[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
EXAMINING THE ROLE OF SHARED EMPLOYEES IN THE HOUSE
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON HOUSE
ADMINISTRATION
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION
__________
APRIL 12, 2018
__________
Printed for the use of the Committee on House Administration
Available on the Internet:
http://www.govinfo.gov
_________
U.S. GOVERNMENT PUBLISHING OFFICE
32-657 WASHINGTON : 2018
Committee on House Administration
GREGG HARPER, Mississippi, Chairman
RODNEY DAVIS, Illinois, Vice Chairman
BARBARA COMSTOCK, Virginia
MARK WALKER, North Carolina
ADRIAN SMITH, Nebraska
BARRY LOUDERMILK, Georgia
ROBERT A. BRADY, Pennsylvania, Ranking Member
ZOE LOFGREN, California
JAMIE RASKIN, Maryland
EXAMINING THE ROLE OF SHARED EMPLOYEES IN THE HOUSE
----------
THURSDAY, APRIL 12, 2018
House of Representatives,
Committee on House Administration,
Washington, D.C.
The Committee met, pursuant to call, at 11:16 a.m., in Room
1310, Longworth House Office Building, Hon. Gregg Harper
[Chairman of the Committee] presiding.
Present: Representatives Harper, Davis, Comstock, Walker,
Loudermilk, Brady, Lofgren, and Raskin.
Staff Present: Sean Moran, Staff Director; Kim Betz, Deputy
Staff Director/General Counsel; Cole Felder, Deputy General
Counsel; Dan Jarrell, Legislative Clerk; Erin McCracken,
Communications Director; Jamie Fleet, Minority Staff Director;
Khalil Abboud, Minority Deputy Staff Director; and Eddie
Flaherty, Minority Chief Clerk.
The Chairman. I now call to order the Committee on House
Administration for purposes of today's hearing on shared
employees. A quorum is present, so we may proceed. The meeting
record will remain open for 5 legislative days so that Members
may submit any materials they wish to be included therein.
My opening remarks will be brief.
Today's hearing will focus on the practice by which
multiple member offices share employees to perform
administrative functions, such as finance or information
technology services. The practice of sharing employees began in
the mid to late 1990s and continues today. However, there had
been concerns about the lack of oversight and supervision
shared employees have in their duties. The Office of Inspector
General audited the practice in 2008, and again, in 2012.
Today's hearing will provide this Committee with the
opportunity to understand the history of the practice of
sharing employees. Further, it will allow us the opportunity to
review the current reporting and disclosure requirements
imposed on shared employees and determine their effectiveness.
Finally, the hearing will allow the Committee to understand the
additional actions the House should take to ensure that all
risks are addressed.
I yield to my colleague and the Ranking Member, Mr. Brady,
for purposes of an opening statement.
Mr. Brady.
Mr. Brady. Thank you, Mr. Chairman, for holding--and thank
you for holding this hearing today.
Mr. Chairman, I have worked on the shared employees issue
since I became Chairman in 2007. I had hearings on this topic,
and we marked up new regulations to deal with this issue. I
also supported the efforts of Chairman Lungren in 2012 to
measure if what we were doing was working. We have more work to
do.
I won't support an overall limit on the number of offices
that share technology and finance staff that can support. We
should discuss that limit. I also support a background check as
a condition of access to the network. We need to explore what
these background checks measure and what we do with the
results.
I am very glad you have asked these witnesses here today.
We have a fine group of House officers in front of us. I consider
Phil and Paul friends and look forward with our new inspector
general once I learn how to pronounce your last name.
I look forward to the testimony, and I yield back the
balance of my time.
The Chairman. The gentleman yields back.
Does any other Member wish to be recognized for the
purposes of an opening statement?
Seeing none, we are honored to have yet another
distinguished panel of witnesses before us, and I will now
introduce those to the Committee.
Phil Kiko was sworn in as the Chief Administrative Officer
of the House of Representatives on August the 1st of 2016. This
is the second time Mr. Kiko is serving as the CAO. In the mid
1990s, Mr. Kiko joined the then-newly formed CAO as its
associate administrator for procurement and purchasing to help
establish the procurement office. Mr. Kiko has a long record of
dedicated service, both in the House and throughout the Federal
Government.
Most recently, Mr. Kiko served as staff director and
general counsel for two House committees, including serving on
this Committee from 2011 to 2012. Mr. Kiko also has worked in
two other House committees and served as chief of staff at a
Member's congressional office.
I would also like to introduce Paul Irving, our Sergeant-
at-Arms. Paul Irving was sworn in as the Sergeant-at-Arms at
the U.S. House of Representatives on January the 17th of 2012
during the second session of the 112th Congress. He is the 36th
person to hold this post since 1789. Mr. Irving previously
served as an assistant director of the U.S. Secret Service from
2001 to 2008 and served as a special agent with the Secret
Service for 25 years.
I would now like to introduce Michael Ptasienski, House
Inspector General. Michael Ptasienski was appointed as the
fifth inspector general of the United States House of
Representatives on February the 15th of 2018. Mr. Ptasienski
previously served in the Office of Inspector General of the
House as the Deputy Inspector General, advisory and
administrative services, and as the director, management
advisory services.
He has been serving in the House since 2008. Prior to
joining the House, Mr. Ptasienski spent more than 15 years
working in consulting and management roles in the financial
services industry, and has several professional certifications
in accounting, auditing, risk management, and project
management.
Again, I want to thank each of you for being here today
with us. The Committee has received each of your written
testimony. At the appropriate time, I will recognize you for 5
minutes to present a summary of that submission. You know how
this drill works with the timer that is there.
We look forward to hearing from each of you. This is a very
important hearing for us going forward. And the Chair now
recognizes the Chief Administrative Officer, Phil Kiko, for 5
minutes.
STATEMENTS OF HON. PHILIP KIKO, HOUSE CHIEF ADMINISTRATIVE
OFFICER, UNITED STATES HOUSE OF REPRESENTATIVES; HON. PAUL
IRVING, HOUSE SERGEANT-AT-ARMS, UNITED STATES HOUSE OF
REPRESENTATIVES; AND MICHAEL PTASIENSKI, INSPECTOR GENERAL,
UNITED STATES HOUSE OF REPRESENTATIVES
STATEMENT OF HON. PHILIP KIKO
Mr. Kiko. Thank you for the opportunity to participate in
today's hearing. The activity of certain shared employees and
their technical service is one of the first issues that was
brought to my attention when I became CAO. The House shared
employees account for less than 1 percent of the estimated
10,000 House employees. Collectively, they work for roughly 75
percent of House offices.
Unlike the majority of House employees, the oversight
structure of the technical services they provide is fractured
and decentralized. Because they are not employees of any House
officer, we are limited in our ability to take swift corrective
action when non-compliance with House policies and technical
standards is detected.
The problem is simple. Decentralized oversight leads to
non-compliance and abuse of policies intended to protect the
House. The solution is slightly more complicated, and one the
House has been grappling with for the last decade. With that,
at the direction of the Committee, in February 2017, the House
officer working group convened, and in June of last year,
issued a report identifying over 2,000 gaps in the management
structure, the subsequent risk to the House, and reforms to
mitigate those risks.
These gaps, in a broad perspective, relate to supervision
and oversight of shared employees, or lack thereof, the
delegation of tasks between shared employees, and the fact that
they are sharing workloads and have informal supervisory
agreements regardless of the employing authority. Improper
vetting of the employees, and perhaps most problematic, the
inability to enforce compliance with House information security
policies. For example, the unauthorized access to office data
or commingling of data, the use of unsecured software, cloud
service, email accounts, and equipment.
Many of these gaps are not necessarily new, but the risks
associated with the gaps have changed and need to be addressed,
particularly the risks that impact the House cybersecurity
efforts. Cyber attacks, as you know, against the House, average
300 to 500 million each month. And the bookend to the outside
threat is the insider threat.
Tremendous efforts are dedicated to protecting the House
against these outside threats; however, these efforts are
undermined when employees do not adhere to and thumb their nose
at our information security policy. And that is a risk, in my
opinion, we cannot afford.
The working group concluded the most effective way to
mitigate the risk of shared employees was to change the
employment structure itself. And after the working group
presented its recommendations, a Committee task force led by
Representative Davis was created. It hosted multiple bipartisan
listening sessions with Members on this topic, and I attended
every one of those meetings. Members expressed a strong desire
to retain shared employees as some of their duties can involve
information that is sensitive in nature. However, Members were
under the impression that, due to the technical nature of the
duties of shared employees, whether IT or financial, underwent a
more vigorous vetting process, and they were also open to the
CAO having a more hands-on oversight on compliance with House
standards.
With this valuable feedback, a strategy was developed with
the committee to mitigate risk and significantly modify the
employment structure. It included the development of strict
administrative standards for IT and shared financial
administrators that would standardize the adherence to House
policies and add additional oversight and compliance measures.
The CAO would be the centralized oversight entity with
enforcement capabilities while preserving Member choice in
hiring. It mirrors the current contractor model in that it
allows for vetting individuals who will have privileged access
to the House network, and it creates the ability to immediately
revoke access for those who comply with House IT and financial
policies. It doesn't mean they are revoked forever. It is
revoked until they comply. Critical oversight capabilities that
Member offices I do not think have the bandwidth to deal with.
The CAO stands ready to roll up its sleeves with the
Committee and to close the gaps and greatly use the risks that
are inherent in the current model.
Thank you very much.
[The statement of Mr. Kiko follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
The Chairman. Thank you, Mr. Kiko.
The Chair will now recognize Sergeant-at-Arms Paul Irving,
for 5 minutes for the purposes of an opening statement.
STATEMENT OF HON. PAUL IRVING
Mr. Irving. Chairman Harper, Ranking Member Brady, and
distinguished Members of the Committee, I appreciate the
opportunity to participate in the Committee's hearing today
regarding the use of shared employees in the House.
As you know, the House Sergeant-at-Arms serves as the
Chamber's principal law enforcement officer. And from this
perspective, shared employees present unique challenges.
Shared employees have access to systems, offices, and
personnel of multiple Members, and can potentially create a
greater risk than an employee who has access to only one
office's systems. Shared employees may also have access to
sensitive information technology or financial records.
As the House of Representatives has moved towards greater
automation and increased use of digital technology, the
vulnerabilities and risks have likewise increased. The risks
posed by shared employees can be minimized by requiring
background checks as well as robust internal controls. I would
also recommend that shared employees be issued different ID
cards.
Because of the greater risk of shared employees, it is
critical that a shared employee be thoroughly vetted by the
offices. However, Members are generally free to set the terms
and condition of employment in their office. When an employee
works for a single Member office, the Member can monitor the
individual's performance and determine the level of trust and
responsibility that should be vested in that individual. In
certain respects, the Member assumes the risks of hiring the
individual.
When an employee is shared among many Member offices, each
Member is not as closely situated to monitor the individual's
performance. The relationship between the Member and staffer is
more attenuated, and knowledge about the employee's background
is minimal. Thus, each Member potentially faces greater risk
from the individuals who have access to sensitive information,
technology, or financial data, as the Member is not as well
positioned to vet or closely monitor the activities of the
employee.
Currently, the Capitol Police provides criminal background
checks for Members' offices upon request. When developing a
policy concerning background checks, the Committee may wish to
adopt or consider the scope, frequency of the investigation,
and the adjudication or background of the background check.
Background checks are not a panacea, but they can serve as
indicators that an individual is trustworthy or, conversely,
potentially susceptible to influences that could have
negative repercussions for the entire House.
In addition to developing a uniform standard for background
checks, it is also essential that there be uniformity in
oversight as well as the institution of internal controls to
ensure that all shared employees strictly adhere to the
policies and procedures related to this unique position.
The CAO has put together a strategy for developing internal
controls and ensuring the maintenance and uniformity of
standards of shared employee conduct. I would support these
recommendations by the CAO regarding the continued development
and enforcement of these procedures.
I would also encourage all House offices to require strict
adherence to the established standards as a condition of
employment. Should an employee fail to comply with these
standards, I fully support the CAO being granted the authority
to revoke a shared employee's access to the House network.
One final area that can be leveraged to tighten security of
shared employees is to provide a slightly different ID card to
shared employees. Currently, ID cards are issued under one
office, while a shared employee may work for many offices.
Capitol Police officers can have difficulty identifying
appropriate access when an individual's ID differs from the
office in which they are working. If an ID card clearly denotes
the employee of the shared staff, the officer can easily
recognize that the individual might require further follow-up.
In sum, I want to thank the Committee for giving me the
opportunity to testify today, and I am ready to answer any
questions you may have.
Thank you.
[The statement of Mr. Irving follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
The Chairman. Thank you, Mr. Irving.
The Chair will now recognize our House Inspector General,
Michael Ptasienski, for 5 minutes.
STATEMENT OF MICHAEL PTASIENSKI
Mr. Ptasienski. Thank you Chairman Harper, Ranking Member
Brady, and Members of the Committee. I am honored to be here
today in my capacity as Inspector General of the House.
My testimony today concerns two areas of shared employees:
financial administrators and shared IT support staff.
Shared employees fill administrative and technical support
roles for both Member offices and Committees through part-time
positions. This model allows congressional offices to get the
back office help they need without having to hire full-time
staff. It does, however, introduce some significant risks.
Since 2007, we have conducted a considerable amount of work
that has highlighted risks associated with these types of
shared employees. Specifically, we identified risks associated
with inadequate management oversight of shared employee
activities, a lack of segregation of duties within offices, and
shared employee non-compliance with applicable laws and House
rules.
A particular concern is the role of the IT administrator.
By its very nature, this role is highly sensitive and carries
with it a whole host of risks.
The Office of Inspector General first noted risks
associated with the shared employees in 2007 after a financial
shared employee was able to defraud three Member offices for
over $169,000. In this case, an employee had the authority to
make purchases and controlled where items were delivered. In
addition, they completed, approved, submitted, and--submitted
vouchers for reimbursement. The same staffer also reviewed the
office monthly financials and maintained all the office
records.
This highlights a lack of segregation of duties. One
employee should never have the ability to order items, receive
the items, pay invoices, submit their own reimbursements, and
reconcile the books.
Some shared employees may be on the payroll for as many as
20 offices. In addition, there have been cases where shared
employees worked together in teaming relationships. These teams
collectively handled the work of multiple offices. As a result,
individuals may be performing duties for an office while being
neither a paid employee nor a contractor for that Member.
In 2008, the CHA adopted Resolution 110-7 and subsequently
published the shared employee manual in 2009, which placed
specific limitations on shared employees that were based upon
employment laws, House rules, and CHA's policies. This manual
outlined several new requirements, including having shared
employees sign an acknowledgment that they understood and would
comply with the applicable rules and guidelines.
Not all shared employees, however, have been complying with
these requirements. During a follow-up audit in 2012, we found
that 45 percent of shared employees had not signed the required
acknowledgment for understanding and complying with the manual.
In addition, some shared employees continued to work as both an
employee of the House, and as a contractor. And as recently as
2016, we found shared employee teaming relationships still
exist.
In any office, the system administrator is someone you
place a great deal of trust in. This role is inherently risky
due to the level of system access they have. They essentially
hold the keys to the kingdom: they can create accounts, grant
access, view, download, update, and delete virtually any
information within the office. Because of this high-level
access, an incompetent or rogue system administrator could
inflict considerable damage to an office and potentially
disclose sensitive information, grant access to others, perform
updates, or simply delete files.
In the case of shared employees, this high level access
spans multiple offices. We have seen that shared employees
typically have a great deal of autonomy in conducting their
work. In the case of IT administrators, they are generally an
office's sole IT subject matter expert, and others may not have
complete insight into the actions that they perform.
The existence of shared employee teaming relationships
further increases the risk of having individuals who are not
officially employed by a Member having access to their systems
and data without the Member's knowledge.
Mr. Chairman, I thank you, Ranking Member Brady, and the
Members of the Committee for this opportunity to highlight some
of the risk and control weaknesses we have noted in the current
shared employee model.
We look forward to continuing to provide advice to this
Committee on issues of importance to the House.
At this time, I would be happy to answer any questions you
have.
The Chairman. Thank you, Mr. Ptasienski.
[The statement of Mr. Ptasienski follows:]
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
The Chairman. We now have time for Committee Members to ask
questions of each of you. Each Member is allotted 5 minutes to
question the witnesses.
I will begin by recognizing myself for 5 minutes.
Mr. Kiko, I have a couple questions I would like to direct
to you.
The House officer working group identified and the
listening sessions confirmed the importance of protecting
Member choice as it relates to certain services needed by
Member offices.
In your opinion, how do we effectively mitigate the risks to
the House that were identified in your June 30 memo and
addressed in the working group's recommendations, while at the
same time, continuing to recognize Members' employing
authority? And are those two goals mutually exclusive of each
other?
Mr. Kiko. No, I don't think they are. And what really came
out of the working sessions--or the Member sessions headed by
Congressman Davis was the fact that Members were very
interested in having some choice. I certainly understand that.
So what we sort of are thinking about is that the Members can
hire shared employees. But the shared employees have to--the
other thing that came out of that was that there was some
understanding that maybe some of the employees were technically
adept. They were required to follow all the House procedures
and standards. So what we sort of thought we could do as--the
CAO could establish standards for IT and financial services
that everybody would have to adhere to. Then we would--and it
would be standard. It would be the same for everybody. We would
have standard compliance with regards so we could check to make
sure that everybody's complying with what these standards are.
And then on the other side of the ledger, the Members would
be able to hire who they wanted. But as part of those
employee's performance standards, maybe there could be
something in there that says they have to comply, you know, with
House policies. And then if they wouldn't, we could deny
access, or we could tell the Member about it or elevate it to
the Committee. But I think that is the way you can have it both
ways.
The Chairman. Okay. On January 19th of 2018, Ranking Member
Mr. Brady wrote to me highlighting a number of steps he
believes can be implemented immediately to mitigate some of the
risk.
Have you discussed these suggestions with HIR? And how do
these steps fit in with the recommendations identified in your
June 30, 2017 memo?
Mr. Kiko. I think a lot of those--in Mr. Brady's letter, I
think a lot of those can be. Almost every one of them--all of
them can be implemented. The one issue that we would have to
work on a little bit is, you know, having a separate email
for--every shared employee has a separate email account, and
how would they email that, where would it go to? Would it--how
do you separate it? Would it go into one server, or could it be
disaggregated? We don't know.
But all those are fine. We agree with all those, and we can
implement all of them.
The Chairman. And I am sure other Members will ask about
this as well. But for you, Mr. Kiko, and for you, Mr. Irving,
how important and how effective will the background checks be
that you anticipate having?
Mr. Irving may be the one to answer that.
Mr. Irving. The background check, as I testified, is not a
panacea, but certainly important as a vetting process to
determine, you know, who would be most suitable to work on our
sensitive systems.
Background checks take on a number of forms. Capitol Police
will start off with an NCIC check, criminal history check, a
credit check.
I would recommend that we explore a little deeper level of
check as well, to maybe former employers to see if there were
any anomalies, especially if it was on the financial side or IT
side.
Not only--I wouldn't just focus on the background--the
background check, but the adjudication of the check is
important. Who actually is going to determine whether the
employee is suitable. And we need to, I think, put some
objective measure into that.
And then last but not least, probably a check every 5 to 7
years or so just to make sure that we check to see if the
employee has had any issues, you know, since employment.
The Chairman. Thank you, Mr. Irving.
The Chair will now recognize Ranking Member Mr. Brady for 5
minutes for purposes of questions.
Mr. Brady. Thank you Mr. Chairman.
My question is for all or anyone who would like to answer.
One of the ideas that I won't support is limiting the
number of offices that shared technology and finance staff
support. However, if you impose this limit on the overall
number, you are going to raise the cost of the services
provided to each office. So my question for all of you is do
you support limiting the overall number of offices shared
technology and finance staff can work for? And do you think
there is a way we can help those offices that would experience
an increase in cost, absorb that cost as we transition to this
model?
Anyone.
Mr. Kiko. I support limiting the number of offices shared
employees can support. Limits reduce the risk and the problem
of diffused supervision. Where you set the limit is the hard
question. Is it 10? Is it 20? Is it 5?
I do think that the CAO can maybe help with that
transition in a couple of ways. One is on the financial side.
There are two initiatives that we are going to do that may
work, and maybe e-voucher or something that replaces the
existing scan paper. And the other is maybe if we launch a new
financial portal to get offices more information, you know,
that they could--there wouldn't be the need right now. A lot of
the financial processes are very paper-intensive. We are trying
to eliminate that.
But the issue of limiting offices I think is the--is how do
you do that, and where do you draw the line on limiting the
number of offices for shared employees? I don't know where that
is. There has been as many as 20, 30. So that is all I have.
On the IT side, I think that, you know, in the end, it
would be great if the CAO would provide services, that you
wouldn't need shared employees for IT services. We sort of hope
that we would be able to do that in the future. I am not sure
we are there yet, but we are trying to head that way.
Mr. Brady. Mr. Irving.
Mr. Irving. Not to place more of a burden on my esteemed
colleague, Mr. Kiko, but certainly, some of this can be
centrally managed. When we look at IT systems, I think a lot of
that--those are services that the House offers, and I think
that some of those services can be centrally managed which
would, in fact, cut down on the number of shared employees.
Mr. Brady. Thank you.
Do we know how many--how many average--do shared
employees--how many Congresspeople that they work for? I mean,
is there an average that they work for 30? 20? 10? I mean, do
they vary?
Mr. Kiko. I don't really know. I don't know that answer at
this point. I think there are some that are more and there are
some that are very few. But I don't have the exact answer right
now. I should have, but----
Mr. Brady. It is hard to imagine that they work for, like,
20 and 15 Congresspeople and do an effective job. I mean----
Mr. Kiko. Yeah. I think it sort of depends upon each
individual office, what are they doing and how much is being
required of each office. That is what I don't know.
Mr. Brady. Well, again, Mr. Kiko, for you--this question is
for you. I think that you are doing an excellent job as our
CAO. And do you have an estimate of how much money it would
cost for your office to support the technology functions that
shared employees and vendors currently provide our office?
Mr. Kiko. Well, I sort of looked into that a little bit,
and I sort of believe that--we estimate that it would cost
about $125,000 for 10 offices. So that is about 12,000. If we
would--we would have an employee in HIR, they would support 10
offices. And so that would be about 12,500 or 13,000, 14,000
annually. So that is what we would think it would be if we
would support it ourselves.
Mr. Brady. Thank you.
Thank you, Mr. Chairman. And thank all of you. And I am
very happy and proud to work with all of you. You do an
excellent job.
Thank you.
The Chairman. Thank you, Mr. Brady.
The Chair will now recognize the Vice Chairman of the
Committee, the gentleman from Illinois, Mr. Davis, for 5
minutes.
Mr. Davis. Thank you, Mr. Chairman, and thank you to each
of the witnesses. I appreciate, Mr. Chairman, you tasking us
with running the listening sessions that were bipartisan
listening sessions. We had Members come in, Members who had
shared employees, Members who were just concerned about the
process, to get to know a little better about what these
processes were. And I think Mr. Kiko laid out very effectively
in his opening statement some of the concerns that Members had,
and also, some of the perceptions Members had of possible
background checks and other details that they thought may have
been run through your office, the CAO, but in reality, they
weren't done. So that is what gets me to my first question.
Mr. Kiko, you mentioned a number of compliance mechanisms
that were suggested during those Member listening sessions and
afterwards to help mitigate the risk of shared employees. And
these suggestions included a badging authority through the
Sergeant-at-Arms. And thank you, Mr. Irving, for mentioning
that in your opening statement too. CAO developed committee-
approved technology administration standards and financial
administration standards; CAO control access to all enterprise
systems; enforcement of new standards through the CAO
controlled access to enterprise systems; CAO authority to
terminate access for any shared IT or finance employee who is
non-compliant with standards that currently exist; background
checks, although at differing levels, as mentioned by Mr.
Irving, for all IT and finance shared employees.
Would you describe, Mr. Kiko, how these implement--how
these mechanisms could be implemented and enforced?
Mr. Kiko. Well, I think that--I think the first thing we
have to do is to standardize, you know, what are the
requirements for shared employees, whether it is IT or
financial. And those standards should be high. It should be,
you know, what is the normal industry standard for this kind of
a function. Obviously, you have to apply it to the House.
And with regards to--and then there has to be a monitoring
mechanism that the CAO would have to do. They could do spot
checks on compliance. We are not talking about spot checks on
getting into Member emails and stuff. We are just trying to see
are they complying--you know, maybe every month. Are they
complying with whatever the standards that we set, and the
expectations that we set? And then if people are not, then we
either give them a warning that they need to--they need to come
into compliance. If they don't, we deny access or we elevate
it.
Some of that stuff could be worked out with the Committee
on what you want. I would say that is how you would implement
it. It would require--it may require, you know, one employee,
or two in the CAO's office, to make sure, you know, that
everything is being done correctly.
Mr. Davis. I see a few of your employees sitting behind
you.
Do you feel that the CAO has the ability to implement these
suggested changes?
Mr. Kiko. Yes, I do. Yeah.
And I tried to limit the number of people that came here.
Mr. Davis. Well, you brought--Clocker was one too many. But
that is okay.
Mr. Irving, I am very glad you mentioned the single badging
authority. Can you expand somewhat on how you think that might
help address some of the IG considerations that have been
brought up before?
Mr. Irving. It would just be one facet. When individual
Members hire, their badge indicates where they are assigned or
what Member they are employed by. A shared employee that has
access to many Member offices is in a different category. And
if a Capitol Police officer sees them in one area versus
another, if someone questions them, not knowing that they are a
shared employee could cause them to not follow up when they
probably should follow up.
So only one other area of--just another facet. Certainly
not in and of itself, something that is going to satisfy
everything.
Mr. Davis. Great. Thank you.
One last question, Mr. Kiko. When we had our Member
listening sessions, we talked about the lack of a compliance,
complete compliance for the background and financial disclosure
information and compliance measures that shared employees--the
compliance rate they were at before the listening sessions.
After you sent out some correspondence to the existing shared
employees, what is the compliance rate right now for the
disclosures and other information that we are requiring of them
already?
Mr. Kiko. You mean on the financial disclosure?
Mr. Davis. The financial disclosures.
Mr. Kiko. I am not exactly sure what that is, because we
did follow up. But that is more of an Ethics Committee issue.
Mr. Davis. Well, what about the information that you had?
Mr. Kiko. The information that we had is that, you know,
most people are now in compliance, if not all. And I have had
to send some emails out to people. Either you are going to get
in compliance or we are going to cut you off. I did have one of
those.
Mr. Davis. And you saw a great response to that of those
who may not have been compliant?
Mr. Kiko. We are okay on this now.
Mr. Davis. Thank you.
The Chairman. The gentleman yields back.
And I would like to give a thank you to Rodney Davis as our
Vice Chairman who has done yeoman's work and countless hours of
working with--I know with each of you and working on this
issue. So, Mr. Davis, we thank you for that outstanding work
that I know we will bring to a conclusion at some point. And
you will probably be happy when that happens. But we couldn't
be in this position for the good of the House without your
effort, so we appreciate it.
The Chair will now recognize the gentlewoman from
California, Ms. Lofgren, for 5 minutes.
Ms. Lofgren. Well, thank you very much. And thanks to each
of you for your important testimony. And to you, Mr. Chairman
and Mr. Brady, for convening this important hearing.
I think it is important to make a distinction between the
kinds of shared employees that we have. There are technical
shared employees that go from office to office, and they are
primarily doing financial accounting work and IT work. And then
there are, like, policy shared employees where the shared
employee is actually moved around the payroll, but it is really
for a shared policy goal. For example, you know, the
Progressive Caucus or the Freedom Caucus might share the
expense of a salary. Or State delegations have--you know, share
the expense of a salary.
In 1995, it used to be, prior to 1995, that you could
just--each office could contribute and just hire the person
rather than going through this roll-around. I am not sure that
what we did made any sense, honestly. It just increased the
paperwork when it comes to policy issues. And that might be
something to look at, Mr. Chairman.
But when it comes to the shared employees who are doing IT
work or financial services, that is where we have the problem.
And I think it is important to make that distinction. Other
Members have raised important issues relative to financial
services.
I wanted to focus on the IT function. You know, for years,
on a bipartisan basis, we have worked, Mr. Kiko, with your
office, centralized services, ranging from magazine
subscriptions to cybersecurity. It really doesn't make sense to
have individual offices go out and buy their own furniture. We
centralized that function. And so one of the concerns and,
frankly, one of the complaints I have heard, and I suspect it
is a resource issue for you, is that the CAO can be slow to
support products that our consumers have moved to. And when
that happens, Members and staff start using these products
anyway. And then they circumvent security rules and
regulations, because that is the product that they find useful.
And so I am wondering what HIR is doing to keep current
with the latest tools available in the market? How do you
identify those tools? Assess their security vulnerabilities,
train your support staff to help with them? What role does HIR
currently play in minimizing the risks that the status quo
poses to the House, understanding that Members are going to
move to new technology, and is that a resource issue for you?
Mr. Kiko. Well, we are constantly--we try to be on the
cutting edge of new technology that Members are using. Many
times a Member office will ask us about a new technology, and
then we try to vet it. We try to see where the security issues
are, you know, whether there are any problems, whether problems
have been identified, you know, in the private sector when they
have used stuff.
I have not checked to see whether this is a resource issue.
But I know it is a very big problem, because, you know, we have
all these technologies that Members would like to use. And then
we read in the paper or we hear, you know, from some of our,
you know, investigations and research that we do that there is
a problem, you know, and stuff that has to be patched and all
that, so--but it is a constant issue of, as you say, Members
want the--some Members want the best and the latest. And
sometimes stuff is vetted. If we find out that stuff isn't
vetted correctly, we try to hurry up and try to do it to make
sure there is not a problem, you know, with a whole----
Ms. Lofgren. Right.
Let me ask you this: When you hire HIR staff, I think you
examine their professional credentials, their certifications,
their training for the function you are hiring them to perform.
Mr. Kiko. Yeah. It is very rigorous.
Ms. Lofgren. And by the way, I think the IT staff I have
interfaced with are excellent. They do a good job.
Now, when Member offices hire shared IT staff, are they
required to meet the same training and certification that your
own staff is?
Mr. Kiko. There is not a requirement for Members' offices,
because they are the employing authority.
Ms. Lofgren. Right. Maybe we should look at making those
certifications a requirement if you are going to access the
system.
Mr. Kiko. I support that.
Ms. Lofgren. I am also interested in terms of shared IT
staff. There is a concern that they don't always implement
necessary upgrades or modifications or software patches.
Does HIR staff ever perform those duties if a shared IT
staff drops the ball to protect our system?
Mr. Kiko. Yeah, we do. And we are, for the most part,
responsible for that. But if a shared IT employee calls us, we
will do it. It happens frequently.
Ms. Lofgren. I see my time has expired.
Thank you, Mr. Chairman.
The Chairman. Thank you, Ms. Lofgren.
The Chair will now recognize the gentlewoman from Virginia,
Mrs. Comstock, for 5 minutes.
Mrs. Comstock. Thank you. And I thank the Chairman and the
Vice Chairman for the work they have done on your going through
and finding out the holes in the policies and you all working
with that. So I really appreciate that in going forward.
And I know, you know, the public is rightfully, you know,
very upset about how this was handled in the past and that this
egregious example that is now being criminally investigated was
allowed to occur. And I know, because of the criminal
investigation, you aren't allowed to talk about that. But could
you just address, you know, for public purposes, that as that
criminal case goes forward and as that is resolved, that any
additional suggestions or changes that might be apparent
through what we learn from now can be addressed and making sure
that whatever holes they were allowed to get through, I think
it seems like we have identified a lot of them from what we
know, but given that is still going forward, and we don't know
everything, could you just assure for the public that that will
be sort of an ongoing review when that is wrapped up?
Mr. Irving. Congresswoman, I think everything that we have
discussed today and the purpose of this hearing certainly is to
get us there. And I will tell you that I am very, very
confident that the CAO is putting measures in place and doing
everything he can to put measures in place with the support of
this Committee to mitigate some of those issues that caused us
to be where we are today.
So, no, I am confident that we are certainly making a lot
of progress. Ultimately, as you know, it is the balance between
the Member interest and the governmental interest, the House
interest, in really trying to come to a good place.
So I think we have accomplished a lot, even in the time
during which this investigation has been ongoing.
And with that, I will ask Mr. Kiko if he wants to follow
up. But I hope that satisfies you.
Mr. Kiko. No. I will just say that the abuses by certain
shared employees have provided the CAO, and I think the
Committee, with a roadmap on what needs to be closed. And that
is what I want to do is to close the gaps.
Mrs. Comstock. All right. No, and I appreciate that--you
know, to the extent that that roadmap is public now, that you
have been able to address that and just wanted to make sure, as
we get more information, you know, that may not be apparent at
this point, that we can follow up on that.
So I thank you for the work you are doing on that front.
And I yield back.
The Chairman. The gentlewoman yields back.
The Chair will now recognize Mr. Raskin for 5 minutes.
Mr. Raskin. Mr. Chairman, thank you very much, and thanks
to all of our distinguished witnesses today. All of you have
discussed different risks that the current situation presents
to the House, including risks involving oversight,
cybersecurity, physical security, money, and so on.
Do you believe that your offices have sufficient authority
now under existing House rules to address those risks, or does
the Committee need to consider providing additional authority
to you in order to deal with it?
And maybe we just go right down the line.
Mr. Kiko. I would just say that, you know, we are in the
process of working with the Committee to reduce the risk by
giving the CAO a little more oversight authority over abuses.
Now, this is just for the CAO purposes. And I think that if we
have more authority and we can, you know, set standards, do
compliance, I think that will greatly reduce the risk in
cooperation with the Member and working with the Committee.
Because right now, we don't really--because these are Member
employees and we don't have a lot of authority to deal with
that, and it just hasn't happened, even though we found about
how the abuses can be--how the weak spots can be exploited, we
think that will go a long ways.
Mr. Raskin. Let me just follow up quickly with you, then.
Would it make sense--obviously, what we have got, you know,
cherished traditions of Member autonomy and some constitutional
background to that with the speech and debate clause, but would
it make sense for us to generate more authority in your office
or in some constellation of these offices, to deal with shared
employees on the theory that if a Member wants to go outside of
the usual situation of having an employee reporting directly to
her?
Mr. Kiko. I mean, I wouldn't be opposed to that. That is
sort of a fine line, you know, between CAO and Member autonomy.
But I am in favor of exploring that. I think it would help.
Mr. Raskin. Mr. Irving.
Mr. Irving. I am certainly in agreement with the CAO. I
think that, as I alluded to earlier, when the governmental
interest is so heavy and when we get to cybersecurity, we
really have a governmental interest. We certainly have to
recognize the Member interest as well. But I am in favor of
giving the CAO those--the authority so that, for example, to
Congresswoman Lofgren's point earlier on standards, maybe we
need to make sure that even though the Member is the employing
authority, if they want to bring someone on to do IT, for
example, they should comply with certain standards, have
certain background. And the same with the internal controls. I
think the CAO needs every internal control available to him or
her to ensure that these employees are, in fact, complying with
rules and regulations, and then have the authority, certainly,
to take certain action even though they are employed by a
Member. And I know it is a very, very careful balance.
Mr. Kiko. I don't want anybody to get the impression I am
trying to grab more authority. I am trying to grab more power.
That is not the case here. I am just trying to walk a very fine
line in conjunction with the Committee to see, you know, where
that sweet spot is. That is what I am trying to do.
Mr. Raskin. Great. Thank you.
Mr. Ptasienski. I think the--as the Chief Administrative
Officer said, I think they are the primary organization looking
at--or monitoring compliance with a lot of these finance and
technology policies. And as such, they have got a tough job in
trying to enforce those. And I think if there is--if he can't,
and his folks, as they interact with offices, get people to
comply with those policies, if he needs a stick, he may need a
stick in some areas, and we would support that.
We put a lot of pressure as we make recommendations to the
CAO to fix the various issues and so forth. And I have full
appreciation for the tough job that they have in balancing some
of the particularities of here working in the House.
Mr. Raskin. Thank you very much.
I yield back, Mr. Chairman.
The Chairman. The gentleman yields back.
The Chair will now recognize the gentleman from North
Carolina, Mr. Walker, for 5 minutes.
Mr. Walker. Thank you, Mr. Chairman.
My time is centered basically around one area regarding the
working group. And I wanted to get your thoughts on that, both
to Mr. Kiko and Mr. Irving, on the--briefly, you have described
the objectives of the working group, how it conducted its work.
And I know it has reached, I believe, six conclusions.
Could you talk about how that factors into your
recommendations?
Mr. Kiko, let's start with you.
Mr. Kiko. Yeah. I think that on our recommendations we
initially had said that we--you know, we went through all the
abuses. We went through previous IG reports. The IG was part of
the working group, and we initially had recommended an
independent contractor model rather than--you know, as a way to
preserve--as a way that we could better--feel better served,
close the gaps with regards to risks.
You know, we have CMS services in the House. Some of them
are employees that work for them, and they also provide IT
services. We use that model because we have a direct
relationship with the contractor, and if somebody's not working
out, then we call the contractor and we cut it off.
But when we started the--you know, we met with Mr. Davis'
group, there were concerns about that model. And so we decided
to do the model that I just described where we would work in
conjunction with Members' offices.
Does that make sense?
Mr. Walker. Yes.
Mr. Irving. And I will certainly agree with Mr. Kiko.
Initially, our view was how do you put as much control,
internal control and control over access to sensitive networks.
So, you know, myopically we can say, well, we should just
control the employee, but knowing that Members do want to hire
some of their own people, we had to work with that and
recognize that and appreciate that.
And I think we are in a good spot where we have--we are
able to satisfy both concerns, which is ensure that our
internal controls are safe, internal mechanisms for
cybersecurity, but also allow Members the ability to continue
to let Members, you know, hire people that they feel
comfortable with.
The key is just ensuring that we have those internal
controls, and sticking to them and that Members respect the
CAO's authority to, you know, to--in a sense, discipline
employees that may not be abiding by the rules.
Mr. Walker. So, Mr. Irving, do you put more emphasis on the
discipline in the internal controls, or do you place more
emphasis--and Mr. Kiko can respond to this as well--on reducing
the overall amount of privileged or shared employees? What is
your ultimate recommendation?
Mr. Irving. I would turn this over to Mr. Kiko, but my
comment is, I would have as few people have access to those
sensitive networks as possible. That is first and foremost. But
some will need to, certainly depending on the Member and the
committee they are on, et cetera. So those I would make sure
that Mr. Kiko has the authority to ensure that those internal
controls are met.
But I don't know, Phil, if you wanted to elaborate on that.
Mr. Kiko. I mean, I would just like there--from my
perspective, there be a justification for the access that we
are supposed to have. I am not necessarily trying to have
limits, you know, at least on privileged access.
You know, people, other than shared employees have access.
I just think there needs to be a good justification for what
access there is, and also that they comply with whatever
standards that we have. I am not really trying to grind them
down into not--you know, into a number.
Mr. Walker. That is fair. Fair argument.
Mr. Chairman, I yield back.
The Chairman. The gentleman yields back.
The Chair will now recognize the gentleman from Georgia,
Mr. Loudermilk, for 5 minutes.
Mr. Loudermilk. I thank you, Mr. Chairman.
I appreciate the panel being here. I am a little confused
though. Again, a guy with a military background, I am sitting
here looking, Mr. Kiko is a chief, Paul is a sergeant, and you
are a general. So I am not sure which one outranks who here.
But, hey, I appreciate the work that has been done here
because this is an issue of grave concern, but also it is a
balancing act. Because I think, as several Members have
expressed, one of the strengths of our--this legislative body
is the autonomy of each individual office, as compared to when
I was in the State legislature.
Our staff was appointed to us, the limited staff we had.
The Speaker of the House actually controlled who our employees
were, and it really limited the autonomy you have. And I think
that is one of the strengths that we have here is we are able
to actually operate as our own entity without due influence--
undue influence from the outside entities or leadership.
However, that strength also becomes a weakness when it
comes to the finances, and particularly IT. And as the
gentlelady from California spoke about, you know, policy not so
much a concern other than the access to the IT resources. So I
have, in the last few days, tried to strike where is that
balance?
On the IT side specifically, I had a couple questions, and
I kind of like the direction that we are going. I spoke to Mr.
Davis yesterday about what Mr. Kiko had defined earlier as a
direction we may be going.
One of the--we brought up certification. You know, from an
IT perspective, I can appreciate that. I think it is important
that, you know, who you hire does know what they are doing, or
maybe from the accounting and the finance side requiring a
licensing or a certification, you know.
But still, that is more of a job performance aspect to me
is that you--and being in the IT field, I am going to be able
to decipher whether you really know what you are doing or not.
My concern comes to the cybersecurity side and nondisclosure.
When we share employees, there is also an aspect to the
autonomy is, I don't want that shared employee sharing with
other offices what is going on with my office as well as
disclosing to some entity privacy information.
Do we have or have we considered a confidentiality
nondisclosure agreement that each of these shared employees
have to sign, or some training to go through that spells out
the penalties that--especially if they disclose, you know,
information that we have on constituents or information we are
working on.
And I will open that up to anyone. Is that something we
have, or is that something that has been discussed?
Mr. Kiko. Well, I know we have a shared employee manual,
and it requires nondisclosure. And so when the--you know, that
is a requirement to be a shared employee that you are not
supposed to disclose other Members' information. That is
already a requirement that the Committee, at the request of the
IG, had done and it is already in.
I don't know if there is a--they have to sign off that they
received and they are going to comply with everything that is
in the shared employee manual, but that is in that manual now.
It is not a specific letter, but that is part of the manual as
we----
Mr. Loudermilk. Does that spell out what penalties are,
i.e., you can go to jail?
Mr. Kiko. There aren't any penalties.
Mr. Loudermilk. Is that something that maybe we should look
at?
Mr. Kiko. Well, the only penalty would be termination, but
perhaps. I am willing to pursue that, whatever the Committee
would want to do.
Mr. Loudermilk. Mr. Irving.
Mr. Irving. I think that goes along--Congressman, it is an
excellent theme for some of the prior questions in terms of
what can we do to enhance our internal controls and our policy.
I think that is certainly one that I would endorse that we need
to strengthen.
Mr. Loudermilk. Okay. I appreciate that.
One other question, wherever we get to with this, is this
something that we would look at doing a new Member orientation
to make sure that every new Member that is coming in is fully
aware of the rules and responsibilities not only of the shared
employee, but their requirements as well? That may be something
for a staffer.
Mr. Kiko. We would be willing to have that as part--and
participate if that is what the Committee wanted to do.
Mr. Loudermilk. Okay. I yield back.
The Chairman. The gentleman yields back.
I will recognize Mr. Davis for a follow-up remark.
Mr. Davis. Mr. Kiko, once again--actually, I am glad my
colleague Mr. Loudermilk brought up compliance and
nondisclosure.
Now, when we had our Member listening sessions, we did
discuss--and hopefully, as a plan of action moving forward, we
might be able to implement some penalties for noncompliance up
to termination for noncompliance.
Do you think that would be easier to administer under the
current shared employee rules and regulations, or under maybe
some of the proposed changes we talked about today, running
those compliance measures through the CAO, Sergeant-at-Arms,
and House Administration?
Mr. Kiko. I mean, I think we should take a look at that. I
think that however we can make compliance easier we should do.
I don't--I think termination now, it is the shared employee, it
is the Member's responsibility to terminate. And it still will
be, but----
Mr. Davis. It will still be the Member's responsibility to
terminate, but you would be able to, hypothetically, under the
possible proposed guidelines, be able to revoke ID badges?
Mr. Kiko. Yes, we can revoke everything and then they can
still be employed, but it would be a much different role.
Mr. Davis. Yeah.
Mr. Kiko. And you could give the Committee some more
authority, too, on those kind of things when they see that.
Mr. Davis. Well, thank you for that suggestion.
And I just, again, want to say thank you. I know each of
you have worked hard on this issue.
Phil, you have been in the room with us listening to
Members. I truly appreciate the fact that through your
testimony today, based upon previous suggestions and previous
memos that have come out, that you listen to the Members.
And that is something that I just cannot say thank you
enough for, because our job is to address the Members' concerns
and do it in a way that is also going to address their
employees' concerns.
I look out in the audience, and raise your hand if you are
a shared employee. I hope each and every one of you understand
that your Member's concerns were heard.
And I look out and I see one of my shared employees sitting
here watching this, this hearing. Obviously, this is of concern
to those who were already at that status.
But please understand, we have to do a better job of
ensuring that we have better compliance, we have better
standards, and so those of you who are working very hard as a
shared employee right now can continue to do that job in the
future, and not let those who aren't determine your fate, too.
So thank you again, everyone.
And thank you, Mr. Chairman, for the opportunity.
The Chairman. The gentleman yields back.
The Chair will now recognize the gentlewoman from
California, Ms. Lofgren, for a closing remark.
Ms. Lofgren. Yes. Just a quick question, but before I do,
you know, we have examined ways to improve the shared employee
situation, but we really, really said there is some value to it
as well, because if you have to hire in each office a
specialist on IT, that doesn't make a lot of sense.
So having some shared expertise, whether it is located in
the CAO's office, or whether it is shared employees, does make
sense. We just need to make sure that the protections are in
place, that there is no risk to our security system or to any
of the requirements that are--we have adopted in the House.
In the June 2017 memo outlining recommendations, there was
a discussion that shared employees, both in finance and
technology, do work with nongovernment-furnished equipment
often at home, and that this could pose a risk to the House. I
would say that that work at home is not limited to shared
employees. I mean, full-time House employees do that as well.
I can think of circumstances where that would pose no risk
to the House, but you identified a potential risk to the House.
Could you outline what that would be and what steps we should
take to mitigate those risks?
Mr. Kiko. Well, I just think any--you know, technically
everybody is supposed to do work on House equipment, you know.
If you are going to do work, you do use the VPN if you are
supposed to communicate.
And if you don't, you are opening yourself up, your systems
up to people that are trying to hack in. There is a lot of
evidence of people that are trying to use these kind of
systems, you know. They are trying to hack in.
Ms. Lofgren. Well, but if I can, you know, the staff, they
work weekends, they work nights.
Mr. Kiko. Right.
Ms. Lofgren. You know, you are writing a speech, you are
writing questions for the hearing tomorrow night. They are on
their home computer helping to write--draft questions for you
for a witness.
Mr. Kiko. I think--yeah. I mean, I think that is very
difficult, obviously, to enforce, but to the extent that people
can use their own House, you know, equipment to do that, it
reduces the risk. That is about all I can say.
Ms. Lofgren. Well, I guess, I don't see the risk on the
policy issues that are--I mean, each Member is going to assess
their risk, whether the question gets out or not is a different
issue to whether our systems have been penetrated and security
issues posed. Am I right, Paul?
Mr. Irving. I absolutely agree with you. There is no
question we have to differentiate between the risk the Member
feels, let's say, to their data versus something that is a
violation of House policy, which may not be.
But, again, if you are at home working on your home
network, it is not going to be as secure as abiding by certain
of our policies. But, no, you are absolutely correct. There is
going to be the assumption of risk there, and that may be just
fine for the individual Member.
Ms. Lofgren. All right. Thank you, Mr. Chairman, for
allowing me to follow up on that.
The Chairman. Thank you very much, Ms. Lofgren.
And I want to thank each of you because I know how much you
all care about the institution of the House. You want it to
work at the best level, and we have--certainly appreciated that
hard work that you have had.
Again, I want to say thank you to the Ranking Member Brady
for his work.
And all of the staff, on both sides, have--are committed to
getting this right.
And I particularly, again, want to thank Mr. Davis for his
continued work on this issue. It is a serious matter on how we
improve the employees' safety features, let's say, particularly
as it relates to the IT issues.
And while I will not discuss details of an ongoing criminal
investigation, our goal is to make sure that we secure the
House for the future, so that nothing like that happens again.
So with that, thank you for your attendance.
Without objection, all Members will have 5 legislative days
to submit to the Chair additional written questions for the
witnesses, which we will forward to you and ask that you answer
promptly if you get them so that those answers can then be made
a part of the record.
Without objection, this hearing is adjourned.
[Whereupon, at 12:20 p.m., the Committee was adjourned.]