[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]







     SECURE CREDENTIALS ISSUED BY THE GOVERNMENT PUBLISHING OFFICE

=======================================================================

                                HEARING

                               BEFORE THE

                         COMMITTEE ON OVERSIGHT
                         AND GOVERNMENT REFORM
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                            OCTOBER 21, 2015

                               __________

                           Serial No. 114-54

                               __________

Printed for the use of the Committee on Oversight and Government Reform






[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]











         Available via the World Wide Web: http://www.fdsys.gov
                      http://www.house.gov/reform
                      
                      
                                 ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

97-975 PDF                     WASHINGTON : 2015 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
                      
              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM

                     JASON CHAFFETZ, Utah, Chairman
JOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, 
MICHAEL R. TURNER, Ohio                  Ranking Minority Member
JOHN J. DUNCAN, Jr., Tennessee       CAROLYN B. MALONEY, New York
JIM JORDAN, Ohio                     ELEANOR HOLMES NORTON, District of 
TIM WALBERG, Michigan                    Columbia
JUSTIN AMASH, Michigan               WM. LACY CLAY, Missouri
PAUL A. GOSAR, Arizona               STEPHEN F. LYNCH, Massachusetts
SCOTT DesJARLAIS, Tennessee          JIM COOPER, Tennessee
TREY GOWDY, South Carolina           GERALD E. CONNOLLY, Virginia
BLAKE FARENTHOLD, Texas              MATT CARTWRIGHT, Pennsylvania
CYNTHIA M. LUMMIS, Wyoming           TAMMY DUCKWORTH, Illinois
THOMAS MASSIE, Kentucky              ROBIN L. KELLY, Illinois
MARK MEADOWS, North Carolina         BRENDA L. LAWRENCE, Michigan
RON DeSANTIS, Florida                TED LIEU, California
MICK MULVANEY, South Carolina        BONNIE WATSON COLEMAN, New Jersey
KEN BUCK, Colorado                   STACEY E. PLASKETT, Virgin Islands
MARK WALKER, North Carolina          MARK DeSAULNIER, California
ROD BLUM, Iowa                       BRENDAN F. BOYLE, Pennsylvania
JODY B. HICE, Georgia                PETER WELCH, Vermont
STEVE RUSSELL, Oklahoma              MICHELLE LUJAN GRISHAM, New Mexico
EARL L. ``BUDDY'' CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama

                    Sean McLaughlin, Staff Director
                 David Rapallo, Minority Staff Director
     Art Arthur, Staff Director, Subcommittee on National Security
      Dimple Shah, Deputy Counsel, National Security Subcommittee
                           Sarah Vance, Clerk
                           
                           
                           
                           
                           
                           
                           
                           
                           
                           
                           
                           
                           
                           
                           
                           
                           
                           
                           
                           
                           
                           
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on October 21, 2015.................................     1

                               WITNESSES

Ms. Davita Vance-Cooks, Director, U.S. Government Publishing 
  Office
    Oral Statement...............................................     5
    Written Statement............................................     6
Ms. Kathleen Carroll, Vice President of Corporate Affairs, HID 
  Global, Inc.
    Oral Statement...............................................     6
    Written Statement............................................     8
Mr. James N. Albers, Senior Vice President of Government 
  Operations, Morphotrust USA
    Oral Statement...............................................     8
    Written Statement............................................     9
Michael A. Raponi, Inspector General, Government Publishing 
  Office
    Oral Statement...............................................    10
    Written Statement............................................    11

                                APPENDIX

Letter from GAO..................................................    36
State Response to Inquiry from Morphotrust R: Border Crossing 
  Card Issue.....................................................    56
Statement from Business Coalition for Fair Competition...........    57

 
     SECURE CREDENTIALS ISSUED BY THE GOVERNMENT PUBLISHING OFFICE

                              ----------                              


                      Wednesday, October 21, 2015

                  House of Representatives,
      Committee on Oversight and Government Reform,
                                           Washington, D.C.
    The committee met, pursuant to call, at 10:02 a.m., in Room 
2154, Rayburn House Office Building, Hon. Jason Chaffetz 
[chairman of the committee] presiding.
    Present: Representatives Chaffetz, Mica, Amash, Farenthold, 
Lummis, Massie, Meadows, DeSantis, Buck, Walker, Blum, Hice, 
Carter, Grothman, Hurd, Palmer, Connolly, Lieu, Plaskett, 
DeSaulnier, Welch, and Lujan Grisham.
    Chairman Chaffetz. The Committee on Oversight and 
Government Reform will come to order. And without objection, 
the chair is authorized to declare a recess at any time.
    I appreciate all of you joining us for this hearing today, 
Secure Immigration Identify Documents. For nearly 150 years, 
the Government Printing Office, otherwise known as the GPO, has 
served as the printer for the Congress and the Federal 
Government. In that capacity, it is responsible for the 
collection, production, distribution, and preservation of 
public information from three branches of government. As 
government records move from print to digital, GPO finds itself 
in a challenge to remain relevant and necessary. With declining 
print demands, GPO is projected to run out of money in 2020 
unless it overhauls its current business model.
    In 2013, the National Academy of Public Administration, or 
NAPA, conducted a review of the state of GPO and its ability to 
meet the digital demands of the future. NAPA found that all the 
facets of the GPO will need to be realigned, everything from 
GPO's digital publishing and preservation efforts to the size 
and skill set of its workforce will need to be re-evaluated.
    One major change to its business model involves GPO 
supplying secure credentials containing radio frequency 
identification, often referred to as RFID, in these chips to 
government agencies handling our Nation's immigration 
functions. GPO now issues those documents. It is unclear, 
however, if those documents are both secure and functional. 
Ensuring that identity documents are secure and reliable is 
critical to our national security.
    Immigration fraud was identified by the 9/11 Commission as 
a key method by which terrorists entered and remained in the 
United States. As the commission noted, ``Travel documents are 
as important as weapons.'' It went on to say, ``At many entry 
points to vulnerable facilities, including gates for boarding 
aircraft, sources of identification are the last opportunity to 
ensure that people are who they say they are.'' Given these 
facts, it is critical that secure credentials reflect state-of-
the-art technology to ensure Federal Government is a step ahead 
of those who would attempt to alter or misuse documents to 
commit terrorist or criminal acts.
    The Federal acquisition system is built on the principle of 
full and open competition. Full and open competition means 
contractors compete against each other on both the quality and 
the solution and the price. This ultimately benefits the 
American taxpayer, and I believe provides a better end product.
    Essentially, Federal departments and agencies can 
circumvent the full and open competition process and sole 
source their secure credential requirements to the GPO. This 
means that the American taxpayer does not realize the benefit 
of innovation and the best price through a full and open 
competition process. It also means the government forfeits the 
opportunity to leverage innovative solutions to ensure reliable 
and security of those credentials.
    It also appears GPO is increasingly shifting towards in-
house production of credentials. Now, if they offer the best 
product, the best price, more power to them. But without that 
competition, we are worried that over the course of time that 
security, that innovation, that it will suffer.
    Typically, an agency seeking to contract with the private 
sector for a good or service must comply with the Federal 
Acquisition Regulations, or FAR. The agency would publish a 
request for a proposal and receive bids from potential 
contractors in response. Then the agency has the opportunity to 
evaluate the solutions and the price offered by several 
contractors. This process of full and open competition is 
intended to make sure the agency is getting the best product at 
its lowest price.
    GPO claims that its 47-year-old authorizing statute, Title 
44, justifies its ability to issue secure credentials in this 
matter simply because these cards have prints on them and 
printing is a core GPO function.
    In particular, GPO has argued that, ``The production of 
secure credentials for Federal agency also involves the 
printing process, and so GPO is authorized to produce them.'' 
This raises the question of whether Title 44 should be used in 
competition process to acquire secure credentials from GPO. GPO 
certainly knows how to print, but do they have the capacity to 
innovate and provide reliable secure credentials?
    This is part of the discussion today, and I thank all the 
witnesses for their expertise and being here today, and look 
forward to a good discussion about a most important topic.
    We will now recognize the ranking member, Mr. Connolly of 
Virginia, for his opening statement.
    Mr. Connolly. Thank you, Mr. Chairman. And welcome to our 
panelists.
    I welcome the opportunity to examine more closely the 
government's procurement and production of secure 
identification cards. Today most people take for granted the 
necessity of carrying around some form of official credential, 
whether it's a passport, driver's license, employer-issued ID, 
or if you're a Member of this body, your voting card. Thanks to 
technological advances in recent years, some of these cards now 
digitally store personal information, which makes the integrity 
of the cards themselves and those involved in the manufacturing 
to create them critically important. It also strikes me as a 
prime opportunity for the public sector, which increasingly 
relies on these smart cards, to partner with industry, which is 
continually advancing the sophistication of the security, as 
well as the applications for this technology through innovation 
and research.
    I would suggest the Government Publishing Office, which is 
statutorily tasked with serving the printing needs for all 
three branches of the Federal Government, has been successful 
in fostering such a partnership with industry, on developing 
the modern U.S. passport, which it produces for the Department 
of State using paper and electronic components, competitively 
procured from private sector vendors. Based on that experience 
and growing interest from Federal agencies for the secure 
credentials, GPO requested and was granted authority by the 
Joint Committee on Printing, comprised of Members of Congress, 
to begin producing secure cards, beginning with the credentials 
for the Trusted Traveler Programs for U.S. Customs and Border 
Protection under the Department of Homeland Security.
    More recently, GPO took over the production of the Border 
Crossing Card for the State Department at the agency's request. 
One of the companies represented today, MorphoTrust, at one 
time printed those cards. But the State Department determined 
GPO could produce them with a more reliable read rate at a 
lower cost. While the production of the physical cards 
transitioned to GPO, I understand Morpho remains the lead 
contractor for imprinting the personalized information on each 
card.
    Mr. Chairman, I must say I was puzzled to read the prepared 
statements from today's industry witnesses in preparing for 
this hearing. For example, Ms. Carroll, who represents HID 
Global, an international company that prints the U.S. 
Government Green Card and passports for 25 other countries, as 
well as our Member voting cards, and secure IDs for 
congressional staff, says industry is threatened by GPO's 
expanded role in producing smart cards.
    Further, Mr. Albers of MorphoTrust, the U.S. subsidiary of 
a multinational company which partners with GPO, on producing 
U.S. passports and prints the driver's license for 42 of 50 
states, suggests GPO's actions represent an existential crisis 
for industry and its partnership with the Federal Government. 
Last time I checked, Congress provides GPO with a budget for 
printing and binding of roughly $80 million. While it does 
engage in printing and manufacturing of secure cards separate 
from the passport, it is on a limited basis, utilizing just 27 
employees. Production of secure cards accounts for four percent 
of the GPO's revenue, roughly $30 million, representing a mere 
fraction of the multi-billion dollar global secure card market. 
GPO does not actively compete with industry through the agency 
procurement process, responding only to direct agency requests.
    I understand industry representatives may be concerned that 
such inter-government arrangements hinder competition. But I 
would note that GPO often turns to industry to competitively 
procure products to meet those needs. Further, I would suggest 
that we ought to be more agnostic about whether this work is 
best performed by government or private sector, and I think you 
expressed that, Mr. Chairman, just now about whether this work 
is best performed by government, private sector, and instead 
consider which can meet agency needs for a quality product with 
the best cost.
    When I was chairman of Fairfax County, we explored 
opportunities to outsource several government functions. And I 
can recall having my auditor look into potential savings of 
outsourcing vehicle fleet maintenance. I was convinced the 
private sector could do that more cheaply and probably at 
better quality. To my surprise, the government actually came in 
cheaper than Jiffy Lube, and the customer satisfaction was 
universally positive. I was surprised. My preconceived notion 
was, in fact, wrong.
    So in the case of smart cards, the few agencies that turn 
to GPO have, in fact, reported savings, as GPO's only allowed 
to recoup its costs and does not make a profit. Those agencies 
also may cancel their agreement with GPO at any time without 
penalty if they find an industry partner that can produce a 
more reliable card and more cheaply.
    In addition, I would note this finding from the GAO which 
notes GPO, ``Does not have the capacity to meet the entirety of 
the Federal Government demand for secure credentials either 
through direct production in its facilities, or by contracting 
outside entities to fulfill a requisition.'' So even if GPO 
wanted to expand its secure card business, as our witnesses 
suggest is the case, it could not do so.
    Let me go back to what I said at the outset. This should be 
a textbook opportunity for government to better collaborate 
with industry. We wouldn't have this capability if not for the 
ingenuity of industry which has responded to both the public 
and private sector needs for technologically advanced secure ID 
cards. At the Federal level, GPO as the printer of the U.S. 
passport since 1926, has a role to play in this discussion, 
albeit a small one, as do other Federal agencies that rely on 
industry to be a partner in providing those essential services.
    I look forward to the hearing. Thank you, Mr. Chairman.
    Chairman Chaffetz. Thank the gentleman.
    Chairman Chaffetz. We'll hold the record open for 5 
legislative days for any members who would like to submit a 
written statement.
    Chairman Chaffetz. We'll now recognize our witnesses. We're 
pleased to welcome Ms. Davita Vance-Cooks, director of the 
Government Publishing Office, the GPO; Ms. Kathleen Carroll, 
vice president of corporate affairs at HID Global; Mr. James 
Albers, senior vice president of government operations at 
MorphoTrust USA; and Mr. Michael Raponi--did I pronounce that 
right?
    Mr. Raponi. Yes, Mr. Chairman.
    Chairman Chaffetz. --inspector general of the Government 
Publishing Office. We welcome you all.
    Pursuant to committee rules, all witnesses are to be sworn 
before they testify. So if you will please rise and raise your 
right hand. Please rise and raise your right hands. Thank you.
    Do you solemnly swear or affirm that the testimony you are 
about to give will be the truth, the whole truth, and nothing 
but the truth?
    Thank you. Please be seated.
    And let the record reflect that the witnesses all answered 
in the affirmative.
    Your entire written statement will be entered into the 
record. We're now going to recognize you for your verbal 
comments, but if you could please limit those to 5 minutes, we 
would appreciate it. And then we'll get to the questions.
    Director Vance-Cooks, you're now recognized for 5 minutes.

                       WITNESS STATEMENTS

                STATEMENT OF DAVITA VANCE-COOKS

    Ms. Vance-Cooks. Mr. Chairman and members of the committee, 
good morning. I have been looking forward to this opportunity 
to showcase the important secure credential work that the GPO 
performs on behalf of Federal agencies and our U.S. citizens. 
As you have asked, I will briefly summarize my prepared 
remarks, which have been submitted for the record.
    The GPO has produced the U.S. passports since 1926, giving 
us extensive experience in the important field of secure 
credentials. A decade ago, in partnership with State, we 
developed the e-passport which contains multiple physical and 
digital security features. And since then we have produced over 
100 million e-passports. Based on this experience, in 2007 the 
Joint Committee on Printing, our oversight committee, approved 
our request to fund a capability to produce secure credentials 
for Federal agencies that were asking us for these solutions.
    In 2012, the JCP approved our request to fund the 
establishment of a secure credential COOP site. The JCP, our 
oversight committee, has overseen and approved funding for this 
program throughout its existence. Our role in building secure 
identity documents is to provide Federal Government agencies 
with an option for a government-to-government solution backed 
by competitive outsourcing with the private sector. We are a 
choice. And the agencies are not required to use us.
    We are a printer and a card integrator. We produce secure 
credentials by using qualified expert staff working in an ISO 
9001 certified manufacturing operation backed by a COOP 
facility supported by a secure supply chain with access to both 
Federal and commercial experts in fraudulent document testing 
and forensic labs.
    In our partnerships with the private sector, we outsource 
our requirements for consulting, design, equipment, materials 
and supplies, and fabrication so that we can produce secure 
credentials with cutting edge security technologies.
    Our partnerships with the private sector create hundreds of 
jobs and provides multiple business opportunities. To date, the 
GPO has produced over nine million secure credential cards 
across 15 separate product lines. Among these products are the 
Trusted Traveler Program cards, the Border Crossing Cards, and 
the TWIC cards. And our customers are highly satisfied with 
GPO's product performance, reliability, security, and pricing. 
Our secure credential operation is relatively modest in size. 
Total program revenues for fiscal year 2014, approximately $30 
million, representing four percent of GPO's revenue.
    The secure credential operation is an authorized GPO 
function as outlined by Title 44, which defines printing and 
the requisition process. And that requisition process triggers 
competitive procurement outsourcing throughout the secure 
credential industry. And by law, the GPO can only recover its 
costs. So there are no profits, there are no shareholder 
margins, resulting in significant taxpayer savings. We operate 
under multiple layers of oversight and review, including our IG 
office. Our finances are independently audited by KPMG every 
year. In the last 3 years, at the request of Congress, we have 
been audited by NAPA and the GAO, and they have validated our 
mission. We are open and transparent.
    In conclusion, we are proud that the program is helping to 
keep our borders and our facilities secure. Our employees are 
so proud to print these products. We're proud to serve our 
country. And I invite you all to come down and see our secure 
credential operation.
    Mr. Chairman, members of the committee, thank you again for 
this opportunity.
    Chairman Chaffetz. Thank you.
    [Prepared statement of Ms. Vance-Cooks follows:]
    [Written statement can be found here: https://
oversight.house.gov/hearing/secure-credentials-issued-by-the-
government-publishing-office/]
    Chairman Chaffetz. Ms. Carroll, you're now recognized for 5 
minutes.

                 STATEMENT OF KATHLEEN CARROLL

    Ms. Carroll. Good morning, Chairman Chaffetz and Ranking 
Member Connolly and other distinguished members of the 
committee. Thank you for inviting me to testify today.
    My name is Kathleen Carroll, and I am the vice president of 
corporate affairs at HID Global, where I focus on the 
intersection of technology, security, privacy, and public 
policy. I am honored to be able to share with you our concerns 
regarding the manufacture and procurement of secure immigration 
identify documents.
    For more than 25 years, HID Global has been designing, 
developing, and manufacturing secure credentials for private 
businesses and governments around the world, including the U.S. 
Green Card. In fact, as the Congressman noted, we do make the 
congressional staff ID cards and Member voting cards.
    The Department of Homeland Security has certified our 
Austin, Texas, facility for the manufacture of these 
credentials for the U.S. Government. A simple, easy-to-
replicate card can certainly be made by untrained people with 
readily available equipment. A complex hard-to-replicate 
reliable card is actually very difficult to make. What is often 
forgotten in discussions like this is that a secure identify 
document is part of an ecosystem that includes readers, 
software, databases, and processes to authenticate and verify 
such critical documents. All of these components must work 
together securely, seamlessly, consistently, and in a privacy-
protecting manner.
    Congress needs to decide whether these systems, which are 
the first line of defense at the border, require and deserve 
the innovation and investment that can only come from the 
private sector. This is why companies like HID Global exist. 
That is why the HID-made U.S. Green Card, has consistently been 
considered the hardest to counterfeit government-issued 
identify document. The Green Card has both physical card 
security and an extremely reliable RFID read rate.
    Congress created programs like the Green Card and the 
Border Crossing Card and mandated them for a reason, secure the 
border. We are proud of the jobs we create and the technology 
we developed to help you do that. And we hope to continue doing 
so in the future.
    Our ability to do so, however, is threatened by the 
Government Publishing Office's decision to become a 
manufacturer of secure credentials. With no legislative 
direction or authority from Congress, the GPO, a government 
entity, has broadly interpreted its mandate under Title 44 to 
manufacture ID cards and plastic data pages for passports. The 
GPO also aggressively markets its manufacturing services to 
executive branch agencies with the claim that it is the sole 
legal source of these ID cards.
    The evidence shows that the GPO doesn't really intend to 
compete at all. They instead inform executive branch agencies 
that they are required to obtain ID cards from the GPO under 
Title 44. The GPO began asserting this in 2007. We were part of 
a team of private industry vendors who spent months developing 
cutting edge secure identity documents for the consolidated 
Trusted Traveler RFID card program. Late in the procurement 
process, we were abruptly informed by letter that the GPO would 
provide the cards. The letter cited Title 44.
    More recently we were re-awarded the contract to 
manufacture the U.S. Green Card under a competitive bidding 
process with other private manufacturers. That competition 
almost didn't happen. We learned that the GPO had been having 
conversations with USCIS for months prior to the release of the 
most recent request for purchase. It is our understanding that 
the GPO was asserting that USCIS could avoid the rigorous 
process of conducting a competitive bid and instead simply 
request the Green Card be awarded to GPO under Title 44.
    Congress needs to decide if your goal is to have the best, 
most advanced secure credential technology to protect the 
border. If so, you need to insist that agencies should buy the 
best and most secure credentials from those of us in industry 
that have invested millions of dollars in innovation, 
expertise, and security.
    The GPO does not have the incentive or the capability to 
manufacture or even effectively develop the technologies 
offered by the private sector. It seems the threshold question 
Congress should be asking is, how do we make our government-
issued credentials used to gain entry into the United States as 
secure as possible? Not, how do we ensure that the GPO or any 
other entity that wants to enter the market to manufacture 
credentials can do so? The decision to manufacture secure 
immigration documents should not be left up to the GPO. For the 
sake of our national security, Congress should determine the 
best path forward.
    Thank you.
    Chairman Chaffetz. Thank you.
    [Prepared statement of Ms. Carroll follows:]
    [Written statement can be found here: https://
oversight.house.gov/hearing/secure-credentials-issued-by-the-
government-publishing-office/]
    Chairman Chaffetz. Mr. Albers, you're now recognized for 5 
minutes.
    Mr. Connolly. Mr. Chairman.
    Chairman Chaffetz. Yes.
    Mr. Connolly. Can I just say to Ms. Carroll I thank you for 
the voter ID cards you produce, and I just hope we can persuade 
airports and TSA to accept them as a valid form of ID.
    Thank you.
    Ms. Carroll. If you need some help, I'll try to help.
    Chairman Chaffetz. Mr. Albers, you're now recognized for 5 
minutes.

                  STATEMENT OF JAMES N. ALBERS

    Mr. Albers. Good morning, Chairman Chaffetz, Ranking Member 
Connolly, other distinguished members of the committee. I thank 
you for inviting me to testify today. My name is Jim Albers, 
and I'm the senior vice president of government operations for 
MorphoTrust USA.
    MorphoTrust employs over 1,600 employees in the United 
States. All of our employees are cleared U.S. citizens, and all 
of our secure production facilities are located in the United 
States. MorphoTrust produces 80 percent of the driver's 
licenses and IDs in this country, the most widely used document 
for establishing identify. We have been the prime contractor on 
the State Department's passport personalization contract for 20 
years. I'd like to use this opportunity to talk about the 
industry, the importance of competition as it relates to price 
and innovation, and ultimately the security of the country.
    Private industry's ability to compete for contracts for 
Federal secure credentials is threatened by the Government 
Publishing Office's unique claims under Title 44. In 2008, 
following a competitive procurement, MorphoTrust was awarded a 
contract with the U.S. Department of State to produce the U.S. 
Passport Card, as well as the Border Crossing Card. Under this 
contract we produced over one million RFID-enabled secure 
credentials per year.
    In 2012, we learned through indirect sources that the GPO 
would now be producing the Border Crossing Card. There was no 
public notice, no RFI, no RFP. No opportunity for other 
suppliers to compete for this business. After a formal inquiry, 
we received a letter from the State Department's Office of 
Competition Advocate stating that they were required to use GPO 
for the production of secure credentials as it falls within the 
definition of ``printing'' under Title 44.
    There is a belief that the GPO enjoys a loophole from the 
Federal Acquisition Regulations under the guise of Title 44 
which requires that all printing be done by or through the GPO. 
The GPO is using this to procure without facing the free and 
open competition any private vendor would face. A lack of 
competition in industry will have a direct impact on national 
security by driving private suppliers and the innovations that 
they bring out of the business, and make it more difficult for 
America to stay one step ahead of the counterfeiters and the 
would-be terrorists.
    Production of secure credentials involves complex 
manufacturing processes that extend well beyond printing. These 
processes rely on persistent innovation and allow U.S. industry 
to design and produce some of the most sophisticated and secure 
credentials in the world. However, as we look at the 
competitive landscape, we believe that this industry's 
existence is threatened by the fact that GPO continues to grow 
large-scale production capability for the production of 
identity documents.
    Our economic system depends and only works well when there 
is competition. When you remove competition, you destroy 
capitalism. Competition drives innovation. MorphoTrust invests 
millions of dollars per year into internal R&D funds. We do 
this for two reasons. Number one, to stay ahead of the bad 
guys. And, number two, to stay ahead of the competition. If the 
government decided to send all its secure credential design, 
development, and manufacturing to GPO, industry would no longer 
have an incentive to invest.
    As a side note, when we do mess up, industry bears the 
costs of these mistakes. When government messes up, the 
taxpayers bear the cost.
    Competition drives down prices. As my friend right here, 
Kathleen, works for a competitor, sometimes MorphoTrust may 
partner with HID, and sometimes we may compete. Regardless, we 
both work hard to win. In a recent competition that Kathleen 
mentioned between our two companies, HID won the DHS Green Card 
award over MorphoTrust, with both companies drastically cutting 
prices over the current price, saving the government millions 
of dollars. Congratulations.
    National security is not being served by Title 44. While 
there were secure credentials prior to 9/11, those terrorist 
attacks on our soil highlighted the need for better identity 
documents. As the chairman already mentioned, the 9/11 
Commission reported for terrorists, travel documents are as 
important as weapons.
    In conclusion, in order to maintain a competitive 
industrial base, encourage competition and innovation, and keep 
one step ahead of the bad guys, it is time for Congress to 
reform Title 44. Doing so will clarify the authority of 
agencies to procure the production of secure credentials 
directly from the private sector. Only in this way will the 
United States Government secure and ensure the quality 
assurance, technological innovation, and cost efficiencies 
associated with robust private sector competition.
    Thank you for your time. I look forward to your questions.
    Chairman Chaffetz. Thank you.
    [Prepared statement of Mr. Albers follows:]
    [Written statement can be found here: https://
oversight.house.gov/hearing/secure-credentials-issued-by-the-
government-publishing-office/
    Chairman Chaffetz. We'll now hear from the inspector 
general, Mr. Raponi, for 5 minutes. You're now recognized.

                 STATEMENT OF MICHAEL A. RAPONI

    Mr. Raponi. Good morning, Chairman Chaffetz, Ranking Member 
Connolly, and members of the committee. Thank you for the 
opportunity to testify on the oversight work of the Office of 
Inspector General as it pertains to secure credentials issued 
by the Government Publishing Office.
    As you are aware, the OIG is an independent entity within 
the GPO. Therefore, the views expressed in my testimony are 
based on the findings and the recommendations of the OIG and 
not intended to reflect GPO's position.
    By way of background, GPO produces Federal secure 
credentials in accordance with its mandate under Title 44 of 
the U.S. Code to fulfill the printing needs of the Federal 
Government. According to GPO officials, production of secure 
credentials fall within the statutory definition of 
``printing.'' We noted congressional support of GPO's 
production of secure credentials when in December 2007 the 
Joint Committee on Printing authorized expenditures associated 
with smart card technology.
    And again in 2012 when it authorized expenditures 
associated with the establishment of a COOP capability for 
GPO's secure cards production located in Stennis Space Center's 
facility in Mississippi.
    We also noted in 2015, the Government Accountability Office 
reported its views of activities and processes related to GPO's 
production of secure credentials. In its report, GAO reported 
that both Department of State and Customs and Border Protection 
officials, believe that after consideration of factors such as 
interagency coordination and collaboration and pricing, among 
others, GPO was best able to meet their production needs.
    OIG has issued ten reports since 2012. OIG reports are 
intended to help senior managers strengthen operations. Our 
assessments disclosed that GPO established an overall framework 
of policies and management controls it uses to produce secure 
credentials. While an established structure is present, we 
noted opportunities exist to strengthen some activities and 
processes. For the purpose of this hearing, I will highlight 
examples from four audits.
    In August 2014, as part of an anonymous hotline complaint 
expressing concerns over acquisition of passport eCovers, OIG 
reviewed key factors used to determine whether a proposal was 
technically acceptable when GPO procured the most recent 
passport eCovers. In that review we found documentation was not 
sufficient to demonstrate all key evaluation factors were 
performed, reviewed, and approved by the contracting officer. 
We also identified an issue that pertained to inconsistencies 
with the disposition of test results. Management agreed with 
our recommendations and took, or is in the process of, taking 
corrective action.
    In September 2014, OIG reported on the steps GPO took for 
ensuring accountability over blank ePassports through various 
stages of the production process. By way of computer chips, we 
traced and analyzed more than 2.4 million eCovers through the 
production process to final destination at State. In part, we 
found GPO could strengthen accountability by better documenting 
the physical destruction of eCovers and blank ePassports at its 
Stennis facility. Management agreed with the recommendations 
and took, or is in the process of corrective action.
    In December 2014, based on concerns raised by the Committee 
on House Administration, OIG conducted a review and reported on 
whether GPO identified and addressed risks necessary to protect 
itself in the event a key component of blank ePassports were 
either compromised or had its supply chain threatened. OIG 
found that while significant improvements were made compared to 
results of an earlier review, procedures for ensuring the 
security of the supply chain were not always followed. OIG also 
identified a risk associated with sole source providers for key 
components of the supply chain. And management agreed with our 
recommendations and took, or is in the process of taking, 
corrective action.
    In my final example, GPO reported that the secure 
credential production system developed to produce the 
Transportation Worker Identification Card, TWIC, failed to 
produce data as expected. GPO management requested OIG review 
the matter. In response, OIG analyzed the steps taken to 
develop the secure credential production system focusing on 
whether risks were adequately mitigated during the system 
development. We found GPO's taken numerous steps to establish 
an overall system development policy to follow when introducing 
new products, GPO's integrated system development policy into 
key IT policies.
    In examining the activities with the development of the 
TWIC system, we found, in general, the framework for managing 
projects was not followed for approximately 60 percent of the 
tasks. Management agreed with the recommendations and has 
taken, or in the process of, taking corrective action.
    In conclusion, since 2012 OIG has made a total 34 
recommendations, of which 22 are closed and the remaining 12 
are open and pending further verification. OIG is not aware of 
any current security breaches of the supply chain affecting 
GPO's production of secure credentials. We continue to work 
collaboratively with GPO to improve operations, maintain a 
longstanding record in delivering a world class service to our 
Nation.
    Thank you for the opportunity to testify today. And I'd be 
pleased to answer any questions that you or any members of the 
committee may have.
    Chairman Chaffetz. Thank you.
    [Prepared statement of Mr. Raponi follows:]
    [Written statement can be found here: https://
oversight.house.gov/hearing/secure-credentials-issued-by-the-
government-publishing-office/
    Chairman Chaffetz. We'll now recognize the gentleman from 
Florida, Mr. Mica, for 5 minutes.
    Mr. Mica. Thank you, Mr. Chairman. And I appreciate your 
calling this hearing.
    You expressed a lot of pride, Ms. Vance-Cooks, in what 
you're doing. But I can tell you as far as credentialing and 
IDs, I have never seen a more screwed up program in my entire 
life. Our ranking member, Mr. Connolly, made a joke about our 
ID, being able to use it as identification like it at the 
airport. You produced the passports or you're responsible for 
the passports?
    Ms. Vance-Cooks. Yes, sir.
    Mr. Mica. Yeah. Well, after 9/11, just a little history, I 
called in the State Department because they were producing 
passports, and that was one of our most important documents 
that government was producing at that time. We said we should 
have some uniform standards for credentialing and be able to 
verify who has the passport or the identification, whether it 
be a passport, whether it be a Member's card, or any other form 
of Federal identification. Today we still don't have that.
    The TWIC card is an--I'd be ashamed to come and say I had 
anything to do with the TWIC card. We've probably spent a 
billion dollars, we've issued millions of them, and the TWIC 
card, which is Transportation Worker Identification Card, we 
have a document, don't we, a TWIC card? And we're on our second 
issuance of them. Right? At least.
    Ms. Vance-Cooks. The GPO is responsible for the TWIC card. 
This is the first time we have produced the TWIC card.
    Mr. Mica. I know. But, again, does it have identifiable, 
verifiable information in it now finally----
    Ms. Vance-Cooks. Yes.
    Mr. Mica. --with both thumb and iris?
    Ms. Vance-Cooks. I believe it does.
    Does it?
    No. It does not.
    Mr. Mica. Oh, if you don't know that and come here, that's 
sad. And you're in charge of it. But it doesn't have it. It's 
unbelievable, again, and we force people to take it. Now if you 
go to a port, they show their TWIC card, they have to show 
another form of identification. It is not verifiable.
    I held no less than three hearings, and it's not all your 
fault, part of it is Congress' fault. They've gone in different 
directions. This is a useless document, that's a Member card, 
except for charging trillions of dollars on it when we vote. 
But it's unbelievable.
    The pilot card. I put three times in law that it must have 
identity verification, a strip that would contain basic 
information as to who that person was. They produced it, folks. 
You should see it. It was the biggest joke in the world. A 
pilot's identification getting into the aircraft, past security 
and everything, it looked like it came out of a Cracker Jack 
box. It was a folded little paper ID. And I said it had to be 
durable. It had to have embedded in it the information, and 
then it had to have a picture of the pilot. I'll be dammed if 
they didn't produce it. There's much more information on my 
American Express Card than they had on the pilot card. No 
verification.
    You're not going to touch my--especially with your 
reputation on that side of the aisle. I'll let you play with 
this one awhile--but the only photo on the pilot's license was 
Wilbur and Orville Wright. It was a national joke and disgrace. 
But the TWIC card, in particular, is still a fiasco.
    Do we have a reader that can read a TWIC card----
    Ms. Vance-Cooks. Yes.
    Mr. Mica. --approved?
    Ms. Vance-Cooks. Yes. And----
    Mr. Mica. How many ports is it deployed to?
    Ms. Vance-Cooks. I will have to check.
    Mr. Mica. Oh, I'm telling you--oh, I could probably count 
them on my fingers and toes.
    Ms. Vance-Cooks. All right.
    Mr. Mica. It's a disgrace. And even if you had a reader, it 
doesn't have the information to verify. Fingerprint can be 
played with. Iris is the most dependable.
    You said, Ms. Carroll, you must be able to verify the 
information with the reader. Right? And the private sector has 
done this. Haven't they?
    Ms. Carroll. Yes, sir.
    Mr. Mica. They produce cards with that kind of information. 
We have security at different facilities, both in the private 
sector and the public sector that can do that. Right?
    Ms. Carroll. Yes, sir.
    Mr. Mica. And you've heard what they've just told us here 
about the fiasco of this. And it's not all her fault. I don't 
want to blame--I give you 70 percent of the credit and 30 
percent of the blame.
    Ms. Vance-Cooks. All right.
    Mr. Mica. Part of it is Congress, and we do need to change 
Title 44. It's got to be changed. Somebody has to be in charge.
    First you get a standard, a basic standard, and the private 
sector has done it over and over. And you have to have 
verifiable information embedded in that card. Period. And then 
you have to have something that can read the damn card. So 
unless you get that in place, we are just--and this is, guys, 
this is a multi-billion dollar fiasco. I yield back.
    Chairman Chaffetz. I thank the gentleman.
    Now recommend Mr. Connolly of Virginia for 5 minutes.
    Mr. Connolly. I thank the chair.
    I really think this hearing seems to be about whether it's 
appropriate to have GPO in this function at all. And I think 
that's a fair question. I do think, Mr. Albers, you overstate 
your case. I hardly think the GPO represents an existential 
threat to the industry. How big is your company?
    Mr. Albers. Our company's about--MorphoTrust is about $650 
million a year.
    Mr. Connolly. Right. And they're talking about $30 million. 
So I suppose you could argue, and maybe if I were rewriting 
your testimony, I might make this argument that what they're 
doing is the camel's nose under the tent. And that is of 
concern because if that grows, if everybody decides we're not 
going to go the competitive RFP route, we're just going to go 
the convenient route and contract directly with GPO, you lose 
out in a lot of business and so does Ms. Carroll. Fair point.
    And let me ask you, Ms. Vance-Cooks, what about the 
argument Mr. Albers and Ms. Carroll essentially put to us which 
is, that you're using, and Federal agencies like State 
Department are using, Title 44 as a loophole from the normal 
FAR process to essentially give you a sole source contract that 
eliminates the possibility of private sector competition and 
quality in that equation?
    Ms. Vance-Cooks. Thank you for the question. Title 44 
basically simply states that we have the authority to make the 
secure credential card because it is, in fact, a printed 
product. And it's a printed product as defined by Title 44. 
However, they are making the assumption that we are forcing the 
Federal agencies to come to us.
    Mr. Connolly. No. No. They didn't make that argument. 
That's really not at all what Mr. Albers was arguing. He 
argued, and so did Ms. Carroll, that in various cases, Federal 
clients of yours used Title 44 to rationalize why they were 
going essentially sole source with GPO instead of putting it 
out to bid.
    Ms. Vance-Cooks. That is because the Federal agencies know 
that they have a choice. They can either go to the commercial 
sector or they can come to us. When they make that decision to 
come to us, they know that they can use a requisition process. 
That requisition process, however, triggers a competitive 
procurement solution, because we, in fact, outsource all of the 
components of that card to the rest of the secure credential 
industry. That creates hundreds of jobs in the community and 
that creates multiple business opportunities.
    Mr. Connolly. Mr. Albers, why given what Ms. Vance-Cooks 
just said, why shouldn't the State Department have that option? 
That's a competitive option. We prefer to go with GPO for 
various and sundry reasons. If I heard your testimony, you 
talked about the value of competition and free market, but in a 
sense what you want to do is eliminate this potential 
competition.
    Mr. Albers. Not at all, Congressman. First of all, I 
apologize for the hyperbole in my testimony. I'll have you know 
that I was a politician at one point. That might be hard to 
believe.
    Mr. Connolly. You poor guy. You know it's very unusual we 
employ hyperbole up here. But all right.
    Mr. Albers. So, there's a big difference, I think, between 
what Ms. Vance-Cooks is saying and what I'm saying. Number one, 
we're a system integrator, as is HID. We look to prime 
contracts with the Federal Government. Not that we don't mind 
subcontracting to organizations like GPO. That's a different 
piece. Okay? So, I'm not complaining about that.
    In my testimony, and by the way, I can put this into the 
record, the State Department responded to us that said: We were 
required to use GPO. And again in my testimony, we never had an 
opportunity to even complain about it. So you know----
    Mr. Connolly. So they used Title 44 as the rationale for 
that?
    Mr. Albers. They did. And they represented the GPO, and I 
don't have firsthand information. So I want to give Director 
Vance-Cooks, you know, a little bit of leeway here. It's been 
represented to me that the GPO marketing folks say: You have to 
use us. So I don't know whether that's true or not. I'm sure 
you probably control that type of communications, but----
    Mr. Connolly. Ms. Vance-Cooks, did you want to respond to 
that?
    Ms. Vance-Cooks. First of all, the GPO does not have sales 
teams. I hear that constantly that we have sales teams and that 
they're going door to door to these agencies forcing them to 
come to us. Nothing could be further from the truth because, 
first of all, we don't have sales teams.
    Number two, it is the client and the agencies who are using 
or stating that we are telling them that. I think all of this 
started back in 2007 when the public printer at that time 
stated in a hearing, that he felt that secure credentials was, 
in fact, something that could be and should be contained in the 
government. I have been in charge of the GPO since 2012. I have 
stated unequivocally, publicly as well as privately, that I 
don't believe that we should be in charge of all of secure 
credentials. In fact, what I have stated and what the evidence 
proves is that it is a choice of the Federal agencies. And I 
think they deserve that choice. And all of the evidence points 
to the fact that we are, in fact, using this as an option.
    Let me give you some examples. Number one, when there is an 
RFP out there for a secure credential, you will not find the 
GPO because we know that the secure credential market compete 
against themselves. We do not compete for State governments or 
local government information. What we do is provide a choice 
for those Federal agencies who want a government-to-government 
solution. And with that government-to-government solution they 
get the benefits, and one of the largest benefits, one of the 
best benefits, is the fact that we don't have shareholder or 
profit margins. The cost is what they get.
    Mr. Connolly. Thank you. My time is up, Mr. Chairman. I 
would ask unanimous consent that the GAO report dated March 10, 
2015, be entered into the report on this subject.
    Chairman Chaffetz. Without objection, so ordered.
    Mr. Connolly. I thank the chair.
    Chairman Chaffetz. Thank you. I will now recognize myself 
for 5 minutes.
    Director, you have an operating budget roughly in the $700 
million range. Correct?
    Ms. Vance-Cooks. Yes, sir.
    Chairman Chaffetz. How much of that money is allocated for 
research and development?
    Ms. Vance-Cooks. The research and development for secure 
credentials comes from our competitive procurement with the 
outside community. We leverage the best of the best----
    Chairman Chaffetz. So how much money do you spend? How many 
people do you have working on research and development?
    Ms. Vance-Cooks. We have a few, less than 5 people, working 
on R&D for the secure credential market if that's what you're 
referring to.
    Chairman Chaffetz. That's what I'm referring to. I'd ask 
unanimous consent to enter into the record a memo sent on 
September 30, 2013. And I want to read part of this. Without 
objection, so ordered.
    Chairman Chaffetz. This is from Daniel Walt. He's the 
departmental competition advocate. I mean, he's the competition 
advocate at the Department of State. And in this email that was 
sent to MorphoTrust, I'm going to read the middle of it, 
``Federal Acquisition Regulation, FAR, subpart 8.8 requires 
Federal agencies to acquire printing services through GPO 
unless GPO cannot provide the services. Therefore, we must use 
GPO for the printing of the passports and the Border Crossing 
Cards rather than re-compete the requirement.''
    Now, that seems to be directly opposite of what you're 
saying. Can you shed some light on this? I mean, you're saying 
you're in favor of competition, but at the same time we have 
the State Department saying we can't compete this. There can be 
no competition. Are they wrong or are they right?
    Ms. Vance-Cooks. I think that if you look at the evidence, 
the State Department doesn't even believe what they wrote. And 
I'll tell you why. Because if----
    Chairman Chaffetz. Believe me, that's not the first time 
that happened.
    Ms. Vance-Cooks. No. What I'm trying to say, Congressman, 
is that if the State Department really believed that they had 
to give all of the secure credential work to the GPO, then we 
would be doing it. Since that document was written by the 
competitive advocate, I can assure you that the GPO over here 
produces the passports and we produce the Border Crossing Card, 
but MorphoTrust handles the personalization of the Border 
Crossing Card. HID handles the Green Card. My point is that 
people make that statement, but let's look at the facts. And 
the facts point to the fact that, that business is spread 
across all of the commercial carriers. Not all of that business 
is with us. I think they say it, but it's not the practice.
    Chairman Chaffetz. And so your opinion of Title 44, in your 
opinion, you viewpoint here, that it's really up to the 
agencies to make that determination. That's the first step, 
whether or not they're going to compete for it or they're going 
to give it to GPO. Correct?
    Ms. Vance-Cooks. That is the way it's happening. Yes, sir. 
It is a choice.
    Chairman Chaffetz. And, but it's their choice. You don't 
believe it's mandated under the law that they have to use GPO?
    Ms. Vance-Cooks. It's not practical.
    Chairman Chaffetz. I know, but be specific here. This is a 
critical point.
    Ms. Vance-Cooks. Yes. Yes.
    Chairman Chaffetz. Is that, your opinion, under the law, do 
they have to use you under Title 44?
    Ms. Vance-Cooks. Under the law they are allowed the choice 
of coming to us. We are limited in our capacity to handle all 
of the work----
    Chairman Chaffetz. Okay.
    Ms. Vance-Cooks. --that would be coming through.
    Chairman Chaffetz. My time's short. And I think you were 
very succinct in that answer. I appreciate it.
    When you say you have no sales force, you do have a bit of 
a monopoly if you convince somebody to have them come to you. 
Do you have people that go out to the agencies and say: This is 
what you should be doing, or this is what we recommend, or this 
is what you can do? I mean, that in part is a sales force. 
Correct?
    Ms. Vance-Cooks. No. That in part is an account management. 
We have an account management group, and they're responsible 
for taking care of the clients that we currently have. What we 
have been hearing is that we have been accused of having 
salespeople who go out and tell people, you must come to us. 
That is not true. That is a fabrication.
    I'd like to also, if I have some time, to go back to the 
R&D question. I want to make sure that this committee realizes 
that the GPO is in the business of outsourcing all of its 
requirements. And when we outsource our requirements, that 
means that we leverage the best technology across the world, 
across the United States, and we do not have proprietary 
interests in one versus the other. That is to the benefit of 
the stakeholder. That is to the benefit of the taxpayer.
    Chairman Chaffetz. My time's expired, and I'll yield back. 
And now recognize the gentleman from California, Mr. Lieu, for 
5 minutes.
    Mr. Lieu. Thank you, Mr. Chairman.
    I personally don't have a problem with the U.S. Government 
Publishing Office, publishing U.S. Government documents and 
credentials. And this is an issue that both Democrats and 
Republicans in Congress have reaffirmed.
    So Director Vance-Cooks, let me ask you a few questions. 
The GPO was authorized by Congress to print passports in 1926. 
Is that correct?
    Ms. Vance-Cooks. Yes, sir.
    Mr. Lieu. Okay. And then around 2005 the GPO began 
producing passports with more advanced technology at the 
request of the State Department. Is that correct?
    Ms. Vance-Cooks. Yes, sir.
    Mr. Lieu. And so specifically you began to print passports 
with embedded RFID chips. Correct?
    Ms. Vance-Cooks. Yes, sir.
    Mr. Lieu. And then Congress has continued to authorize GPO 
to print passports with these chips. Correct?
    Ms. Vance-Cooks. Yes, sir.
    Mr. Lieu. All right. And during the GPO's strategic 
planning, in fact, Congress weighed in to authorize GPO to 
expand its services and provide secure identification cards for 
the Department of Homeland Security and the Social Security 
Administration in 2007 and again in 2012. Is that correct?
    Ms. Vance-Cooks. Yes, sir.
    Mr. Lieu. Okay. Then let me just ask you this question, 
because the chairman did raise a good point. I just want to 
understand. Does the GPO or Congress force agencies to print 
with the GPO?
    Ms. Vance-Cooks. No, sir.
    Mr. Lieu. Okay. So now I have sort of a different question. 
It's more for the entire panel.
    RFID technology can be read at a distance. Right? You got 
these readers that can read this. And that means not only can 
government read these cards at a distance, but so can criminals 
and other folks. So I'm just sort of curious what kind of 
precaution should people who have these cards take so that 
these cards aren't read at a distance by, let's say, a 
criminal?
    I've gone to department stores where they sell these 
wallets that say, you buy this wallet and you can stop your 
RFID chip from being read at a distance. Do people need to buy 
those wallets? Are these wallets a gimmick? Can you sort of 
tell me there are security issues going on with that?
    Mr. Albers. So we build in a number of security protections 
for what we call personal identifiable information. Mr. Mica 
was talking about that.
    In the case of the passport card, there is a pointer to 
your file that only the CPB would have. So there is no personal 
identifiable information on that chip. It's only a pointer to 
your file. So when you're approaching the border with that 
card, the CPB officer can pull up your file and know that 
you're the person that's supposed to be there. So there really 
is no security threat in that application.
    You mentioned the protection from the RFID chip. The BCC 
and the passport card come with a little sleeve actually, so--
but that's a passive chip. So there is no radiation, there's 
nothing coming out of that chip. You can't turn it on or off. 
It's just there, you know, like your EZ Pass. I mean, it's 
there and it's read when you go through.
    Mr. Lieu. Okay. Thank you.
    Ms. Carroll. I'd like to add that not all RFID technology 
can be read from a distance. So, for example, in your U.S. 
passport, that cannot be read from a distance. You have to be 
in the same plane and within just a few inches of a reader. But 
the shot there is, is that the U.S. passport has a chip in it. 
It is not being read. The electronics in that document are not 
being read. Only the optical part or portion of it is. So the 
U.S. taxpayer is paying lots of money for a passport with a 
chip in it. It's not making them any more secure because that 
chip is not being read at the border.
    Mr. Lieu. What's the chip for if it's not----
    Ms. Carroll. It's an ICAO standard. The chip is in the U.S. 
passport and 27 of the Visa-waiver countries as well to make 
the document more secure. But the chip is highly resistant to 
counterfeiting. And so that's why they did that.
    Ms. Vance-Cooks. But it does meet the ICAO standards, and 
that is the most critical component.
    Mr. Lieu. Thank you. I yield back.
    Chairman Chaffetz. Thank the gentleman.
    I now recognize the gentleman from North Carolina, Mr. 
Meadows, for 5 minutes.
    Mr. Meadows. Thank you, Mr. Chairman. Thank each of you for 
your testimony.
    Director, I understand you're saying that you've got five 
R&D. The chairman was asking you. You have five R&D people that 
are working on the integration. Is that correct?
    Ms. Vance-Cooks. We actually have a secure innovation 
credential center. And it's a group of individuals who are 
responsible for looking at counterfeiting technologies and 
testing. But they work very closely with the private sector for 
that. And I think it's a great question because I want to 
emphasize again we're closely tied to the private sector for 
all of that. We even work with the Department of Homeland 
Security for all the fraudulent testing in the labs.
    Mr. Meadows. All right. So let me follow up. Mr. Albers, 
let me maybe come to you and ask you to give an opinion on 
that. Because one of the concerns I have is when we look at 
integration, you can take wonderful pieces of technology, and 
as you try to integrate them and make them practical and 
noteworthy, it doesn't produce the end result. So would you 
comment on what you're hearing. Is that an effective way or----
    Mr. Albers. So I have no personal information that GPO 
isn't an adequate systems integrator. Okay? My comment before 
about systems integration is that, it's a much different task 
than, you know, being a prime contractor. We want the 
opportunity and I think HID does, too, to be a prime 
contractor, to be a systems integrator. So the fact that the 
GPO----
    Mr. Meadows. Well, let me rephrase it. What kind of issues 
can arise from an integration standpoint that would make it 
less secure?
    Mr. Albers. Last word? I'm sorry.
    Mr. Meadows. Less secure.
    Mr. Albers. So, I mean, just like the GPO, any system 
integrator goes out to look at third party, and we have a 
complete supply chain management system, and we pick the best 
of the best. So when we work with a customer on requirements, 
for example, for the passport card, we look to build in 
security features such as watermarks, such as chips themselves. 
We outsource all that stuff. And our supply chain management 
manages all that stuff. There is risk in all that part of the 
process.
    Mr. Meadows. Sure.
    Mr. Albers. So the system integrator manages that process. 
So, you know, Lockheed and Northrop and all the other ones in 
town, they do the same thing. I'm not sure I'm answering your 
question, though.
    Mr. Meadows. All right.
    Ms. Vance-Cooks. I'd like to respond a little bit. He's 
absolutely correct, it's an ecosystem. But let's look at the 
trusted traveler program cards, which is what we produce as a 
printer and a card integrator. One of the ways to determine 
that we are doing a good job is the read rate, and the read 
rate for that particular card is between 80 and 90 percent.
    So there are different metrics that you can use to choose 
whether or not your product is doing exactly what it's supposed 
to and whether or not it is meeting the specs.
    Mr. Meadows. And I agree with that, so--but let me ask you 
that from a matrix, how do you--with GPO, how do compare to the 
private sector in terms of read rates and all that? I mean, do 
you compare that kind of data to see how effective you are?
    Ms. Vance-Cooks. We are very----
    Mr. Meadows. I see somebody behind you is nodding yes.
    Ms. Vance-Cooks. Yes. I know, I know. They're--we're proud.
    Mr. Meadows. Okay.
    Ms. Vance-Cooks. We're proud. We have data to prove that 
our read rates for our cards are very, very good.
    Mr. Meadows. All right. So let me in the time I have 
remaining, let's talk about Title 44, and it sounds like that 
there is maybe some ambiguity in terms of the requirement.
    Director, are you willing to send out a letter to all the 
agencies that says that they're not required to use you for 
their printing? To fix this ambiguity, because that's what you 
were saying, is that it is not really a requirement, but indeed 
some of the testimony has said that the State Department in 
particular believes that it is a requirement. So are you 
willing to correct the record, I guess, coming from, you know, 
your position?
    Ms. Vance-Cooks. What I'm willing to do is what I've always 
been doing up to this point, which is to let everyone know that 
it is a choice and we respect them.
    Mr. Meadows. So yes or no, would you be willing to send out 
something to the agencies that said they're not required to use 
GPO for their--so you are willing to do that?
    Ms. Vance-Cooks. I am willing to send a letter to say that 
it is a choice, because that is the way it has always been.
    Mr. Meadows. Okay.
    Ms. Vance-Cooks. Okay.
    Mr. Meadows. And so----
    Ms. Vance-Cooks. It is a practical business----
    Mr. Meadows. So do you think the ambiguity that is out 
there is just someone that happens to misunderstand Title 44 or 
is it inherent in Title 44?
    Ms. Vance-Cooks. I think that the Title 44 specifically 
states, that all printing must come to the GPO. What I am 
trying to say, and I think I'm being very articulate about it--
--
    Mr. Meadows. You are very articulate, by the way.
    Ms. Vance-Cooks. Thank you very much. I appreciate it.
    What I am saying, though, is that in practical application 
and in true business sense, what's really happening, sir, is 
that it is a choice. Not everyone even comes to the GPO for 
printing.
    Mr. Meadows. Okay. In the 6 seconds that I have left, let 
me finish with this, is I would ask that you try to clear up 
some of the ambiguity. Understand that I don't want you 
subsidizing and competing with the private sector, nor do I 
want the private sector coming in and taking over if you can do 
it more effectively, I'll be your advocate on that. As a 
business guy, I want to be----
    The other thing, it's a pebble in my shoe when you have law 
enforcement officers sitting in cars outside your office, it 
doesn't give the impression of efficiency. I don't understand 
why the printing office would have their own fleet of law 
enforcement cars. So if you would address that, I'll be happy--
--
    Ms. Vance-Cooks. You're not--excuse me. You----
    Mr. Meadows. I walk by them all the time.
    Ms. Vance-Cooks. No, no. I know you do.
    Mr. Meadows. And he's not sleeping half the time, so that's 
good.
    Ms. Vance-Cooks. Half the time? He better not be----
    Mr. Meadows. No. I'm kidding.
    Ms. Vance-Cooks. --sleeping at all. No. Would you believe 
it's in Title 44 that we must have our own police force?
    Mr. Meadows. Well, we may need, Mr. Chairman, to look at 
changing Title 44. I'll yield back.
    Ms. Vance-Cooks. All right.
    Chairman Chaffetz. I thank the gentleman.
    I now recognize the gentleman from Georgia, Mr. Carter, for 
5 minutes.
    Mr. Carter. Thank you, Mr. Chairman. And thank all of you 
for being here. We appreciate your participation.
    Ms. Vance-Cooks, I want to ask you, it's my understanding 
that GPO produces the TWIC cards for DHS and for TSA. Is that 
correct?
    Ms. Vance-Cooks. Yes.
    Mr. Carter. I have two ports in my district, the port of 
Savannah, Georgia, and the port of Brunswick, Georgia, and of 
course they utilize the TWIC cards, and it's my understanding 
that they reported significant delays in both the renewal and 
the initial application. And I'm just wondering, is there a 
problem here? Is there a problem with producing the cards?
    Ms. Vance-Cooks. Are you referring to a recent statement? 
Because when we took over several months ago, we had a backlog. 
Now, let me be clear. We just took over that business, and that 
was, I believe, in June, May, or June of 2014. And when we took 
over that book of business, we had a backlog that we had to 
clear up. It is my understanding, sir, and I need to check, 
that things have been going very well since then----
    Mr. Carter. Okay. Well----
    Ms. Vance-Cooks. --but prior to that, they did have 
significant backlogs, but that was with another carrier.
    Mr. Carter. Well, it's my understanding that they've had a 
backlog and that----
    Ms. Vance-Cooks. Yes.
    Mr. Carter. --there are problems.
    Ms. Vance-Cooks. Right.
    Mr. Carter. So if you could check into that----
    Ms. Vance-Cooks. I will.
    Mr. Carter. --I would sincerely appreciate it----
    Ms. Vance-Cooks. Sure.
    Mr. Carter. --because this, of course, is commerce and this 
is a problem, a big problem in our district, so----
    Ms. Vance-Cooks. Sure. I'll be happy to do that, but I want 
to be clear that we did inherent the backlog back in June, but 
we made good efforts to reduce that backlog. And I know this 
for a fact, because I was heavily involved in it.
    Mr. Carter. Okay. Can you describe some of those efforts 
to----
    Ms. Vance-Cooks. Sure. When we began to launch, we ran into 
a problem with the speed rate of the information coming across. 
And this is a really good example of how well we work with the 
private sector, because we worked with GDIT on this. And GDIT 
put all of their best people on it, innovation, creativity, 
they worked diligently for weeks to make sure that they could 
correct that speed rate. So I'll check on that for you.
    Mr. Carter. Okay. Well, I appreciate that very much.
    Can you tell me, when you get the requests for the TWIC's 
cards, is it just through some kind of agency form, or I mean, 
how do you--how does that happen?
    Ms. Vance-Cooks. Right. It's called a requisition form, a 
standard Form 1 for printing and binding requisition, and this 
requisition form recognizes that a secure credential is a 
printed product, so it has a lot of questions on there about 
the pre-press work and all of the specific requirements that 
are attached to it. And then there is an MOU attached to it.
    Once we get that requisition form, then we issue--or it is 
triggering a competitive procurement across the entire secure 
credential industry for all of the components and the products 
to make that credential.
    Mr. Carter. Okay. So when DHS or when TSA orders these 
cards, do you have any oversight over it? Do you----
    Ms. Vance-Cooks. Yes. We have complete oversight over it, 
as well as the agency.
    Mr. Carter. Okay.
    Ms. Vance. The agency works with us 100 percent of the 
time.
    Mr. Carter. If they order more cards than they need, do you 
send them?
    Ms. Vance-Cooks. They give us the order about what they 
need, and then we respond. We only produce what they tell us to 
produce.
    Mr. Carter. But do you have any oversight about whether 
they are ordering the number of cards that they need? I'm 
concerned about the security here.
    Ms. Vance. I would----
    Mr. Carter. If there are excess cards being generated.
    Ms. Vance-Cooks. Okay. They give us an order for X number 
of cards, we produce them. They have their own oversight where 
they are responsible for those cards once we deliver it to 
them, and that's the point.
    Mr. Carter. Okay. So you're just following the order. If it 
says, give me 100 cards, you're sending 100 cards?
    Ms. Vance-Cooks. That is correct.
    Mr. Carter. No oversight on that whatsoever, no security 
clearance?
    Ms. Vance-Cooks. No, no, no, no. The oversight is on the 
production of the cards and taking care of those cards from the 
moment that we create them to the moment that we transport them 
to the facility of TWIC. Once TWIC takes ownership, that is 
their problem.
    Mr. Carter. Okay. Okay. So if there are excess cards that 
have been generated, it's not your fault, you're just filling 
the order?
    Ms. Vance-Cooks. If there are excess cards, it's on their 
end, sir.
    Mr. Carter. Okay. Well, getting back to the delays that 
they've experienced, tell me about the FAR, what's referred to 
as the FAR procedures. Do you implement those, do you utilize 
those procedures?
    Ms. Vance-Cooks. We follow the MMAR, and the MMAR closely 
mirrors the FAR, in fact, it's almost like the FAR, but it 
closely models it.
    Mr. Carter. Why would you choose one over the other?
    Ms. Vance-Cooks. Because we're a legislative branch agency 
and we don't follow the FAR. It's written in law. So once----
    Mr. Carter. It's written in law that you're not to follow 
the FAR?
    Ms. Vance-Cooks. Section 8.8 exempts printing from the FAR, 
therefore, the MMAR was developed to closely mirror and model 
the FAR.
    Mr. Carter. Okay. But we still had the backlog. If you can 
please check into that, I would appreciate it very much.
    Ms. Vance-Cooks. Absolutely.
    Mr. Carter. We need to know. This is very important.
    Ms. Vance-Cooks. Sure.
    Mr. Carter. Thank you. And I yield back, Mr. Chairman.
    Ms. Vance-Cooks. Thank you, sir.
    Chairman Chaffetz. I thank the gentleman.
    I now recognize the gentleman from North Carolina, Mr. 
Walker, for 5 minutes.
    Mr. Walker. Thank you Mr. Chairman. I apologize for my 
tardiness, coming from a markup from another committee hearing, 
but I did have a couple of things I wanted to address. First of 
all, let me thank you for the hospitality and all your staff 
there, Andy, Mike, Steve, and the guys, helping me understand a 
little bit of the process over there and what you guys are 
working on.
    My question is, in your statement, and you may have covered 
this, but I wanted to make sure that I'm clear on it, you say 
Federal agencies approach GPO, asking your agency to do work 
for them. I think we talked about that a little bit yesterday. 
Are you saying that the GPO itself does not reach out to 
Federal agencies to sell, ``their products and services GPO 
wants to produce?'' Can you expound on that for a little bit?
    Ms. Vance-Cooks. Certainly. Two points. The first point is 
that we do not have a sales team. Everyone keeps saying that we 
have a sales team. We don't have one. That's number one.
    I think people also should understand that the customers 
that we have for secure credentials are the same ones that we 
have for printing. They understand our function, they 
understand our capabilities, so they know that we can produce 
secure credentials.
    Mr. Walker. Okay. Do you have people who market your 
services in competition with the private sector companies?
    Ms. Vance-Cooks. No.
    Mr. Walker. You don't have salespeople, but would you say 
you have----
    Ms. Vance-Cooks. We do not have sales teams, we do not have 
marketers. We have people who can respond to inquiries if an 
agency contacts us. It is not unusual for an agency to contact 
us. And as you and I talked about yesterday when you visited, 
and thank you again for visiting us.
    The question is not whether or not GPO can respond, the 
question is what makes an agency decide that they should come 
and talk to us about secure credentials, because as you and I 
talked yesterday, it takes a lot of effort, a lot of resources, 
and a lot of time for an agency to make a change in a 
commercial carrier that they currently have. Why do they go to 
that trouble? Is there a problem with the product quality? Is 
there a problem with the read rate? What is pushing them to 
talk to the GPO?
    Because we have the consultant expertise, we can help them 
with that solution, but we do not tell them, you must come to 
us. But I have to say that in the 8 years that we have been 
producing secure credentials, not one of those clients has left 
us. We do very good work.
    Mr. Walker. Can you go a little deeper and maybe explain 
how you engage in these business development activities just 
for the record that we would understand how this breaks out, 
how it flows, and how you keep these for 8 years?
    Ms. Vance-Cooks. Well, let's say that a--let's start at the 
beginning. If an agency is having a problem with a carrier and 
let's say they're having a problem with the read rate, they 
currently do business with us anyway through printing, they'll 
talk to us about it, they'll ask us, can you do better, and 
we'll ask them, what is it that you're looking for. Sometimes 
they'll even ask us for a prototype. We can produce a 
prototype. And if that prototype works, they now have further 
discussions with us.
    There is constant conversation back and forth about their 
requirements, about their specifications, and we can provide 
it, but as I explained to you yesterday, the way in which we 
provide service to the client is by outsourcing all of that. I 
want to be clear that we're using the R&D and the innovation 
that the rest of the secure credential industry has, bringing 
it all together as an integrator into the GPO. And as you had 
said, Mr. Albers, we're an integrator, that's what we do.
    Mr. Walker. So final question. So basically you're making a 
case, and I don't want to put words in your mouth, that you 
compete on a level playing field with the private sector 
through the Federal requisition regulations, or FAR. Is that a 
fair statement, or would you like to expound on it?
    Ms. Vance-Cooks. The fair statement is that we 
competitively procure the products and services that we need 
from the private sector to build the best card that we can. It 
is competitive, it is a procurement, and it satisfies the 
stakeholders at a low rate, a very low price, because, again, 
we can only charge actual cost.
    Mr. Walker. Thank you, Ms. Vance-Cooks. I yield back.
    Ms. Vance-Cooks. Thank you, sir.
    Chairman Chaffetz. Thank you. I appreciate that.
    We'll now recognize the gentleman from Georgia, Mr. Hice, 
for 5 minutes.
    Mr. Hice. Thank you, Mr. Chairman.
    Mr. Albers, let me begin with you. In your opinion, how 
open and transparent would you say the requisition process is 
at GPO when it comes to these credential cards as it relates to 
FAR, which you have to abide by?
    Mr. Albers. I would say the answer is not open and 
transparent at all. I mean, our personal experience is that we 
don't compete as a system integrator with GPO, we're not 
allowed to. The agency decides to go to GPO, that's fine, or 
they decide to go to the private sector. If they go to the 
private sector, typically they have an RFI, they have an RFP, 
they have industry days, we have an opportunity to bid on those 
programs, those contracts, we compete with one another, and 
that drives down the cost.
    Mr. Hice. So you're saying once it goes to GPO, that 
private vendors no longer are allowed to compete at all?
    Mr. Albers. Not as a system integrator. No.
    Mr. Hice. Okay.
    Mr. Albers. As the director said, GPO uses industry, 
including some of us, to supply them as a subcontractor.
    Mr. Hice. And would you agree, too, that in that process, 
that if it goes to GPO as opposed to private vendors, the lack 
of innovation, competition, and a host of other factors go out 
the door as well?
    Mr. Albers. Well, absolutely. I mean, we don't get an 
opportunity to compete with one another. So GPO, and I'm sure 
has the best interest of the taxpayer at heart, but, you know, 
we're capitalists, so we have to get to where we need to be to 
be competitive.
    Mr. Hice. Okay. Director, how did GPO end up producing the 
border crossing cards from the State Department, the 
requisition process?
    Ms. Vance-Cooks. The State Department expressed some 
concern about problems they were having with the card. And it 
goes back to my earlier statement. What causes an agency to 
come to us, to talk to us, about their card, because it's a lot 
of work, it's a lot of issues. And they asked us to make a 
prototype, and we did. That prototype works very well. And then 
they asked us to perform some other things, and that's how it 
started.
    But let me just say something else. Mr. Albers talked about 
the lack of innovation. Because of the fact that the GPO 
procures, through a competitive process, all of the components, 
the service, the consultation, fabrication, materials to create 
the product, it means that we are leveraging the best of the 
best innovation and R&D throughout the industry.
    Mr. Hice. Well, I would think that would be fair to say 
that that's your opinion, but other private vendors out there 
don't have that same opinion, because they're not allow to even 
be a part of the process.
    How did you arrive at a card price for the BCCs?
    Ms. Vance-Cooks. There are four components to our price: 
labor, overhead, capital investment, and materials. And we are 
only allowed to charge those four components.
    Mr. Hice. And what was the cost?
    Ms. Vance-Cooks. For the border crossing card, I think it's 
about 14--6.01 I'm sorry, it's 6.01.
    Mr. Hice. Okay. Just out of curiosity, Ms. Carroll, Mr. 
Albers, did either of your groups have a price in mind? I mean, 
were you all able to go through the process and come up with a 
price that may have been different from GPO?
    Mr. Albers. So actually before Kathleen answers, we did not 
have an opportunity. As you probably know under the FAR, there 
is something called a cure notice. So if there is an issue, you 
get an opportunity to cure, and we were not given that 
opportunity. So----
    Mr. Hice. So you don't know what it would have cost you to 
produce the cards?
    Mr. Albers. Oh, we know now. I mean, we continue to produce 
the border--excuse me, the passport card, and we just bid on 
the Green Card versus----
    Mr. Hice. And what was the difference in your price and 
GPO's?
    Ms. Carroll. So we bid on the U.S. Green Card. That Green 
Card has significant enhancements and security features, it has 
two holograms, it has a window in it with stars, it has tons of 
security features, in addition to our read rates for the RFID 
is around 98 percent. Okay.
    Mr. Hice. Compared to?
    Ms. Carroll. Compared to 80 to 90 percent. Okay. Now, do 
you know how much we charge for the Green Card? $2 and--$2 and 
50 cents. Sorry.
    Mr. Albers. We bid $2.99, by the way, so----
    Ms. Carroll. Yeah.
    Mr. Hice. So----
    Mr. Albers. I know this very well.
    Mr. Hice. --more or less 65 percent savings----
    Ms. Carroll. Yes.
    Mr. Hice. --per card?
    Ms. Carroll. Yes.
    Mr. Hice. But you never had the opportunity to be part of 
the process?
    Mr. Albers. That's the Green Card.
    Ms. Carroll. No. With a Green Card, we did. We won that 
one. We did that one.
    Mr. Hice. Okay. But is it similar?
    Ms. Carroll. Same kind of card--or this one is better.
    Mr. Hice. So the costs should be in the ballpark----
    Ms. Carroll. It should.
    Mr. Hice. --of savings?
    Ms. Carroll. Yes.
    Mr. Hice. Okay. And also with less problems?
    Ms. Carroll. Absolutely.
    Mr. Hice. Okay. Director, I know the time's going away, but 
it's our understanding that there were some problems. What 
happens when a card is not reading properly? Is there the 
ability to rebuild a card, reissue it, or do they have to be 
destroyed if a card is not reading properly?
    Ms. Vance-Cooks. Well, if a card is not reading properly, 
then those cards are returned to us.
    Mr. Hice. And what do you do with them?
    Ms. Vance-Cooks. And then we determine what the problem is. 
And in some cases, we would destroy them.
    But let me go back to what they just said. I want to make 
sure----
    Mr. Hice. No. We've gone through that----
    Ms. Vance-Cooks. Okay.
    Mr. Hice. Do you have quality assurance----
    Ms. Vance-Cooks. Yes.
    Mr. Hice. --before you send cards out?
    Ms. Vance-Cooks. Yes, sir.
    Mr. Hice. Okay. And you all do, too? Difference between the 
quality assurance? I'm curious, and I know my time's expired, 
so however you want to handle it.
    Chairman Chaffetz. If you could help us to get back to 
understand the process that you go through, I'd appreciate it. 
It would take some time, I'm sure, to explain it, so if you 
could provide that to us, that would be great.
    Chairman Chaffetz. I now recognize the gentlewoman from 
Wyoming, Mrs. Lummis, for 5 minutes.
    Mrs. Lummis. Thank you, Mr. Chairman. And I want to thank 
our panel for being here today.
    My first question is for the inspector general. As a result 
of your audits, what problems have you found with GPO's 
contracting processes, and what do you recommend to improve 
them?
    Mr. Raponi. We've done quite a bit of work with 
contracting. One of the contracts that we did review was with 
the passport eCovers. And as we went through that process to 
see if GPO followed its own practices, we found that there were 
several problems with that internally in terms of approval 
processes, having boards review things. We found problems with 
testing, inconsistency in, you know, determining what a test 
result meant.
    We also found that there were problems with the roles and 
responsibilities. When the contracting process requires a board 
to review the proposals, we found that, you know, maybe one 
person was doing it as opposed to a board, in which we would 
have seen a board review it, we would have said, okay, because 
you had a lot of people having input into making a decision 
versus one person. We had allegations of steering of contract 
also, so we looked at that, and we didn't find a problem with 
that either.
    Mrs. Lummis. Have the problems that you did identify been 
cured by the agency?
    Mr. Raponi. Acquisitions right now at GPO still has quite a 
few open recommendations.
    Mrs. Lummis. And is there a procedure by which you follow 
up with the agency to close those open issues?
    Mr. Raponi. Yeah. Our procedure is, as we produce an audit 
report and management either agrees or disagrees with the 
recommendation, then that goes on our books in terms of open 
recommendations as being unresolved. And as management works 
through the process of corrective action, they would send us 
proof that they took corrective action, and then we would 
verify it and then we would close the recommendation.
    Mrs. Lummis. Okay. So there are still areas of open 
recommendations, because the agency has not gotten back to you. 
Is that correct?
    Mr. Raponi. Yeah. Overall, GPO's very responsive to our 
recommendations. Their chief of staff heads it up. They monitor 
it closely, they put it into performance standards so that 
senior managers are held accountable for recommendations, talk 
about it frequently. They have very few open recommendations 
right now compared to other organizations, because they do 
actively manage it.
    Mrs. Lummis. Okay. Thank you.
    Director, I have a couple questions for you. And this is 
not my area of expertise. I've done requests for proposals as 
an agency head in State government, so I know the challenges. 
But I've never done them for secure cards, so I have some 
questions related to that. Where do the chips and component 
parts of the secure credentials come from, and how are they 
obtained?
    Ms. Vance-Cooks. Okay. The secure chips, the materials, the 
supplies, the fabrication, consultation, design, all of those 
components come from the private sector. And it depends 
entirely on what the specifications are for that particular 
agency.
    Mrs. Lummis. Okay. Do some of those component parts come 
from locations abroad?
    Ms. Vance-Cooks. Most of them come from America. Because we 
are in the MMAR, we follow the Buy American Act.
    Mrs. Lummis. Are there, though, some that come from abroad?
    Ms. Vance-Cooks. I would say there are probably some.
    Mrs. Lummis. And how do you vet a foreign provider?
    Ms. Vance-Cooks. We have a supply--we have an intense audit 
process for our vendors, but, again, most of them are coming 
from the United States and they all go through the same audit 
process.
    These vendors have to prove to us that they have the best 
technology and the best components that can be used in the 
credentials, and we follow them throughout the entire cycle as 
well. We also visit their factories, too, considerable onsite 
visits.
    Mrs. Lummis. So tell me how you can be assured and assure 
us that components are not compromised?
    Ms. Vance-Cooks. Because of the audit process and the 
testing process. We also have a tight relationship with the 
Department of Homeland Security ICE program, whereby they test 
all of these products for us. They make sure that these 
technologies are exacting up to the standards and we have 
appropriate testing for them. And that's a great question. I'd 
love to respond to that in writing as well to give you some 
assurance.
    Mrs. Lummis. I would love to see your response in writing.
    Ms. Vance-Cooks. Thank you.
    Mrs. Lummis. Thank you, Mr. Chairman. I yield back.
    Mr. Connolly. Mr. Chairman, just a clarification.
    It's perfectly fair to ask Ms. Vance-Cooks about foreign 
production and security of components. The private sector also 
uses foreign vendors----
    Ms. Vance-Cooks. Yes, they do.
    Mr. Connolly. --and the same question would apply to them.
    Mrs. Lummis. Uh-huh.
    Mr. Connolly. Thank you.
    Chairman Chaffetz. I now recognize the gentleman----
    Mrs. Lummis. If my time hadn't expired, maybe I would have 
gone there.
    Chairman Chaffetz. We'll now recognize the gentleman from 
Wisconsin for 5 minutes.
    Mr. Grothman. Yeah. I'll give another question to the 
director. You've got these global entry cards. Okay? And maybe 
I just don't understand this. It seems to me they're only--if I 
cross the border, I'd have a passport. Could you explain to me 
what the upside of these cards is or what their purpose is?
    Ms. Vance-Cooks. Well, we have the Nexus, the Sentry, and 
the Global Entry cards. I believe the Global Entry cards are 
for expedited movement through the system. The Nexus cards are 
for those people going to Canada, and the Sentry cards are for 
those people going to Mexico. And so the State Department has 
just identified--or excuse me--CBNP, that there are these 
different cards that you can use.
    Mr. Grothman. Okay. If I have a passport, I can't get to 
Mexico or Canada? Doesn't that trump everything?
    Ms. Vance-Cooks. Well, I think a passport trumps 
everything, yes. This is just for those particular people who 
might want to use that card.
    Mr. Grothman. Okay. And what is that, where they have a 
reader or something? You just----
    Ms. Vance-Cooks. There are readers for all of those cards, 
sir.
    Mr. Grothman. Okay. So in other words, if I have a 
passport, I might want a Global Entry card just because it 
means I can----
    Ms. Vance-Cooks. Well, I mean, you can go across the border 
and you can flash the card, it goes to the reader. I think Mr. 
Albers identified the fact that there's a secure identification 
code that hits the reader and you can just have expedited 
processing through. With a passport, though, as you know, you 
have to go right in front of the reader.
    Mr. Grothman. Okay. How many Global Entry cards a year do 
you guys produce?
    Ms. Vance-Cooks. I don't know the one, just the Global 
Entry, I just know that for the entire program up to this 
point, we've done about 5 million since inception. I can give 
you the specifics for each one for the record.
    Mr. Grothman. Okay. You have another card, a District of 
Columbia identification.
    Ms. Vance-Cooks. It's the DC One card.
    Mr. Grothman. Yeah. What's the purpose of that?
    Ms. Vance-Cooks. I believe it's just for the people to use 
to get on the bus.
    Is that what it's used for?
    Schools, buses.
    Mr. Grothman. How did you guys get involved in that?
    Ms. Vance-Cooks. They asked us if we would produce the 
card. And it only costs--it doesn't cost that much. It's a very 
low program card.
    Mr. Grothman. Okay. So you kind of contract yourself out to 
local units of government?
    Ms. Vance-Cooks. No. It's just that we are allowed to 
provide printing to the D.C. Government, but no other local 
government.
    Mr. Grothman. Okay. Now, there's a cost variance between 
the DHS trusted traveler program card----
    Ms. Vance-Cooks. Uh-huh.
    Mr. Grothman. --and the border crossing card. How--like, 
there's a more than two-to-one difference in price. How does 
that happen?
    Ms. Vance-Cooks. Well, it's happens because they're 
different cards for different processes. Now, remember, when 
you have those different cards, each agency is responsible for 
working with us to identify the specifications for that card, 
and we look at each component, and they might tell us they want 
holograms or they might want a different type of secure 
credential feature. And so one card may be more expensive than 
the other depending upon what the agency wants, and so what we 
can do is just give them the appropriate pricing for that. They 
make those decisions, we do not.
    Mr. Grothman. Okay. And just to digress, you said about 5 
million?
    Ms. Vance-Cooks. Year to date with the trusted traveler 
cards, but you've asked me specifically for how many are in 
Global Entry----
    Mr. Grothman. Yes.
    Ms. Vance-Cooks. --and how many are Nexus. I have to go 
back and get that information for you and send it to you.
    Mr. Grothman. Total combined is 5 million?
    Ms. Vance-Cooks. Yes, sir.
    Mr. Grothman. This year so far alone?
    Ms. Vance-Cooks. Since 2008, it's 5 million.
    He wants to know how many this year.
    One and a half million this year.
    Mr. Grothman. Okay. And how long do these things last?
    Ms. Vance-Cooks. Ten years.
    Mr. Grothman. Okay. So you figure if we're already at one 
and a half million this year, maybe 2 million a year?
    Ms. Vance-Cooks. Maybe.
    Mr. Grothman. So in a period of 10 years, 20 million?
    Ms. Vance-Cooks. It might.
    Mr. Grothman. Okay.
    Okay. Thanks. I yield the remainder of my time.
    Chairman Chaffetz. If the gentleman will yield before he--
let's go back to Global Entry. You've been a great witness, but 
I think you overstepped on the Global Entry.
    Ms. Vance-Cooks. I did.
    Chairman Chaffetz. Global Entry is worthless. There's not a 
single thing that that card does. Now, if I'm wrong, tell me. 
Anybody on this panel knows what the Global Entry card, that is 
issued does, tell me. And there's not a single reader, because 
it doesn't do anything. Am I wrong on that?
    The Global Entry program, but--it requires a passport, but 
when I got my Global Entry card, I tried to use it, and they 
just laughed, they just, like--I said, well, what's this for, 
and they said, well, nothing. It's sort of like my Wendy's, you 
know, get a free burger after you do ten trips, you know----
    Ms. Vance-Cooks. Okay.
    Chairman Chaffetz. --get a frosty----
    Ms. Vance-Cooks. You're asking me----
    Chairman Chaffetz. --but I don't even get a frosty, so----
    Ms. Vance-Cooks. All right. Well, I'm sorry you didn't get 
a frosty.
    Chairman Chaffetz. Yes.
    Ms. Vance-Cooks. Okay. But you're asking me about the 
purpose of the card, which is, in fact, the agency's response. 
If you're asking me what does that card do and how good is it, 
we are responsible for producing the card according to the 
specifications that the agency has identified. That is what we 
do. Now, if you are concerned about what their use is or 
anything like that, I can't explain.
    Chairman Chaffetz. Just a word of caution. Again, I think 
you've been an excellent witness, I've got more confidence in 
you and the agency based on your testimony today in general, 
but----
    Ms. Vance-Cooks. Okay.
    Chairman Chaffetz. --there are no readers, it does nothing, 
it is a waste of time. And when you say that you're partners 
and fully integrated every step of the way, we're going to hold 
you partly accountable----
    Ms. Vance. Okay.
    Chairman Chaffetz. --for producing a product that serves 
absolutely no purpose other than costs a lot of money.
    Ms. Vance-Cooks. And I will take that back to the agency. 
Thank you, sir.
    Chairman Chaffetz. And believe me, we will continue to 
press them on that point.
    Ms. Vance-Cooks. Okay. All right.
    Chairman Chaffetz. Does anybody else want to shed any light 
on the--I see some interest here. Ms. Carroll or Mr. Albers?
    Mr. Albers. Well, you're right on the Global Entry card. 
You use your fingerprints when you come in. You don't need a 
card at all. In fact, I've lost mine. So it doesn't do any--but 
that's not the fault of the director, I've got to tell you. I 
think she's right about that.
    Chairman Chaffetz. Yeah. There's no photo ID on it, there's 
no biometrics, you can't use it at TSA. I really struggle to 
understand. And I guess that's part of what we're looking for, 
for GPO----
    Ms. Vance-Cooks. Right.
    Chairman Chaffetz. --if you are partners, is to 
understand----
    Ms. Vance-Cooks. Right.
    Chairman Chaffetz. --why in the world do we do this card? 
But the primary responsibility, you're right, is with those 
that are issuing--or doing the program, but I just wanted to 
clarify that.
    I will now recognize--thank you for the time. We'll now 
recognize the gentleman from Alabama, Mr. Palmer, for 5 
minutes.
    Mr. Palmer. Thank you, Mr. Chairman.
    This year's Black Hat convention featured a $10 device 
called BLE key that purports to circumvent the RFD cards by 
exploiting vulnerabilities in the beacon communication 
protocol. Once the vulnerability is exposed, the individual can 
clone the RFID-equipped cards, and according to its 
researchers, it can be installed in less than 2 minutes. And 
this is a question to you, Ms. Vance-Cooks. Are you aware of 
this?
    Ms. Vance-Cooks. Am I aware of the Black Hat?
    Mr. Palmer. Are you aware that there's a group out there 
that claims that they can clone RFID cards and they can be 
installed in less than 2 minutes?
    Ms. Vance-Cooks. I'm not aware of that particular one, but 
I'm aware of a move underfoot by so many different 
organizations trying to clone different components of the card, 
yes. I can assure you I know in terms of the passport, I'd 
heard something about that, none of our cards, and we produced 
100 million e-passports, none of those have been compromised.
    Mr. Palmer. How about you, Ms. Carroll?
    Ms. Carroll. Yes. HID Global is fully aware of that. We 
actually attend those conferences because we need to understand 
exactly what the--you know, the Black Hat folks are--you know, 
maybe they're good guys, but the bad guys are paying attention 
and they're learning from these kinds of things as well.
    And so HID Global and companies like Morpho, too, we invest 
millions and millions of dollars every year in R&D to stay 
ahead of the bad guys. Our U.S. Green Card, we have been making 
it since 1998, it has never been successfully compromised.
    Mr. Palmer. I'm glad that you're aware of it and I hope 
that GPO will get up to speed on this. And I'd like to know 
what is being done to install safeguards against RFID cloning. 
I think it ought to be a top priority.
    Mr. Albers. If I could, Congressman.
    Mr. Palmer. Yes.
    Mr. Albers. I think Ms. Carroll's point is well taken, that 
we don't just take orders. Okay. We stay ahead of the curve. 
And I'm talking about industry, not just MorphoTrust. So we are 
aware of those. We're aware of the defrauders. I mean, when 
cards were coming from China, we bought them, and we tried to 
figure out what they're doing, and we put that company out of 
business; we, all of us.
    So, you know, there is a reason to keep industry in the 
game as much as you can, because we're following those trends. 
It's all well and good that an agency can go to another 
government agency and buy a product from an organization that 
doesn't charge a profit, but we build that into everything that 
we make. Every new card, every new biometric, every new 
software or hardware product that we make, we're looking at the 
trends of the industry and we're trying to stay ahead of them.
    Ms. Vance-Cooks. May I interject?
    Mr. Palmer. Yes.
    Ms. Vance-Cooks. Okay. I have just been advised and I want 
to make sure for the record that we do send people to Black Hat 
as well.
    Mr. Palmer. Okay.
    Ms. Vance-Cooks. So I want to characterize that for the 
committee. And secondly, I don't think that people should walk 
away believing that we just take orders. That's not the GPO. 
The GPO works closely with agencies. We want to serve the 
agencies, and we do that by working with them to make sure that 
they have the best product possible available in the 
marketplace.
    Mr. Palmer. My point in this is to make sure that GPO is 
aware that there are groups out there----
    Ms. Vance-Cooks. Yes.
    Mr. Palmer. --that can clone these cards, and that you're 
taking necessary safeguards to make sure that doesn't happen.
    Ms. Vance-Cooks. You're correct, sir. And I should have 
answered it correctly. We do send people to Black Hat. They are 
aware of it.
    Mr. Palmer. Thank you very much for----
    Ms. Vance-Cooks. Thank you for letting me clarify that.
    Mr. Palmer. --making that clarification.
    One last question, and that is, Ms. Vance-Cooks, that you 
conducted an audit in which a component of the passport eCover 
failed a specific test, and according to the audit report, the 
eCover failed the read time test for several sampled products. 
The solicitation stated that if a product was given a fail at 
any point, the proposal would be deemed technically 
unacceptable and would not receive further consideration, yet 
the products were determined to be technically acceptable with 
no documented explanation. Can you explain this discrepancy?
    Ms. Vance-Cooks. Sure. In fact, the IG report is very good 
in detailing that. Couple of points. Number one, the bidder in 
question submitted a very, very good product--not a very good 
product, very good price, but unfortunately that product did 
not work, and according to the specifications, we had to fail 
that product, and therefore, their product--the vendor was not 
part of it.
    We did not adequately document the part about the read 
rates, and that is what the IG has referred to, that we need to 
do a better job documenting what is critical and what is not. 
And believe me, we appreciate what he wrote, and we have made a 
lot of changes in our acquisitions to make sure that the next 
ones are very tightly controlled in terms of what works, what 
doesn't work, and what happens. It was a learning lesson for 
us. It would not have changed the decision, but we do need to 
make sure that we tighten our documentation.
    Mr. Palmer. My time has expired. I do appreciate your 
answers, though. Thank you very much.
    Ms. Vance-Cooks. Thank you.
    Chairman Chaffetz. I now recognize the gentleman from 
Virginia, Mr. Connolly.
    Mr. Connolly. I just want to say, Mr. Chairman, rarely in 
the history of Congress is there a hearing that exhaustively, 
comprehensively addresses one discrete issue. I think we've 
done that here today. But it has raised some very interesting 
questions, and I certainly look forward to working with you on 
reexamining Title 44 to make sure that we're not doing 
unwittingly harm to the ability of industry to compete, and 
that we still allow room for choice for Federal agencies with 
respect to GPO. Thank you, Mr. Chairman.
    Chairman Chaffetz. I thank the gentleman.
    One last question for the inspector general. You've looked 
at this, you've issued, I think you said, ten reports. What's 
your biggest concern?
    Mr. Raponi. The biggest concern when I start looking at all 
of this is there's a couple things. The acquisition process. 
The acquisition process is flawed right now. And I know GPO is 
working diligently to make corrective actions.
    And then secondly, when I look at the technology associated 
with it, I see that there is no inter-coordination within the 
GPO in terms of, like, leveraging the expertise from the CIO 
shop. And I think that--I had spoke with the CIO yesterday, and 
he's working on a more collaborative, more involvement in the 
IT and the security aspect of the secure credentials and the 
eCovers.
    Chairman Chaffetz. We want to thank, not only you as the 
inspector general, but all the people that work in these 
various IG offices. We have a lot of good men and women who 
spend a lot of time, months, sometimes years working on these 
issues. It's imperative that we on both sides of the aisle get 
that information.
    We would ask to you also keenly look at this concern that 
we have about how Title 44 is interpreted. Part of the reason 
we held this hearing is we do anticipate potentially rewriting 
that statute, and as we do so, I want to make sure we get the 
maximum input and any flaws or things that we might see there.
    I do appreciate, Director, the candid discussion we've had, 
it's an important part of the process, and appreciate the good 
work that so many of the men and women who work down there, and 
they do a critical, important thing. They've got to produce a 
great product at the end of the day. I do think your comments 
will go a long way to making sure that these agencies know that 
they do have a choice.
    And to Mr. Albers and Ms. Carroll, we appreciate the good 
work you've done, you've got a lot of good employees and people 
who are doing important work. The millions of dollars that is 
spent on research and development cannot be dismissed. Those 
are real costs, costs that a GPO, for instance, wouldn't go 
through, but also provides the next wave of technology that can 
make sure that we have the most secure documentation we can 
possibly have.
    So, again, I appreciate the productive hearing. I 
appreciate you all being here with us today.
    The committee now stands adjourned.
    [Whereupon, at 11:42 a.m., the committee was adjourned.]


                                APPENDIX

                              ----------                              


               Material Submitted for the Hearing Record



[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


                                 [all]