tv Federal Officials Testify on Security Clearances and Cybersecurity CSPAN February 21, 2017 9:05am-11:37am EST
>> the house held a security recently on security and
efficiency of federal employee background checks. the oversight reform committee questioned office and management of budget officials to protect federal employee's personal information. this hearing is about 2.5 hours. >> committee on oversight government reform will come to order and without objection, the chair is authorized to declare a recess at any time. appreciate you all being here. we have very important hearing. we have a number of members that i'm sure will be here, but it will be late. there is the national prayer breakfast and getting across town at this point of the day is a difficult task. nevertheless, glad to have you here and look forward to this important hearing. two years ago, the office of personnel management suffered one of the most damaging data breaches in the history of the federal government. this went on for some time and we still, there are still additional details that need to be learned.
but the counterintelligence value of the data that was stolen will last for an untold amount of time, a generation or so. it troubles me to hear reports that maybe some of the things that led to this haven't necessarily been changed at the office of personnel management. we have a number of questions that i think we need to explore. for example, are legacy systems still in use for background investigations? opm and employing good cybersecurity practices such as dual factor authentication and network. what is opm off of this legacy technology? when will opm stop using unsecure and vulnerable legacy technologies such as cobol and using maybe modernized solutions? how is opm protecting the inside of the network and not just the building the cyberwalls higher?
will opm adopt a zero trust model as part of their cybersecurity strategy? you can't steal what you can't access and a zero trust model makes life much harder for the hackers. these are some of the questions that we'll continue to ask and explore. we said it in the committee's data breach report and i'll say it again. chief information officers matter. they really do matter. that's why we have two of them on the panel today. federal agencies, particularly cios, must recognize their positions are on the front line of defense against these cyberattacks. and as a government, we're on notice. leadership at federal agencies must be vigilant about the ever-present national security threats targeting their i.t. systems and especially in opm's case with the most vulnerable information held by the federal government. the national background investigation bureau, also known as nbib, n-b-i-b, at the office
of personnel management. when last testified in february of 2016, the nbib had just been announced. questions about how to operate given split responsibilities with the overseeing the i.t. security of the nbib. today, we'd like answers to the questions with assurances we're moving in the right direction and also, as to when the new organization will be fully operational with a secure i.t. environment. was the creation of the nbib simply a rebranding effort or does it represent real change? on our last hearings, we talked about the many security clearance processes failed to check social media information of the applicants. the day before our follow-up hearing in may of 2016, the
director of national intelligence issued a new policy with collection of available social media information in certain cases. we'd like to understand how this policy is being implemented and if it is effective. fine, the clearance process seems to be getting worse while the reform process continues. based on an opm management memo of october 2016, there's a backlog, at least then, there was a backlog of 569,000 cases. that's quite a list. it does beg the question as to why we have to have so many background checks but where are we at in terms of the backlog? and while despite all the reform activities, the clearance process taking longer, in fiscal year 2015, took an average of 25 days to process the clearance and 125 days for top secret clearance.
fiscal year 2016, average of 166 days to process and 246 days for top secret clearance. that's quite a jump in the timeline that it takes in order to get there. the security clearance data and processes were transferred from the department of defense to opm and now talk of this process back to the department of defense. and we also have the newly created nbib where opm and dod have a shared responsibility and stop moving the organizational boxes around. we continue, as we continue our side of the transition of responsibilities from opm to the nbib, we need to ask about the efficiency and making sure we're protecting and securing the united states of america. so there are tremendous amount of number of people that are working on i.t. issues.
we will have additional hearings and discuss that. i personally do believe, and this is, at some point, i would like to draw this out from you, attracting and retaining i.t. professionals has got to be a challenge for the government. it's a challenge in the private sector. it's a challenge across the board. i was fortunate enough to have a newly minted son-in-law who's in the i.t. field and the opportunities for him for employment were unbelievable. i've never seen anything like it. which is good, as his father-in-law. that's a good thing. on a serious note, i do think we have to address on the whole of government, not just this particular field but the whole of government, how do we attract and retain i.t. professionals? because we do need so many of them and there's so much vulnerability for the country as a whole. so this is an important hearing and i appreciate you being here
and i would like to ask the ranking member, mr. cummings. >> thank you for calling this hearing. and as i listen to you talk about the i.t. people, chairman, it's very important that we all let federal employees know how important they are. that we do everything in our power to provide them with the types of salaries and work security that they need. that's one of the things that would help to attract them and keep them. today's hearing is on the process our nation uses to conduct background checks for federal employees who are seeking very important security clearances so they can have access to our most guarded secrets. this hearing could not come at a more critical time.
yesterday, i sent a letter requesting a pentagon investigation of the president's national security advisor, lieutenant general michael flynn, for his potentially serious violation of the united states constitution. i was joined by the ranking members of the committees on armed services, judiciary, homeland security, foreign affairs and intelligence. general flynn has admitted that he received payment to appear at a gala in december of 2015 hosted by russia today. that country's state sponsored propaganda outlet. general flynn dined with russian
president vladimir putin. as explains, the department of defense warns its retired officers that they may not accept any direct or indirect payment from foreign governments without congressional approval because they continue to hold offices of trust under the emoluments clause. and detailed russia's attack on the united states to undermine our election. this report concluded with high confidence that the goal was to quote, undermine public faith in the united states democratic process, end of quote. district described as the
kremlin's international propaganda outlet, end of quote. it explained, and i quote, that the kremlin staff's end quote, and closely supervises coverage and recruiting people who can convey russian strategic messaging because of their ideological beliefs, end of quote. it is extremely concerning that general flynn chose to accept payment for appearing at an event hosted by the propaganda arm of the russian government and at the same time that the country was engaged in an attack against this nation in an effort to undermine our election. something is wrong with that picture. but it's even more concerning that general flynn who president trump has now chosen to be his
national security advisor may have violated the constitution in the process. we do not know how much general flynn was paid for this event and for his dinner with president putin, whether it was $5,000, $50,000 or more. we don't know. we do not know whether he received payments from russian or other foreign sources or separate occasions or sought approval from the pentagon or congress to accept these payments. we don't know. and related to today's hearing, know what effect this potentially serious of the constitution will have on the security clearance. security clearance holders and those applying for security clearances are required to
report the contacts with foreign officials. we do not know what, if anything, general flynn reported about his contacts with officials from russia or other countries. we do not know if he reported this one payment or any other payment he may have received. these are the questions that need to be answered. also have questions about the individuals who may seek to join the administration. and obtain access to classified information while they are currently under investigation. for example, there have been reports that president trump's former campaign chairman, paul manafort, has been advising the white house recently while at the same time, he's reportedly under fbi investigation for his dealings with russian interests. we want to know how security clearances are handled, if existing clearance holders or new applicants are under criminal investigation.
does the fbi allow these individuals to continue to have access to classified information? or is there a process to place a hold on someone's clearance for application until the investigation resolves the questions? finally, president trump claims that democrats only became interested in russian hacking for political reasons and that, for example, we had no interest in cyberattacks against opm. quote, they didn't make a big deal of that, end of quote. the president is 1 million percent wrong. i and other democrats work aggressively on this committee's investigation of the attacks on opm. we held multiple hearings, including one that i requested. we conducted extensive interviews and briefings with key witnesses. we reviewed more than 10,000
pages of documents and we issued two reports from the majority and minority. i call for expanding our investigation to other agencies including the state department, the postal service in which we're both attacked. i call for investigating the cyber-attacks on financial institutions like j.p. morgan chase. our intelligence industries, i apologize, i call for the investigating cyber attack on the biggest for-profit hospital chain systems that had the largest hacking breach ever reported and companies including home depot, target and kmart. the president's claim we are focusing on russian hacking for political reasons is ludicrous. our intelligence agencies that warned us that if we do not act now, our adversaries including
russia are determined to strike again. we need to get answers to these questions immediately and i thank all of our witnesses for being with us today and again, mr. chairman, i thank you for this hearing and i yield back. >> hold the record open for five legislative days for any members to submit a written statement. the witnesses, we're pleased to welcome kathy, office of personnel management. miss mcgettigan, david devries. mr. cord chase, chief information security officer at the united states office of personnel management and mr. charles phalen, director of the national background investigations bureau or nbib. their expertise will be important to the subject matter
so everybody will be sworn in. we're also honored to have mr. terry halvorsen as the department of defense. he's retiring at the end of the month and we could think of no better gift than having to testify before congress. it's such a joy and i know you're looking forward and happy birthday, merry christmas, happy retirement for testifying before congress but thank you, sir, for your service to this country and at the department of defense and we really do appreciate your expertise and look forward to hearing your testimony but we wish you well and again, thank you for your service and your willingness to be here today. probably could have squirmed out of this one if he really wanted to and he stepped up to the plate and took this assignment. so thank you, sir, for being here.
all witnesses are to be sworn before they testify, so if you would raise your right hand. do you solemnly swear or affirm that the testimony you're about to give will be the truth, whole truth, and nothing but the truth, so help you god? you may be seated. witnesses all answer in the affirmative. keep your comments to 5 minutes and like said, your whole record or testimony and any supplements part of the record. >> good morning, mr. chairman, ranking member and distinguished members of the committee. thank you for the opportunity for myself and colleagues to testify on the office of personnel management. i am joined by mr. charles phalen, the director of the national background investigation bureau, opm's
chief information officer and opm's chief information security officer. while i am presently the acting director of opm i do have over 25 years of service at the agency. opm recognizes how critical the topics of today's hearings are to the federal government and national security and i look forward to having a productive conversation about the nbib transition, the security process and information technology security. as you know, the nbib is primary and charlie with a distinguished level in multiple roles in the federal government and private industry. his experience including at the cia and director of security and with the fbi as assistant direct for , leading its
security division. designed with an enhanced focus on national security and continuous process improvement. its new organizational structure is aimed at leveraging record automation, transforming business processes and enhancing customer engagement and transparency. in late 2014, market capacity for contract investigation services was drastically reduced by the loss of opm's largest field and this backlog was exacerbated security incidents at opm announced in 2015. looking forward, it is an nbib priority to address the investigative backlog while maintaining a commitment to quality. to accomplish this, nbib is focusing efforts in three primary areas. first, we work to increase capacity by hiring new federal investigators and increasing the number of investigative field
work contracts. second, nbib is focusing on policy and process changes to ensure efficient operations. third, nbib has actively worked with customer agencies to prioritize the cases that are most critical to our national security. information technology also plays a central role in nbib's ability to enhance the background investigation process. while still in development, nbib's new system and nbis will be operated and maintained by d.o.d. on behalf of nbib. on opm's behalf, new officer, david devries. he was the principal deputy cio and strong relationship with his former agency. as we look to strengthen the infrastructure of nbib, working on fortifying our entire
technology eco-system. as the federal government modernizes how it does business, opm raising new tools to deliver optimum customer service and enhanced security. opm enhanced its cybersecurity efforts from multiple angles and added tools and updates with implemented staff and agencywide training, hired critical personnel and finally, continued to collaborate with interagency partners. our cybersecurity tools and security updates include 100% multi-factor user authentication to access opm's network. this is done via the use of piv cards and major i.t. system compliance initiatives. furthermore, opm recognizes it's not just about technology but also about people. added seasoned cybersecurity
experts to its talented team. a number of senior i.t. managers and leaders and centralized its cybersecurity program and resources under the chief security information officer. in this capacity, cord is taking steps to secure access to sensitive information and strengthened its threat awareness by enrolling in multiple information and intelligence sharing programs. in conclusion, the necessary key partnerships and plans have been improving the security and efficiency of opm's i.t. systems. these structural and process improvements will enable us to improve timeliness, reduce the background investigation equally and productive as the cio's holistic approach to adopting new tools and procedures to enhance the security of opm's
networks and data. thank you for the invitation to testify before you today and we welcome any questions you may have. >> thank you. thank you for your testimony. mr. devries, now recognized for five minutes. my understanding is maybe yourself, mr. chase and mr. phalen, i don't know if you have opening statements or care to say anything, but i'll recognize each of you. if you don't have anything, mr. devries? >> i'd like to thank you for the opportunity to come here as the bio was read there, i did come from 30 years in the army. i transitioned in 2009 to become a senior executive within the d.o.d. and spent the last 2.5 years as the principal deputy for the cio. broad range here, i was asked to come here to opm and accepted that and brought here in september of 2016. and it's a pleasure to be here today and i enjoy the opportunity to answer your
questions here. thank you. >> thank you, mr. chase? >> thank you very much for the opportunity to speak and i'll bring that, sorry, you've got to bring the microphones uncomfortably close to make sure we can all hear you. >> thank you for the opportunity to speak today. one of the things that i want to make clear is that i ran into the fire to help with the events that occurred in 2015. and the rebuilding process, we've made a lot of advancements to get us to a standard environment. by no means am i saying we're successful or won anything, but doing our best to secure within opm and nbib. there's quite a few items i'd be happy to discuss with you on those improvements and that's all i have. >> thank you, mr. phalen? >> thank you, mr. chairman. happy to be here with you today and join a good conversation on this to echo a little bit of what ms. mcgettigan.
three key things, recovering and increasing our capacity to do background investigations. improving our capability to gather information that is relevant to background investigations and finally, working on those investigations that will help us in partnership with the security executive agent and the suitability executive agent to look at what an investigation will look like as we move down into the future. key to this is building an organizational structure beyond what existed on september 29th and adding capabilities in terms of investments and in terms of innovation and then very importantly, working in partnership with d.o.d. as we build out an information technology system that will be able to enhance and inform security investigations across our entire spectrum of 100 customers across the federal government and with that, i'm very happy to be here and thank
you for the opportunity today. >> thank you. mr. halvorsen. >> thank you for the opportunity to testify before the committee today under the department's information technology and cybersecurity report. i am terry halvorsen. you've had my opening statement. i think you're familiar. so i'll cut this short. the department is responsible for the development and securing the nbib i.t. systems. we've brought the full expertise in i.t. and cybersecurity resources to bear on this problem and it's our objective to replace the information system with a more reliable, flexible, and secure system in support of the nbib. the defense information system under the d.o.d.'s oversight established a national background investigation system program management office to implement this effort.
pmo is responsible for the design of the i.t. systems, capability needed to support the investigative process to include ensuring that the cybersecurity protections and resiliency of these capabilities. the alignment of the systems under d.o.d. assures we leverage all national security systems, expertise and capability to protect the background investigation data and i assure you, we are doing that. the department has made significant headway on this important mission since i previously testified last february and on track to deliver capabilities needed in a fashion using best industry practices. fiscal year 2016, the department funded to better posture for official stand-up and funding in fiscal year 2017. i would like to thank congress and members of this committee for supporting the department's funding request for nbib i.t. infrastructure and cybersecurity
modernization. discovering capabilities with more secure investigative background system in the future. we are actively partnering with industry and integrating feedback into the process to make sure we focus on capabilities and keep up with the changing pace of technology. i am pleased with the department and our partners made today, look forward to seeing what this organization will accomplish as it makes progress to deliver several prototype capabilities by end of fiscal year 2017 and covering the full investigative process in the fourth quarter of 2018. this is an important opportunity to strengthen the i.t. infrastructure that supports the federal background process and approach i.t. cybersecurity
expertise, best industry practices while maintaining a streamline government approach to the investigative services that the nbib provides for more than 100 federal agencies. thank you for this committee's continued support and i look forward to your questions. >> thank you. i'd like to recognize the gentleman from texas, the chairman from the subcommittee on information technology, mr. hurd. >> thank you mr. chairman. and ranking member for continued diligence on this important issue. some basic questions for you. sorry for the basicness of the questions. you're in charge, right? >> yes, sir. >> do you have a technical background? >> i do not have a technical background. >> who is the person directly reporting to you responsible for preventing another attack that we saw like one we saw a number
of months ago? >> so, it is not a direct chain of command. >> sorry, if you can move the microphone, straighten it up and right next to you. >> thank you. there's no one specifically in my chain of command immediately responsible. we rely on mr. devries and mr. chase to provide security for the systems we're operating today. >> copy. so mr. chase, you're in charge. >> that is correct, for cybersecurity. >> thank you for running into the fire. and i recognize the difficulty of the task and in your brief remarks, you talked about the first step was getting opm up to a baseline. >> correct. >> can you take 90 seconds and explain that baseline? >> that's a good question. one of the things when i came on board was to set an appropriate strategy and a pathway forward. it was the stabilization phase. so we understood there were
quite a few out of compliance so we knew we had to take steps to get those back into compliance and had another layer of engineering tasks that included network segmentation and appropriate monitoring tools in place and the tuning process to support that. throughout fiscal year 2016, we were able to get those accomplished but to a standard baseline where we feel comfortable to control our environment and we understand where we are with the i.t. system boundaries and i.t. system boundary inventories. >> so of the i.g., g.a.o., they've all done reviews. there's been a number of outstanding issues. many of the outstanding issues for years had been on the ig report and the gao high risk report. of those documents, how many of those vulnerabilities that have been identified are still outstanding? >> so, there are still items that are outstanding and we prioritize them based on their
criticality. the i.t. system compliance was the most significant vulnerability identified in the fy 16 report. >> good copy. you talked about segmentation and we saw that for the breaches in '14 and '15. the hackers were able to basically move without, with impunity through the network. and my question is what have you done to make life harder on the hackers that, once they get past your defenses? and i would say, i begin with the presumption of breach. you give an attacker enough time and they have enough resources, they're going to get in. what do you do when once they get in and how do you improve segmentation? >> considered a level of efforts.
a customer oriented agency and has to communicate but some of the segmentation is identify all of our major systems and assets within our environment as well as all the privilege and non-privilege users. we've segmented those between each other and set the appropriate firewalls and monitoring tools to make sure one can't get to the other and vice versa and if there are attempts to get between one or the other and either stopped or flagged and a follow-up with that event itself. >> and my remaining minutes, i want to ask a question and i don't mean to be indelicate. why did we get to this situation? and i ask that question in order to learn from this experience so we can take those lessons learned and apply it across the federal government. >> so i'm going to say i came post-breach. i know there's lessons learned. there was a majority in minority reports issued and audits issued. that's what i'm going off of and try to prioritize the next steps
to be able to suppress the threat and risk within opm. >> so why, you've been there now for enough time. you've seen the problems. you've probably been shocked by some of the deficiencies within the network. why do you think that network got to where it was? >> i would say based on those reports and information that was put in front of me, failures that led to it. >> i yield back. >> thank the gentlemen. recognize the ranking member of the team. >> thank you, mr. chair and thank you for your testimony here today. this is actually the committee's third hearing on the opm data breach. the data breach compromised the information of millions of federal employees. the committee responded almost immediately and did an extensive bipartisan investigation into the incident. in total, committee staff reviewed more than 10,000 pages of documents, interviewed multiple witnesses and numerous
briefings from federal and non-federal entities. i applaud the work we have done on the opm data breach but i must address the elephant in the room. we are holding a hearing about hacking by a sophisticated actor. likely a state actor for a hack that occurred more than a year ago but this committee has chosen not to take any action to investigate the recent russian hacking to impact our election. only last month, the nsa, cia and fbi concluded with a high degree of confidence that russia successfully hacked groups throughout our nation in an effort to influence our election. in the face of this report from our top intelligence agencies, we have done zero oversight into this issue. there has not been a single hearing or request. my wonderful chairman on the i.t. subcommittee asked mr. chase about lessons learned.
mr. halvorsen, i would like to ask you about the opm data breach lessons learned. >> we took the vulnerabilities in the database and i can assure you both in the legacy systems, the work they're doing today and in the new system, we are taking those lessons learned and making sure the systems we are building new are built from the ground up with cybersecurity baked in and assume from the beginning that this system could be penetrated. there's a condition we have that you might hear in the navy terms that's set conditions, close the water tight doors. we are making sure that the new system will be segmented enough that we can close the doors. because two things you want to stop. certainly, you want to stop people from getting in, but when they get in, you don't want your answer to be, you've got to shut the system down. that's a victory. we're designing this system and that is the correct word to fight through any attempt to breach this system and be able to block and contain and then
eradicate any malware or system loss that gets in here. >> thank you. did the subsequent investigations help in understanding how things could be improved? >> absolutely. >> anybody else want to answer that? >> yes, i did. >> and any of the other witnesses? >> i concur. >> concur. >> thank you. went a long way to ensure everything possible was being looked at to prevent this from happening again but it's clear that politics prevented this committee from being willing or able to do the non-partisan oversight on the russian attack. that's why i and every one of my democratic colleagues in the house signed on to legislation to establish an independent bipartisan commission to investigate foreign interference in the 2016 elections. thank you for your response. >> the gentlewoman field first.
i said publicly and the gentlewoman should know given it involves sources and methods the united states congress is organized such that the house intelligence committee takes the lead on those things. we can investigate anything at any time but i do have limits in that i cannot investigate sources and methods which clearly is the purview of the house intelligence committee. i would also suggest that we were the first committee to create a subcommittee specifically on information technology. we were the first to dive into the opm data breach and we have been pushing from the department of education and others to make sure that we do have the proper defenses in place and to suggest it's only one particular country would be naive at best and it could be everything from a guy in
the van down by the river to a nation state. >> we know it was the russians in this particular instance. >> and i think that should be investigated. i have said as much publicly and i've also, i think, everybody should know every member of congress should know that the house intelligence committee is really the only organization within congress that is set up to be able to do that. >> would the gentlelady yield, please? >> yes, i will. >> congressman and i found a bill in december which asked that we have a 9/11 type investigation and the reason why we did that is because we didn't want it to get mired in a political battle like the benghazi committee did. the select committee and that,
if it would be patterned after the 9/11 commission, so that we would bring america's best experts to the table that would be equal number of democrats, equal number of republicans and that they would look at this thing carefully and with the chair intelligence, i need to explain this and they would come back with recommendations. they would have subpoena power. then we refiled that bill in january when the new session came in. every single democrat in the congress signed on to that bill. not one single republican signed on it, and one of the reasons why we did that, we felt we didn't need to move to common ground but higher ground. that this was such a serious attack on our democracy and our election process that it deserved that kind of attention and so that bill is still out
there, and only democrats have signed on, and one of the reasons we were concerned about it is the chairman of the intelligence committee, mr. nunez, is a part of the transition team for president trump and we just felt that we needed to take the complete thing out and let an independent body do that and i just wanted to explain that to the gentlelady and thank you for yielding. >> now recognize the gentleman from florida, mr. disantos. >> i've had people, constituents wonder what has been done to mitigate the potential damage to people whose files were compromised? >> thank you for that question.
we have entered into a contract identity protection contract. we expanded the coverage that we already had. and we are moving toward having coverage for 10 years. the current contract covers all those affected by the 2 breaches and it runs out into december of 2018. >> what would it mean for somebody to have their stuff compromised? >> we have identity protection services and credit monitoring. so people have received, people affected received information on how to sign up for the credit monitoring, although they're covered by insurance whether they sign up or not. and currently, the ceiling on the insurance, we've expanded to $5 million and moving toward complying with congressional
direction to have the contract go for ten years of credit monitoring. >> i think that we, this committee and i applaud the chairman for being on this issue and we hear about these other hacks and stuff. this was catastrophic. i mean, you're talking about these files with the amount of information that's there and i've had to go through it in the military. other people perhaps, you guys have gone through it too. there is a lot of, a lot of information there and it's a massive vulnerability. so i hope that what's being done is going to be effective. let me ask. this may be mr. chase or someone else want to take this. if opm suffers another compromise in nbib applications or breach, who makes the final call if they are taken offline or continue to run? >> if it's in the new systems that's developed, that is me. >> you agree with that?
>> for the new system, yes. >> let me ask you this because majority staff on this committee had a report indicating that there were certain tools following some of the previous breaches that were bought. and then they were delayed in terms of their deployment. for a variety of reasons, but one they had to make certain notifications to relevant unions. so what kind of notifications is the i.t. security team required to make before deploying these tools? and what is the purpose of the notifications? >> so from post breach coming in, any tool that we go out on the streets to market and do our research on is fully vetted internally. we have a procurement office inside of opm that works with us to make sure the appropriate language is put into that.
and then we move through the process of deployment of that tool. >> but in terms of the delays, there have been delays because of notification requirements? >> i'm not aware of that specific statement. >> okay. have there been other barriers or challenges in trying to timely deploy some of these tools, bureaucratic roadblocks? >> again, post breach, based on the situation and again i mentioned earlier stabilizing, the procurement office has been very, very flexible with me in making sure they can give us the time. >> but this was -- but the implication is it may have been a problem prebreach? >> not aware outside of what i'm reading in the report. >> do you think that it was a problem? >> i have no firsthand knowledge of that, but just from the acquisition side and having been in this field for many years, yes. >> okay. i will yield back the balance of my time. >> i thank the gentleman. now recognize the gentleman from massachusetts, mr. lynch, for
five minutes. >> thank you, mr. chairman. i want to thank our witnesses for your great work and for your willingness to help us. i want to revisit the issue raised by miss kelly. about the unwillingness or the inability of the committee to really investigate what has gone on with the russian hacking. but before i get into that, let's talk a little bit about the issue that brings you here. in june and july of 2015, opm publicly disclosed that its information technology systems had been experiencing massive data breaches over some time, compromising the social security numbers, birth dates, home addresses, background investigation records and other highly sensitive personal information belonging to 22 million individuals. the cyberbreaches were not only devastating in terms of their impact on the financial security of their victims, rather they
also posed the grave national security threat as the extensive security clearance questionnaires about an 80-page document that really drills down on folks. and was filled -- was filled out by nearly 20 million americans who have security clearance rights and privileges and the names and the information of those individuals were included among the data. i had asked -- that was a terrible, you know, some people called that a -- like a cyber pearl harbor because all our folks who were actually actively interested in working in our national security organizations, you know, basically they were given up. and so i ask that a very basic level, i asked miss leta who was
running the opm at the time, i said, have you actually gone back and encrypted the social security numbers of these employees? were they encrypted? and she said, no, they were not. so all those social security numbers of those 22 million people went out. and then a year later, we had one of her successors, not her successor, but one of the people under her, i asked again, have we encrypted the social security numbers of the people, 22 million people and they said, there are still -- still vulnerabilities, we still haven't been able to -- so let me ask, have we encrypted at least the social security numbers of the 22 million people? >> sir, i'll take that for the record. yes, we have begun a vigorous program in 2016 to encrypt the databases, so not just encrypting the social security number, but it is the databases that contain those critical
information -- >> are we done with that yet? >> we are not completely done. across the whole opm environment, but the hva systems we have gone through and i have one remaining system to be done and that is scheduled for next month. >> what percentage of the 22 million have been encrypted? can you give me an estimate on that? >> of the nbib system, which contains those records there, all but one have been encrypted. >> so what is lacking in percentage? >> one major database there? on the mainframe. >> all right. you're not answering my question, but, look, we need to get that done, okay. let me go on to the russian thing. look, we have got -- i understand the chairman's resistance on sources and methods, i get that. i would like to introduce these into record. first of all, i would like to introduce into the record my letter from december 15th, 14th, asking for a hearing on the
russian hacking. secondly, i would like to enter into the record an fbi investigation regarding russian malicious cyberactivity, they did a whole investigation on this called grizzly steppe. the analytical process and cyberincident attribution produced by the office of the director of the national intelligence. i would like to submit a statement for the record, worldwide threat assessment by james r. clapper, june 9th, 2016. >> without objection. so ordered. >> we have enough here, just with this here, we have enough here to do an investigation and this is just the stuff that is unclassified that the intelligence community has put out there. we don't have to talk about -- >> will the gentleman yield? >> sure, i'll yield. >> two points.
number one, sources and methods are the sole jurisdiction of the intelligence committee. number two, have you really thought this through? do you really think it is appropriate for this committee to investigate the specific hack of the dccc? because if you're going to do an investigation of the dccc, we're going to have to dive into a political party's infrastructure, operations, data, i don't think that's appropriate. when there is a difference -- here is the difference -- >> you know, you're using all my time here. >> look, look, they hacked the american election. that is -- >> there is no evidence of that and president obama said that. that wasn't even possible. >> this is high confidence this is our own fbi, high confidence. it may not be outcome determinative, i'm not saying that. but based on the fbi, based on
the office of the -- of the director of national security, they're saying yeah, and also the cia, they're in agreement that the elections were hacked. now, i'm not saying they affected the outcome, but they tried. they -- it may have just been chaos that they wanted to create. but they interfered with our elections. and if we're turning a blind eye to that, that's a shame. that's a shame. that's the core of our democracy. and, look, if we're going to say, oh, that's somebody else's work, that's not anybody else's work, that's our work. there are plenty of reports we can talk about and we ought to do it publicly about the damage done to the confidence in our electoral system. that's what's important here. people have to -- people have to fear that we have an in -- a certain integrity in our own system and other countries are not allowed to interfere with that. that's a red line. we should not allow that.
and it should be a very serious obligation of this committee to make sure that doesn't happen again. and we need all the committee's jurisdiction to work on this. we're a committee of unlimited jurisdiction. the gentleman said that quite frequently. that's the strength of this committee. and i think this is -- look, they hacked our election. this should be bipartisan. this should not be democrat versus republican. >> the gentleman's time -- the gentleman's time is well expired. as i said, i do think there should be -- as i said when it happened, there should be an investigation, there should be a prosecution, they should go after -- >> the investigation -- >> the gentleman's time expired. the intelligence committee is the only one that can look at sources and methods. >> won't look at sources and methods. we'll look what the agencies themselves have made -- >> the gentleman's time has expired. and if you're going to do a proper investigation, as this committee did, with the breach at the office of personnel
management, you have to look at the two sides of the breach, those that were trying to do it, which this committee could not look at, in the opm breach, again, that is the purview of the -- of the house intelligence committee. but we could look at those that were breached. and how inept the systems were. and how bad it was set up and how the inspector general was warning of these things. that we did do. >> we had nine investigations from hillary clinton, nine separate investigations. >> the gentleman is out of order. the gentleman's time has expired. i've given you well more than five minutes. what i think is inappropriate, i'm trying to answer the question, it would be wholly inappropriate for the united states congress for us to dive into the dccc. you might want to do an investigation yourself of the dccc, i don't think that the united states congress should be diving into their individual private systems of a political
party. i think that's -- if you want me to start issuing subpoenas on the dccc, i'm probably not going to do it, but go ahead and suggest it. >> how about some of the fbi -- >> the gentleman's time has expired. >> you asked me a question. >> no, i did not. >> you asked -- >> no, i did not. >> will the gentleman yield? will the chairman yield? i think we need to calm down here a little bit. mr. chairman, you have made some statements and i just ask you to give him the courtesy of a minute and a half to respond. >> no. i will not. i will not. plenty of time. >> will the gentleman let me finish? thank you. this is -- this has been an attack on our democracy, mr. chairman, and mr. lynch is one of our greatest members. and the passion that he has expressed is not limited to him. it is to many americans. they feel as if all of our --
the things that underpin our democracy have been attacked, over and over and over again. and as i said yesterday, we keep saying we're going to wait until certain things happen with president trump. they're happening now. >> can i -- >> if the gentleman would just give me 30 more seconds. and all i was saying is i was hoping that in -- i mean, as a courtesy to the gentleman, just wanted him to be able to respond. >> i would like to ask you a question if you don't mind, to my ranking member. does the ranking member believe that this committee should do an investigation of the dccc? >> i think that we can look at certain things. i know i am very familiar with sources and methods, but i think what the gentleman is saying is let's look at the things that are unclassified, and apparently he has reports in his hand. and we can -- and see where we
go from there. number two, as i said before, in answering the chairman's question, we have a bill that would -- what i think would resolve this issue very nicely. i think the thing that i'm most concerned about and i'm sure mr. lynch is concerned about is that we cannot just turn a blind eye to when we have 17 intelligence agencies who unanimously agree that there has been hacking with regard to our elections and there seems to be -- one thing i noticed is there has been an effort not by you, mr. chairman, but by others, to say, okay, it didn't affect the results. we don't have to get there. forget it. i accept president trump as my president. i'm looking for it -- to meeting with him next week. but, the idea that russia could come in and interfere with our elections, all of us should be going berserk. we should be -- i mean, just really, really upset. so all i'm saying to you is that i think that all of the gentleman is saying is he's got
documents that you have already entered into the record that are unclassified. want to look at those. now, how far we can go is another thing. but, again, mr. chairman, you and i know what happened with benghazi committee. basically it became a partisan fight. >> hold on. the gentleman's time has expired here. you're going well outside the scope of -- >> no, i'm not. >> yes. >> no, i'm not. >> i've given you plenty of time. i've given you more time. i'm asking you a simple question, i just want an answer to a simple question. >> i answered it, i told you. >> i'll ask one more time. >> yes, i answered you. i just answered you. >> i just want -- >> i just answered you. >> i'm just saying -- >> you're not listening. what i said was that what the gentleman asked. all he asked, he said take the unclassified information, do not turn a blind eye to the -- an
attack on our electoral system and let's go as far as we can. when you take it to the intelligence committee, what you've done is you've gotten mr. nunez, who is on the transition -- who is on the transition committee for president trump. and as much as i like him, i want -- as the gentleman asked, he wants an investigation that will have integrity. and that -- i've preached integrity over and over again. like i said to you, mr. chairman, and to our committee members, when you deal with integrity and you -- as transparency, it is like money in the bank. and so i would just ask you to just work with us and see what we can come up with. that's all. >> my last point, my last point, i don't think it is appropriate, i disagree with the attack on the integrity of the intelligence committee. i disagree with that. i think they are of ining at the ri integrity. i think they run that committee
appropriately. i'm sorry you don't feel that way. >> now, see, now you put something in my mouth. let me be real clear. hold on. no, no, no, you said something that is not accurate. what i said was -- i'm not questioning the integrity of mr. nunez or mr. schiff, mr. schiff, both of them i have a lot of respect for. what i'm saying is what the gentleman said, that we want a report, when people look at the situation, i'll be very brief, when people look at the report, and they see somebody on the transition team for mr. trump, then it becomes questionable. all i'm saying to you is to the world, we want -- that's why we filed the bill we filed and that's why we are asking for more like an independent investigation. that's all. >> okay. last point -- last point, last point, and we're going to recognize mr. meadows. i ask this rhetorically. do the democrats truly want this committee to do an investigation of the dnc and the dccc?
>> yes. yes. we do. >> wow, okay. we're now going to recognize -- >> a lot of these e-mails are already public. they're public. they leaked them. the damaging ones. >> let's recognize the gentleman from north carolina. mr. meadows. >> thank you, mr. chairman. we're going to refocus on the focus of this hearing. i wish that we would have as much passion that is concerned about the well-being of the 22,000 people that got hacked, the potential security breaches that are there, instead of losing or winning an election. i wish we had as much passion about that. let's start to focus on the real aspects of what we need to be doing. there are other hacks. with the irs. let's focus on the hard working american taxpayers.
i'm sick and tired of hearing the repeated talking points over and over again. there is no one who will work in a more bipartisan way to get to the truth than me. but i disapprove of the talking points that continue to get repeated to undermine the credibility of a duly elected president. >> will the gentleman yield? >> no, i will not. >> let me go in to this particular issue, when we're looking at this, you mention that you have 100% dual authentication throughout the system. is that correct? >> yes, sir. that's my understanding, yes. >> all right. and you're filling some very big shoes. i happen to be a fan of miss cobert, she actually -- we come from very different sides of the aisle, but she was always very responsive to this committee and me personally. i want to make sure we can
clarify perhaps your testimony. because the 100% dual authentication is really at the front door, is it not? we have indications from the ig that there is still a whole lot within the system that if they get in the front door, that only two of 46 systems inside would require that. is that your understanding? you may want to refer -- i think the cio -- >> i think he'll defer to mr. devries, thank you. >> so we have multifactor authentication to get on to the networks. >> once in -- >> no, once they get in, they're still authorized their access based upon those attributes and their roles of what they're assigned to. >> how do you respond to the ig that said only two of 46 systems
would actually -- of the major applications would require piv authentication? is that not accurate? >> i'd like to go back and look at that. i'll defer to my -- here, but -- that does not ring true to how -- >> this isn't my first rodeo. i've been here with a number of folks and, in fact, i called for the resignation of the opm director wynn. there were similar terms that i'm hearing today that give me concern that we're making progress. and i guess how do we define success? at what point will we have all the major applications and mr. lynch talked about the encryption. now, we have been promised encryption over and over and over again and yet even today we're not there with -- so are all the social security numbers
encrypted today? >> no, sir. >> okay. when will they be encrypted? >> but i have -- >> just time frame. when will they be encrypted? all the social security numbers. i mean, that's basic, i've got encryption better than that on my home computer and here we are, we have -- is it a lack of resources? >> so, it was somewhat due to that and also schedule change here on the mainframe, that's the only one that was delayed, and i re-energized that one back in there. >> when is that? >> 2017, sir. >> and so we will have everything encrypted by the end of 2017, fiscal year? >> the hva system, the high value assets, which includes the social security number and so forth, will be encrypted this year, yes. >> in terms of segmentation, how do you segment a legacy system? either one of you can answer it.
>> so, again, as part of our strategy we looked at all the systems and all the i.t. system inventories we had out there -- >> are you going from a zero trust? >> that's the idea, to use zero trust tenet. >> you rushed into the fire. >> ran into it, sir. >> and so as you ran into the fire, you decided from a zero trust aspect that you're going to look at every single system? >> absolutely. >> all right. so we can tell all of those employees or potential employees or those who have had their personal life history looked at that by the end of 2017, that you have great assurance that we have the most up to date, sophisticated, cybersecurity protection that they will ever see and it will be segmented in a way that if somebody gets in the front door, that they won't be able to go through the whole system, is that correct? >> that is correct. and there is also many, many
compensating controls that reside in the network. so we have our network analysis tool, data loss prevention tool, malware detection tools and then we have a 24/7 security operations center that is on glass watching for those events to come through. >> i yield back. i thank the chairman. >> i thank the gentleman. i'll recognize the gentlewoman from florida for five minutes. >> thank you, mr. chairman. i want to say good morning to all of you. and thank you for being here. before i get in my question, i feel compelled to make this comment. i spent 27 years in law enforcement. i served as chief of police. so i am very concerned about the issue that we're discussing today. security breaches of any kind, i believe, deserve every bit of attention and every bit of passion. i've been here, little shy of a month. what i did not sign up for is what i believe was the blatant
disrespect that was displayed to each other by my colleagues. and so i believe if we're going to solve our nation's problems, civility has to be at the center of it. and with my question, director phalen, last november the new york times and other media outlets reported that while meeting with the prime minister of japan, then president elect trump allowed his daughter and son-in-law to sit in during all or part of the meeting. in reporting about this meeting, the times found, and i quote, that anyone present for such a conversation between two heads of state should at a minimum have security clearance. what we do not -- we do not know whether president trump has stopped this practice of allowing family members who do
not have security clearances from attending meetings with dignitaries and other foreign officials. director, i ask you, what are the security risks for having individuals who do not have the appropriate security clearances present during classified meetings or briefings. thank you very much. >> thank you, representative. thank you for the question. the determination as to whether an individual has a security clearance is left to the head of the agency with whom they are employed or otherwise contracted with. and, of course, the situation between a president elect and president is a different situation. the president has the ability to grant a clearance or grant access to classified information to anyone who they please. it is at their discretion. and the -- i'm not aware of any of the details around the meeting that occurred with the leadership of japan, i just don't know the details about that, whether anything of
classified nature was discussed or not. but it would -- in the current situation, it would be the president's discretion to allow individuals, even without clearances, to know or have access to classified information. >> so each department would make that determination, is that what you said? there is no basic general guidelines for persons to have security clearances in certain situations or positions. >> there are general guidelines. and there are specifically there are investigative standards which we follow and we conduct an investigation. the agency who ultimately grants the clearance follows an adjudication set of guidelines, what are the key factors that one would look at when making a determination, whether this individual is eligible or should be eligible to receive classified information. and then as a separate act, the agency then -- if the answers are affirmative, they're eligible, the agency would make a determination as to whether to brief a national security
program or not, give them the clearance. >> thank you very much. >> the gentlewoman -- does the gentlewoman yield back? >> i yield. i'm sorry. thank you. i yield. >> she's yielding. >> to mr. cummings. >> to mr. cummings. >> i want to let mr. meadows know, when i asked you to yield, one thing i was going to say is before you got here, and i will share this with you in my opening statement, i talked about all the efforts that we have made in this committee with regard to the other breaches. i listed them one by one, all of the many we have done and i said it in a way that because president trump, said we suddenly got excited about the russian hacking. but i laid it out and, again, i will share my -- it was a courtesy to you, because i didn't want anybody to think that this is something new to us. we spent in a bipartisan way
hours upon hours upon hours upon hours trying to deal with these and i give the credit to a lot of credit to the chairman. that's what i was trying to tell you. i didn't want you to be left with the impression we haven't been working on these hacks. every single time. >> will the gentleman yield? >> it is the gentlewoman's time. >> will the gentlewoman yield for a comment? a nice comment. >> yes, certainly, please, mr. meadows. >> we'll be the judge of that. >> the gentleman from maryland is a good friend. and a trusted one. and in the passion of my not yielding back to him, i don't want anything to be inferred about our relationship and our willingness to work in a bipartisan way. and i apologize for my passion in not yielding, but i also want to stress that our friendship
and our willingness to get to the bottom line of it is unyielding and unchanging. and i yield -- i thank the gentlewoman. >> we now recognize the gentleman from ohio. >> i thank the chairman. mr. halvorsen, you are the department officer for the entire department of defense? >> that is correct. >> you said dod cio is responsible for all matters relating to the department of defense enterprise. to support the background investigative processes for the nbib. is that accurate? >> it is. >> okay. are you familiar with the december 6th washington post story front page, pentagon hid study revealing 125 billion in waste.
are you familiar with that article? >> i am familiar with that article. >> let me ask you, let me ask this, do you have the resources you need to do everything i just read in your testimony, help nbib which has 100 federal agencies, make decisions about regarding individuals who work there and everything at the department. do you have the resources you need to do your job? >> we have the resources to make sure we develop and design a new system that is secure and can attack and defend the data. >> you think you got adequate resources to do everything you're tasked to do? >> i think i have adequate resources to everything i'm tasked to do, specific to this nbib issue. >> but not overall? is that what you're saying? >> i don't think anybody here would say they have all of the resources. >> you always want more. i get that. you are familiar with the story on the front page of the washington post last month, or two months ago? >> i am. >> and the findings of the mckenzie and company study, 125
billion in waste at the pentagon, do you agree with that, those findings? they talked about as many full time employees and back office personnel and in purchasing bureaucracy as many employees there as we actually have almost as many people there as we have in troops in the field, troops in total. do you agree with what you know about that, that study? >> do i personally agree with that study? i do not. is that reason i'm here to testify, no. so if you want more data on that, i'll take any questions you have for the record. >> okay. were you -- were you interviewed or talked to in the course of the study by mckenzie and company? they talked to you? >> i have talked to mckenzie and company, yes. >> multiple times? i'm curious. >> for the study, i believe once, but i'll get that confirmed, but i have talked to mckenzie in the course of my
business. >> the article reports on the front page here above the fold, the report issued in january 2015 that identified a clear path for the defense department to save 125 billion over -- i think this is important too. what the study said, what the article reports that the study said was that this savings in bureaucracy, waste and other areas, is money that could go into weapons systems and our troops, frankly where i think most americans would want their tax dollars and resources to go. the article continues, the plan would not have required layoffs of civil -- instead would have streamlined the bureaucracy through attrition and curtailed high price contractors and last clause says and made better use of information technology. do you have any idea what they're referring to there, make better use of information technology? >> i do. if you're asking me do we think we could do better information technology, i think i testified in numerous hearings that do i believe we should continue to adopt best
commercial practices? should we bring more commercial systems on into dod and other government? i said we should. i believe there are ways to reduce some money in our i.t. business. do i think that number is correct personally? i do not. >> so little bit ago, you said you didn't agree with the study. now you agree with all parts of the study. is it both or -- >> i said i agree that there are efficiencies to be found in the i.t. systems by doing what we're doing. i think we will achieve some. i do not think the numbers in the study, my personal opinion, they're not correct. i will take any more questions you have about -- >> you think the 125 billion number is a little high, would you hazard to guess what kind of savings taxpayers could see if part of what mckenzie found in their study was implemented, and how we could better get money to weapons systems and to troops? >> no, i will not hazard a guess. >> okay. mr. chairman, i just think this is an important area where we
need to -- i know it is not the sole focus, not the primary focus of this hearing today, but this is an area we need to study. if we can get more money into upgraded weapons systems and to our troops and if we got this potential waste, even the chief information officer says there is some waste there, but any we can find and savings we can find i think makes sense. with that, i yield back. >> thank you. point well taken. now, i recognize the gentleman from maryland, mr. rasken, for five minutes. >> thank you very much. i wanted to start actually by responding, mr. chairman, to the question that you posed about whether or not the democratic national committee would be proper object for inquiry and investigation by this committee and my first reaction to it, i think, was sympathetic to you. not really, because it is not part of the government, it is a private entity for most purposes. you think about the democratic
national convention, where it is going to be located, who is going to speak at it, that's a private matter, a private association. on the other hand, it struck me that the supreme court has said that political parties are public instrumentalities capable of state action for certain purposes. so when you go back and look at smith versus white, the supreme court said a political party could not exclude from participation people based on race. so the equal protection clause applied directly to political parties, that they were not private entities for those purposes, they were public instrumentalities. in other cases, the supreme court has treated political parties as public instrumentalities and public carriers for the purposes of effective action in democracy. and i think if you look at it from a global perspective, that is the role the political parties play, the dnc, the rnc,
they are organizing political activity for tens or hundreds of millions of people. and so if they are cybervulnerable, i think it makes the whole country cybervulnerable and it casts a cloud over democratic government itself. so that's why in the end, i think it is a complicated question you raised, but i would side with the ranking member, and with the other members who are speaking on this side of it. let me pose a question as a new member of this committee, who was -- i was not here for the original opm breach. all of this is a bit new to me. but i want to ask the question, we know from the national intelligence community about the fact that they believed with high confidence that there was an organized campaign by russia to subvert the 2016 election and to compromise the 2016 election. i also heard that there is certain other countries where certain kinds of hacking are
common or concentrated like nigeria, apparently, is a place where there is a lot of cyberhacking and phishing attacks going on. do you have a list of the most common enemies or culprits of our cybersecurity that you use and i know miss mcgettigan, if that is something you can answer. >> i'll defer to mr. devries to answer that. >> if i could -- >> please. >> if i could, i would like to defer to mr. chase here for the expertise. we do have the network monitoring, but we are part of the greater ecosystem of that from dhs. >> okay. let's cut to the chase. >> thank you. no pun intended. one thing i want to make clear we're a customer service oriented agency. we rely on our partners from the department of homeland security, fbi and other components within
dod. the potential attribution or the knowing of a bad actor is not our job. my job is to focus the staff at opm to protect the data that resides there. >> okay. so -- but i guess, right. you're a customer service agency and you want to serve the various government agencies that interact with you. the problem, of course, is we have got these outside entities that are trying to invade and undermine and so on. do we know who those entities are? is there, like, an fbi most wanted list of the cybersaboteurs all over the world or in this country? the national intelligence committee tells us it is russia, but we hear from other people, no, it is a fat guy on a couch some place. i don't know why it is always a fat guy. why can't it be a skinny guy on a couch? but it might be nigeria? where is it coming from? and does the list exist?
and is there any attempt to get to the bottom of it? >> do you believe the experts in the field that there is going to be a technological answer to this, so we can actually create a secure cyberenvironment or is -- you know, is this a task where we go up two steps and fall back three steps? are we really -- is it an uphill fight, i guess, is what i'm asking. mr. halvorsen? >> right now it is an uphill fight. i do believe technology will get us some of the solutions but i think this is much like any area in technology. we will make strides forward. the people who want to use technology for bad will make strides forward. and it will be a continuing
analysis and engagement that is not going to end anytime soon. >> thank you very much. mr. chairman, i yield back. >> i thank the gentleman. we'll recognize mr. calmer, new to our committee, we're pleased to have him here, from kentucky. speaker, the microphone button there, the talk button. there you go. >> thank you, mr. chairman. my question is for mr. devries. sir, i would like to follow up with you on the i.t. infrastructure project that opm abandoned last year. the committee's understanding is that you're no longer leasing to new data centers for opm's new i.t. environment but rather are repurposing the hardware and equipment meant for the i.t. environment that the contractor built. my question is, is this accurate? >> yes, sir. it is. >> okay. how much did opm pay the contractor for the new i.t.
infrastructure project before terminating the contract may 2016? >> so i would have to get back to you with the exact amount consumed there. i do not have that number with me here today. >> the -- why was the contract terminated? >> sir, as i completed my assessments coming on board as the cio, that effort was to build a new infrastructure, to move the legacy stuff into. they went out on the contract, that contractor went out of business, did not show up to work. we terminated the contract after that. we then repositioned the equipment back in, because we purchased that as we had purchased the design and engineering diagrams. we have what we paid for. now just turning it back on. >> it is my understanding that
the first two phases of that were completed and after approximately $45 million of investment, opm abandoned the project, but you say that we have what we paid for or did we lose what we paid for? >> we have evolved that and i'm now building on that capability that we purchased then, yes, sir. >> so is opm operating the legacy i.t. environment? is that correct? >> sir, i will say no. we have evolved a lot. that was part of my assessment coming on board is to look at what the network was, where our high value assets, where are our centers of gravity, if you will, and what is the protection there. mr. chase talked about the defense in depth that we put in place. it is not the same legacy infrastructure that it was in 2015. not by a long shot.
>> so can we be assured that this environment is more secure today than prior to the data breaches? >> absolutely. mr. chase and i would not be here if it was not. >> good. >> i yield back. >> i thank the gentleman. we'll recognize the gentle woman from the virgin islands for five minutes. >> thank you, mr. chairman. thank you, all, for being here this morning to testify. i wanted to -- i appreciated your testimony this morning on all of the topics and it seems to be very wide ranging the discussion that we're having this morning. but we are all here because protecting our nation's security from insider threats and external threats is of paramount importance to you all and to us as members of congress. i wanted to discuss the security clearance process. and how individuals are granted access to sensitive information. director phalen, for you
specifically, how would nbib handle the clearance process for someone under active fbi investigation? what happens with that application? >> when the -- when an agency puts an individual in for a clearance, it starts with a determination by that agency that this individual needs a clearance for whatever work they're going to be doing. the individual's information is sent to nbib or to some other -- >> what if you find out the person is under active fbi investigation. what happens at that point? >> if we in the process of conducting the investigation determine an individual is under active investigation, we would notify the requester and -- of what we understand to be the investigation. and we would continue the -- our part of the investigation unless we were told to stop based on
some decision by the requester. >> now, in knowing that you're going to continue the investigation of someone who is under an active fbi investigation, would that be one of the factors in disqualifying an individual from a security clearance? >> not necessarily. and would not be our determination. it would be the determination of the requesting agency who is either the requesting agent themselves if they have independent adjudication authority or the dod world the consolidated adjudication facility. these are the individuals that make the ultimate determination as to whether an individual is eligible for access it -- >> so you're processing the application, giving them the information, and then the agency head then makes the determination whether or not the person has the security clearance? >> ultimately, yes. >> so for the ultimate decision maker for granting a security clearance for a senior white house staffer, who would that person be? >> the chief of the white house security office is the adjudication authority. >> and so the chief of the security office for the white
house is the determiner for an individual and the senior white house level having a security clearance? >> yes. >> and can -- and who places that person in that office? the chief officer? is that an independent -- is that appointed by the president, is that a career person, who is that individual? >> i actually don't know right now. i can find that answer. >> i would love to know that answer, because is it possible for the ultimate decisionmaker to make a decision to grant an individual a national security clearance if the person is under an fbi investigation? you're saying, yes, that's possible. >> it is possible. >> and the reason i'm asking that is because, of course, you know, of course there is a reason i'm asking, right? according to multiple reports, several members of the trump campaign and incoming trump administration may currently be under fbi investigation for their connections with the russians. the very country implicated in the hacking that everyone seems to be interested in here today. so president trump's national
security adviser, michael flynn, is reportedly being investigated by the fbi for phone calls with the russian diplomat, and the new york times reported that the fbi is investigating communication and financial transactions between russia and the former campaign manager, paul manafort. so my question is, if these individuals now become senior white house staffers, who need security clearance as having sit on the national security council, along with steve bannon, if those individuals are under fbi investigation, they may still get a national security clearance? >> that is certainly possible. i would distinguish between someone who is under investigation and someone who has been charged or convicted with a crime. >> of course. as a lawyer, i know you're innocent until proven guilty. an active fbi investigation would raise some eyebrows, would it not, because the fbi would not begin an investigation on my, you know, freshman student who has cheated on a test or something.
they usually start fbi investigations for pretty serious things. >> it would be a noteworthy item on the adjudication, yes. >> okay. mr. chairman, i think we need the answer to some of the questions that we have been asking here. and so do you know, director phalen, that when or any of the senior white house staffers who have access to senior material are under criminal investigation by the fbi? >> i do not know that, no. >> okay. thank you. >> as the gentle woman yields back, miss mcgettigan, she's the acting director, i think she asked a reasonable question here, who are the people that make those determinations and get back to -- will you make that commitment? >> yes, we will get back to you. >> thank you. thank you very much, mr. chairman. as well if you would find out how do we find out --
>> ask her. >> it would be great to know in that process one who the decisionmaker is and is there a list of individuals who are under fbi investigation, if the chairman and the ranking member would receive that, that would be very helpful in making that determination, what are the factors. >> okay. we will follow up. thank you. >> thank you. >> and i would open up to any member if they have questions for opm, miss mcgettigan is the acting director. >> mr. chairman -- just -- i assume at some point miss mcgettigan is going to actually answer a question as opposed to always getting back to us. >> okay. that -- she wasn't even asked a question in that series, so i think that's a little inappropriate. but let me -- and she did make a commitment to get back to the committee. i think that's reasonable. so i'll now recognize myself for
five minutes. and i guess this question goes to mr. chase, tell me about the authority to operate. there have been some questions about this in the past. the inspector general found that the authorities to operate were a material weakness in fiscal year 2016. the ig reported that 18 major systems still did not have current authorities to operate in place. what is the current state of those atos? >> so all the -- >> you can move that microphone closer. >> i apologize, sir. all the atos are currently compliant. >> can you put some meat on the bones to define that for us? >> in fy '16, we had to identify all the systems, and quite a few of them were out of compliance. we took on two major initiatives, one was a sprint in
february of '16 to look at all of the systems to include the hvas, to ensure the best pathway forward to get them compliant. the next phase of that was marketing within opm, and the agency heads and the acting director at the time, to ensure that everybody in the agency knew the importance to get everybody into compliance. >> would the ato -- you said all of them, would that include the pips. >> that's correct, sir. >> it would. okay. >> that was not reflected in the fy '16 report and has been recently. >> everything within the nbib, those all have current valid atos? >> yes, sir. >> okay. >> let me switch over here, if we could, to miss mcgettigan or maybe mr. phalen, you might be the right person -- let me ask you, mr. phalen. what is the current state of the ability to look at the social media?
we have been talking in this committee or over the last couple of years with opm about during background check investigations, looking at social media. what are you doing or not doing in that process? >> thank you, mr. chairman. two points to make on that. number one, in april of this -- of 2016, the security executive agent set out a directive that would allow us -- allow an investigation to use social media, publicly available, in order to inform an investigation. we at nbib and its predecessor, the federal investigative service, have been using on a targeted basis social media inquiries to help resolve issues when they come up during an investigation. we are in the middle of a short pilot to understand how we can incorporate it into a formal -- into a more consistent use
during an investigation. in other words, how do we collect the information, get it disambiguated and make sure it is accurate and of any value and provide it to an investigator who is in the field conducting an investigation to help enhance that. >> can you define short pilot? i think we have been talking about this for a couple of years and this doesn't seem to be very short. >> so, a number of pilots have been conducted by a number of agencies to look at the value of social media and most concluded -- most have reached a similar conclusion, there can be valuable information in collecting social media -- >> hold on here. this is what drives people crazy about government. you had to conduct a study to find out if looking at social media would be valuable and the conclusion is it might be, yes. come on. every single time there is a terrorist attack, what is the very first thing the investigative body does? they go and look at their social media. and more often than not, they say, oh, my goodness, if somebody had just looked at
this. why in the world do we need -- we're still doing a pilot? let me answer the question for you. yes. looking at publicly available social media should be part of the background check. it is a joke to think that you're not looking at social media. and the idea that we even have to think about this, by its very definition, it is social. it is open. it is there. facebook, you can go -- come on. instagram, twitter, every single time we go and do an interview for somebody, we check their social media. why do you have to do another pilot? >> the pilot was not to determine whether or not there is any value in social media. the pilot that we're currently running is how do we incorporate it into a standard background investigative process and the largest pole in this tent here is not can we collect the information, it is not is there going to be valuable information in there, it becomes how does it get incorporated in a manner that is cost effective to our customer base.
and because the collection is easy part. the analysis of it becomes harder and more data that is out there, more difficult the analysis becomes. i believe that this is a relevant data source. we believe it is a relevant data source. we're going to continue to exploit it. this pilot was a very short one to determine how we can build it into -- our current investigative process, and as we move down the road, how it will become more of a mainstay for this investigative process. >> have you considered implementing a policy to require the disclosure of online user names or social media identities as part of the clearance process. >> we have not at this point. >> why not? >> that would be a decision to be made by the security executive agent to ask for that information. >> here's my personal take on this and then we'll go to mr. connelly. the united states of america, the people of the united states of america, are about to entrust somebody with a security clearance that allows that individual to look at and
understand information that the rest of the public doesn't get to look at, right. that is the very nature of a security clearance. we're doing this, we're giving this person special privileges because we trust them. i would think it would be reasonable that in return for that, you don't have to apply or try to get a job with the security clearance, there is nobody that forces you to do that. that's optional. but you would think in return for that, they would say, yes, here is my instagram account, and i would go so far to say here is my password, if you want to go look at my private instagram, that is a reasonable thing to look at, when you're trying to go back and do it -- a background check. some of the background checks are so thorough, you're looking at bank records, looking at education, you're interviewing neighbors, you're talking and trying to figure out as much as you can about this information, very costly expensive laborious process. and yet we're not even -- we're so bashful, we won't even say,
we're going to be looking at your instagram, is that okay? and if it is not, then maybe we shouldn't be giving them a security clearance. that's my take on it. it's very frustrating. it takes so long. every time we have a problem, what is the very first thing the fbi and other law enforcement want to do? they want to dive into their social media. that's the best way for them to figure out what has been going on, what is the attitude, who are they communicating with, and if we're going to give a security clearance, it seems reasonable. i'm past my time. i'll now recognize the gentleman from virginia, mr. connelly. >> i thank the chair. i also would say to the chair i caution him, i don't think it is appropriate for him to characterize an intervention or question of this committee. i don't do that to him. and i expect him not to do it to me. and if we're going to get into that, two can play the game. miss mcgettigan, a question
maybe you can answer. opm is going to migrate to the format for transaction submissions of background checks instead of using legacy systems? i thought i heard mr. devries say we're pretty much done with the legacy systems. have we fully migrated to the required xml system? >> i will have to defer that to mr. devries. >> you don't know the answer. >> i do not. >> mr. devries. >> no, sir, we have not. >> why not? >> so the whole legacy system is comprised of eight different systems which ask question and interact and portray and conduct the investigation through that. >> a lot of the language on -- especially i think a member brought the word pips, the main database system, that maintains it there, that's written on language that is no longer supported and i'm trying to move it out of there. it is not just merely a case of
just taking something and putting it out to xml. we have employed xml in terms of the interface going to the customer, put that into the front facing applications there, and we have also put other protections in there, like masking of the social security number, and in other techniques. so, yes, to the customer facing one, as we have another opm systems, we have put the xml piece into it. >> miss mcgettigan, what is opm and nbib doing to ensure if data is exfiltrated, that the data will be protected and its location and attempted use not -- will not only be -- not only prevented but visible to the nbib for action? what are you doing to protect that in the exfiltration process? >> i apologize. again, sir, i will have to defer to mr. devries or mr. halvorsen.
>> again, you can't answer the question? >> i cannot. >> mr. devries. >> does the acting director of opm get involved in cyberissues at all? >> i do get involved somewhat, but when the breach occurred, i was in human resource solutions. i was not the chief management officer at that time. i was not intimately involved. i was involved from another area that had no responsibility for that. >> mr. de vries, what are we doing about protecting that data so it is not breached? >> on a macro perspective, the
employee or individual who is going to be investigated, he enters his records or his information into e-qip through the sf, standard form 86. that information is stored securely on an encrypted database. that gets queued up to go to the investigators. once they are awarded that work from the nbib. with my coming on board in september, we changed that process. in the past, when the companies would get their task orders to do these investigations, we just talked about the contract that was awarded to four new companies, two are existing and two in there, the investigators no longer can download that information to their company information stores. it stays as part of the government and we have incorporated a new security system where when they pull the records in, it is under a different system and they
authenticate themselves with a verification card that is issued by opm and nbib. >> i only have 30 seconds. let me ask another question. what are we doing to boost the capacity to decrease the enormous backlog on security background checks. mr. phalen? >> we have done two things. number one, we referenced earlier, we have started a new contract period and doubled the number of companies that are available to provide contract investigations and that, we believe, will have a significant impact on our ability to work off the backlog. in fiscal 2016, we hired 400 new federal investigators into the service and we plan on in 2017 adding another 200. we are already seeing the fruits of that addition to work off the capacity. >> i think this is really
important. i get complaints all the time specially from private sector companies with enormous jobs they cannot fill because of this backlog. the more we can do to streamline, expedite, while making sure it is still active. >> we will now recognize the gentleman from alabama, mr. palmer. >> thank you, mr. chairman. i know you are new on the job, miss mcgettigan. if there is anyone on the panel who can answer this, i would appreciate it. >> employees are allowed to do limited access for personal business, access their bank
accounts, what have you. there is limited access for personal business, limited use. >> are you aware that it was reported that the immigration customs enforcement agency just a couple years ago, i think preceded maybe by a year or so the breach of the systems at opm. they had numerous cases where the attacks were coming through the use of personal e-mail utilizing the federal server. were you aware of that? >> no, sir, i was not. >> it is an area that concerns me. are there any opm directors or high-ranking officials using e-mail accounts or accessing personal accounts or using personal accounts to do business. we know that's been a problem in other agencies, most notably,
the state department. it concerns me that we haven't made the maximum effort to protect ourselves from cyberintrusion. for the record, i would like to point out that james clapper made the point it was the chinese, not the russians that we believe hacked opm. i think this may have been asked earlier. opm is still not fully in agreement with the requirements for the piv cards. where are we on that? >> sir, we are 100% compliant for the piv cards for the users to access the network. >> is it a chip-based card? >> yes, sir, it is. >> and multifactor verification?
>> multifactor verification. >> we have that across the board. >> you need the card and the personal identification that you put in pin in, import it. >> let me ask you this. in regard to hiring people who handle your data systems particularly to protect against cyberattacks, how long does it take to process an applicant, for instance, there is a gentlemen at the university of alabama, birmingham, one of the top people in the country known as gary warner. he is turning out some of the best experts in cybersecurity. the day they graduate. almost the day they graduate, they can get a job with visa, master card. it seems to take months to get in the system for the federal
government. is that an issue at opm? >> yes, sir, it is an issue in terms of the background investigations. we are very much backlogged. we are committed to reducing that bag log and p we have -- to that end, we have just awarded contracts to increase our capacity. the field contracts to increase our capacity and we are on a path to reduce that backlog. it will take time and employees of opm or perspective employees of opm are also waiting for background investigations? >> i know that, and i wasn't here for the opening of this hearing, that there seems to be a tendency to try to politisize this. if that's where some members
want to go with it, that's fine. i think the seriousness of the breach at o.p.m. requires that we do our job toss make sure our data systems are secure. one of the things i might suggest and encourage you to consider is doing the background checks on these top students while they are still in school so that when they graduate we're not going to lose them to the private sector. i think that we put ourselves to great exposure by not having quicker access to the best people that are available to proeffect our da protect our data systems. is that something opm might consider? could we expedite the process? >> it is unreasonable to think someone could get a really good job somewhere else and have to wait months here to get an interview? >> we do have some programs, presidential management, a fellow program.
we have people apply, recent graduates apply and they are better and then they become finalists. we do not do, do my knowledge, background investigations. they are always done once the person receives a conditional offer of employment. >> thank you for coming today. i want to make this point that the purpose of this hearing is to make sure that our data systems are secure and i think this committee will do whatever we need to do to make that possible. i yield back. >> we'll now recognize the gentlemen from wisconsin? >> thank you, mr. de vries,
we'll ask you -- >> my apologies. we need to go to the gentlewoman, mrs. lawrence. the gentle woman is recognized for five minutes. >> i know you would never purposely not recognize me, mr. chairman. >> yesterday, ranking member cummings scent aler to the defense secretary about a potential serious violation of the constitution by attorney general, michael flynn. general flynn had admitted he was paid to attend an event sponsored by the russian-backed television network known as r.t. and he dined with the russian president then, putin. r.t. has been described by the n.s.a., c.i.a. and f.b.i., the kremlin's international propaganda outlet. it receives funding, staffing,
and direction from the russian government. director phalen, your staff provided the 86 for security holders. have you or any member of your immediate family in the past seven years had any contact with a foreign government, its establishment or it's representatives, whether inside or outside of the u.s.? my question to you, why are these individuals asked this question? >> thank you, representative, for that question. the reason these questions are asked is to insure that the individual who is making an adjudicative decision understands what relationships an individual may have with a foreign government or foreign representative and the nature of that question is to get to the heart of what that relationship may be. it could be benign. it could be not benign but this
would be the judgment of ajude dags organization. our goal would be to gather as much information as we can get. >> the form also asks the question, have you in the past seven years provided advice or support to any associated with a foreign business or foreign organization. my question to you is, do you know if general flynn has a clearance? >> i have not checked the record. i believe he does but i could not say that authoritative. the investigation of general flynn would ask yerlgenerally b conducted by the fbi. >> so you don't know if he has a
clearance? >> i don't know authoritatively but i believe he does. >> do you know if he ever reported to the appropriate authorities? >> i don't know that. >> do you know if general flynn ever reported how much he was paid for his trip. >> i do not know that. >> you are stating within the government, that would be the fbi that would answer that question? >> his reporting chain if his clearance was still through the department of defense, would have been back through the department of defense security office and they would be the organization that would have that on their record. it would be up to the fbi if they were doing the investigation to reach out to the department and ask if that had been reported. >> do you know if that reachout has happened? >> i do not know. >> mr. chairman, we need to get answers to these basic questions. i am requesting that the committee send aler requests a
copy of general flynn's security application as well as any and all updates he may have submitted? >> will the chair agree to that? >> send me the request. >> i appreciate it. we have a responsibility and we have been talking about this. mr. chairman, you have been a staunch leader in this. this is an area i feel we need questions answered. thank you so much. i recognize the gentlemen from wisconsin. >> okay, mr. devries, they completed a data optimization plan. do you know when that will be completed or has it been completed? >> thank you, sir. i appreciate that question, because that's one near and dear to my heart. i came on board as a cio in september.
we did not publish that one, because it was not complete. i completed the assetment on it. we are finalizing that and that should be done back up to o & b by the end of this quarter. >> the next couple months. >> do you know what the savings goal is for a plan like that? >> i do not have that. >> how many data centers do you now now? >> today, sir, i own seven. we closed on two and about ready to move out of eye third oa thi the next two months. >> and what is left? >> i have five left and i am going down to two. >> another question. during the data discovery breach and mitigation process, your relationship with the inspector general was strained. there was a lack of
communication. there wasn't timely reporting and i think the i.g. wasn't informed on what you would consider a timely basis. i understand things improved since that time. how would you characterize your relationship with the inspector general today? >> on behalf of the cio office, i would say it is very good. we meet monthly to go through their concerns and what our status is of reporting back to those findings. it is a very good relationship. they hold nothing back. i would like to defer now the final question to my chief information security officer because he deals with them much more frequently. is that okay? >> one of the things when i came on board was to establish a relationship with the inspector general. we meet on a weekly basis to
talk about things. there are a lot of things going on i wanted to make sure the inspector general is abreast of. with that, they have given us guidance on what's appropriate to align to enter metrics and reporting and it has been helpful for me and my staff behind me to see why that relationship is one that pays dividends in the long run. >> if there was a breach, how quickly would the inspector know? >> i make the first call to the director and then it is in real time mode. >> i yield the remainder of my time. >> now recognizing the ranking member, mr. cummings. >> according to the website, the national background investigation bureau is now responsible for conducting approximately 95% of the total background investigations, governmentwide. is that right? >> yes, sir, that is. >> out of the total number they are responsible for conducting,
does that include political appointees in the trump administration? >> generally, not. >> why not? >> by tradition, that work has been given to the fbi to conduct those investigations by the white house. >> so guideline "a" states that an individual seeking the security clearance must have unquestionable allegiance to the united states and lays out a series of examples of disqualifying factors that they will use to determine eligibility. based on some of the questions on the sf-86, i think many people often think of associations with groups seeking to overthrow the u.s. government by violent means like violent anarchists or terrorist groups when we think of this guideline.
is that fair? >> yes, sir. >> the disqualifying factors, they have much more? >> yes, people that use illegal. >> this could include persons that use illegal or unconstitutional means for perceived wrongs by the federal, state, or local government, end of quote. is that correct? >> those would be adjudicative questions, yes, sir. >> if investigations uncover negative or derogatory information in any areas, you could raise concern with regard to them, is that correct? >> that would be noted in the
investigation and that would be forwarded to an adjudication authority to make sure that individual should be cleared. >> if someone said they were a boy scout or girl scout, would that raise concern under guideline "a," of course not, right? >> no, sir. >> what if someone described themselves as a leninist, would that raise some concerns? >> it would. the investigator should pursue that with the subject as to what that means. >> what if someone said his goal was to destroy the state, unquote? what response would that elicit? >> that would elicit a very strong line of questioning with that individual and with others to determine what he means by that so we can give a full picture to the adjudicator.
>> what if somebody said, i want to bring everything crashing down and destroy all of today's establishment, should that raise a concern? >> yes. >> each of these phrases were reportedly used by steve bannon to describe his views and his goals according to ronald radosh of "the daily beast." mr. bannon has denied saying those things but i imagine an investigator would still have concerns about them and they would want to see numerous reports about racism and rampant p on the news website mr. bannon used to run sxwchlt their m. >> this is a very serious problem. the president has picked mr. bannon to be his chief strategist and the president just reorganized the national security council and gave mr. bannon a permanent seat at the
table while removing the chairman of the joint chiefs of staff and the director of national intelligence. this is at least it causes us to -- we should wonder about this and question it. do you -- you may have answered this earlier. if somebody is under criminal investigation, and i know we now have a liaison. tell me how that works, a criminally a z criminally liaison. >> what happens if you find somebody is under criminal investigation? >> depending on what it is and the immediate seriousness of the nature. we may contact the agency asking for clearance to give them a heads up. they may or may not determine if they want to determine the request for a clearance. otherwise, we will continue the investigation. going further down the road, an
adjudicator would be faced with this question. this is an individual under criminal investigation. it would be up to them to understand what that investigation is about and to make a judgment whether or not that investigation or what is surrounding it would be disqualifying for access to classified information, whether it shows an inability to be trusted to hold on to classified information. >> in other words, a person could still get a clearance? >> yes. >> i would assume if that person were then later on convicted of an offense, then probably his clearance would be withdrawn, is that right? >> the organization that issued the clearance would be the organization to rescind the clearance. it would be up to that
organization to determine whether or not that conviction has any impact on their ability to be trusted? >> my last question. i just gave some quotes that are attributed to mr. bannon? if you were to raise -- if those questions were raised, would anyone go and then say mr. bannon or whoever may have said those kind of things denied them, would then you -- would somebody go back to look to see if those statements were made in the periodicals or whatever and how might that affect the security clearance of that person. do you understand my question? >> i believe i do. if we were faced with an individual who had made statements that appear to be counter to the united states, that would be an issue we would
pursue with the subject themselves to start with. to use your example, if the individual said, i never said that. i don't feel that way. we would use to the best of our ability whatever source we can find to get to a resolution to determine what the truth is, to the extent that we can, so we can give as full a picture as we can to the official that has to make that test. >> if you have discovered that unequivocally that the person had not been honest with you, what effect might that have? >> that would be passed on to the adjudication authority and they would have to determine whether that makes a difference. >> we now recognize the gentlewoman from new york, miss maloney. >> your microphone. >> i'm really concerned about cyber security. if congress is serious, it must call on the president to rescind, in my opinion, his
across-the-board hiring freeze. how can you move forward if you can't hire the people that can do the job. this freeze that he has put in place in my opinion, undermines the federal government's ability to recruit, develop, and maintain a pipeline of cybersecurity talent that's needed to strengthen federal cybersecurity. if there was a field that didn't change every 24 hours, it is cybersecurity. you have to get youngest, brightest, latest people that are involved in it. i am concerned about this freeze he put in place. it was roughly put in there. he issued this memoranda ordering across the board hiring freeze in the federal government. no vacant positions existing at noon on january 22nd, 2017 may
be filled and no new positions may be created. it seems to me when it comes to improving cybersecurity, a hiring freeze is one of the most counterproductive policies you could put in place. federal cio tony scott and then omb director, shaun donovan, put in place a cybersecurity strategy implementation plan for the entire government. the vast majority of federal agencies cite a lack of cyber and i.t. talent as a major reason that protects their abilities of talent. i would like to ask mr. devries
as the cio of opm, can you highlight some of the challenges that opm has faced when it comes to recruiting and hiring cybersecurity specialists? obviously, you can't do anything if you can't hire anybody. could you give us some insights there? >> thank you for that question. that pertains to opm, the federal work space and federal cybersecurity and i.t. professionals. that is a concern to all of us. how do i keep the pipeline coming in? from my experience just coming aboard at opm in september, we had five hiring actions out there. we had about a 60% -- we did not get to them fast enough before they went some place else. we have completed that. we have filled those things. that's our challenge across the federal space, how do i recruit
and retain these folks? it comes from the passion of the heart. they come on board. if i give them meaningful experiences and training, they will stay. we are working across a federal space of how do i help improve the rotation, from federal service back to industry and then back in again? we have made strides on it. we need to continue to work on that together. >> i have to say that cybersecurity is tied to the security of the nation. and i think i don't see how you can do your job if you can't hire people. so i would respectfully like to request the chairman think about maybe asking for a waiver for the cybersecurity area in hiring. it is hard to hire them, because they are in great demand all over the country right now. that is a prime focus of the country. so we need to work in this for
the good of the country. we are all individuals. i'm going to write the president my own letter and request that he waive it for the area of cybersecurity. how does this hinder your ability and capability to improve when it comes to securing i.t. systems when you are not able to hire people? how does this affect you? >> congresswoman, in terms of the hiring freeze, this is a 90-day freeze. there are many exemptions to that freeze, primarily in terms of national security, public health and public safety. >> isn't this national security cybersecurity. >> well, agency heads are able to make that determination and to exempt those positions that
are deemed to be national security. >> so that's taken care of? >> if they are not, if they have a position, a cybersecurity position that they would not feel was needing that authority, they can come to opm and we will review their request for an exemption? >> have any people asked for exemptions? >> i haven't seen any requests. >> my time has expired. thank you. >> thank you. a few wrap-up questions. mr. devries, could you please provide the committee all the ncats or other pen test reports in the last few years? >> yes, sir, we can. >> we would appreciate it. mr. phalen, one of the sad realities of what happened when
director archuleta was in place, this hack had legacy systems online that dated back to 1985. even if you applied for a job and didn't get a job with the federal government, you did it after 1985, you might have been in that system. what are you doing to take the nonactive records so they are not online and accessible to some hacking? have you made any adjustments there? >> to be honest, sir, i don't know. i know we have done a tremendous amount. you have heard it earlier in securing the systems. i am very comfortable we have the barriers in the front end and the ability, in my words, to fight an active shooter online on the network. i don't believe we have taken a tremendous amount of this and put it offline, because it needs to be accessible for any future work that we do? >> to a degree. somebody retired in 1991.
all of the sudden, we have a hack in 2014. it does kind of beg the question, why is that system? mr. halverson looks like he has something to say. >> the new system will have tiered storage in terms of what's live and what goes back? it will go into a different storage system and it will be much harder to access. >> it seems like one of the lessons we should have learned is for the nonactive employees, there may be a period of time. you all are more experts on it than we are. after a certain amount of time, maybe it should be more sitting in some mountain as opposed to online. when there is conflict, disagreement, when there is an attack, who ultimately is in charge. >> through my program, we have a
process that we implemented based on the lessons learned from the 2015 breach. there is a communication path. >> who is in charge? >> who makes the decision? >> if it is on the current system, i do that. on the new system, within the nbis, as we transition to it, d.o.d. will. >> mr. halverson or whoever his replacement is? >> that's correct. >> last question. mr. halverson, you have the freedom of retirement running around the corner here.
given your years of service, your perspective, your expertise, summarize for us what should the congress understand? what are your greatest frustrations and concerns and best suggestions that you can offer us. >> first, i'll thank congress. as you know, working through many of the membership, we did get the cyber excepted service, which i do think was the first thing we needed to get done to recruit and move past some of the things that were blocking our ability. i do think we are going to have to re-evaluate the pay scale for cybersecurity personnel in some other key positions. we do rely on patriotism. we can recruit people a lot for that. the pay disparities are getting out of hand. i will tell you, i have lost six or seven people this year, very good, because they could not any more turn down the offers and i can't counsel them against that
after a certain point. >> i am totally convinced you are right. i hope this congress -- i plan on helping to champion some legislation to get more realistic assessment to provide that flexibility. >> the other most important thing that we do, and i have said this before, i will keep saying it. i do think the secret weapon of our country to keep up our security and edge in war fighting, is better use of our industry and commercial ability and agility. we are embarking to bring as much commercial into these activities. we are doing it with this system. we need to continue that and we need to continue that against and across the federal government space. that also means we will have to work and raise the bar for industry on security.
i'll be the first to say that d.o.d. included, we have to get better in our security practices. i am heartened by what i see in my discussions with the commercial community. they are starting to take that to heed and we are seeing a rise in their ability to protect data. we need to encourage that and open up our dialogue with the commercial sector on how best to do that and share more information. >> again, mr. halverson, we thank you for your service and we wish you nothing but the best of luck in whatever your future endeavors take you. thank you again for your service. let me recognize mr. cummings and we will close the meeting. >> thank you. i want to thank all of our witnesses for being here today. you certainly have been extremely helpful. i just hope that i want to express my appreciation to all the people that work with you. i know that you all have teams
of people who will give their blood, their sweat, their tears, because they want america to remain the greatest country in the world. mr. halverson, again, i want to join in with the chairman. we thank you for your service. i have a brother who is a former air force officer who is a cyberexpert. he talks to me all the time about the demand for these folks that are good. i have sat on the naval academy board of visitors. one thing we have done in the naval academy, it's now mandatory that every student have extensive cyberlessons. it's part of our curriculum. we see the significance of that. i want to ask you this. one of the things that we wrestle with is federal employees feel that they are
under attack constantly. we've seen recently where all kinds of measures have been put forth that really make them feel pretty insecure. i'm just wondering, first of all, talk about briefly the people that you worked with and what they bring to the table. a lot of people, i think, give the impression sometimes that the people that work for the federal government are not giving a lot and not giving their best and not feeding their souls as i often say. you are on your way out. you have had an opportunity to work with a lot of people. i'm sure one of the saddest parts is probably a bittersweet thing. you created a family. i always tell my children, whenever you get a job, you also create a family of people that look out for you and who care about you and sometimes you are with more than you are with your own family.
could you talk about just generally the people you have worked with, sir? i know you could not have done what you have been able to accomplish without a support system, if you might, just very briefly. >> having both been in the military and federal service, i have the highest respect for the federal workforce. they do exceptional work. they put in a lot of hours. they do their best on everything they can do. i'm also going to comment i see that also in the commercial work space when i bring the people in. i do think this is a leadership issue. if you make any of your employees, whether they are federal, military or commercial, feel a part of the team and you listen to that team, they will give you everything they have got to get the work done. for 37 years, that's what i have seen in the federal government and in that work space. >> when you show people that you
truly care about them, not just about them but their families and their welfare, i tell the people that come to work with us on the ogr, if they are not better when they leave me, then i have failed. in other words, if their skill level is not higher, if they are not more proficient, more effective and efficient, then i have done something wrong. i want to invest in them. i want to be a part of their destiny. i want to touch their futures, even when i'm dancing with the angels. i want to know they have gone on to do great things. our nation needs the very, very best. working with the chairman, we saw that. in working with the -- and then i'll be finished. i give the chairman a lot of credit. when we looked at secret service, he and i made a concerted effort to say to the secret service, we wanted the elite of the elite.
we wanted the very, very best and we wanted to create that culture. i think we are moving toward that, mr. chairman. i don't know that we have got there. we are trying to get there. we have done that in a number of agencies in a bipartisan way. again, the only reason i raise the question, mr. halverson, is because i just want the public to be reminded there is a vast array of federal employees that keep our country the great country that it is. i want to thank all of you and everybody who back you all up for doing what you do and now we still have a lot of work to do as you have all made very, very clear i believe we can still get it done. thank you, mr. chairman. >> the men and women that work within your departments in groups, it is a tough job but a
very important job. we do appreciate it. thank you. >> the committee stands adjourned.