recommendations, it is hard to build political, and public support. i want to just follow up on something you said. this is not only true in this region, between st. louis city and the county, it is true across the country. what they are doing is important because we have to put it all together from coast-to-coast. just focusing here, i think there are a number of strategies that could be deployed, that would be self-help strategies community-based strategies neighborhoods, individual families, churches businesses, and the next step should be to look at what the contribution, everybody in the private sector, and the public sector, can make. and then put out what those contributions can be, and in lists people to start making them. for example, on early childhood.

i am a big believer in programs -- they can start of his voluntary, or supported by various community organizations -- literally visiting the new mom, the new parents of every newborn. and beginning to build a relationship, and offering support. so many of these young parents don't have the families nearby. they don't always know everything they are supposed to know to take care of their babies. they don't have follow-up they are supposed to come back to well child visits and shots, but they need somebody who can be in that home a few hours a week to show them what to do. i think we could enlist a huge number of maybe retired moms, and grandmothers, or retired nurses. people still working, but could give time during the week.

we have to start at the beginning. we need to help parents understand they are there child's first teacher. they are the most important adults in that child's development. it is not only what we need to do to expand medicaid, which is so important so that people get the health care they deserve to have. other states have made that choice, i hope it will remain here. it saves states money. it helps support community, and world hospitals -- rural hospitals. we need to assign responsibility to every sector of society then work together to get those delivered. i thank you for the overview your report gives. >> thank you very much. [applause] >> we also have dr. tiffany anderson.

she is the superintendent of the school district. you can give for a hand. just a little over three years ago, we would not have thought we would still have a jennings a school district. just come in and am very innovative work, taking the school from on accreditation to exceeding accreditation standards. [applause] she has done some wonderful innovative work will stop we've asked her to share some of that today. dr. anderson: it is wonderful to be in a place of worship, let me start out by sharing a few things that we do. i must first say, i thank god for being here, and being next to all of these wonderful people today. just being a listening here about what we really deal with. so often, we are invisible in

what we say, and what we have to offer. this moment truly tells us you are not invisible in her presence. clearly. clearly. you all know i am a preacher's daughter. i will be short, because there are a lot of people on the panel. you normally see me on crossing guard duty. to do this work, and make the changes you have to make, you have to be willing to be in schools, and remember they are now the center of the community. we wanted to be church, but not every parent since their child the church. they have to send their child to school. when you remember that then you realize you have to do all of these pieces. i will give some practical examples. if every teacher loves their children -- if any of my students, if i gave them permission to leave, we do year-round school, one of the

only places we do that. [applause] dr. anderson: any of my students are in the audience, stand really quickly so i can see you. they probably did not make it in because i told they cannot leave until 2:30. [laughter] dr. anderson: with that in mind, i want to know 100% free lunch with 90% african-american students. three years ago, we were at -- you have to be a 70% to be accredited, below 50% is unaccredited. we are now at 78% as of last year. [applause] dr. anderson: so, i thank you. ellen's show you some things about how we got here. the first thing have to know, europe to serve the whole child. let me tell you something said jennings does. it is important to know this because we have got to be the

highest minority, and highs poverty in the area. we have one of the smallest budget in all of the districts. we have the lowest expenditure as well. resources or low standards should be high resources. my resources, what i hope, that it is rentable -- recoverable. you really should have a mental health screening when you come to the door. [applause] dr. anderson: everyone of our schools has a mental health therapist. it is part of what we do. we do it for our students, and ever families. we're building the first hospital clinic. you can take those classrooms, and turn it into a hospital. we are helping to pay for the construction. it opened in january.

we're the pediatrician on staff. not only will they serve jennings students, but they will serve anybody in jennings. it doesn't matter if you come to jennings, your child is my child. we are all connected in this ring. preschool funding is pretty much nonexistent. most of the districts around do not have preschools. we have preschool, it cost 60,000-80,000 dollars. the money that i save, i able to hire a preschool in every school. you must do that. you must do that. my hope is that it will start being funded. the progress that we made, we are being innovative, but on a shoestring budget. you should not have to have

almost no central office, and large class sizes that's not be the norm. that is the other piece. i will give you two other quick examples. i still believe relationships are projected district. in all of our schools, parents can wash one load of laundry for free for one hour of volunteerism. come to any pdo -- pto and you will see a packed pto because we're the only school-based food pantry. we're the only one. it was when it just opened up in east st. louis. we give out about 8000 pounds of food a month. 30% of our staff are employees. i know we have a lot of folks here. we hired parents, and alumni.

economic recycling. in less you are fed, and healthy, and have all those of the pieces, you will not achieve. i will give you a few examples, but all of you are invited to come to jennings at anytime and volunteer. you heard what she said. it goes fraud all of us. the last thing, in jennings we track ever children from birth all the way to cradle. i don't care if your private charter, we visited every school you can imagine. we came back, and we had -- they don't funded the way the need to. our funding was cut to one parent or teacher. i am going to my trading in a couple of weeks. we have another staff member that serves that. and you're pregnant, you have

your parent teacher training. you come and one of our preschools. in jennings, we teach to bang grade levels above -- two levels above. we have 100% placement. every one of my 138 babies they graduated, there placed in post secondary, and i have a council that follows them all the way through college. that is what it takes to make a difference. [applause] >> secretary clinton, may i suggest dr. tiffany anderson for vice president. [laughter] [cheers] hillary clinton: what i was

going to say, i think we have three oprahs up here. i'm so glad to talk about the whole child, and working with the whole family, and providing opportunities for parents to be involved so that they are partners with teachers, and i think what you just said, and the results you're getting should be a wake-up call. about what is needed, and i would hope that you would get more financial support for your pre-k, more financial support to do the work that is making a difference in these children's lives. you have earned it. you've shown what it means to really take care of our kids. [applause] hillary clinton: i want you to know -- >> i want you to know i thought you'd be perfect for this because of the work she has

done. we have many teachers and st. louis who are just as committed and dedicated. that story doesn't really gets told. one of the things that really strikes me about dr. anderson as when i called her about this panel, she was on the road. you don't remember? she doesn't live here. she lives in kansas, right? she drives to take care of these babies. when i call at 6:00 in the morning, she said i've been on the roads and 2:00. that is the kind indication that we have here. -- dedication that we have here. [applause] >> you are going next, chris sorry.

i'm just glad a not you. i'm just introducing you. this -- he's with beyond housing. he is beyond housing. they don't just create affordable housing, they do a comprehensive community development. if there is single thread that you are hearing run through each of these persons, it is that we cannot silo people. we cannot only address one issue. we have to look at holistically what is impacting our communities, and our individuals, and our families. we wanted to share about his initiative that looks at the whole family. chris: it is an honor to be here. a note to myself -- never follow dr. anderson ever again.

i thank you for hearing our collective stories about our work here. you said earlier we have a lot of solutions. how do we take them to scale? we are a place based developed organization. it is in normandy. we are -- we believe in the notion that home matters. home was a place for you come home to every night, it is also delight in and around where you live. if we will take care of our families and take care of our children, we have to recognize what happened. we think you should focus on how things helped. do all of those together, and say how do they connect. you heard dr. anderson talk about a lot of point of connectivity. but how you support the family. we support the notion. what we have done with 24 small

little cities, yes, we work with all of them, try to help them get better. we said is, we're driven by your voice. we believe in a revolving circle. the community has all the answers, all we have to do is listen. for the last five years, we have done a variety of things. we invested over $50 million in our community. we build new homes to add to our rental portfolio. we bought an rehabbed housing. can we change the bill environment -- the build environment? my neighborhood is getting a little bit better. yes, the housing is important, but if that is all we do, we will still fail.

less like at economic development. the community told us we haven't had a grocery store for over 50 years. who would love a new grocery store. four years ago, we were able to build a 60,000 square foot lot -- 16,000 square foot lot. the average increase of sales over the four-year. is averaging 9% per year. what is important, the average increase of other places is less than 2%. our folks know, good, healthy affordable food is good. folsk -- folks have to eat, right now we have a movie theater under construction. you can staffing will week later, that is good. i invite you to the grand opening in october as well. a lot of times we struggle with the basics.

that is not what a thriving community looks like. you have to have other things, like entertainment. we have a two story community services building. we believe i retail opportunities. how do we build a sense of community? how do we make sure we are driving resources? we are partnering with the normandy school district. that is struggled mightily for a whole host of reasons. we worked with united for children, they worked with our license pre-k, our role is to given the resources to say to those mom-and-pop providers how can we help you provide better services for our little ones? how to make sure they're ready for the first day of kindergarten? invest in our little ones. do that, and they will be

successful. when they get to kindergarten, every kindergartner has received a college savings gap of $500. we have over 800 kids with college savings account already. after this next school year, we will have over 1000 children. we will tell them that you can go to college. it is just a matter of where you will go to school. we also have a program called viking advantage. child and their families save a dollar, we match it with three, to pay for college. some of the may graduate. what we found out is, we're at about 80% persistence rate of kids staying in college. the hard part is finishing.

85% of our kids are finishing and graduating. how do we drive resources in a very intentional way to say that you can be great, you can live your dreams, and our job at adults is to support you along the way? we have 300 per dissuading and walking cup -- clubs, cooking clubs, and others. if you don't feel good, the rest of life is complicated. how do we get people to be healthier? how do we get them to say i want a better life, and how can we invest in it? we like to get stuff done. we like to build things. we also want to provide programs, and support programs. we run st. louis is only freedom school will stop it is an absolutely fantastic program. at the end of the day, we

believe one of the hardest things for folks understand is this notion that community building happens at the speed of trust. how can you be in community over, and over again and be with folks during the good times and not so good times? ribbon breaking's are great, but the real work cap and stay in and day out. the real work happens with this idea of kindness. no matter what it will take, we are not going away. we will stay with you. we will make sure your child's life is successful. [applause] hillary clinton: i am certainly picking up a theme from our panelists. that is -- we need comprehensive approaches to these issues. if we continue to silo evil, to

just work in certain channels. we will not be as successful as we could be. as you heard from the diagnosis, and the recommendations from the study to what is being done in one school district that faces a lot of challenges. community building is really at the heart of what you are doing. i think sometimes when people hear our three panelists, they get excited, but then they say -- who is going to do that? that is complicated. how do you break down the bureaucratic barriers, and get more people involved to produce these outcomes? that is a challenge. it is clearly a surmountable challenge.

if more developers cared about building communities, rather than buildings we would have more people doing exactly what you are doing. what we need to do is all be apostles -- missionaries for this viewpoint. it try to get more people to think like what you are hearing. then try to take it to scale. if it works in jennings, if it works in normandy, let's make sure it keeps working. let's move from there to provide more support for more people to do exactly what you have heard. this is very exciting. before i came here, i did not know about any of this. i think it is important, whether running for president, or just being a person, that you listen. try to learn from the frontlines. doing the hard work, making a

difference, i have to thank you for giving me a lot of great ideas about what others can do as well. [applause] >> along that line, i want to acknowledge our treasurer, with the stand please? [applause] in the city of st. louis, just develop the same kind of college savings plan that chris talked about. every child entering kindergarten in the city of st. louis will receive a college account of $50 given by the city. it is a new program that she is in charge of. i will quote her from a place we were together yesterday. she said if st. louis can find the millions of dollars necessary to build a new football stadium -- [applause] [cheers]

>> 418 that doesn't want to be here -- for a team that doesn't even want to be here, we can certainly find money for our children. i want to salute her. [applause] >> they gave me some leeway with these first three rows, so i padded them. >> one of the recommendations is universal child development. we know from experimental work in the state of oklahoma that the children who have these have better outcomes than children that don't. they have higher expectations for the children. we have been working with treasurer jones, and a very proud of what just been doing.

i think we can do that as a region. we will work towards that. [applause] hillary clinton: i think it is important to look at what city under the leadership of the treasurer is doing, and what some states are doing. i have to tell you, traveling around the country talking about universal pre-k, i get to a point where i say -- probably to state that is leading the country in providing universal pre-gay is oklahoma -- three -- pre-k is oklahoma. therefore, it seems to me that it is a good idea. a good idea to talk to political leaders.

my goodness, if oklahoma can do it, certainly missouri can do it. [applause] it will >> it was important on this panel that we don't gloss over the fact that we have serious challenges here. those challenges are rooted in the foundational fact that this nation -- racism. it showed its way on august 9 when michael brown died. our next panelist is the ceo of teach for america here in st. louis. he is also a progressive fighter for justice. because of her position, she was chosen to be part of the president's task force on policing. though she does become of many things, i will ask her to speak to this divide, and the need for

police, and community reform. [applause] >> i greatly appreciate the opportunity, and the invitation. i will willingly say that this seat that i occupy to be occupied by many in this movement. young people in particular. i want to acknowledge that because i come to you with lessons i have learned of the streets, and through ferguson, and through the classroom. also some ideas. the first lesson was a clarification about what leadership is. i was able to codify this definition paying very close attention to what young people dead in ferguson. i figured out the leadership is proximal it maintains closeness of the issue without fear of retribution. it is consistently truthful,

about mistakes, truthful about the facts. that leadership keeps showing up regardless of how dangerous it is. lastly, the real leadership is unapologetic. when me know what is right, we continue to fight for it. [applause] i will say as i have audience with you, not only is that the kind of leadership we have seen in ferguson, and cleveland and all around the country. that is the kind of community we will continue to demand from our public servants. [applause] it is also critically important to recognize, as an educator, when young people show up and display the credit leadership, with all due respect it's not require an organization. they already possessed those assets. if you look at our young people, as full beings, who have a great

deal to offer the world. think about what they have to give us, then we can learn those kind of lessons. [applause] so, community programming is important, church programming is important, and yet, we cannot program children out of poverty. if we could, we would not still be in the situation. i come to you with that lesson, to say that we are having a policy discussion i am told that policy decisions match the efforts of across the region. [applause] the other thing that i know that august 9 confirmed for me, is that kids can learn if they are dead. all of the conversations we are having about education are poor naught if they end up like

michael brown, or tamir rice. so, as much as i will have a conversation that is rooted in my experience as a educator, it is also the idea is that anyone needs to lead that young person. three things the first is what we call responsible leadership, the idea that you're seeing a child as their full cells -- self if a child is from ferguson or jennings, bosnia, mexico, they bring unique skill sets to be world. layered onto what officers do

we are constantly have any conversation about being anti-biased. we are not just talking about mindsets, we are also talking about knowledge and skills. number one, mindsets, not only should we do you training people away from bias, we should be setting a hiring standard. there should be a minimum bar of anti-racist mindset that officers and teachers should come into the classroom with. there are also things like diversifying the teaching force and police force. we know that 2% of teachers are african-american men. at teach for america we have done things like half of our incoming teachers are people of color. it is possible to find these

folks, we also have to make sure we are getting behind structural diversity. when you talk about getting beyond mindsets, we talk about knowledge and skills. knowledge is built by immersion. we are in our fifth week of teaching teachers right now, not only are they teaching summer school right now, they are getting rigorous training, we are also sending them on home visits. where also sitting them down to learn every seat -- feet of elders. if we actually ensure that knowledge comes not just from a textbook, the college of education, but actually immersing ourselves in the community, and learning from the people who have been continuing to build that community, we can build that knowledge base.

the last thing is skilled, that has to continuously be developed. it has to be that we are consistently evaluating people raised on their skills. when a teacher is doing well they should be rewarded, when a teacher is not doing well, they should be coached to figure out if they can do well, and if they cannot, there are lots of different occupations. the same with a police officer. until we have very clear data about officers records -- officer's records in the communities they serve, it is impossible to make that decision. [applause] the second point, i appreciate you have continued to the national conversation about the personal -- prison industrial complex. if we examine that, we have to go back to its roots.

not only can we create national level policy to incentivize the police officer and teacher training i am talking about, we can also do it with the decline of disparaging officer issues. if your first interaction is negative, you have now learned the lesson that you should be internalizing the idea that something is wrong with you, we know it can happen -- we know what could happen. we should never be dooming children to a future of criminalization when they are only eight, nine years old. [applause] again, policy structures and incentivizing in a different way to support issues in schools.

if we change punitive measures in schools to actually align with restorative justice framework, and people can learn how to channel anger, and actually move through the world in a thoughtful and professional way, then we are not only empowering them to escape a life of crime, we are also empowering them to be full citizens. [applause] the last piece that i will say is that this work is not finished. i was a member of the president's task force, i am a member of the ferguson commission, i am a proud educator yet, until these things go from being on paper to actually being the living, breathing constitutional rights of every citizen in this country, and the laws that are actively passed by ira government -- our government, we will not see full-scale change. we still need special prosecutors with officer

involved shootings. we still need police departments and governments to a knowledge the trust that has been continuously broken and communities. we cannot move forward unless we are consistently incentivizing treatment for all public servants. i appreciate the opportunity, i appreciate so much the effort that has been made in the community with our teachers last year they made 1.5 years in growth in reading and math in a year. we clearly said in less your classroom is academically rigorous and culturally responsible, you are not meeting the standards. we know that the proof is in the pudding, my hope is that policy and structural solutions will match the good work you have seen today. [applause]

hillary clinton: excellent. [applause] >> we intentionally asked some activist and some on the grounds to be with us today. would you stand? [applause] i asked them to stand, secretary, so you can see unlike what the media represents, we are intergenerational, it is faith people and people of not -- who are not of any faith, all races, we are in this together, we are not going away. [applause]

hillary clinton: i would expect nothing less. i appreciate britney's important statement about structural and policy differences. this has to be approached on many levels, but you also have to embed the structural and policy changes, and support systems, so that when you go one-on-one, whether it is with teachers, or law enforcement officers, or any other member of the community who has a lot of contact with and power over their fellow members of the community you can do it too great success with a group of people, but if you not -- if you do not continue it and the same

lessons are not passed down year after year in 25-30 years you are back to where we are today. i am more hopeful today than discouraged. i know how hard this is. i thank you for serving on the police commission appointed by the president. i know certainly he is doing every thing he can to try and put the policy and the appropriations power behind incentivizing these changes. it has to continue. one of the challenges in the country is because of our differences, political for sure partisan for sure. geographic differences, we have a different -- a lot of different communities around the country with different needs and perceptions, experiences. we are not as good as we need to be on persisting and continuing changes that we know work.

you know britney, from your experience as an educator, you can turn a school around, but unless you change the mindset the behavior, the knowledge, the skills of the people who will be in that school after you leave it has no staying power. our challenge is number one, to do the work to create better outcomes, to chair that -- share that, and sustain it. you cannot do that without systematic and policy changes and incentives. it goes back to the point of the neighborhood building, the new markets tax credit is something my husband started. it has revitalized poor and distressed communities, it has made a huge difference and the congress let it expire. it did not matter how much evidence there was, if this was a tool to help people in st. louis, and many other places

around the country and less there is a strong basis of words -- base of support, political and vocal, to keep things at work, we are just on the hamster wheel. what you heard from the panelists and pastors is we have opportunity, shame on us if we do not see the. -- if we do not seize it. that's what i think we have to be doing right now. [applause] >> thank you. i am looking for greg, i need a time check, honey questions can we take? -- how many questions can we take? this works. how many?

>> the first question asked -- asks, considering mass incarceration and its affects, what policy changes you pursue to reverse the trend, and how committed will you be to healing past injustices? hillary clinton: it comes to families and the strength of families. one of the four pillars of my campaign is to do all i can to strengthen families. without strong families, you will not have a strong america. one of the key problems facing african-american families is the disparity in sentencing, is the mass incarceration for nonviolent offenses and other minor problems that should be

diverted away from the formal criminal justice system. i gave a speech about this a few weeks ago in new york, i am very committed to this. when you look at the numbers they are daunting. it is clear that there is disparity in identifying children, starting from the earliest ages with a heavy prejudice against black children. you have two kids who are acting out in school, as i remember, all kinds of kids act out, the challenge is how you change their behavior and support them and get them on the right track. when you get -- when you start at the early age labeling kids

as troublemakers, it becomes a self filling prophecy. -- self fulfilling prophecy. we have to get to a true juvenile justice system as opposed to what we have now. that is another funnel into the adult is an system. we have to do more to set up the criteria so that african-american men are not sent to prison for doing the same thing that a white man of the same age, the same background, the same jurisdiction does. [applause] i believe we can do all of this in a way that still keeps neighborhood safe. i've had a couple people say to me, if you send people -- if you don't send people to jail, what we get a bad crime rate? that's not how it works. we of course would keep violent

people in jail. we cannot expect to avoid because consequences of mass incarceration at the rate we now have -- rates we now have. we cannot support a system that makes money off of mass incarceration. [applause] as well as making money off of immigrant incarceration. there are two different parts of this industry. i want is to have a open conversation, look at what is working in some places, and begin to use the federal government as an incentive to make people in local, state jurisdictions change the way that they go about imposing criminal justice.

i know everything we are talking about takes time. it takes persistence. we have to start somewhere. i intend to tackle this problem. it causes great hardship for so many communities, and it is not fair. i think we can do better on all of those accounts. [applause] >> tying this all together, we want you to be aware that as a part of this commission we get a lot of data, one of the things that has kept me up at night is the data that says in 2014 there were 1100 black children since from schools to the juvenile system. in that same year there were only 63 white children who had that same result. i again say that this is a race issue, even though we don't want talk about it.

it brings me to the next question -- >> in terms of what you just said, that whole school to prison pipeline really seems like there was a big report about dissension. the rate in which african-american students are suspended and put out of school as early as kindergarten. in fact it was preschool, there were some districts suspending preschools. some of the rationales were things like i cannot afford another alternative. it does become a mindset peace. personally that is not a belief i have some education is supposed to be the one thing you don't take away.

that becomes a mindset in terms of how you adjust the adult behavior. the cycle of oppression is so ingrained that people naturally do those kinds of things. when students come out of jail there is no -- or juvenile, they come back to high school there's nothing in between, no counseling. we have a program where they go there first, get mental health counseling, and then transition. giving support and resources unfortunately the mindset for the teachers, leaders -- for our leaders, that has to change. that piece is huge. when we start talking about what needs to change. when our teacher the first day they go on a home visit. for our leaders, we give them

racism training -- dismantling racism training. for every president at seamus -- -- for every principle it should almost be required. hillary clinton: when you're talking about what you have done in jennings, you'd mentioned that you had mental health and other health care programs, i think that is key. a lot of teachers -- i agree completely that race is a big part of that. in some communities it is also economic disparities. they have been for, they will always be poor, they are behaving poorly, we don't want them. we know that, people carry prejudices. i think it is fair to say that a lot of our kids are coming to school with heavy challenges.

poverty is toxic. family disruption is toxic. violence in the neighborhood is toxic. a lot of little kids have developed all kinds of anxiety and depression and all sorts of problems that are not being tended to. you have provided your teachers, and addition to the training and accountability that you want to invest, you have also provided them with an alternative. if they see that child acting up, acting out, unable to sit down, unable to behave, rather than see it as a behavior problem, see it as a health problem. see it as a environmental -- and environment problem -- an internal problem. a big problem is lead paint poisoning. we have so many kids affected by

the time they are in third grade, their iq has been dramatically reduced because they have led in their brains -- lead in their brains. you have to provide alternatives. the numbers you just gave, the disparity is truly a wake-up call. there were -- there will be kids of all races who have the best of intentions, the best trained teachers will have a problem with some of these kids. the vast majority of need something besides being thrown out of school or thrown into the juvenile justice system. [applause] tracy girl -- traci blackmon: i am going to asked, if i put them in an envelope, will you promise to read them? at some point during this long

journey will you address them? i think this question is appropriate to close, america has tremendous capacity, but it often lacks the will to change. can you reflect on how we can inform a better will for a better america. [applause] hillary clinton: that is a profound, and really important question. let me offer a few reflections. i want to start with something i said in my remarks, that was the phrase, habits of the heart. i believe in policy changes, structural changes systemic changes. i will promote it all -- as i have two my career, and certainly as president.

i also believe we need to confront the deep seated biases and prejudices that still within too many of us. it is something that is hard to talk about. honestly i think the vast majority of all of us could pass lie detector tests. we would say of course we don't have biases, but of course we do. that's why i'm hoping for a lot more conversations like this across the country. where people honestly talk. you will hear that voice saying, what about.., y, z -- about x y, z?

i believe we have a lot of good solid information about what works. when you say we have the capacity, we have not only capacity, but evidence. we know what you are doing in jennings, it is so admirable and you should have a lot more help than you currently have. there should be a lot more ways to take what you are doing and spread it more broadly than it currently is. what britney is doing on training teachers and giving the people in law enforcement a knowledge-based and skill-based training so that they can learn more about themselves, what they see, how they react, so they can be more aware and try to be better at serving the communities they pledged to protect.

on health disparities, we know that if you live within 10 miles of one another you may live in a community where the life expectancy is 18 euros less or more. what is the problem and how we solve it? rather than say, well, that is the way it has always been. no. that's not true. medicaid would make a big difference. thanks to president obama's willingness to put will behind capacity. it is not going to do people here any good if they cannot access it. there is a lot we know about what to do and how to do it, but i will tell you when it -- what it comes down to come i don't want to sound like a civics teacher 101, but this is how i feel, if people voted for people

who would represent them about these issues -- interests -- [applause] that's the way we run. it would be easier if you elect people who are actually committed to addressing health disparities, providing more resources to struggling schools. supporting developers who want to build communities, not just buildings. that should be a given when people do not vote because they are discouraged, that only encourages a lack of will. people who do not see a reason to change, they say well, people had a chance, they didn't come out. the hardest thing to do in a campaign is to convince people to actually take the time to vote.

i think that is the clearest way to get the will. if you are listed -- elected to deliver on these issues then you can be held accountable. but if you do not even have to go to the communities that are making these demands because you know they will not vote, and you do not have to pay attention to them, nothing changes. let's remember capacity based on evidence for solutions that work, systemic change, deep changes of the habits of our heart, working with one another to try and some work these changes over time, and then turning out to vote and holding public officials accountable for what they do or don't do. that to me is how we translated into well. traci blackmon: i want to thank you for your time today.

this is just a slice of the brilliance that is in st. louis. [applause] i must take my opera hat off and put on my pastor had come of it because at the drop of a dime, the people i am privileged to serve here prepared the place for you. christ the king, will you please stand? [applause] they never complain, at least not so i can hear it. thank you for being you. reverend karen will close in prayer. reverend: before i pray, i was thinking about tracy's quote from howard berman -- thurman

there is another one i like from one of his books. he talks about meeting people at the place of their ashtray, in other words, you come to where they are. you figure out what is important to them, and then you enter into a relationship. you begin to build a relationship in which things can change, where we can change mindsets -- change. where we can change mindsets culture, and behavior. i want to thank you for coming and sitting with us at the place of her ashtray -- our ashtray. we believe -- we realize we scratched the surface, people have so much more to contribute i prayer is this will not be the last time that you come to this area. [applause] let us pray.

god we thank you for this time. we thank you for the willingness of everyone to share from their hearts. we thank you for the wonderful things going on in the city. lord, we lift up our collective voices to say it is not enough. there are those suffering from injustice. there are those fighting for basic human rights. there are those feeling helpless and hopeless. there are those who still live on the margins. there are those we walk by everyday and forget. there are those in places of power and authority who operate out of privilege and not added humanity and humility. we asked that you would begin to move with -- throughout our city. laura, would you bless secretary clinton as she continues on her

journey. would you allow her to keep her for -- year's open as she listens to the concerns of those she wishes to serve. touch her heart. keep her safe. and lord, we wait for the next time we meet. thank you for all that took out of -- took time out of their schedules. we asked that you watch over them as we move closer to a beloved community where diversity is appreciated where individuality is celebrated, and not feared. as you are called by many names, we do pray of the creator god and the name of jesus, who i know amen. [applause]

>> we will have more live coverage tomorrow. louisiana governor bobby jindal is expected to announce his official entry into the presidential race. he will be the 13th candidate to do so. [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit ncicap.org] >> a good read can be big perfect opinion for your summer journeys. what better book than one that peers into the personal life of every first lady in american history. "first ladies, presidential historians on the lives of iconic american women." a great summertime read,

available as a hardcover or e-book through your favorite bookstore or online bookseller. >> the head of the office of personnel management was back on capitol hill to testify about the two recent data breaches. it impacted over 4 million federal workers. they have yet to determine how many people were affected by the latest data reach -- breach. >> good morning.

>> today's hearing before the subcommittee on financial services and general government is intended to elicit further information about the recent opm data breaches. it is also a time to discuss the enormous challenges facing the es not happen again. the government spends approximately $82 billion a year on information technology. given the cost of these projects and the impact on our economy and the national security members of the subcommittee have an ongoing committee -- commitment to conduct oversight. we must ensure that hard-earned

tax dollars of millions of americans are being spent wisely and effectively. just last year, the subcommittee held a hearing with opm director arculetta, steve van roykle, dan tangerlini and david panner. given the enormous resources and important security issues at stake, the subcommittee considered it imperative that omb and federal agencies appropriately managed these projects. we're all well aware of examples of projects that ended in spectacular failure as with the initial rollout of health care.gov. we should also be troubled by the accounts that don't grab headlines, including initiatives with ongoing costs that grow each year after year without demonstrating effective results or sufficient security.

we must have safeguards in place to see that projects are consistent, that problems are anticipated before they occur, and most importantly, that someone is actually accountable and responsible. all too often, large complex i.t. projects drag on for years. outlasting the administration that initiated them. and the employees responsible for managing. in the fsg bill alone, billions have been spent over the years on tax system modernization at the irs. work that has been continuing for decades and is still incomplete. even for projects now on track past problems generate millions in additional costs and years of delay. and as we have seen recently at irs and once again with the opm breach, both of which have compromised the personal data of millions of americans, billions of federal dollars spent are no guarantee of security. across the government, i.t. projects too frequently go over budget, fall behind schedule and do not deliver value to

taxpayers. responsibility for oversight is often fragmented throughout the agency, owning the project and omb does not conduct appropriate review and management. whether issues related to programs requirements, performance, spending or security, lots of people are involved. but often, no clear lines of accountability are drawn. what has happened at opm is devastating, millions of americans and their families and friends have been affected. giving those impacted limited free credit monitoring and any theft insurance will not be enough to address the long-term consequences that we may see for years to come. but also troubling is the knowledge that opm is just the most recent example of the government's systemic failure to protect itself. according to gao, we should have serious concerns for the future. the number of information security incidents reported by federal agencies has exploded in recent years.

constant vigilance is required and government systems may not be prepared for the job. 19 of 24 major federal agencies have reported deficiencies and information security controls. the i.g. at 23 of those agencies cited information security as a major management challenge. how many headlines of serious data breaches will it take to implement the steps necessary to protect ourselves? and at what point do some in washington recognize growing the bureaucracy without actually governing is a recipe for this type of disaster. the obama administration views the federal government as capable of tackling almost every problem that the nation faces. yet, while attempting to grow the size and scope of the federal government at every turn, the administration fails to follow through on the task that is already responsible for. if you bounce from one bigger government solution to another without carrying out your basic responsibilities, this is what happens.

it's easy to suggest more money is the solution. that seems to be the response the administration leans on every time there's a problem. but is often the wrong choice. especially in situations like this where it appears that the problem is something much greater than a lack of resources. the american people have lost faith in their institutions, the last thing they will do is trust washington to solve a problem when it can't even protect the personal information of those it employs. there needs to be a dramatic change in the status quo. what i hope to hear from our witnesses today is not the same stale line that more money is needed, but an explanation as to why the federal government failed to do the basic job of protecting personal data of millions of employees with the vast resources it already has in hand. what it's doing right now to resolve this problem and what is being done to ensure that we are prepared for the next attack. i hope with your help we can

learn from this instant and identify ways to improve and protect our security. i appreciate the interest of all our colleagues and shared commitment to doing what we can to work together to try and address this so important issue. we cannot afford not to. senator? senator: i'd like to welcome our witnesses, assistant opm and former chief information officer richard spyers. we are here today to review information technology spending and data security at the office of personnel management. as part of that review, we need to discuss recent cyber security attacks that have put federal employee information at real risk. we need to address the late breaking inspector general audit that expresses concerns about opm's i.t. modernization project. but while we conduct this subcommittee oversight of opm and it's spending and response,

i also urge us to put this in the context of larger cyber security challenges that face our government and our society -- and society as a whole and , progress or lack thereof by congress in strengthening our nation's cyber defenses and in providing needed funding for federal cyber security and i.t. initiatives. regarding the cyber incidents at opm, one breach involved personnel data of roughly 4 million federal employees, stored on an interior department networks. investigators found another intrusion where information from background investigations was allegedly stolen. i understand opm recently became aware of the security clearance theft and the investigation is , underway. while we may be limited in exactly what we can discuss in this context, i'm very hopeful we can have a productive and ongoing conversation. the fact the security breaches happened is, frankly, terrible. they force us to grapple with the reality that in our inner connected world, we're more vulnerable than ever and need to do more to protect our public employees vital personal information from foreign attackers. after we've investigated why

these cyber attacks were able to breakthrough, we need to be willing to do what's necessary to ensure they don't happen again. these attacks don't just compromise the information of millions of federal employees, but our nation's security, as well. it's further troubling, the i.g.'s office has found that opm has not fully complied with the federal information security management act which mandates information security requirements for all federal agencies. while opm has made recent improvements, we need to remain vigilant. both director archuleta and the opm cio have only been on the job roughly a year and a half. and to their credit, made i.t. security a priority. but they need to clearly understand that the job is not done. opm has indicated to the subcommittee most of the i.t. security systems are aged and at the end of the useful life for some security patches are no longer provided by the original vendor. fiscal year 2014, opm began a three-year i.t. system modernization and seeking a third installment of $ 21 million to complete that project this year. and without that funding, the investment of the previous two

can't be meaningfully completed. i was alarmed by the i.g.'s allegations about mismanagement of the modernization projects to date, and hope that opm's representatives will speak to these assertions directly here today. last, i just wanted to emphasize, i think we need to prevent another round of sequestration. opm's fy '16 budget request includes a $32 million increase over last year's level. virtually all of which would address i.t. infrastructure improvements. sequestration could critically threaten those investments and the livelihoods of our employees. while some of these cuts might be weathered in the short-term they can have serious long-term impacts. and i think we need to work together to ensure federal agencies are prepared to protect -- prepared as best they can be to protect against cyber threats. the federal government is at constant threat of cyber attacks. it successfully wards off millions of attempted attacks a year. and i think we need to work together to protect the nation's economic and national security interests by coming together to deal with these vital cyber

security issues. chairman bozeman thank you for , holding this hearing and i'm eager to work together as we consider the needs of our federal agencies and combatting cyber threats. >> thank you, senator. >> mr. chairman. may i just have a few comments and observations? >> you can comment all you like. >> first of all, mr. chairman, i really want to thank you for your leadership and convening this hearing. i think america wants to know, certainly our federal employees want to know what happened and what is the impact on them, and what is the impact on the nation? i would strongly recommend to the chair that after this hearing and then also the briefing we'll receive this afternoon, the chair and the ranking consider having a classified briefing because as a member of both the intel committee and someone who has been involved on this, there are things that are best discussed that you need to know for your responsibilities in a setting.

and we would be -- and senator cochran and i would be happy to cooperate with you in establishing that. center: -- senator: it needs to be -- you'll know more this afternoon. second thing is, the second point is, what has happened at opm. and also what happened to the breaches at the army shows that that this is a serious national issue. it affects not only opm, but every agency and shows that national security and its impact is not limited to d.o.d. mr. chairman, i also want to remind the committee or bring to their attention, we tried to deal with this in 2012. under the leadership of senators liberman and collins, there was a bipartisan effort to have a cyber security bill that dealt with new authorities for key agencies to establish standards for critical infrastructure, create info sharing regime to protect both.gov and .com and

giving dhs authority to unite federal resources across all levels of government to have both the authorities, to make sure they have the resources to know how to do the right job. exactly what you're saying, sir. let's not just throw money at it. let's get value and security for the dollar. that was stopped because the chamber of commerce established a massive lobbying campaign because they were worried we would overregulate. well, we are where we are. so we need to do a lot of work. we had a bipartisan study group. people like collins, coates, maybe we need to resurrect that because it's opm today, it'll be another agency tomorrow. we've got to make sure our cyber shields are up, we're fit for duty, and we're fit to protect our people. so, i just wanted to refresh everybody that, and of course, my federal employees need to

know what happened, how do they protect themselves? and we need to know how to protect america. so thank you, mr. chair. >> thank you, senator. and i think the suggestion of the classified briefing is an excellent one. and also, that this is not a you know, certainly not a partisan issue. this is something that's been going on for a long, long time through successive administrations administrations. we have three witnesses appearing before us today. katherine arculetta, michael esra, and richard spyer and former chief information officer at dhs and irs. director arculetta, i invite you to present your testimony. director: chairman boseman and members of the subcommittee. entities are under constant attack by evolving and advanced

persistent threats and criminal actors. these adversaries are sophisticated, well-funded, and focused. unfortunately, these attacks will not stop. if anything, they will increase. although opm has taken significant steps to meet our responsibility to secure personnel data, it is clear that opm needs to accelerate these efforts. not only for those individuals personally, but also as a matter of national security. my goal as director is to leverage cyber security best practices and protect the sensitive information entrusted to the agency, modernizing our i.t. infrastructure, to better confront emerging threats, and to meet our mission and our customer service expectations.

opm has undertaken an aggressive effort to update its cyber security for fiscal year '14 and '15, we committed nearly $67 million towards shoring up our i.t. infrastructure. in june of 2014, we began to completely re-design our current network while also protecting our legacy network. these projects are ongoing, on schedule, and on budget. we implemented state of the art practices such as additional fire walls, factor authentication for remote access and limited privilege access rights. we are also increasing the types of methods utilized to encrypt our data. as a result of these efforts in

april of 2015, an intrusion that predated the adoption of these security controls affecting opm's i.t. systems and data was detected by our new cyber security tools. opm immediately contacted dhs and the fbi and together, we initiated an investigation to determine the scope and the impact of the intrusion. in early may, the inner agency incident response team shared with relevant agencies that the exposure of personnel records had occurred. in early june, opm informed congress and the public that notification actions would be sent to affected individuals beginning on june 8th through june 19th. we are continuing to learn more

about the systems that contributed to individuals' data potentially being compromised. for example, we have now confirmed that any federal employee across all branches of government who submitted service records to opm may have been compromised, even if their full personnel file is not stored in the opm system. these individuals were included in the previously identified population of approximately 4 million current and former federal employees and have been included in the notification. later in may the team concluded that additional systems were likely compromised. this separate incident which also predated the development of our new security tools and

capabilities continues to be investigated by opm and our interagency partners. based on this continuing investigation in early june, the interagency response team shared with relevant agencies there was a high degree of confidence that opm systems related to background investigations of current, former and prospective federal government employees and for those a whom federal background investigation was conducted may have been compromised. while we have not yet determined its scope and its impact, we are committed to notifying those individuals whose information may have been compromised as soon as practicalable. but for the fact that opm implemented new and more stringent security tools in its environment, we would never have known that malicious activity

had previously existed in the network. in response to these incidents opm, working with our partners at dhs has immediately implemented additional security measures to protect the sensitive information we manage. we continue to execute our aggressive plan to modernize opm's platform and bolster security tools. we are on target to finish a completely new modern and secure datacenter environment by the end of fiscal year '15. which will eventually replace our legacy network. the original budget request included an additional 21 million above 2015 funding levels to further support the modernization of the i.t. infrastructure which is critical. this funding will help sustain

the network security upgrades and maintenance in years to improve the posture including advanced tools, such as database incorruption and stronger fire walls and storage. we discovered the instraousons -- intrusions because of our efforts to improve cyber security at opm, not despite them. i am dedicated to insuring that opm does everything in its power to protect the federal workforce and to insure that our systems will have the best security posture the government can provide. thank you and i appreciate the opportunity to testify today. i am happy to address any questions you may have.

>> mr. eser. michael esser: chairman, and ranking member coops and members of the committee. thank you for inviting me to testify at today's hearing on the i.t. audit work performed by the inspector general. >> can you put your microphone on? it's on. just pull it closer then. michael: today i will be discussing opm's long history of systemic failures to properly manage it's i.t. infrastructure which we believe may have led to the breaches we are discussing today as well as issues to the current modernization project. there are three primary areas of concern that we identified through our fiscal audits during the past few years.

information security governance security assessment and , authorization and technical security controls. information security governorance is what forms the foundation of a successful security program. for many years opm operated in a decentralized manner with the program officers managing their i.t. systems. this decentralized structure had a negative impact upon opm's i.t. security posture and all the audits between 2007 and 2013 identified this as a serious concern. by 2014, steps taken by opm to centralize i.t. security responsibility with the cio had resulted in many improvements. however, it is apparent the ocio is negatively impacted by the many years of decentralization. the second concern is security assessments and authorization.

this process includes a comprehensive assessment of each i.t. system to ensure it meets the security system before allowing the system to operate. we identified problems related to system authorizations in 2010 and 2011, but removed it as an audit concern in 2012, however problems with opm system authorizations have reappeared in 2014 20 opm systems were due to receive a new authorization butio 11 were not authorize sized by year end. in addition, the ocio has recently put authorization efforts on hold until it completes the current modernization project. this action to extend authorizations is contrary to omb guidance which specifically states that an extended or interim authorization is not valid.

it is also worth noting omb no longer authorized and we still expect them to have concern the authorizations. the third concern relates to opm's use of technical security controls. opm implemented a variety of controls and tools to make the agency's i.t. systems more secure. while this is a positive step we -- steps, we are concerned these tools are not being implemented properly and did not cover the entire infrastructure as we found that opm does not have a accurate inventory of all data bases, and opm cannot fully defend its network without a comprehensive list of assets.

there has been much discussion in securing the systems as they are old legacy systems. while this is true in many cases and many systems are main frame based, it's our understanding that some of the systems impacted by the breaches are in fact modern systems for which most ft technical improvements -- most of the technical improvements are necessary to improve them could be accomplished. i would also like to briefly address opm's modernization project which will overhaul it's entire infrastructure and migrate all systems. we recently issued an alert discussing this project and our concerns related to project management and the use of a sole source contract for the duration of the effort. one area of significant concern that we identified is that opm does not have a dedicated funding source for the entire project. its estimate of $93 million includes only the initial phases of the project.

which covers tightening up the security controls and building a new shell environment. the $93 million estimate does not include the cost of migrating the cost of this work is likely to be substantial. and the lack of a dedicated funding source increases the risk of the project will fail to meet its objectives. in closing, it is clear that opm has a great deal of work to strengthen its posture. however, especially for the task of this magnitude, it is imperative that we follow solid i.t. project management best practices. to provide for the best chances of success. thank you for your time. i'm happy to answer any questions you have. >> thank you.

mr. spires? mr. spires: i'm honored to testify. i hope my experience regarding recommendations i will make regarding how the federal government can more effectively safeguard data and improve cyber security posture. most federal government agencies find themselves susceptible to core mission systems because of three primary causes. first, lack of i.t. management best practices. the very best cyber security defense is managing your infrastructure and software applications well. beginning in the 1990's and up to the present, the federal government has not properly managed i.t.. having failed to effectively adapt with the changes in technology and the evolving cyber security threat. as examples of these failures,

when i served in government, we would all to routinely discover systems outside the purview that have been deployed without the proper security and accreditation. the highly distributed approach across government, and i point out that mr. ester is testimony referred to decentralization within opm itself, has led to thousands of data structures. the resulting laxity of vastly different systems and underlying structures makes it virtually impossible to properly secure such an environment. second, lack of i.t. security best practices. while well intentioned and appropriate for the time, the 2002 act skewed the approach for

security. the law says to look at the controls for individual systems when in reality, doing systems in isolation high the impact of large security posture. until very recently, systems would be certified and accredited based on a three-year cycle. which is a significant issue when looking at the rapid evolution of technology in the cyber threat environment. third, a slow and cumbersome acquisition process. when i was at dhs, i was a proponent of diagnostics and mitigation programs. it is dismaying to see how long it took, two plus years just to intimate phase one. that does not include the additional competitive process for agency to obtain get abilities. sophisticated adversaries will exploit any and all one abilities. the government is even more

honorable what it takes months not years to deploy new security capabilities. my recommendations to address these causes -- first, effectively implement the federal reform act. this law is meant to address the systemic problem in managing i.t. effectively and the main intent of the law is to power the cio to address these issues. so far, i am pleased with tony scott and the role of the rollout. congress can support these efforts by demanding aggressive implementation development of measures for assessing the impact, and transparency in reporting ongoing process. effective and limitation is the government's best hope. second, dry adoption of best practices.

there have been positive movements with the updated law and the move to continue monitoring. i recommend the government rethink how it is measuring success, with focus along three lines. the continuing need to pursue cyber security tools to prevent intrusion, but even more importantly, detect them quickly when intrusions do occur. the government needs to assume that sophisticated adversaries will still gain access. the root of all trust is verified identity, and the government needs to step back and rethink how it is rapidly implementing ubiquitous use of multi factor authentication's, along with the behavioral detection systems to identify insider threats or compromise credentials. finally, the government needs to target additional protection of an agency's most sensitive information. through focused effort in the use of data protection

technologies, the government has high assurance that only the trusted parties have access to the sensitive information. this would go a long way towards forging additional bridges. certainly the breaches at opm are terrible for the government and the millions who may be negatively impacted in the future. however, the need to implement the law can be the impetus for much-needed and sustained change. it is critical to make enough progress during the next 18 months to ensure that leadership commitment to meet a change in i.t. management and security is sustained into the next congress and administration. thank you for the opportunity to testify today. >> thank you mr. spires. at this time, we're going to proceed to our question that we

plan on proceeding to our question. each senator will have seven minutes. i hope you have time to accommodate two rounds. we have a vote hold now, it is only one vote. we will like to suspend run and vote and come back and start immediately with the question. we will do that. [inaudible]

>> the committee will come to order. again, i apologize for the delay. the only thing we have to do around here is vote. and so, there is just no way of knowing. you schedule these things and certainly that trumps everything, which it should. director archuleta, according to the news reports of the opm's security clearances, hackers have access to sensitive data for year. the systems contained important information for current, former, and perspective federal employees and contractors. a notification, will be provided to an information and focus groups. archuleta: even as we speak we are developing a notification process to reach those individuals. we are taking into account what

we have learned from the first notification and looking at the wide range of options we would have in that notification process. >> will notifications be provided to family members and other individuals whose information was included solely due to their relationship with the applicant? archuleta: we are into consideration all of the individuals affected by the breach. as the plan is developed, i would welcome the opportunity to come into detail for you. >> how did you decide that 18 months of protection is sufficient for federal employees? archuleta: this is an industry best practice. the second notification is really examining that to see with the reign of options may be. >> will you offer the same protection to individuals stored

on databases, or does this heightened level warrant additional protections? archuleta: this is what we are looking with our partners for a wide range of options we need to consider. >> what additional steps you plan to take to protect the victims, given the long-term effects these breaches pose. ? archuleta: i am looking at the steps we can take to protect their data. im am as upset as they are. we are examining not only the notifications, but also the protections in the remedies we must put into place. >> those are important questions. those are the kind of things we are getting from federal workers. i know you will have a lot more questions related to that. it is so important that we try to get information to those that have been affected. mr. spires, the administration

has ordered a 30-day sprint to patch security holes. is 30 days sufficient time to correct more than a decade of negligence about our systems? in the failed attempts at modernization? mr. spires: i'm sure you would not be surpirserised for me to say no. i think it is a good thing though, to put in place a process by which planning should take place. so that we could start to get our arms around what should be done agency by agency put us in a better posture. >> as we get into these things, mr. spires, do you expect us to find significant problems as far as breaches with the other agencies? mr. spires: first, i should say you will find significant

problems with them not following best practices. and not that that alone would necessarily indicate breaches, but given the situation we find ourselves and, you should find significant ones. >> i would concur with mr. spires. we have been seeing breach after breach this year, health insurance companies and background and government entities. it would not surprise me to see more. >> mr. spires, how again looking at the scope of the problem, how long do you feel like it would take the government to actually do things we need to do to protect ourselves from the outside threats. mr. spires: i think we should

take an ordered approach to the problem. in my mind, what agencies should first be doing is identifying the sensitive datasets they have and putting them in a bucket did ed priority. and coming up with plans to protect those data sets. to think that we can go into these large agencies that have as i said, decades of mismanagement and decentralized i.t. and fix that quickly is just naive. this notion of doing it by protecting sensitive data sets, data technology today and encryption and the like, to do that at the document level -- and then, you have to worry about identity. it does no good if you have encrypted the data, but the credentials of someone to get to the data have been optimized. you need to work on the identity problem. that is where things like

multi-factor models come in. there are many new technologies to make this much faster and easier to roll out that it was five years ago. also, this notion that even if someone has been authenticated and authorized, that doesn't mean their behavior is correct. right? the insider threat problem, we have to watch that. this notion of bringing in detection systems are ways we can monitor the privileged user. those that have root access to the systems and data are the ones that, frankly, we need to monitor. >> director archuleta, we have heard numerous accounts of frustration with csid. including inaccurate information reported to the victims, what steps are you taking to monitor the contractor? archuleta: we have experience in

these verifications. we served sony sony with their large breach. we believe they have the capacity to handle that -- >> but when you call in now, the wait times are very long. i don't know that they have experienced anything of this magnitude. archuleta: thank you, sir. i am as angry as you are about that. i want to make sure they are doing everything they can to reduce wait times. that is why i have instructed my team to work with the contractor to improve daily the services they are giving to our employees. an employee should not have to experience that. that is why we are demanding from our contractors that they improve their services. i do believe sir, because of the two incidences, we have had an unusual number -- i high number of phone calls. that is not an excuse. our contractors should

confrimirm to that number. >> ms. archuleta, if i might if opm had completed the upgrade with these consequences have been prevented? if opm had been in full compliance, would any of the breaches still occurred? archuleta: my cio has advised me that even if there had been 100% compliance, there is no guarantee that that system will not get breach. that is why an i.t. strategic plan and the implementation is so important, mitigation -- risk mitigation is the answer to what we need to do. we need to be able to detect and mitigate. that is what our plan is designed to do as we move from a legacy system to the new shell system. i believe we need to act very rapidly to move from this old

system to a new system. we need to make sure that we are tracking, documenting, and justifying everything we do. we also need to be sure we are acting as quickly as we can, to protect the records entrusted to us. >> all of the federal employees web been affected, as the cochair of the senate law enforcement caucus, i am particularly concerned about those officers and their family. they have to be concerned about previous criminals that might have motivation to seek out their homes and families. what are you doing specifically to sponsor their concerns? not to suggest there are only folks with concerns, but they are one of the subsets that have very real and legitimate pressing concerns. archuleta: what i can assure you, senator, we are working across agencies to analyze the

scope of this breach. we will be able to discuss more with you in the classified session. i can tell you that we are working very closely with our law enforcement partners. >> i am eager to follow up with you on that and to get some reassurance, which greatly concerns federal employees of all backgrounds. that they are able to get updates and more information on their path forward. your budget request was submitted before the discovery of the most recent incident, before we had any sense of the scope. are there additional tools or enhancements that you need in order to deal with the critical issues that are now well and widely known? how might you seek an amendment to the budget request? archuleta: thank you for that question. we are analyzing now with onb and my cio to determine what the request might look like.

i hope to get back to you by the end of the week. >> thank you. last question, if you had actually encrypted federal employees'identifying information, would that have protected them from the hackers once the system is compromised? archuleta: this was a question that had been asked of my colleagues who are experts in cyber security. they have informed me, indeed, in this particular case, the encryption would not have prevented the breach. encryption is an important tool, that is why we continue to build the encryption method within our system. in this particular case, it would not have prevented it. >> my question was not whether it would have prevented the breach, would it have protected it wants the system was breach? archuleta: no. >> regarding the question on system compliance and upgrades,

mr. spires, any difference of opinion? any insights if compliance would have produced a different outcome? >> the issue the old 2002 law, it was really around a set of technical controls that would be checked every three years. given the environment we live in, that is not even close to being appropriate. we are moving towards a continuous diagnostics model which is the correct model. where you monitor all of your systems and the complete environment, looking for intrusions and improper behavior. but i would even echo the point that even that is not enough in today's environment. you need the data protection like encryption and you need to upgrade to better understand who is accessing your system. those are all critical process of these in order to protect

data today. >> would it be reasonable for us to have expected that opm could achieve a data security given the resources they currently have available? mr. spires: i am not sure i'm in a good position to answer that. i go back to my point of a focused answer of protecting sensitive data with the right encryption and a right access control capabilities. if you put the focus there, i think most federal agencies would have the funds and resources to be able to a college that. >> we have seen significant data breaches for home depot jpmorgan target, sony, neiman marcus. many of them have invested in cutting-edge cyber security. is the private sector having any more success in mitigating cyber breaches? mr. spires: it depends a lot on

the actual company, it varies greatly. i would say that to make another point here, one of the big differences between the government and the private sector is that the private sector has the ability to very rapidly acquire the newest capabilities that are being offered by the cyber security, if you will, industry. one of the things i would like to see is the government agencies be able to bring in, in a test environment or pilot, new capabilities as they come to market. that would really help government agencies to adopt the new capabilities. >> you referenced the slow and cumbersome procurement, i look forward to exploring that with you in the next round of questions. thank you. senator langford: we have a lot to be able to cover. to be able to resolve things for the future, but what has happened in the past.

there are several comments that you made, what is the most pressing issue you discovered since the flash report you have done? based on the vulnerabilities that still exist and what needs to be finished? i am not asking you to expose publicly boehner abilities that still exist, what on the list need to be addressed immediately? >> senator, i think one of the most important things that needs to be addressed are the two factor authentication's to access systems. this has been a long-standing problem at omopm. they have made improvements and implement of this to affect workstation access. the actual system that are being used need to be implemented also and required two factor authentication.

senator langford: the chief information officer had also listed the same thing in 2012. let me read this. the initiative to require personal identity authentication to access the agency network, as of 2014, 90% of workstations required personal identity access for the network. however, none of the 47 major applications require personal identity verification authentication. is that still correct? >> to the best my knowledge, it is. ms. archuleta, only about that. archuleta: two points there. remote users, we are 100% at that point now. with regard to all other users we are working very rapidly to increase that. i have asked my cio to increase that effort. i would be, i'm sorry i don't

have the percentages in my mind right now, but i would be glad to get back to you where we stand as of the state. we are working rapidly to do that. senator langford: a 95% figure is pretty close? 95% workstations, still 47 major applications are exposed, i guess? archuleta: i would like to get back to you for full details. senator langford: there is a question on authorization. obviously, that isa a requirement for onb. on this, it says 11 were not completed in time. archuleta: all but one of those systems has been authorized. they are operating with authorization number and we are working on the contractors.

senator langford: there is a systemic problem. i'm trying to figure out why to make sure that authorization is done on time and on schedule. has that issue been fixed? i know people stepped in and said, let's turn to fix this. what about the future, to make sure they're done on time? archuleta: i would like to have my cio get that information to get back to you. senator langford: give me a time frame. archuleta: by the end of the week. senator langford: i am the the chair for, june 10, i sent a letter that has yet to be acknowledged -- much less be answered. none of them that would require a classified setting. but there are some basic

responsive effort. i have letters already on the record, and tremendous number of employees that live in my district am a asking basic questions -- the folks have asked some very basic questions. they have yet to get a response or even say it has been technology. they just want to know timing. i know the letters have gone out nationwide. people want to know if there are people working on these issues. archuleta: i apologize if you have not received that response. i asked my staff to respond to that. i know that it is forthcoming. i will make sure you have that letter today. senator langford: lb great. thank you. do we have a ballpark cost to contact everyone to let them know hey possibly your information has been breached? there are two cost factors that our committee has to consider. one is the cost of sinning the

letter out. the second is the cost for the credit report and screening that is happening. you have a cost estimate? archuleta: as we take a look at the pickup rate on credit monitoring and that will adjust it, is approximately anywhere from $19 million to $21 million. senator langford: what is the estimated cost on a letter going out? archuleta: between e-mails and letters, i do not have the breakdown. i would be glad to get that for you. senator langford: some agencies the website you link to, some agencies have already blocked that internally. so those individuals may try to go our blocked, for fear there may be phishing scams. archuleta: we worked closely because of the security protocols they might have. we work closely with them, and

their cios and other top officials. senator langford: the inventory of workstations out there, the central control issue is important for keeping up security and technology upgrades, and making sure software is upgraded. making sure everyone has a consistent presence there. when there is a server there, it creates tremendous -- that is not a legacy issue. archuleta: i respect the inspector general on this. i would welcome the opportunity to discuss this with you and with him further. >>senator likeankford: thank

you. >> i just have a series of questions that hope are relatively short responses. i will work my way through as quickly as i can. what is the current estimate of the total number of files for employees breached? archuleta: under director archuleta we estimate that the over 4 million. it is an ongoing investigation. we will continue that with our partners. at this point we know it is a little over 4 million. senator moran: are those words interchangeable? 4 million employees and 4 million files? director archuleta: approximately formally people who have been affected eye it. senator moran: what -- by it. senator moran: