[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
OBAMACARE IMPLEMENTATION: THE ROLLOUT OF HEALTHCARE.GOV
=======================================================================
HEARING
before the
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION
__________
NOVEMBER 13, 2013
__________
Serial No. 113-91
__________
Printed for the use of the Committee on Oversight and Government Reform
Available via the World Wide Web: http://www.fdsys.gov
http://www.house.gov/reform
_____
U.S. GOVERNMENT PRINTING OFFICE
87-316 PDF WASHINGTON : 2014
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
DARRELL E. ISSA, California, Chairman
JOHN L. MICA, Florida
MICHAEL R. TURNER, Ohio
JOHN J. DUNCAN, JR., Tennessee
PATRICK T. McHENRY, North Carolina
JIM JORDAN, Ohio
JASON CHAFFETZ, Utah
TIM WALBERG, Michigan
JAMES LANKFORD, Oklahoma
JUSTIN AMASH, Michigan
PAUL A. GOSAR, Arizona
PATRICK MEEHAN, Pennsylvania
SCOTT DesJARLAIS, Tennessee
TREY GOWDY, South Carolina
BLAKE FARENTHOLD, Texas
DOC HASTINGS, Washington
CYNTHIA M. LUMMIS, Wyoming
ROB WOODALL, Georgia
THOMAS MASSIE, Kentucky
DOUG COLLINS, Georgia
MARK MEADOWS, North Carolina
KERRY L. BENTIVOLIO, Michigan
RON DeSANTIS, Florida

ELIJAH E. CUMMINGS, Maryland, Ranking Minority Member
CAROLYN B. MALONEY, New York
ELEANOR HOLMES NORTON, District of Columbia
JOHN F. TIERNEY, Massachusetts
WM. LACY CLAY, Missouri
STEPHEN F. LYNCH, Massachusetts
JIM COOPER, Tennessee
GERALD E. CONNOLLY, Virginia
JACKIE SPEIER, California
MATTHEW A. CARTWRIGHT, Pennsylvania
TAMMY DUCKWORTH, Illinois
ROBIN L. KELLY, Illinois
DANNY K. DAVIS, Illinois
PETER WELCH, Vermont
TONY CARDENAS, California
STEVEN A. HORSFORD, Nevada
MICHELLE LUJAN GRISHAM, New Mexico
Vacancy

Lawrence J. Brady, Staff Director
John D. Cuaderes, Deputy Staff Director
Stephen Castor, General Counsel
Linda A. Good, Chief Clerk
David Rapallo, Minority Staff Director
C O N T E N T S
----------
Hearing held on November 13, 2013
WITNESSES
Mr. David A. Powner, Director of IT Management Issues, U.S.
Government Accountability Office
Oral Statement
Written Statement
Mr. Henry Chao, Deputy Chief Information Officer, Deputy Director
of the Office of Information Services, Centers for Medicare and
Medicaid Services
Oral Statement
Written Statement
Mr. Frank Baitman, Deputy Assistant Secretary for Information
Technology and Chief Information Officer, U.S. Department of
Health and Human Services
Oral Statement
Written Statement
Mr. Todd Park, Chief Technology Officer of the United States,
Office of Science and Technology Policy
Oral Statement
Written Statement
Mr. Steven VanRoekel, Chief Information Officer of the United
States, and Administrator, Office of Electronic Government,
Office of Management and Budget
Oral Statement
Written Statement
APPENDIX
A letter to Chairman Issa from Ranking Member Cummings submitted
for the record by Chairman Issa
Pages 151-152 of Henry Chao's transcribed interview submitted for
the record by Chairman Issa
USA Today article submitted for the record by Chairman Issa
CMS memo dated Sept 3, 2013 submitted for the record by Chairman
Issa
House Republican Playbook submitted for the record by Rep.
Cartwright
IT Critical Factors Underlying Successful Major Acquisitions Link
Wednesday, November 13, 2013
House of Representatives
Committee on Oversight and Government Reform,
Washington, D.C.
The committee met, pursuant to call, at 9:35 a.m., in Room
2154, Rayburn House Office Building, Hon. Darrell E. Issa
[chairman of the committee] presiding.
Present: Representatives Issa, Mica, Turner, Duncan,
McHenry, Jordan, Chaffetz, Walberg, Lankford, Amash, Gosar,
Meehan, DesJarlais, Gowdy, Farenthold, Lummis, Woodall, Massie,
Collins, Meadows, Bentivolio, DeSantis, Cummings, Maloney,
Norton, Tierney, Clay, Lynch, Cooper, Connolly, Cartwright,
Duckworth, Kelly, Davis, Welch, Cardenas, Horsford, and Lujan
Grisham.
Also Present: Representative Kelly.
Staff Present: Richard A. Beutel, Majority Senior Counsel;
Brian Blase, Majority Professional Staff Member; Molly Boyl,
Majority Deputy General Counsel and Parliamentarian; Lawrence
J. Brady, Majority Staff Director; Joseph A. Brazauskas,
Majority Counsel; Caitlin Carroll, Majority Deputy Press
Secretary; Sharon Casey, Majority Senior Assistant Clerk; Steve
Castor, Majority General Counsel; John Cuaderes, Majority
Deputy Staff Director; Adam P. Fromm, Majority Director of
Member Services and Committee Operations; Linda Good, Majority
Chief Clerk; Meinan Goto, Majority Professional Staff Member;
Tyler Grimm, Majority Professional Staff Member; Frederick
Hill, Majority Staff Director of Communications and Strategy;
Christopher Hixon, Majority Chief Counsel for Oversight;
Michael R. Kiko, Majority Legislative Assistant; Mark D. Marin,
Majority Deputy Staff Director of Oversight; Laura L. Rush,
Majority Deputy Chief Clerk; Peter Warren, Majority Legislative
Policy Director; Rebecca Watkins, Majority Communications
Director; Krista Boyd, Minority Deputy Director of Legislation/
Counsel; Aryele Bradford, Minority Press Secretary; Yvette
Cravins, Minority Counsel; Susanne Sachsman Grooms, Minority
Deputy Staff Director/Chief Counsel; Jennifer Hoffman, Minority
Communications Director; Chris Knauer, Minority Senior
Investigator; Elisa LaNier, Minority Director of Operations;
Una Lee, Minority Counsel; Juan McCullum, Minority Clerk; Leah
Perry, Minority Chief Oversight Counsel; Dave Rapallo, Minority
Staff Director; Daniel Roberts, Minority Staff Assistant/
Legislative Correspondent; Valerie Shen, Minority Counsel; Mark
Stephenson, Minority Director of Legislation; and Cecelia
Thomas, Minority Counsel.
Chairman Issa. The committee will come to order.
The Oversight and Government Reform Committee exists to
secure two fundamental principles: first, Americans have a
right to know that the money Government takes involuntarily
from them is well spent and, second, Americans deserve an
efficient, effective Government that works for them. Our duty
on the Oversight and Government Reform Committee is to, in
fact, protect these rights. Our solemn responsibility is to
hold Government accountable to taxpayers, because taxpayers
have a right to know that the money Government takes from them
is well spent. It is our job to work tirelessly in partnership
with citizen watchdogs to deliver the facts to the American
people and bring genuine reform to the Federal bureaucracy.
Three and a half years ago, closer to four, in a partisan
vote, the House of Representatives passed the Patient
Protection Affordable Care Act, commonly referred to as
ObamaCare. The Act gave this Administration more than three
years to implement; it gave them virtually unlimited money; it
ensured them that, for all practical purposes, they need not
come back to Congress ever again because they created an
entitlement, one that raised its own money, spent its own
money, created its own rules.
The 2400 pages that were passed into law, and then read
afterwards, now represent tens of thousands of pages of
regulations that were created by this Administration based on
how this Administration wanted a law interpreted, meaning that
legislation created three and a half years ago was still being
written in late September.
The cornerstone of the President's signature achievement
included a website, Healthcare.gov. This site, and parallel
sites created by some States, were supposed to make it easy to
have an online marketplace. It was, in fact, an attempt to
duplicate what hundreds, perhaps thousands, of insurance
companies, large and small, around America do well every day.
On October 1st, President Obama said using it would be as
easy as buying an airline ticket on Kayak.com or buying a
television on Amazon. This is an insult to Amazon and Kayak. On
the day of the launch, President Obama should have known the
harsh lesson we have all learned since that time, and that was
they weren't ready. They weren't close to ready. This wasn't a
small mistake. This wasn't a scaling mistake. This was a
monumental mistake to go live and effectively explode on the
launchpad.
For American people, ObamaCare is no longer an abstraction,
and it is a lot more than a website. For millions of Americans,
it is about losing insurance the President promised you can
keep, period. For many Americans, it is about premiums going
up, when you were promised they would go down by $2500.
Big businesses lobbied and received an ObamaCare waiver
this year. However, the individual, the taxpayer, the citizen,
the only real recipient of health care, did not. Individuals
still have to pay a penalty if they don't have insurance that
meets a Federal standard, a standard of what your Government,
your nanny State believes, in fact, you must have. The penalty
is still in effect, and even if new exchanges don't function.
The penalty is in effect even if you planned on keeping the
health care you wanted, period, and discovered it is now gone,
or have yet to discover, because ultimately, if you are on an
employer plan, you may not yet have found out that your
employer either cannot afford or cannot receive the health care
you have grown accustomed to.
The specific reason we are here today is a narrow part of
this committee's oversight and legislative authority. It is, in
fact, to examine the failures of what should have been an IT
success story. Nearly $600 million, three and a half years, is
larger than Kayak ever dreamed of having to set up their
website. It is larger than eBay spent in the first many years
of a much more complex site that auctions, in real-time,
millions and millions of products a year.
We are here to examine the failure of technology not
because the technology was so new and innovative, not because
this was a moon shot, not because we needed Lockheed Martin and
Rockwell to come in and invent some new way to propel a ship to
the moon; but because we have discovered, and will undoubtedly
continue to discover, that efforts were taken to cut corners to
meet political deadlines at the end, that for political reasons
rules were not created in a timely fashion, that in fact the
rules that should have been created at the time of the passage
of the law or shortly thereafter in many cases were still being
given to programmers in September of this year.
Now, I recognize that there are divisions on this
committee, as there were when ObamaCare became law. Many
members, including myself, believe that there was and is a
health care crisis in America. It is a crisis of affordability.
And insurance is simply a way to score what that affordability
is, not to drive down the cost. Many members, including myself,
opposed this new law because we thought it wouldn't work and it
had no systems to actually reduce the cost of health care from
the provider.
My friends on the other side may correctly note, as I will
here, that many Americans are benefitting from ObamaCare at the
cost of trillions of dollars over a 10-year period. I certainly
hope so. But divisions over whether or not taxpayer money taken
and pushed back out to needy who are trying to afford health
care is not the subject today.
Unfortunately, during the first two years of the ObamaCare
law, under Speaker Pelosi, there was no effective oversight.
Oversight was shut down during the first two years of the Obama
Administration, and the Minority pointing out anything was
ignored. Under my chairman, we have tried to correct that, but
we have been disappointed by continued obstruction by the
Minority on this committee, defending the Administration even
when it has failed to deliver the relevant documents, and they
find themselves objecting to hearings, witness requests, and
constantly engage in petty downplaying of what in fact is a
serious problem.
The Minority today will undoubtedly point out that this
must be political, that we are not here because only 1100
people at a time could get on to a website before it crashed,
effectively, when 250,000 needed to get on it because it was
the law and they were mandated. We are not here for that
reason, the Minority will say; we are here because this is
political.
This committee, on a bipartisan basis, has offered
legislation that, if the Senate had taken it up and the
President had supported and signed it and it had been
implemented in this project, undoubtedly many of the mistakes
made we would find would not be made. In fact, the lack of
budget authority for a single point on a project of this sort,
conducted and overseen by somebody who had a success story in
similar operations rising to the level of a $600 million multi-
committee, multi-State website, if that person had been there
and in charge, I have no doubt that person would not be with us
today because that site would be up and running.
On October 10th I joined with Senator Lamar Alexander, a
member of the minority in the Senate who finds himself unable
to get answers, asking Secretary Sebelius to provide documents
related to Healthcare.gov. Unfortunately, on October 28th, a
month into ObamaCare, I was forced to issue a subpoena because
of a lack of response from the Administration. To date, HHS has
not produced a single responsive document to this committee.
In contrast, the committee has received far more
cooperation, transparency, and document production, receiving
over 100,000 relevant documents, from the private sector, from
contractors working on this project, the very contractors who
were blamed on day one as their fault, not a single political
appointee's fault, not Obama's fault.
I know the ranking member and I could fill an entire
hearing with discussions about our differences, and I have no
doubt, in short order, he will air many of them. But for this
hearing I think we can find agreement. The agreement would be
simple: whether you like ObamaCare or not, taxpayer dollars
were wasted, precious time was wasted, the American people's
promise of ObamaCare, in fact, does not exist today in a
meaningful way because best practices, established best
practices of our Government were not used in this case.
Now, our Government must quickly grasp the lessons of what
happened here in ObamaCare's Healthcare.gov project to better
and more effectively implement underlying policy changes so
this won't happen again. The investigations of this committee
have received testimony and have paid documents indicating many
problems that led to the disastrous failure to launch on
October 1st. The committee has learned that numerous missed
deadlines and ignoring of integrated security testing
requirements are still a problem for this system.
The ranking member gave to me, and I will put it in the
record, a letter very concerned that some of the documents we
received from contractors, if they got in public hands, would
be a roadmap to the security flaws that exist in ObamaCare's
website today. It is our committee's decision that those
documents will not be released, that we will carefully ensure
that any material given to us by anyone that would help hackers
discover more quickly the flaws in ObamaCare's website are not
made public.
But let us understand the ranking member's statement in
that letter says more than I could say, and that is, on the day
of the launch, and even today, there are material failures in
the security of the ObamaCare website, meaning that even though
we may not put out the roadmap, hackers, if they can get on a
website that only accommodates 1100 people at a time, hackers
in fact may have already or may soon find those
vulnerabilities. They may soon find your social security number
or your sensitive information because there was no integrated
security testing before the launch. And MITRE Corporation and
others pointed this out in time for the launch to not have
occurred until security concerns were properly vetted.
The last known security test conducted by the records we
have been given--and, again, given by contractors, because the
Administration has failed to be in any way honest or
transparent in producing documents--show that in mid-September,
at least as to the Federal marketplace segment of the site,
they identified significant findings of risk. Documents from
the contractor MITRE identified a chaotic testing environment.
According to Mr. Henry Chao, the top operational officer
for the marketplace, Administration delays in issuing
regulations created a compressed time frame for building the IT
infrastructure. We know, for example, that HHS did not issue
any regulations in the three months prior to the November 2012
election.
Yes, I am saying that it seems sad that you pass a law in
the first few months of an administration and, yet, it seems
that regulations came to a halt so they would not be out there
in the marketplace during the President's re-elect. Two years
is too long after a law that has mandates before you go and
tell the American people and the website producers what they
must do.
This committee has learned that a complete integrated
security testing did not occur, meaning test the pieces, but do
not test the entire product was one of the faults at the
launch. That heightens the risk of unauthorized access, non-
encrypted data, identity theft, and the loss of personal
identifiable information. This is not this committee's opinion;
this is testimony.
The director of CMS stated he was not even aware of some
testing results that showed serious security problems in the
weeks before the October 1st launch. He testified these results
should have been shared with him and said the situation was
disturbing. HHS offered no further explanation for nearly two
weeks, until after the committee made a redacted version of the
key memo public.
At a briefing last week, Tony Trenkle, CMS Chief
Information Officer, told investigators he normally signs the
authority to operate memos to launch CMS IT projects. In this
case, however, and wisely, he determined that he would not sign
the Healthcare.gov document, and in fact required a less
qualified and obviously erroneous signature by Marilyn Tavenner
to occur on that document.
Now, that is kicking it upstairs because you know it isn't
any good. And although I appreciate a CIO not signing a
document for a site that wasn't ready, I think at the same time
we must recognize that there should have been public objection
to Marilyn Tavenner signing that document for a website that
clearly was not ready for prime time.
Additionally, today we are hearing from a distinguished
panel of witnesses, and I recognize some of the witnesses,
particularly Mr. Park, are busy elsewhere trying to get this
site operational. But since we have been in the neighborhood of
six weeks into the launch, I trust that hundreds or, if
necessary, thousands of the right people have most of their
marching orders and that, in fact, it is time for Congress, on
any committee of jurisdiction, to look over the shoulder of the
Administration to ask both what went wrong and, today, not just
ask do you promise, on November 30th, to make it right, but
will you in fact commit to the changes in law that would ensure
this doesn't happen again.
I don't hold this committee hearing today to sell IT
reform. This committee has already done its job to sell IT
reform. However, it is essential that you understand that when
Mr. Cummings and I make public billions of dollars worth of
failed IT programs, the American people often get a small
snippet in the newspaper. So today I think the American people
should know this isn't the $600 million unique event. If it
were, it would be a different hearing. This is part of a
pattern that occurs due to failure to adhere to the private
sector's world-class standards for web production. This is a
pattern that includes Schedule C political appointees being
more involved than career professionals. This is a pattern that
has to stop.
Among our witnesses today will be Mr. Dave Powner, a
Government Accountability Officer and an expert in, in fact,
what those practices should have been and what failed on
Healthcare.gov. I might note for all he is, in fact, a career
professional, a nonpartisan, and an individual who doesn't work
for me, doesn't work for the ranking member, but works for the
American people.
I will do the rest of my introduction when the time comes.
I now will yield to the ranking member.
Mr. Cummings. Thank you very much, Mr. Chairman.
Good morning to everyone and welcome to our witnesses who
are here with us today. I want you to know that I appreciate
your service and, on behalf of a grateful Congress, we thank
you. I thank you for your dedication to ensuring that millions
of Americans who do not have health insurance will be able to
obtain quality affordable coverage going forward. This is an
incredibly admirable goal, and I thank you for everything you
are doing to make it a reality.
Unfortunately, not everyone in this room shares this very
important goal. Republicans opposed the Affordable Care Act in
2009 and voted against providing health insurance to millions
of Americans. Over the past three years they have voted more
than 40 times to repeal parts or all of the law and eliminate
health insurance for people across the Country. Since they
failed at these repeal efforts, they blocked requests for full
funding to implement the law. This forced Federal agencies to
divert limited funds from other areas.
Republican governors refused to set up State exchanges,
forcing the Federal Government to bear more of the workload.
And to make a political point against the Affordable Care Act,
Republican governors refused Federal funds to expand their
Medicaid programs to provide medical care for the poor,
increasing the burden on their own State hospitals. To me, this
is one of the most inexplicable actions I have ever witnessed
from elected representatives against their own people, the
people who elect them; their neighbors, their family members,
their friends, the grocer, the mortician.
After all of these efforts, House Republicans shut down the
entire Federal Government for three weeks in October. Three
weeks shut down the Government. They threatened to default on
our national debt unless we repealed the Affordable Care Act.
Again, this effort failed.
Now they are attempting to use the congressional oversight
process to scare Americans away from the website by once again
making unsupported assertions about the risk to their personal
medical information. Let me be clear. The Centers for Medicare
and Medicaid Services and its contractors failed to fully
deliver what they were supposed to deliver, and congressional
oversight of those failures is absolutely warranted. But nobody
in this room, nobody in this Country believes that Republicans
want to fix the website.
For the past three years the number one priority of
congressional Republicans has been to bring down this law, and
that goal, ladies and gentlemen, has not changed. Today they
complain that their constituents are waiting too long on
Healthcare.gov to sign up for insurance. But is there a
solution to fix the website? No. It is to repeal the Affordable
Care Act and eliminate health insurance for millions of
Americans.
While repealing the Affordable Care Act indeed would
reduce waiting times on the website, it would increase
waiting times in our Nation's emergency rooms.
Mr. Chairman, over the past month, instead of working in a
bipartisan manner to improve the website, you have politicized
this issue by repeatedly making unfounded allegations. In my
opinion, these statements have impaired the committee's
credibility. For example, on October 27th, you went on national
television and accused the White House of ordering CMS to
disable the so-called Anonymous Shopper function in September
for political reasons: to avoid "sticker shock." That
allegation is totally wrong.
We have now reviewed documents and interviewed the CMS
officials who made that decision, and it was based on defects
in the contractor's work, not on a White House political
directive.
Last Thursday you issued a press release with this blaring
headline: "Healthcare.gov Could Only Handle 1,100 Users the
Day Before Launch." This claim is wrong. You apparently based
your allegation on misinterpretation of the documents we
received, which relate to a sample testing environment. I
believe the witnesses will expound upon that today.
Most troubling of all was your allegation against one of
our witnesses today, Todd Park, the Chief Technology Officer of
the United States of America. You went on national television
and accused him of engaging in a "pattern of interference and
false statements." Mr. Park is widely respected by the
technology community as an honest and upstanding professional.
In my opinion, your accusations denigrated his reputation with
absolutely no, absolutely no legitimate basis. As I said in my
letter to you on Monday, I believe your statements crossed the
line and I think you owe Mr. Park an apology, not a subpoena.
The unfortunate result of this approach is that we may miss
an opportunity to do some very good work. Our committee has
done significant substantive and bipartisan work on Federal IT
reform, and I applaud you for your leadership in that. And I go
back to the word, it was indeed bipartisan. We joined in to do
what this committee is supposed to do, to look at the facts, to
seek the truth, the whole truth, and nothing but the truth, and
then bring about reform.
Under the leadership above you and our Democratic
information technology expert, Mr. Connolly of Virginia, last
March we passed the Federal Information Technology Acquisition
Reform Act. This bill would increase the authority of agency
CIOs and provide them with budget authority over Federal IT
programs, including hiring. We did that together. We did that
in a bipartisan way. We put politics aside, rolled up our
sleeves, and worked together to constructively address these
challenges. I hope that that is what today's hearing is all
about.
And I again thank our witnesses, who I know are working
very hard to achieve these goals.
With that, I yield back.
Chairman Issa. I thank the gentleman.
Members may have seven days in which to submit opening
statements and other extraneous material.
I now ask that my entire opening statement be placed in the
record. Without objection, so ordered.
I now ask that the letter from Mr. Cummings, dated November
6, 2013, to me be placed in the record. Without objection, so
ordered.
Chairman Issa. I will now go to our panel of witnesses. We
welcome our first panel of witnesses:
Mr. Dave Powner is the Director of Information Technology
Management Issues at the Government Accountability Office.
Mr. Henry Chao is the Deputy Director of the Office of
Information Services at the Center for Medicare and Medicaid
Services, today probably called CMS for the rest of the day,
and Deputy Chief Information Officer at CMS.
Mr. Frank Baitman is the Chief Information Officer at the
Department of Health and Human Services, normally called HHS.
Mr. Todd Park is the Chief Technology Officer of the United
States.
Mr. Steve VanRoekel is the Chief Information Officer of the
United States.
Pursuant to the rules, as many of you who have not been
here before will see, I would ask that you all rise to take a
sworn oath. Please raise your right hands.
Do you solemnly swear or affirm that the testimony you are
about to give will be the truth, the whole truth, and nothing
but the truth?
[Witnesses respond in the affirmative.]
Please be seated.
Let the record reflect that all witnesses answered in the
affirmative.
Now, this is a large panel and it is going to be a long
day, and I suspect witnesses will be asked questions by both
sides of the aisle, so I would ask that since your entire
opening statements will be placed in the record verbatim, that
you adhere to the time clock and come to a halt as quickly as
possible when it hits red. Please understand yellow is not an
opportunity to start a new subject, it is an opportunity to
wrap up.
With that, we will go to our distinguished guest from the
GAO, Mr. Powner.
WITNESS STATEMENTS
STATEMENT OF DAVID A. POWNER
Mr. Powner. Chairman Issa, Ranking Member Cummings, and
members of the committee, we appreciate the opportunity to
testify on best practices that help agencies deliver complex IT
acquisitions. In July I testified before Chairman Mica's
subcommittee on 15 failed IT projects and other troubled
projects, and now we are faced with one of the more visible
troubled IT projects in Healthcare.gov. These complex projects
can be delivered successfully when there is appropriate
accountability, transparency, oversight, expertise, and program
management.
We issued a prior report that showcases seven successful IT
acquisitions and what allowed them to be delivered
successfully. This morning I would like to highlight best
practices from that report and others that would have made a
difference with Healthcare.gov. I would like to start by
highlighting the importance of FITARA, Mr. Chairman,
specifically those sections that increase CIO authorities and
strengthen IT acquisition practices.
Starting with accountability. Key IT executives need to be
accountable with appropriate business leaders responsible for
the project. This needs to start with the department CIOs and
for projects of national importance includes the president CIO.
At HHS, CIO authority is an issue GAO reported on just last
week.
Transparency. The IT Dashboard was put in place in June of
2009 to highlight the status and CIO assessments of
approximately 700 major IT investments across 27 departments.
About $40 billion are spent annually on these 700 investments
and public dissemination of each project's status is intended
to allow OMB and the Congress to hold agencies accountable for
results in performance. Surprisingly, recent Dashboard
assessments on Healthcare.gov primarily showed a green CIO
rating. But, interestingly, in March the rating was red, so
something was wrong at that time.
Third, oversight. Both OMB, department and agency oversight
and governance are important so executives are aware of project
risks and assure that they are effectively mitigated. We have
issued reports on OMB and agency TechStat sessions highlighting
the importance of these meetings and their excellent results,
primarily halting, rescoping, and redirecting troubled
projects. We have also recommended that more TechStats need to
occur on troubled and risky projects. We are not aware that
Healthcare.gov was subject to a TechStat review.
Fourth, expertise. It is extremely important to project
success that program staff have the necessary knowledge and
skills. This applies to a number of areas, including program
management, engineering, architecture, systems integration, and
testing.
Fifth, program management. Several best practices increase
the likelihood that IT acquisitions will be delivered on time,
within budget, and with the functionality promised. This starts
with getting your requirements right by involving end-users,
having regular communication with contractors throughout the
acquisition process, and adequately testing the system,
including integration end-to-end and user acceptance.
There are a number of key questions that can be asked of
any IT acquisition to ensure that appropriate accountability,
transparency, oversight, expertise, and program management are in
place, and these most definitely pertain to Healthcare.gov.
These include:
What role is OMB playing in ensuring that this major
acquisition is on track and specifically how involved is the
Federal CIO?
Is the department and agency CIO accountable and actively
involved in managing risks?
Is the acquisition status accurate, timely, and transparent
as displayed on the IT Dashboard?
Are OMB and agency oversight and governance appropriate?
Were governance or TechStat meetings held with the right
executives?
Were key risks addressed and was there appropriate follow-
up?
Does the agency have the appropriate expertise to carry out
its program management role and other roles it is to perform?
In the case of Healthcare.gov, a key question is whether CMS
has the capabilities to act as the systems integrator.
And, finally, is the program office following best
practices throughout the acquisition life cycle, starting with
how the project is defined to how it is tested and deployed for
operations? This would include security testing, assessment,
and authorization.
In summary, Mr. Chairman, OMB and agencies can do more to
ensure that the Government's annual 80-plus billion dollar
investment in IT has the appropriate accountability, oversight,
transparency, and best practices to deliver vital services to
the American taxpayers.
This concludes my statement. Thank you for your continued
oversight in Federal IT issues.
[Prepared statement of Mr. Powner follows:]
Chairman Issa. Thank you.
Mr. Chao.
STATEMENT OF HENRY CHAO
Mr. Chao. Good morning, Chairman Issa, Ranking Member
Cummings, and members of the committee. Since the passage of
the Affordable Care Act, CMS has been hard at work to design,
build, and test secure systems that ensure Americans are able
to enroll in affordable health care coverage.
I serve as CMS's Deputy Chief Information Officer and I am
a career civil servant that has 20 years working at CMS on
Medicare and Medicaid systems of varying skills. My role has
been to guide the technical aspects of the Marketplace
development and implementation to Federally-facilitated
Marketplace eligibility enrollment systems in the data services
Hub.
I work closely with the private sector's contractors
building these IT components of Healthcare.gov. I also work
closely with my colleagues in CMS who handle other IT and
policy aspects of the site, including the Center for Consumer
Information and Insurance Oversight, which manages the business
operations and makes policy decisions that relate to
Healthcare.gov; the chief information officer who oversees the
account creation on Healthcare.gov through management of a
shared service called the Enterprise Identity Management
System; and the Office of Communications, which is focused on
the call center operations and the user experience aspects of
Healthcare.gov.
To facilitate the various key functions of the Federally-
facilitated Marketplace, CMS contracted with QSSI to develop the
Hub and CGI Federal to develop the Federally-facilitated
Marketplace. The Hub facilitates the secure verification of the
information a consumer provides in their Marketplace
application with information maintained by other Federal data
sources such as SSA and IRS. In addition to the Hub, CMS
contracted with CGI Federal to build the Federally-facilitated
Marketplace system which consumers use to apply for health care
coverage through private qualified health plans and for
affordability programs like Medicaid, CHIP, and advanced
premium tax credits and cost-sharing reductions.
The Federally-facilitated Marketplace system consists of
numerous modules, each of which was tested for functionality
and for security controls. Numerous test cases were used to
exercise the end-to-end functionality of the system. We
underestimated the volume of users who would attempt to
concurrently access the system at any one time initially in
October, and we immediately addressed the capacity issues in
the first few days and continue to actively work on further
improving performance and creating a better user experience.
Healthcare.gov is made up of two major subdivisions. One
subdivision is called Learn and contains information to assist
and educate consumers about the Marketplace. In addition, a
premium estimation tool was launched on October 10th to allow
consumers to browse health plans without creating a
Healthcare.gov account on the Get Insured subdivision of
Healthcare.gov, which contains the online application for
enrollment.
While the premium estimation tool could only sort consumers
into two age categories when it was first launched, its
functionality will be expanded to accommodate additional
scenarios to better fit consumer shopping profiles. This tool
is different from the FFM application because determinations
about consumers' eligibility for insurance affordability
programs, Medicaid and CHIP, are specific to the
characteristics of an applicant and his or her household, and
could only be calculated when an application is completed,
after income, citizenship, and other information is verified.
I know that consumers using Healthcare.gov have been
frustrated in these initial weeks after the site's launch.
While the Hub is working as intended, after the launch of the
FFM online application, numerous unanticipated technical
problems surfaced which have prevented some consumers from
moving through the account creation, application, eligibility,
and enrollment processes in a smooth and seamless manner. Some
of those problems have been resolved and the site is
functioning much better than it did initially. Users can now
successfully create an account, continue through the full
application and enrollment processes. We are now able to
process nearly 17,000 registrations per hour, or 5 per second,
with no errors. Thanks to enhanced monitoring tools, we are now
better able to see how quickly the online application is
responding and to measure how changes improve user experience
on the site.
We reconfigured various systems components to improve site
responsiveness, increasing performance across the site, but in
particular the viewing and filtering of health plans during the
online shopping process. We have also made software
configuration changes that have added capacity to improve the
efficiency and effectiveness of the system.
CMS is committed to creating a safe, secure, and resilient
IT system that helps expand access to quality affordable health
care coverage. We are encouraged that the Hub is working as
intended, and that the framework for a better functioning
Federally-facilitated Marketplace eligibility system and
enrollment is in place.
[Prepared statement of Mr. Chao follows:]
Chairman Issa. I know this isn't questioning time, but if
you can tell us 17,000 are signing up per hour, then why is a
subpoena from Ways and Means unanswered as to how many have
signed up? Please, don't answer yet. We will get to that.
Mr. Baitman.
STATEMENT OF FRANK BAITMAN
Mr. Baitman. Good morning, Chairman Issa, Ranking Member
Cummings, and members of this committee. My name is Frank
Baitman, and I am the Deputy Assistant Secretary for
Information Technology and the Chief Information Officer at the
U.S. Department of Health and Human Services. I am pleased to
join you here today.
The Department of Health and Human Services is the United
States Government's principal agency for protecting the health
of all Americans and providing essential human services,
especially for those who are least able to help themselves. At
the Department level, the Office of the Chief Information
Officer serves this objective by leading the development and
implementation of an enterprise-level information technology
framework. HHS is committed to the effective and efficient
management of our information resources in support of our
public health mission, human services program, and the U.S.
health system.
The HHS OCIO is responsible for developing the Department's
policy framework for IT, including such areas as enterprise
architecture, capital planning, records management,
accessibility, and security and privacy. For example, the
security arena has a healthy framework that encompasses the
Federal Information Security Management Act of 2002, OMB
directives, and the National Institute of Standards and
Technology's guidance on security and privacy, all of which are
embodied in the Department's security policies.
Our information technology portfolio is sizeable, including
support to a number of grant programs that provide IT resources
to State, local, and tribal governments in support of the
programs administered by HHS. The Department's portfolio also
supports everything from common and commodity IT, things like
human resources, email, and accounting systems; to the mission
systems that enable research at the National Institutes of
Health; to the regulation of drugs and devices at the Food and
Drug Administration; and to the treatment of patients at the
Indian Health Services' network of clinics.
HHS is a large department, with a diverse set of missions.
Our operating divisions include the Administration for Children
and Families; the Administration for Community Living; the
Administration for Health, Research and Quality; the Centers
for Disease Control and Prevention; the Centers for Medicare
and Medicaid Services, known as CMS; the Food and Drug
Administration; the Health Resources and Services
Administration; the Indian Health Service; the National
Institutes of Health; and the Substance Abuse and Mental Health
Services Administration. That is what makes up HHS. And we
manage our IT portfolio through a federated governance
structure. The vast majority of the Department's IT resources
are dedicated directly to the appropriations made to our
programs and operating divisions, and our governance structure
reflects that reality. Program-level IT decisions are governed
and reviewed by our operating divisions.
Each of HHS's operating divisions has its own chief
information officer, its own chief information security
officer, and an IT management structure; and management of the
development of Healthcare.gov was comparable to management of
similar IT initiatives throughout the Department's operating
divisions. Indeed, prior IT initiatives that we are all
familiar with, including Medicare.gov and Medicare Part D
Prescription Drug program were led and developed by CMS, who
serves as the business owner and developer of Healthcare.gov's
integrated eligibility and enrollment system for the Federally-
facilitated Marketplace.
Since I joined the Department about 18 months ago, we have
been working to restructure and update our IT governance,
bringing visibility into what the Department buys and builds
across all of our operating divisions, and we are now in the
process of putting in place three IT steering committees to
bring together technology and program leaders from across the
Department to improve our purchasing and management of IT
resources. These steering committees take a functional view of
our IT portfolio. We have created one to oversee health and
human service systems, a second to oversee scientific research
systems, and a third for administrative and management systems.
This governance structure will improve Department-wide
oversight of IT purchases and projects. Secretary Sebelius has
been a strong advocate for transparency into the Department's
IT portfolio and this new governance structure is designed to
achieve that outcome. Collectively, these three steering
committees will provide Department-wide guidance to the
operating divisions' respective IT portfolios and will ensure
that we identify and take advantage of opportunities to save
taxpayer funds.
For example, we are now in the process of establishing a
Vendor Management Office to improve the Department's
negotiating position with technology vendors and to make use of
enterprise-wide license acquisitions. We are always looking for
ways to consolidate investment systems or acquisitions to meet
the Department's broad IT portfolio needs more effectively and
economically. In the fiscal year 2014 budget process, HHS
identified $250 million in reductions within our IT portfolio
attributable to savings in various commodity IT areas.
Chairman Issa. Mr. Baitman, we know how great a job you are
doing; that is why you are here today. Could you please wrap
up?
Mr. Baitman. Sure.
I appreciate the opportunity to be with you here today.
[Prepared statement of Mr. Baitman follows:]
Chairman Issa. Thank you.
Mr. Park.
STATEMENT OF TODD PARK
Mr. Park. Good morning, Chairman Issa, Ranking Member
Cummings and members of the committee. Thank you for inviting
me to testify today on the Administration's ongoing efforts to
deliver on the promise of the Affordable Care Act.
As U.S. Chief Technology Officer, housed at the Office of
Science and Technology Policy, I serve as an advisor at the
White House on a broad range of technology policy and strategy
priorities, ranging from how technological innovation can help
grow the economy to how to open up government data to spur
innovation and entrepreneurship in the private sector to how
the power of technology can be harnessed to improve health
care, aid disaster relief, fight human trafficking, and more.
In this work, I try to bring the sensibilities of the private
sector tech entrepreneur that I have been for most of my
professional life.
As you know, October 1st was the launch of the new
Healthcare.gov and the Health Insurance Marketplace, where
people without health insurance, including those who cannot
afford health insurance and those who are not part of a group
plan, can go to get affordable coverage.
Unfortunately, the experience on Healthcare.gov has been
highly frustrating for many Americans. These problems are
unacceptable. We know there is real interest from the American
public in having easy access to the new affordable choices in
the health insurance marketplace. I believe that as public
servants we have a shared goal: to deliver to Americans the
service they deserve and expect. And since the beginning of
October I have shifted into working full-time on the team that
is working around the clock to fix Healthcare.gov and bring it
to the place it should be.
The team is making progress. The website is getting better
each week as we work to improve its performance, its stability,
and its functionality. As a result, more and more individuals
are successfully creating accounts, logging in, and moving on
to apply for coverage and shop for plans. We have much work
still to do, but are making progress at a growing rate.
I will be happy to try to answer any questions you may have
about Healthcare.gov and the progress the team is making. Thank
you very much.
[Prepared statement of Mr. Park follows:]
Chairman Issa. Thank you, Mr. Park.
Mr. VanRoekel.
STATEMENT OF STEVEN VANROEKEL
Mr. VanRoekel. Good morning, Chairman Issa, Ranking Member
Cummings, and members of this committee. Thank you for this
opportunity to testify on the efforts to improve the management
of Federal information technology and its relationship to the
implementation of the Affordable Care Act.
As the Chief Information Officer of the United States, I
serve as the Administrator of the Office of Electronic
Government and Information Technology, a statutorily created
office within the Office of Management and Budget. My primary
duties are: developing and issuing Government-wide, broad-brush
guidance and policy; overseeing the development of the
President's $82 billion IT budget; and convening and
facilitating Federal IT stakeholders to collectively address
and resolve complex cross-Government issues.
The results from my office have followed these themes:
flat-lining Federal IT spending since 2009, realizing over $1
billion in savings since 2012 with our PortfolioStat program,
and facilitating and convening agencies to work on crosscutting
opportunities and policy such as our work on opening Government
data, closing and optimizing our data centers, promoting a new
wave of cloud computing. My office has also done important work
in the area of cybersecurity, creating new, secure mobile
device specifications for our Country and protecting Federal IT
devices and the network.
My involvement in the implementation of the ACA also
reflects from my role as Federal CIO. I acted as a convener and
facilitator of agencies to work through the technical details
of the cross-agency implementation work of the ACA, primarily
yielding the cross-agency Data Service Hub feature of the
overall system.
As the committee is well aware, before joining the
Administration, I worked in the private sector for nearly 20
years, the majority of which was at Microsoft Corporation. I
shipped and helped launch many complex products and well-known
brands, such as Windows XP, Xbox, and Windows Server. The
launch of each of these projects presented its own challenges.
Microsoft is still patching Windows XP, 12 years after I helped
launch it in 2001. Continuous improvement is the nature of
these efforts.
As you can imagine, connecting multiple legacy IT systems
across multiple agencies of the Federal Government is a complex
task; however, this is in no way an excuse for the problems
encountered in launching Healthcare.gov. We are taking this
unacceptable situation seriously and working hard to correct
course.
Since October 1st, I am actively helping in the all-hands-
on-deck effort to assist the Department of Health and Human
Services and the Centers for Medicare and Medicaid Services in
fixing this system. Given my prior experience in the private
sector, I acted as a customer advocate, helping to assess and
address opportunities to improve the customer experience while
we fix the website. Outcomes from this work include updates to
the home page of Healthcare.gov and listing alternative ways to
apply for health insurance. Recently, I am involved in the
technical aspects of the site, including monitoring progress
and advising the team.
We share the deep concern of this committee regarding the
current state of Healthcare.gov and we, as a team, are working
to improve this site to improve access to affordable healthcare
coverage as soon as possible. I look forward to continuing this
work after this hearing.
Thank you again for the opportunity to appear before the
committee today.
[Prepared statement of Mr. VanRoekel follows:]
Chairman Issa. Thank you.
I now ask unanimous consent that pages 151 and 152 of Mr.
Chao's transcribed interview be placed in the record. Without
objection, so ordered.
Chairman Issa. I now ask that the redacted document of CGI
Federal, which we will call Exhibit 1, I guess, be placed in
the record. Without objection, so ordered.
Chairman Issa. And I now ask that the CMS document entitled
Health Insurance Marketplace Preflight Checklist September
25th, 2013 be placed in the record.
Mr. Cummings. Mr. Chairman?
Chairman Issa. Yes.
Mr. Cummings. I just want to reserve so I can just see the
documents, that's all.
Chairman Issa. That is a committee document that both sides
have.
[Pause.]
Chairman Issa. Without objection, so ordered.
Chairman Issa. Mr. Chao, I am going to ask the clerk to
give you those documents and, before I start, I am going to
give you a very brief understanding of what I am going to come
back to you on in just a few minutes. But you have made
testimony, on pages 151 and 152 of your transcribed interview,
in a sequence of events that were related to the Minority's
questioning of you as to whether or not the Anonymous Shopper
function worked on October 1st. The other document is related
to that checklist, and we want to make sure you have that
before I ask you any further questions under oath.
While he is reading that, Mr. Park, you are here today, and
taken away from your other duties, because of a serious concern
about what you knew and what the Administration may have had
you say, and I want to give you an opening opportunity to
clarify that. After the October launch, and I will paraphrase,
you basically said that the problem with the website was that
there were 250,000 simultaneous users; they could have handled
60,000, but that 250,000 simply slowed it down or brought it to
its knees.
With your opening statement, the opening statements of
others, and what you now know, would you like to please, for
the record, give us the number of simultaneous users you
believe could have been handled through the portal on day one?
Mr. Park. Thank you, Mr. Chairman, for the question. It is
the nature of this kind of situation----
Chairman Issa. Now, Mr. Park?
Mr. Park. Yes, sir.
Chairman Issa. I want to treat you with respect, but I have
a very few minutes.
Mr. Park. Yes, sir.
Chairman Issa. You gave a number. That number was
erroneous. It couldn't handle 60,000 simultaneous users.
Documents that will be placed in the record show that on
September 30th the system crashed with 1100, and the goal was
to get to 10,000. Would you like to tell us for the record,
based on your working on this, what number the American people
could simultaneously be on the site working on day one before
the system began to time out?
Mr. Park. So, to answer as succinctly as I can, thank you
for the question, the information that we had at the time was
that CMS had designed the system for 50,000 to 60,000
concurrent users. Right now, if you ask me right now, based on
what I know now, what the system is currently capable of
handling, the thing I would be comfortable saying is that the
system has been comfortably handling, at present, about 20,000
to 25,000 current users.
Chairman Issa. Okay, so it is fair to say, and I will
paraphrase, on day one, on October 1st, at the launch, some
amount, perhaps greater than 1,100, which was experienced on
September 30th, and closer to the goal set on September 30th,
which they thought, in documents the committee has received,
they could get to 10,000 simultaneous. But on day one, on
October 1st, when this site launched, the site was capable of
handling somewhere more than 1,100, perhaps, but less than
10,000 simultaneous users, and certainly not the 60,000,
50,000, 20,000, or 250,000 that simultaneously tried to use the
site. Is that correct?
Mr. Park. So there may be a matter of confusion here, which
CMS may be better positioned to clarify.
Chairman Issa. Okay.
Mr. Park. But I believe that the 1,100 number was for a
particular unit of capacity.
Chairman Issa. Okay.
Mr. Park. As opposed to the entire system. But I will
defer.
Chairman Issa. Right. But the problem is there was a front
door, and that unit of capacity was limited by the front door.
You know, I come out of the IT world, I come out of the tech
world, but the American people can understand that you are only
as strong as your weakest link. If you have a bottleneck that
causes people trying to get through the site to not be able to
do it, to time out, that bottleneck is what determines it. And
since, on day one, only 6 people got to the end, I think that
for the American people, understanding that whatever the
capacity is today, the capacity was insufficient on day one.
Isn't that correct?
Mr. Park. So, sir, just in the interest of providing the
most accurate testimony I can----
Chairman Issa. I only want to know on day one was the
capacity sufficient.
Mr. Park. I can't speak to the numbers that you are talking
about. But clearly on day one, clearly on day one the system
was overwhelmed by volume.
Chairman Issa. Okay. Well, Mr. Park, you are going back to
something I hoped you wouldn't do. The volume on day one, and
maybe the GAO can answer, the volume on day one was not in
excess of what was expected, was it? The volume on day one was
what you would expect if everyone is going on the site to see
what it is all about after three and a half years of waiting,
isn't it, Mr. Powner?
Mr. Powner. Mr. Chairman, I don't have those specifics, but
I will say this: these volumes we are talking about, if you go
to examples like IRS on e-filing and the volume they handle
with people filing taxes in the eleventh hour, this is the same
problem that the IRS deals with on an annual basis. What you
need to do is you need to appropriately plan for your
performance in stress-testing, and there are fundamental
questions whether that was adequate here.
Chairman Issa. Well, and that is what we are going to
discover throughout the panel today.
Mr. Chao, I told you I would come back to you. You
testified under oath, on pages 151 and 152, on the Minority's
questions, that basically, and I will paraphrase because of
time, this site, the Anonymous Shopper function did not work.
Now, we have seen a document with CMS on it dated September
25th that said it passed that test. Is it that you did not know
it had passed the test when you made your statement saying that
it failed?
Mr. Chao. Well, first off, Chairman, I would like to say
that after working with your staff for eight, nine hours, as
well as the Minority staff, going through this transcribed
interview, I have not had a chance to look at this, so this is
the first time I am actually seeing the results of that day,
so----
Chairman Issa. Wait a second. Look, your job is to know
what is in the site. The CMS report that said, and this is
September, before the launch, that the test had been passed
successfully on the Anonymous Shopper. You testified that it
wasn't and that is why it was turned off.
Mr. Chao. Correct.
Chairman Issa. Are you prepared to say under oath that the
Anonymous Shopper was turned off by your knowledge, not your
guess, not your hypothetical, but are you prepared to say the
Anonymous Shopper was turned off because it failed the test?
And that would be your knowledge based on what you knew.
Mr. Chao. My words were not that it was turned on or off. I
think that is actually technically incorrect. I said it was not
made available because it failed testing. So you hand me this
page 151, 152, which I have not reviewed as far as correctness
and accuracy, and I suppose you are handing me this other
document that says----
Chairman Issa. Mr. Chao, what we are doing is we are saying
that CMS documents show that the Anonymous Shopper tested
positive, it worked. You said under oath, and I am sorry that
you may not have remembered what you said under oath, but when
the Minority asked you what is normally nice questions, self-
serving questions, help you rehabilitate yourself questions,
they are on your side, you said effectively that you gave a
reason, which the ranking member used in his opening statement
effectively, that the Anonymous Shopper was turned off for
reasons other than political.
Mr. Chao. Because I have----
Chairman Issa. We believe the Anonymous Shopper, the easy
front door, the I just want to know what it is going to cost
was not on, and if in fact if it was on, Mr. Park has said this
had different components. That portion could have been much
more effective. The American people could have gotten on and
shopped.
Mr. Chao. This line of questions that I was answering about
Anonymous Shopper is in the context of my knowledge, under
oath, that it did not pass testing, and I have documents that
show it did not pass testing.
Chairman Issa. Okay, so, when--Mr. Chao, my time has
expired, but when HHS and CMS deliver us documents showing that
it hasn't passed, we can have you back. Right now the documents
provided to us by the vendor show that it did pass on a CMS
document. That document is placed in the record. If anyone else
would like to understand that you have said it failed test,
they said it passed test. This Administration, in their absence
of transparency, has refused to give us the documents showing
it failed test, but the document we have today, which says CMS
all over it, which is in the record, says it passed test. It
passed the test. You said under oath it failed the test. Our
problem is the people you work for won't give us the documents
so we can fully understand that, just as the people you work
for won't answer a simple question to the Ways and Means
Committee, which is how many people have signed up, even under
a subpoena.
With that, I recognize the ranking member to try to
rehabilitate your testimony.
Mr. Cummings. Mr. Chairman, let me be clear that we have
staff who work just as hard as yours. It is not about self-
serving, it is about getting to the truth, and I would not
insult your staff----
Chairman Issa. I wasn't insulting your staff.
Mr. Cummings. Well, I take it as an insult.
Chairman Issa. What I said was that----
Mr. Cummings. It is not about self-serving; it is not about
rehabilitating. It is about trying to get to the truth, period,
the truth and nothing but the truth. And I am not going to try
to rehabilitate, as you said, Mr. Chao.
Chairman Issa. Well, maybe you can get him to give us the
documents.
Mr. Cummings. I think in a few moments somebody else on
this panel will present the documents that there is something
that you did not disclose just now that will be brought out to
show that your statements are inaccurate.
Now, Mr. Park----
Chairman Issa. Would the gentleman yield?
Mr. Cummings. Of course. Somebody else will bring it up,
another member.
Chairman Issa. So somebody else will rehabilitate----
Mr. Cummings. No, no, no, no, no. No. No. No. Again, we
will show you the document that there are some things that you
have been blacked out that you have not disclosed, and we will
show you those in a few minutes.
Now, if I may proceed.
Mr. Park, although we have not met before today, I
understand that you have an outstanding reputation in the IT
community. I did not know this previously, but the cofounder of
your former company is Jonathan Bush, of Athena Health, who is
the cousin of former President George Bush, is that right?
Mr. Park. Yes, sir.
Mr. Cummings. I have a quote here that Mr. Bush, the cousin
of the former president, gave to a reporter a few weeks ago,
and he says this about you: ``Todd is uniquely thoughtful,
dedicated, and precise. He is a manic problem-solver, blind to
partisanship. If there is anyone who can fix the problems with
the exchanges, it is Todd.''
Mr. Bush also said that you are working so hard to improve
the website that you ``spent the first week of October sleeping
on the floor of his office as he tried to help get
Healthcare.gov off the mat.'' Is that right?
Mr. Park. Yes, sir.
Mr. Cummings. Well, your reputation certainly precedes you.
Unfortunately, however, last week Chairman Issa appeared on Fox
News and accused you and other political appointees of engaging
in a ``pattern of interference and false statements related to
this site.''
That is a serious attack against your integrity. I don't
want to get into anyone's intent or motives here, but I do want
to give you an opportunity to respond directly. And this is not
unusual for me, because I realize that we are all on this Earth
for a short while and that our reputation is all we have. And
since those statements were made about you, I would like to
give you an opportunity to respond.
Mr. Park. Thank you, sir. Thank you for the opportunity.
And, again, I don't take any of this personally; it is a fast-
moving situation with a lot going on. So I would just say this,
that it was the case, absolutely, that volume was a key issue
that hit the site. It is still an issue for the site, although
we have greatly expanded and are expanding the ability for the
site to accommodate volume. I relayed my best understanding at
the time in each of my statements. It is the nature of things
that as you do more painstaking diagnosis of a system, you
learn more about what you need to do to fix it, and I can say
now that, in addition to volume, there are other key issues
that have to be addressed with the site in terms of its
performance, in terms of its stability, in terms of its
functionality, and there are aggressive efforts happening to do
that which are making great progress, so it is getting better
and better each week with the work of a tremendous team led by
Jeffrey Zients and Ms. Tavenner, of which I am proud to be a
small part. But you have my assurance that at each part along
the way, if I am ever asked a question, I will tell you what I
know to the best of my ability, my best understanding, and that
is what I will continue to do as my understanding gets better
and better.
Mr. Cummings. Well, let me ask you this. Did you engage in
a ``pattern of interference and false statements?''
Mr. Park. No, I did not. I relayed my best understanding at
the time, and I will continue to do that. As my understanding
gets better, I will relay that, absolutely.
Mr. Cummings. Before you were subpoenaed to come here
today, your office wrote a letter describing your extreme
demanding workload for the next two weeks and offering to
testify in December instead. Was this concern coming just from
your office or was it really a legitimate concern of yours that
you would be pulled away from the website issues to prepare for
testifying here today?
Mr. Park. So it has never been a question of if I will
testify, it was just a question of when. It had been the hope
of me and the team that is working to fix the site that I could
continue to focus intensely on helping to fix the site this
month and come back in a few weeks. That being said, I
understand that the chairman came to a different decision. I
respect that decision. I am the son of immigrants from Korea. I
have incredible love for this Country. I have huge respect for
the institution of Congress and its role in our democracy, and
if the committee wanted me to be here today and decided I
should be here today, then I am happy to be here today and make
the time to answer your questions.
Mr. Cummings. Although I understand that the website----
Chairman Issa. The gentleman's time has expired.
Mr. Cummings. Mr. Chairman, I just ask for the same amount
of time you had.
Chairman Issa. I let you ask the last question after your
time had expired, and it was completed.
We now go to the gentleman from Florida for five minutes.
Mr. Tierney. Mr. Chairman, I think it was about almost four
minutes that you exceeded your time by that. Is there----
Chairman Issa. I went to one question after the end, which
was Mr. Chao, which----
Mr. Tierney. Four minutes. I am only asking----
Chairman Issa. The gentleman is recognized.
Mr. Tierney. Well, you are not going to run a fair hearing,
you are just going to go out and do this all the way.
Chairman Issa. The gentleman from Florida is recognized.
Mr. Mica. Thank you for yielding.
It is kind of interesting to see, as ObamaCare implodes,
how everybody is running for cover. Yesterday we saw the former
President of the United States, Bill Clinton, throw the current
President under the bus, so to speak, on this issue. Today we
heard the other side, Mr. Cummings, our Democrat leader, start
out by citing that the problem with this is Republican
governors, that a lot of them opted for an exchange.
Mr. Chao, are these governors Arkansas, Delaware, Illinois,
Missouri, Montana, aren't they all Democrat governors and they
opted out of the exchange? Are you aware of that? Well, they
are, just for the record. But it is interesting to see how they
run for cover.
I have a question for all of you. Each of you I want to ask
you this question. It is obvious that ObamaCare was not ready
for prime time from both an IT performance ability and also
from a security standpoint. Were you aware of that, Mr. Powner,
before October 1st?
Mr. Powner. GAO did issue a report----
Mr. Mica. Were you--okay.
Mr. Powner.--in June that there was a lot to do in a
compressed schedule, correct.
Mr. Mica. Yes.
Were you aware of it, Mr. Chao?
Mr. Chao. Can you repeat the question again?
Mr. Mica. That ObamaCare was not ready from an IT
operational standpoint and also from a security standpoint for
prime time on October 1st. Were you aware of it?
Mr. Chao. I was aware that there was security testing----
Mr. Mica. You were aware that there were problems. Okay.
Mr. Chao. And that there were no high findings in security
testing.
Mr. Mica. I said from an operational. So you thought it was
operational.
Mr. Chao. I am just trying to answer your question.
Mr. Mica. Well, operational and security.
Mr. Baitman?
Mr. Baitman. I was aware that various modules that were to
be part of the system were----
Mr. Mica. Weren't working.
Mr. Baitman.--were being removed.
Mr. Mica. Mr. Park, anything on security? Mr. Park,
operational and security.
Mr. Park. As I recall, sir, no.
Mr. Mica. Oh, okay.
Mr. VanRoekel?
Mr. VanRoekel. I am aware that any system, private sector
or public sector----
Mr. Mica. What about the security?
Mr. VanRoekel.--needs constant addressing of security.
Mr. Mica. What about the security issue?
Mr. VanRoekel. Any system needs constant--security needs to
be constantly addressed.
Mr. Mica. Did you review a document prepared by MITRE that
reviewed--this hasn't been released yet, but it reviewed the
security testing and capability?
Mr. VanRoekel. No, sir, I didn't see that.
Mr. Mica. You did not see this, September 23rd, that
highlighted some of the issues? Okay.
First of all, it looks like political decisions got us into
this strait. You commented, Mr. Chao, to our committee that you
had to have regulations in place to go forward to make
decisions on the construct, right?
Mr. Chao. Correct.
Mr. Mica. And there were regulations that were not imposed,
and I think you also intimated that some of them were stopped
by the White House prior to the election.
Mr. Chao. No, I did not.
Mr. Mica. Okay. Mr. Chao, you said the delay in the
issuance of regulations guidance was a significant problem in
compressing the time frame and actually the White House
pressure to stop those regulations coming out before the
election, because they didn't want folks to know what was
coming. You are not aware of that?
Mr. Chao. Well, I think you are paraphrasing from my
testimony, which I----
Mr. Mica. Okay. Well, here is your comment to our staff:
You can't test the system without requirements, so if
requirements are coming in late, then obviously you are going
to be a little nervous. Was that your statement?
Mr. Chao. I think that holds true for any----
Mr. Mica. That is what we have. That was your statement.
Okay, so----
Mr. Chao. My answer in the context was for any development
project that requires requirements in order to build the system
in a compressed time frame----
Mr. Mica. Did you know that security and the testing was
done by MITRE, of security, is that correct?
Mr. Chao. MITRE and Blue Canopy.
Mr. Mica. Okay, both respectable firms. And this is the
MITRE report. MITRE was unable to adequately test
confidentiality and integrity of the exchange system in full.
Are you aware of that?
Mr. Chao. Well, that seems actually true and appropriate,
because the full system isn't built.
Mr. Mica. But it was never fully tested? Has it been
tested?
Mr. Chao. No. I think what it is referring to is that there
are other components of the Marketplace program that still need
to be built.
Mr. Mica. Sir, can you sit here and tell us that there are
not heightened risk of unauthorized access, non-encrypted data,
identity theft, and loss of personal identifiable information?
Chairman Issa. The gentleman's time has expired.
Mr. Chao. That was----
Mr. Mica. And Mr. Powner, can he also answer to that?
Mr. Chao. That was my reply in response to a decision memo
in which we wanted to generally highlight the potential risk
that is applicable to any system of this magnitude that is
servicing the public and collecting information about people.
Chairman Issa. Mr. Powner, if you had anything else,
briefly.
Mr. Powner. Your staff shared that document with me. I
think the key is that was an early assessment, not on the
complete system, and a key question going forward is what has
been done in terms of security testing and assessment while the
system continues to be built.
Chairman Issa. Thank you.
The gentlelady from New York, Mrs. Maloney.
Mrs. Maloney. Thank you. I would like to thank all of the
panelists for their public service and thank the chairman and
ranking member for this oversight hearing. There is a success
story in the State that I am privileged to represent, New York
State. Nearly 50,000 New Yorkers have enrolled in health
insurance plans through the New York State health program.
Almost 200,000 New Yorkers have completed full applications on
the New York State of Health. Additionally, the State's
customer service center operators have provided assistance to
more than 142,000 New Yorkers. And the rates for the plans
represent a 53 percent reduction compared to the previous
year's individual rates, and in addition to the cost savings,
it is estimated that nearly three-quarters of individual
enrollees will qualify for financial assistance. This is
according to an official State report from New York. So this is
certainly good news.
But we do need improvements on the Federal user experience,
and I would like to ask Mr. Park have improvements been made
daily on the website? Are you working to make improvements
every day?
Mr. Park. Thank you so much for the question, and it is
terrific news coming out of New York. So the answer to your
question is people are working every day to make things better.
I would say the site is getting better week by week. Some days
are better than others, but if you look at the trend line, week
over week things are getting better. So, for example, one
metric of the user experience is what is called system response
time. This is the rate at which the website responds to user
requests like displaying a page that you want. Just a few weeks
ago that rate was, on average, eight seconds across the system,
which is totally unacceptable. It is now actually under a
second today.
Mrs. Maloney. Well, that is really good news. How much
faster can the public expect the website to be? Now you are
under a second, is that what you are saying?
Mr. Park. On average, yes.
Mrs. Maloney. On average?
Mr. Park. Yes.
Mrs. Maloney. Well, can the public expect--can you make it
any faster than a second?
Mr. Park. Yes. The team believes that it can, the team
doing this, and we are most of the way, I think, in terms of
average response time that we want to be. We want to get it
down further. We are also actually, thanks to----
Mrs. Maloney. So I would say that reducing wait time has
become a priority, right? And that certainly will help
enrollment numbers, don't you think, Mr. Park?
Mr. Park. That is right. Yes, ma'am.
Mrs. Maloney. Okay, great. That is terrific. Now, are
accounts registering properly at this time? Was that problem
solved?
Mr. Park. That problem has actually largely been solved.
That was, of course, a significant problem up front that folks
experienced. But thanks to expanded capacity, thanks to system
configuration changes and code fixes, that problem has largely
been solved. People can actually get through the front door and
begin the application process and start shopping for affordable
health options.
Mrs. Maloney. So how many registrations can the system
handle now? Congratulations on solving that, by the way.
Mr. Park. So I believe that the latest number the team
reports is about 17,000 registrations an hour, and the plan is
to actually up that in terms of new accounts being created.
Then, of course, people who have registered previously are
coming back and coming back and coming back to keep working on
their application, shop for plans, etcetera.
Mrs. Maloney. And how are you reaching out to people who
may have been discouraged and encouraging them to come back and
try again? Is there any effort to reach out to them or just the
notices that it is happening?
Mr. Park. Yes, ma'am. So CMS is currently engaged in an
effort to begin to reach out to folks who actually got stuck in
the application process and encouraging them to come back and
make it through the front door and start applying for coverage.
Mrs. Maloney. Are there resources there to help people
navigate the process? I am hearing they are confused often. Is
there any resources there to help them figure it out?
Mr. Park. Yes, ma'am. There is Help text, there is also the
call center, and the team is also working quite vigorously to
keep improving the user interface and the flow so that you need
less help, so that it is more and more clear to you at
particular points what to do.
Mrs. Maloney. And how are you assessing or distributing the
feedback that you are getting from users that have used the
system and want to tell you how they can make it faster? But I
don't see how you could make it any faster than a second, quite
frankly. But how are you communicating that feedback from
users?
Mr. Park. You can make it faster, by the way, and so people
are working on that. But there is feedback coming from a
variety of different sources; from users, from folks in the
field, from the call center, from testers, and that is actually
being fed into a list dynamically kept on an ongoing basis of
things to do in priority order to make the website better and
better.
Mrs. Maloney. And I understand that the Hub, the data Hub
is working well. Is that correct?
Mr. Park. The Hub has worked extremely well from day one.
It supports actually not just the Federal Marketplace, but all
the State Marketplaces, including New York's great success; and
that continues to hum along very nicely.
Mrs. Maloney. Well, thank you. My time has expired and I
see that sleeping on the floor is paying off in your hard work.
Thanks.
Mr. Park. The team. It is the team. I am just part of it;
the team is doing the work.
Mrs. Maloney. Your team. Congratulations. Thank you.
Mr. Park. The team.
Chairman Issa. I thank the gentlelady.
We now go to the gentleman from Tennessee, Mr. Duncan.
Mr. Duncan. Thank you very much, Mr. Chairman. While I am
very skeptical about the Government's ability to run our health
care system, what I am more concerned about or object to more
is all the sweetheart insider deals that Government contractors
get under these programs and all the people and companies that
are getting filthy rich off of these programs.
I have an estimate here on the cost of all the technology,
the estimate of OMB as of August 30th, before all the problems
surfaced, and they said we would spend $516.34 million on the
technology. Now we have seen estimates way above that. So I
have a question about that, about how much all this is going to
cost us to straighten this out and are these going to be
continual costs each year? Are we going to have to spend more
and more and more on the technology?
But secondly, and a greater concern, I have two stories
here, one from The Washington Post about 10 days ago and one
from CBS News a couple days later, and they say the
Administration knew three and a half years in advance that
these problems were going to occur. The Washington Post story
says in May 2010, two months after the Affordable Care Act
squeaked through Congress, President Obama's top economic aides
were getting worried. Larry Summers, director of the White
House's National Economic Council, and Peter Orszag, head of the
Office of Management and Budget, had just received a pointed
four page memo from a trusted outside health advisor that
warned that no one in the Administration was up to the task of
overseeing the construction of an insurance exchange and other
intricacies translating the 2,000 page statute into reality.
So what I am asking, and I welcome comments from anybody on
the panel, how much is all this going to cost to straighten out
these problems that we now know that we have? And, secondly,
how long is it going to take, when the Administration or you
all have had three and a half years warning that this was going
to happen? How much longer is it going to take to straighten
all this out?
Chairman Issa. Mr. Powner, you seem to be giving the best
answers.
Mr. Powner. I can comment on the cost figure, what we know
to date. If you look at OMB documentation, there are exhibits
where you report spending by fiscal year, and through the
fiscal year 2013, so by the end of September, it was north of
$600 million spent. Now, I will caveat that by saying that did
include IRS costs associated with that and some other
Government agencies; it wasn't just all CMS and HHS.
But your question about what it is going to cost to fix,
that is where we are kind of blind to that, and I think that is
a key question, how much that will end up being.
Mr. Duncan. All right. Does anybody know? If we have spent
$600 million already, and it is not working, does anybody have
any idea how much all this is going to cost us in the end?
Nobody knows?
Then go to the second question. How long is all this going
to take? If you have had three and a half years to get ready
for this and we had all these promises about you can keep your
plan, you can keep your doctor, your health care cost premiums
are going to go down by as much as $2500, and we now know that
all that was false or incorrect, how much longer is it going to
take, another three and a half years to get this straightened
out?
Mr. VanRoekel. I think it is important to note, sir, that
Americans are getting insurance today, that the system is
passing through and people are registering. The focus today, as
I said in my opening statement, is about continuous improvement
and making sure that we make that even better and stronger, and
that more and more people----
Mr. Duncan. Millions are getting their policies canceled
and more are getting sticker shock because of premium
increases, too. But I am just wondering. What I am asking about
is all the technology. If we have had three and a half years
that the Administration has known that this was going to
happen, and they couldn't fix it in three and a half years, how
much longer is it going to take us?
Chairman Issa. Would the gentleman yield?
Mr. Duncan. Yes, sir.
Chairman Issa. You know, we have two distinguished
individuals from the private sector, and I would suspect that
at Athena and at Microsoft they knew what their burn rate was,
they knew what their time was. In fact, neither of their
companies would exist if they had launched their product quite
like this. Even Windows Vista launched better than the Obama
website.
But the gentleman could include their experience in the
private sector, if they would like to compare this launch with
the launch of each of their companies.
Mr. VanRoekel. I think it is important to note on this the
way that Federal budgeting and Federal IT is managed and
empowered, and I think FITAR actually emphasizes this, as well
as many of the memos and things that I have put out, is
empowering agencies to do their mission work, to execute
against the budget. We formulate the budget within the Office
of Management and Budget, and then the Congress and the
appropriators actually grant that budget to the agencies to
then execute; and the tools that we build to track, spend, to
make sure that diligence is happening on that are all about
empowering the agency to make those smart decisions about what
they do. So in the private sector it is not directly parallel
because you are not, from our position, on the ground actually
running these programs day-to-day.
Chairman Issa. You are begging an angel capitalist to give
you one more chunk of money that he may or may not give you.
With that, we go to the gentlelady from the District of
Columbia for her five minutes.
Ms. Norton. Thank you, Mr. Chairman. And although you have
called witnesses who are being asked to fix a plane while it is
in the air, I do believe oversight is appropriate in light of
the round of surprises we have had.
Let me try to clear something up, Mr. Chairman. Mr. Chao
got a round of questions about the preflight checklist, and I
do have a document that said testing successfully, yes. I don't
know if that means conducted a test or what, because if you
look more deeply into the document, and you didn't have this
before you, where you have the CGI checklist, that defect
report, it is entirely consistent, Mr. Chao, with what you have
said because this defect report says there were 22 defects.
Chairman Issa. Would the gentlelady make that document
available?
Ms. Norton. I would be glad to make this available to you
and to the press.
I am also troubled by how the committee often pulls the
White House into these matters without any evidence. The White
House, in this case, the rollout is accused of not knowing
enough and now they have been accused of directing matters with
respect to the Anonymous Shopper function. Even the chairman
has said that publicly on television.
So I would like to ask Mr. Chao about that issue. And the
question really has to do with whether you were forced to
register and then shop, whether that change was made from shop,
then register to register, then shop; whether that change was
made because of the involvement of the White House in any way.
Mr. Chao. Absolutely not. It was a decision made on the
results of testing. It would be pretty egregious, and I
understand that a lot of folks are wondering why the website is
functioning the way it is, but to consciously know that it
failed testing and to then put it into production for people to
use is not what we do. We use the best available information,
and if the test results show that it is not working, we don't
put it into production.
Chairman Issa. Would the gentlelady yield?
Ms. Norton. I certainly will, Mr. Chairman, if you will
make sure I get my time.
Chairman Issa. Of course.
Would you stop the clock?
You know, the gentlelady's information, I have been told,
the one that you are referring to, is in fact a roll up to the
decision that it had passed. In other words, your document is
not inconsistent with it. I think Mr. VanRoekel made it clear
that they are still fixing XP, after they no longer support it.
So I think the conclusion of the document is clear. You are
asking Mr. Chao. He is still saying that this thing failed the
test, when it in fact documents show it passed the test. Was it
perfect? No. But if you could only get six people registered on
day one and only 240 registered on day two, some might say that
the website was not passing the test in those first two days
either. So hopefully that document, you can make it available
to all of us, but I have been told that that is simply part of
the supporting documents for the conclusion that CMS has in
their own documents, which is that that portion which was
excluded, and we have been told in testimony that, in fact,
they were told by people at CMS to turn it off and that those
people were being instructed by people at the White House.
Ms. Norton. Let me clear that up, Mr. President.
Chairman Issa. Okay.
Ms. Norton. I mean Mr. Chairman.
Chairman Issa. I just want you to understand that
contractors told us----
Ms. Norton. Well, Mr. Chairman, let's look at the document.
Let's have people look at the fine print and decide when these
22 defects were noted, because I got it in black and white
here.
Now, you say the White House did not say to turn off the
Anonymous Shopper, Mr. Chao, was that your testimony?
Mr. Chao. Yes.
Ms. Norton. Because the allegation of the chairman was that
the White House ordered it because they wanted to avoid sticker
shock. I remember seeing that on, I think, television. Now,
just let me say something about sticker shock. I had a staff
member go on just to test the DC Health Link, which is where we
all will have to go, and she found that the same--there are 267
different policies, insurers on DC Health Link, and she found
that the same Blue Cross Blue Shield she is now getting from
the Federal employment program she can get for between $160 and
$220 less. So if there is sticker shock, at least some people
are finding sticker shock works the other way.
But I want to drill down on this decision from the White
House. Was there White House directive that because--the
decision came not because--I want to make sure your testimony
remains, because there has been some difference the chairman
cited--that there was no White House directive, but the reason
for pulling the Anonymous Shopper was because the function
failed testing, does that continue to be your testimony?
Mr. Chao. Correct. If we would have put it into production,
even though it is anonymous shopping nor browsing, it requires
some attributes about your preferences, your demographics to
approximate potentially what premium tax credit ranges you
would qualify for so that you can then move into shopping or
plan compare. It didn't work in either calculating the
approximate premium tax credit, nor did it work in plan
compare, so if we allowed people to go through that, they would
have gotten erroneous information and that would have been much
worse than not having it at all.
Ms. Norton. I have already pointed to a document. By the
way, this document is from September.
Now, did you get----
Chairman Issa. The gentlelady's time has expired. Would you
briefly finish?
Ms. Norton. Did you get any direction from the White House
to disable or to delay the shopper function and were there any
political considerations that went into your decision to do so?
Mr. Chao. None whatsoever. I look at the facts of whether a
system is going to be ready. And, of course, not everything is
always 100 percent perfect, and there are certain tolerances,
but in this case it failed so miserably that we could not
consciously let people use it.
Ms. Norton. Thank you, Mr. Chairman.
Chairman Issa. I thank the gentleman.
We now go to the gentleman from North Carolina, Mr.
McHenry. Could you yield for just 10 seconds?
Mr. McHenry. Happy to.
Chairman Issa. Thank you.
Mr. Chao, if it couldn't calculate the prices properly, is
it your testimony that when people went through the back door,
those six that got through on the day one, that it did
calculate what their plan and let them shop through another
part, a completely different portal?
Mr. Chao. If you don't go through what was----
Chairman Issa. No, no, no. I have taken six seconds from
the man and I don't want to go past a few seconds.
Mr. Chao. If you fill out an online application and you put
your information in, you get an eligibility determination, you
ask for financial assistance----
Chairman Issa. Yes, you go through everything. But you are
saying you didn't get the right price through the same software
that would determine the right or wrong price----
Mr. Chao. No. Anonymous shopping was using different
software.
Chairman Issa. Oh, yeah. Okay. That remains to be seen.
Mr. McHenry, thank you.
Mr. McHenry. Mr. Chao, all my constituents care about and
want to know is when they log on, is their data, all their
personal identifiable information, is that as secure as if they
do online banking.
Mr. Chao. It was designed, implemented----
Mr. McHenry. I mean, that is a yes or no question.
Mr. Chao. It was designed, implemented, and tested to be
secure.
Mr. McHenry. So it was fully tested in best practices under
the Federal Government standard for IT proposals.
Mr. Chao. Correct.
Mr. McHenry. It was?
Mr. Chao. It was security assessment testing conducted by
MITRE and another company.
Mr. McHenry. Okay. So it is fully tested as the other IT
projects you have overseen into that same standard.
Mr. Chao. I am trying to understand what you mean by fully
tested. It was tested----
Mr. McHenry. Fully tested? Holy cow. This is like a new
low. Okay, then let me use the----
Mr. Chao. There are a lot of----
Mr. McHenry. Best practices are a complete integrated
testing, is that correct?
Mr. Chao. It is tested and prescribed under the FISMA
framework and NIST controls that are specified as a standard.
Mr. McHenry. Okay. So why did your boss resign?
Mr. Chao. He didn't resign.
Mr. McHenry. Okay. So due to security readiness issues----
Mr. Chao. I think he decided to make a career change, which
I can't speak to.
Mr. McHenry. I think it was a fantastic time to hightail it
out after this great rollout. So let me ask another question.
So Marilyn Tavenner signed the authority to operate memorandum.
Traditionally, would your office sign a memorandum or have you
signed previous memorandums on authority to operate?
Mr. Chao. Myself, I have not.
Mr. McHenry. Has your boss, or previous boss?
Mr. Chao. Not that I know of. But I do not manage the ATO
sign-off process, that is done between the chief information
officer and the chief information security officer.
Mr. McHenry. Okay. And they would traditionally do it, not
the CMS administrator.
Mr. Chao. I think you would have to ask them.
Mr. McHenry. Okay. Fantastic. We plan to do that.
Let me ask you, Mr. Park, you said on USA Today, on October
6, ``These bugs were functions of volume. Take away the volume
and it works,'' referring to Healthcare.gov. It was in the
fourth paragraph. Do you still stand by that statement?
Mr. Park. Thank you for the question. What I was
specifically referring to----
Mr. McHenry. No, no. Do you still stand by----
Mr. Chairman, I ask unanimous consent to submit this for
the record.
Have you seen this USA Today----
Chairman Issa. Without objection, so ordered.
Chairman Issa. And the question is on the statement, not on
what you would want someone else to believe today.
Mr. McHenry. These bugs were function of volume. Take away
the volume and it works. Do you still stand by that?
Mr. Park. So I stand by the fact that the bugs that the
reporter was referring to, which were issues users were
experiencing in account creation up front, were in fact
functions of volume. What I will say now, based on additional
understanding, is that in addition to volume, which was a
challenge, the account creation process was, later on, also
affected by particular functionality bugs, which have been
fixed, most of which have been fixed, along with volume
capacity expansion and other system configurations----
Mr. McHenry. So, Mr. Park, let me tell you a story. I have
a woman named Sue who logged on. She filled out everything
else. She did not fill out her middle initial. She got a
processing error. She went back to try to fix it, put in the
middle initial. She had to wait 48 hours to get another update.
Turns out that her income was not verifiable because she put in
a monthly income. She calls a navigator, the navigator says,
yeah, we have some problems with that; maybe you can do it on
an annualized basis. Well, unfortunately, she couldn't get back
into the system, so then has to call back for another navigator
and the navigator says, gosh, we have a little issue here, so
let me try an annualized income and put it in on the back end
that navigators can do. She is still waiting. She started on
October 1st. She is still waiting to be successfully logged in
to this website that you said these bugs were functions of
volume; take away the volume and it works.
This is such a deeply flawed data rollout, and my
constituents are most concerned about trying to sign up, much
less when they do sign up that they don't have their data
stolen.
Mr. Chairman, I yield back.
Chairman Issa. I thank the gentleman.
Mr. Park, you can answer, if you see a question there.
Mr. Park. That would be great. Thank you. So I was actually
talking specifically about issues with account creation. There
are issues downstream as well, and, again, each time I speak
with you, each time I speak, I will relay the best
understanding I have and try to be as precise as I can be.
Chairman Issa. I thank you.
We now go to the gentleman from Virginia, Mr. Connolly.
Mr. Connolly. Thank you, Mr. Chairman, and let me begin on
a bipartisan note. Mr. Chairman, you and I helped write,
joining together, the FITAR Act requiring reform of Federal IT
acquisition. Mr. VanRoekel, you seem to have been equivocal,
maybe, at our last meeting in January when you testified here,
but I want to read to you a statement by the President of the
United States. He said, just recently, one of the lessons
learned from this whole process on the website is that probably
the biggest gap between the private sector and the Federal
Government is when it comes to IT; how we procure it, how we
purchase it. This has been true on a whole range of projects.
A reasonable inference from that statement could be drawn
that perhaps we do need some more legislation, some new
legislation to free up some of the moribund rules----
Chairman Issa. Would the gentleman yield?
Mr. Connolly. If we could freeze my time.
Chairman Issa. Of course. I couldn't agree with you more
that, in fact, one of the lessons that I hope all of us take
out of this hearing today is that we have two people from the
private sector who know that they would never do a process like
this one was done, and yours and my legislation is really about
trying to create at least a modicum of similarity in IT
procurement in the Federal Government the way it is done in the
private sector. And I thank the gentleman for his comments.
Mr. Connolly. I thank the chairman.
So I commend to Mr. VanRoekel the statement of the boss.
Mr. Chao----
Chairman Issa. So now I am the boss?
Mr. Connolly. No. Well, you are too.
Chairman Issa. Oh, you mean the President.
Mr. Connolly. The other boss.
Chairman Issa. Ah, yes. His boss.
Mr. Connolly. The big boss.
Mr. Chao, during your interview with committee staff on
November 1, you were presented with a document you had not seen
before and it was titled Authority to Operate, signed by your
boss on September 3rd, 2013, is that correct?
Mr. Chao. Correct.
Mr. Connolly. The Republican staffers told you during that
interview that this document indicated there were two open
high-risk findings in the Federally-facilitated Marketplace
launched October 1, is that correct?
Mr. Chao. Correct.
Mr. Connolly. This surprised you at the time.
Mr. Chao. Can I just qualify that a bit? It was dated
September 3rd and it was referring to two parts of the system
that were already----
Mr. Connolly. You are jumping ahead of me. We are going to
get there.
So when you were asked questions about that document, you
told the staffers you needed to check with officials at CMS who
oversee security testing to understand the context, is that
correct?
Mr. Chao. Correct.
Mr. Connolly. The staffers continued to ask you questions,
nonetheless, and then they, or somebody, leaked parts of your
transcript to CBS Evening News, is that correct?
Mr. Chao. It seems that way.
Mr. Connolly. Since that interview, have you had a chance
to follow up on your suggestion to check with CMS officials on
the context?
Mr. Chao. I have had some discussions about the nature of
the high findings that were in the document.
Mr. Connolly. Right. And this document, it turns out,
discusses only the risks associated with two modules, one for
dental plans and one for the qualified health plans, is that
correct?
Mr. Chao. Yes.
Mr. Connolly. And neither of those modules is active right
now, is that correct?
Mr. Chao. That is correct.
Mr. Connolly. So the September 3rd document did in fact not
apply to the entire Federally-facilitated Marketplace, despite
the assertions of the leak to CBS notwithstanding, is that
correct?
Mr. Chao. That is correct.
Mr. Connolly. And these modules allow insurance companies
to submit their dental and health plan information to the
Marketplace, is that correct?
Mr. Chao. Correct.
Mr. Connolly. That means those modules do not contain or
transmit any personally identified information on individual
consumers, is that correct?
Mr. Chao. Correct.
Mr. Connolly. So, to be clear, these modules don't transmit
any specific user information, is that correct?
Mr. Chao. Correct.
Mr. Connolly. So when CBS Evening News ran its report based
on a leak, presumably from the Majority staff, but we don't
know, of a partial transcript, excerpts from a partial
transcript, they said that security issues raised in the
document ``could lead to identity theft among buying
insurance,'' that cannot be true based on what we just
established in our back and forth, is that correct?
Mr. Chao. That is correct. I think there was some
rearrangement of the words that I used during the testimony and
how it was portrayed.
Mr. Connolly. So to just summarize, correct me if I am
wrong, the document leaked to CBS Evening News did in fact not
relate to parts of the website that were active on October 1,
they did not relate to any part of the system that handles
personal consumer information, and there, in fact, was no
possibility of identity theft, despite the leak.
Mr. Chao. Correct.
Mr. Connolly. Thank you, Mr. Chao.
I yield back.
Chairman Issa. Would the gentleman yield your 26 seconds?
Mr. Connolly. Yes, Mr. Chairman.
Chairman Issa. Have you read the November 6th letter from
the ranking member to me?
Mr. Connolly. Yes. In fact, I think I cosigned that letter.
Chairman Issa. Oh, that is good. So the gentleman is well
aware that even today there are significant security leaks that
the ranking member was concerned, if discovered, would allow
hackers to take people's private information, that there is a
security risk, and that was cautioned by you not to let that
out. Susannah will give you the answer, if you will just let
her. Okay, I hear none.
Mr. Connolly. I am sorry, I am not following the quote.
Chairman Issa. Well, I was trying to let the staff speak to
you, but the bottom line is that there are security risks
today, according to you and the ranking member. This website
still has vulnerabilities, if discovered, that would lead to
personal information coming out, is that correct, in your
letter?
Mr. Connolly. Mr. Chairman, that may be, but I am talking
about a deliberate leak that, frankly, distorted reality based
on two modules that were inactive and using that misinformation
to suggest that it applied to, in fact, the active website.
Chairman Issa. But end-to-end security problems in your
letter do apply to the active website, right?
Mr. Connolly. Well, they may, Mr. Chairman, but right now
my questioning to Mr. Chao had to do----
Chairman Issa. No, I understand you are rehabilitating Mr.
Chao.
Mr. Connolly. No, I am not. Mr. Chairman----
Chairman Issa. But the question is----
Mr. Connolly. Mr. Chairman, Mr. Chairman, let's be fair. I
am trying to get the facts on the record and correct a
deliberate smear against Mr. Chao. Not to rehabilitate him, but
to, in fact, get the truth out because someone deliberately
leaked something and distorted it, Mr. Chairman, in the name of
this committee.
Chairman Issa. No, I appreciate your concern. My concern
is----
Mr. Connolly. I am glad you do, Mr. Chairman.
Chairman Issa.--Mr. Chao had the MITRE report and it is
that report that, even redacted, you didn't want released
because it shows a roadmap to the vulnerabilities of the site
as it is today. That is your letter.
Mr. Connolly. Mr. Chairman, I began my questioning by
acknowledging our joint bipartisan effort to in fact try to
legislate reforms in IT acquisition. That is an acknowledgment
on my part, and yours, that, in fact, the Federal IT
acquisition process is broken, whether it is this example or
some other. So I have no desire, no motivation to hide
anything. But I am concerned at a pattern of calling people to
give us testimony and cherry-picking their testimony to make a
political point that, frankly, does not serve this committee
well in terms of its oversight role and does damage to good
public servants' reputation.
Chairman Issa. I appreciate the gentleman's bipartisan
efforts.
Mr. Connolly. I thank the chair.
Chairman Issa. Mr. Jordan is recognized.
Mr. Jordan. I thank the chairman.
Mr. Chao, a week ago the President was interviewed last
Thursday and was asked about Secretary Sebelius, and the
President defended his health secretary--I am quoting from the
Chuck Todd interview--defended his health secretary, argued
that the website bugs aren't necessarily her fault. ``Kathleen
Sebelius doesn't write code. She wasn't our IT person.''
Who is the IT person? Who is the person in charge? Who is
the person responsible? Who is the one who signed off on this
before it went public?
Mr. Chao. The person that is responsible is our
administrator, Marilyn Tavenner.
Mr. Jordan. And did she base her decisions on the memo you
sent her on the 27th, is that right? Isn't that the Authority
to Operate memo?
Mr. Chao. I think that is----
Mr. Jordan. I mean, the President talked about IT person.
Ms. Tavenner is not an IT person. Who is the IT person? Is that
Mr. VanRoekel?
Mr. Chao. I don't know.
Mr. Jordan. Is that Mr. Park? Is it Mr. Chao? Which of you
is that person?
Mr. Chao. I don't know, I didn't speak to the President.
Mr. Jordan. No, but he refers to a person. Who would it be?
Who is the IT person in charge?
Mr. Chao. I don't know what the President was referring to.
Mr. Jordan. Let me start with slide C3, if I could. The
final report came out October 13th, after October 1st. I just
want to read the first: MITRE was unable to adequately test the
confidentiality and integrity of the exchange system in full.
Lower down: Complete end-to-end testing of the application
never occurred.
Doesn't that raise concerns? Did you know about this before
October 1st, Mr. Chao?
Mr. Chao. I think that is taken out of context.
Mr. Jordan. It is pretty plain language. Didn't test it; no
end-to-end testing; done before October 1st. And yet the IT
person in charge, whoever the President is referring to,
somebody said it is okay to start this thing.
Mr. Chao. I say it is taken out of context because there
are still quite a few----
Mr. Jordan. Mr. VanRoekel, did you know the results of the
MITRE testing before October 1st?
Mr. VanRoekel. I haven't seen this document, so I would
love to----
Mr. Jordan. Well, you have the fancy title; you are the
Chief Information Officer of the United States of America. That
is a pretty big title. And you didn't know about this before
the biggest domestic policy program website in the history of
this Country ever is launched, and you didn't know about this?
Mr. VanRoekel. Sir, I haven't seen this document.
Mr. Jordan. Well, that scares us.
Mr. Park, you are supposed to be the guy who is going to
solve everything; you are Clark Kent coming out of the phone
booth here. Did you know about this before October 1st?
Mr. Park. I did not.
Mr. Jordan. And why is it----
Mr. Chao. Would you like me to explain why----
Mr. Jordan. I would like someone to tell me why you didn't
know that end-to-end testing wasn't done----
Mr. Chao. It is not about not knowing; it is that, for
example, the first payment to the insurance companies, the
issuers, are not going to occur until sometime in the first
part of January. We are still building the system.
Mr. Jordan. We just had this. The system all works
together. It wasn't tested all at once.
Mr. Chao. We are still building parts of the system to
calculate payment, to collect the enrollment data from all the
marketplaces and to make that payment----
Mr. Jordan. So there is more system to be built. So we can
expect more problems in the future to add to the problems we
have already seen.
Mr. Chao. Security testing is ongoing.
Mr. Jordan. Let me ask you this. This, to me, seems to be
the billion dollar question. Why didn't you delay this? You
guys knew there were going to be problems. You hadn't done
end-to-end testing. Some of your testing we hoped that the tests
would work when we presented it to the White House. Why didn't
you delay this? Mr. Chao, why wasn't it delayed?
Mr. Chao. That is not my decision to make.
Mr. Jordan. This, to me, is the thing. The chief technology
people don't know, but October 1st is October 1st, a date that
is in the law? It is not. It is just a date--let me cite you
this here. The Washington Post article--and I know I only have
a minute, but The Washington Post article I think is important.
David Cutler sent a memo to the White House, says, you know
what, don't keep the political people in the White House, Nancy-Ann
DeParle, Jeanne Lambrew in charge, bring in outside people.
Larry Summers agreed with that assessment; Peter Orszag agreed
with that assessment, but the President says no, we are going
to keep Nancy-Ann DeParle in charge of this, kept the political
people in charge.
In your testimony to the committee, Mr. Chao, you said
this, when asked about October 1st, my marching orders were get
the system up by October 1st, right?
Mr. Chao. Correct.
Mr. Jordan. Why? If you have all these problems, why not
wait?
Mr. Chao. I didn't ask why. I said that was my----
Mr. Jordan. And what I am suggesting is the folks at the
White House knew this thing had problems, evidenced by the
testing that wasn't done end-to-end. They, for political
reasons, had picked this date, so for political reasons they
had to adhere to this date, and the end is, the end result is
Americans' personal information is put at risk.
Mr. Chao. I tried to correct your perception of what this
excerpt was from. It is about a long chain of systems that need
to be built, and this is a point in time.
Mr. Jordan. Mr. Chairman, I have two seconds. Let me just
finish with this. We have asked, you and I have asked Ms.
DeParle, Ms. Lambrew to come in front of this committee next
week, and the letter we got back yesterday was they are not
going to come; and they are the people we need because they are
the political people in charge. They are the ones who
determined October 1st was the date they needed to move forward
on, and they are the ones who I think ultimately are
responsible for putting at risk Americans' personal
information.
With that, I yield back.
Chairman Issa. Okay.
Mr. Powner, there were all these questions and you seemed
to have an answer you wanted to give on this end-to-end testing
before it was done. Do you want to weigh in at this point?
Mr. Powner. Well, I would just reiterate the point that the
security testing was done early, on an incomplete system, and
the fundamental question is what is being done now and how
adequate is that to date.
Chairman Issa. Thank you.
Mr. Davis.
Mr. Davis. Thank you. Thank you very much, Mr. Chairman.
Mr. Chairman, there has been a lot of information over the past
several weeks regarding the security of Healthcare.gov and
whether consumers who use this system are at risk. I would like
to hear from the witnesses about this matter and separate fact
from fiction.
Mr. Chao, the Federal Information Security Management Act,
known as FISMA, requires agencies to protect information
systems. FISMA specifically requires an authorizing official to
sign off before an agency begins operating a system. In the
case of Healthcare.gov, we have a memo that was signed by
Administrator Tavenner on September 27, 2013, entitled
``Federally-Facilitated Marketplace.'' This memo says that the
security contractor ``has not been able to test all of the
security controls in one complete version of the system.'' It
also says this resulted in a ``level of uncertainty that can be
deemed as a high risk.''
Mr. Chao, can you explain how CMS tested various components
of the system for security risk?
Mr. Chao. In general, in most large IT projects that
require several what we call environments that are used to move
from a developer's machine in writing code and to test that
locally, and then to put it into a larger environment to test
with other code, and you go through this step-wise process of
constructing the system. I think what the statement reflects is
that in any situation similar to the Marketplace systems,
security people have to test when they can and when they have a
window. As I mentioned, there is a compressed time line, and
that compressed time line affords some ability for security
testing to occur as the software is being developed through its
life cycle.
I think what the memo was just trying to say, and it was
erring on the side of caution, that as software is continuously
being developed, it was tested in three cycles. So by the end
of three cycles it had fully tested the necessary functions to
go live on October 1st. There are, as I mentioned earlier,
other system functions that are yet to be built and will
continue to have security testing conducted.
So security testing is a point in time. Risk acceptance of
that security testing results is a point in time. And then in
that memo you will also see that we have applied various
mitigation steps to try to offset the potential risk that was
identified.
Mr. Davis. Do you know of any other IT systems, in your
experience, that were authorized without completing full system
security testing?
Mr. Chao. I think that there is a slight art in the wording
of that. I think every system the Federal Government puts into
live production needs to have sufficient security testing, per
FISMA and OMB and NIST requirements. Whether we tested in three
cycles, whether we tested annually or every three years,
testing is an ongoing and ever-present, kind of part of the
process. When we are testing the controls for a portion of a
system that is ready for a particular delivery date, we fully
test those. For a portion of the controls for a part of the
system, as I mentioned earlier, in which we do not have to make
payment on October 1st, that is then tested at a later date,
when that function is ready and needed in order to go into
operation. So it is an iterative ongoing process.
Mr. Davis. Has a security team been established?
Mr. Chao. Yes.
Mr. Davis. Has CMS been performing weekly testing?
Mr. Chao. Yes.
Mr. Davis. I have no further questions. Thank you, Mr.
Chairman. I yield back.
Chairman Issa. I thank the gentleman for yielding back.
We now go to the gentleman from Utah, Mr. Chaffetz.
Mr. Chaffetz. I thank the chairman.
I thank you all for being here.
Mr. Baitman, I would like to start with you. Since the end
of August, how many times have you personally met with
Secretary Sebelius?
Mr. Baitman. I am not sure, probably once or twice.
Mr. Chaffetz. And when was the last time you met with the
secretary?
Mr. Baitman. I believe that it was during the shutdown. The
secretary had regular meetings with senior leadership.
Mr. Chaffetz. So you met one time in October?
Mr. Baitman. I believe so.
Mr. Chaffetz. So you met one time. You are the chief
information officer. You met one time in October with the
secretary. My understanding is you engaged a hacker to look at
Healthcare.gov, correct?
Mr. Baitman. CMS asked us to help them with various things.
Mr. Chaffetz. But you engaged a hacker to look at the
system.
Mr. Baitman. We engaged someone who is called an ethical
hacker who is on my staff.
Mr. Chaffetz. An ethical hacker. When did they start their
hacking?
Mr. Baitman. It was during the shutdown.
Mr. Chaffetz. And how long did it take him to complete his
hacking exercise?
Mr. Baitman. I think it is an ongoing activity. But he is
actually based in Atlanta.
Mr. Chaffetz. And then he gave you a report. How many
serious problems did he find?
Mr. Baitman. I don't know if I would call them serious. I
think that there were something like 7 to 10 items on that
report.
Mr. Chaffetz. So you had 7 to 10 items of hacking, some of
which you don't believe are serious, but some are obviously
serious. What percentage of those have been fully rectified?
Mr. Baitman. I turned those over to CMS for their review.
Some actually weren't systems issues, they included things like
physical security as well.
Mr. Chaffetz. So you have no follow-up? You have no idea
what percentage of those hacking incidents were rectified?
Mr. Baitman. I believe CMS got back to my staff last week
and said the majority of those had been remediated.
Mr. Chaffetz. You don't know what percentage. It is not 100
percent.
Mr. Baitman. I don't believe it is 100 yet, no.
Mr. Chaffetz. So you shared that with CMS. Did you share
that with Secretary Sebelius?
Mr. Baitman. I have not.
Mr. Chaffetz. You are the chief information officer for the
Health and Human Services.
Mr. Baitman. These are fairly technical items. The
appropriate place to share them is with the system owner.
Mr. Chaffetz. But it is not safe and secure, and I guess
that is the fundamental concern, is even after the October
launch, you are the chief information officer, you get a hacker
who in a couple days finds probably 10 or so problems and
challenges. It is that easy to get in and hack the information.
That is the concern.
Mr. Powner, is this ready? Following up on Mr. McHenry's
question, is the site, in your opinion, currently as safe and
secure as an online banking site?
Mr. Powner. I would have to look and assess the security.
And all that stuff that MITRE did and the authority to operate
is preliminary because it was on--I mean, MITRE said that they
didn't test the interfaces. The interface testing needed to
occur. So all that stuff that is preliminary raised issues,
but, again, we----
Mr. Chaffetz. Would you put your information in there?
Mr. Powner. I would have to see what the security testing
and assessment has been since then before I was comfortable. I
haven't seen it yet, so we are going to look at it.
Mr. Chaffetz. Well, the answer is not yet yes.
Mr. Chao, would you put all your personal information about
you and your loved ones in it?
Mr. Chao. Yes. In fact, I have recommended my sister, who
is unemployed right now, to actually apply.
Mr. Chaffetz. Did she successfully register?
Mr. Chao. I haven't talked to her lately; she has been out
of the Country.
Mr. Chaffetz. Interesting. And you have this report, then,
from Mr. Baitman, about the hacker's report?
Mr. Chao. I do not personally, but as I mentioned earlier,
there are security teams in place, including permanent security
staff under the chief information security officer that
coordinates with franks.
Mr. Chaffetz. Mr. Chairman, this is something we obviously
have to follow up on.
Mr. Park, you are a very bright and talented person. The
Federal Government is lucky to have somebody of your caliber
engaged in this process, and it actually gives me comfort that
you are looking at this and spending some time in it, but I
have a fundamental question that I want to ask you. Have you
ever shopped on Amazon.com?
Mr. Park. Yes, sir.
Mr. Chaffetz. Have you ever shopped on eBay.com?
Mr. Park. Actually, no.
Mr. Chaffetz. We are going to have to work with you on that
one.
Chairman Issa. As a Californian, I am personally offended.
Mr. Park. I would like to.
Mr. Chaffetz. Let's go back to the Amazon experience. When
you put something in your shopping cart, is that considered a
sale?
Mr. Park. No.
Mr. Chaffetz. Thank you.
I yield back.
Chairman Issa. Would the gentleman yield?
Mr. Chaffetz. Sure.
Chairman Issa. Mr. Chao, you have been fairly defensive
about things being out of context, so I am going to ask
unanimous consent that the CMS document of September 3rd, 2013,
the memorandum, be placed in the record in its entirety. But
before I do so,--well, without objection, so ordered.
Chairman Issa. But I want to make something clear. We had
previously redacted information. Is there anything in that memo
that you believe needs to be redacted? Because otherwise we
will put it in in its entirety so there's no question about
that.
Mr. Chao. I would have to review it.
Chairman Issa. Okay, it is in the record now. By close of
this hearing, if there is something that needs to be redacted,
I need to know, because I will consider redacting it.
Mr. Cummings. Mr. Chairman?
Chairman Issa. Yes.
Mr. Cummings. I just wanted to make sure there was no
sensitive information in there.
Chairman Issa. Well, that is the problem.
Mr. Cummings. I am just trying to obey the law, Mr.
Chairman.
Chairman Issa. This thing is already in the record. If we
choose to redact something--the question is that there are
numerous things that give us sightings of lines in September
3rd that clearly this thing wasn't ready for security on
September 3rd. And when our people questioned you about
September 27th and there was no end-to-end and security
concerns, you want to say you were taken out of context, but
both September 3rd and September 27th, what we find is that
there was no end-to-end testing, and any point of vulnerability
is a point that could access people's private information.
Isn't that true, Mr. Powner? So the absence of end-to-end
testing means that anything that can reach into the database,
in fact, could be a significant security risk to people's
personal information, and has nothing to do with whether or not
a module is about shopping, isn't that true?
Mr. Powner. That is correct.
Chairman Issa. Okay.
Yield back and at this point I recognize the gentleman from
Tennessee, Mr. Cooper, next.
Mr. Cooper. Thank you, Mr. Chairman. I am worried that the
net effect of this hearing might be to exaggerate the security
difficulties of the website. I serve on the Armed Services
Committee, and our own Pentagon is attacked many thousands of
times a day, sometimes by foreign powers. So the entire
Internet could and probably should be more secure. So we have
to acknowledge some system problems for the whole Internet, and
then there are other issues we can deal with.
Another concern I have is the witnesses are being badgered,
and I would like to offer witnesses, perhaps Mr. Baitman,
perhaps Mr. Park, Mr. Chao, and others an opportunity to
respond, because I believe in fairness, and the American people
do not want to see a kangaroo court here. And the way this
hearing has been conducted does not encourage good private
sector people to want to join the Federal Government.
I personally had the privilege of hearing Mr. Park speak in
Nashville, Tennessee a couple years ago. He spoke before a
hard-core private sector, pro-capitalist, business audience,
and they told me they had never heard a speaker who understood
business better, who got it; and it was a real tribute to me
that someone of your caliber was willing to work for the
Federal Government, because that instilled faith in the
process, because we are the best Nation on Earth. We have to
act like it. We do face problems sometimes, but the American
spirit is the can-do, we can fix it attitude, not the blame
game, not the bickering game.
So if there are witnesses who would like a chance to say a
few words in public, because you have been treated unfairly, in
my opinion, and I would like to have this be an equal playing
field.
Chairman Issa. Would the gentleman yield? Have I cut off
anyone's answer here today?
Mr. Cooper. Will I be able to keep my time?
Chairman Issa. Of course.
Mr. Cooper. You cut off the ranking member of this
committee at the beginning of this hearing.
Chairman Issa. I cut him off a minute into question and
answer, after he had exceeded his five minutes. But no witness
here today has been cut off.
Mr. Cooper. But, Mr. Chairman----
Chairman Issa. Every witness has been allowed to complete
their entire answer.
Mr. Cooper. Mr. Chairman, but using----
Chairman Issa. I just want to understand. Kangaroo courts
is quite an accusation, and I hope the gentleman from
Tennessee, when he uses the term kangaroo court in the future,
will think better of making an accusation. No witness has been
cut off. Every witness has been allowed to complete their
entire answer in every case. We went about six minutes before I
asked Mr. Baitman to simply conclude. That is the closest thing
to anything. So this is not a partisan hearing. I will not have
it accused of being a partisan hearing. We have a website that
the American people have seen doesn't work. We are trying to
get to an understanding of why it didn't work so that it
doesn't happen again. And these happen to be experts, and for
the most part we are relying on them to be the people fixing
it.
The gentleman is recognized.
Mr. Cooper. Thank you, Mr. Chairman. This is a hearing on a
broken website by a broken committee, and the air is thick with
innuendo. When the chairman discusses rehabilitating witnesses,
that implies they need rehabilitating, when in some cases the
witnesses have perhaps already been abused, sometimes by leaks,
whether deliberate or not. So let's focus on fixing the
problems. And I think Mr. Baitman was about to speak.
Mr. Baitman. Thank you, Mr. Cooper. There is one thing I
would like to clarify in response to my comments to Mr.
Chaffetz. We found vulnerabilities with the system, and there
will always be vulnerabilities. Every system that is out there,
systems that are live, systems that we trust right now, banks,
online shopping sites, all have issues because they are
continually making changes to their code. That introduces
vulnerabilities. And it is up to us on a continual basis, as
Mr. VanRoekel pointed out, all software goes through continuous
improvement. So what we are doing right now is continually
improving our software and on an ongoing basis identifying
vulnerabilities that exist.
Mr. Cooper. Any other witness? Mr. Chao?
Mr. Chao. What I would like to say is that if I come across
as being defensive, I apologize, but I am being defensive not
in terms of me; I am being defensive in terms of the truth. And
I believe that that is what this committee is trying to get to.
In fact, I think that is what you said in the beginning. So
when I detect that there is distortions or misuse or unrevealed
things about that I spent nine hours with your staff basically
being deposed, I am going to be defensive because that is not
the truth. That is all I want to make clear about my
defensiveness.
Mr. Cooper. Any other witness like to make a point?
This committee has many talents and it has broad
investigative jurisdiction. To my knowledge, and I could be
wrong because my colleagues have many talents, to my knowledge,
none of us could do a website on our own. We are not software
engineers. You could?
Chairman Issa. I think, unfortunately, you have several
here, including one who made a living doing it.
Mr. Cooper. Well, none of us would want to certainly be
engaged in this task. Are you volunteering to work for----
Chairman Issa. None of us want to own this particular
website.
Mr. Cooper. Well, yeah. But it is easy to criticize. It is
hard to perform. And as the gentleman, Mr. VanRoekel, pointed
out, even Microsoft, with Windows XP, is still revising it 12
years later. Software is an iterative process. The Internet is
not perfect, but it is still one of the great technological
accomplishments of mankind. It is transforming the planet, and
in a good way overall, but there are glitches and we work on
those.
So when we swear witnesses, as we do, when we put them in a
very uncomfortable position, deliberately, in some cases when
we subpoena them unilaterally, that creates tension, and it is
actually going to slow the fix of the website. So I worry about
that.
And the chairman and Mr. Connolly have already collaborated
on what sounds like an excellent bill to fix overall Federal
IT. I was very impressed when Mr. VanRoekel pointed out that is
an $82 billion issue. What we are talking about here today, at
least from the August cost estimate, is 0.6 percent of that.
Why don't we focus on the larger issue and fix it? Because, as
I said earlier, it is much better to light a candle than to
curse the darkness.
Chairman Issa. If the gentleman would yield, maybe we can
close on a positive note. Both Mr. Powner, who has constantly
talked about stress-testing end-to-end, and Mr. VanRoekel, who
knows very well that Microsoft never put a new operating system
that wasn't stress-tested end-to-end; it still had bugs, it
still had vulnerabilities. And, by the way, whenever you add a
new driver, a new something else, you create a potential new
one that has to be tested. But stress-testing end-to-end was
something that this committee wanted to know at the onset, why
it hadn't been done, because it is a best practices, which GAO
has very kindly made clear. I believe it is already in the
record, but if it is not, the nine points that GAO had made in
their report of best practices that were not followed.
So Mr. Connolly and I, Mr. Cooper, we are trying to get to
where best practices will always be used. And in this case, not
because of these individuals, per se, they are here as experts,
but this development over three and a half years shortcutted
some best practices, and it is not the first time and it won't
be the last time, but it is one where, as I said in the opening
statement, it is so important, when the American people are
focused, for us to say you can expect better from your
Government in the future; and I don't mean on Healthcare.gov, I
mean on all of that $82 billion worth of IT.
And I appreciate your comments to that end.
Mr. Cooper. Mr. Chairman, let's see about getting your bill
to the floor.
Chairman Issa. Boy, I tell you, that is something we all
would like to do, so I am going to talk to leadership----
Mr. Cooper. You are in the majority party.
Chairman Issa. You know what? I tell you what. I will get
it to the floor in the House. If you will help me in the
Senate, we will get this done.
Mr. Cooper. I have lots of influence in the Senate. I would
be happy to help.
Chairman Issa. Thank you.
[Laughter.]
Chairman Issa. With that, we recognize the gentleman from
Michigan, who knows a great deal about health care websites
from his State, Mr. Walberg.
Mr. Walberg. Thank you, Mr. Chairman, and thank you for
holding this hearing.
And to the panel as well, thank you for being here. You
have plenty to do. We wish you didn't have to be here today,
but when I receive letters on top of letters and contacts in
six town hall meetings that I held last week, live town hall
meetings, like this one from Rachel Haynes in Eaton Rapids,
Michigan, where she talks about the fact of cutting off from
her insurance, her husband and five children, she says this: I
hated the idea of getting on to Healthcare.gov website, as I
believe insurance is a private matter. I did it anyway. The
website did not work, so I called a number. And she goes on to
tell of talking with a person on the phone and ultimately being
hung up on.
That is the reason why this hearing is important. Frankly,
Mr. Chairman, I believe that this whole act that was put into
law under the cover of darkness with the simple votes from the
other side of the aisle who now take offense at us having
hearings like this on problems and doing proper oversight is
the reason to have this hearing today, because people like
Rachel Haynes and her family are concerned not only about
security, but right now that is one of the biggest concerns on
a website that doesn't work for her.
I want to go back to some of the concerns in the MITRE
report and I want to ask the first question. Mr. Chao has
already, in earlier statements to questions just before me,
indicated, when asked why he didn't push back on opening this
thing up on October 1st, he didn't ask why. So I am going to go
to Mr. Baitman, because I think that is an important question
that should have been asked, why. Why do we have to open up on
October 1st?
But the question I would ask here, Mr. Baitman, MITRE was
responsible for conducting the security control assessment for
the Federal exchange, is that correct?
Mr. Baitman. That is my understanding.
Mr. Walberg. According to MITRE, the final security
assessment for the Federal exchange occurred from late August
through mid-September. Is that your understanding?
Mr. Baitman. It is.
Mr. Walberg. Mr. Baitman, to the best of your knowledge,
did MITRE conduct a complete integrated security test of the
Federal Marketplace?
Mr. Baitman. I can't answer that; I don't have visibility
into it.
Mr. Walberg. Well, I would like a document put up that
deals with this test and the outcome, if I could have this
particular document. Okay. If you see there, FFM, the website,
the Marketplace, complete percentage, 66 percent complete. That
is it. Sixty-six percent complete. This document was obtained
by the committee. We have in place--let me ask this question,
Mr. Baitman. Is it a problem that MITRE wasn't fully able to
test one-third of the Exchange?
Mr. Baitman. I can't answer that. This project was run and
managed by CMS. They are responsible for the security.
Mr. Walberg. In the security control assessment dated
October 11th, 2013, and of which a preliminary copy was given
to CMS, on September 23rd, 2013, MITRE writes that they are
unable to adequately test the confidentiality and integrity of
the health insurance exchange system in full. They go on to say
MITRE also writes the application at the time of testing was
not functionally complete.
Mr. Powner, what are the dangers of conducting a security
assessment on an incomplete system?
Mr. Powner. Well, you could have vulnerabilities that go
untested. Also, too, on this document--see, there are a lot of
dates that don't add up. My understanding is that MITRE
conducted their security assessment in August and September,
and it was later September. So there is data all over the
place. The bottom line to your point, though, is it wasn't done
on a complete system.
Mr. Walberg. MITRE has told, Mr. Powner----
Mr. Chao. Excuse me. I just want to point out that that is
a CGI-provided document, that is not from CMS.
Mr. Walberg. Yes, I understand that. MITRE has told
committee staff that to their knowledge, there has not been a
comprehensive test of the entire system. One of the dangers
posed by not conducting a complete, integrated security test
of all the system components, Mr. Powner?
Mr. Powner. Well, in order to ensure that your data is
secure and the system is safe to use, you want to test on as
complete a system as possible.
Mr. Walberg. Then based on what you know, were Americans'
sensitive personal information at risk when Healthcare.gov
opened on October 1st, 2013?
Mr. Powner. I don't know what happened from mid-September
on. That is the only caveat I would like to say, because there
was testing done through mid-September, and I am blind to what
happened during that period of time.
Chairman Issa. The gentleman's time is expired, if you
could wrap up very quickly.
Mr. Walberg. Last question. Can you ensure the American
people that the website will work on November 30th?
Chairman Issa. The gentleman may answer.
Mr. Walberg. Asking Mr. Powner.
Mr. Powner. That is not my responsibility.
[Simultaneous conversations.]
Chairman Issa. The gentleman's time is expired. If anyone
else wants to answer November 30th, they may. Mr. Park, will it
work on November 30th? Properly, fully?
Mr. Park. The team set a goal of having Healthcare.gov
function smoothly for the vast majority of Americans. The team
is working incredibly hard to meet that goal.
Chairman Issa. I thank the gentleman.
Mr. Walberg. With secure information?
Mr. Park. With secure information.
Chairman Issa. Thank you. The gentleman from Nevada.
Mr. Horsford. Thank you, Mr. Chairman, and to the ranking
member and to the other committee members, to our witnesses.
This is an important hearing. Our constituents are rightfully
concerned about their right to be able to access affordable
health care on the website, Healthcare.gov. And while the
rollout has been problematic, what has been more troubling is
the fact that this has been turned into more of a game than it
has been about how we can work together to fix the problems of
the site.
My concern is one of security of personal information. I
also sit on the Homeland Security Committee, we are having a
hearing also this morning on this subject. So I want to ask
about the potential security risks to consumers. Mr. Chao, do
you agree that protecting personal identifiable information on
Healthcare.gov is important and is something that can be
achieved?
Mr. Chao. I think that is something that we as CMS and as a
Federal agency comply with, FISMA and OMB and NIST
specifications for securing people's data, and then following
HIPAA's requirements for confidentiality, integrity and
availability of data.
Mr. Horsford. Can you explain how CMS protects consumer
information, how that is safeguarded by CMS?
Mr. Chao. I think one of the things that is very obvious
when you come to Healthcare.gov, and if you go to, in my
opening remarks I mentioned there are two sides to it, or two
legs. If you go to the Get Insured side, one of the first
things that you have to do is to register to establish an
account. And we mentioned that registrations are up to about
17,000 per hour right now. That registration process allows you
to establish what we call a level one assurance of assurance
account, which is based upon the National Institute of
Standards and Technology. That is very similar to something
like what you would establish in terms of opening up a Gmail or
Yahoo account, just very basic information.
Mr. Horsford. Okay. Let's move on to the next question. We
are very limited on our time.
Mr. Chao. So basically the answer is, it is about
authenticating you, it is about, are you who you say you are
before we let you into the system. And that is one major step
in ensuring that people's privacy is protected, so that they
only see their own data.
Mr. Horsford. And is Healthcare.gov any more or less risky
to consumers than other sites, including private company
information in the banking world or using credit cards to
purchase information over the internet?
Mr. Chao. I can't speak for what privacy frameworks and
programs apply to private sectors. But for the Federal
government, we follow the FISMA guidelines and the requirements
set forth by certain OMB directives. And we use independent
security testing contractors to ensure that we comply.
Mr. Horsford. Mr. Park, you have spent some time with this
website. Have you been able to understand the security features
that are inherent in it?
Mr. Park. That hasn't been my particular focus on the team,
no. There is a CMS security team dedicated to security matters.
Mr. Horsford. Based on your review of that, do you believe
the site poses any unreasonable risks to consumers?
Mr. Park. I haven't actually, again, dived into that
personally. But my understanding is that CMS is applying its
information security best practices to the protection of the
site. CMS has a great track record in protecting the privacy of
Americans.
Mr. Horsford. Mr. VanRoekel, I understand you worked on the
data Hub. Can you explain why you believe consumers should have
confidence that their information is secure as it passes
through the Hub?
Mr. VanRoekel. I didn't actually code the Hub itself, so I
didn't do the day-to-day. But one thing that should be pointed
out is that cyber security is part of everything we do. You
almost can't buy a keyboard in government now without having
cyber security considerations on that. And we have built a
culture of assessment and mitigation that is all about
assessing the level of risk, it is low to high. And then you
put into place technology to mitigate that risk, to make sure
that we are protected.
The standards that we abide by are the NIST standards which
are actually co-developed with the private sector. So the
banking industry, financial industry, insurance industries
outside of government actually use the same standards as
government does, and we hold government to those standards, and
often in many cases lead those industries in the ability to do
these things.
The other aspect of this is, this is ongoing. You hear, I
am sure, in the Homeland Security Committee, a lot around the
fact that we have cyber security in what we do there, you have
to do ongoing tests. You have to rapidly respond and
assessments are never done. You have to just stay vigilant in
those cases.
Mr. Horsford. Thank you. Mr. Chairman, I would just say
that this is not about playing offense or defense. It is about
us getting this job done on behalf of the American people and
working together. I am rather insulted by this House Republican
playbook----
Mr. Meadows. [Presiding.] The gentleman's time is expired.
Mr. Horsford.--where it talks about ObamaCare----
Mr. Meadows. The gentleman from Oklahoma is recognized.
Mr. Horsford.--the loss of insurance and what this means.
This is not----
Mr. Meadows. The gentleman will suspend. The gentleman from
Oklahoma is recognized.
Mr. Lankford. Thank you, Mr. Chairman. Gentlemen, thank
you. This is not a day that is probably a fun day for you, you
probably didn't get up and go gosh, I can't wait for this day.
I get that, and I want to say thank you, because all of you are
professionals that have given to public service. You all could
make a lot more money in the private sector and you have chosen
to serve people. We all have differences on opinion on
direction and that kind of stuff, but I want to say thank you
to you as well for what you are doing, because you have made a
conscious choice in that.
Let me walk through a couple of things just to be able to
get to some of the reality on it. About an hour and a half ago
I went on my iPad, went to Healthcare.gov and hit this button
that says create account. It doesn't go anywhere. It just
changes colors and does nothing. So I reloaded on this and for
about an hour and a half I have just occasionally hit that
button.
This is the frustration, the struggle of a lot of folks out
there. Then you all have the frustration, we get that. We have
questions, though, as we walk through this process of now what
happens.
Mr. Park, you were asked a question earlier about the
November 30th time line. I assume Mr. Zients has laid that out
there at the end of November, when everything would be ready
and available. You said it is our goal. Can you give me more
specifics? Are we going to hit November 30th?
Mr. Park. Thank you for the question, and thank you for
your kind words at the beginning as well.
The goal that has been laid out is not for the site to be
perfect by the end of November.
Mr. Lankford. Functional, so people can log on?
Mr. Park. So that the vast majority of Americans will be
able to use the site smoothly. That is the goal we are gunning
for. We are working very hard to get here.
Mr. Lankford. So here is the issue. Around 5 million people
have received a cancellation letter. I have multiple
constituents that have sent me copies of their letters, all of
them end with, your insurance policy concludes December 31st.
If they cannot get on and log into the site by December 15th,
they will not have access to insurance January 1st and they
will be uninsured. People who are currently insured will not
have insurance as of January 1st.
So I understand the deadline is out there for March 31st,
and all this kind of stuff on it. Those individuals who have
received it by the millions cannot get insurance and on January
1st will be uninsured.
So I get that is the goal. But the reality is racing at us.
And the comment has been made on it that we are trying to fix a
plane that is in the air. I fully understand the complexities
of that. The challenge of it is that many of us had said, park
the plane for a year, let's get it right before we launch this
thing. That is not your fault, you all are dealing with the
realities that are on the ground. But that is something that we
are trying to communicate on this.
Mr. Chao, let me ask you something. September 27th, the
ATO, the authorization to operate, in some of the committee
staff that you had mentioned, that was a very long day as well,
you visited with committee staff on it. During that
conversation, there was a back and forth on this ATO coming out
that Mr. James Kerr and yourself, that you had edited there,
since Marilyn Tavenner. In that memo, you wrote, ``Due to a
system of readiness issues, the security control assessment was
only partially completed. This constitutes a risk that must be
mitigated to support the marketplace day one operations.'' You
were asked by staff, what are some of those risks that are out
there, that are kind of the unknowns on it, that have to be
mitigated. During that conversation, you had listed things like
unauthorized access, not encrypting data, identity theft,
misrouted data, personal identifiable information, those are
the kinds of the great unknowns of this, at that point.
Then, am I tracking this correctly? Do you remember this?
Mr. Chao. Yes. Those are examples that I was asked to
provide.
Mr. Lankford. Sure. The problem is that you are trying to
mitigate on things that you don't know. I understand about
mitigating on a risk. You mitigate on things that you know, is
that correct?
So on day one, Marilyn Tavenner is signing a document
saying, there are risks that are out there. Some of those that
you had listed, we are going to have to mitigate on those. Were
we mitigating for every possibility on it?
Mr. Chao. I think what you do is, on a risk-based approach,
you look at the probability of a particular risk occurring and
you prioritize. For example, one of the mitigation steps was to
conduct weekly security testing and to report back to the
Administrator on the result of that security testing.
Mr. Lankford. During that testing process, did you find
that some data was misrouted? Once it was launched? Are
insurance companies getting information that is incorrect?
Mr. Chao. There are cases in which insurance companies were
getting data that were not incorrectly routed to them, but
incorrectly formatted within the transaction.
Mr. Lankford. Do you know who briefed Marilyn Tavenner on
the security risks? Because obviously she had to sign off on
this document. Do you know who sat down with her and briefed
her on the security risks, here are all the things we are
trying to walk through?
Mr. Chao. It was our chief information officer and chief
information security officer.
Mr. Lankford. Two other quick questions. Is there a way to
be able to track what personal information any employees can
see while they are working on this? Obviously you had a lot of
contractors involved in this, now we have added even more
contractors trying to learn all those contractors, who they
even are. Is there a way to be able to track? Because now there
is personally identifiable information in the system as well.
Is there something in place that tracks what people who are
working on the back end of the site can see as far as
personally identifiable information?
Mr. Chao. Yes. There are system logs. For example, if you
call the call center and the call center representative is----
Mr. Lankford. I am talking about people working on the back
end.
Mr. Meadows. The gentleman's time is expired. You can
finish the question.
Mr. Chao. In certain cases, yes. Like if you are in a
testing environment. Very few people touch a production
environment. So they wouldn't even have access to that live
data. Sometimes when we use testing data, you want to see the
results, so you do have developers having access to that
information. But it is not live people's data.
Mr. Meadows. I thank the gentleman from Oklahoma.
For the record, Mr. Chao, I wanted to point out, those
items that you identified as particular inherent risks were
identified by you prior to the September 3rd memo that was
introduced. I know the gentleman from Virginia had indicated
that it was after that memo. But for the record, you indicated
those prior to that memo being introduced by committee.
Mr. Chao. I don't quite understand what you are trying to
say there. Because the question was asked, what examples, and
it was in the context of the September 27th memo. You are
saying September 3rd.
Mr. Meadows. You mentioned these risks because of the
failure to do integrated security testing.
Mr. Chao. I don't believe I said failure.
[Simultaneous conversations.]
Mr. Chao. This is the problem, I don't have the transcript
in front of me, I cannot confirm with you. I was not given an
opportunity to make corrections, if there were corrections to
be made. So you can tell me what you want, but all I can say is
to the best of my knowledge, I don't recall saying that. I need
to see my transcript.
Mr. Meadows. The gentleman from Vermont, the distinguished
gentleman from Vermont is recognized.
Mr. Welch. Thank you, Mr. Chairman.
First, I want to join Mr. Lankford in thanking each of you,
Mr. Powner, Mr. Chao, Mr. Baitman, Mr. Park, Mr. VanRoekel, for
the incredible effort that you are putting into trying to fix a
very serious problem. Thank you.
Second, you don't have to be an opponent or a supporter of
the health care law to acknowledge that there are significant
rollout problems associated with the website. Those of us who
are supporters, and I am a very strong supporter of the health
care law, are absolutely committed to providing the support you
need to make this thing work.
There are really four issues that we have that are rolling
around. One is, the website, what we have to do to fix it, and
it has to be fixed. Two is, what is the impact of these
cancellation notices that a lot of Americans are receiving.
They thought they had health care, they were assured that they
could keep the policy that they had. And the problem gets
compounded if the website is not working. And then third is the
individual mandate that is the subtext of the debate, but that
is essential to the law, but in order to make that work, the
website has to work. And the fourth is the IT purchasing, are
there some lessons that we can learn. I tend to think that it
is really important to move ahead on the Issa-Connolly
legislation.
So that is the context that we are in. You are here to help
us fix the problem. We have to get that done.
So I want to start by just asking you, Mr. Park, if you
could make some comments about, you would be repeating a little
bit, but what are the specific things we can do to get this
fixed? And I understand all of us would like to have a hard and
firm date where everything is going to be perfect. But what we
are dealing with is the real world, and we want it to be
functional for the vast majority of Americans. So what are the
ABCs that you need to do and hopefully not require you to sleep
on the floor in the office at night?
Mr. Park. Thank you so much for the question. The team is
taking all the right steps under the leadership of Jeffrey
Zients and Ms. Tavenner. So first of all, the team has
implemented monitoring across the site, improved monitoring to
actually understand performance of the system, and where are
the issues and where to focus.
Secondly, with the help of that data, the team has
undertaken an aggressive program of improvements to actually
improve the stability and performance of the site through
tuning, system configurations, capacity expansion, et cetera,
which has resulted in, among other things, the site being more
stable, system response times going down, as I mentioned, from
8 seconds to less than a second.
Thirdly, the team is working on functionality bugs. So high
priority issues with respect to the user interface and user
experience. And that is actually being pursued very
aggressively of course as well.
Then finally, there is a bunch of work underway to keep
improving the software release process. So you can actually fix
these issues faster and faster at a growing clip.
Then you have QSSI having been brought in by Administrator
Tavenner as the general contractor to manage this effort. And
so it is all moving at increasing speed.
Mr. Welch. How are we going to address the problem that Mr.
Lankford had getting on the website, where he hit the enter
button and it didn't work for an hour and a half?
Mr. Park. There has been a lot of progress on that front,
and many more folks can get in now than previously, through
both the ability for that particular component of the system to
handle more volume through capacity expansion and software
optimization. And also through bug fixes that have been
applied. But actually, if Congressman Lankford would be so
kind, I would love to follow up with you afterwards just to
understand your specific situation. And then we can actually
use that to inform the troubleshooting and the fixing.
Mr. Welch. I would really like it if you did, because that
is a fair question.
Mr. Lankford. If the gentleman would yield for just one
second.
Mr. Welch. Yes.
Mr. Lankford. It is pretty straightforward. I just got to
that page and hit the button, it changed colors and did
nothing. So it is nothing more than that, as far as moving in
to just to log in to create an account.
Mr. Welch. Mr. Powner, do you have some concrete
suggestions about what we can do as a Congress to make it more
efficient and more effective when we are making significant IT
purchases on behalf of the American taxpayer?
Mr. Powner. I have a couple very specific suggestions, and
I am going to go back to my oral statement. We are down in the
weeds on what needs to be done to fix it, and the program
management needs to be in place. But the IT dashboard, there
are 700 major IT investments. This is one of them. It was
green. Given the late start, the compressed schedule and the
complexity, does anyone think it was really a green project? I
don't think so. It should not have been green. There should
have been flags on the dashboard and better transparency.
The other thing is proactive governance. We look at the IT
reform plan, things in the FITAR bill legislation. Proactive
governance is very important. It is great and I am pleased that
Steve and Todd and everyone is involved now. But we need that
governance up front on important projects, not when things go
in the tank. We need it up front. It is the same thing with
when projects go in the tank, we get engaged with the
contractor more. Why don't we engage with the contractor,
engage with the right executives, up front instead of when we
have problems? I know there are a lot of projects and a lot of
priorities. But we need to find a way to tackle that better.
Mr. Welch. Thank you. I yield back.
Mr. Meadows. I thank the gentleman from Vermont. The
gentleman from Pennsylvania, Mr. Meehan, is recognized.
Mr. Meehan. I thank the chairman, and I too want to join in
this sentiment, that I appreciate that you are legitimately
trying to work on this. We all are. And I happen to chair the
Cyber Subcommittee on Homeland in addition, and have great
concerns and frustrations. I think I reflect many of the people
out there that with the concept of frustration, because in many
ways, when I talk to my folks at home, this isn't about a
website, it is about trust. It is about this inherent trust
that they have in the relationship with their doctor is now
being impacted. And the very trust they have in the ability for
this system not only to operate but to operate securely.
Now, I know this is sort of outside, I was stunned when I
heard the question the other day that the Secretary said yes,
we can have felons that are operating as navigators. What is
going to be done from this point forward to assure that no
felon will be used as a navigator anywhere in the United
States? Mr. VanRoekel?
Mr. VanRoekel. In the context of this system, that is sort
of a health policy decision, it is not a tech decision.
Mr. Meehan. Mr. Chao, is there anything that can be done?
Will you participate in getting something done?
Mr. Chao. I think CMS is actively performing background
investigations.
Mr. Meehan. Well, that is not what the Secretary said.
Look, please look into that for me. That is not my line of
questioning, but I move into this whole issue of trust. Again,
trust, we had Ms. Tavenner and you before our committee
testifying about the readiness in July and August of this, to
ready to go. I just look at the background of, this is the IG's
report to Congress on FISMA. One of the things that Ms.
Tavenner and you were talking about was compliance with FISMA
and therefore, when you look at HHS, the IGs came out, the
second worst score in every agency across government, HHS. A 50
percent compliance with FISMA. The second worst in all of
government.
So we are already dealing, again, with a question of trust.
So let me just get to the heart of our engagement. Because I
was so frustrated, I couldn't understand how an IG's report,
Mr. Chao, could have suggested that there were great concerns
about the ability to be ready in time to conduct the testing.
And you assured me at that time that they were on schedule and
you were going to meet all the requirements for the testing, as
did Ms. Tavenner.
Now, we were told before the marketplace systems were
allowed to operate, they had to comply with all of the rigorous
standards. Yet at the same time that you were testifying before
me, I had a Washington Post story that was saying staffers were
aware by late 2012 that the work of building the Federal
exchange was lagging. Employees warned at meetings late last
year and in January that so many things were behind schedule,
there would be no time for adequate end to end testing of how
the moving parts worked together.
So how was it done, then, that in this short time frame,
where their own employees are saying it couldn't be done, the
IG said that there were tremendous concerns about the ability
to do the testing, somehow the day before our committee had you
before us, there was a report from the Secretary that said, all
of our marketplace systems are allowed to operate and begin
serving consumers, and I am pleased to report that the Hub
completed its independent security control assessment on August
23rd?
Mr. Chao. The Hub was tested first, and it was completed in
August, as you mentioned. I think the remainder of August and
into September, we concluded the third round of testing for the
marketplace systems, particularly for the functions that were
needed for October 1st.
Mr. Meehan. How could you do the testing on the system?
Because you have reported, but here is the document that came
out from CGI. At the very time you were saying to me that this
was, this had been certified as complete, by the certifying
agency and Tavenner was here testifying that it was done, you
have at the same time an internal memo from CGI saying that the
FFM schedule was only 51 percent completed, on the same day you
are telling me that the certification has been finished. How
can you complete and certify when they haven't even built more
than half of the system?
Mr. Chao. I don't know what document you are holding, but I
am assuming that in August, 51 percent is about where we were
at. Remember, we still have other key functions, such as
payment, risk adjustment, reconciliation.
Mr. Meehan. How do you give certification when it is only
51 percent complete?
Mr. Meadows. The gentleman's time is expired.
Mr. Chao. Because you test the components, the parts of the
system that go into production and that are actually
interacting with the public.
Mr. Meadows. The gentleman's time is expired.
We recognize the gentleman from Massachusetts, Mr. Tierney.
Mr. Tierney. Thank you very much.
Mr. Chao, do you feel you have had adequate opportunity to
answer that last question? Or do you have other things you want
to add?
Mr. Chao. I think I got my last word in.
Mr. Tierney. Thanks. So earlier this morning, at the
beginning of the hearing, Chairman Issa asked you about the
anonymous shopper function. Do you recall that?
Mr. Chao. Yes.
Mr. Tierney. You said you had decided to direct CGI to
disable it because of defects, and Chairman Issa challenged you
and accused the White House of ordering the action for
political reasons. Do you recall that?
Mr. Chao. Yes.
Chairman Issa. Would the gentleman yield?
Mr. Tierney. No.
So during that phrase, also I think Chairman Issa handed
you a document, and I think it is probably still with you
there.
Mr. Chao. Yes.
Mr. Tierney. And the chairman gave you the document that
said it showed that there were no defects in the system. It
does say that the function is anonymous shopper, does say the
CGI said it tested successfully. Then he has blown up a box,
over a number of the other statements made on the right hand
side of that box. It just says 9/22 this feature will be turned
off on day one, October 1.
Now, I have given you a sheet there, I believe staff has
given you a sheet there that is clean from those boxes, and
just as the original document without the chairman's blowups on
there obstructing any of the other materials. Do you have that
document?
Mr. Chao. I think so. Is it this one?
Mr. Tierney. Yes. So that is the original document. On the
bottom right, will you read for me the last, the statement
there starting with defects identified?
Mr. Chao. Defects identified by CMS being treated as
critical target fixes for 9/12.
Mr. Tierney. And that is, in fact, what you testified to,
right, that you had found defects?
Mr. Chao. Yes.
Mr. Tierney. As you read up from that box, you found that
there were defects that you decided to disable the shopper
function and focus instead on plan compare?
Mr. Chao. Correct.
Mr. Tierney. Why did you do that?
Mr. Chao. Because if given the opportunity to choose a more
critical function, plan compare is much more critical in the
path of a consumer being able to enroll in health care as
compared to the ability to browse.
Mr. Tierney. So you thought that was the best priority and
you focused attention on that?
Mr. Chao. At that time, yes, given the CGI resources that
were available. And actually, there was a subsequent date, I
think, I would have to locate the documentation. We did do
another round of testing post-9/12 and it was still failing.
Mr. Tierney. So you disagree with CGI, they thought it
tested successfully and you instead had this ongoing belief
that it tested unsuccessfully, there were defects and that is
why you made the decision to switch your priorities to the
other?
Mr. Chao. Correct, because the report that I would look at
is from our ACA independent testers, not from CGI.
Mr. Tierney. And, in fact, that is why the shopper function
was disabled, correct?
Mr. Chao. Correct, based on the report from the independent
testers.
Mr. Tierney. So when Chairman Issa stated on national
television that the White House ordered you as CMS to disable
the shopper function in September for political reasons to
avoid consumer sticker shock, that is not true, is it?
Chairman Issa. I object. The gentleman may not
mischaracterize my statement.
Mr. Tierney. The gentleman may not object in the middle of
somebody else's questioning. If questions go through the chair,
which you don't currently occupy, and I will continue my
questioning of Mr. Chao.
Chairman Issa. Mr. Chairman, point of privilege.
Mr. Meadows. The gentleman is recognized.
Chairman Issa. The gentleman is repeatedly disparaging and
mischaracterizing what I have said. Could the chair please
direct all members, if they want to allege a quote, ensure that
it is a quote and not in fact a characterization that is
inaccurate, as the gentleman's is?
Mr. Meadows. The chair would remind each and every member
here to direct their comments, without personality, and
directing those comments to make sure that they are reflected
as to not make a personal attack.
Mr. Tierney. Well, that is well said. I don't know of any
personal attacks, so I assume you are directing that at
somebody else.
But I will read a quote on October 27th, from Chairman Issa
on national television. Here it is: ``Contractors have already
told us that, in fact, people represented that the White House
was telling them they needed these changes, including instead
of a simple 'let me shop for a program then decided to
register' they were forced to register and go through all the
things they have slowed down in the website before they could
find out about a price.''
The contractors the chairman referred to were CGI, but CGI
officials have denied ever saying such a thing. Nevertheless,
he went on to claim the White House, ``buried the information
about the high cost of ObamaCare'' in order to avoid consumer
``sticker shock.'' And that is not why you made the decision to
disable that program of anonymous shopper, is it, Mr. Chao?
Mr. Chao. Just as I answered before, absolutely not.
Mr. Tierney. Thank you. I yield back. No, I yield to my
colleague.
Mr. Cummings. I just want to address this to Chairman Issa.
When speaking to Mr. Connolly earlier, you referred to a letter
sent to you on November 6th. It is not a letter I sent jointly
with Mr. Connolly, so he did not read that letter. That letter
was about MITRE security testing document provided to the
committee. MITRE told us that like any website security
documents, they are sensitive, and their release potentially
could give hackers hints on how to break into the system.
So I asked you to treat those documents with sensitivity,
to consult with me before making them public. You tried to use
my letter to argue that the system is not secure, but that is
not what I said. Every security testing document for every IT
system, no matter how secure the system is, is sensitive. Every
security testing document could give ill-meaning individuals
help in causing mischief.
These documents do not mean there are problems with the
security of the system. I just wanted to clear that up. And I
yield back.
Mr. Tierney. I yield back as well.
Mr. Meadows. Thank you. The gentleman's time is expired.
Mr. Chao, I know that you have made a number of comments
with regard to your sworn testimony and what you recall or
don't. I would make it available to you for your reference
there at the desk, if you would like to have that, in case
there are other questions that are asked regarding that.
Mr. Chao. Thank you, but I probably would need some time to
go over it.
Mr. Meadows. So you need time to review what you have said
previously on the record?
Mr. Chao. It was nine hours worth of interview questions.
Mr. Meadows. Okay. As soon as the hearing is over, if you
would like to come back and review this, we will be glad to
make it available to you.
With that, I recognize the gentleman from Tennessee, Mr.
DesJarlais.
Mr. DesJarlais. Thank you, Mr. Chairman. Welcome. I know
that the hearing is getting long and there has been a lot of
questioning going on. But there is no doubt that the American
people want some answers about this huge investment in a
rollout of a website that certainly didn't go as planned. It
has been a learning experience, it has been an educational
experience.
Mr. Park, looking back, knowing what you know now, looking
at the rollout in October, give a letter grade to the rollout
of ObamaCare, A through F.
Mr. Park. That is an interesting question. In terms of the
rollout of the website, it has obviously been really, really
rocky. I kind of hesitate to assign a letter grade to it. But
it is what nobody wanted.
Mr. DesJarlais. I think the people appreciate honesty. You
don't have to fail it, but what do you think it was, A through
F?
Mr. Park. I think it depends on the user. There were some
users able to get through, and there were other users, a lot of
users who couldn't.
Mr. DesJarlais. So you are not going to give it a grade?
Mr. Park. I think that kind of oversimplifies it.
Mr. DesJarlais. Maybe. But there are a lot of people
watching who want answers. And this is a complex issue. So just
maybe for simplification, they would like to know that a lot of
people who are responsible for rolling this out don't think
that it went very well. To listen to this hearing, it doesn't
really sound like a lot of you think it was that abysmal of a
failure. This hearing started out with the ranking member
talking about how this is a Republican issue, how we are out to
destroy health care or the health care law, how we are trying
to repeal it, how we are trying to not have this hearing to see
if we can make this succeed.
Bottom line is, a lot of money was invested in this and
people do want answers. So it is complex, but yet in a simple
fashion I think people would like to hear that hey, we screwed
up.
Mr. Chao, could you give it a letter grade?
Mr. Chao. I agree with Todd that it is highly subjective.
Mr. DesJarlais. Okay. Fair enough.
Will anybody give it a letter grade?
Chairman Issa. Would the gentleman yield?
Mr. DesJarlais. Mr. Chairman.
Chairman Issa. Perhaps we could have it as a pass-fail, a
little less subjective.
Mr. DesJarlais. Yes, that would be less complicated. Would
you give it a pass or a fail, Mr. Park?
Mr. Park. Again, I don't want to reduce it to something
that--just to be clear, all of us are frustrated about how the
site rolled out. None of us think it went well. All of us think
it was incredibly rocky and we are incredibly focused on trying
to fix it and make it better. And it is getting better week
after week after week.
Mr. DesJarlais. Okay, so knowing what we know now, Mr.
Chao, you testified that you were given your marching orders,
but yet, I don't think the October 1st date was immovable.
Would you agree with that?
Mr. Chao. I don't have the luxury of determining what date
is movable or not movable. I was given October 1st as a
delivery date, and that is what I targeted.
Mr. DesJarlais. Knowing what you know now, would you have
pushed harder to have the date moved back?
Mr. Chao. That is pure speculation.
Mr. DesJarlais. How can it be speculation? You know what
you know now.
Mr. Chao. Because I wasn't in a position to choose a date.
Mr. DesJarlais. I am asking today, sitting here today,
testifying in front of this committee, knowing what you know
now, would you have pushed harder to move the date back?
Mr. Chao. I go by what I said.
Mr. DesJarlais. So you would let history repeat itself.
Mr. Chao. That is not what I said.
Mr. DesJarlais. Mr. Park, would you have----
Mr. Chao. That is not what I said.
Mr. DesJarlais. Okay, Mr. Park, would you, knowing what you
know now, ask to have this delayed or pushed back?
Mr. Park. I don't actually have a really detailed knowledge
base of what actually happened pre-October 1. I don't know what
levers were available. So I would hesitate to make any point
now.
Mr. DesJarlais. So once again, we spent over a half a
billion dollars of taxpayer money and no one who is responsible
for the rollout is willing to say that we should have done
things differently. The President doesn't know it, but first of
all, we were trying to save the American people from a bad law
by all that we just went through over the past few months. And
really, we were trying to save the President from himself. He
needed to sit down and talk with us about delaying this, and
nobody sitting on this panel, after seeing what a failure this
has been over the past month, is willing to step up and say,
yes, we should have delayed this. Is that what I am hearing? I
didn't give everyone a chance. Does anyone want to speak to
that?
Chairman Issa. Perhaps the GAO could comment on whether or
not this was a site that in retrospect should have been
launched on October 1st and serviced that full six people while
millions of people were unable to get through.
Mr. Powner. Clearly, knowing what we know now, a delay in
rollout would have made sense. But the thing is, we are not
privy to who knew what when in terms of the test results and
all that kind of stuff. That is where we don't have insight
into that.
Mr. DesJarlais. Okay, well, a lot of these regulations, Mr.
Chao, were delayed until after the election. Do you have any
reason why a lot of the regulations that probably caused a lot
of these problems were delayed until after the election?
Chairman Issa. [Presiding] The gentleman's time is expired.
The gentleman may answer.
Mr. Chao. I don't have the scope, it is not within my scope
to cover when regulations get released or not.
Chairman Issa. Does anyone know? Mr. Park, you were chief
technology. Mr. VanRoekel, your organization owned the question
of whether or not in a timely fashion these regulations were
created.
Mr. VanRoekel. No, that is actually a mischaracterization
of my organization's role. We and my team are tech policy
people, not health policy people related to regulations.
Chairman Issa. But whether the trains run on time, where
there are things implementing laws, isn't that what OMB does?
Mr. VanRoekel. My role in OMB is to set government-wide
policy to look at government-wide communication of budget.
Chairman Issa. So we should get the OMB director in here
and find out why after three and a half years things weren't
done so that this could be launched for the American people in
a timely fashion. I guess we could get a couple of OMB
directors.
The gentleman's time is expired. The gentleman from
Missouri is recognized for five minutes.
Mr. Clay. Thank you, Mr. Chairman, and thank you for
attempting to get answers to your questions on Healthcare.gov.
My questions today will focus on the Federal contract between
CMS to CGI Federal, to set up Healthcare.gov. If any other
witnesses, including Mr. Powner, care to comment on my
question, please feel free to jump in.
Mr. Chao, in your testimony today you stated that CMS
contracted with CGI Federal to build a federally-facilitated
marketplace system, including the eligibility and enrollment
system. According to the Washington Post, this contract is
worth $93.7 million.
How much money from this contract has already been awarded
to CGI?
Mr. Chao. I don't have the exact figures.
Mr. Clay. What incentives and disincentives were in the
contract for CGI Federal to successfully fulfill their contract
to roll out Healthcare.gov?
Mr. Chao. I think as with, starting at the highest level of
the Federal Acquisition Regulation has very specific guidance
about contracting and the contracting framework in which you
will then award IT contracts, with specifications for something
like the marketplace.
Mr. Clay. And they are still working on the website, CGI
Federal?
Mr. Chao. Yes.
Mr. Clay. And they have been paid how much to this point?
Mr. Chao. I don't have the exact figures in front of me.
Mr. Clay. And are you pleased with the product you received
from CGI Federal?
Mr. Chao. I think as Todd mentioned, we are all----
Mr. Clay. Look, we have a responsibility as an oversight
committee, and that is to protect taxpayer dollars. And so I am
asking specific questions about the taxpayers' dollars. Perhaps
Mr. Powner can shed some light on that. Have we paid CGI
Federal yet?
Mr. Powner. I don't know specifically what went to CGI. We
do know that the government has paid IT funding over $600
million. That is what we do know.
Mr. Clay. Okay, tell me about the structure of the
contract, then. If they perform, then they should get paid,
correct?
Mr. Chao. I think how this contract is formulated is that
there is a performance element to it. So there is a based set
of costs that are factored into performing the work.
And then during certain review periods, they could receive
a performance kind of incentive. But I would have to get back
to you on exactly how that works, because I don't run the
contract.
Mr. Clay. Would you share with this committee how they are
going to be paid for the work performed already? Are they still
working on Healthcare.gov? Since they messed it up in the first
place, are they still on it?
Mr. Chao. They are the contractor that does the
development, as well as ongoing operations and maintenance. So
yes, they are still working on it.
Mr. Clay. Mr. Powner, can you shed some light on this?
Mr. Powner. Yes. I would just like to say that we sit here
and talk about contractor fault, government fault, government
is at fault here too on the requirements point of view. It is
clear that from a requirement perspective there is fault on the
government side. Congressman Clay, we went through this with
the Census Bureau, with the handhelds, same situation.
Mr. Clay. Same situation.
Mr. Powner. Same situation.
Mr. Clay. But we corrected it.
Mr. Powner. Ill-defined requirements, we overspent, we came
in, fixed it. But it is the same situation, ill-defined
requirements, questions, there are all kinds of questions
across the board.
Mr. Clay. Okay. I have been told that this was simply lazy
Federal contracting. What are the failures of CMS in policing
the CGI contract to ensure that the rollout of Healthcare.gov
would be a success? What are the failures? Can anybody tell me?
I'm going to go back to CMS.
Mr. Powner. Executive oversight. I think there is a
fundamental question. There are to be investment boards in
place with these agencies and departments. The questions are,
what meetings occurred, who attended, what risks were
discussed, what follow-up occurred, how timely were those
meetings. That is really what we need to look at.
Mr. Clay. Well, and from a taxpayer perspective, these are
millions of dollars going to a failed product. I don't think
they are happy. And with that, Mr. Chairman, I yield back.
Mr. Cummings. Would the gentleman yield?
Mr. Clay. I don't have time.
Chairman Issa. I would ask unanimous consent the ranking
member have 30 seconds. The gentleman is recognized.
Mr. Cummings. Mr. Park, we have had a lot of bad news in
this hearing. Can you just again tell us where we are and the
progress we are making, you are making?
Mr. Park. It is the progress the team is making, I am just
a small part of the team. But the team is working really hard
to make progress week after week, just some numbers, which are
always helpful, right? As I mentioned previously, the average
system response time, which is the time it takes a page to
render a request to be fulfilled of a user was eight seconds on
average a few weeks ago, it is now under a second. Another
measure is the system error rate, which is the rate at which
you experience errors in the marketplace application. That was
over 6 percent a few weeks ago, now it is actually at 1 percent
and actually getting lower than that.
So really good progress, still much, much more to do. A lot
of work to do. But there is a system and a pattern of attack in
place, as I mentioned earlier, around monitoring, production
stability work, functional bug fixing and improvement of these
processes.
Mr. Clay. Would the ranking member yield?
Chairman Issa. The Chairman would yield to the gentleman
from Missouri.
Mr. Clay. Thank you, Mr. Chairman. Mr. Park, what
contractors are working on fixing the site? Isn't CGI one of
them, CGI Federal?
Mr. Park. CGI is one. And CMS of course is the manager of
all the contracts, they could give you the most comprehensive
answer. But CGI is one, yes.
Mr. Clay. Thanks.
Chairman Issa. I thank all of you, and Mr. Park, in case it
isn't said again in this hearing, we believe that what you are
doing today is important. I think what GAO has said is, there
wasn't a single point of contact, an expert in charge in a
timely fashion that would be accountable and coordinate that
would, if you will, sleep on their floor if that is what it
took, before October 1st. So that is the big reason we are here
today, but I think that is where GAO is making the point to all
of us that the next time there is one of these, we need to have
somebody, perhaps not of your stature, but as close as we can
come, there in the months and years preceding it.
We now go to the gentleman from South Carolina, Mr. Gowdy.
Mr. Gowdy. Thank you, Mr. Chairman.
Mr. Park, do you agree that there is a difference between
an innocent misstatement of a perceived fact and a deliberate
attempt to deceive?
Mr. Park. Yes.
Mr. Gowdy. So do I. When did you first realize that you
couldn't keep your health insurance even if you did like it,
period?
Mr. Park. Again, that is kind of a health policy matter,
that is really outside my lane.
Mr. Gowdy. You don't know when you first realized that you
couldn't keep your health insurance, even if you liked it,
period?
Mr. Park. I don't recall, no.
Mr. Gowdy. Would you agree with me that credibility or the
lack thereof in one area of life can impact credibility or the
lack thereof in another area of life?
Mr. Park. I suppose it could.
Mr. Gowdy. In your written testimony, you wrote, ``As you
know, October 1st was the launch date of the new website,
Healthcare.gov.'' And I did know that. I just didn't know why.
And I am going to read to you a quote from Secretary Sebelius.
She said, and I will paraphrase it initially, that she was
hurried into producing a website by October 1st because the law
required it. Now I will read you the direct quote. ``In an
ideal world, there would have been a lot more testing. We did
not have the luxury of that, with a law that said it is go-time
on October 1st.''
Mr. Park, I don't know what ideal world she is referring
to. So I am going to stick with the one we are in. What law was
she referencing? What law required this website to launch on
October 1st?
Mr. Park. I can't really speak for Secretary Sebelius.
Mr. Gowdy. I am not asking you to speak for her. I am
asking you, what law was she referring to? Is there a law that
required this website to launch on October 1st?
Mr. Park. Again, that is a health policy, legal matter.
Mr. Gowdy. It is actually a legal question. Do you know if
there is a law that requires this website to launch on October
1st, or do you know whether it was just an arbitrary date that
the Administration settled on?
Mr. Park. I actually do not.
Mr. Gowdy. Would you find that to be important, whether or
not we really had to go October 1st, given the fact that we
weren't ready to go October 1st? Would you find that relevant,
whether or not we actually had to launch a substandard product?
Mr. Park. Sir, I am, respectfully, just a technology guy.
Mr. Gowdy. Don't short yourself. You are the smartest one
in the room.
Mr. Park. That is not true, sir.
Mr. Gowdy. Trust me. I have been in this room for a while.
It is true.
[Laughter.]
Mr. Gowdy. There is no law that requires that. So what
Secretary Sebelius said was patently false. There is no law
that required a go-time on October 1st.
But I want to move to another component of her quote. Some
of us don't consider testing to be a luxury. But let's assume
arguendo that she is right, that additional testing would have
been a luxury that would have been nice to have. How much more
testing would you have done prior to launching?
Mr. Park. I am not even familiar with the development and
testing regimen that happened prior to October 1. So I can't
really opine about that.
Mr. Gowdy. Let me ask you this. Because you are the
smartest one in the room, and very good at what you do, where
the heck were you for the first 184 weeks? If you are being
asked to fix this after October 1st, in a couple of weeks,
where were you for the first 184 after the so-called Affordable
Care Act passed? Where did they have you hidden?
Mr. Park. Sir, in my role at the White House as USCTO in
the Office of Science and Technology Policy, I am a technology
and innovation policy advisor. So I had a broad portfolio of
responsibilities.
Mr. Gowdy. But you are obviously good enough that they
brought you in to fix what was broken. It has been called a
train wreck. That is not fair to train wrecks. It has been
called other things. They brought you in to fix it. Why didn't
they bring you in to start it? Why are you doing a reclamation
project? Why didn't you build it?
Mr. Park. I am part of an all-hands-on-deck effort to
mobilize across the Administration to actually help under Jeff
Zients' leadership. And in the lead-up to October 1, that
wasn't part of my role.
Mr. Gowdy. When will it be operational to your
satisfaction?
Mr. Park. We have a goal that the team is pursuing with
tremendous intensity.
Mr. Gowdy. How many more weeks? Because I am going to get
asked when I go home. I know you can appreciate that. I am
going to get asked. When will it be operational? When will it
be as good as it can get? Because you will concede the first
184 weeks did not go swimmingly. Is it going to be another 184
weeks?
Mr. Park. Sir, I think the honest answer is that there is a
team of incredibly dedicated public servants working hard on
it.
Mr. Gowdy. I get all that. I am looking for a number. We
can interpret the poem later. I am looking for a number.
Mr. Park. They are working hard to have the site
functioning by the end of this month smoothly for the vast
majority of Americans. That is the goal.
Chairman Issa. The gentleman's time is expired. I might
stipulate for the record that Mr. Park was at HHS at the time
of passage, and for that roughly first two years. So his
expertise does come out of the origin of ObamaCare.
Mr. Gowdy. My question, Mr. Chairman, was simply if he is
good enough to be brought in to fix it after the locomotive has
crashed off the mountainside, where in the hell was he for the
first 184 weeks when it was being broken? Why wait until it has
crashed? If he is a savant, and I am convinced he is, where has
he been? I know the Obama girl was missing. I think they found
her, actually, the lady from the website, I think they found
her. But where has he been?
Chairman Issa. The gentleman's time is expired. We now go
to the gentleman from Texas. Would the gentleman yield for just
10 seconds?
Mr. Farenthold. Certainly.
Chairman Issa. I want to make a statement, and Mr. Gowdy,
you are right on that they should have had the A team on this
and some of the people here today clearly were there for the
train wreck. I want to note that Mr. Park's duties did not
include overseeing this website, and I do appreciate the fact
that it appears as though in 60 days they are going to make
right what wasn't ready on October 1st. I think that is what
the gentleman wants to be able to explain back home, is that we
have been told that November 30th, this will work reasonably
well. In other words, a 60-day delay or less could have allowed
this to be launched in a timely fashion. I thank the gentleman
and ask that his full time be restored.
Mr. Farenthold. Thank you very much.
I do want to follow up on that, Mr. Park. There are a lot
of hedge words in there, vast majority of Americans, mostly
working. Am I going to be able to go to the IRS and say, it
didn't work for me, I couldn't get my insurance, I am not going
to be fined? You have to tell us when it is going to be in good
shape. Can you give us a date? Is the end of the month
realistic?
Mr. Park. The team is working really hard to hit that goal.
That is what I am able to say right now, sir.
Mr. Farenthold. As a former web developer, that is what I
was telling clients when we were going to miss a deadline, we
are working real hard to meet it. And I am a former web
developer, certainly nothing of this scope. But with $600
million I probably could have put together a team to do it, and
do a better job.
But I am not going to throw the contractor under the bus. I
think it is too much money, a lot of issues there. But one of
the biggest struggles we had when we were developing websites
was getting stuff from the client, whether it was their copy
for the text of the website or whether it was the
specifications. The copy we could change pretty quick, we could
just cut and paste it out of the email into an HTML editor or
content manager.
But when the actual specifications for how it goes change
up to the last minute, it is very difficult to do. Mr. Chao,
how late were there substantial changes being ordered to the
website? Do you have a time frame how long before that October
1st launch?
Mr. Chao. I don't think there were any substantial changes
ordered. It was more a standard practice of looking at how much
time you have left, watching your schedule very closely and the
priorities that are set by the business.
Mr. Farenthold. And then figuring out which corners to cut.
I want to follow up on a couple of questions that some
other folks asked that I didn't think got completely answered.
Mr. Jordan asked you, Mr. Chao, if it was thoroughly tested.
You said yes, it was thoroughly tested. Mr. Jordan didn't ask
the next follow-up question, how did it do on those tests, did
it pass?
Mr. Chao. If I said thoroughly, I apologize.
Mr. Farenthold. Maybe he said it was tested.
Mr. Chao. It was tested under the prescribed, we were
talking about security testing. So I was saying that it was
tested under the prescribed security controls.
Mr. Farenthold. And let me follow up with Mr. Park on
something Mr. Lankford asked. He was concerned about either
members of your team or other folks having access to sensitive
data. Those days you were sleeping on the floor, could you have
walked in to a server with a thumb drive and walked out with
people's personal information like Mr. Snowden? Are those
security risks there?
Mr. Park. No, I could not have. No.
Mr. Farenthold. That is a little bit reassuring.
Let me also ask Mr. Chao or Mr. Powner, with respect to the
private sector, if there is a data breach or a compromise, your
credit card information or your personal information gets
released, there is a Federal law requiring notice. I just got a
notice from a major software company that my credit card had
been compromised. Will we find out if our information on
Healthcare.gov is compromised? Is there a notice requirement?
Is there something in place? Will we know if that information
has been hacked and is public?
Mr. Chao. Yes, there are actually several laws and rules
that apply, particularly with disclosing any incident or breach
that involves a person's information.
Mr. Farenthold. Okay, so there are no special exemptions in
ObamaCare. We will hopefully find out.
Again, I am just concerned. We are at a time right now
where the trust in government has never been lower. We have the
whole NSA-Snowden incident, we have the IRS looking at people
for political purposes. You will excuse me if I am concerned
that we have a massive website that is a target for hackers
that a lot of people have information to that by definition
reaches out and touches the IRS and Social Security computers.
Whenever you connect computers together you open pathways to
hackers. So I am very concerned about the security issues. I
just want to make sure we are going to know if there are some
problems that they are not going to be swept under the rug for
political purposes.
Mr. Chao. We worked closely with Frank Baitman's security
operations at the Department level as well as extensive
computer testing.
Mr. Farenthold. And finally, Mr. Chao, you stated earlier
in your testimony that the anonymous shopping feature, which I
would love to see, I don't think it is even in place now, but
it was disabled before the election. We can talk about
political purposes or not.
Chairman Issa. I think the gentleman is saying before the
October 1st launch.
Mr. Farenthold. It was deleted. Why wasn't the October 1st
deadline pushed back because it didn't work? Why wasn't the whole
thing delayed? When you delayed the anonymous shopping part,
the part we all feel most safe about, going and finding out how
much it will cost without revealing personal information, you
delayed that, why didn't you delay the whole thing when you
knew it wasn't going to work?
Mr. Chao. I think anonymous shopper was a very narrow slice
of looking at what the tradeoffs would be in putting something
into production as opposed to----
Mr. Farenthold. Again, I am sorry, I am out of time. But I
do want to say, with my lack of trust in the Federal Government
now, I am loath to put my personal information in and would
love to shop anonymously, just like I did on some of the
private exchanges in Texas as I look for what I am going to
do about my personal health care. I don't think you have to give
up your personal information to get prices for something. You
don't have to do it on an airline website, you don't have to do
it on Amazon and you shouldn't have to do it on Healthcare.gov.
I yield back.
Chairman Issa. I thank the gentleman.
Is the gentlelady from New Mexico prepared to go?
Ms. Lujan Grisham. Yes, Mr. Chairman, I believe so.
Chairman Issa. You are recognized. Thanks for coming back.
Ms. Lujan Grisham. Absolutely, thank you.
Actually, before we start, I realize I wasn't here for this
statement, but I want to echo what my colleague Congressman
Lankford said about gaps in coverage. Coming from a State with
nearly 25 percent uninsured, two things have occurred. One,
people who as of October 1st couldn't get on the website and
are continuing to follow this issue very closely, their
individual or family plans expired or were expiring and so they
went off the exchange, because they can't get on, and purchased
brand new policies for another year. Unlike the small
businesses, they are in that now for a year. And they are
paying much higher rates than they would have could they have
gotten on the individual exchange, because New Mexico is a
partnership State.
Then second, as December 15th looms ever closer, we know
that that is another important deadline for many individual
plans. We have the same issue and I am very concerned about
that, and I appreciate that it was brought up. So I told you
about what we are working through. We have been fighting for a
long time in New Mexico to find ways to have access to
affordable coverage. I need, we need, my constituents need this
website to work. We need to enroll in the exchange. I know you
have heard all day long that we are all frustrated. They are
frustrated, I am frustrated. And while I wish that we had
better solutions for them earlier on, my biggest concern is
that we are reaching a critical point in the implementation
timeline.
In order to ensure that there is no gap in coverage between
plan years, individuals and families who would like to choose a
plan from the exchanges, as I said earlier in my remarks, have
to be enrolled by December 15th. Your stated goal of fixing the
website by the end of November leaves very little room for
error. And I know it is not easy. But while you are here, I
just want to make sure that for the record, we are emphasizing
that there is real urgency here.
Mr. Park, I think that you have a deep appreciation for how
transformative good technology can be. But I would like to know
if this is a time constraint that you are aware of, and also
more broadly if you feel the same urgency that I do about
getting the site operational for as many users as possible.
Mr. Park. Absolutely.
Ms. Lujan Grisham. All right, then, I can imagine that
leaving your office for at least an entire day would have
pretty important impacts on your work fixing the website. What
would you be doing if you weren't here today?
Mr. Park. I would be working with the team on the site.
Ms. Lujan Grisham. So Mr. Park, I wish that you were
working on Healthcare.gov, on the website, right now. And part
of this committee's job is to ensure that you have all the
tools and resources that you need to do your job. What else can
we do to assist you to get this done?
Mr. Park. Well, again, I am a small part of the broad team
that is working incredibly hard, led by Administrator Tavenner
and Jeff Zients, and the CMS team. I would say just one member
of the team who could be responsive to that. And there are
requests for assistance, that would be correct.
Ms. Lujan Grisham. Great. I think we are going to need more
clarity about that. I also agree with this committee's efforts
to talk about reforming IT procurement. I don't know if today
is the day to try to deal with those best practices. Given that
States do it poorly and the Federal Government is doing it
poorly and that we have spent millions I guess, the whole
Country analysis, billions of dollars on IT projects that
haven't done well anywhere in the public center. We have to
figure out a better way to do that. I hope that this committee
will continue to lead that effort in a bipartisan way.
But I want to go back to the situation that we are in. I
want to be results-oriented. I want to solve these problems. I
feel like we shouldn't be pulling a surgeon from the operating
room today. So thank you, Mr. Park. I yield back.
Mr. Park. May I just make one more statement?
Mr. Cummings. I just wanted you to yield.
Mr. Park. So do you yield?
Ms. Lujan Grisham. I do.
Mr. Park. I just wanted to actually not lose the second to
last thread that you started, which was IT procurement. I think
that is a phenomenally important issue. This committee has done
terrific work on it, I think you can actually do more. So I
would love to see a high energy bipartisan effort attacking
this issue from multiple dimensions. I know less about it than
many people on this committee. What I do know is that there is
not a single silver bullet. There are decades of practices and
rules and laws that have actually led to where we are now. But
I think with a concerted effort, high energy effort, bipartisan
effort that we could actually take this out and deliver better,
faster, higher return results to the American people.
Chairman Issa. I ask unanimous consent the gentlelady have
an additional 30 seconds. Without objection, so ordered. And
would you yield to the ranking member?
Ms. Lujan Grisham. Yes.
Mr. Cummings. Thank you.
Chairman Issa. The gentleman is recognized.
Mr. Cummings. I want to just get to the bottom line here.
What will happen is that people are sitting there, and I agree
with the gentlelady, looking at results, when we go back to
what happened with Lankford and he was trying to get on the
page, Mr. Park, and he couldn't get there, could you talk about
that for a minute? Because that is real.
And there are probably people watching us right now who are
trying to get on the page. Can you tell us what you are doing
and how that affects things like that? Because they have
reporters now that sit on telecasts, and they say, I waited an
hour, I waited two hours. So tell us how that relates to what
you are doing, so our constituents can have some kind of
assurances that things are going to get better. Do you follow
me?
Mr. Park. Absolutely, sir. Thank you for the question.
I will just answer it quickly, because I know we have
limited time. One, there have been dramatic improvements in the
ability to, as a consumer, create an account and get on the
site. And all the metrics that we are seeing, that has been a
function of basically improving the ability of that path so it
can handle volume through capacity expansion, software work and
also fixing bugs. So many, many more people are actually able
to get through now than at the beginning.
That being said, it is not perfect yet, so I actually would
really love to follow up with the Congressman to understand his
particular use case and dial that back to work with the team.
Also, there are folks who early on got caught in the middle
of that cycle and are stuck there. Those are folks that CMS is
now reaching out to, as we talked about earlier in the hearing,
to actually get them through the process cleanly. So it is an
issue that actually I think has been in large part addressed
but there is still work to do. I do want to follow up with the
Congressman and understand the specific use case he has had and
his situation so we can figure that out.
Chairman Issa. Thank you.
Now as we go to Mr. Massie, who from a standpoint of his
education and known IQ, could in fact rival you as the smartest
guy in the room.
Mr. Massie. No, I am from the trade school that is a mile
down the river from your arts school that you attended.
Chairman Issa. You had better share that with the rest of
the world.
Mr. Massie. I went to MIT, you went to Harvard.
Mr. Park. You could definitely kick my butt, sir.
[Laughter.]
Mr. Massie. Maybe we could share some numbers later. I am
sure we share an affinity for numbers.
But first I want to talk about the final security control
assessment that was prepared by MITRE, and just read a little
bit of that. It says MITRE was unable to adequately test the
confidentiality and integrity of the HIX access in full. The
majority of MITRE's testing efforts were focused on testing the
expected functionality of the application. Complete end-to-end
testing of the application never occurred.
So this was MITRE's final security control assessment. And
we are throwing around a lot of three-letter acronyms, HIX,
CMS, ATO. But I have a document that has CYA written all over
it here, Mr. Chao. You wrote a letter, and this is the final
ATO, or authority to operate, to Marilyn Tavenner, which she
signed off on. In this letter, you stated, ``Due to systems
readiness issues, the SCA,'' and that is security control
assessment, ``was only partly completed. This constitutes a
risk that must be accepted and mitigated to support the
marketplace day one operations.''
In this sentence here, and this was written on September
27th, or certainly signed off on September 27th, were you
trying to tell your boss that there is a risk and I am not
going to accept it, but you must accept this risk, we can
either delay the date or we can accept the security risk?
Mr. Chao. I think I was outlining more of a generalized
risk acceptance with a fairly significant rollout of the
marketplace system.
Mr. Massie. But that risk existed because there had never
been an end-to-end security test on this, is that true? That is
basically what the letter states here.
Mr. Chao. I think in previous testimony I have also said
that end-to-end is a highly subjective term.
Mr. Massie. If it is subjective, how are you going to get
it done in 60 to 90 days?
Mr. Chao. It depends on the scope of what you are trying to
put in production.
Mr. Massie. Well, the scope is, is our data safe? Is the
personal information that Americans enter into the system going
to be safe? For instance, in this same letter, and it is a very
short letter, signed by Marilyn Tavenner on September 27th, you
suggest that we conduct a full security control assessment, so
I will let you define what that is, in a stable environment,
which implies that you don't have a stable environment right
now, where all security controls can be tested within 60 to 90
days of going live on October 1st.
Here is what troubles me about this letter. You are
basically saying, look, we can go live but there are going to
be security risks. But let's test it on real people's data, on
real personal information. Let's test it for 60 to 90 days.
Mr. Chao. No, that is not what I said. That is not what the
memo alludes to. When we do security testing, we don't do it in
terms of using live people's data. We do security testing in a
pre-implementation environment prior----
Mr. Massie. Well, I would contend we are beyond pre-
implementation. We are testing this in the real market and it
is failing.
You said that the format of this ATO is not typical, is
that true?
Mr. Chao. It is true.
Mr. Massie. So you have never seen that sort of format
before. Is it a problem that you were not given the final
security control assessment prior to authoring the ATO,
authorization to----
Mr. Chao. I don't think that is necessarily a problem,
because my staff were copied on it.
Mr. Massie. But you didn't get to see it. You said,
actually I didn't get a copy of the final ATO.
Mr. Chao. Correct.
Mr. Massie. Those are your words.
Mr. Chao. Because I was with the information systems
security officer in Herndon when these tests were being
conducted. It was determined that there was no high finding----
Mr. Massie. As the person with responsibility for the
authorization to operate, I think you should have been at your
desk reading the final security control assessment.
Mr. Chao. I was there in person.
Mr. Massie. But I am glad to see that you covered yourself
by putting this sentence in here.
Mr. Chao. That was not to cover myself. That was a decision
memo between her and I.
Mr. Massie. Are any among you today willing to bet your job
that thousands of people's personal data won't be released
because of implementation of this website?
Chairman Issa. That is certainly a yes or no question.
Mr. Massie. That is a yes or no question.
Mr. Chao. They are trying to ask us to predict something
that security vulnerabilities are as, some folks have mentioned
before, it happens every day. That is why we do security
testing.
Mr. Massie. Obviously from the documents here, you weren't
comfortable with this, you were trying to transmit to your
boss, let me just read your words again, ``This constitutes a
risk that must be accepted and mitigated to support the
marketplace day one operations.'' In other words, to launch
this thing by October 1st you were telling your boss she is
going to have to accept some risks that are not normal for
this.
[Simultaneous conversations.]
Chairman Issa. Quickly. The gentleman's time is expired.
Mr. Massie. Okay. Mr. Park, we have Mr. Chao saying 17,000
users an hour can subscribe. And we have Mr. Lankford who has
been waiting for over an hour and a half. We have five orders
of magnitude difference between those two numbers. Which is
closer to the truth?
Chairman Issa. The gentleman may answer.
Mr. Massie. How many people an hour are able to enroll in
healthcare?
Chairman Issa. The gentleman previously said 17,000. Is
that correct?
Mr. Park. Seventeen thousand registrations for new account
per hour is the number that we have.
Mr. Massie. I imagine you have a war room somewhere where
you are directing these operations and you have some big
number. The only number that matters, how many are enrolling?
How many are enrolling right now per hour? Can you tell us?
Mr. Park. Actually what the war room tracks----
Mr. Massie. Just a number. Come on. We both love numbers.
Chairman Issa. Let the gentleman answer. Your time is
expired, please. It is a Harvard-MIT problem, I think.
[Laughter.]
Mr. Park. In terms of enrollment numbers, those are going
to be released by the Administration shortly.
Chairman Issa. I thank the gentleman. We now go to the
gentleman from Pennsylvania, Mr. Cartwright.
Mr. Cartwright. Thank you, Mr. Chairman.
The Affordable Care Act was passed into law in 2010. It
seeks to increase competition in the marketplace, to help bring
down health care costs. It ends the practice of denying
coverage to those with pre-existing conditions, bans annual and
lifetime limits on health care benefits, it also enables parents
to keep their children on health care until they are 26 years
old, and it makes small businesses eligible for tax credits to
ease the burden of employee coverage.
The law also works to strengthen Medicare and will make
prescription coverage for seniors more affordable. These tax
credits are desperately needed in my district, where nearly 9.4
percent of my constituents live below the poverty line; 70,000,
that is 10.5 percent, do not have health insurance in my
district, including 6,500 children. They will be able to
utilize the subsidies offered under the Affordable Care Act
finally to get health care.
Now, I also want to get to the bottom of what is going on
with this website, Healthcare.gov, and I support oversight
hearings for that purpose. However, this hearing, like so many
previous hearings this committee has held, is clearly an
extension of the politically motivated repeal or delay agenda
that some of my friends on the other side of the aisle have
been pushing since this law was first passed in 2010.
It seems to me that if the chairman really were so worried
about getting this website fixed, so that people could actually
access affordable health care, he would not have subpoenaed Mr.
Park to come in and testify today. In fact, Mr. Park agreed to
testify before this committee just two and a half weeks later.
But the chairman refused that offer and subpoenaed him anyway.
The chairman's subpoena, combined with the constant releasing
of partial transcripts, taking witnesses' quotes out of
context, it seems like it is part of a predetermined political
strategy rather than a constructive effort to conduct
responsible oversight as this committee is supposed to do.
In fact, although the chairman claimed otherwise in his
opening statement here today, the House Republican Conference
is politicizing this issue. And here is the proof. They have
issued a playbook to Republican Members, and they actually call
it that, a playbook, right on the cover of the thing. It
doesn't say how to fix problems with the website or improve the
process, or work to ensure Americans health care. It tells them
how to exploit any challenges or glitches for their own
political gain.
I am not saying all Republicans are doing this. But it
certainly seems to me in this forum that the chairman of this
committee is.
Chairman Issa. Would the gentleman like to place that into
the record? Because I haven't seen it.
Mr. Cartwright. Yes.
Chairman Issa. Without objection, so ordered.
Mr. Cartwright. It is my hope that we can have oversight
without this kind of gamesmanship and partisan politics as this
committee has been able to do in the past. I really would like
to get to the bottom of what is going on with the website,
because I want my constituents to be able to sign up for
quality, affordable health care.
Mr. Chao, on November 7th, Chairman Issa issued a press
release with the headline ``AACA Testing Bulletin:
Healthcare.gov Could Only Handle 1,100 Users Day Before
Launch.'' He then accused Jay Carney and Mr. Park of making
false statements to the American people by suggesting that
officials estimated capacity at about 60,000. That is what the
chairman said, ``Jay Carney is being paid to say things that
aren't so. But in this case, Todd Park and other people who
knew the facts, who had to know the facts, and the facts were
from documents we received from lead contractors that slowed
down to an unacceptable level at 1,100 users. Well, in fact,
Todd Park was telling us that at 60,000 was the target and at
250,000 they just couldn't handle it.''
As the basis for that allegation, the chairman quoted from
a testing document that he released which says this, ``Ran
performance testing overnight in IMP1B environment, working
with CGI to tune the FFM environment to be able to handle
maximum load. Currently we are able to reach 1,100 users before
response time gets too high.''
Mr. Chao, it is my understanding that the IMP1B environment
was only a sample testing environment, not a test of the full
production capacity of the entire website. Am I correct in
that?
Chairman Issa. The gentleman's time has expired, but the
gentleman may answer.
Mr. Chao. You are correct, the what we call implementation
1B environment is about 10 percent the size of the full
production environment.
Mr. Cartwright. Thank you. I yield back.
Chairman Issa. I thank you. We now go to the gentleman, Mr.
Meadows. Mr. Meadows, would you yield for just 10 seconds for a
comment?
Mr. Meadows. Certainly, Mr. Chairman.
Chairman Issa. I never could quite understand how this
thing could handle 60,000 simultaneous users but only do six in
a day. So maybe unlike some of the smart people here, I just
don't get it. But six in a day doesn't seem like 60,000
simultaneous users. I thank the gentleman.
Mr. Meadows. Thank you, Mr. Chairman, and thank each one of
you for coming to testify. Mr. Park, you are not old enough
probably to remember this, but I remember the Six Million
Dollar Man. You are now the $600 million man, because you are
coming in to fix all this. So we are hopeful that you, based on
the people that I represent, that you are successful by
November 30th.
We do want to ask you, though, how do we define success?
Because the talking points are all that it is going to be fixed
for the vast majority of Americans as they go on. And we see
Mr. Lankford here, he can't get on. So what is success? Is it a
98 percent without wait time? How do we define success so on
December 1st, we will know whether you were worth $600 million
or not?
Mr. Park. Thank you for your comments and your question.
First of all, I am just a small part of the team working to fix
this.
Mr. Meadows. So what is success?
Mr. Park. Success is, first of all the site will most
definitely not be perfect.
Mr. Meadows. But when the President asks you, were you
successful, how do you define success?
Mr. Park. First of all, on a system that is stable, so it
is actually up and running consistently.
Mr. Meadows. What percentage of the time? Ninety-eight
percent of the time?
Mr. Park. One proxy that we are using actually is, for its
performance in general is response time and error rate. And if
the system actually has issues and goes down then actually
these things can then exacerbate those rates.
Mr. Meadows. I am going to run out of time. What I would
ask you to do is, for the record, get to the committee what we
can look to so we can disseminate to all of America on what
success is, so on December 1st, we will all know.
Mr. Park. I will take that back, absolutely.
Mr. Meadows. All right, thank you.
Mr. Chao, much of your testimony is, I have read some of
your testimony and it seems to be a little different. But I
also know that you had several meetings, ongoing meetings with
White House staff over this process, is that correct?
Mr. Chao. I accompanied Marilyn Tavenner and other
directors, such as Gary Cohen.
Mr. Meadows. So how many times were you at the White House?
Mr. Chao. Over the course of three years, maybe less than
two dozen times.
Mr. Meadows. Because the logs suggest 29 times, is that
correct? Would that be in the ballpark?
Mr. Chao. That might not be accurate, because some meetings
were----
Mr. Meadows. Who conducted these meetings? Jeanne Lambrew?
Mr. Chao. I believe her name is pronounced Lambrew. There
were meetings conducted by her. Also, I met with Steve
VanRoekel.
Mr. Meadows. In those meetings? So you all were a part of
those meetings?
Mr. Chao. No, Steve chaired a----
Mr. Meadows. I am asking about the White House meetings. So
there were 29 White House meetings of which you had this group.
Who were the people in the room? Were you in there?
Mr. Chao. I am not trying to be difficult, but there are
different parts of the White House. There is a White House
conference center.
Mr. Meadows. Okay, the meetings with Jeanne, she was
leading, the 29 meetings, about two dozen.
Mr. Chao. That was probably less than a handful.
Mr. Meadows. Okay. I guess my question is, I am a little
confused how the President would be surprised that this was
such a debacle on October 1st if you all were meeting regularly
with the White House. Why would they be surprised on October
1st that it didn't roll out the way everybody thought it
should?
Mr. Chao. I think the subject matter, at least with my
attendance being there, was to discuss things such as the
status of the Hub development.
Mr. Meadows. So did anybody express concern that there was
a problem, that October 1st there was going to be a problem?
Mr. Chao. No.
Mr. Meadows. There was no one in that room? We had all the
brightest minds in the world in this room and no one
anticipated a problem on October 1st?
Mr. Chao. They were highly specific issues, such as working
on 6103 requirements with IRS, Privacy Act implementation with
SSA, they are very operationally specific.
Mr. Meadows. So you all weren't meeting on how the website
was going to work?
Mr. Chao. Not meetings--my meetings were more operationally
focused about implementation.
Mr. Meadows. So it is plausible that the President would be
surprised that this wasn't going to work, based on those
meetings?
Mr. Chao. I wouldn't know that.
Mr. Meadows. So who would have been in the best position to
be able to advise the President that we were going to have this
unmitigated mess? Anybody in that room? Who should we bring
back here, I guess is what I am saying, Mr. Chao, that can help
the American people understand why this was such a fiasco?
Mr. Chao. I really don't have an answer to that.
Mr. Meadows. Mr. Chairman, I yield back. It is amazing how
we could find how you can't answer a simple question for the
American people.
Mr. Chao. I don't think that is for me to decide.
Mr. Meadows. I asked the question. It is for you to answer.
Mr. Chao. Okay, so my answer is, it is not really for me to
decide.
Chairman Issa. Mr. Meadows, your time is expired and I
strongly suspect that as is often said in politics, success has
many fathers, quite a few mothers, plenty of relatives, but
failure is an orphan. You are going to find an orphan here, if
I have ever heard or seen one.
With that, the patient gentleman from Massachusetts, Mr.
Lynch, is recognized.
Mr. Lynch. Thank you, Mr. Chairman.
I want to thank the members of the panel for coming forward
and their willingness to help the committee with its work.
I do want to say just at the outset that my experience in
Massachusetts with the Massachusetts health care, so-called
RomneyCare, that was a precursor to this in many ways, I am
speaking of the Affordable Care Act, also rolled out very, very
slowly. That is my experience, being on the ground in
Massachusetts when that plan went forward. So it was very slow
in ramping up. Of course it didn't have the urgency of this
program. It was sort of planned that way.
I also remember the Medicare Part D Act, which was a
Republican initiative, also rolled out extremely slowly. I know
a lot of my seniors, I had to do 16 town halls around my
district to try to tamp down the backlash because of the
slowness of how that was ramped up. So this is not, this
experience is not out of line with those other two programs. So
I just wanted to make that note.
I have had a chance to go out and talk to some of the
outreach workers. A lot of the outreach on the Affordable Care
Act in my district is being conducted through the local
community health centers. I have basically an urban district.
So the health center employees are going out and signing people
up.
One of the concerns that they have raised is that the
Affordable Care Act is so focused and sort of facilitated by an
email address. People have to have an email address in order to
interact with this whole thing. If you look at the demographic
of the 31 million people who we are trying to get health care
to that were not receiving health care before, the poor, the
elderly, that is a high correlation between folks who didn't
get health care before and don't have an email.
So the outreach workers, when I said what is your biggest
problem, they said, well, when we are working with the elderly
and we are working with low income families, the poor, they
don't have an email address. And the system we have is
basically, it requires an email address. To do it otherwise, to
scratch that itch, we are somehow going to have to close that
gap. Because a lot of these folks don't have email addresses
and yet they are the very people that we are trying to get
health care to.
Has any thought been given to, look, this was supposed to
be the easy part, getting people up on the grid. I am not
talking about making health care affordable or high quality
health care or making sure access is there. Just getting up on
the grid, this was supposed to be the easy part.
So I am concerned, I am concerned about where we are today
and where we need to get to in order to meet any definition of
success. So what are we doing about those people, who don't
have an email address because they are poor or elderly, they
are not on the grid? How are we going at them? Anybody got an
idea?
Mr. Chao. We do operate call centers. We have 12 call
centers in which people can work with a live person online to
fill out the application and to go through their determination
process and to select a plan.
Mr. Lynch. Yes, but at least the workers I have talked to
have said it is like 31 or 34 pages. Do they have to go through
a 34 page application on the phone?
Mr. Chao. I think what happens, the call center experience
is, isn't you are necessarily filling out a paper application.
You can start that way and submit it that way. But I think you
can also start with a call center representative.
Mr. Lynch. Well, I am not so sure that is working. That
might be part of our problem. I have a district where I have a
lot of seniors, a lot of folks that are struggling. So we have
to figure that one out.
Mr. Chao. We can certainly confirm that, that process or
that procedure.
Mr. Lynch. That will help.
The other situation is this. At the same time that we are
trying to get this up, get people on the grid, we have
employers that are making decisions not to continue health care
plans for their employees. So they are unplugging and they are
sending people to the exchanges. So I have employers out there,
a lot of them in the construction industry, that are saying, I
know I used to provide health care for you, but now I want you
to go to the exchanges and get them. So they are unplugging,
they used to provide health care. And now these employees in
the construction industry are trying to plug in. And they are
having these problems.
I am wondering, is there any way to sort of make sure that
that unplugging doesn't occur until we have a platform that we
are confident people can plug into? I think there is going to
be a gap here. It concerns me greatly that we have so many
people in the construction industry that are, and I have met
with union employers, about 50 union employers and about 35
non-union or open shop employers that are both having the same
problem. I think there is a mismatch in what is going on here,
where the employers are disengaging and sending their employees
to the exchanges. And when they try to go to the exchanges,
they are having problems signing up. I am wondering if there is
some corrective action that we might be able to take, either
delaying the process for employers to disengage or just giving
people time to hook into the system that is not ready for prime
time.
Chairman Issa. The gentleman's time is expired. The
gentleman may answer. If the gentleman would yield just
briefly?
Mr. Lynch. Sure.
Chairman Issa. I was hoping you would suggest the question
of, can't we do this by mail.
[Laughter.]
Mr. Lynch. That is an inside joke.
Chairman Issa. But in all seriousness, the fact is that if
somebody doesn't have email capability, why couldn't they make
a call to a call center, receive those many pages, fill out
that paperwork, return it in a self-addressed stamped envelope,
so that in fact the Post Office could ensure that the elderly
people not comfortable with email and so on.
Mr. Lynch. Well, it is just my thought, and I won't take
longer time than you did, but I know that generally, we are
trying to get away from a paper process. So I suppose as a
little inefficient it might be necessary, but it is not the
ideal now.
Mr. Chao. Could I just answer that? It is not really, we
are not considering that as a last resort, because paper is a
last resort, but we do make accommodation, if you want to start
the process in paper, you can, and then mail it in to our
eligibility support worker contract, which will then take you
through the rest of the process.
Chairman Issa. I thank you.
And with that we go to the gentleman from Michigan, Mr.
Amash.
Mr. Amash. Thank you, Mr. Chairman. I am going to yield my
time to my friend, the gentleman from Ohio, Mr. Jordan.
Chairman Issa. The gentleman from Ohio is recognized, and
without objection, the gentleman from Ohio will be able to
control the time.
Mr. Jordan. I thank the gentleman for yielding.
Mr. Park, Mr. Meadows asked the pertinent question. There
were a series of meetings held at the White House, weekly
meetings that were presided over by folks in the White House.
Mr. Meadows asked who were those people who need to come in
front of this committee who can answer the questions. The
questions like, why didn't you know that the security
assessment wasn't completely done end-to-end testing? Who can
answer the questions about why you decided to go ahead and
launch this on October 1st?
And we know who that person is, because according to the
Washington Post story, November 2nd, a memo that they got from
David Cutler spells it out. Mr. Cutler said, we need to put
someone from the private sector in charge, someone who has run
a business, someone who has that kind of experience and
expertise. And the President said no, he had already put in the
article, he had already made up his mind, Nancy Ann DeParle is
that person.
So that is the person we need, Mr. Chairman.
And Mr. Cutler also points out, Mr. Meadows referenced this
as well, according to the memo, the overall head of
implementation inside HHS was Jeanne Lambrew. So those are the
two people we need. Would you agree, Mr. Park, they need to
come here and tell us what took place, why these decisions were
made, why it was done the way it was done, these are the two
key people? This is the lady the President said, no, that is
who I want in charge. Even though Peter Orszag, Larry Summers,
Zeke Emanuel and David Cutler said, put someone else in
charge, the President said, no, I want Nancy Ann DeParle in
charge, don't you think she should come in front of this
committee, Mr. Park?
Mr. Park. Respectfully, I can't really speak to that, sir.
Mr. Jordan. I know. We are probably going to have to do the
same thing for her that we did for you, we are going to have to
subpoena them. Because yesterday, last week, the Chairman and I
sent a letter to the White House asking that simple question,
would Ms. DeParle, the person hand-picked by the President to
run this operation, would she come in front of this committee
and testify about this disaster this rollout has been, and
would Ms. Lambrew come as well. And the response we got back
yesterday from the White House was, thank you for inviting us,
but we are not coming.
So it looks like we are going to have to do the same thing,
Mr. Chairman, that we had to do with Mr. Park, to get the two
key people to come here.
Now, according to White House logs, Mr. Chao, you testified
you had been there between 10 and 29 times to these meetings, and
Mr. Park, nine times according to White House logs, you have
been to nine of these where Jeanne Lambrew ran the meeting. Is
that correct, Mr. Park, you went to the White House when Ms.
Lambrew ran these weekly meetings?
Mr. Park. I can't verify that.
Mr. Jordan. But that is what the visitors log says. Were
you in meetings with Nancy Ann DeParle and Jeanne Lambrew at
the White House?
Mr. Park. From time to time, yes.
Mr. Jordan. And of course the meetings were about the
rollout of the Affordable Care Act and the website?
Mr. Park. As I recall, there were different kinds of
meetings that I attended from time to time.
Mr. Jordan. Were they about ObamaCare, Mr. Park?
Mr. Park. They were about the Affordable Care Act.
Mr. Jordan. Right. And what is your official title? You are
head of information technology for the entire United States?
That is your title? So I assume it was about information
technology, correct?
Mr. Park. No, actually, sir, first of all, I am a
technology and innovation policy advisor in the Office of
Science and Technology Policy. So I am not the head of IT for
the U.S. Government, just to clarify. And I can't actually
recall, like for the meetings, what particular topics were
discussed, off the top of my head. So unless there is more
specificity.
Mr. Jordan. At any time during these nine different
meetings you had, or more, for that matter, meetings you had,
was the rollout of ObamaCare discussed and the concerns about
this thing not being ready on October 1st?
Mr. Park. Again, without more specificity----
Mr. Jordan. Mr. Chao, on these meetings, who ran the
meetings that you attended 29 times at the White House? Who was
in charge of running the meetings then? Were any of those
meetings run by Ms. Lambrew or Ms. DeParle?
Mr. Chao. I don't think it was 29 times.
Mr. Jordan. You testified between 10 and 29. So whatever
the numbers, in those meetings when you were at the White
House, were any of those run by Jeanne Lambrew or Nancy Ann
DeParle?
Mr. Chao. One was run by Nancy Ann and one, just a couple I
attended that was with Jeanne Lambrew. And as I mentioned
before, my role was to provide a five-minute status on Hub
development.
Mr. Jordan. I am not worried so much about your role. I
just want to establish the fact that you were at the White
House between 10 and 29 times. Mr. Park was there nine times.
Mr. VanRoekel, how many times were you in these weekly meetings
at the White House?
Mr. VanRoekel. I don't recall. I didn't attend any weekly
meetings.
Mr. Jordan. Were you in any meetings with Jeanne Lambrew or
Nancy Ann DeParle?
Mr. VanRoekel. I have been in the company of those two
people.
Mr. Jordan. Regarding the Affordable Care Act?
Mr. VanRoekel. Maybe once or twice.
Mr. Jordan. Okay. Mr. Chairman, my time is expired. But
those are the two people, those are the individuals that need
to come in front of this committee. And we can't accept the
fact that we get a letter from the White House that says thank
you, but we are not coming.
Chairman Issa. I thank the gentleman. I would note for all
members that there is a vote out on the Floor. We are going to
go until the very last minute. What I would ask is, if Mr.
Bentivolio or Mrs. Lummis, do either of you have specific
questions for Mr. Park?
Mrs. Lummis. I do not.
Chairman Issa. Then Mr. Park, because we would otherwise
keep you for longer than I think is necessary, I want to thank
you for being here. I apologize to the other witnesses, you get
to stay through the vote. But Mr. Park, you have been a very
cooperative witness. I appreciate your being here. I believe
you are being here as a person we are going to look to to get
this right by November 30th. It was critical I appreciate your
being here and without objection, you are dismissed.
Mr. Park. Sir, just one more request?
Chairman Issa. Sure.
Mr. Park. Would someone send me contact info for
Congressman Lankford, just so I can follow up?
Chairman Issa. We will have that contact information given
to you. I will do one other thing quickly. If when you go back,
since you are a Federal employee, go to the FEHBP website. What
you will find there in a .pdf form is a spreadsheet. Now, Mr.
Chao seems to think that it was not important to give people a
shopping list. But I will tell you, if you are Federal
employee, postal or non-postal, you can go to that website, you
can look at every single plan and it will tell you how much the
annual rate is, the bi-weekly rate, how much your government
pays for you and how much you will pay by plan.
Now, that doesn't let you endlessly look at the details of
the plan. But for 230-plus plans spread over not just 50 States
but the District of Columbia and Puerto Rico, we provide this
to the Federal workforce. I might suggest that if you can't get
some form of legitimate, open shopping list up quickly, that
currently telling people what their rate is, if they are 27 or
50, is disingenuous, because it distorts what the real rates
are. And that a splash page like this, or a .pdf, so people
could look at all the plans, and by age, depending upon what
their age is, they would know what the rate is, could be done
in a matter of hours by a tenth grader.
And that might suffice until this program is available.
Mr. Chao. Can I make a comment really quickly? In my oral
remarks, I mentioned that we are working on a premium
estimation tool that will give you more details than just the
very coarse under 49, over 50, so that you can browse plans. We
are working on that.
Chairman Issa. But understand, your under 50 is 27, your
over 50 is 50. That misstates, because it is age-based, it
misstates the truth. If you were picking it, you should have
picked 64 and 29, and you would have gotten much higher rates,
if you are going to give anecdotal. But the truth is, a simple
spreadsheet that Microsoft, forget about Microsoft, Supercalc
could have given you that spreadsheet before many of my staff
were born. And that could have been made available very
quickly.
So I might suggest that the American people deserve to know
that a plan based on their age is X amount and a free look
would be very helpful. I commend you to look at FEHBP and what
we do for ourselves as Federal employees.
And with that, I am going to go to the gentleman from
Michigan, I believe we have time. Mr. Bentivolio.
Mr. Bentivolio. Thank you very much, Mr. Chairman.
Gentlemen, are you familiar with Brooks's law? Anybody?
Brooks's law? That is the first thing you learn in software
development. You need to divert developers to training new
developers you added to the project, which kind of tells me
that November 30th rollout is another hope and a dream.
Are you familiar with this, Information Technology,
Critical Factors Underlying Successful Major Acquisitions,
dated October 2011, nine best practices?
Mr. Chao. I think I perused it.
Mr. Bentivolio. Oh, good. So you are familiar with, well,
you perused it, you didn't study it, apparently you didn't.
Mr. Chao. I was busy working on the marketplace program. So
I don't have a whole lot of time to read a lot of other
materials.
Mr. Bentivolio. Are you familiar with this fix that you are
putting in for ObamaCare, you are diverting people that
understand the software to train people, additional people to
come in and fix the problem?
Mr. Chao. Yes, I think that is what is happening now.
Mr. Bentivolio. You think. Okay. I am going to list three.
Program officials, three of the nine best practices essential
to IT, which you did not implement. Program officials were
actively engaged with stakeholders, ObamaCare rollout
apparently lacked senior oversight for most senior technology
officials, including Federal CIO, Federal CTO and HHS CIO.
Mr. Powner, what should we take from this report?
Mr. Powner. Clearly, those are best practices. What we did,
that was a report that we did, we always report on failures. So
we actually went to ten agencies and we asked them for a
success story. So there are seven successful acquisitions in
there and we asked why they were successful. None of that is a
surprise. It is defining your projects right up front, putting
the right people in charge, good communications with
contractors and managing best practices throughout the life
cycle.
So it is something everyone at this table knows needs to be
done on successful acquisitions. Mr. Chairman, I think FITAR
and where we look at the acquisition process, and the whole
bit, that is fine, that is going to be very helpful. But a lot
of this just gets down to solid governance and good management
and the right attention on these projects. That is what those
practices really highlight.
Mr. Bentivolio. Thank you. Mr. Chairman, I would like to
yield the rest of my time to Mr. Meadows. Thank you.
Chairman Issa. The gentleman is recognized.
Mr. Meadows. I thank the gentleman from Michigan. And I
have a question. I have been running the numbers, and my
understanding is, we are creating this site to create a system
that is available for 17,000 users per hour, is that correct?
Mr. Chao. The way it was described is that the first part
of the process is, you have to register for an account. That
current capacity is running at 17,000 registrations per hour.
Mr. Meadows. So what are we building the system to be able
to handle in terms of capacity, 17,000 or higher than that?
Mr. Chao. It is approximately 48,000 to 58,000 users in the
system. By that I mean you could be on the learn side just
looking at static web pages to actually actively filling out an
application.
Mr. Meadows. What is the smallest end of the conduit? What
truly is it, 17,000, 25,000 or 43,000? What is our smallest
ability in terms of volume to handle in terms of capacity?
Mr. Chao. I think right now there is about, on average,
somewhere between 22,000 to 25,000.
Mr. Meadows. So that is what we are building the capacity
to, 25,000?
Mr. Chao. Per hour it is sitting right around that.
Mr. Meadows. And that is what we are building it to, that
is the specs?
Mr. Chao. Actually a little exceeding that. For example,
the front part, identity management part, we are going to apply
some improvement that is going to go to 30,000 registrations
per hour.
Mr. Meadows. Let me tell you the reason why I ask. I have
done the numbers. If you take the number of uninsured Americans
that are out there, and if they got on the system today, 24
hours a day, which we know doesn't happen, it would be 43,000
people an hour. So we are building a system that won't even
take care of the uninsured people that we have right now. So
how are we going to be successful?
Mr. Chao. I would like to look at your calculations.
Mr. Meadows. It is 50 million people, you can do it over
the next 48 days.
Mr. Chao. I don't think the estimates were there.
Mr. Meadows. I know the estimates weren't there. But if you
do the math, that is what works. I yield back.
Chairman Issa. I thank the gentleman, and I am sorry that
you have to look at his figures, that in fact the burn rate
necessary to get done wasn't understood from day one, and the
surge requirement at 4:30 in the afternoon or 5:30 in the
afternoon Pacific Time wasn't in fact what you were looking at.
I know Mr. VanRoekel would understand that you need two or
three or four times the highest capacity to deal with when
people actually are going to log on and try to do it.
Mrs. Lummis is recognized.
Mrs. Lummis. Thank you, Mr. Chairman.
Mr. Chao, you said that NIST defines high risk as a
vulnerability that could be expected to have a severe or
catastrophic adverse effect on individuals or organizational
operations or assets. I want to focus on the part about the
severe or catastrophic adverse effect on individuals.
Is it true that there were two high risks that continue to
be found related to the marketplace information systems that
you weren't told about at the time?
Mr. Chao. I think you are referring to the September 3rd
authorization to operate.
Mrs. Lummis. I am.
Mr. Chao. Those two findings were, I think earlier in the
hearing today, we clarified that that was dealing with two
components of the marketplace systems that deal with plans
submitting dental and health plan information, qualified health
plan, and didn't involve any personally identifiable
information.
Mrs. Lummis. The memo I have is redacted. So it doesn't, I
don't have the information that you just testified to because
of the redactions in the memo. So maybe that is correct, maybe
it is not. Are you testifying that that is absolutely what it
is about?
Mr. Chao. Yes, because I saw an unredacted version that was
handed by committee staffers to me last week. And if it has
been redacted, it has been redacted by someone else.
Mrs. Lummis. Did one of the risks outlined in this memo
pertain to the protection of financial or privacy data?
Mr. Chao. I don't have it right in front of me. I think
there was an appendix section. But I don't recall seeing that.
Mrs. Lummis. So you don't know whether financial and
privacy data were outlined as a risk in this memo?
Mr. Chao. I don't believe so, because it dealt with our
plan management or our qualified health plan submission module,
which are data that is submitted by issuers and dental
providers.
Mrs. Lummis. Is it true that the internal memo, this memo,
outlined one of these risks as the threat and risk potential
are limitless?
Mr. Chao. No. I think it is referring to a very specific
type of risk when you allow an upload of a file that has an
internal macro that runs. But it is not about people. This is
not personally identifiable information.
Mrs. Lummis. What is it about?
Mr. Chao. It is plans submitting their network adequacy. It
is basically worksheets that contain information about the
benefit data that each issuer submits.
Mrs. Lummis. Okay. I am going to switch gears. Mr. Chao,
did you brief White House officials prior to October 1st about
the status of the website?
Mr. Chao. No, not directly about the website.
Mrs. Lummis. Who did?
Mr. Chao. I don't know.
Mrs. Lummis. Mr. Baitman, did you?
Mr. Baitman. I did not.
Mrs. Lummis. Mr. VanRoekel, did you?
Mr. VanRoekel. Not only do I not know that that happened, I
don't know and I did not.
Mrs. Lummis. When Mr. Jordan asked you some questions, one
of the things that he asked you was about your involvement in
meetings. He was specifically referencing Ms., I am looking for
the name. Well, let me just ask you this. Were any of the
meetings you attended at the White House?
Mr. VanRoekel. It depends how you describe the White House.
Chairman Issa. The White House includes Treasury, the Old
Executive Office Building, the New Executive Office Building,
and the White House proper at a minimum.
Mr. VanRoekel. I didn't know if you were talking about
physical or organizational.
Chairman Issa. Organizational.
Mr. VanRoekel. I work in an agency that is part of the
Executive Office of the President. So every meeting I have is
considered sort of part of that organization.
Mrs. Lummis. And was Ms. Lambrew present?
Mr. VanRoekel. As I mentioned in my answer to Mr. Jordan,
in one to two meetings, yes.
Mrs. Lummis. And what were those meetings about?
Mr. VanRoekel. Those particular meetings were dealing with,
they were asking actually, my private sector advice on demand
generation and marketing to young people, how to use social
media to reach out to uninsured Americans.
Mrs. Lummis. So who was briefing the White House about the
status of the website? No one? Did no one brief the White House
about the status of the website before October 1st? Mr. Chao?
Mr. Chao. Not me personally, but our administrator, Marilyn
Tavenner, certainly is representing the agency. So you might
want to ask her.
Mrs. Lummis. So we don't know whether the status of the
Federal exchange and the data, how they were ever a focus of
meetings between White House and HHS personnel before October
1st?
Mr. Chao. I think what I said earlier, that in the meetings
I attended, I provided status briefings on the progress of
certain IT builds like the data services Hub.
Mrs. Lummis. And your reports on the status of the builds
set off alarm bells with them?
Mr. Chao. No, because the data services Hub was actually
performing well and on time. And it received its authority to
operate in August.
Mrs. Lummis. Okay. So what happened between August and
October 1st?
Mr. Chao. I didn't attend any White House meetings.
Mrs. Lummis. What happened with the performance of the Hub?
Mr. Chao. The Hub is doing fine. It is doing what it is
intended to do.
Mrs. Lummis. Mr. Chairman, I yield back.
Chairman Issa. I thank the gentlelady.
I will be brief. Mr. Chao, the EIDM, or what I call the
front door, is what didn't perform well, isn't that true?
Mr. Chao. Correct.
Chairman Issa. And since the system was designed so that
you had to go through the front door to get anything else, it
doesn't really matter if you had 60,000, 600,000 or 60 million
capability, if the American people had to go through that front
door and only six got to the end, we can presume that the
number that existed just prior to launch of 1,100 in that
so-called minimized test, or as you said, it was only one-tenth
the amount, really wasn't true. The truth is that when people
got time outs as they tried to register, as they tried to go
through the EIDM, the marketplace Hub, one that you forced them
through by in September determining that they could not look at
a splash page to get a price idea if nothing else was
available.
That front door being blocked is essentially the reason
that the American people have wasted, for the most part, a
month trying to get registered, isn't that true?
Mr. Chao. No, it is not true.
Chairman Issa. Yes, well, it is.
Mr. Baitman, where were you, since you and Mr. VanRoekel
are critically part of this process? Where were you, and Mr.
Park was brought in afterwards, where were you in the months
and years leading up to this? Why is it that you were not aware
that on day one, this product was going to fail to launch in
any legitimate, acceptable way?
Mr. Baitman. As I indicated in my opening testimony, HHS is
a federated agency.
Chairman Issa. Okay, not your job, this is an orphan.
Mr. VanRoekel, you came out of the private sector. Bill
Gates and Steve Ballmer and a lot of other people at Microsoft
would have had somebody's neck hung, maybe not literally and
maybe not fired them, but they would want to know, demand to
know, Steve Jobs, when he was alive over at Apple or NEXT and
the other programs, they would have said, who the blank is
responsible for this failure? Can you tell me today whose job
it was to make sure that we didn't have this dreadful failure
to launch that didn't call the one person that should have
known and didn't do their job? One person? Who was that person?
Mr. VanRoekel. As I said earlier, I wasn't close to the
actual development. I am not in a position to make that call.
Chairman Issa. Okay, so I had you and Mr. Park, Mr.
Baitman, Mr. Chao, we will leave the GAO out of it, because we
are probably going to ask them and others to help us find out.
But none of you today can tell us who failed to do their job.
And as a result, the American people lost a month of any
effective, real ability to sign up. This website was dead at
launch for all practical purposes.
And I am sorry, Mr. Chao, you can give me all the numbers
you want, six on the first day, 240 on the second day, when
millions of Americans were trying to make this work. We may
disagree on ObamaCare, but we don't disagree that that was
unacceptable. You heard it on both sides of the aisle.
Mr. VanRoekel, I think you fail to understand, you and Mr.
Baitman and all of you in the Administration who were allowed
to go to those meetings, Mr. Powner would tell you that best
practices should be a lot more like it is at Toyota Company or
Honda. In the production line, one person who sees a bad car
coming down is allowed to stop the production line. In this
case, a really defective, something that would make the Edsel
look like a success story, launched on October 1st and nobody
said, here today or for that matter since I have been listening
to the various hearings, nobody said, I should have pulled the
stop button.
Mr. Chao, you refused to answer give a grade. Mr. Baitman,
you refused to answer give a grade. Mr. VanRoekel, you refused
to answer to give it a grade. Well, I am going to give it a
grade. This was an F. Or on a pass-fail, this was a fail. Every
one of you should have been close enough to know there was
something wrong, to ask somebody in one of those many meetings,
are we sure this is going to work. And at least get an
assurance from somebody that it would.
Mr. Powner, I want to thank you for being here today.
Although many people have talked about FITAR and what we need
to do in legislation, you are the only person here that
represents an organization that has said, there is a right way
to do it, we have looked at agencies at the Federal Government
who have done it right, and like you, we normally look at the
agencies that fail. We look at the program out of Wright-Pat
that failed and lost us a billion dollars. We are looking at
failure that cost the American people millions of their hours,
frustrated, trying to get online to check whether or not health
care is going to be more affordable for them.
So I look forward to all of you being part of the process
of best practices in your job going forward. But I look also
with all of you realizing without legislative change, we will
be back here again, with everybody saying, I didn't fail to do
my job, even when a product failed to launch.
And with that, you are dismissed. We will set up the next
panel for after the vote.
[Recess.]
Chairman Issa. Now for our second panel we have Richard
Spires, Former Chief Information Officer at the Department of
Homeland Security. And Ms. Karen Evans is the former
Administrator of the Office of Electronic Government and
Information Technology at the Office of Management and Budget.
Pursuant to the rules, all witnesses will be sworn. Would
you please rise, raise your right hand to take the oath.
Do you solemnly swear or affirm that the testimony you are
about to give will be the truth, the whole truth and nothing
but the truth?
[Witnesses respond in the affirmative.]
Chairman Issa. Please be seated.
Let the record reflect that both witnesses answered in the
affirmative.
In order to save time, we ask that the entire opening
statements of both witnesses be placed into the record. Without
objection, so moved.
We now will allow you to abbreviate, since your entire
opening statement is in the record. Try to stay within the five
minutes.
Ms. Evans?
STATEMENT OF KAREN EVANS
Ms. Evans. Good morning, Chairman Issa, Ranking Member
Cummings and members of the committee. I am pleased to be
invited back to share my views of ObamaCare implementation, the
rollout of Healthcare.gov.
From an IT implementation standpoint, Healthcare.gov was a
classic IT project failure that happens in the Federal
Government too frequently. As the executive leadership at the
Federal Departments and agencies, the President's political
appointees are at the top of the management chain for Federal
employees and contractors. In looking for the cause of this
failure, some point to the lack of testing. Others, including
the President, cite the challenges of the IT procurement
process. And still others note the complexity of the program
and the interfaces with private insurance company systems.
However, the cause of this failure was not the complexity
of the program nor the procurement process nor the testing. The
functionality and the shortcomings of Healthcare.gov are a
result of bad management decisions made by policy officials
within the Administration. They did this to themselves. And if
they are now surprised, it is because their own policy
officials failed to inform them of the decisions they have made
and the consequences associated with those decisions.
As soon as this legislation was passed, there were policy
decisions which needed to be made. These policy decisions would
drive the technical design of healthcare.gov IT systems. They
fundamentally determined the workflow and business processes
driving how the law would be implemented.
I have been on both sides of policy implementation, as a
career civil servant and as a political appointee. The problems
with Healthcare.gov are symptomatic of a recurring problem.
Passing a law or issuing a policy is not enough. If there is a
new law, management reform or policy initiative you want to
accomplish, then you as a policy official need to be engaged
during the implementation to assure there is an appropriate,
integrated project team in place to manage the day to day
operations.
All levels of the organization need to be willing to get
into the weeds to understand these intricate aspects of
management and implementation. Because the devil is in the
details. Someone can change a seemingly innocuous requirement
in a meeting and cause a huge impact on schedule, cost or
functionality. IT projects are particularly good at
highlighting management failings, because they require
coordination between the many different parts of an
organization. If the agency's CIO is not actively at the
management table, participating in those decisions, and more
importantly, explaining the ramifications of the policy
decisions they are making, the projects get off track and
ultimately fail.
The chief information officer is the person in the C suite
who has the capacity to translate technology issues into
business-speak for other business leaders. When a technical
implementation specification hinges on a policy decision, the
technical team depends upon the CIO to elevate the question to
the appropriate decision maker. Because the CIO can speak to
senior executives in terms that are relevant to them and can
state potential consequences in terms of political and policy
values, the CIO is in a unique position to ensure that policy
officials do not regard those decisions as staff level
functions. And if these potential consequences are significant,
then departmental and White House officials may need to be
briefed by the CIOs.
In the wake of the Healthcare.gov implementation failure,
some analysts have asserted that the private sector could have
done this better, thereby implying that there are some
conditions inherent in Federal IT which impede success and
impair Federal CIOs. It is certainly true that Federal CIOs are
burdened by deliberative restraints placed upon them by
Congress and OMB. But Federal CIOs also enjoy freedom from
competition and the whims of the market.
Overall, Federal CIOs and commercial CIOs are more similar
than different. We all have the same job description: to be the
technical, savvy member of the executive team, to provide value
through innovation, to manage data as a strategic asset, and to
lead a large team of technologists and inspire them to achieve
greatness. Whether a CIO is at a large or small organization,
bureau level or department, public sector or private, the scale
may differ, but the management challenges are the same.
I have included in my written statement some key questions
which every CIO should be asking; but more importantly, the CIO
should be able to answer these questions for their leadership
in clear business terms. Thank you for the opportunity to
testify today, and I look forward to answering any questions.
[Prepared statement of Ms. Evans follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman Issa. Thank you.
Mr. Spires?
STATEMENT OF RICHARD A. SPIRES
Mr. Spires. Chairman Issa, Ranking Member Cummings and
members of the Committee, thank you for the opportunity to
testify on issues with Healthcare.gov and more generally on IT
management issues in the Federal Government.
With more than 30 years of experience working on delivery
of large IT programs, I speak from real world experience
regarding what is required to successfully deliver such
programs. I served in the past two Administrations and saw
similar IT management issues in both. So my remarks focus on
highlighting systemic weaknesses in our ability to effectively
manage IT, along with some recommended solutions.
My written testimony outlines five key elements required to
effectively deliver an IT program. In regard to the rollout of
Healthcare.gov, my information was obtained from previous
Congressional hearings and media articles. It is clear that
there were fundamental weaknesses in the program management
processes. For a system as complex as Healthcare.gov, best
practice would have led to a plan that included completion and
testing of all subsystems six months prior to public launch,
three months of end to end functional integration testing, and
a subsequent three month pilot phase in which selected groups
of users identified problems not caught in testing.
It was reported that the program did not start and end
functional testing until two weeks prior to launch and there
was no formal pilot program prior to roll-out. This is evidence
of a lack of mature program management processes. Second, there
was a lack of a program governance model that recognizes the
proper roles and authorities of the important stakeholders, to
include the business, IT, procurement, privacy, et cetera. For
IT programs, the business organization or mission organization
must be intimately involved in helping define requirements,
making hard functionality trade-offs and being a champion for
the program. The IT organization must ensure there is a capable
program management office using management best practices to
deliver large IT programs.
Evidence of launch of Healthcare.gov shows the balance
between the business and IT organizations was not correct. For
example, changes were being finalized up to a few weeks before
launch. This is much too late. Requirements should have been
locked down months before. The business organization had the
ability to make changes that led to bad management practice.
The issues of the rollout of Healthcare.gov are emblematic
of the IT management challenges in the Federal Government, yet
improving our ability to effectively manage our IT is critical.
Our government, if it more effectively manages IT, can harness
its transformational capability, significantly improving
government's effectiveness and efficiency. I recommend that
three actions be taken to improve Federal Government IT.
First, it is important that Congress pass legislation to
update how this government manages IT. I appreciate the
leadership of Chairman Issa and Representative Connolly in co-
sponsoring the FITAR legislation. While legislation alone will
not fix all the issues with IT management, it will elevate the
standing of agency CIOs and put in place mechanisms for
development of centers of excellence to leverage best practices
and program management and acquisition across the Federal
Government. These changes could have helped to address the
critical failings of the program management of Healthcare.gov.
Second, agency CIOs need to have control over
implementation, operations and the budget of all commodity in
their agency, which includes the data centers, cloud services,
servers, networks, standard collaboration tools like email as
well as back office administrative systems.
A couple of years ago, I was fortunate to be in a session
that included a number of CIOs for Fortune 50 companies. In the
course of discussion, it became clear that one of the clear
elements in effectively leveraging IT for an enterprise is a
modernization, standardization and appropriate consolidation of
the underlying IT infrastructure.
I urge that Congress address this recommendation through
the IT reform legislation and the Administration to address
this recommendation through the portfolio stat process.
Third, the current Administration should make IT management
a centerpiece of its overall management reform agenda. This
entails the recognition and focus at the most senior levels of
government of the importance of IT and improving IT management.
It includes a serious commitment to improving program
management practices, elevating the status of agency CIOs and
ensuring the agency CIOs own the commodity IT.
I hope the troubled launch of Healthcare.gov can serve as a
catalyst to drive positive change in the way we manage IT. The
best practices exist and are proven. We need leadership in
Congress to pass reform legislation and leadership in the
Administration to recognize the importance of IT management.
Thank you.
[Prepared statement of Mr. Spires follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Chairman Issa. Thank you both.
First of all, I would ask unanimous consent that the
article entitled The Healthcare.gov Rollout: What Should We
Learn?, which Mr. Spires authored on November 4th, 2013, be
placed into the record. Without objection, so ordered.
Chairman Issa. I am going to start with you, Mr. Spires.
You heard the first panel. From your experience, and I will go
to Ms. Evans also, did I have the right people for the most
part here, leaving GAO out for a moment, to ask who is
responsible, why was this thing launched practically non-
working, completely, only six successful registrations the
first day? Did I have the right people?
Or did I have the wrong people and that is why they all
said it wasn't their job?
Mr. Spires. You had the right technical people at the
table. I believe in a balanced program where you have
technology leaders as well as the business leaders working
together.
Chairman Issa. But somebody at that table should have been
able to tell us basically who should have stopped this program
or recognized that it was going to fail to launch?
Mr. Spires. Somebody at that table I think should have been
able to tell you that.
Chairman Issa. Ms. Evans, in your time at OMB, I think more
than anything else, is it your experience that the Office of
Management and Budget ultimately, the OMB director, who gets to
meet with the President, who gets to say that key pieces of
legislation, key implementations are or are not going
correctly? Has that been your experience?
Ms. Evans. And I will speak from my experience, and that is
true. And so we viewed, during my tenure, that OMB had
oversight into the Executive Branch of ensuring that the
President's priorities got implemented.
Chairman Issa. I am going to ask you from one personal
experience. Have you been in the Oval, other than ceremonially,
have you been in the Oval for a meeting?
Ms. Evans. Not exactly in the Oval Office, but they have
staff offices outside.
Chairman Issa. But you were in that area?
Ms. Evans. Yes.
Chairman Issa. So you were there, I assume, with the
Director or somebody on some important briefing that was going
on?
Ms. Evans. Yes.
Chairman Issa. And that is a regular part of White House
life?
Ms. Evans. If you are working on priorities that are
important to the Administration, yes. And one would assume that
if you are a staff person in the White House, all of us are
working on priorities that are important to the President. Not
going to meetings at that level are not necessarily a daily
occurrence of the job.
Chairman Issa. I realize that is a rare one. But we can all
agree, I believe, I think the ranking member would join with
me, that the signature piece of legislation of the President is
the Affordable Care Act. Can you figure out for me or help me
understand how people could serve the President so poorly that
it appears he was never told that this was going to be a
disastrous launch?
Ms. Evans. In my analysis from the public record, as well
as watching the testimony that happened prior, I believe that
if I were in that position that I would have elevated things
through, because that is the President's key legislation, it is
his number one priority. And so that is what the Chief
Information Officer is supposed to do. They are supposed to
analyze, as I said in my testimony, analyze what potential
decisions are being made and what is that impact on the
President's priorities to get done, from a political
perspective, from a communications perspective, from an
oversight perspective of what the impact would be and how you
would have to do a Congressional notification if you were
changing things.
That is what a CIO is supposed to do. That would have been
elevated up so that the OMB director would have known what the
impact was happening, so that the director could then talk to
the President about potential opportunities.
Chairman Issa. Now, Mr. VanRoekel was your successor, is
that correct?
Ms. Evans. Yes.
Chairman Issa. And yet he said that he was only the
facilitator of these meetings. Did you do a lot of facilitation
when you had his job?
Ms. Evans. I would call it facilitation. I don't know that
the agencies that I was supposed to provide leadership and
oversight to would necessarily call it facilitation. I would
like to think that that is the nice way that we did it.
Chairman Issa. You invited people to bring in groups?
Ms. Evans. Yes.
Chairman Issa. You brought them to the White House or
accompanying facilities?
Ms. Evans. Yes.
Chairman Issa. And at those meetings, you either were there
personally or at least you introduced the meeting and monitored
whether it was going the direction that you and your bosses
wanted it to go?
Ms. Evans. I can speak to my own management style, which is
a very hands-on approach. Because I really personally view that
if it is my boss's priority, number one priority to get
something done, then it is my job to make sure that the
leadership up the chain to him are fully informed of decisions
that are being made.
So I am a little hands-on as a manager. I came up through
the ranks, through operations. So I have a tendency to do that.
Chairman Issa. But you are not a micromanager?
Ms. Evans. I would like to think I am not. But if it is
something that is that important, I personally, especially for
things that are important to the Administration at the time
during my tenure, I would personally make sure that I knew the
status of what was going on on those projects.
Chairman Issa. Mr. Spires, I am not leaving you out
completely. But I will ask both of you, in 184 weeks from the
passage of the Affordable Care Act, until the failure to
launch, can you conceive that anyone, leaving GAO out, on that
first panel, should not have seen that there were problems and
had taken at least an active role in addressing those problems?
Mr. Spires. Proper governance is critical on programs like
this. Because there are a lot of stakeholders involved. And you
need to have good information and you need to do it on a very
regular basis to make sure that these programs are going well.
Individuals at this panel, other than Mr. Powner, certainly I
think should have been in that chain of receiving that
information, reviewing that, being part of reviews as part of a
good governance model. That clearly did not exist.
Chairman Issa. And Ms. Evans, I will modify that as my
close. Not only shouldn't they have, but can you give us a
little bit of a feel for what life would have been like if
President Bush, who you worked for, had gotten blindsided by a
failure of one of his hallmark pieces of legislation, Medicare
Part D, No Child Left Behind or something of a similar level?
Ms. Evans. I was involved in Medicare Part D, just so that
you know. And we could talk about that as well. If something
like this happened during my tenure, I can only speak for what
I would do. I would have offered my resignation before I got
fired.
Chairman Issa. With that, I recognize the ranking member.
And you never got fired, I want to make that clear.
Ms. Evans. No. I did not get fired. I did the job for six
years. But in this particular case, if my President had to go
on TV and say some of the things that this current President
has had to do in an area of my responsibility, I would have
offered my resignation.
Chairman Issa. Thank you.
Mr. Cummings. What was your responsibility with regard to
Medicare Part D?
Ms. Evans. When the rollout came out, there were some
specific issues related to information technology. I would say
it is the same type of thing that is happening right now. An
analysis had to be done about, could you actually fix it
through information technology, what were the issues. And it
really was a timing issue with the legislation, which is the
reason why I am making the point about when you pass a law, you
have to know.
So the way that that legislation was crafted, if a user
signed up for the benefit at 11:59 p.m. on the 30th of the
month or the 31st of the month, then they were eligible at
12:01 a.m. the next month for that benefit. There is no IT
system the way that these systems work that you could get all
that information populated through the system so you had to
really analyze what was the work process and how the IT worked.
So what we did was we provided options to the policy
councils to say, if there really are additional funds
available, what happened was they had, similar to what the
navigators are now, people to help sign up, and if you signed
up people before the 15th of the month, then those people
actually got paid within 30 days, the ones that were helping
sign people up. If you signed up after the 15th of the month,
then the people that were helping do this actually would get
paid 45 to 60 days later.
So the idea was, okay, if the technology solutions can
only, there is a big batch process that happens the 15th of the
month, you provide the incentives up front, get everybody into
the system between the 1st and the 15th, get them signed up so
that all their data shows up in the IT systems by the next
month so that they are eligible.
Mr. Cummings. But let me ask you this, were there IT
problems back then?
Ms. Evans. There are always IT problems. But what you have
to do is analyze it from a business perspective and provide
alternatives to the policy leadership so that they can make
informed policy decisions of how they are going to handle it.
Mr. Cummings. Yes, because I specifically remember working
with my constituents because they were having all kinds of
problems.
Ms. Evans. Absolutely.
Mr. Cummings. Let me ask you both this. If you have a
situation here where for example, in the governors, more than
half the governors decide not, for example, to do their own
marketplace, would that have affected you in any way or should
that have affected this project? I am just curious. From an IT
standpoint.
Mr. Spires. Well, sure it would, sir. From a volume
standpoint, from the scope and scale of what you would need to
create.
Mr. Cummings. Would it make it a little harder?
Mr. Spires. Yes.
Mr. Cummings. A little more complicated?
Mr. Spires. A little more complicated, yes, sir.
Mr. Cummings. And so Mr. Spires, someone had suggested that
one of the problems with the development of the Affordable Care
website is that there was no single contractor overseeing the
work of all the other contractors, that there was no lead
system integrator. However, experience in the past
Administrations with using contractors used to oversee other
contractors has often resulted in failed programs and millions
of wasted tax dollars, is that right?
Mr. Spires. That is correct, and I have a close history
with this at the IRS, if you would like me to comment on the
topic.
Mr. Cummings. Yes.
Mr. Spires. When I came in in 2004 to run the business
systems modernization program at the IRS, and it got moved to
that outsourced kind of program management office where a
contractor was serving as that systems integrator. And it was
not working well. I am a huge believer that the government
needs to stand up to build a strong program management office
for these large scale, complex IT programs. You have to have
solid, experienced government people in charge and running
these programs.
It doesn't mean you can't have contractor support. But I
have found if you don't do that, the dynamics don't work. There
are so many stakeholders involved that are government people
you have to work with who are not part of the program, and in
order to make that work effectively, you need to have strong
government people on the ground that are running this program
day in and day out.
Mr. Cummings. So I didn't see it in IT but I saw it when I
was chairman of the Coast Guard Subcommittee, with Deepwater,
where we were literally buying boats that didn't float.
Mr. Spires. Yes.
Mr. Cummings. Literally. Some of them are sitting near my
district right now.
And the contractor, the lead systems integrator, didn't
have that intertwined situation that you just talked about
where the government people were doing their piece. And it just
doesn't work.
I see my time is expired. Thank you.
Chairman Issa. I thank the gentleman.
Mr. DeSantis?
Mr. DeSantis. Thank you, Mr. Chairman. Thanks to the
witnesses.
Mr. Henry Chao, he told the committee when they interviewed
him that he had not ever rolled out a program that had complete
systems-wide end-to-end testing. I just wanted to get your take
on that, to not have system-wide end-to-end testing. Is that a
good practice?
Mr. Spires. That is poor practice at best. I may make
another comment about this, if I could. I was, as far as what I
know, right around the timing, the testing clearly was not
adequate to put this system into production. My experience has
always been, and I have had to live this, where we have made
these hard calls. It is better to delay, and it is better to
delay for two reasons. One, you only get that one chance to
make that first impression with a system. We clearly didn't do
it well here, did well, with the rollout of Healthcare.gov.
But two, and even more importantly than that, once you put
the system in production, you have to operate it and maintain
it, deal with all the customer issues and all that. That in and
of itself is a very large amount of work that takes energy from
the team, rather than the team really getting to the point of
fixing the system to the point where it is running well, then
putting it into production.
And I know for whatever reason this October 1st date was
viewed as immovable. But I think that was a very big mistake
made on the rollout of Healthcare.gov.
Mr. DeSantis. I appreciate that. I was looking through some
of the materials. In late September there was a memo that said
that the ongoing development had posed a level of uncertainty
that can be deemed as a high risk security threat. So when you
see that, it seems to me that would be a big red light that
this is not ready to go forward. Would you concur with that?
Ms. Evans. Based on my experience, yes, sir, I would. That
would be a risk that you would have to evaluate the October 1st
deadline against, what kind of operating risk is there and can
you mitigate that risk. It would have to be fully explained to
the leadership involved, in this case the CMS director and
probably farther up, about what could happen if we went forward
with the implementation and we haven't fully tested all of
these things.
Mr. DeSantis. It is frustrating, because so much of this
law, and we see it in the implementation, was based on
representations to the American people that have now turned out
not to be true, for example, if you like your plan you can keep
it, if you like your doctor you can keep it, it will reduce the
budget deficit, it will cover everybody. The most recent
estimate is 10 years from now, you are still going to have 31
million people with no coverage. So this bill doesn't even do
that.
As I was looking through some of the testimony, some of
these regs that the people needed in order to start
implementing it were delayed on purpose, on political decision
to get through the 2012 election. So these folks were in a
situation where they had to kind of create this website, but
they actually weren't given as much time as they could have
had the Administration been forthright about some of these
things. But there was a desire to move this beyond the 2012
election, so that the American people would not be able to
fully evaluate the program.
So what I have seen here today is that there was a decision
by the Administration, a knowing decision, to launch a website
that did not work and indeed, was not adequately tested for
security. I think this is problematic just generally, no matter
what you are doing from a government IT perspective. But this
website is unique, because individual Americans, and we have
millions of people now who are seeing their insurance plans
canceled because of this law, it is not like that website is
just out there for them. They are forced to get, under penalty
of law, health coverage through that website if they are one of
the unfortunate folks who are seeing their plans canceled.
So we are in a situation where the government is going to
tax them unless they procure insurance off this website that is
not fully functioning and that has questions about its
security. So it is very, very discouraging. I have a lot of
constituents who are upset about this.
So I just appreciate you guys coming. I think this is, in
terms of a case study on how not to do something, I think
people will look back on this. But I think one of the things
was, there were political imperatives here and the politics
trumped what would work and what would be best for the American
people. I think that is unfortunate. I yield back the balance
of my time.
Chairman Issa. I thank the gentleman.
I would like to ask just a couple more questions, seeing no
one else here. Both of you served the previous Administration.
Did they ever tell you what the cost of not launching one of
your projects was? In the private sector, it is like, we are
going to have X amount of revenue every month, and if we don't
launch Windows XP, then we lose that much revenue? Did you ever
have those discussions as part of your daily work?
Mr. Spires. We would, sir. The IRS had discussions about
it.
Chairman Issa. For example, the new audit thing.
Mr. Spires. Yes. There were business models that were built
for systems that would show the kind of return. And of course,
at the IRS, you could actually measure it many times in
dollars. So yes, we did have those kinds of discussions.
Chairman Issa. How about you, Ms. Evans?
Ms. Evans. We would have those discussions across the board
on each and every agency's performance. So when agencies turned
in a business case to justify the investment, they also put in
there the return or the cost benefit analysis. So if you delay
the launch date, then it affects your ability to start getting
some of the benefits. Because the benefits in the government,
when you measure them, is a little bit different than the
bottom line in private industry. So it is benefits to the
taxpayer for the services that could be delayed with a delayed
launch.
Chairman Issa. In this case, that doesn't happen to be
true. This is like a private business, and I will show you
here. I wish Mr. VanRoekel was still here. The estimate from
CBO at the time of, well, they keep changing it, but in
February of this year, the estimate was that penalties from
uninsured individuals were going to total $52 billion over a
decade, half a billion dollars a year. Although that number
keeps shrinking of what they think they are going to get,
similarly the penalties from employers, $150 billion over 10
years, more or less $100 million a month.
So here is this website, and Mr. Cummings and I have heard
the figure $600 million enough times that it echoes in our
sleep. But the delay of ObamaCare from a standpoint of revenue,
when the President had to delay the employer mandate, he was
losing $100 million a month of revenue. If he had had to delay
the no I am sorry, I got my figure wrong. I will have to be
careful on that part. Forty-five billion over 10 years is $4.5
billion a year. So it is about $250 million, well, the back in
February it was $300 million a month would have been lost if he
delayed the penalties on the uninsured individuals. But he had
already delayed something that was three times larger.
So the reason I am asking this is, Ms. Evans, if you were
back at OMB and somebody had told you in timely fashion, we are
in trouble on this website, and we need to delay this thing
because our projections two months or three months out, it is
not going to be ready, and you were looking at having to go to
the President and say, we would like you to delay something
that will delay revenue by $300 million a month, wouldn't you
have had a normal business decision of, well, can't we spend
$300 million more if that is what it takes to get this thing
done on time?
In a sense, again, I go back to what I said before Mr.
Cummings was there, the President was so poorly served in that
I assume, and Mr. Spires, your experience particularly would be
helpful here, I assume that if six months earlier you said, in
order to not lose $300 million a month of revenue, calculated
revenue, we need to put more money into this, we wouldn't be
talking half a billion or a billion or $2 billion. We would be
talking incrementally a relatively small amount of money to do
a project necessary to get this thing locked in and tested in a
timely fashion, wouldn't we?
Mr. Spires. If I could comment. I would even say this, I am
not sure this was about money. I am not sure we would have had
to add more people to this.
Chairman Issa. I don't think we would have. I just wanted
to make the point that there was plenty of money at stake.
Mr. Spires. Well, there might have been. But I go back to
the point of the program management disciplines. Now, to that
end, once you get close, once you are six months in, it is
very, very hard to then change. You are not going to pick up a
lot of time.
But if this had been done correctly on the program
management side, I suspect that the money was there. I don't
think that was a constraint on this particular program.
Chairman Issa. Ms. Evans?
Ms. Evans. Given the scenario that you just outlined, the
way that this would be presented during my tenure, the way we
would present it is, these are tradeoffs, policy decisions that
need to have tradeoffs. So you would analyze, this is the
income that was going to come in, this is the method that we
thought we were going to be able to do. But given where it is,
here are the alternatives, and then here are the tradeoffs, so
that you can either realize a portion of that or we can then
recover it and then some if we go with this.
So alternatives would have been vetted through the policy
process so that people could have looked at that and then said,
okay, well, we can't put so many people on it, there is a point
of diminishing return. There is only so many dollars and so
many people that you can throw at an IT project in order to fix
it.
So then you would have alternatives in order to realize
that income, so that you could move forward to reduce the
deficit. That is part of the analysis that the Office of
Management and Budget would lend to the policy process so that
the decisions could be made by the appropriate policy
officials.
Chairman Issa. Let me just close with a question. If we
went back three and a half years and upon the passage the
regulations necessary to determine some of the specifics this
offer would have to deal with had been done in a timely
fashion, six months or so, then presented to industry and
stakeholders and going through a process of, if you will,
analyzing it from a standpoint of needs of those who would use
it, then taking the outcome of that, producing a standard, a
year, year and a half into this process, delivering that to the
contractor and then monitoring the process of a fixed and final
set of regulations relative to this new website and its work,
is there any doubt in your mind that three and a half years was
in any way, shape or form not enough time to start with the
passage of the Affordable Care Act three and a half years ago
and reach a well-tested, well-engineered, from a security,
speed, scalability on the launch date of October 1st?
In other words, was there anything inherently wrong with
picking October 1st that good practices over three and a half
years wouldn't have taken care of?
Mr. Spires. I think with where they are at, it is a little
hard to know how long it will take for this to really
stabilize. But it will stabilize. So if you look at it from
that perspective, sir, I am pretty sure that if this had been
well-managed, and to your point, include the regulation process
of that, that this site could have been delivered and
appropriate on October 1st and could have been well running on
that date.
Ms. Evans. I would look at it, and I always look at things
from my tenure at OMB.
Chairman Issa. It was a long tenure.
Ms. Evans. It was a long tenure. And also from an
operational perspective coming up. But I would have looked at
the law to understand what were we really required to do by
what time period. And really scoped the project to a point
where it was very clear and understood what was going to be
delivered.
I think one of the major issues that you have here with the
requirements that happen on every IT project is that they are
scope creeped. So as people start working through it, they add
on another requirement and they add on another requirement. So
the parameters have to be drawn on something that is this
complex, so that everyone would have a clear understanding of
what is really going to launch on October 1st, if that is the
President's due date. And then stick to that and everything
else becomes an add-on and a module. That is best business
practice. And if it is critical, that you have to have it, then
it has to be voted on through the good governance process
through a business process.
That is the part that is still a little unclear in this
overall process of what really was the scope, and what was
expected to be delivered on October 1st.
Chairman Issa. Thank you. That is what we are going to
continue working on, regardless of the actual Affordable Care
Act, the question of what went wrong and how do we prevent it
in the future.
Mr. Cummings?
Mr. Cummings. Thank you very much.
Ms. Evans, I was listening to you very carefully. You said
that if you were in this situation where your boss had to go
before the American people and do what President Obama did, and
I am not trying to put words in your mouth, you said you
probably would resign. Is that right?
Ms. Evans. Yes.
Mr. Cummings. There are two parts to this. One part is what
happened in the past. The other part is where we go in the
future. I think it is very important that we learn from the
past. I believe that it can tell us a lot about mistakes we
made, so that we don't fall into those ditches again.
This is where I want to go. I say to my staff, there are
two things that I am most concerned about, effectiveness and
efficiency. I tell them we have a limited amount of time on
this earth, we have a limited amount of time to be in the
positions that we are in, that it is our watch and we must do
what we have to do for the American people in an effective and
efficient way.
I guess my question is, suppose you are President Bush, say
if he was in these circumstances. And he said, Evans, don't
quit. Fix it. What would you do? And do you believe it could be
fixed in a reasonable amount of time? If at all? So you didn't
quit.
Ms. Evans. I didn't quit.
Mr. Cummings. We wouldn't let you quit.
Ms. Evans. You wouldn't let me quit because I had to fix my
mistake. So at this point I would be down in the daily
operations, I would have done an assessment to see what exactly
could be fixed and then again, back to the scoping issue of
what the President actually said would be available and what is
now required. Now, you have additional circumstances on here
with the insurance companies canceling policies, and you have
this gap now where people actually have to be able to sign up
for services. So that would be analyzed, and I would say, okay,
here is where we are with the IT project, we need to put other
kinds of compensating controls in place in order to be able to
deal with the American public's need to be able to sign up for
insurance.
And that would be then elevated through the policy chain.
So things like going directly to insurance providers, putting
up, as Chairman Issa said, the whole list of what plans are
available so that people could at least see the information and
not necessarily sign up, all those alternatives would be laid
out. And they would be viewed from a communications
perspective, from a policy perspective and from a political
perspective to ensure that you could put the best service
forward to meet that immediate need of that gap between the
December 15th and the January 1st deadline. Because that is the
big critical piece that you are trying to get to right now.
And how do you fix that and how do you meet that need for
the American people.
Mr. Cummings. Mr. Spires, did you have a response to my
same question?
Mr. Spires. Well, let me add on.
Mr. Cummings. Yes, do you have something to add onto what
she said?
Mr. Spires. Let me just add that I applaud, and I want to
thank the team that is working on this. We talked about Mr.
Park and what he is doing, but my goodness, the whole team has
to be working around the clock.
Mr. Cummings. Are you familiar with the team, other than
Mr. Park?
Mr. Spires. No.
Mr. Cummings. Are you familiar with Mr. Park?
Mr. Spires. Yes.
Mr. Cummings. And what is your opinion of him and his
competence?
Mr. Spires. He is a very talented technologist, extremely
talented.
Mr. Cummings. They tell me he is one of the best in the
world.
Mr. Spires. I think that is probably a fair assessment,
sir.
Mr. Cummings. All right.
Mr. Spires. Let me add a couple things, though, about the
end of November. I would like it to work, too. This is all, for
me, about helping government make IT more effective. But this
end of November, there are two concerns I have. One is, it is
just very difficult when you are in this, when you do
integration testing, and that is essentially what we are still
doing, even though the system is alive, for a while you tend to
find defects actually increase as you do more testing. And even
as you work things off and fix things, you even get more. So I
am worried about that.
The other thing I am worried about, frankly, is when you do
this integration testing, a lot of times you will uncover some
significant architectural issues. You may not, but sometimes
you do when you integrate these subsystems. You know where
those architectural issues show themselves are in performance
issues.
So I am concerned that we are seeing, when they open it up
and it doesn't perform well from a scalability standpoint, and
handling the volume, that is an indication of some potentially
underlying technical issues from an architecture perspective.
Those things may take longer to fix.
This is just my experience in working these kinds of
problems in the past. So when they say they are going to have
it fixed by November, for the vast majority of users, I hope
that is the case. I just have concerns that that may not turn
out to be the case.
Mr. Cummings. I think that Mr. Park answered that question
several times.
Mr. Spires. Yes.
Mr. Cummings. And he talked about, and I think it is
probably because of the things that you just talked about, he
said that, I can almost repeat it, he said it so many times,
that they have a goal and they are going to try to attain that
goal.
Mr. Spires. Yes, absolutely.
Mr. Cummings. But you said something a few minutes ago, you
said that, and I am going to put words in your mouth, you said
something to the effect that eventually they will get it
together.
Mr. Spires. Yes, they will.
Mr. Cummings. And my last comment is this. I guess as the
son of two former sharecroppers sitting in the Congress after
one generation, and a father who only had a second grade
education, my father believed in a can-do attitude. Can-do.
That is what this Country is all about.
I guess when I hear all the naysayers, I am so glad to hear
you say that you believe that it will be worked out. You don't
know when, I understand that. But some kind of way, we have to
move to that can-do. This is the United States of America. I
think it would be an embarrassment if we can't get this done.
Would you agree, as IT people?
Ms. Evans. Absolutely. We are the Nation that innovates and
creates technology. So it will get fixed. This is really a
communications issue and an expectation of what are the
services that are actually going to be there. We have the
technology to fix it, and you have some of the smartest people,
I am sure, working on it right now. Technology is not a
partisan issue. What really needs to be debated overall is some
of the other issues that you brought out in what you are
talking about, is the policy issues. That is where the
President should be debating with you, Congress, on policy
issues. Technology should be implemented to support that.
Mr. Spires. I think it is also important to say that the
way we manage our IT programs in government needs to improve.
That is a non-partisan view. I saw it in the last
Administration and I see it in this Administration.
Ms. Evans. I agree.
Mr. Spires. We need to fix that.
Mr. Cummings. Thank you both. Your testimony has been
extremely helpful. Thank you.
Mr. Meadows. [Presiding] I thank the ranking member for his
comments. I thank each of you for coming today to testify.
I do want to follow up a little bit with this additional
testing. As we start to go in, and having been someone who was
in the private sector, who has worked a number of times with
systems, just when you think you have the problem fixed, you
find ten more.
So with best practices, do you not think it is best
practice to take down the site while we work through these
technical glitches and, more importantly, through some of the
security concerns which are a bigger problem for me than
whether we can get on and log on, it is once you have done
that, would that not be the best practice, to take it down?
Mr. Spires. Yes. Let me caveat it by saying, this is a non-
political statement I am making. Just from a best practices
perspective, if I was running that program and no other
considerations, I would immediately take the site down. I would
have the team focus on working through the issues. I would do
real stress testing on the system and then I would bring the
site back up when it was ready. That is what I would do from a
best practice perspective.
Mr. Meadows. Without all the politics of it.
Mr. Spires. Without any of that.
Mr. Meadows. But from a best practices standpoint?
Mr. Spires. Yes, because it could get the team focused on
fixing the system and not operating the system right now.
Mr. Meadows. Ms. Evans, I want to go to some of your
testimony. Let me quote here, because I want to understand what
you said. You said, ``The functionality and shortcomings of
Healthcare.gov are a result of bad management decisions made by
policy officials within the Administration.'' They did this
``to themselves. And if they are now surprised, is it because
their own policy officials failed to inform them of the
decisions and the consequences associated with those
decisions.'' We asked that in the earlier panel. And we really
didn't get a response. But in light of your testimony, what did
you mean by that?
Ms. Evans. For example, a decision that was made to remove
the browsing function. When you make that decision, and what
came out in the previous panel was that was actually made by
the project manager, based on a technical result of testing.
So by that type of decision and rolling that up, there is
policy implications associated with that. So the policy
officials said, okay, it is okay. So if you take a sequence of
events that are programmed into a system that are supposed to
go one, two, three, four, five, and you take out number two,
and now you expect one, three, four and five to work really
well and two is not there anymore? That was a policy decision
to go forward with a site, with a major piece of functionality
pulled out and not tested. That is why I made the statement
about, and now you are surprised that it is not working.
Mr. Meadows. So they shouldn't be surprised?
Ms. Evans. They should not be surprised. If the sequence is
one, two, three, four, five, and you take two out, and you
haven't tested the impact of when two is out, you should not be
surprised it doesn't work.
Mr. Meadows. So let me ask you this, then. Who should have
informed the White House or what policy official should have
done that in this overall Healthcare.gov? Who is the go-to
person? That is what we have been trying to figure out. Who is
the go-to person that said, golly, we pulled it out, but it is
not working.
Ms. Evans. In the rest of my testimony, and this is not a
partisan statement either, this is my belief of what the role
of a chief information officer is supposed to do. In my view,
what would happen is that would have come up from CMS. So it
was made as a technical decision. And the chief information
officer at a department level is supposed to analyze what that
impact is on the portfolio overall, on behalf of the Secretary.
What is that going to mean from both a policy, political,
communications, technology, all of that. And then elevate that
issue.
So I really believe that the chief information officer is
the one who is supposed to be the nexus, the tech-savvy person
on that staff, to analyze those implications as it relates to
business and policy.
Mr. Meadows. I know we have a lot of CIOs. Who specifically
would that have been? What is the name?
Ms. Evans. Well, in this particular case, if everything
worked the way it is supposed to, it would have been the chief
information officer at HHS.
Mr. Meadows. Which is who?
Mr. Spires. Mr. Baitman.
Ms. Evans. Mr. Baitman. Which is in his portfolio.
Mr. Spires. Can I add, though, because I think that is
absolutely right, what you said. But what I like to do in
programs is pull those people together on a regular basis in
some kind of governance forum so that you can have those
dialogues, so the CIO can represent the technology issues and
implications to policy changes. But it shouldn't just be the
CIO's decision.
Ms. Evans. No, and I am not saying it should be the CIO's
decision.
Mr. Spires. It should be a shared decision.
Mr. Meadows. A shared decision, but he should be the one
informing?
Mr. Spires. That is correct.
Ms. Evans. That is right.
Mr. Meadows. So I will finish with this last question. I
have Google in my district. I love Google. We have, in
California, which I don't represent, we have unbelievable
expertise. Because we are the greatest Nation, as the ranking
member talked about, would we not be reaching out to those
experts right now and saying, please come help us get it all
done? Would that not be the appropriate thing to do?
Mr. Spires. I thought they had brought in a few of the
technical experts as well.
Mr. Meadows. But really, if we are trying to get this done
by November 30th, which I think a lot of us question whether it
will really happen, and that should not necessarily be an
indictment, would we not reach out to more experts in the
private sector?
Mr. Spires. I think at this point that would not work for
November 30th. The learning curve is so great, you would spend
more time trying to get these experts up to speed on the
specifics of the details of Healthcare.gov than you would get
any benefit out of that at this point. That doesn't mean going
forward you might not want to engage others as well.
Ms. Evans. The one thing I would want to add, I think both
Richard and I have been in situations with challenged rollouts
in our career, where we have had challenged rollouts. To your
point, the best value that Silicon Valley could do at this
point is validate the solutions you are going to put in place.
So what I have done in the past on projects where I have
had, and I have had failures in my career, as my technical team
is telling me that this is what we are going to do or these are
the changes that we are going to make, we would validate those
against and talk to Silicon Valley saying, from a technical
perspective, so they are only analyzing the technical issues at
that point, saying, if we roll this out and this is the current
problem, and we make these configuration changes, is that going
to solve the problem. That is probably the best application of
those resources at that point, and as well with Healthcare.gov.
Mr. Meadows. I thank the chairman.
Chairman Issa. [Presiding.] I thank you, and if this were
health care and not IT, we would probably say, get a second
medical opinion in this case.
Mr. Cummings?
Mr. Cummings. Again, I want to thank you all. I think when
we talk about best practices, you look at, I wish maybe in this
instance that some of these best practices that we are talking
about had been done. And I noticed that you all talked about
IT, technical, and then you also talked a little bit about
political. There is so much that goes into these decisions. But
for me, I want to see this work, and I am sure you do too.
I do not, I just don't believe in failure. We are better
than that. I hope that the folks who were part of the process
will hear the things that you are talking about. Because I
think our strength is in the expertise we all bring. All of us
have our own experiences. And having served in the positions
that you served, and served, you bring a lot to the table.
Hopefully, folks will have their ears open and their minds open
to make sure that this doesn't happen this way again. I know we
can do better.
And I guess the bottom line is that there are so many
people that are depending on us. There are a lot of people.
Mr. Spires. I am not calling this a failure, sir. It is
troubled. But this is not a failure. We need to get it fixed,
you are right.
If I could just also say, because I think it is important
enough to say, I made this comment, but I think it is
important, we need the CIOs to be strengthened in this
government from the standpoint of their empowerment.
Mr. Cummings. So you are familiar with Mr. Issa's bill?
Mr. Spires. Absolutely, and I very much support that.
Mr. Cummings. Do you think that legislation gets to the
issue you are trying to get to?
Mr. Spires. Yes. When you have the lineup of CIOs on your
first panel and none of them were really engaged, that is just
not correct. And it leads to failure of IT programs.
Ms. Evans. My view is that the legislation should pass. I
have had a lot of discussions with Chairman Issa's staff about
this, and the role of the CIO. I obviously feel very passionate
about it. I believe if that law is passed, it will remove all
excuses for non-performance of CIOs and you would have a very
different oversight meeting. Because everything that the CIOs
have said in the past that they cannot do, that legislation
would fix. Therefore, they would be held accountable for their
job.
Mr. Cummings. By the way, that is something we did on a
bipartisan basis.
Ms. Evans. That is right.
Mr. Cummings. Thank you very much. I really appreciate both
of you.
Chairman Issa. Thank you.
I have just one closing question. I know that you are not
software writers per se. But I talked to Mr. Farenthold, who
actually put up websites. And I just ask a question. You saw on
the last panel where I essentially admonished all of them to
look at the FEHBP or what was just for 230 plans, what was just
a few pages that would tell you how much each plan was and how
much the government would pay and how much each person would
pay.
Now, one of the reasons that that was only a few pages is
that that spreadsheet was for a program that did not age
discriminate. The Affordable Care Act discriminates based on
three things: the plan itself, if it is regional, has a region
in which it operates. If it is national, it has a single price,
like FEHBP.
It rate discriminates based on age and whether you smoke or
not. I have gone back and forth, those are the only variables.
So for a given location, which is where you choose your plan,
let's just say the Alabama something or other, you only have to
know your age and whether you smoke or not. And I do a little
quick math, and again, unlike the gentleman from Harvard, Mr.
Park or Mr. Massie from MIT, I went to Kent State and a little
Catholic school up in Michigan. So I did arithmetic, not
calculus.
But between 65 and 27, when you leave your parents' plan,
and the time you are eligible for Medicare, there are 38 years.
So as far as I can tell, there are 38 different ages you could
be based on the costs of a given plan. And then the question of
do you smoke or not.
So I saw essentially a spreadsheet or a data base to
retrieve from of 76 possible answers if you want to go to a
plan and ask how much it costs.
Now, for both of you, if I wanted a website that had an
engine in the back end that looked at, for a given plan, and
asked the question of, how old are you and do you smoke or not,
and then I went out and got the number from that cell, how hard
do you think that would be? Because you understand on September
12th, or September 3rd, they made a decision to not launch that
part. September 12th, they reiterated. They scrubbed moving the
software, they moved their people to other problems.
I just want to understand, how many people and how long do
you think it would take for 76 different numbers that you put
in on a little program, here is my age and I smoke or I don't
smoke, and I want to know how much this plan is? And I am being
a little facetious, and Mr. Spires, you are both smiling well.
But that really is the website that we are asking for a splash-
type open shopping.
Mr. Spires. Obviously, with the requirements you stated,
that is a pretty simple website. I suspect that what Mr. Chao
was referring to had a lot more functionality and capabilities,
and you can call it bells and whistles, and that may be
inappropriate, than that.
Chairman Issa. But didn't the American people deserve to be
able to surf prices as simple as a data base? It is almost the
back end of a pocket calculator to come up with that.
Ms. Evans. Absolutely. But again, when you get into some of
the big projects, and that is what I mean about scope creep,
and really understanding what did have to launch on October
1st, based on that policy decision. So if it is as simple as
what you described, the government already has a website set up
called Benefits.gov that those simple questions, and this might
be an alternative that they could use right now while they are
working on the longer plan, those simple questions could be put
in there. You can fill out this information now, this was
started as one of the 24 initiatives. And you would not only
find out what you are eligible for under Healthcare.gov, but
you could also find out what other Federal benefits you are
eligible for based on the way that you would answer these
questions that only live in the session.
So that whole site was set up for Federal benefits, so that
you could see everything that you are eligible for as a
citizen. So that simple requirement could have launched and can
still launch in Benefits.gov.
Chairman Issa. I am of an age that I knew the names of all
the Mercury astronauts. I didn't know much about government
contracting as a young man, but I have been told that the space
pen was designed to be able to write in zero gravity, so they
could make their notes in this inverted zero gravity. But the
Russians used a pencil.
[Laughter.]
Chairman Issa. The pencil cost what it took to sharpen it,
while the space pen cost millions of dollars to design and
produce.
Now, that may be a euphemism for a lot of what we deal
with. But today we heard somebody tell us that they decided to
scrub because there were security concerns over what ultimately
was a glorified splash page. If you were back, both of you were
back in your positions and you wanted to please your boss by
giving him as much deliverable as you could, and 30 days out
you discovered that something had to give, would you have
grabbed a pencil out of the drawer instead of telling people
they would have to wait months or years to get the space pen?
Mr. Spires. I certainly would have tried that, sir. I would
have even said, seems to me, and I will echo what Ms. Evans
said, that there should have been a lot of work up front to
simplify as much as possible what needed to be launched on
October 1st.
Chairman Issa. I want to thank you. Mr. Lacy Clay alluded
to the Harris project that was done during a previous
Administration where the Census Bureau, not really the
Administration, had 10 years to launch something and they kept
changing it, so that the corporation could legitimately say
that it wasn't ready, but they could show all these change
orders in what was basically a handheld scanner, not a terribly
high-faluting piece of technology. So I do understand the
mission creep.
We were just told that apparently in the month of October,
we signed up approximately 27,000 people into ObamaCare. With
that, would either one of you like to venture whether or not
the estimate we were given that they are now signing up roughly
27,000, on the Federal exchange, but we were told they are
signing up about 27,000 an hour. So apparently they are signing
up about the same amount per hour that they signed up in the
first month.
Would any of you venture a guess to what that number will
be? Will it be at least ten times 27,000 an hour or 270,000 a
day at the end of the month? Or are you going to bet on the low
side?
Ms. Evans. I am not a betting person. So I will put that on
the record. There is not enough information for me to bet.
Chairman Issa. But with 17,000 an hour being told to us
under oath here today, does anyone want to look at 170,000 or
200,000 or 300,000 a day and bet higher or lower here?
Ms. Evans. Lower. It is going to be lower, because he said
17,000 registrations. So that is not 17,000 completions. This
is again, you are talking about how they are measuring certain
things and how you want the outcomes. So you are looking at the
outcomes and they are measuring things at the beginning of the
process. So if you are talking about all the way through the
process, it is going to be on the lower side.
Chairman Issa. I suspect you are exactly right. When I was
in private life, they always wanted to sell me impressions, how
many impressions a piece of advertising got. And I always
wanted to buy how many sales. So I suspect that we have 17,000
impressions an hour, while in fact the amount of sales could be
not much more than that less than 30,000. So I am betting that
when we get our answer at the end of November, that it is
100,000 or less in the Federal exchange. I certainly hope for
more, because we need it to be, I think, 43,000 a day if we are
going to cover everyone.
Would either of you like to make any closing statements?
Ms. Evans. I just want to say I appreciate your inviting me
back, the committee inviting me back to share my viewpoints. I
would echo some of the comments that Richard has made today,
that it is important to get that legislation through to enhance
the roles of the CIO, so that we can ensure that other things
like IT procurement and those things happen, so that we can
avoid this for this type project, for all of the whole, entire
portfolio.
Mr. Spires. I am not sure I could say it any better than
you just said it, Karen. So I have no other remarks. Thank you.
Chairman Issa. Thank you both. We always say, I will
associate myself with the gentlelady. So I thank you both again
for your public service in the past and your continued service
today. We stand adjourned.
[Whereupon, at 3:40 p.m., the committee was adjourned.]
APPENDIX
----------
Material Submitted for the Hearing Record
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]