Jun 24, 2015, by CSPAN (tv)
mr. esser: i would concur with mr. spires. we have been seeing breach after breach this year, health insurance companies and background and government entities. it would not surprise me to see more. >> mr. spires, how again looking at the scope of the problem, how long do you feel like it would take the government to actually do things we need to do to protect ourselves from the outside threats? mr. spires: i think we should take an ordered approach to the problem. in my mind, what agencies should first be doing is identifying the sensitive datasets they have and putting them in a bucketed priority. and coming up with plans to protect those data sets. the reason i say it that way is to think that we can go into these large agencies that have, as i said, decades of mismanagement and decentralized i.t. and fix that quickly is just naïve. this notion of doing it by protecting sensitive data sets, data technology today and encryption and the like, to do that at the document level -- and then, you have to worry about identity. it d
Jun 24, 2015, by CSPAN3 (tv)
mr. esser, any difference of opinion or insight you might offer about the compliance and whether it could have been a different outcome here? >> the issue with the fisma 2002 law is it was really around a set of technical controls that would be checked every three years. given the environment that we live in, that is not even close to being appropriate. we're moving to a continuous diagnostics and mitigation type of model, which is the correct model, where you're monitoring all of your systems, monitoring your environment, looking for intrusions and improper behaviors. but i would echo the point that even that is not enough in today's environment. you need to bring in the data protection and you need to upgrade the capabilities to better understand who is actually accessing your system. those are all critical necessities in order to protect data today. >> was it -- would it be reasonable for us to have expected that opm could achieve a data security given the resources they currently have available to th
Jun 24, 2015, by CSPAN (tv)
mr. esser: it is certainly something we are monitoring and following and gathering information on. we haven't planned any audits of that at this time. it is something we may do. senator boozman: you describe a number of root causes in i.t. security. can you tell us a couple of key recommendations? mr. spires: i thank congress for passing this for the good of the nation. we need to figure how to manage i.t. perfect of the. that is the single cause that has led to these data breaches. i'm not just one to say have all the power reside with the cio. bring best practices and not allow systems or practices to continue that jeopardize the security of our data and our systems. that has been the problem for decades. we still have real cultural problems. based on many discussions, the cultural issues loom larger. we need to take this incredibly seriously. i urge you to provide your own oversight of the implementation. senator boozman: do we need additional legislation? mr. spires: i
Jun 20, 2015, by CSPAN (tv)
mr. esser? mr. esser: i agree with what ms. seymour just said. we do background investigations of other companies as well, so we can be used in that way as well. mr. cartwright: i want to note that usis was invited here today. >> i appreciate the gentleman, but we have members that would like to speak. mr. cartwright: very good. mr. russell: i'm baffled by all of this. upon receipt or upon your appointment of the directorship of o.p.m., director archuleta stated she was committed to building an inclusive workforce. who would have thought that would have included our enemies. in this testimony here today we heard statements that we did not encrypt because we thought they might be able to decrypt or decipher. there was another statement i heard earlier today that had we not established the systems, we would never have known about the breach. that's like saying, had we not watered our flower beds, we would not have seen muddy footprints on the open windowsill. this puts our inte
Jun 18, 2015, by CSPAN3 (tv)
mr. esser, the office of inspector general conducted an audit in 2014, the chairman was talking about this, of opm's security information and programs and found several weaknesses. can you briefly identify the weaknesses that you found? >> yes, sir. the most critical weaknesses that we identified in our report from 2014 were the continued information security governance problems that have existed since 2007, the decentralization of the controls over systems. that, however, is an area that is certainly close to being improved to a full extent. another area of weakness was security assessment and authorization, which is, each system that opm owns should go under an assessment every three years and be authorized for usage. we identified 11 systems at the end of 2014 that had not been authorized, that were due to be authorized. the technical security controls were another big area that we identified. while opm has implemented a number of strong tools and is improving in that area, our concern is that so
Jun 17, 2015, by CSPAN3 (tv)
mr. esser, what are the risks with not having a valid system authorization? >> the risks are evident, that not having a valid authorization essentially could be a symptom of weak controls over operating systems and applications, and lead to things such as a breach. >> okay. with all the things that we're talking about here today, and ms. seymour, you were obviously fully aware of these risks and opm were aware of the risks? >> yes, sir. i was aware of these reports. >> okay. now, this is -- i kind of hate going back to this because it's come up several times already today. but still, i'm waiting for an answer. the inspector general of course put out his report last november expressing great alarm, recommending that opm consider shutting down the systems because of the risks that you knew about, ms. archuleta knew about. and yet these recommendations were ignored. i'm going to come back to you with this because quite frankly ms. archuleta has tried to dodge this question and dance all around it. i want to come straight up with you, why were those recommendations
Jun 23, 2015, by CSPAN3 (tv)
>> i think mr. esser and mr. spires said it correctly. this is decades of lack of investment in the system that we inherited when i came in. from the very beginning of my tenure i have been focused on this. we are working to install not only the architectural strategies but also to install the detection systems and be able to remediate. but as both of my colleagues have mentioned, we have legacy systems that are very old. oftentimes we have to test to be sure we can even add those protection systems into the legacy system. so those tools into the legacy system. if there is anyone to blame it is the perpetrators. they're concentrated, very well funded, focused, aggressive efforts to come into our systems, not just to opm but, as both of my colleagues have said, across the whole enterprise, is one that we are concerned about and one we are working with our colleagues. it is -- we are going to take every step we possibly can at opm to continue to protect. that is why we are trying to move out of the legacy system. >> to date you don't consider any
Jun 17, 2015, by CSPAN3 (tv)
mr. esser, let me come back to you. what currently are the consequences for owners of opm i.t. systems, currently what are the consequences now if they operate without a valid authorization? >> there are essentially no consequences. we report that in our audits, but other than that, there are no official sanctions in place. it is something that gets publicized and that's the extent. >> it sounds to me like this thing is still not being taken seriously. no consequences for operating without authorization. why in the world are we still operating without authorization, or is that occurring? >> sir, i have extended the authorizations that we had on these systems because we put a number of security controls in place in the environment. we have increased the effectiveness of the security around those systems. >> but there's no consequences for not operating on a system with authorization? so how serious are you taking it? >> there are consequences. >> what are they? >> those consequences a
Jun 17, 2015, by CSPAN3 (tv)
mr. esser, again, are there measures that need to be taken to get the whole thing up to the standard it ought to be? i mean, is there anything that you would recommend? >> yes, yes. we do recommend that the cio, the agency, take the steps that in a lot of cases they're beginning to take. the centralization of the i.t. governance is well along the way. what they also need to do is get a full inventory of the assets that they're responsible for protecting. and the shell project that ms. seymour has alluded to earlier is also something that we support. we also have some concerns about the way it's been -- the project has been started and managed, but overall, we support the idea behind the shell project. >> we appreciate the gentleman. i now recognize the gentlewoman from new mexico. >> thank you, mr. chairman. thank you for having this important hearing. i want to thank the panel for taking this conversation and these questions so seriously. in new mexico, we're one of the states that has one o
Jun 23, 2015, by CSPAN2 (tv)
mr. esser, again, are the measures that need to be taken to get the whole thing up to the standard it ought to be? i mean, is there anything you would recommend? >> yes, yes. we do recommend that the cio, the agency, take the steps that in a lot of cases they are beginning to take. the centralization of the i.t. governance is well along the way. what they also need to do is get a full inventory of assets that they are responsible for protecting. and the shell project that ms. seymour has alluded to earlier is also something that we support. we also have some concerns about the way it's been, the project has been started and managed. but overall we support the idea behind the shell project. >> we appreciate the gentleman, but i now recognize the gentlewoman from new mexico for five minutes. >> thank you, mr. chairman. and thank you for having this morning. i want to thank the panel for taking this conversation and these questions so seriously. in new mexico we are one of the states that has one of the larges
Jun 17, 2015, by CSPAN (tv)
mr. michael esser, assistant inspector general for audit, office of the inspector general of the united states office of personnel management. we welcome you all. witnesses are all to be sworn in before they testify. if you can rise and raise your right hand. do you solemnly swear or affirm that the testimony you will give will be the truth, the whole truth, and nothing but the truth. thank you, please be seated, and let the record reflect that all witnesses responded in the affirmative. we appreciate you limiting your testimony to five minutes. we will, i can limit those 25 minutes, we will limit those testimonies to five minutes. it will be entered into the record. after the conclusion, we will hear from mr. cummings and go to questions. we will now recognize katherine archuleta. you are recognized for five minutes. katherine archuleta: members of the committee, i'm here today to talk to you about the successful intrusions into opm systems and data. first, i want to deliver a message to employees, retirees and families. the security of their dat
Jun 17, 2015, by CSPAN3 (tv)
mr. michael esser, assistant inspector general for audits, office of the inspector general at the united states office of personnel management. we welcome you all. pursuant to committee rule, all witnesses will be sworn before they testify. if you will please rise and raise your right hand. do you solemnly swear or affirm that the testimony you are about to give will be the truth, the whole truth and nothing but the truth. thank you. please be seated. let the record reflect that all witnesses answered in the affirmative. in order to allow time for discussion, we would appreciate you limiting your testimony to five minutes. we will -- again please limit your comments to five minutes. i'll be a little bit generous but five minutes if you could, and then your entire written statement will be entered into the record. at the conclusion of those we'll hear from mr. cummings and go to questions from there. with that, we'll recognize miss archuleta, the director of the office of personnel management, and you are now recognized for five minutes. >> chairman, ranking member cummings and members of the committe
Jun 24, 2015, by CSPAN (tv)
mr. esser. michael esser: chairman, and ranking member coons and members of the committee. thank you for inviting me to testify at today's hearing on the i.t. audit work performed by the inspector general. >> can you put your microphone on? it's on. just pull it closer then. michael esser: today i will be discussing opm's long history of systemic failures to properly manage its i.t. infrastructure, which we believe may have led to the breaches we are discussing today, as well as issues with the current modernization project. there are three primary areas of concern that we identified through our fiscal audits during the past few years: information security governance, security assessment and authorization, and technical security controls. information security governance is what forms the foundation of a successful security program. for many years opm operated in a decentralized manner with the program officers managing their i.t. systems. this decentralized structure had a negative impact upon opm's i.t. security posture and all the audits between 2007 and 2013 identified this as