Key Capitol Hill Hearings, CSPAN, June 25, 2015 3:00am-5:01am EDT
3:00 am
supported things like expanded background checks and body cameras for police. maybe that's because he came from a family of action. his father and grandfather were both pastors who fought to end white-only political primaries and segregated school busing. he wasn't just about condemnation. he lived his life to effectuate political change. and last night at the sandy hook promise dinner, i chatted with my friend mark barden. his son daniel, massacred at sandy hook elementary school by a gunman wielding a military assault weapon with 30 cartridges apiece, would have just finished third grade last week. mark recalled how special daniel was. daniel, just six years old, lived a life of action, too.
3:01 am
daniel was that kid who sensed when other children were hurting. his dad told me last night how daniel would see little kids sitting alone at lunch with no one to talk to, and daniel would go over, sit down next to them, make a new friend, just because it was the right thing to do. reverend pinckney and little daniel barden knew the difference between words and actions. they understood that actions are what really count. the u.s. gun homicide rate is 20 times higher than that of our 22 peer nations. 86 people die every day from guns. that's four sandy hooks, ten charlestons -- every day.
3:02 am
since sandy hook, there has been a school shooting, on average every week. how on earth can we live with ourselves if we do nothing or, worse, if we don't even try? he will be joined by vice president joe biden and first lady michelle obama. we will bring you that event live here on c-span. an in-depth look at iran, its
3:03 am
government, culture, and their views of the united states. that is saturday, here on c-span. here are some of our featured programs. saturday night at 8 a.m. eastern, we will look at the government and culture of iran, its relationship with the u.s., and nuclear ambitions. sunday night, interviews with two presidential candidates. first rand paul and the vermont independent senator bernie sanders. author nelson dennis on the history of puerto rico and its turbulent relationship with the united states. sunday night the political career of ronald reagan. saturday night a little after 9:00, commemorating the
3:04 am
eight hundredth anniversary of the magna carta and the limits to executive power. and the french sailing ship brought its representative to america in 1780. we were there to cover the welcoming ceremony and to hear from the crew and government officials. >> wednesday the house oversight and government reform committee held its second hearing on the data breaches. the deputy director testified along with patrick mcfarland about the cyber attack that may have compromised records of up to 32 million people. this hearing is almost four
3:05 am
hours. >> good morning. the oversight committee is coming to order. this is part two. $529 billion. that is how much the federal government has spent on i.t. since 2008. roughly $577 million has been spent at the office of personnel management. roughly $277 million has been spent at the office of personnel management, and roughly 80% of that money has been spent on legacy systems. we're in a situation here where the hurricane has come and gone and just now opm is wanting to board up the windows. that's what it feels like. this is a major, major security breach. one of the biggest if not the
3:06 am
biggest we have ever seen. this demands all of our attention and great concern about what happened, how we're going to prevent it from happening in the future, and what we are going to do with the information now, because there is no simple, easy solution. but i can tell you, oftentimes it feels like one good trip to best buy and we could help solve this problem, and it would be a whole lot better than where we are today. there are a lot of questions that remain about what happened last month. and the uncertainty is very disconcerting to a host of people. and it's unacceptable to this committee and the congress. the most recent public reports indicate that many more americans were affected by the breach than originally disclosed. federal workers and their families deserve answers on the scope of the breach and the types of personal information compromised. because of these outstanding questions, we still don't understand the extent to which the breach threatens our
3:07 am
national security. but the risk is significant. only the imagination limits what a foreign adversary could do with detailed information about a federal employee's education, career, health, family, friends and personal habits. i ask unanimous consent to enter into the record a letter from the federal law enforcement officers association. i want to read part of it. here are the concerns about the office of personnel management data breaches. our demands and list of questions remain unanswered. they represent the law enforcement officers from 65 agencies. opm turned its back on federal law enforcement officers when it failed to protect sensitive information from an inexcusable breach. it's a miscarriage of its obligations. the very lives of federal law enforcement officers are now in danger, and their safety and
3:08 am
security of innocent people, including their families, are now in jeopardy because of opm's failure and continued ignorance of the severity of the breach. the information lost includes personal, financial, and location information of these officers and their families, leaving them vulnerable to attack and retaliation from criminals and terrorists currently and formerly investigated by the united states of america. without objection i'll enter this into the record. without a full understanding of the scope or the cost of the project. in fact the agency kept the project from the inspector general for more than a year. the ig determined opm's chief information officer, quote, initiated this project without a complete understanding of the scope of opm's existing technical infrastructure or the scale or cost of the effort required to migrate it to the new environment, end quote. because of these concerns the question is, quote, possibly
3:09 am
making opm's environment less secure and increasing the cost to taxpayers. they awarded a sole source contract without going through the process of complete competition. i would like to enter into the record, without objection, this article from the "washington post." this is may 13th. defense firm that employed drunk, high contractors in afghanistan may have wasted $135 million in taxpayer dollars. these are the recipients of a sole source contract to try to help clean up this mess. they were formerly known as scientific corporation. they're now known as imperatis corporation. they have a good list of very impressive military personnel who are involved and engaged. maybe this is the right decision. but when it is a sole source contract it begs a lot of questions. no doubt we need to move fast
3:10 am
but this organization has had a lot of problems in the past and it begs a lot of questions. not only is this a data security problem, we have a data management problem. it is unclear why so much background information related to security clearances was readily available on the opm system to be hacked. it is unclear to me why there is a need for sf 86 background information; the sf 86 is the standard form 86 that the employees fill out. why was this background information on the network if the applicant isn't currently being investigated? part of the reason we're in this mess is that a lot of the information from background checks that we're not engaging in was still on the system. if information isn't accessible on the network, it can't be hacked. if a security clearance isn't under investigation, taking it off the network is a best practice that others use and probably should have been used in this situation as well. we have to do a better job of
3:11 am
anticipating our adversaries and protecting information from unnecessary exposure. one of the concerns is this legacy system that we're using is cobol. the language used is cobol. i would ask unanimous consent to enter into the record a "wall street journal" article from april 22nd, 1963. cobol can help users cut cost when changing models; government spurs process. 1963. i wasn't even born yet, and that's the system that we're operating on in this day and age when technology is changing moment by moment, minute by minute. without objection i enter that into the record. yesterday ms. archuleta stated that no one is personally responsible for the opm data breach and instead blamed the hackers. hackers certainly have a lot of
3:12 am
culpability on their hands. there's no doubt there are various actors that are going to be attacking the united states. we take numerous hits on a daily basis. but i disagree that nobody is to be held personally responsible. personal accountability is paramount. they are charged with the responsibility of carrying out their duty. as the head of the agency, ms. archuleta is responsible for the security of the opm network and managing any risks. while she may have inherited a lot of problems, she was called on by the president and confirmed by the senate to protect the information maintained by opm. during her confirmation in 2013 she stated that i.t. modernization would be one of her main priorities, yet it took a security breach in march of 2014, five months after the confirmation, to begin the process
3:13 am
of developing a plan to fix the problem. that was just the beginning of starting to think of how to fix the problem. the shifting of blame is inexcusable. i really hope we hear solid answers. it's not going to be good enough to say we'll get you that information. it's under investigation. there's a security -- no. we're going to answer questions. the federal workforce, the people affected, they need to hear that. we're different. we're unique in this world because we're self critical and we do have hearings like this. i would also ask unanimous consent to enter letters into the record. one was a flash audit done june 17th of this year from patrick mcfarland, the flash audit on the information improvement project. without objection i will enter that into the record. i will ask unanimous consent to enter into the record the june
3:14 am
22nd response by the director of the office of personnel management, ms. archuleta, and ask to enter that into the record without objection. so ordered. we also have some contractors here and we appreciate their participation. they have answers -- we have questions that need to be answered as well. we need their cooperation to figure this out. a lot of what was done by opm was contracted out. and there are very legitimate questions in particular that mr. cummings and others have asked, and that's why i'm pleased to have them invited and participating as well. so it will be a full and robust committee hearing. we appreciate the participation. without objection the chair is authorized to declare a recess at any time. i should have said that without objection, so ordered. should have said that at the beginning. now i would like to recognize the distinguished ranking member
3:15 am
mr. cummings for his opening statement. >> thank you very much, mr. chairman. this is a very important hearing, and we're here today because foreign cyberspies are targeting millions of our federal workers. opm has made it clear that every month there are 10 million efforts to pierce our cyberspace. these folks are hacking into our data system to get information about our employees. private information about them, their families, their friends and all of their acquaintances. and they may try to use that information in their espionage efforts against united states personnel and technologies. mr. chairman, i want to start by thanking you. last week we held a hearing on
3:16 am
cyberattacks against opm. and this morning we have an opportunity to hear from opm's two contractors who suffered major data breaches, usis and keypoint. some people in your shoes might have merely criticized the agency without looking at the whole picture. but you agreed to my request to bring in the contractors, and you deserve credit for that, and i thank you. on monday night i received a letter from usis representatives finally providing answers to questions i asked more than seven months ago, mr. giannetta. seven months ago. seven months ago. the letter disclosed that the breach at usis affected not only dhs employees but our
3:17 am
immigration agencies, our intelligence community and even our police officers here on capitol hill. but it took them seven months. the night before the hearing, they gave me that information. but not only did they give me the information, they gave members of congress that information. my immediate concern was for the employees at these agencies. and i hope that they were all alerted promptly. but there's no doubt in my mind that usis officials never would have provided that information unless they were called here to testify today. so i thank you again, mr. chairman. i have some difficult questions for usis. i want to know why this company paid millions of dollars in
3:18 am
bonuses to its top executives after the justice department sued the company for allegedly defrauding the american taxpayers of hundreds of millions of dollars. i can hardly wait for the answer. i want to know why usis used these funds for bonuses instead of investing in adequate cybersecurity protections for highly sensitive information our nation entrusted to it. mr. giannetta, i want to know if you, as the chief information officer of usis, received one of those bonuses, and i would love to know how much it was and what the justification for it was. i understand that you just returned from italy. welcome back. so this is probably the last place you want to be.
3:19 am
i also understand you're leaving the company in a matter of weeks. but i want to know why usis has refused for more than a year to provide answers to our questions about the board of directors. mr. hess, i also have different questions for you for keypoint. at last week's hearing i said one of our most important questions is whether the cyberattackers were able to penetrate opm's networks using information they obtained from one of its contractors. as i asked last week, did they get the keys to opm's networks from its contractor? yesterday director archuleta answered that question. appearing before the senate appropriations committee she
3:20 am
testified, and i quote, the adversary leveraged a compromised keypoint user to gain access to keypoint. the weak link in this case was keypoint. mr. hess, i want to know how this happened. i appreciate that opm continues to have confidence in your company. but i also want to know why keypoint apparently did not have adequate logging capabilities to monitor the extent of data that was stolen. why didn't you invest in these safeguards? mr. chairman, to your credit, one of the first hearings you called after becoming chairman was on the risk of third-party contractors to our nation's cybersecurity. at that hearing on april 20th, multiple experts explained that federal agencies are only as
3:21 am
strong as their weakest link. if contractors have inadequate safeguards, they place our government systems and our government workers at risk. i understand that we have several individuals here sitting on the bench behind our panel of witnesses who may be called to answer questions if necessary. mr. jobe, who is the cio of keypoint. thank you for allowing them to be here. as we move forward it is critical that we work together. we need to share information, recognize what outdated legacy systems need to be updated, and acknowledge positive steps when they do occur. above all, we must recognize that our real enemies are outside of these walls. they are the foreign nation states and other actors that are
3:22 am
behind these devastating attacks. and with that i yield back. >> i thank the gentleman. i'll hold the record open for five legislative days for any members who would like to submit a written statement. we're pleased to have representative barbara comstock. i ask unanimous consent that our colleague from virginia be able to fully participate in today's hearing. without objection, so ordered. we now recognize the panel of witnesses. i'm pleased to welcome katherine archuleta, director of the office of personnel management. we have patrick mcfarland of the office of personnel management, ms. donna seymour, chief information officer of the office of personnel management, ms. ann barron -- help me here -- dicamillo of the emergency readiness team at the united states department of homeland security.
3:23 am
mr. eric hess is the chief executive officer of keypoint government solutions and mr. rob giannetta is the chief information officer at usis. all witnesses are to be sworn before they testify. so if you will please all rise and raise your right hand. do you solemnly swear or affirm that the testimony you're about to give will be the truth, the whole truth and nothing but the truth? thank you. let the record reflect that all witnesses answered in the affirmative. in order to allow time for discussion, please limit your verbal testimony to five minutes, and obviously your entire written statement will be made part of the record. we will start first with the director of the office of personnel management, ms. archuleta. you're now recognized for five
3:24 am
minutes. >> chairman, ranking member cummings and members of the committee, thank you for the opportunity to testify before you again today. i understand and i share the concerns and the frustration of federal employees and those affected by the intrusions into opm's i.t. systems. although opm has taken significant steps to meet our responsibility to secure the personnel data of those we serve, it is clear that opm needs to dramatically accelerate those efforts. as i testified last week, i am committed to a full and complete investigation of these incidents. and we continue to move urgently to take action to mitigate the long standing vulnerabilities of the agency's systems. in march of 2014 we released our
3:25 am
plan to secure the aging legacy system. we began implementing the plan immediately, and in fiscal years 2014 and 2015 we directed nearly $70 million towards the implementation of new security controls to better protect our systems. opm is also in the process of developing a new network infrastructure environment to improve the security of opm infrastructure and i.t. systems. once completed, opm i.t. systems will be migrated into this new environment from its current legacy networks. many of the improvements have been to address critical immediate needs such as security vulnerabilities in our network. these upgrades include the installation of additional firewalls, restriction of remote access without two-factor authentication, continuous
3:26 am
monitoring of all connections to ensure that only legitimate connections have access, and deploying anti-malware software to prevent the cyber crime tools that could compromise our networks. these improvements led us to the discovery of the malicious activity that had occurred, and we were immediately able to share the information so that other agencies could protect their networks. i also want to discuss data encryption. opm does currently utilize encryption when possible. i've been advised by security experts that encryption in this instance would not have prevented the theft of this data because the malicious actors were able to steal privileged user accounts and credentials and could decrypt the data. our i.t. security team is
3:27 am
actively building new systems with technology that will allow opm not only to better identify intrusions but to encrypt even more of our data. in addition to new policies that were already implemented to centralize i.t. security duties under the cio and to improve oversight of new major systems development, the i.t. plan recognized that further progress was needed, and the oig's '14 report credited opm for progress in bolstering our security processes and procedures and for committing critical resources to the effort. with regard to information security governance, the oig noted that opm implemented significant positive changes and removed its designation as a material weakness. this was encouraging, as i.t. governance is a pillar of the strategic i.t. plan. regarding the weaknesses found
3:28 am
with authorization, the oig has recommended that i consider shutting down 11 out of the 47 opm i.t. systems because they did not have current and valid authorization. shutting down systems would mean that retirees could not get paid and that new security clearances could not be issued. of the systems raised in the 2014 audit, 11 of those systems were expired. of those, one, a contractor system, is presently expired. all of the systems raised in the '14 audit have been extended or provided a limited authorization. opm is offering credit monitoring services and identity theft information with csid for the approximately 4.2 million current and former civilian employees. our team is continuing to work with them to make the online
3:29 am
sign-up experience quicker. they're expanding staffing at call centers. i've taken steps to ensure that greater i.t. restrictions are in place even for privileged users. that includes removing remote access for privileged users and requiring two-factor authentication. we're looking into further protections such as tools that mask and redact data that would not be necessary for a privileged user to see. i want to share with this committee some new steps that i'm taking. first, i will be hiring a new cybersecurity adviser that will report directly to me. that cybersecurity adviser will work with opm's cio to manage ongoing response to the incident, complete development of the plan, and assess whether long term changes to the architecture are needed to ensure that its assets are
3:30 am
secure. this individual is expected to be serving by august 1st. second, to ensure that the agency is leveraging private sector best practices and expertise, i'm reaching out to chief information security officers at leading private sector companies that experienced their own significant cybersecurity challenges, and i will host a meeting with these experts in the coming weeks to help identify further steps the agency can take. as you know, public and private sectors both face these challenges and we should face them together. i would like to address now the confusion regarding the number of people affected by two recent related cyber incidents at opm. first, it is my responsibility to provide as accurate information as possible to congress, the public and, more importantly, the
3:31 am
affected individuals. second, because this information and its potential misuse concerns their lives, it is essential to identify the affected individuals as quickly as possible. third, we face challenges in analyzing the data due to the form of the records and the way they are stored. as such, i have deployed a dedicated team to undertake this time-consuming analysis and instructed them to make sure their work is accurate and completed as quickly as possible. as much as i want to have all of the answers today, i do not want to be in a position of providing you or the affected individuals with potentially inaccurate data. with these considerations in mind, i want to clarify some of the reports that have appeared
3:32 am
in the press. some press accounts have suggested that the number of affected individuals has expanded from 4 million individuals to 18 million individuals. other press accounts have asserted that 4 million individuals have been affected in the personnel file incident and 18 million individuals have been affected in the background investigation incident. therefore, i am providing the status as we know it today and reaffirming my commitment to providing more information as soon as we know it. first, the two kinds of data that i am addressing, personnel records and background investigations, were affected in two different systems in the two recent incidents. second, the number of individuals with data compromised from the personnel records incident is approximately 4.2 million, as
3:33 am
reported on june 4th. this number has not changed, and we have notified those individuals. third, as i have noted, we continue to analyze the background investigation data as rapidly as possible to best understand what was compromised, and we are not at a point where we are able to provide a more definitive report on this issue. that said, i want to address the figure of 18 million individuals that has been cited in the press. it is my understanding that the 18 million refers to a preliminary, unverified and approximate number of unique social security numbers in the background investigations data. it is a number that i am not comfortable with at this time because it does not represent the total number of affected
3:34 am
individuals. the social security number portion of the analysis is still under active review, and we do not have a more definitive number. also, there may be an overlap between the individuals affected in the background incident and the personnel file incident. additionally, we are working deliberately to determine if individuals who have not had their social security numbers compromised but may have other information exposed should be considered individuals affected by this incident. for these reasons i cannot yet provide a more definitive response on the number of individuals affected in the background investigations data intrusion. and it will -- it may well increase from these initial reports. my team is conducting this further analysis with all due speed and care. and again i look forward to providing an accurate and
3:35 am
complete response as soon as possible. thank you, mr. chairman, for this opportunity to testify to you today, and i'm happy to be here, along with my cio, to address any questions you may have. >> thank you. mr. mcfarland, you are now recognized for five minutes. >> chairman, ranking member cummings and members of the committee, good morning. my name is patrick mcfarland and i'm the director of the office of personnel management. thank you for inviting me to testify here. i would like to note that my colleague, the deputy inspector general, is here with me. with your permission, he may assist in answering technical questions. in 2014 opm began a massive project to overhaul the i.t. environment by building an entirely new infrastructure called the shell and migrating all of its systems to the shell.
3:36 am
before i discuss the recent examination of this project, i would like to make one point. there have been multiple statements made to the effect that this complete overhaul is necessary to address immediate security concerns because opm's current legacy technology cannot be properly secured. this is not the case. there are many steps that can be taken, or indeed which opm has already taken, to secure the agency's current i.t. environment. i just wanted to emphasize that while we agree that this overhaul is necessary, the urgency is not so great that the project cannot be managed in a controlled manner. last week my office issued a flash audit alert discussing two significant issues related to this project. because my written testimony describes these issues in detail, i will give only a summary for you this morning.
3:37 am
first, we have serious concerns with how the project is being implemented. opm is not following proper i.t. project management procedures and does not know the true scope and cost of this project. the agency has not prepared a project charter, conducted a feasibility study, or identified all of the applications that will have to be moved from the existing i.t. infrastructure to the new shell environment. further, the agency has not prepared the mandatory omb major business case, formerly known as exhibit 300. this is an important step in the i.t. project and the proper vehicle for seeking approval and funding from omb. it is also a necessary process for enforcing proper project management techniques. because opm has not conducted
3:38 am
these very basic planning steps, it does not know the true cost of the project and cannot provide an accurate time frame for completion. opm has estimated that this project will cost $93 million. however, that amount only includes strengthening the agency's current i.t. security posture and the creation of a new shell environment. it does not include the cost of migrating all of opm's almost 50 major i.t. systems and numerous subsystems to the shell. this migration will be the most costly phase of this project. even if the $93 million figure was an accurate estimate, the agency does not have a dedicated funding stream for the project. therefore, it is entirely possible that opm could run out of funds before completion, leaving the agency's i.t. environment more vulnerable than
3:39 am
it is now. opm also has set what i believe to be an unrealistic time frame for completion. the agency believes it will take 18 to 24 months to migrate all of its systems to the shell. it is difficult to imagine how opm will meet the goal when it does not have a comprehensive list of all of the systems that need to be migrated. further, this process is inherently difficult and there are likely to be significant challenges ahead. the second major point discussed in the alert relates to the use of a sole source contract. they've got a single source vendor. unless there's an exception, federal contracts must be subject to full and open competition. however, there's an exception for compelling and urgent situations. the first phase of this project, which involves securing opm's i.t. environment, was indeed such
3:40 am
a compelling and urgent situation. that phase addressed a crisis, namely the breaches that occurred last year. however, the later phases, such as migrating the applications into the new shell environment, are not as urgent. instead they involve work that is essentially a long term capital investment. opm should step back, complete its assessment of the opm architecture and develop a major i.t. business case proposal. when omb approval and funding have been secured, they should move forward with the project. opm cannot afford to have this project fail. i fully support opm's effort to modernize the environment and the director's long term goals. however, if it is not done correctly, the agency will be in a worse situation than it is
3:41 am
today, and millions of taxpayer dollars will have been wasted. i'm happy to answer any questions you may have. >> thank you. ms. seymour, was your statement with ms. archuleta or do you have one yourself? >> it was with the director, thank you, sir. >> i would ask unanimous consent to enter into the record a letter that was given to us this morning from the office of personnel management, dated today, signed by ms. archuleta, dealing with the number of records. without objection, we'll enter it into the record. we'll now recognize ms. barron-dicamillo for five minutes. >> good morning. my name is ann barron-dicamillo. i appear here to talk.
3:42 am
dr. andy ozment is here with me to answer questions. like many americans, i too am a victim of these incidents and concerned about the continued cyber incidents at numerous government and private sector entities. i understand the scope of the problem we face and the challenges in securing critical networks. cybersecurity is a true team sport. there are many agencies responsible, including the intelligence community, law enforcement, the department of homeland security, as well as individual system owners and individual end users as well. my organization within dhs is part of the national cybersecurity center. we focus on analyzing the risks, sharing information about, and responding to significant cyber
3:43 am
incidents. we work with trusted partners around the world and focus on threats facing the government and critical sector networks. our role is largely voluntary. we build and rely upon trusted relationships to share information and respond to incidents. when an entity believes they've been a victim of a significant cyber incident, they invite us to help them assess the scope of the intrusion as well as provide recommendations on how they can mitigate the incident and improve their security posture. our current involvement with opm began in march of 2014 when they learned there was a potential compromise within the opm networks. from march to may, we were part of the team that remediated the intrusion. throughout that time we shared information that we had learned about the intrusion with our governmental partners as well as private sector partners so they could better protect themselves.
3:44 am
on may 28, 2014, the interagency response team concluded that the malicious actor in question from that event had been removed from the network. we also provided opm with recommendations on what steps they could take to increase their security. there is no silver bullet or magic solution. most government agencies and their private sector counterparts are making up for years of underspending on security as part of the information technology development. the internet was designed with ease of use rather than security in mind. the status of opm networks in may of 2014 was not unlike other similarly situated agencies. opm did some things well and was weak in other areas. i understand that opm had at the time, under its new leadership, started an effort to improve its cybersecurity. the incident report for opm
3:45 am
included several recommendations, some of which could be implemented quickly and others of which would take longer. opm made a concerted effort to adopt the recommendations beginning last summer. it was opm who in april of 2015 discovered the new intrusion. this is how the malicious access to opm data at the data center was discovered. this newly discovered threat information was also quickly shared by us with our private sector partners and other trusted partners around our communities. the interagency response team has been working with opm since april of 2013 to assess the scope and nature of the incident. there are a few things i can share. we were able to use the einstein capability to detect the presence of malicious activity on the department of interior
3:46 am
data center which houses the opm personnel records. further on-site investigation revealed that some personal information was compromised. this is the 4.2 million number that director archuleta referenced today. as a result of what we learned from the april 2015 investigation, opm continued to conduct forensic investigations into its own environment. in that process opm discovered evidence of an additional compromise on its own network. we then led the interagency response team to assess opm's networks and in june found that background investigation data had been exposed and possibly exfiltrated. that's currently under investigation. we learned at the time that they had precluded further access. the protective measures may have mitigated any continued effects of the intrusion. the work is ongoing and we
3:47 am
continue to assess the scope of the potential compromise. although i'm appearing today ready to provide information, i do so with some concern. we rely on voluntary cooperation from agencies and private entities who believe they may be victims. i worry that us appearing in front of this committee will have a chilling effect on their willingness to notify us, the whole of government, of future incidents. we need private companies to continue to work with government and share information about cyber threats. thank you. i look forward to your questions. >> mr. hess, you're now recognized for five minutes. >> thank you chairman, ranking member cummings. i'm president and chief executive officer of keypoint government solutions. since 2004 key point has provided field work services for the background investigation to
3:48 am
a number of federal agencies including the office of personnel management. we employ investigators in every state and are proud to be part of opm's team, helping to ensure that the security investigations it conducts are thorough, detailed and consistent. we take issues of cybersecurity very seriously and as a contractor providing critical services across the federal government, we stand in partnership with the federal government in trying to combat ever-present and ever-changing cyber threats. we're committed to the highest levels of protections. the recently announced breach of the opm is the focus of this hearing. i would like to make clear that we see no evidence suggesting that key point was in any way responsible for the opm breach. there are recent media reports suggesting that the incursion into the opm is what breached.
3:49 am
there is no evidence that key point was responsible for that breach. the press reported that hackers stole opm credentials assigned to a key point employee and leveraged them to access opm's systems. there is no evidence suggesting that key point is responsible for or directly involved. the employee was working on an opm system, not a key point system. i know that throughout the hearing, the incursion of the key point system discovered last september will be discussed. key point has continuously maintained its authority to operate (ato) from opm and dhs. this means that we met the stringent information and security requirements imposed under our federal contracts. key point only maintains information that is required. we, like government agencies, face aggressive, well funded and ever
3:50 am
evolving threats. let me say a few words about the earlier incursion of key point. in december of 2013 the washington post noted that it would notify 48,000 federal workers that their personal information may have been exposed. i emphasize the word may because in the report, after the extensive analysis of the incursion, we find no evidence of exfiltration of personal data. last august, following public reports of that data security breach at another federal contractor providing background checks, donna seymour asked key point to invite us-cert to test key point's network and key point agreed. the department of homeland security and technical services
3:51 am
conducted risk and vulnerability tests including internal maps. they provided a number of findings at the end of the engagement which were resolved while the team was on site, as well as recommendations for the future. while they found issues, they were resolved and the team found no malware on key point's system. however, then in september the hunt team informed key point that it had found indications of sophisticated, undetectable malware. the team provided key point with mitigation recommendations to remove the malware from our environment and other recommendations for hardening its network to prevent future compromises. key point immediately began implementing the issues identified by us-cert, and concluded the malware was not functioning
3:52 am
correctly because of errors. i recently attended a classified briefing at opm where i learned more about the opm breach, and in the open setting i cannot go into details presented in that briefing. however, i can reiterate we have seen no evidence between the incursion of key point and we are always striving to make sure our defenses are as strong as possible. we have also been working closely with opm to improve our information security posture in light of the new advanced persistent threats. we have been working diligently to make our systems more resilient and stronger by implementing the recommendations, and a number of the most significant improvements have been full deployment of the
3:53 am
authentication, and enhanced intrusion detection systems and network information and improved network segmentation and many more. we have been working with all of our customers to update our atos, and this includes an audit from an independent party. we will continue to fortify protections of our systems. our adversaries are constantly working to make new attacks against our systems. while it may be impossible to eliminate the threat of a cyber attack, we will continue to evaluate our protections. thank you for drawing attention to this critical issue and allowing key point to share its perspective. >> thank you for your testimony. mr. giannetta, we will now recognize you for five minutes.
3:54 am
>> thank you. my name is robert giannetta, and i am currently the chief investigation officer. i joined in august of 2013, and before then i was with bae systems and served in the united states navy. until august 2014 usis performed background investigation work for the united states office of personnel management. when i started working at usis, they would perform background investigation work and were operating under two security systems which were issued from opm in 2012. those authorities to operate required annual review of the systems and opm's 2014 review included approval of the systems
3:55 am
security plans and a site visit in may of 2014. in june 2014, usis immediately notified opm and initiated the comprehensive response plan per response to the plan. usis's responses included the investigations firm to lead the investigation and remediation efforts. usis instructed them to leave no stone unturned in their investigation, and they invested thousands of personnel hours and dollars to remediate against the attack. those efforts succeeded in blocking the attacker. the stroz investigation was also able to develop significant technical details about how the attack occurred, what the
3:56 am
attacker did within the systems and when data was compromised. this was shared with opm and other government agencies. in addition usis invited investigators in and gave them full access. they issued a stop work order and terminated the long-standing contractual relationship with the company. this led usis to bankruptcy. just yesterday i was invited to testify before the committee and i will do my best to answer any questions you may have. >> i recognize myself. ms. archuleta, you have personally identifiable information for how many federal employees and retirees? >> we have -- >> move your microphone closer,
3:57 am
please. >> we have 2.7 individuals who are full-time employees and 2.4 -- >> no, i asked you -- you have personally identifiable information for how many employees and retirees? >> the number i just gave you includes the number of employees and retirees, and personally identifiable information within the files depends on whether they have had a background investigation or whether -- >> how many records do you have? this is what i am trying to get at. >> i will ask mrs. seymour -- >> no, come on, you are the head of the agency and i want to ask you how many heads are at play here. >> i will get back to you -- >> no, no, this is what you wrote to the appropriations chairman to the house and senate that will.
3:58 am
you wrote as a proprietor of sensitive data including personally identifiable information for 32 million federal employees and retirees, opm has an obligation to maintain and maintain cyber controls. you wrote that in february. are you here to tell me that information is all safe, or is it potentially 32 million records that are at play here? >> as i mentioned to you earlier in my testimony, mr. chairman, we are reviewing the number and the scope of the breach and the impact -- >> so it could be as high as 32 million? is that right? >> i mentioned to you, i will not give a number that is not completely accurate, and as i mentioned in my testimony -- >> i am asking you for a range. we know it's a minimum of 4.2 million, but it could be as high as 32 million? >> i am not going to give you a number that i am not sure of. >> when they fill out the sf86,
3:59 am
that would include other people identified within those forms, correct? >> that's correct, sir. >> do we know on average how many people are identified if you fill out an sf86, how many people -- >> i don't believe anybody has calculated an average. >> are you taking a look -- i am asking if you will take a sampling of records and understand how many other people are identified in those records. if you have 32 million employees and former employees in your database and they are also identifying other individuals, i would like to know on average how many people that is. is that fair? >> we are not calculating on average, we are calculating on a very distinct and accurate number. >> when you asked for $32 million more in your budget request, it was because you had 32 million
4:00 am
employees identified and former employees, correct? >> that -- the number of employees that we have, yes, we are asking for support for our cyber security -- >> do you have a complete inventory of databases and network devices -- >> we have as complete an inventory as we can, sir. that changes on a daily basis. >> changes on a daily basis? you don't have it, do you? mr. mcfarland says it's not complete. >> his ig report was done in 2014. we have made significant progress in our i.t. program since then and we know where those are and we know the pii in
4:01 am
them. >> to my members of the committee here, we have to move quickly. just having an inventory of what is at play here is key, and the inspector general does not believe you when you say that. ms. archuleta, in 2014, opm became aware of an attack on its networks. i would like to enter into the record, a chinese attack, 2014. did it result in a breach of security? >> on the march 2014 opm network the adversary activity the data to that number none was lost. >> i asked if there was a breach in security? >> there was activity that dated back to november of 2013 and
4:02 am
with the forensics of that information, we found no pii was lost. >> i am asking you a broader question. did they have access to the personally identifiable information? >> i am not a forensic expert but we have the forensic team with us right here on this panel. >> in your perception, from your understanding, did they have access to the personnel information? >> we know there is adversarial activity that dated back to november of 2013, and i also know that no pii was lost. >> no, that's a different question. the question i asked is did they have access? whether they exfiltrated it is a different question. >> i said there was adversarial
4:03 am
activity. >> did it result in a breach of security in your opinion? is that a breach of security? >> that's a breach of our systems, yes. >> is that a breach of your security? >> with the security systems, yes. >> so yes, it was a breach of security, yes? >> they were able to enter our systems. the security tools that we had in place at that time were not sufficient to fight back and we have since instituted more, and that's why in april of this year we were able to -- >> okay, but at the time, at the time it was a breach of security, right? >> yes, there was a breach into our system. >> was there any information lost? >> as i just said to you, there was no pii lost. >> that's not what i asked you. i asked did you lose any information? >> you would have to ask the
4:04 am
forensic team. >> i am asking if you know if any information was lost? >> i will get back to you. >> i believe you have this information. >> you believe i have the information? >> yes. >> did they take information when they broke into the system? >> no pii -- >> that's not what i asked you. we will take as long as you want here. i did not ask if they exfiltrated pii, i am asking you did they take any other information? >> i will get back to you -- >> i know you know the answer to this question. ms. seymour, did they take any other information? >> in the march 2014 incident, the adversaries did not have access to data on our network, and they did have access to documents and they did take documents from the network. >> what were those documents?
4:05 am
>> outdated security documents about our systems and manuals about our systems. >> what kind of manuals? >> about the servers and environment. >> is that like a blueprint for the system? >> that would give you enough information that you could learn about the platform, the infrastructure of our system, yes. >> did they take any personnel manuals? >> no. >> they took some manuals about the way we do business. they did not take personnel manuals, and we may not be defining that the same way. >> but they did take information? >> yes, they did. >> do you believe it was a breach of security? >> yes i do. >> so ms. archuleta, when we rewind the tape and look at the interview you did on july 21st
4:06 am
you said we did not have a breach in security and there was no information that was lost. that was false, wasn't it? >> i was referring to pii. >> no you weren't. that was not the question. that was not the question. you said and i quote there was no information that was lost. is that accurate or inaccurate? >> the understanding that i had of that question at that time referred to pii. >> it was misleading and a lie and was not true. when this plays out we're going to find that this was the step that allowed them to come back and why we are in this mess today, it was not dealt with and you were misleading and went on television and told all the federal employees don't worry, no information was lost. did they have access to the personal information, ms. seymour? >> no, at that time they did not have access to the personal
4:07 am
information. >> they may not have taken it, but did they look at it? >> at that time they did not have access. >> i want to talk to you mr. mcfarland and i wanted you to hear me, listen to me very carefully. there have been, after our last hearing on this subject, members on both sides wanted to ask for ms. archuleta's resignation, and i asked that we not do that but we have this hearing so we could clear up some things, and because i wanted to make sure that we all are hearing right and we are being fair. this is my question.
4:08 am
you have one opinion and ms. archuleta, director archuleta and ms. seymour have another opinion. you seem to say they need to do certain things in a certain order, and they say they think the order that they are doing them in is fine. they say they can do certain things in a short time and you say it's going to take longer. you also say they don't have the necessary stream of funding they may need. this is what i want to know. is this a difference of opinion with regard to experts? do you understand what i am saying? you have your set of experts and they have their set, and do you deem it a difference of opinion? the reason why i mentioned from the very beginning about the desire of certain members of our
4:09 am
committee to ask for ms. archuleta's dismissal is because i want you to understand how significant that answer is, because there are some members that believe that you have made recommendations and that those recommendations had been simply disregarded. can you help us with that mr. mcfarland? do you understand my question? you look confused. don't be confused. i can't hear you. >> i always look that way. >> okay, good. you always look that way. okay, go ahead. >> i am not confused, no, but it's a very difficult question. >> but it's a very important question. >> absolutely. of course it's a difference of opinion, but the opinion that i have comes from auditors who are trained to look for the things that they reported on and they
4:10 am
did, in my estimation as normal and usual an excellent job. they stand behind their findings. i stand behind their findings. >> but is it just a difference of opinion? >> well, it's obviously a difference of opinion without question, and from my perspective ours is based on auditing and questioning and understanding the situation and that's where we come up with our answers. >> you heard ms. archuleta give a whole list of things that she is doing or about to do i think, naming a new cyber officer and whatever and does that satisfy you as far as your concerns are involved? >> no, it doesn't satisfy me as far as our concerns.
4:11 am
we have a whole suitcase of concerns. we have identified on our reports. i think that the best way to explain your answer to that question is that we -- we are i guess, very frustrated that we asked answers of opm and it takes a long time to get the answers. we ask definitive questions and we don't necessarily get definitive answers. we know for a fact that the things that we have reported are factual. we don't take a backseat to that at all. our people have done this for a long time they know what they
4:12 am
are doing but, yes, it comes out to a difference of opinion, but ours is based on fact. i can't speak for the other side. >> all right. your company has a lot to answer. according to the justice department, usis perpetrated a multimedia fraud, and they failed to protect sensitive information of tens of thousands of federal employees, including people in the intelligence community and even the capitol police, and altegrity doled out bonuses. last week the committee invited the altegrity chairman to
4:13 am
testify. do you know what he said? >> i do not. >> i will tell you. he said, no, he refused. in 2014, a team from the department of homeland security asked altegrity if they could scan the networks because the cyber spies were able to move from usis to those other subsidiaries. do you know how they responded? >> i understand they declined. >> yes, they refused. altegrity is our parent company. who made the decision to refuse the government's request? >> i don't have that information. i am not aware of who made that decision. it certainly was not me. >> can you find out for me? >> i can ask.
4:14 am
>> how soon can we get that information? >> i will take it back to counsel and see what we can do. >> i would ask you to get it to us in the next 24 hours. i would like to have that. i have been trying to get it for a long time. i would like for you to tell the committee names of specific of the board. >> i interact almost never with the board of directors. >> you are about as close -- we have been trying to get the information for a while. you are all we got. i know you are just back from vacation from italy. did you get a bonus by the way? >> i did. >> oh, my goodness. how much did you get? >> i don't recall the exact amount. >> it was in the neighborhood of $95,000. >> your company also refused to provide answers in a hearing in
4:15 am
2014. do you know what your company representative said when the committee attempted to get these answers? >> i am not in that communication chain, so i don't. >> let me tell you. they sent an e-mail to our staff and i quote, the company does not anticipate making a further response, end of quote. do you know -- would you know why they would say that? >> again i am the chief information officer at usis, and i don't know. >> sounds arrogant to me. the same question i asked back in february of 2014, more than 16 months ago name the board of directors that decided not to answer those questions, you wouldn't know that either? >> i don't know the board of directors. i know the chairman is steve duh leash. >> you are still working for
4:16 am
usis, is that right? >> how long will you be there? >> indeterminate, but in the next month or so i will be departing. >> will you try to get me those names? >> i will take your request back to the appropriate people. >> thank you. we recognize the gentleman from florida. >> thank you, mr. chairman. ms. archuleta, there has been a discussion today about how many people's -- federal employees and retirees -- have been breached and you testified at the beginning, you estimated about 2.4 million, is that correct? >> it was 4.2 -- >> 4.2 in personnel? half of that is retirees and that's 2.4 and then you add -- >> i don't know exactly, but
4:17 am
it's about half and half. >> the second figure you started to debate about was 18 million which has been reported by the media, and that would deal with breach of social security numbers? >> the analysis right now is taking a look at all the pii because pii comes in various forms -- >> but you are not prepared to tell us how many -- >> no, sir. >> of the social security numbers are breached. the chairman pointed out your statement in february, you had said over 32 million records? >> that was the number he used yes. >> so you really don't know, then, how many records have been breached beyond the 4.2? >> no, sir that's the investigation we are doing right now. >> i thought about this a little bit and i thought, well, first thing, were my records breached
4:18 am
my staff, and then thinking about the other people downtown and the agencies, and we have a responsibility to protect their personal information, and over the weekend, in fact monday, i spent the day at an embassy being briefed on a bunch of issues, and then brought to my attention was people in sensitive positions that they were notified by you all of a breach of their records. so our overseas personnel in sensitive positions have also been subject to the breach, correct? >> employee personnel records -- >> how much data is there? address, and personal information about these individuals. you think a little bit about people in the glass places here and you want everybody safe.
4:19 am
i was stunned to find out that some of the people, united states citizens serving overseas, were notified that their personnel records have been breached and information is available on them and they are in possible situations that could be compromised by that information, but you have notified them, right? >> we have notified the 4.2 million -- >> those are the people. they mentioned this to me. i was there on other subjects, but they expressed concern -- >> i am as concerned as you are about this because these are the individuals who have been -- whose data -- >> these people are on the front line, and they are overseas and representing us and i could hear concern in their voice about what has taken place. i have read it's chinese hackers, does anybody know?
4:20 am
was it the chinese? do we know for sure? do you know for sure? >> that is classified information, sir. >> so you have some idea but it's classified? >> it's classified and i can't comment here. >> whether it's chinese or some group that could give this information to people who would want to do harm, then that means some of those people to me are at risk? >> sir, every employee is important to me, not whether they are serving in kansas city or overseas. >> no, but yesterday morning before i left i visited a site of a terrorist act in one of the capitals and i saw, well, that place still had not been opened and it has been months since that terrorist attack and our people are over there on the front lines and their information has been compromised. you have been there the longest ms. barron-dicamillo.
4:21 am
>> what was that? >> you have been in position since 2012 at opm? >> no, i work for the department of homeland security. >> but you are responsible for overseeing opm's -- >> dhs is a shared cyber security, and we are working with partners and we work with them protecting the boundaries -- >> when did we first find out about the breach? >> it was notified by a third-party partner to us in march of 2014. >> 2014. so when you came on, ms. seymour, about 2014? >> i came onboard in december of 2013, sir. >> so you were there. they talked about his bonus. are you ses? >> yes. >> did you get a bonus, too? >> yes, sir, i did. >> how much? >> i do not know the exact
4:22 am
amount but i believe it was about $7,000. >> whether you were private or public, you were getting a bonus while some of this was going on. >> we will recognize the gentlewoman from new york for five minutes. >> thank you. i am trying to get this straight. opm was breached directly, is that correct? i will ask ms. seymour, opm was breached twice? >> that's correct. >> and one occurred in december of 2014, detected in april of 2015, and then the security breach -- when were the two breaches? when were the two breaches, the dates? >> the first opm breach goes back to -- we discovered it in march of 2014 and the breach actually -- but the breach
4:23 am
actually occurred in -- >> you discovered it in march 2014. >> yes, ma'am, and the breach actually occurred -- the adversary had access of november of 2013. >> and then the second breach was when? two breaches, correct? >> that's correct, ma'am. the second breach we discovered in april of 2015, and the date that that breach goes back to is act of 2014. -- i am sorry, june of 2014. >> who discovered this breach? how did opm discover this breach? >> the first breach we were alerted by dhs. >> so you did not discover it the department of homeland
4:24 am
security discovered it? >> yes, ma'am. >> the second one, who discovered it? >> opm discovered it on its own in april of 2015, and by then we had put significant security measures in our network. >> now when did you report these breaches? who did you report them to? >> on april 15th when we discovered the most recent breach we reported that to us-cert. >> who? >> the computer emergency readiness team. >> did you report it to congress? >> we reported it to the fbi and made the notification to congress as well. >> that was the april 15th one. what about the first one? >> for the first breach, again,
4:25 am
dhs notified us of that activity in our network and so they already knew about that one, and yes, ma'am we made notifications to congress of that one as well. >> when? >> i am sorry, ma'am i don't have that date in my notes. i would be happy -- >> could you get it back to the committee for us. did you notify the contractors of the breach? >> at the first breach there was not an awareness that -- of what the adversaries were targeting and this may go beyond opm. i know our staffs at -- my
4:26 am
staff, my security staff, had conversations with the contractor organizations, and i know the indicators of compromise that dhs had were provided to other government organizations, were put into einstein, as well as they have communications that they would -- >> but the breaches were direct. now, i want to understand the interaction with the contractors. now, when they breached you, did it go into opm? i am asking you both. when they went into that system did that connect to opm or was it held within your system? >> it was held within -- the intrusion of 2014, it was within our systems. >> within your systems? so the four identities they have and information they have, it came from opm or the
4:27 am
contractors? are they one and the same or separate? i will go back to ms. seymour. >> these are separate incidents, so with the breach at usis, the way opm does business with its contractors is different from the other way its agency may do business with key point and usis, so there were approximately 49,000, i believe it was, individuals we notified based on the key point incident, and there were other agencies that made notifications based on the other incidents. the 4.2 number you are getting is about the personnel records, the incident at opm -- >> what i would like to get in writing is exactly what information came out of opm and what information came out of the contractors? is it one and the same?
4:28 am
you are the final database so i want to understand the connection and how the breaches occurred and how they interconnect. >> i want to remind you you are under oath and i have a series of questions to follow up on carolyn maloney's questions. it was reported in the wall street journal a company says they were involved in discovering the breach that apparently has been, according to the article, linked to chinese hackers. opm's press secretary said the assertion that cytech was somehow involved them -- ms.
4:29 am
Seymour, do I have your attention? They said they were invited in by OPM and their equipment was run on OPM, and their equipment indicated there had been an intrusion of your system and they notified you, but your response officially from OPM is that it's inaccurate and they were not involved, and Ms. Archuleta, you said they were not involved. I remind you both you are under oath, so do you want to change your answer? >> No, they were not. >> No, they were not. >> Reminding you again you are under oath, were they ever brought in to run a scan on OPM's equipment? >> It was engaged and we looked at using their tool in our network, and it's my
4:30 am
understanding we gave them some information to demonstrate whether their tool would find information on our network, and in doing so they did indeed find those indicators on our network. >> Thanks, Ms. Seymour. The CEO and vice president of technology officer came in and briefed the staff, and they relate they were given access and ran their processes and they discovered it, and previously it was denied they had involvement. What exactly did CyTech do? Were they given access to your system and run it on your system? >> Here is what I understand, sir. OPM discovered this activity on its own. >> That was not the question, Ms. Seymour. I am assuming you would have a greater understanding, that you would know, considering you are the chief information
4:31 am
officer and you are testifying before us how it happened, and there already has been a news article, so tell us clearly what access was CyTech given to your system. >> I am trying to explain how they had access. OPM discovered the breach, and we were doing market research and we purchased licenses for their tool. We wanted to see if that tool set would also discover what we had already discovered. Yes, they put their tools on our network, and yes, they found that information as well. >> So you were tricking them, and you already knew it and said, shazam, you got it too. Seems highly unlikely, don't you think? >> We do a lot of research before we decide what tools we will buy for our network. >> At that point you had not removed the system from your system? You knew it was there and you brought them in and their system found it too, which means it was
4:32 am
continuously running and the personnel information was still at risk? >> No, we had latent malware on our system that we were watching and quarantined. >> So it was no longer operating? >> That's correct. >> Okay. Clearly you are going to have to give us an additional briefing, and the intel committee staff, exactly how you did this, because CyTech is relating what they did and it's compelling, and quite frankly what you say sounds highly suspicious, that you brought them in and tricked them to see if they could discover it, something you already discovered, and why would you need them if you already discovered it, and further tricked them to say you don't have the system on your system anymore. It contradicts in so many ways it defies logic. Your SF-86 form was compromised.
4:33 am
You sound like it's minor. But this is the form, and this is what they have to fill out. Their Social Security number is all over this. In my community there are a number of people who had to fill it out to be able to serve their country. What are you doing about the additional information in the form that is being released and is out there about the individuals? >> I filled out exactly the same form -- >> I didn't ask that. It's not just about identity theft. This is not just their credit cards and checking accounts. What are you doing about the rest of the information that is in here, about counseling them and assisting them? >> I just used that by way of example; I understand what is in the form, personally and as the director of OPM, and because at OPM, as you know, we do federal background investigations, and I am clearly aware of what is in the form. As I mentioned in my testimony, we are working with a very dedicated team to determine what
4:34 am
information was taken from those forms and how we can begin to notify the individuals who were affected by that. That form is very complicated, and that is why I am very, very careful about not putting out a number that would be inaccurate. That is a complicated form with much information. It has PII and other information, so we want to be sure that as we look at how we protect the individuals that completed those forms that we are doing everything we can, and we are looking at a wide range of options to do that. This is an effort that is working together throughout government and not just OPM. We are concerned about the data lost as a result of the breach by the hackers that were able to come into our systems. I will repeat again, but for the fact that we found this, this malware would still be in our
4:35 am
systems. >> Chairman, I want to thank them for acknowledging that CyTech did have involvement, even though they previously denied their involvement. I have a question for Ms. Barron-DiCamillo, but first I want to ask Ms. Archuleta, members have been concerned about this 4.2 million number that you have tried to straighten out for the record. That's not a final number and it almost surely will go up. Is that the case? >> There are two incidents. >> I understand that. >> In the first incident that number is 4.2 million. In the second incident we have not reached a number. >> So the number is going to go up. I understand -- and I am receiving calls from federal
4:36 am
employees about OPM's promise of 18 months, I believe it is, of free credit monitoring. Is it true that federal employees must pay for this service after that time? >> Well, the services we are offering are identity theft protection up to $1 million, and we are also offering credit monitoring for 18 months, which is the standard industry practice. As we look at the second notification, we are looking at our whole range of options. >> Ms. Archuleta, there's a great deal of concern, not so much about paying for it but about the amount of time; the 18 months may be too short a period of time given how much you don't know and we don't know. >> We are getting tremendous information back from not
4:37 am
only -- >> Are you prepared to extend that time if necessary? >> I have asked my experts to include this feedback that we have received on a number of different considerations. >> Are you prepared to extend that 18 months in light of what has happened to federal employees, if necessary? >> As I said, we don't know the scope of the impact -- the scope of -- >> Precisely for that reason, Ms. Archuleta. I have to go on. If the scope is greater as you get more information, will you correlate that to extending the amount of time that federal employees have for this credit monitoring? >> Congresswoman, I will get back with you as to how -- what range of options we have. >> When you get back to us -- within two weeks on that. Ms. Archuleta, we have people out there, all of us have constituents out there, and you won't even tell me you are
4:38 am
prepared to extend the time for credit monitoring. What kind of satisfaction can they get from OPM? I am just asking you that, if necessary. >> Congresswoman, I am as concerned as you are -- >> In other words, you are not willing to answer that question. Are you willing to answer this question? They report having to wait long periods of time, sometimes hours, to even get anybody on the phone from OPM. Can you assure me that if a federal employee calls they can get a direct answer forthwith today if they call, and if not, what are you going to do about it? >> We are already taking steps, and what the contractor has implemented is a system similar to what Social Security is using, so if they get a busy tone, they also can leave their number and they will get a call back. >> Within what period of time,
4:39 am
Ms. Archuleta? >> For example, I heard -- a gentleman told me this morning that he left his number and was called back in an hour, so that individual does not have to wait on the phone. >> You let the chairman know before the end of this week what is the wait time for a return call, and that was a subject of great concern. >> We get those numbers every day and we will be glad to. >> We need some assurances, and we can't assure them beyond 18 months they are going to get credit monitoring, and that's a very unsatisfactory answer, I want you to know. I want to ask, we understand that much of this is classified, and we keep hearing we can't tell you things because it's classified. Of course the press is finding out lots of stuff. They reported that law enforcement authorities have been examining the connection between the cyber attack at OPM and a previous data breach that
4:40 am
occurred at KeyPoint. I want to ask you -- and I don't want to discuss or am not asking anything classified, but you assert in KeyPoint's data breach, did you find hackers were able to move around the company network prior to detection? >> In the case of the KeyPoint investigation? >> Yes. >> Yes, ma'am, they were able to move around in the KeyPoint network. We had an interagency response team that spent time reviewing the network after the customer technical -- >> Even for the domain level? >> Correct. They had access -- we were there in August of 2014. An on-site team -- >> What does that allow a hacker to do if you get to the domain
4:41 am
level? >> At that point in time, through the fall of 2013, during that time they were able to leverage certain malware to escalate privileges from the entry point and they entered the -- >> They can get to background points. >> The time has expired. >> They could not. They were not -- there was no -- there was a PII loss associated with 27,000 individuals associated with that case, I believe. It was potentially exposed, and because of lack of evidence we were not able to confirm that, but they had potential access, but we were not able to confirm the exfiltration of that data. >> I now recognize myself for five minutes of questioning. Let me ask Ms. Archuleta, what
4:42 am
do you believe was the intent behind the attack? We are talking about the attack, so what do you think the intent was? >> You would have to ask my partners in cyber security about that. I don't -- I am not an expert in -- >> Ms. Seymour, maybe you could respond? >> That would be better placed with DHS and perhaps with others. >> Let me start with Ms. Seymour, do you have any idea as to the attack? >> OPM doesn't account for the attribution or for what the information is used. >> I would be happy to discuss the details, and it's more appropriate for a closed, classified setting. >> Ms. Archuleta, how would you assess OPM's communication with current and former employees regarding the breach? At this point in time, how would you assess it? >> I believe that we are very --
4:43 am
we want to work very hard with our contractor to make sure that we are delivering the service that we want. We have asked them throughout this process to make improvements. We have demanded improvements and are holding them accountable, excuse me, sir, to deliver the services we contracted for, and Ms. Seymour is in communications with them, and I do not want our employees to sit and wait on a phone and do not want them to have to wonder whether their data has been breached, and I want to serve them in every way we can, and that's why we are demanding from our contractor the services the contractor will deliver. We are working hard on that and each day give them the appropriate feedback for what we are hearing from our employees. >> Federal News conducted an online survey about the data
4:44 am
breach, and one of the questions asked to rate OPM's communication with current and former federal employees about the data breach. The results showed that 78% of respondents indicated it was poor, and 3% described it as good, and less than 1% said it was excellent. I appreciate the fact that you want to improve that, and we expect you to make sure that whoever you have contracted with improves that. >> Those numbers don't make me happy, sir. >> Those are terrible numbers. >> I will do whatever I can. I care deeply about our employees. >> Let me move on. Some news reports indicate attackers may now be in possession of information of every federal employee and retiree and up to one million former federal employees.
4:45 am
If that is true, they have the information of date of birth and job history and more that could be there. For years we have been hearing about the risk of a cyber Pearl Harbor. Is this a cyber Pearl Harbor? >> The information associated with the data breach that was confirmed is what we would call, on a severity scale, a significant impact. >> A significant impact. What does significant impact mean? >> Meaning the data, if it was correlated with other data sources, could impact the environment as well as the individual. >> Environment meaning? >> The fact they were able to take the data out of the environment, that is a significant impact on the environment, and ensuring they were able to mitigate the ability the attacker used to get into the
4:46 am
environment. >> So it has blown up? >> Sorry? >> It has blown up a lot of things, protection, security? It's a Pearl Harbor. >> That's not a term I am comfortable with using, but when the severity scale -- >> It's pretty significant? >> Yes, medium to high significance, yes. >> Let me ask Ms. Seymour, do you think issuing a request for quotes on May 28th and establishing a deadline of May 29th to potential contractors was a reasonable opportunity to respond in this significant issue of cyber security? >> Our goal was to be able to notify individuals as quickly as possible.
4:47 am
We worked with the GSA schedule and contacted the schedule holders, and put it on FedBizOpps for other opportunities. So our goal was to make sure that we could notify individuals as quickly as possible. >> That was quick. Maybe too quick. My time has expired, and now I recognize the gentleman from Massachusetts, Mr. Lynch. >> Thank you, Mr. Chairman, and thank you to the witnesses for participating today. Ms. Archuleta, you testified before the Senate. Let me ask you at the outset, who is ultimately responsible for protecting the information of employees at OPM, or that are covered by OPM, the federal employees? >> The responsibility of the records is with me and my CIO.
4:48 am
>> So you also testified that nobody was to blame. Is that right? >> I think my full statement, sir, was that I believe that the breach was caused by a very dedicated, a very focused actor who has spent much funds to get into our systems, and I have worked -- the rest of my team has -- I have worked since day one to improve legacy systems -- >> I understand you are blaming the perpetrators, that those are the people responsible, is that basically what you are saying? >> The action was caused by a very focused, aggressive perpetrator. >> I can't have the same answers repeated. Mr. McFarland, the assistant inspector general testified a number of the systems that were
4:49 am
hacked were not older legacy systems, but they were newer systems. Is that your understanding? This is not the old stuff, this is the new stuff? >> Yes, that's correct. >> The former chief technology officer at the IRS and Department of Homeland Security said the breaches were bound to happen given OPM's failure to update its cyber security. Is that your assessment, Mr. McFarland? >> I think without question it exacerbated the possibility, yes. >> This is a quote. "If I walked in there as a chief information officer and saw the lack of protection for the sensitive data, the first thing we would have been working on is how do we protect that data." I am concerned as well about the flash audit that you just put
4:50 am
out, and your ultimate determination was that you believe what they are doing will fail. >> The approach that they are taking, I believe, will fail. >> Okay. >> They are going too fast. They are not doing the basics. And if that's the case, then we're going to have a lot of problems down the road. >> Let me ask you, so very crudely describing this, they are creating a shell, a protective shell, and then we are going to migrate applications in under the shell, and because of the shell they will be resistant or impervious to hacking. Doesn't seem like we should have to wait until the last application is in under the shell before we find out whether or not the shell is working.
4:51 am
Is that -- is that -- will that give us an opportunity to look at the early stages of this project? >> I am not sure if it will give us that opportunity or not. What is important, I think, from our perspective is that they have the opportunity, OPM has the opportunity right now, to do certain things that will increase the security a great deal, and that should not be abandoned and just in place of -- I don't mean to imply it is abandoned, but that should not be in place of speeding through the rest of the project to get it done. The crisis part may not seem this way to a lot of people, but the actual crisis at OPM was with the breach. That part is over. The best thing to do is
4:52 am
safeguard the system as it is right now, and then move appropriately for full restructuring. >> Do you think OPM's estimate of $93 million is accurate? >> I don't think it's anywhere close to accurate. >> I don't either. >> It doesn't seem to include the whole migration information, where they pull the information in. >> As an example, the financial system that we have, in 2009 we had to migrate that information. >> Right. And in so doing, it had a lot of oversight and went pretty well. In fact, our office was part of the oversight. But just that one system took two years and $30 million. >> All right. And that's a small fraction of what we are talking about here, right? A very small fraction.
4:53 am
>> Very small. >> I yield back. >> We recognize the gentleman from South Carolina. >> Mr. Chairman, I want to read a regulation. I would ask all the panelists to pay attention. It's a little tedious. "If new or unanticipated hazards are discovered by the government or contractor, or if existing safeguards have ceased to function, the discoverer shall immediately bring the discovery to the attention of the other party." That's a regulation. Mr. Hess, Mr. Giannetta, were there also things between you and the government? >> There are. >> They would be similar to that? A notice provision? >> I don't have the exact text, but it is similarly worded. >> I think it's helpful sometimes to define terms,
4:54 am
particularly for those that are liberal arts majors and don't deal with this. What is a new or unanticipated threat or hazard? Mr. Hess? >> That would be an indication of a compromise of a system or failure of any of the system protections. >> Oh, so when Chairman Chaffetz was having a hard time getting an answer to that because the focus was on the loss of personal information, it's just a threat or hazard. It doesn't actually have to be a loss, does it? >> Not the way I would define it. >> Me either. >> What about "existing safeguards have ceased to function"? What does that mean? Mr. Hess? >> Sir, it's pretty self-explanatory. >> It did strike me as being self-explanatory. Is it self-explanatory to you? Existing functions have ceased
4:55 am
to function? What does the word immediately mean? >> Without delay. >> Without delay. Is there another meaning that you are familiar with? >> That's a good definition. >> So you had a contractual obligation with the government and a regulatory obligation that if new or unanticipated threats are discovered by the government or contractor, or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation to the attention of the other party. Ms. Archuleta, I've heard this morning about a March 2014 data breach. Did I hear that right? >> Yes, sir, you did. >> When did you bring that to their attention? >> I would have to get that information. I don't have it in my notes.
4:56 am
Perhaps Ms. Seymour would know. >> Do you know if it was immediately? >> I would expect that it was immediate. >> Let's find out. Ms. Seymour, do you know? >> No, sir, I don't. I don't think we immediately notified our contractors of a breach to our network because at that time we did not have any question as to whether it was affecting them. It was to our network at that time. >> Mr. Hess, Mr. Giannetta, is that your understanding, that they were under no duty to bring that to your attention? Not all at once. It's your contractual language. Do you think you should have been notified because of the March breach? >> Absolutely. >> Why? I just heard one person say they didn't know and the other it
4:57 am
was really none of your business. Why should you have been notified, despite the plain contractual language? Why do you think it was important that you be notified? >> So that we could take more appropriate actions to protect data. >> Were you notified? >> I was not. >> Were you notified immediately? >> No. >> Huh. What do you have to say about that, Ms. Seymour? >> I believe that that's accurate, sir. >> Well, I'm with you there. I guess my question is why? Why, despite the plain language of the contract and the regulation, why did you not immediately notify the contractor? >> We worked with DHS and partners to understand the potential compromise to our system so that we could -- >> Was DHS one of your contractors? >> No, sir. >> I didn't think so.
4:58 am
That doesn't really help me understand the regulation, because this says contractor, not DHS. Why didn't you notify the contractor? >> We were still investigating what happened in our network. >> What does the word immediately mean to you? >> Without undue -- >> Did you do so? >> No, we did not. >> Does it say as soon as you figure out what happened, or after you talk to DHS? That is not in my version of the regulation. Is it in yours? >> I have not read that regulation. >> That one doesn't exist, the one that says notify DHS or try to figure it out. The only one that exists says to notify the contractor. You didn't do it, and my question is why? >> I can't answer that question. >> Who can? >> I will take that back and get you -- >> To whom will you take it? >> I believe I would take it back to my staff to see if we
4:59 am
have processes in place. >> Do you think it's staff's responsibility to notify the contractor? >> We have processes in place for making notifications when we find these -- >> Who is ultimately responsible for that? Who failed to meet the contractual regulations? >> I'd have to read that regulation. I'd be happy to read it. I'd like to read the full context of it. >> You think the context is different than what I read? >> I'd want to read the -- >> Have you read the contract? >> I have read most of the parts of the contract, sir. >> I can't speak for the chairman, but my guess is he and the other members would be responsible to learn who failed to honor the letter and spirit of the contractual obligation. With that, I yield back. >> We'll recognize the gentleman from California. >> Thank you, Mr. Chairman. I have concerns not just about
5:00 am
the failures of OPM leadership but its contractors, in particular USIS. It looks like what happened here wasn't just recklessness or negligence. It was fraud. I want to know how far up this fraud went, whether the hedge fund managers that funded these companies knew about it. Let me begin with Mr. McFarland. The Department of Justice joined the lawsuit for defrauding the government under its contract with OPM. And according to a Justice Department filing, beginning in at least March 2008 and through September 2012, USIS management devised a scheme involving quality reviews of backgrounds -- >> The U.S. assisted in this investigation, correct? >> Yes. >> The parent company paid
Collection: CSPAN. Uploaded by TV Archive.