would have been established as part of how the normal business -- youes in present-day know, how government connects organizations with each other to conduct business. additionally, cms design the marketplace to limit the amount of personal data stored and protects personal information and limits access to password , zonedion technologies architecture with firewalls , and dothe zones various other security controls to monitor locking and prevent unauthorized access to our systems. cms protects the federal marketplace through intensive and stringent security testing. while the marketplace has had performance issues that could have been addressed through more comprehensive functionality and

performance testing, i want to be clear that we have conducted extensive security testing for the systems on october 1. we continue to test for security on a daily and weekend -- daily and weekly basis. clocke working around-the- to fix our performance issue so the vast majority -- the vast majority of users have a smooth experience. all i cannot go into specifics of our security due to sensitive nature. scans monitorare data flow and threats by denying access to known source fed ip addresses and actors. conduct different types of penetration testing on a weekly basis. the recent testing showed no significant findings. cms reviews the operation system , infrastructure, and application software to be sure that these systems do not have

vulnerabilities. fuller abilities are fixed immediately on site and we tested to ensure the strength of our security. each month we review our plan of action in order to continuously improve our system security. for the federally facilitated marketplace we conduct control system -- control assessments. no vulnerabilities have been exploited. because of our experience of running trusted secure programs, fulfillment of federal security standards and routine security the american people can be confident in the privacy and security of the marketplace. i will be happy to answer your question. >> thank you. for the last year members of this committee have asked you and others in the administration about the status and launch of the president's health care law. we want you -- we want to know if you be ready for the october

1 enrollment. the documents produced the committee showed a different picture. march to me you made a candidate comment that you did not want the exchange website to be a third world experience. now that the committee has learned about a report prepared for the committee by senior hhs and white house officials and presented to these officials in late march and early april this year, that document is tab one of your document binder. this document highlights a number of risks facing.com -- facing healthcare.gov's launch. when did you foresee this presentation? >> i have not seen a presentation. >> you are not reefed at all? >> i knew that mckinsey have been brought in to conduct some interviews and assessments and report to our administrator, in >> you participated

participated in the interviews? >> i was not given the final report. >> were you aware they had met gerry:cretary sibelius, and others -- gary cohn and others? >> i believe there were some meetings i had heard of but i did not know the exact dates. >> part of your job is to make sure that this website is working, am i correct? >> correct. >> this was a major report that went as high up as secretary. there were serious problems with this and you are saying, even though you were interviewed by this, you did not ever have this briefing yourself? >> no, i didn't. >> you knew it existed? >> i had heard it was a final report out. i did not see the actual -- >> did anything change in recognizing that this briefing was out there, basically telling

people that there were serious problems? no end to end testing? the cannot speak to contents of that report because i did not see it and i do not was inout it until it the washington post. >> this is part of the concern we have. we have a website out there which untold hundreds of millions are spent on this website. mackenzie is hired to come and present what the problems are and lay out a roadmap of these problems. i'm deeply concerned that this is something you knew existed but had not read. when were you first concerned that they would not be ready october 1? >> i never thought that. you made a comment about this not being a plane crash.

>> you are referring to the e- mail exchange i had? clock's certainly it did not -- >> certainly it cannot say, everything is fine, congratulations team? you must've been aware of >>blems that existed in the i have been working on this since 2010. >> we appreciate that. caution on the side of in urgency because even back in 2010i did not believe that .verything would be easy on a regular basis i worked with a lot of my contractors and them on thesitize level of urgency. >> especially since mackenzie was pulled in to prepare this document, which was important enough for them to have meetings at cms, hhs, at the executive office building and at the white house.

i appreciate your sensitivity and awareness. i am concerned that you said you have not even what -- have not even read this yet. any event occurs -- has that happened yet? >> yes. >> how many times? >> you mean, whether we are conducting -- >> instant response capability. first of all, has anything happened yet, any breaches of people trying to get into the system from the outside? >> i think there was one incident that i am aware of. it requires that we go to a classified facility. you are saying no other attempts to bridge in the system -- >> not successfully. >> who do you report this to? combination -- a series of authorities that are involved.

they go through our agencies, various key leadership, and then up through the department. we have a security incident response center that works at dhs. >> i am out of time. all, to the contractors, something you said in your opening, i think we should take heed. to be careful not to die. to that information about the security designs of the website, is that right? >> that is correct. >> i would say to you and the contractors, if there is a about thatked sensitive information, if you would let us know and we can take that into executive decision.

the chairman was asking about this memo. it was on tuesday, july 16. if you can take a look at tab seven in your document finder, that is a copy of your memo. that you were basically telling people that you wanted to make sure that this website was up and going. further actions after july 16 to get the website up and going? >> it was a constant daily effort. >> it still is, if in -- still is, isn't it? it.o improve >> old like you to take a look at tab one of your document binder. -- i would like you to take a look at tab one of your document binder. this is the document that was given to the washington post yesterday by the majority and simultaneously to the democrats on the committee. this is the document the

chairman was asking you about in his opening statement. have you ever seen this document before? >> i haven't. >> you don't really know about what it might have said? >> i believe it is executive level with black you were not part of that briefing? >> no. >> that does not mean you were not concerned about the website. >> of course. i think in some of the interviews with mckinsey, some of what is in here could potentially come from information -- >> you would not know that because you did not see it. >> no. >> i want to talk about the issue of security. say those inrd you your opening and response to wanted tog -- i just ask again, have there been vulnerabilities that have been discovered since the website unveiled on october 1? havecurity vulnerabilities

not necessarily been reported in terms of it being a security threat. think there was some misuse of terminology of something like 16 incidents reported in a previous testimony a couple of days ago. incidentsactually involving disclosure of pii thermation and it wasn't result of anybody trying to attack our website. >> what was it the result of? clock signal is dealing with some training issues at the call center. >> it is dealing with some training issues at the call center. if your name is smith and you chose assigned at the end of the username, sometimes it is

treated like a wild card search. in the >>een fixed that problem has been fixed so it is not happening anymore? how long have you been at the agency? >> 20 years. >> working in other areas, is this common that there may be a little like this? >> fairly common. does the agency do when that is identified? >> we have an extensive set of processes and -- of processes and control in place. security breaches versus personally identifiable information incidents. testing,is continuing is that right? >> correct. assessments have been

performed for cms, is that correct? >> correct. >> what that does is it gives the contractors the opportunity to identify security von abilities, is that correct? >> i think what the benefit is is we use a set of contractors to independently test the system we are not taken the words of cgi themselves to perform security testing. this independent testing provides us more of a balanced view. >> is this ongoing? >> is on a daily and weekly basis. >> thank you very much, mr. chairman. >> the chair now recognizes mr. barton for five minutes. >> thank you, mr. chairman. i am reminded of the movie theblanca, claude rains french chief of police goes into ricks cafe and says, i am

shutting it down. rick comes up, played by humphrey bogart, and says, why are you showing -- why are you shutting this down? the police chili -- the police chief says, i am shocked that gambling is going on. that is just as claude rains comes up and says, your winnings sir. the past master of running this committee would be shocked and amazed that something was given to the "washington post" yesterday. i am not saying it was, i don't know. what if it did happen it would not be the first time in this committee's history that arguments were given to the press at approximately the same time they were distributed -- the was grateful that i had washington post so i could keep track was going on in the committee. >> reclaiming my time, which is

my time, from my good friend. what shocks me is that our witness, who was the deputy chief information officer and deputy director of the office of information and services for medicare and medicaid, who has been identified numerous times as the chief person in charge of repairing this website at the cms level was not aware of this document. to me that is what is shocking. when we made aware of this reaching document? -- of this greeting document? >> i think i was aware that some document was being prepared. towards the end when the briefing was occurred i was not a part of them. >> were you aware that mckinsey had been hired to come in and

thecally troubleshoot status of the website? >> i don't think they were brought into troubleshoot, i think they were brought in to make an assessment by conducting various interviews with key stakeholders. >> did this group ever talk to you? >> yes. >> so, they did come in and at least visited with you. >> they interviewed me before. >> once, twice, i doesn't? >> at least two times from what i can recall. >> since you have been made --re of the document >> i was not made aware of the document. i was interviewed by the team that put that together. when the document was assembled, i did not get a copy of it. >> as mr. dingell has pointed out, it is in the washington post.

before coming before this subcommittee this morning, as he peru's this document -- have you peru's this document? i have not. >> well, on page one of the it says the working group, whoever that is, extends the go live date should not be part of the analysis and therefore work within a boundary condition of october 1 as the launch eight. this meansglish what is that somebody decided we couldn't a late a start up date so we are going to assume it will go live on october 1. were you a part of the working group that made that decision? >> no. >> do you know who the working group was who made that decision? >> no. >> do you have any idea if it was the president ordered the

human services or if it was somebody in the bowels of bureaucracy? >> i think it probably was a conglomerate of several leadership that came to that conclusion. >> did you have any decision- making authority yourself about when the start of date should be? >> no. >> that was not in your authority to put it off or make a decision going forward? >> i did not have that authority. >> do you know who did? >> marilyn tavenner. primarily i take my direction from marilyn. >> my time is expired, at summing up, we are concerned that multiple levels, but if you review this cms document, which i did not see until now, this morning, it does not take me in

about 10 minutes to look at it, and it is absolutely clear that the startup of the website was not going to work well if at all on october 1. it was not. and it says that in here. with that, i yield back. >> the chair recognizes mr. dingell for five minutes. >> for the requisition, i am thanking you for holding this hearing. we are over six months now, into the implementation of the affordable care act. while the website has improved, it is clear there is more work to be done. i'm hopeful the subcommittee will work hard to achieve that goal. the aca is the law of the land, and we hope to make it a functioning website. it is important to remember that we can never fully eliminate the risks when building a large i.t.

system. we must take steps to mitigate them. we must take the steps to make the program work, because this is the largest undertaking in its character that we have ever seen by government anyway. first question -- the cms is responsible for the data services hub and the eligibility and enrollment pools for the federally facilitated marketplace, yes or no? >> yes. >> are these projects were hard to comply with the privacy acts of 1974, the computer security act of 1987, an act of 2002, yes or no? >> yes. >> cms must also comply with regulations and standards, promulgated by the national institute of standards and technology at the u.s. department of commerce. is that correct? >> yes.

>> these standards require cms to balance security considerations with operational permits. is that correct? >> yes. >> one of the key pieces of healthcare.gov website is the data hub. is this a large repository of personal information, as some of my friends on the other side have claimed, yes or no? >> no. >> i want that on the record. does the data hub retain personal information at all? >> no. >> is it fair to say the data some day data hub is a tool to submit eligibility information to federal agencies? >> yes. >> did the data hub pass a security test to the october 1 launch of healthcare.gov?

>> no. >> is the hub working today? >> yes. >> is there evidence to the contrary? >> no. >> is evidence of lack of security by people who have submitted data to this undertaking? >> no. >> it is always true of our duty to remember how our health care system operated prior to the passage of the aca. at that time, insurance companies were allowed to medically underwrite people to determine their premium. this required lengthy confusing applications and contained a lot of personal information. oftentimes, this was submitted electronically as well.

aca has changed all of this. now, in fact, this is a question to you again, in fact, application forms on healthcare.gov did not require the submission of any personal health information. is that correct, yes or no? >> yes. >> that is because aca prohibits this rumination on the basis of pre-existing conditions and outlaws charging people more because they are sick. is that correct? >> yes. it is not collected. >> this is a remarkable improvement over the old system in terms of security and quality of care. next question -- there are a lot of negative stories in the press to create a lot of confusion.

i want to get this record straight. is healthcare.gov safe for my constituents that they can use today with regard to their personal information and privacy, yes or no? >> yes. >> is there evidence to the contrary? >> no. >> i yield back. >> thank you. now going to ms. blackburn for five minutes. >> thank you. we really appreciate that you would come and work with us on this issue. i want to talk with you for a minute about some red flags. you are going to find the e-mail i am referencing, and it is the july 16, 2013, e-mail that you sent, and i want to focus there. when you have something that is running off the rails, as this

obviously seemed to be doing, it was not proceeding as it should be proceeding, and you expressed these concerns about the performance of cgi. what i would like to hear is an articulation of maybe what were those top three or four red flags that seemed to be going off to you, that you said, i fear that the plane is going to crash on takeoff, and some of those wordings that we have heard from you now? give me the top three or four things. >> in the context of the e-mail, it was at a time when we were getting ready to roll out what we called light account, which is an initial registration process.

as i mentioned before, i'm a person who has a lot of anxiety, that i always err on the side of caution if we are going to run out of time. i remind people that they need to move fast and they are moving fast, they need to move faster. that is just the way i operate and the way i direct staff and contractors, and what i was afraid of was at this particular point in time is that we were falling behind in the rollout of light account. >> on light account, did your test on that go off without a hitch, or what happened? >> i do not exactly remember the specifics about what tests passed or failed. i was afraid we were in jeopardy of missing the date, so, therefore, at that time in july, i wrote lots of e-mails -- >> did you hit the date? >> it took an extra four days.

>> an extra four days on the tests, and you do not remember exactly what the concerns were that came to you at that time? is there a memo of review, an articulation of what transpired in that test process? >> it is not a memo. the way we operate is we have daily meetings -- >> are there minutes from those meetings, that we could use? >> there were no minutes. i believe they were status check-ins with contractors-- >> are there notes? >> i do not believe so. when my e-mails were submitted, as evidence, that is a -- >> let me go on a minute. i want to talk specifically about cgi. what about -- you know, if you in formerly worked in a group

and did not have formal meetings or minutes and memos and things of that nature, just give me your impression on what impressed you that you were behind, because you mentioned price, and i note in this e-mail chain from monique that they had $40 million already, they were coming back and asking for another $38 million. if i had someone who had used up all of their money from a project and then they came back and asked for that much more, i think i would have to say wait a minute. so regardless -- obviously the price to you was of tremendous concern. am i right on that? >> correct. >> they had already lost your confidence there. what was in their conduct that

he wrote it their confidence in their ability to transact this portion of this business? >> i think what i was trying to say is relatively speaking to i would say the most project managers that are looking at smaller scale projects, there might be some room to be more confident. but given that task at hand, my confidence level had to deal with the enormous amount of activities we had to be successful at to deliver on light account that interim piece as well as the october 1 part. >> i yield back. the follow-up, did you present these concerns about being ready on october 1 when you were interviewed by the mckinsey people? >> this was in the july time frame. mckinsey, their interviews were march or april. >> did you present any concerns to meet this dates?

>> is a course of conducting project management program management that working with cgi, qssi, and my team, we discussed these teams on an ongoing basis. >> i recognize mr. waxman for five minutes. >> nobody is happy with this rollout of the healthcare.gov and the administration that has taken its lumps. aside from lessons learned, it seems to me why focus ought to be and my concern is getting this thing working. americans want to be able to access the website and choose a health care plan, especially those who have not been able to get an opportunity to buy health insurance in the past. that is what it seems to me if we need legislative changes we should make changes to make it work, not to repeal it. republicans are so fixated on

hating this law, and they want to repeal it, they do not even want to consider helping make it work. that is the focus that i want to use in asking you some questions, mr. chao. how do we make this better? is it accurate to say that the website is getting up and running? >> yes. it is accurate that cms -- they have crossed 200 items off their punch list? >> correct. >> can you give me examples of issues that have been recently addressed? >> issues related to the enrollment transactions have had some data quality issues, and issuers can receive that data without cleaning up the issues. data quality has improved. the daily communications we have sent to them have improved.

the response times for the website have improved. the error rate of people experiencing some level of difficulty with moving from stage to stage in their online application, that has been reduced -- >> the administration's point person on this whole website announced on friday that you have dropped your error to below 1%, and you have reduced the wait time to less than one second. >> they become transparent to the user. the user can then get at the task at hand of filling out their information, finding out if they are asking for a premium

tax credit that they are calculated timely and are proceeding ahead in the application so they can apply, some, or none, or all of that tax credit to their plan compare so they can look at the offsets that occur and what the final premium should be, to make their selection and go to the process in a very efficient and speedy fashion as compared to what they experience on day one. >> how about the overall stability of the site? it was down frequently in the early weeks. has that improved? >> yes. we have greater maintenance windows, but those windows are used to implement improvements that you have been hearing about.

>> numbers seem to be getting it better and i expect we will see more improvements. the site is getting better, slowly but surely, and that is why the enrollment rate in november is speeding up significantly. i have some figures. massachusetts, when they started a similar program, it started off slowly, only .3% overall for enrollees for private coverage signed up in the first month, and thus far, the affordable care act, 1.5%. both started slowly, ahead of what massachusetts was, but after that there was a surge of enrollment as people got closer to deadlines. the "l.a. times" reported that a number of states that have their own systems are projected to

achieve their projections. california nearly doubled its enrollment this month. other states are outpacing their and remote projections. we see an acceleration, even in the federal workplace. "the new york times" reported the federal market place has improved in the first two weeks of november. we are not where we need to be, but we are seeing improvements, and this increased pace of people going back on the site successfully is to me a very encouraging. so rather than just attacked a health care law and look for ways to undermine it, we ought to try to make it work, and we are anxious to make sure that you do your job of getting the website and all that working, and if we need any legislative change, call on us because we are ready, willing, and able to act in that regard. i yield back my time.

>> the gentleman from texas. >> thank you. in response to one of the questions about a breach of a system, you responded that you could not talk about it in open session, that it would require a classified briefing. is that correct? >> that is how i was instructed by our department. >> very well. i would like to get a commitment that i ask that that meeting with staff occur. can i get your commitment on trying to make that happen? >> yes, sir. >> thank you. the much talked about red team discussion document from "the washington post" this morning, which you have not seen, and i appreciate that, but you were interviewed in response to mr. barton's question. you were interviewed by the mckinsey team. do you remember when? >> april timeframe.

>> during when this was being developed. do you recall what you talked about? >> primarily, why i was intimating to the mckinsey team was a schedule challenge, because during april we had just started qhp submission and working with issuers. >> what is qhp? >> qualified health plans. during that month it was a rapid process to collect all the qualified health plan data that you see on healthcare.gov and the state-based workplaces. i was remarking on how that is unprecedented and only issuers only a short time to make their data, and we need to make adjustments in the windows to make sure they could come back and make corrections. >> that is an example of what i

talked about in terms of the schedule challenges that we were trying to undertake something large-scale, fairly complex, compared to what is happening in the insurance landscape today, and that this was new and we were working on a short timeframe. >> i will stipulate those are legitimate concerns. on page one of this red team document at the bottom of the page, highlighted, the working group determined extending the live stage of a part of the analysis, and work with a boundary condition of october 1 as the launch date. in other words about it did not matter what the conditions on the ground were, come hell or high water. on october 1, we have got to go live. were you given that impression by anyone on your team as you work through this? >> not necessarily characterized

that way, but as i mentioned -- >> my time is limited. who would've made a decision like that? that it does not matter? the old saying, do not check the weather, we are flying anyway. who would make a decision like that? >> i think the decision is ultimately made by marilyn tavenner and a team of folks, i suppose, that she works with. as the administrator, she sets the deadlines for my work. >> some of the people that are referenced in the report, given to the committee by mckinsey, is that people that had discussions in the white house, the old executive office building, people like -- do you know if they were involved in these decisions? >> i cannot speak to that. i did not hear anything about those discussions. >> have you been in meetings with those people? >> yes. >> could you characterize those meetings? >> the ones i remember were dealing with coordination with irs on their fti projections.

>> at any point in the meetings today, but the concerned that we may not be ready trying to integrate all of these moving parts on october 1? >> not in that context, no. >> in any context? >> concerns about whether agencies were working closely together, but not really in the context of october 1. >> one of the other things that keeps coming up repeatedly in this report is that, number one, following requirements. it was not a consistent endpoint. there were multiple definitions of success, and in spite of all the concerns brought up to the report, it must launch at full volume. it almost sounds like a recipe for disaster. does it not? you are changing the definition as it goes along. you have to launch at full volume.

that is a tall order, isn't it? >> it is. >> how does it make you feel to know that this was out there, and other people know about it, people in the white house, in the agencies, and you've been the primary point man and nobody discussed that with you? how does that make you feel? >> i'm not terribly hurt by it or was surprised by it. the information contained within it is something that i live on a day-to-day basis to try to deliver a working system -- >> you're playing into everyone's worst fears about what it is like to be in a bureaucracy. one of the things brought up in this report is that there is not a single implementation leader.

do you feel during your time there has been a single implementation leader that you could look to for advice and direction through this? >> i think i looked to several, because of how -- >> name one. >> the gentleman's time has expired. we will submit those questions for the record. i recognize the gentleman from texas. >> thank you. i have questions about healthcare.gov, but i want to say it is frustrating for those of us on the side of the aisle who supported it, who worked a lot of times on the drafting of different versions of the affordable care act to see what happened on october 1 without the rollout, and that is the way we need to deal with it. we have been through the prescription drug plan with seniors, and that is the way you can get the numbers you really need. hopefully that will happen. the law is still there, and last saturday in my district, at

least in houston, because in texas we are unfortunate, we have so the highest percentages of numbers of uninsured people in the country, and in our congressional district, 42% of my constituents work and do not have insurance through their employer. they would be qualified to go to the aca. we did that by paper. i cannot remember and i was not around when medicare was rolled out, that was the last time we rolled out anything by paper, but let me give you the results. three members of congress, the mayor of houston, the republican county judge, and the secretary of labor. we had 800 families show up on saturday morning and signed in, of course, with multiple attendees per family. nearly 300 people set up followup appointments after a navigator. we had 88 certified navigators there. we do not know how many applications were completed, because the number is still

being tallied by navigators and hhs in our regional office out of dallas. there are people who want to do it. and we have to do it by paper, we will do it. that is the frustration we have. we want us to work because there are millions of people in our country who need this. the majority in house may not understand that, but i know in our district, they do. >> i think cms takes to heart the matter and everybody is about improving this experience because we know in districts like yours there are quite a few number of people that need and want to enroll and use this benefit. we are working hard to make this happen. >> there are a lot of smaller ones in our district, and partnering with media companies to get the message out. i have a question about healthcare.gov, and the goal we share as the implementation of the affordable care act.

people can access the care they need when they need it. part of it requires that federal and state exchanges are secured so their privacy is not compromised. how is the data hub used to enroll applicants that would be different from processes used from other agencies, such as the irs? >> how is the data hub different >> than the other agencies who have up and running ways of -- >> the eligibility agency from medicare. every night ssa's field office load data about accretions into the medicare program, and we receive a file from them every night that was processed to update our systems so that providers can see new medicare beneficiaries coming into the system. lots of data moving between two

organizations and it is stored and it is time intensive. the data services public goes out and for a requester of that data from a valid requester, it leaves the data where the sources, transfers it back to the requester in a secure fashion, does not remember the contents of that data, and about moving millions of records of data all the time, all at once, every day. it only transfers and updated to get the job done. >> for you at hhs when we have gone through two medicare enrolling by internet -- i mean, when we shifted from no one at the social security office to do the paperwork -- you can do it online now? >> yes. >> there were glitches when it

started? >> yes. >> it was built in over the time so you have time to problem- solve. >> right. >> our problem is we do not have the time to problem-solve. >> in the mid 1990's, ssa put up a benefit statement and then they had to bring it down and did not put it up until years later until they perfected it. >> i recognize the gentleman from louisiana. >> i appreciate you having this hearing, and appreciate you coming to testify before the committee. we have had a number of hearings like this over the last few months, trying to find out first how the rollout was going to work and we have gotten testimony from the administration that the rollout was going to be fine. and then what is most

frustrating is when the report came out, this mckinsey report, that chronicles the problems that were happening months ago in march and april, at the same time that administration officials were telling us that everything was going to be fine, and then telling american families that everything was going to be fine when october 1 hit, there are many things about this that troubled me, but first, when i look at this, you say you have not seen this report, and i have read through a number of these items that the committee pointed out in the report, that we were telling them, to somebody at cms, around you, over you, under you, somewhere. these are things that should be basic testing requirements. i used to write software, wrote test plans for software rollouts, and many of these are commonsense things you do. if we made one line of code change, we would test that over and over in multiple ways to let alone major ways. what this report talks about is chaos at cms. nobody is in charge. they talk about the fact that you had multiple people that

were making multiple changes and major design changes to the system just weeks prior to testing, prior to the rollout, without testing it. did you have a test plan? these are think you should have been doing anyway. were you all making big changes all the way through and were you testing any of those changes, or saying, they told us october 1, roll it out no matter what? >> you have asked a lot of questions in there. so let me try to recall how to address them. i think that certainly, yes, if you have this experience in software development, you need to have solid requirements before you can have good test cases in which to actually run tests. it is a dynamically changing environment of which if we had more time and that time would have been devoted to solidifying requirements that are translated from policy -- >> there were three years. this did not just get plopped on

your desk. the law was passed and signed into law in 2010. there was a lot of time to prepare for it. major requirements were changed weeks before, some by political reasons, by the obama administration. somebody in cms, and if it was not you, maybe ms. tavenner, somebody was making these changes and saying let's make changes and do not test because we want to roll this thing no matter what. >> having written software or test cases, from the business side, or the policy side, they are subject to changes based on how your customer -=- >> the law did not change. the law was passed. for three years, nothing was changed. the law was there.

you know what those requirements were. you make changes in your requirements, you automate changes in your plan. >> the law is a high level attrition of requirements they could not develop code or test cases from. there needs to be a translation into lower-level details, and that is what i mean by schedule of challenges, that we have to receive those requirements and translate them into test cases, test data, to exercise the system as well as build the system, too. >> they talk in the report that the contractor received absolutely conflicting direction between the various entities within cms, conflicting directions within cms. that is not a requirement change. that is one person saying to this and another person in the agency do something differently. none of that is being tested in the meantime. that is not evolving requirements. that is chaos. within the obama administration, where they are changing things and multiple people are changed

and nobody is talking to anybody. >> i cannot speak to how they characterized it, but in cms we have medicaid and chip records, insurance exchange requirements, oversight requirements, -- >> and i know you have that. the bottom line is this report lays out the chaos that was going on, but all of this information was known within the white house, but reporters were being briefed within the white house. either obama did not know about that, which people under him did not tell him, or he knew about it and went on misleading people anyway. if the president did not know about, this report says the white house absolutely knew what was going on and did not tell the president, he ought to be firing these people today. if a c.o. went out, rolling out a project, this would be like buying a tv from amazon, and if he knew that it was not like

that, and this report says they knew, he ought to go fire every single one of those people right now and hold them accountable, or maybe that just as he did know about it, and we will see with the president says. this report is damning. >> can you clarify an answer you gave to the gentlemen here? i thought you said with more time you would have done more testing, or something along those lines? >> that is what i mean, is there is a schedule of challenges that you are trying to maximize the time that you have left as you are trying to extract a requirement or the policy that is being finalized. the longer policy takes to be finalized, the longer it takes to translate -- >> you wish you would have more time to test it? >> that is true with any project i have ever worked on. >> thank you, mr. chao. i want to follow up on mr. scalise's line of question, the issue of whether or not you had three years to prepare for this.

what was the deadline for state to decide when they were doing their own exchanges or going to participate in the federal exchange? >> the timeframe was the end of 2012. >> january 1 of this past year. when was the deadline for state to decide whether they were going to enter into a partnership with the federal government? >> i believe it was the end of april of 2013. >> cms did not have three years to prepare, and there is probably no way to know three years ago that only 14 states and the district of columbia were going to set up their own exchanges. was it the anticipation that there would be more states who would do their exchanges? >> we were hoping so. >> it was not until this year that cms understood the magnitude of the volume of work of the website that it was going to have to come at it.

>> correct, not such a clear binary decision. you do or you do not. there are still coordination that has to occur. >> thank you for that. obviously, when we talk about security, we are talking about two separate issues. one is the vulnerability of the system to some kind of outside attack. i do not know why anyone would want to attack the federal exchange, but assuming that is an issue, and the second is the average citizen's concern about information that is there about them. i think that is one thing we're most interested in here. mr. dingell asked you directly about the fact that there really is not very much information on the website that would be considered private in nature. and i guess the question i would ask is, are people who are

working with the exchange now subject or vulnerable to a breach of their privacy than they were under the prior system when the insurance companies had pages and pages and pages of health information, including every doctor they had ever visited, every proscription they had ever taken, every procedure they have ever undergone over a certain time? would you say there was much more vulnerability under that system than there would be in the federal exchange? >> much more so because so much of the personal information, including health information, was involved in that process. >> during the course of the question, with a job of evoking the issue of whether the there was a security problem here, there is no evidence that there has been. that is -- there's no evidence here that would make us doubt that. that should encourage americans

to participate more actively. and since one other thing has come up, and it involves the question of 80%, and something i want to clarify because the press reports have been that the administration has set as a metric that 80% will be able to get on the site and smoothly sign up, enroll for health care at the end of the month. that's not to mean that the remaining 20% will not be able to access affordable them a quality health insurance, is it? >> no. i cannot speak to the exact percentages, but i think there is a recognition that some people, whether it be a healthcare.gov or any system -- if you walked into an ssa field office, how many people can get their business done in one visit as compared to the greater majority of people? i think some people need extra

help. they need assistance to navigate the process. and i think that is probably what they were referring to. >> thank you for that, and i want to do some shameless self- promotion for my state. as of last friday, kentucky is operating its own exchange, 48,000 kentuckians are enrolled in new health insurance, 41% of them are under the age of 35, over 452,000 visitors have gone to the website, 380,000 people have conducted preliminary screenings to find out if they are eligible for coverage, and most importantly, over almost 1000 businesses have begun the process of signing up for new coverage for their employees, and over 300 had actually been enrolled in a bit now to offer coverage. kentucky is doing well, and i hope the federal exchange will do just as well. i yield back. >> the gentleman yields back. >> thank you.

you replied earlier on a follow- up question that the chairman had, i believe you said you would have liked to have had more time for the testing. did you request for time from anyone? >> no. >> and can you tell why you did not request more time? >> because i was given a target of october 1, and various other delivery dates, which i had to stay on schedule for. >> did you believe it was ready for october 1? >> i believe we did everything we could to make sure that the right priorities were set so that we could deliver a system on october 1. >> do you believe the system was delivered on october 1? >> it was. it was not performing as well as we liked and had more glitches than we anticipated, but we did deliver system on october 1. >> do you think glitches is the

proper word to use to describe the rollout? >> i think there are problems, defects, and glitches is just a word that is commonly used right now. >> does not seem to convey how serious the failure of the rollout has been, and so here we are, and one of the concerns that we have is what do you do about making sure that personally identifiable information for those who sign up is protected. on the report that you have, there on page 11, if i could get you to take a look at that real quick come on the mckinsey report -- if i could get you to look at that real quick. at the bottom of page 11, it says options. name the single implementation leader and implement.

as i have one leader named? think our administrator has accepted accountability. she just -- does run the agency. >> i did not see that until this very minute. >> i spent some time here. went to the healthcare.gov site. it took a little while to try to figure out how on the search to get to the information on how you are checked yourself from the fraud and insurance marketplace and it takes a couple of steps to get to this information. people probably more sophisticated than i am we need to be tracking this.

report suspected fraud. it says you can report it in one of two ways analysts a breakdown of one way -- and lists a breakdown of one way to use the online complaint assistant. i try to a moment ago. it was not very successful. it's if you could call your local police department and can visit a site for federal trade commission to learn more about identity theft. called thechoice is health insurance marketplace call center and gives that number. if you were the victim for personally identifiable information being fraudulently released, who would you call first? centerlisted call number, the marketplace call center. it says explain what happened and your information will be handled appropriately. how do you define handled

appropriately? >> there needs to be some analysis and collection of information to make sure this occurred and make the decision going forward. >> this is a critical matter. what is the timeframe? how quickly can somebody's life be put back together if this were to happen? >> it is situationally dependent. answeringomfortable right off. >> you said steps are being taken to prevent unauthorized access to the site. what about those who may have authorized access, what protections are safeguards? situations where there has been no background check unless it was required

from the state. how is that being handled with use of navigators? when we issue a grant to an organization or re-sign a computer matching agreement with the state, there are rules of from certain requirements that are associated with signing with that agreement or receiving that grant. >> do you have a central this?ing of >> i will have to check on that. >> thank you. thank you so very much. you were just presented with a series of hypotheticals. have any of them happened? >> not to our knowledge. >> i appreciate that. if someone was a maliciously using information in a way they were not allowed to use it, would that be a crime?

>> can you repeat that? >> if someone hacked into the website and was using information in a way they were not allowed to use it, wouldn't that be considered a crime? >> yes. i believe we could prosecute those individuals. >> i would hope they could encourage them to fully prosecute anyone that is hacking this website. not too long ago that there was a hearing that this committee had. republican colleagues were citizens to go to visit this. they were to sign up for a lifeline or to get information from the website to the accuracy of what the program was about. in our later the website was taken down. they asked them to look into the matter. they said it appears this data

that it was now down. we need to be careful with how we are purporting information out. we need to be careful about this. there is not a member on this committee that does not believe that we should get the website working. said, i guessg two things. on april 24thport entitled cyber security, threats impacting the nation. i would invite everybody to take a look at this. it was to the homeland security department about the threats our security is facing. the white house, members of congress. make sure that we're keeping information secure. with that being said, this has been talked about a bit.

there was an article about a document that was linked to this. it identified potential risks with healthcare.gov. it shadows of many problems we now face today. did you see the report at the time it was published in march and april 2 thousand 13? >> i did not. >> is it fair to say you are not the best person on how this was done? >> yes. a number ofstrates problems with how this has been handled, in particular the perception that is created when you withhold documents from democrats. this makes it appear that you're more interested in running a partisan investigation than the facts. i hope that is not the case. we need to work together to get

to the bottom of this. that being said, what effort are the undertaking to address ongoing threats? >> we listed it as part of our mitigation strategy. this is something we always do. we do it more frequently because we understand the sensitive and thef the website trust and confidence we have for people to come and use the site. >> how is the department coordinating with other agencies that maintain a website that also gather personal information? we work with all of our key partners that are connected to the hub to make sure we function under what we call a harmonized framework along with the states have a process in place to handle

certain situations where there are incidents that need to be managed. we have a set of operational procedures in place and coordinating across all the agencies. >> does that include the intelligence community? >> yes. >> very good. hope it is clear and to the president that we are not happy with the rollout right now. we need to get this working. get this and protect the information. it is a big step forward. with that i yield back. thank you for your time

before. last week the president met with several representatives of the insurance agency to discuss solutions that may be possible in light of the healthcare.gov debacle. have you had any conversations to make this help the insurance industry? >> part of the strategy of they are key to this equation of getting a role and to fix with issuers certain aspects to make it work better. to addad the ability this to an agency department? we designed this into

healthcare.gov or part of that system of market share. >> that has been turned on or not turned on? >> it was not turned on initially. been optimize it and working with issuers to get this. >> have you had any discussion about getting them access to eligibility for subsidies? in terms of the result. there is a series of security handoffs. >> that is a yes? i thank you for that. the question on the website, will that happen in the future? >> it is more of a secure handoff in which they have collected enough information about the applicant and this

person has given authorization consent to work with them as a third-party. is not accessed direct to eligibility data. it is a more involved process that protects the person's information. >> they will be getting the subsidy access. not get a calculated. that is a marketplace. only as a result of the marketplace handling that database. >> when the committee has indicated that some parts were not completed before the launch, what portion remains to be created when you launch on october 1? >> i do not have an exact percentage. i think some previous conversations when people asked

about if things were complete, i looked at in terms of overall market systems. >> you never talked about what is complete or not complete? >> there are priority functions and need to be in place. you need to authenticate it. >> how much do we have to build today? 50%? >> i think it is an approximation. we are probably sitting between 60 and 70%. needs to be built still. >> we still have to build the payment system. >> 60% needs to be built? federally facilitated marketplace. >> the entire system is here. determination, getting enrolled, generating a rolling transaction, that is

100%. the entire system is 60% or 70% away from being complete. to be done.l need >> of the system still being built, how are they going to be tested? you mean the remaining 30% or 40%? it will not affect the front part. >> that is pretty difficult. >> it is pretty difficult to review it while it is in operation? >> it does not involve the front part. >> we are trying to derive a onment to do data matches the back. >> how long will you have you to -- will you have to test them? >> it depends on their build schedule. to launchppropriate

any new obligations or features without testing them heavily before they go live? we are testing. thank you for your time. >> thank you for the hearing. there is a mutual desire to get this thing to work. there are two models we can use to deal with the roll out. one is to fix it. the other is to use it to relitigate about whether this is the law of the land. my hope is that we are past that. there is an absolute urgency to make things work. i know that is your job. i just want to put that in context. thisd a big battle in congress.

it was a largely partisan vote. they were for it. most of the democrats were against it. it passed in a very close, tense vote. my understanding is that there were lots of significant difficulties with that program. there were concerns about making it work. i want to ask you about that history so we have a context. there is a real unity about needing to get this fixed. are these actions about derailing the overall program? america will have to judge.

were there concerns that needed to be addressed then? the most prominent example i can recall was the concern medicaid area. we had sent this out to the around november. in december, there were some that pharmacists and pharmacies are on the frontline of helping these beneficiaries some access to

information to help them navigate this new change. as an example, we scrambled. a at the point-of-sale, they cannot be used to things such as three days fills just to figure out what plan they might be in. mask scramble. working around the clock. in workingy people with the prescription drug industry as a whole.

it is not perfected. it is not so much a technical issue. when you introduce a new it is in ancess, administrative aspect. it takes a while for people to understand how that works as compared to learning the data system. is more than just a technical issue. >> i think it comes with being focused and driven to get at the root of the problem and to fix the systems. on the technical issue, it is very solvable. we have shown that it has made improvements. >> thank you very much. speaking of medicare part d,

toone is required i law describe to that, is that correct? >> we did auto enroll it. it is a different animal than what we're dealing with now. they're going to have to sign up through the exchanges. i do appreciate that. this is a symptom of the problems that the website has had. these reports have come to light in the last 24 hours. when he get a chance to read they were looking at all

the different parts. it look like they are each building their own part. they have to squeeze it all together. in the last few weeks they will have to change it. you want toe, define your policy requirements. the designnishing and starting the build. with new agree with that? >> it is the logical thing to do. we have heard testimony that they were changing policy. he delayed this further. we know that there were changes being made as close to the launch a few weeks before.

>> of the luxury of hindsight, i can see there are contributors to the way the system performed when it was unveiled. i need to focus on fixing this thing. >> i know that your focus is to fix it now. it, whentake a look at you are still defying your policies, it is difficult to design and then build and then test the system and have it work. i would say that no one person was ever appointed to head this up what you were in charge with

part of it and making part of that work. it looks like there are at least six different representatives from agencies that have a hand in overseeing what was going on. isn't that correct? >> i think it was a governance committee. >> i would say for the technical pieces i was responsible for making sure that the technical pieces were organized. month they covered a memorandum saying they want these without an assessment. attestinistrator had to that she was aware that the launch carried security risks. can you tell us what they are specifically?

the incomplete testing was through three rounds of testing. this had no high findings and had gone through the appropriate security test. what she said it was not accurate? that it did not have a full security control assessment? >> i think there is a part of that sentence that needs clarification. i think the assessment was not tested for a full entire system of which we were still building the aspects of this. i think it is an acknowledgment that 100% of the system was not complete at that time.

the people want to know what is security going to be if it is not complete on january 21. authority functions that were not tested. >> what do we expect from january 1? with theayers are family of state senator cray. >> if i might take a moment to have a personal privilege. i appreciate your prayers. parties.n office at you form friendships. he served with me in that house before he went on to the senate and went on to run for other offices. he is still the sitting senator. it has shaken everybody in virginia. he is a good man. our prayers are with them. encourage everybody to say a prayer. i would like to continue on

that recent questioning of the document. this document was signed on september 27. there is a facilitator marketplace in and minted the mitigation plan. areyou tell us if they commonly used in federal data systems? >> yes. it is in essence the last authorize anoff to federal system to go into operations. >> can you tell us why they signed this rather than perhaps other officials that my import

to the administrator? >> i think the span of the stakeholders, we have not had a had thisat unprecedented involvement of so many components. recommendation was to make a recommendation for the administrator to actually sign off on this. she runs the entire engine. she signed itat is an issue. it is an indication that i think officials were briefed on and taking responsibility for site security. >> yes. this describes security testing for the healthcare.gov website. sense its was ongoing inception in 2 september 2013. it says the routes through three

rounds of security control the controlsll of have been tested on different versions of the system. is that correct? say that in one complete version of the system it was not performed. it is exposing the levels of uncertainty that can be deemed as a high risk. actually, i have recommended it as part of that decision memo. it is semantics. not 100% of the system is built. he cannot consciously say you have it all available in one place. they are involving healthcare.gov for security.

the document then indicated it. they did put in place a number of mitigation measures. wouldoncluded that they mitigate the security risks. thent to ask you about september 27 atl and how the being dealtfied are with. we run antivirus scans every three minutes. effort forcontinuous protection analysis. these are continuous. we conduct penetration of this.

we conduct additional penetration testing. authenticated by another group of security professionals. assurance testing is occurring by weekly. on a monthly basis would produce a plan of action and milestones that keeps track of any discovered weaknesses. >> they are taking action that was recommended at the ato? they wille confidence protect the security of americans personal information?

there was the ongoing security testing. perhaps the message is that they do not want the website to work and they want to scare people from going out on the website. >> we are very sensitive. we appreciate the nervousness around this new program with people's information. >> we appreciate the security of the website. in for responding to the actions. thank you. i yield back. >> the time has expired. >> thank you. i spent 30 years as the chief information officer a publicly

traded companies as well as the o staff. of the ci i know the pressures that delivering on a system of this complexity, i know the pressures that are there. aassume that you and i have common goal. today. sure theo make i american people hear the truth. is that accurate? >> yes. >> would it be ok if you and i have an understanding? if i ask you a question that you do not understand, would you ask me for clarification so that we can get to the bottom of it? we want to dig down here into do some things that are pertinent. great. are required to establish a security baselines and incorporate them into

networks and see that they are incorporated correctly. known as aically security control assessment. reviewed orssments not completed or otherwise ignored. are you familiar with the

findings of this assessment? yes. >> he testified earlier that it was your opinion based on what you knew at the time that the therity control assessment, security have been adequately addressed when the administrator operatinge document the authorization of the website. is that correct? >> yes. >> you just testified that you're not aware in did not review security control assessment. how can you make that assessment but it has been adequately addressed when you cannot read

the control assessment yourself? i am thinking there might be ine much match -- mismatch versions paired euros october 11 for the health insurance exchange august through september 2013. the onealking about here. >> kenny asked the witness to speak up a little bit? i'm having difficulty hearing. >> i am sorry. >> i have to move on. i do not have time to look through the binder. who develops the scope of an assessment before the contractor performs it? >> we have contractors that designed this. need this to be complete in order to test it for purposes of a security control assessment? it depends.

we do not like testing the security. >> we do not. >> in terms of using live data. we tend to conduct security. put up a slide. are you familiar of the term sequel injection? process that hackers use to gain access to databases three sequel. screenshot that you see. theou put a semicolon in search box, you get all of those different breakdowns. can you give me any idea how vigorous the testing was around the sequel injection?

are you aware hackers have the ability to go through and manipulate it? cannot speak exactly to that. panelf the folks know the may be specifically addressed. >> i still have very serious concerns about security aspects of the system. i want to also focus on this particular system that the contractor made here. we have just heard this morning that theyrisks identified when it performed security control assessments for different components. at first glance vacancy alarming. my understanding is that all of

these issues were mitigated for the functions on the website that launched on october 1. it is important to understand the general point of security testing to identify any potential issues so they can be addressed before they become real problems. asking them to perform these assessments gave some of the. is before anyone's personal , is a sound like an accurate description? the problems are identified in the mitigated. >> that is correct. >> i want to walk through some of these key security assessments to determine whether as in fact been addressed. hadc uary and february

this on healthcare.gov. where thes -- were thes mitigatede before the first start? >> they were. >> the fact is that they were notedin that that fact is in the report. performed a security control assessment of -- data services if you are data services. for these findings result? were they mitigated before the october 1 launch? >> yes.

>> the fact is that was noted in the report. i also want to discuss the security control assessment that was performed over august and september 2013 for the health insurance exchange. mr. chow, we are all high risks -- were all high risks mitigated before october 1? >> thank you. what this confirms is that the system worked. neither identified high security risks in cms made sure that they were mitigated before they would become major problems. it did not show the flood system. conductedthat cms this to identify problems and then fix the problems. that my republican colleagues will keep these findings in mind when they talk about the security of

healthcare.gov. we do not want to alarm the public about security risks that have already been addressed by cms and contractors. it seems that identifying risks that were named, it is important to also note that they were all fixed before the launch on october 1. i thank you very much for your testimony. i yield back. >> the gentlelady yields back. we recognize the gentlelady from north carolina for five minutes. >> thank you for being with us today. question about the subsidies and some questions about some miscalculations that thed be happening on exchange. press reports that indicated that some subsidies are being miscalculated. cannot afford it.

mr. chairman, i would ask unanimous consent to submit an article from cnn to the committee for the record. is that -- ok. is a single mom who has a teenage son with adhd who went on the washington state exchange and have gotten an insurance quote for what she would pay at a gold price and received notification that it was actually higher for a silver .lan a cheaper plan for bronze. she ended up paying a lot more. i guess my question for you is this happening on the site or the federal marketplace?

>> i think there are a lot of premium taxhow b credit is calculated. a person can come back and make some modifications to their income levels, to their household composition. washington is a state-based marketplace. think that healthcare.gov allows people the flexibility to try several ways to determine whether tax credit is. >> there again, i'm going off the article. it does not seem to me that she has gone back to making any changes. it sounded to me like you know there are miscalculations that she was notified of. my question is, is this happening in the federal exchange? >> i would need some specifics. if anyone ever does have issues with believing that the

subsidies were incorrectly calculated, they could certainly call our call center to try to find out if it was correct or not. >> yeah. i'm just asking how somebody would address that or how it i -- happen if tell you exactly there were 10 cases today. >> we can move on. i appreciate that. the contractor responsible for , can you explain your role within in the last week -- the last weeks of september? were you in contact with them? were you working with them one- on-one? were you in their office? yes.

from theown to herndon last week of october. i work there almost every day. >> you were in the office is working out of their offices. but yes. the top part is involved. there are two fellows, one by the name of mikey dickerson and another by greg gershman. being compensated? >> i have no insight into that. >> do they have a contract sha?l >> i do not know.

>> who do they report to? >> i am not sure who they have a contract with. >> you are in charge with the component with healthcare.gov. they do not report to you? >> note. they're part of a tech surge team led by jeff. >> just as the person they are reporting to. >> right. >> thank you very much. my time has expired. for> now goes to mr. olson five minutes. welcome. have onen imagine, simple question. why did it rollout on andber 1 when most people every contractor writing the code said stop, stop, stop?

give it more time. this document is frightening. look at page four of the page. testing". "limited is vertical, not parallel. launch at a volume. you are worried that crashed the plane take off. it neverdue respect, got to the runway. it was still waiting. -- it was a at the ramp there. the bigs. the fuel. waiting for new tires. analogy,r the hangargov was

queen never ready to fly. i am most concerned about protection that personal health for testing that has concerns about the lack of security control. question refers you to the document briefing. please turn to have number two. that you need it to you -- you needed a two-part mitigation plan. sevenwo is basically has one of these steps is to "conduct the full states on a stable environment for all controls can be tested within 60 or 90 days of going live on october 1." fmm will not be

completed. how can you expect the full of open enrollment? you are losing 30 days rent out the back. the conclusion of the vinyl piece that needs to be built. areally 30% of the systems left to be developed. not 70% appeared that represents the payment aspects. they can make payments for all marketplaces, not just fairly facilitated marketplaces. it has to be in place for january first enrollments. we have that complete we can do across the system. >> we're going back to at least november 1.

i do not see how it can have that in the days of testing before we are going live again. are for the role on october 1? how many are still out there? important aspect is that there were no hard findings in the aspect. as i mentioned earlier, i read off a list of mitigation activities that we go over and any system. we deploy him for these and monitor these on a daily basis. >> when do you feel a full one will be conducted? ever? arehenever the last pieces completely filled. i do not want people to think that there has not been a full sca. it was built off pieces we need

for october 1. to build have financial management aspects. it includes our accounting system, our reconciliation system. it will also have an in dash computer system involvement as well. >> when do you expect that to concern -- to occur? what day? >> i do not have an exact day. it should be sometime in december. 2014, 2015? >> correct. refer back to your e-mail from july 16 about needing to feel more confident about the healthcare.gov. i am assuming that some time in the last month you got that confidence. what was the trigger mechanism? something change. anything about having more confidence.

i am always cautious. that is what i was trying to say earlier. and until this is fixed in the vast majority of people want to enroll and get enrolled, particularly for january 1, i am going to continue to focus on that along with the rest of the team. is not really about a confidence level. it is about fixing the problem. >> i yield back the balance of my time. at thank you -- i thank you. we're going to give you five more total minutes to get a couple of clarifying questions. if anyone needs sometime we will do that real quick. >> thank you. i want to thank you for coming and spending the morning with us. i am going to try to be quick. i would like you to give back wherever you are going. the first thing i want to clear

up, even though i thought we established it, my friends on the other side continued to ask document this mckinsey at cap one. a wanted to clarify. redwere not part of this team evaluation, is that right? >> that is right. >> you do not see this document until today, is that correct? >> cracked -- correct. >> there were hypothetical questions as to that you really do not know the answer to because you are not involved in the process. >> as i understand it, this evaluation was done in march and april 2 thousand 13. is that your understanding as well? >> it is approximately. do you have any knowledge of

what that evaluation was supposed to be for? was it a snapshot or do you even know? >> from the interviews that i had with mckenzie, it was about really two things. i spent some time helping mckinsey understand the program, how it works, where we were in terms of status and schedule. includes a point in time assessment. i educated them for what was happening. >> on page four of this assessment, i do not want you to respond because you were not involved in the document, but i do want to point out there were a lot of questions that were the currentabout situation involving requirements, multiple definitions, etc..

asking thoseu are questions today did not talk about the last thing which is in bold letters in a box that says cms has been working to mitigate challenges resulting from program characteristics. this was in march or april. without talking about this document, i think what your job to identify issues throughout and to try to mitigate them. is that rewrite -- is that right? >> it is a constant mitigation set of activities. is goingministration to try to have the federal change by working for 80% of the people by the end of november. is that right? that is what we have been reading in the press. >> that is what the press quoted. you could say it is the vast majority. a do you believe that is reasonable goal? >> i think that is an attainable goal given what i have seen so

far. >> to happen? not think there are any guarantees. i think we are still in a state where we are trying to apply as due due jurrjens -- as much diligence to make sure that security monitoring is on ongoing basis. i think there are still a lot of moving parts where it would not be prudent to give 100% guarantee of where we have this. we're on the right track. >> what i will say to you is truly, and you have heard this from all of us, all of us were disappointed that i did not work on october 1. i am sure you were, too. we need this to be essentially working asap. people want insurance coverage as a generally first have to

sign up by december 15. if it is not working for the vast majority of people, that will be hard to do. understood? >> certainly understand. , i madene had asked you the assertion that 60% of the site was not working. i am told that is not accurate. that is really about 30%. most of tha is the backend, the payment. that is not have to be working at the moment. >> it is still being developed and tested, the backend. >> that is the payment to the insurance companies. >> yes. >> thank you. let me follow up here. on october 1, the day it went live, how much of the site was developed? probably, 100% of all

fourities that we set for october 1 was up and running. it. >> ok. what about the other parts? there was a reprioritization associated with shop employees and employers and the spanish website. >> it was crashing for everybody. it did not pass the stress test. you're saying it was 100% ready? >> no. it was 100% built. >> just not working. >> working functionally. >> that is built. if a car is built but you cannot trump card in the car is not built. if the website is not working it is not built. >> i'm not going to sit here and try to tell you that it was working. it wasaid on october 1 100%. i really need to know. you said you wished you would've had more time.

you said your job was to identify issues and mitigate them. since she would have liked to have more time and your job was to mitigate them, would you have liked to have seen this whole report from mckinsey that identify the problem so you did not have to find them out? i think this report was andly for maryland hapner others. it was written for that level of ofsumption and that level audience. i am assuming. >> i want you to stick with the know. you >> they all had briefings on

this. are those any people you work with? >> i have been meetings with several of those folks. >> since march and april? >> yes. >> none of them raise any concerns to you? job is to mitigate them. none of them identified that with all of these interviews that there were these problems? take over my cell . day-to-day operational requirements to manage the contract, manage staff. , >> what you don't measure, you can't manage. so i'm concerned thatted this of people who you work with were not communicating to you document that you knew something existed because you were interviewed on it yourself. but here we have this messy rollout that didn't work, that crashed, that only six people the first day.