[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]






                       SECURITY OF HEALTHCARE.GOV

=======================================================================

                                HEARING

                               BEFORE THE

              SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           NOVEMBER 19, 2013

                               __________

                           Serial No. 113-100

      Printed for the use of the Committee on Energy and Commerce
                        energycommerce.house.gov
                                       ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

87-764 PDF                     WASHINGTON : 2015 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001


                    COMMITTEE ON ENERGY AND COMMERCE

                          FRED UPTON, Michigan
                                 Chairman

RALPH M. HALL, Texas                 HENRY A. WAXMAN, California
JOE BARTON, Texas                      Ranking Member
  Chairman Emeritus                  JOHN D. DINGELL, Michigan
ED WHITFIELD, Kentucky               FRANK PALLONE, Jr., New Jersey
JOHN SHIMKUS, Illinois               BOBBY L. RUSH, Illinois
JOSEPH R. PITTS, Pennsylvania        ANNA G. ESHOO, California
GREG WALDEN, Oregon                  ELIOT L. ENGEL, New York
LEE TERRY, Nebraska                  GENE GREEN, Texas
MIKE ROGERS, Michigan                DIANA DeGETTE, Colorado
TIM MURPHY, Pennsylvania             LOIS CAPPS, California
MICHAEL C. BURGESS, Texas            MICHAEL F. DOYLE, Pennsylvania
MARSHA BLACKBURN, Tennessee          JANICE D. SCHAKOWSKY, Illinois
  Vice Chairman                      JIM MATHESON, Utah
PHIL GINGREY, Georgia                G.K. BUTTERFIELD, North Carolina
STEVE SCALISE, Louisiana             JOHN BARROW, Georgia
ROBERT E. LATTA, Ohio                DORIS O. MATSUI, California
CATHY McMORRIS RODGERS, Washington   DONNA M. CHRISTENSEN, Virgin 
GREGG HARPER, Mississippi            Islands
LEONARD LANCE, New Jersey            KATHY CASTOR, Florida
BILL CASSIDY, Louisiana              JOHN P. SARBANES, Maryland
BRETT GUTHRIE, Kentucky              JERRY McNERNEY, California
PETE OLSON, Texas                    BRUCE L. BRALEY, Iowa
DAVID B. McKINLEY, West Virginia     PETER WELCH, Vermont
CORY GARDNER, Colorado               BEN RAY LUJAN, New Mexico
MIKE POMPEO, Kansas                  PAUL TONKO, New York
ADAM KINZINGER, Illinois             JOHN A. YARMUTH, Kentucky
H. MORGAN GRIFFITH, Virginia
GUS M. BILIRAKIS, Florida
BILL JOHNSON, Ohio
BILLY LONG, Missouri
RENEE L. ELLMERS, North Carolina

                                 _____

              Subcommittee on Oversight and Investigations

                        TIM MURPHY, Pennsylvania
                                 Chairman
MICHAEL C. BURGESS, Texas            DIANA DeGETTE, Colorado
  Vice Chairman                        Ranking Member
MARSHA BLACKBURN, Tennessee          BRUCE L. BRALEY, Iowa
PHIL GINGREY, Georgia                BEN RAY LUJAN, New Mexico
STEVE SCALISE, Louisiana             JANICE D. SCHAKOWSKY, Illinois
GREGG HARPER, Mississippi            G.K. BUTTERFIELD, North Carolina
PETE OLSON, Texas                    KATHY CASTOR, Florida
CORY GARDNER, Colorado               PETER WELCH, Vermont
H. MORGAN GRIFFITH, Virginia         PAUL TONKO, New York
BILL JOHNSON, Ohio                   JOHN A. YARMUTH, Kentucky
BILLY LONG, Missouri                 GENE GREEN, Texas
RENEE L. ELLMERS, North Carolina     JOHN D. DINGELL, Michigan (ex 
JOE BARTON, Texas                        officio)
FRED UPTON, Michigan (ex officio)    HENRY A. WAXMAN, California (ex 
                                         officio)

                                  (ii)
                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. Tim Murphy, a Representative in Congress from the 
  Commonwealth of Pennsylvania, opening statement................     1
    Prepared statement...........................................     3
Hon. Diana DeGette, a Representative in Congress from the State 
  of Colorado, opening statement.................................     4
Hon. Fred Upton, a Representative in Congress from the State of 
  Michigan, opening statement....................................     8
    Prepared statement...........................................     9
Hon. Michael C. Burgess, a Representative in Congress from the 
  State of Texas, opening statement..............................    10
Hon. Henry A. Waxman, a Representative in Congress from the State 
  of California, opening statement...............................    10
Hon. John D. Dingell, a Representative in Congress from the State 
  of Michigan, opening statement.................................    12
    Prepared statement...........................................    12
Hon. G.K. Butterfield, a Representative in Congress from the 
  State of North Carolina, prepared statement....................   116

                               Witnesses

Henry Chao, Deputy Chief Information Officer and Deputy Director, 
  Office of Information Services, Centers for Medicare and 
  Medicaid Services..............................................    13
    Prepared statement...........................................    16
    Answers to submitted questions...............................   178
Jason Providakes, Senior Vice President, Center for Connected 
  Government, The MITRE Corporation..............................    88
    Prepared statement...........................................    91
    Answers to submitted questions...............................   185
Maggie Bauer, Senior Vice President, Creative Computing 
  Solutions, Inc.................................................    94
    Prepared statement...........................................    95
    Answers to submitted questions...............................   188
David Amsler, President and Chief Information Officer, Foreground 
  Security, Inc..................................................    99
    Prepared statement...........................................   101
    Answers to submitted questions...............................   192

                           Submitted Material

Letter of November 19, 2013, from Mr. Waxman, et al., to Mr. 
  Upton and Mr. Murphy, submitted by Ms. DeGette.................     6
Report, dated April 24, 2012, ``Cybersecurity, Threats Impacting 
  the Nation,'' Government Accountability Office, submitted by 
  Mr. Lujan......................................................    48
Article, undated, ``Bad news for woman cited as Obamacare success 
  story,'' CNN.com, submitted by Mrs. Ellmers....................    79
Majority memorandum, submitted by Mr. Murphy.....................   118
Subcommittee exhibit binder......................................   125

 
                       SECURITY OF HEALTHCARE.GOV

                              ----------                              


                       TUESDAY, NOVEMBER 19, 2013

                  House of Representatives,
      Subcommittee on Oversight and Investigations,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:15 a.m., in 
room 2123 of the Rayburn House Office Building, Hon. Tim Murphy 
(chairman of the subcommittee) presiding.
    Members present: Representatives Murphy, Burgess, 
Blackburn, Scalise, Harper, Olson, Gardner, Griffith, Johnson, 
Long, Ellmers, Barton, Upton (ex officio), DeGette, Braley, 
Lujan, Schakowsky, Butterfield, Welch, Tonko, Yarmuth, Dingell, 
and Waxman (ex officio).
    Staff present: Carl Anderson, Counsel, Oversight; Mike 
Bloomquist, General Counsel; Sean Bonyun, Communications 
Director; Karen Christian, Chief Counsel, Oversight and 
Investigations; Noelle Clemente, Press Secretary; Brad Grantz, 
Policy Coordinator, Oversight and Investigations; Brittany 
Havens, Legislative Clerk; Sean Hayes, Counsel, Oversight and 
Investigations; Brandon Mooney, Professional Staff Member; 
Andrew Powaleny, Deputy Press Secretary; Tom Wilbur, Digital 
Media Advisor; Jessica Wilkerson, Staff Assistant; Stacia 
Cardille, Democratic Deputy Chief Counsel; Brian Cohen, 
Democratic Staff Director, Oversight and Investigations, and 
Senior Policy Advisor; Hannah Green, Democratic Staff 
Assistant; Elizabeth Letter, Democratic Press Secretary; Karen 
Lightfoot, Democratic Communications Director and Senior Policy 
Advisor; Karen Nelson, Democratic Deputy Committee Staff 
Director for Health; Stephen Salsbury, Democratic Special 
Assistant; and Matt Siegler, Democratic Counsel.

   OPENING STATEMENT OF HON. TIM MURPHY, A REPRESENTATIVE IN 
         CONGRESS FROM THE COMMONWEALTH OF PENNSYLVANIA

    Mr. Murphy. Good morning. I convene this hearing of the 
Subcommittee on Oversight and Investigations to discuss the 
security of the Healthcare.gov Web site.
    Americans want to know the answers to two simple questions: 
is my information secure if I use Healthcare.gov, and why 
should I believe the administration that it is?
    It has been nearly 50 days since the launch of 
Healthcare.gov, and the Web site is still not functioning at an 
acceptable level. This is despite the numerous promises and 
assurances the public was given by members of the 
administration leading up to and over the several months up to 
the launch of the Web site.
    This committee heard directly from Secretary Sebelius, 
Administrator Tavenner, and CCIIO Director, Gary Cohen, that 
they were ready by October 1. We are all deeply troubled that 
the individuals who want to be in charge of America's 
healthcare system could not even predict accurately if the Web 
site would work. And those predictions were not just limited to 
the Web site. We have also been routinely promised that the Web 
site was safe, and that Americans' personal information would 
be secure.
    When Administrator Tavenner last appeared before this 
committee, she informed us that testing began in October of 
last year, that end-to-end testing would be completed by the 
end of August this year. We have now learned that this simply 
was not the case. End-to-end testing is not possible when the 
Web site isn't completed.
    Today we hope to hear from our witness about how much of 
the Web site remains to be built. If the first parts of 
Healthcare.gov have been this problematic, we are obviously 
concerned about parts that are being constructed under current 
pressures and time constraints.
    The witness for our first panel today is Mr. Henry Chao, 
the Deputy Chief Information Officer at the Centers for 
Medicare and Medicaid Services, and we want to thank you for 
coming and testifying today. I can only imagine how stressful 
the last few months have been for you, so welcome here. Yet, I 
hope you can appreciate the fact that HHS has a ways to go to 
regain the trust of the American people in this Web site. They 
were promised a functioning Web site as easy as buying a TV on 
Amazon, and what they got was a train wreck.
    The reason the trust of the American people may be so 
difficult to regain is because every day, new revelations 
emerge that show this wreck was entirely foreseeable. Last 
week, this subcommittee uncovered emails from CMS showing that 
as early as July of this year, Mr. Chao, our first witness, was 
worried that the company primarily responsible for building the 
Web site, CGI, would ``crash at takeoff.''
    Today this subcommittee also released materials showing 
that as early as March to April of this year, top 
administration officials were well aware that Healthcare.gov 
was far off schedule, and testing of the Web site would be 
limited. We have also learned that Healthcare.gov was only 
launched after Administrator Tavenner signed an authority to 
operate, which included a memo warning her that a full security 
control assessment was not yet completed. This memo makes it 
clear that the highest levels of CMS knew that there were 
security risks present, yet again, while this document was 
being signed in private, administration officials were 
promising the public that in only a few days, the American 
people would be able to use a perfectly functioning Web site.
    A few weeks ago, Secretary Sebelius told this committee 
that the highest security standards are in place, and people 
have every right to expect privacy. I hope that today we hear 
what those standards are, not only from Mr. Chao and also from 
our second panel as well.
    Our second panel features some of the contractors that are 
responsible for the security of Healthcare.gov, and I thank 
them for testifying today. I am disappointed that one of the 
companies responsible for security, Verizon, chose not to 
testify today. We will certainly be following up with Verizon 
so that they are accountable to the public for their work here.
    Today's hearing is not just about the Web site. Web sites 
can be fixed. What cannot be fixed is the damage that could be 
done to the American people if their personal data is 
compromised. Right now, Healthcare.gov screams to those who are 
trying to break into the system, ``If you like my healthcare 
info, maybe you can steal it.''
    [The prepared statement of Mr. Murphy follows:]

                 Prepared statement of Hon. Tim Murphy

    Americans want to know the answers to two simple questions: 
Is my information secure if I use HealthCare.gov? And why 
should I believe the administration that it is?
    It has been nearly 50 days since the launch of 
HealthCare.gov, and the Web site is still not functioning at an 
acceptable level. This is despite the numerous promises and 
assurances the public was given by members of the 
administration leading up to the launch of the Web site. This 
committee heard directly from Secretary Sebelius, Administrator 
Tavenner, and CCIIO Director Gary Cohen that they were ready by 
October 1. We are all deeply troubled that the individuals who 
want to be in charge of America's healthcare system could not 
even predict accurately if the Web site would work.
    And those predictions were not just limited to the Web 
site. We have also been routinely promised that the Web site 
was safe and that Americans personal information would be 
secure. When Administrator Tavenner last appeared before this 
committee, she informed us that testing began in October of 
last year, and that end-to-end testing would be completed by 
the end of August this year. We have now learned that this was 
simply not the case. End-to-end testing is not possible when 
the Web site isn't completed. Today, we hope to hear from our 
witness about how much of the Web site remains to be built. If 
the first parts of HealthCare.gov have been this problematic, 
we are obviously concerned about parts that are being 
constructed under current pressures and time constraints.
    The witness for our first panel today is Mr. Henry Chao, 
the Deputy Chief Information Officer at the Centers for 
Medicare and Medicaid Services. We thank you for testifying 
today. I can only imagine how stressful the last few months 
have been. Yet, I hope you can appreciate the fact that HHS has 
a ways to go to regain the trust of the American people. They 
were promised a functioning Web site--as easy as buying ``a TV 
on Amazon''--and they got a train wreck.
    The reason the trust of the American people may be so 
difficult to regain is because every day new revelations emerge 
that show this train wreck was entirely foreseeable. Last week 
this subcommittee uncovered emails from CMS showing that as 
early as July of this year Mr. Chao, our first witness, was 
worried that the company primarily responsible for building the 
Web site--CGI--would crash on takeoff. This subcommittee also 
released materials showing that as early as April top 
administration officials were well aware that Healthcare.gov 
was far off schedule and testing of the Web site would be 
limited.
    We have also learned that HealthCare.gov was only launched 
after Administrator Tavenner signed an ``Authority to 
Operate,'' which included a memo warning her that a full 
Security Control Assessment was not completed. This memo makes 
it clear that the highest levels of CMS knew that there were 
security risks present. Yet, again, while this document was 
being signed behind closed doors, in public, administration 
officials were promising that in only a few days the public 
would be able to use a perfectly functioning Web site.
    A few weeks ago Secretary Sebelius told this committee that 
the ``highest security standards are in place, and people have 
every right to expect privacy.'' I hope that today we hear what 
those standards are from not only Mr. Chao, but our second 
panel as well. Our second panel features some of the 
contractors that are responsible for the security of 
HealthCare.gov, and I thank them for testifying today. I am 
disappointed that one of the companies responsible for 
security, Verizon, chose not to testify today. We will 
certainly be following up with Verizon so that they are 
accountable to the public for their work here.
    Today's hearing is not just about the Web site. Web sites 
can be fixed. What cannot be fixed is the damage that could be 
done to Americans if their personal data is compromised.
    Right now, HealthCare.gov screams to crooks, ``If you like 
my healthcare info, you can steal it.''

    Mr. Murphy. But I now recognize for an opening statement 
Ms. DeGette of Colorado, for 5 minutes.

 OPENING STATEMENT OF HON. DIANA DEGETTE, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF COLORADO

    Ms. DeGette. Thank you very much, Chairman Murphy. I want 
to add to your thanks to Mr. Chao for being here today, as well 
as the three contractor witnesses: MITRE, CCSi and Foreground.
    We must make sure that the data on Healthcare.gov is 
secure. Everybody can agree on that. The American people must 
know that their data is protected when they go on the site to 
find a quality, affordable insurance plan for themselves or 
their families. This is critical. However, my fear is that 
today's hearing is actually less about the facts of the 
security of Healthcare.gov, and more about political points and 
undermining the ACA.
    Now, without a doubt, no one could disagree there are 
troubling problems with the rollout of the Exchanges. Three 
weeks ago, our full committee held the first hearing on the 
inexcusable fact that Healthcare.gov seems to have been broken 
since it was very first launched. And three weeks later, while 
improving, it is clearly not up to speed. As I have said 
before, the Exchanges need to be fixed, and they need to be 
fixed fast so that the American people can easily access 
quality, affordable insurance plans open to them. I hope we 
will have another hearing after the November 30 deadline to see 
how they are working.
    My fear about this hearing today though is that it won't 
enlighten the American public, but instead raise unjustified 
fears about security piling on all of the other issues. Now, 
obviously, as I said, we need to make sure that the data on 
Healthcare.gov is secure, but we should not create smoke if 
there is no fire.
    So before we begin, I want to give the American people some 
peace of mind based on the facts that we know about security on 
Healthcare.gov.
    First, and critically, no American has to provide any 
personal health information to Healthcare.gov or to insurers in 
order to qualify for health coverage and subsidies. To make 
sure about this, I went on the Exchange myself the other day, 
and that is because the ACA bans discrimination based on pre-
existing health conditions. Before the ACA became law, 
Americans buying coverage on the individual insurance market 
had to fill out page after page of personal health information 
to apply for insurance. But no longer, thanks to the Affordable 
Care Act. Americans do not have to turn over any private health 
insurance to get coverage.
    Second, while no Web site in the Government or in the 
private sector is 100 percent secure, unfortunately, there is a 
complex and detailed set of rules that HHS must follow to make 
sure that data on Healthcare.gov is secure. And I am looking 
forward to hearing from you, Mr. Chao, about these security 
issues today.
    The Agency has a long record of maintaining personal 
information about Medicare, Medicaid, Social Security and many 
areas, and has never had a significant leak of information. HHS 
must comply with the Federal Information Security Management 
Act, and National Institute of Standards and Technology 
Guidelines to protect information systems and the data 
collected or maintained by Healthcare.gov. And like all Federal 
agencies, HHS is required to develop, document and implement an 
agency-wide information security program.
    To date, our committee's investigation has found that CMS 
has complied with every important security rule and guideline. 
They hired a small army of contractors to make sure the Web 
site is secure, and they are going to talk to us about it 
today.
    The memo, Mr. Chairman, that you talked about at our last 
hearing, that identified some security concerns, primarily a 
lack of end-to-end testing on Healthcare.gov, but it also 
outlined a mitigation plan, one we learned was--that the Agency 
was following to mitigate security risks. So I want to hear 
from the contractors and from you, Mr. Chao, if, in fact, these 
findings are being heeded.
    Now, unfortunately, Mr. Chairman, I have to raise one more 
issue in my remaining minute, and that is this committee's 
grand tradition of bipartisanship investigation. Apparently, 
the committee, last Thursday, received a memo from CMS, Red 
Team discussion document. The majority on this committee did 
not share this memo with the minority on this committee until 
yesterday, coincidentally, just after they leaked this memo to 
The Washington Post. Now--and if you saw The Washington Post 
front page today, you saw a big story, and, Mr. Chairman, you 
were quoted in that story, talking about concerns about the 
readiness of the Exchange based on this memo.
    I know that is not the topic of this hearing today, but I 
have got to say it is not in the tradition of the committee to 
conduct investigations that way. And when the majority received 
this memo, it should have immediately provided it to all of the 
members so that we could read it and find out. We are all just 
as concerned about making these Exchanges work.
    And to that end, Mr. Waxman and I have written a letter 
expressing our displeasure, and we would like to enter that 
into the record at this time, Mr. Chairman.
    [The information follows:]
    Mr. Murphy. That is fine, and I will look forward to 
talking with you more about these procedures. I know that these 
came as part of a couple of hundred thousand pages of documents 
that we are going through, but I will be glad to review that 
with you because I certainly respect my colleague on this----
    Ms. DeGette. That we were able to find it in time to give 
it to The Washington Post in time for today's hearing, and to 
be quoted----
    Mr. Murphy. We will----
    Ms. DeGette [continuing]. In The Washington Post.
    Mr. Murphy. We will have a good discussion on that. I thank 
my colleague, whose time has expired.
    I now recognize the chairman of the full committee, Mr. 
Upton, for 5 minutes.

   OPENING STATEMENT OF HON. FRED UPTON, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF MICHIGAN

    Mr. Upton. Well, thank you, Mr. Chairman.
    You know, for months, administration witnesses have come 
before this committee and assured us that the implementation of 
the President's healthcare law was ``on track''--their words--
and that Healthcare.gov would be ready for the October 1 
launch. But why not give the straight story to the Congress and 
the public, because back on April 18, Secretary Sebelius 
testified in this very room, we have the Federal hub on track 
and on time. I can tell you we are on track. Those are her 
words. But we now know that the Secretary's testimony did not 
match what was happening behind the scenes.
    Two weeks before she testified before this committee, 
Secretary Sebelius was present at an April 4 meeting where 
experts identified significant threats and risks launching the 
site on October 1. The administration was on track, on track 
for disaster, but stubbornly they stayed the course, repeating 
their claims that all is well and on track, right up until the 
mess that launched on October 1. And even after the launch, 
administration officials insisted that the volume was primarily 
the culprit, when they, in fact, knew otherwise.
    But our oversight of the health law is not just about a Web 
site. No, it is not. It is about whether the public can trust 
and rely on this healthcare system that the administration has 
been building for over three years, and spending hundreds of 
millions of dollars. The failure of this Web site has 
significant consequences for all Americans. One important 
question is whether individuals will be able to enroll and 
obtain coverage by January 1. Security is another critical 
concern. How can the public trust a hastily thrown-together 
system in which meeting a deadline was more important for the 
administration than conducting complete end-to-end testing of 
the site's security.
    Mr. Henry Chao, Deputy Chief Information Officer of CMS, is 
here to answer those questions, about CMS's management of the 
Federal Exchange and the implications for security. And, Mr. 
Chao, I do understand that you are a career employee, and have 
been at CMS for years, and I know, as Chairman Murphy 
indicated, the last few months have not been particularly easy. 
Last March, you were one of the first to publicly offer a 
glimpse of the true situation when you candidly remarked about 
the Web site and said, let us just make sure it is not a Third 
World experience. Documents produced to the committee paint a 
clear picture that the administration officials, in fact, knew 
for months before the October 1 date about delays and problems 
with the Web site development. Mr. Chao, you have been 
responsible for managing the development of Healthcare.gov, but 
I can imagine many matters were outside of your control. And 
given the lack of end-to-end testing, I hope that you can 
explain to us today why the administration felt confident in 
the security of Healthcare.gov when the system went live on 
October 1.
    We are also joined by three companies that were awarded 
contracts by CMS to provide security services for the Federal 
Exchange. These companies are here also today to answer 
questions about their roles. I know the subject of security 
presents certain sensitivities, and I am glad that they made 
the decision to accept our invitations to testify and inform us 
about how Healthcare.gov works or doesn't.
    One thing that we have learned; there are countless 
contractors involved in building this Web site, and 
responsibilities are divided. Very divided. It is a complex 
system, I know, but we would like to know how the delays and 
rushed implementation have affected or complicated the ability 
to perform the security work for the Web site.
    [The prepared statement of Mr. Upton follows:]

                 Prepared statement of Hon. Fred Upton

    For months, administration witnesses have come before this 
committee and assured us that implementation of the president's 
healthcare law was ``on track,'' and that HealthCare.gov would 
be ready for the October 1 launch.
    But why not give the straight story to the Congress and the 
public? On April 18, Secretary Sebelius testified in this very 
room, ``we have the Federal hub on track and on time. . . . I 
can tell you we are on track.'' But we now know that the 
secretary's testimony did not match what was happening behind 
the scenes. Two weeks before she testified before this 
committee, Secretary Sebelius was present at an April 4 meeting 
where experts identified significant threats and risks to 
launching the site on October 1. The administration was on 
track--on track for disaster. But stubbornly, they stayed the 
course, repeating their claims that all was well and on track 
right up until the mess that launched October 1. Even after the 
launch, administration officials insisted volume was the 
primary culprit, when they knew otherwise.
    But our oversight of the health law is not just about a Web 
site. It is about whether the public can trust and rely on this 
healthcare system that the administration has been building for 
over 3 years. The failures of this Web site have significant 
consequences for Americans. One important question is whether 
individuals will be able to enroll and obtain coverage by 
January 1. Security is another critical concern. How can the 
public trust a hastily thrown together system in which meeting 
a deadline was more important for the administration than 
conducting complete, end to end testing of the site's security?
    Mr. Henry Chao, Deputy Chief Information Officer of CMS, is 
here to answer our questions about CMS' management of the 
Federal exchange and the implications for security. Mr. Chao, I 
understand you are a career employee and have been at CMS for 
years. I am sure the last few months have not been easy for 
you. Last March, you were one of the first to publicly offer a 
glimpse of the true situation when you candidly remarked about 
the Web site, ``Let's just make sure it's not a third-world 
experience.'' Documents produced to the committee paint a 
clearer picture that administration officials knew for months 
before October 1 about delays and problems with the Web site 
development. Mr. Chao, you have been responsible for managing 
the development of HealthCare.gov, but I imagine many matters 
were outside your control. Given the lack of end-to-end 
testing, I hope you can explain to us today why the 
administration felt confident in the security of HealthCare.gov 
when the system went live on October 1.
    We are also joined by three companies that were awarded 
contracts by CMS to provide security services for the Federal 
exchange. These companies--MITRE, CCSi, and Foreground--are 
here today to answer questions about their roles. I know the 
subject of security presents certain sensitivities and I am 
glad they made the decision to accept our invitations to 
testify and inform this committee about how HealthCare.gov 
works. One thing we have learned--there are countless 
contractors involved in building this Web site, and 
responsibilities are divided. It is a complex system. I would 
like to know how the delays and rushed implementation have 
affected or complicated your ability to perform the security 
work for the Web site.

    Mr. Upton. And I yield the balance of my time to Dr. 
Burgess.

OPENING STATEMENT OF HON. MICHAEL C. BURGESS, A REPRESENTATIVE 
              IN CONGRESS FROM THE STATE OF TEXAS

    Mr. Burgess. I thank the chairman for the recognition, and 
I do want to thank our witnesses for being here today.
    Pretty broad agreement, the implementation of the 
Affordable Care Act has been problematic, and rather than 
getting better, it may be getting worse. We have low enrollment 
numbers, a Web site so bad that it has required the appointment 
of a glitch tsar, cancelled plans, broken promises from the 
President, just for starters. These initial problems break the 
surface of the deeper issues that lie ahead for not just the 
law, but for the American people that must live under the law.
    And, Mr. Chao, you probably, prior to anyone else, sounded 
the alarm with that speech to AHIP, and I know you are tired of 
hearing it, but I will tell you once again, your comments that 
you were just trying to prevent the Web site from becoming a 
Third World experience, I admire your ability to see over the 
horizon and tell the problems before they come up and hit you 
in the windshield. But also you are the one who recommended 
that it was safe to launch the Web site on October 1. So what 
happened in those 6 months that led you, yourself, and others 
in the administration to believe that this law was, in fact, 
ready for primetime? Not only did the Center for Medicare and 
Medicaid Services fail to establish basic functionality, but 
Healthcare.gov's flaws continue to pose a threat to the 
security of Americans' personal data. And just on a personal 
note, when I went to Healthcare.gov this morning, it was still 
not functional. Another Web site, HealthSherpa.com, can 
actually tell me about the plans that are available in my area. 
We know it was possible to do this. We are all wondering why it 
wasn't.
    Thank you, Mr. Chairman. I will yield back.
    Mr. Murphy. Gentleman yields back.
    Now recognize the ranking member of the full committee, Mr. 
Waxman, for 5 minutes.

OPENING STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Mr. Waxman. Thank you very much, Mr. Chairman.
    The last 6 weeks have been difficult ones for supporters of 
the Affordable Care Act. The troubled rollout of the Web site 
prevented many of our constituents from signing up for the 
affordable, high-quality coverage for which they now qualify. 
And it has been relentlessly exploited for political gain by 
Republican opponents of the law.
    I was interested to hear the phrase in the 2 Republicans' 
statements, maybe in all of them; we don't want a Third World 
Web site. Well, let me tell you what is Third World. Third 
world in this country is when we leave millions of people 
unable to get insurance because they have pre-existing medical 
conditions, or they can't afford it. No other industrial 
country allows such a thing to happen, but that is what 
Republicans who have opposed this law would have us return to.
    I think we are turning the corner on the Web site. On 
Friday, Jeff Zients, the administration's point person on 
Healthcare.gov, announced two key metrics of improvement, and 
it seems to me these are all very good signs the Web site is 
getting better. Additional improvements are still needed, but 
Healthcare.gov means more and more people will be signing up 
for coverage as that Web site becomes more usable.
    I want to tell you what is happening in California. In the 
first month, 35,000 people enrolled in the Exchange, over 
70,000 qualified for Medicaid, and State officials say that the 
pace of enrollment is increasing. In just the first 12 days of 
November, enrollment from the first month almost doubled.
    Now, I know we are looking today at the issue of data 
security on Healthcare.gov. It is an important issue. We should 
begin by acknowledging that the ACA represents an enormous step 
forward for privacy because, when people apply for insurance 
coverage, the law bans them from being asked questions about 
their underwriting, about their medical conditions, about the 
privacy of things that affect their health, because it is not 
necessary to ask those questions. They are not going to be 
denied insurance coverage because of previous medical problems. 
But there is some personal information that people are going to 
be asked for when they sign up, and we need to ensure that this 
information is protected.
    This question comes up repeatedly--came up repeatedly when 
Secretary Sebelius was before us. She told us the department is 
placing a high priority on the security of the Web site, and 
the highest security standards are in place to protect personal 
information on Healthcare.gov.
    I hope this hearing will be a serious, evenhanded inquiry, 
but I fear that some of my Republican colleagues may exaggerate 
security concerns to stoke public fear, and exaggerate it so 
that they can dissuade people from even signing up. This is 
exactly what this subcommittee did when they launched an 
investigation into nonprofit community organizations serving as 
healthcare navigators. They were harassing these people in 
order to prevent them from helping people learn what is 
available to them.
    Mr. Chairman, yesterday we learned that you have been 
withholding important investigative documents, leaking them to 
the press before even providing them to the Democratic members 
and staff. And I sent you a letter this morning describing why 
this is a violation of the committee's precedent. It is not the 
way this committee has traditionally operated, and it raises 
concerns about whether these hearings are becoming another 
partisan attempt to weaken the Affordable Care Act.
    The committee should not go down that road. We should be 
using our oversight powers to improve the Affordable Care Act, 
not to sabotage it or to discourage Americans from signing up 
for quality care.
    I want to yield the balance of my time, Mr. Chairman, to 
Mr. Dingell.

OPENING STATEMENT OF HON. JOHN D. DINGELL, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF MICHIGAN

    Mr. Dingell. I thank the gentleman. I ask unanimous consent 
to revise and extend my remarks, and I am pleased to be here 
and I am certainly pleased that my subscription to The 
Washington Post is in effect so I can find out what is being 
leaked by my Republican colleagues to the media.
    This is interesting. We have clearly a violation of the 
practices, traditions and histories of this committee and the 
investigations it has done. I speak as a member who has done 
more investigations than anybody in this room, including 
probably more than all of them put together.
    Here, we have a breach of the responsibility of the 
leadership to make information available to the committee at 
the same time they make it to the press. I find that difficult, 
but worse than that, I find it intolerable that this committee 
is running around fishing for trouble where none exists. I feel 
a little bit like the old maid who came home and looked under 
the bed to find out if there was somebody there, hoping, in 
fact, that there would be. Unfortunately, there is not.
    I have seen no evidence of any complaints or any evidence 
of misbehavior with regard to the information that is 
controlled by the Government. I would urge this committee to 
spend its time trying to make this situation work, and see to 
it that we collect the information that is necessary, make the 
Web site work, and see to it that we register the Americans so 
that we can cease being a Third World nation, both with regard 
to how the Congress runs and how the health care of this 
country works.
    Mr. Murphy. Gentleman's time has expired.
    Mr. Dingell. We are down around the Third World nations in 
the way that we take care of the health of our people. Look at 
the statistics.
    Mr. Murphy. Thank you.
    Mr. Dingell. It will give you a shock.

               Prepared statement of Hon. John D. Dingell

    I thank the gentlemen for yielding.
    Partisan politics have always been at the heart of the 
Majority's investigation into the Affordable Care Act, but 
today we have reached a new low.
    Breaking with longstanding committee practice, the majority 
selectively released certain documents to the press before 
Democratic staff even had the opportunity to review.
    Oversight is one of the most important responsibilities of 
the Congress, and it can result in good things when used 
properly. This committee has a long history of bipartisan 
cooperation when conducting oversight.
    When I was chairman, the minority always had ample time to 
access documents. I hope we can soon return to that precedent 
and work on these issues together rather than playing games 
with the press.

    Mr. Murphy. Gentleman's time has expired.
    Thank you very much. And now I would like to introduce the 
witnesses on our first panel for today's hearing. Henry Chao 
has served since January 2011 as the Deputy Chief Information 
Officer and Deputy Director of the Office of Information 
Services at the Centers for Medicare and Medicaid Services. 
Some of his prior roles include Chief Information Officer in 
the Office of Consumer Information and Insurance Oversight, and 
Chief Technology Officer for CMS. I will now swear in the 
witness.
    You are aware, Mr. Chao, that the committee is holding an 
investigative hearing, and when doing so, has the practice of 
taking testimony under oath. Do you have any objection to 
taking testimony under oath? The witness indicates no. The 
Chair then advises you that under the rules of the House and 
the rules of the committee, you are entitled to be advised by 
counsel. Do you desire to be advised by counsel during your 
testimony today? Mr. Chao indicates no. In that case, would you 
please rise, raise your right hand, I will swear you in.
    [Witness sworn.]
    Mr. Murphy. Thank you. You are now under oath and subject 
to the penalties set forth in Title XVIII, Section 1001 of the 
United States Code. You may now give a 5-minute summary of your 
written statement. And make sure the microphone is on and 
pulled close to you. Thank you, Mr. Chao.

 STATEMENT OF HENRY CHAO, DEPUTY CHIEF INFORMATION OFFICER AND 
 DEPUTY DIRECTOR, OFFICE OF INFORMATION SERVICES, CENTERS FOR 
                 MEDICARE AND MEDICAID SERVICES

    Mr. Chao. Thank you, Chairman Murphy, Ranking Member 
DeGette, and members of the subcommittee for inviting me to 
testify about the security of the Federally Facilitated 
Marketplace.
    The security and protection of personal and financial 
information is a top priority for CMS which, for decades, has 
protected the personal information of the more than 100 million 
Americans enrolled in Medicare, Medicaid and the Children's 
Health Insurance Program.
    The protection of personal information in CMS programs is a 
monumental responsibility. Every day, CMS enrolls new Medicare 
beneficiaries, pays claims timely and efficiently, and protects 
the information of consumers and providers. CMS used this 
experience and our security-best practices to build a secure 
Federal Marketplace that consumers should feel confident 
entrusting with their personal information.
    CMS follows Federal law, Government-wide security processes 
and standard business practices to ensure stringent security 
and privacy protections. CMS's security protections are not 
singular in nature; rather, the marketplace is protected by an 
extensive set of security layers.
    First and foremost, the application--the online application 
is developed with secure code. Second, the application 
infrastructure is physically and logically protected by our 
hosting provider. Third, the application is protected through 
an internet defense shield in order to protect unauthorized 
access to any personal data. Finally, several entities provide 
direct and indirect security monitoring, security testing, and 
security oversight which includes the various organizational 
groups that CMS are reporting to key stakeholders with respect 
to security and privacy.
    This includes the Department of Health and Human Services. 
We also work in conjunction with US-CERT, which is operated by 
the Department of Homeland Security. CERT stands for Computer 
Emergency Response Team. And the Office of the Inspector 
General of HHS. Each of these groups has varying roles to 
ensure operational management and technical controls are 
implemented and successfully working.
    The Federally Facilitated Marketplace is protected by the 
high standards demanded of Federal information systems, 
including regulations and standards prescribed by FISMA, NIST, 
the Privacy Act and the directives promulgated by the Office of 
Management and Budget.
    CMS designed the marketplace IT systems and the Hub to 
reduce possible vulnerabilities and increase the efficiency. A 
large number of connections can cause security vulnerabilities. 
The Hub allows for 1 highly secured connection between highly 
protected databases of trusted State and Federal agencies, 
instead of hundreds of connections that would have been 
established as part of how normal business practices in present 
day in how Government connects organizations with each other to 
conduct business.
    A series of business agreements enforce privacy controls 
between CMS and our Federal and State partners. Additionally, 
CMS designed the marketplace systems to limit the amount of 
personal data stored, and protects personal information and 
limits access through passwords, encryption technologies, zoned 
architecture with firewall separation in between the zones, and 
various other security controls to monitor log-in and to 
prevent unauthorized access to our systems.
    CMS also protects the Federal Marketplace through intensive 
and stringent security testing. While the Federal Marketplace 
has had some performance issues that could have been addressed 
through more comprehensive functionality and performance 
testing, I want to be clear that we have conducted extensive 
security testing for the systems that went live on October 1. 
We continue to test for security on a daily and a weekly basis 
any new functions or code prior to its launch. Of course, we 
are working around the clock to fix our performance issues so 
that the vast majority of users have a smooth experience with 
the site by the end of the month.
    While I cannot go into specifics of our security testing 
due to the sensitive nature, I assure you that CMS conducts 
continuous antivirus and malware scans, as well as monitors 
data flow and protections against threats by denying access to 
known source-bad IP addresses and actors. Additionally, we 
conduct two separate types of penetration testing on a weekly 
basis. The most recent penetration testing showed no 
significant findings. Also on a weekly basis, CMS reviews the 
operating system infrastructure and the application software to 
be sure that these systems are compliant and do not have 
vulnerabilities. Vulnerabilities are often fixed immediately 
on-site, and retested to ensure the strength of our system's 
security. Each month, we review our plan of action and 
milestones in order to continuously improve our system's 
security.
    For the Federally Facilitated Marketplace, we conduct 
security control assessments on a quarterly basis, which is 
beyond the FISMA requirements. As of today, no vulnerabilities 
identified by our tests have been exploited through an attack. 
Because of CMS's experience running trusted secure programs, 
our fulfillment of Federal security standards and constant and 
routine security monitoring and testing, the American people 
can be confident in the privacy and security of the 
marketplace.
    Thank you, and I would be happy to answer your questions.
    [The prepared statement of Mr. Chao follows:]
    
    Mr. Murphy. Thank you, Mr. Chao. I will recognize myself 
first for 5 minutes.
    Mr. Chao, for the last year, members of this committee have 
asked you and others in the administration about the status of 
the launch of the President's healthcare law. We wanted to know 
if you would be ready for the October 1 start of enrollment. 
Over and over, we were assured that all was well and everything 
was on track.
    The documents produced to the committee show a different 
picture, and I would like to walk through a couple of them with 
you.
    In mid-March, you made a candid comment that you didn't 
want the Exchange Web site to be a Third World experience. Now 
the committee has learned about a report prepared by committee 
for senior HHS and White House officials, and presented to 
these officials in late March and early April this year. That 
document is tab 1 of your document binder. This document 
highlights a number of risks facing Healthcare.gov's launch, 
late policy, delayed designs, and building time and limited to 
a test.
    When did you first see this presentation?
    Mr. Chao. I haven't seen that presentation.
    Mr. Murphy. You were not briefed at all that there was a 
McKinsey report presentation going on?
    Mr. Chao. I knew that McKinsey had been brought in to 
conduct some interviews and assessments and report to our 
administrator, in which I actually participated in some of 
those----
    Mr. Murphy. You participated in the interviews when 
McKinsey was exploring this?
    Mr. Chao. Right, but I was not given the final report.
    Mr. Murphy. Were you aware that they had met with Secretary 
Sebelius, Marilyn Tavenner, Gary Cohen and others at CMS 
Headquarters, HHS Headquarters, the Executive Office Building 
and the White House?
    Mr. Chao. We----
    Mr. Murphy. Any of those incidences?
    Mr. Chao. I believe there were some meetings that I heard 
of, but I don't know the exact dates when they occurred.
    Mr. Murphy. Now, part of your job is to make sure that this 
Web site is working, am I correct?
    Mr. Chao. Correct.
    Mr. Murphy. And so this was a major report that went as 
high up as the Secretary, maybe others, we don't know, but 
saying that there were serious problems with this. And you are 
saying that, even though you were interviewed by this, you did 
not ever have this briefing yourself?
    Mr. Chao. No, I didn't.
    Mr. Murphy. You knew it existed?
    Mr. Chao. I had heard that there was a final report out, 
but I didn't see the actual report.
    Mr. Murphy. Did anything change for you in recognizing that 
this report was out there, basically telling people working on 
the HHS Web site that there were serious problems, no end-to-
end testing, that other various aspects of it?
    Mr. Chao. I can't really tell you or speak to you of the 
contents of that report because I did not see it, and I didn't 
hear about it until actually it was in The Washington Post.
    Mr. Murphy. I mean certainly, this is part of the concerns 
we have, and we are not making this stuff up. It is a matter 
that we have a Web site out there which untold millions, tens 
of millions or hundreds of millions are spent on this Web site, 
which you have major leadership role here. McKinsey is hired to 
come and present what the problems are, and lay out a roadmap 
of those problems. I am deeply concerned that this is something 
that you knew existed but had not read.
    So when were you first concerned that the administration 
wasn't going to be ready October 1 for the start of the open 
enrollment?
    Mr. Chao. I never thought that. I had relative----
    Mr. Murphy. But you made a comment about you didn't want 
this to be a plane crash.
    Mr. Chao. Well, you are referring to the email----
    Mr. Murphy. Yes.
    Mr. Chao [continuing]. Exchange that I had with several----
    Mr. Murphy. Yes, certainly that email didn't say everything 
is going fine, congratulations team.
    Mr. Chao. Of course--I----
    Mr. Murphy. It said I don't want this to be a--so you must 
have had some awareness that some problems existed.
    Mr. Chao. Chairman, you have to understand, and the 
committee, that I have been working on this since mid-2010----
    Mr. Murphy. And we appreciate that.
    Mr. Chao [continuing]. And I have--I am a very cautious 
and--you know, I err on the side of caution and urgency 
because, even back in 2010, I didn't believe that, you know, 
everything would be easy and just, you know, going along 
smoothly. So on a regular basis, I work with a lot of my 
contractors and my staff to sensitize them on the sense and 
level of urgency that is involved.
    Mr. Murphy. Absolutely. Especially with McKinsey was called 
in to prepare this document which was important enough for them 
to have meetings at CMS, HHS, with the Secretary of Health and 
Human Services, at the Executive Office Building and at the 
White House, describing the level of problems. So I appreciate 
your sensitivity and awareness to that. I am concerned you 
saying you have not even read this yet.
    Your testimony mentions the use of sensors and active event 
monitoring. You state that if an event occurs, an instant 
response capability is activated. Has that happened yet?
    Mr. Chao. Yes.
    Mr. Murphy. How many times?
    Mr. Chao. You mean whether if we are conducting----
    Mr. Murphy. No, an instant response----
    Mr. Chao [continuing]. An instant response----
    Mr. Murphy [continuing]. Capability. Well, first of all, 
has anything happened yet, any hackers, any breaches, anyone 
trying to get into the system from the outside, has that 
occurred yet?
    Mr. Chao. I think that there was 1 incident that I am aware 
of, but it requires that we go to a classified facility and to 
actually----
    Mr. Murphy. Only once since the--where--but you are saying 
no other attempts to breach into this system have occurred?
    Mr. Chao. Not successful ones, no.
    Mr. Murphy. Not since when?
    Mr. Chao. Not successful ones.
    Mr. Murphy. All right. Now, when there are attempts, who do 
you report this to?
    Mr. Chao. It is a combination of a series of authorities 
that are involved.
    Mr. Murphy. Law enforcement?
    Mr. Chao. Well, through our incident reporting and breach 
reporting processes that go through our agencies, various key 
leadership and then up through the department, as well as we 
have a Security Incident Response Center at the department that 
works with US-CERT at DHS.
    Mr. Murphy. Thank you. We will follow up subsequently.
    I know I am out of time, so we will now recognize Ms. 
DeGette for 5 minutes.
    Ms. DeGette. Thank you very much, Mr. Chairman.
    First of all, Mr. Chao, and also to the contractors, 
something you said in your opening I think we should really 
take heed, which is you want to be careful not to divulge 
sensitive information about the security designs of the Web 
site. Is that right?
    Mr. Chao. That is correct.
    Ms. DeGette. So I would say to you and to the contractors, 
and I think the majority would agree with me, if there is a 
question asked about that sensitive information, if you would 
just let us know and then we can take it into executive 
session, or whatever we need to do.
    Mr. Murphy. Absolutely.
    Mr. Chao. Certainly.
    Ms. DeGette. Thank you, Mr. Chairman.
    Now, Mr. Chao, the chairman was asking you about this memo 
that you had--or it is an email, and it was on Tuesday, July 
16. If you can take a look at tab 7 in your document binder, 
please. That is a copy of your memo, and it looks to me in 
reading it that you were basically telling people that you 
wanted to make sure this Web site got up and going. Is that 
right?
    Mr. Chao. Yes.
    Ms. DeGette. And that was your view, right?
    Mr. Chao. Yes.
    Ms. DeGette. Did you take further actions after July 16 to 
try to get the Web site up and going?
    Mr. Chao. It was a constant daily effort.
    Ms. DeGette. And it still is, isn't it?
    Mr. Chao. To improve it, certainly.
    Ms. DeGette. Yes. OK, I would like you now to take a look 
at tab 1 of your document binder. Now, Mr. Chao, this is the 
document that was given to The Washington Post yesterday by the 
majority, and also simultaneously to the Democrats on the 
committee. This is the document the chairman was asking you 
about in his opening statement. Have you ever seen this 
document before?
    Mr. Chao. No, I haven't.
    Ms. DeGette. OK, so you don't really know about whatever it 
might have said in that document, right?
    Mr. Chao. No, I----
    Ms. DeGette. OK, thanks.
    Mr. Chao. I believe it is an executive level briefing for----
    Ms. DeGette. Right, but you weren't--you didn't--you 
weren't part of that briefing?
    Mr. Chao. No.
    Ms. DeGette. OK. That doesn't mean though that you weren't 
concerned about the Web site working and trying to make it 
work.
    Mr. Chao. Well, of course. I think in some of the 
interviews with McKinsey, you know, I think some of what is in 
here could have potentially come from information that----
    Ms. DeGette. But you wouldn't know that because you didn't 
see it.
    Mr. Chao. No, I----
    Ms. DeGette. OK.
    Mr. Chao [continuing]. Don't see how it was formed.
    Ms. DeGette. I want to talk to you about the topic of this 
hearing now for a few minutes, and that is the issue of 
security. And I think I heard you say both in your opening and 
in response to questioning by the chairman, I just wanted to 
ask again. Have there been vulnerabilities that have been 
discovered since the Web site unveiled on October 1?
    Mr. Chao. Security vulnerabilities----
    Ms. DeGette. Yes.
    Mr. Chao [continuing]. Have not necessarily been reported 
in terms of it being a security threat. I think there was some 
misuse of terminology of something like 16 incidents reported 
that--in a previous DHS testimony a couple of days ago, but 
they were actually incidents involving disclosure of PII 
information, and it wasn't due to the result of anyone trying 
to attack the Web site.
    Ms. DeGette. What was it a result of?
    Mr. Chao. It was dealing with some training issues at the 
call center, or we had a system issue where if you had similar 
usernames and you chose a special character at the end of that 
username, for example, if your name is Smith and you chose an @ 
sign at the end of the username, sometimes that @ sign was 
treated like a--what we call a wildcard search, so the return 
log-in information about someone else, but that since--since 
was reported, has been fixed as of today.
    Ms. DeGette. That problem has been fixed so that is----
    Mr. Chao. Yes.
    Ms. DeGette [continuing]. Not happening anymore?
    Mr. Chao. It is not a hacker----
    Ms. DeGette. Now, you have been at the Agency how long, 
sir?
    Mr. Chao. Approximately 20 years.
    Ms. DeGette. And in working on the other sensitive areas, 
Medicare and other areas, is this common that sometimes there 
might be a little bump like this?
    Mr. Chao. Fairly common.
    Ms. DeGette. Uh-huh, and what does the Agency do when that 
is identified?
    Mr. Chao. We have an extensive set of processes and 
controls in place with designated personnel to handle whether 
they are----
    Ms. DeGette. And----
    Mr. Chao [continuing]. For example, security breaches 
versus the personally identifiable information-type incidents, 
data loss.
    Ms. DeGette. And there is continuing testing, is that 
right?
    Mr. Chao. Correct.
    Ms. DeGette. Now, MITRE has been performing assessments for 
CMS, is that correct?
    Mr. Chao. Correct.
    Ms. DeGette. And what that does is it gives the contractors 
the opportunity to identify and resolve security 
vulnerabilities, is that correct?
    Mr. Chao. I think what is--the benefit is that we use a set 
of contractors to independently test the system so that we are 
not taking the words of, let us say, for example, QSSI or CGI 
themselves performing security testing. So this independent 
testing provides us a more, you know, balanced view of----
    Ms. DeGette. And is this ongoing, this----
    Mr. Chao. Yes.
    Ms. DeGette [continuing]. This independent testing?
    Mr. Chao. It is on a daily and weekly basis.
    Ms. DeGette. Thank you very much, Mr. Chairman.
    Mr. Murphy. The Chair now recognizes Mr. Barton for 5 
minutes.
    Mr. Barton. Thank you, Mr. Chairman.
    In Mr. Dingell's opening statement, and to some extent what 
Ms. DeGette just said, I am reminded of the movie 
``Casablanca,'' and Claude Rains, the French chief of police, 
goes into Rick's Cafe and says, ``I am shutting it down, I am 
shutting it down.'' And Rick comes up, who is played by 
Humphrey Bogart, and says, ``Why are you shutting us down?'' 
And Claude Rains, the chief of police, says, ``I am shocked, 
shocked, to learn there is gambling going on,'' just as the 
croupier comes up and says to Claude Rains, ``Your winnings, 
sir.''
    It is interesting and amusing that the past master running 
this committee, Mr. Dingell, would be shocked, shocked and 
amazed that something was given to The Washington Post 
yesterday. Now, I am not saying that it was, I don't know, but 
if it did happen, it wouldn't be the first time in this 
committee's history that documents were given to the press at 
approximately the same time they were distributed to the 
members of the committee.
    Mr. Dingell. If the gentleman would yield, I didn't say I 
was shocked, I said I was grateful I had the subscription to 
The Washington Post so I could keep track of what----
    Mr. Barton. Well----
    Mr. Dingell [continuing]. Is going on in the committee----
    Mr. Barton. Well----
    Mr. Dingell [continuing]. Along with my Republican----
    Mr. Barton [continuing]. Reclaiming my time from my--which 
is my time, from my good friend. What shocks me is that Mr. 
Chao, our witness, who is the Deputy Chief Information Officer 
and Deputy Director of the Office of Information and Services 
for Medicare and Medicaid, who has been identified numerous 
times as the chief person in charge of preparing this Web site 
at the CMS level, was not aware of this document. I mean to me, 
that is what is shocking.
    So my first question to you, sir, is when were you made 
aware of this McKinsey briefing document?
    Mr. Chao. I think I was aware that some document was being 
prepared, because I had gone through the interviews, but 
towards the end when the briefings occurred, I was not part of 
them, nor was I given a copy.
    Mr. Barton. I mean, were you aware that McKinsey had been 
hired to come in and basically troubleshoot the status of the 
Web site?
    Mr. Chao. I don't think they were brought in to 
troubleshoot, I think they were brought in to make an 
assessment by conducting various interviews with key----
    Mr. Barton. Did----
    Mr. Chao [continuing]. Stakeholders.
    Mr. Barton. Did this group ever talk to you?
    Mr. Chao. Yes.
    Mr. Barton. OK, so they did come in and at least visit with 
you?
    Mr. Chao. Yes, they have interviewed me before.
    Mr. Barton. Once, twice, a dozen?
    Mr. Chao. Probably at least two times from what I recall.
    Mr. Barton. OK. Now, since you have been made aware of the 
document----
    Mr. Chao. Well, I----
    Mr. Barton [continuing]. Have you studied it?
    Mr. Chao. No, I was not made aware of the document. I was 
interviewed by the team that put that together. When the 
document was assembled, I didn't get a copy of it.
    Mr. Barton. OK. Well, as Mr. Dingell has pointed out, it is 
in The Washington Post. So have you--before coming before this 
subcommittee this morning, have you perused this document?
    Mr. Chao. No, I have not.
    Mr. Barton. You have not perused this document, OK. Well, 
on page 1 of the document, it says the working group, whoever 
that is, maybe you can enlighten us on that, determined that 
extending the go-live date, which, as we all know, is October 
the 1st, should not be a part of the analysis and, therefore, 
worked with a boundary condition of October the 1st as the 
launch date. Now, in plain English, what that means is somebody 
decided we couldn't delay the startup date so, by golly, we are 
going to assume it is going to go live on October the 1st.
    Were you a part of the working group that made that 
decision?
    Mr. Chao. No.
    Mr. Barton. Do you know who the working group was that made 
that decision?
    Mr. Chao. No.
    Mr. Barton. Do you have any idea, was it the President and 
the Secretary of Health and Human Services, or was it somebody 
below your level that made a decision somewhere in the bowels 
of the bureaucracy?
    Mr. Chao. I think that it probably was a conglomerate of 
several----
    Mr. Barton. A conglomerate?
    Mr. Chao [continuing]. Key leadership that came to that 
conclusion.
    Mr. Barton. OK. Did you----
    Mr. Chao. I was----
    Mr. Barton. Did you have any decision-making authority 
yourself about when the start-up date should be?
    Mr. Chao. No.
    Mr. Barton. That was not in your authority to say we are 
going to have to put it off or make a decision to go forward?
    Mr. Chao. No, I do not get to pick what date.
    Mr. Barton. Do you know who did have that decision-making 
authority?
    Mr. Chao. I believe it is our administrator, Marilyn 
Tavenner, and potentially other folks, but primarily I take my 
direction from Marilyn Tavenner.
    Mr. Barton. All right. Well, Mr. Chairman, my time has 
expired, but I will just say in summing up, we are concerned at 
multiple levels, but if you review this CMS document, which I 
did not see until just now, this morning, it doesn't take but 
about 10 minutes to go through and look at it, and it is 
absolutely clear that the startup of the Web site was not going 
to work well, if at all, on October the 1st. It was not. And it 
says that in here.
    So with that, I yield back.
    Mr. Murphy. Thank you. Gentleman's time has expired.
    The Chair now recognizes Mr. Dingell for 5 minutes.
    Mr. Dingell. Chairman, I thank you for the recognition and 
thank you for holding this hearing.
    We are over 6 weeks into the implementation of the 
Affordable Care Act, and while the functionality of the 
Healthcare.gov Web site has improved, it is clear there is more 
work to be done, and I am hopeful that the subcommittee will 
work hard to achieve that goal.
    ACA is the law of the land, and I believe we share the goal 
of making it a functioning and secure Web site, however, it is 
important to remember that we can never fully eliminate the 
risks when building a large IT system, and so we must take 
steps to mitigate them. I would also urge that we take the 
necessary steps to make the program work, because this is the 
largest undertaking of this character I believe that we have 
ever seen by a Government anywhere.
    First question, yes or no. Is CMS responsible for 
developing the Data Services Hub and the eligibility enrollment 
tools for the Federally Facilitated Marketplace? Yes or no, Mr. 
Chao?
    Mr. Chao. Yes.
    Mr. Dingell. Now, Mr. Chao, are these projects required to 
comply with the Privacy Act of 1974, the Computer Security Act 
of 1987, the Federal Information Security Management Act of 
2002? Yes or no?
    Mr. Chao. Yes.
    Mr. Dingell. Now, additionally, CMS must also comply with 
regulations and standards promulgated by the National Institute 
of Standards and Technology at the U.S. Department of Commerce. 
Is that correct?
    Mr. Chao. Yes.
    Mr. Dingell. Now, these NIST standards require CMS to 
balance security considerations with operational requirements. 
Is that correct?
    Mr. Chao. Yes.
    Mr. Dingell. Mr. Chao, one of the key pieces of the 
Healthcare.gov Web site is the Data Hub. Is this a large 
repository of personal information as some of my friends on the 
other side have claimed? Yes or no?
    Mr. Chao. No.
    Mr. Dingell. Say that again. No?
    Mr. Chao. No, it does not store any----
    Mr. Dingell. OK, I want----
    Mr. Chao [continuing]. Personal----
    Mr. Dingell. I want that on the record and clearly heard. 
Does the Data Hub retain any personal information at all? Yes 
or no?
    Mr. Chao. No.
    Mr. Dingell. Indeed, is it fair to say that the Data Hub is 
a tool to transmit eligibility information to Federal agencies? 
Yes or no?
    Mr. Chao. Yes.
    Mr. Dingell. Now, did the Data Hub pass a security test to 
the October 1 launch of Healthcare.gov? Yes or no?
    Mr. Chao. Yes.
    Mr. Dingell. All right, is the Data Hub working as intended 
today? Yes----
    Mr. Chao. Yes.
    Mr. Dingell [continuing]. Or no?
    Mr. Chao. Yes.
    Mr. Dingell. And is there any evidence to the contrary?
    Mr. Chao. No.
    Mr. Dingell. Is there any evidence of breaches or lack of 
security of personal data or information by any person who has 
submitted such data to this undertaking? Yes or no?
    Mr. Chao. No.
    Mr. Dingell. It is always true--our duty to remember how 
our healthcare system operated prior to the passage of the ACA. 
At that time, insurance companies were allowed to medically 
underwrite people to determine their premium. This required 
lengthy, confusing applications, and contained a lot of 
personal medical information. Oftentimes this was submitted 
electronically as well. ACA has changed all of this.
    Now, in fact, this is a question to you again, Mr. Chao. In 
fact, application forms on Healthcare.gov do not require the 
submission of any personal health information. Is that correct, 
yes or no?
    Mr. Chao. Yes.
    Mr. Dingell. Now, Mr. Chao, that is because ACA prohibits 
discrimination on the basis of pre-existing conditions, and 
outlaws charging people more because they are sick. Is that 
correct?
    Mr. Chao. Yes.
    Mr. Dingell. So the information is not necessary?
    Mr. Chao. It is not.
    Mr. Dingell. And it is not correct--and it is not 
collected?
    Mr. Chao. It is not collected.
    Mr. Dingell. All right, this is a remarkable improvement 
over the old system in terms of both security and the quality 
of care.
    Next question. There are a lot of negative stories in the 
press that create a lot of confusion, so I want to get this 
record straight.
    Is Healthcare.gov safe and secure for my constituents to 
use today with regard to protection of their personal 
information and their privacy? Yes or no?
    Mr. Chao. Yes.
    Mr. Dingell. Is there any evidence at all to the contrary?
    Mr. Chao. No.
    Mr. Dingell. Mr. Chairman, you have been most gracious. I 
yield you back 12 seconds.
    Mr. Murphy. Thank you.
    Now going to recognize Mrs. Blackburn for 5 minutes. Thank 
you.
    Mrs. Blackburn. Thank you, Mr. Chairman.
    Mr. Chao, we really appreciate that you would come and work 
with us on this issue. I want to talk with you for a minute 
about some red flags that seemed to be apparent to you, and you 
are going to find the email I am referencing at tab 7, and it 
is the July 16, 2013, email that you sent to Monique 
Outerbridge. And I really want to focus there. You know, when 
you have something that is running off the rails and--as this 
obviously seemed to you to be doing, it was a project that just 
was not proceeding as it should be proceeding, and you 
expressed these concerns about the performance of CGI, what I 
would like to hear from you is just an articulation of maybe 
what were those top 3 or 4 red flags that seemed to be going up 
to you, that you said I fear that the plane is going to crash 
on takeoff, and some of those wordings that we have heard from 
you now.
    So give me just kind of the top 3 or 4 things.
    Mr. Chao. I think in the context of this email, it was at a 
time period in which we were getting ready to roll out what we 
called Light Account, which is that initial registration 
process. And as I mentioned before, I am a person who has a lot 
of anxiety and I always err on the side of caution if we are 
going to run out of time, so I occasionally get a little 
passionate in my emails to remind people that they need to move 
fast, and if they are moving fast, they need to move faster. 
That is just the way I operate and the way I direct staff and 
contractors. And what I was afraid of was, at this particular 
point in time, was that we were falling behind in the rollout 
of Light Account.
    Mrs. Blackburn. OK, on Light Account, did your test on that 
go off without a hitch, or what happened?
    Mr. Chao. There--I don't exactly remember the specifics 
about what tests passed or failed, I just was afraid that we 
were in jeopardy of missing the date. So, therefore, you know, 
I--at that time period, starting July, I wrote lots of emails 
to try to----
    Mrs. Blackburn. OK, did you hit the date?
    Mr. Chao. I believe we--it took an extra 4 days.
    Mrs. Blackburn. An extra 4 days?
    Mr. Chao. Yes.
    Mrs. Blackburn. On the test. And you don't remember exactly 
what the concerns were that came to you at that point in time. 
Is there a memo of review, a memo, an articulation of what----
    Mr. Chao. I----
    Mrs. Blackburn [continuing]. Transpired in that test 
process?
    Mr. Chao. I don't think it is necessarily a memo. I think 
the way we operate is that we have daily meetings and----
    Mrs. Blackburn. Are there minutes from those meetings----
    Mr. Chao [continuing]. We----
    Mrs. Blackburn [continuing]. And could you submit those to 
us for the record?
    Mr. Chao. I don't believe that there were minutes. I 
believe they were just status check-ins with, you know, 
contractors and their----
    Mrs. Blackburn. Are there notes?
    Mr. Chao. No, I don't----
    Mrs. Blackburn. Informal notes?
    Mr. Chao. I don't believe so. I think when my emails were----
    Mrs. Blackburn. OK.
    Mr. Chao [continuing]. Submitted as evidence----
    Mrs. Blackburn. OK.
    Mr. Chao [continuing]. That is kind of a----
    Mrs. Blackburn. All right, let me go on a minute. I want to 
talk specifically about CGI. What about, you know, if you all 
kind of informally worked in a group, and didn't have formal 
meetings or minutes and memos and things of that nature, just 
give me your impression, what was it--your perception that 
caused you to lose confidence in CGI, where were you on that, 
because I think it is so interesting, you mentioned price and I 
note in this email chain from Monique Outerbridge that they had 
$40 million already that they had taken, they were coming back 
and asking for another $38 million. Now, if I had someone who 
had used up all of their money from a project, and then they 
came back and asked for that much more, I think I would have to 
say, wait a minute. So regardless, obviously, the price to you 
was of tremendous concern. Am I right on that?
    Mr. Chao. Correct.
    Mrs. Blackburn. OK, so they had already kind of washed your 
confidence there. What else was it in their conduct that eroded 
your confidence in their ability to transact this portion of 
business?
    Mr. Chao. I think what I was trying to say is that, 
relatively speaking to, I would say, most project managers that 
are looking at smaller-scale projects, I would say there might 
be some room to be----
    Mrs. Blackburn. OK----
    Mr. Chao [continuing]. A little more confident, but given 
the task at hand, my confidence level had to deal with the 
enormous amount of activities we had to be successful at to 
deliver, you know, on Light Account, that interim, you know, 
kind of piece, as well as the October 1 delivery.
    Mrs. Blackburn. I yield back.
    Mr. Murphy. Yes, I am just curious, to follow-up to that. 
Did you ever present these concerns that you had about being 
ready--whether or not it would be ready on October 1, when you 
were interviewed by McKinsey people?
    Mr. Chao. Well, this was in the July time frame. I think 
McKinsey was--their interviews were in maybe a March or April 
time frame.
    Mr. Murphy. I just wondered if you presented any concerns 
to them about being able to meet these dates when you spoke 
with them?
    Mr. Chao. I think as a course of conducting project 
management, program management, that working with CGI and QSSI 
and my team, we discussed these concerns on an ongoing basis. 
In----
    Mr. Murphy. Just one note. I will follow up----
    Mr. Chao. OK.
    Mr. Murphy. We will make sure someone follows up.
    Now I will recognize Mr. Waxman for 5 minutes.
    Mr. Waxman. And thank you, Mr. Chairman.
    Nobody is happy with this rollout of Healthcare.gov, and 
the administration has taken its lumps, but aside from lessons 
learned, it seems to me that my focus ought to be and my 
concern is getting this thing working. Americans want to be 
able to access the Web site and choose a healthcare plan, 
especially those who haven't been able to get an opportunity to 
buy health insurance in the past. That is why it seems to me, 
if we need legislative changes, we should make changes to make 
it work, not to repeal it. You know, the Republicans are so 
fixated on hating this law and they want to repeal it. They 
don't even want to consider helping make it work, and that is 
the focus that I want to use in asking you some questions, Mr. 
Chao. How do we make this work better?
    Now, is it accurate to say that CMS is getting the Web site 
up and running?
    Mr. Chao. Yes.
    Mr. Waxman. OK, and is it accurate that CMS has crossed--
Center for Medicare and Medicaid Services, that is the 
department--part of HHS that is working on it, they have 
crossed 200 items off its punch list?
    Mr. Chao. Correct.
    Mr. Waxman. And can you give me a few examples of important 
issues that have recently been addressed?
    Mr. Chao. Issues related to the enrollment transactions 
that had some data issues--data quality issues that were fixed, 
and now issuers can receive that data without doing a lot of 
cleaning up of that data. So----
    Mr. Waxman. Um-hum.
    Mr. Chao [continuing]. Data quality has improved. The daily 
transactions that we send to them have improved.
    Mr. Waxman. Um-hum.
    Mr. Chao. The response times for the Web site have 
improved. The error rate of people experiencing some level of 
difficulty with moving from stage to stage in their online 
application, that has been reduced and improved.
    Mr. Waxman. Well, in fact, Jeff Zients, the 
administration's point person on this whole Web site, announced 
on Friday that you have dropped your error rate from 6 percent 
to below 1 percent, and you have cut the average wait time for 
page loading from 8 seconds to less than 1 second. What do 
these improvements look like to the average consumer going on 
the site?
    Mr. Chao. I think they become transparent to the user. The 
user then can get at the task at hand of filling out their 
information, of finding out if they are asking for a premium 
tax credit, that they are calculated timely, and they are 
proceeding ahead in the application so that they can apply 
some, all or none of that premium tax credit to their plan 
compare so that they can look at the offsets that occur, and 
what the final premium should be, to make their selection and 
to go through the process in a very efficient and speedy 
fashion, as compared to what they experienced on day 1.
    Mr. Waxman. How about the overall stability of the site? It 
was down frequently in the early weeks. Has that improved?
    Mr. Chao. Yes, certainly. I think we do have regular 
maintenance windows, but those maintenance windows are used to 
implement these improvements that you have been hearing about.
    Mr. Waxman. So numbers seem to be getting better, and I 
expect we will see more improvements. The anecdotal evidence I 
get is that the site is getting better, slowly but surely, and 
that explains why the enrollment rate in November is speeding 
up significantly. In fact, I do have more than anecdotes, I 
have some figures. In Massachusetts, where they started a 
similar program, it started off slowly, only 3/10 of a 
percent of overall enrollees for private coverage signed up in 
the first month, and then thus far, in the Affordable Care Act, 
1.5 percent. So both started slowly. We are even ahead of what 
Massachusetts was. But after that, there was a surge in 
enrollment as people got closer to deadlines.
    The LA Times reported that ``a number of States that use 
their own systems are on track to hit enrollment targets for 
2014 because of a sharp increase in November.'' California, 
which enrolled 31,000 people in private plans last month, 
nearly doubled that in the first 2 weeks of this month, and 
several other States are outpacing their enrollment estimates. 
In Minnesota, enrollment in the second half of October was 
triple the rate of the first half. So we see an acceleration, 
even in the Federal Marketplace. The New York Times reported 
that the Federal Marketplace has nearly doubled its private 
plan enrollment in just the first 2 weeks of November.
    We are not where we need to be, but we are seeing 
improvements, and this increased pace of people going back on 
the site successfully is, to me, very encouraging. So rather 
than just attack the healthcare law or look for ways to 
undermine it, we ought to try to make it work, and we are 
anxious to make sure that you do your job of getting the Web 
site and all of that working, and if we need any legislative 
change, call on us because we are ready, willing and able to 
act in that regard.
    Yield back my time.
    Mr. Murphy. The gentleman's time has expired.
    I now recognize for 5 minutes the gentleman from Texas, Dr. 
Burgess.
    Mr. Burgess. And thank you, Mr. Chairman. Thank you again, 
Mr. Chao, for being here.
    In response to one of Dr. Murphy's questions about a breach 
of the system, you responded that you could not talk about it 
in open session, that it would require a classified briefing. 
Is that correct? Did I hear you correctly?
    Mr. Chao. Correct. That was--that is how I was instructed 
by our department.
    Mr. Burgess. Very well. I would like to go on the record as 
asking that that classified briefing with staff--bipartisan 
staff occur. Can I get your commitment on trying to make that 
happen?
    Mr. Chao. Yes, sir.
    Mr. Burgess. Thank you. So the much-talked-about Red Team 
discussion document from The Washington Post this morning, 
which, of course, you have not seen, and I appreciate that, but 
you were interviewed, in response to Mr. Barton's questions, 
you were interviewed by the McKinsey team who were developing 
this?
    Mr. Chao. Yes.
    Mr. Burgess. Do you remember when?
    Mr. Chao. Approximately an April time frame.
    Mr. Burgess. During the time frame that this was being 
developed. Do you recall what you talked about?
    Mr. Chao. I think primarily what I was intimating to the 
McKinsey team was a schedule challenge, because during April, 
we had just started QHP submission, and working with issuers. 
They were very nervous that----
    Mr. Burgess. Excuse me, what is QHP?
    Mr. Chao. Qualified health plans.
    Mr. Burgess. OK.
    Mr. Chao. I apologize. And in--during that month, it was a 
rapid, you know, process to collect all the qualified health 
plan data that you see in plan compare on Healthcare.gov now, 
as well as in the State-based marketplaces, and I was remarking 
on how that is unprecedented to only give issuers, you know, 
that short amount of time to submit their data, and that we 
needed to make adjustments in the windows potentially so that 
they could come back in and make corrections. You know, that is 
an example of what I talked about in terms of the schedule 
challenges that we were trying to undertake something large-
scale, fairly complex compared to what is happening in the 
insurance landscape today, and that this was new and we were 
working on a short time frame.
    Mr. Burgess. And I will stipulate that those are legitimate 
concerns. And so on page 1 of this Red Team document, at the 
bottom of the page, highlighted, the working group determined 
that extending the go-live date should not be part of the 
analysis, and, therefore, work with a boundary condition of 
October 1 as the launch date. In other words, it didn't matter 
what the conditions on the ground were, come hell or high 
water, October 1 we have got to go live. And were you given 
that impression by anyone on your team as you worked through 
this?
    Mr. Chao. Not necessarily characterized that way, but as I 
mentioned----
    Mr. Burgess. Well, let me interrupt you again, my time is 
limited. Who would have made a decision like that, that it 
doesn't matter--I mean it is like the old saying, it doesn't 
matter what--don't check the weather, we are flying anyway. Who 
would make a decision like that?
    Mr. Chao. I think the decision ultimately is made, you 
know, by Marilyn Tavenner and, you know, a team of folks, I 
suppose, that she works with. But as the administrator, she 
sets the deadlines for my work, and----
    Mr. Burgess. Now, some of the people that are referenced in 
the report given to the committee by McKinsey, that people that 
had discussions in the White House, the old Executive Office 
Building, people like Nancy-Ann DeParle, Jeanne Lambrew, do you 
know if they were involved in these decisions?
    Mr. Chao. I can't speak to that. I didn't hear anything 
about those discussions.
    Mr. Burgess. Have you been in meetings with Jeanne Lambrew 
and Nancy-Ann DeParle?
    Mr. Chao. Yes.
    Mr. Burgess. And what--could you characterize those 
meetings?
    Mr. Chao. The ones that I remember were dealing with 
coordination with IRS on their FTI, Federal Tax Information, 
requirements, security protections and the Privacy Act with 
SSA.
    Mr. Burgess. At any point during those meetings, did it 
come up with the concern that we may not be ready trying to 
integrate all of these moving parts by October 1?
    Mr. Chao. Not in that context, no.
    Mr. Burgess. In any context?
    Mr. Chao. You know, concerns about whether if agencies were 
working closely together, but not really in the context of 
October 1, no.
    Mr. Burgess. One of the other things that keeps coming up 
repeatedly in this report is that, number 1, there were 
evolving requirements, there wasn't a consistent endpoint, 
there were multiple definitions of success, and in spite of all 
of the concerns brought up by the report, it must launch at 
full volume. I mean it almost sounds like a recipe for 
disaster, doesn't it? You are changing the definition as it 
goes along, you are not allowed to change the date, and you 
have got to launch at full volume. That is a pretty tall order, 
isn't it?
    Mr. Chao. It is.
    Mr. Burgess. Well, let me ask you this. How does it make 
you feel to know that there was this kind of report out there, 
and that other people knew about it, people in the White House, 
people within the Agency, and you have been the primary point 
man out there and no one discussed it with you? How does that 
make you feel?
    Mr. Chao. I am actually not terribly hurt by it or 
surprised by it. I think the information contained within it is 
something that I live on a day-to-day basis to try to deliver a 
working system. I----
    Mr. Burgess. You are playing into everyone's worst fear 
about what it is like to be in the bureaucracy.
    Let me ask you this. One of the things brought up in this 
report is that there is not a single implementation leader----
    Mr. Murphy. Gentleman's time has expired.
    Mr. Burgess [continuing]. Do you feel during your time that 
there has been a single implementation leader that you could 
look to for advice and direction through this?
    Mr. Chao. I think I have looked to several because of how----
    Mr. Burgess. Name one.
    Mr. Chao. Marilyn Tavenner.
    Mr. Murphy. Gentleman's time has expired. We are going to 
need to follow up with that. So we will submit those questions 
for the record too.
    Now recognize the gentleman from Texas, Mr. Green, for 5 
minutes.
    Mr. Green. Thank you, Mr. Chairman. And like all of us, I 
have some concern, I have some questions in a minute about the 
Healthcare.gov, but I want to just say that, you know, it is 
frustrating for those of us on this side of the aisle who 
supported it, who actually worked a lot of times on the 
drafting of different versions of the Affordable Care Act, to 
see what happened on October 1 without the rollout. And to have 
it successful, that is the way we need to deal with it, because 
having been here through also the prescription drug plan for 
seniors, that is the way you can get to the numbers you really 
need. So hopefully that will happen. But the law is still 
there, and last Saturday in our district, at least in Houston, 
because in Texas, we are unfortunate, we have some of the 
highest percentage and numbers of uninsured folks in the 
country, and in our congressional district 42 percent of my 
constituents work and don't have insurance through their 
employer. So they would be qualified to go with the ACA. And we 
actually did it by paper. Now, I have to admit, I can't 
remember except--and I wasn't around when Medicare was rolled 
out. I guess that was the last time we rolled anything out by 
paper, but let me give you the results. We had 3 members of 
Congress, the Mayor of Houston, our Republican county judge, 
and the Secretary of Labor. We actually had 800 families show 
up on a Saturday morning and signed in, of course, with 
multiple attendees per family, nearly 300 people set up follow-
up appointments after a navigator. We had 88 of the certified 
navigators there. And we don't know how many applications were 
completed because the number is still being tallied by navigators 
and HHS and our regional office out of Dallas. So there are 
people out there who want to do it. And if we have to do it by 
paper, we will do it, but that is the frustration we have. We 
want this to work because there are millions of people in our 
country who need this. Now, I know the majority in the House 
may not understand that, but I know in our district they do.
    But I don't know if you have a comment, but let me--and I 
can get to the Healthcare.gov.
    Mr. Chao. I think CMS takes to heart the matter, and I 
think everyone working on this is absolutely serious about 
improving this experience because we know that in districts 
like yours, there are quite a few number of people that need 
and want to enroll and use this benefit. So we are certainly 
working very hard to make that happen.
    Mr. Green. Well, with that success, believe me, we are 
going to do a lot of smaller ones in our district, and try and 
work with them and partner with media companies to maybe get 
the message out.
    I have a few questions about Healthcare.gov and the 
important goal I think we both share, and sharing is part of 
the success in implementation of the Affordable Care Act, 
people can have access to care they need and when they need it. 
Part of this goal requires that Federal and State exchanges 
secure the American people can trust their information and 
privacy won't be compromised. How is the Data Hub used to 
determine eligibility and enroll applicants and process appeals 
different from the data systems used by other Federal agencies, 
such as Social Security or the IRS?
    Mr. Chao. How is the Data Hub different?
    Mr. Green. Than the other agencies who obviously have up 
and running ways where Social Security and even IRS you can 
file?
    Mr. Chao. Well, I think what makes it different is that, 
for example, SSA is the eligibility agency for Medicare. So 
every night, SSA's field offices load data about accretions and 
deletions into the Medicare Program, and we receive a very 
large file from them every night that we process for 2 to 3 
hours to update all of our systems, so that providers can see 
new Medicare beneficiaries accreting into the system. That is 
lots of data moving between 2 organizations, and it is stored 
and it is time-intensive. The Data Services Hub goes out and, 
for a requestor of that data, a valid requestor, it reads the 
data where the source is, transfers it back to the requestor in 
a secure fashion, does not remember the contents of that data, 
and facilitates that without moving massive, you know, millions 
of records of data all at once, all the time, every day. It 
only transfers enough data to get the job done.
    Mr. Green. Were you at the HHS when we have gone through 
two Medicare enrolling by internet? I mean when we shifted from 
having to go into a Social Security office to file the 
paperwork, you can do it online now.
    Mr. Chao. Yes. Yes.
    Mr. Green. And I assume there were some glitches when that 
first started.
    Mr. Chao. Yes.
    Mr. Green. And, of course, we didn't have a deadline and a 
rollout and things like that. It was built in over the time so 
you had time to problem solve. And----
    Mr. Chao. Right.
    Mr. Green [continuing]. Our problem is we don't have that 
time to problem solve here in later November, and----
    Mr. Chao. I still remember in the mid-'90s, SSA put up the 
electronic benefits statement, and after a few months, they had 
to take it down and it didn't come back up until years later----
    Mr. Green. Well----
    Mr. Chao [continuing]. Until they perfected it.
    Mr. Green. OK, thank you, Mr. Chairman.
    Mr. Murphy. Gentleman yields back.
    Now recognize the gentleman from Louisiana, Mr. Scalise, 
for 5 minutes.
    Mr. Scalise. Thank you, Mr. Chairman. I appreciate you 
having this hearing, and, Mr. Chao, appreciate you coming to 
testify before the committee.
    We have had a number of hearings like this over the last 
few months, trying to find out first how the rollout was going 
to work, and of course, we have gotten testimony time and time 
again from the administration that the rollout was going to be 
fine. And then I think what is most frustrating is that when 
this report came out, this McKinsey report, that really 
chronicles the problems that were happening months ago, back in 
March and April, at the same time that administration officials 
were telling us that everything was going to be fine, and to 
that--and telling American families that everything was going 
to be fine when October 1 hit. I guess there are many things 
about this that trouble me, but first, you know, when I look at 
this, you say you hadn't seen this report, and I have read 
through a number of these items that McKinsey pointed out in 
the report that they were telling them to somebody in CMS, 
around you, over you, under you, somewhere, but these are 
things that should have been just basic testing requirements. 
I, you know, I used to write software. I actually wrote test 
plans for software rollouts, and, you know, in fact, many of 
these are just basic commonsense things you do. I mean we--if 
we made one line of code change, we literally would test that 
over and over in multiple ways, let alone major changes.
    What this report talks about is chaos at CMS. Nobody is in 
charge. They talk about the fact that you had multiple people 
that were making multiple changes to--and major design changes 
to the system just weeks prior to testing, I mean--prior to the 
rollout without testing it. I mean did you have a test plan, 
whether or not you read this report, these are things that you 
should have been doing anyway. I mean were you all making 
changes, big changes all the way through, and were you testing 
any of those changes, or just saying, well, you know, they told 
us October 1, roll it out no matter what.
    Mr. Chao. You have asked a lot of questions in there.
    Mr. Scalise. Yes.
    Mr. Chao. So let me try to recall how to address them. I 
think that certainly, yes, if you have this experience in 
software development, you need to have solid requirements 
before you can actually have good test cases in which to 
actually run tests. I think it is a dynamically changing 
environment of which, if we had more time and that time would 
have been devoted to solidifying requirements that are 
translated from policy----
    Mr. Scalise. You had 3 years. I mean there were 3 years. 
This is not something that just kind of got plopped on your 
desk. I mean the law passed and was signed into law in 2010. 
There was a lot of time to prepare for it. The requirements--
the major requirements were changing weeks before, some of them 
for political reasons by the Obama administration. So you can't 
just say, well, you know, we just didn't have enough time. I 
mean somebody in CMS, and if it wasn't you, it was--maybe it 
was Ms. Tavenner or who knows who it was, but somebody was 
making all these changes and saying, gee whiz, I mean, you 
know, we--let us make big changes and don't test it because we 
just want to roll this thing out no matter what.
    Mr. Chao. Well, having written software or written test 
cases, you know that the requirements come from the business 
side or the policy side. And they are subject to change based 
upon how your customer or your business----
    Mr. Scalise. The law didn't change.
    Mr. Chao. I----
    Mr. Scalise. The law was passed, and for 3 years that law 
didn't change. The law was there. You knew what those 
requirements were. Now, if you make changes in the 
requirements, you also ought to make changes in your test plan.
    Mr. Chao. I think the law has a very high-level expression 
of requirements that, certainly, you can't develop code or test 
cases from. There needs to be a significant amount of 
translation into lower level details. And that is what I mean 
by a schedule, challenges that we have to receive those 
requirements and translate them into test cases, test data, to 
exercise the system as well as build the system too. So----
    Mr. Scalise. All right, well, look, they talk in this 
report that the contractor received absolutely conflicting 
direction between the various entities within CMS. Conflicting 
directions within CMS. That is not a requirement change. That 
is one person saying do this, and another person in the same 
agency saying do something different. And, by the way, none of 
that is being tested in the meantime. That is not evolving 
requirements, that is chaos within the Obama administration 
where they are literally changing things and multiple people 
are changing them and nobody is talking to anybody.
    Mr. Chao. Well, I can't speak to how they characterized it, 
but I think that in CMS, we have Medicaid and CHIP 
requirements, we have insurance exchange requirements, 
oversight requirements, medical loss ratio, rate review, early 
retiree reinsurance, pre-existing----
    Mr. Scalise. And I know you all have that. Look----
    Mr. Chao. There are lots of----
    Mr. Scalise [continuing]. You have got a job to----
    Mr. Chao [continuing]. All I am saying is----
    Mr. Scalise. The bottom line is, the bottom line is, you 
know, this report lays out the chaos that was going on, but all 
of this information was known within the White House. Reports 
were being briefed to people in the White House. And either 
President Obama didn't know about it, in which case people 
directly under him knew that this thing was going to be a 
disaster and just didn't tell him, or the President did know 
about it and went out misleading people anyway. But either way, 
if the President really didn't know about this, this report 
says the White House absolutely knew what was going on, and 
they didn't tell the President. He ought to be firing these 
people today. If somebody--if a CEO went out there and said I 
am rolling out this project, this would be just like buying a 
TV on Amazon, that is what the President said, and if somebody 
right underneath him knew that it wasn't going to be like that, 
and this report says absolutely they knew and they didn't tell 
the President, he ought to go and fire every single one of 
those people right now and hold them accountable, or maybe that 
just says that he did know about it. And we will see what the 
President says, but this report is damning.
    And I yield back the balance of my time.
    Mr. Murphy. Gentleman's time has expired.
    Just--can you just clarify an answer you gave to the 
gentleman here? I thought you said something like, with more 
time, you would have done more testing, or something along 
those lines. Are you saying you would have liked to have more 
time?
    Mr. Chao. No, I think that is what I mean by there is a 
schedule, challenges that you are trying to maximize the time 
that you have left, as you are trying to extract the 
requirements from the policy that is being finalized. The 
longer a policy takes to be finalized, the longer it takes to 
translate the----
    Mr. Murphy. Do you wish you would have had more time to 
test it?
    Mr. Chao. I think that is true of every project I have ever 
worked on.
    Mr. Murphy. Thank you.
    Now recognize Mr. Yarmuth for 5 minutes.
    Mr. Yarmuth. Thank you, Mr. Chairman. Thank you, Mr. Chao, 
for your testimony today.
    I just want to follow up a little bit on Mr. Scalise's line 
of questioning, the issue of whether or not you had 3 years to 
prepare for this. When was the deadline for States to decide 
when they're--they were joining the--doing their own Exchanges 
or were going to participate in the Federal Exchange?
    Mr. Chao. I think the time frame was the end of 2012.
    Mr. Yarmuth. End of 2012. So January 1, essentially, of 
this past year. And when was the deadline for States to decide 
whether they were going to enter into a partnership with the 
Federal Government?
    Mr. Chao. I believe it was the end of April of 2013.
    Mr. Yarmuth. So really, the department did--or CMS did not 
have 3 years to prepare, and there was probably no way to guess 
3 years ago that only 14 States and the District of Columbia 
were going to set up their own Exchanges. Wasn't the 
anticipation that far more States would do their own Exchanges?
    Mr. Chao. Yes, we were hoping so.
    Mr. Yarmuth. So it really wasn't until this year that CMS 
really understood the magnitude of the volume of work that the 
Web site was going to have to accommodate?
    Mr. Chao. Correct. It is----
    Mr. Yarmuth. Right.
    Mr. Chao [continuing]. Not such a clear binary decision. 
You do or you don't. There is still coordination that has to 
occur in----
    Mr. Yarmuth. Right. Thank you for that.
    Now, obviously, when we are talking about security, we are 
talking about two separate issues; one is the vulnerability of 
the system to some kind of outside attack. I don't know why 
anyone would really want to attack the Federal Exchange, but 
assuming that is an issue. The second one is, the average 
citizen is concerned about information that is there about 
them. And I think that is one thing we are most interested 
here. Mr. Dingell actually asked you directly about the fact 
that there really isn't very much information on the Web site 
that would be considered private in nature. And I guess the 
question I would ask is, are people who are working with the 
Exchange now subject to or vulnerable to more of a breach of 
their privacy than they were under the prior system when the 
insurance companies had pages and pages and pages of health 
information, including every doctor they had ever visited, 
every prescription they had ever taken, every medical procedure 
they had undergone and--over a certain period of time? Would 
you say that there was much more vulnerability under that 
system than there would be under the Federal Exchange?
    Mr. Chao. Much more so because so much more personal 
information, including health information, was involved in that 
process.
    Mr. Yarmuth. And I think during the course of questioning 
we have actually done a pretty good job of debunking the issue 
as to whether there really was a security problem here. There is 
no evidence that there has been, and I think there really 
hasn't been any evidence presented that would make us doubt 
that. So I am glad about that, and I think that should 
encourage Americans to participate more actively.
    And since--one other thing that has come up, and it 
involves the question of 80 percent, and it is something I want 
to clarify because the press reports have been that the 
administration has said as a metric that 80 percent will be 
able to get on the site and smoothly sign up--enroll for health 
coverage as of the end of this month. That doesn't mean that 
the remaining 20 percent won't be able to access affordable 
quality health insurance, does it?
    Mr. Chao. No. I can't speak to the exact percentages, but I 
think there is a recognition that some people, whether it be 
Healthcare.gov or any system, for example, if you walked into 
an SSA field office, how many people can actually get their 
business done in one visit, as compared to, you know, the 
greater majority of people? I think some people need extra 
help. They need assistance to navigate the process, and I think 
that that is probably what they were referring to.
    Mr. Yarmuth. Thank you very much for that.
    And I just want to do some shameless self-promotion for my 
State right now. As of last Friday, Kentucky, obviously 
operating its own Exchange, 48,000 Kentuckians are enrolled in 
new health insurance, 41 percent of them are under the age of 
35. Over 452,000 visitors have gone to the Web site, 380,000 
people have conducted preliminary screenings to find out if 
they are eligible for coverage. And I think most importantly 
maybe, over--almost 1,000 businesses have actually begun the 
process of signing up for new coverage for their employees, and 
over 300 have actually been enrolled and have been qualified 
now to offer coverage. So Kentucky is doing well, and I hope 
the Federal Exchange will do just as well.
    I yield back.
    Mr. Murphy. Gentleman yields back.
    Now recognize Mr. Harper for 5 minutes.
    Mr. Harper. Thank you, Mr. Chairman. And, Mr. Chao, thank 
you for your time here today.
    And you replied earlier on a follow-up question that the 
chairman had, I believe you said you would have liked to have 
had more time for the testing. Did you request more time from 
anyone?
    Mr. Chao. No.
    Mr. Harper. And can you tell me why you did not request 
more time?
    Mr. Chao. Because I was given a target of October 1 and 
various other delivery dates, of which I had to stay on schedule 
for.
    Mr. Harper. Did you believe it was ready for October 1?
    Mr. Chao. I believe we did everything we could to make sure 
that the right priorities were set so that we could deliver a 
system on October 1.
    Mr. Harper. And do you believe the system was delivered on 
October 1?
    Mr. Chao. It was.
    Mr. Harper. Do you believe----
    Mr. Chao. It wasn't performing as well as we liked, and 
certainly had more glitches than we anticipated, but we did 
deliver a system on October 1.
    Mr. Harper. Do you think glitches is the proper word to use 
to describe the rollout?
    Mr. Chao. I think there are problems. There are defects if 
you--you know, glitches is just a word that is commonly used 
right now.
    Mr. Harper. Well, glitches doesn't seem to convey how 
serious the failure of the rollout has been, and so here we 
are. And, of course, one of the big concerns that we have is 
what do you do about making sure that personally identifiable 
information for those who sign up is protected. And on the 
report that you have there, on page 11, if I could get you to 
take a look at that real quick. On the McKinsey report. At the 
bottom of page 11 it says--and, of course, at the top it says, 
options that could be implemented to help mitigate key risks. 
At the bottom it says, name a single implementation leader and 
implement associated Government process. Has there been a 
single implementation leader named?
    Mr. Chao. I don't think that is the way it has been 
characterized before by, I think, Marilyn Tavenner, our 
administrator, certainly has accepted accountability and she 
does run the agency and----
    Mr. Harper. Certainly, but that is not saying that she is 
supposed to be the single implementation leader there. Is that 
how you read that report?
    Mr. Chao. I--but again, I didn't see this until just this 
very minute, so I----
    Mr. Harper. All right, when--you know, I spent some time 
here while we were waiting on time to question here, I went to 
the Healthcare.gov site, and it took a little while to try to 
figure out how in the search to get to the information on how 
you protect yourself from fraud in the health insurance 
marketplace. And it takes a couple of steps to get to this 
information. So people probably more sophisticated than I am on 
this would need to be tracking this. But if you look at it on 
the site, it says how to report suspected fraud, and it said 
you can report suspected fraud in one of two ways, and it lists 
a breakdown of one way, which is to use the Federal Trade 
Commission's online complaint assistant. And I tried that a 
moment ago and it was not very successful. It says you can call 
your local police department, and then it says you can visit a 
site, the Federal Trade Commission, to learn more about 
identity theft. And the second choice is to call the Health 
Insurance Marketplace Call Center, and it gives that number. So 
if you were the victim of personally identifiable information 
being fraudulently released or obtained, who would you call 
first under that scenario?
    Mr. Chao. The listed call center number. The marketplace 
call center.
    Mr. Harper. And it----
    Mr. Chao. If you are in a Federally Facilitated 
Marketplace.
    Mr. Harper. OK, and it says, explain what happened and your 
information will be handled appropriately. How do you define 
handled appropriately? What is that? How do you get someone's 
identity back once it has been compromised or there has been an 
identity theft?
    Mr. Chao. Well, I think there needs to be some analysis and 
collection of information to make sure what type of situation 
occurred, and then make a decision going forward there.
    Mr. Harper. Well, obviously, this is a critical matter, so 
some determination made. What is the time frame? How quickly 
can someone's life be put back together if this were to happen?
    Mr. Chao. I think it is situationally dependent, and I 
really can't--I am not comfortable----
    Mr. Harper. Sure.
    Mr. Chao [continuing]. Giving you an answer right off----
    Mr. Harper. You had said earlier that steps were being 
taken to prevent unauthorized access to the site. What about 
those who may have authorized access but release it in an 
unauthorized manner, what protections or safeguards are put in 
there particularly for those that are the navigators, and the 
situation that there has been no background check, unless it 
was required in the State, how is that being handled with the 
use of navigators?
    Mr. Chao. I think the premise is that when we issue, for 
example, a grant to a navigator organization, or we sign a 
computer matching agreement with a State, that there are rules 
of behavior and certain, you know, kinds of requirements that 
are associated with signing that agreement or receiving that 
grant.
    Mr. Harper. Do you have a central reporting location of the 
navigators that are in violation or reported in violation?
    Mr. Chao. I have to check on that.
    Mr. Harper. My time has----
    Mr. Murphy. Gentleman's time has expired.
    Mr. Harper. You let us know. My time has expired.
    Mr. Murphy. Thank you.
    Mr. Lujan is recognized for 5 minutes.
    Mr. Lujan. Mr. Chairman, thank you so very much.
    Mr. Chao, you were just presented with a whole series of 
hypotheticals. Have any of those hypotheticals happened?
    Mr. Chao. No, not to our knowledge, no.
    Mr. Lujan. I appreciate that, and I would suggest, Mr. 
Chao, if someone was maliciously using information in a way 
that they were not allowed to use it, would that be a crime?
    Mr. Chao. Can you repeat that question again?
    Mr. Lujan. If someone hacked into the Web site, and was 
using information in a way that they weren't allowed to use it, 
so--and anyway, wouldn't that be considered a crime?
    Mr. Chao. Certainly, yes.
    Mr. Lujan. And I believe that we could fully prosecute 
those individuals?
    Mr. Chao. Yes.
    Mr. Lujan. And I would hope that this committee would fully 
support and encourage the Department of Justice to go and fully 
prosecute anyone that is hacking this Web site.
    Mr. Chairman, it wasn't too long ago that there was a 
hearing that this committee had on Lifeline, and some of my 
Republican colleagues were encouraging members--citizens of the 
United States to go to visit Obamaphone.net to sign up for a 
Lifeline or to get information from the Web site as to the 
accuracy of what the program was about. An hour later, the Web 
site was taken down, and this committee, myself and 
Congresswoman Eshoo, asked the FTC to look into the matter, but 
they said it appears that in the fraudulent way that this data 
was being collected, that the Web site is now down.
    I think we as Members of Congress need to be careful with 
how we are purporting information out to the American people. 
We need to be careful about this. There is not, again, a member 
on this committee that doesn't believe that we should get the 
Web site working, that we need to get to the facts of what is 
happening. And with that being said, Mr. Chao, I guess two 
things. Mr. Chairman, there is GAO report that was published on 
April 24 of 2012, entitled ``Cybersecurity, Threats Impacting 
the Nation,'' and I would like to ask unanimous consent to 
insert it into the record.
    Mr. Murphy. Sure.
    Mr. Lujan. The report, and I would invite everyone in the 
committee to take a look at this. It was to the Homeland 
Security Department or committee, talking about the threats 
that our Nation is facing. The intelligence community, Homeland 
Security, the White House, members of Congress Web sites that 
have been hacked into. We need to do more in this area to make 
sure that we are keeping information secure.
    But with that being said, Mr. Chao, this has been talked 
about a bit, but on the front page of The Washington Post this 
morning, there was an article about a document that was leaked 
to the paper by the committee majority. The article describes 
an analysis conducted in 2013 by McKinsey and Company that 
identified potential risks in the development of 
Healthcare.gov. The report shadowed some of the problems that 
we now face today.
    Mr. Chao, did you see the report at the time it was 
published in March and April of 2013?
    Mr. Chao. No, I did not.
    Mr. Lujan. So is it fair to say that you are not the best 
person to comment on why the report was done, and how CMS and 
HHS responded to its findings?
    Mr. Chao. Yes.
    Mr. Lujan. Mr. Chairman, I raise this because it 
illustrates a number of problems with how this has been 
handled. In particular, the perception that is created when you 
withhold documents from the Democrats on the committee, and 
when you play gotcha games by leaking material to the press 
without context, it makes it appear that you are more 
interested in running a partisan investigation than in finding 
the facts, and I certainly hope that that is not the case, and 
believe that not to be true, but we need to work together to 
get to the bottom of this.
    So with that being said, Mr. Chao, what efforts is the 
Department of Health and Human Services undertaking to address 
the ongoing threats?
    Mr. Chao. We listed as part of our mitigation strategy 
daily and weekly security testing and scans, which is something 
we always do, but in this case we do it more frequently because 
we understand the sensitive nature of Healthcare.gov and the 
trust that--and confidence we have to obtain from people to 
come and use the site.
    Mr. Lujan. And how is the department coordinating with 
other Federal agencies who maintain Web sites that also gather 
personal information?
    Mr. Chao. I think we work with all of our key partners that 
are connected to the Hub to make sure that we function under 
what we call a harmonized privacy and security framework, and 
along with the States, have a process and a program in place to 
handle certain situations of which there are incidents that 
need to be managed, about potential data breaches. So we have a 
program, we have a policy, we have a set of operational 
procedures in place, working and coordinating across all these 
agencies.
    Mr. Lujan. And does that include, Mr. Chao, the 
intelligence community, the Department of Homeland Security?
    Mr. Chao. Yes.
    Mr. Lujan. Very good.
    So with that, Mr. Chairman, as I yield back my time, I just 
hope that it is clear, Mr. Chao, to you, to the President, that 
we are not happy with the rollout right now. We need to get 
this working. There are too many vulnerable Americans that need 
access to care, and we need to make sure that we can get them 
that coverage, in the same way, protect the information. But I 
think it is a big step forward that no longer will individuals 
have to report the kind of illnesses or accidents that they 
have had in their past, so that they can get care in the 
future.
    And with that, Mr. Chairman, I yield back.
    Mr. Murphy. Gentleman yields back.
    And without objection, the gentleman's document will be 
admitted to the record.
    [The information follows:]
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Murphy. The Chair now recognizes the gentleman from 
Colorado, Mr. Gardner, for 5 minutes.
    Mr. Gardner. Thank you, Mr. Chairman, and thank you, Mr. 
Chao, for your time before the committee today.
    Last week, the President met with several representatives 
of the insurance industry to discuss solutions that may be 
possible in light of the Healthcare.gov debacle. Have you had 
any conversations about changes you can make to Healthcare.gov 
to assist the insurance industry?
    Mr. Chao. I think part of the strategy--I haven't spoken to 
the issues myself or been part of those meetings, but I think 
as part of the strategy under Jeff Zients is to improve the 
experience of consumers, but that involves, you know, key third 
parties that are also key to this equation of getting around 
those agents and brokers, and working with issuers to fix, you 
know, certain aspects of the systems to make it work better.
    Mr. Gardner. So have you had any discussions then about 
providing insurance companies with the ability to directly 
enroll, or anybody in your agency department?
    Mr. Chao. We had designed something called direct 
enrollment into Healthcare.gov, or part of that FFM system 
architecture to accommodate that.
    Mr. Gardner. And so that is ready--that feature has been 
turned on or it has not been turned on?
    Mr. Chao. It was not working well initially, like many 
other things, but we have been performing fixes and optimizing 
it, and working with issuers to get direct enrollment up.
    Mr. Gardner. So have you had any discussions about giving 
insurers direct access to information on eligibility for 
subsidies?
    Mr. Chao. Only at--in terms of the result. There is a 
series of----
    Mr. Gardner. That is a----
    Mr. Chao [continuing]. Security and of handoffs.
    Mr. Gardner [continuing]. Yes----
    Mr. Chao. Right.
    Mr. Gardner. That is a yes then?
    Mr. Chao. Yes.
    Mr. Gardner. OK. Thank you for that.
    Do you--going back to the question then about the feature 
on the Web site, will that happen in the future then to that 
question, discussions about giving insurers direct access to 
information on eligibility for subsidies? Do you believe that 
will happen in the future?
    Mr. Chao. It is not really direct access, it is more of a 
hand-off, a secure hand-off in which they have collected enough 
information about the applicant and their, you know, or an 
agent and broker, and this person has given authorization for a 
consent to work with them as a third party.
    Mr. Gardner. So that is a yes then again as well?
    Mr. Chao. It is not access direct to eligibility data, it 
is a more involved process that protects the person's 
information.
    Mr. Gardner. But the insurance company will be getting the 
subsidy access?
    Mr. Chao. They don't get to calculate it. We--that is a 
marketplace----
    Mr. Gardner. But they will have information on the 
eligibility for the subsidies directly?
    Mr. Chao. Only as a result of the marketplace handling that 
data, not touching that eligibility data themselves.
    Mr. Gardner. The committee has been reviewing materials 
that indicate that some parts of Healthcare.gov were not 
completed before the launch, as we have discussed here. What 
portion or percentage of the Web site remained to be created 
when you launched on October 1?
    Mr. Chao. I don't have an exact percentage. I think some of 
previous conversations when people ask about whether things 
were complete, I look at it in terms of overall marketplace 
systems----
    Mr. Gardner. So you have never talked about what is 
complete, what is not complete, whether it is--how much to go?
    Mr. Chao. I think it was a set of priority functions that 
needed to be in place. Like, for example, you had to 
authenticate an individual. That is a key function that had to 
be done.
    Mr. Gardner. Well, how much do we have to build today 
still? I mean what do we need to build, 50 percent, 40 percent, 
30 percent?
    Mr. Chao. I think it is, just an approximation, we are 
probably sitting somewhere between 60 and 70 percent, because 
we still have to build the system----
    Mr. Gardner. But 60 or 70 percent that needs to be built 
still?
    Mr. Chao. Because we still have to build the payment 
systems to make payments to issuers in January.
    Mr. Gardner. So let me get this correct, 60 to 70 percent 
of Healthcare.gov still needs to be built?
    Mr. Chao. It is not really Healthcare.gov; it is the 
Federally Facilitated Marketplace----
    Mr. Gardner. But the entire system that the American people 
are being required to rely upon----
    Mr. Chao. That part is there.
    Mr. Gardner [continuing]. Sixty to 70 percent----
    Mr. Chao. Healthcare.gov, the online application, 
verification, determination----
    Mr. Gardner. That is----
    Mr. Chao [continuing]. Plan compare, getting enrolled, 
generating the enrollment transaction, that is 100 percent 
there. What I am talking about is----
    Mr. Gardner. But the entire system is 60 to 70 percent away 
from being complete?
    Mr. Chao. Yes, there is the back office systems, the 
accounting systems, the----
    Mr. Gardner. Thank----
    Mr. Chao [continuing]. Payment systems----
    Mr. Gardner. Thank you for that.
    Mr. Chao [continuing]. They still need to be----
    Mr. Gardner. And how--of those 60 to 70 percent of systems 
that are still being built, how are they going to be tested?
    Mr. Chao. You mean the remaining----
    Mr. Gardner. Yes.
    Mr. Chao [continuing]. Thirty to 40 percent? How are they 
going to be tested?
    Mr. Gardner. Yes.
    Mr. Chao. In the same exact manner we tested everything 
else.
    Mr. Gardner. Is it difficult to review the new parts of the 
Web site while it is operating?
    Mr. Chao. It won't affect the front end--the front part----
    Mr. Gardner. But that is pretty difficult, isn't it?
    Mr. Chao. Excuse me?
    Mr. Gardner. It is pretty difficult to review it while it 
is in operation, correct?
    Mr. Chao. No, it doesn't involve the front part. The----
    Mr. Gardner. Right, but where it is operating within----
    Mr. Chao [continuing]. Eligibility--when we are trying to 
calculate a payment, derive a payment, do data matches on the 
back end, that doesn't affect the Healthcare.gov operations.
    Mr. Gardner. How long will you have to test those parts 
that you are building?
    Mr. Chao. They are on an ongoing basis. Depends on their build 
schedule.
    Mr. Gardner. So is it appropriate, given the performance of 
Healthcare.gov where we are at right now, to launch any new 
applications or features without testing them heavily before 
they go live?
    Mr. Chao. We are testing.
    Mr. Gardner. Mr. Chairman, I have several other questions 
and will follow up with you, but thank you for your time.
    Mr. Murphy. Thank you.
    Now recognize Mr. Welch for 5 minutes.
    Mr. Welch. Thank you very much. Thank you for the hearing.
    There is a mutual desire to get this thing to work, and 
there are really two models that we can use to deal with the 
failed rollout. One is to fix it, and the other is to use it as 
fodder to re-litigate the battle about whether health care is 
the law of the land. And my hope is that we are past that. 
There is an absolute urgency to make things work, and I know, 
Mr. Chao, that is your job, and I just want to put this into 
context. We had a big battle in this Congress, I was not here, 
over the passage of Medicare Part D. It was a largely partisan 
vote. The Republicans, under George Bush, were for it, most of 
the Democrats were against it, but it passed in a very close, 
tense vote. And my understanding is that as it then went into 
the implementation phase which required a computer program and 
a Web site, there were lots of significant difficulties with 
that program, and there were concerns about having it work.
    And I just want to ask you a little bit about that history, 
so that we have a context for the challenges we have today, not 
at all as an excuse because there is real unity about needing 
to get this fixed, but are the actions we take about getting it 
fixed or about trying to derail and scuttle the overall 
healthcare program. America is going to have to judge.
    But can you give us a sense what was going on inside the 
Agency when you were preparing the Medicare Part D Web site in 
2005, and were there concerns and issues that needed to be 
addressed then?
    Mr. Chao. The biggest and most prominent example that I can 
recall was the concern around auto-assignment and auto-
enrolling Medicare--Medicaid full benefit dual eligibles to 
receive a Part D prescription drug benefit, and switching them 
over as of January 1, and that we had sent these enrollment 
files out to the plans--the health plans or Part D sponsors, 
around November, and in December it was some realization, you 
know, last-minute realization that pharmacists and pharmacies 
were--who were on the frontline of helping these beneficiaries, 
required, you know, some access to information to help them 
navigate this new change. So as an example, we scrambled and we 
developed a method for pharmacies to actually get access 
through authorizations to Medicare enrollment data for the dual 
eligibles that were enrolled so that, at point of sale, they 
can at least do things such as, you know, three day fills----
    Mr. Welch. Right.
    Mr. Chao [continuing]. Just to figure out what plan they 
might be in. And, you know, that is just an example. I recall 
that was a mass scramble, time crunch, had to get it in place, 
lots of, you know, working around the clock, lots of urgency, 
pushing many, many people, not just on the contractor and the 
staff side, but working with the prescription drug industry as 
a whole, including pharmacists, to make this happen.
    Mr. Welch. All right, and those problems continued even 
after the January 1 rollout date, that is my understanding.
    Mr. Chao. Correct, because it is not perfected. It is--it 
is not so much a technical issue, when you introduce a new 
business process, for example, in a procedure, you know, in an 
administrative aspect of health care, it takes a while for 
people to actually understand how that works, you know, as 
compared to learning the data system that is involved to 
support that business process. So it is more than just a 
technical issue.
    Mr. Welch. OK, and is it your view that, as we ultimately 
succeeded with Part D, we can ultimately succeed in terms of 
the technical Web site issues with Healthcare.gov?
    Mr. Chao. Certainly. I think it comes with being focused 
and driven to get at the root of the problem and to fix the 
systems, because on the technical issue side, it is solvable, 
very solvable, and we have shown that it has made improvements.
    Mr. Welch. OK, thank you very much.
    I yield back.
    Mr. Murphy. Gentleman yields back.
    Now recognize for 5 minutes the gentleman from Virginia, 
Mr. Griffith.
    Mr. Griffith. Thank you, Mr. Chairman.
    Now, speaking of Medicare Part D, no one was required by 
law or force of penalty to subscribe to that, isn't that 
correct?
    Mr. Chao. No, but we did auto-assign, auto-enroll 
Medicare--Medicaid dual eligibles into Medicare Part D.
    Mr. Griffith. But it is a different animal than what we are 
dealing with now because a lot of Americans are being told they 
can't have their insurance so they are going to have to sign up 
through the Exchanges. So I do appreciate that, but there is a 
difference.
    You know, one of the things that when you get time today to 
look at the report, and I think it is a symptom of the problems 
that this Web site has had, is that you were not included in 
the briefings on the report that has come to light in the last 
24 hours, but when you get a chance to read that, one of the 
things you will see is they thought there ought to be one 
person overseeing all of the different parts. And listening to 
the vendors who previously testified before this committee, it 
looked like they were each building their own part and then, in 
the last month, they had to squeeze it all together in the last 
two weeks, things were changing.
    Another part of that report shows us that on a timeline, 
you really want to define your policy requirements prior to 
finishing the design and starting the build. Wouldn't you agree 
with that?
    Mr. Chao. That is the logical thing to do.
    Mr. Griffith. It is the logical thing to do, but in 
reality, we have heard testimony in this committee that they 
were changing policy, we know the big change on July the 2nd 
when all of a sudden the employer mandate was allegedly 
delayed--the President signed an executive order, I am not sure 
it has legal authority, but he did that, delayed that employer 
mandate. Further, we know from testimony that there were 
changes being made as close to the launch as 2 weeks before. So 
based on that, it would be the logical conclusion that you are 
going to have significant problems, wouldn't it?
    Mr. Chao. With the luxury of hindsight, I can see that, you 
know, there are contributors to the way the system performed 
when it was unveiled, but that is not----
    Mr. Griffith. Well, if you----
    Mr. Chao. But that is not, you know, I need to focus on 
fixing this thing.
    Mr. Griffith. And I know that your focus is to fix it 
now, but also when you take a look at it, when you are still 
defining your policy requirements as late as two weeks prior to 
launch, it is very difficult to design and then to build and 
then to test a system and have it work, whether it is the 
security component or the performance component. It would be 
logical to do it in the proper order. When you do the 
illogical, you are liable to have problems. And I know you 
would agree with that, if you were free to answer honestly. And 
I would say to you that I also noticed that no one person was 
ever appointed to head this up while you were in charge of part 
of it, and you are in charge of making part of it work. It 
looks like there are at least six different representatives 
from different agencies that had a hand in overseeing what was 
going on, and no one had control over the others, isn't that 
correct?
    Mr. Chao. I think it was a governance committee that was 
formed.
    Mr. Griffith. A governance committee. And--isn't that 
interesting. And sometimes when you are trying to launch a big 
project like this though, you have to have one general in 
charge of the operation. Wouldn't that be logical?
    Mr. Chao. I would say that for the technical pieces, you 
know, I was responsible for making sure that the technical 
pieces were----
    Mr. Griffith. All right.
    Mr. Chao [continuing]. Organized.
    Mr. Griffith. And last month, this committee uncovered a 
September 27 memorandum indicating that Healthcare.gov launched 
without a full security control assessment. Administrator 
Tavenner had to attest that she was aware that the launch 
carried security risks. Can you tell us what those risks are 
specifically?
    Mr. Chao. First of all, I think the incomplete testing--it 
was fully security tested through 3 rounds of testing so that 
when we--when Marilyn Tavenner signed the authority to operate 
on September 27, it had no high findings and had gone through 
the appropriate security tests.
    Mr. Griffith. So what she said was not accurate, that it 
had a--did not have a full security control assessment, she was 
mistaken when she testified in front of us on that?
    Mr. Chao. I think there is a part of that sentence that 
might be--it needs clarification. I think what we were trying 
to say was that the security control assessment was not tested 
for a full entire system of which we were still--remember, I--
we are still building financial management aspects of it. I 
think it was just an acknowledgement that the--100 percent of 
the system was not complete at that time.
    Mr. Griffith. OK, and it is still not complete today, and 
the people of America want to know, you know, what is the 
security going to be----
    Mr. Chao. Well----
    Mr. Griffith [continuing]. If it is not completed on 
January 1.
    Mr. Chao. The October 1 pieces that were necessary, such as 
ensuring security privacy for those functions that I mentioned, 
were tested.
    Mr. Griffith. OK, and I appreciate that, but what can we 
expect on January 1?
    I apologize, I yield back.
    Mr. Murphy. Thank you. And by the way, our prayers are with 
the family of State Senator Creigh in Virginia who is, I guess, 
in critical condition.
    Mr. Griffith. If I might----
    Mr. Murphy. Right.
    Mr. Griffith [continuing]. Take a--since you bring it up. 
If I might take a moment of personal privilege. I do appreciate 
your prayers. Creigh and I were in opposite parties, but just 
like on this committee, you form friendships. And he served 
with me in that Virginia House of Delegates before he went on 
to the Senate and went on to run for other offices. But he 
still is a sitting Senator, and it obviously has shaken 
everybody in Virginia. And he is a good man and our prayers are 
with him, and I encourage everybody to say a prayer for Senator 
Deeds and his family.
    Mr. Murphy. I thank the gentleman.
    Now turning to Mr. Tonko for 5 minutes.
    Mr. Tonko. Thank you, Mr. Chair.
    I would like to continue on that recent questioning of the 
document that my Republican colleagues have released.
    Mr. Chao, this document was signed, I believe, on September 
27, and it is an ATO, an authority to operate, memorandum to 
operate the Federally Facilitated Marketplace for 6 months, and 
implement a security mitigation plan.
    Mr. Chao. Correct.
    Mr. Tonko. Can you tell us, are ATOs commonly used in 
Federal data systems?
    Mr. Chao. Yes. It is the, in essence, the last official 
sign-off to authorize a Federal system to go into operations.
    Mr. Tonko. Thank you. And can you tell us why Administrator 
Tavenner signed this ATO rather than, well, perhaps other 
officials that might report to the administrator?
    Mr. Chao. I think the span of the stakeholders that were 
involved across the Agency has--we had not had a system that 
had this unprecedented involvement of so many different 
components, so that the recommendation by our chief information 
officer was to make a recommendation for the administrator to 
actually sign off on this, because she runs the entire agency.
    Mr. Tonko. And the fact that she signed it is good news? It 
is an indication, I would believe, that officials at the 
highest level of CMS were briefed on and taking responsibility 
for site security?
    Mr. Chao. Correct, yes.
    Mr. Tonko. Now, as I understand it, this document describes 
security testing for the Healthcare.gov Web site. It says that 
security testing of the marketplace was ongoing since inception 
and into September 2013. In fact, it says that, and I quote, 
``throughout the 3 rounds of security control assessment 
testing, all of the security controls have been tested on 
different versions of this system.'' Is that correct?
    Mr. Chao. Correct.
    Mr. Tonko. But the document goes on to say that because of 
system readiness, a complete security assessment of all the 
security controls in one complete version of the system was not 
performed. It says that this lack of testing, and I quote, 
``exposed a level of uncertainty that could be deemed as a high 
risk.''
    Mr. Chao. I didn't actually--I had recommended as part of 
that decision memo and I think at that time, as I mentioned 
earlier, you know, it is semantics, you know, not 100 percent 
of the system is built so you can't really consciously say you 
have it all available in one place to fully test, because not 
everything was needed for October 1. Only essential pieces 
involving Healthcare.gov were tested for security.
    Mr. Tonko. So the document then indicated that CMS 
postponed a final security assessment screening, right, and 
the--in its place, CMS did put in place a number of mitigation 
measures. And it concluded that these measures would mitigate 
the security risks.
    I want to take a moment to ask you about the September 27 
ATO, and how the risks identified are being addressed. Can you 
describe their recommendations in that September 27 memo?
    Mr. Chao. You mean in terms of mitigations?
    Mr. Tonko. Yes.
    Mr. Chao. OK, so on a daily basis, we run antivirus scans 
every 3 minutes, malware scans every 3 minutes, data full 
monitoring is a continuous effort, threat protection analysis 
against known bad IPs or hackers, I mentioned that in my 
opening remarks that it is continuous. On a weekly basis, we 
monitor operating system compliance, infrastructure system 
compliance, we conduct penetration testing, authenticated and 
unauthenticated, by marketplace security teams. We have a 24 by 
7 security operations team. We conduct additional penetration 
testing, authenticated and unauthenticated, by another group of 
security professionals in CMS that report under our chief of 
information security officer. We also conduct application 
software assurance testing, which is occurring biweekly. And on 
a monthly basis, we produce a plan of actions and milestones 
that keeps track and reports on any discovered weaknesses 
during all of this monitoring.
    Mr. Tonko. So CMS is taking action that was recommended in 
the ATO?
    Mr. Chao. Correct.
    Mr. Tonko. And do you have confidence in these and other 
measures you are taking to protect the security of Americans' 
personal information?
    Mr. Chao. I have high confidence.
    Mr. Tonko. OK. As I understand it here, the remedial 
actions and the ongoing security testing are protecting the 
security of the Web site.
    Mr. Chao. Yes.
    Mr. Tonko. And so perhaps the message coming from my 
Republican colleagues is that they do not want the Web site to 
work, and that they want to scare people from going on the Web 
site, when, in fact, we are hearing that security has been 
provided for.
    Mr. Chao. I think we have gone over and above, because we 
are very sensitive and we appreciate the nervousness around 
this new program with people's information.
    Mr. Tonko. Well, we appreciate you building the security of 
the Web site, and responding to the actions recommended in the 
ATO memo.
    Thank you so much. I yield back.
    Mr. Murphy. Thank you. Gentleman's time has expired.
    Now recognize the gentleman from Ohio, Mr. Johnson, for 5 
minutes.
    Mr. Johnson. Thank you, Mr. Chairman.
    Mr. Chao, I spent 30 years in information technology as--I 
have been the chief information officer of publicly traded 
companies, as well as the director of the CIO staff at U.S. 
Special Operations Command, and I know the pressures that 
delivering on a system of this complexity, I know the pressures 
that are there.
    I assume that you and I have a common goal here today, and 
that is to make sure that the American people hear the truth. 
Is that an accurate statement?
    Mr. Chao. That is correct.
    Mr. Johnson. OK. Given that then, would it be OK if you and 
I have an understanding, because this is two IT guys talking to 
one another. If I ask you a question that you don't understand, 
would you ask me for clarification so that we can get to the 
bottom of it, because we want to dig down in here into some 
things that are pertinent?
    Mr. Chao. Yes, sir.
    Mr. Johnson. OK, great. You know, under FISMA, agencies 
operating IT systems are required to establish security 
baselines, incorporate them into applications and networks, and 
test them to see that they are incorporated correctly. The use 
and review of this testing plan is typically known as a 
security control assessment. Several of the security control 
assessments for Healthcare.gov were either not completed or 
otherwise ignored.
    So are you familiar with the four security control 
assessments that were completed on the various aspects of the 
Federally Facilitated Marketplaces?
    Mr. Chao. Not in intricate detail, but I think I--going 
back to what you said about ignored or missed, I think the most 
important thing to remember is that on September----
    Mr. Johnson. Are you familiar with those security control 
assessments?
    Mr. Chao. I----
    Mr. Johnson. Have you seen or read them?
    Mr. Chao. I have read the most important one, that is the 
one----
    Mr. Johnson. Have you read all four of them?
    Mr. Chao. No, not all four.
    Mr. Johnson. OK, could you turn to tab 4 of the document 
binder that you have in front of you? This is the security 
control assessment completed on October 11, 2013. Are you 
familiar with the findings of this security control assessment?
    Mr. Chao. Yes.
    Mr. Johnson. OK. You testified a little earlier that it was 
your opinion, based on what you knew at the time, that the 
security control assessments--that security had been adequately 
addressed when Administrator Tavenner signed the document 
authorizing the operation of the Web site. Is that correct?
    Mr. Chao. Yes.
    Mr. Johnson. But yet you just testified that you were not 
aware and you didn't read the security control assessment, so 
how can you make that assertion that security had been 
adequately addressed when you hadn't even read the control 
assessments yourself?
    Mr. Chao. I am thinking that there might be some mismatch 
in versions here. Yours says final report October 11 for Health 
Insurance Exchange August through September 2013, SCA report. I 
have the Federally Facilitated Marketplace decision security 
part----
    Mr. Johnson. Well, I am talking about the one in your tab 
there.
    Voice. Excuse me, can we ask the witness to speak up a 
little bit? I am having difficulty hearing him.
    Mr. Chao. I am sorry.
    Mr. Johnson. But I have got to move on because I don't have 
time to look through the binder.
    Who develops the scope of a security control assessment 
before the contractor performs it?
    Mr. Chao. We have independent contractors that design our 
SCA testing.
    Mr. Johnson. Do you need an application like the Data 
Services Hub or the Web site to be complete in order to test it 
for purposes of a security control assessment?
    Mr. Chao. I think that depends on, you know, we don't like 
testing security----
    Mr. Johnson. Well, I can assure you that we don't.
    Mr. Chao. The--in terms of using live data, you know. So 
prior to going to production, we tend to conduct security----
    Mr. Johnson. Well, let me ask you a question. Let us put up 
a slide. Are you familiar with the term SQL injection?
    Mr. Chao. Um-hum.
    Mr. Johnson. OK. You know, SQL injection is a process 
that hackers use to gain access to SQL databases, relational 
databases, through a SQL. This is a screenshot directly off 
of Healthcare.gov that you see, if you put a semicolon in the 
search box, you get all of those different breakdowns of SQL 
injection.
    Have--can you give me any idea how vigorous the testing was 
around SQL injection, and are you aware that potential 
hackers have the capability to go in through SQL injection 
and manipulate these strings?
    Mr. Chao. I can't speak to the exact--that situation. I 
think some of the folks that are coming up behind me in the 
other panel might be able to specifically address----
    Mr. Johnson. I can assure you, Mr. Chairman, that I still 
have very serious concerns about the security aspects of this 
system.
    And with that, I yield back.
    Mr. Murphy. Thank you. Gentleman's time has expired.
    Now recognize Ms. Schakowsky for 5 minutes.
    Ms. Schakowsky. I want to also focus on this particular 
system that the contractor, MITRE--I am here, Mr. Chao. Yes, 
OK.
    Mr. Chao. Sorry.
    Ms. Schakowsky. We have heard this morning, we just heard, 
about the risks that the contract--contractor, MITRE, 
identified when it performed security control assessments for 
different components of Healthcare.gov. And at first glance, 
they can seem alarming, but my understanding is that all of 
these issues were mitigated for the functions on the Web site 
that launched on October 1. It is important to understand the 
general point of security testing, to identify any potential 
issues so they can be addressed before they became--become real 
problems. Asking MITRE to perform these assessments gives CMS 
and the contractors the opportunity to identify and resolve any 
security vulnerabilities before anyone's personal information 
could be put at risk.
    So, Mr. Chao, does that sound to you like an accurate 
description? Do the security control assessments involve an 
iterative process where problems are identified and then 
mitigated?
    Mr. Chao. Yes, that is correctly characterized.
    Ms. Schakowsky. So, Mr. Chao, I want to walk through some 
of these key security assessments to determine whether the high 
risks that MITRE identified have, in fact, been addressed.
    In January and February of 2013, MITRE performed a security 
control assessment of EIDM, the account creation function on 
Healthcare.gov. According to the final report, MITRE identified 
several high-risk findings.
    So, Mr. Chao, were these high-risk findings resolved and 
mitigated before the October 1 start of open enrollment in the 
Federal Marketplace?
    Mr. Chao. Yes, they were.
    Ms. Schakowsky. And the fact is that they were noted in 
the--that fact is noted in the MITRE report.
    OK, so MITRE also performed a security control assessment 
of the Data Services Hub in August 2013, and again identified 
several high-risk findings. Were these findings resolved and 
also mitigated before the October 1 launch?
    Mr. Chao. Yes, and the Hub received authority to operate in 
August.
    Ms. Schakowsky. Yes, and the fact is that was--and that 
fact was noted in the report.
    I also want to discuss the security control assessment that 
MITRE performed over August and September 2013 for the Health 
Insurance Exchange. Mr. Chao, were all high risks identified in 
this assessment mitigated before October 1?
    Mr. Chao. Yes.
    Ms. Schakowsky. I thank you. And what your answers confirm 
is that the system worked. MITRE identified potentially high 
risks--high security risks, and CMS made sure that they were 
mitigated before they would become major problems.
    The MITRE reports do not show a flawed system, they show 
that CMS conducted security control assessments to identify 
problems, and then fixed those problems. And I hope that my 
Republican colleagues will keep these findings in mind when 
they talk about the security of Healthcare.gov. We don't want 
to alarm the public about security risks that have already been 
addressed by CMS and its contractors. It just seems to me that 
identifying risks that were named, it is important also to note 
that they were all fixed before the launch on October 1. And I 
thank you very much for your testimony.
    I yield back.
    Mr. Chao. Thank you.
    Mr. Murphy. Gentlelady yields back.
    And now I recognize the gentlewoman from North Carolina, 
Mrs. Ellmers, for 5 minutes.
    Mrs. Ellmers. Thank you, Mr. Chairman. And thank you, Mr. 
Chao, for being with us today.
    Mr. Chao, I have a question about the subsidies, and some 
questions about some miscalculations that could be happening on 
the Exchange. Press reports have indicated that some subsidies 
are being miscalculated. In fact, one individual the President 
identified as a beneficiary of Obamacare now can't afford it. 
And, Mr. Chairman, I would ask unanimous consent to submit an 
article from CNN to the committee for the record.
    [The information follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

    Mrs. Ellmers. OK. This is a single mom, has a teenage son 
with ADHD, went on the Washington State Exchange, had gotten an 
insurance quote for what she would pay at a gold price. Then 
she received notification that it was actually--the quote was 
actually higher for a silver plan. More confusion went on. Then 
even a cheaper plan at bronze level for $324. So, in other 
words, she ended up paying a lot more.
    I guess in my questioning for you is, is this happening on 
the Healthcare.gov site or the Federal Marketplace?
    Mr. Chao. I think there are a lot of inputs to how an 
advanced premium tax credit is calculated. A person can come 
back and make some modifications to their income levels, to 
their household composition. So--and Washington is a State-
based marketplace, so I can't really speak----
    Mrs. Ellmers. Um-hum.
    Mr. Chao [continuing]. For that particular case, but I 
think that Healthcare.gov allows people the flexibility to try 
several ways----
    Mrs. Ellmers. Um-hum.
    Mr. Chao [continuing]. To determine, you know, what their 
tax credit is.
    Mrs. Ellmers. OK, you know, and there again, I am just 
going based off the article. It doesn't seem to be that she had 
gone back to make any changes, it sounded to me like, you know, 
there were miscalculations that she was notified of. So again, 
my questioning is, is this happening in the Federal Exchange?
    Mr. Chao. I would need some specifics to be able to answer 
that.
    Mrs. Ellmers. OK.
    Mr. Chao. I think that if anyone ever does have issues with 
believing that their subsidies were incorrectly calculated, 
they could certainly call our call center to try to find out if 
it was correct or not.
    Mrs. Ellmers. So that is basically, you know, I am just 
asking how someone would address that, or how that would 
happen, if there were miscalculations then you could speak to 
someone personally and----
    Mr. Chao. Yes, we have both the call center and what we 
call an eligibility support work----
    Mrs. Ellmers. Um-hum. Do you know if this is what is 
happening?
    Mr. Chao. I----
    Mrs. Ellmers. Have you heard any reports of----
    Mr. Chao. I think there are many calls to the call center 
for many different reasons.
    Mrs. Ellmers. Um-hum.
    Mr. Chao. I don't know exactly, you know, I can't tell you 
there were 10 cases today or----
    Mrs. Ellmers. Um-hum, OK.
    Mr. Chao. But if you----
    Mrs. Ellmers. CGI--well, we can move on. I appreciate that. 
CGI, the contractor responsible for building Healthcare.gov, 
can you explain your role with them in the last weeks of 
September? Did you, you know, were you in contact with them, 
were you working with them one-on-one, were you in their 
office?
    Mr. Chao. Yes, I actually--I moved down to Herndon and 
lived in a hotel from September 10 to about the last week of 
October----
    Mrs. Ellmers. Um-hum.
    Mr. Chao [continuing]. And I worked at CGI almost every 
day.
    Mrs. Ellmers. So you were actually there in their offices, 
working out of their offices? OK.
    Mr. Chao. Yes.
    Mrs. Ellmers. One of the things that--I have got about a 
minute left on my time. The President announced a tech surge to 
fix the Web site. Who is involved in that surge?
    Mr. Chao. There--Todd Park is involved----
    Mrs. Ellmers. Um-hum.
    Mr. Chao [continuing]. And there are two fellows, one by 
the name of Mikey Dickerson, and another by the name of Greg 
Gershman.
    Mrs. Ellmers. Do you know about their compensation? How are 
they being compensated?
    Mr. Chao. I have no insight to that.
    Mrs. Ellmers. Um-hum. Do they have a contract or did they 
have to sign an agreement?
    Mr. Chao. I don't know.
    Mrs. Ellmers. Who do these individuals report to?
    Mr. Chao. I am not--actually, I am not sure who they have a 
contract with, or whether if they----
    Mrs. Ellmers. So--but you are in charge of the technical 
component to Healthcare.gov, and they don't report to you?
    Mr. Chao. No, they are part of a tech surge team that is 
being led by Jeff Zients.
    Mrs. Ellmers. OK.
    Mr. Chao. Right.
    Mrs. Ellmers. So Jeff Zients is really the person that they 
are reporting to?
    Mr. Chao. Right.
    Mrs. Ellmers. OK, thank you very much.
    Mr. Chairman, my time has expired.
    Mr. Murphy. Gentlelady yields back.
    Now go to Mr. Olson for 5 minutes.
    Mr. Olson. I thank the Chair. Welcome, Mr. Chao.
    As you can imagine, sir, folks back home in Texas 22 have 
one simple question: Why, why, why did Healthcare.gov roll out 
on October 1 when most people in CMS, including yourself and 
every contractor writing codes and doing the testing, said 
stop, stop, stop, stop. We need more time. This Red Team 
document is frightening. I refer you to page 4 of the document, 
terms like limited end-to-end testing, parallel stacking of all 
phases. Stacking is vertical, not parallel. Insufficient time 
and scope of end-to-end testing. Launch at full volume. And I 
refer you to a 7/16 email which you said you were worried that, 
and this is a quote, ``crash the plane takeoff.''
    With all due respect, sir, it never got to the runway. It 
was still waiting at the ramp there, waiting for the pilots, 
the bags, the fuel, waiting for new tires. Using your analogy 
and my record as a naval aviator, Healthcare.gov was a ``hangar 
queen,'' never ready to fly.
    I do want to talk about--the folks back home I work for are 
most concerned about protection of their personal health 
information. With so little testing, they are concerned about 
the lack of security control assessments, SCAs. And my 
question is, I will refer you to the document brief there, and 
on--please turn to tab 2, sir. My question concerns--you guys 
said that--this is a document you wrote for Ms. Tavenner, that 
you needed a 2-part mitigation plan. And part 2 is basically, 
you said, 1 of the recommended steps is to ``conduct a full SCA 
test on the FFM in a stable environment where all security 
controls can be tested within 60 to 90 days of going live on 
October 1.'' The FFM will not be completed by November 30, so 
how can you conduct a full test of the SCA within 60 days of 
open enrollment? How could that happen when you are losing 30 
days right off the bat?
    Mr. Chao. I think the 60 to 90 days refers to the inclusion 
of the final piece that needs to be built. What we mentioned 
earlier, which I just want to say that it is actually 30 
percent of the systems are left to be developed, not 70 
percent, and that 30 percent represents the payment aspect and 
the accounting aspects of making payments in the marketplace, 
for all marketplaces, not just for Federally Facilitated 
Marketplaces, and that that functionality has to be in place 
for the January 1 effective date enrollments. And so I think 
once we have that completed, we could do a full SCA across the 
entire system.
    Mr. Olson. But, sir, the document says October 1 rollout, 
60 to 90 days after that. And apparently right now, we are 
going back to at least November 1 at the earliest for the 
rollout. I don't see how you get 60 days or 90 days of testing 
before we are going live again.
    And one further question about the SCAs. How many SCAs 
did you identify and fix before the rollout on October 1, how 
many have been identified and fixed after rollout, and how many 
are still out there? What is the scope that my constituents 
should be worried about?
    Mr. Chao. The most important aspect is that there were no 
high findings in the SCA tests as of the October 1 rollout. And 
as I mentioned earlier, I read off a list of mitigation 
activities that we go over and above any system that we put 
into--we deploy and put in operations and monitor on a daily 
basis.
    Mr. Olson. When can you assure us that a full SCA will be 
conducted system-wide? Ever?
    Mr. Chao. When the last pieces of the system are completely 
built, which is not--you know, I don't want people to think 
that there hasn't been a full SCA. A full SCA has been 
conducted on the pieces that were needed for October 1 for 
eligibility enrollment. We have yet--we still have to build the 
financial management aspects of the system, which includes our 
accounting system and payment system and reconciliation system. 
Those will also have security testing involved as well.
    Mr. Olson. And the full end-to-end----
    Mr. Chao. Testing----
    Mr. Olson [continuing]. Testing, the whole, full system, 
when can we expect that to occur, sir? What date?
    Mr. Chao. I don't have an exact date, but it should be in--
some time in December.
    Mr. Olson. So 2013, not 2014, 2015, 2016?
    Mr. Chao. Correct.
    Mr. Olson. 2013. OK, sir. One final question, and I want to 
refer back to your email from July 16 about needing to feel 
more confident about Healthcare.gov. I am assuming that some 
time in the last 4 months you got that confidence. What gave 
you that confidence? What was the trigger mechanism, when did 
that happen? Something changed in the last 4 months.
    Mr. Chao. I didn't say anything about having more 
confidence. I am always cautious, which is what I was trying to 
say earlier is that, until this is fixed, until the vast 
majority of people have a good experience going through here, 
and we have people who want to enroll, get enrolled, 
particularly for January 1, I am going to continue to focus on 
that along with the rest of the team. And, you know, and so it 
is not really about confidence level right now, it is about 
focusing on fixing the problem.
    Mr. Olson. And so we are not fine yet. The hangar queen is 
still at the hangar.
    I yield back the balance of my time.
    Mr. Murphy. I thank the gentleman for yielding back.
    What we are going to do is give each side 5 more total 
minutes, because Ms. DeGette has a couple of clarifying 
questions, I have a couple of clarifying questions. If anybody 
from my side needs some time, we will do that real quick.
    Ms. DeGette.
    Ms. DeGette. Thank you, Mr. Chairman.
    Mr. Chao, I want to thank you for coming and spending the 
morning with us. I am going to try to be quick because I would 
like you to get back to wherever you are going and make this 
thing work. OK.
    The first thing I want to clear up, because even though I 
thought we established it, my friends on the other side 
continued to ask you about this McKinsey document at tab 1, and 
I just want to clarify. You didn't--you weren't part of this 
Red Team evaluation, is that right?
    Mr. Chao. Correct.
    Ms. DeGette. And you didn't really see this document until 
today, is that correct?
    Mr. Chao. Correct.
    Ms. DeGette. So there were a lot of questions people asked 
you, hypothetical questions people asked you about this 
evaluation that you really don't know the answer to because you 
weren't involved in the process and you didn't see the document 
until today, right?
    Mr. Chao. Correct.
    Ms. DeGette. Now, as I understand it, this evaluation was 
done in March/April 2013. Is that your understanding as well, 
this McKinsey evaluation?
    Mr. Chao. It is approximately that time.
    Ms. DeGette. And do you have any knowledge of what that 
evaluation was supposed to be for? Was it a snapshot in time or 
do you even know?
    Mr. Chao. From the interviews that I had with McKinsey, it 
was about really 2 things. One was, I spent some time helping 
McKinsey understand the program.
    Ms. DeGette. Uh-huh.
    Mr. Chao. Meaning how it worked, where we were in terms of 
status and schedule. I don't--I suppose it also includes a 
point in time kind of an assessment, because I educated them on 
exactly what was happening up to the date----
    Ms. DeGette. Up to that time. Now, on page 4 of this 
assessment, I don't really want you to respond to this because 
you weren't involved in the document, but I do want to point 
out, there were a lot of questions that were asked today about 
the current situation, evolving requirements, multiple 
definitions of success, et cetera, but the people who were 
asking those questions today didn't talk about the last thing, 
which is in bold letters in a box, that says CMS has been 
working to mitigate challenges resulting from program 
characteristics. This was in March or April. And so without 
talking about this document necessarily, but I think what your 
testimony--what your job is really to identify issues 
throughout and try to mitigate them, is that right?
    Mr. Chao. Correct.
    Ms. DeGette. And that is what you have tried to do 
throughout.
    Mr. Chao. It is a constant mitigation set of activities----
    Ms. DeGette. And the administration has said it is going to 
try to have the Federal Exchange site working for 80 percent of 
the people by the end of November. Is that right? That is what 
we have been reading in the press.
    Mr. Chao. That is what the press quoted.
    Ms. DeGette. OK.
    Mr. Chao. I think what we have been saying is the vast 
majority of----
    Ms. DeGette. All right, and do you believe that that is a 
reasonable goal at this point?
    Mr. Chao. I think that is an attainable goal, given what I 
have seen so far.
    Ms. DeGette. Do you think it is going to happen?
    Mr. Chao. I don't think there are any guarantees. I think 
we are still in a stage where we are trying to apply as much 
due diligence, acquiring additional assistance, the tech surge, 
looking at performance, fixing the functional defects, along 
with making sure that security monitoring is an ongoing basis. 
So I think there is still a lot of moving parts that it 
wouldn't be prudent to give 100 percent guarantees about where 
we are going to be at on an exact date----
    Ms. DeGette. Well----
    Mr. Chao [continuing]. But I think we are on the right 
track.
    Ms. DeGette. You are--OK, but what I will say to you is, 
truly, and you have heard this from all of us, all of us were 
disappointed that it didn't work on October 1. I am sure you 
were too.
    Mr. Chao. Very.
    Ms. DeGette. And so we need this to be essentially working 
ASAP. For one thing, people who want insurance coverage as of 
January 1 have to sign up by December 15. So if it is not 
working for the vast majority of people by the end of November, 
that is going to be hard to do. Understood?
    Mr. Chao. We certainly understand that.
    Ms. DeGette. OK. One last thing. Someone had asked you the 
question--or had made the assertion that 60 percent of the site 
was not working, but I am told that is not really accurate, 
that it is really about 30 percent that is not working, and 
most of that is the backend which is the payment to insurance 
companies. So that is not necessarily the part that has to be 
working at this moment. Is that correct?
    Mr. Chao. Yes, it is not that it is not working, it is 
still being developed and tested.
    Ms. DeGette. OK.
    Mr. Chao. Right.
    Ms. DeGette. But that is the payment to the insurance 
companies.
    Mr. Chao. Correct.
    Ms. DeGette. Right.
    Mr. Chao. Which involves testing with Treasury----
    Ms. DeGette. OK.
    Mr. Chao [continuing]. And others.
    Ms. DeGette. All right. Thanks, Mr. Chairman.
    Mr. Murphy. Thank you.
    Recognize myself for 5 minutes.
    Just let me follow up here that--then what you are saying 
this 30 percent is yet to develop on the payment end. On 
October 1, the day this went live, how much of the site was 
developed at that time?
    Mr. Chao. Probably--well 100 percent of all the priorities 
that were set for by the business for October 1, it was up and 
running.
    Mr. Murphy. OK, but what about the other parts?
    Mr. Chao. I think there was a reprioritization associated 
with, like, the shop employer, shop employee and the Spanish 
Web site that was----
    Mr. Murphy. But it was crashing for everybody. We have 
heard that it wasn't designed for that many people, it didn't 
pass a stress test, it never had end-to-end testing, and you 
are saying it was 100 percent ready?
    Mr. Chao. No, it----
    Mr. Murphy. I just want to make sure I understand. What----
    Mr. Chao. When I--it was 100 percent built, meaning----
    Mr. Murphy. One hundred percent built, but----
    Mr. Chao. Or the----
    Mr. Murphy [continuing]. Just not working.
    Mr. Chao. Yes, working functionally and----
    Mr. Murphy. Well, then it is not built.
    Mr. Chao [continuing]. Performing well, that----
    Mr. Murphy. If a car is built but you can't run the car, 
that car is not built. If a Web site isn't working, it is not 
built.
    Mr. Chao. Well, I am certainly not going to sit here and 
try to tell you that it was working well. So I do----
    Mr. Murphy. Yes, but you said on October 1 it was 100 
percent built. I really need to know because you had said 
before you wish you had had more time, and you had just said to 
Ms. DeGette that your job was to identify issues and mitigate 
them. And since you would have liked to have had more time, and 
your job was to mitigate them, would you have liked to have 
seen this whole report from McKinsey that identified the 
problems so you didn't have to find them out?
    Mr. Chao. I don't--I--actually, I don't think it was 
necessary because I think this report was for--really for 
Marilyn Tavenner and others, and it was written for that level 
of consumption and that audience.
    Mr. Murphy. But you haven't seen this so you don't know. Or 
do you know?
    Mr. Chao. I am just assuming that that is why I wasn't----
    Mr. Murphy. OK, I just want you to stick with facts you 
know. So--well, what I am seeing here is from March on, 
Marianne Bowen, Jim Kerr, Todd Park, Brian Spivack, Michelle 
Snyder, Gary Cohen, Bill Corr, Mike Hash, Aryana Khalid, 
Katherine Sebelius, William Schultz, Michelle Snyder, Marilyn 
Tavenner, Mark Childress, Jeanne Lambrew and Ellen Montz all 
had briefings on this. Are those any people you work with?
    Mr. Chao. I have been in meetings with several of those 
folks.
    Mr. Murphy. Some of them. Since March and April?
    Mr. Chao. Yes.
    Mr. Murphy. And none of them raised any of these concerns 
to you, and you identified yourself that your job was to 
identify issues and mitigate them, but none of them 
identified----
    Mr. Chao. Within----
    Mr. Chao [continuing]. That, with all of these interviews 
and the 200 documents reviewed, that there were these problems?
    Mr. Chao. Within my day-to-day operational, you know, 
requirements to manage the contract, to manage schedule, to 
manage staff and----
    Mr. Murphy. Yes, but what you don't measure, you can't 
manage. And so I am concerned that this list of people who you 
work with were not communicating to you this document that you 
knew something existed because you, indeed, were interviewed on 
it yourself, but here we have this messy rollout that didn't 
work, that crashed, that only 6 people signed up the first day, 
and we still are concerned about problems, and yet it is 
puzzling to me why these key people just didn't talk to you 
about it. They gave you no hints that this existed?
    Mr. Chao. Perhaps that--I just was not included in certain 
discussions.
    Mr. Murphy. Well, if you knew then what you know now, would 
you have spoken up more with regard to rolling out this Web 
site on October 1?
    Mr. Chao. I wish I had the luxury of a time machine to go 
back and change things, but I can't do that.
    Mr. Murphy. I understand that, but it is a matter that--did 
you ask someone at that time for more time?
    Mr. Chao. No.
    Mr. Murphy. Why not?
    Mr. Chao. Because my direction----
    Mr. Murphy. From?
    Mr. Chao [continuing]. Was from Marilyn Tavenner, is to 
deliver a system on October 1.
    Mr. Murphy. So Marilyn Tavenner said deliver October 1. She 
had been in on these briefings from McKinsey that said there 
were serious problems. She was in at least 2 of them I believe. 
And this was at HHS Headquarters on April 4, she was there, and 
also at the Eisenhower Executive Office Building on April 6. 
She was there, she was briefed on these problems. She said move 
it for October 1, and you, as the man who is in charge of 
making sure this works, she didn't tell you that those problems 
existed. Is that what you are saying today?
    Mr. Chao. I can't comment on that. I----
    Mr. Murphy. It is--well, it is either she told you or she 
didn't tell you. I am just curious.
    Mr. Chao. I don't think she told me in the context of this 
briefing. I think we have status meetings all the time in which 
we talk about ways to mitigate and to----
    Mr. Murphy. You--so you met with her frequently over those 
months, but she never brought up the extent of these concerns?
    Mr. Chao. Not the McKinsey report, no.
    Mr. Murphy. OK.
    Mr. Chao. I think we talked about certainly about issues 
and priorities for October 1.
    Mr. Murphy. I see.
    Well, I have no further questions, so, Mr. Chao, I 
appreciate you spending so much time with us today. We are 
going to take a real quick 5-minute break. We recognize our 
next panel of witnesses has been sitting here for a while, so 
we will be right back in 5 minutes.
    And thank you again, Mr. Chao.
    Mr. Chao. Thank you.
    [Recess.]
    Mr. Murphy. All right, this hearing is reconvened.
    I would now like to introduce the witnesses in the second 
panel for today's hearing, and thank you all for being so 
patient and waiting.
    Our first witness is Jason Providakes. He is the Senior 
Vice President and General Manager for the Center for Connected 
Government at MITRE Corporation. He is also the Director of the 
Centers for Medicare and Medicaid Services Alliance to 
Modernize Medicare. Our second witness is Maggie Bauer. She is 
the Senior Vice President of Health Services at Creative 
Computing Solutions, Inc., also known as CCSi. She has 
extensive operations management experience in consulting, 
program management, IT infrastructure services, software 
development, lifecycle and end-user support on service-level 
drive performance-based programs. And our third witness is 
David Amsler. He is the Founder, President and Chief 
Information Officer at Foreground Security, Inc. He has more 
than 15 years of IT security experience, and he oversees the 
overall customer-centered vision and direction of Foreground 
Security, its industry-leading offerings and day-to-day 
operations.
    I will now swear in the witnesses.
    You are all aware that the committee is holding an 
investigative hearing, and when doing so, has the practice of 
taking testimony under oath. Do you have any objections to 
testifying under oath?
    Ms. Bauer. No.
    Voices. No.
    Mr. Murphy. All the witnesses are in the negative there. 
The Chair then advises you that under the rules of the House 
and the rules of the committee, you are entitled to be advised 
by counsel. Do any of you desire to be advised by counsel 
during your testimony today?
    Voices. No.
    Mr. Murphy. And all the witnesses have said no. In that 
case, would you please rise, raise your right hand and I will 
swear you in.
    [Witnesses sworn.]
    Mr. Murphy. And all the witnesses responded, ``I do.''
    You are now under oath and subject to the penalties set 
forth in Title XCIII, Section 1001 of the United States Code.
    You may now give a 5-minute opening summary of your 
statement, Mr. Providakes.

 STATEMENTS OF JASON PROVIDAKES, SENIOR VICE PRESIDENT, CENTER 
FOR CONNECTED GOVERNMENT, THE MITRE CORPORATION; MAGGIE BAUER, 
SENIOR VICE PRESIDENT, CREATIVE COMPUTING SOLUTIONS, INC.; AND 
    DAVID AMSLER, PRESIDENT AND CHIEF INFORMATION OFFICER, 
                   FOREGROUND SECURITY, INC.

                 STATEMENT OF JASON PROVIDAKES

    Mr. Providakes. Yes. All right, well, good morning, 
Chairman Murphy, and Ranking Member DeGette. My name is Jason 
Providakes, and I am here today on behalf of the MITRE 
Corporation. I serve as the director of the not-for-profit, 
Federally funded research and development center, operated by 
MITRE and sponsored by the U.S. Department of Health and Human 
Services.
    The MITRE Corporation is chartered in the public interest 
to apply systems engineering skills and advanced technology, to 
address issues of critical national importance. We accomplish 
this through operation of research and development centers that 
support our Government sponsors with scientific research and 
development, analysis and systems engineering and integration 
as well.
    Known as Federally funded research development centers, 
they are operated under a set of rules and constraints 
prescribed by the Federal acquisition regulations. The rules 
are designed to preserve the FFRDC's objectivity and dependence 
and freedom from conflict of interest.
    MITRE operates FFRDC centers for seven Federal agency 
sponsors. We were awarded the contract to operate the CMS 
Alliance to Modernize Healthcare center about a year ago 
following a competitive bid. The center was charged with 
assisting CMS in modernizing its operation, and supporting the 
implementation of health reform, and the expansion of health 
care to millions of Americans.
    MITRE serves as a technical, independent objective advisor 
to CMS. We have been supporting CMS successfully since about 
2005 on a contract basis, prior to the establishment of the new 
center. We advise on health IT, helped plan and develop future 
policies, we provide technical evaluations and objective 
evaluation of business models, and assess new technology.
    As part of its efforts to establish Healthcare.gov, CMS 
asked MITRE to conduct security assessments on parts of the 
site. And I appreciate the opportunity to clarify what our role 
was in assisting CMS on Healthcare.gov. We provide CMS with 
information security support and guidance under two contracts; 
the Office of Information Systems, and Enterprise Information 
Systems Group. Pursuant to tasks issued under those contracts, 
MITRE performed a total of 18 security control assessments, or 
SCA's, for components across the range of CMS enterprise 
systems. Most of these were performed on supporting 
infrastructure and development components. Six of the SCA's 
were directly related to Healthcare.gov, and were performed 
between September of 2012 and September of 2013.
    MITRE performs various tasks as part of overall support for 
CMS enterprise security maintenance. A limited amount of that 
support is in the form of external penetration testing relative 
to CMS Web sites, including Healthcare.gov. MITRE is not in 
charge of security for Healthcare.gov. We were not asked nor 
did we perform end-to-end security testing. We have no view on 
the overall safety or security status of Healthcare.gov.
    MITRE did not and does not recommend approval of--or 
disapproval of an authority to operate. Deciding whether and 
when to grant an ATO is inherently a governmental function that 
derives from the Government's assessment of overall risk 
posture. In this case, the Government made its ATO decisions 
based on a large set of inputs and factors, among which were 6 
SCA's performed by MITRE. We do not have visibility into the 
many other factors that went into the Government's ATO 
decision. CMS did not advise MITRE whether or when ATO's were 
granted for the marketplace components being tested. In this 
case, the Government made its ATO decisions based on a large 
set of data.
    Again, we were not asked to conduct end-to-end testing, 
rather we tested specific parts of Healthcare.gov, under a set 
of specific parameters established by CMS. We worked alongside 
the CMS-designated contractor in the course of testing to 
remediate risks as high, and in almost all cases, we succeeded. 
Our testing was accomplished in accordance with standard SCA 
engineering methodologies. In each case, we assessed component 
security control risks against CMS-defined security control 
parameters, on a high, moderate to low scale, and we 
recommended appropriate risk mitigations.
    On site security control assessment, testing typically 
begins on a Monday and wraps up within a week. The tests 
against CMS-defined security control parameters, over the 
course of 5 days of testing, MITRE identifies the risk and 
assigns remediation priorities for risks judged to be high 
and moderate levels. Security testing is designed to flush out 
and pinpoint the security weakness of a digital information 
system. This enables corrective remediations to be applied, and 
also allows the system operator to make necessary business 
judgments and tradeoffs about the overall system.
    Because our role in performing the security control tests 
was limited in both time and scope, MITRE has no insight into 
how assessed security control risks were handled, or what other 
risks may have surfaced subsequent to the date of testing. 
Judgments about the potential impact of assessed security 
control risks on overall system operation or performance were 
business judgments made by CMS as part of the operating 
authority.
    Through our broader partnership with the Federal 
Government, we remain committed to assisting CMS in working to 
enhance the care and delivery of health care for all Americans.
    I would be happy to respond to your questions. Thank you.
    [The prepared statement of Mr. Providakes follows:]
   
   [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Murphy. Thank you.
    Now turn to Ms. Bauer for her opening statement.

                   STATEMENT OF MAGGIE BAUER

    Ms. Bauer. Good afternoon, Chairman Murphy, Ranking Member 
DeGette. My name is Maggie Bauer, and I am a Senior Vice 
President at Creative Computing Solutions, Inc., CCSi.
    I have responsibility for CCSi's Federal health contracts, 
including the Centers for Medicare and Medicaid Services, 
Veterans Affairs, the Department of Health and Human Services 
National Institutes of Health, and the Military Health Service.
    In addition to health-related services, CCSi delivers 
program and project management services, cyber security 
services and enterprise systems engineering, exclusively to the 
Federal Government.
    CCSi was founded in 1992 by Dr. Manju Bewtra.
    In August of 2012, CMS awarded CCSi a contract to provide 
security oversight of the CMS e-cloud. The e-cloud refers to 
CMS's virtual data center, which hosts systems and applications 
that support the Affordable Care Act. Foreground Security is 
their subcontractor, and we function as a fully integrated 
team.
    CCSi's role on this contract is to provide security 
operations monitoring and management, including 24 by 7 by 365 
security monitoring from a secure operation center, otherwise 
known as a SOC. We monitor the perimeter firewalls and network 
devices for the e-cloud, and we scan applications for security 
incidents. These scans do not measure or track availability, 
up/downtimes or latency. If we detect an anomaly, we follow the 
CMS-approved incident response plan procedures for identified 
security incidents, such as network security configuration 
flaws or vulnerabilities in the network, security devices or in 
applications. CCSi's contract does not extend to remediating 
security incidents.
    CCSi's scope of work includes configuration, tuning, 
monitoring and management of CMS Government-furnished equipment 
that resides in the Verizon Terremark security monitoring zone. 
We review log files, we conduct event analysis, we provide 
reporting on security incidents, all of this under the 
direction and supervision of CMS.
    Activities involving the development, scaling, testing, 
release or administration of the Federal Exchange Program, 
Healthcare.gov, the Federal Exchange, or the Federally 
Facilitated Marketplace are not within the scope of our 
contract.
    I would be pleased to answer any questions that you have. 
Thank you.
    [The prepared statement of Ms. Bauer follows:]
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Murphy. Thank you, Ms. Bauer.
    Mr. Amsler, you are recognized for 5 minutes.

                   STATEMENT OF DAVID AMSLER

    Mr. Amsler. Thank you, sir.
    Chairman Murphy, Ranking Member DeGette, members of the 
subcommittee, good afternoon and thank you for inviting me to 
testify at this hearing on the security of the Web site, 
Healthcare.gov.
    I am the president and chief information officer of 
Foreground Security. I also founded the company. We provide 
cyber security consulting, training and services for both 
private-sector and Government agencies. Our clients include 
Fortune 100 companies, smaller but highly targeted firms, and 
Government agencies.
    We defend our customers against an increasingly intricate 
threat and threat actors, through an integrated approach that 
entails building security architecture and assessing, 
monitoring and responding to attacks against our customer 
environments.
    Foreground Security is a small but growing dedicated cyber 
security business located in Herndon, Virginia, and Florida. 
Our roughly 100 employees are highly trained and committed to 
serving our clients.
    Foreground Security is one of the companies hired to help 
develop a robust operational security management program for 
the new virtual data center created to implement the Affordable 
Care Act. We are subcontracted to our teammate, Creative 
Computing Solutions, Inc., or CCSi, which is the prime 
contractor for the Centers for Medicare and Medicaid Services.
    Our role with CCSi includes a number of objectives relating 
to the security environment of Healthcare.gov. I think of our 
role as encompassing 3 phases. First is the creation of the 
security monitoring environment. This entailed getting key 
staff in place, identifying needed security monitoring software 
and hardware, and building out a dedicated security operation 
center, or SOC, from which all monitoring is performed. Second 
is building those security monitoring capabilities identified 
in phase 1 into the cloud environment itself. This has been the 
most challenging part of our contract, in large part because we 
have had to construct security monitoring capabilities while 
the system itself is being built. Our work on this phase 
continues. And third is actually monitoring the environment, 
which itself can be thought of as having two components. One is 
day-to-day, continuously searching for malicious activities 
including reporting and defending against them when they do 
occur. The other is monitoring known malicious actors or groups 
in advance of attacks to proactively identify the techniques or 
tactics they may be using or planning to use to compromise this 
environment. These are our main and State responsibilities 
relating to the security environment.
    We have worked very closely with CMS and Verizon Terremark 
on all phases of our work. CMS reviews and approves any 
capability we place in the environment, and Verizon Terremark, 
as the host of the environment, helps determine what security 
measures are placed in the virtual data center.
    Perspective on our role is important. While our work for 
CMS is essential, it is narrowly focused, and we were not 
involved in the design of the site, developing the software 
that runs it, or its administration. To that end, we do not 
monitor the site for performance purposes. Foreground Security 
is just 1 member of the security team, in addition to the other 
companies represented today here on this panel, Verizon 
Terremark, URS, CGI and QSSI, all play key roles in developing 
and testing the security of Healthcare.gov.
    I am proud of the work that Foreground Security has 
undertaken and continues to undertake in order to allow 
families and individuals looking for health insurance to use 
the Healthcare.gov Web site, secure in the knowledge that their 
personal information is being protected with state-of-the-art 
monitoring and defenses. To this point, Foreground Security has 
fulfilled its obligations to CMS on time and under budget. We 
are dedicated to secure the operation of Healthcare.gov, and 
take extremely seriously the obligations to the public trust.
    I welcome any questions you may have.
    [The prepared statement of Mr. Amsler follows:]
   
   [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Murphy. Thank you, Mr. Amsler.
    Couple of questions I want to begin with. First of all, I 
will start with you, Mr. Amsler. You were here throughout Mr. 
Chao's testimony, all three of you were. Do you have any 
concerns about any comments that were made by Mr. Chao?
    Mr. Amsler. I wouldn't have any specific concerns----
    Mr. Murphy. Ms. Bauer?
    Mr. Amsler [continuing]. I would like to voice.
    Ms. Bauer. No.
    Mr. Murphy. Mr. Providakes?
    Mr. Providakes. No concerns.
    Mr. Murphy. All right. Mr. Amsler, you had said that in 
addition to the other companies represented today in this 
panel, Verizon Terremark, URS, CGI and QSSI, all played key 
roles in developing and testing the security of Healthcare.gov. 
Are you also referring to Ms. Bauer's company played a role in 
this?
    Mr. Amsler. I view them as our teammate, I view them as one 
of us.
    Mr. Murphy. Because I thought in her testimony she said 
that they were not that involved. So let me ask you, with this 
many companies involved, who did you all report to?
    Mr. Amsler. Well, our customer was CMS, and the security 
team----
    Mr. Murphy. Person. Is there a person?
    Mr. Amsler. Our direct Government technical lead, his name 
is Tom Shankweiler.
    Mr. Murphy. And with regard to this, with all of these 
companies involved playing key roles in developing and testing 
security, is that typical to have so many companies involved as 
opposed to one that is trying to do the end-to-end work on 
this?
    Mr. Amsler. Well, we have experienced all sizes of 
implementations. This one is obviously, certainly one of the 
largest that I have ever seen undertaken. I have certainly seen 
lots of people involved, but probably not this many.
    Mr. Murphy. Mr. Providakes, is this typical to have so many 
companies involved in dealing with the security in a site?
    Mr. Providakes. Not really number of companies that were 
involved, but having two or three is not untypical to have on 
the complexity of a site like this.
    Mr. Murphy. I just wondered if that added to the complexity 
of trying to monitor security of the site.
    Mr. Providakes. If it is well-managed from a program 
perspective----
    Mr. Murphy. Was it well-managed?
    Mr. Providakes. I would not know.
    Mr. Murphy. From your perspective?
    Mr. Providakes. I don't--we weren't involved in that level 
of insight on that. I believe, you know----
    Mr. Murphy. All right, Ms. Bauer, were you involved in that 
level, and was it well-managed from your point of view?
    Ms. Bauer. Our management from CMS has been on a very 
regular basis. We have daily meetings, in fact, since 
Healthcare.gov went live. Those meetings actually began, or 
ramped up I should say, to hourly and then back to way to about 
every 4 hours, and now they are on a shift basis of three times 
a day.
    Mr. Murphy. Well, you just said activities involving the 
development, scaling, testing, release or administration of the 
Federal Exchange Program system, Healthcare.gov, the Federal 
Exchange or the Federally Facilitated Marketplace, or FFM, are 
not within the scope of your contract. So you were not involved 
in the security issues involved with those Web sites?
    Ms. Bauer. The security, yes, but not the development, 
scaling, or testing of the Healthcare.gov applications, per se.
    Mr. Murphy. Were you involved with the testing of the 
security?
    Ms. Bauer. Yes.
    Mr. Murphy. And was it working?
    Ms. Bauer. Yes.
    Mr. Murphy. At October 1?
    Ms. Bauer. Everything that was under our scope.
    Mr. Murphy. Under your scope.
    Ms. Bauer. Yes----
    Mr. Murphy. But in terms of----
    Ms. Bauer [continuing]. Was functioning.
    Mr. Murphy [continuing]. How it relates to other parts, you 
don't know?
    Ms. Bauer. I would not know that.
    Mr. Murphy. OK. Mr. Amsler, how about for you, were your 
parts working OK in your individual part, and was that also 
tested with regard to the others?
    Mr. Amsler. Congressman, to be clear, as far as our work is 
concerned, our focus worked around operational monitoring 
security and some testing, we absolutely were working. I can't 
speak to the rest of the groups and the teams that were 
involved in development, or even the SCA----
    Mr. Murphy. What I am trying to find out, was that----
    Mr. Amsler [continuing]. People who were not involved.
    Mr. Murphy [continuing]. Typical, atypical, and would you 
be concerned about how your parts worked in conjunction with 
the site overall, or is that not typically a question you would 
ask? Well, it is like this: If you design a part for a car and 
you know your part is working, would you like to know if the 
car works?
    Mr. Amsler. Absolutely.
    Mr. Murphy. And so that is what I am asking all of you, 
would you have liked to have known that if your segments may 
have worked on their own, but you didn't know whether or not it 
worked at the whole system security. Is that correct, Mr. 
Providakes?
    Mr. Providakes. Well, that would be correct.
    Mr. Murphy. Ms. Bauer?
    Ms. Bauer. Yes.
    Mr. Murphy. OK. Mr. Providakes, CMS adopted the security 
controls you developed, correct?
    Mr. Providakes. That is correct.
    Mr. Murphy. And are these controls embedded in the 
applications at the direction of CMS?
    Mr. Providakes. They were assessed, but yes, they were 
embedded for the configuration changes would be made based on 
the configuration controls.
    Mr. Murphy. And at what point of the application 
development phase should security controls begin to be embedded 
into the application?
    Mr. Providakes. Well, at the production phase. Generally, 
when we test with an SCA, we are assuming that we are looking 
at the production-ready version of the application, and then we 
apply those CMS security controls we talked about and assess 
those against the production-ready version of that application.
    Mr. Murphy. Are they embedded into the architecture of 
Healthcare.gov?
    Mr. Providakes. The overall CMS enterprise security 
controls are to be applied across all the systems of 
Healthcare.gov.
    Mr. Murphy. So they should be embedded then into 
Healthcare.gov?
    Mr. Providakes. It should be.
    Mr. Murphy. Were they?
    Mr. Providakes. I have no way of knowing that.
    Mr. Murphy. Ms. Bauer, do you know if they were?
    Ms. Bauer. I do not know.
    Mr. Murphy. Mr. Amsler?
    Mr. Amsler. I wouldn't know the answer to that.
    Mr. Murphy. OK. But you all worked on these security parts. 
We don't know if they were embedded and you don't know if 
anybody did testing, but you would have liked to have seen 
that. Am I correct with all of you?
    Mr. Providakes. No, just parts. Just some parts.
    Mr. Murphy. Ms. Bauer, correct?
    Ms. Bauer. Correct.
    Mr. Murphy. Mr. Amsler?
    Mr. Amsler. Correct.
    Mr. Murphy. Thank you.
    And now I will yield to Ms. DeGette for 5 minutes.
    Ms. DeGette. Thank you, Mr. Chairman.
    As Mr. Chao testified, it is part of CMS's protocols that 
they hire independent contractors to test different parts of 
the security aspects of the site. Is that your understanding as 
well, Mr. Providakes?
    Mr. Providakes. Yes, it is.
    Ms. DeGette. And is it yours, Ms. Bauer?
    Ms. Bauer. Yes.
    Ms. DeGette. And is it yours, Mr. Amsler?
    Mr. Amsler. Yes.
    Ms. DeGette. So, Mr. Providakes, I want to ask you first. 
You testified your company was not hired to perform end-to-end 
security testing, is that correct?
    Mr. Providakes. That is correct.
    Ms. DeGette. And so what your job was to assess and 
identify risks and specific components of Healthcare.gov, to 
work with CMS and to address those concerns and report on the 
findings and results. Is that correct?
    Mr. Providakes. That is correct.
    Ms. DeGette. And am I correct that in virtually all cases, 
when you did identify high risks in Healthcare.gov components, 
CMS was able to mitigate those risks before the system went 
live?
    Mr. Providakes. Yes. Almost all the high risks were 
mitigated.
    Ms. DeGette. And you said in your testimony--in your 
written testimony, MITRE is not in charge of security for 
Healthcare.gov. We were not asked, nor did we perform, end-to-
end security testing. We have no view of the overall safety or 
security status of Healthcare.gov. That is because you were 
only asked to do a narrow assessment of part of it, right?
    Mr. Providakes. A narrow assessment in scope and in a time 
that is----
    Ms. DeGette. In time.
    Mr. Providakes. In time.
    Ms. DeGette. Now, I just want to ask you, what is your 
personal view of the overall safety or security of 
Healthcare.gov, having worked on this, at least some aspects of 
it?
    Mr. Providakes. Well, my personal perspective----
    Ms. DeGette. Uh-huh.
    Mr. Providakes [continuing]. Knowing CMS experience in the 
past, as Henry Chao alluded to, they do a very solid job in 
terms of securing their systems--
    Ms. DeGette. And----
    Mr. Providakes [continuing]. Historically.
    Ms. DeGette. And what you were doing was part of the same 
types of things CMS has done to secure their systems in the 
past----
    Mr. Providakes. That is correct.
    Ms. DeGette [continuing]. Is that right?
    Mr. Providakes. That is correct.
    Ms. DeGette. Ms. Bauer--now, as I understand it, Mr. 
Amsler, your company works sort of as a subcontractor of Ms. 
Bauer's company. Is that right?
    Mr. Amsler. Yes.
    Ms. DeGette. OK. So what you folks do is your company--CCSi 
monitors the firewalls and network devices for the e-cloud that 
hosts Healthcare.gov, and scans the Web site's application for 
security vulnerabilities. Is that correct?
    Ms. Bauer. That is correct.
    Ms. DeGette. And on October 22, you briefed this committee, 
and I want to ask you, at that time, had you detected any 
activity that you would consider to be out of the ordinary for 
a system like this?
    Ms. Bauer. Not out of the ordinary, no.
    Ms. DeGette. OK. And are you continuing to monitor the Web 
site moving forward?
    Ms. Bauer. Yes, we continue to perform all the functions of 
our contract.
    Ms. DeGette. And why is that?
    Ms. Bauer. I am sorry?
    Ms. DeGette. Why are you continuing to monitor the 
functions?
    Ms. Bauer. Because that is the scope of our contract, is to 
continually----
    Ms. DeGette. OK. And have you----
    Ms. Bauer [continuing]. Monitor it.
    Ms. DeGette. Have you detected any activity since October 
22 that you considered to be out of the ordinary?
    Ms. Bauer. We would detect activity on a daily, if not 
hourly basis. That is part of the nature of security 
monitoring. Whether it is extreme or out of the ordinary, there 
is nothing that has been brought to my attention that would----
    Ms. DeGette. And would that be then reported to CMS?
    Ms. Bauer. Yes, there is an incident response plan, and we 
follow the procedures of that plan.
    Ms. DeGette. And have you seen anything that would indicate 
some terrible problem with the Web site vis-a-vis security?
    Ms. Bauer. Nothing that I have seen or that has been 
escalated to me, no.
    Ms. DeGette. OK. And there is another contractor as I 
understand that has also been asked to look at other aspects, 
and that is Verizon. They are not here today. Is that your 
understanding as well?
    Ms. Bauer. Yes. Yes.
    Ms. DeGette. So Ms. Bauer, has your company worked with CMS 
before? Mr. Providakes said his has on security issues.
    Ms. Bauer. No, we have not, but we----
    Ms. DeGette. OK.
    Ms. Bauer [continuing]. Have other security work.
    Ms. DeGette. OK. And Mr. Amsler, what about your company?
    Mr. Amsler. Not directly for CMS----
    Ms. DeGette. OK.
    Mr. Amsler [continuing]. But other HHS----
    Ms. DeGette. OK, so you wouldn't know whether this is--kind 
of mirrors other security activity with CMS. But, Mr. 
Providakes, you are telling me that, with what your company has 
done before, you are seeing a similar concern and readiness for 
security applications?
    Mr. Providakes. Well, what I said was that following CMS's 
approach towards security, they do execute, you know, 10, 20, 
70 SCAs a year that we actually executed for CMS. So part of 
their process is, before they execute an ATO, they look for the 
input of these SCAs, which is a very rigorous process, a 
definition, defined in a parameter in a moment of time that we 
would conduct these SCAs for CMS as input to the ATO process.
    Ms. DeGette. Right. OK, thank you.
    Thanks, Mr. Chairman. I appreciate it.
    Mr. Murphy. Let me ask clarification of something Ms. 
DeGette said.
    Mr. Providakes. Sure.
    Mr. Murphy. She asked you a question about CMS and their 
work on this, and you used the word historically. Were you 
referring then to the Healthcare.gov Web site or in the past 
they were?
    Mr. Providakes. No. In the past. Broadly across CMS in 
terms of their security rigor that they apply across their 
systems.
    Mr. Murphy. Thank you.
    Mr. Olson, you are recognized for 5 minutes.
    Mr. Olson. I thank the Chair. I mostly want to thank the 
witnesses for your patience being here. It has been a long day, 
I know that.
    Very brief questions. I mean, getting Healthcare.gov up and 
running is not rocket science, and that is good because if it 
were, we would still be waiting to land on the moon over 50 
years later.
    You may have seen the McKinsey report, the Red Team report. 
Have you all seen that?
    Ms. Bauer. I have not.
    Mr. Olson. OK. I will get the copies to you. I just want to 
ask some questions about the report. And I apologize that you 
haven't seen it, but it compares on page 4 ideal, large-scale 
programs and the current state of Healthcare.gov. And I want 
to--just some yes-or-no questions, do you agree with the 
statements from this report. And again, it is compared to 
large-scale program development ideal program with the 
characteristics of Healthcare.gov. The first ideal situation, 
clear articulation of requirements and success metrics in 
Healthcare.gov, evolving requirements and multiple definitions 
of success. Do you agree with those assessments that that is 
ideal, and that is what has happened with Healthcare.gov, Mr. 
Providakes? Yes or no, sir? Don't want to put you on the spot.
    Mr. Providakes. It is very difficult to answer that 
question. Is that a hypothetical question in terms of----
    Mr. Olson. Hypothetical, yes, sir. I mean the ideal program 
is in clear articulation and has that happened on 
Healthcare.gov?
    Mr. Providakes. In the best world, you would love to have 
clear articulated requirements upfront that you can design to, 
build to, test to, and that would be great, although it is 
rare, but that would be great.
    Mr. Olson. OK, involving requirements with Healthcare.gov, 
has that been a problem?
    Mr. Providakes. I am not sure of the number of 
requirements. I would think there were quite a number of 
requirements for Healthcare.gov.
    Mr. Olson. Ms. Bauer?
    Ms. Bauer. I would--just having looked at it briefly, I 
would agree with----
    Mr. Olson. I apologize for that, ma'am.
    Ms. Bauer. I would agree with the description of ideals--
the ideal situation, however, I wouldn't have insight into the 
current situation because that involves the development of 
Healthcare.gov----
    Mr. Olson. OK.
    Ms. Bauer [continuing]. Which is not within the scope of 
our contract.
    Mr. Olson. Mr. Amsler?
    Mr. Amsler. I would--ideal is--I agree with ideal. Again, 
we weren't involved in those aspects, so I couldn't speak to 
it.
    Mr. Olson. How about the program that ideal is sequential 
requirements design, build and testing, integration, revision 
between phases, and what the current situation is parallel 
stacking of all phases. Do you agree, Mr. Providakes? I 
apologize, sir, for not----
    Mr. Providakes. That is fine. If----
    Mr. Olson [continuing]. Pronouncing--would idealism work?
    Mr. Providakes. It would create significant challenges to 
the program office to deliver that.
    Mr. Olson. Has there been parallel stacking?
    Mr. Providakes. It would be a significant challenge to do 
that.
    Mr. Olson. Ms. Bauer?
    Ms. Bauer. I would agree with that statement.
    Mr. Olson. Mr. Amsler?
    Mr. Amsler. Agree.
    Mr. Olson. OK, how about interim integrated operations and 
testing is ideal. I think we all agree with that. And what has 
happened is insufficient time and scope of end-to-end testing. 
Would you all agree with those statements, yes or no?
    Mr. Providakes. I guess in the context you put it, you are 
saying is there a limited end-to-end testing, and given the 
fact that you have a hard date, I would surmise they had 
limited time to end-to-end testing. It doesn't mean you 
couldn't have done it, it just meant there is limited time to 
do it.
    Mr. Olson. Ms. Bauer?
    Ms. Bauer. Yes, generally I would agree. I would have no 
insight though into what the increments were as regards to 
schedule, but, you know, you could create milestones and 
achieve ideally just about any goal if you create the 
milestones and achieve them on the way to the goal.
    Mr. Olson. Mr. Amsler?
    Mr. Amsler. End-to-end testing for me is pure security. 
That is the world we live in, and that is the world that we 
only live in. We can achieve a lot testing along the way, but I 
would certainly--I always shoot for ideal. Ideal would be end-
to-end testing.
    Mr. Olson. And ideal a limited initial launch or a full 
launch? Not ideal. Last question. Yes or no, do you agree with 
those statements? Launching at full volume is not very good, 
limited initial launch what we should be seeking?
    Mr. Providakes. Well, limited launch increases the risk, 
obviously, than a full. It is an increased risk.
    Mr. Olson. Yes. Ms. Bauer?
    Ms. Bauer. I would actually suggest that perhaps a limited 
launch would have had a lower risk, and that a full launch may 
have a larger risk, whatever system you would be deploying.
    Mr. Olson. Mr. Amsler?
    Mr. Amsler. I agree with Ms. Bauer's statement.
    Mr. Olson. Well said, sir.
    And one final question. Again, I am not trying to put you 
on the spot, but with all your knowledge about how this program 
rolled out, are you comfortable putting yourselves' and your 
families', putting your personal information into 
Healthcare.gov?
    Mr. Providakes. I have.
    Mr. Olson. You are comfortable? Yes.
    Mr. Providakes. That is a personal choice that you have to 
make based on, in my case, where knowing the limited amount of 
personal information I put up there and other information, I 
feel comfortable personally, but that might not apply to 
everyone.
    Mr. Olson. Ms. Bauer, yes or no, ma'am, comfortable?
    Ms. Bauer. Yes.
    Mr. Olson. Mr. Amsler?
    Mr. Amsler. I am actually very happy with my current health 
care.
    Mr. Olson. Oh boy, you are trying to open a hornet's nest 
there.
    Mr. Murphy. Well, too bad you can't keep it.
    Mr. Olson. That is my time.
    Mr. Murphy. What it comes down to. Gentleman's time has 
expired.
    Ms. DeGette, you have a clarifying question?
    Ms. DeGette. Thank you, Mr. Chairman.
    The questions that Mr. Olson was asking you folks were on 
this McKinsey document that we spent so much time with the last 
witness talking about, tab 1 of the notebook. Have you seen 
that report before, Mr. Providakes?
    Mr. Providakes. I am familiar with this report.
    Ms. DeGette. OK. Ms. Bauer, have you seen it?
    Ms. Bauer. No, I have not.
    Ms. DeGette. And, Mr. Amsler, have you seen it?
    Mr. Amsler. I have not.
    Ms. DeGette. OK. So, Mr. Providakes, the 2 of you--Ms. 
Bauer and Mr. Amsler, any answers you were giving were really 
just based on speculation, since you haven't seen it and 
weren't involved with it, is that right?
    Ms. Bauer. Yes.
    Ms. DeGette. Mr. Amsler?
    Mr. Amsler. That is correct.
    Ms. DeGette. OK, Mr. Providakes, so Mr. Olson was asking 
you about some of these recommendations. This is from last 
spring. It was a snapshot in time. On page 4 of that report, at 
the bottom where he was talking about evolving requirements, 
multiple definitions of success, et cetera.
    Mr. Providakes. Um-hum.
    Ms. DeGette. The part he forgot to mention, which was the 
part also I noticed they forgot to mention when the previous 
witness was up, is the part that is in the box in bold type at 
the bottom of all of those current situation bullets, which 
says, CMS has been working to mitigate challenges resulting 
from program characteristics. Do you see that?
    Mr. Providakes. I do see it.
    Ms. DeGette. What does that mean to you?
    Mr. Providakes. Well, it means to me that they recognize 
the risks and the challenges of the program, and they were 
looking at options or mitigation approaches that would minimize 
the risks.
    Ms. DeGette. So CMS hired McKinsey to do an evaluation of 
the program and come up with some concerns that they could then 
work to mitigate. Is that right?
    Mr. Providakes. Only what I--yes.
    Ms. DeGette. And that is the same reason they hired your 
company to do security assessments, is to find places where 
there might be problems, and to make recommendations that they 
could then work to mitigate. Is that right?
    Mr. Providakes. That is correct. Identify risks, mitigate 
risks.
    Ms. DeGette. And in your view, at least the recommendations 
your company made, did they, in fact, work to mitigate those 
risks?
    Mr. Providakes. In the context of the SCA, yes.
    Ms. DeGette. Thank you very much, Mr. Chairman. I have no 
further questions.
    Mr. Murphy. OK, had you seen this document before today, 
Mr. Providakes?
    Mr. Providakes. I am familiar with the document. It has been 
a while.
    Mr. Murphy. But--so you are familiar. So when they say they 
have been working to mitigate challenges, you are personally 
aware that some of these mitigations were taking place, or you 
are just saying so today?
    Mr. Providakes. No, I had no idea of what mitigation--
whether they took the recommendations of this or not----
    Mr. Murphy. I was curious because you were drawing a 
conclusion, but I didn't know if you had--so that is based 
upon----
    Mr. Providakes. Based upon----
    Mr. Murphy [continuing]. Just a guess today, OK.
    Mr. Providakes. Exactly, yes.
    Mr. Murphy. Quick thing. Mr. Amsler, while developing the 
security measures for the cloud environment, have you 
encountered any challenges at all?
    Mr. Amsler. Certainly lots of challenges along the way. 
Congressman, did you mean more implementing them or certain 
things?
    Mr. Murphy. Some things that are different from what you 
are used to here, or anything standing out to you that is a 
concern with regard to the cloud environment or the security 
there?
    Mr. Amsler. Well, the cloud in and of itself brings a 
unique set of challenges that any--us in the industry are all 
trying to deal with. It----
    Mr. Murphy. That is a system that you can't necessarily 
correct right now with a cloud environment. On its own, it is a 
secure concern.
    Mr. Amsler. Agreed. It is our biggest--one of our biggest 
challenges that we are facing as an industry today, that being 
the cyber security industry.
    Mr. Murphy. Who is in charge of that cloud environment?
    Mr. Amsler. Verizon Terremark is, and I assume you mean 
actually owns it----
    Mr. Murphy. Yes.
    Mr. Amsler [continuing]. And controls it.
    Mr. Murphy. And how difficult is it to develop these 
security measures while the system is being built?
    Mr. Amsler. That would not be ideal.
    Mr. Murphy. Do you have all the tools and capabilities now 
to successfully and fully monitor this system?
    Mr. Amsler. I am a unique animal in that I live, eat and 
breathe cyber security, and as a company, we do----
    Mr. Murphy. I understand.
    Mr. Amsler [continuing]. So we always strive for better. I 
am always striving to make it the best that I can.
    Mr. Murphy. Do you have all the tools now you need to fully 
monitor the system?
    Mr. Amsler. We have a set of controls that exceed any 
standard set of controls----
    Mr. Murphy. I understand you are trying to do a great job. 
I appreciate that. I am just trying to get a sense of have you 
been limited in any way in your ability to do all the things 
you would like to do with your excellent team in place?
    Mr. Amsler. There are some things that we have asked for 
that are not in place as of yet.
    Mr. Murphy. Tell me, such as what?
    Mr. Amsler. These were--they are very technical in nature. 
Again, we have a standard set of controls----
    Mr. Murphy. Sure.
    Mr. Amsler [continuing]. Or we are shooting for more.
    Ms. DeGette. Mr. Chairman, we might want to have him give 
us that information----
    Mr. Murphy. Yes, could you let us know that?
    Ms. DeGette [continuing]. And provide it.
    Mr. Amsler. I would be happy to.
    Mr. Murphy. Or is that something you would like to do in 
private instead of public? Would that be better?
    Mr. Amsler. I would be happy to get with my team and get 
with the----
    Mr. Murphy. I appreciate that. Ms. Bauer, do you have all 
the tools necessary to fully----
    Ms. Bauer. Well, our answers are essentially the same 
because we are an integrated team.
    Mr. Murphy. I see.
    Ms. Bauer. I would agree with Dave.
    Mr. Murphy. All right. And, Mr. Providakes, do you have all 
the tools necessary to fully do your work here?
    Mr. Providakes. Well, we are in a slightly different role, 
but, yes.
    Mr. Murphy. I see. So let me ask this then, with regard to 
how things are. Have there been any attempts under what you 
have monitored, Ms. Bauer and Mr. Amsler, any attempts to hack 
into the system that you can tell?
    Mr. Amsler. Congressman, the simple answer is yes. The 
longer answer is I don't have an environment where it is not 
being attacked today, though.
    Mr. Murphy. I understand. So with regard to this, then, is 
the system now--are you saying that it is fully secure from 
external hackers trying to get in?
    Mr. Amsler. You know, I am never--we live in a world of not 
if but more when.
    Mr. Murphy. Um-hum.
    Mr. Amsler. That is the nature of the world we live in 
today. So I can never give you a guarantee that someone is not 
going to get in. It is probably going to happen at some point, 
but we have designed it to limit the damage and identify it as 
quick as possible.
    Mr. Murphy. So we can't at this point sign off and say the 
system is fully secure. It is an ongoing process, you are 
saying?
    Mr. Amsler. It is an always ongoing process. Today I feel 
comfortable with the capabilities we have put in place, but I 
am always striving for more.
    Mr. Murphy. I understand. And, Ms. Bauer, would you agree 
with that assessment?
    Ms. Bauer. I would. Dave is answering it from a very----
    Mr. Murphy. You have to talk into the microphone, I can't 
hear you.
    Ms. Bauer [continuing]. Very technical perspective, but I 
would say that from our perspective with regard to the tools 
and appliances we have in place, right now today, the system is 
secure. As Dave says, security is always evolving, it is always 
dynamic and ongoing, and we are always going to want to do 
better and keep on top of the latest technology, the latest 
appliances, so it will always be maturing. But as regards the 
scope of our contract and the appliances and tools and 
processes we have in place, we are confident----
    Mr. Murphy. I mean, I appreciate your standards of 
excellence, and I appreciate you understand this is an evolving 
process, but given the concerns for security, what I am hearing 
from you is nobody can really give 100 percent guarantee that 
this Web site is secure with regard to the data that it has in 
it, the personally identifiable information as people put those 
things in there. No one can guarantee that some hacker isn't 
going to try and get into it, and that they will continue to 
try and probe until they get through. Is that what you are 
saying?
    Mr. Amsler. But I also would say the same thing about 
Facebook or any banking Web site as well.
    Mr. Murphy. Sure.
    Mr. Amsler. It is just unfortunately the world we live in 
today.
    Mr. Murphy. I appreciate that. Same with you, Ms. Bauer?
    Ms. Bauer. Yes, and I think that the critical factor is the 
rigor with which we have procedures in place to identify any 
risks, any vulnerabilities, and then work to mitigate them. And 
we have very robust procedures in place for that.
    Mr. Murphy. Very good. Well, I appreciate the comments from 
the panel today, and I ask unanimous consent that the written 
opening statements of other members be introduced into the 
record, and without objection, those documents will be in the 
record.
    [The information follows:]
   
   [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Murphy. I also ask unanimous consent that the contents 
of the document binder be introduced into the record, and I 
authorize staff to make appropriate redactions. And without 
objection, the documents will be entered into the record with 
any redactions that staff determines are appropriate.
    [The information appears at the conclusion of the hearing.]
    Mr. Murphy. So in conclusion, I would like to thank all the 
witnesses and members that participated in today's hearing. I 
remind members they have 10 business days to submit questions 
for the record, and I ask that the witnesses all please agree 
to answer promptly to the questions, and we will work out some 
mechanism to answer some of them in confidential, in-camera 
discussions.
    And with that, this hearing is concluded.
    [Whereupon, at 1:30 p.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]
 
    
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]