[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]










  SECURITY CLEARANCE REFORM: THE PERFORMANCE ACCOUNTABILITY COUNCIL'S
                              PATH FORWARD

=======================================================================

                                HEARING

                               BEFORE THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

                           FEBRUARY 25, 2016

                               __________

                           Serial No. 114-105

                               __________

Printed for the use of the Committee on Oversight and Government Reform




[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]









         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform
                                    ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

23-404 PDF                     WASHINGTON : 2017 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001                     
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                     JASON CHAFFETZ, Utah, Chairman
JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, 
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JOHN J. DUNCAN, Jr., Tennessee       CAROLYN B. MALONEY, New York
JIM JORDAN, Ohio                     ELEANOR HOLMES NORTON, District of 
TIM WALBERG, Michigan                    Columbia
JUSTIN AMASH, Michigan               WM. LACY CLAY, Missouri
PAUL A. GOSAR, Arizona               STEPHEN F. LYNCH, Massachusetts
SCOTT DesJARLAIS, Tennessee          JIM COOPER, Tennessee
TREY GOWDY, South Carolina           GERALD E. CONNOLLY, Virginia
BLAKE FARENTHOLD, Texas              MATT CARTWRIGHT, Pennsylvania
CYNTHIA M. LUMMIS, Wyoming           TAMMY DUCKWORTH, Illinois
THOMAS MASSIE, Kentucky              ROBIN L. KELLY, Illinois
MARK MEADOWS, North Carolina         BRENDA L. LAWRENCE, Michigan
RON DeSANTIS, Florida                TED LIEU, California
MICK MULVANEY, South Carolina        BONNIE WATSON COLEMAN, New Jersey
KEN BUCK, Colorado                   STACEY E. PLASKETT, Virgin Islands
MARK WALKER, North Carolina          MARK DeSAULNIER, California
ROD BLUM, Iowa                       BRENDAN F. BOYLE, Pennsylvania
JODY B. HICE, Georgia                PETER WELCH, Vermont
STEVE RUSSELL, Oklahoma              MICHELLE LUJAN GRISHAM, New Mexico
EARL L. ``BUDDY'' CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama
                                 ------                                

                   Jennifer Hemingway, Staff Director
                 David Rapallo, Minority Staff Director
                         Jack Thorlin, Counsel
                          William Marx, Clerk
                          
                          
                          
                          
                          
                          
                          
                          
                          
                          
                          
                          
                          
                          
                          
                          
                          
                          
                          
                          
                          
                          
                          
                          
                          
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on February 25, 2016................................     1

                               WITNESSES

Ms. Beth Cobert, Acting Direcor, U.S. Office of Personnel 
  Management
    Oral Statement...............................................     7
    Written Statement............................................     9
Mr. Terry Halvorsen, Chief Information Officer, U.S. Department 
  of Defense
    Oral Statement...............................................    13
    Written Statement............................................    15
Mr. Tony Scott, Deputy Director for Management, U.S. Office of 
  Management and Budget
    Oral Statement...............................................    18
    Written Statement............................................    20
Mr. William Evanina, Director of National Counterintelligence and 
  Security Center, Office of the Director of National 
  Intelligence
    Oral Statement...............................................    24
    Written Statement............................................    26

                                APPENDIX

Chairman Chaffetz Opening Statement..............................    60
Press Release from Senator David Vitter, submitted by Ranking 
  Member Elijah E. Cummings......................................    65
Responses to questions for the record from Terry Halvorsen, Chief 
  Information Officer at the U.S. Department of Defense, 
  submitted by Chairman Chaffetz.................................    66
Responses to questions for the record and relevant attachments 
  (#1-4) from Beth Cobert, Acting Director, U.S. Office of 
  Personnel Manaement, submitted by Chairman Chaffetz............    73
Responses to questions for the record from William Evanina, 
  Director of National Counterintelligence and Security Center, 
  Office of the Director of National Intelligence, submitted by 
  Chairman Chaffetz..............................................    89
Responses to questions for the record from Tony Scott, U.S. Chief 
  Information Officer, U.S. Office of Management and Budget, 
  submitted by Chairman Chaffetz.................................    97

 
                       SECURITY CLEARANCE REFORM:
         THE PERFORMANCE ACCOUNTABILITY COUNCIL'S PATH FORWARD

                              ----------                              


                      Thursday, February 25, 2016

                  House of Representatives,
      Committee on Oversight and Government Reform,
                                           Washington, D.C.
    The committee met, pursuant to call, at 9:59 a.m., in Room 
2154, Rayburn House Office Building, Hon. Jason Chaffetz 
[chairman of the committee] presiding.
    Present: Representatives Chaffetz, Mica, Duncan, Jordan, 
Walberg, Amash, DesJarlais, Massie, Meadows, Buck, Walker, 
Blum, Hice, Russell, Carter, Hurd, Palmer, Cummings, Maloney, 
Norton, Lynch, Connolly, Duckworth, Lawrence, Lieu, Plaskett, 
DeSaulnier, and Welch.
    Chairman Chaffetz. Without objection, the chair is 
authorized to declare a recess at any time.
    I appreciate you all being here for this hearing, 
``Security Clearance Reform: The Performance Accountability 
Council's Path Forward.''
    At last count, the Director of National Intelligence 
reported 4.5 million people held security clearances, 4.5 
million, and the queue for clearances continues to grow. At the 
end of fiscal year 2015, there were more than 388,000 new 
background investigations, and 117,000 periodic 
reinvestigations backlogged at the Office of Personnel 
Management. That is a lot of folks with access or requesting 
access to our most sensitive national security information.
    And we have learned last year that most if not all the 
personal information collected during background investigations 
was exfiltrated in one of our country's biggest cyber attacks. 
We have to be careful not to ever, ever allow that to happen 
again. We have to fix the process, and we have to protect the 
information we collect.
    And as part of my opening statement, I would actually like 
to yield some time to the gentleman from Oklahoma, who has been 
very keenly involved in this, Mr. Russell.
    Mr. Russell. Thank you, Mr. Chairman.
    And I do appreciate the panel also being here today.
    Following the June 2015 OPM data breach, I began working 
with my good friend and colleague Congressman Ted Lieu on a 
path forward that would protect not just the personal and 
private information of those who hold security clearances but 
what amounts to crown jewels for any foreign intelligence 
service.
    My concern deepened as we learned the full extent of the 
breach. All told, 18 million records were stolen in the breach, 
including data on military and intelligence personnel, placing 
Americans at great risk that has not abated.
    I also received a letter from my time in the service being 
a former top secret SCI clearance holder in the military 
stating that my data had been compromised. For me and my friend 
Congressman Ted Lieu, who also received a letter, this is not 
some academic issue.
    It should also be noted that the DOD never lost security of 
such data when it was under their care. It was through 
pressure, largely from Congress, to save money, make an effort 
to eliminate a large backlog. Well, we eliminated the backlog 
by eliminating security. Whatever savings we had has surely 
been forfeited in that result.
    Today, we will examine the reform efforts advanced by the 
90-day sustainability and security review by the Performance 
Accountability Council, or PAC. One of the main points of 
emphasis I made along with Mr. Lieu was the need for the 
Department of Defense to own the data for our service members 
and Department civilians. And I am encouraged that the PAC 
review will result in this being accomplished.
    Under the reforms recommended by the PAC, the Department of 
Defense will be responsible for not just building the 
infrastructure that will house this critically important data; 
they will also be responsible for defending it.
    The questions remain, however, that while the DOD has been 
given the responsibility, will they be given the authority 
while being placed under a bureau that is placed under a 
department? This has to be answered.
    I remain concerned regarding the creation of the new 
National Background Investigations Bureau, or NBIB. NBIB will 
ultimately absorb the Federal Investigative Service, which 
currently is tasked with conducting background investigations 
for the vast majority of our government. And while I believe we 
all recognize the pressing importance and urgency of 
modernizing and updating the security clearance process, I 
remain unconvinced that allowing an OPM entity, whether its 
name be FIS or NBIB, is the correct path in the long term. 
After all, the OPM allowed the worst breach of secure data in 
our nation's history.
    I hope that today's hearing will show by NBIB will be a new 
way forward rather than just a rebranding of FIS. I appreciate 
the willingness of Acting Director Cobert and other members of 
the PAC that they have shown in working with me and Congressman 
Lieu on this issue and your willingness to give us complete 
access and answer our questions.
    My aim in this hearing, as I hope we will hear today with 
the chairman's indulgence, is to ensure that the process 
forward for NBIB is the right path and that we are not just 
putting a fresh coat of paint on a house with a bad foundation, 
a house that our enemies have broken into and stolen everything 
in it, I might add.
    I look forward to hearing from our panel of witnesses as we 
seek to understand the difference between NBIB and its 
predecessor, as well as the role of the Department of Defense 
in protecting this vital information.
    And, Mr. Chairman, with that, I yield back.
    Chairman Chaffetz. I thank the gentleman.
    In the essence of time, I will submit the remainder of my 
opening statement into the record.
    Chairman Chaffetz. I now recognize the ranking member, the 
distinguished gentleman from Maryland, Mr. Cummings.
    Mr. Cummings. Thank you very much, Mr. Chairman. And I want 
to thank you for holding today's hearing. I commend both 
Congressman Lieu and Russell for their work on this issue and 
for requesting today's hearing.
    I would like to yield 2 minutes to the gentleman from 
California, Mr. Lieu.
    Mr. Lieu. Thank you, Ranking Member Cummings, for giving me 
the opportunity to speak. And I want to thank the chair and the 
ranking member for holding this hearing, as well as last year's 
hearings, that exposed fundamental weaknesses in our nation's 
cybersecurity, particularly as applied to OPM.
    And last year's OPM data breach was the most significant 
government cybersecurity breach we have ever uncovered and 
serves as a poignant reminder that U.S. Government needs to 
change the culture of cybersecurity.
    It also revealed that there was an irrational system where 
we had a human resources agency protecting these critical 
national security assets or security clearance records, and as 
Representative Russell mentioned, not only did we both get 
notices that our information was compromised, I think our 
spouses did as well.
    In October 7 of last year, Congressman Russell and I wrote 
a letter to the administration. It was to the Performance 
Accountability Council requesting that you transfer the 
security clearance data, the protection and design of it, to a 
Department of Defense agency. The letter was dated October 7, 
and, Mr. Chairman, I would like to enter it into the record.
    Chairman Chaffetz. Without objection, so ordered.
    Mr. Lieu. I am pleased that the administration and the PAC 
board has in fact now put forward a plan that will transfer the 
design and protection of this information to a DOD agency.
    I do share the same concerns that Congressman Russell has 
regarding the NBIB. I would like to know why it is we need the 
creation of a new bureau, how it would be different from the 
Federal Information Service, and whether the lines of authority 
are clear, and if there is going to be accountability.
    And I agree with Congressman Russell that we need to hear 
about how these reforms are not just going to be window 
dressing on a broken home but a comprehensive renovation.
    And let me again thank the witnesses here today for your 
public service, for your hard work on this issue, and look 
forward to working with you to make our nation's cybersecurity 
stronger.
    I yield back.
    Mr. Cummings. Again, I want to thank Representative Lieu 
and Representative Russell for their leadership on this issue.
    And, Mr. Chairman, this is precisely the type of hearing 
our committee should be having, looking across agencies at new 
proposals to improve the effectiveness and efficiency of 
government.
    Mr. Chairman, in 2013, a very disturbed Navy contractor 
with a security clearance shot and killed 12 people and injured 
four others here in Washington, D.C. Our committee conducted an 
investigation of that terrible shooting, and we found that a 
contractor USIS conducted the shooter's background check. We 
found that USIS failed to include information on his previous 
arrest for shooting out the tires of his neighbor's car. As a 
result, he was given a secret-level security clearance.
    We also found that USIS committed fraud against the 
American taxpayers on a much wider scale by submitting 
incomplete background investigations. USIS ultimately agreed to 
the demands of the Justice Department to forego $30 million as 
a result of its actions, and it no longer conducts background 
checks on behalf of the Federal Government.
    I ask unanimous consent that the report I issued on this 
topic be entered into the record.
    Chairman Chaffetz. Without objection, so ordered.
    Mr. Cummings. Thank you, Mr. Chairman.
    Then, last year, cyber attackers successfully breached 
OPM's data systems. Again, our committee investigated, and 
again, we found a weak link in the chain: a contractor. We 
heard testimony explaining that these cyber attackers were able 
to gain access to Federal systems by using KeyPoint's 
privileged access to OPM's networks. As a result, the personal 
information of millions of Federal employees with security 
clearances was compromised.
    These cyber attacks on OPM were not isolated incidents. 
Other Federal contractors, including Anthem and Premera, were 
also attacked. Experts believe these were all part of a 
sophisticated, coordinated cyber espionage campaign. They all 
occurred at about the same time, they all targeted sensitive 
information about Federal employees, and they all were carried 
out using similar malware.
    The proposal we are discussing today is a significant and 
substantive response to these events, and it is more than just 
the new National Background Investigations Bureau. The 
administration's proposal leverages the expertise of key parts 
of the government like the Department of Defense to provide 
critical IT and cybersecurity capabilities.
    I believe this is a serious effort to combat sophisticated 
cyber attackers who are targeting our government, and it 
deserves serious consideration by this Congress.
    Today, I want to hear more about how this proposal will 
address the significant problems we have had with these 
contractors. The government's reliance on contractors helps 
supplement their workforce and increase our capabilities, but 
as we have seen, it also carries major risks. I want to know 
how the administration's proposal will increase oversight and 
accountability over contractors charged with safeguarding some 
of our nation's most sensitive information.
    Let me address two final points. First, earlier this week, 
Donna Seymour, OPM's chief information officer, retired after 
more than 35 years of service to our great country. 
Unfortunately, some have inaccurately--inaccurately--blamed Ms. 
Seymour for preexisting vulnerabilities she inherited. Now, I 
was one of the most vocal critics of the CIO's office at our 
last hearing because the inspector general raised concerns 
about obtaining access to information from that office. And I 
continue to believe those concerns were valid.
    However, our investigation has now found that the cyber 
attacks against OPM were already underway when Ms. Seymour took 
office in December of 2013. In addition, experts in and out of 
the agency informed us that she helped uncover the attack, she 
led an aggressive response, and she elevated cybersecurity to a 
top priority when previously it had language.
    Finally, Mr. Chairman, I want you to know that I believe 
that these recent political attacks against Ms. Seymour are 
both unfair and inaccurate. They also set a terrible precedent 
that would discourage qualified experts from taking on the 
challenges our nation faces in the future.
    Finally, on that same note, as we sit here today, certain 
Republicans in the Senate are holding up the nomination of a 
great public servant, Beth Cobert as OPM Director, for 
political reasons that have nothing, absolutely nothing to do 
with her qualifications for the position. As we all know, 
Republicans are threatening to block anyone the President 
nominates to the Supreme Court for political reasons in the 
same way they are stalling Ms. Cobert's nomination, despite the 
fact that she has been widely praised for turning things around 
at the agency.
    I have said it before and I will say it again: We must not 
only reach common ground, we must reach higher ground. And that 
is what the American people are demanding of us, and that is 
why they are so frustrated. Just this morning, Senator David 
Vitter issued a press release proclaiming that he is ``blocking 
Beth Cobert to be Director of the Office of Personnel 
Management'' as if he is bragging about it. He is doing this 
because of his political opposition to the Affordable Care Act 
and not for anything relating to the actions of Ms. Cobert.
    I have a copy of the press release here, and I ask 
unanimous consent that it be entered into the record, Mr. 
Chairman.
    Chairman Chaffetz. Without objection, so ordered.
    Mr. Cummings. As I close, this is simply outrageous. The 
inspector general has praised her efforts, and even some of her 
critics in Congress have praised her leadership. There is 
absolutely no reason to continue playing politics, and I hope 
that every member of our committee will join me today in asking 
the Senate to confirm President Obama's nomination for this 
position as soon as possible.
    Mr. Chairman, again, I want to thank you for your 
indulgence. I want to thank you for calling this very important 
hearing, and I look forward to the testimony of our witnesses.
    And with that, I yield back.
    Chairman Chaffetz. I thank the gentleman.
    I will hold the record open for 5 legislative days for any 
member who would like to submit a written statement.
    As we introduce this first panel of witnesses, I want to 
particularly thank Ms. Cobert, who has been nominated by the 
President to be the new Director of the Office of Personnel 
Management. I find her to be a very competent person who is a 
breath of fresh air who actually has the background to run this 
agency.
    Part of the reason we got into this mess, since you brought 
it up, to the ranking member, is that there was a political 
appointee that was put in there who had no business running the 
Office of Personnel Management. She was terribly under-
qualified to do this, and I am glad that the agency has taken 
action to get rid of what I consider to be one of the worst 
problems, which was their CIO because there were undoubtedly 
problems, but that was in my personal opinion not part of the 
solution.
    Now, that has been taken care of, and we can further debate 
that. That is not the subject of the hearing today. What I 
appreciate is the communication from Ms. Cobert. I think she 
has, as I said, the right background. We do still need some 
responsiveness relating to a subpoena, but I do believe that 
the Office of Personnel Management is making an effort to get 
that information to us.
    I want to be one that is counted as supporting her 
nomination, and I think the country will be better off, the 
government will be better off confirming her presence and 
allowing her to be the Director, fully confirmed, as soon as 
possible.
    Mr. Cummings. Mr. Chairman, would you yield for just ----
    Chairman Chaffetz. Yes.
    Mr. Cummings.--30 seconds?
    Chairman Chaffetz. Yes.
    Mr. Cummings. Would you join me in a letter today to send 
to Senator Vitter saying what you just said?
    Chairman Chaffetz. I will send one to the majority leader 
----
    Mr. Cummings. All right.
    Chairman Chaffetz.--but ----
    Mr. Cummings. That will do.
    Chairman Chaffetz.--I don't want to send one to a specific 
----
    Mr. Cummings. Fine.
    Chairman Chaffetz. But ----
    Mr. Cummings. I would appreciate that.
    Chairman Chaffetz.--I am saying it publicly. I will put it 
in writing. I believe Ms. Cobert has the right qualifications. 
I think the country and the office will be better off with her 
confirmation.
    Mr. Cummings. I just wanted to make sure we did it together 
if we can.
    Chairman Chaffetz. Yes.
    Mr. Cummings. Thank you very much.
    Chairman Chaffetz. And so that is quite the introduction to 
joining us here today. We do appreciate your presence and your 
expertise and look forward to hearing how we move forward, but 
again, I am glad that there have been changes in the CIO's 
office. That is part of the solution and gets rid of the 
problem.
    Mr. Terry Halvorsen, who is the chief information officer 
at the United States Department of Defense, welcome here, sir. 
Thank you.
    Mr. Tony Scott, Deputy Director for Management at the U.S. 
Office of Management and Budget, we appreciate your presence as 
well; and Mr. William Evanina, did I pronounce that--yes, I 
hope so. Thank you. The Director of National 
Counterintelligence and Security Center at the Office of the 
Director of National Intelligence. We appreciate your presence 
as well.
    All of these panel members have very important, critical 
roles to the safety and security of our nation. We thank you 
for participating.
    Pursuant to committee rules, all witnesses are to be sworn 
before they testify, so if you will all please rise and raise 
your right hand.
    [Witnesses sworn.]
    Chairman Chaffetz. Thank you. The witnesses may be seated. 
Let the record reflect that all of them answered in the 
affirmative.
    In order to allow time for robust discussion and 
questioning by members, we would appreciate it if you would 
limit your verbal comments to 5 minutes. Your entire written 
statement will be submitted into the record.
    Ms. Cobert, you are now recognized for 5 minutes.

                       WITNESS STATEMENTS

                    STATEMENT OF BETH COBERT

    Ms. Cobert. Chairman Chaffetz, Ranking Member Cummings ----
    Chairman Chaffetz. Sorry, microphone there. Yes, thank you.
    Ms. Cobert. Get that right. Chairman Chaffetz, Ranking 
Member Cummings, and members of the committee, thank you for 
the opportunity to testify before you today.
    This year, the administration announced significant changes 
to how the Federal Government performs background 
investigations. As a result, OPM will stand up the National 
Backgrounds Investigations Bureau, NBIB. The NBIB will absorb 
the operations of OPM's Federal Investigative Services and will 
be housed within OPM. The NBIB will be a new government-wide 
service provider for background investigations. OPM has and 
will work closely with their interagency partners on this 
effort that is so critical to the integrity of the Federal 
workforce and our national security.
    The NBIB presents significant change for the Federal 
Government in a number of important and positive ways. DOD will 
design, build, and operate the NBIB's investigative IT systems 
in coordination with the NBIB. This strengthens the Federal 
Government's security clearance and background investigation 
processes by leveraging DOD's significant IT, national 
security, and cybersecurity expertise.
    NBIB will also have elevated standing and prominence within 
the national security leadership across the government. The 
head of NBIB will be a Presidential appointee and a full member 
of the Suitability and Security Clearance Performance 
Accountability Council, the PAC. Additionally, NBIB will have 
its own dedicated structures in vital areas of operations 
tailored to NBIB's core mission.
    Finally, we will institutionalize NBIB's ability to tap 
into the rich expertise and knowledge that exist across the 
Federal Government through locating the leadership team in 
Washington, D.C., and utilizing programs such as rotating 
details and joint-duty assignments.
    OPM plays an important role in conducting background 
investigations for the vast majority of the Federal Government. 
Currently, OPM's Federal Investigative Services conducts 
investigations for over 100 Federal agencies, approximately 95 
percent of the total background investigations government-wide, 
including more than 600,000 national security investigations 
and 400,000 investigations related to suitability, fitness, or 
credentialing each year.
    The NBIB will assume the investigative functions of OPM's 
Federal Investigative Services and add important new 
capabilities. The NBIB will concentrate solely on its mission 
to provide effective, efficient, and secure background 
investigations for the Federal Government. The NBIB will 
receive dedicated support in key areas, including acquisition 
and privacy, and will focus on bringing in additional talent 
with national security expertise as we do so.
    To begin the implementation phase of these reforms, we are 
establishing a transition team. This team, comprised of 
personnel from the PAC member agencies, will be established by 
mid-March. Supporting the implementation of the NBIB and aiding 
its success will be a core focus for the PAC. The NBIB will 
leverage existing expertise, resources, and processes for 
providing government-wide services as it is launched.
    The NBIB will work closely with OPM's Federal Investigative 
Services leadership to minimize disruption for agencies that 
rely on us to perform background investigations. We are working 
along with DOD to establish an initial transition schedule to 
sunset the OPM IT systems currently supporting background 
investigations.
    Throughout these efforts, we will provide continuity of 
service to our customer agencies by providing quality 
background investigation services. Our goal is to have the 
NBIB's initial operating capability officially established with 
a new organizational design and a leader in place by October 
2016.
    The establishment of the NBIB continues this 
administration's work to protect American citizens and some of 
our nation's most sensitive information and facilities. On 
behalf of OPM, I am proud to be part of this most recent effort 
by the administration. I look forward to working with my 
colleagues on this panel, with our customer and partner 
agencies across the Federal Government, and with this Congress 
in a bipartisan, collaborative fashion for the benefit of the 
American people. I'm happy to answer any questions you may 
have. Thank you.
    [Prepared statement of Ms. Cobert follows:]
    
    
 [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

       
    Chairman Chaffetz. Thank you.
    Mr. Halvorsen, you are now recognized for 5 minutes.

                  STATEMENT OF TERRY HALVORSEN

    Mr. Halvorsen. Good morning, Mr. Chairman, ranking member, 
and distinguished members of the committee. Thank you for this 
opportunity to testify before the committee today on DOD's 
information technology and cybersecurity support to the 
National Background Investigation Bureau.
    In duly capacity, I look forward to expanding this role 
with the opportunity to oversee IT systems for the National 
Background Investigation Bureau. This is an opportunity for the 
Federal Government to truly capitalize on established DOD 
technology, commercial expertise, other government expertise to 
improve the security of the IT infrastructure for the vital 
Federal background investigation system process.
    DOD has substantial experience in the development of 
systems with strong cybersecurity and has worked to integrate 
commercial- and government-developed cyber defense and 
detection tools into the DOD networks. This gives the 
Department unique cyber defense capabilities.
    The DOD is driving cultural, business, and technical 
innovation into DOD by better integrating our IT 
infrastructure, supporting agile and innovative IT. We will do 
the same here.
    The Department's cybersecurity workforce is well trained to 
protect against and respond to cyber intrusions. Our 
cybersecurity operations and procedures are mature and 
reinforced by policy and regulations across the Department.
    We will bring together the Department's full range of 
resources and expertise. The Defense Information Systems Agency 
will oversee the organization's effort to provide the IT 
services and security with continual oversight by my office in 
my role as the CIO.
    The Department's objective, of course, is to replace the 
current background investigation information systems with a 
new, more reliable, flexible, and secure system in support of 
the NBIB while we ensure continuous operations for the vital 
background investigations system and ensure that we are making 
as much security improvements to the current systems while we 
are in the process of replacing them.
    I echo Beth's comments. We have been working closely 
together with OPM and other parts of the government since this 
incident was discovered. We will continue to do so.
    DOD will cooperatively conduct a full cybersecurity 
assessment of the current background investigations 
infrastructure. This joint assessment will determine the near-
term steps that the Department will take to assist OPM with the 
operation of the current system, as well as to develop the 
steps that OPM itself can take to better defend the current 
systems as we are designing and putting in of the new 
investigation systems IT infrastructure.
    I will stress again we will do this in cooperation with 
everyone, but in the end, DOD has the technical responsibility 
and the technical expertise to oversight what we are doing in 
this new IT investigation system.
    Thank you, and stand by for your questions.
    [Prepared statement of Mr. Halvorsen follows:]
    
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    
    Chairman Chaffetz. Thank you.
    Mr. Scott, I incorrectly identified your title. You are 
actually the U.S. chief information officer. My apologies for 
that. But you are now recognized for 5 minutes.

                    STATEMENT OF TONY SCOTT

    Mr. Scott. Thank you, Chairman Chaffetz. I was grateful for 
the promotion, but my boss would probably be angry about that.
    So, Chairman Chaffetz, Ranking Member Cummings, and members 
of the committee, thank you for the opportunity to speak about 
the administration's recently announced changes to modernize 
and strengthen how the Federal Government performs and 
safeguards background investigations for its employees and 
contractors.
    As you know, the Federal Government issues, handles, and 
stores important and sensitive data, and we use this data to 
conduct critical government functions, one of which is the 
subject of today's hearing, the Federal Government's background 
investigations process.
    As we all know, as technology evolves and our economy 
becomes more digitally connected, the Federal Government's 
tools, systems, and processes for managing sensitive data and 
for conducting background investigations must also evolve. And 
to protect the personal data of our employees and citizens, we 
must keep pace with the technology advancements that occur in 
order to anticipate, detect, and counter external and internal 
attempts to breach government systems.
    In my role as Federal chief information officer, I'm 
particularly concerned with confronting the unyielding 
cybersecurity threats posed to the information technology 
systems used across the Federal Government. My team is 
responsible for developing and overseeing the implementation of 
Federal IT policy through a variety of responsibilities. Today, 
I'll focus on the Administration's response to increasing 
cybersecurity threats and actions we are taking to improve the 
government's background investigation process through the 
establishment of the new National Background Investigations 
Bureau, or NBIB.
    In 2008, the interagency sustainability--or Suitability and 
Security Clearance Performance Accountability Council, or the 
PAC as we call it, was established through an Executive order. 
The PAC is convened and chaired by the Office of Management and 
Budget and consists of the Director of National Intelligence, 
the Director of the U.S. Office of Personnel Management, and 
the Departments of Defense, Treasury, Homeland Security, State, 
Justice, and Energy, and the FBI, among other agencies.
    The PAC oversees reforms to the process--or to the 
processes on which Federal agencies and the public rely to 
ensure that Federal employees, contractors, and members of the 
armed forces are suitable for employment and can be trusted 
with access to facilities and sensitive information.
    As Beth mentioned, the administration will establish a new 
Federal entity, the National Background Investigations Bureau, 
to modernize and strengthen the government's background 
investigation processes. That will include organizational 
redesign led by a political appointee, who will be a full 
member of the PAC.
    It will include reengineering efforts to look at underlying 
business processes. DOD will design, build, secure, and operate 
NBIB's IT. This will leverage DOD's expertise in IT and 
cybersecurity while better protecting sensitive information and 
will deploy the fullest security resources against increasingly 
sophisticated and evolving threats.
    To support this work, the President's fiscal year 2017 
budget includes $95 million within DOD's top line that will be 
dedicated to the development of these IT capabilities.
    The PAC will establish an interagency cybersecurity 
advisory group to provide advice and counsel on system 
development and threat mitigation, and these efforts are 
consistent with OMB's direction to all Federal agencies to 
modernize their IT systems to adequately secure mission 
functions, systems, and information. And a dedicated privacy 
official will be appointed to advance privacy by design as new 
processes and systems are developed.
    More broadly, enhanced cybersecurity across all Federal 
agencies will be strengthened by the implementation of the 
Cybersecurity National Action Plan, or CNAP, which builds on 
the security measures and initiatives that have been 
implemented in response to the 2015 cyber incidents. The CNAP 
takes near-term actions and puts in place a long-term strategy 
to enhance cybersecurity awareness and protections and begin 
the long-overdue replacement of legacy systems while ensuring 
privacy and maintaining public safety and economic and national 
security.
    We look forward to working with Congress to create a more 
secure, efficient, and effective Federal backgrounds 
investigations infrastructure. I thank the committee for 
holding this hearing and pleased to answer any questions you 
may have.
    [Prepared statement of Mr. Scott follows:]
    
    
    
  [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

  
    Chairman Chaffetz. Thank you.
    Mr. Evanina, you are now recognized for 5 minutes.

                  STATEMENT OF WILLIAM EVANINA

    Mr. Evanina. Thank you, sir. Chairman Chaffetz, Ranking 
Member Cummings, members of the committee, first, thanks for 
having the opportunity to have me representing the intelligence 
community be here with you as part of this panel and to take 
part in the formation of the National Background Investigations 
Bureau and provide an update on substantive reforms and 
security clearance processes that we have done so far in this 
effort.
    As the national counterintelligence executive and the 
Director of the National Counterintelligence and Security 
Center, I have the privilege of working with some of the best 
and brightest security minds in the United States Government. I 
am honored to share with you the progress we have made with 
respect to security clearance reforms and raising awareness 
throughout the United States Government on the potential 
security threats resulting from multiple breaches and the theft 
of personally identifiable information known as PII.
    The Director of National Intelligence is a principal member 
of the PAC, and I act on his behalf in this role. On behalf of 
the intelligence community, the ODNI strongly endorses this 
plan to create the National Background Investigations Bureau 
and leverage the Department of Defense's--all their skills, 
abilities, tools, and techniques to protect the associated 
systems and data. I am committed to this partnership with the 
NBIB and will continue our holistic and collective approach 
towards successfully implementing new security clearance 
processes.
    In accordance with the Intelligence Reform and Terrorism 
Protection Act and Executive Order 13467, the security 
executive agent is responsible for directing the oversight of 
investigations and determinations of eligibility for access to 
classified information or to hold sensitive positions rendered 
by any executive branch department or agency.
    These authorities also give the DNI responsibilities to 
develop uniform and consistent policies and procedures and to 
ensure the effective, efficient, and timely completion of 
investigations and adjudications.
    We've been working diligently to establish a policy 
framework and infrastructure for robust engagement on national 
security processes across the U.S. Government. I have included 
examples of governance, policy, and standards in my statement 
for the record. However, I'd like to highlight just a few here 
today.
    In October 2013, the DNI issued executive correspondence 
directing agencies to review and validate whether employees or 
contractors actually require eligibility for access to 
classified information. This effort resulted in a reduction of 
clearance-holders by approximately 18 percent across the United 
States Government. This effort continues today.
    In June of 2015, the DNI issued correspondence on 
implementation of continuous evaluation, providing executive 
branch agencies direction in reevaluating clearance-holders on 
a more frequent and automated basis. And in June of 2015, OPM 
and ODNI issued their first joint regulation on designating 
national security positions, which standardized this process 
across the entire government.
    In my role as the national counterintelligence executive 
and the Director of NCSC, I have been emphasizing the benefits 
of merging counterintelligence and security because we know 
they are stronger together. This partnership provides the 
enhanced ability to both identify threats posed by foreign 
adversaries and at the same time enact security measures to 
mitigate those threats.
    NCSC is actively reviewing and assessing all threats posed 
by foreign adversaries, including those related to cyber 
breaches and theft of PII. Specific to the theft of PII over 
the past few years NCSC initiated a comprehensive national 
counterintelligence and awareness campaign to educate those 
impacted, like members here in this panel, by the breach that 
happened last year, including former government employees and 
former contractors and their families.
    This past September, my office began releasing educational 
awareness videos and materials for a Web site NCSC.gov and 
actively engaging with all departments and agencies on such 
topics as spear-phishing, social media deception, and human 
targeting. We are in the process of releasing a fourth video on 
travel awareness.
    To date, the campaign has reached over 330 organizations to 
include over 100 U.S. Government departments and agencies, 
private sector groups, and cleared industry. I or my staff have 
participated in over 15 briefings and hearings to multiple 
committees to address CI and security implications of all 
breaches that have occurred in the last few years.
    Additionally, NCSC has provided briefings to well over 150 
Senate, House staff--and Senate staff to provide tools to 
mitigate such threat--threats for themselves, their families, 
their members, and constituents.
    We continue to explore every possible avenue to maximize 
distribution of the campaign materials. We are currently 
partnering with the--with DHS and the White House using social 
media and private sector engagements. NCSC, leading the entire 
intelligent community, continues to provide enhanced awareness 
to individuals victimized by the recent breaches and provide 
mitigation strategies to thwart potential foreign adversaries.
    In conclusion, NCSC values our robust partnership with OPM, 
OMB, and DOD and other PAC stakeholders in this committed 
endeavor. Together, we will continue to take our necessary 
steps to enhance government-wide policies and procedures in 
securing our systems and our data.
    And once again, I would like to thank the committee for the 
opportunity to provide an update on security clearance reforms, 
formation of the NBIB, and NCSC's efforts to mitigate the 
impact of all the breaches, and specifically with respect to 
PII. We look forward to working with your committee and the 
rest of the Congress, and I'm happy to answer any questions you 
may have.
    [Prepared statement of Mr. Evanina follows:]
    
    
    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    

    Chairman Chaffetz. Thank you. I now recognize myself for 5 
minutes.
    Ms. Cobert, we have some outstanding document requests. 
When will we get those?
    Ms. Cobert. We're continuing ----
    Chairman Chaffetz. Microphone, please.
    Ms. Cobert. I will get this right. I apologize.
    We are continuing to work through those. I know we made a 
delivery of a significant number of documents by the date of 
the subpoena, and we are working with your office to prioritize 
those. We are working to get them to you as fast as we can.
    Chairman Chaffetz. And I would hope that the ranking member 
would also join us in those document requests.
    Mr. Cummings. I will.
    Chairman Chaffetz. Thank you. I want to talk about social 
media. Ms. Cobert, will all agencies look at social media for 
those applying for security clearances?
    Ms. Cobert. Thank you, Congressman. Let me start and I 
think ----
    Chairman Chaffetz. We don't have much time.
    Ms. Cobert. We are in the process working with the DNI ----
    Chairman Chaffetz. Why wouldn't you look at social media?
    Ms. Cobert. In looking at social media, we want to make 
sure that we are looking at it in a way that is effective, that 
brings insight to the process, that reflects what's in that 
information and it's done in an appropriate and systematic way.
    Chairman Chaffetz. Will ----
    Ms. Cobert. And that's the new policies that we are working 
to put in place.
    Chairman Chaffetz. Will you require that each person 
applying for a security clearance provide their online 
identities to you?
    Ms. Cobert. The specifics of the social media policy are 
ones we are working through with the DNI. As the security 
executive agent, they set the policies that we follow.
    Chairman Chaffetz. Okay. Mr. Evanina, why the hesitation on 
providing social media information?
    Mr. Evanina. Sir, there is no hesitation. We've been 
working robustly the last few years with the Department of 
Defense to enact I think what we believe to be a robust policy 
on selecting ----
    Chairman Chaffetz. So what is the policy in short?
    Mr. Evanina. Well, the policy in short is utilization of 
social media to enact investigations and adjudications of 
individuals who request a security clearance. And that's in the 
process as we speak.
    Chairman Chaffetz. Do you require anybody seeking a 
security clearance to provide their online identities?
    Mr. Evanina. Well, not at this point right now, but through 
the pilots we have issued throughout the government and DOD, we 
----
    Chairman Chaffetz. See, this is my frustration. You have 
been working on this for years, and you haven't yet implemented 
a policy that requires them to identify their online 
identities. How hard is that? It is a one-sentence question.
    Mr. Evanina. Well, I think the difficulty begins when you 
have the mixture of executive branch organizations, and 
currently right now the issues are multifaceted. It involves 
the utilization of privacy issues for the ----
    Chairman Chaffetz. What privacy issue do you have? By its 
very definition, social media means you are not being private.
    Mr. Evanina. I concur, sir, but the issue is getting past 
the password and having authority granted or waiver to get 
through the password to get to the information which is in the 
social media.
    Chairman Chaffetz. So we are going to grant them a security 
clearance to access the information of the United States of 
America, information that can't be shared to the public, and 
they won't share their information with you?
    Mr. Evanina. I hope not.
    Chairman Chaffetz. Well, when are you going to have this 
policy done?
    Mr. Evanina. Well, the policy is currently out of the ODNI, 
and it is in coordination with the executive brach of the 
government.
    Chairman Chaffetz. When is it going to be done? Who is in 
charge of this?
    Mr. Evanina. Currently ----
    Chairman Chaffetz. Who do we call to this committee to 
explain this to us?
    Mr. Evanina. It's currently with the Office of Management 
and Budget for coordination.
    Chairman Chaffetz. Okay. Mr. Scott, where are we at with 
this?
    Mr. Scott. I don't know, but I will find out and get back 
to you.
    Chairman Chaffetz. And you are the--I need to get it 
right--chief information officer for the--so--I am sorry. The 
chief information officer for the United States of America.
    Mr. Scott. I just don't know today where we're at on that 
particular policy ----
    Chairman Chaffetz. This is the cluster ----
    Mr. Scott.--but I will find out and get back to you.
    Chairman Chaffetz. This is the cluster that is the Federal 
Government. This should be such a simple question. It should be 
on your form, show us all your online identities. And then as 
we are doing a background investigation, how can you not go 
look at their Facebook page or their Twitter posts or their 
Instagram or Snapchat or any of the other ones? We don't do 
that? How moronic are we? I mean, come on. My 14-year-old could 
figure this out. What is the hesitation?
    Yes, this is the problem. It is just silent. I was planning 
to take 20 seconds on this question and we should probably do 
an entire hearing on how we don't look at the social media of 
people we--we give top security clearance, we are showing 
people--we are putting people's lives in danger, their very--
and we can't go online and look at their social media? All 
right. I have got to keep going but this is--go hire a bunch of 
teenagers. They would do it better than we are doing it. I 
mean, they know how to do this stuff but we don't as a 
government--ISIS has figured it out. They know how to do it, 
but we don't seem to do it.
    All right. With the National Background Investigation 
Bureau, which inspector general has jurisdiction, Mr. 
Halvorsen?
    Mr. Halvorsen. I don't think a single inspector general 
will have jurisdiction. I can assure you that certainly the DOD 
IG, as we build the IT systems, will look at this. I ----
    Chairman Chaffetz. Will you provide access? Will there be 
any limitations on access for the inspector general for OPM to 
look at this?
    Mr. Halvorsen. No, sir. We couldn't do that legally. They 
have access legally to look at all that, as does the General 
Accounting Office, and I am sure there will be many committees 
and offices that will want to have access to this. Legally, 
they'll be entitled to that, and we will give it to them.
    Chairman Chaffetz. I appreciate it.
    As the DOD's CIO, are you ultimately going to be 
responsible for the IT system at the NBIB?
    Mr. Halvorsen. Yes.
    Chairman Chaffetz. And will you report to the Director of 
the NBIB or will you be able to make IT decisions and overrule 
the NBIB? Who is in charge?
    Mr. Halvorsen. In the end, DOD is in charge of the 
technical decisions, but I will stress we have worked well 
together with all of the members of this panel. We will 
continue to coordinate with all of the customers. We will 
continue to do this in a cooperative way. But in the end, I 
report to the Secretary of Defense. The Secretary of Defense is 
the biggest customer of the NBIB, and I assure you, I don't 
expect any problems to come up. If they do, I'll take them 
directly to the Secretary of Defense.
    Chairman Chaffetz. But you are in charge, correct?
    Mr. Halvorsen. I am the accountable official for building 
this IT system the right way.
    Chairman Chaffetz. I appreciate it. My time is expired. I 
will now recognize the gentleman from Maryland, Mr. Cummings.
    Mr. Cummings. Thank you very much, Mr. Chairman.
    James Clapper, Director Cobert, the Director of National 
Intelligence, recently told an audience at the Naval Academy 
that the number one threat facing our country is cyber attacks. 
He said, ``The cyber threat is here. It is upon us now and we 
need the people here today to help us defend our systems and 
our nation.''
    I do appreciate the collaborative interagency approach you 
all are taking with regard to this proposal. I would like to 
know what you are doing to enhance oversight of government 
contractors because our investigations have shown that 
contractors have repeatedly been the weak link in Federal 
cybersecurity. In the OPM data breach, for instance, cyber 
attackers first breached KeyPoint and then disguised themselves 
as KeyPoint employees to gain access to OPM's background 
investigation system.
    Director, what steps are you taking to require KeyPoint and 
other contractors to shore up their IT security?
    Ms. Cobert. Thank you, Congressman. Improving our ability 
to work with our contractors on cybersecurity is a key priority 
for us at OPM, and I know it is across the executive branch. We 
have been reviewing the clauses in our contracts and working to 
ensure that we can make--that those have the provisions that we 
need going forward.
    There's an effort underway with NIST, with the Office of 
Federal Procurement Policy to develop standards. One specific 
example, we are re-competing the field investigation contract 
this year, the contract under which CACI and KeyPoint do that 
work today. That contract will be re-competed.
    As we're preparing to re-compete that contract, we have 
been working actively to include those clauses. We've in fact 
already been working with the Department of Defense to look at 
the kind of clauses we're going to put in place in that 
contract to make sure that we can leverage their expertise here 
as well. So we take this seriously. We're reviewing the 
contracts, and that's just one example of how we're moving that 
forward.
    Mr. Cummings. I am going to come back to those clauses in a 
minute. But, Mr. Scott, what measures is the administration 
taking to prevent the misuse of Federal contract IT systems to 
penetrate government IT systems?
    Mr. Scott. Part of our updated guidance that's coming out, 
Ranking Member Cummings, includes standardized contract 
language that we expect will be adopted in all the contracts 
that agencies use for IT. And that's a way of getting 
consistency and then also being able to measure performance 
against that.
    Mr. Cummings. Well, as you know, another OPM contractor, 
Anthem, was also breached, and the personnel information of 
nearly 80 million Americans was compromised, including names of 
Federal employees. Experts believe these were all part of a 
sophisticated, coordinated cyber espionage campaign. They all 
occurred at about the same time, they all targeted sensitive 
information about Federal employees, and they all were carried 
out using similar malware.
    Mr. Halvorsen, does it worry you that our adversaries can 
target private corporations with relationship to the Federal 
Government to obtain sensitive information about Federal 
employees? And how does the administration's proposal improve 
cybersecurity at Anthem or other government contractors?
    Mr. Halvorsen. Well, it certainly worries me that 
organizations can and governments can target U.S. companies. I 
think what the administration has done here, by allowing DOD to 
be part of this, we have in DOD already some existing clauses 
and regulations that require our contracts to highlight 
cybersecurity.
    I think everybody at this table, Mr. Scott has certainly 
been leading an effort to improve Federal cybersecurity 
everywhere, taking those clauses. We partner a lot. Ms. Cobert, 
as the acting OPM Director, has been doing the same thing. So I 
think we're handling the threat and moving forward in all the 
right directions to put in the right clauses, the right rules, 
the right things.
    We're also at DOD working with Mr. Scott expanding the 
communications we have with private contractors so that they 
can do better security on their own and feeding them better 
intelligence about what the threat is.
    Mr. Cummings. After the attack, Anthem did not ask the 
incident response team at US-CERT to investigate. You would 
think that Anthem as a government contractor would be 
required--and this goes back to these clauses, Director 
Cobert--would be required to allow a government forensics team 
in to investigate the theft of government employees' personal 
information.
    Director Cobert, why wasn't Anthem under any contractual 
requirement to report breaches involving government data to US-
CERT? Why is that?
    Ms. Cobert. Congressman, Anthem was under requirement to 
report breaches to OPM to our situation room, and we can then 
work with them on how to respond. I was not there at the time 
so I don't know the specifics of that. I know we are having an 
ongoing set of discussion with Anthem and our other health 
insurance partners about how to strengthen cybersecurity and 
how we're going to work with them going forward ----
    Mr. Cummings. So that is a ----
    Ms. Cobert.--including that possibility.
    Mr. Cummings. That is a part of the contract now, though? 
In other words, the contracts--I take it was in the contract 
before. They didn't do it. Is that what you are trying to tell 
me?
    Ms. Cobert. No. To the best of my understanding, the 
obligation in the contract is to report to OPM.
    Mr. Cummings. Okay.
    Ms. Cobert. That they did do.
    Mr. Cummings. Okay. Now, what about US-CERT?
    Ms. Cobert. I don't believe that the contract requires them 
to report to US-CERT, but as we're looking at the new contracts 
and as we're working with all of our health insurance partners, 
that is one of the options we are exploring.
    Mr. Cummings. Would you get back to us on that because, as 
I said before, this is a, you know, weak link that I think we 
don't want to miss, particularly when you all are putting 
things together and trying to tighten up any kind of loopholes. 
That is something that I would hope that you all would take a 
look at and get back to us on.
    I yield back.
    Ms. Cobert. I will do that.
    Chairman Chaffetz. I thank the gentleman.
    I now recognize the gentleman from Oklahoma. I appreciate 
his leadership on this issue, along with Mr. Lieu. But I will 
now recognize Mr. Russell of Oklahoma for 5 minutes.
    Mr. Russell. Thank you, Mr. Chairman. And I do thank the 
panel for being here today and for making every attempt to 
resolve this situation. However, we have got some problems 
here.
    Mr. Scott, who is currently funding the FIS?
    Mr. Scott. I believe that's part of the revolving fund in 
OPM. Beth could probably answer that ----
    Mr. Russell. Okay. And I am getting a nod from Ms. Cobert 
there. So it currently comes out of OPM, and yet, as I heard it 
stated by you that this will come--this $95 million to stand up 
the Bureau will now come from top line of Department of 
Defense. Why is it that Department of Defense has to pay for 
it?
    Mr. Scott. This would be added to the DOD budget and give 
them the funds needed to develop the systems.
    Mr. Russell. Will it come out of OPM's budget.
    Mr. Scott. I don't ----
    Mr. Russell. Yes.
    Mr. Scott. Since the ----
    Mr. Russell. Therein lies the problem.
    Mr. Scott. Since the fiscal year 2017 budget isn't the 
reality yet, I don't know the answer to that.
    Mr. Russell. Well, I think we know in principle that if FIS 
was funded by, you know, OPM, then it just makes good sense 
that the monies would be transferred.
    Ms. Cobert, would you like to answer that?
    Ms. Cobert. The Federal Investigative Service operates with 
a revolving fund. It--the agencies that use those services pay 
fees for those services. That is the core of FIS's funding is 
through the fees that agencies that require background 
investigations pay for those services. So the funds come from 
agencies through interagency agreements into OPM. It's a 
revolving fund, not appropriated funds.
    Mr. Russell. Okay. Well, and that helps somewhat, but here 
is the problem. And while I agree that DOD is the biggest user, 
herein lies the overarching problem. We have allowed, out of a 
necessity of cost saving, of elimination of backlogs that we 
got into this situation where 18 million records have been 
breached. Whatever it was we hoped to gain has absolutely 
materially aided our enemies for probably two or more 
generations. They will be able to mine incredible data. It does 
not take a genius to figure that out. And so now, as we are 
getting ready to set up potentially another house, we want to 
make sure it is not a house of cards.
    I have real concerns that this money is coming out of 
Department of Defense specifically, and here is why. For $95 
million you could have 60,600 soldiers being paid, and we are 
talking about additional cuts. And so now because we have had a 
breach and now we are going to try to make a bureau, we are 
going to cut 30,000 soldiers from the Army and further diminish 
the Marine Corps. I mean, this is the problem. We are weakening 
our country. We are weakening the Department of Defense. We are 
weakening whoever might have a security clearance.
    I don't think that the solution is take it out of top line 
of Department of Defense, and I will take real issue with that.
    I also sit on the House Armed Services Committee, and with 
my background, I am given a little bit of respect and wide 
berth on those issues. So I am not satisfied with those 
answers.
    Here is another one: responsibility. Okay. And I 
appreciate, Mr. Halvorsen, all that you do. I do understand it. 
And you were careful to accurately describe the authority 
pieces. You said that DOD would be technically in charge, that 
DOD will be allowed to be a part of this. And I think that is 
accurate language, but therein again lies the problem. When you 
are in conflict with your recommendations, will you have the 
final authority to push that through for national security?
    Mr. Halvorsen. Sir, I believe that I will, and I ----
    Mr. Russell. Believe?
    Mr. Halvorsen. Yes, sir. And I'll stress again ----
    Mr. Russell. But the wiring diagram could conflict with 
that, does it not, because now Department of Defense is going 
to have to go through, you know, the Bureau, who goes through 
OPM, and then we will talk about it on the PAC. You may not 
have that authority, is that correct?
    Mr. Halvorsen. Sir, I don't think that is correct, and I 
would say this. The wiring diagram isn't finished. But I will 
tell you this. Again, I report to the Secretary of Defense. 
Secretary of Defense has made it very clear to me ----
    Mr. Russell. Oh, I am sure he has.
    Mr. Halvorsen.--number one customer. I ----
    Mr. Russell. But if OPM disagrees with the Secretary of 
Defense, then we have got a problem, do we not?
    Mr. Halvorsen. If we had that problem, I think we might 
have a short problem. I don't think in the end OPM is going to 
tell the Secretary of Defense ----
    Mr. Russell. But the wiring diagram ----
    Mr. Halvorsen.--not to build it.
    Mr. Russell.--is set up potentially for that type of flaw, 
and this is a problem. One thing I did learn as a soldier--
maybe it doesn't happen here in Congress but it certainly did 
on a battlefield--you have to have unity of effort, and not 
just unity of effort. You have got to have somebody clearly in 
charge.
    And here is my big beef. If the Department of Defense is 
going to clearly have the greatest level of responsibility to 
protect these documents, then they by golly better have the 
authority to make it good, and we ought not to be weakening and 
diminishing our land forces to pay for some data breach. Those 
monies, we have got to figure out a different way.
    And with that, Mr. Chairman, I have exceeded my time. Thank 
you for your indulgence.
    Chairman Chaffetz. I thank the gentleman. I will recognize 
the gentlewoman from the District of Columbia, Ms. Norton, for 
5 minutes.
    Ms. Norton. Thank you very much, Mr. Chairman.
    Director Cobert, the breach that has occurred into Federal 
employee data is deep indeed. In fact, I would guess that if 
you worked for a private corporation, much of that data would 
not be even in the hands of your employer, for example, your 
spouse's data, your children's data, the kind of data that is 
appropriate for a government agency, and yet minimally in the 
beginning only 18 months and $1 million was allowed in 
protection. I am grateful to the appropriators it is going up 
to 10 years and $5 million. I have a bill for lifetime 
protection.
    Isn't it true that much of this information, information 
not only regarding the employee but the employee's family, 
spouses, children, is unchangeable, cannot be somehow mitigated 
by making changes in the particular data that the hackers have?
    Ms. Cobert. Yes, that is correct, Congresswoman.
    Ms. Norton. To your knowledge, has any use been made of 
this data to this point?
    Ms. Cobert. Congresswoman, we are in continual dialogue 
with our partners in law enforcement and the intelligence 
community, and we have not seen misuse of this data.
    Ms. Norton. This is what is so worrisome, that the 
hackers--I don't know if they are simply mischievous or if they 
are holding the data until it is useful. But I want to say 
again that I don't see how OPM can do anything but recommend to 
the President that there be lifetime protection.
    Look, this protection may never be used. That is to say it 
may never cost the government much. It is like an insurance 
policy. So I must say that the very least we owe Federal 
employees, given this breach, it would seem to me is lifetime 
protection for data that cannot be changed.
    I appreciate--and do you have any real way to monitor 
whether or not any use is being made of this data?
    Ms. Cobert. Congresswoman, there's--we are, as I said, in 
dialogue with the FBI, with the NCSC, the DNI, and others ----
    Ms. Norton. What obligation ----
    Ms. Cobert.--to monitor those ----
    Ms. Norton. What obligation would you be under to inform an 
employee were you to find that use has been made? How would 
that work?
    Ms. Cobert. We would work with those bureaus to understand 
the right way to inform them. We've also continued to remind --
--
    Ms. Norton. There is no protocol yet for what to do?
    Ms. Cobert. We haven't had--we continue to remind employees 
about the opportunity to sign up for the monitoring services. 
The levels of penetration of people signing up for those 
services far exceeds what we've seen in the private sector 
context. We'll continue ----
    Ms. Norton. No, but see, that is not my question.
    Ms. Cobert.--to work with them.
    Ms. Norton. My question is you discover that some use has 
been made. What do you then do?
    Ms. Cobert. It will--we were--that's why we need to work 
with law enforcement. We need to understand the nature of how 
that data is being used ----
    Ms. Norton. Ms. Cobert, I hope ----
    Ms. Cobert.--to take the appropriate actions.
    Ms. Norton.--during your--I don't have much time. I hope 
during your time that an actual protocol is set up for 
immediate notification in some way that the employee can be 
further protected.
    Look, I am interested in the fact that 60 percent of the 
investigations are done by contractors. I understand perhaps 
the reason why, but I noted that one of the contractors Anthem, 
which is not discussed as much, had jurisdiction over health 
insurance of Federal employees, and 80 million Americans' 
information or 80 million Americans was breached.
    And of course that is very, very personal information, but 
they declined to let US-CERT investigate the breach. I can't 
understand that. These people are acting in the place of the 
government. Shouldn't the people who provide these services, 
have the sensitive information, be required to institute 
equivalent security measures, including having somewhat 
equivalent to the government or the government come in to 
investigate a breach?
    Ms. Cobert. Congresswoman, we are working with our health 
insurance partners like Anthem on how to enhance their 
cybersecurity and our visibility into that. We are working on 
that ----
    Ms. Norton. Why wasn't US-CERT ----
    Ms. Cobert.--with our inspector general.
    Ms. Norton. I mean, these people work for the government. 
Why wasn't US-CERT allowed to investigate a breach of Federal 
employee data? Why isn't that routine?
    Ms. Cobert. Congresswoman, those are the--well, the kinds 
of clauses we were looking to implement going forward. The 
Anthem incident and the Anthem contract predated my time at 
OPM, but I know the health and insurance part of OPM, with our 
senior cybersecurity advisor Clif Triplett is working and in 
discussion with those insurers ----
    Ms. Norton. So you believe ----
    Ms. Cobert.--how to do ----
    Ms. Norton. You believe that there should be an 
investigation by the government or by an independent auditor 
when there is a breach by one of these contractors. Is that the 
case?
    Ms. Cobert. I believe that we need to bring the best 
resources we can to bear on these situations, and we need to 
put in place clear processes that reflect the challenges that 
we face today, and that's what we're working to do.
    Ms. Norton. Mr. Chairman, I wish we could get an answer to 
that question. I understand she's new, but if a contractor 
cannot be investigated in the same way that, for example, the 
IG will investigate a similar breach of a Federal agency, then 
I think we have a problem. I think we ought to give her time, 
but I think that question needs to be answered one way or the 
other with respect to contractors.
    Chairman Chaffetz. I concur. I think this--if they are 
going to be allowed and are given access, whether they are a 
contractor or employee, the IG ought to be able to investigate 
it and not just create this fictitious firewall and say, oh, 
you can't look over here. We saw this at the Department of 
Education. They have 184 databases and yet nobody is looking at 
them.
    And so I would agree. And I think this is a good bipartisan 
thing that we can push. We have brought this up previously with 
Ms. Cobert, and you can see the frustration that we see. We 
need an actual solution to this problem and challenge. I know 
you are new, but we need that.
    And I also want to follow up with Mr. Russell here. We as a 
Federal Government have spent $525 billion plus over the last 7 
years, and our IT doesn't work. And that is a tremendous 
frustration to go have to grab money away from our troops to 
clean up a problem that should have never been there in the 
first place, again part of the frustration.
    And I do hope in this similar vein we can work in a 
bipartisan way to understand where the funding component comes 
and that this be of the utmost priority. But to grab it out of 
the troops' budget is probably the last place we should do 
that. So I don't know if you wanted to add anything to that. 
Sure.
    Mr. Cummings. You know, as I am listening to you, Mr. 
Chairman--and I guess this would be for you, Mr. Scott; I am 
not sure--is it that the IT system is so huge that we can't get 
it together? Do you follow what I am saying? Is it too big to 
improve? Do you follow me?
    Mr. Scott. Yes, well, let me talk about the case generally 
across the Federal Government. And we've heard from every CIO 
that getting the funding to go replace any of these large 
systems has not been something they've been able to do in their 
normal budgeting process. It's why we put together the ----
    Chairman Chaffetz. But wait, wait, wait, wait ----
    Mr. Scott.--Cyber National Action Plan.
    Chairman Chaffetz.--wait a second. Wait a sec. Wait a sec. 
You are getting more than $80 billion a year, and that isn't 
enough?
    Mr. Scott. No. There's a lot of money, but the easiest 
money to get is money to sustain the old legacy systems that 
get more expensive every year because of lack of skills on old 
COBOL systems. The security that you put around those is more 
costly. And the hardest money to get is money to go develop new 
ones. It's why we've proposed the IT Modernization Fund that 
would give agencies access to the capital they need to go 
replace these things, and it's a core part of the CNAP plan 
that we've put together.
    Chairman Chaffetz. Well, I have got to recognize the 
gentleman from Florida, but I think that is hogwash. You asked 
for about $3 billion, and yet you have had $525 billion over 
the last 7 years. To suggest we are just $3 billion away from 
actually solving this problem is ridiculous. And you spending 
70 percent of the budget on the legacy systems, only 30 percent 
investing in new systems, and even the procurement ----
    Mr. Scott. It's worse than that.
    Chairman Chaffetz. Yes. And there is a talent portion to 
all that, but I don't think it has been a lack of funding, $80 
billion a year. This is not a funding issue. One good trip to 
Best Buy and you could do better than we are doing now. That is 
the concern.
    So let me recognize the gentleman from Florida, Mr. Mica --
--
    Mr. Connolly. Mr. Chairman?
    Chairman Chaffetz.--for 5 minutes.
    Mr. Connolly. Mr. Chairman?
    Chairman Chaffetz. Yes?
    Mr. Connolly. If the gentleman from Florida would just 
withhold for one second, I share the chairman's concern, and I 
would simply suggest to him that one of the things I think we 
need to do--because the statistic gets bandied about we are 
spending 70 or 80 percent maintaining legacy systems. I think 
our committee ought to drill down on that, and I think one way 
we do that--and Mr. Scott can help us here--let's actually get 
an inventory agency by agency of what we are talking about so 
we have a better handle on that. And it would allow us then in 
some depth to work with agencies about, well, what would it 
take to replace these things?
    Chairman Chaffetz. And I ----
    Mr. Connolly. Why are they costing so much money?
    Chairman Chaffetz. And I would agree with that. One of the 
reasons I called for the dismissal of Ms. Seymour is for years 
the inspector general had been asking for an inventory. The 
Office of Personnel Management went for years, didn't even know 
how many laptops and how many ports. I mean, how can you solve 
the problem if you don't even know what the inventory is?
    Mr. Connolly. Yes.
    Chairman Chaffetz. And so I totally agree with the 
gentleman from Virginia. This is part of the problem. This is 
why you have--when you have years of an inspector general 
saying it is better to unplug the system than to continue on, 
we have to heed those.
    Mr. Connolly. I thank my friend from Florida for his 
courtesy and I thank the chair.
    Chairman Chaffetz. I will now recognize the gentleman from 
Florida, Mr. Mica. Thank you for your patience.
    Mr. Mica. Thank you, Mr. Chairman.
    I had the opportunity--and I still don't like Newt Gingrich 
for what he did to me, but made me chairman of the Subcommittee 
on Civil Service for 4 years, and I thought we had problems 
then. And actually, those were our glory days. I think we have 
reached the absolute bottom of the pit. I wish you well, Ms. 
Cobert. It is just unbelievable. I was just thinking of the 
money we have spent. I worked with the gentleman from Virginia 
on consolidation of IT systems. I think we did, Gerry, a 
hearing. Are you all still doing your retirement processing for 
Federal employees by hand?
    Ms. Cobert. We are working to ----
    Mr. Mica. Are you doing them by hand?
    Ms. Cobert. Some more elements of it are digital ----
    Mr. Mica. That was after spending ----
    Ms. Cobert.--but much of it is manual still.
    Mr. Mica. It is manual. Gerry, they spent a quarter of a 
billion dollars setting that up, and then now they are still 
doing it by hand. That is not what this hearing is about, but 
you take it whether it is--this is about security clearance 
reform. My God, they are putting in this system, which is at 
the expense of DOD, and it is going to be in place when? Can 
somebody tell me? You are doing the IT part of it? October? 
When? Hello?
    Mr. Halvorsen. The system will start being built in '17, 
and hopefully, by the end ----
    Mr. Mica. So it is not until '17?
    Mr. Halvorsen. Yes, sir.
    Mr. Mica. Okay. What is the backlog now? You have 388,000 
new background investigations pending? Is that right, Ms. 
Cobert? And I have 117 periodic reinvestigations backlogged, 
half a million ----
    Ms. Cobert. We are ----
    Mr. Mica.--and the IT system is going to be in place in 
'17?
    Ms. Cobert. Congressman, the ----
    Mr. Mica. Well, is the backlog--I mean, that is what staff 
is giving me. I am only told ----
    Ms. Cobert. You know, the figures I have on the backlog, we 
think about the backlog in terms of the timeliness for doing 
those ----
    Mr. Mica. It is a half ----
    Ms. Cobert.--investigations ----
    Mr. Mica. It is a half ----
    Ms. Cobert.--so yes.
    Mr. Mica. It is a half a million backlogs right now. We 
don't have a system in place. I really even don't know where to 
start. If I was doing something, I would probably look at 
putting some--there are plenty of people that can conduct these 
investigations. There are companies that do that. Can you 
contract with some of those folks? Can we get this in bite-
size? You can only eat an elephant a bite at a time, I am told.
    Ms. Cobert. So, Congressman, we have systems that support 
background investigations today. We have made strides over the 
last months ----
    Mr. Mica. But you are going to ----
    Ms. Cobert.--in making those more secure, and then we are 
going to rebuild them ----
    Mr. Mica. They are building ----
    Ms. Cobert.--with security.
    Mr. Mica.--you this system, and then you are going to run 
it?
    Ms. Cobert. No, DOD will operate the new systems.
    Mr. Mica. But ----
    Ms. Cobert. We are currently running the existing systems.
    Mr. Mica. And who is going to conduct the investigations?
    Ms. Cobert. The investigations will be ----
    Mr. Mica. By this new agency?
    Ms. Cobert. Will be conducted by the National Background 
Investigations Bureau.
    Mr. Mica. Oh, folks, hang on to your shorts on this one. By 
the time you get the IT in place and the money you are going to 
spend, and then by the time you get OPM up and running, I mean, 
you can't even get the personnel to do the manual processing of 
the retirement. I think we are headed for another disaster. God 
bless you, but I am telling you, you have got to take this a 
bite at a time. You need to get contracts out. You need to get 
it out of OPM. Building this system, it is designed to fail. We 
will be back here the next Congress in '17. I guaran-damn-tee 
you--and put that in the record, it is a new word--that this 
will continue to be a disaster the way it sounds like you are 
putting it together.
    I haven't even gotten into the issue of our personal 
records being hacked. Where are we on that? I mean, I got a 
notice that mine were hacked. Have you taken protections for 
all of us? I don't know if I signed up for whatever you 
offered, but we have millions of records hacked in OPM. What is 
the status of that?
    Ms. Cobert. We have, working with the DOD, been through a 
process to notify individuals ----
    Mr. Mica. I have been notified.
    Ms. Cobert.--whose records ----
    Mr. Mica. What is the remedy? I mean ----
    Ms. Cobert. So there is services available ----
    Mr. Mica. Yes, I just started getting--this week, I started 
getting scam calls from different groups that I have never 
gotten before at home. Member of Congress, what is the status 
of protecting me? Okay. Let's not even do me, but we have got 
hundreds of thousands of Federal employees out there.
    Ms. Cobert. So we have provided these services. We have 
notified individuals and repeated that they had the opportunity 
to enroll ----
    Mr. Mica. So we have to sign up. You have taken nothing 
preemptive to help us.
    Ms. Cobert. We--these services are in place for you to 
receive ----
    Mr. Mica. Okay.
    Ms. Cobert.--the monitoring services. You have to provide 
your personally identifiable information, and we cannot legally 
----
    Mr. Mica. I don't trust ----
    Ms. Cobert.--do that on your behalf.
    Mr. Mica.--giving you any more of my information. It has 
already been hacked and people have it. I just want to know 
what we are doing preemptively to help people who have been 
hacked who have worked for the Federal Government or are 
working for the Federal Government.
    Ms. Cobert. We have provided them services. We have ----
    Mr. Mica. That is ----
    Ms. Cobert.--provided them information about how they can 
protect themselves ----
    Mr. Mica. Well, I think if you ----
    Ms. Cobert.--and we are working with them to the extent 
they have an issue ----
    Mr. Mica. If you could come back ----
    Ms. Cobert.--to help restore their identity ----
    Mr. Mica. Come back with another plan ----
    Ms. Cobert. Restore their identity.
    Mr. Mica.--and look at what I suggested. Thank you, Mr. 
Chairman. I yield back, and I will be back.
    Chairman Chaffetz. Thank you. I now recognize the gentleman 
from Massachusetts, Mr. Lynch, for 5 minutes.
    Mr. Lynch. Thank you, Mr. Chairman. I want to thank the 
panelists for helping the committee with its work.
    The standard form 86, very, very extensive and very 
thorough, and it goes into a person's entire history, their 
family, very, very in-depth investigation. That is what was 
hacked in many cases with respect to the hacks against OPM. And 
when Ms. Archuleta and Ms. Seymour were here last time, I asked 
them point blank if any of that information was encrypted. And 
the answer was no, we gathered all of this information at OPM, 
put it in one repository, and then did not encrypt it. So we 
basically invited people to come in and hack and basically get 
all the information. There were no firewalls or anything like 
that. So it was just colossally bad, bad management.
    Now, I support the move to DOD because you have got at 
least some record of protecting information. It is in the vital 
interest of this country to do so. Are we going to be able to 
move that information over and secure it? I know a lot of it 
has already been hacked, but what is the next step on that, Mr. 
Halvorsen?
    Mr. Halvorsen. Yes, sir. We will move the information over. 
We will use the proper levels of encryption on all the levels 
of the data and have a leveled and layered defense of all of 
that data, and it will be physically and virtually inside the 
DOD boundaries.
    Mr. Lynch. Okay. And so there are about 4 million Americans 
that have to have security clearance. That is both Federal 
employees and contractors. And there is about 600,000 a year 
that we are issuing new clearances to. I would like to think 
that the idea that by October of 2017--is that what we are 
talking about when the system is going to be up and running or 
is it '16?
    Mr. Halvorsen. We will have the system begin running, yes, 
October of '16. It will not be completed by October of '16, but 
we will begin to execute new parts of that system in October of 
'16. It will take the following year to complete that given the 
complexity of the system.
    Mr. Lynch. I just think that that is happy talk with all 
due respect. With the problems we are having with pensions 
and--you know, I used to chair the Subcommittee on Federal 
Employees, and, you know, we have had longstanding problems 
with that. I just think that is, like I say, happy talk. That 
is just dream world stuff. We have had terrible, terrible 
problems with just getting basic information up and running. We 
are still doing stuff manually, as the gentleman from Florida 
pointed out.
    But interestingly enough, the only stuff that hasn't been 
hacked is the stuff that we are doing by hand. And I am sure 
that is not intentional, but that just demonstrates the 
weakness of our system.
    Let me ask you, is there any value, you know, because if 
someone is going through this, you know, top secret clearance 
process, that is an important role. And if they are looking for 
that type of clearance, we have a concomitant duty, I think, to 
make sure that person is thoroughly, thoroughly vetted. And I 
agree with that.
    But is it necessary to have all those folks online and to 
have the ability of one person sit down and get access to all 
of them? Or is there an opportunity to have some type of 
firewall, Ms. Cobert?
    Ms. Cobert. Congressman, we have taken steps already to 
move in the direction you are describing. We have put in place 
more advanced firewalls. We have increased the segmentation of 
the data. We have improved encryption. We are not finished, but 
we are working towards that.
    And as we think about the redesign of the system--I'm sure 
Terry could talk more about it--the question you're posing 
about who needs to have access to what elements of the data, 
how do we store it effectively, how do we allow people what 
they need from a business operation perspective to interact 
with the data but have it in a much more segmented way is part 
of the future design.
    We've put in remedial measures on the current systems. We 
have much better firewalls. We have much more stringent 
criterias for access to that data, so we've done the things 
that we need to do within the existing systems, but we 
fundamentally need to build them with security by design built 
in, and that is what our partners from DOD are going to help us 
do.
    Mr. Lynch. Okay. One last point. The recently passed 
omnibus bill that the President signed says that ``in relevant 
part the enhanced personnel security program of an agency shall 
integrate social media.'' So shall means shall. And so all this 
hedging is contrary to congressional intent.
    Ms. Cobert. Congressman, we are actively working to do that 
today on the SF-86. It requires folks to put their email 
address and aliases. We are working closely with the DNI to put 
that in place.
    Mr. Lynch. Okay.
    Ms. Cobert. The pilots that DOD has been running on 
continuous evaluation, for example, do incorporate social media 
----
    Mr. Lynch. All right.
    Ms. Cobert.--and we are learning from those pilots.
    Mr. Lynch. This is not the general public, so there should 
be no hedging. These people want top security clearance in many 
cases. And that is fair enough, but we obviously have the 
obligation to vet these people if they are getting this top 
secret clearance. That is all I am saying.
    Ms. Cobert. We share that commitment, Congressman, and I'm 
sure the DNI shares that as well.
    Mr. Lynch. Thank you. I yield back.
    Chairman Chaffetz. And before the gentleman yields back, 
maybe what we should do is take all the data and put it on an 
Apple iPhone because evidently, that is encrypted. That would 
be a heck of a lot cheaper than trying to recreate what Apple 
is evidently able to do, so just an idea.
    I will now recognize the gentleman from North Carolina, Mr. 
Meadows for 5 minutes.
    Mr. Meadows. Thank you, Mr. Chairman. Thank each of you for 
your testimony. Thank you for your work.
    Mr. Halvorsen, let me come to you because, as I understand 
it, you are the CIO and you report to whom?
    Mr. Halvorsen. I report to the Secretary of Defense.
    Mr. Meadows. And so as we go to implement this new process, 
it is your responsibility, the funding--you make the decisions, 
is that correct?
    Mr. Halvorsen. That is correct.
    Mr. Meadows. Okay. Then help me understand because OPM has 
a relationship here, so how, now that it is your decision and 
we are going to pay for it through OPM, how do the two of those 
work together because it seems like the funding stream now is 
going to be, I guess, separated so to speak.
    Mr. Halvorsen. Very clear. The funding stream that we have 
talked about, the $95 billion is for the build of the new 
system. It is not the entire funding stream for the operation 
of the NBIB.
    Mr. Meadows. So Ms. Cobert has the funding for the 
operation?
    Ms. Cobert. The funding for the operation of the Federal 
Investigative Service is a--it is a fee-for-service operation. 
So DOD, when it requests a security clearance ----
    Mr. Meadows. Right.
    Ms. Cobert.--pays the Federal Investigative Service and 
will pay the NBIB as that bureau is stood up to conduct the 
investigations. So the funding for the investigations we do for 
DOD actually comes from DOD. The fundings we do for other 
Federal agencies come from them. It is a revolving fund model 
as opposed to an appropriated model.
    Mr. Meadows. All right. So how does that affect oversight 
and really as we start to look at it? Because when it gets in 
to be a fee for service, why would they contract with OPM? Is 
that a contract they have to have with OPM or can they go to an 
outside source? I mean, you see where I am going with this, the 
potential conflict.
    Ms. Cobert. Sure. The agreements we have in place, the way 
we--it is--will be structured with the NBIB is that the NBIB 
will conduct the background investigations for DOD and other 
agencies, as we do today. We charge them a price for those ----
    Mr. Meadows. Sure.
    Ms. Cobert.--investigations ----
    Mr. Meadows. Right.
    Ms. Cobert.--and even today, we work closely with DOD as 
our largest customer and with the other PAC agencies around 
pricing. We want to make sure we are doing a quality job but we 
are doing it in a way that is a smart use of taxpayer dollars.
    Mr. Meadows. Well, and I see that. I guess, Ms. Cobert, one 
of the concerns I have is when you have monies that are going 
to OPM versus an outside contractor, whomever it may be, the 
accountability, it is kind of like having a general contractor 
that has subcontractors that are--who is ultimately--if the job 
is not done correctly, who ultimately--who does that fall to? 
Does it fall to Mr. Halvorsen or to you? And ----
    Ms. Cobert. The operations--the investigative operations 
will be housed in OPM. They will be--report to me. I will be 
accountable.
    Mr. Meadows. All right. So how do you anticipate--you know, 
if it is a fee for service, how do you get the appropriations 
to make sure you are properly staffed to be able to--you know, 
because, again, it becomes a model that becomes extremely 
tricky. It is operating like a private sector, but yet, you are 
not.
    Ms. Cobert. Again, the model that was put in place to have 
a fee-for-service model is because the agencies, who are the 
ultimate customers of background investigations, fund those. 
They are in fact demanding customers. When we work with DOD 
today, we have an ongoing dialogue about what are we doing with 
their funds? How are we carrying that through?
    We--agencies' demands for background investigations are 
somewhat unpredictable. They give us expectations but their 
level of demand for background investigation is a result of 
their activity, and so they pay for those, and we use those 
funds ----
    Mr. Meadows. Okay. But so why would we not just say, okay, 
Ms. Cobert, you have all the authority? Why do we do this back-
and-forth fee aspect of it because it just seems like a shell 
game where we are moving it from one area to the other, and why 
wouldn't we just say you are responsible, you are accountable 
from an oversight, appropriations, and everything else? This 
back-and-forth becomes very problematic.
    Ms. Cobert. We are responsible for the use of the revolving 
funds in our congressional budget justification.
    Mr. Meadows. Right.
    Ms. Cobert. We talk about the amount of the revolving funds 
that we anticipate using in fiscal year 2017. We work the 
pricing through with our interagency partners, so we are 
responsible for the spending of those funds. The amount that we 
put to work in the revolving fund is part of our budget 
submission.
    Mr. Meadows. But do you see my point that if he comes back 
and he says, well, I only had demand for X number of--it 
creates a problem for you instead of--do you follow me?
    Ms. Cobert. That is an exact issue ----
    Mr. Meadows. It is ----
    Ms. Cobert.--we have, and that is why we work with agencies 
to understand what are their projections, what are they doing, 
what do they need.
    Mr. Meadows. Okay.
    Ms. Cobert. We do want agencies to actually, you know, 
understand what it takes to do this, and that's--I think this 
structure works well from that perspective. But part of 
standing this entity up, we've done some excellent work with 
the CAPE group at DOD about how to fund this, and we are going 
to continue to look at that, and I'm happy to continue that 
dialogue as we go forward.
    Mr. Meadows. Okay. I am out of time. I want to remind all 
of you that Mr. Connolly and I are going to be looking very 
closely at FITARA, and while I have you here, I want to 
emphasize it once again. I yield back.
    Mr. Russell. [Presiding] The chair now recognizes the 
gentleman from Virginia, Mr. Connolly.
    Mr. Connolly. Thank you, Mr. Chairman. And let me take up 
where my friend from North Carolina left off. We are going to 
follow up on FITARA.
    Ms. Cobert. Our FITARA plan has been approved by OMB.
    Mr. Connolly. And conveniently, Ms. Cobert, we have OMB 
right here. But I do think there is bipartisan consensus on a 
lot of the IT aspects of Federal management, and that may not 
last forever, but we are working hand-in-glove and seamlessly 
on this committee and our two subcommittees with respect to 
that. And I pray you take advantage of that because anything 
can happen, you know.
    Mr. Halvorsen, I think you had a personal loss in your 
family, is that correct?
    Mr. Halvorsen. That is correct, sir.
    Mr. Connolly. I am so sorry.
    Mr. Halvorsen. Thank you.
    Mr. Connolly. And you were supposed to be at an event with 
us the other day, and all of us, everybody there wanted to 
convey their sympathy to you and your family.
    Mr. Halvorsen. I thank you, and I appreciate the scheduling 
you've made to ----
    Mr. Connolly. We understand perfectly of course, and I hope 
your family is doing okay.
    And, Ms. Cobert, congratulations on bringing us together. 
Hopefully, it will have some effect in the other body. And I 
commend the chairman and the ranking member. Especially if we 
are as concerned as we say we are about the breach at OPM, the 
last thing in the world we need is any cloud at all over the 
legitimacy or status of the head of OPM, and so I would pray 
our colleagues in the other body confirm you as swiftly as 
possible. There is no substantive reason not to do that, and I 
know you have been working very hard in your acting capacity to 
try to deal with some very heavy baggage ----
    Ms. Cobert. Thank you.
    Mr. Connolly.--with respect to breaches. And I will say, I 
know my friend from Florida was expressing some frustration, 
but I also am one of the victims. And my experience with the 
service provided so far has been very positive.
    Ms. Cobert. Thank you.
    Mr. Connolly. They have caught things we didn't know about. 
In fact, frankly, they are so strict they are--you know, my 
wife can't always respond in my name to their concerns, so they 
are pretty tight. So hopefully, that is the experience of 
others as well. And as I have told you privately, we have, I 
don't know, 20-something million victims through no fault of 
their own, and priority number one of OPM and you as the 
Director is to protect those victims and make them as whole as 
we can. And I know you share that goal as well.
    Mr. Halvorsen, I am looking at the Bureau's cyber 
infrastructure and the new plans, and the Office of the 
Secretary issued this statement, that the purpose of the new 
design and build for that infrastructure is to ``avert or 
eliminate the continuous and dynamic threat of identity theft, 
financial espionage, other attacks on personal information 
while providing a secure basis for background investigations 
necessary for the Federal Government.''
    Can you briefly describe the mission of the Defense 
Information Systems Agency and why it was selected to design 
and operate that new system to meet that goal?
    Mr. Halvorsen. This is the DOD's contract acquisition and 
design agency for major systems in an IT. In my review of the 
capabilities, DISA was best positioned to be the oversight and 
designer of this.
    I will stress, however, when we say DISA is the designer of 
this system, it will not be without lots of input, and in some 
cases, commercial adaptation of technology.
    Mr. Connolly. Will this new network or system deploy 
EINSTEIN sensors for protection?
    Mr. Halvorsen. It will deploy the right set of sensors. It 
could be EINSTEIN. It could be EINSTEIN equivalence or things 
that might be better than EINSTEIN as we're looking at the 
future. As you well know, this is a field that changes rapidly. 
There will not be a single system that does this, but an 
integrated layer of systems that are better integrated to talk 
and both stop attacks, but if they had happened, to identify 
them and quarantine them quickly.
    Mr. Connolly. All right.
    Mr. Halvorsen. That takes a layered defense system.
    Mr. Connolly. I am going to run out of time, and if the 
chairman will allow them to respond, I will of course give up 
my time.
    But, Ms. Cobert and Mr. Halvorsen, when the breach 
occurred, one of the things we were told was, well, OPM had 
deployed EINSTEIN 1 and EINSTEIN 2 but not EINSTEIN 3. And had 
it had EINSTEIN 3 in place, maybe the breach would have been 
mitigated or eliminated. I would like both of you to comment on 
that because I think there is a lot of confusion up here, which 
I share, well, is EINSTEIN the answer or is there some other 
answer? Are there things that DOD that are not yet available in 
the civilian agencies that should be? Help us a little bit with 
that--do we still stand by that analysis?
    Ms. Cobert. Congressman, what I can tell you is we continue 
to be moving forward with deploying the EINSTEIN capabilities 
as they become available. So we have been moving forward with 
EINSTEIN 3 and EINSTEIN 3A. From my perspective at OPM as a 
customer of the support that folks like DOD and DHS can 
provide, I am happy to be an early adopter of the smart tools 
as they make them available to us. And whichever are the best 
tools, and folks like Mr. Halvorsen will help us figure out 
what those are, those are the ones we will deploy.
    Mr. Halvorsen. I think Beth got it right, sir, and I think 
you know we will continually review this. We've had recent 
reviews by--frankly done on behalf of what I've asked. NSA and 
some commercial customers say these are the best-layered 
defenses today. EINSTEIN technology will be part of that, but 
it is not the singular answer to build the best defense system 
forward.
    Mr. Russell. The gentleman yields back.
    The chair now recognizes the gentleman from Georgia, Mr. 
Hice.
    Mr. Hice. Thank you, Mr. Chairman.
    Mr. Scott, just out of curiosity, will the President's 
appointee to the NBIB be confirmed by the Senate?
    Mr. Scott. As proposed, I don't believe so, sir.
    Mr. Hice. Do you know how that process will be? Is it just 
an appointment ----
    Mr. Scott. That's correct.
    Mr. Hice. Okay. Ms. Cobert, let me go back to you. As you 
know, the PAC conducted the review after the Navy yard 
shooting. That review led to 13 specific recommendations to 
improve the clearance process. Has the intelligence community 
fully complied and addressed those recommendations?
    Ms. Cobert. Congressman, the PAC collectively has been 
working to implement the full set of recommendations from the 
review following the Navy yard.
    In my prior role at OMB when I was the chair of the PAC, in 
my current role as acting Director of OPM, we've been working 
closely with our colleagues in the DNI, for example, to put in 
place pilots of continuous evaluation to implement new Federal 
Investigative Standards, to improve access frankly ----
    Mr. Hice. So are you saying ----
    Ms. Cobert.--so we are working ----
    Mr. Hice.--they have or have not been ----
    Ms. Cobert. We are ----
    Mr. Hice.--fully implemented?
    Ms. Cobert. We are working through the process. The 
timetable for full implementation is not--we're still in that 
process but we are actively working that and actively managing 
it through the PAC.
    Mr. Hice. So it has not yet been fully implemented, and you 
do not have a time frame ----
    Ms. Cobert. There are ----
    Mr. Hice.--we know it will be complete?
    Ms. Cobert. There are different time frames for different 
elements. So one of the elements was to actually have 
continuous evaluation pilots in place. We have those in place. 
DOD has done some that's covered hundreds of thousands of 
people. The investigative standards and the quality ----
    Mr. Hice. All right. Can you give us ----
    Ms. Cobert.--of the standards ----
    Mr. Hice.--a general time frame?
    Ms. Cobert. Some of the elements are already due. Some last 
until 2017. I can--I am happy to provide you. We report on 
Performance.gov ----
    Mr. Hice. Please provide that and let's carry on, but 
please provide that information.
    Ms. Cobert. And we would be happy to do that, sir.
    Mr. Hice. All right. The Navy yard shooter had multiple 
previous arrests and yet was still somehow able to obtain 
clearance. How can this be?
    Ms. Cobert. Congressman, there are real challenges in 
getting complete and comprehensive records from local law 
enforcement. Some of those are due to the challenges that the 
local law enforcement has in their own recordkeeping.
    Mr. Hice. Okay. There has been recommendations ----
    Ms. Cobert. Those systems aren't automated.
    Mr. Hice.--to work and improve that process from State and 
local criminal records. When is that process going to improve?
    Ms. Cobert. That process has seen improvement. I can cite 
examples from New York City, from--we track actually ----
    Mr. Hice. I don't want examples. I want when are we going 
to see that enormous gap closed?
    Ms. Cobert. We are continuing to work with law enforcement. 
The records are their records. Things like Congress gave us 
with the NDAA that gives background investigators greater 
access to records that was implemented last year will be one 
step in helping us, but we have to work this through with local 
law enforcement to make sure they've got ----
    Mr. Hice. That is the whole point.
    Ms. Cobert.--the systems.
    Mr. Hice. That is the whole point. The local law 
enforcement, when is that relationship going to be resolved so 
that information can be readily made available so that we don't 
have people like the Navy yard shooter gain access?
    Ms. Cobert. Congressman, we are working actively with local 
law enforcement. In fact, we have--we had ----
    Mr. Hice. Okay. Listen, that ----
    Ms. Cobert.--a task force, and we are going to ----
    Mr. Hice. That is ----
    Ms. Cobert.--continue that.
    Mr. Hice. That is a really cheap answer. We are working 
actively. We are working actively, and yet--please provide that 
for us. I want as much specifics as you can provide without 
rambling ----
    Ms. Cobert. I'm happy to provide you that.
    Mr. Hice.--on this issue.
    Mr. Hice. All right. Have the revised 2012 Federal 
Investigative Standards been fully implemented?
    Ms. Cobert. We have implemented those through Tier 3. The 
rest of them are on schedule to be implemented over the next 
year too, I believe--I don't have the specific timeline but had 
----
    Mr. Hice. Okay.
    Ms. Cobert.--implemented the Tier 3, for example, this 
fall.
    Mr. Hice. Okay. Another recommendation involved the 
detection of false information that was submitted by 
applicants. As you may recall, Snowden, for example, said that 
he had worked for the U.S. Government for 6 years, 
investigators and all that, never contacted any coworkers, they 
never got any further details. The Navy yard shooter has 
serious mental health problems. What is being done to verify 
applicants' information more complete and in a more effective 
manner?
    Ms. Cobert. So there is a number of steps that we've put in 
place to increase the accuracy. I can go through the specifics 
and probably get that back to you in terms of each of those 
elements because that involves work with the different--I don't 
have the details of that right here ----
    Mr. Hice. All right. So you ----
    Ms. Cobert.--but I can get that to you.
    Mr. Hice. Doesn't it seem that that would be information 
that you would have?
    Ms. Cobert. I want to make sure that my response to you 
in--is accurate in terms of exactly the specifics of the 
progress we've made, sir.
    Mr. Hice. Okay. And we are talking about applicants putting 
false information and no one checking it. That seems like that 
would be information, if it is being corrected, that would be 
right on the top of your head. I would appreciate you getting 
that information to us ASAP.
    My time is expired, Mr. Chairman. Thank you, and I yield 
back.
    Mr. Russell. The gentleman yields back.
    The chair now recognizes the Congressman from California, 
and I appreciate his efforts on this issue, Mr. Lieu.
    Mr. Lieu. Thank you, Mr. Chairman.
    The hearings last year in Oversight Committee exposed 
fundamental weaknesses in our nation's IT infrastructure, 
specifically as applied to OPM. And thank you, Mr. Scott, for 
doing the 100-day cybersecurity sprint last year. The Director 
of the OPM last year resigned to be replaced by Ms. Cobert, and 
you have been doing a terrific job given the situation you have 
been put in.
    And last October, Representative Russell and I wrote a 
letter to the administration to the PAC board saying you need 
to move the security clearance IT system to the Department of 
Defense. And I am very pleased to read in your testimony, Ms. 
Cobert, that in fact the Department of Defense, with its unique 
national security perspective, will design, build, secure, and 
operate the security clearance IT system.
    My question has to do more with the other aspect of your 
plan, which is now the creation of a new bureau, the National 
Background Investigations Bureau. And I share some of the 
concerns raised by Congressman Russell. And my first question 
has to do with the wiring diagram. My understanding is this 
bureau will be headed by a Presidential appointee who then 
reports to the Director of OPM. Still, Ms. Cobert, could you or 
the new Director fire that person?
    Ms. Cobert. I imagine I could, yes, sir.
    Mr. Lieu. Okay. What happens if you have a disagreement 
with the Department of Defense over how to do the security 
clearance IT system?
    Ms. Cobert. Congressman, as Mr. Halvorsen said, DOD has the 
responsibility for the security of the IT systems. We have 
given that responsibility in agreement with them because we 
want to rely on their expertise. They have the national 
security expertise, the cybersecurity expertise around these 
issues. They are in that place because of that expertise, and 
we would expect that their guidance on how those things should 
operate is what we would follow.
    Mr. Lieu. And if they want more money to do the IT system 
upgrades and so on, where would that money come from?
    Ms. Cobert. So let me distinguish between the budget 
funding for the IT upgrades, as Mr. Halvorsen has described, as 
well as the funding for the ongoing support for NBIB. The 
funding for NBIB, because it is a fee-for-service model, are 
fees paid for our customers. The largest customer of the 
National Background Investigations Bureau will be the 
Department of Defense. And so, in fact, DOD will be providing 
those funds to the NBIB through the payments that they make for 
background investigation services. So they are both the 
customer paying the bill, as well as the individuals who will 
be supporting the use of those funds on IT for the revolving 
nature of the funds.
    Mr. Lieu. Okay. In terms of personnel, my understanding is 
the Federal Information Service will be folded or basically 
replaced with this new bureau. Will there be less people, the 
same, or more?
    Ms. Cobert. Congressman, I don't have the answer to that 
question at the moment. We are working with NBIB to make it 
purpose-built for this mission, for the scale of this mission, 
for the new capabilities, and frankly, for the new operating 
practices that are going to be part of it.
    In addition to the IT redesign that DOD will be leading, a 
key part of the transition team and the ongoing efforts is 
business process reengineering. How do we take advantage of 
these new technology tools to make this process be better, be 
smarter, be more efficient? And so when we put together, we 
can't tell you today what the scale of the individuals involved 
will be.
    Mr. Lieu. And taking a step back, what is the reason for 
not continuing with the Federal Investigative Services? Why do 
we need this new bureau?
    Ms. Cobert. Beyond the changes in how we operate IT, which 
are significant and particular given the IT intensity of this 
activity, that is a very significant change. What we wanted to 
do with the other change is to elevate the mission, elevate 
this role by having a Presidential appointee lead it in 
conjunction with the PAC as a peer of those leaders.
    We want to make sure that it has more dedicated support 
custom-tailored to this mission to make sure we can address the 
privacy issues with a national security context to make sure 
that it's got greater dedicated resources for the specific and 
unique type of contracting activity that it does or the legal 
issues it confronts or the other key elements of its operation.
    So we wanted that dedicated support, and we wanted to make 
sure we could institutionalize the interagency collaboration 
that really works. We work closely through the PAC with the IC, 
with the Department of Justice with the FBI, and that will be 
embedded in how the NBIB operates.
    Mr. Lieu. Thank you. And I yield back.
    Mr. Russell. The gentleman yields back.
    The chair now recognizes the gentleman from Alabama, Mr. 
Palmer.
    Mr. Palmer. Thank you, Mr. Chairman.
    Mr. Evanina, what sort of records do current continuous 
evaluation pilot programs look at?
    Mr. Evanina. Well, sir, I could speak for the intelligence 
community and the Office of the Director of National 
Intelligence. We're looking at about seven or eight major 
databases that will be continuously evaluated to identify areas 
of concern for clearance-holders that currently exist and on a 
continuous basis.
    So, for instance, right now, background investigations that 
are reinvestigations occur either a 5-year or 10-year cycle. 
We're looking to facilitate that on a continuous basis so, for 
instance, if you have an incident tonight, a domestic dispute, 
an arrest or financial issue like bankruptcy, we'll identify 
that immediately and not have to wait for 5 years to do that. 
But there'll be automated checks on a recurring basis.
    Mr. Palmer. Would you be able to follow up on something 
like with Mr. Alexis where he showed that he lived in Seattle 
but worked in Manhattan? Would it pick up discrepancies like 
that?
    Mr. Evanina. Probably not specifically where he resides, 
but the request for public information of residency would be 
part of that documentation. However, what happened with the law 
enforcement issue on the West Coast would not be a part of 
that. There'd be financial records, travel records, and 
publicly available records on the internet.
    Mr. Palmer. The personnel that are looking at these 
documents, does it not make sense to train them to look for 
abnormities like that? I mean, to say that you live in Seattle 
and you work in Manhattan should at least ask someone if they 
are commuting.
    Mr. Evanina. Absolutely, sir. And I'll--I'm confident that 
it happens now when investigations are conducted on background 
investigations and reinvestigations periodically with their 5- 
and their 10-year period. Those investigators who conduct those 
investigations are robust and thorough and they would ask that 
question, sir.
    Mr. Palmer. Mr. Halvorsen, what records does the DOD pilot 
program look at?
    Mr. Halvorsen. Sir, all of the same records plus we are 
looking at financial, we're working with law enforcement to do 
some criminal and sex offender. We look at social media, other 
internet public records and internal DOD data sources.
    Mr. Palmer. I want to go back to Mr. Evanina. Given that it 
has been almost a decade, why is the continuous evaluation not 
yet a standard practice across the intelligence agencies?
    Mr. Evanina. Sir, I'll proffer that a lot of agencies in 
the intelligence community currently utilize continuous 
evaluation.
    Mr. Palmer. You said a lot of them, but why is it not 
standard practice across all of them?
    Mr. Evanina. I'll correct that. The majority if not all of 
the organizations in the intelligence community currently use 
continuous evaluation. We are working with partners here to 
promulgate that across the executive brach of the government.
    Mr. Palmer. I appreciate that it is a majority, but can we 
get to all?
    Mr. Evanina. Yes, sir. I'll get you specifics as to which 
agencies don't if there is such an agency that does not conduct 
that now.
    Mr. Palmer. Thank you, sir.
    Mr. Palmer. I want to go back to Mr. Halvorsen. Is the 
information looked at under the pilot program different from 
what would be looked at under the periodic reinvestigations of 
the current standard practice?
    Mr. Halvorsen. The data is different, and that's part of 
what we're trying to pilot. There are some additional data 
sources in the pilots, and that's what we're evaluating now to 
see if that makes more sense in a continual way in cooperation 
with our intelligence counterparts.
    Mr. Palmer. When will all of the DOD's cleared population 
be covered by the continuous evaluation program?
    Mr. Halvorsen. Sir, I think there are two questions there. 
Right now, the DOD, we do use continuous monitoring. We are 
still in the process of working with the intelligence community 
on when that will become the standard for periodic 
investigations.
    Mr. Palmer. I want to shift gears a little bit here. Ms. 
Cobert, at your Senate nomination hearing, you said that the 
changing nature of cybersecurity means we all need to change 
the way we interact, the way we use systems at work and at 
home. You then explained that you yourself cannot access your 
personal Gmail account from your OPM computer because that is 
the way a lot of threats come in. Can you expand on how access 
to private accounts like personal Web mail on agency computers 
compromises the integrity of the Federal information systems?
    Ms. Cobert. Certainly. The--by--there's--whether it's 
phishing attempts or other things, there's a lot of ways things 
come in. Those might not have the same screens and filters that 
we have on our own government emails. And so the policy that 
we've put in place at OPM is to restrict access to those 
personal accounts. You don't want individuals being able to 
click on those accounts and accidentally click on something as 
a phishing attempt, for example.
    We know about the security controls on our own systems. We 
don't know about the security controls on individual's personal 
emails. Therefore, we do not want them on OPM computers.
    Mr. Palmer. Okay. My time is expired, Mr. Chairman. I yield 
back.
    Mr. Russell. The gentleman yields back.
    The chair now recognizes the gentleman from California, Mr. 
DeSaulnier.
    Mr. DeSaulnier. Thank you, Mr. Chairman. I want to thank 
all the panelists for the hard engaged work you are in the 
process of. Certainly, I think we can all agree that this was a 
very important issue, and the OPM data breach was alarming to 
say the least. So my questions and comments are going to be 
more directed to that understanding where responsibility lies, 
sort of consistent with some of the comments by Mr. Meadows.
    Understanding that this wasn't an isolated incident and it 
was sophisticated and coordinated and those kind of things are 
going to continue to happen in our new world. And so I have a 
couple of slides if we can put the first one up, speaking of 
technology.
    [Slide.]
    Mr. DeSaulnier. Our committee investigations found that 
cyber attackers used a sophisticated kind of malware called 
PlugX.
    Slide 2, please.
    [Slide.]
    Mr. DeSaulnier. The cyber attackers targeted government 
contractors with access to large amounts of personal 
information about Federal employees. These contractors, as you 
can see in the slide, were KeyPoint, which connected to OPM for 
the background investigation work it does, Anthem and Premera, 
which provide insurance to millions of Federal employees and 
their families.
    Slide 3, please.
    [Slide.]
    Mr. DeSaulnier. Once they hacked into KeyPoint, as we have 
now learned, the attackers were able to disguise their 
movements to appear to be authorized users inside OPM's 
networks. Once they got in, they installed PlugX malware on 
OPM's networks as well.
    Slide 4, please. This is the last slide.
    [Slide.]
    Mr. DeSaulnier. Over a period of months in 2015 the 
attackers made off with personal information they found using 
this method. In all, again alarming, over 90 million people 
could have been affected by this breach.
    Mr. Scott, at the committee's first hearing--that is the 
last slide, thank you--on the OPM data breach on June 16 of 
last year, your written testimony stated, ``Both State and non-
State actors who were well-financed, highly motivated are 
persistently attempting to breach both government and 
nongovernment systems. And these attempts are not going away. 
They will continue to accelerate on two dimensions. First, the 
attacks will continue to become more sophisticated''--as we 
have seen--``and secondly, as we remediate and strengthen our 
own practices, our detection capabilities will improve so it is 
a constant effort.''
    On a scale of 1 to 10, how would you rate, given your 
experience, the sophistication of the cyber attackers 
responsible for the breaches of KeyPoint, Anthem, and OPM in 
2015?
    Mr. Scott. I think there's consensus among all of us who 
looked at it this that it's in the upper ranges, I'd say 8 or 
9, in that range.
    Mr. DeSaulnier. Thank you. Director Cobert, our 
understanding is that cyber attacks against OPM were underway 
in 2013 and 2014, and they were only detected in 2015 when new 
tools deployed by former CIO Donna Seymour came online, is that 
correct?
    Ms. Cobert. That is my understanding, yes, sir.
    Mr. DeSaulnier. In your opinion, could OPM have prevented 
these attacks with the tools it had in 2013?
    Ms. Cobert. The tools we had in 2013 are very different--
were not adequate to prevent the breach. The breach occurred, 
correct?
    Mr. DeSaulnier. Right.
    Ms. Cobert. Yes.
    Mr. DeSaulnier. So in the overall context, this is the 
constantly trying, stay ahead of things, and that OPM was 
trying to stay ahead, but the tools they had weren't 
sophisticated enough to stop it so we slid behind.
    Mr. Halvorsen, the committee's investigation revealed that 
the adversary behind these attacks, again, were sophisticated 
and persistent and will continue to be. As these breaches 
illustrate, the adversary can be and will be present and at 
work, laying low, and being invisible largely to us. Knowing 
that we all have a lot of confidence in DOD and knowing it is 
not misplaced, I think, in bipartisan level and knowing that 
you can't explain everything in the sophistication that you 
bring to this endeavor, the molding between you and OPM is 
important.
    So could you just briefly describe with obviously being 
sensitive to the classified issues that you deal, what do you 
bring in a nutshell to this effort that will give us a higher 
level of confidence.
    Mr. Halvorsen. Well, I think, first of all, DOD, we live 
with a volume of attacks and I won't give the specific numbers. 
You--I think you've seen them. They're very, very large every 
day from everything ranging from the less talented to the most 
extreme talented adversaries. Our integration across DOD and 
how we deal with that both in preventing them but also--and I 
want to stress--people keep attacking--I don't think we're at 
all going to have a perfect system of prevention. Our ability 
to quickly detect, isolate, quarantine, and take corrective 
action and protect the forensics is something we will bring to 
this table and probably the integration of all of that and 
being able to produce a better full environment is what DOD 
brings to the table.
    Mr. DeSaulnier. I just want to thank you all. You are a 
group of Federal employees that when you are doing your job 
well, nobody hears from you, so congratulations. Thank you, Mr. 
Chairman.
    Mr. Russell. The gentleman yields back.
    We do appreciate the panel and their efforts. I would like 
to just make some closing comments. The fee-for-service, while 
it is understood that you have users and the compensation 
should come from those that use, but could you please explain, 
whoever would like to address it, where you have $95 million 
now that will come from Department of Defense, and yet 
Department of Defense will still be required to do a fee for 
service for their own users? So not only do they get to pay, 
they get to pay again. They have complete responsibility but 
they don't have the authority. Is that accurate?
    Ms. Cobert. Congressman, the $95 million requested in the 
budget was to deal with the modernization and move to a new 
model. That is a--someone will think of that as the--more the 
one-time investment that we need to make on behalf of the 
entire Federal Government, and because DOD will be doing that 
work on behalf of the government, the funds were put into the 
DOD budget.
    On an ongoing basis, it is our responsibility working with 
DOD to make the overall operations and systems work well. DOD, 
as Terry has stated, will be the lead, will have authority for 
the decisions around the systems. We will then at OPM, through 
the NBIB and with our interagency partners, be deploying those 
systems every day to conduct the work. So DOD will be building 
and operating the system, securing the systems. At NBIB we will 
be using those systems to conduct the investigations, and the 
fees from agencies support that work so that we have the 
funding to get it done.
    Mr. Russell. Well ----
    Ms. Cobert. It means you can scale that as the demand 
changes.
    Mr. Russell. And I understand that, and I appreciate that, 
Director Cobert, but, I mean, doesn't it stand to reason that 
if you are the one providing the service, you ought not to 
charge yourself to perform it? Would you agree with that 
statement? The Department of Defense will be conducting what 
amounts to its own background usage, and yet now, you are also 
requiring a fee for them to perform their own service. Is that 
correct?
    Ms. Cobert. The Department of Defense will be provisioning 
the IT system. The individual investigators, the work that's 
done in using those systems will be done by the NBIB. So 
they're our IT provider. We are the users, and that's what the 
fees cover.
    Mr. Russell. Okay. But herein is the concern. You know, 
while you have, you know, a great reputation and, you know, as 
you have heard in the comments in committee today, you know, 
good bipartisan, you know, commendation for your efforts, all 
of that could change in a year.
    The whole team that we see, although they are longstanding 
public servants and we appreciate that service, if we don't set 
this structure up correctly and, as we heard by admission from 
Mr. Scott today, this funding is going to come from the top 
line of Defense. Well, gee, you know, as I have already 
illustrated, that amounts to about 60,000 soldiers' pay.
    This is a problem because we are trying to set up a system 
that will have competing interests that will go against 
something that comes top line from defense, and then it appears 
that the Department of Defense, which will have much of the 
legwork and will provide much of the sweat equity so to speak, 
they will also be asked to pay for their own labor.
    Ms. Cobert. Congressman, I--I'm not sure I agree with the 
competing interest point. DOD is our largest customer. We are 
providing services to DOD. They as our customer--and I can 
attest today they are a very demanding customer, want to make 
sure that we do a quality job, that NBIB will do a quality job 
and that NBIB does that in a quality way but in an efficient 
way. We have dialogues with them today about pricing. This 
activity does have to happen across the Federal Government. It 
is an important activity. It has a cost, and we believe that 
this structure of us working with DOD and our other customers 
puts appropriate pressure on NBIB to do it right, to do it 
efficiently, and that will continue. I actually view that more 
as an alignment of interests ----
    Mr. Russell. Well ----
    Ms. Cobert.--than a competition.
    Mr. Russell.--and I get that from a government function 
point of view, but I think the real issue here is that this is 
a national security issue. It has been breached. It will last, 
in my estimation, at least two generations. There is a gold 
mine of information whereby to track folks.
    And so the big concern of mine is is that, you know, from 
a--and I don't mean this in an unkind form but in a technical 
form--from a bureaucratic view that, yes, there are government 
functions, but since this is such a national security issue, it 
stands to reason that many of the three-letter agencies did not 
want to be slid under OPM when we did these reforms originally. 
In fact, they stiff-armed it. They didn't get breached.
    Department of Defense, largely through pressure of Congress 
and through budgets, did. Now, we are turning back to them but 
we are still going to keep it potentially in a convoluted 
authority structure. This is a defense issue. This is a 
national security issue. And it still begs the question of 
whether or not DOD should be involved in its own personnel at 
all under an OPM structure. And I think those questions have to 
continue to be asked. I am very concerned about that.
    And I would just be curious both from Mr. Evanina and also 
Chief Halvorsen in that regard would we have better security 
for our defense personnel in a standalone or do we need to have 
this amalgam of agencies with a convoluted structure, 
cooperation notwithstanding, that could make us vulnerable yet 
again in the future. Chief Halvorsen?
    Mr. Halvorsen. So I think what we've proposed is actually 
the best security solution. We are, from DOD's standpoint, in a 
sense acting as the contractor for their IT services. We will 
provide those. We are responsible for those IT services.
    And I want to make a couple points. The cost for the 
current IT are baked into the current OPM pricing. The $95 
million is to do the modernization. I actually believe when we 
are done with the modernization, the IT cost will actually come 
down. This is a more effective way to do IT than what we have 
been doing today. The IT will be central. Everybody will use 
standard--the IT system.
    I think the same thing is true as we look at the business 
systems. I don't think you want DOD, Department of State, 
anybody else, doing different things with the investigations. I 
think that A) makes it more efficient, but also creates seams 
that could be exploited. I think we eliminate those seams.
    I understand your issues about are we going to be able to 
get the right authorities in place. I think we are, and I think 
we will owe you continual updates on how we're doing it.
    Mr. Russell. Mr. Evanina?
    Mr. Evanina. Sir, I will echo that and say that from the 
intelligence perspective from the community, we believe this is 
the most effective and efficient manner to attack this problem. 
And I think it's important to bifurcate the issues here. The 
first half of it is the investigations being done in the field 
to include Federal employees and contractors and the 
adjudications, which is inherently governmental by the folks at 
the NBIB.
    The second part of that is the systems and data that's 
acquired to be securely stored by DOD we believe is the most 
efficient way to handle this issue not only from a national 
security perspective and housing the data and ensuring it's 
secure through DOD but also maintain the current rhythm and 
motive of doing the investigations we are currently doing now.
    Mr. Russell. I would like to thank panel. We appreciate 
both your time and your continued efforts in this. It is 
appreciated. We all care about the same things. It is my 
sincere hope that we will work together to resolve these issues 
that have come up.
    And seeing that there is no further business, this hearing 
is now adjourned.
    [Whereupon, at 12:01 p.m., the committee was adjourned.]


                                APPENDIX

                              ----------                              


               Material Submitted for the Hearing Record
               
               

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]



                                 [all]