
tv   Key Capitol Hill Hearings  CSPAN  November 14, 2013 3:00am-5:01am EST

3:00 am
health care coverage. i serve as deputy chief operations officer, and i'm a career civil servant with 20 years working at cms on medicaid systems of varying scales. of te marketplace of element and implementation to facilitate a marketplace eligibility systems and the data services. i work closely with the private sector contractors building these i.t. components. i work closely with my colleagues who handle other id and policy aspects, including the center for insurance oversight, which manages the business operations and makes policy decisions. the chief information officer that oversees the account creation on healthcare.gov through management of a shared service called the enterprise
3:01 am
identity management system, and the office of communications which is focused on the call center operations and healthcare.gov. to facilitate the various aspects of the marketplace, and facility for secure -- addition to the hub, cms contracted with cgi federal to build the federal facilitated market the places to which consumers use to apply for health coverage through private qualified health plans in affordability programs.
3:02 am
access the system at any one time. immediately address the capacity issues in the first few days and continued to work on and betterrovement user experience. healthcare.gov is made up of subdivisions, one called learn and contains information to assist and educate consumers about the marketplace. a premium estimation tool was launched on october 10 to allow consumers to browse health care plans without creating alan health care -- without creating a healthcare.gov account, which contains the online application for enrollment. only the new tool could sort into two age categories,
3:03 am
its functionality will be expanded to accommodate additional scenarios to fit consumer shopping profiles. this tool is different from the efforts of an application because determinations about of an applicant in his or her household. after income, citizenship, and other information is verified. i know consumers using healthcare.gov have been frustrated after the site's launch. numerous unanticipated technical problems surfaced which have prevented consumers from moving through the account creation application eligibility and enrollment processes. some of those problems have been resolved. the site is functioning much better than it did initially. users can create an account and continued through the application. we are now able to process
3:04 am
nearly 17,000 registrations per hour, or five per second with no errors. we are now better able to see how quickly the online applications have responded and measure how weekly changes happen. in particular the viewing and filtering during the online shopping process. we have software configurations that have added capacity and effectiveness to the system. cms is committed to a brazilian system that helps expand access to affordable health care coverage. we are encouraged that the hub is working as intended and the framework for a better functioning market place eligibility system is in place. >> i know this is a questioning time. if you can tell us, why is a
3:05 am
subpoena from ways and means unanswered as to how many have signed up? >> don't answer that. we will get to that. morning. my name is frank baitman. i'm the deputy assistant secretary for the chief information officer at the u.s. department of health and human services. i am pleased to join you here today. the department of health and human services is the united states government's principal agency for protecting the health of all americans and providing essential human services, especially for those who were least able to help themselves. leading the development and implementation of enterprise level information technology framework. hhs is committed to the effective and efficient management of our resources, in
3:06 am
support of our public health, human services program, and the health system. the hhs ocio is responsible for policy framework for i.t., including such areas as enterprise architecture, capital planning, records management, accessibility, and security and privacy. for example, the security arena has a healthy framework. it encompasses the federal information security management act of 2002, omb directives, and the national guidance on security and privacy. all of which are embodied in the department's security policies. our information technology portfolio is sizable. including support to a number of grant programs that provide i.t. resources, state, local, and tribal governments.
3:07 am
the department portfolio also supports everything from common and commodity i.t., things like human resources and e-mail, to the mission systems that enable research at the national institute of health, to the regulation of drugs and devices at the fda, and the treatment of patients at the indian health service's network of clinics. is a large department with a large set of missions. it includes the administration for children and families, the administration for community living, the administration for health research and quality, the centers for disease control and prevention, the centers for disease control to services, the fda, the indian health service, the national institute of health,
3:08 am
and the substance-abuse and mental health services administration. etzel makes up hhs. portfolio through a federated government structure. the vast majority of the department i.t. resources are dedicated directly to the appropriations made to our programs and operating divisions. our governance structure reflects that reality. program level i.t. decisions are governed and reviewed by our operating division. hhs has its own chief operations officer, and an i.t. management structure. management of the development of healthcare.gov was comparable to management of similar i.t. initiatives through the department operating division. were i.t. initiatives that familiar with, including
3:09 am
medicare part d, were led and developed by cms. they serve as the business owner and developer of healthcare.gov integrated eligibility system for the federal facilitated workplace. since i joined the department about 18 months ago, we have been working to restructure and update our i.t. government. bringing visibility into what the department buys and builds across all of our operating divisions. we are now in the process of putting in place three i.t. steering committees to bring together technology and program leaders from across the department to improve our purchasing and management of i.t. resources. these steering committees take a functional view of our i.t. portfolio, and we created one to oversee health and human services, a second to oversee scientific
3:10 am
research systems, and a third for administrative management systems. this government structure will improve department wide oversight of i.t. purchases and projects. secretary sebelius has been an advocate for transparency, and this new government structure is designed to achieve that outcome. collectively, these three committees will provide the guidance to the operations based i.t. portfolios, and ensure that we take advantage of opportunities and save taxpayer funds. for example, we are in the process of establishing a vendor management office to improve the department negotiating decision with technology vendors and make use of enterprise wide license acquisitions. we are always looking for ways to consolidate investments, to meet department broad i.t. portfolio needs more effectively and economically. budget process, hhs
3:11 am
unified $250 million in reductions within our i.t. portfolio attributable to savings in various commodity i.t. areas. >> we know how great a job you're doing. that is why you are here today. could you please wrap up? >> i appreciate the opportunity to do it here today. >> thank you. mr. park. >> good morning. chairman issa, thank you for inviting me to testify today on the administration's ongoing efforts to deliver on the promise of the affordable care act. how's of the office of scientific technology policy, i serve as an advisor at the white house on a broad range of technology policy and strategy priorities. ranging from how technological innovation can help grow the economy, to help to open up and spur data entrepreneurship, to how the power of technology can be harnessed to improve the health relief, and more.
3:12 am
i try to bring the sensibilities of the private sector tech entrepreneur that i have been most of my professional life. as you know, october 1 was the launch of the new healthcare.gov, and the health insurance marketplace for people without health insurance, including those who cannot afford health insurance, and those who are not part of a group plan, can get affordable coverage. unfortunately the experience on healthcare.gov has been highly frustrating for many americans. these problems are unacceptable. we know there is real interest from the american public in having easy access to the new affordable choices in the health insurance marketplace prayed i'm -- the place. i believe we have a shared goal to deliver to americans the service they deserve and expect. since the beginning of october, i have shifted to working full-time on the team working round-the-clock to fix healthcare.gov and bring it to the place it should be.
3:13 am
the team is making progress. the website is getting better each week. itsork to improve functionality. as result, more and more individuals are successfully creating accounts, logging in, moving on to apply for coverage and shop for plans. we have much work to do but are making progress at a growing rate. i'll be happy to answer any questions you may have about healthcare.gov and the progress the team is making. >> thank you. >> good morning chairman issa, ranking member cummings. thank you for this opportunity. as the chief information officer of the united states, i serve as the administrator of the office of electronic government and information technology, an office created within the office of management and budget. my duties are developing and issuing governmentwide
3:14 am
broadbrush guidance of policy, overseeing development of the president's $82 billion i.t. budget, and convening and facilitating stakeholders to collectively resolve issues. spendingg federal i.t. since 2009, realizing for $1 billion in savings since 2012 with opera folio program, and facilitating agencies to work on cost-cutting agencies in policy, such as opening data, providing a new way of cloud computing. my office has done important work in the area of cybersecurity creating new secure mobile devices for our country, and protecting federal i.t. devices and the network. my involvement in the implementation of the aca also reflects from my role as federal cio. i acted as convener and
3:15 am
facilitator of agencies to work with the technical details of the cross agency work of the aca, primarily yielding the data hub feature of the overall system. as the committee is aware, before joining the administration, i worked in the private sector for nearly 20 years. majority was at microsoft corporation. i shifted and helped launch many well-known brands. the launch of each of these products presented its own challenge. microsoft is still patching windows xp 12 years after i helped launch it in 2001. continuous improvement is the nature of these efforts. as you can imagine, connecting multiple legacy i.t. systems across multiple agencies of the federal government is a complex task. this is in no way an excuse for the problems of launching healthcare.gov. we are taking this unacceptable situation seriously and working
3:16 am
hard to correct course. since october 1, i am actively helping the all hands on deck effort to assist the health and human services and centers for medicare and medicaid services in fixing the system. given my prior experience in the private sector, acted as a customer advocate open to assess and address opportunities to address the customer experience. outcomes from the work includes updates to the -- and listing for new ways to apply for health care services. and monitoring progress and advising the teams. we share the deep concerns that this committee has regarding healthcare.gov, and we as a team are working to improve the site to improve access to affordable health care coverage as it is possible. i look forward to continuing this work after the hearing. thank you again for the opportunity to appear for the committee today. >> thank you. i now ask unanimous consent that
3:17 am
pages 151 and 152 of mr. chao's transcribed interview be placed in the record. and now ask that the redacted document of cgi federal, which we will call exhibit one, be placed in the record. i now ask that the cms document entitled health insurance market place preflight checklist september 21, 2013 be placed in the record. >> i would like to see the documents. >> that is a committee document that both sides have. [no audio]
3:18 am
>> without objection, so ordered. to ask the clerk to give you those documents. briefing to give you a understanding of what i'm going to come back the one in a few minutes. pagesve made testimony on 151 and 152 of your transcribed interview in a sequence of events that were related to the minority questioning of you as to whether or not the anonymous shopper function worked on october 1. the other document is related to that checklist. we want to make sure you have that before we ask you any further questions under oath. that, mr.s reading park, you're here today and take
3:19 am
it away from your other duties because of a serious concern about what you knew, and the administration may have had you say. i want to give you an opening opportunity to clarify that. ther the october launch, problem with the website was there were 250,000 simultaneous users. it can handle 60,000. 250,000 brought it to its knees. if your opening statement, and what you now know, would you like to for the record give us the number of simultaneous users you believe could have been handled through the portal on day one? >> thank you mr. chairman for the question. it is the nature of this kind of situation -- >> mr. park. i want to treat you with
3:20 am
respect. i have very few minutes. you gave a number. it was erroneous. it couldn't handle 60,000 simultaneous users. dr. michele that ought september 30, the system crashed with 1100. the goal was to get to 10,000. would you like to tell us for the record basin you're working on this what number the american people could simultaneously be on the site working on on day one before the system began to timeout? >> to answer as simply as i can, the information that we had at the time was that cms had designed the system for 50- 60,000 current users. right now, based on what i know now, what the system is currently capable of handling, the thing i would become will saying is that the site has been handling at present about 25,000 users. >> it is fair to say that, i
3:21 am
will paraphrase, on day one, at the launch, some amount greater than 1100 which was experienced on september 30, and closer to the goal set a september 30, which they thought they received, they could get to 10,000 simultaneous. on day one, october 1, when this site launched, the site was capable of handling somewhere more than 1100, but less than 10,000 simultaneous users, and certainly not 60,000, or 250,000 that simultaneously tried to use the site. is that correct? >> there may be a matter of confusion here. cms may be better is issued to clarify. i believe 1100 number was for a particular unit of capacity. i will -- >> there was a front door, and a
3:22 am
capacity was limited by the front door. i think for -- i come out of the i.t. world and the tech world. the american people can understand that you are only as strong as your weakest link. if you have a bottleneck that causes people trying to get to out, theto shut bottleneck is what determines it. on day one, only six people got to the end, i think that for the american people, understanding, the capacity was insufficient on day one. is that correct? -- here, >> i only want to know on day one, was it sufficient? >> i can't speak to the numbers you're talking about. one, the system was overwhelmed by volume. >> mr. park you're going back to something i thought you would do. was not inon day one
3:23 am
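excess of what was expected. the volume on day one was what you would expect if everyone is going on the site to see what it is all about after 3.5 years of waiting. chairman, do not have the specifics. these volumes are talking about, , this go to the examples is the same problem the irs deals with on an annual basis. what you need to do is appropriately plan for your performance and stress test. there is fundamental questions of that was adequate here. >> that is what we are going to discover today. on testified under oath pages 151 and 5 -- 22 on the minority questions that time, thisbecause of site did not work. we have seen a document which has cms on it in the last day, september 25, that said it passed the test. is it that you do not know it had passed the test when you made your statement saying that it failed? >> first off, would say that after working with your staff for 8-9 hours, as well as the minority staff, going through this transcribed interview, i have not had a chance to look at this. this is the first time i'm actually seeing the results of that day. >> your job is to know what is in the site. said, thisort that of december -- this is ittember, you attested the pa passed successfully. are you prepared to say that the anonymous shopper was turned off by your knowledge, neither happened pedicle.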
3:24 am
3:25 am
the anonymous shopper was turned off because it failed the test? that would be your knowledge based on what you knew. >> my knowledge was not that it was turned on or off. it was not made available because of failed testing. you hand me this page 151 and 152, and i-- and suppose you're handing me this other document that says -- >> we are saying that the documents show that the anonymous shopper tested positive. it worked. you said under oath, and i'm sorry you may not remember what you said under oath, but when the minority as to what is normally nice questions, self-serving questions, they are on your side, you said that you gave a reason, which the ranking member used in his opening statement, that the anonymous shopper was turned off for
3:26 am
reasons other than political. we believe the anonymous shopper , the easy front door, i was in a way it is going to cost was on, thisnd if it was had different components. that portion could have been more effective. if american people could have gotten on an shop. >> this line of questions is in the context of my knowledge under oath that it did not pass testing. i have documents that show it did not pass testing. >> my time has expired. when you deliver a stock commission on the it hasn't passed, we can have you back. right now the documents provided to us by the vendor show that it did pass. that document is placed in the record. if anyone else would like to understand the have said it failed test, they said it past has, it's administration and
3:27 am
their absence of transparency showing it failed test, and document we have today which says cms all over it, says it passed test. it passed the test you said under oath that failed. our problem is the people you work for won't give us the document so we can fully understand that. just as the people you work for won't answer a simple question to the ways and means committee, how many people have signed up. even under subpoena. recognize the ranking member to rehabilitate your testimony. >> mr. chairman, let me be clear. staff who work just as hard as yours. it is not about self-serving. it is about getting to the truth. not insult your staff. >> i was not insulting your staff.
3:28 am
>> i take it as an insult. >> it is not about self-serving. it is not about rehabilitated. it is now trying to get to the truth. the truth and nothing but the truth. i'm not going to try and rehabilitate. >> maybe you can get him to tell us. >> in a few moments, somebody documents,resent the -- thatg that will not will show you to be inaccurate. up.one else will bring it >> someone also rehabilitate. >> no, no. we will show you the document that had been blacked out, but you have not disclosed. we will show you those in a few minutes. mr. park, if i may proceed. although we have not met before
3:29 am
today, i understand you have an outstanding reputation in the i.t. community. i did not know this previously, but the cofounder of your former company is jonathan bush. the cousin of former president george bush. is that right? >> yes, sir. >> i have a quote here that mr. bush, the cousin of the former president, gave to a reporter a few weeks ago. he said this about you. is uniquely thoughtful, dedicated, and precise. manic problem solver. blind partisanship. if there is anyone who can fix it problems with the exchanges, it is todd." he also said that you were working so hard to improve the website you "spent
3:30 am
the first week of october sleeping on a floor of his office as he tried to help get healthcare.gov off the map." is that right? >> yes, sir. >> your reputation precedes you. week, the chairman accused you of engaging in a pattern of interference with alstom is related to this site. that is a serious attack against your integrity. i do not want to get into anyone's intent or motives here. i want to give you an opportunity to respond directly. this is not unusual for me. i realize that we are all on this earth for a short while. our reputation is all we have got. since those statements were made about you, i would like to give you an opportunity to respond.
3:31 am
>> thank you, sir. thank you for the opportunity. again, i do not take any of this personally. it is a fast-moving situation. a lot is going on. i would just say this. case absolutely that volume of the key issue. it is still an issue relayed my best understanding of the time. it is the nature of things that as you learn more about what you need to do to fix it, i can say now that in addition to volume, there are other key issues that have to do with the site, in terms of its performance and stability. it is getting better and
3:32 am
better each week. proud to be a small part. you have my assurance that each point along the way, i will tell you what i know to the best of my ability. >> let me ask you this. did you engage in a pattern of interference? >> no, i did not. before you were subpoenaed to come here today, your office wrote a letter to scrubbing the workload for the next few weeks. was this concern coming from your office or was that a concern of yours that you would be pulled away from the website issues?
3:33 am
it have any hope of me and the team fixing you said that i could focus intensely on helping to fix the site this month, and come back in a few weeks. i understand that the chairman came to a different decision. i respect that decision. i'm the son of immigrants from korea. i have incredible love for this country. i have huge respect for congress. if the committee wanted me to be here today and decided i should be here today, i'm happy to be here today. >> i understand -- amount of the same time that you had. >> we now go to the gentleman from florida. >> it was four minutes you
3:34 am
exceeded your time by. >> i went to one question after the end. >> four minutes. >> the gentleman is recognized. >> you're not going to run a fair hearing. >> the gentleman from florida is recognized. >> it is interesting to see as obamacare implodes, how everybody is running for cover. we saw the former president of the united states, bill clinton, throw the current president under the bus so to speak on this issue. side, we heard the other mr. cummings, our democrat leader start up by citing the problem with this is republican governors that opted for an exchange. chao, are these governors, are they alle
3:35 am
democrat governors? well, they are for the record. it is interesting to see how they run for cover. i have a question for all of you. each of you, i want to ask you this. it is obvious that obamacare was not ready for prime time from both an i.t. performance ability and also from a security standpoint. were you aware of that? >> gao issued a report. there was a lot to do. >> were you aware of it? >> can you repeat the question? >> obamacare was not ready from an i.t. and operational, and
3:36 am
security standpoint for prime time on october 1. were you aware of that? >> i was aware that -- >> you were aware that there were problems? issa from operational. >> i'm just trying to answer your question. >> operational -- >> i was aware of modules not working. >> anything on security? >> not as i recall. >> i'm aware that any system private sector or private sector needs constant addressing. >> what about the security? constant --m needs security needs to be constantly addressed. >> this tuchman has been releasesyet, but it
3:37 am
the document -- the security. >> no sir, i did not. >> first of all, it looks at political decisions got us into this. you commented to our committee that you had to have regulations in place to go forward to make decisions. right? >> correct. >> there were regulations that were not imposed. some of them were stopped by the white house prior to the election. >> no, i did not. >> the delay in issuance of regulations guidance was a addressing problem the time frame rate actually, the white house pressure to stop those regulations coming up
3:38 am
before the election because they didn't want folks to know what was coming. >> i think you are paraphrasing from my testimony. >> he richer, doorstep. you can test the system. obviously you're going to be nervous. is that your statement? >> that holds true for anything. my answer in the context was for any development project requires requirements in order to build the system in a compressed timeframe. >> did you know that security had -- and the testing was done by mitre of security. >> and blue canopy. >> and this is the report. adequatelynable to test and integrity of the change system and full. are you aware of that? >> that seems actually true and
3:39 am
appropriate. the full system isn't built. >> it was never fully tested? >> no, what i think it is referring to is there are other components of the program that need to be built. >> can you sit here and tell us oft there are not high risk non-encrypted data, identity theft? >> the gentleman's time has expired. reply in response to a decision memo in which we wanted to generally highlight the potential risk applicable to any system of this magnitude that is servicing the public and collecting information about people. key to your staff shared with me, that was a non- assessment not on the system.
3:40 am
the key question going forward is what has been done going forward while the system is continued to be built. >> thank you. >> thank you, i would like to thank the panelists for their public service and thank the chairman and ranking member for this. i'm privileged to represent new york state. enrolledw yorkers have through the new york state health program. almost 200,000 have completed full applications on the new york state of health. the state customer service center operators have provided assistance to more than 142,000 new yorkers. the rates for the plans represent a 53% reduction compared to the previous year individual rates. savings,on to the cost
3:41 am
it is estimated nearly three quarters of individual enrollees requalify for financial assistance. this is according to an official statement core from new york. this is certainly good news. we do need improvements on the federal user experience. i'd like to ask mr. park, have improvements been made daily on the website? are you working to make improvements every day? >> thank you for the question. are frick -- terrific news coming out of new york. it is getting better week by week. some days are better than others. week over week, things are getting better. on one metric of user experience, system response time, the rate at which the website responds to requests. a few weeks ago, that rate was eight seconds across the system, which is unacceptable. it is now under a second.
3:42 am
-- her metric >> how much faster can the public expect the website to be? now you're under a second? >> on average. >> can you make it faster? >> the team believes they can. they are doing this work. responsehe average times, we won it down further. >> reducing wait time has become a priority? that will help enrollment numbers. >> yes, ma'am. >> that is terrific. are accounts registering properly? has largely been solved. that was a significant problem of from. thanks to expand the capacity, thanks to configuration changes and code fixes, that has largely
3:43 am
been solved. people can get to the front door and start shopping for affordable health options. >> how many registrations can the system handle now? >> i believe the latest number is 70,000 registrations an hour. the plan is to up that. people who have registered previously are coming back to keep working on the application and shop for plans. >> are you reaching out to people who have been discouraged and encouraging them to come back? is there any effort to reach out to them? currently gauging an effort to reach out to folks who got stuck. >> are the resources there to help people navigate the process? is there any resources that can
3:44 am
help them figure it out? tax, andis the health the team is working on improving the user interface so you need less help. more and more clear to you what to do. assessing or distributing the feedback you're getting from users that have used the system and want to tell you how they could make it faster? how are you communicating that? >> you can make it faster. feedback coming from a variety of different sources. from users and folks in the field. from the call center. some testers. that is being fed into a list on an ongoing basis to make the website better and better. >> i understand it the hub is
3:45 am
working well? >> it has worked extremely well since day one. it supports the federal marketplace and all of the state workplaces. it continues to come along very nicely. >> thank you. my time has expired. i see that sleeping on the floor has paid off. >> the team is doing the work. >> congratulations. >> we now go to the gentleman from tennessee. >> thank you. while i am skeptical about the government ability to run our health care system, what i am more concerned about is our sweetheart insider deals that government contractors get under these programs. all the people and companies that are getting filthy rich off of programs.
3:46 am
i have an estimate here on the cost of all the technology that of august 30.as they said we would spend 516 million dollars on the technology. now we have seen estimates above that. i have a question about that. about how much all of this is going to cost us to straighten this out? are these going to be continual costs each year? are we going to have to spend more and more on the technology? a greater concern, i have two stories from the washington post about 10 days ago and one from cbs news. usedsay the ministration 3.5 years in advance that these
3:47 am
problems were going to occur. the washington post story says after it squeaked through congress, president obama aides were getting worried. they had just received a pointed memo from an outside house advisor that warned that no one was up to the administration of overseeing the construction of an insurance exchange into reality. , and i welcomeg comments from anybody on the panel, how much is that going to cost to straighten out these problems that we now know that we have? how long is it going to take had 3.5ministration has years warning that this was going to happen? how much longer is it would take
3:48 am
us to straighten all of this out? >> you seem to be giving the best answers. i think i can comment. of september, north of 600 million spent now. i will caveat that by saying that did include irs costs associated with that. it wasn't just all cms and hhs. your question about what is going to cost to fix, that is a key question. >> does anybody know? have we spent $600 million already, and it has not worked, does anybody have any idea how much it's going to cost in the end? nobody knows? does anybody know how much this
3:49 am
would cost in the end? nobody knows? how long is all this going to take? if you have had three and a half years to get ready for this and there are all these promises that you can keep your plan. we now know that all that is false. it takes another 3.5 years to get that straightened out. it is important to note that americans are getting insurance today. the system is passing through and people are registering. the focus is on continuous improvement and making sure that we make it even better and stronger. are getting their insurance policies canceled and finding sticker shock because of premium increases.
3:50 am
i am wondering about all the technology. you've had 3.5 years. the administration has known this is going to happen. it has been 3.5 years. how much longer will this take? >> we have to distinguish individuals from the private sector. at athena and microsoft, they knew what their burn rate was and what their rate was. vista launch better than the obama website. gentleman could include their experience in the private sector, if they would like to compare this with the launches of their companies. >> i think it is important to note that this is the way that federal budgeting and federal
3:51 am
i.t. is managed. we emphasize this in the memos that we put out. this empowers agencies to do their mission. we formulate the budget within the office of management and budget. grants that budget to agencies to execute. the tools that we build to track spending are about empowering the agency. the private sector, it is parallel to our position on the ground. begging and age-old capitalist to give you one more chunk of money that he may not give you. >> although you call witnesses asked to-- are being --
3:52 am
i do believe that this appropriate. let me try to clear something up, mr. chairman. mr. chao got a round of questions about the catalyst. says thatocument that it has been conducted. if you look more deeply into the document that is before you, you had the cgi checklist there. the defect report. consistent, mr. chao, with what you have said. this defect report says that defects.e 22 to fax -- >> would you make that document available? >> i will. >> let me, this, i am troubled roles thes committee
3:53 am
white house into these matters without any evidence. white house is accused of -- of not knowing enough and they have been accused of directing theers, with respect to anonymous shopper function. even the chairman has said that on television. i would like to ask mr. chao about that issue. um, this notion -- the question really has to do with whether you were forced to register, uh, and then, um, shop. whether that change was, uh,
3:54 am
-- whether that change was made because of the involvement of the white house in any way. >> absolutely not. it was a decision made on the results of testing and it would be pretty egregious and i understand that a lot of people want to know why the website is functioning the way that it did. to consciously know that it failed testing and then put into production for use is not what we do. we use the best information available and if the tests show that it is not working, we do not put into production. >> will you yield? >> certainly, if you make sure i get my time back. >> will you stop the clock? referring to a decision
3:55 am
that has passed. still fixing xp, after they no longer support it. you say that it still fails the test. the document shows that it passed the test. was it perfect? no. might say that the website was not passing a test in those first two days. hopefully, you can make that document available to all of us. we have been told that they were told people at cms to turn it off. those people were being instructed by the white house. >> let me clear this up, mr.
3:56 am
chairman. >> i just want you to understand that the contractors told us -- >> let's look at the fine print and decide if these 22 defects were noted, because i have it in black and white here. you said that the white house did not say to turn off the anonymous shopper. is that your testimony? the allegation of the chairman is that the white house ordered it because they wanted to avoid sticker shock. i saw that on television. let me ask you -- let me say something about sticker shock. thed a staff member go on test for the d.c. health link. -- there are 200
3:57 am
67 different policies -- 227 7hrough policies -- 26 different policies. found that she can get the same insurance she is getting now for less. if there is sticker shock, it is working the other way. -- i want to drill down into this decision from -- from the white house. was there a white house directive that because of -- came not, i want to make sure your testimony there wasat -- that no white house directive but,
3:58 am
the reason for pulling the anonymous shopper was because the function failed testing. does that continue to be your testimony? >> correct. if we had put it into production, even though it is anonymous shopping, it requires some attributes about your preferences and demographics and what premium tax credit rages you qualify for so that you can move into shopping or plan comparing. it didn't work in calculating the pre-existing tax credit or doing plan comparison. people would have gotten erroneous information and
3:59 am
that would have been worse than not having it at all. >> did you get any direction from the white house to disable or delay the shopper function? were there any political considerations that went into your decision to do so? >> no. none whatsoever. i look to see if the system will be ready. not everything is perfect. in this case, it failed so miserably, that we could not let people use it. chao, if you cannot calculate the prices properly, is it your testimony that when people through the back door and thathrough on day one, they were able to calculate through a different portal? >> if you don't get through, what was --
4:00 am
fill out an online application, you get an eligible determination and you ask for financial assistance -- >> you went through everything and -- >> anonymous shopping uses different software. >> that remains to be seen. >> mr. chao, all my constituents care about and want to know is when they log on, is their data and all their personal and identifiable information, is that as secure as when you do online banking. >> it was designed, implemented --
4:01 am
it was security in trouble assessment testing. >> ok. it is fully tested as the other i.t. projects you have seen. to that same standard. i'm trying to understand what you mean by "fully tested." >> fully tested? holy cow! this is like a new low. -- best practices are a complete integrated testing. >> it was subscribed under controls that were specified. office -- well then, why did the boss resign. >> he didn't resign. i think he decided -- i think he
4:02 am
decided to make a career change. >> is a fantastic time to hightail it out after this great rollout. let me ask you another question, -- have youy, under signed previous memorandum? >> myself, i have not. >> has your previous boss? >> not that i know of. i do not manage the process that is done between the officer and the chief information security officer. >> they would traditionally do it and not the cms administrator? >> i think you would have to ask them. >> fantastic. we plan on doing that. you said in usa today, these bugs are functions of volume.
4:03 am
if you take away the volume, it works. you are referring to healthcare.gov in the fourth paragraph. do you still stand by that statement? >> thank you for the question. what i was referring to -- no -- mr. chairman, i ask unanimous consent on the record. >> so granted. >> these bugs were functions of volume and you take away the volume, and it works. >> i stand by the statement that the issues were created during account creation and were functions of volume. i will say that in addition to also wereater on affected functionality bugs that
4:04 am
have been fixed. volume capacity expansions and system configurations. >> let me tell you a story. i have somebody named sue. she filled out everything except her middle initial. she got a processing error and went back to cut it said -- to fix it. her income was not verifiable. the navigator said that she had some problems with it. she could not get back into the system and had to call back for another navigator. the navigator said, gosh, we have a little issue here. we will try to put onto the backend that the navigators can do.
4:05 am
she is still waiting and she started on october 1. she is waiting to be successfully logged in to this website. that these bugs were functions of volume and if you take away the volume, it works. this is a deeply flawed data rollout. my constituents are concerned about trying to sign-up and, when they sign up, that they don't have their data stolen. >> you can answer if you see a question there. >> that would be great. i was talking about issues with account creation and there are issues downstream, as well. each time we speak with you -- each time i speak, i relate the best understanding that i have. >> thank you. to the gentleman
4:06 am
from virginia. >> we begin on a bipartisan note. and actoining together that requires reform of i.t. this a federal i.t. acquisition and you seem to have been equivocal at our last meeting. i want to read you a statement from the president. he said that one of the lessons learned from this process is that the biggest gap between the private sector and the federal government is when it comes to i.t. and how we procure it, how we purchase it. this has been true in a whole range of projects. we need to free up some of the moribund rules.
4:07 am
>> i couldn't agree with you more. one the lessons i hope that we hearinge out of this is that there are two people in the private sector who would never do a process like this. trying toation is li create a modicum of similarity. >> i think the chairman. d the statement of the boss. >> mr. chao. >> you mean the president? >> the other boss. the big boss. interviewduring her with committee staff, you are presented with a document and it " authority to
4:08 am
operate." in 2013.y your boss this document indicated that there were two respondents in the federally launched marketplace. is that correct? >> correct. can i qualify that? it was dated september 3 and referred to two parts of the system. >> you are jumping ahead of me. we're going to get there. you told staffers that you need to check with officials at cms. is that correct? >> correct. >> the staffers continue to ask you questions, nonetheless. somebody leaked parts of the transcript to cbs news. is that correct? >> it seems that way. >> hmm.
4:09 am
since that interview, have you had a chance to follow-up. i had some discussions about the nature of the findings on that document. >> this document, it turns out, discuss only the risks with two modules. is that correct? >> yes. neither of those modules are active right now. this document did not apply to the entire federally facilitated marketplace, despite the assertions of the leaks to cbs. is that correct? >> yes. modules do not contain or transmit any information on
4:10 am
individual consumers. is that correct? >> correct. >> they do not transmit any specific user information. is that correct? >> yes. >> cbs evening news ran the from a leak partial transcript. they say that this could lead to identity theft. that cannot be true, based on what we just established. the document leaked to cbs news did not relate to parts of the website that were active on october 1 and did not relate to any part of the system that
4:11 am
relates to personal consumer information. not any possibility of identity theft. >> correct. >> thank you, mr. chao. >> have you read the letter? the gentleman is well aware that there are significant security leaks that would allow hackers to take people's private information. susannah will give you the information if you let her. >> ok. >> i'm sorry. i'm not following the question. >> i was trying to get the staff to speak you. the bottom line is that there are security risks today,
4:12 am
according to you and the ranking member. this website still has vulnerabilities. is that correct? >> i'm talking about a deliberately that distorted reality on two modules that were inactive. it used misinformation to suggest -- >> the security problems in your letter to refer to the website. >> my questioning to mr. chao had to do with -- >> i understand you rehabilitating mr. chao. >> i'm trying to get the facts on the record to correct a deliberate smear against mr. chao, not to rehabilitate him. in the name of this committee. >> i appreciate your concern. >> i'm glad you do.
4:13 am
and you wrote a report did not want it released because it shows a roadmap to the vulnerabilities of the site, as it is today. >> mr. chairman, i began by acknowledging our joint bipartisan effort to acknowledge reforms. that is acknowledgment that the acquisition process is broken. whether it is this example or any other. i have no reason to hide anything. i'm concerned about a pattern of: people to give testimony and cherry picking. it does not serve the committee and does damage to good public servant reputation. >> mr. jordan is recognized. >> mr. chao, a week ago, the
4:14 am
president was interviewed. he was asked about secretary sebelius. from the chuck todd interview. the health secretary argued that the website was not her fault. >> kathleen sebelius does not write code. who is the i.t. person? who is the person in charge and responsible? who signed off on this? >> the person who is responsible is marilyn. >> did she base her decisions on the memo you sent? is that right? >> i think that -- >> the president talked about an i.t. person. which of you is that person? >> i don't know.
4:15 am
>> and refers to a person. who is the i.t. person in charge? >> i do not know what you are referring to. >> let me go to slide three. complete end to end testing never occurred. did that raise concerns? did you know about that before october 1? >> i think that is taken out of context. >> it is in pretty plain language. e octoberne befor 1. >> i say this again out of context because there is quite a few -- >> did you know about the testing before october 1?
4:16 am
>> i have not seen this document. >> you have the fancy title. you do not know about this before the biggest domestic i'll see program website in the history of this country was ever launched? you are supposed to be the guy who is going to solve everything and come out a phone booth. did you know about this? >> i did not. would you like me to explain why -- >> i would like someone to explain why and to end testing was not done. payment is not going to occur until the first part of january and we are still building the system. >> the system worse together and it does not work together. >> we are still building parts of the system to calculate
4:17 am
payments for all the marketplaces. to make that payment. >> there is more system to be built and we can expect more problems, in addition to the ones we've already seen. >> the security testing is ongoing. >> why didn't you delay this? you guys knew there was going to be problems. you hope the test would work when he presented to the white house. why didn't you delay it? mr. chao. >> that is not my decision to make. >> the chief technology people know that october 1 -- is october 1 a date in the law? it's not. i know i have a minute. the washington post article is important. do not keep the political people in the white house. bring in outside people.
4:18 am
larry summers agreed with that assessment. the president said, no. we are going to keep nancy in charge of this. you get the political people in charge. october 1, my marching orders were to get the system up. correct? >> correct. >> why? >> i didn't ask. what i'm suggesting is, the folks at the white house knew this had problems. for political reasons, they picked the state and had to adhere to it. the end result is that americans' personal information is put at risk. >> this is a long chain of systems that needs to be built.
4:19 am
we asked mr. carlo and ms. lambro to come in front of this committee. these are the people we need. they are the ones who determined that october 1 was the date that they would move on. they are the ones who are responsible for putting americans at risk. >> they're all these questions that you seemed to want to give an answer to on end to end testing. >> i would reiterate the point that the security testing is done early on and complete system. >> thank you. mr. davis. >> thank you. there's been a lot
4:20 am
of information over the past several weeks regarding the security of healthcare.gov and other consumers who use the system. i would like to hear from the witnesses about this matter and separate fact from fiction. mr. chao, the federal information security act requires agencies to protect systems. agency to sign up before operating a system. in the case of healthcare.gov, signed onmemo september 27. federaltitled,
4:21 am
marketplace. to make sure that the -- it says that the security controls have not been tested on one complete version of the system. it also says that that resulted in a level of uncertainty that deemed as "high risk." mr. chao, can you explain how cms tested various components for risk? and most large i.t. projects that require several, what we call "environments," to just that locally and putting it into a larger environment with other codes, we go three stepwise
4:22 am
process. what the statement reflects is situation, similar to the marketplace system, security people have to test when they can and when they have a window. there is a compressed timeline. that complexed -- compressed occur.e had security the memo was trying to say that as software is being developed, it is tested in three cycles. by the end of three cycles, they had fully tested the necessary functions to go live. there are, as i mentioned earlier, other system functions
4:23 am
that will continue to have security testing conducted. it is a point in time. risk is a point in time. in the memo, we will see that we have applied steps to offset the potential risk that was identified. >> do you know of any other i.t. systems, in your experience, that were authorized without completing a full systems security testing? >> there is a slight art in the wording of this. every system that the federal government puts into production needs to have security testing. whether we tested in three cycles or tested annually, or every three years, testing has
4:24 am
been an ever-present part of the process. we are testing -- we fully test those. we a portion of the system, mention that we do not have to make payment on october 1. that is tested at a later date, when a function is needed. ive and ongoing process. >> has a security team been established? >> yes. >> has cms been performing weekly testing? >> yes. >> i have no further questions. i yield back. >> we go to the gentleman from utah. >> i would like to start with you. since the end of august, how many
4:25 am
times have you met with secretary sebelius? >> i'm not sure. probably once or twice. >> was the last time you met with the secretary? was during the shutdown. >> you met one time in october? >> i think so. >> you're the chief information officer and you met one time with the secretary. you engaged a hacker to look at healthcare.gov, correct? >> cms asked us to help them. >> you engaged a hacker. >> you engaged a "ethical hacker." >> when did they start the hacking? >> during the shutdown.
4:26 am
>> when did he complete the exercise? >> it is ongoing. >> how many serious problems did he find? >> i don't know that i would call them serious. there were seven or 10 items on the report. >> you've had seven or 10 items of hacking. some are serious. what percentage of them have been rectified? >> i turned those over to cms for their review. some were not system issues. they involve security. you, you have no follow-up or what percentage of those hacking incidences were rectified? >> i believe that cms got back to my staff last week and some of those have been remediated. >> you do not know what percentage? >> no.
4:27 am
>> did you share this with the secretary? >> no. i have not. >> you are the chief information officer. >> these are technical items. a hacker finds ten problems in a couple of days and it is that easy to hack the information. that is the concern. is this ready? to follow-up on mr. mchenry's, is the website as safe and secure as online banking website? >> i would have to look and assess the security. it is preliminary. they did not test the interface. interface testing needs to occur.
4:28 am
we have raised issues. >> would you put your information in there? >> i would have to see the testing before i was comfortable. >> the answer is not yes. >> mr. chao, would you put all the information of you and your loved ones in it? >> yes. i had my sister put it in. mentioned, there are teams in place under the chief information security officer. >> mr. chairman, this is something we have to follow-up on. federal government is lucky to have somebody like you engaged in this process. it is a comfort that you are
4:29 am
looking at this and spending time. have you ever shopped at amazon or ebay? >> no. >> as a californian, i am offended. >> when you put something in a shopping cart, is that considered a sale? >> no. >> thank you. i yield back. >> mr. chao, you feel that things are out of context. memorandum that the the place in the record in its entirety. before i do so, i want to make some things clear, we redacted information. is there anything in the memo that you feel needs to be redacted? otherwise, will put it in in its
4:30 am
entirety so that there is no question. >> i would have to review it. >> want to make sure that there is no sensitive information. >> the question is that there are numerous things that say that this thing was not ready for security on september 3. there was no end to end. you want to say you were taken out of context. both september 3 and september 27, we find that there was no end to end testing. there are vulnerabilities. isn't that true?
4:31 am
the absence of the testing means that anything they can reach into the database can be a significant security risk to people's security information. it has nothing to do with shopping. isn't that true? >> that is correct. >> i recognize the gentleman from tennessee. >> i am worried that the net effect is to exaggerate the security difficulties of the website. the armed services committee and the pentagon is attacked many times in a day. sometimes, by foreign powers. the internet could and should be more secure. we have to acknowledge system problems for the internet and there are other things we can deal with. another concern i have is the witnesses being badgered. i would like to offer mr.
4:32 am
baitman and mr. park an opportunity to respond. i believe in fairness and the american people do not want to see a kangaroo court here. the way this hearing is being conducted, it does not encourage good private sector people to join the government. i've heard mr. park speak a couple years ago for a private sector, procapitalist business audience. told me that they had never heard a speaker who got it better. it instilled faith in the process. we are the best nation on earth. the american spirit is the "can do" attitude and not
4:33 am
the blame game. you have mentioned -- you have been treated unfairly. >> have i cut off anybody's answer? >> you cut off the ranking member. >> i cut him off after he exceeded his five minutes. no witnesses have been cut off. every witness has been allowed to complete their entire answer. kangaroo court is like the accusation. i hope the gentleman from tennessee will think better of making an accusation. has been cut off. i asked mr. baitman to conclude. that is the closest thing.
4:34 am
this is not a partisan hearing and i will not have it the accused is such. we have a website of the american people have seen does not work and we are trying to understand why it did not work. these happen to be experts and, , fixing it. part >> the chairman is discussing rehabilitating witnesses. -- that suggests that they need rehabilitation. whether it is deliberate or not, let's focus on fixing the problem. >> there's one thing i want to , we found
4:35 am
vulnerabilities with the system and there will always be vulnerabilities. banks and online shopping sites all have issues. that introduces vulnerabilities. all the software goes through continuous improvement. what we are doing right now is continually findingg on a basis and the vulnerabilities that exist. >> what i would like to say is that if i come across as being defensive, i apologize. i'm being defensive of the truth. i believe that that is what this committee is trying to get to. that is what you said at the beginning. misuse and the staff being
4:36 am
deposed, i'm going to be defensive. that is not the truth. that is all that i want to make clear about my defensiveness. >> any other witness like to make a point? this committee has many talents and broad jurisdiction. to my knowledge, i could be wrong, to my knowledge, none of us can do a website. we are not software engineers. >> i think, unfortunately, you have several here. >> none of us would want to be engaged in this. >> none of us want to own this particular website. >> it is easy to criticize and hard to perform. as the gentleman pointed out, even microsoft, with windows xp,
4:37 am
is still revising it. process and the internet is. perfect. it is still one of the great technological accomplishments of mankind. there are glitches. we would put witnesses in an uncomfortable position consistently. it creates tension and it is going to slow the effects of the website. i worry about that. we have collaborated on an excellent bill to fix the overall i.t. that therewent out it was a 0.6%.d
4:38 am
what we focus on the larger issue and fix it. as i said, is much better to light a candle than to curse the darkness. >> maybe we can close on a positive note. he has talked about stress testing and he knows very well that microsoft never put a new system up that was not stress tested. it still had vulnerabilities, but -- by the way whenever you add a new driver or new something else, you create a potential new one that has to be tested, but stress testing end-to-end was something that this committee wanted to know at the onsefment why it hadn't been done because it is a best practices, which g.a.o. has kindly made clear, the nine points that g.a.o. made in their report of best practices that were not followed. so mr. connolly and i, mr. cooper, we are trying to get to where best practices will always be used. and in this case not because of these individuals, per se, they are here as experts, but development over 3 1/2 years short cutted some best
4:39 am
practices, and it's not the first time and it won't be the last time, but it's one where, as i said in the opening statement, it's so important when the american people are focused for us to say you can expect better from your government in the future, and i don't mean on healthcare.gov, i mean on all of that $82 billion worth of i.t. i appreciate your comments to that end. >> mr. chairman, let's see about getting your bill to the floor. >> that's something we all would like to do. i'll talk to the leaders. >> you are the majority party. i'll tell you what, i'll get it to the floor in the house if you'll help me in the senate. we'll get this done. >> i have lots of influence in the senate. be happy to help. >> thank you.
4:40 am
>> with that we recognize the gentleman from michigan who knows a great deal about health care websites from his state, mr. walberg. >> thank you, mr. chairman. thank you for holding this hearing and panel as well thank you for being here. you have plenty to do. wish you didn't have to be here today. but when i receive letters on top of letters and contacts and six town hall meetings i held last week, live town hall meetings, like this one from rachel in eaton rapids, michigan, where she talks about the fact being cutting off from her insurance. her husband and five children. and she says this, hated the idea of getting on the healthcare.gov website as i believe insurance is a private matter. i did it anyway. the website did not work. so i called the number. she goes on to talk with a person
4:41 am
on the phone and ultimately being hung up on. that's the reason why this hearing is important, frankly, mr. chairman, i believe that this whole act that was put into place law with a cover of darkness with votes from the other side of the aisle now take offense at us having hearings on problems and doing proper oversight is the reason to have this hearing today. because people like rachel haines and her family are concerned not only about security but right now that's one of the biggest concerns on a website that doesn't work for her. i want to go back to some of the concerns in the mitre report. i want to ask first question, mr. chao has already in earlier statements to questions just before me, indicated when asked why he didn't push back on opening this thing up on october 1, he didn't ask why. i'm going to go to mr. baitman. i think that's an important question. why did we have to open up on october 1?
4:42 am
the question i would ask here, mr. baitman, mitre is responsible for conducting the security control assessment for the federal exchange, is that correct? >> that's my understanding. >> according to mitre, the final security assessment for the federal exchange occurred from late august through mid september. is that your understanding? >> it is. mr. baitman, to the best of your knowledge did mitre conduct a complete integrated security test to the federal marketplace? >> i didn't answer that. >> i would like to document -- a document put up that deals with this test and the outcome. if i could have this particular document. you see there f.f.m., the website, the marketplace, complete percentage, 66% complete. that's it.
4:43 am
66% complete. this document was obtained by the committee we have in place. let me ask this question, mr. baitman. is it a problem that mitre wasn't fully able to test one third of the exchange? >> i can't answer that. this project was run and managed by c.m.s. they are responsible for the security. >> in the security control assessment dated october 11, 2013, a preliminary copy was given to c.m.s., on september 23, 2013, mitre writes they are unable to adequately test the confidentiality and integrity of the health insurance exchange
4:44 am
system in full. they go on to say, mitre also writes the application at the time of testing was not functionally complete. mr. powner, what are the dangers of conducting a security assessment on an incomplete system? >> you could have vulnerabilities that go untested. also, too, on this document. there's a lot of dates that don't add up. my understanding is mitre conducted their security assessment in august and september. and it was later september. there's data all over the place. the bottom line to your point it wasn't done on a complete system. >> mitre told -- >> i want to point out that's a c.g.i. provided document. not from c.m.s. you see on the bottom -- >> i understand that. mitre has told committee staff to their knowledge there has not been a comprehensive test of the entire system. one of the dangers posed by not
4:45 am
conducting a complete integrated security test of all thecy tell components, mr. powner? >> in order to ensure that your data is secure and the system safe to use, you want to test on as complete a system as possible. >> sensitive personal information at risk when it opened on october 1, 2013? >> i don't know what happened mid september on. that's the only -- there was testing done through mid september, and i have -- i am blind to what happened in that period. >> could you then ensure -- >> the gentleman's time has expired. if you could wrap up. >> last question. can you ensure the american people that the website will work on november 30? >> the gentleman may answer. >> asking mr. powner. >> that's not my responsibility. >> you can't -- the gentleman's time has expired. anyone else wants to answer november 30, they may, mr. park, will it work on november 30? properly, fully? >> the team set a goal of having healthcare.gov function smoothly for the americans t the team is
4:46 am
>> thank you, mr. chairman. and to the ranking member and to the other committee members. to our witnesses, this is an important hearing. our constituents are rightfully concerned about their right to be able to access affordable health care on the website, healthcare.gov. while the rollout has been problematic, what's been more troubling is the fact that this has been turned into more of a game than it has been about how we can work together to fix the problems of the site. and my concern is one of security of personal information. i also sit on the homeland security committee. we are having a hearing also this morning on this subject. and so i want to ask about the
4:47 am
potential security risks to consumers. mr. chao, do you agree that protecting personally identifiable information on healthcare.gov is important and something that can be achieved? >> i think that's something that we at c.m.s. and federal agency comply with fisma and o.m.b. and nist special publications for securing people's data and then following hipaa's kind of requirements for confidentiality, integrity, and availability of data. >> can you explain how c.m.s. protects consumer information? how that is safeguarded by c.m.s.? >> i think one of the things that is very obvious when you come to healthcare.gov and if
4:48 am
you go to, in my opening remarks, i mentioned there are two sides to it, two legs, if you go to the insurance side, one of the first things that you have to do is to register to establish an account. and we have mentioned that registrations are up to about 17,000 per hour right now. and that registration process allows you to establish what we call a level one assurance, of assurance account which based upon the national institute of standards and technology, that's very similar to something like what you would establish in terms of opening up a gmail or yahoo! account. it's basic information. >> move on to the next question. we are very limited on our time. >> basically the answer is it's about authenticating you. it's about are you who you say you are before we let you into the system. that is one major step in
4:49 am
ensuring that people's privacy are protected that they only see their own data. >> is healthcare.gov, any more or less risky to consumers than other sites, including private company information in the banking world or using credit cards to purchase information over the internet? >> i can't speak for what privacy frameworks and programs apply to private sectors, but for the federal government, we followed fisma guidelines and requirements set forth by certain o.m.b. directives, and we use independent security testing contractors to ensure we comply. >> mr. park, you spent some time with this website. have you been able to understand the security features that are inherent in it? >> that hasn't been my particular focus on the team, no. there's a c.m.s. security team dedicated to security matters. >> based on your review of that, do you believe the site poses any unreasonable risks to consumers?
4:50 am
>> i have to actually again dive into that personally, my understanding is c.m.s. is applying best practices to the site and c.m.s. has a great track record in protecting the privacy of americans. >> mr. van roekel, i understand you worked on the data hub. can you explain why you believe consumers should have confidence that their information is secure as it passes through the hub? >> i didn't actually code the hub itself. i didn't do the day-to-day. one thing that should be pointed out -- >> we are going to leave this of assessmentture that is about assessing level of risk, is a low to high, and you put in the place technology to mitigate the risk to make sure that they are protected.
4:51 am
the standards we abide by are the standards which are developed with the private sector. the banking industry, financial industry, they use the same standards as government new. we hold government to those standards. we lead those industries to do those things. the other aspect of this is that this is ongoing. you hear in the homeland security committee fact that we have cybersecurity and what we do, we have to do ongoing tests and rapidly respond. assessments are never done. you have to stay vigilant. >> i would just say that this is not about playing offense or defense. it is about us getting this job done on behalf of the american people and working together. i am insulted by this house playbook that talks about obamacare -- a loss of
4:52 am
insurance, and what this means. this is not working. >> the gentleman will submit. the gentleman from oklahoma is recognized. >> this is not a day that is a fun day for you. i get that. i want to say thank you. you are professionals that have given to public service. you can make a lot more money in the private sector. we have differences of opinion. i just want to say thank you for what you are doing. you have made a conscious choice in that. let me walk through a couple of things to get the reality. about an hour ago, i went on my ipad and got healthcare.gov, and i hit this button that says create an account. it doesn't go anywhere. it just changes colors and does nothing. for an hour and a half, i have occasionally hit that button. this is the frustration a lot of the folks have.
4:53 am
we get that. we have questions as we walk through this process of what happens. you said is our goal. can you be more specific? are we going to hit november 30? >> thank you for the kind words at the beginning. the goal that has been laid out -- not to be perfect, but -- >> functional. >> so the vast majority of americans can use this smoothly. >> here is the issue. around 5 million people have received cancellation letters. i have constituents who have received copies of their letters that end with the insurance policy concludes with december the 31st. if they cannot get into this site by december 15, they will
4:54 am
not have access to insurance january 1. they will be uninsured. the deadline is out there for march 31. those who have received by the millions cannot get insurance and will be uninsured. i get that is the goal. the reality is racing at us. we are trying to fix a plane that is in the air. i understand the complexities of that. the challenge is that many of us that park the plane for a year, let's get it right. your fault. you are dealing with the realities on the ground. that is something we are trying to communicate on this. the september 27, the authorization to operate some committee staff that you
4:55 am
during the conversation, there was a back-and-forth on this ato coming out that mr. james kerr and yourself edited there. sissy --emo, due to a two to a system of readiness issue, this constitutes a risk that must be mitigated to support the marketplace day one operations. you were asked by staff what are those risks that are out there that are becoming the unknowns that have to be mitigated. you had listed things like unauthorized access, data, personally identifiable information. am i tracking this correctly? >> yes. those are examples i was asked to provide. >> the problem is, you're trying to mitigate on things you do not know. i understand on risk. you mitigate on things that you
4:56 am
know. is that correct? on day one, signing a document that says there are risks that are out there. some that were listed, it's mitigate on those. were we mitigating for every possibility? >> what you do, look at the probability of a particular risk occurring. you prioritize, and one of the mitigation steps was to conduct weekly security testing, and report back to the administrator on the results of that security testing. >> during that if you find that some data was misrouted? insurance companies getting information that is incorrect? >> there are cases in which insurance of an israeli data that were not incorrectly routed to them, but incorrectly formatted within the transaction. >> do you know who reads marilyn tavenner on the risk?
4:57 am
she had to sign off on this document? >> she had to sign off on the document. is there a way to be able to track what information employees can see while they are working on this? we have a lot of contractors working on this. is there a way to track? gathers personally identifiable information. >> there are system logs. if you call the call center and the representative -- >> i'm talking about the back end. >> the gentleman's time is expired. you can finish the question. >> and in certain cases, yes.
4:58 am
it is not live people data. i think the gentleman from oklahoma's breed for the record, i want to point out that those items that you identified as particular inherent risks were identified by you prior to the september 3 memo that was introduced. i know the gentleman from virginia had indicated that it was after that memo. for the record, you indicated those prior to that they introduced by committee. >> i do not understand what you are trying to say. it was in the context of the memo. >> you mentioned these risks because of the failure to do integrated security testing. >> i do not believe i said failure.
4:59 am
resolved.not >> i do not have the transcript in front of me. i cannot confirm with you. i was not given an opportunity to make corrections if there were corrections to be made. all i can say is that to the best of my knowledge, i do not recall saying that. i need to see my transcripts. >> the gentleman from vermont is recognized. >> thank you. first, i want to join mr. lankford in thanking each of you for the incredible effort that you are putting into trying to fix a very serious problem. thank you. second, you do not have to be an opponent or supporter of the health care law to acknowledge that there are significant rollout problems associated with the website. those of us who are supporters, i'm a strong supporter of the health care law, are absolutely committed to providing the
5:00 am
support that you need to make this work. there are four issues that are around. the website, and what we have to do to fix it. it has to be fixed. number two, what are the impacts of these cancellation notices that americans are receiving. they thought they had health care were sure that they keep the policy they had. third, the individual mandate that is the subtext of the debate. that is essential to the law. in order to make that work, the website has to work. the fourth is the i.t. purchasing. are there some lessons that we can learn? i tend to think that it is a truly important move ahead on the legislation. that is the context that we are in. you're here to help us fix the problem. we have to get that done. i want to start by asking you mr.