Politics & Public Policy Today, C-SPAN, July 6, 2015, 1:00pm-3:01pm EDT
1:00 pm
VA? I'm trying -- we're all concerned about what happened here and want to know the basic question of whether you're concerned and this thing was appropriate or not. >> So, as we know, the Office of Inspector General recently reviewed unauthorized commitments and the purchase card program. For those that were identified to the OIG, we did a 100% review of that sample and referred those to the head of contracting activity for review and ratification if appropriate. So that's where those are. Now, those were with respect to purchase card transactions above the micro-purchase threshold. So if they were identified as being, we didn't have the authority, the VA acquisition regulations go to 10k, right? Mr. Frye will tell you about that. If they were above the $10,000 authorization for fee care and were non-FAR based, one could
1:01 pm
logically say they probably require ratification. And if they require ratification, one could make an argument that they perhaps were not proper. >> Okay. I'll allow a colleague to pursue this, if they choose, because I'm out of time, and for the record I will ask Mr. Williamson what is knowable about the cost of purchasing this care without contract, $7 billion; do we know it or is it knowable? But I realize I don't have time now. We'll ask this question for the record and yield back to the chair. >> Thank you, Mr. O'Rourke. Now five minutes. >> Thank you, Mr. Chairman. I am aiming this in the direction of Mr. Murray and Boyle. Not sure which. There's a business in my district that supplies specialized shoes, diabetic shoes, to vets through the VA.
1:02 pm
However, this business didn't have a contract. In November of 2014, VISN 11 notified them that the custom orthotic appliance and related service released a request for proposals. The business filled out the paperwork and was denied for not meeting the minimum technical requirement of having a certified, not podiatrist but pedorthist, on staff. Who sets the requirements for the contracts? The main VA office? And the second question is, since this business did not have a contract, how do you think the VA was paying them for the services provided? >> Well -- >> Doesn't matter. >> I'll take that. >> Okay. >> One, I'll need to explore more the specifics of this case, but the requirements, if it was done by VISN 11, were done by the local contracting office that supports VISN 11 and works for me and my organization. They probably worked closely with the prosthetic folks in that VISN or at that medical center to develop the requirements. It is not set by the central
1:03 pm
office, I don't believe, in this particular case. Now, I don't know about the contract situation or not, but it is possible they were being bought under the micro-purchase threshold, $3,000, by the local prosthetic folks with the government purchase card. >> And I get to my follow-up question to that: the owner did say they would receive a purchase order that would have a credit card number on it and expiration date and couldn't purchase more than one set of shoes or inserts per time. My question is, when talking about this particular organization, it serviced about 200 veterans in my district and now can no longer do that. There really is no competitor, and when businesses that are highly specialized at serving veterans get stuck in this cycle in the VA in between, they're not setting rules. They're responding to an organization saying, yes, we'll join with you in partnership to provide specialized care. So it's harmful to the folks on the other end of this trying to comply, getting an RFP in the
1:04 pm
mail saying now you have to sign up for this. They've been providing this for a couple of years already and get thrown out because they didn't have a minimum certification, but it was okay and fine as long as they were being paid through the credit card number and the purchase order. It just -- don't you see an inequity in that, trying to keep service providers even available? They have no idea what you're doing and what's compliant and not compliant. >> I understand. Sounds like if they were doing repetitive orders with a purchase card, that is a split requirement, a logistical discernment. $3,000 in this case; a FAR-based contract should be in place. >> You can check this out for me if I give you the info, the personal info? >> Happy to do so, yes. >> I appreciate it. I yield back, Mr. Chairman, thanks. >> Thank you. Ms. Rice, you are recognized for five minutes. >> Thank you, Mr. Chairman. I feel like I missed something
1:05 pm
here. I'm trying to figure out why; maybe, Mr. Murray, you can answer this question. Why is there such a reluctance to apply FAR regulations when talking about non-VA care? If you can give that answer succinctly, because I have a lot of other questions. >> I don't sense there's a reluctance at, you know, the leadership levels. In fact, at the leadership levels that I see, PC3, Choice, provider agreements seem to be the preferred approach for providing care in the community. That specific -- if you want to delve into this I think that -- the chief acquisition officer, head of contracting activity for the health administration, might have some sense for why this is true or could be true in the field. >> All right. One of the things that we try to address, and try to do it with the legislative request that
1:06 pm
came in, we're not known as being the most streamlined and easiest to deal with. Bradstreet numbers, vendors have to do this, apply for federal contract wage statutes. There's a lot of additional activity to do business with the government. We tried to recognize with the legislation an order of precedence. We want to start with delivering and providing care in our VA medical centers. Next is with contracts. Next with agreements. Our last preference would be what has been termed the individual authorizations. So we want to have that as really kind of the backstop as we go through this priority hierarchy in providing care; we see that as the least preferred option, but one we don't want to take away from approximately 400,000 veterans that are being served by some of those small providers. >> Mr. Giddens, it's become a $7 billion backstop. Right?
1:07 pm
>> I don't know all seven of that; all seven, I believe, is for overall fee, and some happened through FAR and non-FAR. >> The problem -- >> I don't have the breakout. >> The problem is that there's no comprehensive auditing that has been done. I guess, Mr. Williamson, if you could, I mean -- what -- what I see a pattern of is either GAO or the inspector general saying here's a problem, here's how you fix it, and an intentional or negligent failure on the part of the VA to take recommendations and actually implement them. So can you just -- tell us what you've recommended the VA do, and where they are still lacking? >> Well, of course, as you know, we put VA on our high-risk list very recently, and part of the justification for that was that they are not implementing many of the recommendations. In fact, over 100
1:08 pm
recommendations we've made that VA has not implemented just in the health care area alone. So -- so -- there are 22 recommendations, and I don't want to use all your time up, but let me give you a couple of examples. One is, we recommended that VA keep track of wait times for -- for veterans that went to non-VA providers. They have not yet done that. We've talked to them about it. They still haven't done that. >> What's the reason for them not having done it? >> We don't really know. >> When you ask them, you tell them, how -- >> I think what they're looking at, they want to close a case from the time the veteran starts the process of getting an appointment to the time the claim's paid. They want to do that in 90 days and they are tracking that. But for some reason they're reluctant to track the 30 days.
1:09 pm
>> Why? >> Good question. I don't know that they've given us a great answer on that. >> What would be a good answer? Is there a good answer? >> They probably don't have the systems to do it. It takes a lot of work. It does. It does take some good data. But that's not a good reason necessarily for not doing it. >> Mr. Williamson, so you've laid out a blueprint for how the VA can improve, whether it's tracking wait times, doing better audits to see where these multibillion-dollar expenditures are going. And I guess -- what I -- and maybe there isn't an answer to this. That -- it seems to me that you have not been able to get any satisfactory answers as to why your recommendations have not been implemented, and maybe you're not the right person to answer this, but I don't know if anyone at the VA, I haven't heard Mr. Murray give an explanation why. So --
1:10 pm
>> Well, I think part of it is that it always comes back to the same issues no matter what program you're reviewing in VA. The data is often insufficient. The automated systems they have in many cases cannot produce the kinds of things they need. And it comes down to a lack of oversight, both at the local level and at the headquarters level, and time and time again. The claims processing problems we found on the emergency care for -- for non-service-connected veterans, same thing. >> The problem is that there will be no overall cultural shift at the VA unless there is meaningful oversight, whether talking about this issue or about how whistleblowers are treated, or anything else. And that's really at the heart of the problem. Isn't it? >> It comes down to accountability, and it's not there. >> Thank you, Mr. Williamson. I yield back, Mr. Chair.
1:11 pm
>> Thank you, Ms. Rice. Mr. Lamborn, you're recognized for five minutes. >> Thank you, Mr. Chairman, and I appreciate your leadership in pursuing yet another scandal, basically. Here it is June 1st. It's another month and we have another scandal. And it seems like the whole year has been like this, and I for one am getting sick and tired of it. Mr. Williamson, I'd like to ask you for some background in this whole issue. Whether we call the contracts illegal or just improper or non-compliant, what can go wrong when the VA doesn't follow the proper procedures as regards these contracts? Mr. Williamson? >> You're talking to me? >> Yeah. >> Oh, okay. I thought you were -- >> From a GAO perspective. >> You know, I'm not a lawyer or a procurement expert either, and
1:12 pm
I'm, in listening to what I've heard today from the VA witnesses, I'm a bit confused, because on one hand, you know, they say there's no impetus or reluctance to do a FAR-based for purchased product for non-VA providers; I think there is. Otherwise Mr. Frye would not have had the difficulty he's had. I think I would -- I would want to know, I would want to know what a FAR-based system would mean to accessible care for veterans, because the end game here is still providing high-quality, accessible and cost-effective care for veterans. And so if a remedy to solve the problem, if a FAR-based -- if it's determined that a FAR-based system should be used here, the remedy should, I would want to know how long will it take,
1:13 pm
in this process, for a purchased care contract to be executed, and what the process means. And I would want to know how it affects the accessibility to the care for veterans. Also, one thing we haven't mentioned yet is the whole idea of what it would mean for the acquisition workforce. When we did our clinical contract care work, we found that the contracting officers and the contracting officer representatives who do most of the legwork for the contracting officers already are stressed in terms of workload. If you increase that workload, you double it, tenfold, whatever, whatever it would mean to get a FAR-based system, then, you know, what would it mean in terms of budget for hiring new people and so on? I just don't know what a FAR-based system would do in terms of accessibility and the workforce, and that's what we need to know. >> What's interesting is the GAO
1:14 pm
identified six categories of problems that can arise when proper oversight is not provided by the VA: the type of provider care, credentialing and privileging, clinical practice standards, medical record documentation, business processes, and maybe the most important to me, access to care. So let me turn now to Mr. Frye. Would you agree that those six areas are called into question when proper procedures are not followed? >> Well, yeah, absolutely, and in addition to that, when federal contracts are required and you don't use them, there are terms and conditions that are completely missing from the contract. By federal statute, you're required to have terms and conditions. These include the termination for convenience, termination for default, the disputes clause, fair and reasonable price determination,
1:15 pm
just a whole host of issues, not -- not -- and probably even more important, in terms of health care, the safety and efficacy terms and conditions that are required to be followed by these specific contractors. Without those contracts, without a contract, without those terms and conditions, the contractor is free to do what he or she wants. >> Well, and that's -- that's my concern. And, Ms. Anderson, in regards to your statement earlier, I have to agree with you. The government is obligated to pay for services that are rendered, even if the proper foundation wasn't, you know -- the procedures weren't followed in soliciting those services. >> Thank you for the opportunity to respond to that. We were comparing a FAR-based contract and what it -- what it will take to become FAR compliant, and then to Mr.
1:16 pm
Williamson's point, to what end? What we really want is that it result in immediate care to the veteran. And I -- I -- I chaired a work group in July of 2014. And that work group was responsible, tasked with identifying measures and how do we become FAR compliant? We realized after three-hour weekly sessions over four months that there are lots of hurdles to overcome, not the least of which labor issues, consultation with labor, hiring, hiring a contracting officer workforce, estimate 600; then it's a -- how immediate can we really give the care at that point?
1:17 pm
Still, we need to go through the hurdles. So we quickly realized that we need to really begin aggressively pursuing legislation, and in aggressively pursuing legislation we, working with -- working with the Department of Labor, working with OMB, working with the Department of Justice, we -- >> Ma'am -- >> We've embedded in the legislation protections, credentialing, quality of care. >> Okay, ma'am. You're getting into another issue that is a very important issue, the proposal of legislation. My time is way over. I wanted to make the point: no one's arguing that the government should not pay these contracts. I'm concerned with what GAO and Mr. Frye identified, what can go wrong when the procedures are not followed. Mr. Chairman, thank you for your indulgence and I yield back. >> Now recognized for five minutes. >> Thank you, Mr. Chairman, and first of all, Mr. Lebonte, my
1:18 pm
deepest apologies for you, and what I understand, and you understand much more clearly, is that veterans' care is a zero-sum proposition. If one veteran doesn't receive the care they're entitled to and the best quality, then it's a failure. So your situation is unacceptable. The thing I encourage you on, and as I looked into this, is the tort issue. That's your recourse on this, and they will always try and throw barriers up, both in the private sector and in the public, but there are a lot of good folks out there that can help with that. So I would hope you would pursue that. >> Well, the efficacy of the tort program is that the VA essentially investigates themselves. I mean, their attorney acts as their investigator, which is -- >> Trust me, people win these, and what I'm saying is, if this was wrong, there are people out there to assist you. There are veteran attorneys that are veterans themselves, that their job is to try and help make this right. >> Yes, but the VA has a
1:19 pm
six-month start to coach witnesses where you're not allowed to file -- >> I agree. It's never easy. As you're sitting here listening to this, the issue for you is that all the rest of this is kind of irrelevant. The issue is what happened to you, and I would just say from your perspective, there's two things happening here. We're kind of at the 40,000-foot reform discussion here. My advice to you is to go down that road. Pursue that hard, where you can get redress for your -- >> What I'm doing now, and witnessing that that program is ineffective as far as VA investigating themselves. The VA attorney sends the information that I send the attorney/investigator to the actual hospital risk management coordinator, who then tells the privacy officer which records they need to keep, or manipulate or lose, and tells the department head how to coach their residents specifically to the legal matter. So I would say that recourse is ineffective and designed to
1:20 pm
protect the hospital's reputation rather than actually help the veteran. >> I wouldn't disagree with you; just, my -- there's folks to advocate with you. Stick with it. Veteran service organizations, others, so stick with it. >> Thank you. >> I'm going to move back to this again, our 40,000 foot, and I appreciate you all being here. And I'm going to, my colleague from New York, Ms. Rice, was hitting on this, Mr. Williamson. I've seen it before. GAO puts out 22 recommendations. What is the weight of a GAO recommendation? What does that do? >> Well, you are, because the Congress is, we report to the Congress and the Congress provides the leverage we need, and it's forums like this that we have that bring those things to light. >> Exactly. This is why, and, again, Mr. Murray, I could go down and ask some of these, but I don't think it was necessarily even a rhetorical question. I do think you're the wrong person to answer this. We're in this; this needs to be fixed
1:21 pm
and somebody needs to deal with this, but this is a much broader issue. It's a reform issue. The VA being all things for all people, and not to antagonize my chairman, this is the VA trying to build hospitals, trying to do everything for everybody, and I've been saying we need to have that discussion to figure out how do we best leverage both the private sector and the public sector so our promises to our veterans get quality care and do it in the most cost-effective manner? So we're here, I would argue, dealing with a very important issue, and it's very granular, and we're discussing inappropriate versus illegal, and they do matter. The bigger issue here is that if I would ask the questions, and again I don't think they're fair to you, Mr. Murray, is what should the VA be doing. How do we fix the contracting? What is the purpose? And Mr. Frye pointing out the holes in there, this is probably not the forum for that. So I appreciate you all being here.
1:22 pm
I don't question that we're all trying to get to the same point, but you heard Mr. Lebonte. This is what happens when you break faith. He doesn't believe anybody's going to get good care, and we can tell him countless stories of the highest quality health care delivered in the country by a VA hospital, and that would be irrelevant to him. I don't think we'll get there in the current system. I feel like, I'm confident your 22 recommendations will be recommended two years from now and we'll be trying to implement them, and that is a horrible condemnation of the entire process. >> They have implemented seven of them. >> Yeah, and it is. Again, it's not because of the motive, to not provide quality care. It goes back to the institutional spin and issues on culture we're trying to get to. That level over the top makes answering many of these questions very difficult. I thank you, Chairman, for your time. >> Well, again, Mr. Lebonte, I
1:23 pm
certainly apologize for your situation, and I think you personalize the problem in this contracting process. I'm stunned by the kind of bureaucratic incompetence, the corruption, the lack of leadership demonstrated here today, where what I've heard is, yeah, we had these rules, but they're really not important. The kind of lawlessness that exists in this department is just extraordinary. Mr. Frye, how do you -- what you heard here today was essentially, oh, splitting hairs. Oh, it's really kind of not improper. Oh, it's really not illegal, but we don't follow the law here, because we're somehow above the law. I mean, Mr. Frye, could you comment on what you've heard today? >> That's exactly right. Let's talk about those purchases above $10,000. They are using the same
1:24 pm
methodology above $10,000 that is used from $1 to $10,000. That authority has never existed. Every purchase, every acquisition of health care above $10,000 must have a FAR-based contract in place; it must be signed by a duly appointed contracting officer, and I will take issue with Ms. Anderson. We can't pay that unless it's been ratified by a contracting officer. Ratification is a requirement where a contracting officer must do an investigation. We can't liquidate that obligation willy-nilly, but we are. We're going ahead without doing ratifications, liquidating the obligation. Those are improper payments, by the way. Our own regulations and the GAO Red Book and other statutes state that we will not pay unauthorized commitments until they're ratified. We've done it wholesale. To my knowledge, not a single one of these requirements above
1:25 pm
$10,000 has ever been ratified, and we bought billions of dollars' worth of health care. If that isn't illegal, I don't know what is, but I guess we can parse words here. >> And Mr. Frye, is there anybody else in senior leadership besides yourself that actually cares about getting this right? >> It doesn't appear that there's anyone outside my organization that cares. I come to work every day and I watch this malfeasance. I watch this malpractice. You know? They've made a mockery of the federal acquisition system. The FAR has the same force and effect as the law. We all know that, those who are trained in its use, and certainly attorneys know that, and we're just ignoring it. This isn't done in any other government agency. If you bring other government agencies' senior procurement executives or chief acquisition officers, you wouldn't get this same story. This is another example of us trying to blow smoke up your sleeve. >> Secretary McDonald, just a
1:26 pm
placeholder? I don't sense he's working to make a difference here. Does he care? >> I hope Secretary McDonald cares. Again, I think Secretary McDonald dislikes these scandals, this malfeasance, more than anybody else, because he's got a very short window here to move the VA forward, and, again, he moves us two steps forward and we move 12 steps backwards every time one of these scandals arises. >> Thank you. Ranking Member Kuster, recognized five minutes. >> Mr. Frye, let me follow up on this. If every single one of these contracts was FAR-qualified, or whatever the verb would be, what would the time commitment and cost to the VA be for that process? >> Thank you for asking that question. So from $1 to $10,000 we have a non-FAR compliant, however it is
1:27 pm
FAR-based, system in place. It's like falling off a rock. It's non-FAR compliant. The appropriate terms and conditions are in that contract. It is simply a -- a process where authorized personnel, not contracting officers, sign this document, and they're on their way to the doctors. It's not hard at all. And it's been this way for years. Now, we all recognize, including counsel, that it is not compliant with the FAR, and so a year ago, in July, we began a four-month effort to bring it into compliance, but in November, after all of that effort, Veterans Health Administration summarily rejected it. It didn't go far enough for them, even though it was FAR-compliant. So -- >> But that's my concern, is that we've heard from my colleague Ms. Walorski that a company that had been providing services, obviously somebody drew attention to that. They didn't have a contract. They tried to go through a
1:28 pm
contract, but, in fact, the process was so burdensome, what ended up happening was that the veterans didn't get the podiatry they needed because that company was disqualified. There was no other company available. So I want to try to understand how do we get from here; I recognize the problem. I agree with you, we've got a problem. How do we get from here to veterans all across the country getting timely care in a cost-efficient, high-quality manner? >> Sure. And I -- I realize there are issues sometimes with veterans getting care, no matter what system we have, whether it's in the VA hospital -- >> But would you agree there's an added cost for all of this administrative procedure on top? I mean, I'm not -- I'm not condoning it. I'm just asking you. >> I have no idea if there's an added cost, but I tell you this, there is a requirement -- >> -- talked about 600 additional people? >> Under the act to do it.
1:29 pm
>> I understand the requirement. I'm not asking you about the requirement. That's up to us. >> Right. >> What I'm asking you is, what is the cost to the system for each one of these authorizations to be compliant? >> You're asking the wrong person. You'd have to ask the program officials. >> Do you -- agree that there is a cost? That there's potential delay, there's administrative procedure that has to go on, there are individuals that have to be involved? Do you agree? >> I agree there's a cost using any system, federal acquisition or any other system. I'm ambivalent if the Federal Acquisition Regulation wasn't used. That's fine. But we have to have a system. We can't just spend money like drunken sailors, willy-nilly. If you're going to have a non-FAR system, put a non-FAR system in place. Let's go through the rule-making process at OMB,
1:30 pm
promulgate the rules and let's comply with the rules. Simple as that. >> What do you think is the correct dollar amount that we would have, the balance of being able to supervise contracts but not have every last paper clip be covered by this contractual obligation? >> Again, I have no idea. I'm not a program official, but we have PC3; it's a FAR-based contract, providing specialty care, and goes up into the hundreds of thousands of dollars, and veterans are getting care every day using PC3. >> And do all providers in the PC3 network have a FAR-based contract? >> Have a what contract? >> A FAR-approved contract? >> If they're in -- >> Even in a rural area like I'm in? >> No. There are some rural areas, for instance, another FAR-based contract which you're familiar with called ARCH. I'm not that familiar with it
1:31 pm
because I'm not a program official. But I know it exists because of care that's required out in rural areas. >> So, my time is nearly up, but I think what I'm interested in going forward is, let's separate out the ones that are possible. I'd like to hear more about the PC3 FAR-based contracts, and then not chase every last one down a rabbit hole with 600 new employees, but let's try to use a public/private arrangement, because I know it's expensive. I've been in health care the past 25 years. It's expensive to supervise these contracts. We're going to have to get to the bottom of it. So thank you. >> You're recognized five minutes. >> Thank you, Mr. Chairman. Mr. Murray, I have a question or two for you. I want to ask you about the proposed legislation that the VA has come up with, and I think Ms.
1:32 pm
Anderson made reference to it. Basically to let VA off the hook, saying you don't have to follow FAR anymore for these kinds of contracts. It really bothers me, because one of the potential abuses that can happen when FAR or something the equivalent of FAR is not followed is that there's a potential for cronyism, or higher prices. It's sort of like sole-sourcing of contracts, and the taxpayer isn't given the benefit of competing bids and that kind of thing. Would you agree with me that the legislation -- or -- I won't put it that way. Are you concerned that the legislation VA is proposing could allow for those problems to arise? >> I am, and I'm concerned about that sort of thing, fraud, cronyism, paying more than you should, across programs, whether
1:33 pm
it's travel or conference spending, or whether it's payroll. Got a major initiative to make sure we, you know, payroll is where it needs to be in terms of controls. So absolutely. That is why it's so important that controls that we suggested, and perhaps more, are required in these, in this legislation, be implemented. You know? Reviews, the control that I'm intrigued with is that we review these individual authorizations to see if they pass a threshold, $1 million annually, and think right away maybe this needs to be FAR-based. We're doing a lot of this, for instance. >> Well, but the specific language that concerns me in the proposed bill says "health care can be awarded without regard to any law that would otherwise require the use of competitive
1:34 pm
procedures for furnishing of care and services." So to me that opens the door for potential cronyism. Mr. Frye, would you like to comment on that, that same question? >> Well, that piece disturbs me as well, but I think in the background there may be some additional information; counsel down at the end of the table was involved in putting that together, but certainly, again, if you give us legislation that allows us to do something besides the FAR, I'm ambivalent, but we've got to develop those rules, go through the rulemaking process, put those rules in place, and then we have to enforce the rules and hold people accountable. We don't hold people accountable for anything right now. You know, we come down here. I read the newspapers every day. Chairman Miller says, you know, why aren't things working? Why aren't -- why don't we follow the rules? Because no one's held accountable. No one. No one has been held accountable
1:35 pm
at all for these violations of regulations and law in the course of events with these obligations for fee-basis care, and I suspect no one will ever be held accountable. There are hundreds of thousands of these transactions that should have been ratified. There are billions of dollars that have been spent, and we'll just sweep it under the carpet. >> Well, I'm -- truly concerned about that, Mr. Chairman. I regard your leadership on this issue and I yield back. >> Thank you. Mr. O'Rourke, you're recognized for five minutes. Oh. Ms. Rice, you're recognized five minutes. >> Thank you, Mr. Chairman. Mr. Williamson, I want to follow up on Ms. Kuster's line of questions in terms of the VA's position that was stated previously, that following FAR would impact a large number of veterans by compromising immediate access to care in our
1:36 pm
community providers. Forgive me if this was already spoken about, but do you share that? >> I share, it's very much of a concern. Again, unless I know more about how a FAR-based system would work for purchased care for non-VA providers and I know how long that takes to execute these contracts, I can't give you an answer. If I had that, I would -- but my concern is that it's going to take a longer period of time to do, and in the meantime, that veteran, the access that that veteran has to that non-VA provider is going to be degraded. >> So -- we have to figure out a way to -- either not have FAR apply. Right? And implement your
1:37 pm
recommendations. >> But whether our recommendation on that particular aspect. But, you know, I'm listening to all of the dialogue here, and I think that whatever -- we have to know some facts first about how such a system would work and then -- >> Where can you get those facts from? >> What? >> Where can you get those facts from? >> Well, first of all, for the care that's given, and by the way, PC3, if 80% of the veterans used the PC3 network of providers, it would solve a lot of your problem. But they don't. A very minute number currently use it, for a lot of reasons. In any case. >> You think that's the answer? Could be one of the answers here? >> Well, it's one of the answers. Essentially it is. It is. And certainly it is. For every other form of care, you have the issue of FAR-based, whether we're doing it illegally
1:38 pm
or not. but the remedy has to be, once you know the answer to the question for clarity not only on the accessible care issue but also the cost, because i think that the impact on the acquisition work force in va would be -- potentially quite a bit more, in terms of having to hire more people. but you have to get the answers first and i haven't heard it here. >> well, that's the problem at these hearings. a lot of questions are asked and very few answers actually are received. thank you. i yield back. >> can i follow on to your question, please? >> mr. chairman? sure. >> so -- i find myself in complete agreement with mr. williamson that we have to balance this need for access and provide the right structure that represents the interests of the taxpayer. it's balancing what's going for veterans and taxpayer.
1:39 pm
how do we look at that? i own that for the department. i am going to work to put that together. i would love to meet with the committee and/or the staff as we do this and get your input, but i have to find a way to allow us to balance this, meet the needs of the veteran, manage their access while at the same time representing the interests of the taxpayer and recognizing the federal acquisition regulations and all appropriate laws. i own that for the department. >> well, thank you for that offer. >> well, i'd like to thank the witnesses. you are now excused. and let me just say, it really doesn't matter how the system's changed, because if you're not going to follow whatever system's there, because if you don't have the discipline, don't have the leadership, it really just doesn't matter. i mean at the end of the day there's got to be a rule of law and this is just -- i think some of the witnesses today just, you know, really
1:40 pm
demonstrated how lawless this organization is. you're now excused. today we have had a chance to hear about problems that exist within the department of veterans affairs, with regard to oversight of its non-va health programs. this hearing was established to accomplish three things: one, examine continuing widespread problems with procurement of non-va health care; two, allow va to provide answers as to why these problems still exist and have been allowed to continue for so long; and three, to assess next steps that must be taken by the department in order to stem the continued waste of taxpayer dollars and jeopardized services provided to veterans. i ask unanimous consent all members have five legislative days to extend and revise remarks. without objection, so ordered. i would like to once again thank all of our witnesses and
1:41 pm
audience members for joining us at today's conversation. with that, this hearing is now adjourned. president obama heads to the pentagon today for a briefing from his national security team on u.s. strategy against isis. he'll be making a statement just before 4:00 p.m. eastern time. you'll be able to watch it live on c-span. congress returns tomorrow from its fourth of july break. this week the house plans to continue and to finish up work on a bill to fund the interior department, the epa and other related agencies. also on the house's agenda, a bill making changes to no child left behind, among them allowing states to set their own accountability standards. the u.s. senate is also back tomorrow working on a separate proposal dealing with no child left behind, giving states more authority to determine how much weight to give to standardized test scores, and a confirmation vote scheduled later in the day for a federal circuit court judge. see the house live on c-span.
1:42 pm
the senate live on c-span2. office of personnel management director katherine archuleta recently revealed two recent opm data breaches. in one, a hacker gained access to opm records with a credential used by a federal contractor, and she doesn't believe anybody at her agency is personally responsible for the cyber attacks. the first breach, disclosed june 4th, impacted an estimated 4.2 million federal workers. opm has yet to determine how many people were impacted by a second data breach. she and other witnesses testified before a senate subcommittee. the hearing will come to order. the massive breach of opm systems may have been the most devastating cyber security attack in our nation's history. unfortunately, while the news reports about these incidents have been shocking, they should not be surprising.
1:43 pm
the opm incident follows several across government and is only the latest example of the federal government's inability to protect itself from cyber security threats. today's hearing before the subcommittee on financial services and general government is intended to elicit further information about the recent opm data breaches and a time to discuss the enormous challenges facing the federal government as it attempts to ensure that this does not happen again. the government spends approximately $82 billion a year on information technology. given the cost of these projects and their impact on our economy and the national security, members of the subcommittee have an ongoing commitment to conduct oversight. we must ensure that hard-earned tax dollars of millions of americans are being spent wisely and effectively. just last year the subcommittee held a hearing with opm director archuleta, former cio steve van
1:44 pm
roekel, former gsa administrator dan tangherlini and director of i.t. management david powner. given enormous resources and important security issues at stake, the subcommittee considered it imperative omb and federal agencies appropriately manage these projects. we are all well aware of examples of projects that ended in spectacular failure, as with the initial rollout of healthcare.gov. while that crisis makes news, we should also be troubled by the accounts that don't grab headlines, including initiatives with ongoing costs that grow year after year without demonstrating effective results or sufficient security. we must have safeguards in place to ensure that oversight of these projects is consistent, that problems are anticipated before they occur and, most importantly, that someone is actually accountable and responsible. all too often large complex i.t.
1:45 pm
projects drag on for years, outlasting the administration that administered them and the employees responsible for managing them. in the bill alone, billions spent on tax system modernization at the internal revenue service, work that has been continued for decades and is still incomplete. even for projects now on track, past problems generate millions in additional costs and years of delay. and as we have seen recently at irs, and once again with the opm breach, both of which have compromised the personal data of millions of americans, billions of federal dollars spent are no guarantee of security. across the government, i.t. projects too frequently go over budget, fall behind schedule and do not deliver value to taxpayers. responsibility for oversight is often fragmented throughout the agency owning the project and omb does not conduct appropriate review and management.
1:46 pm
whether issues related to program requirements, performance, spending or security, lots of people are involved, but often no clear lines of accountability are drawn. what happened at opm is devastating. millions of americans and their families and friends have been affected. giving those impacted limited free credit monitoring and identity theft insurance will not be enough to address the long-term consequences that we may see for years to come. but also troubling is the knowledge opm is the most recent example of the government's systemic failure to protect itself. according to gao, we should have serious concerns for the future. the number of information security incidents reported has exploded in recent years. constant vigilance is required and gao found that government systems may not be prepared for the job. 19 of 24 major federal agencies have reported deficiencies in
1:47 pm
information security controls. the ig at 23 of those agencies cited information security as a major management challenge. how many headlines of serious data breaches will it take to implement the steps necessary to protect ourselves? and at what point do some in washington recognize that growing the bureaucracy without successfully governing is a recipe for this type of disaster? the obama administration views the federal government as capable of tackling almost every problem the nation faces, yet while attempting to grow the size and scope of the federal government at every turn, the administration fails to follow through on the tasks it is responsible for. if you bounce from one bigger government solution to another without carrying out your basic responsibilities, this is what happens. it's easy to suggest more money is the solution. that seems to be the response the administration leans on every time there's a problem, but it is often the wrong choice.
1:48 pm
especially in situations like this where it appears that the problem is something much greater than a lack of resources. the american people have lost faith in their institutions. the last thing they will do is trust washington to solve a problem when it can't even protect the personal information of those it employs. there needs to be a dramatic change in the status quo. what i hope to hear from witnesses today is not the same stale line that more money is needed, but an explanation why the federal government failed to do the basic job of protecting personal data of millions of employees with the vast resources that it already has in hand, what opm is doing right now to resolve this problem, and what is being done to ensure that we are prepared for the next attack. i hope with your help we can learn from this incident and identify ways to improve and protect our security. i appreciate the interest of all of my colleagues and shared commitment to doing what we can to work together to try and
1:49 pm
address this so important issue. we cannot afford not to. senator coons? >> thank you, chairman boozman. i'd like to welcome our witnesses, opm director katherine archuleta, michael esser and irs chief information officer richard spires. we are here today, as the chairman laid out, to review information technology spending and data security at the office of personnel management. as part of that review we need to discuss recent cyber security attacks that put federal employee information and our national security at real risk. we also need to address the late-breaking inspector general audit that expresses concerns about opm's i.t. modernization project. while we conduct the subcommittee's oversight of opm and its spending and response, i urge us to put it in the context of larger cyber security challenges that face our government and society as a whole, and progress or lack thereof by congress in strengthening our nation's cyber defenses and in providing needed funding for
1:50 pm
federal cyber security and i.t. initiatives. regarding the cyber incidents at opm, one breach involved personal data of roughly 4 million federal employees. during the breach investigation, investigators found another intrusion where information from background investigations was allegedly stolen. i understand opm only recently became aware of the security clearance theft and that the investigation is still underway. so while we may be limited in exactly what we can discuss in this context, i'm very hopeful we can have a productive and ongoing conversation. the fact these security breaches happened is frankly terrible. they force us to grapple with the reality that in our interconnected world we're more vulnerable than ever and we need to do more to protect our public employees' vital personal information from foreign attackers. after we've investigated why these cyber attacks were able to break through, we need to be willing to do what's necessary to ensure they don't happen again. these attacks don't just compromise the information of millions of federal employees,
1:51 pm
but our nation's security as well. it's further troubling the i.g. office found opm had not complied with the federal information security management act, which mandates information security requirements for all federal agencies. while opm has made recent improvements, we need to remain vigilant. both director archuleta and the opm cio have only been on the job roughly a year and a half and to their credit they've made i.t. security a priority. they need to clearly understand the job is not done. opm indicated to the subcommittee most of its i.t. security systems are aged and at the end of their useful life; security patches are no longer provided by the original vendor. in fiscal year 2014 opm began a three-year modernization and is seeking a third installment of $21 million to complete that project this year. we have to understand that without that funding the investments of the previous two years can't be meaningfully completed. i hope opm's representatives
1:52 pm
will speak to these assertions directly here today. last, i just wanted to emphasize i think we need to prevent another round of sequestration. opm's fy16 budget request includes a $32 million increase over this year's level, virtually all of it to address i.t. and infrastructure improvements. sequestration could critically threaten those investments and the livelihoods of our employees. some of these cuts might be in the short term, but they could have serious long-term impacts, and i think we need to work together to ensure our federal agencies are prepared as best they can be against cyber threats. the federal government is at constant threat of cyber attacks. it successfully wards off millions of attempted attacks every year. i think we need to work together to protect the nation's economic and national security interests by coming together to deal with these vital cyber security issues. chairman boozman, thank you for holding this hearing and i'm eager to continue to work together as we consider the needs of our federal agencies in combating cyber threats.
1:53 pm
>> mr. chairman, may i just have a few comments. >> you can comment all that you like. >> first of all, mr. chairman, i really want to thank you for your leadership in convening this hearing. i think america wants to know, certainly our federal employees want to know, what happened and what is the impact on them and what is the impact on the nation. i would strongly recommend to the chair that after this hearing and then also the briefing we'll receive this afternoon, the chair and the ranking member consider having a classified briefing because, as a member of both the intel committee and someone who's been involved on this, there are things that are best discussed that you need to know for your responsibilities in a setting. and we would be -- and senator cochran and i would be happy to cooperate with you in establishing that. because it needs to be -- you'll know more this afternoon. the second point is what has happened at
1:54 pm
opm and also what happened to the breaches at the army shows that this is a serious national issue. it affects not only opm but every agency. and also shows that national security and its impact is not going to reach. mr. chairman, i'm also going to remind the committee or bring to their attention we tried to deal with this in 2012 under the leadership of senator lieberman. there was a bipartisan effort to have a cyber security bill that dealt with new authorities for key agencies to establish critical infrastructure, create sharing both dot-gov and dot-com, and giving dhs authority to unite federal authorities of all government to have both the authorities to make sure they have the resources to know how to do the right job.
1:55 pm
exactly what you're saying, sir, let's not just throw money at it. let's get value and security for the dollar. that was stopped because the chamber of commerce established a massive lobbying campaign because they were worried we would overregulate. well, we are where we are. we need to do a lot of work. we had a bipartisan study group. they had people like blunt, coats, collins, those of us on intel. maybe we need to resurrect that because it's opm today, it will be another agency tomorrow. we've got to make sure our cyber shields are up, we're fit for our people. so i just wanted to refresh everybody on that. and of course my federal employees need to know what happened, how do they protect themselves. and we need to know how to protect america. so thank you, mr. chair. >> thank you, senator.
1:56 pm
i think the suggestion of the classified briefing is an excellent one. and also this is not a partisan issue. this is something that's been going on for a long, long time. we have three witnesses appearing before us today. katherine archuleta, director of the office of personnel management. michael esser, assistant i.g. for audits at opm. and richard spires, ceo of resilient network systems and former chief information officer at dhs and irs. director archuleta, i invite you to present your testimony. >> chairman boozman, ranking member and members of the subcommittee, government and nongovernment entities are under constant attack by evolving and advanced persistent threats and criminal actors. these adversaries are sophisticated, well-funded and focused.
1:57 pm
unfortunately these attacks will not stop. if anything they will increase. although opm has taken significant steps to meet our responsibility to secure personnel data, it is clear opm needs to accelerate these efforts, not only for those individuals personally but also as a matter of national security. my goal as director is to leverage cyber security best practices and protect the sensitive information entrusted to the agency, modernizing our i.t. infrastructure to better confront emerging threats and to meet our mission and our customer service expectations. opm has undertaken an aggressive effort to update its cyber security. we committed nearly $67 million
1:58 pm
toward shoring up our i.t. infrastructure. in june of 2014 we began to completely redesign our current network while also protecting our legacy network. these projects are ongoing, on schedule and on budget. we implemented state-of-the-art practices, such as additional firewalls, two-factor authentication for remote access, and limited privilege access rights. we are also increasing the types of methods utilized to encrypt our data. as a result of these efforts, in april of 2015 an intrusion that predated the adoption of these security controls affecting opm's i.t. systems and data was detected by our new cyber
1:59 pm
security tools. opm immediately contacted dhs and the fbi, and together we initiated an investigation to determine the scope and the impact of the intrusion. in early may the interagency incident response team shared with relevant agencies that the exposure of personnel records had occurred. in early june, opm informed congress and the public that notifications would be sent to affected individuals beginning on june 8th through june 19th. we are continuing to learn more about the systems that contributed to individuals' data potentially being compromised. for example, we have now confirmed that any federal employee from across all
2:00 pm
branches of government whose organization submitted service history records to opm may have been compromised, even if their full personnel file is not stored in opm's system. these individuals were included in the previously identified population of approximately 4 million current and former federal employees and have been included in the notification. later in may the interagency incident response team concluded that additional systems were likely compromised. this separate incident, which also predated the development of our new security tools and capabilities, continues to be investigated by opm and our interagency partners. based on this continuing investigation, in early june the interagency response team
2:01 pm
shared with relevant agencies that there was a high degree of confidence that opm's systems related to background investigations of current, former and prospective federal government employees, and those for whom a federal background investigation was conducted, may have been compromised. while we have not yet determined its scope and its impact, we are committed to notifying those individuals whose information may have been compromised as soon as practicable. but for the fact that opm implemented new, more stringent security tools in its environment, we would never have known that malicious activity had previously existed in the network. in response to these incidents, opm, working with our partners at dhs, has immediately implemented
2:02 pm
additional security measures to protect the sensitive information we manage. we continue to execute our aggressive plan to modernize opm's platform and bolster security tools. we are on target to finish a completely new, modern information security environment by the end of fiscal year 15, which will eventually replace our legacy network. opm's 2016 budget request included an additional $21 million above 2015 funding levels to further support the modernization of our i.t. infrastructure, which is critical to protecting data from the persistent adversaries we face. this funding will help sustain the network security upgrades and maintenance initiated in fiscal years 14 and 15 to
2:03 pm
improve opm's cyber posture, including advanced tools such as database encryption and stronger firewalls and storage devices. we discovered these intrusions because of our increased efforts in the last 18 months to improve cyber security at opm, not despite them. i am dedicated to ensuring opm does everything in its power to protect the federal work force and to ensure that our systems will have the best security posture the government can provide. thank you and i appreciate the opportunity to testify today. i am happy to address any questions you may have. >> mr. esser. >> chairman boozman, ranking
2:04 pm
member. i'm the assistant inspector general at the u.s. office of personnel management. thank you for inviting me to testify in today's hearing on the audit work performed by the opm office of inspector general. >> can you put your mic on? >> it's on. >> just pull it closer then. >> today i will be discussing opm's long history of systemic failures to properly manage its i.t. infrastructure, which we believe may have ultimately led to the breaches we are discussing today, as well as issues related to opm's current i.t. modernization project. there are three primary areas of concern that we have identified through our audits during the past several years: information security governance, security assessment and authorization, and technical security controls. information security governance is the management structure and
2:05 pm
processes that form the foundation of a successful security program. for many years opm operated in a decentralized manner, with the agency's program offices managing their i.t. systems. this decentralized structure had a negative impact upon opm's i.t. security posture and all of our fisma audits between 2007 and 2013 identified this as a serious concern. by 2014 steps taken by opm to centralize i.t. security responsibility with the cio had resulted in many improvements. however, it is apparent that the ocio is still negatively impacted by the many years of decentralization. the second concern is security assessments and authorization. this process includes a comprehensive assessment of each i.t. system to ensure that it meets the applicable security standards before allowing the
2:06 pm
system to operate. we identified problems related to system authorizations in 2010 and 2011 but removed it as an audit concern in 2012. however, problems with opm's system authorizations have reappeared. in 2014, 21 opm systems were due to receive a new authorization; 11 were not authorized by year end. in addition, the ocio has recently put authorization efforts on hold until it completes the current modernization project. this action to extend authorizations is contrary to omb guidance, which specifically states that an extended or interim authorization is not valid. it is also worth noting omb no longer requires systems to be authorized every three years, but that is assuming agencies have implemented a mature continuous monitoring program. our fisma audit determined that opm does not have a mature
2:07 pm
program and therefore we still expect opm systems to have current authorizations. the third concern relates to opm's use of technical security controls. opm has implemented a variety of controls and tools to make the agency's i.t. systems more secure. while this is obviously a positive step, we are concerned that these tools are not being implemented properly and do not cover the entire technical infrastructure, as we found that opm does not have an accurate centralized inventory of all servers and databases. even if all the security tools were being used properly, opm cannot fully defend its network without a comprehensive list of assets. also, there has been much discussion of the difficulty in securing opm's systems as they are old legacy systems. while this is true in many cases, and many of opm's systems are mainframe based, it is our understanding that some of the systems impacted by the breaches
2:08 pm
are in fact modern systems for which most of the technical improvements necessary to secure them could be accomplished. in addition to the issues identified in our audits, i would also like to briefly address opm's i.t. modernization project, which will overhaul its entire infrastructure and migrate all systems to a new data center environment. we recently issued a flash audit alert discussing this project and our concerns related to project management and the use of a sole source contract for the duration of the effort. one area of significant concern that we identified is that opm does not have a dedicated funding source for the entire project. its estimate of $93 million includes only the initial phases of the project. the $93 million estimate does not include the cost of
2:09 pm
migrating 50 major systems to this new shell environment, and the cost of that work is likely to be substantial, and the lack of a dedicated funding source increases the risk that the project will fail to meet its objectives. in closing, it is clear opm has a great deal of work to do to strengthen its security posture. we fully support the concept of the project, but for a task of this magnitude it's imperative they follow solid management practices to provide the project the best chance for success. thank you for your time and i am happy to answer any questions you may have. >> thank you. mr. spires. >> good morning, chairman and ranking member and members of the subcommittee. i am honored to testify today and i hope my experience is
2:10 pm
valued regarding the recommendations i will make on how the federal government can more effectively safeguard data and improve its cyber security posture. most federal government agencies find themselves susceptible to data breaches to core i.t. systems because of three primary causes. first, lack of i.t. management practices. the best defense is the result of managing your i.t. infrastructure and applications well. but beginning in the 1990s and up to the present, the federal government has not properly managed i.t., having failed to effectively adapt with the changes in i.t. technology and the evolving cyber security threat. as an example of the failures, when i served in government we would all too routinely discover i.t. systems outside of the i.t. organization's purview that had been deployed without the proper testing and accreditation.
2:11 pm
the approach across government, and i would point out mr. esser in his testimony already referred to the decentralization within the opm environment itself, has led to the deployment to data centers and struggle with managing and maintaining this dispersed infrastructure and systems. the resulting complexity of vastly different systems and underlying different i.t. infrastructures makes it impossible to secure such an environment. second, lack of i.t. best security practices. while well-intentioned and appropriate for the time, the 2002 act skewed the approach for government i.t. security. it looks at the controls for individual systems when in reality viewing systems in isolation hid the impact of the larger enterprise security
2:12 pm
posture. further, until recently, systems would be certified and accredited based on a three-year cycle, which is a significant issue when looking at the rapid evolution of technology in the cyber threat environment. third, a slow and cumbersome acquisition process. when i was at dhs i was a proponent of the continuous diagnostics and mitigation, or cdm, program. but it is dismaying to see how long it took, two-plus years, just to implement phase one. that doesn't include the additional competitive process for an agency to attain capabilities. sophisticated adversaries will exploit any and all vulnerabilities and the government is more vulnerable when it takes months if not years to deploy new i.t. security capabilities. my recommendations to address these root causes. first, effectively implement the
2:13 pm
law that is meant to address the systemic problems in managing i.t. effectively, and the main intent of the law is to empower the agency cio to address these issues. so far i'm pleased with the new federal cio tony scott for taking the supports rule out. congress can support these efforts by demanding aggressive implementation of fitara by different agencies, and development of measures for assessing impact and transparency in reporting ongoing progress. effective implementation of the management. second, derive a positive movement with the updated law and the move for continuous monitoring, yet i recommend the government rethink how it is measuring success with focus along three lines.
2:14 pm
there is a continuing need to have security tools to prevent intrusions and, more importantly, detect them when intrusions do occur. yet the government needs to assume that sophisticated adversaries will still gain access. the root of all trust is verified identity and the government needs to step back and rethink how it is rapidly implementing ubiquitous use of identification along with behavioral detection systems to identify insider threats or compromised credentials. finally, the government needs to target protection of an agency's information. through focused effort and use of available data protection technologies, the government can attain high assurance that only the trusted parties have access to an agency's most sensitive information. this would go a long way towards thwarting additional major and damaging data breaches.
2:15 pm
certainly the data breaches at opm are terrible for the government and for those millions of us that may be negatively impacted in the future. however, this episode and the need to implement fitara and the new law could be needed for sustained change. it's critical to make enough progress to ensure the commitment to the needed changes in i.t. security is sustained into the next congress and administration. thank you for the opportunity to testify today. >> thank you, mr. spires, for your testimony. at this time we are going to proceed to our questioning. in fact we had planned on proceeding to our questioning where each senator will have seven minutes and i hope we have time to accommodate two rounds of questioning. we have a vote that's called right now. it's only one vote. so what we'd like to do is go
2:16 pm
ahead and suspend, run and vote and come back and start immediately with the question period. so with that we will do that. the committee will come to order. again, i apologize for the delay. the only thing we have to do around here is vote. so there's just no way of knowing; you schedule these things and certainly that trumps everything, which it should. director archuleta, according to
2:17 pm
news reports about the second opm breach pertaining to opm's clearance security systems hackers had access to data for a year. these systems contain personal family and financial information for current, former and prospective federal employees and contractors. will a notification be provided to individuals who were compromised in the latest breach? >> yes, sir. we are working on determining the scope of that breach even as we speak. and as we determine that, at the same time we are developing a notification process to reach those individuals. we are taking into account what we've learned from the first notification and looking at the wide range of options we would have in that notification process. >> will notifications be provided to family members and other individuals whose information was contained in the security clearance system solely due to their relationship with
2:18 pm
the security applicant? >> sir i can say we're taking into consideration all of the individuals that were affected by this breach. and as that notification plan is developed, i would welcome the opportunity to come up and detail it for you. >> how did you decide that 18 months of credit monitoring and identity theft insurance is sufficient protection for affected federal employees? >> this is an industry best practice. we are again the second notification to really examine that to see what the range of options may be. >> will opm offer the same protection to individuals whose information was stored on security clearance databases? or does this heightened level of compromised information warrant additional protections? >> again, sir, this is what we're looking at with our partners across government to make sure that we examine the wide range of options that we need to consider. >> what additional steps do you plan to take to protect the victims given the long-term
2:19 pm
effects these breaches pose? >> we are looking at not only the notification but also looking at the steps we can take to protect their data. i am as upset as they are about what happened and what these perpetrators have done with our data. so we are examining not only the notifications but also the protections and remedies we must put in place. >> those are important questions. those are the kind of things we're getting from our federal workers. i know you'll have a lot more other questions related to that. but it's so important we try and get information to those that have been affected. >> i understand. mr. spires, the administration has ordered a 30-day sprint to patch security holes. is 30 days sufficient time to correct more than a decade of negligent systems and failed attempts at modernization? >> i'm sure you wouldn't be
2:20 pm
surprised for me to say no it is not sufficient time. the situation we find ourselves in, i think it is a good thing though to put in place a process by which planning should take place to put us in a much better posture. >> as we get into the -- into these things mr. spires mr. esser, do you expect us to find significant problems as far as breaches with the other agencies? >> well, first i would say you will find significant problems with them not following i.t. best security practices including fisma. not that that alone would necessarily indicate breaches, but given the situation we find ourselves in across most federal agencies, i would expect you to find significant breaches.
2:21 pm
yes. >> mr. esser. >> i would concur with mr. spires. we've been seeing breach after breach this year health insurance companies background investigation, contractors and government entities. it would not surprise me to see more. >> okay. mr. spires, again, looking at the scope of the problem how long do you feel like it will take the government, you know, to actually do the things we need to protect ourselves from these outside threats? >> let me say i think we should take a -- an ordered approach to this problem. so in my mind what agencies should first be doing is identifying the sensitive data sets that they have and putting those in some type of bucketed priority order. and then coming up with plans to protect those sensitive data sets. and the reason i say it that way
2:22 pm
is to think we can go into these large agencies that have as i said decades of mismanagement and of essentially decentralized i.t., and fix that quickly i think is just naive. so this notion of doing it by protecting the sensitive data sets, both with -- and there are data technologies today and encryption technologies that do that, at the data set or document level. and then you have to worry about the identity problem. it does no good if you've encrypted the data but then the credentials of someone that can get to the data have been compromised, right? so you also need to work on the identity problem. that's where things like multifactor authentication models come in. which by the way there's many new technologies that make this much faster and easier to roll out than it was four or five years ago. also, this notion that says even if someone has been authenticated and authorized, that doesn't necessarily mean their behavior is correct, right? the insider threat problem.
2:23 pm
we have to watch that. so this notion of starting to bring in behavioral detection systems are ways in which we can monitor the behavior particularly of privileged users. those that have root access to the systems and to the data are the ones that need to -- frankly, we need to monitor. >> very good. director archuleta, we have heard numerous accounts of frustrations with csid including long wait times, repeated website crashes and inaccurate information reported to victims. what steps are you taking to oversee the services provided by the contractor? >> csid has tremendous experience in these types of notifications. they served sony with their large breach. and we believe they have the capability and capacity to handle this. >> but when you call in now, the wait times are very, very long. >> yes, sir. >> might have great experience -- i don't know that they've experienced anything of
2:24 pm
this magnitude. >> thank you, sir. i am as angry as you are about that. they're doing everything they can to reduce those wait times. that's why i have instructed my cio and her team to work with that contractor to improve daily the services they're giving to our employees. employees should not have to experience that. and that is why we are demanding from our contractor that they improve their services. i do believe sir, because of the conflation of two incidents that we have an unusual number or high number of phone calls but that's not an excuse. our contractors should be able to perform to that number. and we're demanding that it do so. >> thank you. >> thank you, chairman boozman. ms. archuleta, if opm had completed its planned i.t. upgrades would this breach have been prevented? would these consequences have been prevented? and if opm had been
2:25 pm
in compliance, would it still have occurred? >> my cio advised me even if there had been 100% fisma compliance, there's no guarantee that systems won't get breached. and that's why an i.t. strategic plan and the implementation of an i.t. plan is so important. mitigation, risk mitigation is the answer to what we need to do. we need to be able to detect and mitigate. and that's what our plan is designed to do as we move from a legacy system to the new shell system. >> yes i believe we need to act very rapidly to move from these old, decades-old systems to a new system. we need to make sure we are tracking, that we're documenting and justifying all that we do. but we also need to be sure that we're acting as quickly as we can to protect the records that have been entrusted to us. >> ms. archuleta, of all the
2:26 pm
folks, the federal employees who've been affected as the co-chair of the senate law enforcement caucus i'm particularly concerned about federal law enforcement officers and their families. because they have credible reasons to be concerned. criminals they've previously apprehended or investigated might have motivation to seek out their homes or their families. what are you doing specifically to promptly respond to their concerns or inquiries, not to suggest they're the only folks with real concerns, but in some ways they're one of the subsets of federal employees who have very real, legitimate and pressing concerns. >> on the top line what i can assure you, senator, is we're working with agencies across government to analyze the scope of this breach. we'll be able to discuss more with you in the classified session, but i can tell you that we are working very closely with our law enforcement partners. >> i'm eager to follow-up with you on that and get the
2:27 pm
swiftness with which gravely concerned employees of all backgrounds are able to get updates and more information about their path forward. your fy16 budget request was submitted before the discovery of the most recent incidents. and before we had any sense of its scope, are there additional tools or enhancements that you need in order to deal with the critical issues that are now well and widely known? and how might you seek an amendment to the budget request? >> thank you, senator, for that question. we are analyzing right now with omb and my cfo to determine whether -- what the request might look like. and i hope to be able to get back to you by the end of the week. >> thank you. last question for you if i might, if you had actually encrypted federal employees' social security numbers or their personally identifying information, would that have prevented the disclosure of their personal identification to hackers once they've compromised the system? >> this is a question that's
2:28 pm
been asked of my colleagues who are experts in cyber security. and they have informed me that indeed in this particular case the encryption would not have prevented this breach. encryption is an important tool, and that is why we continue to build the encryption methods within our systems. but in this particular case it would not have prevented it. >> my question wasn't whether it would have prevented the breach, if it would have prevented the accessibility of personally identifying information once there was a breach? >> no, it would not have. >> about compliance and i.t. upgrades completed and encryption, mr. spires, mr. esser, any difference of opinion or any insights to offer us about whether compliance would have produced a different outcome here? >> i stated in my verbal testimony, sir. the issue with fisma the old 2002 law was that it was really
2:29 pm
around technical controls that would be then checked every three years. given the environment we live in, that is just not even close to being appropriate. and we're moving to a continuous diagnostics kind of model, which is the correct model where you're monitoring all of your systems and monitoring your complete environment, looking for intrusions, looking for improper behaviors. but i would even echo the point that even that is not enough in today's environment. you need to bring in the data protection like the encryption capabilities, and you need to upgrade the capabilities to better understand who is actually accessing your system. those are all critical necessities in order to protect data today. >> was it -- would it be reasonable for us to have expected opm could achieve data security given the resources they currently have available to them? >> i'm not sure i'm in a good position to answer that question. i'll go back to my point, a focused effort on protecting the
2:30 pm
sensitive data with the right encryption and the right access control capabilities if you put the focus there, i think most federal agencies would have the funds, have the resources to be able to accomplish that. >> we've seen significant data breaches for home depot jpmorgan, target sony, neiman marcus just to name a few. and many of them have invested in cutting edge security systems. is the private sector having any more success in mitigating security breaches than the public sector is? >> i think it depends a lot on the actual company and varies greatly. i would say that, make another point here. i think one of the big differences between the government and the private sector is that the private sector has the ability to very rapidly acquire the newest capabilities that are being offered by the cyber security,
2:31 pm
if you will, product companies or industry. and one of the things that i'd like to see is the government agencies be able to bring in, like in a test environment, be able to pilot new capabilities as they come to market that would really help government agencies to test. >> well you mentioned, i look forward to exploring that with you in the next round of questions. thank you, mr. chairman. >> senator lankford. >> thank you. thank all of you for the chance to be here. we've got a lot to be able to cover. with us to be able to help not only resolve things for the future but also be able to impact fully what's happened in the past. there are several comments you made on it. what is the most pressing issue that you've discovered in just the flash report that you have done? based on the vulnerabilities that still exist and what needs to be finished? i'm not asking you to expose publicly vulnerabilities that still exist.
2:32 pm
i'm asking you i guess what on the list how many things still need to be addressed, need to be addressed immediately? >> senator i think one of the most important things that needs to be addressed is the two factor authentication to access systems. this has been a long standing problem at opm. they have made improvements. they have implemented this to affect workstation access but the actual systems that are being used by employees need to be also implemented and required, two-factor authentication. >> i saw from your report and quite frankly the chief information officer also had listed the same thing in 2012. let me read this quickly. the initiative to require personal identity verification credential authentication to access the agency's network, as of the end of 2014 95% of opm
2:33 pm
workstations required personal identity verification access for the network. however, none of the agency's 47 major applications require personal identity verification authentication. is that still correct? >> to the best of our knowledge it still is. >> ms. archuleta, tell me about that and just the process of transition. >> yes. two points there. on the multifactor authentication for remote users is we are at 100% at that point now. as with regard to all other users we're working very rapidly to increase that. i've asked my cio to increase that effort. and i would be -- i'm sorry i don't have the percentages in my mind right now, but i'd be glad to get back to you where we stand as of this date. i do know we're working rapidly to do that. >> okay. so 95% figure you think is pretty close as far as the workstations, saying 100% for those working remote, 95% workstations but still 47 major
2:34 pm
applications that still are exposed, i guess. >> i would like to get back to you, senator, on that to give you the full details on it. >> then there's a question on the issue of security assessment and authorization. obviously that is a requirement from omb. this ongoing issue of these 47 different groups that are here. it says 11 of them were not completed in time or operating without a valid authorization. what can you tell me about that? >> i can tell you that all but one of those systems has been authorized. they're operating with authorization. and we're working on the final one that was with the contractor. >> okay. there's also a systemic problem there, obviously, of trying to find out why they weren't already through the authorization issues. to make sure that authorization is done on time and is on schedule. has that issue been fixed? rapidly people stepped in and said let's try to fix this, the authorizations haven't been done. what about the process for the future to make sure that those
2:35 pm
continue to be done on time? >> i'd like to have my cio get that information so i could give it back to you, sir. >> okay. i'll be glad to be able to have that. give me a timeframe when i can get that back. >> by the end of the week, sir. >> great. there's an outstanding letter i sent to your office june 10th. i'm the chairman of the committee on homeland security governmental affairs that has the federal work force in it. as you and i have discussed in the past. >> yes. >> june 10th i sent a letter that's yet to be acknowledged from your staff that they have received that letter much less to be answered to it. and there was some very basic questions that are still unanswered on it. none of them that would require a classified setting, but there's some basic responsive answers. i have letters that are already on the record from faa for instance and a tremendous number of employees that live in my district that have asked just some very basic questions. the folks from afge have asked some very basic questions to get a response from. they've yet to get a response even to say it's been acknowledged. they just want to know some timing. and i know the letters have gone out nationwide, but people want
2:36 pm
to know that there's actually someone working on some of these other issues because there will be many for a while. >> senator, i apologize to you if you've not received that response. i know i've asked my staff to respond to that. and i know that it is forthcoming. but i will make sure you have that letter today. >> would be great. thank you. let's talk a bit about cost issues dealing with the appropriations side. do we have a ballpark cost to opm yet to contact, the letter that's gone out to contact everyone to let them know, hey, possibly your information has been breached? so there's really two cost factors that are sitting out here that our committee has to consider. one is the cost for the letters and the second is then for the credit report and screening being extended. do you have a cost estimate? >> i have an estimate
2:37 pm
approximately 19 to 21 million. >> okay. and then what's the estimated cost on just the letter going out? that's not a cheap thing. >> that's the total cost, sir between e-mails and letters. so i don't have the breakdown. i'd be glad to get that for you. >> are you aware, some agencies, of actually the website you link people to to say give more information, some agencies have already blocked that internally. so those individuals when they try to go are blocked from that for fear there may be phishing scams going on. >> yes. we've worked closely with departments and agencies because of some security protocols they might have. so we've worked closely with them. and their cios and other top officials. >> finally, this issue of the inventory of servers and databases and different workstations that are out there. the central control is obviously important to make sure software's continuing to be upgraded and everyone has a
2:38 pm
consistent security presence there. when there's any server independent there, it creates tremendous vulnerabilities. they just have to find one of those. how is that going with unifying that structure? that's not a legacy issue. that's more of an inventory issue. >> yes. i respect the inspector general's opinion on this, but my cio has told me that we have indeed an inventory of systems and data and i'd welcome the opportunity to discuss this with you and with him further. >> great. we'll look forward to getting that report and getting a chance to find out more about that. that's one of those significant vulnerabilities. >> yes. thank you, sir. >> mr. chairman thank you. and senator for conducting this hearing. welcome to our three witnesses. miss archuleta, i'm going to begin with you. and i just have a series of questions that i hope are relatively short responses. and i'll just work my way through them as quickly as i can. what is the current estimate of the total number of files or employees breached? >> under the employee in the
2:39 pm
employee personnel files we estimate that to be a little over 4 million. >> and that is at least according to press reports those numbers may grow. what else may occur? what may you discover? >> it's an ongoing investigation. we'll continue that investigation with our partners. so at this point we know that it's a little over 4 million. >> and when we talk about is it -- are those words interchangeable? 4 million employees and 4 million files, that mean the same thing? >> that's approximately 4 million people who have been affected by it. >> and then what's the total amount possible for number of employees affected? you say we estimate it today to be 4 million. it may grow. what's the maximum number of files that could have been breached? >> what we know is -- i want to separate incident one and incident two. so incident one is the one i'm describing, the employee personnel files. and we have estimated that to be around a little over 4 million as i've described. >> what's the total number of
2:40 pm
employees that could be affected by that? >> that's the number -- >> that's the number. >> that's the number. all right. >> so as we look at the second incident which we have not determined the scope of it i don't have a number for you on that. >> well, how many employee -- let me ask it differently. how many files do you have management over? >> well, as you know a federal background investigation file may have a number of different names and pii within it. so that's why i can't give you a specific number on that one. so we're working as i said, to get that number. i will bring it to you as soon as i have it. >> let me ask this just one more time and make sure that you and i are on the same page. >> okay. i apologize if i'm not understanding. >> it may be the inarticulation on my part. you have a certain number of files within your agency subject to this kind of breach. what's the total number of files that potentially could be breached? >> that's what we're investigating right now, sir. >> let me ask it this way, how
2:41 pm
many files are there at opm? >> well, there are millions of files, sir. we are a data center. so there are millions of files. the sf 86 or background investigations contain numerous names. that's why i want to be careful to make sure the number i do give to you i'm confident about. >> all right. you indicated you've taken significant steps. i wrote that down as part of your system. we've taken significant steps. and yet the oig says only three of 29 recommendations have been closed and indicates -- let me look at his testimony. only three of these 29 recommendations have been closed to date. and nine of these open recommendations are long standing issues that were rolled forward from prior year fisma audits. how do you reconcile we've taken significant steps and yet the oig's report says that there's long standing problems and only 3 of 29 have been addressed? >> we work very closely with our
2:42 pm
i.g. and as i've said before, we work with him to make sure that we have complete and open transparency with him. we meet on a regular basis. he continues to assist us in identifying the areas of improvement. and the issues he has brought to us we are working through. i think the 2014 audit that he performed for us and provided to us we're working through the steps that he has outlined for us. and i know we're not in agreement with all of them but we do believe that that conversation and the transparency that we have between us will be helpful in resolving all of them. >> mr. esser, do you agree with ms. archuleta that the agency has taken significant steps to correct its problems? >> yes i do. i think they have made great strides over the years to improve some of the issues we've reported. for example, the decentralization issue which went back to 2007 in this past
2:43 pm
year's audit we decreased our severity of that finding from material weakness to significant deficiency. in addition there's a number of areas where they've put in tools and made strides to improve security. that said, there are a number of long standing issues in our reports that are open and we hope to see movement on. >> mr. spires let me give you an opportunity. if you were still in the former capacity at this agency instead of the irs or the homeland security, let me first start with the broader question. based upon your understanding of the facts involved here and your best judgment, was the breach or breaches that have occurred at opm, were they predictable based
2:44 pm
upon what we knew looking at the -- for example, the oig report. if you saw those reports is this an outcome that could be expected? >> i think it is an outcome that could be expected, sir. >> and do you have a sense based upon either testimony or your independent knowledge and what you heard in the reports that would you say that the opm officials have taken significant steps to solve their problems? >> it does sound like they are doing a number of the things correctly. i think the centralization of i.t. is a very good step. they are talking about a modernization program that would upgrade their i.t. infrastructure. that being said i'm going to go back to my earlier point that if i had walked in there as a cio -- i'm speculating a bit -- and i saw the kinds of lack of protections on very sensitive data, the first thing we would
2:45 pm
have been working on is how do we protect that data? not even talking about the systems. how is it we get better protections and then control access to that data better? i think that is probably where the focus needs to shift here based on what i'm hearing. >> meaning that ought to be the priority. ms. archuleta, does anyone at opm take personal responsibility for these breaches? or is this just considered a problem with the system? is this a problem with individuals not performing their duties, or is it just more that this is the system we inherited and we are working on it and no one in particular is responsible for the outcome? >> i think mr. esser and mr. spires said it correctly. this is decades of lack of investment in the system that we inherited when i came in. from the very beginning of my
2:46 pm
tenure i have been focused on this. we are working to install not only the architectural strategies but also to install the detection systems and be able to remediate. but as both of my colleagues have mentioned we have legacy systems that are very old. often times we have to test to be sure we can even add those protection systems into the legacy system. so those tools into the legacy system. if there is anyone to blame, it is the perpetrators. they're concentrated, very well funded, focused aggressive efforts to come into our systems not just to opm but as both of my colleagues have said across the whole enterprise is one that we are concerned about and one we are working with our colleagues. it is -- we are going to take every step we possibly can at
2:47 pm
opm to continue to protect. that is why we are trying to move out of the legacy system. >> to date you don't consider any of your staff or employees or people responsible at opm for i.t. and its security to be personally responsible? it's a problem with the system that has been inherited? >> this is an enterprise wide problem and cyber security is a responsibility to all of us. who had organizations. that is why with tony scott's assistance and his efforts we're going to address this as an enterprise wide basis as well as opm. >> no one is personally responsible? >> i don't believe anyone is personally responsible, but we are working as hard as we can to protect the data of our employees because that is most important. i take it seriously and am angry as you are that this has happened to opm and i'm doing
2:48 pm
everything i can to move as quickly as i can to protect the systems. >> thank you very much. >> thank you, sir. >> mr. esser, ms. archuleta mentioned the problem with the legacy systems which i think we all understand. isn't it true that several of what was breached were not legacy systems, and had the right tools been in place would not have been breached? >> yes, sir, based on our audit work -- >> the idea that this is all legacy is really not the case? >> well, there are many legacy systems at opm. i don't want to give the wrong impression. that's a fact. but based on the work that we have done in our audits and ongoing work that we are doing it is our understanding that a few of the systems that were breached are not legacy systems. they are modern systems that current tools could be implemented on. >> very good.
2:49 pm
i think that's really important. concerns have been raised about the contracts to provide credit monitoring service to victims of the first breach. we don't yet know the scope of the second breach and what services will be provided for additional victims. mr. esser, in your flash audit you raised concern about opm's contract to manage the infrastructure improvement project related to subsequent phases of the project. do you have additional work planned to oversee opm's security practices? >> it is certainly something that we are monitoring and following the reports and gathering information. we have not planned any audits of that at this time. it's something that we may do. >> very good. mr. spires, you describe a number of root causes that led to this and a number of
2:50 pm
recommendations. can you tell us again a couple key recommendations that would make a difference over the next year or two. >> i would like to reemphasize fitara. we need to figure out how to manage our i.t. more effectively. and i would say that is the single root cause that has led to these kinds of situations we find ourselves in with these data breaches. and it's not that i'm just one to say well we need to have all the power with the cio. we need cio's that have the authority to really bring best practices and not to allow systems or practices to continue that jeopardize the security of our data and our systems. and that has been the problem for decades. we still have real cultural problems, i'm out of government
2:51 pm
now for two years, but based on many discussions i've had with brethren that are still cio's and still in government we need to take this incredibly seriously, and i would urge you as a subcommittee to provide your own oversight of the implementation. >> do we need additional legislation? >> i'm not convinced. we need cyber legislation about how we better share information between the government and the private sector, that is something that congress should continue to work on. i think we have between the fitara act and the updated act i think we have enough of the tools on the legislative side. i think it's now a leadership set of issues with the proper oversight of congress. >> along the same lines, what
2:52 pm
would you comment on in regard to again the most significant weaknesses, the underlying causes. what do you see as the priority that we need to be doing the next two or three years? >> well specific to opm, i think the project that they're undertaking to modernize the i.t. systems is the right way to go. that definitely needs to be done, we fully support that project. we do have some concerns as expressed in our flash audit alert regarding some of the project management related to it. the sole source contracting, but in general, we think it's definitely the right path to follow. >> and so you will be -- how will you all be involved? mr. spires talked about oversight. that's certainly something we can do in regard to this
2:53 pm
committee. how will you be involved in that process? >> well, we're continuing our oversight of the modernization project. the flash audit alert was issued this week, and it was just an interim report so to speak. we're going to continue our audit work throughout the length of this project. >> the administration's cap cyber goals in an effort to drive. that's not working. do you recommend any changes to the goals? >> i would first comment that i think -- i mean, i think having goals is certainly appropriate, but let's take one example. this notion we've all talked about, this need for multifactor authentication. to be able to protect the credentials of those that use these systems are legitimate.
2:54 pm
When you look at the cyber goal, and you look at the use of, for instance, the HSPD-12 PIV card, and trying to get the 75% usage within the federal agencies within the goal. They only need one way in. And 75% just doesn't cut it in this world anymore. We need to rethink, I think, the objectives there. Go back to the prioritization about protecting data, doing the multifactor authentication; those should be the highest goals. That does not mean that we shouldn't be working to continue to bring in the right kinds of capabilities to better protect our systems. We need to do that as well. It's time to rethink those goals and to reset them along those priorities.
>> You mentioned at OPM that one of the findings you found is that we didn't know exactly what
2:55 pm
the system entailed. What's -- what they have, has that been corrected, or we still don't know the number of units and servers and all the hardware and things?
>> Based on our latest work that's still our understanding. The director commented a little while ago that they do have a complete inventory of systems. We'd be more than happy to work with them and look at that, and do our audit work related to that.
>> But if that is the case, that's just recently happened.
>> Yes, sir, very much.
>> Chairman, I'll defer to the vice chair.
>> Senator Mikulski.
>> Can you tell me, has -- I understand even top notch security firms themselves sometimes have a cyber shield that can be penetrated?
2:56 pm
>> I mean, I don't have any more information than what I read in the news, Senator, but I have heard that, I read that as well.
>> Which indicates that this is an international problem?
>> It certainly is, and even despite best efforts of highly skilled professionals. That's not to excuse where we are. Your advice is to get with it and get with it pretty quick?
>> I think you summed it up very well.
>> Would this be across all government agencies that OPM was hit?
>> I'm -- my experience having served on the federal council and worked with many of the agencies is that OPM is not some outlier here, that many of the federal agencies have similar issues to what OPM faces as far as their management and cyber security posture.
>> Thank you very much, sir. Now, the federal employees. Maryland is the home to 130,000
2:57 pm
federal employees. And they work at everything from the National Institutes of Health to the National Security Agency. Most people at the National Security Agency are civilian employees. What do I tell my employees, because they're quite apprehensive. Is there going to -- what is the impact of this on them. Can you talk about this and what is the impact on them, how are you in communication, and should they be afraid that another shoe will drop, and that it could drop on them and their credit ratings or whatever?
>> Yes. And I do want to say that I care very much, as you do, Vice Chairwoman, about our federal employees. And what this breach has done has exposed their data, as you know, and I am very concerned about that. That's why in terms of the first incident we've been working very
2:58 pm
hard to not only begin but to improve our notification system and to provide both identity theft and credit monitoring for them. We've received much feedback from our employees and we're using that feature to look at --
>> They're pretty apprehensive and agitated.
>> I am angry too. And I am angry that this has even happened. I have worked very hard toward correcting decades, as I said before, of inattention and I will continue to do so. I will tell you that I am very concerned about protecting the data of our employees. And that as we move into incident two I'm going to use their feedback, their concerns to inform us so that we can look at the wide range of options that we will have available to us with these notifications.
>> Do you have a council of
2:59 pm
federal employee organizations that you meet with that can kind of tell you the view from the employer up so you really hear what they're saying? People like myself, Senator Cardin, Senator Kaine, Senator Warner, we're proud of the fact that the capitol region is the home to so much talent that works when so much pressing interest from the cure for cancer to protect our country against predatory attacks. And now they're worried about predatory attacks against them. Do you meet with them and get this advice so that we can at least, while we're trying to sort out the best way to have a cyber shield, cyber shields on our dot gov.
>> We're doing several things, Vice Chairwoman Mikulski, thank you.
>> We are working with our CHCO --
3:00 pm
>> I don't know where Chico is; it's where I bought some of my jackets.
>> Mine too. The human capital officers for each of the agencies as well as all department heads and leaders, we tried to adjust the notification system so that it's a -- it is customized to the employees. We're also listening to our unions, our union representatives, and seeking their input and other stakeholder groups to see how we can better improve our notification system. Not in a long term, but during this period from June 8th to June 19th is to take their feedback every day around call centers, around how we could provide FAQs on websites, how we can work directly with department heads and agencies. In the notification process, we take very, very seriously