
Politics Public Policy Today, C-SPAN, June 24, 2015, 9:00am-11:01am EDT

9:00 am
>> -- update opm on more information about their path forward. your fy 16 budget request was submitted before the discovery of the most recent incidents and before we had any sense of its scope. are there additional tools or enhancements that you need in order to deal with the critical issues that are now well and widely known, and how might you seek an amendment to the budget request? >> we are analyzing right now with omb and my cfo to determine whether -- what the request might look like, and i hope to be able to get back to you by the end of the week. >> thank you. last question for you if i might. if you had actually encrypted
9:01 am
federal employees' social security numbers or personally identifying information, would that have prevented the disclosure of their personally identifiable information to hackers once they compromised your system? >> this is a question that has been asked of my colleagues who are experts in cybersecurity, and they have informed me that indeed in this particular case the encryption would not have prevented this breach. encryption is an important tool and that's why we continue to build the encryption methods within our systems. but in this particular case it would not have prevented it. >> my question wasn't whether it would have prevented the breach, it was whether it would have prevented the access to the information. >> no, it would not have. >> in response to the questions of the compliance and the i.t. upgrades, mr. spires, mr. esser, any difference of opinion or insight you might offer about
9:02 am
the compliance and whether there could have been a different outcome here? >> the issue with the fisma 2002 law is it was really around a set of technical controls that would be checked every three years. given the environment that we live in, that is not even close to being appropriate. we're moving to a continuous diagnostics type of model, which is the correct model, where you're monitoring all of your systems, monitoring your environment, looking for intrusions and improper behaviors. but i would echo the point that even that is not enough in today's environment. you need to bring in the data protection and you need to upgrade the capabilities to better understand who is actually accessing your system. those are all critical necessities in order to protect data today. >> was it -- would it be reasonable for us to have expected that opm could achieve
9:03 am
data security given the resources they currently have available to them? >> i'm not sure i'm in a good position to answer that question. i think -- i'll go back to my point. a focused effort on protecting the sensitive data with the right encryption and the right access control capabilities. if you put the focus there, i think most federal agencies would have the resources to be able to accomplish that. >> we've seen significant data breaches for home depot, jp morgan, target, sony, neiman marcus, just to name a few, and many of them have invested in cutting edge cybersecurity. does the private sector have any more success in mitigating cyber breaches than the public sector? >> i don't think i would make a comment on that. it depends on the actual company and varies greatly. i would make another point
9:04 am
here. i think one of the big differences between the government and the private sector is that the private sector has the ability to very rapidly acquire the newest capabilities that are being offered by the cybersecurity, if you will, product companies or industry. and one of the things i would like to see is the government agencies be able to bring in, like in a test environment, be able to pilot new capabilities as they come to market. that would really help government agencies adopt the newest equipment. >> i look forward to exploring that further with you in the next round of questions. thank you, mr. chair. >> senator lankford. >> thank you. we've got a lot to cover to help resolve things for the future and be able to unpack fully what has happened in the past. mr. esser, there are several comments you made on it. what is the most pressing issue
9:05 am
that you discovered in the flash report that you have done based on the vulnerabilities that still exist and what needs to be finished? i'm not asking you to expose publicly vulnerabilities that still exist. i'm asking you, i guess, what on the list needs to be addressed and needs to be addressed immediately. >> senator, i think one of the most important things that needs to be addressed is the two-factor authentication to access systems. this has been a long standing problem at opm. they have made improvements and implemented it to effect workstation access. but the actual systems that are being used by employees need to also have implemented and required two-factor authentication. >> i saw in your report, and the chief officer listed the same thing in 2012,
9:06 am
the initiative to require personal identity verification credential authentication to access the agency's network. 95% of opm workstations required personal identity verification access for the network. however, none of the agency's 47 major applications require personal identity verification authentication. is that still correct? >> to the best of our knowledge it is. >> tell me about that and just the process of transition. >> yes. two points there. on the multifactor authentication for remote users, we are 100% at that point now. with regard to all other users, we're working very rapidly to increase that. i've asked my cio to increase that effort. and i would be -- i'm sorry, i don't have the percentages in my mind right now but i'd be glad to get back to you on where we stand as of this date.
9:07 am
but i do know we're working rapidly to do that. >> so a 95% figure you think is pretty close as far as the workstations and 100% for those working remote, 95% workstations, but it's still the 47 major applications that are still exposed? >> i would like to get back to you to give you full details on it. >> there's a question on the issue of security assessment and authorization. obviously that is a requirement from omb. this ongoing issue of these 47 different groups that are here, it says on this 11 of them were not completed on time or operating without a valid authorization. what can you tell me about that? >> i can tell you that all but one of those systems has been authorized. they're operating with authorization and we're working on the final one that was with the contractor. >> and there's also a systemic problem there obviously of trying to find out why they weren't already through the
9:08 am
authorization issues. to make sure that authorization is done on time and is on schedule, has that issue been fixed? i know rapidly people stepped in and said let's try to fix this, but the authorizations haven't been done. what about the process in future to make sure those continue to be done on time? >> i would like to have my cio give you this information, to give it back to you. >> give me a time frame on when i can get that back. >> by the end of the week. >> there's also an outstanding letter i sent to your office june 10th. i'm the chairman of the committee on homeland security governmental affairs that has the federal workforce in it, as you and i have discussed in the past. >> yes. >> june 10th i sent a letter that's yet to be acknowledged from your staff that they have received the letter, much less to be answered. there are basic questions that remain unanswered, none of them that would require a classified setting. i have letters on the record from a tremendous number of
9:09 am
employees that live in my district that asked some basic questions to get a response from. they've yet to get a response to say it's been acknowledged. they want to know some timing. i know the letters have gone out nationwide but people want to know there are people working on some of these other issues. >> i apologize to you if you've not received that response. i know i've asked my staff to respond to that. and i know that it is forthcoming. but i will make sure you have that letter today. >> be great. thank you. let's talk a little bit about cost issues. do you have a ballpark cost to opm yet to contact -- the letter that's gone out to contact everyone to let them know, hey, possibly your information has been breached? so there's really two cost factors that are suggested here. one is the cost to distributing the letter out. the second one is the cost then for the credit report, credit screening and protection that
9:10 am
has been extended. >> i have a general cost. as we take a look at the takeup rate on the credit monitoring, that will adjust it, but it's approximately anywhere between $19 million to $21 million. >> so $19 million to $21 million. and what's the estimated cost on the letter going out? >> that's the total cost, sir, between e-mails and letters. so i don't have the breakdown. i would be glad to get that for you. >> are you aware that some agencies, the website that you link people to say, get more information, some agencies have blocked that internally so those individuals when they try to go are blocked from that for fear there may be phishing scams going on. >> we've worked closely with departments and agencies because of some security protocols they might have. we worked closely with them and their cios and other top officials. >> this issue of the inventory of servers and databases and
9:11 am
different workstations that are out there. the central control issue is important for keeping up security and technology, upgrades and making sure software is continued to be upgraded. when there's any server independent out there, it creates tremendous vulnerabilities. they have to find one of those. how is that going for unifying that structure? that's not a legacy issue. that's more of an inventory issue. >> i respect the inspector general's opinion on this. but my cio has told me that we have indeed an inventory of systems and data, and i would welcome the opportunity to discuss this with you and him further. >> we'll look forward to getting that report. that is one of those significant vulnerabilities. >> yes. thank you, sir. >> mr. chairman, thank you and senator coons for conducting this hearing. welcome to our three witnesses. ms. archuleta, i'm going
9:12 am
to begin with you. i'll work my way through them as quickly as i can. what is the current estimate of the total number of files or employees breached? >> under the -- in the employee personnel files we estimate that to be a little over 4 million. >> and that is, at least according to press reports, those numbers may grow. what else may occur or what may you discover? >> it's an ongoing investigation. we'll continue the investigation with our partners. at this point we know it's a little over 4 million. >> are those words interchangeable, 4 million employees and 4 million files, do they mean the same thing? >> that's approximately 4 million people who have been affected by it. >> what's the total amount possible for number of employees affected? you say we estimate it today to be 4 million. it may grow. what's the maximum number of
9:13 am
files that could have been breached? >> incident one and two, incident one is the one i'm describing, the employee personnel files. we've estimated that to be a little over 4 million as i've described. >> what's the total number of employees that could be affected by that? >> that's the number -- >> that's the number? >> that's the number. >> all right. >> as we look at the second incident, which we've not determined the scope of, i don't have a number for you on that. >> let me ask it differently. how many files do you have management over? >> as you know, a federal background investigation file may have a number of different names and pii within it, so that's why i can't give you a specific number on that one. we're working, as i said, to get that number and will bring it to you as soon as i have it. >> let me ask this one more time and make sure that you and i are on the same page. >> okay. i apologize. >> no. it may be the inarticulation on my part. you have a certain number of
9:14 am
files within your agency subject to this kind of breach. what's the total number of files that potentially could be breached? >> that's what we're investigating right now, sir. >> let me ask it this way. how many files are there at opm? >> well, there are millions of files, sir. we're a data center. so there are millions of files. the background investigations contain numerous names. that's why i want to be careful to make sure the number i do give to you i'm confident about. >> you've indicated you've taken significant steps. >> yes. >> i wrote that down as part of your testimony. and yet the oig says that only 3 of 29 recommendations have been closed and indicates -- let me look at his testimony. only 3 of these 29 recommendations have been closed to date and 9 of the open recommendations are long standing issues that were rolled forward from prior year audits. how do you reconcile we've taken
9:15 am
significant steps and yet the oig's report says that there's long standing problems and only 3 of 29 have been addressed? >> we work closely with the oig. and we work with him to make sure that we have complete and open transparency with him. he -- we meet on a regular basis. he continues to assist us in identifying the areas of improvement. and the issues that he has brought to us we are working through. i think the 2014 audit that he's performed for us and provided to us, we're working through the steps that he had outlined for us. and i know we're not in agreement with all of them but we do believe that that conversation and the transparency that there is between us will be helpful. >> mr. esser, do you agree with ms. archuleta that the agency
9:16 am
has taken significant steps to correct its problems? >> yes, i do. i think they have made great strides over the years to improve some of the issues that we've reported. for example, the decentralization issue which went back to 2007, in this past year's audit, we decreased the severity of that finding from a material weakness to a significant deficiency. in addition, there's a number of other areas where they've put in tools and made strides to improve security. that said, there are a number of long standing issues in our fisma reports that are open and we hope to see movement on. >> mr. spires, let me take this -- give you an opportunity. if you were still in the former capacity at this agency instead of the irs or homeland security -- let me first start with a broader question. based upon your understanding of
9:17 am
the facts involved here and your best judgment, was the breach or breaches that have occurred at opm, were they predictable based upon what we knew looking at, for example, the oig report? if you saw those reports, is this an outcome that could be expected? >> i think it is an outcome that could be expected, sir. >> and do you have a sense, based upon either ms. archuleta's testimony or your independent knowledge and what you've heard of mr. esser and their reports, would you say that the opm officials have taken significant steps to solve their problems? >> it does sound like they're doing a number of the things correctly. i think the centralization of i.t. is a very good step. they're talking about a modernization program that would upgrade their i.t. infrastructure. that being said, i'm going back
9:18 am
to my earlier point that if i had walked in there as the cio, again i'm speculating a bit, and i saw the kinds of lack of protections on very sensitive data, the first thing we would have been working on is how do we protect that data. how is it we get better protections and control access to that data better. i think that is probably where the focus needs to perhaps even shift here based on what i'm hearing. >> meaning there's a priority that ought to be the priority first effort. >> yes. >> ms. archuleta, does anyone at opm take personal responsibility for these breaches or is this just considered a problem with the system? is this a problem with individuals not performing their duties, or is it just more that this is the system that we inherited, we're working on it and no one in particular is responsible for the outcome?
9:19 am
>> i think mr. esser and mr. spires have said it very correctly. this is decades of lack of investment in the systems that we inherited when i came in. and from the very beginning of my tenure i have been focused on this, and we are working to install not only the architectural strategies but also to install the detection systems and be able to remediate. but as both of my colleagues have mentioned, we have legacy systems that are very old. and oftentimes we have to test to be sure we can add those systems, those protection systems, to the legacy system, so those tools fit into the legacy environment. if there's anyone to blame, it's the perpetrators. how do we -- they're concentrated, very well funded, focused, aggressive efforts to come into our systems, not just to opm but, as both of my
9:20 am
colleagues have said, across the whole enterprise, is one that we are concerned about and one that we're working on with our colleagues. it is -- we're going to take every step we possibly can at opm to continue to protect. that's why we're trying to move out of the legacy system. >> to date you don't consider anyone at opm, any of your staff or employees or people responsible for i.t. and its security, to be personally responsible. it's simply -- i don't mean simply. it's a problem with the system that has been inherited? >> this is an enterprise wide problem and cybersecurity is the responsibility of all of us who head organizations. and that is why, with tony scott's assistance and with his efforts, we're going to address this on an enterprise-wide basis. >> so no one is personally responsible? >> i don't believe anyone is personally responsible. i believe we're working as hard as we can to protect the data of
9:21 am
our employees because that's the most important thing that we can do. and i take it very seriously. i'm as angry as you are that this has happened to opm and i'm doing everything i can to move as quickly as i can to protect the systems. >> thank you very much. >> thank you, sir. >> mr. esser, ms. archuleta mentioned the problem with the legacy systems, which i think we all understand, but isn't it true that several of what was breached were not legacy systems, that with the right tools in place would not have been breached? >> yes, sir. based on our audit work. >> so the idea that this is all legacy and stuff is really not the case. >> there are many legacy systems at opm. i don't want to give the wrong impression. i mean that's a fact. but based on the work that we've done in our audits and ongoing work that we're doing, it's our
9:22 am
understanding that a few of the systems that were breached are not legacy systems. they're modern systems that current tools could be implemented on. >> okay. very good. i think that's really important. concerns have been raised about the contracts secured to provide credit monitoring services for victims of the first breach. we don't yet know the scope of the second breach and what services will be provided for additional victims. mr. esser, in your flash audit you raise concern about opm's contract to manage opm's infrastructure improvement project related to subsequent phases of the project. do you have additional work planned to oversee opm's contract and practices? >> it's certainly something that we're monitoring and following the reports and gathering information. we have not planned any audits
9:23 am
of that at this time, but it's something that we may do. >> mr. spires, you describe a number of root causes and you've offered a number of recommendations. can you tell us again a couple key recommendations that would make a difference over the next year or two? >> yeah. i would really like to re-emphasize this. we need to figure out how to manage our i.t. more effectively. that is the single root cause that's led to the kinds of situations we find ourselves in with these data breaches. and it's not that i'm just one to say we need to, you know, have all of the power reside with the cio. but what we need are cios that have the authority to really bring best practices and not to allow systems or
9:24 am
practices to continue that jeopardize the security of our data and our systems. and that has been the problem for decades. and we still have real cultural problems. i mean i'm out of government now for two years. but based on many discussions i've had with brethren that are still cios and still in government, the cultural issues loom large here. we need to take this incredibly seriously. and i would urge you as a subcommittee to provide your own oversight of the implementation of fitara. >> do we need additional legislation? >> i'm not convinced. i think we need general cyber legislation about how we better share information between the government and the private sector. i think that is something that congress should continue to work on. i think we have, between the fitara act and the updated fisma act, i think we've got enough of the tools on the legislative side. i think it's a leadership and
9:25 am
management set of issues within the amendment with the proper oversight of congress. >> very good. >> mr. esser, along the same line, what would you comment on in regard to, again, the most significant weaknesses, the underlying causes, what do you see as the priority that we need to be doing in the next two or three years? >> specific to opm, i think the project that they're undertaking to modernize the i.t. systems is the right way to go. we fully support that project. we do have concerns expressed in the flash audit alert regarding some of the project management related to it, the sole source contracting. but in general we think it's
9:26 am
definitely the right path to follow. >> mr. spires talked about oversight. how will you be involved in that process? >> we're continuing our oversight. the flash audit alert was issued this week and it was just an interim report, so to speak. we're going to continue our audit work throughout the length of this project. >> mr. spires, in an effort to drive significant rapid improvement changes. yet that's not working. do you recommend any changes to the goals? >> yes, i would first comment that i think -- i mean i think having goals is certainly
9:27 am
appropriate. but let's take one example. this notion we've all talked about, the need for multifactor authentication, to protect the credentials of those who use the systems that are legitimate. when you look at the cyber goal and the use of the card and trying to get the 75% usage within the civilian federal agencies as the goal, let's go back to the adversaries. they only need one way in, right? and 75% just doesn't cut it in this world anymore. and so we need to rethink the objectives there, go back to the prioritization of protecting data, doing the multifactor authentication. those should be the highest goals. that does not mean that we shouldn't be working to continue to bring in the right kinds of capability to better protect our systems. we need to do that as well. it's time to rethink those goals
9:28 am
and reset them along those sets of priorities. >> mr. esser, you mentioned at opm that one of the findings you found was that we didn't know exactly what entails the system, you know, what they have. has that been corrected or we still don't know the number of units and servers and all of the hardware and things? >> that's our understanding. director archuleta commented that they do have a complete inventory of systems. we would be happy to work with them and do our audit work related to that. >> but if that is the case, that's just recently happened. >> yes, sir. >> thank you very much. >> senator mikulski.
9:29 am
>> mr. spires, could you tell me, had it been penetrated -- i understand topnotch security firms themselves sometimes have a cyber shield that can be penetrated. >> i don't have any more information than what i read in the news, senator, but i have read that as well. >> which indicates this is an international problem. >> it really is. >> and shows that despite best efforts of highly skilled professionals, that's not to excuse where we are, but your advice to us is to get with it and get with it really quick. >> you've summed it up very well. >> would you recommend that this be across all government agencies, that opm was hit, et cetera? >> my experience having served on the federal cio council and worked with many of the agencies is opm is not some outlier here.
9:30 am
>> now, thank you very much, sir. and now ms. archuleta, the federal employees -- maryland is the home to 130,000 federal employees and they work at everything from the national institutes of health to the national security agency. most people at the national security agency are civilian employees. what do i tell my employees, because they're quite apprehensive, is they're going to -- what is the impact of this on them? can you talk about this? what is the impact on them, how are you in communication, and should they be afraid that another shoe will drop and that it could drop on them and their credit ratings or whatever? >> yes. and i do want to state that i care very much, as you do, vice chairwoman, about our federal
9:31 am
employees. and what this breach has done, it has exposed their data, as you know. and i am very concerned about that. that's why in terms of the first incident we have been working very hard to not only begin but also to improve our notification system and to provide both identity theft and credit monitoring for them. we've received much feedback from our employees and we're using the feedback -- >> so have i. they're pretty apprehensive and agitated. >> i am angry too. i am angry that this has even happened. i
9:32 am
employer up so that you really hear what they're saying? people like myself, senator cardin, senator kaine, senator warner, we're proud of the fact that the capital region is the home to so much talent that works on so much pressing national interest, from the cure for cancer to protecting our country against predatory attacks, and now they're worried about predatory attacks against them. do you meet with them and get this advice so that we can at least, while we're trying to sort out the best way to have a cyber shield when or dot-gov?
9:33 am
>> we're doing several things, vice chairwoman mikulski, and thank you for that question. >> we're working with our council. >> i don't know what chco is. that's where i bought some of my jackets. >> the human capital officers for each of the agencies as well as all department heads and leaders, and we've tried to adjust the notification system so that it is customized to the employees. we're also listening to our unions, our union representatives, and seeking their input and other stakeholder groups to see how we can better improve our notification system, not in the long term but through this period from june 8th to june 19th, to take their feedback every day around call centers, about how we could provide faqs on websites, how we can work directly
9:34 am
with district heads and agencies so they're assisting us in the notification process. we take very seriously what we owe to our employees and i will continue to do that and to make sure that in the second incident we're using their input. >> i think it's absolutely crucial. mr. chairman, i would like to really thank you also for having the ig at the table. when i chaired the committee it was my habit, or really my administrative procedure, that all of my subcommittees had an ig come on what was the hot spots for agencies or at least submit written testimony. the fact that you're utilizing that is crucial. mr. esser, thank you so much for your service. we so value the work of our inspectors general. they've been enormously helpful to me as chair and now vice chair of the committee to really
9:35 am
get value for our dollar, to identify management hot spots, and we really want to thank you for the identification not only of the problem but the recommendation for solutions. so thank you very much and all of the igs. >> you're very welcome, senator. >> thank you, senator. senator lankford. >> thank you. mr. spires, let me ask you a follow-up question. you said, coming from the cio council before, that many federal agencies have similar issues. twofold, one is to define what issues mean on this and then the second one is give me a percentage when you say many other agencies. and again i'm not asking you to articulate what are the security issues and specifically where our vulnerabilities are. give me a guess here how many agencies we're dealing with and what those issues are. >> i would say many of the federal agencies have a similar
9:36 am
problem that mr. esser alluded to about decentralization of i.t., and in and of itself not necessarily a bad thing. but it's been very difficult for many of the agencies as they've rolled out systems and have to support the systems, the complexity factors have grown so significantly that it's just very, very difficult for them to get their arms around systems. i mean we would do at dhs, to call out dhs specifically, we would do inventories and find all of the systems that we had. i think we did a relatively good job at that. but it would not be -- every year we would find more. try to secure that. and i say that's the first thing, is that most agencies i believe have that problem. when i talk to -- and i don't want to put a percentage on it because i don't know how to measure that as far as a percentage. most of the major agencies have this problem that the cio does not -- would not be able to sit
9:37 am
here and say they have a good handle on their true inventory of i.t. systems. >> what about use of credentials? >> i give all of the world credit to d.o.d. for having rolled out that card usage and having the leadership and the wherewithal to make that happen. most government agencies are struggling to roll out the piv card, the smart card, and use it for logical network access control. it's still an issue. if you go to the goals and look at where we're at, it's still an issue at most of the agencies on the civilian side. >> authorizations? networks? >> i think you're hitting the hot spots here. many systems we would find they wouldn't have authorizations because they were out in the field and they were not under the cio's control. or what i also didn't like, which was kind of hiding the
9:38 am
ball a little bit here, you could do an interim authority to operate and some of those would last way too long. and if you will, there would be weaknesses in the system and it would be difficult to clear those weaknesses. again, i can't put numbers on that, sir, but hopefully i've given you a sense of where many of the agencies sit today. >> my question to that related to appropriations. none of those seem like big dollar items. those are more management of current inventory, process, the wonderful term hygiene really for our systems. >> yeah. >> am i hitting that wrong or right? >> i want to be a little careful here. >> i mean if we've got a monitor crt with an orange screen on it, i get it. we have some old systems out there. but the initial security side of this, the first rung, seems to be how we're handling the information, the inventory.
9:39 am
>> i agree we could manage this a lot more effectively and we don't necessarily need more dollars for that. but some of it we need investment. >> ms. archuleta, you had in your written testimony and your oral testimony, you talked through the time line of how things went. some areas you were very specific. there were a couple of terms that jumped out to me. it says, as a result of these efforts to improve our security posture, in april 2015 an intrusion that predated the adoption of the security controls affecting opm's data was detected by the new cybersecurity tools. opm immediately contacted the federal bureau of investigation. can you give me a definition of immediately? >> the same day. >> and then you had the same issue there where you talked about the scope and impact of the intrusion. shortly thereafter opm notified
9:40 am
congressional leadership. >> we have a seven-day requirement, which we met. >> met it within the seven days. >> yes. >> thank you. the contractor that was involved in this with the responsibility for the strategic i.t. and security plan, what was that contractor and what were the assurances they gave early on during the process to say we'll provide security structure, management? i'm kind of looking for what they said they would do and what they actually did. who was the contractor, first? >> i want to be very clear: while the adversary compromised a keypoint user credential to gain access to opm's network, we don't have any information to suggest that keypoint as a company was responsible or directly involved in the intrusion. we have not identified a pattern of material deficiency that resulted in the compromise of the credentials.
9:41 am
and since last year we've been working with keypoint and they have taken strides in securing their network and have been proactive in meeting the additional security controls that we've asked them to use to protect all of the background data. >> so the question then with keypoint, the security controls they put in now, were these the controls that were discussed earlier that were not fulfilled? >> our detection in april detected an intrusion into our system in late 2014. the detection was in 2015; we detected an intrusion into our system in late 2014. >> so what i'm trying to drive at is, then there were changes in security protocol. were those changes recommended before, or are they entirely new? >> these are ones that we planned and were installing as we progressed through our
9:42 am
improvements and unfortunately we didn't have them in place soon enough. we are working, as i said, with a legacy system. we were testing many of our security tools and as a result of being able to install this particular security tool we were able to detect it. >> and that plan had been in place how long to be able to put those security -- >> it's part of the i.t. security plan which we developed -- >> the 2012 plan? >> 2014. >> '14. okay. thank you. >> thank you, sir. >> senator coons. >> thank you, chairman boozman. ms. archuleta, you're in the midst of a major i.t. modernization project. how much do you expect that total project to cost and what elements are included in that amount? >> there are four steps we're using for the plan. what are the tools that we're going to need to protect the systems as we move forward.
9:43 am
we're building a new shell system which will be the platform. and then the third and fourth are the migration and then the disposal of the legacy system. we're at the step right now -- in june of 2014 we hired a contractor to assist us in the development of the shell, and we're moving towards that. we, as i've said, have identified $67 million in 2014 and 2015 that would enable us to move towards that. and we're asking for an additional $27 million in the 2016 budget to aid us. i have -- we're working closely with omb to determine if another request should be made. >> has a major i.t. business case been prepared as omb requires? >> yes, it has. we worked very closely with omb. this was one of the points that the auditor, or the ig, brought
9:44 am
out in his flash audit. i can assure the ig that we in fact have been working very closely with omb. this is an urgent issue and we're moving as fast as we can, making sure we track, justify and document all that we're doing, consistent with the omb standards that have been given to us. we have a budget that we've worked very closely with omb to deliver. >> in response to the ig audit, one of their concerns was that you gave a sole source contract to a single contractor to manage all four phases of this very large project. what kind of contract is it? is it a fixed cost project, and what steps are you considering in light of the audit? >> as i said before, there's oftentimes places where we have areas of agreement and
9:45 am
areas of further consideration with the auditor. in his flash audit the inspector general encouraged the use of existing contracts or the use of full and open competition. and i would like to assure you and the inspector general that the process followed in awarding the already existing contracts has been perfectly legal and that we will continue to ensure that any further contracts and processes entered into will also be perfectly legal. he also expressed concern that the sole source contract used in the tactical and shell phases should not be used for the migration and the cleanup phases. i understand his concerns and i would like to remind the inspector general that the contracts for migration and cleanup have not yet been awarded. where we would like to have further discussion with the inspector general is the practical time line for the
9:46 am
major i.t. business case. he's suggesting that we move that out into fiscal year 2017. i would like to move that much quicker given what we've already experienced. i assure the inspector general and everyone here that all of our decisions are being tracked, documented and justified. he's made a number of recommendations regarding contracting and standards that rely on external sources for assistance, and i believe that the federal government, through the good work that tony scott is providing to us and all of our partners in government, has strong solutions to offer. i look forward to talking more with him about his suggestions. >> have you had a chance to look at other agencies who have successful i.t. projects to have as a model?
9:47 am
have you looked at whether having an outside contractor managing the project, or breaking it into bite-size pieces, might achieve your goals? >> we're looking at all of our options. i'm looking to all of the resources that i have available to me and i will certainly do that. i believe that the federal cio is an important asset to us, as are our partners at dhs, nsa and fbi. so we're looking to those and i would -- i welcome the inspector -- or the inspector general's suggestions, and as i move forward through this process i will be listening to him carefully as well as my partners across government. >> i appreciate that response. mr. spires, you were the former cio at dhs and irs, both of which had very cumbersome, challenged i.t. projects.
9:48 am
were you able to turn around some of the legacy i.t. failures there, and what advice do you have for opm as they engage in this effort? >> sure. first, sir, i would make the note that it's always about a team effort, right, in order to deliver these kinds of programs. i joined the irs and took over the business systems modernization program. at that time it was on the gao high risk list. and i'm pleased to say, as a team effort, we were able to -- it took a long time, but we were able to improve the processes to the point where recently that program was removed from the high risk list, which is quite an accomplishment. let me just say that i have -- i've reviewed many programs and there are -- we could have a long discussion about how to appropriately manage i.t. programs. i would just make a couple of points very quickly. one thing that's very critical
9:49 am
is the overall governance program that you put in place. you need to get the right stakeholders in the room to work together to make this happen. all too often in government i've seen issues where that doesn't happen. don't overrely on contractors. you need to have a program management office of government officials that have the requisite experience and skill set to be able to run these programs. and i would say -- i'm not picking on opm. i don't know much about their modernization at all. but i've found that the smaller agencies struggle with this because they don't have the heritage of having learned those lessons within the agencies themselves. >> thank you. i see my time has expired. thank you for your testimony today. i'm grateful for the input of the ig and for your offer to continue to consult with us and work with us as we move forward to try to offer critically needed reassurances, particularly to law enforcement and all federal employees, and to find timely
9:50 am
solutions to this and other challenges. >> senator moran. >> thank you very much. mr. spires, based upon what you've heard today and your knowledge generally of government agencies and their cybersecurity issues, is this a management issue or a resource issue? >> it's more of a management issue, sir. >> why do you say that? >> because of the dispersed nature of the way i.t. has been run in a lot of agencies. there are so many inefficiencies that have crept into the system that i don't believe we effectively spend the i.t. dollars that we receive. now, so i believe that with the proper drive towards management you can actually drive a lot of savings from the existing budgets. but i'll caveat that. when you're talking about new modernization programs, sometimes with the right
9:51 am
business case it does make sense to invest in those. >> i assume, based upon your response to senator coons, i assume there's a natural inclination when these issues arise that the easy thing to do is to hire a contractor. we don't know -- within the agency we don't know this stuff. this isn't our primary mission. let's get somebody in here who takes care of this. we've worked on -- this committee, when senator udall was its chairman, we looked at how to improve the role that cios played in the agency, in part to compensate for an attitude that we're not tech folks, somebody else is responsible for that. ms. archuleta, describe to me how you work with your cio. let me ask a question first. the first breach, i think you're aware, goes back to june of 2014. as i recall, you and others testified in front of this
9:52 am
committee in may of 2014 and the following month, june, opm became aware of a breach. is that -- >> yes. the first breach that we discussed with you was -- >> i don't think you discussed this in may, because if you knew about it i don't think we knew about it. >> i'm sorry, sir. >> so it's probably better that -- >> let me start. i want to look at my -- make sure i have my months right. march of 2014 was when we identified some adversarial activity, but no pii was lost in that. june of 2014, which is what you may be referring to, is when usis was breached and there was opm data that was compromised that impacted about 2,600 individuals.
9:53 am
in august of 2014 the keypoint government solutions, which i described earlier -- their adversarial activity, they were breached, and that breach compromised approximately 49,000 individuals. and then in april of 2015 was the breach i've described earlier, as well as the one in may. >> so there were -- make sure i understood what you just said. there were three breaches that occurred prior to the two we're now talking about? >> there was the opm network in march, june of 2014 usis, in august keypoint. >> so what was your change -- what changed at opm -- you obviously then became aware on three occasions somebody is trying to intrude on our system. what then did opm do after realizing that? >> if i can just go back a
9:54 am
little bit. i want to reassure you, to my colleague's point, that we -- one of the first actions i took as opm director was to hire donna seymour. the second action i took was to develop an i.t. strategic plan that had exactly the things, the pillars, that my colleague describes. so i.t. leadership, my cio; i.t. governance, that is, my whole leadership team must buy into the design and the structure of the i.t. plan and its development; and i.t. architecture, what was it going to take for us to build out the systems that we needed in view of our legacy system; i.t. data, we needed to be informed. we needed to know that what we were doing is right and that we were doing this in a way that was analytical. we also had, as an important
9:55 am
pillar there, i.t. security. obviously very, very important as we were building out. even as we were working on our strategic plan, one of the most important pillars was i.t. security. and since donna seymour came in as cio, and because of our experience -- and as mr. spires says, the good talents and experience we have in government; we brought her from d.o.d. and d.o.t. -- she was able to apply those skills and that talent to identify what our strategic steps are and how to develop them. first, the thing we needed to look at is what could we place on that legacy system, and that's where she began and continued to do throughout her tenure. >> your point is, from your arrival your priority was to get a cio and begin implementation of a plan? >> i will tell you, senator, that from the first time i was
9:56 am
briefed on our i.t. infrastructure during my confirmation preparation, i knew that there was a problem. and that is why in my confirmation hearing i said it would be a top priority and i promised my -- your colleagues that i would develop an i.t. strategic plan, which i did, and produced within the first 100 days. i was also wise enough to hire donna seymour. >> the i.t. strategic plan that you mentioned, is that something we can see? >> absolutely. it's on our website and i'll make sure you get a hard copy as soon as possible. >> mr. chairman, let me see if i have additional follow-up. following that i.t. strategic plan, is there now a new plan as a result of -- >> as you know, a plan is dynamic. and as we learn things the plan changes. but we're following it and
9:57 am
making sure that every component -- governance, leadership -- making sure that we're making sound decisions on the architecture that we're building and making sure it's based on clear analytics and that cybersecurity is an important component of all of that. >> are you -- are there benchmarks that are now in place within that plan so that we see whether we're making progress, benchmark by benchmark? >> i'd like to come back to you and show you what those benchmarks are, sir. >> okay. let me ask about notification. you indicated in your testimony, and i wrote this down as well, as soon as practicable. i understand the value of that phrase. you know the president's proposed legislation for notification to occur within 30 days of a breach. how do you think practicable fits with the 30-day requirement? >> well, i think within that proposed legislation as practicable is also included in there. we are, i can assure you, trying
9:58 am
to do everything we can to come as close to that date as we possibly can. >> is there anyone who oversees i.t. security outside of opm? what's the relationship between omb -- >> it's a very close relationship. we work very closely with the federal cio who has responsibility for this, tony scott. he's been at omb for 90 days now. he's been engaged with us from the very beginning. and his -- he and donna have a very strong relationship and he has a strong adviser role to us. >> prior to his arrival 90 days ago, was there someone filling that responsibility as well? >> i don't know that, sir, but i would be glad to get that information back to you. >> thank you very much. >> thank you, sir. >> thank you, senator moran. thank all of you for being here. again, i apologize for the earlier delay. this is such an important hearing, though. i think this
9:59 am
is probably one of the most important hearings that we'll have this year. and we will be following up in the not too distant future, making sure that things are moving in the right direction. i want to thank all of you for participating. i want to thank the staff, senator coons' staff, for the excellent job they did in preparing for the hearing. at this time i ask unanimous consent that the statements made by the employees union be included in the hearing record. if there are no further questions, the hearing record will remain open until next tuesday, june 30th, at noon for subcommittee members to submit any statements or questions to the witnesses for the record. with that, the subcommittee hearing is adjourned.
10:00 am
and now live capitol hill testimony. we head to capitol hill and hear more on the theft of personal records. we'll hear from katherine archuleta again and patrick mcfarland. they're appearing before the committee today on those two recent data breaches. and we just showed you director archuleta's remarks yesterday, where she revealed that an adversary gained access to the records with a credential used by a federal contractor. the first breach was disclosed on june 4th, impacting 4.2
10:01 am
million federal workers. several republican and democrat lawmakers are calling for the opm director to step down. this is live coverage on c-span 3. we expect it to start in just a moment.
10:02 am
10:03 am
morning. the oversight committee is coming to order. our hearing today is about the opm data breaches, part 2. $529 billion, $529 billion is how much the federal government has spent on i.t. since 2008. roughly $277 million has been spent at the office of personnel
10:04 am
management; roughly 80% of that money has been spent on legacy systems, and we're in a situation here where the hurricane has come and gone and just now opm is wanting to board up the windows. that's what it feels like. this is a major, major security breach, one of the biggest if not the biggest we have ever seen. this demands all of our attention and great concern about what happened, how we're going to prevent it from happening in the future and what we are going to do with the information now, because there is no simple, easy solution. but i can tell you, oftentimes it feels like one good trip to best buy and we could help solve this problem, and it would be a whole lot better than where we are today. there are a lot of questions that remain about what happened last month. and the uncertainty is very disconcerting to a host of people. and it's unacceptable to this committee and the congress. the most recent public reports
10:05 am
indicate that many more americans were affected by the breach than originally disclosed. federal workers and their families deserve answers on the scope of the breach and the types of personal information compromised. because of these outstanding questions we still don't understand the extent to which the breach threatens our national security. but the risk is significant. only the imagination limits what a foreign adversary could do with detailed information about a federal employee's education, career, health, family, friends and personal habits. i ask unanimous consent to enter into the record a letter from the federal law enforcement officers association. i want to read part of it. here are the concerns about the office of personnel management data breaches. our demands and list of questions remain
10:06 am
unanswered. they represent the law enforcement officers from 65 agencies. opm turned its back on federal law enforcement officers when it failed to protect sensitive information from an inexcusable breach. it's a miscarriage of its obligations. the very lives of federal law enforcement officers are now in danger, and the safety and security of innocent people, including their families, are now in jeopardy because of opm's failure and continued ignorance of the severity of the breach. the information lost includes personal, financial, and location information of these officers and their families, leaving them vulnerable to attack and retaliation from criminals and terrorists currently and formerly investigated by the united states of america. without objection i'll enter this into the record. without a full understanding of the scope or the cost of the project. in fact the agency kept the project from the inspector general for more than a year.
10:07 am
the ig determined opm's chief information officer, quote, initiated this project without a complete understanding of the scope of opm's existing technical infrastructure or the scale or cost of the effort required to migrate it to the new environment, end quote. because of these concerns the project is, quote, possibly making opm's environment less secure and increasing the cost to taxpayers. they awarded a sole source contract without going through the process of full competition. i would like to enter into the record, without objection, this article from the "washington post." this is from may 13th: defense firm that employed drunk, high contractors in afghanistan may have wasted $135 million in taxpayer dollars. these are the recipients of a sole source contract to try to help clean up this mess.
10:08 am
they were formerly known as scientific corporation. they're now known as imperatis corporation. they have a good list of very impressive military personnel who are involved and engaged. maybe this is the right decision. but when it is a sole source contract it begs a lot of questions. no doubt we need to move fast, but this organization has had a lot of problems in the past and it begs a lot of questions. in addition to a data security problem we have a data management problem. it is unclear why so much background information related to security clearances was readily available on the opm system to be hacked. it is unclear to me why there is a need for sf 86 background information -- the sf 86 is the standard form 86 that the employees fill out -- why was this background information on the network if the applicant isn't currently being investigated? part of the reason we're in this mess is that a lot of the
10:09 am
information, that information and background checks that we're not engaging in, was still on the system. if information isn't accessible on the network, it can't be hacked. if a security clearance isn't under investigation, it's a best practice that others use and probably should have been used in this situation as well. we have to do a better job of anticipating our adversaries and protecting information from unnecessary exposure. one of the concerns is this legacy system that we're using is cobol. the language used is cobol. i would ask unanimous consent to enter into the record a "wall street journal" article from april 22nd, 1963: cobol can help users cut costs when changing models, government spurs process. 1963. i wasn't even born yet, and that's the system that we're
10:10 am
operating on in this day and age, when technology is changing moment by moment, minute by minute. without objection i enter that into the record. yesterday ms. archuleta stated that no one is personally responsible for the opm data breach and instead blamed the hackers. hackers certainly have a lot of culpability on their hands. there's no doubt that there are various actors that are going to be attacking the united states. we take numerous hits on a daily basis. but i disagree that nobody is to be held personally responsible. personal accountability is paramount. they are charged with the responsibility of carrying out their duty. as the head of the agency, ms. archuleta is responsible for the security of the opm network and managing any risks. while she may have inherited a lot of problems, she was called
10:11 am
on by the president and confirmed by the senate to protect the information maintained by opm. during her confirmation in 2013 she stated that i.t. modernization would be one of our main priorities, yet it took a security breach in march of 2014, five months after the confirmation, to begin the process of developing a plan to fix the problem. that was just the beginning of starting to think of how to fix the problem. the shift in blame is inexcusable. i really hope we hear solid answers. it's not going to be good enough to say we'll get you that information, it's under investigation, there's a security -- no. we're going to answer questions. the federal workforce, the people affected, they need to hear that. we're different. we're unique in this world because we're self critical and we do have hearings like this. i would also ask unanimous consent to enter letters
10:12 am
into the record. one was a flash audit done june 17th of this year from patrick mcfarland, the flash audit on the information improvement project. without objection i will enter that into the record. i will ask unanimous consent to enter into the record the june 22nd response by the director of the office of personnel management, ms. archuleta, and ask to enter that into the record. without objection, so ordered. we also have some contractors here and we appreciate their participation. they have answers -- we have questions that need to be answered as well. we need their cooperation to figure this out. a lot of what was done by opm was contracted out. and there are very legitimate questions, in particular that mr. cummings and others have asked, and that's why i'm pleased to have them invited and
10:13 am
participating as well. so it will be a full and robust committee hearing. we appreciate the participation. without objection the chair is authorized to declare a recess at any time. i should have said that without objection, so ordered. should have said that at the beginning. now i would like to recognize the distinguished ranking member, mr. cummings, for his opening statement. >> thank you very much, mr. chairman. this is a very important hearing and we're here today because foreign cyberspies are targeting millions of our federal workers. opm has made it clear that every month there are 10 million efforts to pierce our cyberspace. these folks are hacking into our data systems to get information about our employees, private information about them, their families, their friends
10:14 am
and all of their acquaintances. and they may try to use that information in their espionage efforts against united states personnel and technologies. mr. chairman, i want to start by thanking you. last week we held a hearing on cyberattacks against opm. and this morning we have an opportunity to hear from opm's two contractors who also suffered major data breaches, usis and keypoint. some people in your shoes might have merely criticized the agency without looking at the whole picture. but you agreed to my request to bring in the contractors and you deserve credit for that, and i thank you. on monday night i received a letter from usis, representatives finally providing answers to questions i
10:15 am
asked more than seven months ago, mr. giannetta. seven months ago. seven months ago. the letter disclosed that the breach at usis affected not only dhs employees but our immigration agencies, our intelligence community and even our police officers here on capitol hill. but it took them seven months. the night before the hearing, they give me that information. but not only to give me the information, but to give members of congress that information. my immediate concern was for the employees at these agencies. and i hope that they were all alerted promptly. but there's no doubt in my mind that usis officials never would
10:16 am
have provided that information unless they were called here to testify today. so i thank you again, mr. chairman. i have some difficult questions for usis. i want to know why this company paid millions of dollars in bonuses to its top executives after the justice department sued the company for allegedly defrauding the american taxpayers of hundreds of millions of dollars. i can hardly wait for the answer. i want to know why usis used these funds for bonuses instead of investing in adequate cybersecurity protections for the highly sensitive information our nation entrusted to it. mr. giannetta, i want to know if
10:17 am
you, as the chief information officer of usis, received one of those bonuses, and i would love to know how much it was and what the justification for it was. i understand that you just returned from italy. welcome back. so this is probably the last place you want to be. i also understand you're leaving the company in a matter of weeks. but i want to know why usis has refused for more than a year to provide answers to our questions about the board of directors. mr. hess, i also have different questions for you, for keypoint. at last week's hearing i said one of our most important questions is whether the cyberattackers were able to penetrate opm's networks using information they obtained from one
10:18 am
of its contractors. as i asked last week, did they get the keys to opm's networks from its contractor? yesterday director archuleta answered that question. appearing before the senate appropriations committee she testified, and i quote, the adversary leveraged a compromised keypoint user credential to gain access to opm's network. the weak link in this case was keypoint. mr. hess, i want to know how this happened. i appreciate that opm continues to have confidence in your company. but i also want to know why keypoint apparently did not have adequate logging capabilities to monitor the extent of data that was stolen. why didn't you invest in these safeguards?
10:19 am
mr. chairman, to your credit, one of the first hearings you called after becoming chairman was on the risk of third-party contractors to our nation's cybersecurity. at that hearing on april 20th, multiple experts explained that federal agencies are only as strong as their weakest link. if contractors have inadequate safeguards, they place our government systems and our government workers at risk. i understand that we have several individuals here sitting on the bench behind our panel of witnesses who may be called to answer questions if necessary. mr. jobe, who is the cio of keypoint. thank you for allowing them to be here. as we move forward it is critical that we work together. we need to share information,
10:20 am
recognize what outdated legacy systems need to be updated and acknowledge positive steps when they do occur. above all, we must recognize that our real enemies are outside of these walls. they are the foreign nation states and other actors that are behind these devastating attacks. and with that i yield back. >> i thank the gentleman. i'll hold the record open for five legislative days for any members who would like to submit a written statement. we're pleased to have representative barbara comstock. i ask unanimous consent that our colleague from virginia be able to fully participate in today's hearing. no objection, so ordered. we now recognize the panel of witnesses. i'm pleased to welcome katherine archuleta, director of the office of personnel management. we have patrick mcfarland, the
10:21 am
inspector general of the office of personnel management; ms. donna seymour, chief information officer of the office of personnel management; ms. ann barron -- help me here -- dicamillo, of the computer emergency readiness team at the united states department of homeland security. mr. eric hess is the chief executive officer of keypoint government solutions, and mr. rob giannetta is the chief information officer at usis. all witnesses are to be sworn before they testify. so if you will, please all rise and raise your right hand. do you solemnly swear or affirm that the testimony you're about to give will be the truth, the whole truth and nothing but the truth? thank you. let the record reflect that all witnesses answered in the affirmative. in order to allow time for
10:22 am
discussion, please limit your verbal testimony to five minutes, and obviously your entire written statement will be made part of the record. we will start first with the director of the office of personnel management, ms. archuleta. you're now recognized for five minutes. >> chairman, ranking member cummings and members of the committee, thank you for the opportunity to testify before you again today. i understand and i share the concerns and the frustration of federal employees and those affected by the intrusions into opm's i.t. systems. although opm has taken significant steps to meet our responsibility to secure the personnel data of those we serve, it is clear that opm needs to dramatically accelerate those efforts. as i testified last week, i am committed to a full and complete
10:23 am
investigation of these incidents. and we continue to move urgently to take action to mitigate the long standing vulnerabilities of the agency's systems. in march of 2014 we released our plan to secure the aging legacy systems. we began implementing the plan immediately and in fiscal years 2014 and 2015 we directed nearly $70 million towards the implementation of new security controls to better protect our systems. opm is also in the process of developing a new network infrastructure environment to improve the security of opm infrastructure and i.t. systems. once completed, opm i.t. systems will be migrated into this new environment from its current legacy networks.
10:24 am
many of the improvements have been to address critical immediate needs such as security vulnerabilities in our network. these upgrades include the installation of additional firewalls, restriction of remote access without two-factor authentication, continuous monitoring of all connections to ensure that legitimate connections have access, and deploying anti-malware software to prevent the cyber crime tools that could compromise our networks. these improvements led us to the discovery of the malicious activity that had occurred and we were immediately able to share the information so that other agencies could protect their networks. i also want to discuss data encryption. opm does currently utilize
10:25 am
encryption when possible. i've been advised by security experts that encryption in this instance would not have prevented the theft of this data because the malicious actors were able to steal privileged user accounts and credentials and could decrypt the data. our i.t. security team is actively building new systems with technology that will allow opm not only to better identify intrusions but to encrypt even more of our data. in addition to new policies that were already implemented to centralize i.t. security duties under the cio and to improve oversight of new major systems development, the i.t. plan recognized that further progress was needed and the oig's '14 report credited opm for progress in bolstering our security processes and procedures and for committing critical resources to the effort.
10:26 am
with regard to information security governance, the oig noted that opm implemented significant positive changes and removed its designation as a material weakness. this was encouraging as i.t. governance is a pillar of the strategic i.t. plan. regarding the weaknesses found with authorization, the oig has recommended that i consider shutting down 11 out of the 47 opm i.t. systems because they did not have current and valid authorization. shutting down systems would mean that retirees could not get paid and that new security clearances could not be issued. of the systems raised in the 2014 audit, 11 of those systems were expired. of those, one, a contractor system, is presently expired. all of the systems raised in the '14 audit have been extended or provided a limited
10:27 am
authorization. opm is offering credit monitoring services and identity theft information with csid for the approximately 4.2 million current and former civilian employees. our team is continuing to work with them to make the online sign-up experience quicker. they're expanding staffing at call centers. i've taken steps to ensure that greater i.t. restrictions are in place even for privileged users. that includes removing remote access for privileged users and requiring two-factor authentication. we're looking into further protections such as tools that mask and redact data that would not be necessary for a privileged user to see. i want to share with this committee some new steps that i'm taking. first, i will be hiring a new cybersecurity adviser that will
10:28 am
report directly to me. that cybersecurity adviser will work with opm's cio to manage ongoing response to the incident, complete development of the plan and assess whether long term changes to the architecture are needed to ensure that its assets are secure. this individual is expected to be serving by august 1. second, to ensure that the agency is leveraging private sector best practices and expertise, i'm reaching out to chief information security officers at leading private sector companies that experienced their own significant cybersecurity challenges and i will host a meeting with these experts in the coming weeks to help identify further steps the agency can take. as you know, public and private sectors both face these challenges and we should face them together. i would like to address now the
10:29 am
confusion regarding the number of people affected by two recent related cyber incidents at opm. first, it is my responsibility to provide accurate information to congress, the public and, more importantly, the affected individuals. second, because this information and its potential misuse concerns their lives, it is essential to identify the affected individuals as quickly as possible. third, we face challenges in analyzing the data due to the form of the records and the way they are stored. as such, i have deployed a dedicated team to undertake this time-consuming analysis and instructed them to work to make sure their work is accurate and completed as quickly as
10:30 am
possible. as much as i want to have all of the answers today, i do not want to be in a position of providing you or the affected individuals with potentially inaccurate data. with these considerations in mind, i want to clarify some of the reports that have appeared in the press. some press accounts have suggested that the number of affected individuals has expanded from 4 million individuals to 18 million individuals. other press accounts have asserted that 4 million individuals have been affected in the personnel file incident and 18 million individuals have been affected in the background investigation incident. therefore, i am providing the status as we know it today and reaffirming my commitment to providing more information as soon as we know it. first, the two kinds of data
10:31 am
that i am addressing, personnel records and background investigations, were affected in two different systems in the two recent incidents. second, the number of individuals with data compromised from the personnel records incident is approximately 4.2 million, as reported on june 4th. this number has not changed and we have notified those individuals. third, as i have noted, we continue to analyze the background investigation data as rapidly as possible to best understand what was compromised and we are not at a point where we are able to provide a more definitive report on this issue. that said, i want to address the figure of 18 million individuals that has been cited in the press. it is my understanding that the 18 million refers to a
10:32 am
preliminary, unverified and approximate number of unique social security numbers in the background investigations data. it is a number that i am not comfortable with at this time because it does not represent the total number of affected individuals. the social security number portion of the analysis is still under active review and we do not have a more definitive number. also, there may be an overlap between the individuals affected in the background incident and the personnel file incident. additionally, we are working deliberately to determine if individuals who have not had their social security numbers compromised but may have other information exposed should be considered individuals affected by this incident. for these reasons i cannot yet provide a more definitive response on the number of
10:33 am
individuals affected in the background investigations data intrusion. and it will -- it may well increase from these initial reports. my team is conducting this further analysis with all due speed and care. and again, i look forward to providing an accurate and complete response as soon as possible. thank you, mr. chairman, for this opportunity to testify to you today and i'm happy to be here, along with my cio, to address any questions you may have. >> thank you. mr. mcfarland, you are now recognized for five minutes. >> chairman, ranking member cummings and members of the committee, good morning. my name is patrick mcfarland and i'm the director of the office of personnel management. thank you for inviting me to testify here. i would like to note that my colleague, the deputy inspector general, is here with me. with your permission, he may
10:34 am
assist in answering technical questions. in 2014 opm began a massive project to overhaul the i.t. environment by building an entirely new infrastructure called the shell and migrating all of its systems to the shell. before i discuss the recent examination of this project, i would like to make one point. there have been multiple statements made to the effect that this complete overhaul is necessary to address immediate security concerns because opm's current legacy technology cannot be properly secured. this is not the case. there are many steps that can be taken, or indeed which opm has already taken, to secure the agency's current i.t. environment. i just wanted to emphasize that while we agree that this overhaul is necessary, the urgency is not
10:35 am
too great that the project cannot be managed in a controlled manner. last week my office issued a flash audit alert discussing two significant issues related to this project. because my written testimony describes these issues in detail, i will give only a summary for you this morning. first, we have serious concerns with how the project is being implemented. opm is not following proper i.t. project management procedures and does not know the true scope and cost of this project. the agency has not prepared a project charter, conducted a feasibility study or identified all of the applications that will have to be moved from the existing i.t. infrastructure to the new shell environment. further, the agency has not prepared the mandatory omb major
10:36 am
business case, formally known as exhibit 300. this is an important step in the i.t. project and the proper vehicle for seeking approval and funding from omb. it is also a necessary process for enforcing proper project management techniques. because opm has not conducted these very basic planning steps, it does not know the true cost of the project and cannot provide an accurate time frame for completion. opm has estimated that this project will cost $93 million. however, the amount only includes strengthening the agency's current i.t. security posture and the creation of a new shell environment. it does not include the cost of migrating all of opm's almost 50 major i.t. systems and numerous subsystems to the shell. this migration will be the most
10:37 am
costly phase of this project. even if the $93 million figure was an accurate estimate, the agency does not have a dedicated funding stream for the project. therefore, it is entirely possible that opm could run out of funds before completion, leaving the agency's i.t. environment more vulnerable than it is now. opm also has set what i believe to be an unrealistic time frame for completion. the agency believes it will take 18 to 24 months to migrate all of its systems to the shell. it is difficult to imagine how opm will meet the goal when it does not have a comprehensive list of all of the systems that need to be migrated. further, this process is inherently difficult and there are likely to be significant challenges ahead. the second major point discussed in the alert relates to the use
10:38 am
of sole source contracts. they've got a single source vendor. unless there's an exception, federal contracts must be subject to full and open competition. however, there's an exception for compelling and urgent situations. the first phase of this project, which involves securing opm's i.t. environment, was indeed such a compelling and urgent situation. that phase addressed a crisis, namely the breaches that occurred last year. however, the later phases, such as migrating the applications into the new shell environment, are not as urgent. instead they involve work that is essentially a long term capital investment. opm should step back, complete its assessment of the opm architecture and develop a major i.t. business case proposal. when omb approval and funding has been secured, they should
10:39 am
move forward with the project. opm cannot afford to have this project fail. i fully support opm's effort to modernize the environment and the director's long term goals. however, if it is not done correctly the agency will be in a worse situation than it is today and millions of taxpayers will have to be -- many -- and millions of taxpayer dollars will have been wasted. i'm happy to answer any questions you may have. >> thank you. ms. seymour, was your statement with ms. archuleta or do you have one yourself? >> it was with the director, thank you, sir. >> i would ask unanimous consent to enter into the record a letter that was given to us this morning from the office of personnel management, dated today, signed by ms. archuleta, dealing with the number of records. without objection, we'll enter it into the record. we'll now recognize ms. barron-
10:40 am
dicamillo for five minutes. >> good morning. my name is anne barron-dicamillo. i appear here to talk. dr. andy ozment is here with me to answer questions. like many americans, i too am a victim of these incidents and concerned about the continued cyber incidents at numerous government and private sector entities. i understand the scope and the problem we face and the challenges in securing critical networks. cybersecurity is a true team sport. there are many agencies responsible, including the intelligence community, law enforcement, the department of homeland security
10:41 am
as well as individual system owners and individual end users as well. my organization within dhs is part of the national cybersecurity center. we focus on analyzing the risks, sharing information about and responding to significant cyber incidents. we work with trusted partners around the world and focus on threats facing the government and critical sector networks. our role is largely voluntary. we build and rely upon trusted relationships to share information and respond to incidents. when an entity believes they've been a victim of a significant cyber incident, they invite us to help them assess the scope of the intrusion as well as provide recommendations on how they can mitigate the incident and improve their security posture. our current involvement with opm began in march of 2014 when they learned there was a potential compromise within the opm
10:42 am
networks. from march to may, we were part of the team that remediated the intrusion. throughout that time we shared information that we had learned about the intrusion with our governmental partners as well as private sector partners so they could better protect themselves. on may 28, 2014, the interagency response team concluded that the malicious actor in question from that event had been removed from the network. we also provided opm with recommendations on what steps they could take to increase their security. there is no silver bullet or magic solution. most government agencies and their private sector counterparts are making up for years of underspending on security as part of the information technology development. the internet was designed with ease of use rather than security in
10:43 am
mind. the status of opm networks in may of 2014 was not unlike other similarly situated agencies. opm did some things well and was weak in other areas. i understand that opm had at the time, under its new leadership, started an effort to improve its cybersecurity. the incident report for opm included several recommendations, some of which could be implemented quickly and others of which would take longer. opm made a concerted effort to adopt the recommendations beginning last summer. it was opm who in april of 2015 discovered the new intrusion. this is how the malicious access to opm data at the data center was discovered. this newly discovered threat information was also quickly shared by us with our private
10:44 am
sector partners and other trusted partners around our communities. the interagency response team has been working with opm since april of 2013 to assess the scope and nature of the incident. there are a few things i can share. we were able to use the einstein capability to detect the presence of malicious activity on the department of interior data center which houses the opm personnel records. further on-site investigation revealed that some personal information was compromised. this is the 4.2 million number that director archuleta referenced today. as a result of what we learned from the april 2015 investigation, opm continued to conduct forensic investigations into its own environment. in that process opm discovered evidence of an additional compromise on its own network. we then led an interagency response team to assess opm's networks and in june found that background investigation
10:45 am
data had been exposed and possibly exfiltrated. that's currently under investigation. we learned at the time that they had precluded further access. the protective measures may have mitigated any continued effects of the intrusion. the work is ongoing and we continue to assess the scope of the potential compromise. although i'm appearing today ready to provide information, i do so with some concern. we rely on voluntary cooperation from agencies and private entities who believe they may be victims. i worry that us appearing in front of this committee will have a chilling effect on their willingness to notify us, the whole of government, of future incidents. we need private companies to continue to work with government and share information about cyber threats.
10:46 am
thank you. i look forward to your questions. >> mr. hess, you're now recognized for five minutes. >> thank you, chairman, ranking member cummings. i'm president and chief executive officer of key point government solutions. since 2004 key point has provided field work services for the background investigation to a number of federal agencies including the office of personnel management. we employ investigators in every state and are proud to be part of opm's team helping to ensure that the security investigations it conducts are thorough, detailed and consistent. we take issues of cybersecurity very seriously and as a contractor providing critical services across the federal government, we stand in partnership with the federal government in trying to combat ever present and ever changing cyber threats. we're committed to the highest levels of protections. the recently announced breach of
10:47 am
the opm is the focus of this hearing. i would like to make clear that we see no evidence suggesting that key point was in any way responsible for the opm breach. there are recent media reports suggesting that the incursion into the opm is what breached. there is no evidence that key point was responsible for that breach. press reported that hackers stole opm credentials assigned to a key point employee and leveraged them to access opm's systems. there is no evidence suggesting that key point is responsible for or directly involved. the employee was working on an opm system, not a key point system. i know that throughout the hearing, the incursion of the key point system discovered last september will be discussed. key point has continuously
10:48 am
maintained its authority to operate (ato) from opm and dhs. this means that we met the stringent information and security requirements imposed under our federal contracts. key point only maintains information that is required. we, like government agencies, face aggressive, well funded and ever evolving threats. let me say a few words about the earlier incursion of key point. in december of 2013 the washington post noted that it would notify 48,000 federal workers that their personal information may have been exposed. i emphasize the word may because in the report, after the extensive analysis of the incursion, we find no evidence of exfiltration of personal data. last august, following public reports of that data security breach at another federal
10:49 am
contractor providing background checks, donna seymour asked key point to invite the us-cert to test key point's network and key point agreed. the department of homeland security and technical services conducted risk vulnerability tests including internal maps. they provided a number of findings at the end of the engagement which were resolved while the team was on site, as well as recommendations for the future. while they found issues, they were resolved and the team found no malware on key point's system. however, then in september the hunt team informed key point that it had found indications of sophisticated malware, undetectable. the team provided key point with mitigation recommendations to remove the malware from our
10:50 am
environment and other recommendations for hardening its network to prevent future compromises. key point immediately began implementing the issues identified by us-cert, and concluded the malware was not functioning correctly because of errors. i recently attended a classified briefing at opm where i learned more about the opm breach and in the open setting i cannot go into details presented in that briefing. however, i can reiterate we have seen no evidence between the incursion of key point and we are always striving to make sure our defenses are as strong as possible. we have also been working closely with opm to improve our
10:51 am
information security posture in light of the new advanced persistent threats. we have been working diligently to make our systems more resilient and stronger by implementing the recommendations, and a number of the most significant improvements have been full deployment of the authentication, enhanced intrusion detection systems and network information, improved network segmentation and many more. we have been working with all of our customers to update our atos, and this includes an audit from an independent party. we will continue to fortify protections of our systems. our adversaries are constantly working to make new attacks against our systems. while it may be impossible to eliminate the threat of a cyber
10:52 am
attack, we will continue to evaluate our protections. thank you for drawing attention to this critical issue and allowing key point to share its perspective. >> thank you for your testimony. mr. giannetta, we will now recognize you for five minutes. >> thank you. my name is robert giannetta, and i am currently the chief information officer. i joined in august of 2013, and before then i was with bae systems and served in the united states navy. until august 2014 usis performed background investigation work for the united states office of personnel management. when i started working at usis, they would perform
10:53 am
background investigation work and were operating under two security systems which were issued from opm in 2012. those authorities to operate required annual review of the systems and opm's 2014 review included approval of the systems security plans and a site visit in may of 2014. in june 2014, usis immediately notified opm and initiated the comprehensive response plan per response to the plan. usis's responses included the investigations firm to lead the investigation and remediation efforts. usis instructed them to leave no
10:54 am
stone unturned in their investigation, and they invested thousands of personnel hours and dollars to remediate against the attack. those efforts succeeded in blocking the attacker. the stroz investigation was also able to develop significant technical details about how the attack occurred, what the attacker did within the systems and when data was compromised. this was shared with opm and other government agencies. in addition, usis invited investigators in and gave them full access. they ordered a stop work order and terminated the long-standing contractual relationship with the company. this led usis to bankruptcy. just yesterday i was invited to
10:55 am
testify before the committee and i will do my best to answer any questions you may have. >> i recognize myself. ms. archuleta, you have personally identifiable information for how many federal employees and retirees? >> we have -- >> move your microphone closer, please. >> we have 2.7 individuals who are full-time employees and 2.4 -- >> no, i asked you -- you have personally identifiable information for how many employees and retirees? >> the number i just gave you includes the number of employees and retirees, and personally identifiable information within the files depends on whether they have had a background investigation or whether -- >> how many records do you have? this is what i am trying to get
10:56 am
at. >> i will ask ms. seymour -- >> no, come on, you are the head of the agency and i want to ask you how many heads are at play here. >> i will get back to you -- >> no, no, this is what you wrote to the appropriations chairmen of the house and senate. you wrote, as a proprietor of sensitive data including personally identifiable information for 32 million federal employees and retirees, opm has an obligation to maintain cyber controls. you wrote that in february. are you here to tell me that information is all safe or is it potentially 32 million records that are at play here? >> as i mentioned to you earlier in my testimony, mr. chairman, we are reviewing the number and the scope of the breach and the impact -- >> so it could be as high as 32 million? is that right? >> i mentioned to you, i will not give a number that is not
10:57 am
completely accurate and as i mentioned in my testimony -- >> i am asking you for a range. we know it's a minimum of 4.2 million, but it could be as high as 32 million? >> i am not going to give you a number that i am not sure of. >> when they fill out the sf86, that would include other people identified within those forms, correct? >> that's correct, sir. >> do we know on average how many people are identified if you fill out an sf86, how many people -- >> i don't believe anybody has calculated an average. >> are you taking a look -- i am asking if you will take a sampling of records and understand how many other people are identified in those records. if you have 32 million employees and former employees in your database and they are also
10:58 am
identifying other individuals, i would like to know on average how many people that is. is that fair? >> we are not calculating on average, we are calculating on a very distinct and accurate number. >> when you asked for $32 million more in your budget request, it was because you had 32 million employees and former employees identified, correct? >> that -- the number of employees that we have, yes, we are asking for support for our cyber security -- >> do you have a complete inventory of databases and network devices -- >> we have as complete an inventory as we can, sir. that changes on a daily basis. >> changes on a daily basis?
10:59 am
you don't have it, do you? mr. mcfarland says it's not complete. >> his ig report was done in 2014. we have made significant progress in our i.t. program since then and we know where those are and we know the pii in them. >> to my members of the committee here, we have to move quickly. just having an inventory of what is at play here is key and the inspector general does not believe you when you say that. ms. archuleta, in 2014 opm became aware of an attack on its networks. i would like to enter into the record, a chinese attack, 2014.
11:00 am
did it result in a breach of security? >> on the march 2014 opm network, the adversary activity -- the data to that number, none was lost. >> i asked if there was a breach in security? >> there was activity that dated back to november of 2013 and with the forensics of that information, we found no pii was lost. >> i am asking you a broader question. did they have access to the personally identifiable information? >> i am not a forensic expert but we have the forensic team with us right here on this panel. >> in your perception, from your understanding, did they have access to the personnel information? >> we know there is adversarial activity