amsler? >> yes. >> so i want to ask you first, you testified, your company was not hired to do the -- to perform end-to-end security testing; is that correct? >> that's correct. >> what your job was to assess and identify risks in specific components of healthcare.gov to work with cms and address those concerns and report on the findings and results; is that correct? >> that's correct. >> am i correct in virtually all cases, when you did identify high risk in healthcare.gov components, cms was able to mitigate risks before the system went live? >> yes, almost all the high risks were mitigated. >> and -- and you said in your testimony, in your written testimony, you are not in charge of security for healthcare.gov. we were not asked, nor did we perform end-to-end security testing. we have no view of the overall safety or security status of healthcare.gov. that's because you were only asked to do a narrow assessment of part of it; right? >> a narrow assessment in scope and a time that is -- >>

amsler? >> i would not know the answer. >> you don't know if they were embedded, but you would have liked to have seen that. >> for some parts. >> correct. >> now yield to ms. degette for five minutes. >> thank you, mr. chairman. as mr. chao testified, it's part of cms' protocols that they hire independent contractors to test different parts of the security can aspects of the site, is that your understanding as well, mr. providakes? >> yes, it is. >> and is it yours, ms. bauer? >> yes. >> and is it yours, mr. amsler? >> yes. >> so, mr. providakes, i want to ask you first, you testified your company was not hired to do the, to perform end-to-end security testing. is that correct? >> that's correct. >> and so what your job was, to assist and identify risks and specific components of healthcare.gov to work with cms and to address those concerns and report on the findings and results, is that correct? >> that's correct. >> and am i correct in virtually all cases when you did identify high risk at

amsler. a couple questions i want to begin with, first of all be, start with you. you were here throughout mr. childs' testimony, all three of you were. do you have any concerns about the comments made by mr. chao? >> i wouldn't have any -- >> mr. providakes? >> no concerns. >> you had said that verizon, tear mark, crs and qssi all played key role this is developing and testing the security of healthcare.gov. are you also referring to ms. bauer's company? >> i view them as one of us. >> i taught in her testimony she said they were not that involved, so let me ask you, with this many companies involved, who did you all report to? >> our customer was cms and the security -- >> is there a person? >> our direct government technical lead's name is tom shank weiler. >> and with regard to this, with all these companies playing key roles this developing testing and security, is that typical to have so many companies involved as opposed to one that's tried to do end work on this? >> we've experienced all sizes of implementations, this one is, obviously, certainly one of the