[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
       SOCIAL SECURITY ADMINISTRATION: INFORMATION SYSTEMS REVIEW

=======================================================================

                                HEARING

                               BEFORE THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

                              MAY 26, 2016

                               __________

                           Serial No. 114-72

                               __________

Printed for the use of the Committee on Oversight and Government Reform

         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform
                                   ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

22-192 PDF                     WASHINGTON : 2017 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001                     
              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                     JASON CHAFFETZ, Utah, Chairman
JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, 
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JOHN J. DUNCAN, Jr., Tennessee       CAROLYN B. MALONEY, New York
JIM JORDAN, Ohio                     ELEANOR HOLMES NORTON, District of 
TIM WALBERG, Michigan                    Columbia
JUSTIN AMASH, Michigan               WM. LACY CLAY, Missouri
PAUL A. GOSAR, Arizona               STEPHEN F. LYNCH, Massachusetts
SCOTT DesJARLAIS, Tennessee          JIM COOPER, Tennessee
TREY GOWDY, South Carolina           GERALD E. CONNOLLY, Virginia
BLAKE FARENTHOLD, Texas              MATT CARTWRIGHT, Pennsylvania
CYNTHIA M. LUMMIS, Wyoming           TAMMY DUCKWORTH, Illinois
THOMAS MASSIE, Kentucky              ROBIN L. KELLY, Illinois
MARK MEADOWS, North Carolina         BRENDA L. LAWRENCE, Michigan
RON DeSANTIS, Florida                TED LIEU, California
MICK MULVANEY, South Carolina        BONNIE WATSON COLEMAN, New Jersey
KEN BUCK, Colorado                   STACEY E. PLASKETT, Virgin Islands
MARK WALKER, North Carolina          MARK DeSAULNIER, California
ROD BLUM, Iowa                       BRENDAN F. BOYLE, Pennsylvania
JODY B. HICE, Georgia                PETER WELCH, Vermont
STEVE RUSSELL, Oklahoma              MICHELLE LUJAN GRISHAM, New Mexico
EARL L. ``BUDDY'' CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama

                   Jennifer Hemingway, Staff Director
                 David Rapallo, Minority Staff Director
                      Liam McKenna, Senior Counsel
                    Sharon Casey, Deputy Chief Clerk
                            C O N T E N T S

                              ----------                              
Hearing held on May 26, 2016

                               WITNESSES

The Hon. Carolyn W. Colvin, Acting Administrator, Social Security 
  Administration
    Oral Statement
    Written Statement
Mr. Robert Klopp, Deputy Commissioner, Systems, and Chief 
  Information Officer, Social Security Administration
    Oral Statement
    Written Statement
Ms. Marti A. Eckert, Associate Commissioner, Information 
  Security, and Chief Information Security Officer, Social 
  Security Administration
    Oral Statement
    Written Statement
Ms. Gale Stallworth Stone, Deputy Inspector General, Social 
  Security Administration
    Oral Statement
    Written Statement

                                APPENDIX

RESPONSE Ms. Colvin-QFRs
RESPONSE Ms. Eckert-QFRs
 
       SOCIAL SECURITY ADMINISTRATION: INFORMATION SYSTEMS REVIEW

                              ----------                              


                         Thursday, May 26, 2016

                  House of Representatives,
      Committee on Oversight and Government Reform,
                                           Washington, D.C.
    The committee met, pursuant to call, at 9:04 a.m., in Room 
2154, Rayburn House Office Building, Hon. Jason Chaffetz 
[chairman of the committee] presiding.
    Present: Representatives Chaffetz, Duncan, DeSantis, Blum, 
Hice, Carter, Grothman, Hurd, Palmer, Cummings, Connolly, 
Cartwright, Kelly, Lawrence, Watson Coleman, Plaskett, Welch, 
and Lujan Grisham.
    Chairman Chaffetz. The Committee on Oversight and 
Government Reform will come to order.
    Good morning. We are having an important hearing today on 
the Social Security Administration, Information Security 
Review.
    During the past 2 years, this committee has heard a great 
deal about PII, personally identifiable information. Whether it 
is the Office of Personnel Management, the IRS, or the 
Department of Education, the Federal Government collects, 
maintains, transmits, and generates vast quantities of 
personally identifiable information.
    The National Institute of Standards and Technology, 
otherwise known as NIST--whoops, I forgot to read this part.
    Without objection, the chair is authorized to declare a 
recess at any time. My bad. Without objection, so ordered.
    The National Institute of Standards and Technology, 
otherwise known as NIST, has said ``unauthorized access, use, 
or disclosure of PII can seriously harm both individuals''--and 
they went on to say--``and reduce the public trust in 
organizations.'' NIST's assessment on the high value of PII to 
institutional credibility and personal privacy has been proven 
time and again, perhaps no more poignantly than in the data 
breach at OPM, where tens of millions of Federal workers' highly 
private, highly sensitive information on drug abuse, divorce, 
and even their fingerprints were taken by sophisticated 
attackers.
    Ultimately, the cybersecurity battle is won as much in the 
boardroom as it is in the computer lab. Today's hearing will 
continue the committee's oversight on how Federal agencies are 
securing America's data, and this time we are talking to the 
Social Security Administration.
    The information technology challenges Federal agencies face 
begin with the culture and leadership established by 
individuals such as those we have on the panel today. From the 
administrator of the Social Security Administration to the 
chief information officer to the chief information security 
officer, the senior leadership has responsibility to modernize 
the Social Security Administration's technology and harden its 
information security posture to protect the massive amounts of 
PII traveling across the Social Security Administration's 
systems. And the volume of data is truly mind-boggling at this 
organization.
    In short, the Social Security Administration stores the 
sensitive and personal identifiable information of virtually 
every American living and deceased. The Social Security 
Administration processes--and get these stats--processes an 
average daily volume of nearly 150 million transactions. In the 
past year alone, the data centers supported 1.6 billion 
automated Social Security number verifications; 251 million 
earnings items; 5 million retirement, survivor, and Medicare 
applications; 3 million initial disability claims; 1.5 million 
disability reviews; and 17 million new replacement Social 
Security card applications, a lot of work and a lot of good 
people working at the Social Security Administration.
    This also makes the Social Security Administration a 
frontline target in the information age. Of concern is that 
Social Security Administration networks bear the hallmarks of 
poor information security similar to those seen at OPM's 
networks back in 2014.
    Year after year, penetration testers have been able to 
obtain global access privileges on the networks. This year, the 
agency didn't even detect the attack until auditors were told 
about them after sitting in the network for 3 days. The 
majority of Social Security Administration's 127 major 
application databases and 19.4 petabytes of data reside on 
mainframes which Social Security told testers they were 
``apprehensive about scanning or other rigorous testing because 
of its fragile operating posture.'' It is probably not a good 
sign when they don't want to do testing because they are afraid 
of how fragile the system is.
    As has been proven by these pen tests or penetration tests, 
adversaries have been able to gain footholds into the networks, 
elevate privileges, and for the first time this year, do so 
completely undetected by the Social Security Administration, at 
least that we know of. Our cybersecurity conversation needs to 
move beyond firewalls and intrusion detection systems. Advanced 
persistent threats Federal agencies like Social Security face 
are adept at bypassing those sorts of perimeter defenses.
    Moreover, the question is not whether adversaries are going 
to get inside the network but if they can be found before they 
do serious damage. And that conversation about the modern tools 
necessary to detect and mitigate advanced threat sectors is 
almost impossible to have when we can't get agencies like the 
Social Security Administration off of these legacy 
technologies.
    We had an important hearing about this topic yesterday on 
the big broad problems and challenges that we face within the 
Federal Government, and here we are going to examine a specific 
agency, as we have done.
    I would note that this committee has done something that 
has not been done before, and that is we have a subcommittee 
that is specific to the issues as it relates to information 
technology.
    Social Security Administration has been using programming 
language such as COBOL and Fortran and ALC since the 1970s, 
over 66 million lines of that old code to support operating 
systems with the PII of all Americans. But I want to be fair. 
In spite of these facts, Social Security Administration is 
doing well in some areas, which gives me a sense of optimism 
for the security of my data, my children's data, and frankly, 
the data of everybody in this room.
    In 3 out of the last 4 years the Social Security 
Administration scored at least 96 percent on the Office of 
Management and Budget's cybersecurity assessment, though the 
score for fiscal year 2015 dropped 12 percentage points to 84 
percent. During the most recent penetration test of the Social 
Security Administration, the white-hat hackers were unable to 
gain access to Social Security's internal systems through 
public-facing systems. That is the good news. And Social 
Security Administration was able to improve their score on the 
most recent iteration of the FITARA scorecard from a D to a C.
    There are some positive takeaways from here, but, however, 
in the world of cybersecurity it only takes one vulnerability, 
one port, one credential, or one back door to actually expose 
millions of people's information. This is one of the largest, 
most important organizations we have for the storage of data, 
and thus, we felt it was important to have this at the full 
committee hearing today.
    Chairman Chaffetz. And with that, I will now recognize the 
ranking member, Mr. Cummings of Maryland, who I believe where 
the Social Security resides is in your district. So I will now 
recognize Mr. Cummings.
    Mr. Cummings. Thank you very much, Mr. Chairman. And you 
are absolutely right. The Social Security Administration is 
located in the 7th Congressional District of Maryland. And of 
course it manages our nation's Social Security program, and 
certainly good to see the Honorable Carolyn Colvin, who I have 
known for many years, and I want to thank you for your 
leadership.
    In fiscal year 2017, it will ensure that more than 50 
million seniors and their dependents receive the benefits 
earned through their lifetime of work. That is about 89 percent 
of the United States population over the age of 65. To 
administer the Social Security program, as well as the Disability 
Insurance program and the Supplemental Security Income program, 
the Social Security Administration collects sensitive data on 
nearly every American.
    The data breach of the Office of Personnel Management 
affected more than 25 million people. A breach at the Social 
Security Administration could affect nearly every single person 
in this country.
    The good news is that Social Security has never had a known 
exfiltration. However, threats are constantly evolving, and 
today's hearing will enable us to examine what more must be 
done to meet these threats and ensure that Social Security data 
remains safe and secure.
    In many ways, Social Security's information technology 
systems are modeled for the Federal Government. The agency has 
saved about $370 million in its IT budget over 3 years. This 
sounds technical, but Social Security achieved the highest 
individual metric grade for IT project savings on the FITARA 
implementation scorecard metric that our committee 
commissioned. In other words, it was the benchmark against 
which the other 23 agencies were measured.
    However, Social Security is confronted by tens of millions 
of scans and probes every week trying to find vulnerabilities 
in the agency's defenses. Every second of every day determined 
hackers here in the United States and around the world are 
trying to breach Social Security's firewalls.
    Audits of Social Security's IT systems and practices have 
found weaknesses that need to be corrected. In 2012, a FISMA 
audit reported that these shortcomings constituted a material 
weakness. The agency has worked to address these shortcomings, 
and more recent audits have found improvements in the agency's 
IT security.
    But there is still ``significant deficiency in internal 
controls'' according to the most recent audit. Additional 
measures must be implemented to close remaining gaps. 
Unfortunately, Social Security's IT budget has been underfunded 
for years. According to the FISMA audit, one of the factors 
that contributed to the agency's significant deficiency was 
that ``SSA focused its limited resources on high-risk 
weaknesses and therefore was unable to implement corrective 
action for all aspects of the prior year deficiencies.''
    And I hope that our witnesses will address this issue. At 
yesterday's hearing there was quite a bit of testimony with 
regard to whether there were sufficient funds going into these 
agencies to do the things that they needed to do. That argument 
goes back and forth, but we want to have a fair, accurate 
assessment of how the money is being used that you are getting, 
whether it is being used effectively and efficiently, and what 
difference would additional money make.
    There are some in the Congress who believe that the more 
money you get--that you don't need any more money, and to be 
frank with you, I think all of us want to know exactly what the 
situation is. Are you asking to do more with less? I don't 
know, but I would like to know.
    So Social Security benefits are funded through the Social 
Security tax paid by employers and employees. Funding for 
benefits is considered mandatory spending and is not subject to 
the appropriations process. However, the agency's 
administrative expenses are paid from the account that is 
funded by discretionary appropriations subject to the annual 
appropriations process. Congress's failure to adequately fund 
Social Security's administrative expenses has resulted in 
extended wait times for seniors calling the 800 number, reduced 
operating hours at field offices, and delays for adjudicative 
hearings that now average more than 500 days. Underfunding 
Social Security Administration has also affected its efforts to 
modernize its 40-year-old IT infrastructure and address 
evolving cyber risks.
    The President's fiscal year 2017 budget seeks the first 
installment of what is expected to be a $300 million request 
over the coming years to upgrade Social Security's IT systems. 
Congress must act on this request and provide the agency the 
resources it needs to protect the data entrusted to it. Again, 
we want to know how those funds are going to be used if you get 
them and exactly whether they are being, again, used 
effectively and efficiently.
    Shortchanging data security at Social Security as a 
senseless pursuit of austerity could put the privacy of every 
American at risk, and that is a risk we simply cannot afford to 
take.
    And with that, Mr. Chairman, I yield back.
    Chairman Chaffetz. I thank the gentleman.
    I will hold the record open for 5 legislative days for any 
members who would like to submit a written statement.
    I will now recognize our panel of witnesses. We are pleased 
to welcome the Honorable Carolyn Colvin, acting commissioner of 
the Social Security Administration; Mr. Robert Klopp, deputy 
commissioner of systems and chief information officer at the 
Social Security Administration; Ms. Marti Eckert, associate 
commissioner of information security and chief information 
security officer at the Social Security Administration; and Ms. 
Gale Stallworth Stone, deputy inspector general at the Social 
Security Administration. We thank you all for being here.
    Pursuant to committee rules, all witnesses are to be sworn 
before they testify, so if you will please rise and raise your 
right hand.
    [Witnesses sworn.]
    Chairman Chaffetz. Thank you. If you will please be seated 
and let the record reflect that the witnesses all answered in 
the affirmative.
    In order to allow time for discussion, we would appreciate 
it if you would limit your comments to 5 minutes. Your entire 
written statement will be entered into the record.
    So we are pleased again to have the acting commissioner 
here, Ms. Colvin, and you are now recognized for 5 minutes.

                       WITNESS STATEMENTS

                 STATEMENT OF CAROLYN W. COLVIN

    Ms. Colvin. Chairman Chaffetz, Ranking Member Cummings, and 
members of the committee, thank you for inviting us to discuss 
IT at Social Security. My name is Carolyn Colvin, and I'm the 
acting commissioner of the Social Security Administration.
    Just to give you a sense of the scope of what we do at SSA, with 
an appropriation of around $12 billion in 2015, we paid more 
than $930 billion in benefits to nearly 67 million people that 
year. In addition, we maintained earning records for nearly 
every American and completed over 8 million claims for 
benefits. My written testimony provides further examples. Our 
IT infrastructure supports all of this work.
    I'm pleased to be here, along with our chief information 
officer Robert Klopp and our chief information security officer 
Marti Eckert. Mr. Klopp has impressive private industry 
expertise in leading technology change and in balancing that 
change with reliable service delivery. And Ms. Eckert is an 
excellent public servant who has done great work to strengthen 
our cybersecurity program.
    The security and integrity of our IT systems is of 
paramount importance to me, and I value Mr. Klopp and Ms. 
Eckert's advice and guidance. I and other agency leaders 
communicate with them regularly to discuss IT and cybersecurity 
issues.
    Today, I will describe in brief how IT supports our mission 
and the need for a multiyear IT modernization effort. Mr. Klopp 
will discuss how we invest in and manage IT and our paths and 
achievements in modernizing our IT infrastructure. Ms. Eckert 
will summarize our continuous cybersecurity efforts and 
improvements.
    We are all committed to working with Congress and OMB to 
invest our IT dollars wisely, improve our cybersecurity, and 
ensure compliance with FISMA and FITARA. Investing wisely in 
technology is one of my priorities as we work to deliver smart, 
secure, and efficient service. We must use all of our IT 
funding for ongoing operational costs such as our network of 
field offices, national 800 number, and our online services.
    Each year, we see greater numbers of people across all 
demographics doing business with us online. Since we launched 
My Social Security in 2012, over 24.5 million customers have 
created accounts. In fiscal year 2015 we received more than 
half of all Social Security retirement and disability 
applications online, including 75 percent of Medicare 
applications.
    That said, we have a significantly aged IT infrastructure 
which is increasingly difficult and expensive to maintain. 
Although our legacy infrastructure is not sustainable over the 
long term, these aged systems are the very tools that we rely 
upon each day to provide service to the public. We must 
maintain these legacy systems while developing their 
replacements.
    Let me be clear. We need a sustained, long-term investment 
to make the changes needed to develop a fully modern IT 
infrastructure that is capable of supporting the millions of 
people we serve every day, not to mention workloads that are 
growing as the baby boomers age. That is why the President's 
budget for 2017 requests a multiyear mandatory funding stream 
so that we can undertake IT modernization that will bring our 
systems up to modern standards.
    As we continue to provide opportunities for better customer 
service through new online services, we must remain vigilant in 
continuing to strengthen our cybersecurity. I am firmly 
committed to protecting the public's information. Our 
cybersecurity defense capabilities are comprehensive, 
multilayered, and strong. They safeguard the public's 
information against evolving threats and cyber attacks. We have 
a rigorous approach to cybersecurity testing, and we try to 
hack our own systems every day. We also work with independent 
auditors and Homeland Security. We are continually 
strengthening our defenses.
    In conclusion, we must position our agency for future 
success, and this must involve smart IT investments and a 
nimble cybersecurity program. I've worked to assemble a first-
rate systems team at Social Security, and I fully expect that 
we will meet the challenges before us. With sustained and 
adequate funding, we will continue to provide the high-quality 
services the public expects and deserves.
    I thank the committee for your support, and I will be happy 
to answer your questions.
    [Prepared statement of Ms. Colvin follows:]

  [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]  

    Chairman Chaffetz. Thank you.
    Mr. Klopp, you are now recognized for 5 minutes.

                   STATEMENT OF ROBERT KLOPP

    Mr. Klopp. Chairman Chaffetz, Ranking Member Cummings, and 
members of the committee.
    Chairman Chaffetz. Sorry, if you just move that mic a 
little bit closer right up there. There we go. Thank you.
    Mr. Klopp. Okay, cool. Thank you for inviting me to discuss 
IT at Social Security. My name is Rob Klopp, and in 2015 Acting 
Commissioner Colvin appointed me to serve as SSA's deputy 
commissioner for systems and chief information officer. Prior 
to my appointment, I worked for a variety of private sector 
technology firms based in the Silicon Valley and elsewhere on 
the West Coast. I was recruited by the U.S. Digital Service's 
staff to try to help.
    It was clear from the first day that the challenge facing 
the SSA comes from an aging IT infrastructure serviced by an 
aging IT staff. With acting Commissioner Colvin's full support 
and leadership, here is what we've accomplished in the last 17 
months. We've started modernizing the underlying infrastructure 
and now have an authorization to operate production systems 
from the cloud. We have started modernizing our data 
architecture and will have a modern citizen database in 
production by the end of this calendar year. With this 
deployment, we will decommission our enumerations master file 
that has served us for over 30 years.
    We've deployed a modern development environment that 
provides a basis for all new software development within the 
agency. This continuous development infrastructure will help us 
to significantly reduce the cost of developing, testing, and 
deploying modern software and will provide the basis for 
DevOps, the ``new'' new thing in software engineering.
    We have developed an enterprise data warehouse that will 
provide the agency with an integrated view of current and 
historical data across every aspect of the agency. This 
warehouse will provide the foundation upon which the SSA may 
become a data-driven enterprise.
    We have deployed significant new cybersecurity defenses and 
are beginning the deployment of yet another.
    We have reorganized our systems staff to get more focus on 
cybersecurity, on software engineering, and on servicing our 
business components. As part of this, we have started hiring 
the next generation of IT staff and have procured a state-of-
the-art 90-day coding boot camp to create our own digital 
services organization. This boot camp and the other 
organizational changes are designed to make us more agile from 
the top to the bottom.
    Further, we are organizing around products instead of 
around projects. This is a critical new approach that will help 
us to minimize the effort that we now call maintenance and 
reduce the accumulation of technical debt. It is technical debt 
that forces us to spend millions on IT modernization. This 
topic of product management is one that I hope you will ask me 
about later.
    We have developed a new IT investment process to help us 
start product development off the right foot and allow us to 
better track the actual benefits we estimated in our early 
cost-benefit analysis.
    We have started the first very modern product development, 
DCPS. This Disability Case Processing System product will 
deliver the long-promised and much-needed capabilities to 
assist in disability determination. DCPS is modern through and 
through using state-of-the-art programming languages, open-
source software, and the cloud. Development of the first 
release is completely agile, and the customers will see the 
work progress after each 2-week sprint. This first release is 
hitting development milestones on time and on budget, and we 
are optimistic that deployment for the first three States will 
begin this calendar year.
    Finally, we have engaged the agency and challenged them to 
rethink how we engage our customers. Our customer connect 
product is very ambitious, and it will set the stage for modern 
IT by providing a perspective of what systems must look like 5 
years from now when applications like Uber are passé.
    It's been an amazing year. These are not initiatives just 
on the books. They are in flight and will deliver operational 
code this year. But there are issues. My biggest concern is 
around sustained funding. With the support of the acting 
commissioner, we've made great strides, but the foundation for 
the modernization effort is all that we've built. We can modernize 
the agency, but we will require extra funding to keep the 
legacy systems running and keep servicing the public. The SSA 
delivers checks that represent 5 percent of the U.S. GDP, and 
that is not an insignificant operation.
    If we try to modernize in small increments, we will 
progress at a pace that is slower than the pace at which 
technology advances and actually lose ground. I think the 
time to rebuild is now while the legacy systems are still 
supported by the staff who developed them.
    Rebuilding aged IT infrastructure is not unlike rebuilding 
other aging infrastructure. Roads, bridges, dams, and/or the 
grid require an investment and a strong effort. We look 
forward to working with Congress to overcome these challenges. 
Thank you, and I look forward to your questions.
    [Prepared statement of Mr. Klopp follows:]

 [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]   

    Chairman Chaffetz. Thank you.
    Ms. Eckert, you are now recognized for 5 minutes.

                  STATEMENT OF MARTI A. ECKERT

    Ms. Eckert. Chairman Chaffetz, Ranking Member Cummings, and 
members of the committee, thank you for inviting me to discuss 
information security at the Social Security Administration. My 
name is Marti Eckert, and I am the agency's chief information 
security officer. In this role I support our CIO and our 
agency's commitment to protect the information we manage and 
our systems from threats and vulnerabilities.
    Today, I will briefly discuss our cybersecurity program and 
some of the measures we are taking to counter potential cyber 
threats.
    We take seriously our responsibility to protect the 
information the public provides us. We take a strong, proactive 
approach to risk assessment and mitigation associated with 
securing this information in our many systems. We have strong 
controls in place, but we know that in today's escalating 
threat environment there is no perfect way to lock down every 
system. Every cybersecurity program must be a practice of 
continuous improvement.
    We employ a dynamic enterprise-wide cybersecurity program 
and leverage a defense in-depth strategy to help protect our 
network, our data, and our employees. We work to protect our 
information, detect attacks, identify suspicious activities and 
systematically respond to software and hardware 
vulnerabilities. We use an integrated proactive defense 
strategy that enables us to carry out the agency's mission and 
meet customer expectations in a safe and secure environment.
    To keep our information safe, we use a comprehensive 
holistic approach comprised of many technology solutions, 
policies, and awareness programs. Our cybersecurity program 
meets or exceeds all federally established oversight goals, and 
as technology and standards evolve, we continue to meet newly 
established benchmarks and security requirements each year. We 
addressed the NIST cybersecurity framework core functions of 
identify, protect, detect, respond, and recover.
    To ensure we have a strong and robust program, we also 
collaborate with other Federal agencies such as Homeland 
Security to address cyber threats. We have no critical 
vulnerabilities, as identified on DHS's Federal Cyber Exposure 
Scorecard, and we meet all nine of the cross agency priority 
cybersecurity goals on information security defenses.
    We are proud of our cybersecurity program but remain 
vigilant and continually improve and mature our defenses. We 
have developed several cybersecurity best practices that we 
share with other Federal agencies.
    We continue to build upon the work we did last year during 
the Cybersecurity Sprint to put in place standard practices 
such as multifactor authentication. Since fiscal year 2012 we 
have offered a multifactor identification method for citizens 
to conduct business with us online on our My Social Security 
portal. This summer, we will make multifactor authentication 
mandatory for My SSA users in compliance with the Cybersecurity 
Act of 2015 and Federal directives.
    We rank sixth in our peer group of 24 CFO Act agencies when 
it comes to FISMA compliance. In fiscal year 2015 our overall 
score was lower than the previous year due in part to a change 
in scoring metrics. Most of our reduced compliance metrics fell 
into the area of risk management.
    Let me assure you we take the auditor's findings seriously, 
and we have completed actions on many recommendations from the 
FISMA assessment. For example, we implemented a zero-tolerance 
policy and immediate remediation for weak credentials. We 
prioritize our actions when remediating audit findings to 
address the most significant risks first following best 
practices and making best use of limited resources to address 
open recommendations.
    To sustain a robust information security program, we must 
respond with newer and innovative defenses that will improve 
our ability to react quickly. Our plans include the use of more 
analytics tools to identify threats faster and the use of 
automation to respond and remediate incidents more quickly, as 
well as updating technology to reduce our reliance on outdated 
processes.
    Your support in providing sustained adequate funding is 
critical to ensure we maintain and evolve the high level of 
information security the public expects and deserves. Thank 
you, and I will be happy to answer any questions.
    [Prepared statement of Ms. Eckert follows:]
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
       
    Chairman Chaffetz. Thank you.
    Ms. Stone, you are now recognized for 5 minutes.

               STATEMENT OF GALE STALLWORTH STONE

    Ms. Stone. Good morning, Chairman Chaffetz, Ranking Member 
Cummings, and members of the committee. Thank you for the 
invitation to testify today.
    The Social Security Administration holds sensitive data for 
more than 300 million people. It administers programs that 
result in payments of $2.5 billion per day. It has over 60,000 
employees and more than 1,200 field offices across the country. 
These realities inherently make SSA a tempting target for cyber 
criminals. Indeed, recent data breaches of government agencies 
underscore the need for Federal agencies to make every effort 
to secure and protect sensitive information.
    Unauthorized access to or the theft of SSA data could 
result in harm and distress to hundreds of millions of 
Americans. While it is a significant challenge to maintain 
uniform information security controls across an organization as 
vast as SSA, the agency must continue to make this its top 
priority.
    In our most recent Federal Information Security 
Modernization Act, or FISMA, report, we determined that SSA's 
programs and policies were generally consistent with FISMA 
requirements. However, we identified a number of weaknesses 
that may limit SSA's ability to adequately protect its 
information systems.
    First, there were weaknesses in SSA's network security in 
that SSA did not always resolve systems vulnerabilities in a 
timely manner.
    Second, inadequate access controls allowed programmers to 
have unmonitored access to various systems functions while 
other users had inappropriate access to software.
    Third, at some non-central office sites weaknesses not only 
persisted in systems security but in policies and risk 
management as well.
    The risk and severity of these weaknesses met OMB's 
definition of a significant deficiency in internal controls, a 
conclusion we have cited in prior SSA FISMA compliance reports. 
We believe the agency needs to address these weaknesses, as 
well as strengthen its continuous monitoring program to provide 
constant cyber protection, prioritize and implement risk 
mitigation strategies, review and improve account management 
controls, and enhance IT oversight to ensure consistency across 
the agency.
    It is equally important that SSA authenticate the users of 
its electronic services. SSA provides many of its customer 
service functions online through the My Social Security portal, 
including the ability to change direct deposit information. In 
recent years, we have received reports of changes to online 
accounts that beneficiaries did not make or authorize. We've 
also investigated many cases involving the fraudulent 
redirection of Social Security benefits to financial accounts 
controlled by identity thieves. Electronic fraud schemes such 
as these can affect a significant number of victims and lead to 
large Social Security losses.
    While SSA has taken steps to strengthen controls over the 
My Social Security portal, given the sensitivity of the 
information in these accounts, SSA should implement additional 
user authentication techniques to further guard against 
identity and benefit theft.
    Finally, SSA must properly manage its IT investments to 
position itself for success. SSA expects to complete its 
systems migration to the new data center in August. This modern 
data center should meet SSA's IT needs for at least 20 years. 
OIG provided real-time oversight of this project to help ensure 
that it was completed on schedule.
    The disability case processing system, however, has been in 
development for more than 5 years. Last year, SSA reset the 
project and it continues to work on a single case processing 
tool for disability examiners across the country. To date, SSA 
has spent more than $300 million on DCPS, so going forward, the 
project requires diligent oversight and continued user 
involvement.
    In conclusion, OIG will continue to monitor these issues 
closely and work with SSA and the committee to enhance and 
protect the agency's information systems. Thank you again for 
the invitation to testify, and I'm happy to answer any 
questions.
    [Prepared statement of Ms. Stone follows:]
    
    
   [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] 
    
   
    Chairman Chaffetz. Thank you. Thank you all. I appreciate 
your testimony but will now recognize the gentleman from 
Tennessee, Mr. Duncan, for questioning.
    Mr. Duncan. Well, thank you, Mr. Chairman, and thank you 
for calling this important hearing.
    I remember just a few years ago in this same committee when 
we had a hearing on identity theft and how fast that crime was 
growing and we had a witness from a company that had been on 
one of the morning programs not long before that that this 
company had downloaded 250,000 Federal tax returns just to show 
that it could be done.
    And so sometimes I wonder if there is such a thing as 
cybersecurity. In fact, my staffer has one possible--he always 
writes out many questions for me, but he has got one here: If 
the government spent most of its budget on just updating and 
modernizing IT systems, could we ever guarantee that they would 
not be vulnerable to hackers and malicious code? And I think 
the answer to that is no. And it seems to me that all this--I 
don't know if it is almost a waste to keep trying to arrive 
with cybersecurity that is impossible to obtain.
    I also have gotten the figures. The Social Security 
Administration has spent approximately $16 billion on 
technology in the last 10 years, $16 billion, and yet I keep 
reading these things about how their IT infrastructure is 
aging, out of date. I mean, it just seems crazy to me because 
the biggest corporations in this country that want to do 
business with all 310 million, like Walmart and other giant 
corporations, they spend a lot, but they don't spend as much as 
the Federal Government does. We have been spending for the last 
10 years Federal Government-wide about $81 billion per year.
    And it seems to me that these computer companies were 
turning the top people at these computer companies into not 
just multi-, multimillionaires but multi-, multibillionaires, 
and it seems to me that they are ripping off the American 
people and the taxpayers in the process.
    But I do have a question here for Ms. Stone and Ms. Colvin. 
Would it be possible or logical to put the Social Security 
Administration's most sensitive information into an intranet 
system that would be accessible only to government agencies 
with proper clearance, intranet instead of internet? Ms. Stone, 
do you understand that question? Would it be possible to do 
something like that, or Ms. Colvin?
    Ms. Stone. I would defer to the agency on that because I 
would say that that's the environment that we have now is that 
it is intranet. But again, I will defer to the agency.
    Ms. Colvin. Sorry. The system that we have now is--you 
know, is available only to those who are given access to it, 
which is primarily our employees. We share data with other 
governmental agencies and some local and State agencies.
    I would ask Rob Klopp, who is really our technologist, to 
talk about other ways ----
    Mr. Duncan. All right.
    Ms. Colvin.--that this might be done.
    Mr. Duncan. All right.
    Mr. Klopp. So what we try to do today in order to 
authenticate people is the same kinds of things that commercial 
companies do. We will reach out and ask interesting questions 
that come from your financial background through contracts with 
folks like Equifax and Experian. So if you try to set up a My 
SSA account, what we do is ask some question about, you know, 
when did you start your mortgage on your house at such and such 
an address, I mean, things that are very difficult for bad 
actors to get a hold of.
    So--and as Marti pointed out, the next level of this 
authentication is to use two-factor authentication, and we're 
going to mandate that on My SSA in the middle of this year.
    So, you know, I think that we're trying to do--you know, 
we're bringing on all of the best practices to do the best we 
can to try to cut down the identity fraud, which is what 
happens when people can get in. It's not really a cyber thing, 
but it's definitely something that as CIO that I'm trying ----
    Mr. Duncan. Well, my time is up, but I just think it is so 
frustrating to see all of this spending, much more than is 
being done in the private sector, and yet we are not hearing 
the same excuses from the private sector. And I know the 
easiest thing in the world is to spend other people's money and 
there is just not the same pressures or incentives to hold down 
spending in the Federal Government as there is in the private 
sector. But we have got to do better. We can't keep getting 
with all the spending, these--hearing over and over again that 
the systems are out of date, aging, and so forth. Anyway, thank 
you, Mr. Chairman.
    Chairman Chaffetz. I thank the gentleman.
    I now recognize the ranking member, Mr. Cummings, for 5 
minutes.
    Mr. Cummings. Thank you very much.
    I want to just follow up on what Mr. Duncan was just 
talking about. I think he makes a very good point. I mean, when 
you look at this situation, it seems that we are spending a lot 
of money. And I believe that the money is probably being spent 
effectively and efficiently, but I also think that we are--we 
heard testimony yesterday that it is almost like trying to fix 
an airplane while you are flying it, you know, create it while 
you are trying to fly it because you are always trying to keep 
up with things.
    And, you know, listening to Mr. Duncan, it is interesting 
to note that in the private sector, look at folks like Home 
Depot and others, I could just name all the private folks who 
have had their systems hacked very effectively.
    So can you answer his question, though? I mean, how do we--
is it too big to properly address, this whole issue? In other 
words, the thing that I think that concerns me is the image 
will be presented that we are just spending, spending, 
spending, and then the people on Capitol Hill, that is us, come 
to that conclusion, and then you end up not getting the money 
that you need. And then of course we are going to beat up on 
you when you are not answering the calls, when you are not 
addressing all the issues that you have to address. So somebody 
make the best case for me, please.
    Ms. Colvin. I think it's very clear that hackers and bad 
people are going to constantly try to infiltrate every system, 
just as you had the Fosters, and I think that we have to be as 
determined that they will not, and I think that's the reason 
for the rigorous testing, why we try to hack ourselves, why we 
use independent auditors, and why we work very closely with 
Homeland Security because each time a vulnerability is 
identified, we address it immediately or as resources permit.
    And I think that this is something that we have to 
constantly do. We're in an evolving environment where 
technology is certainly continuing to develop. We've had to 
move away from the paper process so it's not like we have 
options of not using the technology. So we have to constantly 
look at best practices, constantly make sure we have the 
expertise that we need inside the agency. I think SSA is 
fortunate to have someone who's come from corporate America who 
has worked with a lot of the technological changes and will 
help us to move forward.
    We know that it's a continuous, ongoing process. We do 
believe--and I'll let Rob speak to this, but we do believe that 
because our legacy system is so old, we are at risk and we need 
to make changes, but we have to make them carefully because we 
can't run the risk of not being able to get the $930 billion 
out. And Social Security has never missed a check payment, and 
we use that old system to do that.
    I think also there's been a new way of procuring and 
developing systems thanks to the work of the Congress and 
others so that you have more agile development and that you can 
look at the cybersecurity issues and what you need to do to 
address those.
    Rob, you want to add something to that?
    Mr. Klopp. You know, I think Marti pointed out that, you 
know, cyber is an ongoing effort. I think that part of the deal 
is that we probably started off a little bit behind, and we 
need--and we're catching up, but I'm talking about the Federal 
Government in general, not about SSA in particular. And I think 
we are catching up.
    One of the side effects of having electronic information is 
that it--you know, it is vulnerable. So we're working on it. I 
think we'll continue to work on it. I think that the benefits 
of technology outweigh these risks by so much that we just have 
to keep on it and keep being vigilant.
    Mr. Cummings. Let me ask you, Ms. Stone, I want to move on 
to you. I understand that resource constraints have also 
affected the inspector general's office, including its IT 
security efforts. Most of the people on this committee, by the 
way, have a phenomenal amount of respect for IGs. We try to be 
as supportive of you all as we possibly can be.
    Your office first approached creating a Computer and 
Internet Security Incident Response Team in fiscal year 2015 
budget request, but this request has not been funded, is that 
right? And what role would that--what would have been the role 
of that team?
    Ms. Stone. The vision of that team would be to assist the 
agency in the event of some type of cybersecurity incident.
    Mr. Cummings. And so as a result of not having the 
resources, what are the consequences?
    Ms. Stone. We don't have agents to dedicate to that--to 
those events.
    Mr. Cummings. And was that a top priority of yours?
    Ms. Stone. Well, that along with I just--generally building 
that--an infrastructure around electronic information as a 
whole where we're using data to identify potential 
vulnerabilities and working with the agency to, I guess, 
improve its continuous monitoring program, just providing that 
constant feedback to them on where they're--we see 
vulnerabilities.
    Mr. Cummings. I am running out of time, but let me ask you 
this. You made a number of recommendations. Do you see a lot of 
this being the result of fiscal issues, in other words, not 
sufficient funds? I mean, I'm just curious ----
    Ms. Stone. Well, I ----
    Mr. Cummings. See, because that is why we call you up here 
is that we keep throwing money but that we don't see a lot of 
progress. And so therefore, again, as I said a little bit 
earlier, then folks say let's reduce the money. And so I am 
just--you are the one making the recommendations. Your budget--
I know you have been affected based upon what you just said, 
but what about your recommendations with regard to the agency?
    Ms. Stone. Well, what I can say is that we have seen a 
conscious effort by the agency to address issues like limiting 
the privilege accounts that have higher access. We've seen them 
work on continuous monitoring. We've seen them, I guess, 
implement additional multifactor authentication. So there is a 
willingness on the agency's part to address these. I can't 
really speak to their budgetary use, but we have seen the 
efforts on their part.
    Mr. Cummings. Just one last thing, Mr. Chairman.
    You know, one of the things that I tell my office is that, 
you know, a lot of times the public has come to the point to 
have low expectations of government. They don't expect to get 
somebody on the phone. They don't expect things to be addressed 
properly. And then the complaints, Commissioner, as you know, 
then come to us.
    And I think, you know, this whole idea of trying to do all 
the other things that you have to do, that is address the 
calls, and I know you get a lot of them, the complaints, the 
problems, but you have got to have people and you have got to 
have resources to do that. And so what happens if you don't 
have the resources, if you don't have the people, the quality 
of service has to suffer. I don't care--no matter where--I have 
managed a lot of people in a lot of offices, and it has to 
suffer.
    So, again, my thing is making sure that the resources that 
we do have are used in a way that is effective and efficient. 
And again, that is sort of an offense of defense because, 
again, these folks here, they will cut you--I mean, you won't 
have a budget. And folks will be saying, you know, again, do 
more with less. And you all have to constantly, and you know 
this, make the best case for the funds that you have and the 
funds that you need.
    I yield back.
    Chairman Chaffetz. I thank the gentleman.
    I now recognize myself for 5 minutes.
    One of the concerns--I do agree with Mr. Cummings that one 
of the deep challenges is you are flying an airplane and the 
capacity of that airplane continues to grow. And one of the big 
concerns we have is we have to do the inspections, we have to 
worry about the penetration tests. At the same time, we have 
got a constant need in the IT sector to upgrade. So I do 
understand and respect that, but I do believe also that we, 
particularly in Congress, rely heavily on the inspector general 
to be the impartial eyes and ears on the ground.
    Ms. Stone, I want to talk about one of the penetration 
tests at Social Security Administration. This was a test 
conducted by the Department of Homeland Security. It was done 
at the request of the agency, and it was done in August 2015. 
When did your office first learn about this test?
    Ms. Stone. We were actually briefed on these tests in 
September 2015.
    Chairman Chaffetz. So you were given a verbal briefing in 
September, roughly a month after the test, correct?
    Ms. Stone. Right.
    Chairman Chaffetz. And when did you first get a copy of the 
report?
    Ms. Stone. Within the last 2 to 3 days.
    Chairman Chaffetz. From just now, right?
    Ms. Stone. Yes.
    Chairman Chaffetz. And where did you get a copy of that 
report?
    Ms. Stone. I believe my chief of staff requested it from a 
component within the agency.
    Chairman Chaffetz. And I believe that--did you even know 
that there was a report?
    Ms. Stone. We did not.
    Chairman Chaffetz. How did you learn that there was a 
report?
    Ms. Stone. In conversations with members of your staff.
    Chairman Chaffetz. So now that you have had a chance--it is 
our staff that lets you know that there is a report. You get a 
verbal briefing. You don't know that there is an actual report. 
We let you know that there is a report, and then now that you 
have gone through that report, do you think that the verbal 
briefing accurately portrayed the results of that test?
    Ms. Stone. Well, at this point I would say we haven't had 
an opportunity to do a deep dive on the report, which is why we 
need to look for any inconsistencies. There was some language 
used in there in the report, as I understand it, that was not 
consistent with what we received during the verbal briefing, so 
we wanted to make sure that we have an opportunity to evaluate 
that report. And because we have our contract auditors doing 
their annual FISMA review at this time, we will definitely 
share that information with them.
    Chairman Chaffetz. Do you think the testers--did you know, 
for instance, that the testers observed and copied personally 
identifiable information and were able to exfiltrate that 
randomly generated return?
    Ms. Stone. We did not know that until we had the 
opportunity to review the report. I believe the earlier 
briefing suggested that there was no PII.
    Chairman Chaffetz. That is kind of an important point, do 
you think?
    Ms. Stone. Yes, it is.
    Chairman Chaffetz. Well, okay. We have got three people 
from Social Security here. Please explain to us why you didn't 
let the inspector general know a pretty important part of the 
test that they were able to exfiltrate data. How can you not 
share that with her?
    Ms. Colvin. I can't speak to the specific report. Marti--
Ms. Eckert will be able to do that. But I do want to emphasize 
that we invite the auditors and Homeland Security in to test so 
that we can identify vulnerabilities that we can fix. My 
understanding is that it's not as if they're penetrating us 
from outside. We let them in, and then they began to look at 
how they're going to be able to hack the system and they give 
us the feedback and then we look at the recommendations of what 
we need to do.
    But relative to your question of why we did not inform the 
Office of Inspector General, I think Marti probably would be 
able to talk about what our process is.
    Chairman Chaffetz. Go ahead.
    Ms. Eckert. Thank you, Chairman. It may be the timing of 
the briefing that we did as opposed to the actual final written 
report and why there may have been inconsistencies in what was 
shared.
    Chairman Chaffetz. Well, is it not common practice to share 
those reports with the inspector general?
    Ms. Eckert. We share many work products with the inspector 
general ----
    Chairman Chaffetz. I know, but ----
    Ms. Eckert.--even--in ----
    Chairman Chaffetz. Do you share them or not? You see where 
it becomes suspicious to us when you have something that is not 
very flattering, it is embarrassing, I think it is human nature 
to want to, oh, I hate to share this, but I also do believe 
that the inspector general is there to help be part of the 
solution, not part of the problem. And it is suspicious when, 
you know, you have this report and you don't share it with the 
inspector general. You went to the lengths to give them a 
briefing, correct?
    Ms. Eckert. I believe so. I believe that was right at the 
time that it was occurring, and we were letting them know that 
that was going on.
    Chairman Chaffetz. Well, my understanding is that the 
briefing happened roughly a month after the penetration test 
started. So here is a copy of the report. ``Risk and 
vulnerability assessment for high-value asset prepared for the 
Social Security Administration September 28, 2015.'' Congress 
shouldn't be the one to tell the inspector general that there 
is a report. How would they even know to ask for the report?
    Ms. Eckert. So we share over 1,100 different pieces of 
information from them as part of the financial statement audit. 
So Ms. Stone referred to the request--that we are doing that 
again now, and we share everything that is required as part of 
that audit. We don't necessarily share with them every work 
product that we produce, and we will know in the future to 
share those products.
    Chairman Chaffetz. Well, this was a report produced by 
Homeland Security?
    Ms. Eckert. Yes.
    Chairman Chaffetz. It just seems to us--it just comes 
across as if you are hiding something from the inspector 
general. The fact that they were able to, unimpeded, do a 
penetration test, albeit that you invited them to do it, but 
that was the finding, is that they were able to exfiltrate 
personal identifiable information, which means there is a 
problem and you don't share that with the inspector general. 
Ms. Stone, is that the way it should work?
    Ms. Stone. I would say no. Typically, we have a very good 
working relationship with the agency, and there is back and 
forth with sharing information.
    I would like to add one point, however, to this is that 
when we had our contract auditors in performing similar 
penetration testing, we--those testers also gain access to the 
point that they could see PII. So the fact that that weakness 
or vulnerability existed was not news to us, but the fact that 
there was a report and we had not gotten a copy, that was news 
to us.
    Ms. Colvin. Mr. Chairman, I will say that, again, we have a 
very strong relationship with the inspector general as far as 
being responsive. I always see them as an early alert system. 
I'm sure that this had to be an oversight because there's no 
evidence of any history of trying to hide something. It's very 
possible that the staff was reviewing this so they'd be able to 
respond prior to sending it to the Office of Inspector General, 
but we will make certain that that type of breakdown does not 
occur.
    Chairman Chaffetz. I appreciate it. We have some more 
questions about it, but I am well past my time. I will now 
recognize the gentleman from Pennsylvania, Mr. Cartwright, for 
5 minutes.
    Mr. Cartwright. Thank you, Mr. Chairman. And, Commissioner 
Colvin, thank you for being here today and for your service.
    The President's fiscal year 2017 budget overview states the 
following--and I want to quote from it because it is 
concerning--``our current state of service remains fragile as 
the demands of balancing service and stewardship 
responsibilities continue to strain our resources.'' And what 
does this mean when it says the ``state of service remains 
fragile'' at Social Security, if you know?
    Ms. Colvin. Because of budget constraints, we are 
constantly balancing between our service delivery to the public 
and our program integrity efforts, which includes 
cybersecurity. Because of the activity in fraud and the 
activity in cybersecurity, we've had to continually shift 
resources to program integrity. For instance, just in 3 years, 
we've gone from spending $74 million in cybersecurity to $96. 
That comes away from, of course, our customer service 
activities, the same thing as we look at developing our systems 
and other kinds of things.
    I had to set up--or didn't have to but I felt it was 
prudent to set up a centralized fraud unit because fraud was 
becoming so prevalent in the country and we wanted to be able 
to get out front and be able to detect it and prevent it, and 
so we've switched considerable resources there. As a result, 
we're seeing increased waiting times in our field offices on 
our 800 number. You will recall that Congress was quite 
concerned because I had to close a considerable number of 
offices ----
    Mr. Cartwright. And I wanted to ask you about that because 
when you say customer service as being basically degraded, that 
really bothers me. In fact, it says in the Social Security 
budget overview, ``While we have worked diligently to improve 
national 800-number service, the funding we receive for fiscal 
year 2016 will increase wait times and busy signals.'' 
Commissioner Colvin, that is not acceptable. What is the 
answer?
    Ms. Colvin. The answer is we need committed, sustained 
funding. I cannot spend money that I don't have. I cannot incur 
an anti-deficiency. We have never made our--for the 3 years we 
were in a total freeze, and as you well know, it takes 2 years 
for our workers to even be qualified to do the claims work that 
we have out there in the field.
    When I was here in 1970, we had 70,000 employees. We're 
down to 62,000 now and at the same time that our workload is 
continuing to increase. So if we have to pull away from some of 
the things that we do, it's always the impact on the customer.
    Mr. Cartwright. Well, can you talk about the impact that 
resource constraints, the type you are talking about, have had 
on the Social Security 800 number and field offices? For 
example, how long have wait times been this year?
    Ms. Colvin. I don't know the specific answer to that off 
the top of my head, but I'd say the average wait is probably 30 
minutes. We still have lines in our field offices. We are 
constantly looking at IT to see how we can take some of the 
work out of the field offices to be able to address the wait 
times. For instance, we have 4 million visitors a year to our 
offices for a replacement Social Security card. We're beginning 
now to roll out a replacement card online, but we have to do 
that carefully. We have to make sure it's secure. So we're 
doing whatever we can to pull out work from the field office to 
make the wait times less, same thing with the 800 numbers, but 
it's a resource issue.
    Mr. Cartwright. Well, that is wait times on the phone. 
Maybe even more important are the people who are waiting for 
adjudicatory hearings. Can you discuss the impact that the 
resource constraints have had on wait times for adjudicatory 
hearings, Commissioner?
    Ms. Colvin. There have been two impacts. One has been our 
budget and the inability to actually have the number of ALJs we 
need to have a hearing, as you know, the hearings require an 
ALJ. We also in the past years have had difficulty with getting 
a register of candidates. We're working very closely with OPM, 
and thanks to Congress, there was a required date for a test, 
and so that's moving forward.
    But at the same time, it's a resource issue. We're now up 
to 570 days that someone has to wait for a hearing. It's 
something that greatly concerns me because many of these people 
die before they get a decision. But again, we try to balance 
the resources we have.
    Mr. Cartwright. So what happens if Social Security does not 
receive the funding it has requested? What happens to these 
wait times?
    Ms. Colvin. They will increase. They will increase. We are 
very efficient as an agency, and I must stress that. Our 
overhead is 1.3 percent of all of our outlays. We like to talk 
about USAA as being one of the best private insurance 
companies. Their overhead is 8 percent, so I think we do an 
incredibly good job with the resources we have, and I'm able to 
tell you how we spend the dollars. But the bottom line is we do 
compete with other agencies for the dollars, and we don't have 
an adequate budget.
    Chairman Chaffetz. I thank the gentleman.
    Mr. Cartwright. Thank you. I yield back.
    Chairman Chaffetz. Thank you.
    I now recognize the gentleman from Texas, the chairman of 
the subcommittee on IT, Mr. Hurd of Texas.
    Mr. Hurd. Ms. Eckert, when was the DHS security review 
done?
    Ms. Eckert. My recollection is it was done in August. It 
was last summer.
    Mr. Hurd. How many critical vulnerabilities were found?
    Ms. Eckert. There were a set of about nine recommendations 
that they made to us.
    Mr. Hurd. So you don't know how many critical 
vulnerabilities were actually found?
    Ms. Eckert. It was a penetration-type test ----
    Mr. Hurd. Yes.
    Ms. Eckert.--so it wasn't that they were looking for 
specific ----
    Mr. Hurd. How long have you been ----
    Ms. Eckert.--software vulnerabilities ----
    Mr. Hurd. How long have you been the CSIO?
    Ms. Eckert. Three years.
    Mr. Hurd. Three years? And you have a qualified--and, Ms. 
Colvin, I want to start with you on a comment. You are right. 
You all did the right thing by getting a third party to come in 
and test your systems. That is a good best practice, but you 
all approached this hearing absolutely wrong. You should have 
come in here and said, listen, we have X number of critical 
vulnerabilities from August of 2015 and that these are the 
steps that we have taken to mitigate all of these actions. And 
this information was given to the second group of people that 
came and did another security evaluation.
    And you are talking about how you are not properly 
capitalized, but look, you guys have saved $300 million in IT 
savings by doing things properly. Good work. But the reality is 
use the money that you actually have in the right way. You are 
not giving a team that is coming in here to test your digital 
infrastructure, and you are not giving them all the information 
from the previous test.
    And not once have you all come in here and said that there 
are these significant vulnerabilities, critical vulnerabilities 
that we fix. The DHS team was able to escalate privileges once 
they were inside their system and take control over your entire 
system. That is a big deal, all right? And the fact that in 
none of you all's testimony do you mention this.
    And then you have the audacity to say that Social Security 
meets all of the cross-agency priority cybersecurity goals. 
Somebody was able to sit on your system and take complete 
control over it. I wouldn't consider that to be a--I wouldn't 
pat yourself on the back for being able to perform that. And 
you are the CSIO and you don't know how many critical 
vulnerabilities that there were in a report that was done and a 
test that was done almost a year ago? Please.
    Ms. Eckert. We report our vulnerabilities monthly to the 
Department of Homeland Security. Every month, the number of ----
    Mr. Hurd. So what are you doing to fix it?
    Ms. Eckert. We have very many different things that we do. 
It is a holistic ----
    Mr. Hurd. You have very many different things?
    Ms. Eckert. It is a holistic, integrated approach. We do 
patch management, we do intrusion detection, we do ----
    Mr. Hurd. Okay. Ms. Eckert, you obviously ----
    Ms. Eckert.--continuous monitoring ----
    Mr. Hurd.--didn't read my background before you came here. 
I did this for a living, okay, and so saying you have many very 
different things is not a strategy on how to mitigate critical 
vulnerabilities.
    Ms. Colvin, how many records do you have on the--how many 
Americans do you have information on?
    Ms. Colvin. We have over 175 million wage earners, and then 
we have ----
    Mr. Hurd. How many Social Security numbers are there?
    Ms. Colvin.--about 65 million beneficiaries. We have 
records on most--on everybody.
    Mr. Hurd. Pretty much everybody, right?
    Ms. Colvin. Yes. Yes.
    Mr. Hurd. I think that is a pretty big deal.
    Ms. Colvin. Yes.
    Mr. Hurd. When you talk about PII, this is the treasure 
trove a ----
    Ms. Colvin. Yes.
    Mr. Hurd.--and it should be protected with the best tools. 
And we should have--I have said this 100 times. This is not an 
issue of technology. This is an issue of leadership. You have 
information on every single American in the United States of 
America, and your CSIO doesn't even know from the last report 
how many critical vulnerabilities there were. They don't know 
how many times they were able to escalate privileges. And then 
the other group that is coming in and you are doing a best 
practice, you are not sharing that information with the IG? And 
our subcommittee, our staffers had to inform the IG of this 
information? This is absolutely ludicrous.
    And the reason we have all of you all here is because it 
stops with you ----
    Ms. Colvin. I understand.
    Mr. Hurd.--right? This is your responsibility. This is 
your--you have got to make sure this happens, and if I were 
you, I hope you have some very uncomfortable conversations with 
your CIO and your CSIO because this is basic information that 
they should know. And as a taxpayer, as someone who did this 
for a living, as someone who was responsible to 700, 800,000 
Americans, I am appalled by this. And you know what, if I were 
the Russians, I were the Chinese, I were other hackers, I would 
be licking my chops because these people are not prepared to 
protect this information. This is outrageous.
    And, Mr. Chairman, thank you for this. Thank you for the 
bipartisan nature of this, and I yield back my time.
    Chairman Chaffetz. I thank the gentleman.
    I will now recognize the gentleman from Virginia, Mr. 
Connolly, for 5 minutes.
    Mr. Hurd. Unbelievable.
    Mr. Connolly. Thank you, Mr. Chairman.
    I say to the panel some of the frustration you are hearing 
is not only about Social Security. We have had a series of 
hearings where we hear the same story, and we are very worried 
that the Federal Government is so vulnerable.
    There is a story on CNN today that the nuclear program of 
the United States is protected on floppy disks, technology 
going back to the 1970s, and one asks what could go wrong with 
that?
    So I welcome anyone answering, but following up on my 
friend from Texas, Mr. Hurd, how worried should we be? I mean, 
given the fact that you have, as you say, Ms. Colvin, data on 
every American, to make sure they have the benefits when they 
qualify that they need and that they are entitled to? But the 
downside of that is you have got data on every American. And we 
saw what happened with the OPM breach, which compromised 
information on people who trusted, you know, their information 
with a Federal agency for a job application or for Federal 
service or for a security clearance.
    And so help reassure us that we are not facing something 
similar with Social Security Administration, that Mr. Hurd can 
be reassured that actually after testing the system whatever 
the vulnerabilities we discovered we have moved with alacrity 
to address them in an efficacious way.
    Ms. Colvin. Mr. Cooper, we certainly as an agency are not 
----
    Mr. Connolly. No, no, I am Mr. Connolly.
    Ms. Colvin. I mean Mr. Connolly.
    Mr. Connolly. That is all right.
    Ms. Colvin. I'm sorry, sir.
    Mr. Connolly. I am Irish, Virginia, via Boston a ----
    Ms. Colvin. Apologize.
    Mr. Connolly.--God only knows what it is. I don't know.
    Ms. Colvin. Let me just assure you that ----
    Mr. Connolly. No problem.
    Ms. Colvin.--we are very concerned about cybersecurity in 
the agency, and we know as an agency--I'm not talking about the 
rest of the government. As an agency, we are always concerned 
about this. We know that we're always seeking that continuous 
improvement. We look at the vulnerabilities to see what the ----
    Mr. Connolly. Yes, but, look, I have got a little bit of 
time. I am seeking reassurance. He raised the question, Mr. 
Hurd. He was responding, Ms. Eckert, to what he thought he 
heard from you. I am giving you the opportunity to come back 
and reassure us you can rest easy because, yes, we discovered 
vulnerabilities and here is what we did or they have all gone 
away magically or they are still there and we don't know what 
to do about them. I mean ----
    Ms. Colvin. Well, I think Ms. Eckert can talk about what 
we've done, but I just wanted to say that this is an ongoing, 
continuous challenge ----
    Mr. Connolly. Of course.
    Ms. Colvin.--as an agency.
    Mr. Connolly. We know that, but ----
    Ms. Colvin. All right. Marti, you want to speak to what 
we're doing?
    Mr. Connolly. Well, what we have done after you got the 
data you got in terms of the penetration.
    Ms. Eckert. Sir, as I said, we have a holistic and 
integrated ----
    Mr. Connolly. You have got to speak into that microphone, 
Ms. Eckert, because I can't hear you. I am sorry. Thank you.
    Ms. Eckert. Oh, my apologies.
    Mr. Connolly. That is all right.
    Ms. Eckert. We do have an integrated, holistic approach. As 
far as the specific vulnerabilities, it--identified in the DHS 
report, they were recommendations that we have taken action on. 
Specific vulnerabilities that were uncovered have been 
remediated, but let me reiterate what the commissioner said. We 
hack ourselves every day, so we look for vulnerabilities 
continuously with continuous monitoring. We also on top of that 
then have our own penetration testing program where, daily, we 
attempt to identify and remediate vulnerabilities that we find 
over and above our continuous monitoring strategy.
    Mr. Connolly. And in the process of doing that, Ms. Eckert, 
have you identified--you know, we have got some clunky systems 
that have to be replaced, and here is the program for doing 
that or here is the need we have identified, and we don't have 
the resources yet to address that because that is a critical 
piece, too. We are dealing with legacy systems. We are dealing 
with non-encrypted systems. I mean, we have got--and, Mr. 
Klopp, I'm going to get to you on that in terms of 
implementation of FITARA that tries to address all of that. 
But, I mean, I hope that is part of what you--it is not a sign 
of weakness to identify weakness. It is a sign of weakness when 
you ignore the weakness.
    Ms. Eckert. We do, and we take a risk-based approach to 
remediating our vulnerabilities and all cyber recommendations 
that we have, whether they be from DHS, whether they be from 
the inspector general, whether they are from our own 
penetration testing program.
    Mr. Connolly. Okay. I am now down to 13 seconds.
    Mr. Klopp, real quickly, tell us about your FITARA 
implementation. Your grade improved. We had a hearing on that. 
And how does that relate to this broader discussion of 
vulnerability and what we are doing?
    Mr. Klopp. I mean, you know, FITARA is important. I would 
say we are moving aggressively to fill not just the stuff that 
is in front of us now and required of us, but we actually think 
that we are a little bit ahead because we can see the new 
FITARA stuff that's coming down the pike. You know, again, it's 
a constant thing.
    I guess the last thing I would say is I want--let's be 
really clear about what we--you know, Marti's pointed out that 
we invite these folks to come in to test our systems. We take 
the testing very seriously. And what that means is we want them 
to find these exposures. We are looking for them to find these 
exposures.
    In both of the cases of the August DHS exercise, as well as 
our exercise with our other auditors, they were not able to 
penetrate our system from the outside, and so we let them in. 
And when we let them in, sometimes they can move around a 
little bit and they declare the fact that they can move around 
as a vulnerability but they can't get things out. So we allow 
them another step and another step and another step because 
we're looking for these vulnerabilities.
    The fact that they found them is because we let them in and 
we let them in and it turned things off and let them around 
this because we're looking for these things. We expect to come 
back to you every time with these auditors finding 
vulnerabilities because we're--we want them to find them. So we 
find them, we remediate them.
    There's an exercise going on now with Homeland security, 
and as a result of activities we've taken, we're now more 
secure than they were--we were the last time in, and they're 
having a harder time doing some stuff. They've also found some 
new stuff. And, you know, the next time we come in you can--you 
talk to us about the new stuff that they've found.
    It's--but let me be really clear, and this is--probably the 
assurances. As far as we know, no one, without help from us, 
has ever come into the agency, entered and penetrated in or--
and exfiltrated data out. No one without help from us or 
knowledge in advance of the way we have our cybersecurity 
system set up has been able to do that. So that's the 
assurances I would give you. They do it when we let them in or 
we turn off our defenses.
    Chairman Chaffetz. It scares me to death that you think 
that. It just really does. It really does scare me because the 
last time you had that test, they surfed around there for days 
and they were totally undetected. They were able to exfiltrate 
data if they wanted to.
    I would appreciate it if you would share with our staff in 
a bipartisan way what you have done to remediate that. We will 
have to follow up on that.
    I will now recognize the gentleman from Georgia, Mr. Hice, 
for 5 minutes.
    Mr. Hice. Thank you, Mr. Chairman.
    We all know that Social Security has personal 
identification information of everyone in America, and I 
certainly cannot overemphasize the importance of this whole 
issue to me personally and my constituents, as well as my 
colleagues here, that the Social Security Administration take 
cybersecurity seriously and do absolutely everything within 
your power to mitigate any and all threats that are potential.
    And, you know, we are here today because obviously there 
are some network infrastructure legacy system potential 
compromising. There are some vulnerabilities is perhaps a 
better word, and that is why we are here. But any system at the 
end of the day is only as good as the people who are behind the 
system and working with it.
    Mr. Klopp just referred a moment ago to the August testing 
and, you know, there are some issues that were found. Okay. We 
know there are issues. So let me begin, Ms. Colvin, with you. 
What is the Social Security Administration doing specifically 
to improve employee training as it relates to the 
vulnerabilities?
    Ms. Colvin. We have ongoing mandatory cybersecurity 
training for everyone within the agency. When the--any 
aberration is detected that has been created by an employee, 
that is discussed with them, and I think that Marti as our 
expert can go into more specific detail, but that is something 
that we take very, very seriously because we do have offices 
throughout the country, as well as the local DDS--State DDS's 
who also have access ----
    Mr. Hice. Are you satisfied with the training?
    Ms. Colvin. We are always looking at continuous 
improvement. When we see something happening that would suggest 
that employees are not fully in compliance, we do additional 
trainings. So training is not a one-time thing. It's ongoing.
    Mr. Hice. Do you see the FISMA requirements as a floor or a 
ceiling?
    Ms. Colvin. A floor because I think that we've got to keep 
up with technology. We've got to always stay in front of the 
hackers, and that's one of the reasons when Rob talks about 
wanting to know where our vulnerabilities are, we want to shore 
those up because we know as soon as we fix those, the hackers 
are going to probably find something else, and so we went to 
continuously do that.
    Mr. Hice. Okay. So in any given month, how often do you 
meet with the CIO?
    Ms. Colvin. Oh, I meet with him on a weekly basis many 
times. I meet with him one-on-one. He's my direct report. He's 
a member of my senior executive team. We meet on Tuesdays.
    Mr. Hice. What about the chief security officer?
    Ms. Colvin. Absolutely.
    Mr. Hice. Absolutely what? How often do you mean?
    Ms. Colvin. The--we meet probably several times a week 
around issues. We--I get a weekly report from Ms. Eckert 
relative to cybersecurity and what is happening.
    Mr. Hice. All right. What about the IG?
    Ms. Colvin. The IG had been invited to attend all of my ----
    Mr. Hice. So you feel confident that you are staying in 
good communication with all these as it relates to the 
cybersecurity vulnerabilities?
    Ms. Colvin. Absolutely because cybersecurity has to be one 
of our highest priorities.
    Mr. Hice. Yes, it absolutely does.
    All right, Ms. Stone, let me go to you. The GAO recently 
testified to thousands of information security recommendations, 
and they found that agency had failed to implement those 
thousands of recommendations even to the extent of 42 percent 
of the 2,000 recommendations that have been offered. Given your 
experience in the inspector general's office, what are the 
problems? What are the challenges? Why are agencies not 
implementing the recommendations?
    Ms. Stone. I can speak from, I guess, experience at Social 
Security. From time to time you may have a policy or procedure 
that is managed out of a central office. The ability to 
replicate that across the country is sometimes challenging. For 
example, when there have been instances where we've identified 
a vulnerability in one location, maybe the agency has had an 
opportunity to come in and remediate it in that location, but 
because the security posture is not that mature, you may still 
see that same issue popping up somewhere else. So it really 
comes down to the maturity of the security posture of the 
agency in that it's a culture where we are going to detect it 
and remediate it as soon as possible and then prevent it from 
reoccurring elsewhere.
    Chairman Chaffetz. I thank the gentleman.
    We are now going to recognize Ms. Plaskett, the gentlewoman 
from the Virgin Islands, for 5 minutes.
    Ms. Plaskett. Thank you. Thank you so much. Good morning, 
everyone.
    I thought it was really interesting that your discussion 
just now, Ms. Stone, about the recommendations and the work 
that you are going to do and your efforts to replicate these 
recommendations across the country. But one of the things that 
I was wondering you had discussed with us today about the 
critical work that you are performing in the inspector 
general's office combating waste, fraud, and abuse is the 
personnel and the amount of individuals that you have. My 
colleague just stated that systems are only as good as the 
people that are behind them.
    And so I am wondering. I notice that the IG--and I am 
quoting here in the President's fiscal year 2017 budget--that 
the OIG employees on duty have dropped from 610 in fiscal year 
2006 to 526 in fiscal year 2015. I know that some of that is 
attrition through retirement potentially and otherwise, but 
that is a decrease in 84 employees. How has that affected your 
ability to combat waste, fraud, and abuse at Social Security?
    Ms. Stone. Well, first, I will speak to it from an audit 
perspective. Typically, our auditors are issuing one audit per 
auditor per year. With the flat-line in our budget and because, 
I'll say, about 86 percent of our budget is personnel, we've 
not been able to replace people, so fewer auditors mean fewer 
audits being conducted. I'd say we've reduced our productivity 
in that area by about 25 audits.
    Ms. Plaskett. So the funding constraints, they have 
accounted for some of the flat-lining in productivity or 
ability to ramp up additional audits, but has it led to any 
reduction in your staffing as well?
    Ms. Stone. Oh, absolutely, especially--I'll speak from an 
investigative standpoint. Ms. Colvin referred to the 
Cooperative Disability Investigations unit. We dedicate agents 
to that project, but we get no additional funding for that. So 
to the extent that we dedicate another agent to that process, 
that's fewer agents that can actually respond to a cyber 
incident or looking at facilitator fraud or things of that 
nature. So to the extent that our budget remains flat or 
decreases, that's fewer resources that we have to put on the 
ground.
    Ms. Plaskett. I have here, and you tell me if this is 
correct, that the caseload has dropped from 12,000 cases in 
2007, and you are saying 8,400 now?
    Ms. Stone. Yes, that is correct. Our high was about 12,000 
in 2007, and subsequent--and the--I believe the last 3 years 
we've averaged about 8,400 cases.
    Ms. Plaskett. So I know you know we are all concerned with 
hacking and infiltration of these systems and our IT systems 
ramping up, and I know that your office has some integration in 
that in terms of criminal investigations. Has your office had 
to reduce the number of those investigations due to a reduction 
in the budget and the flat-lining that you have experienced?
    Ms. Stone. Absolutely. Just as you indicated, we've seen 
that drop from about 12,000 cases to 8,400.
    Ms. Plaskett. And you talked a little earlier when you 
first started our discussion on Cooperative Disability 
Investigation program. And my understanding is that that is 
contract support, correct?
    Ms. Stone. Yes. That is a--and the Bipartisan Budget Act 
actually provided additional funding or language suggesting 
that there be a CDI unit to cover each State. And when that--
those funds come in, it's actually the administrative costs 
that the agency pays to get those contractors at the State and 
local law enforcement level. However, for us, none of our 
personnel or administrative costs are covered for that.
    Ms. Plaskett. And would you say--what would be, you think, 
a much more thorough--and in your mind the ability to really go 
after the things that it seems everyone on this panel is 
concerned about? Would it be through the personnel that are 
working directly in your office or through this CDI program 
that they have?
    Ms. Stone. Actually, it's a combination thereof because 
it's a balancing act. Both of those workloads are very 
important. We've proven that the CDI units are--have a high 
return on investment, and they're very successful, but by the 
same token, we still have a responsibility to go after 
facilitator fraud, and we have to do our normal OIG 
investigations. So, again, it's a balancing act.
    Chairman Chaffetz. I thank the gentlewoman.
    Ms. Plaskett. Thank you.
    Chairman Chaffetz. I now recognize the gentleman from 
Alabama, Mr. Palmer, for 5 minutes.
    Mr. Palmer. Thank you, Mr. Chairman.
    Deputy Stone, the Social Security Administration reported 
to staff in a recent briefing that was reported on the Federal 
IT dashboard--I tell you what, I am going to skip that 
question. I want to go to acting Commissioner Colvin.
    The committee has been corresponding with you about the 
disability case processing system for years. In a response you 
sent Representatives Issa, Jordan, and Lankford on July 30, you 
said, ``I have personally and proactively taken to put the DCPS 
on the right course.'' Nearly 2 years later, here we are, and 
so there are a few questions.
    And I just want to point out in 2008 started this process 
of overhauling the DCPS system and spent $288 million and had 
to scrap it in 2014, basically threw away almost $300 million. 
I want to know, today, is DCPS currently fully functional 
serving all of the State DDS's?
    Ms. Colvin. DCPS was started in 2008. As you point out, I 
assumed leadership role here in 2013 ----
    Mr. Palmer. Ma'am ----
    Ms. Colvin.--so it had been in existence ----
    Mr. Palmer.--because of ----
    Ms. Colvin.--5 years before I came.
    Ms. Colvin. Yes. I did a reset and we are on schedule. We 
have an aggressive schedule where we expect to be rolling out 
or having our first product to three DDS's in December 2016.
    Mr. Palmer. So the answer is no, it is not fully 
functional? If you are still waiting ----
    Ms. Colvin. Well ----
    Mr. Palmer. Let me ----
    Ms. Colvin. We are doing it in an agile way so products 
will be delivered on an ongoing basis.
    Mr. Palmer. Well, how much have you spent since it has been 
under your watch since June of 2014?
    Ms. Colvin. That's--I'm sorry, I need to look at that 
figure. It's about--it's about somewhere between $60 and $70 
million on my watch.
    Mr. Palmer. Okay. And then you have got another $60 or $70 
million yet to spend, is that right?
    Ms. Colvin. Yes, I would say that's accurate.
    Mr. Palmer. So do the funding numbers include 
customizations that Social Security Administration needs to 
make so that the core DCPS is ready to accommodate the needs of 
the States?
    Ms. Colvin. We're looking at a core product. There will be 
some additional costs for customization, but right now, we want 
to make sure that we have the same product in every State.
    Mr. Palmer. But yes or no, does it include the 
customizations that you need to make?
    Ms. Colvin. I would say yes.
    Mr. Palmer. That is interesting. When this is done, how 
much will Social Security Administration spend on this?
    Ms. Colvin. Are you speaking relative to cost since we 
reset?
    Mr. Palmer. I am talking about total cost, DCPS for the 
whole ----
    Ms. Colvin. Well, there was $262 million spent by my 
predecessor, and we're looking at a potential $170 million ----
    Mr. Palmer. So we are talking about half-a-billion dollars?
    Ms. Colvin. Not on the reset.
    Mr. Palmer. No, I know not on the ----
    Ms. Colvin. Okay.
    Mr. Palmer. The total since 2008 we are going to spend 
about a half-a-billion dollars and we are still not fully 
functional. So ----
    Ms. Colvin. Well, we started the reset in 2015.
    Mr. Palmer. Ms. Stone, what is your view on it?
    Ms. Stone. I would say the--my biggest concern at this 
point is, you know, I don't want to be here answering these 
same questions 6 months from now. And in the past we've seen 
some similar situations. I know that they are--that some 
questions have been raised about whether or not the December 
time frame is realistic. If we have any delays, that could 
result in additional cost. We know that this is a complex 
system. So I'm just as interested and concerned as you all are 
about the success of this implementation.
    Mr. Palmer. Well, there was a McKinsey study of the DCPS 
that came out in April, April 21, that says that progress had 
been slower than expected and the current trajectory must be 
significantly accelerated to meet the timeline for core. Why do 
you think that is? Why do you think they made that finding?
    Ms. Colvin. Well, I think that clearly it's a complex 
program. We had had an original management review. We then 
later had the technical review by McKinsey. They've clearly 
stated that we're on the correct path.
    Mr. Palmer. Let me ask in the few seconds I have left Mr. 
Klopp to respond to that.
    Mr. Klopp. Sure. So the answer is that we took off on the 
project starting October 1 of last year. We, for all I think 
the right reasons, decided to do this in an extremely modern 
technical environment, which meant that there was a learning 
curve that we had to take on in order to figure on how to work 
in the cloud, how to use new programming languages, et cetera, 
et cetera. And that learning curve slowed velocity in the 
beginning, as you would expect it to.
    What we find right now is that we're passing through that 
learning curve phase and velocity is picking up, which is why 
we're so confident that we're going to make the December dates.
    Chairman Chaffetz. Thank you.
    I now recognize the gentlewoman from New Jersey, Mrs. 
Watson Coleman, for 5 minutes.
    Mrs. Watson Coleman. Thank you, Chairman, and thank you to 
each and every one of you here today.
    To you, Commissioner, isn't it true that under the previous 
Commissioner of Social Security Michael Astrue I believe his 
name was, the agency made the decision to create a unified IT 
program system that all DDS entities could use to process 
claims known as the Disability Case Processing System? Under 
his tenure, Social Security awarded that primary contract to 
Lockheed Martin in 2010, is that not true?
    Ms. Colvin. That's correct.
    Mrs. Watson Coleman. Rather than have a series of 
questions, I recognize that we are operating in a very dynamic 
system, and you have a tremendous responsibility to preserve, 
protect our information that you have access to and at the same 
time provide us services. I know in New Jersey we have had 
problems with the disability office in moving things quickly, 
but that is what happens.
    I also recognize from what I have read that you all have 
been doing a pretty doggone good job of protecting our 
information.
    Ms. Colvin. Thank you.
    Mrs. Watson Coleman. And there is also a good relationship 
with the Office of the Inspector General, so you, Commissioner, 
have taken the opportunity to be a leader and to engage those 
principles that are very important to the success of your 
program, as well as the protection of our interests and the 
delivery of our services.
    It changes every day. This system with cyber attacks and 
things of that nature happens every day. You fix something, 
people find another way to do it. But yet none of our 
information has been compromised in the same way some of these 
large companies, and I need to commend you for that. And I need 
you to understand that I understand that it is a moving target. 
And with the right resources, you will keep up with it as much 
as you absolutely can, but this is not a finite system and this 
is not a perfect system.
    So to each and every one of you, I want to thank you for 
the dedication and the work you are doing in that space. I 
yield back.
    Ms. Colvin. Thank you.
    Chairman Chaffetz. I thank the gentlewoman.
    I now recognize the gentleman from Georgia, Mr. Carter.
    Mr. Carter. Mr. Chairman, I want to yield my time to the 
chair.
    Chairman Chaffetz. Thank you. I thank the gentleman.
    Mr. Klopp, you wanted to provide clarity about penetration 
and the ability from somebody in the outside to come into the 
system and exfiltrate information. I want to give you another 
chance at that. Are you sure that nobody has been able to do 
that?
    Mr. Klopp. I'm--I will tell you that--Marti and I are 
passing notes back and forth. We are not aware that they were 
able to do that in the August penetration--in the August 
testing that they went on. What I will tell you is that we're 
undergoing testing today, and I've actually been personally in 
communication with ----
    Chairman Chaffetz. Let there be no doubt the two tests of 
that I am aware that were done at the invitation of the Social 
Security Administration, they give you credit for the fact that 
they couldn't penetrate from the outside, but from the inside 
they certainly could.
    Mr. Klopp. So I believe that when we let them in the 
inside, they were able to penetrate. They were not able, as far 
as ----
    Chairman Chaffetz. So how many people are in the inside? 
How many users of these accounts do you have?
    Mr. Klopp. Thousands.
    Chairman Chaffetz. Yes, like tens of thousands, like 96,000 
is the actual number. So here is the problem. That is a 
vulnerability. You had 96,000 people who are already on the 
inside, and their ability to get in, surf around, and 
exfiltrate information is undoubtedly happening because the two 
penetration tests that were tried, that happened.
    But I want to talk about from the outside penetration, not 
the tests, not the people you invited, you are not aware of 
anybody who has been able to penetrate from the outside 
uninvited and maybe over what period of time? Any of you?
    Mr. Klopp. I don't think we are--go ahead, Marti.
    Ms. Eckert. So we do not to date have any evidence that 
someone from the outside has gotten in and exfiltrated out. But 
anyone in cyber will tell you that there are no absolutes at 
this point in time.
    Chairman Chaffetz. Okay. Now, here is the problem I have 
with that answer, okay, with all due respect. There is a person 
who is sitting in jail for doing this very thing. There is a 
person in Miami, right? Oh, now you are shaking your head yes. 
What happened in that case?
    Ms. Eckert. So that was a case of fraud, correct?
    Chairman Chaffetz. Yes, it is fraud.
    Ms. Eckert. We're talking about identity theft ----
    Chairman Chaffetz. Yes.
    Ms. Eckert.--right? And it was identity theft where they 
acted as someone else ----
    Chairman Chaffetz. Yes. Oh, yes ----
    Ms. Eckert. Yes ----
    Chairman Chaffetz.--how creative. I can't believe anybody 
would do that. What happened? Go ahead. Keep going.
    Ms. Eckert. So there have been--and I think Ms. Stone 
alluded to ----
    Chairman Chaffetz. Oh, so there was a penetration from the 
outside where somebody disguised themselves. In fact, they 
tapped in and they created 900 fraudulent accounts. How much 
money did they take out from the government, how much money?
    Ms. Eckert. I don't know the answer to that.
    Chairman Chaffetz. Yes, it is $20 million. There is $11 
million that still hasn't been recovered, and this guy is 
sitting in jail.
    Here is the problem. You are the chief information security 
officer. The person came in in just the last couple of years 
and did this. And this is the one that we know about. And you 
don't recall that off the top of your head?
    Ms. Eckert. So my apologies. I was thinking of cyber 
incidents and ----
    Chairman Chaffetz. Why is this not a cyber incident?
    Ms. Eckert. It is ----
    Mr. Klopp. It's not.
    Ms. Colvin. It's not.
    Ms. Eckert. It's fraud.
    Mr. Klopp. It's not.
    Ms. Eckert. It's identity theft ----
    Ms. Colvin. It's fraud.
    Ms. Eckert.--which is fraud.
    Chairman Chaffetz. Okay. So what is the difference between 
----
    Ms. Eckert. And my apologies.
    Chairman Chaffetz.--fraud and cyber?
    Ms. Eckert. I do understand from your perspective that 
those things are alike, and my apology for ----
    Chairman Chaffetz. Well, what is the difference?
    Ms. Eckert. So we have established--we did--we have 
established an Office of Antifraud Programs, and ----
    Mr. Klopp. So, look, the difference is that cyber is 
designed to defend us against someone who is coming in trying 
to hack in through our systems, and that's a completely 
different ----
    Chairman Chaffetz. No, it is not.
    Mr. Klopp. No, it is a completely different discipline.
    Chairman Chaffetz. He came in ----
    Mr. Klopp. It's recognized by the Department of Homeland 
Security and those folks as a completely different discipline.
    Chairman Chaffetz. He came into the system ----
    Mr. Klopp. He ----
    Chairman Chaffetz.--he hacked his way into the system ----
    Mr. Klopp. He didn't hack his way into the system. He did 
not hack his way into the system.
    Ms. Colvin. No, he didn't.
    Mr. Klopp. What he did was he captured somebody else's 
identity and came in through the system legitimately as a 
fraudster. It is not within the--it's not recognized in the 
information technology world that that is a case of cyber 
attack. That is not the way the information technology world 
would view that. It is fraud. It is identity fraud, and it ----
    Chairman Chaffetz. He did ----
    Mr. Klopp. He did something that we are diligently fighting 
against but ----
    Chairman Chaffetz. He did ----
    Mr. Klopp.--it's not cyber fraud.
    Chairman Chaffetz. He didn't do this one or two times. He 
didn't go down the street and grab Betty's telephone number and 
address and say--he did this by the hundreds of times because 
he was able to get in there ----
    Mr. Klopp. Because he was able to get 100 identities. Go 
ahead.
    Ms. Colvin. That was because he was able to get Social 
Security numbers that he had access to, and that's the big 
issue of identity theft where you take someone else's identity. 
But we are now using data analytics to be able to prevent that 
kind of thing from happening. I've set up a complete center on 
data analytics where we can look at trends and patterns.
    Chairman Chaffetz. We will continue to flesh this out with 
you, but when somebody is able to go in there and change those 
addresses and do those types of things, I just disagree. I 
think that is it--that person again, if you are going out and 
stealing a couple numbers and you are doing that, that is a 
little different. I would grant you that. But when this person 
is doing this en masse and changing those addresses--it was the 
IG that found out about it first.
    Ms. Colvin. It's fraud, though. It's not cybersecurity. We 
know--I mean, it's a bad issue.
    Chairman Chaffetz. You've got a lot of ----
    Ms. Colvin. It's one we're working on.
    Chairman Chaffetz. You've got a lot of explaining to do to 
us ----
    Ms. Colvin. All right.
    Chairman Chaffetz.--on how you are differentiating this and 
who else that should be sitting at this table to protect 
against that.
    Ms. Colvin. And I would like an opportunity later, maybe 
not at this hearing, to explain to you what we're doing in 
those kinds of cases. But we're doing something very 
differently in dealing with those cases than what we're doing 
with cybersecurity, and we're working very closely with the 
Office of Inspector General in those kinds of cases.
    Chairman Chaffetz. All right. We have a vote on the Floor. 
I went over my time.
    Mr. Cummings. May I have just one ----
    Chairman Chaffetz. Yes.
    Mr. Cummings. Ms. Stone, with regard to fraud, and perhaps 
you might answer this, Commissioner Colvin, does finance affect 
your ability to get to those people who are trying to commit 
fraud? In other words ----
    Ms. Colvin. Well, it certainly does because when we 
identify a suspicious pattern in a case, we refer that to the 
Office of Inspector General. And because their resources have 
been inadequate, they're not able to handle every referral that 
we make to them. So that definitely would impact their ability 
to determine what is fraud because that is their role to 
determine what is fraud. We simply refer cases that are 
suspicious or that have a pattern.
    Mr. Cummings. Ms. Stone ----
    Mr. Klopp. In fact, it's worth--I'm sorry, it's worth 
quickly pointing out that when we see fraud, we refer to law 
enforcement. When we see cybersecurity, cyber breaches, we 
refer to a completely different branch.
    Mr. Cummings. All right. Is that accurate, Ms. Stone?
    Ms. Stone. That is correct, sir.
    Mr. Cummings. All right. Thank you.
    Chairman Chaffetz. All right. Two points I want to make and 
then we will close out here. I was elected in 2008, so that is 
the benchmark that I take in terms of funding. IT funding for 
Social Security Administration was about $1.1 billion. It is 
now roughly $1.5 billion. Everybody wants steady funding. I 
wish the Congress would move to 2-year funding. I think that 
would give people more exposure. But that is $400 million more 
than it was back in 2008.
    And so I know there is a lot of discussion about dollars 
and steadiness and it has been up and down, but it is hundreds 
of millions of dollars more than it was in 2008. And this 
penetration test report coming out of Homeland Security, this 
is--I am going to read this--we have got 11 minutes left on the 
Floor--on one of the concerns here.
    This is from Homeland Security from their report. ``Social 
Security team members were apprehensive about scanning or other 
rigorous testing of the mainframe due to its fragile operating 
posture. The DHS team decided to forgo testing of the mainframe 
in an effort to reduce the operational risk of bringing it 
down. It should be noted that the fragile state of the 
mainframe is a major vulnerability on its own and should be 
addressed as soon as possible.''
    I think we share a mutual concern of making sure--if they 
couldn't even get into do a test, how fragile is it? It is an 
ongoing question, and if you could help answer that question 
for us.
    We appreciate all you do and your cooperation in working 
with us. We would appreciate it ongoing. We thank you for your 
participation--Yes. Go ahead.
    Mr. Cummings. Just one real quick thing. I have a list of 
questions, Commissioner Colvin, with regard to EEOC and, you 
know, I understand that there has been an update on the issue. 
Can you tell us where we are on that?
    Ms. Colvin. Well, there were two recommendations that we 
had. One you are interested in what we were doing about the 
recommendation of EEOC, to have that operation report directly 
to me. I made that decision, and that will happen effective 
June 1.
    Mr. Cummings. Okay.
    Ms. Colvin. I think the second you have questions about the 
various EEO class-action cases.
    Mr. Cummings. Yes, that is right. The Jensen settlement, 
which was the disabled employees, has been settled. It is being 
implemented. The Taylor decision has been appealed on both 
sides, so we're waiting for a decision to that appeal.
    Mr. Cummings. I will have some additional questions which I 
will submit to you in writing.
    Ms. Colvin. I will be happy to answer those.
    Mr. Cummings. All right. Thank you.
    Ms. Colvin. Thank you.
    Chairman Chaffetz. Thank you. We have some additional 
questions as well, but we have a vote on the Floor, so the 
committee stands adjourned. Thank you.
    Ms. Colvin. Thank you so much.
    Ms. Stone. Thank you.
    [Whereupon, at 10:50 a.m., the committee was adjourned.]
                                APPENDIX

                              ----------                              


               Material Submitted for the Hearing Record
               
               
               
 [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]              