Key Capitol Hill Hearings, C-SPAN, June 25, 2015, 5:00am-7:01am EDT
>> ...of OPM leadership but its contractors. In it, USIS. It looks like what happened here wasn't just recklessness or negligence. It was fraud. I want to know how far up this fraud went. The hedge fund managers that funded these companies knew about it. Let me begin with Mr. McFarland. The Department of Justice joined the lawsuit for defrauding the government under its contract with OPM. And according to the Justice Department filing, beginning in at least March 2008 and through September 2012, USIS management devised and schemed quality reviews of backgrounds --
>> The U.S. assisted in this investigation, correct?
>> Yes.
>> The parent company paid bonuses during the period of the fraud that amounted to $30 million. Has USIS paid the government back for those bonuses?
>> I'm not positive, but I believe not.
>> Let me enter into the record, Mr. Chairman, if possible, an article from "The Wall Street Journal" entitled "Executives Got Payout Before Screener Went Bankrupt." If I could enter the article into the record.
>> Without objection.
>> I ask a second one be entered. An article in "The Washington Post." The Justice Department filed a motion in this case on Friday seeking $44 million from USIS' parent company. That's from this Monday.
>> Without objection, so ordered.
>> Now let me ask Ms. DiCamillo. For USIS to have these breaches, it would have cost less than $30 million, correct?
>> Not having investigated specifically the breadth and depth of all the parent companies, we were focused on the USIS network. They were higher than $30 million for the recommendations we provided to them. That number could be as high as $50 million.
>> Thank you. I appreciate that. Now I want to ask Mr. Gianetta about the bonuses awarded. Who on the board reviewed the performance of the CEO and decided to award him with bonuses during the 4 1/2 years USIS was defrauding the government? Was it the board?
>> Since my role began at USIS in 2014 as the chief information officer, I don't have any knowledge, direct or indirect, of who approved --
>> You don't know if it's the parent company or hedge fund managers. We don't know who did this?
>> We'll send you written questions after this. I want your commitment that USIS or Altegrity will provide a response to our questions within 30 days. Will you commit to that?
>> Yes.
>> I also think the committee should call the president of Altegrity as well. You issued two advisory reports, one in November 2013 and November 2014, correct? On OPM. Mr. McFarland? You issued two IG reports dated November 2013 and November 2014.
>> Sorry.
>> So you issued two reports dated November 2013 and November 2014 on OPM?
>> You're speaking on FISMA, yes.
>> These two IG reports, would you agree the 2014 report is quite similar to the 2013 report because OPM actually failed to implement many of your recommendations?
>> I think there were many carryovers, yes.
>> Would you agree this is a difference of opinion? You had OPM violating standards that the administration had put in. For example, in 2014 your report on page 24 says OPM was not compliant, that required two-factor authentication. On page 12 you also said that OPM was not complying with international institute standards. You would agree OPM was not following these standards, correct?
>> Yes.
>> Do you take responsibility for not following OMB guidance as well as guidance from the National Institute of Standards which, had you followed, could have prevented these breaches?
>> Well, sir --
>> Yes or no. Do you accept responsibility for --
>> It can't be a yes or no.
>> This is a yes or no. You don't have to accept responsibility. I just want to know if you do.
>> I have to take into consideration when an audit is conducted by the auditor. I have to make an informed decision about his recommendations. It's not whether I disagree with him.
>> This is OMB. It's this administration's guidance.
>> And we have worked very closely with OMB to make sure that we're tracking, documenting and justifying all of our steps in --
>> My time is up. I take it you don't actually take responsibility. I yield back.
>> I now recognize Mr. Meadows.
>> Ms. Seymour, let me come to you because there seems to be some conflicting information before this committee. On April the 22nd you indicated it was the adversary's modern technology and the OPM's antiquated system that helped thwart, in your words, thwart hackers at the first OPM attack. Is that correct?
>> Yes, sir.
>> Last week you testified repeatedly that it was the OPM's antiquated systems that were the problem and the chief reason that the system was not secure and didn't do just the basic cybersecurity measures of encryption and network protection. So I guess my question to you, Ms. Seymour, which is it? Is it the fact the old system helped you or the old system hurt you? Those are two conflicting pieces of testimony.
>> I don't believe they are conflicting, sir. In the first incident the old technology thwarted the actor because they did not know what they were doing in that environment. We immediately put in place a plan to provide better --
>> So you caught them immediately?
>> No, we immediately put in place a plan so that we could improve the security posture. What we did was we moved to build a new architecture where we could put additional security controls. We also, at the very same time, put security controls in our current environment.
>> Okay.
>> We did not wait.
>> Well, you say you didn't wait once you found the problem, but is there a --
>> Sir --
>> Hold on. Let me ask the question. Is there, in the security I.T. cybersecurity technology chief operators, is there anyone who would apply for a job who would suggest not to do encryption of sensitive data?
>> Encryption is not a panacea.
>> I didn't ask that. Is there anybody in your job or similar job that would say we're going to protect everything, let's leave it unencrypted? Can you think of anyone? Because I've been asking all over the United States. I can't find anybody.
>> I'm trying to explain the situation. Our databases are very large. Our applications are not always able to work properly and encrypt and decrypt that data.
>> So you're saying this was a volume problem, not a management problem. Because you're under oath and that's concerning because you're saying you just didn't have the resources to handle the large volume of information?
>> It's not a resource information. It's whether our applications are built so that they can --
>> So they aren't encrypted today?
>> We have purchased the tool set, sir, and we are in the process of encrypting pieces of our databases as opposed to the whole database.
>> We need to focus on the sensitive information. What do we tell the millions and millions of federal workers that now, because their system has been breached, now you're going to encrypt -- do you feel like you've done your job?
>> I do, sir. I came on board and recognized these issues and worked with Director Archuleta to put in a plan --
>> You both came in in 2013.
>> At the end of 2013, yes, sir.
>> How long did it take you to buy equipment to start encrypting?
>> Simple answer.
>> June of 2014.
>> Okay. So you bought equipment in June of 2014. So when did you start encrypting?
>> A couple of databases encrypted already.
>> A couple out of how many?
>> We have numerous.
>> That's my point.
>> It takes time and resources.
>> When you applied for the job and were going through your Senate confirmation, you said you'd make I.T. your top priority. Again in this committee you said that it was your number one priority. Can you explain to the federal workers and all those that have had their personal information breached how making it your number one priority when you were confirmed in 2013 is still to be believed? Or was it just what you said during a confirmation hearing and you never intended to act on it?
>> I believe the record will show that I have acted on it. That I am dealing with a legacy system that's been in place for 30 years. And we are working as hard as we can. In 18 months we have made significant progress. But so have our aggressors. Cybersecurity is an enterprise responsibility. I am working with all of my partners across government. And I have shown that we have prioritized this even as early as 2014 and 2015 in our budgets and in the resources we directed towards that. I do not take this responsibility lightly. As I pledged in my confirmation hearing and last week, and as I pledge to you today, I take it extremely seriously and I am as upset as you are about every employee that is impacted by this. That is why we're dedicating resources throughout government. Not just at OPM, but at every level of government to make sure this does not occur again. We're working very hard.
>> I appreciate that. I appreciate the patience of the chair.
>> Thank you, Mr. Meadows. I'd like to recognize my colleague from the great state of New Jersey, Ms. Coleman.
>> Thank you for your being here today. I have a couple of questions. With regard to one breach that involved the 4.2 million employees, those are actual employees and retirees. That's a closed system. We know how many that is. With regard to the individuals whose information was in a system because background checks were being done with them, "A," we don't know how many. Every one of those individuals didn't ultimately get a job, so we have some whose information aren't even employed by the government.
>> Yes, if there was a background investigation requested.
>> In that second breach of that universe that's so large, that information was breached through a breach in the security of KeyPoint? Is that true, Ms. Archuleta?
>> Yes.
>> Someone who had credentials with --
>> There was a credential used, and it was -- that was the way they got in.
>> So who is trying to identify all the universe that's been compromised through the latter breach? Is it KeyPoint who is trying to clean up its mess or --
>> No, no, we have a total enterprise-wide security team or forensic team that is doing the forensics on this.
>> Mr. McFarland has made a number of observations and recommendations. And I believe I was left with feeling that you didn't believe OPM was moving in the right direction on the right path to get to where it needs to go. I was also informed his recommendations or findings are a result of auditors and specialists in this area. I have two questions for you, Ms. Archuleta. Number one is, are you using experts and the same kinds of skill sets that Mr. McFarland is using and looking at the same things he's looking at? And do you agree with his recommendations? And if not, on what areas do you disagree?
>> The audit I can take by way of example. First of all, I respect the inspector general's diligence in overseeing this topic. And there are areas we have areas of agreement and areas that I think we need further conversation about. In terms of the existing contracts and use of full and open competition, I'd like to assure the IG that the processes we used toward the already existing contracts have been perfectly legal. And we're going to continue to ensure that our future contracts and processes entered into will also be legal. I also understand that he's concerned about the sole source contract of tactical and shell he spoke about. I understand his concerns and I'd like to remind him that the contracts for migration and cleanup have not yet been awarded and we'll consult with him as we do that. Where we don't -- where we have areas that we need to consider together and, by the way, the IG and I meet on a monthly basis and our staffs meet on a weekly basis or biweekly, I look forward to discussing with him the major business case so we can figure out what the practical timeline will be.
>> Tell me what you think is the time frame for the IG's office and your office, and Mr. McFarland you might weigh in, necessary to get to where we need to get. Not that all these things are going to be implemented, but we agree on what needs to be done. Are we talking about three months from now, six months from now? Do we have any idea?
>> I would ask Donna just to talk about the tactical and shell processes. The reason we're trying to do that as rapidly as possible is so we can move out of the legacy network. The issue about the migration and the cleanup we will continue to discuss, but we're trying to rapidly move toward that shell.
>> Do we still have contracts with KeyPoint?
>> Yes.
>> And KeyPoint, this is to Mr. Hess, I believe, how many contracts with how many departments do you have?
>> Our primary contracts are through Homeland Security and OPM.
>> And so are you -- are your contracts, active contracts coming to an end or are you at the end of these contracts?
>> They're all active contracts.
>> They're all active contracts.
>> Mr. McFarland, should we be ceasing our relationship with KeyPoint?
>> Based on what I know at this point, I have no reason to believe that we should.
>> That we should?
>> I have no reason to believe that we should cease the relationship.
>> That we should cease.
>> No, that we should not --
>> Should not? Do you agree with that, Ms. Archuleta?
>> I do agree. KeyPoint has taken the steps necessary to mitigate any security questions. They have been very active in working with us on that.
>> Should we cease contracting with them? Mr. McFarland says yes and you said --
>> No, he said no.
>> i said no. i'm sorry. thank you very much. mr. mcfarland last question to you, what are the three important things we need to do just to get us back on the right track and how long should it take? and that will be the end of my questioning, mr. chairman. thank you very much. >> i'll give you four, if i could. first, we'd like to see the implementation of multifactor authencation using pvi cards and then develop a comprehensive inventory of information systems, servers and databases. and further protect existing data with encryption and data loss prevention tools. and then proceed with the infrastructure overhaul with disciplined project management
5:19 am
approach. and i have no idea how long that will take for discussion. >> thank you. now i'd like?rhb to recognize mr. de santos from florida for five minutes. >> this is a really really frustrating hearing and obviously, a colossal failure. we have a government that will tell us how much water we can have flushing in our toilets how much corn we have to put in the gasoline we use to drive our cars government will tell us the type of health insurance we can and cannot buy yet on the core functions of government, the things we need the government to do it seems it fails habitually. this is a major example of that. the numbers of people affected when ms. archuleta talked about we don't know on the clearance side.
5:20 am
we dont know because it's not just the person that filled out the form. you have friends family members, associates, foreign nationals you may know who china would like to know who those foreign nationals are. you're talking about a larger number than the number who filled out those forms. yet it seems to me that we just have bureaucratic paralysis. nobody is really accountable. ms. archuleta members of this committee have called upon you to resign. you've rebuffed that. do you still believe you should remain in your position? >> i am more committed than ever to serve the employees of this administration. i am working very hard. and i think -- >> do you accept responsibility? >> i accept the responsibilities that are given to the director of the opm and i have fulfilled those responsibilities by making sure we have the right people in the right places and seeking the
5:21 am
resources we need to do our work and make sure the systems we have in place can do the work that they are expected to do. again, we have a legacy system that is 30 years old. we have dedicated money -- >> and i appreciate that. i've been here for your statements and heard you make that point. but if not you then who, if anybody in opm should be held accountable for this colossal failure? >> i am responsible as the director of opm for -- >> is anybody going to be held responsible? >> for a number of different responsibilities. i take very seriously, as i said in my confirmation hearing and many other hearings after, including today -- >> what about responsibility? >> i accept -- i have -- >> they'll say, ron we have people mess up in the government all the time and nothing ever happens. and that's not the world that our constituents live in where there's usually consequences.
5:22 am
so you're not committing that anybody will be fired or helda akontable because of this? >> we're going to do the best job that we can. >> i appreciate that but that is not something that i think the american people have confidence in right now given what's happened. now let me ask ms. di camillo people have been warning about the risk of a cyber pearl harbor. obviously the ig warned the opm about vulnerabilities in their system for years and years. does this institute a cyber pearl harbor. >> that question was asked to me earlier. we use a severity scale. based on the impact to data and the network and getting back to a known healthy state, we'd consider this a medium to high severity. and the ability for the
5:23 am
mitigations we put in place as part of the plan we provided to opm post assessment. >> those are mitt gaugsigations for the system itself. they don't include mitigations for any of the capabilities that some of the people whose ident hit identities may have. >> ensure the protection of their networks. we provide mitigations to help them get back to a known good healthy state and prevent these things, and if they are targeted again, helping them detect that activity sooner so they can detect it and clean that up. >> if china gets blackmail information they can use against people serving in our government in important positions, if china is able to identify chinese foreign nationals maybe who are
5:24 am
friendly with the united states and people there's no way you can calculate the damage that causes? >> i'm a cybersecurity operator. that's clearly a question for intelligence. >> i think it's a very important question, and i think the damage to this is very very severe. i yield back the balance of my time. >> i'd like to recognize the chairman from virginia mr. connolly. >> thank you for allowing me to go at this moment because i have to chair a meeting at 12:30. let me just say, you know, i was just listening to our colleague from florida. it's easy to make a scapegoat out of somebody or something. that isn't to absolve people of responsibility. but what we're facing is a much bigger threat than a management snafu. we are facing a systematic
5:25 am
organized, financed pernicious campaign by the chinese government in the form of the people's liberation army with a trained unit to penetrate weak spots in our cyberworld. and that includes the federal government and it may include retail and commercial enterprises, certainly banks among them. to pretend somehow this is miss archuleta's fault is to really miss the big picture. and, frankly, a disservice to our country. we have a bigger threat. whether we want to acknowledge it or not we now are engaged in a low level but intense new kind of cold war, a cyberwar, with certain adversaries including china and russia. and it is every bit as much a
5:26 am
threat to the security and stability of this country and we need to gird ourselves for this battle. and it's not okay to dismiss testimony that resources were denied. this committee led the effort, and i proudly co-sponsored the bill, to modernize how we purchase and manage i.t. assets in the federal government. is that important? why are these people here before us? because it is important. and congress has neglected it. we can't have it both ways. so while we certainly hold ms. archuleta responsible as the head of opm for how they are managing this breach, and we have every right to question why the breach occurred, to make a scapegoat in this alice in wonderland world we've created here sometimes where the answer is off with your head.
5:27 am
how easy. what a cheap headline that gets, and it does get a headline every time. but it begs the question, which is far more fundamental, far more profound and far more disturbing as a threat. and that's ultimately what we need to deal with. mr. mcfarland last week your office issued a flash audit alert to raise awareness of serious concerns over opm's ongoing overhaul of its entire i.t. infrastructure. according to that flash alert your office stated, in our opinion the project management approached this overhaul and is entirely inadequate and introduces a high risk of project failure. if i understand correctly you are saying the project won't do what we need it to do. is that correct mr. mcfarland? >> no i'm not saying the
5:28 am
project wouldn't ultimately do what is hoped for. i'm saying the potential for problems exist and it's very high. >> i want to use the word in the report. entirely inadequate. introduces a very high risk of project failure. that doesn't say -- that doesn't say to me there's the possibility of failure. it predicts it's more likely than not. >> high risk for sure. >> you also indicated it will cost too much. you want to expand on that a little bit? >> $93 million that's set aside at this point won't come close. migration itself is going to be an extremely costly measure. one would note the cia used an outside vendor. i think they spent $600 million but their system seems to be working, but it cost $600 million over ten years if i'm
5:29 am
not correct. ring a bell? sound right? >> i'm not familiar with that. >> worth looking at. they partnered with the private sector rather than try to find all the answers inside. ms. archuleta, what's your response to that ig flash audit alert? >> the ig brought up some process issues that were very important. i think some that we don't agree with but there are other areas we do agree with. the important thing is to underscore the relationship we have with our ig and we'll continue to value his opinion and bring forth his ideas in to the considerations that we make. i do believe that we have to move carefully, but we have to work swiftly. as you've said, these aggressors are spending a lot of money. a lot of money to get into our systems. we need his assistance.
5:30 am
we will seek his guidance. we will listen carefully to his recommendations, and certainly consider those as we move forward. >> i just, mr. chairman i introduced the data breach notification act of 2014. although we blended that on a bipartisan basis into the safe and secure federal websites act, the senate did ñ not act. had we acted we would have had protocols in place for dealing with this at least after the fact to reassure the victims who are federal employees and federal retirees. i'd hope this committee once again will help prod the system as it did last year, only this time getting the senate to act. thank you to my dear friend from pennsylvania. >> now the chairman of the
5:31 am
subcommittee on i.t. mr. hurd for five minutes. >> thank you mr. chairman. my mama always told me you can always find the good in any situation. let me try to start off with that. dhs caught them caught the problem. that's a good thing. when they were engaged, we found it. wish it was sooner, but we caught the problem so that's good. i also got a letter from the chief information officer of opm. dear mr. hurd the u.s. office of personnel management recently became aware of a cybersecurity incident affecting its data and you may have been exposed. we have determined the data compromised in this incident may have included your personal information such as your name, social security number date and place of birth and current or former address. i know ranking member cummings and mr. micah were talking about how could an adversary use this
5:32 am
information. i spent nine years as an undercover officer in the cia. if it was the chinese, any federal official traveling to china, former official, someone there, is a subject of being targeted for elicitation of information about what's going on in the federal government. if it was the russians this information is going to be sold and used against them to drain people's bank accounts, create new access codes to get private information. if it was narcotrafficantes in mexico, it's the home addresses of men and women in border patrol, people that are keeping us safe. the threat is huge. the impact is fantastic. one thing my dad always said was it never hurts to say you're sorry. following thus letter it says -- nothing in this letter should be construed as opm accepting
5:33 am
liability for any other matters covered by this letter or for any other purpose. later it says, we regret this incident. i'm sorry actually goes a long way. i agree with what my colleagues from virginia had said about this long committed attack by advanced persistent threats and my issue is not with how we responded to the threat. i think the immediate technical steps that were taken were good things right? and i believe all the folks involved in the mitigation of the immediate threat were doing some things that can be used in other places. what i have a problem with is everything before this. if you were in the private sector, the head of a privately traded company and ernst & young was doing your yearly audit and you had at least five years of audit information saying that your digital infrastructure had
5:34 am
some high risk to it and needed to be immediately fixed, the board of directors would be held akontable for criminal activity. by multiple years. i would penetrate the networks of companies and identify the problems they had. a lot of times if there was a high risk issue we'd call the customer immediately and say this has to be fixed right now. the company and customer would do that immediately. then we'd issue our report saying here was the high risk report but it was fixed. because a company like ernst & young doing an audit would probably not put this information in an audit to go to the board because it's guys you've got to fix. so my problem is these high-risk issues identified by the ig haven't been addressed. key point. my first question is ms. ann di
5:35 am
camillo, have they reviewed key point's network? >> we were on site at key point's network in loveland colorado with our inner agency partners. we went there in an abundance of caution baseod the event that happened at usis and opm. we needed to look at contractors performing background clearance. this was done out of an abundance of caution. so our team did an assessment. some results came back that caused some concern. so we sent an instant response team on site and reviewed their network. we were there for a couple of weeks. >> when we hire contractors, are they subject to the same standards of network hygiene that u.s. government networks are? >> our contractors subject to the same? it would be part of the contract
5:36 am
language associated with requirements that are for any kind of network that houses government data there are certain requirements per the fisma law of 2002. >> in his opening remarks ranking member cummings read some of director archuleta's comments to the senate committee. the adversary leveraged a compromised key pont user credential to gain access to opm's network. when the written information that key point submitted said we have seen no evidence of a connection between the incursion at key point and opm breach that's the secretary of this hearing. mr. hess, feedback? >> congressman hurd, it is true that the key point incursion, we've seen no evidence of the connection with the opm -- >> are you saying ms. archuleta is lying? >> she is correct from the knowledge that i have been given. there was an individual who had
5:37 am
an opm account that happened to be a keypoint employee and that the credentials of that individual were compromised to gain access to opm. >> thank you. i yield back. >> we'll now recognize the gentlewoman from the virgin islands. >> thank you very much. good afternoon, everyone. i think that it's very interesting. i was listening to the ranking member cummings talking about the vulnerability of government contractors and the questions of my colleague mr. hurd regarding whether or not companies that have government contracts must keep the same level of security and care that the opm or other agencies would have to in terms of preparing for cyberattacks. mr. gianetti, i have a letter that was sent from usis to ranking member cummings on december 5th of 2014.
5:38 am
and the letter says that the federal agencies had the failure of the company. and i wanted to ask you some assertions that you made in that letter. it says their council wrote the critical cyberattack defense information only flowed in one direction, from usis to the government. is that correct? >> in the discussion we had earlier about the shared responsibility to notify from a contractor to the government and the government to the contractor, that is correct. >> what you're qualifying it now. so you're saying -- >> i'm not qualifying it. i'm suggesting that we were required and obligated by our contract to notify opm we had an intrusion, which we did immediately, and in the discussion that was held earlier, opm recognized they did not notify usis or, i believe,
5:39 am
keypoint of their intrusion of march of 2014. >> in terms of the cyberdefense information, was it one way or did it go both ways? >> in my humble estimation it was one way. >> it was from yours to the others. what would have been your estimation been the requirement of opm or the others toward you? >> well i'm not a lawyer or -;(j i don't have the contract in front of me but my understanding is that there's a requirement to notify, to say we've got an issue. here's what the issue is so that there's a free flow and sharing of information. >> so if you have an issue you're supposed to let them know correct? >> that's correct. >> that's what you felt you did. >> absolutely. >> what did they do about that information that you gave them? >> the cert team? >> yes. >> we invited the cert team to our facilities in grove city,
5:40 am
p.a. formally via a letter. the cert team arrived. shortly after receiving that letter. and enumerated our network and understood through discussions wuths our technicians as well as the third party we hired what had transpired from the 5th of june through the time they arrived. >> why does your letter also state that cert has not provided usis with any findings it may have recovered during its review. >> i didn't write the letter -- >> you are here testifying for your company. i am an attorney. i'd never write a letter as an attorney forra a company without the entire company agreeing. >> you are here to testify for the veracity of the letter. was the letter correct? >> we did not receive a briefing from cert as to the findings
5:41 am
they had vis-a-vis the intrusion. >> then let's ask cert since they're here. >> we did receive some recommendations relative to what we might do to -- >> that's not a review? >> our invitation to cert requested their assistance in identifying threats to our network. and we did not receive that. >> okay, well let's ask ms. barron dicamillo. >> our team was on site. an uner agency response team including law enforcement partners. we worked part of the incident response team. we're working with the system administrators daily. informing them every day of -- >> how many days did you inform them on a daily basis? >> we were there about two weeks. >> that's at least ten report ooze. >> we worked through the weekend. >> that's 14 reports they were
5:42 am
given asserting what -- >> the daily findings. and they can change. >> did you find something and give them ideas of what needed to be done? >> we were able to discover there was malicious malware on the network and compromised credentials, specifically -- >> how did those compromised credentials -- what were the two areas you found within their own system that should have been taken care of previously? >> we found a lack of some security mechanisms that would have helped prevent this. we weren't able to find the initial point of entry. >> can you talk about the lack of logging. >> there's logs that can help us piece together what happened within your network. >> why weren't those there? >> it's a risk-based decision. it can cost a lot of money -- >> it's a risk and cost decision made by the company itself? >> it can be.
5:43 am
it can require quite a bit of storage. >> the government contractor we hired to do government work for us decided a risk and cost decision on their part did not require them -- they didn't put in the logs necessary to protect the system. >> i can't answer that specifically. i can just give you some of the reasons that people are not having the historical logs because of the volume of data. there's millions of netflow records that happen a day. >> the letter sent by usis to ranking member cummings, would you agree with that? >> we provided daily reports and a findings report. we went over that with the team and provided a mitigation report and i have documented evidence of all of that. >> did you want to respond to that? >> if i may. >> sure. >> it's my understanding from our forensic investigator stroz friedberg that what was
5:44 am
found by the cert team vis-a-vis ms. barron dicamillo's comments was not information they hadn't already discovered. >> so the logs that were needed for them to be able to go and do a deeper forensic was something they already knew? >> that's -- >> yes or no. >> -- the forensic evidence of the third party partner. what he's saying is it was a confirmation and we were able to confirm the credentials with the third party forensic firm in there and discover additional findings through the assessment we did. >> for now we'll recognize the gentleman from alabama, mr. palmer, for five minutes. >> thank you, mr. chairman. ms. archuleta, last week i brought up a letter that two of my legislative staffers received warning them their personally
5:45 am
identifiable information may have been compromised in the cybersecurity hack. i bring this up again because earlier you disputed the number of people that are affected by this when ms. seymour admitted after i questioned her about the letter that she signed that this goes beyond the people who filled out the form 86. and i just want to know, considering the fact that a vast amount of personally identifiable information was likely exposed by foreign contractors, outsourced by opm, and opm's failure to abide by the ig's recommendations? >> can you repeat that question? >> let me rephrase it. do you stand by your assertion this is limited to a smaller group than is being indicated in
5:46 am
the media and this extends beyond the people who filled out standard form 86? >> thank you for clarifying the question, sir. i think it's really important not to conflate the two incidents. the first incident was the employee personnel records, which is the 4.2 million -- >> i'm just asking -- >> and the second incident, we haven't determined the number yet of the scope of that incident and the number of employees that would have been affected by that. >> so the answer is yes, that it's more. i think it's very evident that this attack on the federal employees' personally identifiable information not only puts those workers at risk but also puts secondary groups at risk. for instance if they have their personal e-mail addresses, as it's evident, as i pointed
5:47 am
out last week that some of the breaches occurred through personal e-mail addresses. that all of these employees and second -- their secondary relationships is it possible that certain information was exposed there as well? >> yes. the team is working on the analysis of the scope. it's exactly why we're taking our time to make sure it's accurate. the sf-86s we've talked about earlier. the data in there is -- includes not only the employee but may include other information and pii for other individuals. that's why we're being very, very careful about that and looking at the data because it's -- it could be that there was no pii for -- >> beyond this i'm talking about where the breach apparently occurred as well through personal e-mail addresses, particularly at the immigration, customs enforcement agency that was reported in "the
5:48 am
wall street journal." i brought this up to you last week. >> yes. >> but where they got in on personal e-mail addresses that would expose everybody in their e-mail chain and i think we've got -- >> i understand your question. >> you received a letter from senator mark warner with some specific questions about a contract that you awarded to csid. have you responded to senator warner's letter yet? >> i have to check with my staff, sir. we were attempting to respond as quickly as possible. >> have you personally read his letter? >> i read his letter but i don't know if his response made it through our system yet. >> he raises a question about how quickly this contract was awarded to csid. you didn't go through the normal process and it was awarded in 36 hours, i think is what senator
5:49 am
warner says. was it intentionally steered to csid? >> no, sir. >> who made the decision? >> i would ask donna to talk about the process that we used. it was a fair and competitive process. >> fair and competitive process. >> our contracting officer made the selection on the contract. >> did you evaluate the management of csid? >> i did evaluate the technical and cost proposals. >> are you -- did you evaluate the people who run the company? >> i had resumes for the people -- or for the key personnel that they provided in the proposal. >> are you familiar with their board of directors? >> no sir, i'm not. >> do you know owen lee, one of their directors? >> no sir i don't. >> okay. mr. chairman my time is
5:50 am
expired. i yield the balance. >> from start to finish, how long was it from when you got the proposal that you awarded the contract? >> i would have to go back and look at exactly when we released the rfq but i believe it -- and i don't want to misspeak. let me go back and find out when exactly we received the rfq and when we awarded the contract. i don't have that data with me. >> but it was less than 48 hours. >> i think it was in about that time frame. >> and the award is how much money? >> the contract is about $21 million for the services that we're providing for credit monitoring notification and the identity theft insurance.
5:51 am
>> why was it made so fast? >> we wanted to -- >> and were there other companies that could do just as good a job? trying to figure out how we got that company. >> we received a number of proposals and evaluated them based on the government's needs. several requirements we put in the rfq that the companies responded to. and we evaluated all of those proposals that we received against that criteria and they provided the best value to the government based on those requirements. >> will you also copy, when you give senator warner the answers to those questions, will you also send us those answers as well? >> yes, sir. >> yes. >> i think he raises a number of important questions as to mr. palmer here and we will continue to pursue that. now recognize the gentleman from pennsylvania, who's been waiting
5:52 am
patiently, mr. cartwright. >> thank you, mr. chairman. i find myself utterly dissatisfied with the explanations we've heard today. i want to train my attention on you, mr. hess. you have made some fine distinctions about what the employee of your company was doing, the one who got hacked and who was working on opm's systems at the time. and because of that hack, that employee became a victim and lost personal information and that led to the successful hacking of opm's systems. have i broadly described that correctly, sir? >> we actually do not know how the employee's credentials were compromised. >> but it was a keypoint employee, am i correct in that? >> that is correct. >> you are the ceo of keypoint? >> that is correct. >> and you are denying accountability for the opm hack and what you said is the employee was working on opm
5:53 am
systems at the time, not keypoint's, that's what your testimony was, correct? >> that is correct. >> we have an individual's opm credentials that were taken. that individual happened to be a keypoint employee. did that keypoint employee have credentials as part of his or her scope of employment with keypoint? >> correct. >> it wasn't a coincidence this keypoint employee had credentials. it was part and parcel of his scope with your company, is that correct? >> that is correct. >> and it was keypoint paying this person as the person was working on opm systems at the time, am i correct in that? >> that is correct. >> and you understand under traditional concepts of the law, keypoint is responsible for the acts of its employees acting within the scope and course of their employment with your company, you understand that don't you?
5:54 am
>> i'm not familiar with that construct. >> all right. >> mr. hess, you're here today because a cyber espionage operation succeeded in breaching very personal information that your company was entrusted with. on january 6, 2015 my ranking member, mr. cummings, sent you a letter requesting information about the data breach. his letter requested a number of documents. did you get the letter? >> immediately upon receiving the letter keypoint counsel reached out to the ranking member's staff to arrange for a briefing. and we tried to have a date and time set up. and we are still waiting for confirmation on that. >> you got the letter, right? >> yes, sir. >> and more than five months later you haven't responded with documents, am i correct in that? >> we reached out immediately to the ranking member's staff to brief the staff and we have not received a response on a time and date to do so. >> let's go through the document request that mr. cummings made.
5:55 am
he requested a log of all successful cyber intrusions into your company's networks in the last four years. that's a reasonable request, isn't it, mr. hess? >> i don't find it unreasonable. >> will you provide this to the committee? >> i will take that back to my team and let you know. >> you're the boss there, aren't you? >> i am the ceo. >> all right. but you're going to get permission from your team who work for you, is that it? >> i'm going to take it back and discuss it with my team. >> next question: copies of all forensic analyses and reports concerning the data breach including findings about vulnerabilities to malware. when will you provide these documents to the committee? >> i'll take that request back to my team and let you know. >> ranking member cummings requested a list of all customers affected by the data breach. will you provide that to the committee? >> i'll take that back to my team and let you know. >> mr. hess, your company exists
5:56 am
because of the largess of the united states federal government. we expect you to respond to requests from this committee. mr. cummings does not write letters because he just enjoys writing letters. he's concerned about the security and safety not only of federal employees, but of the united states public. this is really important. will you please treat it as such? >> i do, congressman cartwright. we responded immediately to the -- to congressman cummings' request by calling their staff, having our counsel -- and i would also -- >> by responding and calling, but not providing the documents. we want the documents, mr. hess. i yield back. >> gentleman yields. >> let me take a second. i just want to clear this up. because you just said some things that you talked about my staff. >> yes sir. >> it's my understanding they did get back to us, but for
5:57 am
months, for months, back and forth because you all did not want to agree to the scope of the meeting. and then -- then just recently, because of this hearing, you finally said, scrap the limitations on the meeting, the scope, and we'll meet. and so i don't want you to, you know, i don't know whether you have the information or what, but i want you to be accurate. >> that's not the information that i have, sir. >> well, then your information's inaccurate. >> i will research that. >> mr. hess, is it reasonable by the end of this week to provide us the documentation on the communication and lack of the meeting over the last several months? is that fair, by the end of the week? >> i will take that back to my team. >> you're the ceo. >> it can't be that difficult.
5:58 am
>> chairman, i was asked last week, on wednesday, to -- >> you were asked months ago to brief the minority staff and that didn't happen. i just want to see the documentation. is that fair? >> i'll take that request back. >> no i want an answer from you. i want to know when you will provide that information to this committee. >> i will take that back to my -- >> no i want -- you give me the date. when is it reasonable? you're the ceo. >> i understand, sir. i'll take that request back to my team. >> no. i need an answer from you. we'll sit here all day. you want me to issue a subpoena? is that what you want me to do? i'll sign it today. give me an answer that's reasonable. >> i need to take that information back to my staff. >> seriously, when are you going to provide that information? >> i'm trying to be helpful, chairman. i did do a briefing last week and we did reach out to congressman cummings' staff immediately upon receipt of the letter. and we did not receive the information that i -- >> why -- am i asking for anything unreasonable to provide the correspondence and the
5:59 am
interaction? i mean, they're going to have their half. i just want to see their half. i'm trying to give you an equal opportunity here. >> i understand that, sir. >> when is it a reasonable date? >> let me get back to you with that information. >> no. i want you to decide. before the end of this hearing. we're going to go to the next set of questioning. you can counsel with all the people sitting behind you, but it's a reasonable question. mr. cartwright said it is not unreasonable. so, if you think it is, tell me. but i just want to see the correspondence. counsel all you want while we ask the next set of questions, but i expect you to keep an ear to mr. grothman, whom we're going to recognize for five minutes. >> thank you. two comments before i ask questions. first of all, this is kind of a follow-up on what i think congressman hurd was trying to get at. it surprises me there's not -- you folks are not contrite over what happened. it seems like you don't understand the enormity of the disaster that's happened here.
6:00 am
secondly, sadly this is all too often common for government and it's something that i think everybody in this institution should remember as we pass bills, having the government have these huge databanks of educational information or medical information or what have you, because if the people in charge of these banks of information don't display more sense of urgency than you folks, i think, you know, the possibility of this happening in other agencies is something we should be considering. i now have some questions for ms. seymour. you're going to be in charge of a whole overhaul of this whole i.t. thing, correct? >> yes sir. >> do you feel you have the skill set to oversee something of this magnitude? >> you don't believe i have the skill set to do something this large and that's why i employ people who have a broader skill
6:01 am
set or different skill set than me in various areas. i don't have all the technical skills that i would need to do something. it takes a team. >> do you in your past positions, have you overseen -- what are the largest projects you've overseen, i.t. projects in your prior work experience? >> i've overseen some very large projects, sir, both in my past -- past employment with department of defense as well as the department of transportation. systems that were certainly enterprisewide and served large populations of people like opm. >> sizewise similar to -- >> yes, sir. sizewise similar, uh-huh. >> and how quickly were they able to complete these projects? >> some of them took -- some of
6:02 am
them were much faster than others. you know, it depended on when i came into them. some of them were delivered within a year and some of them took years -- multiple years to deliver. we're changing the way we deliver i.t. solutions now; we're trying to be much more agile. we're trying to find what we call a minimal viable product. we're trying to find segments of capability we can deliver in shorter term, so we're trying to deliver, you know, capability within six months -- six-month segments and then build on that to get to a whole system. >> how quickly do you think you'll be able to complete this current project? do you have a goal or an expectation? >> when we started the project, sir, we -- we kind of divided it into two pieces so we could understand it. the first we called our tactical phase, which was shoring up the network we have today. and we've put a great number of security tools into our current network. that's what allowed us to find
6:03 am
this adversarial activity this year. the second piece of this was building the shell. and we estimated that it would take us approximately a year to be able to deliver that. that project is on schedule. and it is on budget. and we will be delivering the shell environment this fall. the next phase is migration. we recognized from the very beginning that we did not have a full enough scope certainly not from my tenure on board back to june of 2014 did i have enough scope or understanding of exactly the opm -- the full opm environment to be able to assess what it was going to take to do that migration. and so that's why we only contracted for the first two pieces. we said as we work through this project to understand it we'll be able to better estimate and understand what needs to move into that shell. but we knew from the beginning
6:04 am
that there were some systems that were very old, that are about 30 years old, that we were going to have to migrate into that shell. so, we focused on those first. >> okay. one other question. last time before this committee, you referred to the fact that you -- you deal closely with the i.g. and last time we had a major i.g. project you apparently did not notify him of the project. do you have a reason for that or explanation for that? >> i don't -- i'm not aware of a requirement. i could certainly be corrected but i'm not aware of a requirement to notify the i.g. of every project we take on. certainly we included in our budget request for 2016, we talked through this project and documented it in that arena. we also discussed on a couple of
6:05 am
occasions with the i.g. this project because they have an interconnection with our systems. and we actually host some of their systems. so they have to come along with us in this project if we're going to continue to provide those services. >> okay. an undertaking of this size, maybe it's not something you normally tell the i.g. about but you would not have felt the necessity to notify them what's going on here? >> sir it's just based on my experience that if i am -- no sir, i would not normally advise the i.g. of a project that we're doing. that doesn't mean that i'm holding the information from them. but i also do know that we discussed with the i.g. on a number of occasions the fact that we were taking on this project and that they needed to modernize their systems and upgrade their systems to be able to meet the security requirements for this project.
6:06 am
>> gresham. >> i just got back to this meeting after one of the five national labs, which is in my district albuquerque new mexico. of course, the theme of many of those meetings are the constant threats every second of every minute of every day, they are clear that someone, something is entertaining a cyber security attack and it's a constant threat and they're clear that that's the environment they work in. they're also clear that they need our support and recognition to be proactive and to do something about these problems both internally and externally. and i appreciate their constant
6:07 am
surveillance and awareness of this critical problem. i, too, before i ask my question, am extremely disappointed in the reaction from this panel at this hearing that we know that these are issues we have to deal with. that we are, in fact, accountable and, in fact, you are liable. and what i hear is that none of those really are occurring. that if you don't provide us the answers at this hearing and the answers that we're requesting in the documents, you cannot help us assure we're protecting or adequately identifying the scope, which means that then you become part of the problem again. and i find it incredibly offensive that that's what is occurring in this hearing. what we all ought to be doing is ensuring we're protecting not only the thousands of federal employees in my district and the hundreds of thousands of employees around the country and the millions of employees
6:08 am
who are affected we are all scrambling to figure out who's the most accountable and who's the most responsible and who's the most liable. and i'm expecting much better cooperation. there's a lot of work to do in accountability identifying the scope, doing something about the legacy systems, making sure we're prepared for the next potential breach. as we do that, i do want to focus on how we're treating these employees. and so, director archuleta, i hold in my hand one of the letters that many of my employees and my constituents are getting. and i'm concerned about some of the aspects of the letter and i want you to talk me through about some of the concepts identified in the letter and how you came to these conclusions and what we might do to broaden those. for example, in the letter you say that your information to an employee could have been compromised, that potentially
6:09 am
affected -- i don't know when you're going to find out about that -- will receive a subscription to csid protection and identity theft for 18 months. now, what happens if you have an issue after the 18 months, is that individual going to be covered? >> the individual on the identity theft, yes. >> so even though the letter says you got an 18-month, what are we going to know in writing -- because these are lifetime issues. unfortunately, they don't go away. once that's been compromised, that's the problem. you're compromised. i don't think that these consequences are just 18 months. and i was interested in how you came up with that framework. it seems to me people should know they're going to be protected by you and supported irrespective. >> i understand your concerns. i understand the responsibility we have to our employees about their pii. i take that responsibility very, very seriously.
6:10 am
i want to say there are in the letter -- the first sentence you wrote, the difference between exposure and exfiltration, it could be their data was exposed and not exfiltrated but we feel strongly we need to offer the same to those employees whose data might have been exposed. >> i got it. i just want to know you're going to be responsible and supportive of these employees -- >> absolutely. >> not just in the short term, but the long haul. so they can expect another letter or something that says we're here. because the other thing i would like you to consider, because i appreciate that response, is that if you look at the letter again, and i've read it carefully, we're pushing folks -- i get, also i agree, to the right kinds of experience i hope, contractors to provide that support and identity restoration. i would like more clarity about what that will involve. in addition, you've got to call all these outside numbers.
6:11 am
you have to call all these credit agencies. you have to enroll yourself. i would strongly encourage you that there ought to be a phone number that i can call to opm. >> by law, they have to enroll in the -- >> no no i understand that part. in terms of managing and supporting employees i expect the organization that's the source of the breach would be available to me and not just outside numbers. and i don't know if you've done any mystery shopping of the toll-free numbers or calling these credit folks but there's an interesting long waiting period. i would really strongly suggest we step up hr and that there's a quick and immediate response in your own department. >> thank you. i appreciate your comments. i agree with you totally that we need to hold our contractor responsible for their response. we're also instituting new ways that they can -- that they can respond to the employees. i think i mentioned before you got here is that we're using the
6:12 am
ssa model where we, in fact, are being able to call them back. that no one has to wait online. >> we recognize the gentlewoman from virginia, ms. comstock, for five minutes. >> thank you mr. chairman. thank you for letting me sit in on this hearing. and i think as i've already talked with opm, we do plan on doing some hearings in the science and technology subcommittee, which i chair also. like some of my colleagues have already mentioned, they've had that experience. i received those same letters, as have, more importantly, tens of thousands of my constituents here in northern virginia like mr. connolly. i also had the unfortunate experience of also getting a letter from the irs saying my tax information had been compromised, but that's probably another hearing, mr. chairman. what i'm concerned about is i'm not hearing leadership here. i know when i visit the visa data center in my district and i
6:13 am
see all the things they have in place and the leadership they're exerting and the leadership that comes from the top there i see a very strong culture in their cyber security and how they're attacking it. my question ms. archuleta, when you came here 18 months ago you understood that we had a very real threat from china and other bad actors that this was constant, like the congresswoman was talking. it's constant, something every day and something you're always going to face. do you understand that? okay. and so in doing that because i think really what we know here from what mr. connolly has said, they're at war with us and we aren't up to speed. we aren't responding in kind in terms of the problem. now, what i'm hearing is the blaming the actor here. you're saying, we know they're bad actors. we know that. that's part of the job. what i would like to know in the 18 months how many meetings have you had personally where it's
6:14 am
been exclusively about cyber security and you've had those meetings and who have they been with? >> i've had those meetings with individuals throughout government. i have had those almost on a daily basis with my own staff and the cio. i would say that since the 18 months that i arrived i recognize the same problem that you did and we have taken tremendous steps. as you say, that there are these actors and they are aggressive and they are well funded and they are persistent. and the first thing i did was to implement an i.t. strategic plan with the focus on i.t. security. >> okay. i appreciate that because we've gone through those details. but have you visited private sector, a data center and seen what the private sector does? >> i have had discussions with the -- >> notice. have you visited? have you visited -- >> i have visited yes, other companies. the issue of cyber security was not the one that we discussed. but is the plan that i outlined
6:15 am
this morning, is that we're holding a summit in the very near future to bring those private individuals who are facing the exact same threat we are so we can learn from them. >> but in the past -- >> we need to access experts. >> in the past 18 months you had not done that? >> i had not met personally on cyber security issues. >> with the private sector? >> with the private sector. my colleagues across government have, like tony scott and others, the federal cio and i've been the benefit of those conversations at the -- and his experiences as well as other people throughout government. we recognize that cyber security is an enterprise issue for all of us in government. it's not just one person who has to take responsibility. all of us across government -- >> i appreciate that but i think the point that has been made by people who are leaders in this field is the person at the very top has to take that role. i would note when target, when
6:16 am
they had this breach when they had this problem, it wasn't just the cio who lost their job, it was the ceo who lost their job. that's how that was responded to in the private sector. so, i want to continue with some of the points that have been made by mr. mcfarland. have you sat down with mr. mcfarland to discuss his recommendations, you personally? >> i sit with mr. mcfarland. he's brought some of those to my attention. i've also -- with the flash audit i have not had opportunity because of the time period it was released but it's my full intention not only to talk with him about the flash audit but also to engage him as we move forward, as we always have. >> now, when i sent you the letter that you had sent back, really one of the questions i had in there was, how many people in my district have been impacted by this? i think it's a fairly simple question because you sent out the 4.2 million letters right? and letters usually have a zip code. so when you ask -- so you should be able to tell us how
6:17 am
many people we have in our districts that have been impacted by this so we -- i've certainly been hearing from many, and they have a lot of questions. i would also like to mention i would like to submit for the record questions from the american -- the federation of government employees. i've had a lot of incoming questions that have come that obviously we don't have time for here. but just a simple question that did not get answered was how many constituents do i have impacted by this? >> we -- i'd be able to get you that information from our data. we'd be glad to share it with you. >> thank you, mr. chairman. i yield back. >> thank the gentlewoman. we recognize the gentleman from california mr. des-d for five minutes. >> thank you. i apologize for having to leave. very troubling. i have a character flaw for this committee. i tend to give the benefit of the doubt, so ms. archuleta i would like to give you the benefit of the doubt but the flash report is concerning to
6:18 am
me. mr. mcfarland says, the project management approach for this major infrastructure overhaul is entirely inadequate and introduces a very high risk of project failure. would you say that your level of confidence in opm is heightened or do you stand by that comment? >> i stand by that -- i stand by that comment. >> and you also asked for responses from opm. it says you asked for it june 2nd of 2015 and asked for comments by june 5th and later extended that to june 10th. by june 17th we had still not received comments or indication that comments would be forthcoming. did you ever get comments back before the hearing? >> i think we may have gotten comments back that day. >> okay. i got something this morning, u.s. office of personnel
6:19 am
management strengthen cyber security and protect critical i.t. systems. doesn't have a specific date, june 2015. ms. archuleta, is this the response or -- >> no, i'm familiar with it. the action plan you received today is an action plan that i've developed along with my staff in response to the very serious issues and threats we're facing right now. it outlines what we've done and what we will be doing. the response to the i.g. on the flash audit he has received. as i said before mr. mcfarland and i have not had the opportunity because of the time period that -- where we've been engaged with other things. it's our intent, as in the plan, to ensure he's engaged with us alongside us and that we value his opinion and the work of his staff.
6:20 am
>> so mr. mcfarland, heretofore you haven't gotten that impression. at least that's my impression. that ms. archuleta said she values your input but you haven't gotten that from what i ascertain from your comments and written commentary. >> well, what is on paper is exactly what i -- >> so, do you have any heightened confidence that what ms. archuleta said about your relationship will improve? it doesn't seem there is any evidence to that. >> well, i think in general we have a good relationship. truly, i think we have a good relationship. regarding this matter i think we're worlds apart. >> that's fairly significant. as you said to mr. lynch, $93 million, you said, isn't even close to the amount needed in your opinion, and the ability to
6:21 am
succeed, there's a high risk these efforts will ultimately be unsuccessful. given how horrible the consequences of what's already happened, doesn't really give me a lot of confidence that going forward anything is going to improve. as a matter of fact, it sounds like it's going to get worse. >> i think going forward at the right -- at the right pace and concentration might be very successful. what i think is planned by opm, i think, is dangerous. >> would you like to respond to that, ms. archuleta? i can only imagine how difficult it is coming in here but i must tell you just sitting here and being willing to give you the benefit of the doubt, you appear to come across as petulant, defensive and evasive. >> i don't mean to do that at all. i take very, very seriously what has happened. >> you say that over and over again. with all due respect i believe you but it doesn't appear to be
6:22 am
the truth. >> well, i do -- what i have tried to do today is convey to the members how seriously i take this and that we are garnering all the resources including the opinion of the i.g. we disagree on some issues but we do have other areas of agreement. we also have areas that would benefit from discussion between me and the i.g. i think that's an important step. i.g.s work very closely with their administrations to make sure we're doing the best job we can. i take this information very seriously. i do not want to convey that i'm angry or petulant about it. i am respectful for the position he holds and the input he gives but i feel passionately about what has happened. i feel very passionate about the employees. i am a champion and have worked very hard throughout my entire career.
6:23 am
and if i sound passionate about it, i -- i have to say that i am. >> i just personal observation. sometimes you can feel passionate about things but not be capable of doing what you desire to do and i think we need to have a serious conversation. i know the chairman has these concerns about -- to be perfectly honest -- whether the current administration is competent enough to protect this information from people who would hack us. thank you. >> gentleman yield? >> yeah. >> gentleman yield. i think the gentleman gets to the point that i was trying to get to a little bit earlier. and the question becomes, we've got mr. mcfarland saying that -- i think he used the word dangerous. is that what you said? >> that's correct. >> we're heading down a dangerous path. >> i believe so. >> and when you say dangerous, i mean you -- you're saying we're headed for some very serious
6:24 am
trouble. is that a fair definition of dangerous? >> absolutely. >> so, ms. archuleta, our problem is this: we sit here and we've got an i.g. who we believe in and trust. the i.g. is saying that you need to take his advice and what you're doing is not going to get us there. as a matter of fact, may harm us. am i right mr. mcfarland? >> that's correct. >> so you put us in kind of a difficult situation. we've now been given notice as members of congress that we're headed down this path by somebody who we rely on. you disagree with them but then you expect us to be supportive of you. no, no, no, no, listen to me. that's a problem.
6:25 am
now you put us in kind of a bad position. that means that if this happens again, problems get worse, then people say, well, wait a minute chaffetz, cummings, you were sitting there. you heard what the i.g. said. i mean, why did you let this go on? that's the position we find ourselves in. so, i don't care whether you like each other or not. that doesn't matter to me. a lot of people get along. the question is, it sounds like you are refusing -- no, no, answer me now. i'm going to give you a chance. to do what he's asked you to do. because you disagree. but on the other hand he's saying, we're going down a dangerous path. i mean, come on now. do you have a comment? >> yes. i just want to be sure. >> the flash audit identified
6:26 am
issues. a flash audit is meant to alert the administration about concerns. it merits an opportunity for the i.g. and his staff and the -- and my staff to sit down and find out where his concerns are. if he says it is a dangerous path i want to know specifically why he's -- >> haven't you told her that before? is this new? >> as far as the word dangerous i probably didn't use -- >> yeah but i mean, you told her the urgency of the moment. >> absolutely. >> and the problems that we're having. and where you see it heading. >> yes, in a letter. >> well, come now. >> he sent the letter. attached to the flash audit and we have not had the opportunity to sit down with him. and i take very seriously his concerns, mr. cummings. >> will the gentleman yield?
6:27 am
>> and the opportunity, if he uses the word dangerous, i need to understand clearly from him and his staff why he attaches that word. and the flash audit needs the scrutiny of both him and i together to protect the employees and to protect our data and to protect our system. >> with all due respect, and i know you're fairly new to this position, but the audits have been coming from the inspector general's office since 1997. they come in year in and year out. they have happened and happened and happened and happened. i mean i started the other hearing by reading through all the comments that have come along. so, this is a flash audit. you haven't had time to talk about it. you haven't had time to go through it. and yet you can award a multimillion dollar contract in less than 48 hours. that's what we don't understand. we're going to go through that in a minute. we're almost done with this
6:28 am
hearing. this isn't just one audit. this isn't just one observation. the good people in the inspector general's office have been warning about this since the '90s. and it was never taken care of. >> thank you for pointing that out. and i appreciate it. and acknowledge that. i've been here 18 months and i took seriously the audits that came before me and that is the way i have done and taken the steps -- >> we don't believe you. i think you're part of the problem. i think if we want different results, we're going to have to have different people. and if you want to refresh the deck and we want to put mr. osmond or someone like that in charge, we have to do it. we have a crisis. that hurricane has come and blown this building down. i don't want to hear about putting boards up on windows and it's going to take years to get there. that's why i think it's time for you to go. ms. seymour, i'm sorry but i think you're in over your head. and i think the seriousness of this requires new leadership and a fresh set of eyes to do
6:29 am
this. i wish you the best in life. i'm not out to get you. but you know what, this is as big as it gets. and there are going to have to be a new team brought in. that's where i'm at on this. yield back to the gentleman. >> gentleman yields back. >> i recognize myself. we have to talk about some things. mr. hess, have you come up with a decision about the timing of when you will provide this information i asked for previously? >> you want it by next week. >> fair enough. next week, if we can get that information, we would certainly appreciate it. and we will follow up. i will follow up. i got mr. cummings' back on this one, and i will support him in this. he's asking reasonable questions and i appreciate the cooperation. thank you. i now -- i'm going to yield to the gentleman from alabama who's brought up a great issue and a great point. i want to go through this contract timeline here. again, we're guessing close to wrapping up. on thursday, may 28th of this year, just not too long ago at
6:30 am
11:33 a.m. opm posted a 29-page request for quotes to provide notification, credit access, credit monitoring, identity theft insurance and recovery service and project management services. on may 28th, 2015 at 1:46 p.m. opm posted amendment one, pricing sheet. may 29th at 1:32 p.m. opm changed the deadline from may 20th to may 30th. on may 29th at 2:45 p.m., opm posted another change. modified info to be submitted and deleted some clauses. and on tuesday, june 2nd a contract was awarded to the winvale group. i don't know the winvale group. could be nice people. i don't know. but they immediately turned around and subcontracted this. to a group i don't know a whole lot about. i would like to have mr. palmer ask you some questions about this. >> thank you mr. chairman. this question is to you, mrs. seymour.
6:31 am
do you know any of the management of csid? >> not that i'm aware of. >> do you have any knowledge about the management of csid? >> not that i'm aware of. i got key personnel resumes in the proposal. >> did anyone discuss with you any knowledge about the ceo, scott kruitchank? >> no sir. >> hosam bengasam? >> no, only four directors. the last one is owen lee. i asked you about him earlier. >> no, sir, i have no recollection of him. >> you know, you've let a contract in a very sensitive area. i mean this literally impacts millions of people. it impacts their -- potentially impacts their financial well-being, their careers, yet it appears you didn't do the most basic research into the company that you've contracted this with.
6:32 am
if you had, i think you might have discovered that mr. lee is under investigation by the department of justice and securities and exchange council -- commission, i mean. they're looking into his management of a group called carnesi, which in nine months he lost 99.97% of the money invested in that hedge fund. mr. mcfarland let me ask you this, if you had known this would this have raised a red flag with inspector general's office? >> absolutely. >> i've listened to mr. cummings, i've listened to the chairman. and the more i listen to these guys and members of this entire committee ask these questions, the more concerned, the more frightened i've become about how opm has handled this.
6:33 am
and then to find this, to find the most basic analysis is not being done, just adds to that. one other question i want to ask you. mr. osmond who testified last week, made this comment -- i want to ask you are you aware of any outside contractors who are foreign nationals? have you contracted any work with them? ms. seymour? >> i'm sorry, i didn't realize that was my question. i apologize. am i aware of any -- >> have you contracted any of this work to foreign nationals? >> not that i'm aware of, sir. >> how about you, ms. archuleta? >> no. >> let me -- may i read this or do you want to read it? >> go ahead. >> this is in "the wall street journal," mr. osmond. he said some contractors that have helped opm managing internal data have had security issues of their own.
6:34 am
including potentially given foreign governments direct access to data long before the recent reported breaches. a consultant who did some work with a company contracted by opm to manage personnel records for a number of agencies told ars that he found the unix system administrator for the project was in argentina and his coworker was physically located in people's republic of china. they had access to every row of data and database. another team that worked with these databases had two team members with people's china passports. i know that personally because i worked with them and revoked their privileges. you're not aware of that? >> sir i'm aware of two of our -- two federal employees who have ties to foreign countries. they are u.s. citizens and they work on our programs.
6:35 am
>> how does -- here's what mr. osmond said, from his perspective opm compromised this information more than three years ago. his current take on the breach is so what's new? i yield the balance of my time. >> gentleman, where is -- i would like to ask unanimous consent this article by julia la roche, "hedge fund manager who said sorry for losing 99.7% of his client's money is now being investigated by the s.e.c. and department of justice." ms. seymour were you aware that the contract that you let for winvale was going to be winvale's proposal included the fact that it had work --
6:36 am
that it was subcontracting or partnering with csid on. >> when you did your due diligence and looked into some resumes of the people that would be involved and engaged in this, did that include the employees and the board at this subcontractor? >> it did -- it did not include the board. we used past performance and their other systems the contracting officer uses to research a firm to make sure they're qualified to do work with the federal government. >> at either winvale or the subcontractor, if there's more than one subcontractor, do you personally know anybody who's in any way, shape or form involved? any of those companies? >> not to my knowledge sir. >> there's nobody from the former department of defense or from the office of personnel management? you know none of those people? >> i don't -- i do not believe i know anyone in -- that's working for those firms. >> ms. archuleta do you know anyone that works for either of those two firms? >> not to my knowledge.
6:37 am
>> here we have someone who lost millions of dollars under investigation by the department of justice. we got to figure out how in the world these people get the contract. because we're saying, federal employees, millions of you affected, go give them the information. that's the kind of person we're dealing with. i'm not saying he's guilty. he's under investigation. why should we take the chance? why didn't you get to the gsa list? there's a list of approved vendors out there. why not use one of them? >> we did consult with gsa and the gsa schedule on this. there were some requirements we wanted to include in our contract that were not available on the gsa schedule and it -- >> like what? >> de-duplication of services is one of them. we knew -- what we were trying to do at opm was set up a contract vehicle that we could use in the future for any additional breaches, whether it's one or two or anything
6:38 am
else. we wanted to set up a vehicle that would not cause us to pay or to offer the same services to affected individuals at the same time. that is not something the gsa schedule afforded us the opportunity to do, even after we talked with the schedule holder at gsa. >> i'm just telling you this reeks. for any contract to go out that fast, i understand the gravity of the situation, you'll deviate from that and immediately go out to a subcontract, i would encourage you to as swiftly as possible get back to senator warner, mr. palmer, as well as this committee. i do need to ask about credentials. ms. archuleta, is there anybody in the opm system, whether an employee or contractor, who is a foreign national? >> sir, i want to be sure of that answer. i'd have to come back to you to
6:39 am
be sure that i -- >> ms. seymour, is there anybody who's a foreign national who is involved as either a contractor or directly as an employee at opm? >> i will get back to you on that, sir. >> the fact that you guys -- that you two don't know that's -- that's what scares me. that's what really scares me is that you don't know. >> i know about my staff, sir. >> how many people on your staff? >> about 280. >> how many people have credentials to become a network administrator or have access to the network? how many? >> i believe it's about 50. >> so those 50 people. how often do you routinely audit that? >> we review them very frequently. >> like what? >> probably monthly. we have processes for when they come -- when people come on board and when they leave that we remove their access privileges. >> do you review the traffic that's going through there? because that's part of what happened is somebody gained network administrator access
6:40 am
and -- >> so, that's how we were able to track through and find out our background investigation -- >> after they had been there for more than a year right? >> yes, sir. >> so how often do you track that and monitor that? >> we had put the tools on our network just over the last six months or so to be able to see this type of activity in our network. again, sir, when i came on board, i recognized that these systems were in need of some modernization. we put in place a plan and began to execute that immediately, to put the security tools in place so we had visibility in our network. that's what led us to understand this latent activity that went back to even prior to my arrival at opm. >> i have a series of other questions. but let's recognize the gentleman from georgia, mr. carter. >> thank you, mr. chairman. thank you all for being here. mrs. seymour, i would like to start with you. it's my understanding that opm's
6:41 am
legacy system that you're currently using, cobol, a system that was developed originally in 1959. is that correct? >> i don't know when it was invented, sir, but yes we are using cobol in some of our systems at opm. >> according to my research and my staff's research it was originally developed in 1959. and that's the system we're using. >> yes, sir. ms. archuleta, opm since 2008 has spent $577 million on i.t., is that correct? >> i don't know exactly that number but i'll accept it. >> you think it's pretty close? >> i would have to trust your judgment. i don't know the number on that but i could get back to you. yes, if you want -- >> would you say that's in the ballpark, $577 million? i mean give or take a couple hundred million. what are we talking about? >> i can tell you what we've spent on it, but, yes, i'll --
6:42 am
>> $577 million since 2008, yet we're still using a legacy system that was developed in 1959? >> i agree with you totally sir. we are using a legacy system that was designed in 1959 and that is what we're working to change. >> it's my understanding that approximately 80% of our i.t. budget is being spent on legacy systems. is that correct? >> right now the legacy -- we're working off of our legacy system, that's why we're making the investments into a new system. >> i'm sorry. i'm just flabbergasted by this. it's just mind-boggling that we could spend -- first of all, that we could spend $577 million. secondly, that we're spending 80% of what we have budgeted on legacy systems. i mean, it's just amazing to me that we're doing that.
6:43 am
nevertheless, ms. seymour, let me ask you, the i.g.'s flash audit estimated cost for two phases, only two phases of your infrastructure improvement project is going to be $93 million. is that correct? >> yes, sir. we put together the plan with a very robust inner-agency team and had that reviewed by a number of experts. >> $93 million? >> yes, sir. >> i'm sorry. i don't mean to -- to be dramatic, but $93 million? >> that covers both securing our legacy architecture, the one we have today, putting as many -- >> the one that was originally developed in 1959? >> our net -- not all of it was developed that long ago. >> if any of it was developed -- >> so, our network was designed you know, about a decade ago. so, we are trying to shore that up, provide as much security around that network as we can,
6:44 am
that's part of what the money is going to. the other part of the money is going towards building a more modern and securable network we will transition to. >> okay. it's my understanding that despite the decades we've been spending all this money, these millions of dollars that we are still using paper forms in some cases, is that true? >> a number of our business offices still use paper forms. >> we've spent $577 million on -- on i.t. since 2008 and we're still using paper forms? of course, hey, paper forms may be better in this case. at least we've still got control of those. >> i can't speak to what's happened before me, sir. i can tell you that when i came in and saw the state of our i.t. systems, i worked with director archuleta to put in place a plan, an aggressive plan, for migrating to more modern more secure network and systems. >> does it include paper forms?
6:45 am
does it include paper forms? will we still have paper forms after you make these adjustments? >> we want to remove as much paper as we can from our environment, sir. that's one of our goals. >> well i can't help but wonder if that's not a move in the wrong direction. i mean, at least we can have some control over these paper forms. we obviously don't have control over the computers and the information that we have on the internet. >> i would offer sir there are security concerns with paper just as well. we have you know, violations or issues with paper as well as you leave paper around. the other issue we have with paper, sir -- >> so, we leave paper around? >> sir, when you leave it in your office or when you're working with it. i would also offer that when we have paper, we don't have backup systems. that's a concern as well. as we move forward with -- >> mrs. seymour, i agree with every point you're making here. my point is we spent $577 million since 2008 and we're still using paper.
6:46 am
>> sir, i've also said i can't tell you what's going on before me. what i can tell you is the plan we are putting in place, we're trying to put -- we're planning to put in place an enterprise case management system. we're working towards that; that will eliminate a lot of our paper. we'll modernize our systems and provide better protections around our -- around data and our systems. >> i think -- >> what we do that includes that $577 million that we've already spent? >> i'm sorry, sir. >> this is going to be more problem we throw at this problem, right? >> sir, i cannot account for what happened before me. >> thank the gentleman. we have a vote on the floor. we'll recognize mr. cummings for one more question. >> i'll be very brief. thank you very much. i want to go back to this contract. winvale got this contract, is that right, mrs. seymour? >> that's correct. >> what was the process? it doesn't smell right. something doesn't smell right about this process. winvale gets it and then they turn around and csid --
6:47 am
>> no sir. the proposal that we got was from winvale partnered with csid. we knew up front that they were -- they had support from csid. it was part of their proposal package to the government. >> you didn't know about mr. lee? >> no, sir, i did not. >> you didn't know his apology for losing 97.7% -- 99.7% of $60 million went viral -- >> no, sir, i did not. >> -- in march? >> no, sir, i did not. >> so the question becomes -- do you think you should have done some better due diligence? >> so we did due diligence on the company. there are several ways the contracting officer validates that the company is able to do business with the government. >> mr. mcfarland, this concerns you, i say it? >> yes, of course. >> and why is that, sir?
6:48 am
>> just the reasons you espoused. it was very fast. as a matter of fact, a few days ago we were talking about that in the office and we are going to be looking into it. >> i'd appreciate that. i just have one statement real quick, mr. chairman. i want to conclude by thanking you again for inviting the contractors here today. we've obtained some significant information but there are also many, many unanswered questions. we asked usis for information; they have refused to give it for more than a year. mr. gianetta promised to help us get those answers but i'm concerned he may not be there in a couple weeks so we may need to follow up with the parent company. we also asked keypoint for documents we originally requested months ago and you pressed him to provide those documents. i think you understand how frustrating it has been for me over the past year. i thank you for your help for agreeing to invite them for
6:49 am
helping us get the information we need. we will prepare questions for the record for today. i hope we will be able to get all of these answers. i really hope it won't require a subpoena. with that, i thank you and i yield back. >> thank the gentleman. we're now at the halfway point. i'm just teasing. we're wrapping up here. you've all been sitting here a long time. a couple more questions. we do have a vote on the floor. director archuleta, back to some of your previous comments. this has to do with what you said in july of 2014 regarding the opm data breach that became public in march of that year. at the time you said they did not have a breach in security. ms. seymour, i think was -- ms. seymour was very candid in saying she did think it was a breach in security. so, which -- is she wrong? >> as i explained earlier, sir, in the question that was asked to me, the conversation was around pii, and i answered it in that context.
6:50 am
>> but you don't believe that there was any access to see that information? >> i don't believe that there was -- that data was breached and that there was no data exfiltrated. >> do you believe they had access to it? >> that's why we believe there was, in fact, a breach. i'm not the forensics. i don't know what they did with it. what i was assured of sir, and how i responded in that -- in that interview was that i -- there was no pii extricated from the system. >> so, you did know that the opm network -- the network platform -- that the blueprint, essentially the keys to the kingdom, was exfiltrated, correct? >> the question was around the pii and i answered it. >> i'm asking you now. i'm asking you now. do you believe -- did you
6:51 am
know -- somehow you had to know, i hope -- >> mrs. seymour informed me that other data had been taken from -- but it was not -- it was in different context to that question. >> but that was a -- essentially a blueprint of how the system worked, correct? >> she informed me some manuals had also been exposed and potentially exfiltrated, yes i knew that. again, the question was around pii. >> again you did know there was a security breach, correct? >> correct. >> and you did know that there were things other than the pii that were potentially exfiltrated? >> i did. >> you did know that. what do you think's a bigger success for hackers, you know, stealing the files for tens of thousands of employees or the files for up to 32 million employees? >> i believe that all of that is very important, sir. i can't distinguish between both of them. each equally as important.
6:52 am
>> when did the hackers first gain access to opm's network? the ones we just learned about. maybe ms. seymour is better positioned to answer that. either one of you if you know what the timeline is on that. >> i have the timeline. >> yes. >> so the actors first gained -- adversary access was first noted within the network from november of 2013. >> the one that we just learned about? >> i'm sorry. that was from the 2014 intrusion you were referencing based on the manuals. >> and sorry, that happened at what timeframe? >> they had -- we were able to confirm based on the on-site assessment that they had confirmed access in november of 2013. >> okay. ms. seymour, i think you were going to say something. >> i was just going to clarify for this most recent incident dates back to june of 2014 the access the adversary had dates
6:53 am
back to june 2014, i believe. >> is it possible that when they took this blueprint, i call it the keys to the kingdom, that that would have potentially aided the hackers in coming back into the system and stealing these millions of records? >> these are available manuals typically for commercial i.t. equipment. so yes, it would aid an adversary in understanding our platform. they did not get, you know, specific configuration diagrams of our entire environment but these are commercially available. a lot of these are commercially available documents about platforms, computing platforms. >> ms. barron-dicamillo did that provide any proprietary
6:54 am
information? >> it did not include. it was manuals associated with certain types of platforms but again missing or that information is available, i think ibm is one of the sites. >> did the hackers have access to be able to see the information regarding personal employees? >> so in 2014 is that the incident you're referring to? >> yes. >> based on the on-site assessment we weren't able to confirm that they were able to access any of the pii information. so not only so your question about seeing it there's a certain portion of the networks they were specifically focused on and they were not able to infiltrate into those portions of the network. >> ms. seymour -- let me ask ms. archuleta.
6:55 am
responsible for safeguarding the pii in 2014, who do you hold responsible for its loss today? >> i hold all of us responsible. that's our job at the opm. we work very hard to do this. and we work with our partners across government. i know you're perhaps tired of hearing this from me but we're facing a very aggressive attacker. we protect against 10 million attempts each month. so we're working very hard to do that. we're working extremely hard to prevent the types of things that we're seeing here today. >> i want to make sure you're going to get us some documents right? we've been requesting documents for a long time. i want to make sure what documents you're going to provide us. are those the ones we've been asking for? i can't hear you. >> i'm sorry. we're going to be addressing that letter and each of the requests that you've made to the extent that we're able to.
6:56 am
>> okay. all right. thank you. >> it's been a long morning and into the afternoon. i thank you all. you all represent a number of people that have big -- a lot of staff so people who work hard, they're patriots, they care about this country. to that extent please let them know how much we appreciate them and all that you're doing. but we'll have somebody help you know where the restroom is. it's been a while. again, thank you for your participation today. we stand adjourned.
6:57 am
friday president obama will be in south carolina, where he will deliver the eulogy for reverend clementa pinckney. he will be joined by jill biden and first lady michelle obama. we will bring you that here on c-span. >> i am not one of those who believes in the psychiatric examination of people. i believe that most of these people -- on the other hand
6:58 am
when i meet people i don't judge them in terms of whether they have eye contact or a firm handshake and what i try to do when i meet them. >> he was not very self-aware. he did have a psychiatrist. he was an internist and the doctor later said he was careful to make nixon feel like he was not being analyzed. even though he went to one, he hated psychiatrists. he was afraid, in a way, of looking at himself in a realistic way.
6:59 am
7:00 am
at 8:20 a.m. on the upcoming supreme court decision in michigan versus epa, case looking at whether the epa properly bash and powerplant regulations. >> good morning and welcome to the "washington journal" on this thursday june 25th. we'll begin with the top stories of the week. here's headlines for you to weigh in. congress has approved fast track authority for the president on trade but the hard part striking a deal and getting congress to approve one. and as we wait for decisions in the supreme court new poll finds americans strongly favor the prospect of same sex marriage but the public remains