esser, ms. archuletta mentioned that the problem with the legacy systems, which i think we all understand -- but isn't it true that several of what was breached were not legacy systems that with the right tools in place would not have been breached? >> yes, sir. based on our audit work -- >> so the idea that this is all legacy and stuff, is really not -- not the case? >> well there are many legacy systems at opm. i mean, i don't want to give the wrong impression. i mean, that's a fact. but based on the work that we've done in our audits and ongoing work that we are doing, i had' your understanding that a few of the systems that were breached are not legacy systems. they are modern systems that current tools could be kblekt implemented on. >> okay. very good. i think that's really important. concerns are being raised about the contract secured to provide credit monitoring service for victims of the first breach. we don't yet know the scope of the second breach and what services will be provided f

esser, do you agree with ms. archuleta that the agency has taken significant steps to correct its problems? >> yes i do. i think they have made great strides over the years to improve some of the issues we've reported. for example, the decentralization issue which went back to 2007 in this past year's audit we decreased our severity of that finding from material weakness to significant deficiency. in addition there's a number of areas where they've put in tools and made strides to improve security. that said, there are a number of long standing issues in our reports that are open and we hope to see movement on. >> mr. spires let me give you an opportunity. if you were still in the former capacity at this agency instead of the irs or the homeland security, let me first start with the broader question. based upon your understanding of the facts involved here and your best judgment, was the breach or breaches that have occurred at opm, were they predictable based upon what we knew looking at the -- for example, the