official uniform of key west. >> watch all of our events from key west saturday at 5:00 p.m. eastern on c-span 2's book tv and sunday afternoon at 2:00 on american history tv on c-span 3. office of personnel management director kathrine arch let ta says the number of people impacted by two recent cyber breaches is likely to grow. she testified before the house oversight and government reform

committee yesterday.s she says more than 4 million utes federal personnel are b affected. this hearing is about two and a half hours. without objection to chair authorize a recessum at any time.ntaril mr. cummingsy. will be with us momentarily as another committeeeek, w assignments alsoe pressing on his schedule. last week wethe learned that the united states of america may i have had what may be the most this devastating cyber attack m in our lon nation's history. and that this may have been th happening over a long period of time. as we sit here thisonal morning i there's a lot of confusion about exactly what personal information for millions of current or former federal

employee workers were exposed through the latest data breach at the office of personnel management. initially reported that the personal information of 4 million federal employees was exposed during this attack.ports su more recent public reports suggest that the breach was perhaps much worse than that.orse m it'san also unclear exactly what information was exposed.has we would like to know what information was exposed, over what period of time and who has this vulnerability?we nee it would also be great to know who had conducted this attack. i think we need to have candor le. with not only the federal employees but the american ound people as well. the breach potentially included hrough highly sensitive personal background information collected through the security clearance applications. we would like claritytion on that position as well.orce the loss of this information sk puts our federal workforce at risk particularly our intelligence officers and others working on sensitive projects throughout the globe. but we're concerned about each and every federal worker and the public who has interacted with ti the government andon entrusted

this information with the government. wehy t need to understand why the federal government and opm in particular strictly guarding some of our nation's most important information. g the factiv opm was breached should come as no surprise giveng on its trouble track record on security. this has been going on for years and it's inexcusable. agency compliance with the federal information security standards. according to this latest -- the last eight years of i.g. reports, opm's data security posture was akin to leaving all the doors and windows in your house and expecting that nobody would walk in and nobody would take any information. how wrong they were. since 2007 the opm inspector a mat general raided eropm's data security as "a material weakness." because the agency had no i.t. could policies or procedures that b could come anywhere close to uring something that could be used as is

un an excuse for securing the information. it's unbelievable to think thege agency charged with maintaining and protecting all our personal information of almost all former and current federal employees place. would have so few information technology policies or procedures in place. this year we are expanding the material weakness to include theg conc agency's overall information security governance programs incorporating our concerns aboutir the agency's security management structure. the continuing weakness at opm's information securitythe lack of policies

and procedures is a material witness in their security program. fiscal year 2011, we continue to believe that the information security, this represents a material weakness at opm. >> we continue to believe the information security governance hrough at ouopm's i.t. program. fiscal year 2012 throughout fiscal year 2012 the ocio the office of the chief information officer, continued to operate ntrali with a decentralized i.t. ble to security structure that did not have the authority or resources available to adequately implement new policies.the however, theag material witness remains open in this report as the agency's i.t. security function remained decentralized throughout fiscal year 2012. and because of the continued instances of noncompliance with fsma requirements. goes on later, however, the ocio's statement is inaccurate

as there were in fact -- let me go back. the ocio's response to our draft audit report indicated that the cause disagree with theof classification of the material weakness.cause because of the program that opm loss has made with its i.t. security program and because there was no loss of sensitive data during the fiscal t heyear. but as the inspector general pointed out however the ocio's statement is inaccurate as there was in fact numerous informationthat security incidents in fiscal year 2012 that led to the loss that t or unauthorize edd. they couldn't agree on the data in 2012 let alone actually solve the problem. go to fiscal year 2013. again, the inspector general the findings of this audit report highlight the fact that opm's governance structure continues to result in manyn re instances of noncompliance therefore again reporting this issue as a material weakness in fiscal year

2013. fast forward to 2014. this is november of 2014. 11 major opm administrations operating without valid authorization. the controlled structured i.t. security program. it goes on.vices, opm does not maintain a comprehensive inventory of ventor servers, y.databases and i.t. devices. they didn't even know what they ceown weak have. they don't evenin know what's in the inventory. product offices are not -- into plans of actions and milestones and the majority of systems e to i contained are over 120 days overdue. however security. not all opm systems have inform conductedat contingency plans in fiscal year 2014.

several information security agreements between opm and contract operated information systems have expired. multifactor awe they wantuthentication is not for required to enact in when i accordance with the memorandum. this has been going on for a at was long time. p and yet when i read the testimony that was provided here we're about to hear some, hey, we're doing a great job.this you're not. it's failing. this went on for years and did not change. roughly 23% at opm lacked proper security authorization meaning the security of 11 major systems was completely outdate edd.

the person in charge of the agency's data security. the i.g. only ntrecently upgraded to significant deficiency. 201 in november 2014 over 65% of all systems operated by opm reside on two of the systems without valid authorization. sitting on two systems, no valid authorization, 65% of the information. clear . y disregards data security for so long, that is negligent. the fact that the agency that did this is responsible for maintaining highly sensitive information for all -- for almost all federal employees it in mind opinion is egregious. other agencies also suffered breaches. the latest clever hack comes on the heels of other government agencies, the state department the internal revenue department

and even the white house. and at the same time, the government is spending more on information technology. last year, we the american people spent almost $80 billion on information technology and it stinks, it does not work. $80 billion later, and the person in charge of security the person in charge of making sure that there is authentication of systems, even in her own office there is authorization needed. -- there is no authorization you. opm is not alone in the blame for this failure. the office of budget has the response ability for setting standards for these practices. it is -- job to hold these agencies accountable. the department of homeland security has been given the lead responsibility for this, the

geek squad, to monitor day-to-day practices, but the technical tools that have been deployed is not doing the job. while dhs has developed einstein to monitor networks, and only detects known in traders -- intruders. it is completely useless in the latest hacks. this status quo cannot continue. we are talking about the most vital information of the most sensitive nature of the people that we care about most. the people who trust that information to opm, and through the years it has been a total failure. to the point that we find ourselves, millions of americans wondering, what some -- what somebody knows about them. what are they supposed to do?

i have read the letter that you have sent to -- it's grossly inadequate. it's grossly inadequate. that's why we're having this hearing here today. we do appreciate you all being here. i think what we're going to do now is i'd like to recognize the gentleman from texas who's the chairman of the subcommittee that we have at the oversight mr. hurd for five minutes. -- >> with opm, i'm concerned. today's hearing is just another example of the undeniable fact that america's under constant attack. it's not bombs dropping or missiles launching. it's the constant stream of

cyber weapons aimed at our data. from private sector invasions to military secrets our enemies are attempting to rob this country on a daily basis. and unfortunately they are succeeding. the worst of these cyber attacks are not coming from the caves of afghanistan or syria, but from air-conditioned office buildings in china iran and russia far from battlefields. these hackers work with impunity knowing that their actions have no consequences. this is not only a question of how we can protect our networks and data, but of how we define the appropriate responses for digital and digital attacks. this is one of the questions i've been asking for years and i've continued to ask in my role as chairman of the information technology subcommittee. it's no secret that federal agencies need to improve their cyber security posture. we have for years and years of reports highlighting the vulnerabilities at federal agencies from legacy systems to poor compliance. and while there have been improvements, they have not kept pace with the nature of the threats we are facing. but until agency leadership

takes control of these basic cyber security measures, things like strong authentication, network monitoring encrypting data and seg menation, we will always be playing catchup against our highly sophisticated and well resourced adversaries. i welcome the witnesses here today and look forward to their testimony. thank you, mr. chairman. i yield back. >> i thank the gentleman. we'll now recognize the gentlewoman from illinois, the ranking woman of the subcommittee and i-team miss kelly for five minutes. >> thank you mr. chair. i want to thank our expert witnesses for participation today and i want to thank the chairman and ranking member for holding this important hearing on the opm data breach. as you know i have the privilege of serving as a ranking member of the i.t. subcommittee. the issue of data breach is something that chairman hurd and i are quite concerned with and we are looking forward to working with our colleagues to be active in addressing this issue. all of us here today should be quite concerned. the opm breach has raised significant questions about how adequately the personal

information of government employees is stored on government networks. we know that every day our government and american businesses face a barrage of cyber threats. we're reminded of many of the high profile breaches on some of our nation's most important companies. but there are every day cyber intrusions of our data that aren't making the headlines. whether it's criminals beyond our borders profiting from fraud and identity theft, to domestic competitors who steal intellectual property to gain advantage or hacktivists looking to make a statement against governments. cyber crime threatens our national security and economic prosperity. data breaches probably won't end any time soon, but they're something we can be more aggressive in catching. these bad actors will look to innovate their way around newly integrated cyber defenses. this is why we must be just as innovative. that's why we must have a frank conversation today and prepare a

multifront strategy to ward off and diminish the possibility of future data breaches. so i thank the committee and our witnesses again for this opportunity to examine the opm attack and with that i yield back. >> thank the gentlewoman. it is our intention to hear the ranking member mr. cummings statement, but i think what we will do now is swear in the witnesses, hear their statements and then go to mr. cummings before we get to questions. if that's okay with everybody. i will hold -- i will also hold the record open for five legislative days for any members who would like to submit a written statement. we'll now recognize our first panel of witnesses. pleased to welcome the honorable kathrine archiletta. dr. andy osmond at the national program's preparedness at the united states department of homeland security. mr. tony scott u.s. chief information officer of the office of e-government and information technology at the u.s. office of management and

budget. miss sylvia burns, chief information officer of the united states department of interior. miss donna seymour, chief information officer of the united states office of personnel management. and mr. michael yeesser at the united states office of personnel management. we welcome you all pursuant to committee rules witnesses are all to be sworn before they testify. if you will please rise and raise your right hand. do you solemnly swear or affirm that the testimony you're about to give will be the truth the whole truth and nothing but the truth? thank you. please be seated. let the record reflect that all witnesses answered in the affirmative. in order to allow time for discussion, we would appreciate your limiting your testimony to five minutes.

we will -- again, please limit your comments to five minutes. i'll be a little bit generous, but five minutes if you could. and your entire written statement will be entered into the record. at the conclusion we'll hear from mr. cummings and go to opening statements. with that we'll recognize the director of the office of personnel management. and you are now recognized for five minutes. >> chairman chaffetz ranking member cummings and members of the committee, i'm here today to talk to you about two successful intrusions into opm's systems and data. but first i want to deliver a message to federal employees, retirees and their families. the security of their personal data is of paramount importance. we are committed to full and complete investigation of these incidents and are taking actions to mitigate vulnerabilities

exposed by these intrusions. when i was sworn-in as director 18 months ago i recognize that in order to build and manage an engaged, inclusive and well-trained workforce that we would need a thorough assessment of the state of information technology at opm. i immediately became aware of vulnerabilities in our aging legacy systems. and i made the modernization and the security of our network one of my top priorities. government and nongovernment entities are under constant attack by evolving advanced and persistent threats in criminal actors. these adversaries are sophisticated, well-funded and focused. these attacks will not stop if anything they will increase. within the last year we have undertaken an aggressive effort to update our cyber security

posture adding numerous tools and capabilities to our networks. as a result in april of 2015 an intrusion that pre-dated the adoption of these security controls was detected. we immediately contacted the department of homeland security and the fbi. and together with these partners initiated an investigation to determine the scope and the impact of the intrusion in may the inner agency response team concluded that the exposure of personnel records had occurred. and notifications to effected individuals began on june 8th and will continue through june 19th. as part of our ongoing notification process, we are continuing to learn more about the systems that contributed to individuals data potentially

being compromised. these individuals were included in the previously identified population of approximately 4 million individuals and are being appropriately notified. for example we have now confirmed that any federal employee from across all branches of government whose organization submitted service history records to opm may have been compromised even if their full personnel file is not stored on opm's system. during the course of the ongoing investigation the inner agency incident response team concluded later in may that additional systems were likely compromised. this separate incident which also predated deployment of our new security tools and capabilities remains under investigation by opm and our inner agency partners. however, there is a high degree

of confidence that systems related to background investigations of current former and prospective federal government employees and those for whom a federal background investigation was conducted may have been exfiltrated. while we have not yet determined its scope or its impact we are committed to notifying those individuals whose information may have been compromised as soon as practical. but for the fact that we implemented new, more stringent security tools we would have never known that malicious activity had previously existed on that network. and would not have been able to share that information for the protection of the rest of the federal government in response

to these incidents and working with our partners at dhs, we have immediately implemented additional security measures to protect sensitive information and take steps towards building a simplified modern and flexible network structure. we continue to execute on our aggressive plan to modernize opm's platform and bolster security tools. our 2016 budget requests includes an additional $21 million above 2015 funding levels to further the support of the modernization of our i.t. infrastructure, which is critical to protecting data from the persistent adversaries we face. this funding will help us sustain the network security upgrades and maintenance initiated in fiscal year 2014 and fiscal year 2015 to improve our cyber posture including advanced tools such as database

encryption, stronger fire walls storage devices and masking software. the funding will also support the redesign of opm's legacy network. thank you for this opportunity to testify today. and i'm happy to address any questions you may have. >> thank you. dr. osmond? >> chairman chaffetz and ranking members of the committee. like you my fellow panelists and countless americans i am deeply concerned about the recent compromise at opm. i'm personally dedicated to ensuring we take all necessary steps to protect our federal workforce and to drive forward the cyber security of the entire federal government. director in my written statement both spoke to the facts of the opm statement, so i want to focus my remarks on how to focus on protecting the federal government. this morning i will discuss how the department of homeland security is protecting civilian federal agencies and helping those agencies better protect

themselves. under legislation passed by this congress last year, dhs provides a common baseline of security across the civilian government and helps agencies better manage their cyber risks through four key efforts. first, we protect agencies by providing a common set of capabilities through the einstein and continuous diagnostics and mitigation or cdm programs. second, we measure and motivate agencies to innovate best practices. third, we serve as a hub for information sharing and we provide assistance when agencies suffer a cyber intrusion. i will focus this morning on the first area how dhs provides a baseline of security across the federal government through einstein and cdm. i've described the other three areas in my written statement and i'm happy to take your questions on them. our first line of defense against cyber threats is the einstein system which protects agencies at the perimeter.

a useful analogy is that of a physical government facility. in this analogy with the physical world einstein i is similar to a camera at the entrance of a facility that records the traffic coming and going and identifies anomalies in the number of cars. einstein 2 adds the ability to detect suspicious cars based upon a watch list and to alert security personnel when a prohibited vehicle is identified. einstein 2 does not stop cars, but it does set off an alarm. one and two are fully deployed in screening traffic that goes through trusted internet connections. the latest phase of the program known as einstein 3a is akin to the guard post at the highway that leads to multiple government facilities. it actively blocks prohibited cars from entering the facility. we are accelerating our efforts to protect all civilian agencies

with einstein 3a. the system now covers 15 federal civilian agencies with over 930,000 federal personnel, which is approximately 45% of the civilian government. and those are protected with at least one of two security countermeasures. that is about double the coverage we had just nine months ago. during this time einstein 3a has blocked over 550,000 attempts to access potential lima lishs websites, which is one of our two countermeasures. einstein played a key role in identifying the recent compromise at the opm data of the department of the interior. we also recognize that security cannot be achieved through only one type of tool. einstein would never be able to block every threat. for example, it must be complemented with systems and tools to monitor inside agency networks. our cdm program addresses this challenge. returning to our analogy of a government facility, cdm phase 1 allows agencies to continuously

check building blocks and security cameras to ensure they're operating as intended. continue to detect unusual patterns. we have provided cdm phase 1 capabilities to eight agencies covering over 50% of the federal government. and we expect to cover 97% of the government by the end of this fiscal year. now, the deadlines i've just told you are when dhs will provide a given capability it will take a few additional months for agencies to fully implement their side once they are available. of course agencies must supplement einstein and cdm with additional tools appropriate to their needs. i'd like to conclude noting federal agencies are a rich target and will continue to experience frequent attempted intrusions. this problem is not unique to the government as our detection methods continue to improve we will in fact detect more

incidents. incidents that are already occurring and we just didn't know it yet. the recent breach at opm -- recommended by dhs. we are facing a major challenge in protecting our most sensitive information against sophisticated well-resourced and persistent adversaries. further, the entire nation is now making up for 20 years of underinvestment in our nation's cyber security in both the public and private sectors. in response we in the government are accelerating the deployment of the tools we have and are bringing cutting edge capabilities online. and we are asking our partner agencies in congress to take action and work with us to strengthen the cyber security of federal agencies. thank you again for the opportunity to appear today. and i look forward to any questions. >> thank you, mr. scott. you have a very impressive background. you're joining the federal government is much appreciated. we look forward to hearing your

testimony. you're now recognized for five minutes. >> thank you, chairman chaffetz, ranking member cummings members of the committee. thank you for the opportunity to appear before you today. and i appreciate the opportunity to speak with you about recent cyber incidents effecting federal agencies. i'd like to start by highlighting a very important point, which has been mentioned already and of which i'm sure you're aware. but both state and nonstate actors who are well-financed highly motivated and persistent are attempting to breach both government and non-government systems every day. and these attempts are not going away. they will continue to accelerate on two fronts. first the attacks will become more sophisticated. and second as we remediate and strengthen our own practices our detection capabilities will

improve. that means we have to be as nimble and aggressive and as well resourced as those who are trying to break into our systems. confronting cyber security threats on a continuous basis is our nation's new reality. a reality that i faced in the private sector and am continuing to see here in my new role as federal chief information officer. as federal cio i lead the office of management and budget office of e-government and information technology. my office is responsible for developing and overseeing the implementation a federal information technology policy. and even though my team has a variety of responsibilities, i'll focus today's remarks on cyber security. under the federal security information security modernization act of 2014, most of us know this as fisma

responsible for oversight and policy issuance. executes its responsibilities in close coordination with its federal cyber security partners including the department of homeland security and the department of commerce national institute of standards and technology. as i mentioned in front of this committee in april omb also recently announced the creation of the first-ever dedicated cyber security unit within my office. this is the team that's behind the work articulated in the fiscal year 2014 fisma report which highlighted both the successes and challenges facing federal agencies cyber security programs. in fy2015 is targeting through cyber stat reviews prioritizing agencies with high risk factors determined by cyber security performance and incident data.

my colleagues will fully address the recent cyber incidents effecting the office of personnel management. my office monitors very closely all reports of incidents effecting federal networks and systems. look for trends and patterns as well as for areas for our government wide processes policies and practices can be strengthened. and we then update our guidance and coordinate with other agencies to ensure that that guidance is implemented. and as you heard from me last week, the recently passed federal information technology acquisition reform act and our guidance associated with that legislation strengthens the role of the cio in agency cyber security. in this case opm notified omb in april 2015 of an incident effecting data in transit in its network. opm reported that they were

working closely with various government agencies on a comprehensive investigation in response to this incident. we have been actively monitoring the situation and have been gauged in making sure that there's a government wide response to the events at opm. to further improve federal cyber security infrastructure and to protect systems against these evolving threats, omb launched a 30-day cyber security sprint last week. the sprint will focus on two areas. first an inner agency team is creating a set of action plans and strategies to further address critical cyber security priorities. second agencies were directed to accelerate efforts to deploy threat indicators, patch critical vulnerabilities and tighten policies and practices for privileged users. and to dramatically accelerate implementation of multifactor authentication. in closing i want to underscore

a critical point i made at the beginning of this testimony. both state and nonstate actors are tempting to breach government and nongovernment systems in a very aggressive way. it's not going to go away. and we're going to see more of it. ensuring the security of information on federal government networks and systems will remain a core focus of the administration as we move aggressively to implement innovative protections and respond to new challenges as they arrive. in addition to the actions we are taking we also look forward to working with congress on legislative actions that may further protect our nation's critical networks and systems. i thank the committee for holding this hearing and for your commitment to improving federal cyber security. be pleased to answer any questions you may have. >> thank you. miss burns, you're now recognized for five minutes. >> thank you. good morning chairman chaffetz ranking member cummings and distinguished members of the

committee. my name is sylvia burns and i am the chief information officer for the u.s. department of the interior. i appreciate the opportunity to testify regarding doi's efforts to secure and protect agency, customer and employee data in the wake of recently discovered cyber intrusion. additionally we appreciate having had the opportunity to provide a classified briefing on the cyber intrusion for members of your committee staff and other congressional staff on may 21st 2015. cyber intruders executed very sophisticated tactics to obtain unauthorized access to opm data hosted in a doi data center which contained sensitive personally identifiable information. the incident was and remains under active investigation. at present the effort has not discovered evidence that any data other than opm data was exfiltrated. doi has initiated a major

planning effort to address short, medium and long-term remediation to reduce risks to the department, our employees, our customers and our partners. doi takes the privacy and security of this information very seriously. in april dhs's u.s. computer emergency readiness team informed doi about a potential malicious activity which was later determined to be a sophisticated intrusion on doi's network. doi immediately began working with u.s. sert the fbi and other federal agencies to initiate an investigation and determine what information may have been compromised. doi allowed dhs and the other investigating agencies immediate access to the doi computer systems and doi dedicated support -- people to support the investigation. although there is evidence that the adversary had access to the doi data center's overall environment, today the investigation has not discovered evidence that any data other

than opm data was exfiltrated. however, the investigation remains ongoing. concurrent with the investigation doi immediately initiated a major planning effort to address short medium and long-term remediation to strengthen our cyber security protections. we undertook those efforts in the context of other cyber security improvements which were already underway pursuant to the department's commitment to the administration's cyber security cross agency priority goals as well as dhs's cdm program. we have now accelerated our work on pre-existing efforts while di vising and implementing new security measures in consultation with the investigating agencies with the expertise related to this particular threat. activities are under way include working with dhs to scan for specific malicious indicators across the entire doi network. as part of dhs's binding operational directive, we are identifying and mitigating critical i.t. security

vulnerabilities for all internet facing systems and at the direction of the secretary and deputy secretary. we are doing the same for all of doi's i.t. systems. this includes systems that are for doi's internal use as well as systems for the public and non-doi users. we are acquiring and implementing new capabilities that will help us detect and respond quickly to new intrusions. we continue to meet with interagency partners to learn about their activities and lever their knowledge. we are fully enabling to factor identification for all users. doi's existing long-term plan includes several agency wide strategic initiatives including continue our commitment to dhs cdm program. we're almost done implementing hardware and software management asset and new opportunities for white listing, network access control and dashboardingity to.

we are strengthening cyber security and privacy work force so we have knowledgeable and experienced people to address current and future threats facing the agency. we are designing network increase seg menation so if an intrusion occurs in one segment we can better eliminate the extent of the exposure. we are implementing data rights management for potential future investments. again, doi takes the privacy and security of its data very seriously. we are committed to supporting and continuing the investigation regarding the incident effecting opm data. further more we will continue to be an active participant in the ongoing efforts by the federal government to improve our nation's overall cyber security posture. chairman chaffetz, ranking member cummings and members of the committee, this concludes my prepared statement. i would be happy to answer any questions that you may have. >> thank you. ms. seymour you're now

recognized for five minutes. >> my remarks were included with the director. thank you for having me here today, chairman chaffetz and ranking member cummings and i'll be happy to answer your questions. >> mr. eszer you're recognized for five minutes. >> chairman chaffetz ranking member cummings and members of the committee good morning. my name is michael r es ser, i am the assistant inspector general at u.s. office of personnel management. thank you for inviting me to testify in today's hearing on the i.t. security audit work performed by the opm office of the inspector general. today i will be discussing opm's long history of systemic failures to properly manage i.t. infrastructure which we believe ultimately led to the breaches we are discussing today. there are three primary areas of concern that we have identified through our audits during the past several years. information security governance, security assessment and

authorization and technical security controls. information security governance is the management structure and processes that form the foundation of a successful security program. for many years opm operated in a decentralized manner with the agency's program offices managing their i.t. systems. the agency's cio had ultimate responsibility for protecting these systems, but often did not have the access or control to do so. the program office staff responsible for i.t. security frequently had no i.t. background and performed this function in addition to their other full-time roles. as a result of this decentralized structure, many security controls remained unimplemented or untested and all of our fisma audits between 2007 and 2013 identified this as a serious concern. however, in 2014 opm took steps to centralize i.t. security

responsibility with the cio. this new structure has resulted in imthe improvement at opm. although we are optimistic about these improvements it is apparent that the ocio is still negatively impacted by years of decentralization. this is a comprehensive assessment of each i.t. system meets applicable security standards. opm has a long history of issues related to system authorization as well. in 2010 and 2011 we noted serious concerns in this area, but after improvements made removed as an audit concern in 2012. however, problems with opm system authorizations have reappeared. in 201421 systems were due to

be, but not in the end. temporarily efforts put on hold while modernizes in response to security breaches. so it is likely that the number will increase. while we support the effort to modernize systems we believe authorization activity should continue. the third topic relates to opm's use of technical security controls. opm has implemented a variety of controls and tools to make the agency's i.t. systems more secure. however, such tools are only helpful if they are used properly and cover the entire infrastructure. we have concerns that they are not. for example, we were told that opm performs vulnerability scans on all computer servers using automated scanning tools. although opm was performing the

scans, our audit also found that some were not done correctly and that some servers were not scanned at all. one significant control that is lacking altogether is the requirement for piv credentials for two factor authentication to access information systems. we also determined that opm does not have an accurate centralized inventory of all servers and databases. even if all opm's security tools were being used properly, opm cannot fully defend its network without a comprehensive list of assets. in closing it is clear that even though security responsibility is now highly centralized under the ocio the recent security breaches indicate that opm still has significant work to do to identify all of the assets and data that it is tasked with protecting and then take the steps to do so. thank you for your time. and i am happy to answer any questions you may have.

>> thank you. now recognize ranking member mr. cummings. >> thank you. the recent attack against the office of personal management is the latest in a series of aggressive attacks against our nation in both the public and private sectors. i want to put up a slide that lists some of the most significant breaches over the past few years. anthem, 80 million people. jp morgan, 76 million people, target 70 million people opm, at least 4 million so far. then there was the postal service. sony pictures. this is not a comprehensive list by any means. ladies and gentlemen, when you see this list, the picture is

clear. the united states of america is under attack. sophisticated cyber spies, many from foreign countries are targeting the sensitive personal information of millions millions of americans. they are attacking our government, our economy, our financial sector our health care system and virtually every single aspect of our lives. for more than two years i've been pressing for our committee to investigate these cyber attacks. so i thank the chairman for holding today's hearing. and i hope we will hold similar hearings on many of these other attacks as well. with respect to the attack against opm, my primary concern is who was targeted, government workers. but foreign governments could do

with this information. i have several questions for opm. how many employees were indeed effected? which kind of information was compromised? and what steps are being taken to help these employees now? also i want to know how these attackers got inside of opm's networks. last year cyber attackers penetrated the networks of usage and key point two contractors that perform background checks for security clearances on behalf of opm. one of the most critical questions we have today is did these cyber attackers gain access to opm's data systems using information they stole from usage or key point last year? did they get the keys to opm's network from one of its contractors? chairman, i ask you to invite both key point and usage representatives here to testify

today. you agreed to invite usage but last night last night they refused. just as they have refused repeated requests for information over the past year. did not offer someone else they thought would be appropriate, they simply refused. i do not say this lightly, mr. chairman, but i believe usage and its parent company may now be obstructing this committee's work. we have suggested previously that the committee hold a transcribed interview given the history of noncompliance i believe this may be one of the only ways to obtain the information we are seeking. mr. chairman over the past few years i've also been pressing to investigate ways to better protect personal information that belongs to the american people. their financial records, their medical records, their credit

card information their social security numbers and a host of other information they want to keep secure. i sought advice from some of the nation's top information security experts in private business and government. these experts warned that we cannot rely primarily on keeping the attackers out. we need to operate with the assumption that the attackers are already inside. they're already there. last week one of the world's foremost cyber security firms was penetrated in a cyber attack. and according to fire eye, one of the companies my staff spoke with, the average amount of time a hacker remains undetected is more than 200 days. that's a lot of time. obviously we need strong firewalls and other defenses to keep attackers out.

but experts recommend much more aggressive measures to wall off or segregate data systems to minimize the impact of data breaches in the future. practices like data masking, redax and encryption must become the norm rather than the exception. finally, we need to remember who the bad guys are here. they're not u.s. companies or federal workers who are trying to keep our information safe. the bad guys are the foreign nations and other entities behind these devastating attacks. according to law enforcement officials, north korea, china, russia and iran are the most advanced persistent threats to this nation's cyber security. so as we move forward today i want to caution everyone that as much as we want to learn about

this attack we have to do so in a responsible way. a lot of information about the attack is classified. and the last thing we want to do is give our enemies information or compromise active law enforcement investigations. and we're having a classified briefing for members at 1:00 p.m. today. so i encourage everyone to attend. and as i close mr. chairman i want to thank you again for the bipartisan approach you've taken on this issue. and i hope we can continue to investigate these and other breaches to identify common threats against our country and the best ways to counter them. with that i yield back. >> thank you. and i'll recognize myself for five minutes. i question how big was this attack? how many federal workers have been compromised? we've heard 4 million, we've heard 14 million. what's the right number? your microphone please.

>> sorry. during the course of the ongoing investigation into the cyber intrusion of opm the compromise compromise, the personnel records of current and former federal employees that we announced last week that number is approximately 4.2 million. in addition, in the investigation of that breach we discovered, as i mentioned in my testimony, an additional opm system was compromised. and these systems included information based on the background investigations of current, former and prospective federal government employees as well as other individuals. because different agencies feed into opm background investigation systems in different ways, we are working with the agencies right now to determine how many of their employees were effected. we do not have that number at this time, but we will get back

to you once -- >> what's your best estimate? is the 14 million number wrong or accurate? >> as i said before, we do not have an estimate because this is an ongoing investigation. >> how far back does it go? the information that -- you have former employees, current employees and potential employees, so how far back does this information go? that was in your system? >> thank you for that question, mr. chaffetz. i would have to respond again as because it's an ongoing investigation -- >> has nothing to do with impeding investigation. ushtd know what information you have and what you don't. so this is not going to slow down any investigation. people have a right to know. the employees have a right to know. how far back does your information database go that was compromised? >> the legacy systems date back to 1985 but i do not -- >> so anything that's 1985 -- >> no, sir. that would not be correct. >> you don't know. does it include military personnel? >> as i said, this is an -- >> it's a yes/no question. does it include military

personnel? >> i would be willing to discuss that in classified setting. >> does it include contract information? >> again i would be comfortable about whatever information that includes. does it include cia personnel? >> i would be glad to discuss that in a classified setting. >> does it include the standard form sf-86? >> the individuals who have completed an sf-86 may be included in that. we can provide additional information in a classified setting. >> why wasn't this information encrypted? >> um, the encryption is one of the many tools that systems can use. i'll look to my colleagues at dhs for their response. >> no, i want to know from you why the information wasn't encrypted. it's personnel, sensitive

information, birth dates, social security numbers, background information, addresses. why wasn't it encrypted? >> data information encryption is a valuable -- >> yeah, it's valuable. why wasn't it? >> and is an industry best practice. our cyber security framework promotes encryption as a key protection method. accordingly opm does utilize -- >> we didn't ask you to come read statements. i want to know why you didn't encrypt information. >> an adversary possessing proper credentials can often decrypt data. it's not feasible to implement on networks that are too old. the limitations on encryptions is effective on the effectiveness is why opm is taking other steps such as limiting administrators' accounts and requiring multi factor authentication. >> okay, it doesn't work. so you failed. you failed utterly and totally. so the inspector general, november 12th, 2014, we recommend that the opm director

recommend shutting down systems that do not have current and valid systems. and you chose not to. why? >> i appreciate the report by the i.g., we work closely with our -- >> he had a very serious recommendation to shut down the system and you said no. >> i'd like to turn that over to my -- >> no, i'd like you to answer that question. it says, we recommend the opm director consider shutting it down. your response back to the office -- from the office of the chief information officer, the i.t. program managers will work with the isso's to ensure they maintain current ato's and there are no interruptions -- so basically you said no. the inspector general was right. your systems were vulnerable. the data was not encrypted. it could be compromised. they were right last year. they recommended that you shut

it down and you didn't. and i want to know why. >> there are many responsibilities we have with our data. and to shut down the system, we need to consider all of the responsibilities we have with the use of our systems. >> so you made a conscious decision, knowing that it was vulnerable, that all these millions of records for federal employees was out there, the inspector general pointed out the vulnerability, and you said, no, we're not making a change? >> as the director of opm, i have to take into consideration all of the work that we must do. it was my decision that we would not but continue to develop the system and making sure that we have the security within those systems. the recommend -- >> and did you do that? you didn't, did you?

that didn't happen, did it? >> the recommendation after -- the recommendation to close down the systems came after the adversaries were already in the network. >> when did they get in the network? >> it was as a result of our security systems that we were able to detect the intrusion. >> when did they get into the system? >> we detected the intrusion in april. >> of? >> 2015. >> so but how did you know in november 2014 that they were -- you didn't know if they were in there, did you? >> no, we did not. we did not have the systems in -- we did not have the security systems installed at that time. it was because we were able to add the systems that we were able to detect. >> so you detected it, it wasn't

a software provider? you found it yourself? >> opm detected the intrusion. >> so the "new york times" and the others who wrote about it were wrong? >> that's correct. >> how many people have received letters? >> there's a rolling notification as of january 8, we'll complete the notification by 4.2 million. by june 19th, i don't have the exact number. i'd be glad to get that information for you. >> one last question with everybody's indulgence here. miss archuleta, there was a data breach at opm in july of 2014. okay? this is what you said about miss seymour. in december, i was very fortunate to bring donna seymour from the department of defense on board. she has great experience and brought her talents to opm. it was because of her leadership

and her dedicated employees that we were able to make sure that none of this personally identifiable information was compromised. this was july of 2014. you cited her and the data breach as making sure that none of the personally identifiable information got out the door. now that it has been hacked, are you going to give her that same amount of credit? >> i do give her that same credit. when i began my tenure as director of opm, one of my first priorities was to develop an i.t. strategic plan and to develop an important pillar of cyber security within our systems. we have worked very hard since that time. and as we update these legacy systems, it's important that we recognize that there is a persistent and aggressive effort on the part of these actors to not only intrude in our system, but systems throughout government and indeed in the

private sector. >> well, you have completely and utterly failed in that mission if that was your objective. the inspector general has been warning about this since 2007, and there have been breach after breach. he recommended shutting it down last year, and you made a conscious decision to not do that. you kept it open. the information was vulnerable, and the hackers got it. i don't know if it's the chinese, the russians, or whatever else. but they've got it, and they're going to prey upon the american people. that's their goal and objective, and you made the decision to leave that information vulnerable. it was the wrong decision, in direct contradiction to what the inspector general said should happen and he had been warning about it for years. >> in the ig's report he acknowledges the fact that we've taken important steps in

reforming our i.t. systems. advanced tools take time. >> so what kind of grade would you give yourself? are you succeeding or failing? >> i am -- i am -- cyber security problems take decades. >> we don't have decades! they don't take decades. >> i'm sorry. cyber security problems are decades in the making. whole of government is responsible. and it will take all of us to solve the issue and continue to work on them. my leadership in this particular, with opm, is one that instigated the improvements and changes that were recognized, that recognized the attack. >> yield back. recognize the ranking member, mr. cummings, for as much time as he wants. >> thank you very much, mr. chairman. miss seymour, this data breach is particularly concerning,

because the individuals who were targeted are government employees and the suspected attackers are foreign entities. i'm concerned that this breach may pose a national security threat. according to a statement from opm, the personal information of approximately four million current and former federal employees was compromised in this breach. what can you tell us about the type of personal information that was compromised in this breach? >> thank you for the question, sir. the type of information involved in the personnel records breach includes typical information about job assignments, some performance ratings, not evaluations, but performance ratings, as well as training records for our personnel. the information involved in the background investigations incident involves sf-86 data as well as clearance adjudication

information. >> so, social security numbers? >> yes, sir. social security number, date of birth, place of birth, typical pii, that would be in those types of files. >> miss seymour, it was reported on friday that in addition to this breach, hackers had reached highly sensitive information gathered in background investigations of current and former federal employees. is that true? >> yes, sir, that is. >> do you know how far back that goes? >> no, sir, i don't. these are -- the issue is that these are longitudinal records, so they span an employee's, you know, career, and so i do not know what the oldest record is. >> so it's possible that somebody could be working for the federal government for 30 years and their information over that 30 years could have been breached? >> yes, sir.