
Key Capitol Hill Hearings  CSPAN  June 24, 2015 9:00pm-11:01pm EDT

9:00 pm
of terrible tragedy and amazing unity. last wednesday night we experienced an unimaginable tragedy. nine men and women nine mothers, fathers sisters brothers, sons daughters lost forever. the hateful and racist actions of one deranged man has changed nine families forever. it has changed south carolina forever. charleston forever. but what we saw from the nine families at last friday's bond hearing was simple, was powerful and absolutely the best of who we are as americans. just a few minutes ago i was back in the cloakroom and i had the opportunity to talk to one of the victim's sons, daniel
9:01 pm
simmons jr. i was talking to them back there and i said is there anything you want me to share when i go on the floor of the senate? he said please share that god cares for his people god still lives. i was amazed. then he said with great enthusiasm and energy, a sense of excitement that this evil attack would lead to reconciliation restoration and unity in our nation. those are powerful words.
9:02 pm
it is with great sadness and amazing hope that our future as a nation hasn't changed. it has been changed because one person decided to murder nine. it has been changed because the response of those nine families has been so courageous. so inspiring. and if you permit me, i will read the names of it those nine individuals. we honor the reverend sharonda coleman-singleton, a beloved teacher, coach at goose creek
9:03 pm
high school. her son chris has shown us all what an amazing mother she was through his strength over the past six days. we honor cynthia hurd, whose love for education has been shared for over 31 years as a librarian in the public library system. we honor susie jackson who at 87 years young still offered her beautiful voice to the choir and had recently returned from visiting her family in ohio. we honor ethel lee lance who served her church with pride whose daughter calls her the strong woman who just tried to keep her family together. we honor depayne middleton-doctor who dedicated her life to serving the poor and
9:04 pm
worked as an enrollment counselor at southern wesleyan university. we honor my good friend, reverend clementa pinckney, an amazing man of faith a great dad and a wonderful father. we honor tywanza sanders beloved son of tyrone and felicia, whose warmth and heartfelt spirit has kept us moving. we honor the reverend daniel simmons sr. whose granddaughter said my granddaddy was an amazing, amazing man. it seemed like every time he spoke, it was pure wisdom. and we honor pastor myra thompson, who served the lord with grace and dignity. she loved her children, her grandchildren and her grade --
9:05 pm
great grandchildren. if you would just pause for nine seconds, a second for each one i would appreciate it. [moment of silence] mr. scott: thank you. in closing i want to thank all my colleagues in the senate and the house for their kind words over the past week and for the prayers that continue to come into our city from across the nation. we are charleston, we are south carolina and we are absolutely united and we are committed to replacing hate with love, pain with kindness and ill will and hostility with goodwill and comfort. i yield to senator graham. mr. graham: thank you.
9:06 pm
the presiding officer: the senator from south carolina. mr. graham: and i just want to recognize senator scott. we all know tim as a man of quiet faith. he does it when no one's looking, by the way. i remember being in the cloakroom watching a basketball game, which is consistent with me and tim's over in the corner with headphones. i said what are you listening to or what are you doing? he said i'm doing my bible study, very sheepishly. tim, you have been a great comfort to our state because you are truly a man of god. to the rest of you i -- i want to tell people in south carolina the senate -- we've got a lot of differences and we display them a lot. i wish you could have heard what was said to me and tim. everybody in this body has come up to us and one way or another said the most kind things. so the united states senate, we have had our problems but we're still a family. so thank you all from all over this country for the kindness you've shown during these difficult times. very quickly, i don't know how you can sit with somebody for an
9:07 pm
hour in a church and pray with them and get up and shoot them. that's something i didn't think we had here, but apparently we do. i just can't imagine what it takes of an individual to be welcomed in a church -- and here's what happened. he went to charleston with a plan. the people in the church had no idea who he was or what he had in mind, and he came into the church and he was sitting in the pews by himself and they invited him up for the bible study. and spent an hour with him. and he said they were so nice, i could almost -- i almost backed out. that says a lot about them. it says a lot about him. but tim mentioned something that i cannot get over. within 48 hours of having your family member murdered, they appear in a public setting looking the guy in the eye and saying you have ruined my life, but i love you and i forgive you. that is a level of love and understanding that can only come from some higher authority.
9:08 pm
i don't have that within me. so when it comes to representing south carolina, tim and i will do our best, but on our best day we're nowhere close to these people. there's no politician in america that can represent their state better than the people of mother emanuel a.m.e. church, when they went to a public place looked the killer in the eye and said i forgive you, i am praying for you. i wish we could muster that kind of love for each other just a little bit what w >> coming up, the house oversight committee holds a second hearing on the opm data breach. then remarks by president obama on the change in hostage policy. then more on that with lisa monaco.
9:09 pm
>> on the next "washington journal," mc maldini discusses the charleston church shooting and debate over removing the confederate flag from the south carolina statehouse grounds. then paul tonko on whether the epa properly looked at power plant regulations. washington journal live every morning at 7:00 a.m. eastern on c-span. you can join the conversation on facebook and twitter. >> while congress is out for the july 4 break, book tv takes over crimes -- prime time on c-span2. wednesday, the digital age.
9:10 pm
thursday, biographies and memoirs. watch our special primetime edition of book tv starting monday at 8:30 p.m. eastern and tune in every weekend for the latest on nonfiction books. >> wednesday, the house oversight and government reform committee held its second hearing on the recent opm data breaches. katherine archuleta testified along with inspector general patrick mcfarland about the attack that may have compromised the records of 32 million people. this hearing, chaired by jason chaffetz, is almost four hours.
9:11 pm
morning. the oversight committee is coming to order. our hearing today is about the opm data breaches part 2. $529 billion, $529 billion is how much the federal government has spent on i.t. since 2008. roughly $277 million has been spent at the office of personnel management, roughly 80% of that money has been spent on legacy systems and we're in a situation here where the hurricane has come and gone and just now opm is wanting to board up the windows. that's what it feels like. this is a major, major security breach. one of the biggest if not the biggest we have ever seen. this demands all of our attention and great concern about what happened, how we're going to prevent it from happening in future and what are we going to do with the information now because there is no simple easy
9:12 pm
solution. but i can tell you, oftentimes it feels like one good trip to best buy and we could help solve this problem and would be a whole lot better than where we are today. there are a lot of questions that remain about what happened last month. and the uncertainty is very disconcerting to a host of people. and it's unacceptable to this committee and the congress. the most recent public reports indicate that many more american workers were affected by the breach than originally disclosed. federal workers and their families deserve answers on the scope of the breach and the types of personal information compromised. because of these outstanding questions we still don't understand the extent to which the breach threatens our national security. but the risk is significant. only the imagination limits what a foreign adversary could do with detailed information about a federal employee's education career, health family, friends and personal habits.
9:13 pm
i ask unanimous consent to enter into the record a letter from the federal law enforcement officers association. i want to read part of it. here are the concerns about the office of personnel management data breaches. our demands and list of questions remain unanswered. they represent the law enforcement officers from 65 agencies. opm turned its back on federal law enforcement officers when it failed to protect sensitive information from an inexcusable breach. it's a miscarriage of its obligations. the very lives of federal law enforcement officers are now in danger and their safety and security of innocent people including their families are now in jeopardy because of opm's failure and continued ignorance in the severity of the breach. the information lost includes personal financial, location information of these officers
9:14 pm
and their families leaving them vulnerable to attack and retaliation from criminals and terrorists currently and formerly investigated by the united states of america. without objection i'll enter this into the record. without a full understanding of the scope or the cost of the project. in fact the agency kept the project from the inspector general for more than a year. the ig determined opm's chief information officer quote initiated this project without a complete understanding of the scope of opm's existing technical infrastructure of the scale or cost of the effort required to migrate it to the new environment. end quote. because of these concerns the question is quote possibly making opm environment less secure and increasing the cost to taxpayers. they awarded a sole source contract without going through
9:15 pm
the process of complete competition. i would like to enter into the record without objection this article from the "washington post." this is may 13th. defense firm that employed drunk high contractors in afghanistan may have wasted $135 million in taxpayer dollars. these are the recipients of a sole source contract to try to help clean up this mess. they were formerly known as scientific corporation. they're now known as imperatis corporation. they have a good list of very impressive military personnel who are involved and engaged. maybe this is the right decision. but when it is a sole source contract it begs a lot of questions. no doubt we need to move fast but this organization has had a lot of problems in the past and it begs a lot of questions. not only is this a data security problem, we have a data management problem. it is unclear why so much background information related to security clearances was readily available on the opm
9:16 pm
system to be hacked. it is unclear to me why there is a need for sf 86 background information, the sf 86 is the standard form 86 what the employees fill out. why was this background information on the network if the applicant isn't currently being investigated? part of the reason we're in this mess is that a lot of the information that information and background checks that we're not engaging in was still on the system. if information isn't accessible on the network, it can't be hacked. if a security clearance isn't under investigation it's a best practice that others use and probably should have been used in this situation as well. we have to do a better job of anticipating our adversaries and protecting information from unnecessary exposure. one of the concerns is this legacy system that we're using
9:17 pm
is cobol. the language used is cobol. i would ask unanimous consent to enter into the record a "wall street journal" article from april 22nd 1963. cobol can help users cut cost when changing models government spurs process. 1963. i wasn't even born yet and that's the system that we're operating on in this day and age when technology is changing moment by moment minute by minute. without objection i enter that into the record. yesterday ms. archuleta stated that no one is personally responsible for the opm data breach and instead blamed the hackers. hackers certainly have a lot of culpability on their hands. there's no doubt that there are various actors that are going to be attacking the united states. we take numerous hits on a daily
9:18 pm
basis. but i disagree that nobody is to be held personally responsible. personal accountability is paramount. they are charged with the responsibility of carrying out their duty. as the head of the agency ms. archuleta is responsible for the security of the opm network and managing any risks. while she may have inherited a lot of problems she was called on by the president and confirmed by the senate to protect the information maintained by opm. during her confirmation in 2013 she stated that i.t. modernization would be one of our main priorities yet it took a security breach in march of 2014, five months after the confirmation to begin the process of developing a plan to fix the problem. that was just the beginning of starting to think of how to fix the problem. the shift in blame is inexcusable. i really hope we hear solid
9:19 pm
answers. it's not going to be good enough to say we'll get you that information. it's under investigation. there's a security -- no. we're going to answer questions. federal workforce, the people affected, they need to hear that. we're different. we're unique in this world because we're self critical and we do have hearings like this. i would also ask unanimous consent to enter two letters into the record. one was a flash audit done june 17th of this year from patrick mcfarland the flash audit information improvement project. without objection i will enter that into the record. i will ask unanimous consent to enter into the record the june 22nd response by the director of the office of personnel management, ms. archuleta and ask to enter that into the record without objection. so ordered. we also have some contractors
9:20 pm
here and we appreciate their participation. they have answers -- we have questions that need to be answered as well. we need their cooperation to figure this out. a lot of what was done by opm was contracted out. and there are very legitimate questions in particular that mr. cummings and others have asked and that's why i'm pleased to have them invited and participating as well. so it will be a full and robust committee hearing. we appreciate the participation. without objection the chair is authorized to declare a recess at any time. i should have said that without objections so ordered. should have said that at the beginning. now i would like to recognize the distinguished ranking member mr. cummings for his opening statement. >> thank you very much mr. chairman. this is a very important hearing and we're here today because foreign cyberspies are targeting millions of our federal workers.
9:21 pm
opm has made it clear that every month there are 10 million efforts to pierce our cyberspace. these folks are hacking into our data system to get information about our employees. private information about them their families, their friends and all of their acquaintances. and they may try to use that information in their espionage efforts against united states personnel and technologies. mr. chairman i want to start by thanking you. last week we held a hearing on cyberattacks against opm. and this morning we have an opportunity to hear from opm's two contractors who suffered major data breaches, usis and key point.
9:22 pm
some people in your shoes might have merely criticized the agency without looking at the whole picture. but you agreed to my request to bring in the contractors and you deserve credit for that, and i thank you. on monday night i received a letter from usis, representatives finally providing answers to questions i asked more than seven months ago, mr. giannetta. seven months ago. seven months ago. the letter disclosed that the breach at usis affected not only dhs employees but our immigration agencies, our intelligence community and even our police officers here on capitol hill. but it took them seven months.
9:23 pm
the night before the hearing, they give me that information. but not only to give me the information but members of congress that information. my immediate concern was for the employees at these agencies. and i hope that they were all alerted promptly. but there's no doubt in my mind that usis officials never would have provided that information unless they were called here to testify today. so i thank you again mr. chairman. i have some difficult questions for usis. i want to know why this company paid millions of dollars in bonuses to its top executives after the justice department sued the company for allegedly defrauding the american taxpayers of hundreds of millions of dollars.
9:24 pm
i can hardly wait for the answer. i want to know why usis used these funds for bonuses instead of investing in adequate cybersecurity protections for highly sensitive information our nation entrusted to it. mr. giannetta i want to know if you as the chief information officer of usis received one of those bonuses and i would love to know how much it was and what the justification for it was. i understand that you just returned from italy. welcome back. so this is probably the last place you want to be. i also understand you're leaving the company in a matter of weeks. but i want to know why usis has refused for more than a year to
9:25 pm
provide answers to our questions about the board of directors. mr. hess i also have different questions for you from key point. at last week's hearing i said one of our most important questions is whether the cyberattackers were able to penetrate opm's networks using information it obtained from one of its contractors. as i asked last week, did they get the keys to opm's networks from its contractor. yesterday director archuleta answered that question. appearing before the senate appropriations committee she testified and i quote the adversary leveraged a compromised key point user to gain access to key point.
9:26 pm
the weak link in this case was key point. mr. hess i want to know how this happened. i appreciate that opm continues to have confidence in your company. but i also want to know why key point apparently did not have adequate logging capabilities to monitor the extent of data that was stolen. why didn't you invest in these safeguards. mr. chairman, to your credit one of the first hearings you called after becoming chairman was on the risk of third-party contractors to our nation's cybersecurity. at that hearing on april 20th multiple experts explained that federal agencies are only as strong as their weakest link. if contractors have inadequate safeguards, they place our government systems and our government workers at risk. i understand that we have several individuals here sitting
9:27 pm
on the bench behind our panel of witnesses who may be called to answer questions if necessary. mr. jobe who is the cio of key point. thank you for allowing them to be here. as we move forward it is critical that we work together. we need to share information recognize what outdated legacy systems need to be updated and acknowledge positive steps when they do occur. above all, we must recognize that our real enemies are outside of these walls. they are the foreign nation states and other actors that are behind these devastating attacks. and with that i yield back. >> thank the gentleman. i'll hold the record open for five legislative days for any members who would like to submit a written statement. we're pleased to have
9:28 pm
representative barbara comstock. i ask you now to consent that our colleague from virginia be able to fully participate in today's hearing. no objection so ordered. we now recognize the panel of witnesses. i'm pleased to welcome katherine archuleta director of office of personnel management. we have patrick mcfarland, the office of personnel management, ms. donna seymour, chief information officer of the office of personnel management ms. ann barron -- help me here -- dicamillo, emergency readiness team at the united states department of homeland security. mr. eric hess is the chief executive officer of key point government solutions and mr. rob giannetta is the chief information officer at usis. all witnesses are to be sworn
9:29 pm
before they testify. so if you will please all rise and raise your right hand. do you solemnly swear or affirm that the testimony you're about to give will be the truth, the whole truth and nothing but the truth? thank you. let the record reflect that all witnesses answered in the affirmative. in order to allow time for discussion, please limit your verbal testimony to five minutes and obviously your entire written statement will be made part of the record. we will start first with the director of the office of personnel management ms. archuleta first. you're now recognized for five minutes. >> chairman ranking member cummings and members of the committee, thank you for the opportunity to testify before you again today. i understand and i share the concerns and the frustration of federal employees and those affected by the intrusions into
9:30 pm
opm's i.t. systems. although opm has taken significant steps to meet our responsibility, to secure personnel data of those we serve, it is clear that opm needs to dramatically accelerate those efforts. as i testified last week, i am committed to a full and complete investigation of these incidents. and we continue to move urgently to take action to mitigate the long standing vulnerabilities of the agency's systems. in march of 2014 we released our plan to secure the aging legacy system. we began implementing the plan immediately and in fiscal years 2014 and 2015 we directed nearly $70 million towards the implementation of new security
9:31 pm
controls to better protect our systems. opm is also in the process of developing a new network infrastructure environment to improve the security of opm infrastructure and i.t. systems. once completed, opm i.t. systems will be migrated into this new environment from its current legacy networks. many of the improvements have been to address critical immediate needs such as security vulnerabilities in our network. these upgrades include the installation of additional firewalls, restriction of remote access without two-factor authentication, continuous monitoring of all connections to ensure that legitimate connections have access and deploying anti-malware software to prevent the cyber crime tools that could compromise our net
9:32 pm
works. these improvements led us to the discovery of the malicious activity that had occurred and we were immediately able to share the information so that other agencies could protect their networks. i also want to discuss data encryption. opm does currently utilize encryption when possible. i've been advised by security experts that encryption in this instance would not have prevented the theft of this data because the malicious actors were able to steal privileged user accounts and credentials and could decrypt the data. our i.t. security team is actively building new systems with technology that will allow opm not only to better identify intrusions but to encrypt even more of our data. in addition to new policies that were already implemented to
9:33 pm
centralize i.t. security duties under the cio and to improve oversight of new major systems development, the i.t. plan recognized that further progress was needed and the oig's '14 report credited opm for progress in bolstering our security process and procedures and for committing critical resources to the effort. with regard to information security governance the oig noted that opm implemented significant positive changes and removed its designation as a material weakness. this was encouraging as i.t. governance is a pillar of the strategic i.t. plan. regarding the weaknesses found with authorization the oig has recommended that i consider shutting down 11 out of the 47 opm i.t. systems because they did not have current and valid authorization. shutting down systems would mean that retirees could not get paid
9:34 pm
and that new security clearances could not be issued. of the systems raised in the 2014 audit 11 of those systems were expired. of those one, a contractor system is presently expired. all of the systems raised in the '14 audit have been extended or provided a limited authorization. opm is offering credit monitoring services and identity theft information with csid for the approximately 4.2 million current and former civilian employees. our team continues to work with them to make the online sign-up experience quicker. they're expanding staffing at call centers. i've taken steps to ensure that greater i.t. restrictions are in place even for privileged users.
9:35 pm
that includes removing remote access for privileged users and requiring two-factor authentication. we're looking into further protections such as tools that mask and redact data that would not be necessary for a privileged user to see. i want to share with this committee some new steps that i'm taking. first, i will be hiring a new cybersecurity adviser that will report directly to me. that cybersecurity adviser will work with opm's cio to manage ongoing response to the incident complete development of the plan and assess whether long term changes to the architecture are needed to ensure that its assets are secure. this individual is expected to be serving by august 1st. second, to ensure that the agency is leveraging private sector best practices and expertise, i'm reaching out to chief information security
9:36 pm
officers at leading private sector companies that experience their own significant cybersecurity challenges and i will host a meeting with these experts in the coming weeks to help identify further steps the agency can take. as you know, public and private sectors both face these challenges and we should face them together. i would like to address now the confusion regarding the number of people affected by two recent related cyber incidents at opm. first, it is my responsibility to provide as accurate information to congress, the public and more importantly the affected individuals. second, because this information and its potential misuse concerns their lives, it is essential to identify the affected individuals as quickly as possible.
9:37 pm
third, we face challenges in analyzing the data due to the form of the records and the way they are stored. as such i have deployed a dedicated team to undertake this time-consuming analysis and instructed them to work, make sure their work is accurate and completed as quickly as possible. as much as i want to have all of the answers today, i do not want to be in a position of providing you or the affected individuals with potentially inaccurate data. with these considerations in mind i want to clarify some of the reports that have appeared in the press. some press accounts have suggested that the number of affected individuals has expanded from 4 million individuals to 18 million individuals. other press accounts have asserted that 4 million
9:38 pm
individuals have been affected in the personnel file incident and 18 million individuals have been affected in the background investigation incident. therefore, i am providing the status as we know it today and reaffirming my commitment to providing more information as soon as we know it. first, the two kinds of data that i am addressing, personnel records and background investigations were affected in two different systems in the two recent incidents. second the number of individuals with data compromised from the personnel records incident is approximately 4.2 million as reported on june 4th. this number has not changed and we have notified those individuals. third, as i have noted we continue to analyze the
9:39 pm
background investigation data as rapidly as possible to best understand what was compromised and we are not at a point where we are able to provide a more definitive report on this issue. that said, i want to address the figure of 18 million individuals that has been cited in the press. it is my understanding that the 18 million refers to a preliminary unverified and approximate number of unique social security numbers in the background investigations data. it is a number that i am not comfortable with at this time because it does not represent the total number of affected individuals. the social security number portion of the analysis is still under active review and we do not have a more definitive number. also, there may be an overlap between the individuals affected in the background incident and
9:40 pm
the personnel file incident. additionally we are working deliberately to determine if individuals who have not had their social security numbers compromised but may have other information exposed should be considered individuals affected by this incident. for these reasons i cannot yet provide a more definitive response on the number of individuals affected on the background investigations data intrusion. and it will -- it may well increase from these initial reports. my team is conducting this further analysis with all due speed and care. and again i look forward to providing an accurate and complete response as soon as possible. thank you, mr. chairman for this opportunity to testify to you today and i'm happy to be here, along with my cio, to address any questions you may
9:41 pm
have. >> thank you. mr. mcfarland you are now recognized for five minutes. >> chairman, ranking member cummings and members of the committee. good morning, my name is patrick mcfarland and i'm the director of the office of personnel management. thank you for inviting me to testify here. i would like to note to my colleague, the deputy inspector general is here with me. with your permission, he may assist in answering technical questions. in 2014 opm began a massive project to overhaul the i.t. environment by building an entirely new infrastructure called the shell and migrating all of its systems to the shell. before i discuss the recent examination of this project i would like to make one point. there have been multiple statements made to the effect that this complete overhaul is necessary to address immediate security concerns because opm's
9:42 pm
current legacy technology cannot be properly secured. this is not the case. there are many steps that can be taken or indeed which opm has already taken to secure the agency's current i.t. environment. i just wanted to emphasize that while we agree that this overhaul is necessary, the urgency is not so great that the project cannot be managed in a controlled manner. last week my office issued a flash audit alert discussing two significant issues related to this project because my written testimony describes these issues in detail, i will give only a summary for you this morning. first we have serious concerns with how the project is being implemented. opm is not following proper i.t. project management procedures and does not know the true scope
9:43 pm
and cost of this project. the agency has not prepared a project charter, conducted a feasibility study or identified all of the applications that will have to be moved from the existing i.t. infrastructure to the new shell environment. further, the agency has not prepared the mandatory omb major business case formally known as exhibit 300. this is an important step in the i.t. project and the proper vehicle for seeking approval and funding from omb. it is also a necessary process for enforcing proper project management techniques. because opm has not conducted these very basic planning steps, it does not know the true cost of the project and cannot provide an accurate time frame for completion. opm has estimated that this
9:44 pm
project will cost $93 million. however the amount only includes strengthening the agency's current i.t. security posture and the creation of a new shell environment. it does not include the cost of migrating all of opm's almost 50 major i.t. systems and numerous subsystems to the shell. this migration will be the most costly phase of this project. even if the $93 million figure was an accurate estimate, the agency does not have a dedicated funding stream for the project. therefore, it is entirely possible that opm could run out of funds before completion leaving the agency's i.t. environment more vulnerable than it is now. opm also has set what i believe to be an unrealistic time frame for completion. the agency believes it will take 18 to 24 months to migrate all of its systems to the shell.
9:45 pm
it is difficult to imagine how opm will meet the goal when it does not have a comprehensive list of all of the systems that need to be migrated. further, this process is inherently difficult and there are likely to be significant challenges ahead. the second major point discussed in the alert relates to the use of sole source contracts. they've got a single source vendor. unless there's an exception, federal contracts must be subject to full and open competition. however there's an exception for compelling and urgent situations. the first phase of this project, which involves securing opm's i.t. environment was indeed such a compelling and urgent situation. that phase addressed a crisis namely the breaches that occurred last year. however the later phases, such as migrating the applications in the new shell environment are
9:46 pm
not as urgent. instead they involve work that is essentially a long term capital investment. opm should step back, complete its assessment of the opm architecture and develop a major i.t. business case proposal. when omb approval and funding has been secured, they should move forward with the project. opm cannot afford to have this project fail. i fully support opm's effort to modernize the environment and the director's long term goals. however if it is not done correctly the agency will be in a worse situation than it is today and millions of taxpayers will have to be -- many -- and millions of taxpayer dollars will have been wasted. i'm happy to answer any questions you may have. >> thank you. ms. seymour, was your statement
9:47 pm
with ms. archuleta or do you have one yourself? >> it was with the director, thank you sir. >> i would ask unanimous consent to enter into the record a letter that was given to us this morning from the office of personnel management dated today, signed by ms. archuleta dealing with the number of records. without objection, we'll enter it into the record. we'll now recognize ms. barron-dicamillo for five minutes. >> good morning. my name is anne barron-dicamillo. i appear here to talk. dr. andy ozment is here with me to answer any questions. like many americans, i too am a victim of these incidents and concerned about the continued cyber incidents at numerous government and private sector
9:48 pm
entities. i understand the scope and the problem we face and the challenges in securing critical networks. cybersecurity is a true team sport. there are many agencies responsible including the intelligence community, law enforcement, the department of homeland security as well as individual system owners and individual end users as well. my organization within dhs is part of the national cybersecurity center. we focus on analyzing the risks, sharing information about responding to significant cyber incidents. we work with trusted partners around the world and focus on threats facing the government and critical sector networks. our role is largely voluntary. we build and rely upon trusted relationships to share
9:49 pm
information and respond to incidents. when an entity believes they've been a victim of a significant cyber incident, they invite us to help them assess the scope of the intrusion as well as provide recommendations on how they can mitigate the incident and improve their security posture. our current involvement with opm began in march of 2014 when they learned there was a potential compromise within the opm networks. from march to may, we were part of the team that remediated the intrusion. throughout that time we shared information that we had learned about the intrusion with our governmental partners as well as private sector partners so they could better protect themselves. on may 28, 2014, the interagency response team concluded that the malicious actor in question from that event had been removed from the network.
9:50 pm
we also provided opm with recommendations on what steps they could take to increase their security. there is no silver bullet or magic solution. most government agencies and their private sector counterparts are making up for years of underspending on security as part of information technology development. the internet was designed with ease of use rather than security in mind. the status of opm networks in may of 2014 was not unlike other similarly situated agencies. opm did some things well and was weak in other areas. i understand that opm had at the time under its new leadership started an effort to improve its cybersecurity. the incident report for opm included several recommendations, some of which could be implemented quickly and others of which would take longer. opm made a concerted effort to adopt the recommendations beginning last summer. it was opm who in april of 2015
9:51 pm
discovered the new intrusion. this is how the malicious access to opm data at the data center was discovered. this newly discovered threat information was also quickly shared by us with our private sector partners and other trusted partners around our communities. the interagency response team has been working with opm since april of 2013 to assess the scope and nature of the incident. there are a few things i can share. we were able to use the einstein capability to detect the presence of malicious activity on the department of interior data center which houses the opm personnel records. further on-site investigation revealed that some personal information was compromised. this is the 4.2 million number
9:52 pm
that director archuleta referenced today. as a result of what we learned from the april 2015 investigation, opm continued to conduct forensic investigations into its own environment. in that process opm discovered evidence of an additional compromise on its own network. we then led an interagency response team to assess opm's networks and in june found that background investigation data had been exposed and possibly exfiltrated. that's currently under investigation. we learned at the time that they had precluded further access. the protective measures may have mitigated any continued effects of the intrusion. the work is ongoing and we continue to assess the scope of the potential compromise. although i'm appearing today ready to provide information, i do so with some concern. we rely on voluntary cooperation from agencies and private
9:53 pm
entities who believe they may be victims. i worry that us appearing in front of this committee will have a chilling effect on their willingness to notify us and the whole of government of future incidents. we need private companies to continue to work with government and share information about cyber threats. thank you. i look forward to your questions. >> mr. hess, you're now recognized for five minutes. >> thank you chairman, ranking member cummings. i'm president and chief executive officer of key point government solutions. since 2004 key point has provided field work services for the background investigation to a number of federal agencies including the office of personnel management. we employ investigators in every state proud to be part of opm's team helping to ensure that the security investigations it
9:54 pm
conducts are thorough, detailed and consistent. we take issues of cybersecurity very seriously and as a contractor providing critical services across the federal government, we stand in partnership with the federal government in trying to combat ever present and ever changing cyber threats. we're committed to the highest levels of protections. the recently announced breach of the opm is the focus of this hearing. i would like to make clear that we see no evidence suggesting that key point was in any way responsible for the opm breach. there are recent media reports suggesting that the incursion into the opm is what breached. there is no evidence that key point was responsible for that breach. press reported that hackers stole opm credentials assigned to a key point employee and leveraged them to access opm's
9:55 pm
systems. there is no evidence suggesting that key point is responsible for or directly involved. the employee was working on an opm system not a key point system. i know that throughout the hearing, the incursion of the key point system discovered last september will be discussed. key point has continuously maintained its authority to operate (ato) from opm and dhs. this means that we met the stringent information and security requirements imposed under our federal contracts. key point only maintains information that is required. we like government agencies face aggressive, well funded and ever evolving threats. let me say a few words about the earlier incursion of key point. in december of 2013 the washington post noted that it
9:56 pm
would notify 48,000 federal workers that their personal information may have been exposed. i emphasize the word may because in the report after the extensive analysis of the incursion, we find no evidence of exfiltration of personal data. last august following public reports of that data security breach at another federal contractor providing background checks donna seymour asked key point to invite the us-cert to test key point's network and key point agreed. the department of homeland security and technical services conducted risk vulnerability tests including internal maps. they provided a number of findings at the end of the engagement which were resolved while the team was on site as
9:57 pm
well as recommendations for the future. while they found issues, they were resolved and the team found no malware on key point's system. however then in september the hunt team informed key point that it had found indications of sophisticated malware undetectable. the team provided key point with mitigation recommendations to remove the malware from our environment and other recommendations for hardening its network to prevent future compromises. key point immediately began implementing the issues identified by u.s. cert, and concluded the malware was not functioning correctly and because of errors. i recently attended a classified briefing at opm where i learned
9:58 pm
more about the opm breach and in an open setting i cannot go into details presented in that briefing however i can reiterate we have seen no evidence between the incursion of key point and we are always striving to make sure our defenses are as strong as possible. we have also been working closely with opm to improve our information security posture in light of the new advanced persistent threats. we have been working diligently to make our systems more resilient and stronger by implementing the recommendations and a number of the most significant improvements have been full deployment of the authentication, and enhanced intrusion detection systems and network information and improved network segmentation and many more. we have been working with all of our customers to update our
9:59 pm
atos, and this includes an audit from an independent party. we will continue to fortify protections of our systems. our adversaries are constantly working to make new attacks against our systems. while it may be impossible to eliminate the threat of a cyber attack we will continue to evaluate our protections. thank you for drawing attention to this critical issue and allowing key point to share its perspective. >> thank you for your testimony. mr. giannetta, we will now recognize you for five minutes. >> thank you. my name is robert giannetta, and i am currently the chief investigation officer.
10:00 pm
i joined in august of 2013, and before then i was with bae systems and served in the united states navy. until august 2014 usis performed background investigation work for the united states office of personnel management. when i started working at usis, they would perform background investigation work and were operating under two security systems which were issued from opm in 2012. those authorities to operate required annual review of the systems and opm's 2014 review included approval of the systems security plans and a site visit in may of 2014. in june 2014, usis immediately notified opm and initiated the
10:01 pm
comprehensive response plan per response to the plan. usis's responses included the investigations firm to lead the investigation and remediation efforts. usis instructed them to leave no stone unturned in their investigation, and they invested thousands of personnel hours and dollars to remediate the attack. those efforts succeeded in blocking the attacker. the straws investigation was also able to develop significant technical details about how the attack occurred, what the attacker did within the systems and when data was compromised. this was shared with opm and other government agencies.
10:02 pm
in addition usis invited investigators in and gave them full access. they ordered a stop work order and terminated the long-standing contractual relationship with the company. this led usis to bankruptcy. just yesterday i was invited to testify before the committee and i will do my best to answer any questions you may have. >> i recognize myself. ms. archuleta, you have personally identifiable information for how many federal employees and retirees? >> we have -- >> move your microphone closer, please. >> we have 2.7 individuals who are full-time employees and 2.4 -- >> no i asked you -- you have
10:03 pm
personally identifiable information for how many employees and retirees? >> the number i just gave you includes the number of employees and retirees and personally identifiable information within the files depends on whether they have had a background investigation or whether -- >> how many records do you have? this is what i am trying to get at? >> i will ask mrs. seymour -- no come on you are the head of the agency and i want to ask you how many heads are at play here. >> i will get back to you -- >> no, no, this is what you wrote to the appropriations chairman to the house and senate that will. you wrote as a proprietor of sensitive data including personally identifiable information for 32 million federal employees and retirees, opm has an obligation to maintain and maintain cyber
10:04 pm
controls. you wrote that in february. are you here to tell me that information is all safe or is it potentially 32 million records that are at play here? >> as i mentioned to you earlier in my testimony mr. chairman, we are reviewing the number and the scope of the breach and the impact -- >> so it could be as high as 32 million? is that right? >> i mentioned to you, i will not give a number that is not completely accurate and as i mentioned in my testimony -- >> i am asking you for a range. we know it's a minimum of 4.2 million, but it could be as high as 32 million? >> i am not going to give you a number that i am not sure of. >> when they fill out the sf86, that would include other people identified within those forms, correct? >> that's correct, sir. >> do we know on average how many people are identified if you fill out an sf86, how many
10:05 pm
people -- >> i don't believe anybody has calculated an average. >> are you taking a look i am asking if you will take a sampling of records and understand how many other people are identified in those records. if you have 32 million employees and former employees in your database and they are also identifying other individuals i would like to know on average how many people that is. is that fair? >> we are not calculating on average, we are calculating on a very distinct and accurate number. >> when you ask for $32 million more in your budget request it was because you had 32 million employees identified and former employees, correct? >> that -- the number of employees that we have yes, we are asking for support for our
10:06 pm
cyber security -- >> do you have a complete inventory of databases and network devices -- >> we have as complete inventory as we can, sir. that changes on a daily basis? >> changes on a daily basis? you don't have it, do you mr. mcfarland says it's not complete. >> his ig report was done in 2014. we have made significant progress in our i.t. program since then and we know where those are and we know the pii in them. >> to my members of the committee here we have to move quickly, just having an inventory of what is at play here is key and the inspector general does not believe you when you say that. ms. archuleta in 2014, opm
10:07 pm
became aware of an attack on its networks. i would like to enter into the record, a chinese attack, 2014. did it result in a breach of security? >> on the march 2014 opm network the adversary activity the data to that number none was lost. >> i asked if there was a breach in security? >> there was activity that dated back to november of 2013 and with the forensics of that information, we found no pii was lost. >> i am asking you a broader question. did they have access to the
10:08 pm
personally identifiable information? >> i am not a forensic expert but we have the forensic team with us right here on this panel. >> in your perception from your understanding did they have access to the personnel information? >> we know there is adversarial activity that dated back to november of 2013, and i also know that no pii was lost. >> no that's a different question. the question i asked is did they have access? whether they exfiltrated it is a different question. >> i said there was adversarial activity. >> did it result in a breach of security in your opinion? is that a breach of security? >> that's a breach of our systems, yes. >> is that a breach of your
10:09 pm
security? >> with the security systems, yes. >> so yes, it was a breach of security, yes? >> they were able to enter our systems. the security tools that we had in place at that time were not sufficient to fight back and we have since instituted more and that's why in april of this year we were able to -- >> okay but at the time at the time it was a breach of security, right? >> yes there was a breach into our system. >> was there any information lost? >> as i just said to you there was no pii lost. >> that's not what i asked you. i asked did you lose any information? >> you would have to ask the forensic team? >> i am asking if you know if any information was lost? >> i will get back to you. >> i believe you have this information. >> you believe i have the information? >> yes.
10:10 pm
>> did they take information when they broke into the system? >> no pii -- >> that's not what i asked you. we will take as long as you want here. i did not ask if they exfiltrated pii i am asking you did they take any other information? >> i will get back to you -- >> i know you know the answer to this question. ms. seymour, did they take any other information? >> in the march 2014 incident, the adversaries did not have access to data on our network and they did have access to documents and they did take documents from the network. >> what were those documents? >> outdated security documents about our systems and manuals about our systems? >> what kind of manuals? >> about the servers and environment? >> is that like a blueprint for
10:11 pm
the system? >> that would give you enough information that you could learn about the platform, the infrastructure of our system, yes. >> did they take any personnel manuals? >> no. >> they took some manuals about the way we do business. they did not take personnel manuals, and we may not be defining that the same way. >> but they did take information? >> yes, they did. >> do you believe it was a breach of security? >> yes i do. >> so ms. archuleta when we rewind the tape and look at the interview you did on july 21st you said we did not have a breach in security and there was no information that was lost. that was false, wasn't it? >> i was referring to pii. >> no you weren't. that was not the question. that was not the question. you said and i quote there was
10:12 pm
no information that was lost. is that accurate or inaccurate? >> the understanding that i had of that question at that time referred to pii. >> it was misleading and a lie and was not true. when this plays out we're going to find that this was the step that allowed them to come back and why we are in this mess today, it was not dealt with and you were misleading and went on television and told all the federal employees don't worry, no information was lost. did they have access to the personal information, ms. seymour? >> no, at that time they did not have access to the personal information? >> they may not have taken it, but did they look at it? >> at that time they did not have access. i want to talk to you mr.
10:13 pm
mcfarland and i wanted you to hear me, listen to me very carefully. there have been, after our last hearing on this subject members on both sides wanted to ask for ms. archuleta's resignation and i ask that we not do that but we have this hearing so we could clear up some things, and because i wanted to make sure that we all are hearing right and we are being fair. this is my question. you have one opinion and ms. archuleta, director archuleta and ms. seymour have another opinion. you seem to say they need to do
10:14 pm
certain things in a certain order, and they say they think the order that they are doing them in is fine. they say they can do certain things in a short time and you say it's going to take longer. you also say they don't have the necessary stream of funding they may need. this is what i want to know. is this a difference of opinion with regard to experts? do you understand what i am saying? you have your set of experts and they have their set and do you deem it a difference of opinion? the reason why i mentioned from the very beginning about the desire of certain members of our committee to ask for ms. archuleta's dismissal is because i want you to understand how significant that answer is, because there are some members that believe that you have made
10:15 pm
recommendations and that those recommendations had been simply disregarded. can you help us with that mr. mcfarland? do you understand my question? you look confused. don't be confused. i can't hear you. >> i always look that way. >> okay, good. you always look that way. okay, go ahead. >> i am not confused, no, but it's a very difficult question. >> but it's a very important question. >> absolutely. of course it's a difference of opinion, but the opinion that i have comes from auditors who are trained to look for the things that they reported on and they did, in my estimation as normal and usual an excellent job. they stand behind their findings. i stand behind their findings. >> but is it just a difference
10:16 pm
of opinion? >> well, it's obviously a difference of opinion without question, and from my perspective ours is based on auditing and questioning and understanding the situation and that's where we come up with our answers. >> you heard ms. archuleta give a whole list of things that she is doing or about to do i think, naming a new cyber officer and whatever and does that satisfy you as far as your concerns are involved? >> no, it doesn't satisfy me as far as our concerns. we have a whole suitcase of concerns. we have identified on our reports. i think that the best way to
10:17 pm
explain your answer to that question is that we -- we are i guess, very frustrated that we asked answers of opm and it takes a long time to get the answers. we ask definitive questions and we don't necessarily get definitive answers. we know for a fact that the things that we have reported are factual. we don't take a backseat to that at all. our people have done this for a long time they know what they are doing but, yes it comes out to a difference of opinion, but ours is based on fact. i can't speak for the other side. >> all right.
10:18 pm
your company has a lot to answer. according to the justice department, usis perpetrated a multimedia fraud, and they failed to protect sensitive information of tens of thousands of federal employees, including people in the intelligence community and even the capitol police, and altegrity doled out bonuses. last week the committee invited the altegrity chairman to testify. do you know what he said? >> i do not. >> i will tell you. he said, no, he refused. in 2014, a team from department
10:19 pm
of homeland security, asked altegrity if they could scan the networks because the cyber spies were able to move from usis to those other subsidiaries. do you know how they responded? >> i understand they declined. >> yes, they refused. altegrity is your parent company. who made the decision to refuse the government's request? >> i don't have that information. i am not aware of who made that decision. it certainly was not me. >> can you find out for me? >> i can ask. >> how soon can we get that information? >> i will take it back to counsel and see what we can do. >> i would ask you to get it to us in the next 24 hours. i would like to have that. i have been trying to get it for
10:20 pm
a long time. i would like for you to tell the committee the names of specific members of the board. >> i interact almost never with the board of directors. >> you are about as close -- we have been trying to get the information for a while. you are all we got. i know you are just back from vacation from italy. did you get a bonus by the way? >> i did. >> oh, my goodness. how much did you get? >> i don't recall the exact amount. >> it was in the neighborhood of $95,000. >> your company also refused to provide answers in a hearing in 2014. do you know what your company representative said when the committee attempted to get these answers? >> i am not in that communication chain, so i don't. >> let me tell you. they sent an e-mail to our staff
10:21 pm
and i quote, the company does not anticipate making a further response, end of quote. do you know -- would you know why they would say that? >> again i am the chief information officer at usis, and i don't know. >> sounds arrogant to me. the same question i asked back in february of 2014, more than 16 months ago name the board of directors that decided not to answer those questions, you wouldn't know that either? >> i don't know the board of directors. i know the chairman is steve duh leash. >> you are still working for usis is that right? >> how long will you be there? >> indeterminate but in the next month or so i will be departing. >> will you try to get me those
10:22 pm
names? >> i will take your request back to the appropriate people. >> thank you. we recognize the gentleman from florida. >> thank you, mr. chairman. ms. archuleta there has been a discussion today about how many peoples' federal employees and retirees have been breached and you testified at the beginning, you estimated about 2.4 million, is that correct? >> it was 4.2 -- >> 4.2 in personnel? half of that is retirees and that's 2.4 and then you add -- >> i don't know exactly, but it's about half and half. >> the second figure you started to debate about was 18 million which has been reported by the media, and that would deal with breach of social security
10:23 pm
numbers? >> the analysis right now is taking a look at all the pii because pii comes in various forms -- >> but you are not prepared to tell us how many -- >> no, sir. >> of the social security numbers are breached. the chairman pointed out your statement in february, you had said over 32 million records? >> that was the number he used yes. >> so you really don't know, then, how many records have been breached beyond the 4.2? >> no, sir that's the investigation we are doing right now. >> i thought about this a little bit and i thought, well, first thing, were my records breached my staff, and then thinking about the other people downtown and the agencies and we have a responsibility to protect their personal information, and over the weekend in fact monday i
10:24 pm
spoke the day at an embassy being briefed on a bunch of issues, and then brought to my attention was people in sensitive positions that they were notified by you all a breach of their records. so our overseas personnel in sensitive positions have also been subject to the breach correct? >> employee personnel records -- >> how much data is there? address, and personal information about these individuals. you think a little bit about people in the glass places here and you want everybody safe. i was stunned to find out that some of the people, united states citizens serving overseas were notified that their personnel records have been breached and information is available on them and they are
10:25 pm
in possible situations that could be compromised by that information, but you have notified them, right? >> we have notified the 4.2 million -- >> those are the people. they mentioned this to me. i was there on other subjects, but they expressed concern -- >> i am as concerned as you are about this because these are the individuals who have been -- whose data -- >> these people are on the front line, and they are overseas and representing us and i could hear concern in their voice about what has taken place. i have read it's chinese hackers, does anybody know? was it the chinese? do we know for sure? do you know for sure? >> that is classified information, sir. >> so you have some idea but it's classified? >> it's classified and i can't comment here. >> whether it's chinese or some
10:26 pm
group that could give this information to people who would want to do harm, then that means some of those people to me are at risk? >> sir, every employee is important to me, not whether they are serving in kansas city or overseas. >> no but yesterday morning before i left i visited a site of a terrorist act in one of the capitals and i saw well that place still had not been open and it has been months since that terrorist attack and our people are over there on the front lines and their information has been compromised. you have been there the longest ms. barron-dicamillo. >> what was that? >> you have been in position since 2012 at opm? >> no i work for department of homeland security. >> but you are responsible for
10:27 pm
overseeing opm's -- >> dhs is a shared cyber security, and we are working with partners and we work with them protecting the boundaries -- >> when did we first find out about the breach? >> it was notified by a third-party partner to us in march of 2014. >> 2014. so when you came on ms. seymour, about 2014? >> i came onboard in december of 2013 sir. >> so you were there. they talked about his bonus. are you ses? >> yes. >> did you get a bonus, too? >> yes, sir, i did. >> how much? >> i do not know the exact amount but i believe it was about $7,000. >> whether you were private or public, you were getting a bonus while some of this was going on. >> we will recognize the gentle woman from new york for five minutes.
10:28 pm
>> thank you. i am trying to get this straight. opm was breached directly, is that correct? i will ask ms. seymour opm was breached twice? >> that's correct. >> and one occurred in december of 2014 detected in april of 2015, and then the security breach -- when were the two breaches? when were the two breaches, the dates? >> the first opm breach goes back to -- we discovered it in march of 2014 and the breach actually -- but the breach actually occurred in -- >> you discovered it in march 2014. >> yes, ma'am, and the breach actually occurred -- the
10:29 pm
adversary had access as of november of 2013. >> and then the second breach was when? two breaches, correct? >> that's correct, ma'am. the second breach we discovered in april of 2015, and the date that that breach goes back to is act of 2014. -- i am sorry, june of 2014. >> who discovered this breach? how did opm discover this breach? >> the first breach we were alerted by dhs. >> so you did not discover it, the department of homeland security discovered it? >> yes, ma'am. >> the second one, who discovered it? >> opm discovered it on its own in april of 2015 and by then we
10:30 pm
put significant security measures in our network. >> now when did you report these breaches? who did you report them to? >> on april 15th when we discovered the most recent breach we reported that to us-cert. >> who? >> the computer emergency readiness team. >> did you report it to congress? >> we reported it to the fbi and made the notification to congress as well. >> that was the april 15th one. what about the first one? >> for the first breach, again, dhs notified us of that activity in our network and so they already knew about that one, and yes, ma'am we made notifications to congress of that one as well.
10:31 pm
>> when? >> i am sorry, ma'am i don't have that date in my notes. i would be happy -- >> could you get it back to the committee for us. did you notify the contractors of the breach? >> at the first breach there was not an awareness that -- of what the adversaries were targeting and this may go beyond opm. i know our staffs at -- my staff, my security staff, had conversations with the contractor organizations and i know the indicators of compromise that dhs had were provided to other government
10:32 pm
organizations, were put into einstein as well as they have communications that they would -- >> but the breaches were direct. now, i want to understand the interaction with the contractors. now, when they breached you, did it go into opm? i am asking you both. when they went into that system did that connect to opm or was it held within your system? >> it was held within -- the intrusion of 2014, it was within our systems. >> within your systems? so the four identities they have and information they have, it came from opm or the contractors? are they one and the same or separate? i will go back to ms. seymour? >> these are separate incidents so with the breach at usis, the way opm does business with its
10:33 pm
contractors is different from the way other agencies may do business with keypoint and usis, so there were approximately 49,000, i believe it was, individuals we notified based on the keypoint incident and there were other agencies that made notifications based on the other incidents. the 4.2 number you are getting is about the personnel records, the incident at opm -- >> what i would like to get in writing is exactly what information came out of opm and what information came out of the contractors? is it one and the same? you are the final database so i want to understand the connection and how the breaches occurred and how they interconnect.
10:34 pm
i want to remind you you are under oath and i have a series of questions to follow up to carolyn maloney's questions. it was reported in the wall street journal a company says they were involved in discovering the breach that apparently has been, according to the article, linked to chinese hackers. opm's press secretary said the assertion that cytech was somehow involved them -- ms. seymour, do i have your attention? they said they were invited in by opm and their equipment was run on opm and their equipment indicated there had been an
10:35 pm
intrusion of your system and they notified you but your response officially from opm is that it's inaccurate and they were not involved, and ms. archuleta, you said they were not involved. i remind you both you are under oath, so do you want to change your answer? >> no, they were not. >> no, they were not. >> reminding you again you are under oath, were they ever brought in to run a scan on opm's equipment? >> it was engaged and we looked at using their tool in our network, and it's my understanding we gave them some information to demonstrate whether their tool would find information on our network and in doing so they did indeed find those indicators on our network.
10:36 pm
>> thanks, ms. seymour. the ceo and vice president of technology officer came in and briefed the staff and they relate they were given access and ran their processes and they discovered it, and previously it was denied they had involvement. what exactly did cytech do? were they given access to your system and run it on your system? >> here is what i understand, sir. opm discovered this activity on its own. >> that was not the question, ms. seymour. i am assuming you would have a greater understanding, that you would know, considering you are the chief information officer and you are testifying before us how it happened and there already has been a news article, so tell us clearly what access was cytech given to your system. >> i am trying to explain how they
10:37 pm
had access. opm discovered the breach and we were doing market research and we purchased licenses for their tool. we wanted to see if that tool set would also discover what we had already discovered. yes, they put their tools on our network and yes they found that information as well. >> so you were tricking them, and you already knew it and said shazam you got it too. seems highly unlikely don't you think? >> we do a lot of research before we decide what tools we will buy for our network? >> at that point you had not removed the system from your system? you knew it was there and you brought them in and their system found it too which means it was continuously running and the personnel information was still at risk? >> no, we had latent malware on our system that we were watching and quarantined. >> so it was no longer operating? >> that's correct.
10:38 pm
>> okay. clearly you are going to have to give us an additional briefing and the intel committee staff exactly how you did this because cytech is relating what they did and it's compelling and quite frankly what you say sounds highly suspicious, that you brought them in and tricked them to see if they could discover it, something you already discovered, and why would you need them if you already discovered it and further tricked them to say you don't have the system on your system anymore, and it contradicts in so many ways it defies logic. your sf-86 form was compromised. you sound like it's minor. but this is the form, and this is what they have to fill out. their social security number is all over this. in my community there are a
10:39 pm
number of people who had to fill it out to be able to serve their country. what are you doing about the additional information in the form and being released and is out there about the individuals? >> i filled out exactly the same form -- >> i didn't ask that. it's not just about identity theft. this is not just their credit cards and checking accounts. what are you doing about the rest of the information that is in here about counseling them and assisting them? >> i just used that by way of example, i understand what is in the form. personally and as the director of opm, and because at opm, as you know, we do federal background investigations and i am clearly aware of what is in the form. as i mentioned in my testimony, we are working with a very dedicated team to determine what information was taken from those forms and how we can begin to notify the individuals who were affected by that. that form is very complicated and that is why i am very very
10:40 pm
careful about not putting out a number that would be inaccurate. that is a complicated form with much information. it has pii and other information so we want to be sure that as we look at how we protect the individuals that completed those forms that we are doing everything we can and we are looking at a wide range of options to do that. this is an effort that is working together throughout government and not just opm. we are concerned about the data lost as a result of the breach by the hackers that were able to come into our systems. i will repeat again, but for the fact that we found this, this malware would still be in our systems. >> chairman i want to thank them for acknowledging that cytech did have involvement even though they previously denied their
10:41 pm
involvement. i have a question for ms. barron-dicamillo, but first i want to ask ms. archuleta, members have been concerned about this 4.2 million number that you have tried to straighten out for the record. that's not a final number and it almost surely will go up. is that the case? >> there are two incidents. >> i understand that. >> in the first incident that number is 4.2 million. in the second incident we have not reached a number. >> so the number is going to go up. i understand -- and i am receiving calls from federal employees about opm's promise of 18 months i believe it is free credit monitoring. is it true that federal employees must pay for this
10:42 pm
service after that time? >> well, the services we are offering are identity theft protection up to $1 million, and we are also offering credit monitoring for 18 months, which is the standard industry practice. as we look at the second notification, we are looking at our whole range of options. >> ms. archuleta, there's a great deal of concern, not so much about paying for it but about the amount of time, the 18 months may be too short a period of time given how much you don't know and we don't know. >> we are getting tremendous information back from not only -- >> are you prepared to extend that time if necessary? >> i have asked my experts to include this feedback that we have received on a number of different considerations. >> are you prepared to extend that 18 months in light of what
10:43 pm
has happened to federal employees if necessary? >> as i said, we don't know the scope of the impact -- the scope of -- >> precisely for that reason, ms. archuleta. i have to go on. if the scope is greater as you get more information, will you correlate that to extending the amount of time that federal employees have for this credit monitoring? >> congresswoman i will get back with you as to how -- what range of options we have. >> when you get back to us within two weeks on that. ms. archuleta we have people out there all of us have constituents out there and you won't even tell me you are prepared to extend the time for credit monitoring what kind of satisfaction can they get from opm? i am just asking you that if necessary? >> congresswoman i am as concerned as you are --
10:44 pm
>> in other words you are not willing to answer that question. are you willing to answer this question. they report having to wait long periods of time, sometimes hours to even get anybody on the phone from opm. can you assure me that if a federal employee calls they can get a direct answer forthwith today if they call and if not what are you going to do about it? >> we are already taking steps and what the contractor has implemented is a system similar to what social security is using, so if they get a busy tone, they also can leave their number and they will get a call back. >> within what period of time ms. archuleta? >> for example, i heard a gentleman told me this morning that he left his number and was called back in an hour, so that individual does not have to wait on the phone. >> you let the chairman know before the end of this week what is the wait time for a return
10:45 pm
call, and that was a subject of great concern? >> we get those numbers every day and we will be glad to. >> we need some assurances, and we can't assure them beyond 18 months they are going to get credit monitoring and that's a very unsatisfactory answer, i want you to know. i want to ask, we understand that much of this is classified and we keep hearing we can't tell you things because it's classified. of course the press is finding out lots of stuff. they reported that law enforcement authorities have been examining the connection between the cyber attack at opm and a previous data breach that occurred at keypoint. i want to ask you -- and i don't want to discuss or am not asking
10:46 pm
anything classified, but you assert in keypoint's data breach, did you find hackers were able to move around the company network prior to detection? >> in the case of the keypoint investigation? >> yes. >> yes, ma'am, they were able to move around the keypoint network. we had an interagency response team that spent time reviewing the network after the customer technical -- >> even for the domain level? >> correct. they had access -- we were there in august of 2014. an onsite team -- >> what does that allow a hacker to do if you get to the domain level? >> at that point in time through the fall of 2013, during that time they were able to leverage certain malware to escalate privileges for the
10:47 pm
entry point and they entered the -- >> they can get to background points. >> the time has expired. >> they could not. they were not -- there was no -- there was a pii loss associated with 27,000 individuals associated with that case, i believe. it was potentially exposed and because of lack of evidence we were not able to confirm that, but they had potential access but we were not able to confirm the exfiltration of that data. >> i now recognize myself for five minutes of questioning. let me ask ms. archuleta, what do you believe was the intent behind the attack? we are talking about the attack, so what do you think the intent was? >> you would have to ask my partners and the cyber security about that. i don't -- i am not an expert in -- >> ms. seymour maybe you could
10:48 pm
respond? >> that would be better placed with dhs and perhaps with others. >> let me start with ms. seymour do you have any idea as to the attack? >> opm doesn't account for the attribution or for which the information is used. >> i would be happy to discuss the details and it's more appropriate for a closed classified setting. >> ms. archuleta, how would you assess opm's information with current and former employees regarding the breach, at this point in time how would you assess it? >> i believe that we are very -- we want to work very hard with our contractor to make sure that we are delivering the service that we want. we have asked them throughout this process to make improvements. we have demanded improvements and are holding them
10:49 pm
accountable, excuse me sir, to deliver the services we contracted for and ms. seymour is in communications with them, and i do not want our employees to sit and wait on a phone and do not want them to have to wonder whether their data has been breached and i want to serve them in every way we can and that's why we are demanding from our contractor the services the contractor will deliver. we are working hard on that and each day give them the appropriate feedback for what we are hearing from our employees. >> federal news conducted an online survey about the data breach, and one of the questions asked what to rate opm's communication with current and former federal employees about the data breach. the results showed that 78% of
10:50 pm
respondents indicated it was poor, and 3% described it as good and less than 1% said it was excellent. i appreciate the fact that you want to improve that, and we expect you to make sure that who you have contracted with improves that. >> those numbers don't make me happy, sir. >> those are terrible numbers. >> i will do whatever i can. i care deeply about our employees. >> let me move on. some news reports indicate attackers may now be in possession of information of every federal employee and retiree and up to one million former federal employees. if that is true they have the information of date of birth and job history and more that could be there. for years we have been hearing about the risk of a cyber pearl harbor. is this a cyber pearl harbor?
10:51 pm
>> the information associated with the data breach that was confirmed is what we would call on a severity scale a significant impact. >> a significant impact. what does significant impact mean? >> meaning the data if it was correlated with other data sources, it could impact the environment as well as the individual. >> environment meaning? >> the fact they were able to take the data out of the environment, that is a significant impact on the environment, and ensuring they were able to mitigate the ability the attacker used to get into the environment. >> so it has blown up? >> sorry? >> it has blown up a lot of things, protection, security? it's a pearl harbor.
10:52 pm
>> that's not a term i am comfortable with using, but when the severity scale -- >> it's pretty significant? >> yes, medium to high significance, yes. >> let me ask ms. seymour, do you think issuing a request for quotes on may 28th and establishing a deadline of may 29th to potential contractors was a reasonable opportunity to respond in this significant issue of cyber security? >> our goal was to be able to notify individuals as quickly as possible. we worked with the gsa schedule and contacted the schedule holders, and put it on fedbizopps for other opportunities.
10:53 pm
so our goal was to make sure that we could notify individuals as quickly as possible. >> that was quick. maybe too quick. my time has expired and now i recognize the gentleman from massachusetts, mr. lynch. >> thank you, mr. chairman and thank you to the witnesses for participating today. ms. archuleta you testified before the senate. let me ask you on the outset, who is ultimately responsible for protecting the information of employees at opm or that are covered by opm, the federal employees? >> the responsibility of the records is with me and my cio. >> so you also testified that nobody was to blame. is that right? >> i think my full statement, sir, was that i believe that the breach was caused by a very
10:54 pm
dedicated, a very focused actor who has spent much funds to get into our systems, and i and the rest of my team have worked since day one to improve legacy systems -- >> i understand you are blaming the perpetrators, that those are the people responsible, is that basically what you are saying? >> the action was caused by a very focused aggressive perpetrator. >> i can't have the same answers repeated. mr. mcfarland the assistant inspector general testified a number of the systems that were hacked were not older legacy systems but they were newer systems. is that your understanding? this is not the old stuff, this is the new stuff? >> yes, that's correct. >> the former chief technology officer at the irs and
10:55 pm
department of homeland security said the breaches were bound to happen given opm's failure to update its cyber security. is that your assessment, mr. mcfarland? >> i think without question it exacerbated the possibility, yes. >> this is a quote. if i walked in there as a chief information officer and saw the lack of protection for the sensitive data the first thing we would have been working on is how do we protect that data. i am concerned as well about the flash audit that you just put out, and your ultimate determination was that you believe what they are doing will fail. >> the approach that they are taking, i believe will fail. >> okay. >> they are going too fast.
10:56 pm
they are not doing the basics. and if that's the case then we're going to have a lot of problems down the road. >> let me ask you, so very crudely describing this, they are creating a shell, a protective shell, and then we are going to migrate applications in under the shell and because of the shell they will be resistant or impervious to hacking. doesn't seem like we should have to wait until the last application is in under the shell before we find out whether or not the shell is working. is that -- is that -- will that give us an opportunity to look at the early stages of this project? >> i am not sure if it will give us that opportunity or not. what is important i think from our perspective is that they
10:57 pm
have the opportunity, opm has the opportunity right now to do certain things that will increase the security a great deal, and that should not be abandoned and just in place of. i don't mean to imply it is abandoned but that should not be in place of speeding through the rest of the project to get it done. the crisis part may not seem this way to a lot of people, but the actual crisis at opm was with the breach. that part is over. the best thing to do is safeguard the system as it is right now, and then move appropriately for full restructuring. >> do you think opm's estimate
10:58 pm
of $93 million is accurate? >> i don't think it's anywhere close to accurate. >> i don't either. >> it doesn't seem to include the whole migration information where they pull the information in. >> as an example, the financial system that we have, in 2009 we had to migrate that information. >> right. and in so doing, it had a lot of oversight and went pretty well. in fact, our office was part of the oversight. but just that one system took two years and $30 million. >> all right. and that's a small fraction of what we are talking about here right? a very small fraction. >> very small. >> i yield back. >> we recognize the gentleman from south carolina. >> mr. chairman, i want to read a regulation, i would ask all the panelists to pay attention. it's a little tedious. if new or unanticipated hazards
10:59 pm
are discovered by the government or contractor or if existing safeguards have ceased to function, the discoverer shall immediately bring the discovery to the attention of the other party. that's a regulation. mr. hess, mr. giannetta, were there also things between you and the government? >> there are. >> they would be similar to that? a notice provision? >> i don't have the exact text but it is similarly worded. >> i think it's helpful sometimes to define terms, particularly for those that are liberal arts majors and don't deal with this. what is a new or unanticipated threat or hazard? mr. hess? >> that would be an indication of a compromise of a system or
11:00 pm
failure of any of the system protections. >> oh, so when chairman chaffetz was having a hard time getting an answer to that because the focus was on the loss of personal information, it's just a threat or hazard. it doesn't actually have to be a loss, does it? >> not the way i would define it. >> me either. >> what about existing safeguards have ceased to function. what does that mean? mr. hess? >> sir it's pretty self-explanatory. >> it did strike me as being self-explanatory. is it self-explanatory to you? existing functions have ceased to function? what does the word immediately mean? >> without delay. >> without delay. is there another meaning that you are familiar with? >> that's