
tv   Washington This Week  CSPAN  June 28, 2015 11:00am-1:01pm EDT

11:00 am
help identify further steps the agency can take. as you know, public and private sectors both face these challenges and we should face them together. i would like to address now the confusion regarding the number of people affected by two recent related cyber incidents at opm. first, it is my responsibility to provide accurate information to congress, the public and, more importantly, the affected individuals. second, because this information and its potential misuse concerns their lives, it is essential to identify the affected individuals as quickly as possible. third, we face challenges in analyzing the data due to the form of the records and the way they are stored. as such i have deployed a
11:01 am
dedicated team to undertake this time-consuming analysis and instructed them to work to make sure their work is accurate and completed as quickly as possible. as much as i want to have all of the answers today, i do not want to be in a position of providing you or the affected individuals with potentially inaccurate data. with these considerations in mind i want to clarify some of the reports that have appeared in the press. some press accounts have suggested that the number of affected individuals has expanded from 4 million individuals to 18 million individuals. other press accounts have asserted that 4 million individuals have been affected in the personnel file incident and 18 million individuals have been affected in the background investigation incident. therefore, i am providing the
11:02 am
status as we know it today and reaffirming my commitment to providing more information as soon as we know it. first, the two kinds of data that i am addressing, personnel records and background investigations, were affected in two different systems in the two recent incidents. second, the number of individuals with data compromised from the personnel records incident is approximately 4.2 million, as reported on june 4th. this number has not changed and we have notified those individuals. third, as i have noted, we continue to analyze the background investigation data as rapidly as possible to best understand what was compromised, and we are not at a point where we are able to provide a more definitive report on this issue.
11:03 am
that said, i want to address the figure of 18 million individuals that has been cited in the press. it is my understanding that the 18 million refers to a preliminary, unverified and approximate number of unique social security numbers in the background investigations data. it is a number that i am not comfortable with at this time because it does not represent the total number of affected individuals. the social security number portion of the analysis is still under active review and we do not have a more definitive number. also, there may be an overlap between the individuals affected in the background incident and the personnel file incident. additionally, we are working deliberately to determine if individuals who have not had their social security numbers compromised but may have other
11:04 am
information exposed should be considered individuals affected by this incident. for these reasons i cannot yet provide a more definitive response on the number of individuals affected in the background investigations data intrusion. and it will -- it may well increase from these initial reports. my team is conducting this further analysis with all due speed and care. and again, i look forward to providing an accurate and complete response as soon as possible. thank you, mr. chairman, for this opportunity to testify to you today, and i'm happy to be here, along with my cio, to address any questions you may have. >> thank you. mr. mcfarland, you are now recognized for five minutes. >> chairman, ranking member cummings and members of the committee, good morning. my name is patrick
11:05 am
mcfarland and i'm the director of the office of personnel management. thank you for inviting me to testify here. i would like to note to my colleagues that the deputy inspector general is here with me. with your permission, he may assist in answering technical questions. in 2014 opm began a massive project to overhaul the i.t. environment by building an entirely new infrastructure called the shell and migrating all of its systems to the shell. before i discuss the recent examination of this project i would like to make one point. there have been multiple statements made to the effect that this complete overhaul is necessary to address immediate security concerns because opm's current legacy technology cannot be properly secured. this is not the case. there are many steps that can be taken, or indeed which opm has
11:06 am
already taken, to secure the agency's current i.t. environment. i just want to emphasize that while we agree that this overhaul is necessary, the urgency is not so great that the project cannot be managed in a controlled manner. last week my office issued a flash audit alert discussing two significant issues related to this project. because my written testimony describes these issues in detail, i will give only a summary for you this morning. first, we have serious concerns with how the project is being implemented. opm is not following proper i.t. project management procedures and does not know the true scope and cost of this project. the agency has not prepared a project charter, conducted a feasibility study or identified all of the applications that will have to be moved from the existing i.t. infrastructure to
11:07 am
the new shell environment. further, the agency has not prepared the mandatory omb major i.t. business case, formerly known as exhibit 300. this is an important step in an i.t. project and the proper vehicle for seeking approval and funding from omb. it is also a necessary process for enforcing proper project management techniques. because opm has not conducted these very basic planning steps, it does not know the true cost of the project and cannot provide an accurate time frame for completion. opm has estimated that this project will cost $93 million. however, that amount only includes strengthening the agency's current i.t. security posture and the creation of a new shell environment. it does not include the cost of
11:08 am
migrating all of opm's almost 50 major i.t. systems and numerous subsystems to the shell. this migration will be the most costly phase of this project. even if the $93 million figure were an accurate estimate, the agency does not have a dedicated funding stream for the project. therefore, it is entirely possible that opm could run out of funds before completion, leaving the agency's i.t. environment more vulnerable than it is now. opm also has set what i believe to be an unrealistic time frame for completion. the agency believes it will take 18 to 24 months to migrate all of its systems to the shell. it is difficult to imagine how opm will meet the goal when it does not have a comprehensive list of all of the systems that need to be migrated. further, this process is
11:09 am
inherently difficult and there are likely to be significant challenges ahead. the second major point discussed in the alert relates to the use of a sole source contract. they've got a single source vendor. unless there's an exception, federal contracts must be subject to full and open competition. however, there's an exception for compelling and urgent situations. the first phase of this project, which involves securing opm's i.t. environment, was indeed such a compelling and urgent situation. that phase addressed a crisis, namely the breaches that occurred last year. however, the later phases, such as migrating the applications into the new shell environment, are not as urgent. instead they involve work that is essentially a long term capital investment. opm should step back, complete its assessment of the opm
11:10 am
architecture and develop a major i.t. business case proposal. when omb approval and funding have been secured, they should move forward with the project. opm cannot afford to have this project fail. i fully support opm's effort to modernize the environment and the director's long term goals. however, if it is not done correctly the agency will be in a worse situation than it is today and millions of taxpayers will have to be -- many -- and millions of taxpayer dollars will have been wasted. i'm happy to answer any questions you may have. >> thank you. ms. seymour, was your statement with ms. archuleta or do you have one yourself? >> it was with the director, thank you, sir. >> i would ask unanimous consent to enter into the record a letter that was given to us this morning from the office of
11:11 am
personnel management, dated today, signed by ms. archuleta, dealing with the number of records. without objection, we'll enter it into the record. we'll now recognize ms. barron-dicamillo for five minutes. >> good morning. my name is ann barron-dicamillo. i appear here to talk. dr. andy ozment is here with me to answer any questions. like many americans, i too am a victim of these incidents and am concerned about the continued cyber incidents at numerous government and private sector entities. i understand the scope of the problem we face and the challenges in securing critical
11:12 am
networks. cybersecurity is a true team sport. there are many agencies responsible, including the intelligence community, law enforcement and the department of homeland security, as well as individual system owners and individual end users. my organization within dhs is part of the national cybersecurity center. we focus on analyzing the risks, sharing information about and responding to significant cyber incidents. we work with trusted partners around the world and focus on threats facing the government and critical sector networks. our role is largely voluntary. we build and rely upon trusted relationships to share information and respond to incidents. when an entity believes they've been a victim of a significant cyber incident, they invite us to help them assess the scope of the intrusion as well as provide recommendations on how they can mitigate the incident and
11:13 am
improve their security posture. our current involvement with opm began in march of 2014 when they learned there was a potential compromise within the opm networks. from march to may, we were part of the team that remediated the intrusion. throughout that time we shared information that we had learned about the intrusion with our governmental partners as well as private sector partners so they could better protect themselves. on may 28, 2014, the interagency response team concluded that the malicious actor in question from that event had been removed from the network. we also provided opm with recommendations on what steps they could take to increase their security. there is no silver bullet or magic solution. most government agencies and
11:14 am
their private sector counterparts are making up for years of underspending on security as part of information technology development. the internet was designed with ease of use rather than security in mind. the status of opm's networks in may of 2014 was not unlike other similarly situated agencies. opm did some things well and was weak in other areas. i understand that opm had at the time, under its new leadership, started an effort to improve its cybersecurity. the incident report for opm included several recommendations, some of which could be implemented quickly and others of which would take longer. opm made a concerted effort to adopt the recommendations beginning last summer. it was opm who in april of 2015 discovered the new intrusion.
11:15 am
this is how the malicious access to opm data at the data center was discovered. this newly discovered threat information was also quickly shared by us with our private sector partners and other trusted partners around our communities. the interagency response team has been working with opm since april of 2013 to assess the scope and nature of the incident. there are a few things i can share. we were able to use the einstein capability to detect the presence of malicious activity on the department of interior data center which houses the opm personnel records. further on-site investigation revealed that some personal information was compromised. this is the 4.2 million number that director archuleta referenced today. as a result of what we learned from the april 2015 investigation, opm continued to conduct forensic investigations into its own environment. in that process opm discovered evidence of an additional compromise on its own
11:16 am
network. we then led an interagency response team to assess opm's networks and in june found that background investigation data had been exposed and possibly exfiltrated. that's currently under investigation. we learned at the time that they had precluded further access. the protective measures may have mitigated any continued effects of the intrusion. the work is ongoing and we continue to assess the scope of the potential compromise. although i'm appearing today ready to provide information, i do so with some concern. we rely on voluntary cooperation from agencies and private entities who believe they may be victims. i worry that us appearing in front of this committee will have a chilling effect on their willingness to notify us, the whole of government, of future incidents. we need private companies to
11:17 am
continue to work with government and share information about cyber threats. thank you. i look forward to your questions. >> mr. hess, you're now recognized for five minutes. >> thank you, chairman, ranking member cummings. i'm president and chief executive officer of keypoint government solutions. since 2004 keypoint has provided fieldwork services for background investigations to a number of federal agencies, including the office of personnel management. we employ investigators in every state and are proud to be part of opm's team, helping to ensure that the security investigations it conducts are thorough, detailed and consistent. we take issues of cybersecurity very seriously and, as a contractor providing critical services across the federal government, we stand in partnership with the federal government in trying to combat
11:18 am
ever present and ever changing cyber threats. we're committed to the highest levels of protection. the recently announced breach of opm is the focus of this hearing. i would like to make clear that we see no evidence suggesting that keypoint was in any way responsible for the opm breach. there are recent media reports suggesting that the incursion into opm is what breached. there is no evidence that keypoint was responsible for that breach. press reported that hackers stole opm credentials assigned to a keypoint employee and leveraged them to access opm's systems. there is no evidence suggesting that keypoint is responsible for or directly involved. the employee was working on an
11:19 am
opm system, not a keypoint system. i know that throughout the hearing the incursion of the keypoint system discovered last september will be discussed. keypoint has continuously maintained its authority to operate, ato, from opm and dhs. this means that we met the stringent information security requirements imposed under our federal contracts. keypoint only maintains information that is required. we, like government agencies, face aggressive, well funded and ever evolving threats. let me say a few words about the earlier incursion of keypoint. in december of 2013 the washington post noted that it would notify 48,000 federal workers that their personal information may have been exposed. i emphasize the word may because in the report, after the extensive analysis of the
11:20 am
incursion, we find no evidence of exfiltration of personal data. last august, following public reports of a data security breach at another federal contractor providing background checks, donna seymour asked keypoint to invite us-cert to test keypoint's network and keypoint agreed. the department of homeland security and technical services conducted risk vulnerability tests including internal maps. they provided a number of findings at the end of the engagement, which were resolved while the team was on site, as well as recommendations for the future. while they found issues, they were resolved and the team found no malware on keypoint's systems. however, then in september the hunt team informed keypoint that it had found indications of
11:21 am
sophisticated malware, undetectable. the team provided keypoint with mitigation recommendations to remove the malware from our environment and other recommendations for hardening its network to prevent future compromises. keypoint immediately began implementing the issues identified by us-cert, and concluded the malware was not functioning correctly because of errors. i recently attended a classified briefing at opm where i learned more about the opm breach, and in this open setting i cannot go into details presented in that briefing; however, i can reiterate we have seen no evidence between the incursion of keypoint and
11:22 am
we are always striving to make sure our defenses are as strong as possible. we have also been working closely with opm to improve our information security posture in light of the new advanced persistent threats. we have been working diligently to make our systems more resilient and stronger by implementing the recommendations, and a number of the most significant improvements have been full deployment of the authentication, enhanced intrusion detection systems and network information, improved network segmentation and many more. we have been working with all of our customers to update our atos, and this includes an audit from an independent party. we will continue to fortify protections of our systems. our adversaries are constantly
11:23 am
working to make new attacks against our systems. while it may be impossible to eliminate the threat of a cyber attack, we will continue to evaluate our protections. thank you for drawing attention to this critical issue and allowing keypoint to share its perspective. >> thank you for your testimony. mr. giannetta, we will now recognize you for five minutes. >> thank you. my name is robert giannetta, and i am currently the chief information officer. i joined in august of 2013, and before then i was with bae systems and served in the united states navy. until august 2014 usis performed
11:24 am
background investigation work for the united states office of personnel management. when i started working at usis, they would perform background investigation work and were operating under two security systems which were issued from opm in 2012. those authorities to operate required annual review of the systems, and opm's 2014 review included approval of the system security plans and a site visit in may of 2014. in june 2014, usis immediately notified opm and initiated its comprehensive response plan. usis's responses included the
11:25 am
investigations firm to lead the investigation and remediation efforts. usis instructed them to leave no stone unturned in their investigation, and they invested thousands of personnel hours and dollars to remediate against the attack. those efforts succeeded in blocking the attacker. the stroz investigation was also able to develop significant technical details about how the attack occurred, what the attacker did within the systems and when data was compromised. this was shared with opm and other government agencies. in addition, usis invited investigators in and gave them full access. they ordered a stop work order and terminated the long-standing
11:26 am
contractual relationship with the company. this led usis to bankruptcy. just yesterday i was invited to testify before the committee, and i will do my best to answer any questions you may have. >> i recognize myself. ms. archuleta, you have personally identifiable information for how many federal employees and retirees? >> we have -- >> move your microphone closer, please. >> we have 2.7 million individuals who are full-time employees and 2.4 -- >> no, i asked you -- you have personally identifiable information for how many employees and retirees? >> the number i just gave you includes the number of employees and retirees, and personally identifiable information within the files depends on whether
11:27 am
they have had a background investigation or whether -- >> how many records do you have? this is what i am trying to get at. >> i will ask mrs. seymour -- >> no, come on, you are the head of the agency and i want to ask you how many heads are at play here. >> i will get back to you -- >> no, no, this is what you wrote to the appropriations chairmen of the house and senate. you wrote, as a proprietor of sensitive data including personally identifiable information for 32 million federal employees and retirees, opm has an obligation to maintain cyber controls. you wrote that in february. are you here to tell me that information is all safe, or is it potentially 32 million records that are at play here? >> as i mentioned to you earlier
11:28 am
in my testimony, mr. chairman, we are reviewing the number and the scope of the breach and the impact -- >> so it could be as high as 32 million? is that right? >> i mentioned to you, i will not give a number that is not completely accurate, and as i mentioned in my testimony -- >> i am asking you for a range. we know it's a minimum of 4.2 million, but it could be as high as 32 million? >> i am not going to give you a number that i am not sure of. >> when they fill out the sf86, that would include other people identified within those forms, correct? >> that's correct, sir. >> do we know on average how many people are identified if you fill out an sf86, how many people -- >> i don't believe anybody has calculated an average. >> are you taking a look -- i am asking if you will take a
11:29 am
sampling of records and understand how many other people are identified in those records. if you have 32 million employees and former employees in your database and they are also identifying other individuals, i would like to know on average how many people that is. is that fair? >> we are not calculating an average, we are calculating a very distinct and accurate number. >> when you asked for $32 million more in your budget request, it was because you had 32 million employees and former employees identified, correct? >> that -- the number of employees that we have, yes, we are asking for support for our cybersecurity -- >> do you have a complete inventory of databases and network devices -- >> we have as complete an inventory
11:30 am
as we can, sir. that changes on a daily basis. >> changes on a daily basis? you don't have it, do you? mr. mcfarland says it's not complete. >> his ig report was done in 2014. we have made significant progress in our i.t. program since then, and we know where those are and we know the pii in them. >> to my members of the committee here, we have to move quickly. just having an inventory of what is at play here is key, and the inspector general does not believe you when you say that. ms. archuleta, in 2014 opm became aware of an attack on its networks. i would like to enter into the
11:31 am
record a chinese attack, 2014. did it result in a breach of security? >> on the march 2014 opm network, the adversary activity -- the data to that number, none was lost. >> i asked if there was a breach in security? >> there was activity that dated back to november of 2013, and with the forensics of that information, we found no pii was lost. >> i am asking you a broader question. did they have access to the personally identifiable information? >> i am not a forensic expert, but we have the forensic team with us right here on this
11:32 am
panel. >> in your perception, from your understanding, did they have access to the personnel information? >> we know there is adversarial activity that dated back to november of 2013, and i also know that no pii was lost. >> no, that's a different question. the question i asked is did they have access? whether they exfiltrated it is a different question. >> i said there was adversarial activity. >> did it result in a breach of security in your opinion? is that a breach of security? >> that's a breach of our systems, yes. >> is that a breach of your security? >> with the security systems, yes. >> so yes, it was a breach of security, yes? >> they were able to enter our systems. the security tools that we had in place at that time were not
11:33 am
sufficient to fight back, and we have since instituted more, and that's why in april of this year we were able to -- >> okay, but at the time, at the time, it was a breach of security, right? >> yes, there was a breach into our system. >> was there any information lost? >> as i just said to you, there was no pii lost. >> that's not what i asked you. i asked did you lose any information? >> you would have to ask the forensic team. >> i am asking if you know if any information was lost? >> i will get back to you. >> i believe you have this information. >> you believe i have the information? >> yes. >> did they take information when they broke into the system? >> no pii -- >> that's not what i asked you. we will take as long as you want here. i did not ask if they exfiltrated
11:34 am
pii, i am asking you did they take any other information? >> i will get back to you -- >> i know you know the answer to this question. ms. seymour, did they take any other information? >> in the march 2014 incident, the adversaries did not have access to data on our network, but they did have access to documents and they did take documents from the network. >> what were those documents? >> outdated security documents about our systems and manuals about our systems. >> what kind of manuals? >> about the servers and environment. >> is that like a blueprint for the system? >> that would give you enough information that you could learn about the platform, the infrastructure of our system, yes. >> did they take any personnel
11:35 am
manuals? >> no. >> they took some manuals about the way we do business. they did not take personnel manuals, and we may not be defining that the same way. >> but they did take information? >> yes, they did. >> do you believe it was a breach of security? >> yes, i do. >> so ms. archuleta, when we rewind the tape and look at the interview you did on july 21st, you said we did not have a breach in security and there was no information that was lost. that was false, wasn't it? >> i was referring to pii. >> no, you weren't. that was not the question. that was not the question. you said, and i quote, there was no information that was lost. is that accurate or inaccurate? >> the understanding that i had of that question at that time referred to pii.
11:36 am
>> it was misleading and a lie and was not true. when this plays out we're going to find that this was the step that allowed them to come back and why we are in this mess today. it was not dealt with, and you were misleading and went on television and told all the federal employees, don't worry, no information was lost. did they have access to the personal information, ms. seymour? >> no, at that time they did not have access to the personal information. >> they may not have taken it, but did they look at it? >> at that time they did not have access. >> i want to talk to you, mr. mcfarland, and i want you to hear me, listen to me very carefully. there have been, after our last
11:37 am
hearing on this subject, members on both sides wanted to ask for ms. archuleta's resignation, and i asked that we not do that, but that we have this hearing so we could clear up some things, and because i wanted to make sure that we all are hearing right and we are being fair. this is my question. you have one opinion, and ms. archuleta, director archuleta, and ms. seymour have another opinion. you seem to say they need to do certain things in a certain order, and they say they think the order that they are doing them in is fine. they say they can do certain things in a short time and you say it's going to take longer.
11:38 am
you also say they don't have the necessary stream of funding they may need. this is what i want to know. is this a difference of opinion with regard to experts? do you understand what i am saying? you have your set of experts and they have their set, and do you deem it a difference of opinion? the reason why i mentioned from the very beginning the desire of certain members of our committee to ask for ms. archuleta's dismissal is because i want you to understand how significant that answer is, because there are some members that believe that you have made recommendations and that those recommendations had been simply disregarded. can you help us with that, mr.
11:39 am
mcfarland? do you understand my question? you look confused. don't be confused. i can't hear you. >> i always look that way. >> okay, good. you always look that way. okay, go ahead. >> i am not confused, no, but it's a very difficult question. >> but it's a very important question. >> absolutely. of course it's a difference of opinion, but the opinion that i have comes from auditors who are trained to look for the things that they reported on, and they did, in my estimation, as normal and usual, an excellent job. they stand behind their findings. i stand behind their findings. >> but is it just a difference of opinion? >> well, it's obviously a difference of opinion without question, and from my perspective ours is based on
11:40 am
auditing and questioning and understanding the situation, and that's where we come up with our answers. >> you heard ms. archuleta give a whole list of things that she is doing or about to do, i think, naming a new cyber officer and whatever, and does that satisfy you as far as your concerns are involved? >> no, it doesn't satisfy me as far as our concerns. we have a whole suitcase of concerns we have identified in our reports. i think that the best way to explain my answer to that question is that we -- we are, i
11:41 am
guess, very frustrated that we ask answers of opm and it takes a long time to get the answers. we ask definitive questions and we don't necessarily get definitive answers. we know for a fact that the things that we have reported are factual. we don't take a backseat to that at all. our people have done this for a long time; they know what they are doing. but, yes, it comes out to a difference of opinion, but ours is based on fact. i can't speak for the other side. >> all right. your company has a lot to answer for. according to the justice department, usis perpetrated a
11:42 am
multimedia fraud, and they failed to protect sensitive information of tens of thousands of federal employees, including people in the intelligence community and even the capitol police, and altegrity doled out bonuses. last week the committee invited altegrity's chairman to testify. do you know what he said? >> i do not. >> i will tell you. he said no, he refused. in 2014, a team from the department of homeland security asked altegrity if they could scan the networks because the cyber spies were able to move from usis to those other subsidiaries.
11:43 am
do you know how they responded? >> i understand they declined. >> yes, they refused. altegrity is your parent company. who made the decision to refuse the government's request? >> i don't have that information. i am not aware of who made that decision. it certainly was not me. >> can you find out for me? >> i can ask. >> how soon can we get that information? >> i will take it back to counsel and see what we can do. >> i would ask you to get it to us in the next 24 hours. i would like to have that. i have been trying to get it for a long time. i would like for you to tell the committee the names of specific members of the board. >> i interact almost never with
11:44 am
the board of directors. >> you are about as close -- we have been trying to get the information for a while. you are all we got. i know you are just back from vacation from italy. did you get a bonus by the way? >> i did. >> oh, my goodness. how much did you get? >> i don't recall the exact amount. >> it was in the neighborhood of $95,000. >> your company also refused to provide answers in a hearing in 2014. do you know what your company representative said when the committee attempted to get these answers? >> i am not in that communication chain, so i don't. >> let me tell you. they sent an e-mail to our staff and i quote, the company does not anticipate making a further response, end of quote. do you know -- would you know why they would say that? >> again i am the chief
11:45 am
information officer at usis, and i don't know. >> sounds arrogant to me. the same question i asked back in february of 2014, more than 16 months ago name the board of directors that decided not to answer those questions, you wouldn't know that either? >> i don't know the board of directors. i know the chairman is steve duh leash. >> you are still working for usis is that right? >> how long will you be there? >> indeterminate but in the next month or so i will be departing. >> will you try to get me those names? >> i will take your request back to the appropriate people. >> thank you. we recognize the gentleman from florida. >> thank you, mr. chairman. ms. archuleta there has been a
11:46 am
discussion today about how many people -- federal employees and retirees -- have been breached and you testified at the beginning, you estimated about 2.4 million, is that correct? >> it was 4.2 -- >> 4.2 in personnel? half of that is retirees and that's 2.4 and then you add -- >> i don't know exactly, but it's about half and half. >> the second figure you started to debate about was 18 million which has been reported by the media, and that would deal with breach of social security numbers? >> the analysis right now is taking a look at all the pii because pii comes in various forms -- >> but you are not prepared to tell us how many -- >> no, sir.
11:47 am
>> of the social security numbers are breached. the chairman pointed out your statement in february, you had said over 32 million records? >> that was the number he used yes. >> so you really don't know, then, how many records have been breached beyond the 4.2? >> no, sir that's the investigation we are doing right now. >> i thought about this a little bit and i thought, well, first thing, were my records breached my staff, and then thinking about the other people downtown and the agencies and we have a responsibility to protect their personal information, and over the weekend in fact monday i spoke the day at an embassy being briefed on a bunch of issues, and then brought to my
11:48 am
attention was people in sensitive positions that they were notified by you all a breach of their records. so our overseas personnel in sensitive positions have also been subject to the breach, correct? >> employee personnel records -- >> how much data is there? address, and personal information about these individuals. you think a little bit about people in the glass places here and you want everybody safe. i was stunned to find out that some of the people, united states citizens serving overseas were notified that their personnel records have been breached and information is available on them and they are in possible situations that could be compromised by that information, but you have notified them, right? >> we have notified the 4.2 million -- >> those are the people.
11:49 am
they mentioned this to me. i was there on other subjects, but they expressed concern -- >> i am as concerned as you are about this because these are the individuals who have been -- whose data -- >> these people are on the front line, and they are overseas and representing us and i could hear concern in their voice about what has taken place. i have read it's chinese hackers, does anybody know? was it the chinese? do we know for sure? do you know for sure? >> that is classified information, sir. >> so you have some idea but it's classified? >> it's classified and i can't comment here. >> whether it's chinese or some group that could give this information to people who would want to do harm, then that means some of those people to me are at risk? >> sir, every employee is
11:50 am
important to me, not whether they are serving in kansas city or overseas. >> no but yesterday morning before i left i visited a site of a terrorist act in one of the capitals and i saw well that place still had not been open and it has been months since that terrorist attack and our people are over there on the front lines and their information has been compromised. you have been there the longest ms. dicamillo. >> what was that? >> you have been in position since 2012 at opm? >> no i work for department of homeland security. >> but you are responsible for overseeing opm's -- >> dhs is a shared cyber security, and we are working with partners and we work with
11:51 am
them protecting the boundaries -- >> when did we first find out about the breach? >> it was notified by a third-party partner to us in march of 2014. >> 2014. so when you came on ms. seymour, about 2014? >> i came onboard in december of 2013 sir. >> so you were there. they talked about his bonus. are you ses? >> yes. >> did you get a bonus, too? >> yes, sir, i did. >> how much? >> i do not know the exact amount but i believe it was about $7,000. >> whether you were private or public, you were getting a bonus while some of this was going on. >> we will recognize the gentlewoman from new york for five minutes. >> thank you. i am trying to get this straight. opm was breached directly, is that correct? i will ask ms. seymour opm was
11:52 am
breached twice? >> that's correct. >> and one occurred in december of 2014 detected in april of 2015, and then the security breach -- when were the two breaches? when were the two breaches, the dates? >> the first opm breach goes back to -- we discovered it in march of 2014 and the breach actually -- but the breach actually occurred in -- >> you discovered it in march 2014. >> yes, ma'am, and the breach actually occurred -- the adversary had access of november of 2013. >> and then the second breach was when? two breaches, correct? >> that's correct, ma'am. the second breach we discovered in april of 2015, and the date
11:53 am
that that breach goes back to is act of 2014. -- i am sorry, june of 2014. >> who discovered this breach? how did opm discover this breach? >> the first breach we were alerted by dhs. >> so you did not discover it the department of homeland security discovered it? >> yes, ma'am. >> the second one, who discovered it? >> opm discovered it on its own in april of 2015 and by then we put significant security measures in our network. >> now when did you report these breaches? who did you report them to? >> on april 15th when we discovered the most recent
11:54 am
breach we reported that to us cert. >> who? >> the computer emergency readiness team. >> did you report it to congress? >> we reported it to the fbi and made the notification to congress as well. >> that was the april 15th one. what about the first one? >> for the first breach, again, dhs notified us of that activity in our network and so they already knew about that one, and yes, ma'am we made notifications to congress of that one as well. >> when? >> i am sorry, ma'am i don't
11:55 am
have that date in my notes. i would be happy -- >> could you get it back to the committee for us. did you notify the contractors of the breach? >> at the first breach there was not an awareness that -- of what the adversaries were targeting and this may go beyond opm. i know our staffs at -- my staff, my security staff, had conversations with the contractor organizations and i know the indicators of compromise that dhs had were provided to other government organizations, were put into einstein as well as they have communications that they would -- >> but the breaches were direct. now, i want to understand the
11:56 am
interaction with the contractors. now, when they breached you, did it go into opm? i am asking you both. when they went into that system did that connect to opm or was it held within your system? >> it was held within the intrusion of 2014 it was within our systems? >> within your systems? so the four identities they have and information they have, it came from opm or the contractors? are they one in the same or separate? i will go back to ms. seymour? >> these are separate incidents so with the breach at usis, the way opm does business with its contractors is different from the other way it's agency may do business with key point and usis, so there were approximately 49,000, i believe
11:57 am
it was, individual we notified based on the key point incident and there were other agencies that made notifications based on the other incidents. the 4.2 number you are getting is about the personnel records the incident at opm -- >> what i would like to get in writing is exactly what information came out of opm and what information came out of the contractors? is it one in the same? you are the final database so i want to understand the connection and how the breaches occurred and how they interconnect. i want to remind you you are under oath and i have a series
11:58 am
of questions to follow up on carolyn maloney's questions. it was reported in the wall street journal a company says they were involved in discovering the breach that apparently has been, according to the article, linked to chinese hackers. opm's press secretary said the assertion that cytech was somehow involved them -- ms. seymour, do i have your attention? they said they were invited in by opm and their equipment was run on opm and their equipment indicated there had been an intrusion of your system and they notified you but your response officially from opm is that it's inaccurate and they were not involved, and ms.
11:59 am
archuleta, you said they were not involved. i remind you both you are under oath, so do you want to change your answer? >> no, they were not. >> no, they were not. >> reminding you again you are under oath were they ever brought in to run a scan on opm's equipment? >> it was engaged and we looked at using their tool in our network, and it's my understanding we gave them some information to demonstrate whether their tool would find information on our network and in doing so they did indeed find those indicators on our network. >> thanks, ms. seymour. the ceo and vice president of technology officer came in and briefed the staff and they
12:00 pm
relate they were given access and ran their processes and they discovered it, and previously it was denied they had involvement. what exactly did cytech do? were they given access to your system and run it on your system? >> here is what i >> that was not the question, ms. seymour. i am assuming you would have a greater understanding that you would know, considering you are the chief information officer and you are testifying before us how it happened and there already has been a news article so tell us clearly what access was cytech given to your system. >> i am trying to explain how he -- they had access. opm discovered the breach and we were doing market research and we purchased licenses for their tools. we wanted to see if that tool set would also discover what we had already discovered. yes, they put their tools on our network and yes they found that information as well.
12:01 pm
>> so you were tricking them and you already knew it and said, shazam, you got it, too. seems highly unlikely, don't you think? >> we do a lot of research before we decide what tools we will buy for our network? -- network. >> at that point you had not removed the system from your system? you knew it was there and you brought them in and their system found it too which means it was continuously running and the personnel information was still at risk? correct? >> no, we had latent malware on our system that we were watching and quarantined. >> so it was no longer operating? >> that's correct. >> ok. clearly you are going to have to give us an additional briefing and the intel committee staff exactly how you did this because cytech is relating what they did and it's compelling and quite frankly what you say sounds highly suspicious, that you brought them in and tricked them to see if they could discover it,
12:02 pm
something you already discovered , and why would you need them if you already discovered it and further tricked them to say you don't have the system on your system anymore. it contradicts in so many ways that defies logic. but the other thing i want to ask you is your sf84 form was comprised. it was compromised, you sound like it's minor. but this is the form, and this is what they have to fill out. their social security number is all over this. in my community there are a number of people who had to build this out to serve their country. what are you doing about the additional information in the form and being released and is out there about the individuals? >> i filled out exactly the same form -- >> i doesn't ask that. -- didn't ask that. it's not just about identity theft. this is not just their credit
12:03 pm
cards and checking accounts. what are you doing about the rest of the information that is in here about counseling them and assisting them? >> i just used that by way of example i understand what is in the form. personally and as the director of opm, and because at opm, as you know, we do federal background investigations and i am clearly aware of what is in the form. as i mentioned in my testimony that we are working with a very dedicated team to determine what information was taken from those forms and how we can begin to notify the individuals who were affected by that. that form is very complicated and that is why i am very, very careful about not putting out a number that would be inaccurate. that is a complicated form with much information. it has pii and other information so we want to be sure that as we look at how we protect the
12:04 pm
individuals that completed those forms that we are doing everything we can and we are looking at a wide range of options to do that. this is an effort that is working together throughout government and not just opm. we are concerned about the data lost as a result of the breach by the hackers that were able to come into our systems. i will repeat again, but for the fact that we found this, this malware would still be in our systems. >> chairman i want to thank them for acknowledging that cytech did have involvement even though they previously denied their involvement. >> we now recognize the gentlelady. >> -- but first i want to ask ms. archuleta, members have been concerned about this 4.2 million number that you have tried to straighten out for the record.
12:05 pm
that's not a final number and it almost surely will go up. is that the case? >> there are two incidents. >> i understand that. >> in the first incident, that number is 4.2 million. in the second incident we have not reached a number. >> so the number is going to go up. i understand -- and i am receiving calls from federal employees about opm's promise of 18 months, i believe it is, free credit monitoring. is it true that federal employees must pay for this service after that time? >> well, the services we are offering is identity theft protection up to $1 million that we are also offering credit monitoring for 18 months, which is the standard industry
12:06 pm
practice. as we look at the second notification, we are looking at our whole range of options. >> ms. archuleta, there's a great deal of concern, not so much about paying for it but about the amount of time, the 18 months may be too short period of time given how much you don't know and we don't know. >> we are getting tremendous information back from not only -- >> are you prepared to extend that time if necessary? >> i have asked my experts to include this feedback that we have received on a number of different considerations. >> are you prepared to extend that 18 months in light of what has happened to federal employees if necessary? >> as i said, we don't know the scope of the impact -- the scope of -- >> precisely for that reason ms. archuleta. i have to go on. if the scope is greater as you get more information, will you correlate that to extending the
12:07 pm
amount of time that federal employees have for this credit monitoring? >> congresswoman, i will get back with you as to how -- what range of options we have. >> when you get back to us within two weeks on that. ms. archuleta, we have people out there, all of us have constituents out there, and you won't even tell me you are prepared to extend the time for credit monitoring, what kind of satisfaction can they get from opm? i am just asking you that if necessary? >> congresswoman i am as concerned as you are -- >> in other words, you are not willing to answer that question. are you willing to answer this question. they report having to wait long periods of time, sometimes hours to even get anybody on the phone from opm. can you assure me that if a federal employee calls they can
12:08 pm
get a direct answer forthwith today if they call, and if not what are you going to do about it? >> we are already taking steps and what the contractor has implemented is a system similar to what social security is using, so if they get a busy tone, they also can leave their number and they will get a call back. >> within what period of time, ms. archuleta? >> for example, i heard a gentleman told me this morning that he left his number and was called back in an hour, so that individual does not have to wait on the phone. >> you let the chairman know before the end of this week what is the wait time for a return call, and that was a subject of great concern. >> we get those numbers every day and we will be glad to. >> we need some assurances, and we can't assure them beyond 18 months they are going to get credit monitoring and that's a very unsatisfactory answer, i want you to know.
12:09 pm
i want to ask, we understand that much of this is classified and we keep hearing we can't tell you things because it's classified. of course the press is finding out lots of stuff. they reported that law enforcement authorities have been examining the connection between the cyber attack at opm and a previous data breach that occurred at key point. i want to ask you -- and i don't want to discuss or am not asking anything classified, but you assert in key point's data breach, did you find hackers were able to move around the company network prior to detection? >> in the case of the key point investigation? >> yes. >> yes, ma'am, they were able to
12:10 pm
move around the key point network. we had an interagency response team that spent time reviewing the network after the customer technical -- >> even for the domain level? >> correct. they had access -- we were there in august of 2014. the on-site assistant team was able to discover -- >> what does that allow a hacker to do if you get to the domain level? >> they had access to key point at that point in time, through the fall of 2013, during that time they were able to leverage certain malware to escalate privileges for the entry point and they entered the -- >> they can get to background points. >> the time has expired. >> they could not. they were not -- there was no -- there was a pii loss associated
12:11 pm
with 27,000 individuals associated with that case, i believe. it was potentially exposed and because of lack of evidence we were not able to confirm that so they had potential access but we were not able to confirm the exfiltration of that data. >> thank you, mr. chairman. >> thank the gentlelady. i now recognize myself for five minutes of questioning. let me ask ms. archuleta, what do you believe was the intent behind the attack? we are talking about the attack, so what do you think the intent was? >> you would have to ask my partners and the cyber security about that. i don't -- i am not an expert in -- >> ms. seymour maybe you could respond? >> that would be better placed with dhs and perhaps with others. >> let me start with ms. seymour do you have any idea as to the attack? >> opm doesn't account for the attribution or for which the
12:12 pm
information is used. >> i would be happy to discuss the details and it's more appropriate for a closed classified setting. >> ms. archuleta, how would you assess opm's information with current and former employees regarding the breach, at this point in time how would you assess it? >> i believe that we are very -- we want to work very hard with our contractor to make sure that we are delivering the service that we want. we have asked them throughout this process to make improvements. we have demanded improvements and are holding them accountable, excuse me sir, to deliver the services we contracted for and ms. seymour is in communications with them and i do not want our employees to sit and wait on a phone and do not want them to have to wonder whether their data has
12:13 pm
been breached and i want to serve them in every way we can and that's why we are demanding from our contractor the services in -- services the contractor will deliver. we are working hard on that and each day give them the appropriate feedback for what we are hearing from our employees. >> federal news conducted an online survey about the data breach, and one of the questions asked was to rate opm's communication with current and former federal employees about the data breach. the results showed that 78% of respondents indicated it was poor, and 3% described it as good and less than 1% said it was excellent. i appreciate the fact that you want to improve that, and we expect you to make sure that who you have a contract with improves that.
12:14 pm
>> those numbers don't make me happy, sir. >> those are terrible numbers. >> i will do whatever i can. i care deeply about our employees. >> let me move on. some news reports indicate attackers may now be in possession of information of every federal employee and retiree and up to one million former federal employees. if that is true, they have the information of date of birth and job history and more that could be there. for years we have been hearing about the risk of a cyber pearl harbor. is this a cyber pearl harbor? >> the information associated with the data breach that was confirmed is what we would call on a severity scale a significant impact. >> a significant impact. what does significant impact mean? >> meaning the data, if it was
12:15 pm
correlated with other data sources, it could impact the environment as well as the individual. >> environment meaning? >> the fact they were able to take the data out of the environment, that is a significant impact on the environment and ensuring they were able to mitigate the ability the attacked her -- the attacker used to get into the environment. >> so it has blown up? >> sorry? >> it has blown up a lot of things, protection, security? it's a pearl harbor. >> that's not a term i am comfortable with using, but when the severity scale -- >> it's pretty significant? >> yes, medium to high significance, yes. >> let me ask ms. seymour, do you think issuing a request for
12:16 pm
quotes on may 28th and establishing a deadline of may 29th to potential contractors was a reasonable opportunity to respond in this significant issue of cyber security? >> our goal was to be able to notify individuals as quickly as possible. we worked with the gsa schedule and contacted the schedule holders, and put it on fedbizopps for other opportunities. so our goal was to make sure that we could notify individuals as quickly as possible. >> that was quick. maybe too quick. my time has expired and now i recognize the gentleman from
12:17 pm
massachusetts, mr. lynch. >> thank you, mr. chairman and thank you to the witnesses for participating today. ms. archuleta, you testified before the senate. let me ask you on the outset who is ultimately responsible for protecting the information of employees at opm or that are covered by opm, the federal employees? >> the responsibility of the records is with me and my cio. >> so you also testified that nobody was to blame. is that right? >> i think my full statement sir, was that i believe that the breach was caused by a very dedicated, a very focused actor who has spent much funds to get into our systems, and i have worked the rest of my team was i
12:18 pm
have worked since day one to improve legacy systems -- >> i understand you are blaming the perpetrators that those are the people responsible, is that basically what you are saying? >> the action was caused by a very focused aggressive perpetrator. >> i can't have repeated the same answers. mr. mcfarland, the assistant inspector general testified a number of the systems that were hacked were not older legacy systems but they were newer systems. is that your understanding? this is not the old stuff, this is the new stuff? >> yes, that's correct. >> ok. and the former chief technology officer at the irs and department of homeland security said the breaches were bound to happen given opm's failure to update its cyber security. is that your assessment, mr. mcfarland? >> i think without question it exacerbated the possibility,
12:19 pm
yes. >> this is a quote. if i walked in there as a chief information officer and saw the lack of protection for the sensitive data, the first thing we would have been working on is how do we protect that data. i am concerned as well about the flash audit that you just put out, and your ultimate determination was that you believe what they are doing will fail. >> the approach that they are taking, i believe, will fail. >> ok. >> they are going too fast. they are not doing the basics. and if that's the case, then we're going to have a lot of problems down the road. >> let me ask you, so very crudely describing this, they are creating a shell, a
12:20 pm
protective shell, and then we are going to migrate applications in under the shell and because of the shell they will be resistant or impervious to hacking. doesn't seem like we should have to wait until the last application is under the shell before you find out whether or not the shell is working. is that -- is that -- will that give us an opportunity to look at the early stages of this project? >> i am not sure if it will give us that opportunity or not. what is important, i think, from our perspective is that they have the opportunity, opm has the opportunity right now to do certain things that will increase the security a great deal, and that should not be abandoned and just in place of. i don't mean to imply it is
12:21 pm
abandoned but that should not be in place of speeding through the rest of the project to get it done. the crisis part may not seem this way to a lot of people, but the crisis at opm was with the breach. that part is over. the best thing to do is safeguard the system as it is right now, and then move appropriately for full restructuring. >> do you think opm's estimate of $93 million is accurate? >> i don't think it's anywhere close to accurate. >> i don't either. it doesn't seem to include the whole migration information where they pull the information in. >> as an example, the financial system that we have, in 2009, we
12:22 pm
had to migrate that information. >> right. >> and in so doing, it had a lot of oversight and went pretty well. in fact, our office was part of the oversight. but just that one system took two years and $30 million. >> all right. and that's a small fraction of what we are talking about here right? a very small fraction. >> very small. >> i yield back. >> we now recognize the gentleman from south carolina. >> thank you, mr. chairman. mr. chairman, i want to read a regulation i would ask all the panelists to pay attention. it's a little tedious. if new or unanticipated hazards are discovered by the government or contractor or if existing safeguards have ceased to function, the discoverer shall immediately bring the discovery to the attention of the other party.
12:23 pm
that's a regulation. mr. hess, mr. gianetta were there also things between you and the government? >> there are. >> they would be similar to that? a notice provision? >> i don't have the exact text -- don't have an immediate recollection of the exact text but it is similarly worded. >> i think it's helpful sometimes to define terms, particularly for those that are liberal arts majors and don't deal with this. what is a new or unanticipated threat or hazard? mr. hess? >> that would be an indication of a compromise of a system or failure of any of the system protections. >> oh, so when chairman chaffetz was having a hard time getting answer to that because the focus was on the loss of personal information, it's just a threat or hazard. it doesn't actually have to be a
12:24 pm
loss, does it? >> not the way i would define it. >> me either. what about existing safeguards have ceased to function. what does that mean? mr. hess? >> sir, it's pretty explanatory. >> it did strike me as being self-explanatory. is it self-explanatory to you? existing functions have ceased to function? >> yes >> and here is the related question. what does the word immediately mean? >> without delay. >> without delay. is there another meaning that you are familiar with? >> that's a good definition. >> so you had a contractual obligation with the government and a regulatory obligation that if new or unanticipated threats are discovered by the government or contractor or if existing safeguards have ceased to function, the discoverer shall immediately bring the situation
12:25 pm
to the attention of the other party. ms. archuleta, i've heard this morning about a march 2014 data breach. did i hear that right? >> yes, sir, you did. >> when did you bring that to their attention? >> i would have to get that information. i don't have it in my notes. seymour would know. >> i would expect that it was immediate. >> let's find out. ms. seymour, do you know? >> no, sir, i don't. i don't think we immediately notified our contractors of a breach to our network because at that time we did not have any question as to whether it was affecting them. it was to our network at that time.
12:26 pm
>> mr. hess, mr. gianetta, is that your understanding that they were under no duty to bring that to your attention? not all at once. it is your contractual language. do you think you should have been notified because of the march breach? >> absolutely. >> why? i just heard one person say they didn't know and the other, it was really none of your business. why should you have been notified despite the plain contractual language? why do you think it was important that you be notified? >> so that we could take more appropriate actions to protect data. >> were you notified? >> i was not. >> were you notified immediately? >> no. >> huh. what do you have to say about that, ms. seymour. >> i believe that that's accurate, sir. >> well, i'm with you there.
12:27 pm
i guess my question is why? why despite the plain language of the contract and the regulation why did you not immediately notify the contractor? >> we worked with dhs and partners to understand the potential compromise to our system so that we could -- >> was dhs one of your contractors? >> no, sir. >> i didn't think so. that doesn't really help me understand the regulation because this says contractor not dhs. why didn't you notify the contractor? >> we were still investigating what happened in our network. >> what does the word immediately mean to you? >> without undo -- >> did you do so? >> no, we did not. >> does it say as soon as you figure out what happen after you talk to dhs? that is not in my version of the regulation. is it in yours? >> i have not read that regulation. >> that one doesn't exist. the one that says notify dhs or
12:28 pm
try to figure it out. the only one that exists says to immediately notify the contractor. you didn't do it and my question is why? >> i can't answer that question. >> who can? >> i will take that back and get you -- >> to whom will you take it? >> i believe i would take it back to my staff to see if we have processes in place. >> do you think it's staff's responsibility to notify the contractor? >> we have processes in place for making notifications when we find these -- >> who is ultimately responsible for that? who failed to meet the contractual regulations? >> i'd have to read that regulation. i'd be happy to read it. i'd like to read the full context of it. >> you think the context is different than what i read? >> i'd want to read the -- >> have you read the contract?
12:29 pm
>> i have read most of the parts of the contract, sir. >> i can't speak for the chairman but my guess is he and the other members would be interested in who failed to honor the letter and spirit of the contractual obligation. with that, i yield back. >> we'll recognize the gentleman from california. >> thank you, mr. chairman. i have concerns not just about the failures of opm leadership but its contractors. in particular, usis. it looks like what happened here wasn't just recklessness or negligence. it was fraud. i want to know how far up this fraud went. the hedge fund managers that funded these companies knew about it. let me begin with mr. mcfarland. the department of justice joined the lawsuit for defrauding the government under its contract with opm. and according to a justice department filing, beginning in at least march 2008 and through
12:30 pm
september 2012, usis management devised and schemed quality -- executed a scheme to deliberately -- in order to increase the company's revenues and profits. the u.s. assisted in this investigation, correct? >> that is correct. >> the parent company paid bonuses during the period of the fraud that amounted to nearly $30 million. has usis paid the government back for those bonuses? >> i'm not positive, but i believe not. >> let me enter into record, mr. chairman, if possible, an article from "the wall street journal" entitled "executives got payout before screener went bankrupt." if i could enter the article into the record. >> without objection. >> thank you. i ask a second one be entered. an article in "the washington
12:31 pm
post." the justice department filed a motion in this case on friday seeking $44 million from usis' parent company. that's from this monday. >> without objection, so ordered. now let me ask ms. dicamillo for usis to have these breaches it would have cost less than $30 million, correct? >> not having investigated specifically the breadth and depth of all the parent companies we were focused on the usis network. they were higher than $30 million for the recommendations we provided to them. that number could be as high as $50 million. >> thank you. i appreciate that. now i want to ask mr. gianetta about the bonuses awarded. who on the board reviewed the performance of the ceo and decided to award him with bonuses during the 4 1/2 years
12:32 pm
usis was defrauding the government? was it the board? >> since my role began at usis in 2014 as the chief information officer, i don't have any knowledge direct or indirect of who approved -- >> you don't know if it's the parent company or hedge fund managers. we don't know who did this? we'll send you written questions after this. i want your commitment that usis or altegrity will provide a response to our questions within 30 days. will you commit to that? >> certainly. >> i also think the committee should call the president of altegrity as well. let me now turn to mr. mcfarland. you issued two advisory reports, one in november 2013 and november 2014, correct? on opm. mr. mcfarland? you issued two ig reports dated november 2013 and november 2014. >> sorry.
12:33 pm
i didn't hit the very first part. >> so you issued two reports dated november 2013 and november 2014 on opm? >> you're speaking on fisma i'm sorry, yes. >> these two ig reports, would you agree the 2014 report is quite similar to the 2013 report because opm actually failed to implement many of your recommendations? >> i think there were many carryovers, yes. >> would you agree this is a difference of opinion? you had opm violating standards that the administration had put in. for example in 2014, your report on page 24 says opm was not compliant that required to -- that the office required to factor in -- an authentication. on page 12 you also said that opm was not complying with international institute
12:34 pm
standards. you would agree opm was not following these standards, correct? >> yes. >> do you take responsibility for not following omb guidance as well as guidance from national institute of standards, which had you followed, could have prevented these breaches? >> well, sir -- >> yes or no. do you accept responsibility for -- >> it can't be a yes or no. >> this is a yes or no. you don't have to accept responsibility. i just want to know if you do. >> i have to take into consideration when an audit is conducted by the auditor. i have to make an informed decision about his recommendations. it's not whether i disagree with him. >> this is omb. it's this administration's guidance. >> and we have worked very closely with omb to make sure that we're tracking, documenting
12:35 pm
and justifying all of our steps in -- >> my time is up. i take it you don't actually take responsibility. i yield back. >> i now recognize mr. meadows. >> thank you, mr. chairman. ms. seymour, let me come to you because there seems to be some conflicting information before this committee. on april the 22nd, you indicated it was the adversary's modern technology and the opm's antiquated system that helped thwart, in your words, thwart hackers at the first opm attack. is that correct? >> yes, sir. >> last week you testified repeatedly that it was the opm's antiquated systems that were the problem and the chief reason that the system was not secure
12:36 pm
and didn't do just the basic cybersecurity measures of encryption and network protection. so i guess my question to you, ms. seymour, which is it? is it the fact the old system helped you or the old system hurt you? those are two conflicting pieces of testimony. >> i don't believe they are conflicting, sir. in the first incident the old technology thwarted the actor because they did not know what they were doing in that environment. we immediately put in place a plan to provide better -- >> so you caught them immediately? >> no, we immediately put in place a plan so that we could improve the security posture. what we did was we moved to build a new architecture where we could put additional security controls. we also, at the very same time put security controls in our current environment. >> ok.
12:37 pm
>> we did not wait. >> well, you say you didn't wait once you found the problem, but is there a -- >> sir -- >> hold on. let me ask the question. is there in the security i.t. cybersecurity technology chief operators, is there anyone who would apply for a job who would suggest not to do encryption of sensitive data? >> encryption is not a panacea. >> i didn't ask that. is there anybody in your job or similar job that would say we're going to protect everything. let's leave it unencrypted. can you think of anyone? because i've been asking all over the united states. i can't find anybody. >> i'm trying to explain the situation. our databases are very large. our applications are not always
12:38 pm
able to work properly and encrypt and decrypt that data. >> so you're saying this was a volume problem not a management problem. because you're under oath and that's concerning because you're saying you just didn't have the resources to handle the large volume of information? >> it's not a resource issue. it's whether our applications are built so that they can -- >> so they aren't encrypted today? >> we have purchased the tool set, sir, and we are in the process of encrypting pieces of our databases as opposed to the whole database. >> we need to focus on the sensitive information. what do we tell the millions and millions of federal workers that now because their system has been breached, now you're going to encrypt -- do you feel like you've done your job? >> i do, sir. i came on board and recognized these issues and worked with director archuleta to put in a
12:39 pm
plan -- >> you both came in in 2013. >> at the end of 2013, yes, sir. >> how long did it take you to buy equipment to start encrypting? simple answer. >> june of 2014. >> ok. so you bought equipment in june of 2014. so when did you start encrypting? >> a couple of databases encrypted already. >> a couple out of how many? >> we have numerous. >> that's my point. >> it takes time and resources. >> when you applied for the job and were going through your senate confirmation you said you'd make i.t. technology your top priority. again in this committee you said that it was your number one priority. can you explain to the federal
12:40 pm
workers and all those that have had their personal information breached how making it your number one priority when you were confirmed in 2013 is still to be believed? or was it just what you said during a confirmation hearing and you never intended to act on it? >> i believe the record will show that i have acted on it. that i am dealing with a legacy system that's been in place for 30 years. and we are working as hard as we can. in 18 months we have made significant progress. but so have our aggressors. cybersecurity is an enterprise responsibility. i am working with all of my partners across government. and i have shown that we have prioritized this even as early as 2014 and 2015 in our budgets and in the resources we directed towards that. i do not take this responsibility lightly. as i pledged in my confirmation
12:41 pm
hearing and last week and as i pledge to you today, i take it extremely seriously, and i am as upset as you are about every employee that is impacted by this. that is why we're dedicating resources throughout government. not just at opm, but at every level of government to make sure this does not occur again. we're working very hard. >> i appreciate that. i appreciate the patience of the chair. >> thank you, mr. meadows. i'd like to recognize my colleague from the great state of new jersey, ms. coleman. >> thank you for your being here today. i have a couple of questions. i would like as short an answer as possible. with regard to one breach that involved the 4.2 million employees, those are actual employees and retirees. that's a closed system. we know how many that is. with regard to the individuals whose information was in a
12:42 pm
system because background checks were being done with them, "a," we don't know how many. "b," every one of those individuals didn't ultimately get a job so we have some whose information aren't even employed by the government. >> yes if there was a background investigation requested. >> in that second breach of that universe that's so large, that information was breached through a breach in the security of keypoint? is that true, ms. archuleta? >> yes. >> someone who had credentials with -- >> there was a credential used and it was -- that was the way they got in. >> thank you. so who is trying to identify all the universe that's been compromised through the latter breach? is it keypoint who is trying to clean up its mess or -- >> no, no, we have a total
12:43 pm
enterprise wide security team or forensic team that is doing the forensics on this. >> mr. mcfarland has made a number of observations and recommendations. and i believe i was left with feeling that you didn't believe opm was moving in the right direction on the right path to get to where it needs to go. i was also informed his recommendations or findings are a result of auditors and specialists in this area. i have two questions for you ms. archuleta. number one is, are you using experts and the same kinds of skill sets that mr. mcfarland is using and looking at the same things he is looking at? and do you agree with his recommendations? and if not, on what areas do you
12:44 pm
disagree? >> the audit i can take by way of example. first of all, i respect the inspector general's diligence in overseeing this topic. and there are areas we have areas of agreement and areas that i think we need further conversation about. in terms of the existing contracts and use of full and open competition, i'd like to assure the ig that the processes we used toward the already existing contracts have been perfectly legal. and we're going to continue to ensure that our future contracts and processes entered into will also be legal. i also understand that he's concerned about the sole source contract of tactical and shell he spoke about. i understand his concerns and i'd like to remind him that the contracts for migration and cleanup have not yet been awarded and we'll consult with him as we do that. where we don't -- where we have areas that we need to consider
12:45 pm
together and, by the way, the ig and i meet on a monthly basis and our staffs meet on a weekly basis or biweekly, i look forward to discussing with him the major business case so we can figure out what the practical timeline will be. >> tell me what you think is the time frame for the ig's office and your office and mr. mcfarland, you might weigh in, necessary to get to where we need to get. not that all these things are going to be implemented but we agree on what needs to be done. are we talking about three months from now, six months from now? do we have any idea? >> i would ask donna just to talk about the tactical and shell processes. we are trying to do that as rapidly as possible so we can move out
12:46 pm
of the legacy network. the issue about the migration and the cleanup will continue to -- we will continue to discuss but we're trying to rapidly move toward that shell. >> do we still have contracts with keypoint? >> yes. and keypoint, this is to mr. hess, i believe, how many contracts with how many departments do you have? >> our primary contracts through homeland security and opm. >> and so are you -- are your contracts, active contracts coming to an end or are you at the end of these contracts? >> they're all active contracts. >> they're all active contracts. mr. mcfarland, should we be ceasing our relationship with keypoint? >> based on what i know at this point, i have no reason to believe that we should. >> that we should? >> i have no reason to believe that we should cease relationship.
12:47 pm
>> that we should cease. >> no, that we should not -- >> should not? do you agree with that, ms. archuleta? >> i do agree. keypoint has taken the steps necessary to mitigate any security questions they have been very active in working with us on that. >> should we cease contracting with them? mr. mcfarland says yes and you said -- >> no, he said no. >> i said no. i'm sorry. thank you very much. mr. mcfarland, last question to you, what are the three important things we need to do just to get us back on the right track and how long should it take? and that will be the end of my questioning, mr. chairman. thank you very much. >> i'll give you four, if i could. first, we'd like to see the implementation of multifactor
12:48 pm
authentication using piv cards and then develop a comprehensive inventory of information systems, servers and databases. and further protect existing data with encryption and data loss prevention tools. and then proceed with the infrastructure overhaul with a disciplined project management approach. and i have no idea how long that will take for discussion. >> thank you. i would now like to recognize mr. desantis from florida for five minutes. >> thank you, mr. chairman. this is a really, really frustrating hearing and, obviously, a colossal failure. we have a government that will tell us how much water we can have flushing in our toilets how much corn we have to put in the gasoline we use to drive our
12:49 pm
cars and boats and the government will tell us the type of health insurance we can and cannot buy yet on the core functions of government, the things we need the government to do, it seems it fails habitually. this is a major example of that. the numbers of people affected when ms. archuleta talked about, we don't know on the clearance side. we don't know because it's not just the person that filled out the form. you have friends, family members, associates, foreign nationals you may know who china would like to know who those foreign nationals are. you're talking about a larger number than the number who filled out those forms. yet it seems to me that we just have bureaucratic paralysis. nobody is really accountable. ms. archuleta, members of this committee have called upon you to resign. you've rebuffed that. do you still believe you should
12:50 pm
remain in your position? >> i am more committed than ever to serve the employees of this administration. i am working very hard. and i think -- >> do you accept responsibility? >> i accept the responsibilities that are given to the director of the opm and i have fulfilled those responsibilities by making sure we have the right people in the right places and seeking the resources we need to do our work and make sure the systems we have in place can do the work that they are expected to do. again, we have a legacy system that is 30 years old. we have dedicated money -- >> and i appreciate that. i've been here for your statements and heard you make that point. >> thank you, sir. >> but if not you, then who, if anybody in opm, should be held accountable for this colossal failure? >> i am responsible as the director of opm for -- >> is anybody going to be held responsible?
12:51 pm
>> for a number of different responsibilities. i take very seriously, as i said in my confirmation hearing and many other hearings after, including today -- >> what about responsibility? >> i accept -- i have -- >> they'll say, ron, we have people mess up in the government all the time and nothing ever happens. and that's not the world that our constituents live in where there's usually consequences. so you're not committing that anybody will be fired or held accountable because of this? >> we're going to do the best job that we can. >> i appreciate that, but that is not something that i think the american people have confidence in right now given what's happened. now let me ask ms. dicamillo, people have been warning about the risk of a cyber pearl harbor. obviously the ig warned the opm about vulnerabilities in their system for years and years.
12:52 pm
does this constitute a cyber pearl harbor? >> that question was asked to me earlier. we use a severity scale. based on the impact to data and the network and getting back to a known healthy state, we'd consider this a medium to high severity. and the ability for the mitigations we put in place as part of the plan we provided to opm post assessment. >> those are mitigations for the system itself, correct? they don't include mitigations for any of the capabilities that some of the people whose identities may have been compromised correct? >> correct. we ensure the protection of their networks. we provide mitigations to help them get back to a known good
12:53 pm
healthy state and prevent these things, and if they are targeted again, helping them detect that activity sooner so they can contain it and clean that up. >> if china gets blackmail information they can use against people serving in our government in important positions, if china is able to identify chinese foreign nationals maybe who are friendly with the united states and people, there's no way you can calculate the damage that causes? >> i'm a cybersecurity operator. that's clearly a question for intelligence. >> i think it's a very important question, and i think the damage to this is very, very severe. i yield back the balance of my time. >> i'd like to recognize the chairman from virginia, mr. connolly. >> i thank the chairman. thank you for allowing me to go at this moment because i have to chair a meeting at 12:30.
12:54 pm
let me just say, you know, i was just listening to our colleague from florida. it's easy to make a scapegoat out of somebody or something. that isn't to absolve people of responsibility. but what we're facing is a much bigger threat than a management snafu. we are facing a systematic, organized, financed, pernicious campaign by the chinese government in the form of the people's liberation army with a trained unit to penetrate weak spots in our cyberworld. and that includes the federal government and it may include retail and commercial enterprises, certainly banks among them. to pretend somehow this is ms. archuleta's fault is to really miss the big picture.
12:55 pm
and, frankly, a disservice to our country. we have a bigger threat. whether we want to acknowledge it or not, we now are engaged in a low level, but intense new kind of cold war, a cyberwar with certain adversaries including china and russia. and it is every bit as much a threat to the security and stability of this country, and we need to gird ourselves for this battle. and it's not ok to dismiss testimony that resources were denied. this committee led the effort, and i proudly co-sponsored the bill, to modernize how we purchase and manage i.t. assets in the federal government. is that important? why are these people here before us? because it is important.
12:56 pm
and congress has neglected it. we can't have it both ways. so while we certainly hold ms. archuleta responsible as the head of opm for how they are managing this breach, and we have every right to question why the breach occurred, to make a scapegoat in this alice in wonderland world we've created here sometimes where the answer is off with your head. how easy. what a cheap headline that gets, and it does get a headline every time. but it begs the question, which is far more fundamental, far more profound and far more disturbing as a threat. and that's ultimately what we need to deal with. mr. mcfarland, last week your office issued a flash audit alert to raise awareness of serious concerns over opm's
12:57 pm
ongoing overhaul of its entire i.t. infrastructure. according to that flash alert your office stated, in our opinion the project management approach to this overhaul is entirely inadequate and introduces a high risk of project failure. if i understand correctly, you are saying the project won't do what we need it to do. is that correct, mr. mcfarland? >> no, i'm not saying the project wouldn't ultimately do what is hoped for. i'm saying the potential for problems exists and it's very high. >> i want to use the word in the report. entirely inadequate. introduces a very high risk of project failure. that doesn't say -- that doesn't say to me there's the possibility of failure. it predicts it's more likely than not. >> high risk for sure.
12:58 pm
>> you also indicated it will cost too much. you want to expand on that a little bit? >> $93 million that's set aside at this point won't come close. migration itself is going to be an extremely costly measure. >> right. one would note the cia used an outside vendor. i think they spent $600 million but their system seems to be working, but it cost $600 million over ten years if i'm not correct. ring a bell? sound right? >> i'm not familiar with that. >> worth looking at. they partnered with the private sector rather than try to find all the answers inside. ms. archuleta, what's your response to that ig flash audit alert? >> the ig brought up some process issues that were very important. i think some that we don't agree with but there are other areas we do agree with. the important thing is to underscore the relationship we
12:59 pm
have with our ig and we'll continue to value his opinion and bring forth his ideas into the considerations that we make. i do believe that we have to move carefully, but we have to work swiftly. as you've said, these aggressors are spending a lot of money. a lot of money to get into our systems. we need his assistance. we will seek his guidance. we will listen carefully to his recommendations, and certainly consider those as we move forward. >> i just, mr. chairman, i introduced the data breach notification act of 2014. unfortunately, although we blended that on a bipartisan basis into the safe and secure federal websites act, the senate did not act. had we acted we would have had
1:00 pm
protocols in place for dealing with this at least after the fact to reassure the victims who are federal employees and federal retirees. i'd hope this committee once again will help prod the system as it did last year, only this to act. thank you to my dear friend from pennsylvania. >> now the chairman of the subcommittee on i.t. mr. hurd for five minutes. >> thank you mr. chairman. my mama always told me you can always find the good in any situation. let me try to start off with that. dhs caught the problem. that's a good thing. when they were engaged, we found it. wish it was sooner, but we caught the problem so that's good. i also got a