[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]





 
                     U.S. DEPARTMENT OF EDUCATION: 
                        INVESTIGATION OF THE CIO

=======================================================================

                                HEARING

                               BEFORE THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             SECOND SESSION

                               __________

                            FEBRUARY 2, 2016

                               __________

                           Serial No. 114-131

                               __________

Printed for the use of the Committee on Oversight and Government Reform









         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform
                      
                      
                      
                      
                      
                              ________

                U.S. GOVERNMENT PUBLISHING OFFICE
                   
 25-501 PDF                 WASHINGTON : 2017       


                                   
                      
                      
                      
                      
              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                     JASON CHAFFETZ, Utah, Chairman
JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, 
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JOHN J. DUNCAN, Jr., Tennessee       CAROLYN B. MALONEY, New York
JIM JORDAN, Ohio                     ELEANOR HOLMES NORTON, District of 
TIM WALBERG, Michigan                    Columbia
JUSTIN AMASH, Michigan               WM. LACY CLAY, Missouri
PAUL A. GOSAR, Arizona               STEPHEN F. LYNCH, Massachusetts
SCOTT DesJARLAIS, Tennessee          JIM COOPER, Tennessee
TREY GOWDY, South Carolina           GERALD E. CONNOLLY, Virginia
BLAKE FARENTHOLD, Texas              MATT CARTWRIGHT, Pennsylvania
CYNTHIA M. LUMMIS, Wyoming           TAMMY DUCKWORTH, Illinois
THOMAS MASSIE, Kentucky              ROBIN L. KELLY, Illinois
MARK MEADOWS, North Carolina         BRENDA L. LAWRENCE, Michigan
RON DeSANTIS, Florida                TED LIEU, California
MICK MULVANEY, South Carolina        BONNIE WATSON COLEMAN, New Jersey
KEN BUCK, Colorado                   STACEY E. PLASKETT, Virgin Islands
MARK WALKER, North Carolina          MARK DeSAULNIER, California
ROD BLUM, Iowa                       BRENDAN F. BOYLE, Pennsylvania
JODY B. HICE, Georgia                PETER WELCH, Vermont
STEVE RUSSELL, Oklahoma              MICHELLE LUJAN GRISHAM, New Mexico
EARL L. "BUDDY" CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama

                   Jennifer Hemingway, Staff Director
    Katie Bailey, Government Operations Subcommittee Staff Director
                         Michael Flynn, Counsel
                    Sharon Casey, Deputy Chief Clerk
                 David Rapallo, Minority Staff Director
                 
                 
                            C O N T E N T S

                              ----------                              
Hearing held on February 2, 2016

                               WITNESSES

Mr. Danny A. Harris, Chief Information Officer, U.S. Department 
  of Education
    Oral Statement
    Written Statement
Ms. Sandra Bruce, Deputy Inspector General, U.S. Department of 
  Education
    Oral Statement
    Written Statement
Ms. Susan Winchell, Assistant General Counsel for Ethics, U.S. 
  Department of Education
    Oral Statement
    Written Statement
Mr. John B. King, Jr., Acting Secretary, U.S. Department of 
  Education
    Oral Statement
    Written Statement

                                APPENDIX

RESPONSE from Mr. King ED to Questions for the Record
RESPONSE from Ms. Winchell ED to Questions for the Record


         U.S. DEPARTMENT OF EDUCATION: INVESTIGATION OF THE CIO

                              ----------                              


                       Tuesday, February 2, 2016

                  House of Representatives,
              Committee on Oversight and Government Reform,
                                                   Washington, D.C.
    The committee met, pursuant to call, at 10:02 a.m., in Room 
2154, Rayburn House Office Building, Hon. Jason Chaffetz 
[chairman of the committee] presiding.
    Present: Representatives Chaffetz, Mica, Walberg, Amash, 
DesJarlais, Farenthold, Lummis, Meadows, DeSantis, Mulvaney, 
Buck, Walker, Blum, Carter, Hurd, Palmer, Maloney, Norton, 
Clay, Connolly, Kelly, Lawrence, Lieu, Plaskett, and Lujan 
Grisham.
    Chairman Chaffetz. The Committee on Oversight and 
Government Reform will come to order. Without objection, the 
chair is authorized to declare a recess at any time.
    This is a follow-up to our November 17, 2015, hearing, and 
as part of my opening remarks, I would actually like to yield 
to the gentleman from Texas, Mr. Hurd.
    Mr. Hurd. Thank you, Mr. Chairman.
    Last November, I said in my opening remarks that the 
challenges facing the Department in the area of cybersecurity 
were not only technical in nature. The tools to address these 
issues already exist, whether it be continuous monitoring, 
EINSTEIN, or multifactor authentication. The list goes on. The 
technology is here.
    Cybersecurity for the Federal Government is a matter of 
quality management and effective leadership, not just tech, and 
I am pleased to see not only Mr. Harris back before this 
committee today but also Acting Secretary King.
    Because cybersecurity and information technology are issues 
that must be addressed not only by the CIO's office but also by 
the agency head. Implementation of FITARA and ensuring FISMA 
compliance are issues agency heads need to know about.
    Agencies can't treat data centers, multifactor 
authentication, and legacy technologies as something just for 
the CIO staff. Cybersecurity and IT management are mission-
critical infrastructure. They are as much a part of the 
agency's mission as student aid.
    And who is ultimately accountable for IT and cybersecurity 
issues? The answer isn't only Mr. Harris and his team in the 
OCIO shop. It is also you, Mr. King.
    My amendment was included in the Student Success Act, which 
restated the intent of Congress that students' PII was of the 
utmost importance to protect. This committee will continue to 
hold agencies responsible for the state of our agencies' 
information technology and cybersecurity posture.
    The good news for the Department of Education and really 
the American people is that we aren't here today to discuss a 
massive data breach involving millions of Americans' PII. We 
are here today, however, to examine whether we have the 
management in place at the Department of Education to handle 
this crucial challenge. We need to ensure that this is the 
leadership team that can put the tools and processes in place 
to ensure that we aren't back here again in a month or two 
talking about a data breach at the Department of Education.
    Thank you, Mr. Chairman, and I yield back.
    Chairman Chaffetz. I thank the gentleman.
    This is a very important hearing. In the IT sector, it is 
absolutely critical that we secure our data. We have seen the 
data breaches of huge proportions in the private sector; we 
have seen them at the White House, the Department of State, 
Internal Revenue Service, and certainly the Office of Personnel 
Management.
    Like these agencies, the Department of Education is a prime 
target. It houses the personal information of more than 139 
million Americans. The data breach at the Office of Personnel 
Management was something like 22 million, but there are 139 
million Americans that would be affected by a data breach at 
the Department of Education.
    We also need to remember that the Department of Education 
also oversees a student loan portfolio of more than $1.2 
trillion. This puts it on the proportion of Citibank and other 
major financial institutions. It is critical because taxpayers 
deserve the best in our chief information officer, and they are 
not getting the best at the Department of Education.
    The inspector general testified recently the Department 
continues to be vulnerable to security threats and has 
repeatedly failed to implement the recommendations and failed 
to detect friendly hacks into their system. The Department 
scored a negative--it was one of just a handful of agencies--
but a negative 14 percent on the Office of Management and 
Budget's cyber sprint. Cyber sprint was intended to get 
government-wide, get them up to speed, put more security in 
place, and yet the Department of Education was one of a handful 
of agencies that actually scored negative on that. And they 
received an F in the FITARA scorecard. This is a self-reported 
score, and they scored an F.
    Mr. Harris has served as the chief information officer 
since 2008, and by virtually every metric, he is failing to 
adequately secure the Department's systems.
    The committee's concerns were further amplified after 
learning Mr. Harris was investigated for possible criminal and 
administrative misconduct. The IG closed its investigation a 
few months ago, finding that the CIO potentially broke 12 
Federal laws, regulations, and/or agency directives. But the 
Department of Justice refused to prosecute. That is a mystery 
to us. We don't understand why they would not prosecute such 
wide use and abuse of the system.
    Mr. Harris was running two side businesses he intentionally 
failed to disclose on federally required ethics forms--a home 
theater installation business, a car detailing business--and 
inappropriately used agency resources and most likely agency 
time. Mr. Harris also admitted to the inspector general he did 
not report the income to the Internal Revenue Service. Now, 
most Americans would get in trouble for this type of situation, 
basically hiding information from the IRS.
    Additionally, the inspector general raised serious 
allegations that Mr. Harris influenced a government contract. 
As a high-ranking public official, Mr. Harris played a role in 
awarding and oversight in contracts to a close friend's 
company.
    Equally disconcerting are the anonymous tips that the 
inspector general described Mr. Harris's leadership as 
intimidating. This investigation started because people within 
the Department of Education expressed concern as 
whistleblowers, and the morale in the office of the CIO is an 
all-time low due to a dysfunctional environment that Mr. Harris 
has cultivated.
    Let me put up the first--the chart. There we go.
    [Slide.]
    Chairman Chaffetz. We rely heavily upon a disinterested 
third party to come in and evaluate. These are 14 metrics in 
the Office of the CIO at the Department of Education. Every 
single score is going down. Every single one of those is 
negative. And the Office of the Chief Information Officer at 
the Department of Education scored 285 out of 320, near the 
very bottom of his class.
    You can take that chart down.
    Look at the turnover rate for the IT staff within the 
Department of Education. Fiscal year it was down--it was 5 
percent. Turnover rate in fiscal year 2014 was 6 percent. 
Turnover rate in 2015 was 10 percent. It is a key metric in an 
understanding that maybe things aren't very good in that 
department. Every key metric is down. They are scoring an F on 
their scorecard.
    You have got an IG who is making a recommendation for 
criminal prosecution with the Department of Justice, and what 
does the Department of Education do? They give him bonuses. 
More than $200,000 in bonuses Mr. Harris got over the last 10 
years. And I want to know why. We have got good quality people 
working at the Department of Education, and we have got 
something wrong going on in that department and we are 
bonusing him up? That makes absolutely no sense.
    Mr. Harris came and testified before this committee in 
November. I asked him a basic question about IT. Are you using 
COBOL? COBOL was instituted in the 1960s. The answer was no, we 
are not using it. It ends up they have more than 1 million 
lines of code in the Central Processing System, also in the 
National Student Loan Database. So he is off with these other 
businesses getting subordinates to do the work, taking bonuses, 
has three other jobs, and we are giving him bonuses.
    Every single metric is going down, scoring an F on the 
scorecard, there is a vulnerability, and there is 139 million 
people who are at risk. We don't have time to play these kind 
of games. This is exactly what the Oversight and Government 
Reform Committee is all about.
    Mr. Harris has had roles as an adjunct professor at Howard 
University, consulting for the Detroit public schools. He does 
IT consulting services for the city of Detroit. 
Congratulations. You don't have time to do that stuff.
    Simply put, when the CIOs fail to bring high management and 
ethical standards to their work, institutions suffer, systems 
are weakened, and the data of millions of Americans are in 
danger.
    For all the wrongdoing here, I am telling you there are a 
lot of good people who rely on the Department of Education. 
They work there. There are people at home in every State and 
every corner of our country who rely on this. But you know 
what? There are 10, 10 senior officials at the Department of 
Education under investigation right now. Mr. Harris is one of 
them. Bob Shireman is another one. Who are the other ones? 
Because this is an agency that has to function. If we are going 
to pour the billions of dollars in it, they have got to deal 
with it ethically. But we are looking at a situation here that 
is not going well, and that is why we have the hearing here 
today.
    Chairman Chaffetz. With that, I will now recognize the 
ranking member. We are glad to have Ms. Plaskett filling that 
role today. And we will now recognize her. Thank you.
    Ms. Plaskett. Thank you very much, Mr. Chairman. Thank you 
all for being here this morning.
    It is critical that all Federal employees meet the highest 
ethical standards and avoid even the appearance of impropriety. 
It is therefore essential that agencies take swift and 
appropriate action upon learning that one of their employees 
has engaged in either misconduct or exercised poor judgment in 
their work.
    In this instance, the Department of Education's inspector 
general conducted a thorough investigation into allegations of 
wrongdoing involving the Department's chief information 
officer, Mr. Danny Harris. In doing so, the IG dismissed some 
of those allegations as unsubstantiated and suggested that 
others "may have violated Federal laws, regulations, and 
departmental directives."
    Now, while the IG's report of investigations indicated that 
the CIO, Mr. Harris, may have violated Federal laws, it appears 
that law enforcement authorities who examined the alleged 
misconduct did not find any criminal wrongdoing after their 
investigation. That being said, the IG reports a series of 
errors in judgment by the CIO that raised valid questions about 
his ethical conduct.
    For example, though the IG did not find that the CIO 
influenced the Department's contracting process, the IG did 
find that the CIO had "participated in awarding Department 
contracts to a company while having a personal relationship 
with the company's owner." We definitely need to ask you about 
that.
    The IG also found that, for a period of time, the CIO used 
his subordinate staff to help him run a home theater 
installation and car detailing business. While the IG did not 
identify anything prohibiting the CIO from running these 
businesses during non-work hours, the CIO's decision to use 
both subordinate employees and failure to report the earned 
income from that work shows, at a bare minimum, poor judgment 
on his part.
    While the Department cannot identify any specific policies 
or procedures that the CIO had violated, it took corrective 
action, including mandating that he undergo at least four in-
person counseling sessions, as well as receive formal written 
ethical guidance going forward.
    Since those counseling sessions, the CIO has reportedly 
taken the necessary steps to correct the deficiencies the IG 
found, and most importantly, since 2012, the CIO has not 
engaged in any of the ethically questionable behavior that the 
IG raised in the investigation.
    The fact that the CIO is no longer engaged in questionable 
conduct is nothing to celebrate. As a senior official in the 
Department, the CIO holds a critical leadership role, and as 
such, is expected to set a positive tone and example for the 
employees he supervises. If the Department employees cannot 
trust their CIO is guided by the highest ethical standards at 
all times, what message does that send in the Department of 
Education? It must be made clear that even borderline ethical 
conduct will not be tolerated by your department.
    I look forward to hearing directly from the Acting 
Secretary of the Department, Mr. King, John King, and the CIO 
himself, Mr. Danny Harris, who is here, on what steps they have 
taken to ensure that an appropriate tone is set for all 
employees at the department and what specific policies have 
been put in place, along with procedures to assure that these 
types of actions will not occur again.
    Given the critical role of the CIO in the Department's IT 
security, valid questions may be raised today about his 
effectiveness in light of not only the IG's report but prior 
audits the IG conducted on the adequacy of the Department's IT 
security. Those audits were examined at length by this 
committee during a hearing it held this past November on the 
state of the Department's cybersecurity. I expect that we will 
hear today from the CIO not only on an update of any 
improvements and progress the Department has made in 
cybersecurity since the hearing, but also his vision, your 
vision, Mr. Harris, and plan for strengthening Department's 
overall information system.
    Thank you, Mr. Chairman.
    Chairman Chaffetz. Thank you. And we will hold the record 
open for 5 legislative days for any members who would like to 
submit a written statement.
    We will now recognize our witnesses. Mr. Danny Harris 
currently serves as the chief information officer of the United 
States Department of Education, a role he has served in since 
2008. Prior to his current position, Mr. Harris served as 
deputy chief financial officer for 5 years. In his capacity, he 
was responsible for contract administration, grant management, 
accounting, risk management, internal controls, internal 
travel, and financial management systems.
    Ms. Sandra Bruce currently serves as the deputy inspector 
general of the United States Department of Education, and she 
has more than 30 years of experience directing, overseeing, and 
managing complex audit inspections and investigative-related 
programs.
    Ms. Susan Winchell has served as the assistant general 
counsel for ethics at the United States Department of Education 
since 2007. Ms. Winchell previously served as the deputy 
assistant general counsel and is the associate general counsel 
at the U.S. Office of Government Ethics.
    Mr. John King currently serves as the Acting Secretary of 
Education, a position he assumed in January of 2016. Before 
becoming Acting Secretary, Mr. King had served since January of 
2015 at the Department as the principal senior advisor. This is 
Mr. King's first time testifying before our committee, and we 
welcome you here today. Thank you for joining us.
    Pursuant to committee rules, all witnesses are to be sworn 
before they testify. If you will please rise and raise your 
right hand.
    [Witnesses sworn.]
    Chairman Chaffetz. Thank you. Please be seated. Let the 
record reflect that the witnesses all answered in the 
affirmative.
    In order to allow time for discussion, we would appreciate 
if you would please limit your oral testimony to 5 minutes, and 
your entire written statement will be made part of the record.
    Mr. Harris, you are now recognized for 5 minutes.

                       WITNESS STATEMENTS

                  STATEMENT OF DANNY A. HARRIS

    Mr. Harris. Thank you. Chairman Chaffetz, Ranking Member 
Plaskett, and members of the committee, thank you for giving me 
the opportunity to share with you my response to the 
allegations raised and investigated by the Department's 
inspector general.
    I've been proud to serve the public for the last 32 years 
at the Department of Education. However, in light of the IG's 
investigation and the counseling I received from the Office of 
the Deputy Secretary and the Office of the General Counsel at 
the Department, I fully understand and I take full 
responsibility for how some of my actions could allow questions 
to arise about my judgment. I view my behavior as unacceptable 
and I have learned from this experience.
    Before I address the topic of this hearing, I'd like to 
provide the committee with an update on the progress on 
cybersecurity since the last time I sat before you in November. 
Since that time, the Department has enhanced its progress by 
standing up an Integrated Project Team that will be tracking 
all corrective action plans tied to FISMA or financial 
statement audits. The team is made up of the general counsel, 
myself, the deputy CIO, FSA chief operating officer, and the 
FSA CIO. I believe focusing this level of attention by senior 
members of the agency will help ensure we meet our targets.
    The team will meet on a weekly basis to ensure that all 
corrective actions are resolved based on the dates provided to 
and agreed upon by the IG. The team will be paying particular 
attention to any items associated with the Department's high 
value assets, as well as items listed as repeat findings.
    With respect to the IG's investigation, I have promptly and 
fully cooperated with the investigation. While I was not 
provided with a list of specific accusations against me, based 
on the questions during the investigation and the counseling I 
received, I understand that some concerns were expressed about 
my interactions with subordinate employees.
    My management style is to make an--take an interest in and 
care about my colleagues and subordinates. I've been blessed 
with the opportunity to work with many outstanding individuals 
and even more blessed to have formed a friendship with some of 
the employees at the Department.
    Again, based on questions during the investigation and the 
counseling I received, I believe that concerns were raised 
about my conduct with respect to my hobbies. This is, in my 
personal time, I enjoy detailing cars. Additionally, prior to 
the investigation, I had also enjoyed installing audio/video 
equipment. My staff members at the Department were aware of 
these hobbies, and two of these individuals in particular were 
interested in learning more about these activities. I now 
realize that by including them in my hobbies, for which they 
were compensated, I used poor judgment.
    With regard to helping others on my team with home 
projects, I now understand that that could be misconstrued. 
Each request by staff was predicated by them approaching me and 
expressing an interest in benefiting from my experience.
    I think it is important to note that while I did not view 
these activities as a business, I nevertheless understand how 
it could be perceived. Therefore, I have ceased to install any 
audio/video equipment or engage in activities with staff where 
there is compensation. The last time I performed work related 
to installing audio/video equipment for anyone and accepted 
compensation was in 2012.
    The IG investigators also asked me questions related to the 
employment of a relative. My relative used the standard process 
to apply for a vacant position, and I had no part in the 
application process. The relative did not report to me or 
anyone working in my supervision. As I confirmed for the IG 
investigator, I did inquire with some colleagues whether they 
had openings in their office, and my relative is no longer 
working at the agency.
    With respect to my relationship with the owner of a vendor 
that performed work with the agency, I acknowledge that I did 
develop a personal relationship with the vendor around 2008. As 
CIO, I did not and do not have a role in determining who will 
be awarded contracts. At no time did I advocate for this vendor 
or ask staff to treat this vendor any differently than other 
vendors. I have also ended my personal relationship with the 
vendor effective February 2013.
    After cooperating with the IG investigators, I was 
counseled by then-Deputy Secretary Tony Miller in 2013, and 
later counseled by the ethics attorney Susan Winchell and 
Deputy Secretary Shelton and King. I also received a written 
counseling memo. I took each of these sessions very seriously, 
and immediately following my initial counseling, consulted any 
records I had with respect to my hobby and amended my tax 
returns to the IRS for 2008 through 2010. I determined I had no 
additional income for 2011 and reported the additional income 
on my 2012 tax returns and my form 278. The updated returns 
reflected a nominal increase, of which was roughly 1 to 2 
percent increase of my total household income.
    I have benefitted from the counseling of three deputy 
secretaries, as well as by the agency's lead attorney for the 
ethics division, Susan Winchell. While, at the time, I did not 
view my actions to be in violation of any laws, regulations, or 
policies, I do appreciate, however, that others viewed my 
conduct as questionable. I have severed my personal 
relationship with one vendor which I had developed a 
friendship. I no longer participate in activities related to 
installing audio/visual equipment, and I do not accept funds 
for detailing cars.
    I appreciate the opportunity to answer any questions you 
may have about the testimony. Thank you.
    [Prepared statement of Mr. Harris follows:]
    
    
    
    
    
    Chairman Chaffetz. Thank you.
    Ms. Bruce, you are now recognized for 5 minutes.

                   STATEMENT OF SANDRA BRUCE

    Ms. Bruce. Chairman Chaffetz, Ranking Member Plaskett, and 
the members of the committee, thank you for inviting me here 
today to discuss the Department of Education Office of 
Inspector General investigation of Dr. Danny Harris, the 
Department's chief information officer.
    As detailed in my written testimony, in 2011 and 2012, the 
OIG received two anonymous complaints concerning allegations of 
criminal and administrative misconduct by Dr. Harris. The 
complaints included allegations that Dr. Harris improperly 
awarded contracts to a company owned by his personal friend, 
operated a home theater installation business with a 
subordinate employee, and solicited other Department employees 
to perform work for this business.
    During our investigation, we learned of additional 
complaints alleging that Dr. Harris operated a business 
detailing cars where he employed subordinate employees to 
assist with the detailing work and also accepted payments from 
subordinate employees for detailing their cars; instructed a 
subordinate employee to purchase products from eBay for his 
home theater business and sold items on eBay using the 
subordinate's account, splitting the proceeds with the 
subordinate, and further used his Department email account to 
conduct these transactions; appeared to have advocated for a 
relative's employment within the Department; and appeared to 
have made a $4,000 personal loan to one of his subordinate 
staff.
    By April 2013, our investigation had substantiated most of 
these allegations. Our investigation determined that Dr. Harris 
operated outside business ventures involving home theater 
installation and car detailing with members of his subordinate 
staff; had business cards and received payments from 
subordinate employees for services provided by those ventures.
    Dr. Harris informed us that the home theater installation 
venture generated at least $10,000 in income, which exceeded 
the $200 annual threshold that required reporting on the Public 
Financial Disclosure Report, Office of Government Ethics form 
278. Dr. Harris admitted that he did not report the income on 
the required forms during the relevant time periods.
    The Department's designated ethics official informed the 
OIG that Dr. Harris not reporting the income on his ethics 
forms was a problem that needed to be referred to the U.S. 
Attorney's Office. Dr. Harris also advised that he did not 
report this income on his taxes and acknowledged that he 
probably should have done so.
    Our investigation also determined that Dr. Harris used his 
Department email account to conduct his outside business 
ventures.
    Participated on a panel that awarded a contract to a 
company owned by someone he had a personal relationship with. 
His participation, however, did not result in that contract 
being improperly awarded.
    Took actions to help a relative secure employment within 
the Department. The relative was employed at the GS-4 level 
from 2010 to 2013.
    Made a loan--a $4,000 loan to one of his subordinate staff.
    We received conflicting information regarding the 
allegation that Dr. Harris instructed a subordinate employee to 
purchase products from eBay for his home theater business. Dr. 
Harris stated that the purchase was for his personal use. The 
employee stated the purchase related to the home theater 
installation business.
    As our criminal investigation into the allegations against 
Dr. Harris continued, we provided a report of our initial 
findings to the Department so that it could take appropriate 
administrative action against Dr. Harris. The OIG also made a 
referral to the Internal Revenue Service regarding Dr. Harris's 
failure to report all of his income on his income tax returns.
    In February 2015, the U.S. District Attorney's Office for 
the District of Columbia declined prosecution of all issues 
based on the availability of administrative remedies. In March, 
we submitted another report to the Department noting the U.S. 
attorney's decision.
    In June 2015, the acting deputy secretary responded to our 
report stating that, overall, the Department found no violation 
of law or regulation. Instead, the acting deputy secretary said 
that he believed Dr. Harris displayed certain lapses in 
judgment, which were addressed through counseling provided by 
the two prior deputy secretaries and the acting deputy 
secretary, and also guidance provided by the Department's 
ethics official.
    We closed our investigation administratively in September 
2015.
    This concludes my remarks, and I am happy to answer your 
questions.
    [Prepared statement of Ms. Bruce follows:]
    Chairman Chaffetz. Thank you.
    Ms. Winchell, you are now recognized for 5 minutes.

                  STATEMENT OF SUSAN WINCHELL

    Ms. Winchell. Chairman Chaffetz, Representative Plaskett, 
members of the committee, thank you for the opportunity to 
appear before you today and discuss the matter regarding the 
Department's chief information officer, Danny Harris.
    As the designated agency ethics official at the Department, 
I am responsible for running the Department's ethics program. I 
believe a successful and effective ethics program must ensure 
that all employees have enough information about the rules to 
either know how to comply with them or to know when to ask 
questions and who to ask. I take this responsibility very 
seriously.
    I first became aware of the IG's investigation in February 
of 2013. At that time, in developing recommendations for the 
deputy secretary, I took into consideration that no ethics rules had 
been violated, that the activities had already ceased, and that 
the matter had been referred to the U.S. attorney.
    I subsequently participated in conversations regarding a 
question from the deputy secretary about whether it would be 
appropriate to reassign Dr. Harris from the OCIO position to 
another position. Based on the information provided in the 
report, we concluded that that would be a drastic action under 
the circumstances and was neither reasonable nor required.
    According to information provided in the IG's report, the 
kinds of financial relationships Dr. Harris engaged in with 
subordinates are not covered by the criminal conflict of 
interest statute, but they do raise potential concerns under 
the standards of ethical conduct. I believe that paying a 
subordinate to provide services outside of work and providing 
personal services to--for a fee to a subordinate does create a 
``covered relationship'' with those subordinates. However, 
under the rules, the determination about whether a recusal is 
required rests with the employee first.
    While the ethics official may make a binding and 
independent determination about the necessity of a recusal, 
that determination may not be applied retroactively under the 
rules. Dr. Harris has now been counseled that he may not have 
outside financial relationships with any subordinate because 
the--as the ethics official, I have determined that such 
relationships could give rise to the appearance of a lack of 
impartiality.
    With respect to his friendship with the owner of a vendor, 
information in the IG's report suggests that Dr. Harris formed 
a close personal friendship with the vendor in approximately 
2010. However, in my reading of the IG's report, I concluded 
that the information presented did not support a conclusion 
that a close personal friendship existed at the time Dr. Harris 
participated in the selection of the vendor or the 
implementation of the resulting contract.
    According to the IG's report, Dr. Harris failed to report 
income he received from his outside activities on his public 
financial disclosure report. Dr. Harris has reported--did 
subsequently report income on his report covering calendar year 
2012. He has not reported any such income in subsequent years. 
The IG's report does not contain information to support a 
conclusion that the omissions were willful.
    The IG's report states that Dr. Harris advocated for a 
relative to be hired at the Department. From an ethics 
perspective, I reviewed the information provided in the report 
to determine whether Dr. Harris misused his government position 
in attempting to obtain employment for a relative. I concluded 
that he did not, as there is no information showing that he 
participated in or attempted to influence the hiring process. 
In my view, a simple inquiry about job openings that might be 
suitable for a relative is not, without more, a misuse of 
position under the rules.
    Finally, I reviewed the allegation that Dr. Harris misused 
Department equipment and resources by using Department email 
and other electronic resources in connection with his outside 
activities. However, the IG's report did not clearly establish 
whether the outside activities were a business or a hobby. If 
the activities were a business, personal use of government 
equipment is prohibited under the Department's policy. However, 
if they are a hobby, the Department policy does permit a 
certain amount of personal use of such equipment.
    I met with Dr. Harris in his office on March 21, 2014. I 
reviewed the ethics laws and rules regarding conflict of 
interest and appearance of lack of impartiality. This 
discussion focused, to a large extent, on how to handle friends 
in the workplace and appearance issues that arise when 
supervisors and subordinates have financial relationships 
outside of work. I also discussed gifts between employees and 
misuse of government equipment.
    Chairman Chaffetz, Representative Plaskett, and the members 
of the committee, this concludes my statement, and I am happy 
to answer any questions you may have.
    [Prepared statement of Ms. Winchell follows:]
    Chairman Chaffetz. Thank you.
    Mr. King, you are now recognized for 5 minutes.

                 STATEMENT OF JOHN B. KING, JR.

    Mr. King. Thank you. Chairman Chaffetz, Representative 
Plaskett, and members ----
    Chairman Chaffetz. Your microphone doesn't appear to be on 
there.
    Mr. King. Chairman Chaffetz, Representative Plaskett, and 
members of the committee, thank you for the opportunity to 
appear before you today.
    In January of 2015, I joined the Department as senior 
advisor delegated the duties of deputy secretary, and I became 
Acting Secretary on January 1 of this year when Secretary Arne 
Duncan stepped down.
    I firmly believe that providing our children with a great 
education is not just about subject matter knowledge, but also 
about instilling the values that will help them become faithful 
contributors to our communities and democracy. I expect all 
Department employees to adhere to the highest standards of 
ethical conduct.
    Before I address the actions taken by the Department with 
respect to the report by the inspector general in this matter, 
I'd like to provide you with a brief update of what the 
Department has achieved to enhance our cybersecurity since the 
agency last testified before this committee, as I believe we 
have made meaningful progress.
    Specifically, we have moved from a rate of 11 percent 
compliance for two-factor authentication of all privileged 
users at the conclusion of the cybersecurity sprint to an 
overall compliance rate of 95 percent as of January 31, 2016. 
We continue to work aggressively with a single external vendor 
to accelerate implementation of two-factor authentication for 
the remaining privileged users at that vendor and project to 
achieve 100 percent compliance during March 2016.
    I view cybersecurity as a responsibility of the entire 
agency, not just that of any one individual. And although we 
have made and are continuing to make progress, I am not 
satisfied with where we are as an agency. I've notified my team 
that we must do better, and I've directed my team to 
immediately undertake additional actions to strengthen our 
cybersecurity.
    These steps include using a focused and disciplined 
approach to systematically resolving and addressing the root 
causes behind any cybersecurity-related findings from both our 
2015 FISMA audit and the 2015 financial statement audit.
    I have also directed the team to take additional steps to 
increase end-user cybersecurity awareness, to strengthen our 
incident response capabilities, and to continue to build the 
capacity of our internal team through hiring of additional 
professionals with expertise on these issues who can assist us 
in implementing best practices and improving the Department's 
cybersecurity program.
    Returning to the IG's investigation and report issued to me 
in March 2015, I considered very seriously the allegations. 
Ultimately, my response to those allegations closed a several-
years-long investigation and confirmed and supplemented the 
work of two prior deputy secretaries at the Department there 
and my staff and our Office of the General Counsel.
    I considered this matter in the overall context of Dr. 
Harris's more than 30-year career with the Department. Dr. 
Harris has been steadily promoted under administrations of both 
parties to roles of increasing responsibility. He was promoted 
to the Senior Executive Service in 1998 and was appointed to 
his current role as CIO during the prior administration under 
Secretary Spellings in 2008. He has been widely recognized for 
his work in the CIO role.
    Given that history of service and my commitment to ethics, 
I was therefore troubled to learn of the IG's investigation. 
However, I was also informed that Dr. Harris had been counseled 
by former Deputy Secretary Tony Miller on this matter, as well 
as my immediate predecessor, former Deputy Secretary Jim 
Shelton and the agency's lead career ethics attorney Susan 
Winchell.
    Upon receiving the IG's addendum in 2015, I again consulted 
with the general counsel's office. The synopsis of the addendum 
stated that the U.S. Attorney's Office in the District of 
Columbia had declined prosecution. After reviewing the 
addendum, the Office of General Counsel and Ms. Winchell 
advised that the additional information included in the 
addendum served to confirm the conclusions reached by the 
Office of General Counsel and two prior deputy secretaries 
following receipt of the initial report, namely, that the OIG 
investigative materials did not include information that could 
support a finding that Dr. Harris had violated any law, rule, 
or regulation.
    I considered all of these factors, along with the fact that 
the actions in question had occurred several years earlier, had 
since ceased, and that Dr. Harris took immediate responsibility 
for his actions and, where appropriate, included the relevant 
income on his financial disclosure forms and took other 
corrective actions.
    Based on these facts, I determined the appropriate course 
of action was to supplement the actions already taken with 
counseling of my own for Dr. Harris on these serious matters. I 
also asked Ms. Winchell to confirm her prior oral counseling to 
Dr. Harris in writing.
    As I stated at the outset, ensuring that the public's 
business and our work of expanding educational opportunity for 
all students are carried out according to the highest standards 
of ethical conduct is vitally and personally important to me. I 
believe the Department took appropriate actions to address the 
issues raised by the investigation and ensure that they are not 
repeated as we continue to work to rapidly strengthen our 
cybersecurity posture, an area of critical need and a top 
management priority for me over the coming year.
    Thank you for the opportunity to testify, and I look 
forward to answering any questions you may have.
    [Prepared statement of Mr. King follows:]
    Chairman Chaffetz. Thank you.
    I will now recognize the gentleman from Florida, Mr. Mica, 
for 5 minutes.
    Mr. Mica. I think Congress and the American people have to 
think that a CIO position, chief information officer position, 
stands for chaos, ineptness, and outrage after what we have 
learned this morning. The CIO is an important position to 
protect the integrity of information data. I think you have 
what, Mr. King, 139 million records that you possess, personal 
information, $1.2 trillion of information on people who have 
student loans, and anyone who has applied, I guess, has all 
that background information.
    At the very least, Ms. Bruce, Mr. Harris was acting 
improperly according to your investigation. I think there has 
been some hairsplitting here on whether it was a business or a 
hobby. You found information that it was a business, I think, 
in your investigation, did you not, Ms. Bruce?
    Ms. Bruce. That's correct.
    Mr. Mica. Yes. And I guess also if you don't report the 
income on your disclosure--that is financial disclosure--that 
is also a violation, Ms. Bruce?
    Ms. Bruce. Yes, according to 5 U.S.C. at 104.
    Mr. Mica. Yes.
    Ms. Bruce. Although the Department has decided that, 
because it was not done knowingly and willfully, it doesn't 
pursue a civil action. Knowingly only has to be established to 
do administrative ----
    Mr. Mica. And it was corrected after the fact, is that not 
correct? That is ----
    Ms. Bruce. That's correct.
    Mr. Mica. Yes. Well, Mr. Harris, you are a senior executive 
service position, is that correct?
    Mr. Harris. That is correct, sir.
    Mr. Mica. Yes. And you have been the CIO since 2008, is 
that correct?
    Mr. Harris. That is correct, sir.
    Mr. Mica. And every year since 2008--we will take you to 
2011--the FISMA audit contains findings of failure of the 
protection of the records and all of the information you are 
charged with, according to what we have. That is correct. And 
in that time, you received bonuses of $116,000, according to 
our report. That is just part of the record, right, Mr. Harris?
    Mr. Harris. That's correct, sir.
    Mr. Mica. This whole investigation started in December 
2011. In the meantime, he received bonuses in 2012 of $17,000; 
2013, $17,000; 2014. During all that time period, the 
information I have is your performance, the job you were hired 
for as the chief information officer, you had failing 
evaluations. Is that correct?
    Mr. Harris. That is not correct, sir.
    Mr. Mica. It is correct to the information that we have. 
The only information we had just now is Mr. King mentioned that 
since January they have done better. But it appears you have 
actually failed in your mission.
    First, your ethics--Ms. Winchell gave you as much cover as 
she possibly could, but your ethics were questionable. Ms. 
Bruce also said that your activities were not proper. There is 
no reason, Mr. King, why Mr. Harris shouldn't be fired. He is a 
senior executive service officer. He has failed continually 
since he took the position. I don't think you could find more 
ineptness or misconduct with any senior employee that has come 
before us and then rewarded for it. It is so offensive.
    And Ms. Winchell says, well, maybe we should discuss moving 
him to another position. Well, that is what is wrong with this 
whole system is he can fail every time, getting huge salaries, 
plus he has got his little businesses or hobbies or whatever 
you want to call it on the side, all the ethical questions that 
have been raised, and you leave him in that position. The worst 
thing would be to put him in another position and continue to 
get the high salaries and bonuses.
    Mr. King?
    Mr. King. Congressman, respectfully, what I can attest to 
is the dramatic progress since I arrived at the Department ----
    Mr. Mica. Dramatic progress?
    Mr. King.--in January 2015.
    Mr. Mica. Who approved the bonuses for him when he was 
failing? Were you involved? You were a deputy, weren't you?
    Mr. King. I was not present at the Department. I joined ----
    Mr. Mica. You were not--who ----
    Mr. King. I joined ----
    Mr. Mica. Then it would be the Secretary that approves the 
bonuses? Who approved the bonuses? Even while he is under 
investigation, there should be at least a suspension of the 
bonuses.
    Mr. King. He was previously supervised by deputy ----
    Mr. Mica. But he failed every time, every single time since 
2008. The only time we have had any success reported is what 
you reported from January, and that is only because the 
chairman conducted a hearing and we hammered you last year.
    I yield back the balance of my time.
    Chairman Chaffetz. I thank the gentleman.
    I now recognize Ms. Plaskett for 5 minutes.
    Ms. Plaskett. Thank you, Mr. Chairman. Good morning. Good 
morning, Mr. Harris.
    As a CIO, you are the senior official at the Department 
that your division is looking to for leadership and guidance. 
The IG reported in her investigation into the alleged 
misconduct that you used subordinate staff to run an outside 
business and failed to properly report this business on a 
mandatory financial disclosure form. Do you dispute that report 
at this time?
    Mr. Harris. I do dispute that as articulated.
    Ms. Plaskett. Okay. But do you dispute that you failed to 
report the income?
    Mr. Harris. I do not dispute that.
    Ms. Plaskett. Okay. And although neither the Department or 
any law enforcement authorities, the law enforcement did not 
elect to prosecute, even the Acting Secretary stated in a 2015 
memorandum to the IG that you ``displayed certain lapses in 
judgment.'' Knowing that and not disputing that you failed to 
report that income and you agree with some portions of the 
report, what specific steps have you taken to earn back the 
trust of not only the Department but in particular the 
employees that you supervise?
    Mr. Harris. Well, thank you for the question. I want to say 
categorically that these were hobbies that I've enjoyed for the 
greater part of my life, and the employees that wanted to 
engage me, two of them actually wanted to learn from me. And I 
am a teacher. That's one of the things I love to do.
    Since 2012, I have severed my relationship with the vendor 
in question, and I'd like to also say that in 2004 when I sat 
on a panel, not selecting the vendor but providing a review for 
the panel, I was not a personal friend of that vendor. That 
friendship did not occur until 2008, and at that point I am 
completely removed from the acquisition process.
    Ms. Plaskett. So what have you done to earn back the trust 
of the people that you supervise?
    Mr. Harris. I have communicated with them, explained to 
them, providing transparency, and that's pretty much what I've 
done.
    Ms. Plaskett. And do you believe that that alone is 
sufficient to allow you to effectively serve as the CIO of the 
Department of Education?
    Mr. Harris. I'm sorry. Would you ask that question again?
    Ms. Plaskett. So you said that what you have done to earn 
back their trust is communicate with them about severing your 
ties with the contractor. Do you think that is sufficient to 
make you an effective CIO at the Department of Education?
    Mr. Harris. I think working hard and actually demonstrating 
that I'm passionate about the job and I'm providing not only 
the direction but the time to do the job right.
    I'd also like to put my job as CIO in context if I may. 
Cybersecurity is absolutely critical to the Federal Government. 
However, it is only one of the mission-critical 
responsibilities under my leadership. For example, I run the 
entire financial management platform. We have received 13 clean 
audit opinions. We have an incredible IT investment management 
program. We have the best grants management system in the 
Federal Government. One, I think, should look at the totality 
of my leadership, not just cyber, even though I agree that the 
Department had a poor record in improving cybersecurity. But 
again, it is only one aspect of my job, though it is a critical 
aspect.
    Ms. Plaskett. Thank you. Acting Secretary King, both the 
IG's report of the investigation in 2013 and the addendum to 
that report in 2015 raise not just concerns about this specific 
issue here with your CIO but the general culture at the 
Department of Education. Are you at all concerned that the IG's 
concerns indicate a broader cultural problem in your department 
when it comes to employees meeting ethical standards?
    Mr. King. Certainly, I have sent a clear message to the 
entire Department that we are committed to ethical conduct, as 
did my predecessor, Secretary Duncan. And with respect to this 
specific issue, it was taken seriously. Counseling was 
provided. The conduct that was of concern in the IG report 
ended by 2013. And cybersecurity is a top management priority 
for the Department. We've made substantial progress since last 
January when I joined the Department, but there is clearly much 
more work to do to ensure that we're ----
    Ms. Plaskett. So how are you instilling to your employees 
that this is not something that will be tolerated in the 
Department if all you have done is given him counseling 
sessions? Where is the stick as opposed to just, you know, the 
pat to him telling him don't do it again and it hasn't occurred 
again? How do people know that they cannot be involved in this 
kind of behavior? Is there anything procedurally that you have 
done with Mr. Harris or moving forward put in place that will 
demonstrate that to people?
    Mr. King. We provide ethics training to all new employees 
and annual ethics training to all employees. Ms. Winchell runs 
a strong department-wide ethics program. In the specific case 
of Dr. Harris, as I indicated previously, after the IG report, 
Deputy Secretary Miller and then Deputy Secretary Shelton 
reviewed the IG report with the general counsel, who advised 
that there were no violations of law or regulations or policy, 
but nonetheless, both took the step of providing counseling, 
which I think was humbling for Dr. Harris, made clear that the 
conduct needed to end. All of the activities cited ended by 
2013.
    When I joined the Department in 2015, the outstanding issue 
was the addendum resolving the referral to the Department of 
Justice. The Department of Justice also found there was no 
justification for further action in terms of a violation of 
law.
    I again consulted with the general counsel. Again, she 
advised that there was no violation of law or regulations. 
However, because I was concerned about sending a clear message 
about the importance of ethical conduct, I counseled Dr. Harris 
again and asked the general counsel to provide written guidance 
to Dr. Harris on all these matters.
    Ms. Plaskett. Has anything been sent out to the employees 
or anything letting people know how this conduct was not being 
tolerated? I mean, personally, I don't think that counseling is 
humbling for an individual that then allows them--that is just 
a way to keep your job. But I am just trying to see if you 
believe that what has been done will keep your department on 
track in the areas that the CIO is responsible for, and that 
you believe--do you believe that Mr. Harris can effectively 
continue in the position that he has now?
    Mr. King. I believe that the evidence is clear that the 
activities have stopped. It is clear that Dr. Harris 
understands the gravity of the impression that was created by 
his activities. His remorse is evident. We have made 
significant progress on cybersecurity over the last year that 
I've been at the Department, and Dr. Harris has been a key 
participant in that. He also is performing ably in other areas 
of his work as CIO in terms of infrastructure, planning for the 
continued upgrades to technology at the Department.
    The message around ethical conduct is clear from me and 
certainly from the training that is provided to all employees. 
We make clear that not only do we need ethical conduct, but we 
can't even have the appearance of any impropriety.
    Ms. Plaskett. Thank you.
    Chairman Chaffetz. Thank you. I am now going to recognize 
myself for 5 minutes.
    Mr. Harris, when did you first get to know William Hall?
    Mr. Harris. I ----
    Chairman Chaffetz. Your microphone, please.
    Mr. Harris. Thank you, sir. I met him about 15 or so years 
ago.
    Chairman Chaffetz. Which year did you meet him? 2000?
    Mr. Harris. I would say 2002 is what I recall.
    Chairman Chaffetz. In your testimony you said, ``My 
personal relationship with the individual developed several 
years after the date and occurred when I moved in 2008 to a new 
neighborhood and discovered the individual lived nearby.''
    Mr. Harris. That is correct, sir. I met him, but we did not 
form a friendship. He actually worked at the Department and I 
knew of him, but we never spent time together. I wasn't a 
friend. It wasn't until I ----
    Chairman Chaffetz. You didn't spend time with him in 2005? 
E Source was awarded a sole-source contract, and you were 
designated the program manager for that contract, correct?
    Mr. Harris. But I did not lead that project. I was just ----
    Chairman Chaffetz. You were the program manager, correct?
    Mr. Harris. But I did not select that vendor.
    Chairman Chaffetz. But did you interact with them? You were 
the program manager.
    Mr. Harris. I did interact with him, but I was not a 
friend. It's no different than the vendors--the other vendors 
that I interact with that hold contracts with the Department.
    Chairman Chaffetz. 2006 E Source was awarded another 
contract, and you are again made program manager for that, 
correct?
    Mr. Harris. I don't recall, sir. I don't have that in front 
of me.
    Chairman Chaffetz. Okay. The point is, based on your 
testimony, your written testimony, you said you really got to 
know him in 2008, but it is clear that you had known him since 
2001. There was somebody that had--they had recommended--Mr. 
Hall had recommended to come work for you, who then you hired 
and then she oversaw those contracts, correct?
    Mr. Harris. That is not true.
    Chairman Chaffetz. Okay. We are going to explore that a 
little bit more, and be careful about how you answer that one.
    Mr. King, you said that you saw no violation of law, 
regulation, or policy, correct?
    Mr. King. That was what was advised by our general counsel.
    Chairman Chaffetz. Okay. So let's go through this. Mr. 
Harris, we know that you were friends with this William Hall. 
We know that you interacted with him. During 2008 to 2011, you 
had had some 700 phone calls with Mr. Hall, correct?
    Mr. Harris. They were not phone calls. I'm not a phone 
talker. They were probably text messages. But he was a friend. 
I make no excuses for that. He was a friend.
    Chairman Chaffetz. Yes, we have the phone records. These 
are the 700 calls, 700 during that time frame. There are two 
contracts that get awarded during that time, correct? One was a 
renewal, one was a new one?
    Mr. Harris. I am not involved in the acquisitions process 
in any shape, form, or fashion.
    Chairman Chaffetz. You are in charge. You are obviously 
very good friends with this person. According to the inspector 
general, you actually, either you or your company--you call it 
a hobby; I don't buy it. When you have revenue, you set up a 
company, you don't disclose it on your ethics form, you don't 
disclose it to the IRS. This is something you have already 
admitted.
    So, Mr. King, how is that not a violation of regulation, 
policy, or the law? He admitted that he had outside income 
above the $200 threshold and he did not report it neither to 
the IRS, nor on the ethics form. How is that not a violation of 
law, regulation, or policy?
    Mr. King. Well, as you know, the general counsel's role is 
to review--our chief career ethics officer, her job is to 
review the findings from the inspector general and to determine 
whether or not there has been a violation of law or regulation 
or policy. The general counsel advised ----
    Chairman Chaffetz. But you are asked to review that. You 
are the one that is supposed to look at that. You are not just 
supposed to read it and say, hey, that is what they say. You 
still to this day believe that Mr. Harris has done nothing 
wrong?
    Mr. King. As I indicated previously, the general counsel 
made ----
    Chairman Chaffetz. No, I want to know what you believe. All 
this evidence we have thrown out there, you still believe that 
there is nothing he has done wrong?
    Mr. King. My responsibility is to rely on the guidance of 
general counsel to review ----
    Chairman Chaffetz. No, your responsibility is to make a 
judgment ----
    Mr. King. To review the evidence based ----
    Chairman Chaffetz. You are hired for your judgment. You are 
the Acting Secretary.
    Mr. King. And based on the recommendation of the general 
counsel, based on the review that was conducted by Deputy 
Secretary Miller when these incidents first occurred, Deputy 
Secretary Shelton, after further review of the inspector 
general's report, after review of the addendum, which indicated 
that the Department of Justice declined further action, based 
on all of those recommendations and the recommendations of our 
staff, yes, I believe the Department's actions in this case 
have been appropriate.
    Chairman Chaffetz. I asked you if you believed that he had 
done anything wrong. To this day do you believe he has done 
anything wrong?
    Mr. King. I believe there were significant lapses of 
judgment, counseled him to that fact ----
    Chairman Chaffetz. In your mind, is that doing something 
wrong?
    Mr. King. Those significant lapses of judgment, I counseled 
him on those, and they ended by 2013.
    Chairman Chaffetz. Is it a violation of policy or 
regulation or law to have outside income and not disclose it?
    Mr. King. The specific determination of whether or not the 
evidence ----
    Chairman Chaffetz. No, no, no, no, no, Mr. King, with all 
due respect, you are a smart guy. You are in this position for a 
reason. I am asking you, is it appropriate? Because everybody 
at the Department of Education is watching you and what you are 
doing, and there is a reason why you are scoring near the 
bottom of the heap, bottom 10 percent of everybody in 
government. Every single key metric we look at is going down, 
and it is your leadership that is on the line. I am asking you, 
is it appropriate, is it a violation of law, regulation, or 
policy to have outside income and purposely not disclose it?
    Mr. King. Based on the recommendation of our general 
counsel, I do not believe that there was a violation of law, 
regulation, or policy.
    Chairman Chaffetz. He admitted that he didn't do it.
    Mr. King. But I will say--I will say ----
    Chairman Chaffetz. He admitted he didn't do it. You don't 
think that is ----
    Mr. King. Respectfully, Congressman, on the point of 
whether or not every indicator is going down, the Department 
has made dramatic progress ----
    Chairman Chaffetz. No, no, no ----
    Mr. King.--with respect to cybersecurity since January of 
2015.
    Chairman Chaffetz. You got an F. You are one of only a 
couple agencies that during the cyber sprint you went down, and 
you are here to tell us things are getting better? I don't buy 
it. The question before you, again, last time--I don't want to 
badger you. This is the last time I am going to ask this. It is 
a simple question. Is it appropriate, is it a--or let me put it 
another way. Is it a violation of law, regulation, or policy to 
have outside income above $200 or more and not report it? 
Because he has admitted that he hadn't reported it.
    Mr. King. It was a lapse in judgment. As a result of that 
lapse in judgment, Dr. Harris was counseled on the point of the 
progress made ----
    Chairman Chaffetz. I'm asking you if it was a violation, 
not did he go through counseling, which didn't do crap. Did he 
or did he not violate policy?
    Mr. King. Respectfully, Congressman, after the counseling, 
the activities ended. I've been very clear that the activities 
constituted a lapse in judgment.
    I do want to make the point with respect to the 
cybersecurity and the topic of the hearing in November, the 
Department has made substantial progress. One of the clearest 
indicators of that is the issue of two-factor authentication, 
which is a significant cybersecurity challenge for all public 
and private institutions. We were at 11 percent at the time of 
the cybersecurity sprint. We are at 95 percent today with one 
vendor that needs to resolve their two-factor authentication 
compliance and will do so by March. That is very significant 
progress. We are also making progress on resolving the findings 
in the FISMA audit.
    I joined the Department in January 2015. Like you, I did 
not feel that the Department had done adequate work to protect 
our cybersecurity. We have, since then, made tremendous 
progress.
    Chairman Chaffetz. Mr. Harris, what kind of bonus did you 
get last year, 2015?
    Mr. Harris. Approximately $15,000.
    Chairman Chaffetz. All right. So $230,000 in bonuses, 
really? You can justify that?
    Mr. King. I can't speak to the reviews of performance prior 
to my joining the Department. I can say that since I joined the 
Department in January 2015, we have made very significant 
progress on cybersecurity.
    Chairman Chaffetz. There is no metric, with all due 
respect--and I appreciate the time here--there is not a single 
metric, not one that is positive. Every single metric has gone 
down.
    With that, my time is more than expired. I will now 
recognize the gentlewoman from New York, Mrs. Maloney, for 5 
minutes.
    Mrs. Maloney. Thank you.
    Dr. Harris, cybersecurity, it is a problem. It has been 
rated with an F. It is one of the biggest challenges we have 
before our government. It is a huge responsibility to address 
it. And as the chairman pointed out, you had $230,000 in 
bonuses. I understand you are paid $183,000 a year for being a 
CIO, is that correct?
    Mr. Harris. That is correct.
    Mrs. Maloney. And also you are a consultant to the 
Department of Education for the city of Detroit. Is that 
correct?
    Mr. Harris. No longer, but at one time.
    Mrs. Maloney. How much were you paid those years when you 
were there?
    Mr. Harris. Approximately $5,000.
    Mrs. Maloney. Approximately $5,000. And then also you teach 
at Howard University?
    Mr. Harris. That is correct.
    Mrs. Maloney. And how much are you paid for that?
    Mr. Harris. Fifteen thousand dollars.
    Mrs. Maloney. Fifteen thousand. And then on top of that, 
you have, I think, three other jobs I have heard today. You 
have got your car business with 40 employees, is that correct?
    Mr. Harris. That is not correct.
    Mrs. Maloney. Do you have a car business?
    Mr. Harris. I do not. It is a hobby, and one other 
individual who's an enthusiast helps me.
    Mrs. Maloney. Do you make money off of it?
    Mr. Harris. No, I do not. I get $50 and I pay for supplies. 
I make no money off of that.
    Mrs. Maloney. And then ----
    Mr. Harris. And I've only ----
    Mrs. Maloney. Then you have another hobby where you are 
putting equipment in people's homes and are compensated for 
that, too ----
    Mr. Harris. I ----
    Mrs. Maloney.--right?
    Mr. Harris. I did prior to 2012.
    Mrs. Maloney. Well, you are a very, very busy man. I can 
understand why there are problems at the cybersecurity and 
Education Department when you have so many other outside jobs.
    Anyway, on this situation with your friend, what was the 
contract for, the E Source contract, and how much was it for? 
You are the contract manager. Do you know what the contract 
was? Was it $10 or $1 million?
    Mr. Harris. Which contract would you be referring to, the 
one in 2004?
    Mrs. Maloney. All of them, the one in 2004 and the other 
two.
    Mr. Harris. The one in 2004 I believe was for project 
support. The other contracts ----
    Mrs. Maloney. Okay. How much was that one for?
    Mr. Harris. I have no idea.
    Mrs. Maloney. Can you find out and get back to the 
committee?
    Mr. Harris. I most certainly could.
    Mrs. Maloney. Okay. What were the other two for?
    Mr. Harris. I believe both were for project management 
support, and I can get you ----
    Mrs. Maloney. Project support?
    Mr. Harris.--the information on that.
    Mrs. Maloney. Now, why did this have to be a sole-source 
contract? That seems like a business that a lot of people could 
be in. I could even go in and get some project support. Why was 
that a sole-source contract?
    Mr. Harris. Well, if--allow me to put in context how the 
Department works in terms of acquisitions. I as the CIO make 
general--provide general direction on technologies and 
implementations ----
    Mrs. Maloney. Okay. Can you get back to me in writing ----
    Mr. Harris. I ----
    Mrs. Maloney.--why that was a sole-source contract? Because 
I think everybody on this panel could go in and do project 
support. That should be a competitively bid contract to the 
lowest-qualified bidder.
    Mr. Harris. I will get back to you. Our contracts division, 
which is not in CIO, determines the contract approach. I have 
nothing to do with that. But we can certainly get that 
information for you.
    Mrs. Maloney. I think the contract approach for an agency 
that is rated the most mismanaged, that probably has the most 
important goal and responsibility of any agency in our 
government is education and building our workforce and helping 
our young people become good citizens. It is an incredibly 
important agency. And I think maybe you are spending too much 
time in meetings.
    I think all these contracts should not be sole source. They 
should go to the lowest-qualified bidder. It would be cheaper 
to administrate and it would cut out any threat or all these 
ethics meetings on whether or not there is a conflict of 
interest. Do you agree that a sole-source contract would work, 
Dr. Harris?
    Mr. Harris. I'm not a subject matter expert on contracts, 
and that's not in my division so ----
    Mrs. Maloney. Okay. Ms. Bruce, do you think a sole-source 
contract to a qualified bidder--you have to have a panel, make 
sure they are qualified, that they can do the work, that they 
have a work history, that they are paying their taxes as good 
citizens, lowest-qualified bidder. Something like the support 
service, do you think that could have been a sole-source 
contract or should it be a sole-source contract or 
competitively bid?
    Ms. Bruce. Ms. Maloney, I would have to defer to the 
Department as far as the acquisition process. I do know that 
the Federal acquisition regulations and other processes do look 
for those things, but I would defer to the Department as to why 
they made the decision to use the sole-source contract.
    Mrs. Maloney. Yes. I don't understand that. And I think we 
should change the law, that you go to the lowest-qualified 
bidder. And if you go to a sole source, have to write out in 
detail why you need a sole source.
    I would just like to respond to Mr. King. I think the point 
that the chairman was trying to make is that when you head an 
agency, everyone looks at you. You are the leader. And you are 
sending messages to employees of how to act. And when someone 
violates a regulation or a law, then it tells everybody else 
they can violate the same one and go to counseling and it is 
okay.
    So I think that is the point he was trying to make, that if 
we have rules and laws, they are supposed to be followed. That 
is why they are there. And if you are going to change it--most 
people think you have a rule or law, you follow it. Basically, 
what is happening under your leadership is you have a rule or 
law, you can violate it, just go to counseling and it is okay. 
Is that an appropriate description of what is happening?
    Mr. King. No. So to be clear, the Office of General 
Counsel, my predecessor's predecessor, and my predecessor all 
reviewed the report of the IG and concluded there was no 
violation of law or regulation and ----
    Mrs. Maloney. But there is a law ----
    Mr. King.--his conduct ----
    Mrs. Maloney. There is a law that if you have outside 
income, you report it, and they didn't report the outside 
income. That, in my opinion, is a violation of law.
    Mr. King. The general counsel, in reviewing that specific 
issue, made a distinction between a hobby and a business and 
what knowledge of the application of the disclosure Dr. Harris 
had at the time. But I--but to be clear, of the conduct ----
    Mrs. Maloney. But I think we should change that, too, and 
we should say that a law is a law, and that a hobby is also 
covered. Maybe we need to clarify it for your counsel.
    Mr. King. The conduct at the time--just to be clear, the 
conduct that was described in the IG report ended by 2013. I 
had joined the Department in 2015.
    Chairman Chaffetz. I thank the gentlewoman.
    And I would--as we recognize Mr. Farenthold here, Mr. 
Harris, you previously served as the deputy chief financial 
officer. We introduced you as being responsible for contract 
administration, grant management, accounting. Your ignorance 
about contracting is, I think, without merit.
    I will now recognize the gentleman from Texas, Mr. 
Farenthold, for 5 minutes.
    Mr. Farenthold. Thank you very much.
    Mr. Harris, I am over here behind the person doing the 
transcriptions. I will lean over so you can see me.
    So after the breaches at the OPM, the OMB launched the 
cyber sprint for 30 days. And you guys actually scored negative 
14, which puts you in the worst of the worst. And I have kind 
of heard some testimony here that you are trying to improve. 
But the Department's performance in that cyber sprint 
reinforces the key IG finding that the Department had no 
mechanisms to restrict the use of unauthorized devices on its 
network. This was a finding from the 2011 fiscal year.
    The IG is continually warning that failure to restrict 
unauthorized devices on internal network segments could allow 
perpetrators to bypass the two-factor authorization, obtain 
information about the network, and gain access to the 
Department's internal resources.
    Obviously, the private sector is moving faster than the 
government by banning workers from using portable devices such 
as USB drives and wanting employees to be careful what they 
post on social media and even discouraging workers from posting 
out-of-office replies on their emails.
    The IG found you used Department emails to support your 
side business--we have talked a lot about that--but also that 
you connected various electronic devices like USB thumb drives 
and CD-ROMs from home in conflict with your own internal policy 
that I guess you wrote. Don't you see a little problem here 
with the guys on the top aren't following the rules?
    Mr. Harris. We certainly have tools in place now to 
restrict all employees from connecting anything. I think it's 
standard practice when you travel all the time with your 
devices so that you can work to inadvertently put a non-
supported USB or a CD in a drive.
    Mr. Farenthold. Yes. My concern is you guys have pretty 
much every student Social Security number on file, probably 
including both of my daughters. I am old enough that you 
probably don't have mine. So this is something that really is 
concerning.
    Mr. King was testifying that you guys have made some 
progress. Do you agree, the progress?
    Mr. Harris. Yes, we have.
    Mr. Farenthold. All right, but ----
    Mr. Harris. Ninety-five percent is a really good number.
    Mr. Farenthold. There is still work to be done, though?
    Mr. Harris. There is indeed.
    Mr. Farenthold. What is stopping you from getting it done?
    Mr. Harris. The--we have two small challenges on privileged 
and non-privileged. On the privileged, we are 95, and we have 
one vendor who is completely re-architecting their data centers 
to segment out the Department of Education so that we can 
overlay two-factor authentication. That is to happen in March, 
and we will be at 100 percent.
    In terms of unprivileged users, we're at 86 percent plus, 
and we're looking at our assistive technology and disabled 
community to provide technology that allows them to use two-
factor, and then we would be 100 percent on unprivileged as 
well. And we're looking to achieve that by summer.
    Mr. Farenthold. All right. And so can you talk a little bit 
about your--I mean, you are CIO. Could you talk a little bit 
about your IT background and training? Because it looks like 
you came up through the financial and contracting segments.
    Mr. Harris. Actually, I came up through the IT segment. I 
started at the Department as a GS-5 programmer. I did 
development work probably for the first 7 years of my career. I 
did big database administration work ----
    Mr. Farenthold. So you should have--why didn't you see some 
of this coming beforehand? I mean, obviously hindsight is 20/
20. So having, you know, worked up in the trenches of the 
organization and--you know, you saw the headlines from Snowden 
to--I mean, why didn't we see some of this coming and do 
something about it before it hit the fan?
    Mr. Harris. So as an IT professional, I am not a 
cybersecurity subject matter expert. And so it is true that the 
Department has been slow in making progress, and we're happy 
about the progress we're making now, but we need to make more.
    Mr. Farenthold. But, I mean, if you are a former programmer 
and have been messing with computers for years, in light of--I 
mean, when Snowden came out, didn't something go off in your 
head, maybe we ought to, you know, make sure that this doesn't 
happen to us?
    Mr. Harris. Well, it's a good question. I would like to say 
that approximately 6 years ago I met with then-Secretary Arne 
Duncan and indicated to him that I was very concerned about our 
IT security posture, and I asked him for funding to do the 
first-ever Department IT security discovery process. And that 
was really, in my opinion, the foundation of the Department 
really starting to get really serious about cybersecurity.
    Mr. Farenthold. But then how do we come to, you know, just 
a few months ago you are an F? I don't understand it. I guess 
if--well, I am not going to take a shot. We just have got to 
get it fixed. I yield back.
    Chairman Chaffetz. I thank the gentleman.
    I will now recognize the delegate from the District of 
Columbia, Ms. Norton, for 5 minutes.
    Ms. Norton. Thank you, Mr. Chairman.
    What is concerning here, Secretary King, if you see how 
this began, it was uncovered not from the top down but 
apparently there were anonymous complaints. That suggests 
something that is very troubling. If you are an employee--and 
who knows where these anonymous complaints--perhaps they were 
peers--but there is a good chance, given that we are talking 
about an SES member here, that it was subordinates and that 
there may have been resentments. So, you see, that reflects on 
the Department itself, and it is very concerning to me since 
obviously you look to whoever is in charge to provide the 
example so they can reprimand those who do not live up to what 
is expected.
    Now, I have to tell you, I am unimpressed that the U.S. 
attorney did not proceed. I know how U.S. attorneys work. They 
have to have a slam dunk. It has to be worth it to them. It has 
to be a big enough case because they have so many complaints or 
possible cases, so it absolutely means nothing.
    I don't even know what the standard is. I don't know if the 
standard was intent, which may have made it difficult, was know 
or should have known. So, you know, I discard that. But I do 
note that Ms. Bruce said that--and I am looking here at your 
testimony on page 5--``so that it could take appropriate 
administrative action.'' So I want to move to the Secretary.
    Would you outline the kinds of administrative action that 
was possible to be taken? We know that what happened was 
counseling. What kinds of administrative action could have been 
taken against this employee to indicate that there had been 
issues with what he had been doing?
    Mr. King. Well, I will ask Ms. Winchell to expand on this, 
but I think for us the key question is, was there a violation 
of law or regulation? There are a set of penalties or table of 
penalties that are associated with violations of law or 
regulation ----
    Ms. Norton. So I am asking for the administrative actions 
that could have been taken in light of the findings that have 
been made. So you don't have to reiterate the findings because 
I am going to ask you about no violations next.
    Mr. King. Yes.
    Ms. Norton. I am simply trying to find out, as someone who 
is literally ignorant, when I hear that what happened was 
counseling, okay, but what were the possible administrative 
actions that could have been taken?
    Mr. King. Well, the key thing is the finding here was a set 
of lapses in judgment that could lead to ----
    Ms. Norton. Okay. What were ----
    Mr. King.--here it's ----
    Ms. Norton.--the possible administrative actions ----
    Mr. King. Right.
    Ms. Norton.--that can be taken when there is a lapse of 
judgment but apparently no violation of regulations or, as far 
as you know, laws?
    Mr. King. As an SES employee, an SES can be reassigned. 
That was apparently considered by Deputy Secretary Miller 
several years ago when ----
    Ms. Norton. So what else could be ----
    Mr. King.--this first was raised. This could have been 
factored into the employee's ratings at the time. Those were 
decisions that were made by Deputy Secretary Miller at the time 
that these issues ----
    Ms. Norton. Pardon me ----
    Mr. King.--emerged.
    Ms. Norton.--were they factored into the employee's 
ratings?
    Mr. King. I'm--I don't know. That was--that was 2 years 
before--it was more than 2 years before I came to the 
Department.
    Ms. Norton. You don't have access to what the ratings were?
    Mr. King. I do not have personal knowledge of the ratings 
and how they were constructed by the--his supervisor at the 
time.
    Ms. Norton. Mr. Harris, were your ratings affected?
    Mr. Harris. Outstanding.
    Ms. Norton. Your ratings throughout ----
    Mr. Harris. My ratings were outstanding.
    Ms. Norton.--all of this was outstanding?
    Mr. Harris. Yes, as a result of the entire body of my work, 
not just cybersecurity.
    Ms. Norton. And that is even though these questions had 
arisen? You were given outstanding ratings even though these 
questions were known to those who were the raters?
    Mr. Harris. Many of them were just allegations, and I've 
owned up to those that represent really poor judgment on my 
part.
    Ms. Norton. So has your ratings suffered at all as a result 
of what has now been found to be the facts?
    Mr. Harris. No.
    Ms. Norton. So you continued to be rated outstanding?
    Mr. Harris. Yes.
    Ms. Norton. Mr. King ----
    Mr. King. Yes, so ----
    Ms. Norton.--you see the problem that that may raise. Put 
yourself in the position of a Federal employee, and you look at 
how the rating apparently has not even been affected, no 
violations of regulations, no violations of any kind found.
    Could I ask you, in light of the fact that no violations 
were found, that apparently there is a finding that it was 
unclear whether Dr. Harris's outside work constituted a 
business or a hobby, has it not occurred to the Department to 
clarify this so employees know what is the difference and so it 
will not be unclear for those who may have seen or known about 
this particular matter so that--don't you think that is rank 
confusion in the Department when they see a high level official 
was engaged in outside activity for which there was 
remuneration but it was unclear whether it was a business or a 
hobby? Doesn't the Department have an obligation now to issue 
guidance so that these things are cleared up?
    Mr. King. Yes. We do make clear in our ethics training what 
employees' responsibilities are ----
    Ms. Norton. So what is the answer? In other words, if an 
employee wants to know, look, I want to know, I don't want to 
be caught in this thing, too, I want to know if I do this, 
would it be considered a business by the Department of 
Education or would it be considered a hobby? Is there concrete 
guidance on that matter, given what has happened here with an 
SES employee?
    Mr. King. The guidance to employees is to, when there is a 
potential issue of appearance of impropriety, to seek guidance 
from the ethics officer, and the ethics officer provides that 
guidance. In this case--I mean, it's a question of whether or 
not Dr. Harris understood at the time that he needed to seek 
that guidance. He did not, and this was raised through the IG 
report, and then the ethics officer was reviewing the IG 
findings.
    Chairman Chaffetz. I thank the gentlewoman.
    I now recognize the gentleman from Michigan, Mr. Walberg, 
for 5 minutes.
    Mr. Walberg. Thank you, Mr. Chairman. It is good to have 
the testimony in front of us today. I guess I would offer a 
point of personal advertising. My SES bill seems to have more 
pertinence all the time of trying to deal with concerns that go 
on.
    Dr. King, I just want to ask you a direct question, and 
other questioners kind of waltzed all around it, but the direct 
question I want to ask you is do you have faith that Dr. Harris 
can effectively lead the OCIO?
    Mr. King. I do, based on the progress that we've made since 
January 2015 and based on his overall performance in the other 
areas of responsibilities, yes.
    Mr. Walberg. You have clear faith, certain faith that he 
can lead?
    Mr. King. I have confidence in his leadership. I have 
confidence in the progress that we've made over the last ----
    Mr. Walberg. Well, it is important for me to know because 
the Department of Education, in its oversight capacity over 
national education issues--and brought up the fact that Dr. 
Harris has been involved with Detroit school system in trying 
to turn a failing school system around, a system that needs to 
be turned around for the benefit of its students, the families, 
and the city at large.
    It is a requirement for any type of growth economically or 
otherwise in a community as important as Detroit to have a 
school system that we have confidence in. And so when we have 
leadership coming from the Department of Education and we have 
people from the Department that are working in a consulting, 
advisory, leadership, whatever aspect of trying to turn schools 
around like that, it is important that integrity reigns and 
that confidence is there. And so that is why I wanted to hear 
your answer. You said you have complete confidence, faith that 
Mr. Harris can carry on his duties.
    Let me ask you then, since you began directly receiving 
reports of findings from the IG as early as March 23, 2015, 
have you personally talked to OCIO staff to better understand 
the culture there to try and improve things for the staff but 
also the effectiveness of the organization?
    Mr. King. I've certainly worked with staff from OCIO as we 
have focused on addressing that--the significant need for 
improvement around cybersecurity, and I've worked closely with 
our staff to make those improvements since I arrived in January 
2015.
    Mr. Walberg. What specific steps are you taking to improve 
the morale at the very least?
    Mr. King. Well, I think the ----
    Mr. Walberg. Specific steps.
    Mr. King. The morale is bound up with the responsibility to 
execute on their work for the Department, which is to ensure 
that the Department's technology works smoothly for their 
fellow employees and to ensure that the personal information 
that we have is secure. And we have made substantial progress.
    I do think that substantial progress has required folks to 
work additional time, to adjust their work processes, but we 
are seeing progress. We're seeing progress in terms of our two-
factor authentication. We're seeing progress in terms of the 
resolution of FISMA audit findings. I met with the CIO and 
members of his team, as well as our Federal Student Aid 
Technology Team on a weekly basis for much of last year to 
ensure that we made progress, and we're going to continue to do 
that going forward.
    Mr. Walberg. And I wish you well. During the committee's 
November hearing, Dr. Harris, under my questioning, could not 
answer my questions during the testimony specifically in the 
area of risk rating and the facts/figures that were there and 
the contracting issues. Regarding information that he certifies 
on the Federal IT dashboard, do you have confidence in Dr. 
Harris to provide accurate information to the dashboard?
    Mr. King. I do have confidence going forward. Obviously, I 
can't comment on information that was provided prior to my 
joining the Department.
    I will say I share the committee's concern that we need to 
rapidly improve our cybersecurity posture. We are making 
progress. I think it's clear to everyone that all public and 
private institutions are subject to significant cybersecurity 
threat, and that threat is ever-evolving, and we've got to 
continue to work to ensure that we are positioned to protect 
the information that we have.
    Mr. Walberg. Well, I again wish you well on that. We expect 
to see that in action. It is very concerning that we sit in a 
place of great responsibility with records, with backgrounds, 
Social Security numbers, information on families as well as 
students, and there is an expressed concern that we have all 
sorts of reason because of the lack of integrity, of 
credibility, and now, more importantly, ultimately no 
consequences except counseling.
    I think I have said probably enough. I yield back the 
balance of my time.
    Chairman Chaffetz. I thank the gentleman.
    I now recognize the gentlewoman from Illinois, Ms. Kelly, 
for 5 minutes.
    Ms. Kelly. Thank you, Mr. Chair. Good morning.
    We all are aware of the constantly evolving cyber threats 
to information systems, as seen by the many breaches that have 
recently occurred in both the private and public sectors. The 
Federal Information Security Management Act is another 
important piece of legislation that requires the agency and 
inspector general to assess the state of their information 
security management.
    Dr. Harris, my committee, the IT Subcommittee, held a 
hearing in November on the Department's compliance with FISMA 
based on the IG audit report. We learned the Department heavily 
relies on contractors for its IT systems. We also heard that, 
although progress has been made on IT security, continued 
improvement is needed. You acknowledged this need for 
improvement in your opening statement. Can you tell me what 
your top priority is in this space?
    Mr. Harris. Well, specifically in the FISMA area, we have 
put an integrated project team together to meet weekly to look 
at the 51 caps that we have under the 18 findings for FISMA. We 
have already completed a number of those, approximately four of 
those, and we're looking to complete the vast majority of them 
by mid-summer.
    Our number one priority is to protect--to correct those 
things that impact our HVAs, our high-value assets. A second 
priority is to ensure that repeat findings simply don't occur, 
not just not occur in individual systems, but occur across our 
ecosystems. So those are our two top priorities.
    Ms. Kelly. You might have answered this and I wasn't in the 
room, but do you feel like you have the staff and the resources 
that you need to complete your goals?
    Mr. Harris. We don't have the necessary resources that we 
need to complete our goals. Everything is based on risk, and so 
what we do is look at risk and then we complete those items at 
the highest level of risk. There are times--in fact, some of 
our repeat findings have to do with the fact that we don't have 
the resources to do everything.
    Ms. Kelly. And the reason I ask oftentimes people say they 
can't find the people to carry out the tasks because everyone 
is, public and private sector, looking for experts on 
cybersecurity, and of course government doesn't pay what the 
private sector pays. So are you finding that also?
    Mr. Harris. We are. It's one of our biggest challenges. As 
Dr. King mentioned earlier, we are bringing on a couple of 
cybersecurity experts to support not just the Department of 
Education but specifically Federal Student Aid, and we're 
looking for more talent also to bring on board to get at some 
of these challenging issues we have in cybersecurity.
    Ms. Kelly. Okay. Thank you. And I just ask that you keep 
this committee updated as you continue to address the 
weaknesses in the Department's security systems identified by 
the IG. Thank you.
    Mr. Harris. I will.
    Mr. Connolly. Would my friend yield?
    Ms. Kelly. Yes, I will.
    Mr. Connolly. I thank my friend from Illinois.
    Just if I could build on that, Mr. King, how well do you 
think the Department is implementing FITARA, which is of great 
concern to this committee?
    Mr. King. We are making progress. We have our FITARA 
implementation plan now approved by OMB. We have made good 
progress on implementation, continued work to happen through 
this spring into the summer. Historically, the work of the 
Federal Student Aid CIO and the Department CIO have proceeded 
on parallel paths but not always coordinated paths with 
Department CIO having full transparency into the activities of 
the FSA CIO. That will now change with FITARA implementation, 
and we are working through the internal operations to ensure 
that that happens.
    Mr. Connolly. And how are you doing on data center 
consolidation, perhaps one of the most immediate big cost-
savers if done correctly?
    Mr. King. We are in the initial stages of implementation. I 
would have to ask Dr. Harris to comment ----
    Mr. Connolly. Dr. Harris ----
    Mr. King.--on the technical side of that.
    Mr. Connolly. Mr. Harris?
    Mr. Harris. We have approximately 134 systems in our 
information systems inventory. More than half of them fall 
within our primary data centers, and we are working on those 
that fall outside, much of which don't have PII, but we're 
working with those vendors to amend contracts and to ensure 
that they follow NIST guidance and FISMA guidance.
    Mr. Connolly. Well, remember, one of the explicit goals is 
consolidation of those data centers. We don't want a huge, you 
know, plethora of data centers if we can help it. How are you 
coming on that?
    Mr. Harris. Well, what we're doing is we're looking at 
those things that we can actually consolidate, but we're also 
looking at a massive retirement of systems that we simply don't 
need to be carrying on our list of systems inventory.
    Mr. Connolly. We look forward to seeing that progress. 
Thank you. And I thank my colleague from Illinois.
    Mr. Carter. [Presiding.] The gentleman yields.
    The chair recognizes the gentleman from Alabama, Mr. 
Palmer, for 5 minutes.
    Mr. Palmer. Thank you, Mr. Chairman.
    Dr. Harris, you once said in an interview with FedScoop 
that what keeps you up at night are things you don't know, yet 
at our last hearing--it is November 17 last year--you couldn't 
answer some basic questions asked about the lack of personal 
identification, identity verification/authentication and the 
vulnerabilities in the Federal Student Aid central processing 
system. I would like to direct your attention to some slides if 
the staff can put up the first slide.
    [Slide.]
    Mr. Palmer. This is, if you will notice, a conference. It 
is a presentation from a conference on Federal Student Aid that 
you did.
    Okay. If you would go to slide number 8.
    [Slide.]
    Mr. Palmer. If you look at slide number 8, you are laying 
out all these things that you are doing. Now, this was in 2011. 
And what concerns me is when I was asking you just a basic 
question about the security measures that are in place to 
protect the CPS system, I mean, CPS system processes 22 million 
student aid applications a year. There is integration between 
the Veterans Administration, Selective Service, Department of 
Justice, Department of Homeland Security, Social Security 
Administration. I mean, there are 139 million unique Social 
Security numbers in this system. And your answer to that 
question was to apologize. You said I don't have operational 
oversight of that system. I have limited knowledge, but I can 
certainly get you more information on that.
    Dr. Harris, you know, what you don't know may keep you up 
at night, but I can assure you when we get responses like that 
from people responsible for keeping our information systems 
protected, when you can't answer that, that keeps us up at 
night.
    What I would like to do is to go back to this question and 
ask you, have you had time to learn about this since I asked 
you that question?
    Mr. Harris. I have, sir. And as a result of implementing 
FITARA, there are two significant things that have occurred 
that will allow me to engage Federal Student Aid more. I made 
no apology if you will about my lack of--my lack and limitation 
in the Federal Student area--arena. They have, up unto this 
point, independence. But FITARA will allow me 1) to have veto 
authority over Federal Student Aid IT activities and spending. 
It will also put me on their Investment Review Board, which I 
was not on before, to actually have an impact on how they 
strategize and plan their IT activities. Now, I can truly get 
answers about how their ecosystem actually works.
    Mr. Palmer. Well, what is the status of implementing the 
personal identification verification?
    Mr. Harris. The PIV?
    Mr. Palmer. The PIV.
    Mr. Harris. We are at 95 percent, and the one vendor that 
we talked about is in the Federal Student Aid ecosystem, and 
we're hoping to be--our plan is to be 100 percent by March ----
    Mr. Palmer. You ----
    Mr. Harris.--once that vendor segments their architecture.
    Mr. Palmer. You also made a point that you weren't able to 
give me an answer on that because you didn't have operational 
oversight, and I think you may have mentioned that it was 
performance-based organization. Can you describe the 
Department's oversight of the PBO's information security 
activities under FISMA now?
    Mr. Harris. Yes. Under FISMA they followed the same 
guidelines that the rest of the Department follows, and that 
actually does flow up to me. And that is exactly why we set up 
the team, the senior team to actually ensure that all of the 
lines are on time and are met.
    Mr. Palmer. How many of these--you made all of these points 
that things that you said needed to be done. How many of those 
have actually been done?
    Mr. Harris. I would have to see that again on the screen, 
sir, and I can react to that.
    Mr. Palmer. Well, you can go back to that. We're down to 
the last few seconds here.
    Mr. Harris. Okay. But I can respond--I can provide that 
information to you, sir.
    Mr. Palmer. Okay. That's all the questions I have, Mr. 
Chairman. I yield back.
    Chairman Chaffetz. I thank the gentleman.
    I will now recognize the gentleman from California, Mr. 
Lieu, for 5 minutes.
    Mr. Lieu. Thank you, Mr. Chair. I have a question for Mr. 
King.
    A number of times this morning you have said that you 
believe Mr. Harris engaged in a hobby rather than a business 
venture. When I think of a hobby, I think of someone collecting 
stamps or building model airplanes or maybe gardening. I am not 
aware of any hobby known as installing home theaters in other 
people's homes for a profit. Are you aware that in this case 
that there was a business card that said Harris Audio/Visual 
Innovation, which included a company logo and listed Danny A. 
Harris as owner and operator? Are you aware of that? Yes or no?
    Mr. King. Only for purposes of preparation for this 
hearing. That was a detail that was in the file that was 
reviewed by the Office of General Counsel ----
    Mr. Lieu. And you had read it? Were you aware of that fact?
    Mr. King. No. I did not review the entirety of the 
investigative ----
    Mr. Lieu. All right. So you weren't aware ----
    Mr. King.--findings.
    Mr. Lieu. So you were not aware until now that he had a 
business card that listed him as owner/operator?
    Mr. King. No. I became aware of that in the process of 
preparing for this hearing. That was in the investigative file. 
The structure in the Department ----
    Mr. Lieu. Okay. All right. Second question ----
    Mr. King.--is the general counsel reviews the investigative 
findings ----
    Mr. Lieu. Are you aware that he paid two employees to do 
these installations in other people's homes?
    Mr. King. My understanding is that there were two employees 
who were involved in this activity ----
    Mr. Lieu. Okay. All right. Have ----
    Mr. King.--and that received compensation ----
    Mr. Lieu. All right.
    Mr. King.--as part of that.
    Mr. Lieu. Now having known this, do you still believe he 
engaged in a hobby rather than a business venture?
    Mr. King. The ----
    Mr. Lieu. Just a yes or no.
    Mr. King.--determination of whether or not it was a hobby 
or a business venture was based on the recommendation from our 
Office of General Counsel that reviewed ----
    Mr. Lieu. Let me just stop you there.
    Mr. King.--the entirety of the file.
    Mr. Lieu. Let me stop you there. Let me tell you how it 
works. And I know something about this because I was an active 
duty JAG in the military. I am still in the reserves. I am a 
military attorney. The way it works in government, attorneys 
give advice. You make the decision. Attorneys don't make the 
decision; you do. And in this case, I want to know your view, 
now knowing these facts, did he engage in a hobby or a business 
venture?
    Mr. King. I credit the judgment of our general counsel ----
    Mr. Lieu. Okay. All right. You were ----
    Mr. King.--and two deputy secretaries that preceded me ----
    Mr. Lieu. Let me tell you how it works. You are not a 
rubber stamp for your attorney. That is not how it works. And if 
you think that is how it works, then you need to reevaluate.
    So let me shift to another line of questioning based on 
what Chair Chaffetz had mentioned about violating a law, a 
rule, or regulation. Outside this bubble of Washington, D.C., 
the rest of America would view what Mr. Harris did as violating 
a law, rule, or regulation. For you to not find that was simply 
an error. It was a mistake because your job is not to protect 
Mr. Harris. It is to send a proper tone, standards of conduct, 
and leadership for your agency. And you have now sent the 
message that you can operate a business venture, not report 
that on your ethics forms, not report the income on your tax 
filings, and that does not violate a law, rule, or regulation. 
That is simply ridiculous. And you cannot use a shield of 
relying on some recommendation of an attorney. It is your 
decision. It is your job to make the correct decision. You made 
the wrong one.
    I now have questions of Mr. Harris. And, Mr. Harris, I am 
going to ask you something related to cybersecurity now. You 
had mentioned in your testimony this morning that you said 
cybersecurity is a critical component of what you do but it is 
not the only one. I want to know, do you believe cybersecurity 
is the most important aspect of your job, yes or no?
    Mr. Harris. I do.
    Mr. Lieu. Okay.
    Mr. Harris. I think it overlays everything else.
    Mr. Lieu. All right. And do you have a chief security 
officer ----
    Mr. Harris. I ----
    Mr. Lieu.--for ----
    Mr. Harris. I do, sir.
    Mr. Lieu. All right. Does that person report to you or to 
the Secretary?
    Mr. Harris. He reports to me.
    Mr. Lieu. Okay. So some private sector companies have 
either reversed the order of having the chief information 
officer report to the security officer or had the chief 
security officer report directly to the Secretary. What do you 
think of those models?
    Mr. Harris. I don't feel that there is a conflict of 
interest. I have seen the organizational arrangement in both 
ways in the CIO organization, as well as outside of it. I 
personally don't see a conflict of interest between the CSO 
being inside of the CIO organization, but I have seen it, as 
you've indicated, arranged differently.
    Mr. Lieu. All right. So given the not-so-good ratings of 
the Department, you might want to look at those other models in 
terms of cybersecurity.
    And then I have a sort of general question about the 
executive branch's approach on cybersecurity. It does seem to 
me that there is no centralized place. You have got different 
agencies doing their own thing. You have got the Department of 
Homeland Security that has some role in cybersecurity. You then 
have the Office of Management and Budget that has some role in 
cybersecurity. Then, you have got this White House 
cybersecurity czar. Don't you think it would be much better if 
we had one agency, one person responsible for cybersecurity 
across all the .gov network that can either take responsibility 
when things go right or wrong but also have the power to go 
make changes when things are not performing as they should be?
    Mr. Harris. Though we interact with all of those bodies 
that you mentioned, we rely heaviest on DHS and their CDM 
program in terms of operationalizing the progress we need to 
get made. It's DHS that we work most closely with.
    Mr. Lieu. Okay. Thank you. I yield back.
    Chairman Chaffetz. Before the gentleman yields back, I ask 
unanimous consent to enter two documents into the record. One 
is a memorandum from Mr. John King, who is sitting before us 
today, to Aaron Jordan, Assistant Inspector General for 
Investigations, of June 23 of 2015. This is where he says, 
``Overall, we found no violations of law or regulation.'' 
Further, in finding 1, he said, ``It does not appear to support 
the conclusion Mr. Harris violated any law or regulation or any 
standard of ethical conduct.'' Any standard of ethical conduct. 
You want to get to the heart of why we are here today, it is 
that.
    I also ask unanimous consent to enter into the record July 
9, 2015. This is to Danny Harris from Susan Winchell, follow-up 
ethics guidance. And without objection, we will enter these 
into the record.
    Chairman Chaffetz. This document gives us huge concern 
given that Ms. Winchell's conclusion was that it is the 
employee's responsibility to ask and really what you should do 
is just ask next time. And quite frankly, I don't know, Ms. 
Winchell, why we should even hire you if that is just your 
advice because there is no enforcement. This is the concern.
    I will now recognize the gentleman from North Carolina, Mr. 
Walker, for 5 minutes.
    Mr. Walker. Thank you, Mr. Chairman.
    Last November, Mr. Harris, I believe we had a conversation 
and I asked you regarding remote access management and the two-
factor authentication at the Department. And this is an 
important point for me, I guess for all of us, because this is 
the first time this has happened. Remember, it was a failure in 
access management that contributed to the data breach over at 
OPM.
    It is especially troubling, given the Department's failure 
over the summer during the cyber sprint. And I am going to come 
back to the cyber sprint in just a few minutes, but I want to 
stay on this two-factor authentication. Mr. Harris, you told me 
during my previous question back in November that the 
Department has 100 percent implemented two-factor 
authentication, and that the financial system audits would be 
also at 100 percent by December.
    However, according to the inspector general--and this is 
from the FISMA audit of 2014, end of year, it says, ``In some 
instances, although the Department said it completed a 
recommendation, we continue to find that the corrective actions 
were not implemented.'' Do you agree or disagree with that finding?
    Mr. Harris. Based on my discovery, yes, I have found that 
the discipline that should have been in place in terms of some 
of the recommendations and--findings and recommendations and 
caps were not made, and that's something that the senior team 
now is ensuring will never happen again.
    Mr. Walker. So what you testified to me in November you are 
basically saying today was not accurate or was not true?
    Mr. Harris. It was based on my understanding.
    Mr. Walker. Well, what was your understanding based on?
    Mr. Harris. Based on the facts that my staff had provided 
me.
    Mr. Walker. So this is the staff's fault? It wasn't yours? 
You were just going off what the staff told you? So what you 
said in November is not true but what you are testifying today 
is?
    Mr. Harris. I always base my decisions on the data pulled 
by staff, but at the end of the day, it's my responsibility.
    Mr. Walker. Okay. Well, I am glad to hear that part. What 
about the contractors that we are dealing with? Are you sitting 
here testifying under oath today--as I look through these 
contractors--that every one of these contractors are also 
operating under a two-factor authentication? Are you saying 
that is the case as well?
    Mr. Harris. We are saying that is the case.
    Mr. Walker. So when ----
    Mr. Harris. The 95 percent is based on what we are doing 
internally, as well as the contractors are doing.
    Mr. Walker. You also said the Department's two-factor 
authentication is at level 4 in terms of the level of assurance 
according to the NIST authentication guidelines. Is that 
correct?
    Mr. Harris. That is the--correct with the exception of 
those that use PIV-I.
    Mr. Walker. Okay.
    Mr. Harris. I.
    Mr. Walker. So if that is the case then, then you are not 
employing two-factor authentication but the Department is also 
employing the highest level of assurance for 100 percent of all 
its users? That is the goal right here ----
    Mr. Harris. That is the goal, sir.
    Mr. Walker.--is 100 percent? Okay. All right. Well, here is 
the issue. In coming back to this cyber sprint, okay, this 
summer, 14 percent minus. And then within a few months you have 
secured 100 percent. How in the world does that happen over 
that short period of time?
    Mr. Harris. More times than not it's about configuring the 
system, issuing PIV cards, and turning that on.
    Mr. Walker. But why didn't you do that earlier then?
    Mr. Harris. I think the technical challenge for the vendors 
that implemented this and maintained these systems was larger 
than we anticipated. In ----
    Mr. Walker. Well, it appears to us that it is only when the 
light is shone on the deficiencies or you start bringing these 
grades of concurrent F's that you are willing to do something. 
Mr. King, you are fidgeting over there like you are wanting to 
jump in. What do you have to say on this?
    Mr. King. Yes, sir. So the Department had previously used a 
level 3 goal. That goal was changed to level 4. And in--I 
joined the Department in January 2015, began meeting regularly 
with the team on how we might improve our cybersecurity. After 
the sprint, we began meeting weekly to ensure that we would get 
to level 4 across the agency.
    In the Federal Student Aid area, we have a number of 
external contractors. They use PIV-I. In order to get to 95 
percent, we needed to amend nearly 60 contracts, which we did 
with external vendors, provided technical assistance to those 
external vendors. That's why we're at 95 percent. So I just 
want to convey again the urgency that we brought to this matter 
throughout my time at the Department.
    Mr. Walker. Yes, you have been conveying and almost to me 
like you are trying to cover here. I think the Congresswoman 
from D.C., Ms. Norton, really brought it to a point here saying 
there are no consequences for the actions. The people get 
scored. Your grade didn't change at all. You are still getting 
high marks. And the irony of this is this is education, so what 
in the world are we teaching our children? There are no 
consequences for their actions? Mr. King, today, you are still 
defending the actions like this is no big deal. I don't 
understand that.
    I want to ask you right now--I want to come back to this. 
Under oath, are you still saying to me and to this panel and to 
the American people that you do not believe that any standard 
of ethical conduct was breached? Is that your testimony?
    Mr. King. My testimony was that I saw significant lapses in 
judgment, that I counseled Dr. Harris ----
    Mr. Walker. That is what you said. Do you believe that 
today or not?
    Mr. King. Yes, I believe there were significant ----
    Mr. Walker. Do you believe that any ethical standard of 
conduct was breached or broken?
    Mr. King. I do not believe there was a violation of law or 
regulation or policy of the Department. However, I do believe 
there were significant lapses in judgment. I counseled Dr. 
Harris on those. That was the fourth counseling that he 
received ----
    Mr. Walker. So let me ----
    Mr. King.--on that matter ----
    Mr. Walker.--see, lapses of judgment, ethical conduct. Do 
those two merge at all or are those two separate things?
    Mr. King. That ----
    Mr. Walker. You sit here today and you blame it on your 
general counsel and lawyers for not taking a position of 
leadership and holding the people accountable.
    Mr. King. No, sir. I ----
    Mr. Walker. Do you understand why the American people are 
frustrated with this?
    Mr. King. I disagree with that characterization. I took it 
very seriously. It's why I engaged in additional counseling of 
Dr. Harris. It's why I asked that the counseling that he'd 
received from the ethics officer to be put in writing.
    Mr. Walker. You took it very serious. What actions did you 
take ----
    Mr. King. I ----
    Mr. Walker.--toward Mr. Harris?
    Mr. King. I engaged in counseling ----
    Mr. Walker. My time is expired. I am sorry.
    Mr. King. Once again ----
    Mr. Walker. I have to yield back. Thank you, Mr. Chairman.
    Chairman Chaffetz. Don't worry. We are going to keep going. 
We are going to be here for a while.
    Mr. Clay, you are now recognized for 5 minutes.
    Mr. Clay. Thank you, Mr. Chairman.
    And let me take a little different tack here and say that, 
look, I appreciate Federal employees' service to this country, 
and I am sure that Secretary King and Mr. Harris also take 
their service to the people of this nation seriously.
    Having said that, let me ask Secretary King and Dr. Harris, 
the standards of ethical conduct for Federal employees states, 
``Public service is a public trust.'' Would you both agree that 
Federal employees must be held to the highest ethical 
standards, Mr. King?
    Mr. King. Yes, absolutely.
    Mr. Harris. Yes.
    Mr. Clay. Mr. Harris? Okay. Mr. King, in your June 23, 
2015, response to the IG's reports of investigation into the 
CIO's alleged misconduct you stated, ``We found no violations 
of law or regulations.'' Is that correct?
    Mr. King. That is.
    Mr. Clay. The U.S. Attorney's Office has also declined to 
prosecute Dr. Harris and has closed its investigation. Is that 
correct?
    Mr. King. That is correct.
    Mr. Clay. However, there may have been violations of the 
standards of ethical conduct, so let's take a closer look at 
the IG's findings. Ms. Winchell, the IG found that Dr. Harris 
used Department email to conduct his outside business. Wasn't 
Dr. Harris's misuse of emails a violation of the ethics code 
prohibiting employees from using government property for 
nonofficial business?
    Ms. Winchell. Yes. The standards of conduct provide that 
employees may not use government resources for other than an 
authorized purpose. Authorized purpose is not defined by the 
rules. In this context, the authorized purpose would be defined 
in a department policy that permits a certain amount of 
personal use of government equipment and resources.
    I reviewed the record, and my review of the record was I 
didn't think it was clear whether this activity was a hobby or 
a business. It is true that there was a business card, it is 
true that there were written proposals for A/V installations, 
but it's also true that this was never formed as a business 
entity, it never had a business license, it never had a 
separate bank account. Several of the people that were familiar 
with it referred to it as a hobby, and several people referred 
to it as a business.
    If it's a hobby or a personal activity, under the policy, 
then, a certain amount, a de minimis amount of personal use of 
government resources is permitted. My review of the record is 
that there were 11 emails related to these businesses over a 3-
year period, and it seems to me that that comes well within the 
boundary of de minimis.
    If, on the other hand, this was considered a business, it 
would be strictly prohibited under that policy to use 
government resources. At the time that I gave Dr. Harris the 
counseling, I advised him that it was prudent to consider any 
activity that would generate income such that it needed to be 
reported on a financial disclosure report as a business, 
regardless of any other factors.
    Mr. Clay. It sounds to me like a hobby.
    Let me also say that you also found that Dr. Harris did not 
report on his tax return the income he received from his car 
detailing and home theater installation businesses. Ms. 
Winchell, wasn't Dr. Harris's failure to report income a 
violation of the ethics code requiring Federal employees to 
satisfy their tax obligations?
    Ms. Winchell. Well, of course it concerns me greatly when 
information is omitted from financial disclosure reports, but 
occasionally, employees omit information inadvertently.
    In this particular case, looking at the totality of the 
circumstances, I did not--it is a violation to willfully fail 
to provide information. But in this case, the record reflects 
that his wife actually queried a tax lawyer about whether the 
income was reportable on his income taxes, and they received 
advice that it was not, which I take to mean he also thought it 
didn't need to be reported on his financial disclosure report. 
The advice was wrong, although they relied on it, and it was 
remedied after they realized it was a mistake.
    Mr. Clay. Okay. Fair enough. And they corrected the record.
    Secretary King, the ethics code also requires Federal 
employees to avoid the appearance of impropriety. Wouldn't you 
agree that any appearance of impropriety involving the 
Department's officials and employees cannot be tolerated?
    Mr. King. Absolutely. And that was the focus of my 
counseling with Dr. Harris.
    Mr. Clay. Thank you for your response.
    And, Mr. Chairman, do I get any extra time?
    Chairman Chaffetz. You get two gold stars for concluding on 
time.
    Mr. Clay. Well, thank you very much. I yield back.
    Chairman Chaffetz. Your first two gold stars, I would note, 
but two nonetheless.
    Mr. Clay. All right.
    Chairman Chaffetz. We will recognize the gentleman from 
South Carolina, Mr. Mulvaney, now for 5 minutes.
    Mr. Mulvaney. I thank the chairman. I thank the panel.
    I have been struggling a little bit, folks, with how I 
wanted to address this hearing today because the purpose in my 
mind--and I only speak for myself, not for any other member and 
not the chairman or the ranking member. The purpose in my mind, 
Mr. Harris--and, please, several of us have referred to you 
today as Mr. Harris. We mean no disrespect. It is on your name 
tag, so when we can't remember your name, we look up, it is 
sitting there so ----
    Mr. Harris. That's quite all right.
    Mr. Mulvaney.--I know you have been called--we mean no 
disrespect.
    I don't think--at least for me personally, the purpose here 
is certainly not to try and get you fired. I think that is 
important for you to know that. In fact, for me, it is not even 
to drill down into the details of your car detailing business/
hobby, the audio/video, as objectionable as I may find that at 
a personal level. I think it was a bad decision by you and some 
bad judgment.
    At some point I think I have to recognize that Congress 
cannot be in the job of micromanaging the CIO position vis-a-
vis ethics at the Department of Education. We might not like 
it, it doesn't make us happy, but really, not our business.
    You start screwing around, Mr. King, it is a different 
story, but the folks who work for you, I think we have to rely 
on the process. The OIG gets involved, the ethics gets 
involved, and we may disagree, disagree with the decision, but 
that is not the purpose here is to second-guess, at least in my 
mind, whether or not what you did was right or wrong or whether 
or not the process of examining was right or wrong.
    The purpose of being here is what you are responsible for 
doing for the folks that we represent and the taxpayers and the 
139 million people whose records you hold. And as we 
discussed last time, Dr. Harris, when you were here in 
November, it is not just the ordinary stuff that I give to 
Target. You have my bank accounts. That is a whole different 
level of serious than when I swipe my card at the gas station 
or I buy something at Target.
    So I don't want us to get distracted on whether or not it 
was a business or a hobby or you reported it on your taxes and 
lose in that minutia the fact that this is really dangerous 
stuff when it goes into the wrong hands.
    So I want to pick up with where you and I were, Dr. Harris, 
in November when you said something that caught my attention 
and we talked about it briefly when you said it wasn't so much 
a money issue that you had dealing with cyber at the DoE as it 
was getting the talent. And you said, look, we are a little 
tiny agency. It is not very sexy. We can't get the people. And 
I asked you, I said, look, we have other good people in other 
areas of the Federal Government. In other silos it is sexy. The 
Air Force, for example, does a tremendous job on this. DOD 
regularly does a really good job on this. There are other 
agencies. What have you been able to do since November, Dr. 
Harris, to try and draw on the resources available to us as a 
Federal Government in order to help protect the data of these 
taxpayers?
    Mr. Harris. I'm very pleased to announce that, in addition 
to becoming a little more aggressive in bringing in our own 
talent, we have taken advantage of what digital services has to 
offer. They have been in a number of times to talk to us about 
best practices and help us strategize. We are moving forward 
with the DHS for the CDM phase 2 project that will allow us to 
put more sensors and collect more data across our ecosystem 
than we've ever been able to do before. So I think from that 
perspective ----
    Mr. Mulvaney. Collecting data, again, this is not my area 
of expertise. I am more worried about you securing the data 
than collecting it. So tell me why that is relevant.
    Mr. Harris. Collecting it will allow us to secure it.
    Mr. Mulvaney. Okay.
    Mr. Harris. It's in real time that we're able to use our 
network access control and our data loss prevention that will 
actually, for example, stop you from sending unencrypted and 
specifically PII information outside of our ecosystem, as well 
as stopping folks from coming inside.
    Mr. Mulvaney. Mr. King, what have you done since we were 
here last? I don't think you were here in November. I may be 
wrong. But what have we done in the last couple of months to 
make sure--did we get access to the talent that you need to do 
this job properly?
    Mr. King. We have added a new chief security officer on the 
Education Department side who, to your point about military 
experience, is a retired military officer who comes to us from 
the Department of Defense and brings expertise on 
cybersecurity. We are in the process of adding additional 
talent on the Federal Student Aid side.
    But we have the technology. This is a challenge across the 
Federal Government of recruiting adequate talent. And where we 
need to continue to invest as a country is in STEM education so 
that we have a prepared cybersecurity workforce, not only that 
the government needs, but that the private sector needs as 
well.
    Mr. Mulvaney. Dr. Harris, I will close by saying this. 
While we are not here to deal with the details of your personal 
situation within the agency, to the extent your activity 
impacts on what people feel about working at the DoE, it 
certainly is relevant, and that is why I think you are getting 
all the attention today, and rightfully so.
    But let me close by saying this. While we are not here 
today to have anybody fired, at least in my mind, lose the data 
and it is a different story. Start losing people's bank 
records, and as unpleasant as this hearing may have been, it is 
going to be a whole different level of unpleasant. Lose the 
data and the next explanation you're going to have to give to 
this committee is why you shouldn't be fired. That is as plain 
as I can put it. So as reasonable as I am trying to be today in 
laying out for you what we are not here to try to accomplish, 
you can expect me and others to be fairly unreasonable with our 
patience next time if you lose the stuff. So please, don't lose 
it. Thanks.
    Chairman Chaffetz. I thank the gentleman.
    I now recognize the gentleman from Texas, the subcommittee 
chairman on Information Technology, Mr. Hurd, for 5 minutes.
    Mr. Hurd. Well, thank you, Mr. Chairman. And thank you, 
Secretary King, for being with us today.
    And I would like to echo some of my colleagues' good work 
on the two-factor authentication. I know the difficulty of 
that. And, you know, I am confident that you all are going to 
get the 5 percent.
    And I would also say that using the new authorities in 
FITARA to get the FSA CIO under control of your own CIO is 
important, and if you think there are additional authorities 
that you need in order to have the right management structure 
in place, we are here to help.
    The one thing I would caution is saying that we are doing 
great work. Let's raise our gaze, as Speaker Ryan likes to say, 
and we should not be saying just implementing one part of a 
larger strategy is good enough. I think we should be talking 
about when 95 percent of the recommendations by the IG are 
approved, that is going to be great work. When there are not 
repeat findings, as you mentioned earlier today, Mr. Harris, 
that would be good work.
    Secretary King, has Mr. Harris been given a performance 
plan since you have been in your new role?
    Mr. King. When Dr. Harris was directly reporting to me, we 
had a performance agreement around goals that would be 
accomplished, and those goals were accomplished over the 2015 
year. That is related to the progress that we've seen in many 
areas of cybersecurity.
    Mr. Hurd. Has he been given a progress review?
    Mr. King. We met throughout the year for review of his 
progress and an end-of-year conversation about the overall 
performance. In each--on each of those occasions, although I 
did express appreciation for the progress we were making, I 
also conveyed the urgency of continued progress ----
    Mr. Hurd. Great.
    Mr. King.--on cybersecurity ----
    Mr. Hurd. And we already said--he mentioned he got an 
outstanding performance. So my question is--this is going to 
you, Mr. Harris--what is EDL?
    Mr. Harris. EDL, which happens to have PII, is an 
investment that is an education locator. It allows the public--
it's public-facing. It allows the public to reach out to anyone 
in the Department of Education that they need to reach.
    Mr. Hurd. And they are putting PII information in that?
    Mr. Harris. It's PII but ----
    Mr. Hurd. And this is not FISMA-compliant, is that correct?
    Mr. Harris. That is correct, sir. It is PII but we consider 
it low level. In other words, with the name and phone number, 
we consider it PII, but it certainly doesn't include Social 
Security numbers, bank information. So on the one hand it does 
not have an ATO, and we are pushing it to get an ATO.
    Mr. Hurd. And when will you get it done?
    Mr. Harris. We're looking for the end of next quarter.
    Mr. Hurd. Great. Fifty-four software programs that you all 
are using are no longer supported by the vendor. Why is that?
    Mr. Harris. To a large degree, many of these systems owners 
of these tools, sometimes it's an OS, sometimes it's an 
application or middleware, simply didn't have the funding to 
upgrade them or, from a mission perspective, decided that it 
wasn't ----
    Mr. Hurd. So what do you need to do in order to fix that 
problem?
    Mr. Harris. We are looking to do three things. We're 
looking to either upgrade or retire 90 percent of those by 
June. The remaining will have to have documentation that says 
the Department of Education accepts the risk. We will 
absolutely not allow anyone to sit out there and just say, 
well, we'll do it at some point.
    Mr. Hurd. Secretary King, if that is accomplished by June, 
I would say that is a pretty significant achievement. Secretary 
King--and I am not trying to be coy here--do you know what 
COBOL is?
    Mr. King. Yes.
    Mr. Hurd. Okay.
    Mr. King. I'm not familiar with the technical details of 
the coding language but I ----
    Mr. Hurd. It is coding language.
    Mr. King.--but I am aware of what COBOL is.
    Mr. Hurd. It was old even when I was going through 
university in programming.
    Mr. Meadows. I take exception to that, Mr. Hurd.
    Mr. Hurd. And you all have over one million lines of code 
on that. However, we were told at the last hearing on November 
17 that the Department of Education does not use COBOL. Is that 
correct, Mr. Harris?
    Mr. Harris. And I was referring to outside of the FSA 
ecosystem, and that is why I said we don't use it. I wasn't 
talking about FSA, to clarify.
    Mr. Hurd. So now that FITARA is giving you more authorities 
in which to oversee FSA, what is your plan with getting rid of 
COBOL?
    Mr. Harris. It's a good question, and based on the 
information I'm provided, COBOL is old; however, the latest 
version is considered secure. It has all the patches. From a 
business perspective, FSA is indicating--the FSA CIO is 
indicating that their business decision is to stay on the 
current version of COBOL and continue to keep it updated.
    I do want to engage the CIO at FSA about moving away from 
COBOL not because the software version is insecure but because 
the talent necessary to manage that platform is, as you can 
imagine, dwindling.
    Mr. Hurd. And I want to echo my colleague from South 
Carolina's comments, in months from now if these 54 programs--
we don't have a plan on getting rid of them, if we don't have 
100 percent achievement on two-factor authentication, you know, 
we should be asking larger questions here. And with great 
responsibility comes great accountability, and we are going to 
make sure you have all the tools you need to get the job done 
and we are going to hold you accountable.
    I yield back.
    Chairman Chaffetz. I thank the gentleman.
    I now recognize the gentleman from North Carolina, Mr. 
Meadows, for 5 minutes.
    Mr. Meadows. Thank you, Mr. Chairman.
    Dr. Harris, let me come to your opening statement. In your 
opening statement, and I quote, ``Others viewed my conduct as 
questionable.'' So I guess the fundamental question here today 
is if others viewed it, did you view your conduct as 
questionable?
    Mr. Harris. Congressman Meadows, I would not waste any more 
of your time suggesting that my behavior represented poor 
judgment. After talking with the IG ----
    Mr. Meadows. So your action is questionable.
    Mr. Harris. Talking with the IG, after all the 
interventions with leadership, in hindsight, absolutely, I--
poor judgment.
    Mr. Meadows. All right.
    Mr. Harris. I make no excuses.
    Mr. Meadows. All right. So, Ms. Winchell, I would believe 
that you take ethics pretty seriously given your job, is that 
correct?
    Ms. Winchell. That's correct.
    Mr. Meadows. So when you hear a complaint, you get on it 
right away, is that correct?
    Ms. Winchell. Yes.
    Mr. Meadows. And so no time lapses between when you hear 
about it and you work towards remedy?
    Ms. Winchell. Well, we would evaluate the allegation and 
try to obtain as much relevant information before we took 
action, but yes ----
    Mr. Meadows. Okay.
    Ms. Winchell.--we would try to do that as swiftly as 
possible.
    Mr. Meadows. Sure. Mr. King, is that your testimony as 
well, you take it real serious?
    Mr. King. Absolutely.
    Mr. Meadows. Okay. Can either of you, Ms. Winchell or Mr. 
King, explain to me why the inspector general gave you a report 
on April of 2013 and they had to do a follow-up 2 years later 
and said that they had never heard from anybody? Why would that 
be?
    Mr. King, you may want to answer since it was directed to 
you on March 23 of 2015. In response it says, ``To date, we 
have not received a response from the Office of the Deputy 
Secretary concerning the findings that they gave on April 2 of 
2013.'' Why would they have not had response in 2 years ----
    Mr. King. When I ----
    Mr. Meadows.--if you take it serious?
    Mr. King. When I joined the Department in January of 2015, 
the IG explained that there was an addendum to the report that 
was forthcoming ----
    Mr. Meadows. But that is not what this is saying. I am 
going back to the original report when they put in the report 
on April 2 of 2013. You know what they heard from you guys? 
Crickets, not a single dadgum response.
    Ms. Winchell, you want to respond to that?
    Ms. Winchell. Well, I can't speak for why the Office of the 
Deputy Secretary didn't respond to the IG, but I can tell you 
that we met in the Office of the General Counsel to consider 
the report I think in--I think we were--in April, in the March/
April time frame in 2013. And at that time we understood from 
the IG that the offending conduct had ceased. But we also 
understood ----
    Mr. Meadows. How did you figure that out?
    Ms. Winchell. I don't ----
    Mr. Meadows. Who talked to Dr. Harris?
    Ms. Winchell. I ----
    Mr. Meadows. Because you didn't talk to him, according to 
your note ----
    Ms. Winchell. Right.
    Mr. Meadows.--until a year later, and you take everything 
real serious, and yet, according to your memo, you didn't talk 
to Dr. Harris until March 12 of 2014, almost a year after the 
IG submitted a request. Why would it take a year?
    Ms. Winchell. Well, we were--we were waiting for the 
feedback from the U.S. Attorney's Office to see what--if any 
action that they were going to take on these. We understood 
that the conduct had ceased actually in ----
    Mr. Meadows. How did you ----
    Ms. Winchell.--fall of ----
    Mr. Meadows. How did you understand that?
    Ms. Winchell. Pardon me?
    Mr. Meadows. Did you go and talk to Dr. Harris?
    Ms. Winchell. I understood it from the IG.
    Mr. Meadows. Well, now ----
    Ms. Winchell. I--it was in my notes ----
    Mr. Meadows.--hold on, hold on, hold on just a second. You 
understood from the IG's report and ----
    Ms. Winchell. No, I didn't--I don't--I ----
    Mr. Meadows. And they were waiting for a response ----
    Ms. Winchell. It's in my notes ----
    Mr. Meadows.--from you.
    Ms. Winchell. It's in my notes that, at the time that we 
had these conversations that the conduct had ceased.
    Mr. Meadows. So ----
    Ms. Winchell. I did not talk to Mr. Harris personally.
    Mr. Meadows. So you are in charge of ethics ----
    Ms. Winchell. Yes.
    Mr. Meadows.--and you are taking somebody else's word that 
the conduct has ceased a year later?
    Mr. King. My understanding is that Deputy Secretary Miller, 
after receiving the initial IG report, consulted with the 
Office of General Counsel and spoke directly with Dr. Harris 
giving Dr. Harris counseling.
    Mr. Meadows. And said it was okay?
    Mr. King. No. Giving him counseling that there was a ----
    Mr. Meadows. Now, how is that your understanding? Did you 
talk to Tony Miller about that?
    Mr. King. That's my understanding from the staff, the 
Deputy Secretary's Office ----
    Mr. Meadows. Okay. Well ----
    Mr. King.--overlapped between Deputy Secretary Miller and 
----
    Mr. Meadows. Mr. King, let me tell you what is troubling 
here. I don't know if Dr. Harris's actions are the most 
troubling or your cover-up of it is the most troubling, Mr. 
King, because let me tell you the concern I have. Everybody can 
make a mistake, but the minute that it was put forth by the IG, 
everybody, Ms. Winchell and Mr. King, you should have been all 
over this and saying that this is a problem.
    And let me tell you the reason why I am so concerned. I 
have been visiting Federal employees, and you know what I 
constantly hear is that there is a double standard for the 
people at the top and the rank-and-file Federal workers. And 
today, listening to this testimony, I tell you, I hope they are 
not watching because they would use a different word for a 
bovine waste than what is used here.
    Mr. King. Congressman, I just want to be clear that I took 
this incident very seriously. I started with the Department 
----
    Mr. Meadows. No, you haven't because your responses ----
    Mr. King.--in January of 2015 ----
    Mr. Meadows.--I would disagree, Mr. King, because your 
responses indicate that nothing has happened in terms of 
retribution. No one has been fired. In fact, you approved a big 
bonus for Dr. Harris. There has been no consequences so that 
----
    Mr. King. I disagree. There's--there have been four 
counseling ----
    Mr. Meadows. What are the consequences?
    Mr. King. There have been four counseling sessions ----
    Mr. Meadows. Okay. So his ----
    Mr. King.--two with the prior deputy ----
    Mr. Meadows.--consequence is that ----
    Mr. King.--secretaries ----
    Mr. Meadows.--he has had counseling sessions?
    Mr. King. Had counseling sessions, corrected the behavior. 
The behavior ended in 2013, fully 2 years before I joined the 
Department ----
    Mr. Meadows. And how do you know that?
    Mr. King. Based on the findings of the IG addendum ----
    Mr. Meadows. But how do you know that?
    Mr. King. The IG--the IG completed the investigation and 
provided an addendum ----
    Mr. Meadows. But the IG said ----
    Mr. King.--in March of 2013.
    Mr. Meadows.--it was a business. The IG said it was a 
business, and Ms. Winchell disagrees. And with the indulgence 
of the chair, I will finish with this. President Obama sent an 
Executive order just a few weeks ago on Second Amendment. The 
guidance with that said that if you have a business card, you 
are in the business of selling firearms. So in light of that, 
Ms. Winchell, is the President wrong or are you wrong?
    Ms. Winchell. I still think that, according to the 
information in the report, it is not clear whether this was a 
business or a hobby at the time that I reviewed the report.
    Mr. Meadows. Everybody else is very clear.
    I yield back.
    Chairman Chaffetz. Thank you.
    I will now recognize myself.
    Ms. Bruce, how long have you been in the Inspector 
General's Office?
    Ms. Bruce. I've been working--doing this kind of work for 
over 30 years. I've been in specific Office of Inspector 
General for the last 20.
    Chairman Chaffetz. And to the best of your recollection 
just in general, how many criminal referrals have you been 
involved in and engaged with during that time?
    Ms. Bruce. Well, I was an auditor, so I wasn't specifically 
in investigations, so I wouldn't have been involved with those 
types of things.
    Chairman Chaffetz. But since you have become ----
    Ms. Bruce. The deputy inspector general?
    Chairman Chaffetz.--more senior--yes, how many have you 
seen? How many have been coming out of the Office of Inspector 
General?
    Ms. Bruce. I would definitely have to get back with you on 
that. I ----
    Chairman Chaffetz. But it is a handful, right? This is not 
something that happens week in and week out.
    Ms. Bruce. So when you said criminal investigations, you 
mean ----
    Chairman Chaffetz. Oh, criminal referrals to the Department 
of Justice.
    Ms. Bruce. Oh, criminal referrals? Well, we have many 
criminal referrals to the Department of Justice because we 
don't know whether it's going to be tried criminally, civilly, 
or administratively. So we have plenty of those.
    Chairman Chaffetz. And so when you do that, you have come 
to a finding that you believe is fairly serious. If we could 
put up the slide of the potential violations here.
    [Slide.]
    Chairman Chaffetz. So this is the slide of the potential 
violations coming out of the IG to the Department of Justice. 
Now, the Department of Justice didn't come to a conclusion and 
say you are absolutely wrong. They just decided not to 
prosecute, correct?
    Ms. Bruce. That's correct. The Department of Justice 
declined prosecution in favor of administrative remedies.
    Chairman Chaffetz. So we can take that slide down.
    Mr. King, this is one of the problems. Because the 
Department of Justice believes that you as the Acting Secretary 
have the ability within your realm to enact the remedies, they 
decide not to prosecute. Don't come before this committee, as I 
believe you did, to try to infer that because there was no 
prosecution, there was nothing wrong there.
    Are you telling me, Mr. King, that Ms. Bruce and the 
inspector general is wrong on all 12 of those, not even the 
standard of breaking the law, but as you said, you have listed 
out, ``no violation of law, regulation, policy, or ethics''?
    Mr. King. The IG doesn't make a conclusion. They provide 
findings. The general counsel then reviews those findings. They 
were ----
    Chairman Chaffetz. And they make ----
    Mr. King. And they made a recommendation ----
    Chairman Chaffetz.--a recommendation to?
    Mr. King. They make a recommendation to me.
    Chairman Chaffetz. Yes.
    Mr. King. To--in this case, it'd be my ----
    Chairman Chaffetz. And you are the final ----
    Mr. King.--predecessor and to my predecessor's predecessor. 
In each case we took it seriously. We provided counseling. The 
conduct that was in question stopped in 2013.
    Chairman Chaffetz. What is it that Mr. Harris did--and I 
want to explain the reason why I think this is so vital. We 
have thousands--how many people at the Department of Education? 
How many people work at the Department of Education?
    Mr. King. More than 4,000 employees.
    Chairman Chaffetz. Okay. Mr. Harris gets a $15,000 bonus. 
You probably didn't hand out a whole lot of those, but a lot of 
people didn't get bonuses, and probably most didn't get those 
high of bonuses. They work hard, they care, they are doing 
things right. They don't need counseling sessions. They don't 
need inspectors general to come in and interview them. They 
don't need to have a Department of Justice review their file. 
And put up the scorecard again.
    [Slide.]
    Chairman Chaffetz. This is an objective. This isn't 
Congress. This is not some Republican or Democratic thing. 
``Best places to work'' category is the change between 2014 and 
2015, every single key metric is down, every single one. And it 
is listed as one of the worst places to work, and your turnover 
rate is near 10 percent.
    So, Mr. King, what--you can take that slide down--what is 
it that Mr. Harris did that justifies pulling money out of the 
taxpayers' pocket and giving him a $15,000 bonus?
    Mr. King. In the evaluation for 2015 is based on the 
totality of performance. Yes, employee morale is very important 
to us, but it is also very important that we made progress on 
cybersecurity. As I indicated, we went from 11 percent at level 
4 two-factor ----
    Chairman Chaffetz. Can I stop you right there, please? You 
scored an F in what you self-reported. The Office of Management 
and Budget put out a cyber sprint. You were one of, I think, 
three or four agencies that scored a negative. Everybody else 
bolted ahead. So ----
    Mr. King. Over the course of the 2015 year we went from 11 
percent to 95 percent, making dramatic improvements. We are 
also ----
    Chairman Chaffetz. And every single metric was negative, 
every single one. The problem is Mr. Harris has been in 
charge--you can say, well, it was so bad at 11 percent that we 
had such great improvement. The problem is he has been in 
charge since 2008. It is not like he just inherited this and he 
hasn't had a few months to fix it. What specifically did Mr. 
Harris do to justify the Congress appropriating people's money, 
$15,000?
    Mr. King. Again, cybersecurity is one aspect of his 
performance, but on cybersecurity he co-led an effort with our 
FSA CIO that involved amending nearly 60 contracts in order to 
ensure that all of our external vendors are at level 4 two-
factor authentication. We made dramatic progress there. We are 
resolving FISMA audit findings, and we're making progress on 
cybersecurity. We also have a variety of other technology 
efforts: replacing outdated technology systems, improving 
services to employees. The overall performance of the CIO in 
2015 was strong.
    I can't speak to prior evaluations of Dr. Harris's 
performance. What I can speak to is the progress that we've 
made since I joined the Department in January 2015.
    Chairman Chaffetz. Again, you are looking at an inspector 
general report that comes out midyear, criminal referrals, 
every single metric is down, 10 systems still to this date with 
expired authorities to operate, one has PII information, 54 
unsupported software systems. You have an inspector general who 
can go in there undetected into the system. You have the 139 
million Social Security numbers and this guy gets a bonus. This 
is why we have zero confidence in you personally, zero.
    Now, I want to ask a few more things because I am telling 
you, this bothers me to no end. Mr. Harris, you gave a loan to 
one of your employees, correct?
    Mr. Harris. Correct.
    Chairman Chaffetz. Has that been repaid?
    Mr. Harris. Yes, it has.
    Chairman Chaffetz. When?
    Mr. Harris. It was years ago. I don't have the exact date 
but I can get you that.
    Chairman Chaffetz. You listed two other jobs that you 
currently also have, right? You teach, correct?
    Mr. Harris. That is correct.
    Chairman Chaffetz. How much time does that take?
    Mr. Harris. I teach at night and I do it on my own time. 
And if I may, in context ----
    Chairman Chaffetz. Yes.
    Mr. Harris.--talk about my role as CIO. My average day is 
12 hours, and my superiors and colleagues and customers call me 
all times of the night and weekends. If you look at my leave 
balances, I am rarely away from the Department. So, yes, I do 
work a lot, but I am very passionate and very serious about my 
job.
    Chairman Chaffetz. What is the other job that you have that 
generates income? There is another one.
    Mr. Harris. I just teach. That's it.
    Chairman Chaffetz. But you had before. You were working for 
the city of Detroit, correct?
    Mr. Harris. I did a short consulting stint with Detroit, 
both the city and the school system, in a different year.
    Chairman Chaffetz. And how much time did that take?
    Mr. Harris. Very little. I would be in Detroit maybe once 
every other month and then I would work remotely. I was simply 
consulting them on their IT strategy, so very little.
    Chairman Chaffetz. Ms. Bruce, let's go back to this. Does 
the inspector general's office believe that this was a business 
or a hobby?
    Ms. Bruce. The Office of Inspector General found business 
cards, a logo, paid employees. We do believe that it's a 
business.
    Chairman Chaffetz. And were those paid employees 
subordinates of Mr. Harris?
    Ms. Bruce. Yes, they were.
    Chairman Chaffetz. Is that a violation of policy? I am 
asking for your professional opinion here.
    Ms. Bruce. So when you say violation of policy, I will 
answer it this way. When you speak of 5 C.F.R. 2635, 5012 701, 
702, and 704, you have to make sure that you're not giving the 
appearance of impartiality or misuse of position.
    Chairman Chaffetz. Mr. Harris, who is Christopher 
Claiborne?
    Mr. Harris. He works in the CIO organization.
    Chairman Chaffetz. So he works for you?
    Mr. Harris. He is several layers under me, but he works in 
the organization. I do not supervise him.
    Chairman Chaffetz. He is in your organization. You are the 
boss, right? If you came into his office and said do this, 
would he do it?
    Mr. Harris. I do not supervise him.
    Chairman Chaffetz. Come on. Seriously? He works where? His 
title, as best I can tell, Christopher Claiborne--and I don't 
mean to bring him into this. I am sure he is a nice guy, but I 
am sorry to have to invoke his name here, but you are just not 
being candid with us. He is an operations manager, Office of 
the Chief Information Officer, correct?
    Mr. Harris. That is correct. I just wanted to be clear that 
I don't supervise him directly.
    Chairman Chaffetz. Have you asked him to do work for you?
    Mr. Harris. I have not. He has always asked me to be 
involved.
    Chairman Chaffetz. In what?
    Mr. Harris. If I had a project that I was doing and he 
wanted to learn, he would ask me.
    Chairman Chaffetz. In your outside business was he 
involved?
    Mr. Harris. I didn't have an outside business. It was a 
hobby.
    Chairman Chaffetz. So when he sends this email dated 
November 6, 2009, saying ``If you have time, I'd like to talk 
to you about one. This is a million-dollar home in Beech Tree 
I'd like us to complete''--talking about leather chair 
recliners for a theater, complete theater, complete bar area. I 
can go on. ``I sent you pictures.'' He is doing all that. 
You're just telling me--how does that come about? He is just 
involved with you in a hobby.
    Mr. Harris. Absolutely.
    Chairman Chaffetz. Really?
    Mr. Harris. It's something we enjoy doing.
    Chairman Chaffetz. And you are his boss? You are ultimately 
in his office?
    Mr. Harris. Yes.
    Chairman Chaffetz. Mr. King, do you think this is 
acceptable?
    Mr. King. Again, after reviewing all of the information 
----
    Chairman Chaffetz. Well, I am asking you about ----
    Mr. King. Again, after reviewing all of the information 
that was provided, there was not a violation of regulation or 
law or policy. I was, however ----
    Chairman Chaffetz. Or concerned?
    Mr. King. I was, however, concerned about the appearance 
of--potential appearance of impropriety and counseled Dr. 
Harris to that effect, as did my predecessor and my 
predecessor's predecessor, as did our ethics officer. And as 
we've discussed previously, the activities ended in 2013.
    Chairman Chaffetz. Was it unethical when it was happening 
at the time if nobody said it and it was continuing today? Is 
that unethical?
    Mr. King. Again, it was a lapse in judgment, and I 
counseled Dr. Harris ----
    Chairman Chaffetz. But what ----
    Mr. King.--to that effect.
    Chairman Chaffetz. So good judgment would have said he 
wouldn't have done that. Unethical judgment would have said--
where is the line here? Come on. You have got 4,000 employees. 
They are all watching this hearing. Explain to somebody who is 
there and says, you know, my boss has a business and a hobby 
and, you know what, I bet if I helped them make money, that 
might help me. Is that a reasonable conclusion?
    Mr. King. Where there's an appearance of impropriety, it is 
bad judgment. I counseled Dr. Harris ----
    Chairman Chaffetz. What if there is ----
    Mr. King.--to that effect.
    Chairman Chaffetz. What if there is actual impropriety?
    Mr. King. In this case, based on the findings of the IG 
report that were provided to our Office of General Counsel and 
our review of those findings, the review that was conducted by 
Deputy Secretary Miller and then by Deputy Secretary Shelton, 
by Ms. Winchell, and then my review of their findings, there 
was not a violation here of law or regulation or policy. There 
were lapses in judgment. Dr. Harris was counseled on those 
lapses of judgment four separate times, and the behavior, the 
activities ended.
    Chairman Chaffetz. You really think that Ms. Bruce and the 
Office of Inspector General need a criminal referral because 
they believed there was no violation of law, regulation, 
policy, or ethics?
    Mr. King. They provided information to the Department of 
Justice, and the Department of Justice chose not to proceed 
based on the information they received. That's what was 
summarized in the addendum that I received in March of 2015.
    Chairman Chaffetz. I will now recognize Ms. Plaskett for as 
much time as she would like.
    Ms. Plaskett. That is very generous of you, Mr. Chairman. I 
won't forget that. Thank you.
    I just wanted to go back and ask some more questions. And 
this is really about the past conduct, the allegations 
concerning the past conduct. Ms. Winchell, in your testimony on 
today's hearing you stated that in the time you reviewed the 
inspector general's 2013 report, your understanding was that 
the activities had already ceased and that the matter had been 
referred to the U.S. Attorney's Office for investigation. Is 
that correct of your understanding at the time ----
    Ms. Winchell. That's ----
    Ms. Plaskett.--you reviewed the inspector general's April 
2013 report?
    Ms. Winchell. That's correct.
    Ms. Plaskett. Okay. And, Dr. Harris, had you stopped the 
activities at issue before the IG issued the April 2013 report?
    Mr. Harris. Yes. My last--the last activity I had was 2012.
    Ms. Plaskett. Last activity? What would that activity have 
been?
    Mr. Harris. My hobbies.
    Ms. Plaskett. Okay. And that would have been the detailing 
and the home technology--the theater ----
    Mr. Harris. That is correct. I still detail but I do not 
accept compensation. It's still a hobby of mine.
    Ms. Plaskett. Okay. And I understand that you had--and then 
going back to a contract with E Source Technologies, it is our 
understanding that you have a personal relationship with the 
president of that company, a contractor for the Department. And 
the IG's report references a contract awarded in 2004. What was 
your position in 2004 with the Department of Education?
    Mr. Harris. In 2004 I was the deputy CFO, and I was not a 
personal friend of that vendor then. I knew him. I knew of him, 
as I do other vendors, but I was not a personal friend.
    Ms. Plaskett. And were you involved in the procurement or 
the contracting as the deputy CFO in 2004?
    Mr. Harris. I may have sat on the panel, but I did not 
select the vendor.
    Ms. Plaskett. What does ``sitting on the panel'' mean?
    Mr. Harris. You simply review what the vendors provide.
    Ms. Plaskett. You are reviewing and then discussing with 
the others on the panel your recommendation or ----
    Mr. Harris. That is correct.
    Ms. Plaskett. Okay. So you were part of the group that made 
recommendations to the ultimate contracting, but you say you 
were not a personal friend ----
    Mr. Harris. That is correct.
    Ms. Plaskett.--in 2004?
    Mr. Harris. That is correct.
    Ms. Plaskett. When did you consider yourself a personal 
friend?
    Mr. Harris. Approximately 2008 when I moved into the same 
area where the vendor lives.
    Ms. Plaskett. And did you have any contact with the vendor 
between 2004 and 2008?
    Mr. Harris. I'm sure I saw him as a result of him having 
business at the Department, but I didn't--our families weren't 
friends. We didn't travel together. We didn't ----
    Ms. Plaskett. So you did that after 2008 when you say you 
traveled ----
    Mr. Harris. After 2008, yes, we became friends.
    Ms. Plaskett. You traveled together ----
    Mr. Harris. Absolutely.
    Ms. Plaskett.--your families?
    Mr. Harris. Absolutely. We were friends.
    Ms. Plaskett. And that friendship was started because you 
moved into the area or he moved into the same area?
    Mr. Harris. I moved into the same area and we realized that 
we lived in the same area because we ran into each other in the 
area.
    Ms. Plaskett. Okay. And then, Ms. Winchell, in your 
testimony you stated that ``It's not clear that a close 
personal friendship had formed at the time Dr. Harris was 
involved in activities relating to the owner's company.''
    Ms. Winchell. That's correct.
    Ms. Plaskett. Can you elaborate on that? What did you mean 
by that?
    Ms. Winchell. Well, you know, we all create friendly 
relationships at work, and the way the rule works--actually, 
the rule doesn't include friendship as the kind of relationship 
that necessarily gives rise to a conflict. And OG--the Office 
of Government Ethics did that fairly deliberately. They provide 
a process that you can go through to evaluate whether the 
friendship would give rise to an appearance of a conflict of 
interest, basically evaluating whether a reasonable person 
would question your impartiality if you were to work on a 
matter involving that individual.
    So when I'm looking at these questions--and employees do 
call me from time to time about whether or not they should work 
on something that involves a friend. I'll ask them a series of 
questions like have you gone on vacation with this friend? How 
long have you known them? You know, sometimes you have people 
that meet their significant others, and technically this rule 
doesn't apply to them until they're actually sharing a 
household. But obviously, that's an important thing to know.
    The report of investigation, the only evidence there is in 
the report of a close personal friendship is when the vacations 
occurred, which was, I believe, in ----
    Ms. Plaskett. So ----
    Ms. Winchell.--and--in or around 2010.
    Ms. Plaskett.--before people go on vacations together, 
they're usually eating and socializing ----
    Ms. Winchell. Right.
    Ms. Plaskett.--and everything else before you to rise to 
the occasion that I think ----
    Ms. Winchell. Absolutely.
    Ms. Plaskett.--I can go on a personal vacation.
    Ms. Winchell. That's true. But there's no ----
    Ms. Plaskett. So you don't think that there was a personal 
relationship before they went on a vacation?
    Ms. Winchell. Well, I think there probably was, but there's 
no evidence of that except in ----
    Ms. Plaskett. Did you ask the questions?
    Ms. Winchell. Well, Dr. Harris has said on several 
occasions that the close personal friendship started in 2008.
    Ms. Plaskett. Did you ask the questions?
    Ms. Winchell. I did not ask that question at that time 
because I didn't know ----
    Ms. Plaskett. So the series of questions that you ask 
employees when they call and ask ----
    Ms. Winchell. Correct.
    Ms. Plaskett.--do I have a personal friendship, when you 
were looking into this, did you ask him those personal 
questions ----
    Ms. Winchell. I ----
    Ms. Plaskett.--those series of questions?
    Ms. Winchell. I did not ask those questions at the time.
    Ms. Plaskett. So you just took his word for when that 
personal friendship began?
    Ms. Winchell. Yes, I did.
    Ms. Plaskett. Did you think in hindsight--does that make 
sense now? I mean, I have been an ethics ----
    Ms. Winchell. Well ----
    Ms. Plaskett.--counsel.
    Ms. Winchell. Right.
    Ms. Plaskett. I was counsel on the House Ethics Committee 
----
    Ms. Winchell. Okay.
    Ms. Plaskett.--and I think I would have gone back and 
looked because I don't want the employee to get into trouble.
    Ms. Winchell. Right.
    Ms. Plaskett. Not that I am just trying to cover myself, 
but that I don't want him to get into trouble.
    Ms. Winchell. I certainly appreciate your point, and I 
think at the time my thought process was that the friendship 
had ended, so I wasn't concerned about the ongoing implications 
of that friendship. But I think you are making a valid point.
    Ms. Plaskett. And so if you were to ask those questions 
now, do you think there may have been some overlap in time 
period when there was a personal friendship and he had 
involvement with this so that the 2013 date may not be the hard 
date that we should be looking at?
    Ms. Winchell. Well, I don't--the hard date that I was 
looking at for when the friendship became a close personal 
friendship was 2008 to 2010, and the activity involved in his 
participation in the contract was prior to that time.
    Ms. Plaskett. Okay. And why did you say his activity was 
prior to that time? Does he not still ----
    Ms. Winchell. Because ----
    Ms. Plaskett.--have an ongoing contract with the Department 
of Education?
    Ms. Winchell. He may have--there may be an ongoing 
contract, but there's no ongoing friendship at this point. In 
order for the appearance problem to exist, there has to be 
both, you know--the rules are about--this particular rule is 
about whether or not you have a personal interest or friendship 
on one hand and an official duty on the other hand. And at this 
point in time the friendship doesn't exist. And as I understand 
it, he also doesn't participate in these contracts.
    Ms. Plaskett. The president of the company no longer 
participates in the contracts?
    Ms. Winchell. No, Danny--Dr. Harris no longer participates 
in the--does not participate--doesn't have a role in the 
implementation of the contracts.
    Ms. Plaskett. Ms. Bruce, do you--and you know that--Ms. 
Winchell, how do you know that?
    Ms. Winchell. Well, the only participation that's detailed 
in the report is from 2004, 2005, 2006.
    Chairman Chaffetz. If I can ----
    Ms. Plaskett. Yes.
    Chairman Chaffetz. If the gentlewoman would yield, there 
are still contracts that this company has that you have a 
responsibility for, right? I mean, you are the CIO. They are 
contracts with the Department of Education regarding CIO 
issues.
    Mr. Harris. But I do not have responsibility for the 
acquisition process ----
    Chairman Chaffetz. How can you claim you don't have a 
responsibility when you are the chief information officer? 
Those contracts are still outstanding, Ms. Winchell. They are 
still there. They are still in place. They still get money from 
the American taxpayer via the Department of Education ----
    Mr. Harris. Sir, if I ----
    Chairman Chaffetz.--correct?
    Mr. Harris. If I may, the way the Department is organized, 
and most agencies are organized this way, when it comes to 
acquisition, not just the selecting of vendors but the payment 
of those vendors, that is completely removed from the CIO's 
organization. It is purposeful. There is a firewall between me 
and any contract activities. And so I can't influence in any 
shape, form, or fashion.
    Now, as CIO, I do set IT strategy but I do not select 
vendors, products, or services.
    Chairman Chaffetz. But you did, according to the inspector 
general, previously engage in the selection. According to the 
inspector general, there was one contract where another 
company's proposal was ``significantly greater than the 
proposed by other offerers.'' And that the IG writes that the 
decision was changed to go to your friend William Hall's 
company ``based at least in part on input from Mr. Harris.''
    Mr. Harris. That had to have been 2004, and I had no 
friendship with that individual.
    Chairman Chaffetz. You have gotten promoted since, then, 
and the contracts continue. So to say that you have no 
interaction, no responsibility, you are the chief information 
officer. This is the ethical problem that it then presents 
because you did help him get this contract.
    Mr. Harris. I'm sorry. I disagree, sir. I'm sorry.
    Chairman Chaffetz. You are the CIO, and they are a vendor. 
How do you not have responsibility for that?
    Mr. Harris. The firewall that is created on purpose with 
the contracting organization and the rest of the Department, 
including CIO, and especially CIO when it comes to IT 
contracts, I am completely removed from and had no authority or 
influence on that process. That is the way we are organized, 
and most agencies are organized that way.
    Ms. Plaskett. So you have no input on whether or not they 
are effectively carrying out the contract that involves 
information services?
    Mr. Harris. That is correct.
    Ms. Plaskett. You don't send reports or anything to say 
this relationship--this contractor is performing the duties 
that I need for my job correctly or incorrectly?
    Mr. Harris. That is the contracting officer 
representative's job.
    Ms. Plaskett. And when does ----
    Mr. Harris. That is not my job.
    Ms. Plaskett. Where does the contracting officer get that 
information from?
    Mr. Harris. They get it from the project manager and the 
people working with the vendor, but they would not get it from 
me.
    Ms. Plaskett. And the project manager and the people 
working with the vendor would be your employees?
    Mr. Harris. That is correct.
    Ms. Plaskett. And would any of those employees be the 
people who worked for you on your hobby?
    Mr. Harris. No.
    Ms. Plaskett. Were they people who report directly to you 
and give you information about whether the contract was being 
performed properly or not?
    Mr. Harris. They would provide me briefings on the status 
of our various ----
    Ms. Plaskett. And you have no input or say into whether or 
not that is yea, nay, okay, sounds good ----
    Mr. Harris. That is correct.
    Ms. Plaskett.--let's continue?
    Mr. Harris. From a contractual perspective, that is 
correct.
    Ms. Plaskett. Wait a minute. So you are saying that when 
your employees give you reports, you don't have anything to say 
about it?
    Mr. Harris. I would provide my input, but I don't make 
contractual statements.
    Ms. Plaskett. But you provide the input that then goes back 
to the contractual people who are determining whether or not 
this has been performed properly or not?
    Mr. Harris. I think that's an accurate statement.
    Ms. Plaskett. So you are in some measure involved in this, 
whether it be from you stating that the contractor has 
performed or not performed the work of the contracts properly? 
Yes ----
    Mr. Harris. I would still say that I am removed from the 
----
    Ms. Plaskett. Wait, but that is yes or no. That is yes or 
no.
    Mr. Harris. I would still say I am removed from the 
acquisition process.
    Ms. Plaskett. I didn't ask you about the acquisition. I am 
asking you if, as the CIO and the reports for the contract come 
to you, if you have any input in whether or not those are being 
performed properly or not.
    Mr. Harris. Yes.
    Ms. Plaskett. Thank you. So in stating that, are there 
additional steps that you believe Ms. Winchell, Secretary King, 
that should be taken to ensure that possibly we need to look at 
this a little further because it appears that when the IG made 
the report, you took it at face value what the IG said and 
didn't do your own digging in this, Ms. Winchell.
    Ms. Winchell. Well, I do rely on the IG report. That's 
true. I assume that they do a full and thorough investigation. 
So I did rely on the report. I don't do a separate 
investigation. I don't have authority to do investigation and 
have actually been instructed not to investigate wrongdoing 
because it can interfere with the IG's ability to do their job.
    Ms. Plaskett. But when you are counseling, these counseling 
sessions ----
    Ms. Winchell. I do ask questions.
    Ms. Plaskett.--you didn't think it was appropriate to speak 
with Danny on a more deeper level about what he was and was not 
doing?
    Ms. Winchell. I did speak to him on a fairly deep level 
about how the rules apply to personal friendships, how they 
apply to relationships with subordinates, and also misuse of 
position and misuse of government equipment. We had quite--
we've actually had two lengthy conversations about that over 
the course of the last few years focused specifically on the 
concerns raised in the report.
    Mr. King. Congresswoman, if I might, I think ----
    Ms. Plaskett. Yes.
    Mr. King.--what you are raising is exactly the issue of 
appearance of impropriety on which Dr. Harris was counseled by 
Deputy Secretary Miller, then Deputy Secretary Shelton, and by 
me to the reason, my understanding, that he ended the 
relationship entirely in 2013 so that there would not be an 
appearance of impropriety.
    What is clear, though, on the sequencing of the contracting 
is that the only findings that the IG had was that the personal 
friendship began in 2008. These contract matters occurred in 
2004. But again, in order to ensure that there is no appearance 
of impropriety, he was counseled on these matters and ended the 
relationship in 2013.
    Ms. Plaskett. But, Secretary King, you have an enormously 
important job. Your job is to educate the American children, 
our future. And you don't have time to be dealing with stuff 
like this. But what I am finding in this hearing that is really 
disturbing is that it has taken all of these other Members of 
Congress questioning Dr. Harris and going through this with a 
fine-tooth comb to find out that a lot of the statements that 
he has made in an IG report really don't cover up the entire 
truth of what was going on. To say that he was not involved in 
the requisition of the contract is correct after 2004, but to 
say he had no say and involvement in the contract is not a true 
statement.
    And I think--that is not incumbent on you, sir. That is 
incumbent on Ms. Winchell, Dr. Harris to be telling us the 
complete truth of it and not just concerned about making 
himself look like he had a hobby and was not so involved in the 
contracting with the personal relationship. That is what is 
disturbing to me because this is not your job to do. This is 
Ms. Winchell's, this is the IG, this is those counsel that you 
relied on to ask these more substantive questions, and 
obviously, unfortunately, almost cross examination of Dr. 
Harris to get to the truth of the matter.
    Chairman Chaffetz. I now recognize the gentleman from North 
Carolina, Mr. Meadows.
    Mr. Meadows. Mr. King, so let me make sure I am clear. Your 
testimony here today is that there has been no ethical breach 
by Dr. Harris? That is your testimony?
    Mr. King. That there has been no violation of law or 
regulation or policy of the Department ----
    Mr. Meadows. Yes, you keep going back to that. Is that what 
the general counsel told you to respond every time you were 
asked a direct question is to respond with that? Is that what 
your counsel ----
    Mr. King. That's my response to the question I was asked.
    Mr. Meadows. So there is no ethical challenge?
    Mr. King. Again, there is no violation of the law or 
regulation ----
    Mr. Meadows. Okay.
    Mr. King.--or policy of the Department.
    Mr. Meadows. If that is the case, I have got good news for 
you, Mr. Harris. You can go back to doing whatever you darn 
well please because what he is saying is there is no violation.
    Mr. King. Congressman, respectfully ----
    Mr. Meadows. No, that is what you are saying.
    Mr. King. No, respectfully, what I am saying ----
    Mr. Meadows. That is a circular reasoning.
    Mr. King.--is that--no. It's ----
    Mr. Meadows. You are saying it is not. Why did you stop, 
Dr. Harris? If there was no violation of ethical standards, why 
did you stop?
    Mr. Harris. In hindsight and after getting counseling, I 
realized the appearance is not good.
    Mr. Meadows. All right. So let me ask you this, Mr. King. 
Why did three different Secretaries counsel Dr. Harris? If the 
first one took, why was there a need for a counseling of the 
second one? Why is there a need for the third one?
    Mr. King. The evidence of those activities ----
    Mr. Meadows. If it was done on 2013 according to your 
testimony, everything was over, why did everybody keep 
following up with Dr. Harris? If there is no violation of 
ethics or anything else, why would you have embarked to counsel 
him again?
    Mr. King. The evidence is that the initial counseling was 
effective and that the initial counseling was effective and 
that the activities ended in 2013.
    Mr. Meadows. So why did you waste your time?
    Mr. King. But both my predecessor and I believe that high 
ethical standards are of the utmost importance and ----
    Mr. Meadows. So he did violate ethical standards?
    Mr. King.--also the importance--and wanted--no, and wanted 
to convey, wanted to convey ----
    Mr. Meadows. You can't have it both ways, Mr. King. You 
can't have it both ways.
    Mr. King. Again, we wanted to convey to Dr. Harris that 
there could not even be the appearance ----
    Mr. Meadows. Let me tell you what you are conveying ----
    Mr. King.--of impropriety.
    Mr. Meadows.--to the American people. Let me tell you what 
you are conveying to the American people, and more importantly, 
to the 4,000 workers at the Department of Education, is that 
you can bend the rules; it just is a matter of who you are if 
you are bending the rules. And that is a sad commentary here 
today because, Ms. Winchell, you said that you go by what the 
IG has, is that--that was your testimony, right?
    Ms. Winchell. That's correct.
    Mr. Meadows. Okay. If the IG said it was a business, which 
she did, why did you not go by that? You questioned it there.
    Ms. Winchell. Well, in all honesty, I'd have to go back and 
see exactly what the report said but ----
    Mr. Meadows. I have read it.
    Ms. Winchell. I ----
    Mr. Meadows. And I am telling you she said it--your 
testimony, Ms. Bruce, was it a business?
    Ms. Bruce. Correct. We said because income was being 
generated, has a business logo and employees were paid ----
    Mr. Meadows. It was a business. So why did you not take her 
advice--you did on everything else. Ms. Plaskett said that you 
should have done your investigation. You said you relied on it, 
but yet, on the business part, you didn't rely on it.
    Ms. Winchell. Well, I relied on the facts that they 
provided and on the breadth of their investigation, but I did 
not rely on the conclusions that they reached because I thought 
their conclusions were wrong.
    Mr. Meadows. But that is not what you said, Ms. Winchell, 
in answering Ms. Plaskett. And again, you are using circular 
reasoning. You said that it was the IG's assumption that he was 
either innocent or guilty, and so what you did was took their 
words and then you came to your own conclusion? Is that what 
you are saying, without an investigation?
    Ms. Winchell. I came to my own conclusion based on the 
facts that were provided in the investigation.
    Mr. Meadows. All right. So, Ms. Bruce, Mr. Harris paid 11 
employees? That was your testimony? I may have missed that.
    Ms. Bruce. No, two employees.
    Mr. Meadows. Two employees.
    Ms. Bruce. Yes.
    Mr. Meadows. So he paid two different employees?
    Ms. Bruce. Yes.
    Mr. Meadows. Mr. Harris, was a 1099 filled out or a W-2 
filled out for those two employees?
    Mr. Harris. No, sir.
    Mr. Meadows. So did they make over $600?
    Mr. Harris. I don't believe so.
    Mr. Meadows. You are under oath. Neither of them made over 
$600?
    Mr. Harris. I'll--I'll ----
    Mr. Meadows. Were never paid over $600?
    Mr. Harris. One may have made over $600. I don't believe 
the other did but I would have to look at the record.
    Mr. Meadows. So aren't you required to do a 1099?
    Mr. Harris. As I ----
    Mr. Meadows. I mean, if they are working for you.
    Mr. Harris. As I indicated, it was just a hobby.
    Mr. Meadows. Okay.
    Mr. Harris. In hindsight ----
    Mr. Meadows. So you told me it was just a hobby and so now 
your detailing operation is just a hobby, is that correct?
    Mr. Harris. Absolutely, and I make ----
    Mr. Meadows. Okay. Well, I have two cars. When can I sign 
up? If it is a hobby, I mean I would love to bring my cars and 
let you detail my cars. Dr. Harris, I think you and I both know 
it is not just a hobby.
    Mr. Harris. It was a hobby, sir.
    Mr. Meadows. Okay. Have you done any personal work for 
anybody, Ms. Winchell, Mr. King?
    Mr. Harris. I have not, sir.
    Mr. Meadows. Ever?
    Mr. Harris. Ever.
    Mr. Meadows. Okay. How do we go from here, Mr. King, 
because it is not over with this hearing. I know a lot of 
people like to get prepared for a hearing and say it is all 
over and it is not over, I can tell you, because we have a 
responsibility to the American people and responsibility to the 
Federal workers who were whistleblowers, who are probably 
disappointed with your response today. So where do we go from 
here?
    Mr. King. Again, corrective action was taken. The behavior 
ended in 2013. Our focus at the Department is on ensuring that 
we move forward on cybersecurity and the other urgent 
priorities of the Department. We are making significant 
progress on cybersecurity, but we have much more to do and to 
ensure that we are responding as best we can to the 
cybersecurity threats ----
    Mr. Meadows. So let me ----
    Mr. King.--that exist.
    Mr. Meadows. Let me close with this last question then. 
What message does it send to all the Federal workers if we have 
someone who has been referred for criminal action by the OIG, 
who has been counseled three times for questionable behavior, 
and continues to get outstanding performance reviews and 
bonuses that would make most of us blush? What message does it 
send, Mr. King?
    Mr. King. The message is clear. Where there was the 
appearance of impropriety ----
    Mr. Meadows. I agree the message is clear, but I am ----
    Mr. King. Where there was the appearance of impropriety, 
the employee was counseled by three deputy secretaries, by our 
ethics officer ----
    Mr. Meadows. And the checks kept ----
    Mr. King.--and the activities ----
    Mr. Meadows.--coming. And the checks ----
    Mr. King. The activities ----
    Mr. Meadows.--kept coming.
    Mr. King. The activities ended, and the employee 
understands the importance of not even allowing the appearance 
of impropriety.
    Mr. Meadows. I will yield back. Thank you, Mr. Chairman.
    Chairman Chaffetz. Thank you. I have a few things to clean 
up.
    Mr. Harris, William Hall was the person in question here. 
He may be the finest man, offering good services. I hope so. We 
are sending him I don't know how many dollars, so I am guessing 
millions of dollars. According to the inspector general, you 
actually went to his house and installed home theater 
equipment, correct?
    Mr. Harris. I did.
    Chairman Chaffetz. Was that you personally?
    Mr. Harris. That was me personally.
    Chairman Chaffetz. Who else was involved in that?
    Mr. Harris. Just me.
    Chairman Chaffetz. And what were you paid by him to do 
that?
    Mr. Harris. I was not compensated.
    Chairman Chaffetz. So this is a person with how many 
contracts, six or eight contracts with the Department of 
Education, and you go to his house, you have a business--I 
disagree. I don't think this is a little hobby. I think this 
is--I agree with the inspector general here. And you go to this 
person's house and you install a home theater system, and he 
paid you how much? Nothing?
    Mr. Harris. He was a friend.
    Chairman Chaffetz. Mr. King, you don't see any ethical 
problem doing that?
    Mr. King. Again, Dr. Harris was not involved after 2008 
when this relationship began ----
    Chairman Chaffetz. No, I am just asking about when it 
happened ----
    Mr. King.--and the contract ----
    Chairman Chaffetz.--at the time.
    Mr. King. But what I counseled him on was ----
    Chairman Chaffetz. No, he was ----
    Mr. King.--that we can't have--we ----
    Chairman Chaffetz. That is--but wait, wait, wait. Mr. King, 
you are making an assumption that the inspector general says is 
not true.
    Mr. King. No, they ----
    Chairman Chaffetz. They laid out a case where Mr. Harris 
was involved--a contract was going to a different vendor. He 
got personally involved and at least had some input. I am not 
saying the final decision, some input, and that contract was 
changed and given to William Hall's company.
    Mr. King. There was a contract in 2004 before this 
relationship began according to the evidence.
    Chairman Chaffetz. But he was the program manager ----
    Mr. King. There then was ----
    Chairman Chaffetz.--for other contracts.
    Mr. King. But again, the personal relationship ----
    Chairman Chaffetz. No, wait a second, Mr. King. The initial 
contact, the interaction Mr. Harris had with William Hall 
started in like 2000, 2001.
    Mr. King. As acquaintances ----
    Chairman Chaffetz. So it is an acquaintance ----
    Mr. King. Based on the evidence ----
    Chairman Chaffetz. There is a standard between an 
acquaintance and a friend?
    Mr. King. Based on the evidence that was presented by the 
IG to our general counsel, there was a ----
    Chairman Chaffetz. I am tired of hearing about you and your 
general counsel, okay? They can give you all the advice you 
want. You make the decisions. You are the decision-maker. So 
let's just cut that part out and get right to the ----
    Mr. King. Again--again ----
    Chairman Chaffetz.--chase here.
    Mr. King. Again ----
    Chairman Chaffetz. Hold on one sec. Hold on one second. You 
see no ethical problem with somebody who oversees and 
supervises the personnel who have to implement these contracts 
with them personally going and installing home theater 
equipment to a company that I am guessing makes millions of 
dollars from those contracts?
    Mr. King. As I indicated, I made clear in my counseling to 
Dr. Harris ----
    Chairman Chaffetz. Yes, if you are just going to read ----
    Mr. King.--that there cannot be ----
    Chairman Chaffetz.--the same thing
    Mr. King.--there cannot be an appearance of impropriety to 
the extent that having this personal relationship ----
    Chairman Chaffetz. Well, I want to know if there was any 
impropriety, and in your mind, you are saying no ----
    Mr. King. What I'm saying is that ----
    Chairman Chaffetz.--there is no ----
    Mr. King.--the appearance, as a result of the personal 
relationship, was a problem. Dr. Harris understood that. The 
relationship ended in 2013.
    Chairman Chaffetz. I think Mr. Meadows is exactly right. 
You can't have it both ways. Either Mr. Harris violated no 
regulation, law, policy, or any ethical concern and you should 
continue on, sir. According to Mr. King, continue on, play on. 
You have had nothing docked in your pay, you have progressed at 
every level, you got bonused up. I mean, you have had, what, 
almost $250,000 in bonuses over the last 11 years. 
Congratulations. And you have side businesses, three other 
jobs, you had people that had contracts with you that were 
going to their home and installing theaters, over a 2-year 
period you exchanged 700 phone calls that were text messages 
you say, but you say, hey, there is no relationship. You still 
oversee those. I don't know how you get away with it. I really 
don't. I am concerned about the other 3,900 and however many 
employees are out there. I think you are sending the wrong mix.
    And, Mr. King, I hope at some point you do reevaluate and 
go through this.
    I have got one other thing here. Mr. Harris, what was the--
you had to go back with this unreported income. How much money 
are we talking about was the unreported income?
    Mr. Harris. It was 1 percent of my household income.
    Chairman Chaffetz. Over what period of time?
    Mr. Harris. Over a 10-year period.
    Chairman Chaffetz. So over a 10-year period you are making 
in excess close to $2 million during that time.
    Mr. Harris. No, sir. No, sir. It was an average of $4,000 a 
year, and that was before expenses. After expenses it was 
hundreds of dollars. And that is why--poor judgment, but that 
is why I didn't--it wasn't a business. It was just a hobby. But 
it was ----
    Chairman Chaffetz. So there is $40,000 in revenue? That is 
what we are talking about, that wasn't ----
    Mr. Harris. Over 10 years, and again, that's before 
expenses. With--after expenses, it would have been hundreds of 
dollars. There literally was no major profit to be made. It was 
insignificant amounts of money.
    Chairman Chaffetz. But you had employees, you were 
installing home theater equipment, you had people ----
    Mr. Harris. I did not have employees.
    Chairman Chaffetz. Okay. You had independent contractors 
that worked at the Department of Education that also worked for 
you, and they had dual income as well. I am just trying to--so 
if it is 1 percent of your income, you said 1 to 2 percent of 
your income over 10 years.
    Mr. Harris. Annually, 1 percent annually.
    Chairman Chaffetz. I know but I am taking your salary, 
183,000. You haven't always made that much. You multiply that 
times 10. That equals how much? One point eight million 
dollars. Take what is 1 or 2 percent of that, yes, and you 
start ----
    Mr. Harris. No, sir.
    Chairman Chaffetz.--to come up with tens of thousands of 
dollars that I just want to understand the gravity. We will 
work on the math with you and the Department of Education soon.
    I could continue on, but we have exhausted this. Mr. King, 
with all due respect, Ms. Winchell--let me do this before we do 
this.
    Ms. Bruce, we have talked about several things here over 
the last few minutes. You looked like you wanted to make some 
sort of comment there.
    Ms. Bruce. Only that I know we spent quite a bit of time 
talking about business. The OIG at no time never was approached 
to get some additional information. We've always been available 
for that additional information. Our concern has not been 
business. It's been about earned income. So I wanted to make 
sure that point was made clear. When you asked me about a 
business, it was about earned income in our report and not 
necessarily about a business.
    Chairman Chaffetz. And, Ms. Winchell, the policy is any 
income above $200, correct?
    Ms. Winchell. Yes, actually, it's the law that governs the 
financial disclosure reporting.
    Chairman Chaffetz. Right.
    Ms. Winchell. It's $200 from any source. Because Dr. Harris 
didn't form a business, that would be over $200 from each 
person who paid him to provide a service in a given year. So, 
for example, if he installed a home AV system for--and earned 
$700, he would need to report that. But if he detailed a car 
for $74 or $100 ----
    Chairman Chaffetz. Right.
    Ms. Winchell.--that would not need to be reported.
    Chairman Chaffetz. Yes, and I ----
    Ms. Winchell. In other words, they don't have to ----
    Chairman Chaffetz. In my mind, it is actually more 
understandable. And why do we do that? Why do we get 
disclosures of $200 or more?
    Ms. Winchell. Well, I can't speak for why the Legislature 
set the $200, but the whole point of the system is to help the 
government identify and remediate potential--actual and 
potential conflicts of interest.
    Chairman Chaffetz. Yes, it is an ethical issue.
    Ms. Winchell. Exactly.
    Chairman Chaffetz. Did he fill out a form for 10 years or 
did he fill a form out for just one year?
    Ms. Winchell. Mr. Harris actually has filled out his public 
financial disclosure form completely and in a timely manner 
every year. And when we have had questions that we needed to 
address on technical aspects of the form, he's been very 
responsive.
    Chairman Chaffetz. I don't know how you come to the--it's 
kind of laughable almost that after this hearing you still 
think he filled it out completely.
    Ms. Bruce, what did you find there?
    Ms. Bruce. Our evidence showed that for the years in 
question, 2008, '09, and '10, there were no disclosures as far 
as the $200--in excess of $200.
    Chairman Chaffetz. And Mr. Harris admitted that he is 
making money every year for 10 years, and there are 3 years 
that they didn't complete them. And you just said--this is what 
scares us--this is why we got a hearing that is going into hour 
4 is because you still--as the ethics officer, you spend 
supposedly 8 hours a day working on ethics, hard to believe 
that that happens, you still don't understand it. You still 
don't know that there is a problem.
    And, Mr. King, you are enabling this. You are the decision-
maker. You have been given this mantle of trust from the 
President of the United States and you are failing. And it has 
got to quit.
    You still don't know. He admitted right here just now that 
for 10 years he has been having this income and the inspector 
general--why are you shaking your head back in the audience 
just laughing at us? You are laughing at the American taxpayer. 
I don't know who that guy works for. I am telling you, don't 
just sit there and laugh at us. I will follow this through. You 
didn't think we were taking this seriously. You are making a 
fundamental and total mistake. You are misusing American 
taxpayer dollars. We have vulnerabilities that are just 
unbelievable. And we will continue to pursue this.
    You better hope that none of that data gets out there. But 
when the inspector general went to penetrate the system, they 
got in there unimpeded, never detected, walked back out and 
reported it to Congress, as they should.
    Ms. Bruce, to the people that work in the inspector 
general's office, thank you. Thank you for your good work. We 
wouldn't know about this without those good people doing tough, 
difficult work. Nobody wants to hear from the inspector 
general, but they do some of the most valuable work that we 
have before us today. I thank you all for your service, and I 
thank you for your testimony today. I thank the men and women 
who work in the Department of Education. We are trying to fix 
it, but the problem is sitting here with Ms. Winchell and Mr. 
King and Mr. Harris.
    This meeting is now adjourned.
    [Whereupon, at 12:59 p.m., the committee was adjourned.]


                                APPENDIX

                              ----------                              


               Material Submitted for the Hearing Record
               