Skip to main content

tv   Key Capitol Hill Hearings  CSPAN  June 24, 2015 5:00am-7:01am EDT

5:00 am
than see it as a behavior problem, see it as a health problem. see it as a environmental -- and environment problem -- an internal problem. a big problem is lead paint poisoning. we have so many kids affected by the time they are in third grade, their iq has been dramatically reduced because they have led in their brains -- lead in their brains. you have to provide alternatives. the numbers you just gave, the disparity is truly a wake-up call. there were -- there will be kids of all races who have the best of intentions, the best trained teachers will have a problem with some of these kids. the vast majority of need something besides being thrown out of school or thrown into the
5:01 am
juvenile justice system. [applause] tracy girl -- traci blackmon: i am going to asked, if i put them in an envelope, will you promise to read them? at some point during this long journey will you address them? i think this question is appropriate to close, america has tremendous capacity, but it often lacks the will to change. can you reflect on how we can inform a better will for a better america. [applause] hillary clinton: that is a profound, and really important question. let me offer a few reflections. i want to start with something i
5:02 am
said in my remarks, that was the phrase, habits of the heart. i believe in policy changes, structural changes systemic changes. i will promote it all -- as i have two my career, and certainly as president. i also believe we need to confront the deep seated biases and prejudices that still within too many of us. it is something that is hard to talk about. honestly i think the vast majority of all of us could pass lie detector tests. we would say of course we don't have biases, but of course we do. that's why i'm hoping for a lot more conversations like this across the country.
5:03 am
where people honestly talk. you will hear that voice saying, what about.., y, z -- about x y, z? i believe we have a lot of good solid information about what works. when you say we have the capacity, we have not only capacity, but evidence. we know what you are doing in jennings, it is so admirable and you should have a lot more help than you currently have. there should be a lot more ways to take what you are doing and spread it more broadly than it currently is. what britney is doing on training teachers and giving the
5:04 am
people in law enforcement a knowledge-based and skill-based training so that they can learn more about themselves, what they see, how they react, so they can be more aware and try to be better at serving the communities they pledged to protect. on health disparities, we know that if you live within 10 miles of one another you may live in a community where the life expectancy is 18 euros less or more. what is the problem and how we solve it? rather than say, well, that is the way it has always been. no. that's not true. medicaid would make a big difference. thanks to president obama's
5:05 am
willingness to put will behind capacity. it is not going to do people here any good if they cannot access it. there is a lot we know about what to do and how to do it, but i will tell you when it -- what it comes down to come i don't want to sound like a civics teacher 101, but this is how i feel, if people voted for people who would represent them about these issues -- interests -- [applause] that's the way we run. it would be easier if you elect people who are actually committed to addressing health disparities, providing more resources to struggling schools. supporting developers who want to build communities, not just buildings. that should be a given when
5:06 am
people do not vote because they are discouraged, that only encourages a lack of will. people who do not see a reason to change, they say well, people had a chance, they didn't come out. the hardest thing to do in a campaign is to convince people to actually take the time to vote. i think that is the clearest way to get the will. if you are listed -- elected to deliver on these issues then you can be held accountable. but if you do not even have to go to the communities that are making these demands because you know they will not vote, and you do not have to pay attention to them, nothing changes. let's remember capacity based on evidence for solutions that work, systemic change, deep changes of the habits of our heart, working with one another to try and some work these changes over time, and then
5:07 am
turning out to vote and holding public officials accountable for what they do or don't do. that to me is how we translated into well. traci blackmon: i want to thank you for your time today. this is just a slice of the brilliance that is in st. louis. [applause] i must take my opera hat off and put on my pastor had come of it because at the drop of a dime, the people i am privileged to serve here prepared the place for you. christ the king, will you please stand? [applause] they n they never complain, at least
5:08 am
being you. reverend karen will close in prayer. not so i can hear it. thank you for being you. reverend karen will close in prayer. reverend: before i pray, i was thinking about tracy's quote from howard berman -- thurman there is another one i like from one of his books. he talks about meeting people at the place of their ashtray, in other words, you come to where they are. you figure out what is important to them, and then you enter into a relationship. you begin to build a relationship in which things can change, where we can change mindsets -- change. where we can change mindsets culture, and behavior. i want to thank you for coming and sitting with us at the place of her ashtray -- our ashtray.
5:09 am
we believe -- we realize we scratched the surface, people have so much more to contribute i prayer is this will not be the last time that you come to this area. [applause] let us pray. god we thank you for this time. we thank you for the willingness of everyone to share from their hearts. we thank you for the wonderful things going on in the city. lord, we lift up our collective voices to say it is not enough. there are those suffering from injustice. there are those fighting for basic human rights. there are those feeling helpless and hopeless. there are those who still live on the margins. there are those we walk by everyday and forget.
5:10 am
there are those in places of power and authority who operate out of privilege and not added humanity and humility. we asked that you would begin to move with -- throughout our city. laura, would you bless secretary clinton as she continues on her journey. would you allow her to keep her for -- year's open as she listens to the concerns of those she wishes to serve. touch her heart. keep her safe. and lord, we wait for the next time we meet. thank you for all that took out of -- took time out of their schedules. we asked that you watch over them as we move closer to a beloved community where diversity is appreciated where
5:11 am
individuality is celebrated, and not feared. as you are called by many names, we do pray of the creator god and the name of jesus, who i know amen. [applause] >> we'll have more live road to the white house coverage today. lase governor bobby jindle expected to announce he is officially entering the 20 16th rble race. our live coverage starts at 5 p.m. eastern on c-span 3. >> a government report is critical of the office of personnel management's handling of employee files following recent data breaches. that hearing is next on c-span
5:12 am
on this morning's "washington journal" an update on trade legislation and the council of concerned citizens. "washington journal" is live at k7 eastern. >> like many of us, first families take vacation type. and like presidents and first ladies, a good read can be the perfect companion for your summer journeys. what better book than one what peers inside the personal lives of our first ladies. 45 iconic american women who survived the scrutiny of the white house. a great summertime read. through your favorite bookstore or online book seller. >> the head of the office of
5:13 am
personnel management was back on capitol hill to testify about the two recent data breaches. the first was disclosed on june 4 and impacted over 4 million federal workers. they are yet to determine how many were affected on the latest data breach. it is chaired by senator john bozeman of yeark. >> good morning. >> good morning. >> the hearing will come to order.
5:14 am
services and general government is intended to elicit further information about the recent opm data breaches. it is also a time to discuss the enormous challenges facing the federal government as it attempts to ensure this does not happen again. the government spends approximately $82 billion a year on information technology. given the cost of these projects and the impact on our economy and the national security members of the subcommittee have an ongoing committee -- commitment to conduct oversight. we must ensure that hard-earned tax dollars of millions of americans are being spent wisely and effectively. just last year, the subcommittee held a hearing with opm director
5:15 am
arculetta, steve van roykle, dan tangerlini and david panner. given the enormous resources and important security issues at stake, the subcommittee considered it imperative that omb and federal agencies appropriately managed these projects. we're all well aware of examples of projects that ended in spectacular failure as with the initial rollout of health care.gov. we should also be troubled by the accounts that don't grab headlines, including initiatives with ongoing costs that grow each year after year without demonstrating effective results or sufficient security. we must have safeguards in place to see that projects are consistent, that problems are anticipated before they occur, and most importantly, that someone is actually accountable and responsible.
5:16 am
all too often, large complex i.t. projects drag on for years. outlasting the administration that initiated them. and the employees responsible for managing. in the fsg bill alone, billions have been spent over the years on tax system modernization at the irs. work that has been continuing for decades and is still incomplete. even for projects now on track past problems generate millions in additional costs and years of delay. and as we have seen recently at irs and once again with the opm breach, both of which have compromised the personal data of millions of americans, billions of federal dollars spent are no guarantee of security. across the government, i.t. projects too frequently go over budget, fall behind schedule and do not deliver value to taxpayers. responsibility for oversight is often fragmented throughout the agency, owning the project and omb does not conduct appropriate review and management.
5:17 am
whether issues related to programs requirements, performance, spending or security, lots of people are involved. but often, no clear lines of accountability are drawn. what has happened at opm is devastating, millions of americans and their families and friends have been affected. giving those impacted limited free credit monitoring and any theft insurance will not be enough to address the long-term consequences that we may see for years to come. but also troubling is the knowledge that opm is just the most recent example of the government's systemic failure to protect itself. according to gao, we should have serious concerns for the future. the number of information security incidents reported by federal agencies has exploded in recent years. constant vigilance is required and government systems may not be prepared for the job. 19 of 24 major federal agencies have reported deficiencies and
5:18 am
information security controls. the i.g. at 23 of those agencies cited information security as a major management challenge. how many headlines of serious data breaches will it take to implement the steps necessary to protect ourselves? and at what point do some in washington recognize growing the bureaucracy without actually governing is a recipe for this type of disaster. the obama administration views the federal government as capable of tackling almost every problem that the nation faces. yet, while attempting to grow the size and scope of the federal government at every turn, the administration fails to follow through on the task that is already responsible for. if you bounce from one bigger government solution to another without carrying out your basic responsibilities, this is what happens. it's easy to suggest more money is the solution. that seems to be the response the administration leans on every time there's a problem. but is often the wrong choice.
5:19 am
especially in situations like this where it appears that the problem is something much greater than a lack of resources. the american people have lost faith in their institutions, the last thing they will do is trust washington to solve a problem when it can't even protect the personal information of those it employs. there needs to be a dramatic change in the status quo. what i hope to hear from our witnesses today is not the same stale line that more money is needed, but an explanation as to why the federal government failed to do the basic job of protecting personal data of millions of employees with the vast resources it already has in hand. what it's doing right now to resolve this problem and what is being done to ensure that we are prepared for the next attack. i hope with your help we can learn from this instant and identify ways to improve and protect our security. i appreciate the interest of all our colleagues and shared commitment to doing what we can to work together to try and
5:20 am
address this so important issue. we cannot afford not to. senator? senator: i'd like to welcome our witnesses, assistant opm and former chief information officer richard spyers. we are here today to review information technology spending and data security at the office of personnel management. as part of that review, we need to discuss recent cyber security attacks that have put federal employee information at real risk. we need to address the late breaking inspector general audit that expresses concerns about opm's i.t. modernization project. but while we conduct this subcommittee oversight of opm and it's spending and response, i also urge us to put this in the context of larger cyber security challenges that face our government and our society -- and society as a whole and
5:21 am
, progress or lack thereof by congress in strengthening our nation's cyber defenses and in providing needed funding for federal cyber security and i.t. initiatives. regarding the cyber incidents at opm, one breach involved personnel data of roughly 4 million federal employees, stored on an interior department networks. investigators found another intrusion where information from background investigations was allegedly stolen. i understand opm recently became aware of the security clearance theft and the investigation is , underway. while we may be limited in exactly what we can discuss in this context, i'm very hopeful we can have a productive and ongoing conversation. the fact the security breaches happened is, frankly, terrible. they force us to grapple with the reality that in our inner connected world, we're more vulnerable than ever and need to do more to protect our public employees vital personal information from foreign attackers. after we've investigated why these cyber attacks were able to breakthrough, we need to be willing to do what's necessary to ensure they don't happen again. these attacks don't just compromise the information of millions of federal employees, but our nation's security, as
5:22 am
well. it's further troubling, the i.g.'s office has found that opm has not fully complied with the federal information security management act which mandates information security requirements for all federal agencies. while opm has made recent improvements, we need to remain vigilant. both director archuleta and the opm cio have only been on the job roughly a year and a half. and to their credit, made i.t. security a priority. but they need to clearly understand that the job is not done. opm has indicated to the subcommittee most of the i.t. security systems are aged and at the end of the useful life for some security patches are no longer provided by the original vendor. fiscal year 2014, opm began a three-year i.t. system modernization and seeking a third installment of $ 21 million to complete that project this year. and without that funding, the investment of the previous two can't be meaningfully completed. i was alarmed by the i.g.'s allegations about mismanagement of the modernization projects to
5:23 am
date, and hope that opm's representatives will speak to these assertions directly here today. last, i just wanted to emphasize, i think we need to prevent another round of sequestration. opm's fy '16 budget request includes a $32 million increase over last year's level. virtually all of which would address i.t. infrastructure improvements. sequestration could critically threaten those investments and the livelihoods of our employees. while some of these cuts might be weathered in the short-term they can have serious long-term impacts. and i think we need to work together to ensure federal agencies are prepared to protect -- prepared as best they can be to protect against cyber threats. the federal government is at constant threat of cyber attacks. it successfully wards off millions of attempted attacks a year. and i think we need to work together to protect the nation's economic and national security interests by coming together to deal with these vital cyber security issues. chairman bozeman thank you for , holding this hearing and i'm eager to work together as we consider the needs of our federal agencies and combatting
5:24 am
cyber threats. >> thank you, senator. >> mr. chairman. may i just have a few comments and observations? >> you can comment all you like. >> first of all, mr. chairman, i really want to thank you for your leadership and convening this hearing. i think america wants to know, certainly our federal employees want to know what happened and what is the impact on them, and what is the impact on the nation? i would strongly recommend to the chair that after this hearing and then also the briefing we'll receive this afternoon, the chair and the ranking consider having a classified briefing because as a member of both the intel committee and someone who has been involved on this, there are things that are best discussed that you need to know for your responsibilities in a setting. and we would be -- and senator cochran and i would be happy to cooperate with you in establishing that. center: --
5:25 am
senator: it needs to be -- you'll know more this afternoon. second thing is, the second point is, what has happened at opm. and also what happened to the breaches at the army shows that that this is a serious national issue. it affects not only opm, but every agency and shows that national security and its impact is not limited to d.o.d. mr. chairman, i also want to remind the committee or bring to their attention, we tried to deal with this in 2012. under the leadership of senators liberman and collins, there was a bipartisan effort to have a cyber security bill that dealt with new authorities for key agencies to establish standards for critical infrastructure, create info sharing regime to protect both.gov and .com and giving dhs authority to unite federal resources across all levels of government to have both the authorities, to make
5:26 am
sure they have the resources to know how to do the right job. exactly what you're saying, sir. let's not just throw money at it. let's get value and security for the dollar. that was stopped because the chamber of commerce established a massive lobbying campaign because they were worried we would overregulate. well, we are where we are. so we need to do a lot of work. we had a bipartisan study group. people like collins, coates, maybe we need to resurrect that because it's opm today, it'll be another agency tomorrow. we've got to make sure our cyber shields are up, we're fit for duty, and we're fit to protect our people. so, i just wanted to refresh everybody that, and of course, my federal employees need to know what happened, how do they protect themselves? and we need to know how to protect america. so thank you, mr. chair.
5:27 am
>> thank you, senator. and i think the suggestion of the classified briefing is an excellent one. and also, that this is not a you know, certainly not a partisan issue. this is something that's been going on for a long, long time through successive administrations administrations. we have three witnesses appearing before us today. katherine arculetta, michael esra, and richard spyer and former chief information officer at dhs and irs. director arculetta, i invite you to present your testimony. director: chairman boseman and members of the subcommittee. entities are under constant attack by evolving and advanced persistent threats and criminal actors. these adversaries are sophisticated, well-funded, and focused.
5:28 am
unfortunately, these attacks will not stop. if anything, they will increase. although opm has taken significant steps to meet our responsibility to secure personnel data, it is clear that opm needs to accelerate these efforts. not only for those individuals personally, but also as a matter of national security. my goal as director is to leverage cyber security best practices and protect the sensitive information entrusted to the agency, modernizing our i.t. infrastructure, to better confront emerging threats, and to meet our mission and our customer service expectations. opm has undertaken an aggressive effort to update its cyber security for fiscal year '14 and '15, we committed nearly $67
5:29 am
million towards shoring up our i.t. infrastructure. in june of 2014, we began to completely re-design our current network while also protecting our legacy network. these projects are ongoing, on schedule, and on budget. we implemented state of the art practices such as additional fire walls, factor authentication for remote access and limited privilege access rights. we are also increasing the types of methods utilized to encrypt our data. as a result of these efforts in april of 2015, an intrusion that predated the adoption of these security controls affecting opm's i.t. systems and data was detected by
5:30 am
our new cyber security tools. opm immediately contacted dhs and the fbi and together, we initiated an investigation to determine the scope and the impact of the intrusion. in early may, the inner agency incident response team shared with relevant agencies that the exposure of personnel records had occurred. in early june, opm informed congress and the public that notification actions would be sent to affected individuals beginning on june 8th through june 19th. we are continuing to learn more about the systems that contributed to individuals' data potentially being compromised. for example, we have now
5:31 am
confirmed that any federal employee across all branches of government who submitted service records to opm may have been compromised, even if their full personnel file is not stored in the opm system. these individuals were included in the previously identified population of approximately 4 million current and former federal employees and have been included in the notification. later in may the team concluded that additional systems were likely compromised. this separate incident which also predated the development of our new security tools and capabilities continues to be investigated by opm and our interagency partners. based on this continuing
5:32 am
investigation in early june, the interagency response team shared with relevant agencies there was a high degree of confidence that opm systems related to background investigations of current, former and prospective federal government employees and for those a whom federal background investigation was conducted may have been compromised. while we have not yet determined its scope and its impact, we are committed to notifying those individuals whose information may have been compromised as soon as practicalable. but for the fact that opm implemented new and more stringent security tools in its environment, we would never have known that malicious activity had previously existed in the network. in response to these incidents
5:33 am
opm, working with our partners at dhs has immediately implemented additional security measures to protect the sensitive information we manage. we continue to execute our aggressive plan to modernize opm's platform and bolster security tools. we are on target to finish a completely new modern and secure datacenter environment by the end of fiscal year '15. which will eventually replace our legacy network. the original budget request included an additional 21 million above 2015 funding levels to further support the modernization of the i.t. infrastructure which is critical. this funding will help sustain the network security upgrades and maintenance in years to
5:34 am
improve the posture including advanced tools, such as database incorruption and stronger fire walls and storage. we discovered the instraousons -- intrusions because of our efforts to improve cyber security at opm, not despite them. i am dedicated to insuring that opm does everything in its power to protect the federal workforce and to insure that our systems will have the best security posture the government can provide. thank you and i appreciate the opportunity to testify today. i am happy to address any questions you may have. >> mr. eser.
5:35 am
michael esser: chairman, and ranking member coops and members of the committee. thank you for inviting me to testify at today's hearing on the i.t. audit work performed by the inspector general. >> can you put your microphone on? it's on. just pull it closer then. michael: today i will be discussing opm's long history of systemic failures to properly manage it's i.t. infrastructure which we believe may have led to the breaches we are discussing today as well as issues to the current modernization project. there are three primary areas of concern that we identified through our fiscal audits during the past few years. information security governance security assessment and , authorization and technical security controls. information security
5:36 am
governorance is what forms the foundation of a successful security program. for many years opm operated in a decentralized manner with the program officers managing their i.t. systems. this decentralized structure had a negative impact upon opm's i.t. security posture and all the audits between 2007 and 2013 identified this as a serious concern. by 2014, steps taken by opm to centralize i.t. security responsibility with the cio had resulted in many improvements. however, it is apparent the ocio is negatively impacted by the many years of decentralization. the second concern is security assessments and authorization. this process includes a comprehensive assessment of each i.t. system to ensure it meets
5:37 am
the security system before allowing the system to operate. we identified problems related to system authorizations in 2010 and 2011, but removed it as an audit concern in 2012, however problems with opm system authorizations have reappeared in 2014 20 opm systems were due to receive a new authorization butio 11 were not authorize sized by year end. in addition, the ocio has recently put authorization efforts on hold until it completes the current modernization project. this action to extend authorizations is contrary to omb guidance which specifically states that an extended or interim authorization is not valid. it is also worth noting omb no longer authorized and we still expect them to have concern the authorizations. the third concern relates to opm's use of technical security
5:38 am
controls. opm implemented a variety of controls and tools to make the agency's i.t. systems more secure. while this is a positive step we -- steps, we are concerned these tools are not being implemented properly and did not cover the entire infrastructure as we found that opm does not have a accurate inventory of all data bases, and opm cannot fully defend its network without a comprehensive list of assets. there has been much discussion in securing the systems as they are old legacy systems. while this is true in many cases and many systems are main frame based, it's our understanding
5:39 am
that some of the systems impacted by the breaches are in fact modern systems for which most ft technical improvements -- most of the technical improvements are necessary to improve them could be accomplished. i would also like to briefly address opm's modernization project which will overhaul it's entire infrastructure and migrate all systems. we recently issued an alert discussing this project and our concerns related to project management and the use of a sole source contract for the duration of the effort. one area of significant concern that we identified is that opm does not have a dedicated funding source for the entire project. its estimate of $93 million includes only the initial phases of the project. which covers tightening up the security controls and building a new shell environment. the $93 million estimate does not include the cost of
5:40 am
migrating the cost of this work is likely to be substantial. and the lack of a dedicated funding source increases the risk of the project will fail to meet its objectives. in closing, it is clear that opm has a great deal of work to strengthen its posture. however, especially for the task of this magnitude, it is imperative that we follow solid i.t. project management best practices. to provide for the best chances of success. thank you for your time. i'm happy to answer any questions you have. >> thank you. mr. spires? mr. spires: i'm honored to
5:41 am
testify. i hope my experience regarding recommendations i will make regarding how the federal government can more effectively safeguard data and improve cyber security posture. most federal government agencies find themselves susceptible to core mission systems because of three primary causes. first, lack of i.t. management best practices. the very best cyber security defense is managing your infrastructure and software applications well. beginning in the 1990's and up to the present, the federal government has not properly managed i.t.. having failed to effectively adapt with the changes in technology and the evolving cyber security threat. as examples of these failures, when i served in government, we would all to routinely discover systems outside the purview that have been deployed without the
5:42 am
proper security and accreditation. the highly distributed approach across government, and i point out that mr. ester is testimony referred to decentralization within opm itself, has led to thousands of data structures. the resulting laxity of vastly different systems and underlying structures makes it virtually impossible to properly secure such an environment. second, lack of i.t. security best practices. while well intentioned and appropriate for the time, the 2002 act skewed the approach for security. the law says to look at the controls for individual systems when in reality, doing systems in isolation high the impact of
5:43 am
large security posture. until very recently, systems would be certified and accredited based on a three-year cycle. which is a significant issue when looking at the rapid evolution of technology in the cyber threat environment. third, a slow and cumbersome acquisition process. when i was at dhs, i was a proponent of diagnostics and mitigation programs. it is dismaying to see how long it took, two plus years just to intimate phase one. that does not include the additional competitive process for agency to obtain get abilities. sophisticated adversaries will exploit any and all one abilities. the government is even more honorable what it takes months not years to deploy new security capabilities. my recommendations to address these causes -- first,
5:44 am
effectively implement the federal reform act. this law is meant to address the systemic problem in managing i.t. effectively and the main intent of the law is to power the cio to address these issues. so far, i am pleased with tony scott and the role of the rollout. congress can support these efforts by demanding aggressive implementation development of measures for assessing the impact, and transparency in reporting ongoing process. effective and limitation is the government's best hope. second, dry adoption of best practices. there have been positive movements with the updated law and the move to continue monitoring.
5:45 am
i recommend the government rethink how it is measuring success, with focus along three lines. the continuing need to pursue cyber security tools to prevent intrusion, but even more importantly, detect them quickly when intrusions do occur. the government needs to assume that sophisticated adversaries will still gain access. the root of all trust is verified identity, and the government needs to step back and rethink how it is rapidly implementing ubiquitous use of multi factor authentication's, along with the behavioral detection systems to identify insider threats or compromise credentials. finally, the government needs to target additional protection of an agency's most sensitive information. through focused effort in the use of data protection technologies, the government has high assurance that only the trusted parties have access to the sensitive information. this would go a long way towards
5:46 am
forging additional bridges. certainly the breaches at opm are terrible for the government and the millions who may be negatively impacted in the future. however, the need to implement the law can be the impetus for much-needed and sustained change. it is critical to make enough progress during the next 18 months to ensure that leadership commitment to meet a change in i.t. management and security is sustained into the next congress and administration. thank you for the opportunity to testify today. >> thank you mr. spires. at this time, we're going to proceed to our question that we plan on proceeding to our question. each senator will have seven minutes. i hope you have time to accommodate two rounds.
5:47 am
we have a vote hold now, it is only one vote. we will like to suspend run and vote and come back and start immediately with the question. we will do that. [inaudible]
5:48 am
>> the committee will come to order. again, i apologize for the delay. the only thing we have to do around here is vote. and so, there is just no way of knowing. you schedule these things and certainly that trumps everything, which it should. director archuleta, according to the news reports of the opm's security clearances, hackers have access to sensitive data for years. the systems contained important information for current, former and perspective federal employees and contractors. will a notification be provided to information and focus groups. archuleta: even as we speak, we are developing a notification process to reach those individuals. we are taking into account what we have learned from the first notification and looking at the wide range of options we would have in that notification process. >> will notifications be
5:49 am
provided to family members and other individuals whose information was included solely due to their relationship with the applicant? archuleta: we are going to give consideration to all of the individuals affected by the breach. as the plan is developed, i would welcome the opportunity to come in to detail for you. >> how did you decide that 18 months of protection is sufficient for federal employees? archuleta: this is an industry best practice. the second notification is really examining that to see with the range of options may be. >> will you offer the same protection to individuals stored on databases, or does this heightened level warrant additional protections? archuleta: this is what we are looking at with our partners for a wide range of options we need to consider.
5:50 am
>> what additional steps do you plan to take to protect the victims, given the long-term effects these breaches pose? archuleta: i am looking at the steps we can take to protect their data. i am as upset as they are. we are examining not only the notifications, but also the protections in the remedies we must put into place. >> those are important questions. those are the kind of things we are getting from federal workers. i know you will have a lot more questions related to that. it is so important that we try to get information to those that have been affected. mr. spires, the administration has ordered a 30-day sprint to patch security holes. is 30 days sufficient time to
5:51 am
correct more than a decade of negligence about our systems? in the failed attempts at modernization? mr. spires: i'm sure you would not be surprised for me to say no. it is not sufficient time to fix the systems. the situation we find ourselves in, i think it is a good thing, though, to put in place a process by which planning should take place. so that we could start to get our arms around what should be done agency by agency to put us in a better posture. >> as we get into these things mr. spires, do you expect us to find significant problems as far as breaches with the other agencies? mr. spires: first, i should say you will find significant problems with them not following i.t. security best practices. and not that that alone would necessarily indicate breaches, but given the situation we find
5:52 am
ourselves in, you should find significant ones. mr. esser: i would concur with mr. spires. we have been seeing breach after breach this year, health insurance companies and background and government entities. it would not surprise me to see more. >> mr. spires, how again looking at the scope of the problem, how long do you feel like it would take the government to actually do things we need to do to protect ourselves from the outside threats? mr. spires: i think we should take an ordered approach to the problem. in my mind, what agencies should first be doing is identifying the sensitive datasets they have and putting them in a bucketed priority.
5:53 am
and coming up with plans to protect those data sets. the reason i say it that way is to think that we can go into these large agencies that have, as i said, decades of mismanagement and decentralized i.t. and fix that quickly is just naïve. this notion of doing it by protecting sensitive data sets, data technology today and encryption and the like, to do that at the document level -- and then, you have to worry about identity. it does no good if you have encrypted the data, but the credentials of someone to get to the data have been optimized. you need to work on the identity problem. that is where things like multi-factor models come in. there are many new technologies to make this much faster and easier to roll out that it was five years ago. also, this notion that even if
5:54 am
someone has been authenticated and authorized, that doesn't mean their behavior is correct. right? the insider threat problem, we have to watch that. this notion of bringing in detection systems are ways we can monitor the privileged user. those that have root access to the systems and data are the ones that, frankly, we need to monitor. >> director archuleta, we have heard numerous accounts of frustration with csid. including long wait times repeated website crashes and inaccurate information reported to the victims, what steps are you taking to monitor the contractor? archuleta: we have experience in these verifications. -- notifications. we served sony with their large breach. we believe they have the capacity to handle that -- >> but when you call in now, the wait times are very long.
5:55 am
i don't know that they have experienced anything of this magnitude. archuleta: thank you, sir. i am as angry as you are about that. i want to make sure they are doing everything they can to reduce wait times. that is why i have instructed my c.i.o. and her team to work with that contractor to improve daily the services they are giving to our employees. an employee should not have to experience that. that is why we are demanding from our contractors that they improve their services. i do believe, sir, because of the two incidences, we have had an unusual number -- a high number of phone calls. that is not an excuse. our contracts should be able to perform to that number. >> thank you. >> ms. archuleta, if i might, if
5:56 am
opm had completed the upgrade, with these consequences have been prevented? if opm had been in full compliance, would any of the breaches still occurred? archuleta: my cio has advised me that even if there had been 100% compliance, there is no guarantee that that system will not get breached. that is why an i.t. strategic plan and the implementation is so important, mitigation -- risk mitigation is the answer to what we need to do. we need to be able to detect and mitigate. that is what our plan is designed to do as we move from a legacy system to the new shell system. i believe we need to act very rapidly to move from this old system to a new system. we need to make sure that we are tracking, documenting, and justifying everything we do. we also need to be sure we are
5:57 am
acting as quickly as we can, to protect the records entrusted to us. >> all of the federal employees have been affected, as the cochair of the senate law enforcement caucus, i am particularly concerned about those officers and their family. they have to be concerned about previous criminals that might have motivation to seek out their homes and families. what are you doing specifically prompt or respond to their concerns or inquiries, not to suggest they're the only folks with concerns, but they are one of the subsets that have very real and legitimate pressing concerns. archuleta: what i can assure you, senator, we are working across agencies to analyze the scope of this breach. we will be able to discuss more with you in the classified session. i can tell you that we are working very closely with our law enforcement partners.
5:58 am
>> i am eager to follow up with you on that and to get some reassurance, which greatly concerns federal employees of all backgrounds. that they are able to get updates and more information on their path forward. your budget request was submitted before the discovery of the most recent incident, before we had any sense of the scope. are there additional tools or enhancements that you need in order to deal with the critical issues that are now well and widely known? how might you seek an amendment to the budget request? archuleta: thank you for that question. we are analyzing now with onb and my cio to determine what the request might look like. i hope to get back to you by the end of the week. >> thank you. last question, if you had actually encrypted federal employees' identifying information, would that have
5:59 am
protected them from the hackers once the system is compromised? archuleta: this was a question that had been asked of my colleagues who are experts in cyber security. they have informed me, indeed, in this particular case, the encryption would not have prevented the breach. encryption is an important tool, that is why we continue to build the encryption method within our system. in this particular case, it would not have prevented it. >> my question was not whether it would have prevented the breach, would it have protected it once the system was breached? archuleta: no. it would not have in this case. >> regarding the question on system compliance and upgrades mr. spires, any difference of opinion? any insights if compliance would have produced a different outcome? mr. spires: the issue, the old
6:00 am
2002 law, it was really around a set of technical controls that would be checked every three years. given the environment we live we are moving towards a continuous diagnostics model which is the correct model. where you monitor all of your systems and the complete environment, looking for intrusions and improper behavior. but i would even echo the point that even that is not enough in today's environment. you need the data protection like encryption and you need to upgrade to better understand who is accessing your system. those are all critical process of these in order to protect data today. >> would it be reasonable for us to have expected that opm could achieve a data security given the resources they currently have available?
6:01 am
mr. spires: i am not sure i'm in a good position to answer that. i go back to my point of a focused answer of protecting sensitive data with the right encryption and a right access control capabilities. if you put the focus there, i think most federal agencies would have the funds and resources to be able to a manage that. sen. coons: we have seen significant data breaches for home depot, jpmorgan, target sony, neiman marcus. many of them have invested in cutting-edge cyber security. is the private sector having any more success in mitigating cyber breaches? mr. spires: i don't know if i would make a sweeping comment on that. it depends a lot on the actual company, it varies greatly. i would say that to make another
6:02 am
point here, one of the big differences between the government and the private sector is that the private sector has the ability to very rapidly acquire the newest capabilities that are being offered by the cyber security if you will, industry. one of the things i would like to see is the government agencies be able to bring in, in a test environment or pilot, new capabilities as they come to market. that would really help government agencies to adopt the new capabilities. sen. coons: you referenced the slow and cumbersome procurement, i look forward to exploring that with you in the next round of questions. thank you, mr. chair. sen. lankford: we have a lot to be able to cover. to be able to resolve things for the future, but what has happened in the past. there are several comments that
6:03 am
you made, what is the most pressing issue you discovered since the flash report you have done? based on the vulnerabilities that still exist and what needs to be finished? i am not asking you to expose publicly abilities that still exist, but what on the list need to be addressed immediately? mr. spires: senator, i think one of the most important things that needs to be addressed are is the two-factor authentication to access systems. this has been a long-standing problem at opm. they have made improvements and implementation of this to affect workstation access.
6:04 am
the actual systems that are being used need to be implemented also and require two factor authentication. senator lankford: the chief information officer had also listed the same thing in 2012. let me read this. the initiative to require personal identity authentication to access the agency network, as of 2014, 90% of workstations required personal identity access for the network. however, none of the 47 major applications require personal identity verification authentication. is that still correct? mr. esser: to the best my knowledge, it is. sen. lakford: ms. archuleta tell me about that, please. dir. archuleta: two points there. remote users, we are 100% at that point now. with regard to all other users
6:05 am
we are working very rapidly to increase that. i have asked my cio to increase that effort. i would be, i'm sorry i don't have the percentages in my mind right now, but i would be glad to get back to you where we stand as of this date. we are working rapidly to do that. senator lankford: a 95% figure is pretty close? 95% workstations, still 47 major applications are exposed, i guess? dir. archuleta: i would like to get back to you for full details. senator langford: there is a question on authorization. obviously, that is a requirement for omb. on this, it says 11 were not completed in time. or were operating without a valid authorization. what can you tell me about that? dir. archuleta: all but one of those systems has been authorized. they are operating withd we are working on the contractors. senator lankford: there is a systemic problem.
6:06 am
i'm trying to figure out why -- to make sure that authorization is done on time and on schedule. has that issue been fixed? i know people stepped in and said, let's turn to fix this. what about the future, to make sure they're done on time? dir. archuleta: i would like to have my cio get that information to get back to you. senator lankford: give me a time frame. dir. archuleta: by the end of the week. senator lankford: that would be great. i am the the chair for -- june 10, i sent a letter that has yet to be acknowledged, much less be answered. there were some basic questions that are still unanswered on it. none of them that would require a classified setting. but there are some basic unresponsive answers. i have letters already on the record, and tremendous number of employees that live in my district are asking basic
6:07 am
questions -- the folks have asked some very basic questions. they have yet to get a response or even say it has been acknowledged. they just want to know timing. i know the letters have gone out nationwide. people want to know if there are people working on these issues. there have been many for a while. dir. archuleta: senator, i apologize if you have not received that response. i asked my staff to respond to that. i know that it is forthcoming. i will make sure you have that letter today. senator lankford: great. thank you. let's talk about cost issues dealing with the appropriations side. do we have a ballpark cost to contact everyone to let them know, hey, possibly your information has been breached? there are two cost factors that our committee has to consider. one is the cost of sending the letter out. the second is the cost for the credit report and screening that is happening. do you have a cost estimate?
6:08 am
dir. archuleta: i have a general cost as we take a look at the pickup rate on credit monitoring and that will adjust it, it is approximately anywhere from $19 million to $21 million. senator langford: what is the estimated cost on a letter going out? dir. archuleta: that is the total cost between e-mails and letters, i do not have the breakdown. i would be glad to get that for you. senator lankford: some agencies, the website you link to, some agencies have already blocked that internally. so those individuals may try to go there are blocked, for fear there may be phishing scams. dir. archuleta: we worked closely because of the security protocols they might have. we work closely with them, and their cio's and other top officials. senator lankford: the inventory of servers and databases and to different workstations out
6:09 am
there, the central control issue is important for keeping up security and technology upgrades, and making sure software is upgraded. and everyone has a consistencet security presence there. when there is a server there, it creates tremendous -- that is not a legacy issue. that is more of an inventory issue. dir. archuleta: i respect the inspector general's opinion on this. our cio says it is sufficient. i would welcome the opportunity to discuss this with you and with him further. senator lankford: thank you. that is one of the significant responsibilities. >> thank you for having the series. ms. archuleta i will start with you.
6:10 am
i just have a series of questions that i hope are relatively short responses. i will work my way through as quickly as i can. what is the current estimate of the total number of files for employees breached? director archuleta: we estimate that the over 4 million. sen. moran: what have you found? dir. archuleta it is an ongoing : investigation. we will continue that with our partners. at this point we know it is a little over 4 million. senator moran: are those words interchangeable? 4 million employees and 4 million files? director archuleta: approximately 4 million people who have been affected by it. sen. moran: you say the number affected. we estimate it to be 4 million. what is the maximum of files that could have been breached? director archuleta: i want to separate incident one and two.
6:11 am
incident one i describing the am employee personnel files. estimate that to be a little over 4 million. senator moran: what is the total number that could be affected? director archuleta: that is the number. senator moran: all right. director archuleta: the second incident, we have not determined the scope of that. i don't have a number. senator moran: how many files do you have management over? director archuleta: federal background investigation file may have a number of different names. and pii within it. that is why i cannot give you a specific number. we are working to get that number. i will bring it to you as soon as we have it. senator moran: let me ask warmer one more time to make sure we are on the same page. you have a certain number of files within your agency subject to this kind of breach. what is the total number of files that could have been
6:12 am
breached? director archuleta: we are investigating that right now. senator moran: how many files are there at opm? director archuleta: there are millions of files. we are a data center. there are millions of files. they contain numerous names. i want to be careful to make sure the number and give you i'm confident about. senator moran: all right. you indicated you have taken significant steps. i wrote that down as part of your testimony. but only three of 29 recommendations have been closed. only three of these 29 recommendations have been close to date. nine of these open recommendations are long-standing issues that were rolled forward from the prior year audits.
6:13 am
how do you reconcile "we have taken significant steps," and yet the oig says there are long-standing problems and only three of 29 have been addressed? director archuleta: we work closely with our i.t. we work with him to make sure that we have complete and open transparency with him. we meet on a regular basis. he continues to assist us in identifying the areas of improvement, and the issues he has brought to us, we are working through. the 2014 audit that he performed for us and provided to us we are , working through the steps that he has outlined for us. we are not in agreement with all of them, but we do believe that the conversation and the transparency that we have between us will be helpful for resolving all of them. sen. moran: mr. esser, do you believe the agency has taken significant steps to
6:14 am
improve? mr. esser: yes. i think that they have made great strides over the year to improve some of the issues we have reported. in this past year's audit we , have decreased our severity of that finding from a weakness to a significant deficiency. in other areas they have put in , tools and made strides to improve security. with that said, there are number of long-standing issues in our reports that are open. we hope to see a movement on. senator moran: mr. spires, let if you are still in a former capacity at the irs or homeland security let me start with a , broader question. based upon your understanding of the facts involved here and your
6:15 am
best judgment, was the preacher breach or breaches that have occurred at opm, where they predictable, based on what we knew, looking at the oig reports, use all those reports is this an outcome that could be expected? mr. spires: i think it is an outcome that could be expected sir. senator moran: would you say that the opm officials have taken significant steps to solve their problems? mr. spires: it does sound like they are doing a number of the things correctly. the centralization of i.t. is a good step. they're talking about a modernization program that would upgrade their i.t. structure. that being said i will go back , to my earlier point. if i had walked in there as a cio -- and again i am
6:16 am
speculating a bit -- and i saw the lack of protection on very sensitive data, the first thing that we would have been working on is how to protect that data. not even talking about the system. how do we get better protections and control access to that data better? i think that is probably where the focus needs to shift. based on what i am hearing. sen. moran: meaning there is a priority. mr. spires: yes. senator moran: ms. archuleta does anyone at opm takes personal responsibility for these breaches, or is this just considered a problem with the system? is this just individuals not performing their duties? or that this is a system we inherited, we're working on it and no one in particular is
6:17 am
responsible for the outcome? director archuleta: i think they said it correctly. this is decades of a lapse of investment in the system. that i inherited when i came in. from the very beginning of my tenure, i have been focused on this. we are working to install not only the architectural strategy, but also to install the detection system and be able to remediate. both of my colleagues have mentioned, we have legacy systems that are very old. often times we have to make sure we can add those protection s into the legacy system. if there is anyone to blame, it is the perpetrators. they are concentrated and well-funded. focused. aggressive efforts to come into our systems not just at opm, but across the whole enterprise. it is one we are concerned about and one we are working on with
6:18 am
colleagues. we are going to take every step we possibly can at opm to continue to protect. that is why we are trying to move out of the legacy system. senator moran: to date you don't consider anyone at opm, any of your staff or employees are people responsible for i.t. and security to be personally responsible? it is a problem with the system that has been inherited? dir. archuleta: this is an enterprisewide problem, and cyber security is the responsibility of all of us in organizations. that is why the tony scott's assistance and his efforts, we are going to address it as an enterprise-based as well as opm. sen. moran: so no one is personally responsible? dir. archuleta: i don't believe anyone is personally
6:19 am
responsible. i believe we are working as hard as he can to protect the data of our employees. and that is the most important thing we can do. i take it very seriously. i'm angry, as you are, that this has happened to opm. i'm doing everything i can to move as quickly as i can to protect the system. senator moran: thank you very much. director archuleta: thank you, sir. sen. boozman: mr. esser, isn't it true some of the tools -- the idea that this was all legacy and stuff is really not that case? mr. esser: there are many legacy systems at opm. i don't want to give the wrong impression. that is a fact. based on the work that we are doing, it is our understanding that a few of the systems that were breached are not legacy systems.
6:20 am
they are modern systems with that current tools could be implemented on. senator boozman: very good. i think that is important. concerns are being raised about the contract secured to provide credit monitoring services to the victims of the first breach. we don't know the scope of the second breach and what services will be provided for additional victims. mr. esser in your flash audit you rose concerns about opm's infrastructure. an improvement project related to subsequent phases of the project. do you have additional work plan ned atfor opm's practices? mr. esser: it is certainly something we are monitoring and following and gathered information. we haven't planned any audits of land at this time.
6:21 am
it is something we may do. senator boozman: mr. spires, you describe a number of root causes in i.t. security. you offered a number of recommendations. can you just tell us again a couple of key recommendations that would make a difference over the next year? mr. spires: high really want to emphasize foratara. i thank congress for passing this for the good of the nation. we need to figure how to manage i.t. perfectly. that is the single cause that has led to these data breaches. i'm not just one to say have all the power reside with the cio. bring best practices and not allow systems or practices to continue that jeopardize the security of our data and our
6:22 am
systems. that has in the problem for decades. we still have a real cultural problems. based on many discussions, the cultural issues loom large here. we need to take this incredibly seriously. i urge you to provide your own oversight of the implementation of fitara. senator boozman: do we need additional legislation? mr. spikes: i am not convinced. i think we do need general cyber legislation of how to share. i think that is something congress should continue to work on. i think we have between two acts -- we have enough tools. now it is a leadership with
6:23 am
in the administration with proper oversight of congress. senator boozman: very good. mr. esser, along the same line what would you comment on the most significant weaknesses or the underlying causes? what do see as a priority we need to do in the next three years? mr. esser: specifically at opm, the project they are undertaking to modernize the i.t. systems is the right way to go. that definitely needs to be done. we fully support that project. we do have some concerns regarding some of the project management related to it. the sole-source contracting. in general, we think it is definitely the right path to follow.
6:24 am
sen. boozman: so you will be -- how will you all be involved? mr. spires talked about oversight. that is something we could do. how would you be involved in that process? mr. spires: we continue the modernization of the process. the flash audit alert was issued this week. it was an interim report, so to speak. we will continue our audit work throughout the length of this project. senator boozman: mr. spires, your effort to drive improvement and changes -- that is not working. do you recommend any changes to the goals? mr. spikes: i think having goals is certainly appropriate but let's take an example.
6:25 am
this need we have all talked about, this need for multifactor accreditation, the need to better protect systems that are legitimate. yet when you look at the cyber goal and you look at trying to get the 75% usage within the civilian federal agency as the goal, let's go back to that adversaries. they only need one way in. 75% doesn't cut it in this world anymore. we need to rethink i think the objectives there. go back to the privatization of protecting data. those should be the highest goals. that doesn't mean we should be working to continue to bring in the capabilities to better protect systems. we need to do that.
6:26 am
it is time to reset those goals. reset them along those priorities. senator boozman: we didn't exactly know what entails the system. is that being corrected? or we still don't know? mr. esser: based on our latest work, that is still our understanding. we would be more than happy to work with them and look at that and do our audit work related to that. senator boozman: if that is a case, it has recently happened. mr. esser: yes, sir. sen. boozman: two i very much. --thank you very much.
6:27 am
senator mikulski: thank you very much. mr. spires, do they have a cyber shield? mr. spires: i do not have any more information than what i read in the news, but i read that as well. senator mikulski: that is a problem. that is not to excuse where we are. but you are advised to us is to get with it, and get with it quick. mr. spires: you sum it up well. sen. mikulski: -- mr. spires my experience having : served on the council and worked with major investment agencies is opm is not some kind of outlier here. many agencies have similar shoes to what opm is facing.
6:28 am
as far as i.t. management and cyber security posture. senator mikulski: thank you very much. ms. archuleta, the federal employees, maryland is the home to thousands of federal employees, and they work at everything from the national institutes of health to the national security agency. most are civilian employees. what do i tell my employees, because they are quite apprehensive? what is the impact of this on them? can you talk about this? what is the impact on them? how are you in communication? should they be afraid that another shoe will drop, and it could drop on them and their credit ratings or whatever? director archuleta: yes, and i do want to say i care very much as you do about our federal employees.
6:29 am
what this breach has done is it has exposed their data. i'm very concerned about that. in terms of the first incident we have been working hard to not only begin, but to improve our notification system and to provide both identity theft and credit monitoring for them. we have received much feedback from our employees. we are using that feedback. sen. mikulski: so have i. they are pretty apprehensive and agitated. dir. archuleta i'm angry, too. : i'm angry this has happened. i have worked very hard toward correcting decades, as i have said before, of inattention, and i will continue to do so. i will tell you that i'm very concerned about protecting the data of our employees. as we move into incident two, i am going to use their feedback
6:30 am
, their concerns to inform us as we look at the wide range of options we will have available to us with regard to these notifications. senator mikulski: do you have a council or federal employee organization that you meet with that could tell you the view from the employer up so you hear what they are saying? people like myself, senator cardin, senator kaine, senator warren, are very aware of the fact that the capital region is the home to so much talent and so much pressing national attacks. now they are worried about predatory attacks against them. we're turned to sort out the best way to have a cyber shield on our.gov. director archuleta: we are doing
6:31 am
several things, vice chairman mikulski. thank you for that question. we are working with our human capital officers. senator mikulski: i don't know what chico is. that's where i bought some of my jackets. [laughter] director archuleta: mine, too. all of the department heads and leaders try to adjust the notification system so it is customized to the employees. we are listening to our union s, our union representatives and seeking their input and other stakeholder groups to see how we can better improve our notification system. not in the long-term, but take during this period from june 9 to june 18th take their two feedback every day about call centers and how we could provide -- how we could work directly with department heads and agencies. they are assisting us in the
6:32 am
notification process. we take seriously what we owe to our employees. i will continue to do that and make sure that in a second incident that we are using their input. senator michael z: i think that is very crucial. -- senator mikulski: i think that is very crucial. i would like to thank you, mr. chairman, for having the ig at the table. all my subcommittees either had an ig come in the hot spot or testimony. the fact that you are utilizing that is really crucial. we will have a lot to talk about this afternoon. better talk privately. mr. esser, thank you so much for your service. we so value the work of our inspector generals. they have been enormously helpful both as chair and vice chair of the committee to get value for our dollar.
6:33 am
to identify management hotspots. we really want to thank you for the identification for the not only the problem but also the recommendation for the solutions. thank you very much, and all of the ig's. mr. esser: you are very welcome, senator. chair: thank you, senator. senator lankford: let me ask a follow-up question. many federal agencies have similar issues. one, define what issues mean on this. second, give me a percentage when you say "many" of agencies. i'm not asking you to articulate what are the security issues and what are the vulnerabilities -- i am not asking you to do that. give me a guess how many agencies are we are dealing with and what those issues are. mr. spires: many agencies have a
6:34 am
similar problem that mr. esser alluded to about the centralization of i.t. it is not necessarily -- it has been very difficult for agencies as they rolled out systems. the complexity factors have grown so significantly. it is difficult to get their arms around the system. we would do inventories and find all of the systems that we have. i say that we did a relatively good job at that. every year we would find more. that is the first thing. most agencies have that problem. i don't want to put a percentage on that. i don't know how to measure that as far as the percentage. most of the agencies have this problem that the cio would not be able to sit here and say that they have a good handle on their true handle on i.t. systems.
6:35 am
senator lankford: what about use of credentials? mr. spires: i give all the credit to dod for rolling out that part to make it happen. most agencies are still struggling to roll out what we call the smart card. and then use it for logical access control. it is still an issue. if you go to the cap goals and look at where we are at, it is still an issue that most of the agencies on the civilian side . senator lankford: authorizations? mr. spires: again, think you're hitting a hotspot. they were out in the field. they would not have authorizations because they were out in the field and not under the cio control. another thing i did not like, which is kind of hiding the ball a little bit, you could do an
6:36 am
interim authority to operate, and some of those would last way too long. there would be weaknesses in the systems. it would be difficult to clear those weaknesses. i cannot put numbers on that sir. hopefully i have given you a sense of where i feel many agencies are today. senator lankford: none of those seem like big dollar items. those are more management, current inventory structure, process the number one term hot togene for our systems. senator: i want to be careful -- mr. spires: i want to be careful here. senator lankford: if we have got a monitor with an orange screen on it, i get it. we have some old systems. i'm asking the initial security side of this, the first rung seems to be how we are handling the information in the inventory. mr. spires: i agree with your sentiment that says we could
6:37 am
manage this a lot more effectively, and we do not necessarily need new dollars. to do that. some of these issues you do need investment. senator lankford: sure. ms. archuleta you have in your , written testimony, you talked through the timeline of how things went. some areas you were very specific. there are of terms that jumped out to me there. let me read this back to you -- as a result of these efforts to resolve our security posture, and april 2015 predated the adoption of the controls. it was detected by our new cyber security tools. opm immediately contacted the department of homeland security and federal bureau of investigation. could you give me definition? is it a week, a month? director archuleta: same day. senator lankford: great. you had the same issue there. you talked about the scope of the intrusion. opm notified congressional leadership. what is our time frame?
6:38 am
director archuleta: we have a seven-day requirement which we met. senator lankford: terrific. thank you. the contractor that was involved in this, who was that contractor? what were their assurances that they gave early on during the contracting process to say we will provide a security structure, management -- i'm looking for what they said they would do and what they did? who was the contractor first? director archuleta: i want to be clear that while the adversary leveraged to gain access to the network, we don't have any evidence that would suggest the company was directly involved in the intrusion. we have not identified a pattern or material deficiency that resulted in the compromise of the credentials. since last year, we have been working in key point and they have taken strides in security
6:39 am
its network and have been proactive in meeting additional security controls we have asked them to use to protect all the background data. senator lankford: so the question then with key points, where these discussed earlier or were these things that were consider? director archuleta: i think i understand, but let me be sure. our detection in april detected an intrusion into our system in late 2014. the detection was in 2015, we detected an intrusion in our system in late 2014. senator lankford: what i am trying to drive at is then there were changes in security protocols. were those changes recommended before, or were they entirely new? director archuleta: they were once we had planned and work installing. unfortunately, we didn't have it in place soon enough.
6:40 am
we are working with a legacy system. we were testing many security tools. and as a result of actually being able to install this particular security tool, we were able to detect it. senator lankford: and that plan had been in place how long? director archuleta: it started our i.t. security plan which we developed in -- senator lankford: 2012 plan? director archuleta: 2014. senator lankford: thank you. director archuleta: thank you, sir. senator coons: you're in the middle of a major project. how much do expect that total project to cost? what elements are included? director archuleta: four steps. what are the tools we are going to need to protect our systems even as we move forward? we are building a new shelf system that will be the platform.
6:41 am
the third and fourth are the migration and the disposal of the legacy system. we are at the step right now -- in june of 2014, we hired a contractor to assist us in the development of the shell. we are moving towards that. we have identified $67 million in 2014 and 2015 that would enable us to move toward that. we're asking for an additional $27 million in the 2016 budget. to aid us. we are working closely with omb to determine if another request should be made. senator coons: has it been made? director archuleta: yes. we worked very close with omb. this is one of the points that the auditor or the ig brought out in his flash audit.
6:42 am
i could assure the ig that we have been working very closely with omb. this is an urgent issue. we are moving as fast as we can making sure that we track and document all that we are doing with the standards that have been given to us. we have a budget that we work very closely with omb to deliver. senator coons: in response to the ig audit one of the concerns was that you give a sole-source contract to a single contractor in all four phases of a very large project. what type of contract is it? is it a fixed contract? what steps are you considering a light of the audit? director archuleta: they're often time places where we have areas of agreement and areas where we would like to have further consideration with the auditors. in his flash audit the inspector
6:43 am
, general encouraged the use of either existing contracts or the use of full and open competition. i would like to assure you that the processes followed in the awarding process had been perfectly legal, and we will continue to assure any further contracts and processes entered into will also be perfectly legal. he also said the shell cases should not be used for migration and cleanup phases and i understand his concerns . i would like to remind the inspector general that the contract for migration and cleanup have not yet been awarded. where we would like to have further discussion with inspector general is the timeline, the practical timeline, for our major i.t. business case. he is suggesting we move that
6:44 am
out into fiscal year 2017. i would like to move that much quicker given what we have already experienced. i assure the inspector general and everyone here that all of our decisions are being tracked, document, and justified. he has made a number of recommendations regarding contracting and standards that rely on external sources. for assistance, and i believe the federal government and the good work that tony scott is providing to us and all of our partners have strong solutions to offer. i am going to look forward to talking more to him about his suggestions. senator coons: have you had a chance to look at other agencies that have had successful i.t. projects to look as a model? have you looked at whether having an outsider contractor might achieve some of your goals? you have multilevel expenses and time critical i.t. projects.
6:45 am
breaking into bite-size pieces may achieve some of your goals. director archuleta: i was looking at all of our options. this is a very serious issue. i looking at all of the am resources i have available to me. i will certainly do that. i believe the federal cio is an important asset, as is our partners at dhs, nsa, and fbi. we are looking to those. i welcome the inspector general's suggestions. as i move forward, i will be listening to him carefully, as well as partners across the government. senator coons: i appreciate your response. mr. spires, you were the former cio at dhs and irs both of which have had very cumbersome, difficult, and often challenging i.t. projects. we able to do turnaround some of the legacy i.t. failures there? what advice do you have for opm?
6:46 am
as they engage with another expensive, multi-complex change? mr. spires: i would make the note that it is always about a team effort. in order to deliver these kinds of programs, i actually joined irs and took over a program. at the time, it was on the gao high-risk list, and i am pleased to say that as a team effort, it took a long time, improved our processes to the point where recently that program was removed from the high-risk list, which is quite an accomplishment. let me just say that i have reviewed many programs. we could have a long discussion of how to appropriately manage i.t. programs. i will make a couple of points really quickly. one thing that is critical is the overall governance framework that you put in place. you need to get the right stakeholders in the room to make
6:47 am
this happen. all too often in government, i have seen issues were that does not happen. the other thing i would say is don't over rely on contractors. you need to have a program management office of government officials that have the requisite experience and skill set to run these programs. and i'm not picking on opm. i do know much about their modernizations at all. i have found the smaller agencies struggle more with this because they do not have the heritage of having learned those lessons within the agencies themselves. senator coons: thank you. i see my time has expired. mr. spires, mr. esser, miss archuleta thank you for your , testimony today. thank you for the input end working with us as we move forward to try to offer critically needed reassurances, particularly to law-enforcement, but also to employees and to find timely and cost-effective solutions to this and other cyber challenges.
6:48 am
chair: senator moran. senator moran: chairman, thank you very much. mr. spires, based on what you heard today, your knowledge of government agencies and their cyber security issues, is this a management issue? or is this a resource issue? mr. spires: it is more of a management issue, sir. senator moran: why is that? mr. spires: the dispersed nature of the way i.t. has been running a lot of agencies, there are so many inefficiencies that have crept into the system. i don't believe we have effectively spend the i.t. dollars we have received. i believe with the proper drive towards management, you could drive a lot of savings from the existing budgets. there is a caveat to that. when you are talking about new modernization programs, sometimes with the right business case, it does make sense to invest in those.
6:49 am
senator moran: based on your response to senator coons, easy i assume there is a natural inclination when these issues arise that the easy thing to do is to hire a contractor. we do not know this stuff, it is not our primary mission, let's just get somebody in here who takes care of stuff. we have worked on this committee when senator udall was its chairman with fitara and those issues, how cio's play a part in the agency, in part trying to compensate for an attitude that we are not tech folks, some of the else is this once will for that. miss archuleta, described to me how you work with your cio. let me ask the russian first -- the first breach i think you -- let me ask a question first -- the first breach i think you were aware of goes back to june 2014. as i recall, you and others testified in this committee in may of 2014, and the following
6:50 am
month opm became aware of a , june, breach. is that -- director archuleta: yes. the first breach that we discussed with you was -- senator moran: i don't think you discussed this in may. you know about it. i do not think we know about it. director archuleta: i'm sorry. i want to look and make sure how i have my months right. march 2014 was when we identified activity. but there was no pii that was lost in that. in june 2014, which is what you may be referring to, u.s. i.s. was breached. there was opm data that was compromised. it impacted 2.6 million -- i'm sorry, 2.6 thousand individuals. in august of 2014, the key point
6:51 am
government solutions, which i described earlier, their adversarial activity -- they were breached. it compromised approximately 49,000 individuals. in april of 2015 was the breach that i described earlier as well as the one in may. senator moran: let me make sure you understand what you just said. there were three breaches that occurred prior to the two that we are now talking about. director archuleta: there was. the opm network in march -- senator moran: what changed at opm? you obviously then became aware on three occasions someone is trying to intrude on our system. what then did opm to after realizing that? director archuleta: if i could just go back a little bit because i want to reassure you
6:52 am
to my colleague's point that one of the first actions i took as opm director was to hire don seymour. the second action i took was to develop a strategic plan for the that had exactly the things, the pillars my colleagues described. i.t. leadership. my cio. i.t. governance, that is my whole leadership team must buy into the design and plan and structure of the i.t. plan and its development. i.t. architecture -- what was it going to take for us in view of our legacy system? i.t. data. we needed to be informed, we needed to know that what we were doing was right we're doing in a way that was analytical. we also had as an important pillar i.t. security. obviously very important.
6:53 am
as we were building out, even as we were working on our strategic plan, one of the most important pillars was i.t. security. sense donna seymour came in as cio because of her experience and as mr. spires said, we brought her from dod to apply those skills and that talent. what could be place on that legacy system? what would it take to do that? that is where she has began and what she continues to do throughout her tenure. senator moran: your point is not necessarily following the three breaches that we just talked about but from your arrival, your priority was to get a cio and begin implementation of a plan? director archuleta: i will tell you, senator that from the first time i was briefed on our i.t. infrastructure german
6:54 am
during my confirmation preparation, i knew that there was a problem. and that is why my confirmation hearing, i said it would be a top priority, and i promised your colleagues that i would develop an i.t. strategic plan, which i did. and produce within the first 100 days. i was wise enough to hire donna seymour. senator moran: the i.t. strategic plan that you just mentioned is that something we , could see? director archuleta: absolutely. it is on our website. i will make sure you get a hard copy. senator moran: following that i.t. strategic plan, is there a new plan as a result? just implementing this 1 -- director archuleta: a plan is dynamic, and as we learn things, the plan changes. we are following it. we are making sure every component, making sure we're
6:55 am
making sound decisions on the architecture, that we are building and making sure it is based on clear analytics, and that cyber security is an important component of all of that. senator moran: are there benchmarks and place -- in place within that plan so we could see where we are making progress? director archuleta: i would like to come back to and show you what those benchmarks are. senator moran: let me ask about notification. you indicated as soon as practicable, and i understand the value of that phrase, the president's proposed legislation for notification within 30 days of a breach, how do you think it practicable fits with the 30-day requirement? director archuleta: within the proposed legislation, it is included in there. i can assure you we are trying
6:56 am
to do everything we can to come close to that data. as we possibly can. senator moran: is there anyone who oversees i.t. security outside of opm? what is the relationship between omb? director archuleta: it is a very close relationship. we work closely with the federal cio who has responsibility for this. tony scott has been at omb for about 90 days now. he has been engaged with us from the very beginning. he and donna have a strong relationship and a strong advisor role. senator moran: prior to his arrival 90 days, was there someone filling that responsibility as well? director archuleta: i don't know that, sir, but i would be glad to get that information back to you. senator moran: thank you. chair: thank you, senator moran. thank you all for being careful to the again, i apologize for the earlier delay. this is such an important hearing. it is probably one of the most
6:57 am
important hearings we will have this year. we will be following up in the not-too-distant future and making sure things are moving in the right direction. i want to thank you all for participating. i also want to thank my staff and senator coons staff. ' staff for the excellent job they have done. i asked unanimous consent for government a place to be included in the hearing record. if there are no further questions, the hearing record will remain open until next tuesday, june 30 at noon for subcommittee members to submit any statements or questions to the witnesses for the record. with that the subcommittee , hearing is adjourned. [captions copyright national cable satellite corp. 2015] [captioning performed by the national captioning institute, [captioning performed by the national captioning institute,
6:58 am
>> ahead of the office of personal management will be back on capitol hill today to testify about the two recent data breaches of employee files. we will have live coverage from the house oversight committee at 10:00 eastern on c-span3. rep. jeffries: "washington journal" is next. the house is back at 10:00 eastern for morning speeches. this afternoon, the chamber delays -- debates delaying the epa's implementation of carbon rules for power plants. follow live coverage here on c-span. >> the new congressional
6:59 am
directory is a handy guide to the 114th congress with color photos of every senator and house member, plus bio and contact information and twitter handles. also, district maps, a full dell foldout map of capitol hill, and a look at congressional committees, the president's cabinets, federal agencies and state governments. order your copy today. it is $13.95 plus shipping and handling through the c-span online store at c-span.org. >> coming up this hour, we will get an update to the president's legislation for fast-track trade deals. and we will look at the upcoming supreme court decision on health care securities. our guest is dave tompkins of cq -- david hawking's of cq roll call. also, representative glenn thompson and representative lois frankel. david graham of "the atlantic"
7:00 am
will discuss his article on the council of conservative citizens, which he describes as a white supremacist organization. you can join the conversation on facebook and twitter. ♪ ♪ host: good morning. 13 pro-business democrat and 47 republicans voted to give president obama is the power he needs to close trade deals. the fast-track authority cleared it last legislative hurdle. 80 majority vote is needed on the actual legislation which is come as early as today. we will talk more about that coming up. "your tho

40 Views

info Stream Only

Uploaded by TV Archive on