[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]

EXAMINING THE ROLE OF SHARED EMPLOYEES IN THE HOUSE

HEARING BEFORE THE COMMITTEE ON HOUSE ADMINISTRATION, HOUSE OF REPRESENTATIVES, ONE HUNDRED FIFTEENTH CONGRESS, SECOND SESSION

APRIL 12, 2018

Printed for the use of the Committee on House Administration

Available on the Internet: http://www.govinfo.gov

U.S. GOVERNMENT PUBLISHING OFFICE
32-657 WASHINGTON : 2018

Committee on House Administration

GREGG HARPER, Mississippi, Chairman
RODNEY DAVIS, Illinois, Vice Chairman
BARBARA COMSTOCK, Virginia
MARK WALKER, North Carolina
ADRIAN SMITH, Nebraska
BARRY LOUDERMILK, Georgia
ROBERT A. BRADY, Pennsylvania, Ranking Member
ZOE LOFGREN, California
JAMIE RASKIN, Maryland

THURSDAY, APRIL 12, 2018

House of Representatives, Committee on House Administration, Washington, D.C.

The Committee met, pursuant to call, at 11:16 a.m., in Room 1310, Longworth House Office Building, Hon. Gregg Harper [Chairman of the Committee] presiding.

Present: Representatives Harper, Davis, Comstock, Walker, Loudermilk, Brady, Lofgren, and Raskin.

Staff Present: Sean Moran, Staff Director; Kim Betz, Deputy Staff Director/General Counsel; Cole Felder, Deputy General Counsel; Dan Jarrell, Legislative Clerk; Erin McCracken, Communications Director; Jamie Fleet, Minority Staff Director; Khalil Abboud, Minority Deputy Staff Director; and Eddie Flaherty, Minority Chief Clerk.

The Chairman. I now call to order the Committee on House Administration for purposes of today's hearing on shared employees. A quorum is present, so we may proceed. The meeting record will remain open for 5 legislative days so that Members may submit any materials they wish to be included therein. My opening remarks will be brief.
Today's hearing will focus on the practice by which multiple member offices share employees to perform administrative functions, such as finance or information technology services. The practice of sharing employees began in the mid to late 1990s and continues today. However, there had been concerns about the lack of oversight and supervision shared employees have in their duties. The Office of Inspector General audited the practice in 2008, and again, in 2012. Today's hearing will provide this Committee with the opportunity to understand the history of the practice of sharing employees. Further, it will allow us the opportunity to review the current reporting and disclosure requirements imposed on shared employees and determine their effectiveness. Finally, the hearing will allow the Committee to understand the additional actions the House should take to ensure that all risks are addressed. I yield to my colleague and the Ranking Member, Mr. Brady, for purposes of an opening statement. Mr. Brady.

Mr. Brady. Thank you, Mr. Chairman, for holding--and thank you for holding this hearing today. Mr. Chairman, I have worked on the shared employees issue since I became Chairman in 2007. I had hearings on this topic, and we marked up new regulations to deal with this issue. I also supported the efforts of Chairman Lungren in 2012 to measure if what we were doing was working. We have more work to do. I won't support an overall limit on the number of offices that share technology and finance staff that can support. We should discuss that limit. I also support a background check as a condition of access to the network. We need to explore what these background checks measure and what we do with the results. I am very glad you have asked these witnesses here today. We have a fine group of House office in front of us. I consider Phil and Paul friends and look forward with our new inspector general once I learn how to pronounce your last name.
I look forward to the testimony, and I yield back the balance of my time.

The Chairman. The gentleman yields back. Does any other Member wish to be recognized for the purposes of an opening statement? Seeing none, we are honored to have yet another distinguished panel of witnesses before us, and I will now introduce those to the Committee.

Phil Kiko was sworn in as the Chief Administrative Officer of the House of Representatives on August the 1st of 2016. This is the second time Mr. Kiko is serving at the CAO. In the mid 1990s, Mr. Kiko joined the then-newly formed CAO, and his associate administrator for procurement and purchasing to help establish the procurement office. Mr. Kiko has a long record of dedicated service, both in the House and throughout the Federal Government. Most recently, Mr. Kiko served as staff director and general counsel for two House committees, including serving on this Committee from 2011 to 2012. Mr. Kiko also has worked in two other House committees and served as chief of staff at a Member's congressional office.

I would also like to introduce Paul Irving, our Sergeant-at-Arms. Paul Irving was sworn in as the Sergeant-at-Arms at the U.S. House of Representatives on January the 17th of 2012 during the second session of the 112th Congress. He is the 36th person to hold this post since 1789. Mr. Irving previously served as an assistant director of the U.S. Secret Service from 2001 to 2008 and served as a special agent with the Secret Service for 25 years.

I would now like to introduce Michael Ptasienski, House Inspector General. Michael Ptasienski was appointed as the fifth inspector general of the United States House of Representatives on February the 15th of 2018. Mr. Ptasienski previously served in the Office of Inspector General of the House as the Deputy Inspector General, advisory and administrative services, and as the director, management advisory services. He has been serving in the House since 2008.
Prior to joining the House, Mr. Ptasienski spent more than 15 years working in consulting and management roles in the financial services industry, and has several professional certifications in accounting, auditing, risk management, and project management.

Again, I want to thank each of you for being here today with us. The Committee has received each of your written testimony. At the appropriate time, I will recognize you for 5 minutes to present a summary of that submission. You know how this drill works with the timer that is there. We look forward to hearing from each of you. This is a very important hearing for us going forward. And the Chair now recognizes the Chief Administrative Officer, Phil Kiko, for 5 minutes.

STATEMENTS OF HON. PHILIP KIKO, HOUSE CHIEF ADMINISTRATIVE OFFICER, UNITED STATES HOUSE OF REPRESENTATIVES; HON. PAUL IRVING, HOUSE SERGEANT-AT-ARMS, UNITED STATES HOUSE OF REPRESENTATIVES; AND MICHAEL PTASIENSKI, INSPECTOR GENERAL, UNITED STATES HOUSE OF REPRESENTATIVES

STATEMENT OF HON. PHILIP KIKO

Mr. Kiko. Thank you for the opportunity to participate in today's hearing. The activity of certain shared employees and their technical service is one of the first issues that was brought to my attention when I became CAO. The House shared employees account for less than 1 percent of the estimated 10,000 House employees. Collectively, they work for roughly 75 percent of House offices. Unlike the majority of House employees, the oversight structure of the technical services they provide is fractured and decentralized. Because they are not employees of any House officer, we are limited in our ability to take swift corrective action when non-compliance with House policies and technical standards are detected. The problem is simple. Decentralized oversight leads to non-compliance and abuse of policies intended to protect the House. The solution is slightly more complicated, and one the House has been grappling with for the last decade.
With that, at the direction of the Committee, in February 2017, the House officer working group convened, and in June of last year, issued a report identifying over 2,000 gaps in the management structure, the subsequent risk to the House, and reforms to mitigate those risks. These gaps, in a broad perspective, relate to supervision and oversight of shared employees, or lack thereof, the delegation of tasks between shared employees, and the fact that they are sharing workloads and have informal supervisory agreements regardless of the employing authority. Improper vetting of the employees, and perhaps most problematic, the inability to enforce compliance with House information security policies. For example, the unauthorized assets to office data or commingling of data, the use of unsecured software, cloud service, email accounts, and equipment.

Many of these gaps are not necessarily new, but the risks associated with the gaps have changed and need to be addressed, particularly the risk that impact the House cybersecurity efforts. Cyber attacks, as you know, against the House, average 300 to 500 million each month. And the bookend to the outside threat is the insider threat. Tremendous efforts are dedicated to protecting the House against these outside threats; however, these efforts are undermined when employees do not adhere to and thumb their nose at our information security policy. And that is a risk, in my opinion, we cannot afford.

The working group concluded the most effective way to mitigate the risk of shared employee was to change the employment structure itself. And after the working group presented its recommendations, a Committee task force led by Representative Davis was created. It hosted multiple bipartisan listening sessions with Members on this topic, and I attended every one of those meetings. Members expressed a strong desire to retain shared employees as some of their duties can involve information that is sensitive in nature.
However, Members were under the impression that, due to the technical nature of the duties shared employees, whether IT or financial, underwent a more vigorous vetting process, and they were also open to the CAO having a more hands-on oversight on compliance with House standards. With this valuable feedback, a strategy was developed with the committee to mitigate risk and significantly modify the employment structure. It included the development of strict administrative standards for IT and shared financial administrators that would standardize the adherence to House policies and add additional oversight and compliance measures. The CAO would be the centralized oversight entity with enforcement capabilities while preserving Member choice in hiring. It mirrors the current contractor model in that it allows for vetting individuals who will have privileged access to the House network, and it creates the ability to immediately revoke access for those who comply with House IT and financial policies. It doesn't mean they are revoked forever. It is revoked until they comply. Critical oversight capabilities that Member offices I do not think have the bandwidth to deal with. The CAO stands ready to roll up its sleeves with the Committee and to close the gaps and greatly use the risks that are inherent in the current model. Thank you very much.

[The statement of Mr. Kiko follows:]

The Chairman. Thank you, Mr. Kiko. The Chair will now recognize Sergeant-at-Arms Paul Irving, for 5 minutes for the purposes of an opening statement.

STATEMENT OF HON. PAUL IRVING

Mr. Irving. Chairman Harper, Ranking Member Brady, and distinguished Members of the Committee, I appreciate the opportunity to participate in the Committee's hearing today regarding the use of shared employees in the House. As you know, the House Sergeant-at-Arms serves as the Chamber's principal law enforcement officer.
And from this perspective, shared employees present unique challenges. Shared employees have access to systems, offices, and personnel of multiple Members, and can potentially create a greater risk than an employee who has access to only one office's systems. Shared employees may also have access to sensitive information technology or financial records. As the House of Representatives has moved towards greater automation and increased use of digital technology, the vulnerabilities and risks have likewise increased. The risks posed by shared employees can be minimized by requiring background checks as well as robust internal controls. I would also recommend that shared employees be issued different ID cards. Because of the greater risk of shared employees, it is critical that a shared employee be thoroughly vetted by the offices. However, Members are generally free to set the terms and condition of employment in their office. When an employee works for a single Member office, the Member can monitor the individual's performance and determine the level of trust and responsibility that should be vested in that individual. In certain respects, the Member assumes the risks of hiring the individual. When an employee is shared among many Member offices, each Member is not as closely situated to monitor the individual's performance. The relationship between the Member and staffer is more attenuated, and knowledge about the employee's background is minimal. Thus, each Member potentially faces greater risk from the individuals who have access to sensitive information, technology, or financial data, as the Member is not as well positioned to vet or closely monitor the activities of the employee. Currently, the Capitol Police provides criminal background checks for Members' offices upon request. 
When developing a policy concerning background checks, the Committee may wish to adopt or consider the scope, frequency of the investigation, and the adjudication or background of the background check. Background checks are not a panacea, but they can serve as indicators that an individual is trustworthy or, conversely, potentially susceptibility to influences that could have negative repercussions for the entire House.

In addition to developing a uniform standard for background checks, it is also essential that there be uniformity in oversight as well as the institution of internal controls to ensure that all shared employees strictly adhere to the policies and procedures related to this unique position. The CAO has put together a strategy for developing internal controls and ensuring the maintenance and uniformity of standards of shared employee conduct. I would support these recommendations by the CAO regarding the continued development and enforcement of these procedures. I would also encourage all House offices to require strict adherence to the established standards as a condition of employment. Should an employee fail to comply with these standards, I fully support the CAO being granted the authority to revoke a shared employee's access to the House network.

One final area that can be leveraged to tighten security of shared employees is to provide a slightly different ID card to shared employees. Currently, ID cards are issued under one office, while a shared employee may work for many offices. Capitol Police officers can have difficulty identifying appropriate access when an individual's ID differs from the office in which they are working. If an ID card clearly denotes the employee of the shared staff, the officer can easily recognize that the individual might require further follow-up.

In sum, I want to thank the Committee for giving me the opportunity to testify today, and I am ready to answer any questions you may have. Thank you.

[The statement of Mr.
Irving follows:]

The Chairman. Thank you, Mr. Irving. The Chair will now recognize our House Inspector General, Michael Ptasienski, for 5 minutes.

STATEMENT OF MICHAEL PTASIENSKI

Mr. Ptasienski. Thank you Chairman Harper, Ranking Member Brady, and Members of the Committee. I am honored to be here today in my capacity as Inspector General of the House. My testimony today concerns two areas of shared employees: financial administrators and shared IT support staff. Shared employees fill administrative and technical support roles for both Member offices and Committees through part-time positions. This model allows congressional offices to get the back office help they need without having to hire full-time staff. It does, however, introduce some significant risks.

Since 2007, we have conducted a considerable amount of work that has highlighted risks associated with these types of shared employees. Specifically, we identified risks associated with inadequate management oversight of shared employee activities, a lack of segregation of duties within offices, and shared employee non-compliance with applicable laws and House rules. A particular concern is the role of the IT administrator. By its very nature, this role is highly sensitive and carries with it a whole host of risks.

The Office of Inspector General first noted risks associated with the shared employees in 2007 after a financial shared employee was able to defraud three Member offices for over $169,000. In this case, an employee had the authority to make purchases and controlled where items were delivered. In addition, they completed, approved, submitted, and--submitted vouchers for reimbursement. The same staffer also reviewed the office monthly financials and maintained all the office records. This highlights a lack of segregation of duties.
One employee should never have the ability to order items, receive the items, pay invoices, submit their own reimbursements, and reconcile the books. Some shared employees may be on the payroll for as many as 20 offices. In addition, there have been cases where shared employees worked together in teaming relationships. These teams collectively handled the work of multiple offices. As a result, individuals may be performing duties for an office while being neither a paid employee or contractor for that Member.

In 2008, the CHA adopted Resolution 110-7 and subsequently published the shared employee manual in 2009, which placed specific limitations on shared employees that were based upon employment laws, House rules, and CHA's policies. This manual outlined several new requirements, including having shared employees sign an acknowledgment that they understood and would comply with the applicable rules and guidelines. Not all shared employees, however, have been complying with these requirements. During a follow-up audit in 2012, we found that 45 percent of shared employees had not signed the required acknowledgment for understanding and complying with the manual. In addition, some shared employees continued to work as both an employee of the House, and as a contractor. And as recently as 2016, we found shared employee teaming relationships still exist.

In any office, the system administrator is someone you place a great deal of trust in. This role is inherently risky due to the level of system access they have. They essentially hold the keys to the kingdom, they can create accounts, grant access, view, download, update, and delete virtually any information within the office. Because of this high-level access, an incompetent or rogue system administrator could inflict considerable damage to an office and potentially disclose sensitive information, grant access to others, perform updates, or simply delete files.
In the case of shared employees, this high level access spans multiple offices. We have seen that shared employees typically have a great deal of autonomy in conducting their work. In the case of IT administrators, they are generally an office's sole IT subject matter expert, and others may not have complete insight into the actions that they perform. The existence of shared employee teaming relationships further increases the risk of having individuals who are not officially employed by a Member having access to their systems and data without the Member's knowledge.

Mr. Chairman, I thank you, Ranking Member Brady, and the Members of the Committee for this opportunity to highlight some of the risk and control weaknesses we have noted in the current shared employee model. We look forward to continuing to provide advice to this Committee on issues of importance to the House. At this time, I would be happy to answer any questions you have.

The Chairman. Thank you, Mr. Ptasienski.

[The statement of Mr. Ptasienski follows:]

The Chairman. We now have time for Committee Members to ask questions of each of you. Each Member is allotted 5 minutes to question the witnesses. I will begin by recognizing myself for 5 minutes. Mr. Kiko, I have a couple questions I would like to direct to you. The House officer working group identified and the listening sessions confirmed the importance of protecting Member choice as it relates to certain services needed by Member offices. In your opinion, how do we effectively mitigate the risk to the House that were identified in your June 30 memo and addressed in the working group's recommendations, while at the same time, continuing to recognize Members' employing authority? And are those two goals mutually exclusive of each other?

Mr. Kiko. No, I don't think they are.
And what really came out of the working sessions--or the Member sessions headed by Congressman Davis was the fact that Members were very interested in having some choice. I certainly understand that. So what we sort of are thinking about is that the Members can hire shared employees. But the shared employees have to--the other thing that came out of that was that there was some understanding that maybe some of the employees were technically adept. They were required to follow all the House procedures and standards. So what we sort of thought we could do as--the CAO could establish standards for IT and financial services that everybody would have to adhere to. Then we would--and it would be standard. It would be the same for everybody. We would have standard compliance with regards so we could check to make sure that everybody's complying with what these standards are. And then on the other side of the ledger, the Members would be able to hire who they wanted. But as part of those employee's performance standards, maybe there could be something in there that say they have to comply, you know, with House policies. And then if they wouldn't, we could deny access, or we could tell the Member about it or elevate it to the Committee. But I think that is the way you can have it both ways.

The Chairman. Okay. On January 19th of 2018, Ranking Member Mr. Brady wrote to me highlighting a number of steps he believes can be implemented immediately to mitigate some of the risk. Have you discussed these suggestions with HIR? And how do these steps fit in with the recommendations identified in your June 30, 2017 memo?

Mr. Kiko. I think a lot of those--in Mr. Brady's letter, I think a lot of those can be. Almost every one of them--all of them can be implemented. The one issue that we would have to work on a little bit is, you know, having a separate email for--every shared employee has a separate email account, and how would they email that, where would it go to?
Would it--how do you separate it? Would it go into one server, or could it be disaggregated? We don't know. But all those are fine. We agree with all those, and we can implement all of them.

The Chairman. And I am sure other Members will ask about this as well. But for you, Mr. Kiko, and for you, Mr. Irving, how important and how effective will the background checks be that you anticipate having? Mr. Irving may be the one to answer that.

Mr. Irving. The background check, as I testified, is not a panacea, but certainly important as a vetting process to determine, you know, who would be most suitable to work on our sensitive systems. Background checks take on a number of forms. Capitol Police will start off with an NCIC check, criminal history check, a credit check. I would recommend that we explore a little deeper level of check as well, to maybe former employers to see if there were any anomalies, especially if it was on the financial side or IT side. Not only--I wouldn't just focus on the background--the background check, but the adjudication of the check is important. Who actually is going to determine whether the employee is suitable. And we need to, I think, put some objective measure into that. And then last but not least, probably a check every 5 to 7 years or so just to make sure that we check to see if the employee has had any issues, you know, since employment.

The Chairman. Thank you, Mr. Irving. The Chair will now recognize Ranking Member Mr. Brady for 5 minutes for purposes of questions.

Mr. Brady. Thank you Mr. Chairman. My question is for all or anyone who would like to answer. One of the ideas that I won't support is limiting the number of offices that shared technology and finance staff support. However, if you impose this limit on the overall number, you are going to raise the cost of the services provided to each office.
So my question for all of you is do you support limiting the overall number of offices shared technology and finance staff can work for? And do you think there is a way we can help those offices that would experience an increase in cost, absorb that cost as we transition to this model? Anyone.

Mr. Kiko. I support limiting the number of offices shared employees can support. Limits reduce the risk and the problem of diffused supervision. Where you set the limit is the hard question. Is it 10? Is it 20? Is it 5? I do think that the CAO can maybe help with that transition in a couple of ways. One is on the financial side. There are two initiatives that we are going to do that may work, and maybe e-voucher or something that replaces the existing scan paper. And the other is maybe if we launch a new financial portal to get offices more information, you know, that they could--there wouldn't be the need right now. A lot of the financial processes are very paper-intensive. We are trying to eliminate that. But the issue of limiting offices I think is the--is how do you do that, and where do you draw the line on limiting the number of offices for shared employees? I don't know where that is. There has been as many as 20, 30. So that is all I have. On the IT side, I think that, you know, in the end, it would be great if the CAO would provide services, that you wouldn't need shared employees for IT services. We sort of hope that we would be able to do that in the future. I am not sure we are there yet, but we are trying to head that way.

Mr. Brady. Mr. Irving.

Mr. Irving. Not to place more of a burden on my esteemed colleague, Mr. Kiko, but certainly, some of this can be centrally managed. When we look at IT systems, I think a lot of that--those are services that the House offers, and I think that some of those services can be centrally managed which would, in fact, cut down on the number of shared employees.

Mr. Brady. Thank you.
Do we know how many--how many average--do shared employees--how many Congresspeople that they work for? I mean, is there an average that they work for 30? 20? 10? I mean, do they vary?

Mr. Kiko. I don't really know. I don't know that answer at this point. I think there are some that are more and there are some that are very few. But I don't have the exact answer right now. I should have, but----

Mr. Brady. It is hard to imagine that they work for, like, 20 and 15 Congresspeople and do an effective job. I mean----

Mr. Kiko. Yeah. I think it sort of depends up each individual offices, what are they doing and how much is being required of each office. That is what I don't know.

Mr. Brady. Well, again, Mr. Kiko, for you--this question is for you. I think that you are doing an excellent job as our CAO. And do you have an estimate of how much money it would cost for your office to support the technology functions that shared employees and vendors currently provide our office?

Mr. Kiko. Well, I sort of looked into that a little bit, and I sort of believe that--we estimate that it would cost about $125,000 for 10 offices. So that is about 12,000. If we would--we would have an employee in HIR, they would support 10 offices. And so that would be about 12,500 or 13,000, 14,000 annually. So that is what we would think it would be if we would support it ourselves.

Mr. Brady. Thank you. Thank you, Mr. Chairman. And thank all of you. And I am very happy and proud to work with all of you. You do an excellent job. Thank you.

The Chairman. Thank you, Mr. Brady. The Chair will now recognize the Vice Chairman of the Committee, the gentleman from Illinois, Mr. Davis, for 5 minutes.

Mr. Davis. Thank you, Mr. Chairman, and thank you to each of the witnesses. I appreciate, Mr. Chairman, you tasking us with running the listening sessions that were bipartisan listening sessions.
We had Members come in, Members who had shared employees, Members who were just concerned about the process, to get to know a little better about what these processes were. And I think Mr. Kiko laid out very effectively in his opening statement some of the concerns that Members had, and also, some of the perceptions Members had of possible background checks and other details that they thought may have been run through your office, the CAO, but in reality, they weren't done. So that is what gets me to my first question. Mr. Kiko, you mentioned a number of compliance mechanisms that were suggested during those Member listening sessions and afterwards to help mitigate the risk of shared employees. And these suggestions included a badging authority through the Sergeant-at-Arms. And thank you, Mr. Irving, for mentioning that in your opening statement too. CAO developed committee-approved technology administration standards and financial administration standards; CAO control access to all enterprise systems; enforcement of new standards through the CAO controlled access to enterprise systems; CAO authority to terminate access for any shared IT or finance employee who is non-compliant with standards that currently exist; background checks, although at differing levels, as mentioned by Mr. Irving, for all IT and finance shared employees. Would you describe, Mr. Kiko, how these implement--how these mechanisms could be implemented and enforced?

Mr. Kiko. Well, I think that--I think the first thing we have to do is to standardize, you know, what are the requirements for shared employees, whether it is IT or financial. And those standards should be high. It should be, you know, what is the normal industry standard for this kind of a function. Obviously, you have to apply it to the House. And with regards to--and then there has to be a monitoring mechanism that the CAO would have to do. They could do spot checks on compliance.
We are not talking about spot checks on getting into Member emails and stuff. We are just trying to see are they complying--you know, maybe every month. Are they complying with whatever the standards that we set, and the expectations that we set? And then if people are not, then we either give them a warning that they need to--they need to come into compliance. If they don't, we deny access or we elevate it. Some of that stuff could be worked out with the Committee on what you want. I would say that is how you would implement it. It would require--it may require, you know, one employee, or two in the CAO's office, to make sure, you know, that everything is being done correctly.

Mr. Davis. I see a few of your employees sitting behind you. Do you feel that the CAO has the ability to implement these suggested changes?

Mr. Kiko. Yes, I do. Yeah. And I tried to limit the number of people that came here.

Mr. Davis. Well, you brought--Clocker was one too many. But that is okay. Mr. Irving, I am very glad you mentioned the single badging authority. Can you expand somewhat on how you think that might help address some of the IG considerations that have been brought up before?

Mr. Irving. It would just be one facet. When individual Members hire, their badge indicates where they are assigned or what Member they are employed by. A shared employee that has access to many Member offices is in a different category. And if a Capitol Police officer sees them in one area versus another, if someone questions them, not knowing that they are a shared employee could cause them to not follow up when they probably should follow up. So only one other area of--just another facet. Certainly not in and of itself, something that is going to satisfy everything.

Mr. Davis. Great. Thank you. One last question, Mr. Kiko.
When we had our Member listening sessions, we talked about the lack of a compliance, complete compliance for the background and financial disclosure information and compliance measures that shared employees--the compliance rate they were at before the listening sessions. After you sent out some correspondence to the existing shared employees, what is the compliance rate right now for the disclosures and other information that we are requiring of them already? Mr. Kiko. You mean on the financial disclosure? Mr. Davis. The financial disclosures. Mr. Kiko. I am not exactly sure what that is, because we did follow up. But that is more of an Ethics Committee issue. Mr. Davis. Well, what about the information that you had? Mr. Kiko. The information that we had is that, you know, most people are now in compliance, if not all. And I have had to send some emails out to people. Either you are going to get in compliance or we are going to cut you off. I did have one of those. Mr. Davis. And you saw a great response to that of those who may not have been compliant? Mr. Kiko. We are okay on this now. Mr. Davis. Thank you. The Chairman. The gentleman yields back. And I would like to give a thank you to Rodney Davis as our Vice Chairman who has done yeoman's work and countless hours of working with--I know with each of you and working on this issue. So, Mr. Davis, we thank you for that outstanding work that I know we will bring to a conclusion at some point. And you will probably be happy when that happens. But we couldn't be in this position for the good of the House without your effort, so we appreciate it. The Chair will now recognize the gentlewoman from California, Ms. Lofgren, for 5 minutes. Ms. Lofgren. Well, thank you very much. And thanks to each of you for your important testimony. And to you, Mr. Chairman and Mr. Brady, for convening this important hearing. I think it is important to make a distinction between the kinds of shared employees that we have. 
There are technical shared employees that go from office to office, and they are primarily doing financial accounting work and IT work. And then there are, like, policy shared employees where the shared employee is actually moved around the payroll, but it is really for a shared policy goal. For example, you know, the Progressive Caucus or the Freedom Caucus might share the expense of a salary. Or State delegations have--you know, share the expense of a salary. In 1995, it used to be, prior to 1995, that you could just--each office could contribute and just hire the person rather than going through this roll-around. I am not sure that what we did made any sense, honestly. It just increased the paperwork when it comes to policy issues. And that might be something to look at, Mr. Chairman. But when it comes to the shared employees who are doing IT work or financial services, that is where we have the problem. And I think it is important to make that distinction. Other Members have raised important issues relative to financial services. I wanted to focus on the IT function. You know, for years, on a bipartisan basis, we have worked, Mr. Kiko, with your office, centralized services, ranging from magazine subscriptions to cybersecurity. It really doesn't make sense to have individual offices go out and buy their own furniture. We centralized that function. And so one of the concerns and, frankly, one of the complaints I have heard, and I suspect it is a resource issue for you, is that the CAO can be slow to support products that our consumers have moved to. And when that happens, Members and staff start using these products anyway. And then they circumvent security rules and regulations, because that is the product that they find useful. And so I am wondering what HIR is doing to keep current with the latest tools available in the market? How do you identify those tools? Assess their security vulnerabilities, train your support staff to help with them? 
What role does HIR currently play in minimizing the risks that the status quo poses to the House, understanding that Members are going to move to new technology, and is that a resource issue for you? Mr. Kiko. Well, we are constantly--we try to be on the cutting edge of new technology that Members are using. Many times a Member office will ask us about a new technology, and then we try to vet it. We try to see where the security issues are, you know, whether there is any problems, whether problems have been identified, you know, in the private sector when they have used stuff. I have not checked to see whether this is a resource issue. But I know it is a very big problem, because, you know, we have all these technologies that Members would like to use. And then we read in the paper or we hear, you know, from some of our, you know, investigations and research that we do that there is a problem, you know, and stuff that has to be patched and all that, so--but it is a constant issue of, as you say, Members want the--some Members want the best and the latest. And sometimes stuff is vetted. If we find out that stuff isn't vetted correctly, we try to hurry up and try to do it to make sure there is not a problem, you know, with a whole---- Ms. Lofgren. Right. Let me ask you this: When you hire HIR staff, I think you examine their professional credentials, their certifications, their training for the function you are hiring them to perform. Mr. Kiko. Yeah. It is very rigorous. Ms. Lofgren. And by the way, I think the IT staff I have interfaced with are excellent. They do a good job. Now, when Member offices hire shared IT staff, are they required to meet the same training and certification that your own staff is? Mr. Kiko. There is not a requirement for Members' offices, because they are the employing authority. Ms. Lofgren. Right. Maybe we should look at making those certifications a requirement if you are going to access the system. Mr. Kiko. I support that. Ms. Lofgren. 
I am also interested in terms of shared IT staff. There is a concern that they don't always implement necessary upgrades or modifications or software patches. Does HIR staff ever perform those duties if a shared IT staff drops the ball to protect our system? Mr. Kiko. Yeah, we do. And we are, for the most part, responsible for that. But if a shared IT employee calls us, we will do it. It happens frequently. Ms. Lofgren. I see my time has expired. Thank you, Mr. Chairman. The Chairman. Thank you, Ms. Lofgren. The Chair will now recognize the gentlewoman from Virginia, Mrs. Comstock, for 5 minutes. Mrs. Comstock. Thank you. And I thank the Chairman and the Vice Chairman for the work they have done on your going through and finding out the holes in the policies and you all working with that. So I really appreciate that in going forward. And I know, you know, the public is rightfully, you know, very upset about how this was handled in the past and that this egregious example that is now being criminally investigated was allowed to occur. And I know, because of the criminal investigation, you aren't allowed to talk about that. But could you just address, you know, for public purposes, that as that criminal case goes forward and as that is resolved, that any additional suggestions or changes that might be apparent through what we learn from now can be addressed and making sure that whatever holes they were allowed to get through, I think it seems like we have identified a lot of them from what we know, but given that is still going forward, and we don't know everything, could you just assure for the public that that will be sort of an ongoing review when that is wrapped up? Mr. Irving. Congresswoman, I think everything that we have discussed today and the purpose of this hearing certainly is to get us there. 
And I will tell you that I am very, very confident that the CAO is putting measures in place and doing everything he can to put measures in place with the support of this Committee to mitigate some of those issues that caused us to be where we are today. So, no, I am confident that we are certainly making a lot of progress. Ultimately, as you know, it is the balance between the Member interest and the governmental interest, the House interest, in really trying to come to a good place. So I think we have accomplished a lot, even in the time during which this investigation has been ongoing. And with that, I will ask Mr. Kiko if he wants to follow up. But I hope that satisfies you. Mr. Kiko. No. I will just say that the abuses by certain shared employees have provided the CAO, and I think the Committee, with a roadmap on what needs to be closed. And that is what I want to do is to close the gaps. Mrs. Comstock. All right. No, and I appreciate that--you know, to the extent that that roadmap is public now, that you have been able to address that and just wanted to make sure, as we get more information, you know, that may not apparent at this point, that we can follow up on that. So I thank you for the work you are doing on that front. And I yield back. The Chairman. The gentlewoman yields back. The Chair will now recognize Mr. Raskin for 5 minutes. Mr. Raskin. Mr. Chairman, thank you very much, and thanks to all of our distinguished witnesses today. All of you have discussed different risks that the current situation presents to the House, including risks involving oversight, cybersecurity, physical security, money, and so on. Do you believe that your offices have sufficient authority now under existing House rules to address those risks, or does the Committee need to consider providing additional authority to you in order to deal with it? And maybe we just go right down the line. Mr. Kiko. 
I would just say that, you know, we are in the process of working with the Committee to reduce the risk by giving the CAO a little more oversight authority over abuses. Now, this is just for the CAO purposes. And I think that if we have more authority and we can, you know, set standards, do compliance, I think that will greatly reduce the risk in cooperation with the Member and working with the Committee. Because right now, we don't really--because these are Member employees and we don't have a lot of authority to deal with that, and it just hasn't happened, even though we found about how the abuses can be--how the weak spots can be exploited, we think that will go a long ways. Mr. Raskin. Let me just follow up quickly with you, then. Would it make sense--obviously, what we have got, you know, cherished traditions of Member autonomy and some constitutional background to that with the speech and debate clause, but would it make sense for us to generate more authority in your office or in some constellation of these offices, to deal with shared employees on the theory that if a Member wants to go outside of the usual situation of having an employee reporting directly to her? Mr. Kiko. I mean, I wouldn't be opposed to that. That is sort of a fine line, you know, between CAO and Member autonomy. But I am in favor of exploring that. I think it would help. Mr. Raskin. Mr. Irving. Mr. Irving. I am certainly in agreement with the CAO. I think that, as I alluded to earlier, when the governmental interest is so heavy and when we get to cybersecurity, we really have a governmental interest. We certainly have to recognize the Member interest as well. 
But I am in favor of giving the CAO those--the authority so that, for example, to Congresswoman Lofgren's point earlier on standards, maybe we need to make sure that even though the Member is the employing authority, if they want to bring someone on to do IT, for example, they should comply with certain standards, have certain background. And the same with the internal controls. I think the CAO needs every internal control available to him or her to ensure that these employees are, in fact, complying with rules and regulations, and then have the authority, certainly, to take certain action even though they are employed by a Member. And I know it is a very, very careful balance. Mr. Kiko. I don't want anybody to get the impression I am trying to grab more authority. I am trying to grab more power. That is not the case here. I am just trying to walk a very fine line in conjunction with the Committee to see, you know, where that sweet spot is. That is what I am trying to do. Mr. Raskin. Great. Thank you. Mr. Ptasienski. I think the--as the Chief Administrative Officer said, I think they are the primary organization looking at--or monitoring compliance with a lot of these finance and technology policies. And as such, they have got a tough job in trying to enforce those. And I think if there is--if he can't, and his folks, as they interact with offices, get people to comply with those policies, if he needs a stick, he may need a stick in some areas, and we would support that. We put a lot of pressure as we make recommendations to the CAO to fix the various issues and so forth. And I have full appreciation for the tough job that they have in balancing some of the particularities of here working in the House. Mr. Raskin. Thank you very much. I yield back, Mr. Chairman. The Chairman. The gentleman yields back. The Chair will now recognize the gentleman from North Carolina, Mr. Walker, for 5 minutes. Mr. Walker. Thank you Mr. Chairman. 
My time is centered basically around one area regarding the working group. And I wanted to get your thoughts on that, both to Mr. Kiko and Mr. Irving, on the--briefly, you have described the objectives of the working group, how it conducted its work. And I know it has reached, I believe, six conclusions. Could you talk about how that factors into your recommendations? Mr. Kiko, let's start with you. Mr. Kiko. Yeah. I think that on our recommendations we initially had said that we--you know, we went through all the abuses. We went through previous IG reports. The IG was part of the working group, and we initially had recommended an independent contractor model rather than--you know, as a way to preserve--as a way that we could better--feel better served, close the gaps with regards to risks. You know, we have CMS services in the House. Some of them are employees that work for them, and they also provide IT services. We use that model because we have a direct relationship with the contractor, and if somebody's not working out, then we call the contractor and we cut it off. But when we started the--you know, we met with Mr. Davis' group, there was concerns about that model. And so we decided to do the model that I just described where we would work in conjunction with Members' offices. Does that make sense? Mr. Walker. Yes. Mr. Irving. And I will certainly agree with Mr. Kiko. Initially, our view was how do you put as much control, internal control and control over access to sensitive networks. So, you know, myopically we can say, well, we should just control the employee, but knowing that Members do want to hire some of their own people, we had to work with that and recognize that and appreciate that. 
And I think we are in a good spot where we have--we are able to satisfy both concerns, which is ensure that our internal controls are safe, internal mechanisms for cybersecurity, but also allow Members the ability to continue to let Members, you know, hire people that they feel comfortable with. The key is just ensuring that we have those internal controls, and sticking to them and that Members respect the CAO's authority to, you know, to--in a sense, discipline employees that may not be abiding by the rules. Mr. Walker. So, Mr. Irving, do you put more emphasis on the discipline in the internal controls, or do you place more emphasis--and Mr. Kiko can respond to this as well--on reducing the overall amount of privileged or shared employees? What is your ultimate recommendation? Mr. Irving. I would turn this over to Mr. Kiko, but my comment is, I would have as few people have access to those sensitive networks as possible. That is first and foremost. But some will need to, certainly depending on the Member and the committee they are on, et cetera. So those I would make sure that Mr. Kiko has the authority to ensure that those internal controls are met. But I don't know, Phil, if you wanted to elaborate on that. Mr. Kiko. I mean, I would just like there--from my perspective, there be a justification for the access that we are supposed to have. I am not necessarily trying to have limits, you know, at least on privileged access. You know, people, other than shared employees have access. I just think there needs to be a good justification for what access there is, and also that they comply with whatever standards that we have. I am not really trying to grind them down into not--you know, into a number. Mr. Walker. That is fair. Fair argument. Mr. Chairman, I yield back. The Chairman. The gentleman yields back. The Chair will now recognize the gentleman from Georgia, Mr. Loudermilk, for 5 minutes. Mr. Loudermilk. I thank you, Mr. Chairman. 
I appreciate the panel being here. I am a little confused though. Again, a guy with a military background, I am sitting here looking, Mr. Kiko is a chief, Paul is a sergeant, and you are a general. So I am not sure which one outranks who here. But, hey, I appreciate the work that has been done here because this is an issue of grave concern, but also it is a balancing act. Because I think, as several Members have expressed, one of the strengths of our--this legislative body is the autonomy of each individual office, as compared to when I was in the State legislature. Our staff was appointed to us, the limited staff we had. The Speaker of the House actually controlled who our employees were, and it really limited the autonomy you have. And I think that is one of the strengths that we have here is we are able to actually operate as our own entity without due influence--undue influence from the outside entities or leadership. However, that strength also becomes a weakness when it comes to the finances, and particularly IT. And as the gentlelady from California spoke about, you know, policy not so much a concern other than the access to the IT resources. So I have, in the last few days, tried to strike where is that balance? On the IT side specifically, I had a couple questions, and I kind of like the direction that we are going. I spoke to Mr. Davis yesterday about what Mr. Kiko had defined earlier as a direction we may be going. One of the--we brought up certification. You know, from an IT perspective, I can appreciate that. I think it is important that, you know, who you hire does know what they are doing, or maybe from the accounting and the finance side requiring a licensing or a certification, you know. But still, that is more of a job performance aspect to me is that you--and being in the IT field, I am going to be able to decipher whether you really know what you are doing or not. My concern comes to the cybersecurity side and nondisclosure. 
When we share employees, there is also an aspect to the autonomy is, I don't want that shared employee sharing with other offices what is going on with my office as well as disclosing to some entity privacy information. Do we have or have we considered a confidentiality nondisclosure agreement that each of these shared employees have to sign, or some training to go through that spells out the penalties that--especially if they disclose, you know, information that we have on constituents or information we are working on. And I will open that up to anyone. Is that something we have, or is that something that has been discussed? Mr. Kiko. Well, I know we have a shared employee manual, and it requires nondisclosure. And so when the--you know, that is a requirement to be a shared employee that you are not supposed to disclose other Members' information. That is already a requirement that the Committee, at the request of the IG, had done and it is already in. I don't know if there is a--they have to sign off that they received and they are going to comply with everything that is in the shared employee manual, but that is in that manual now. It is not a specific letter, but that is part of the manual as we---- Mr. Loudermilk. Does that spell out what penalties are, i.e., you can go to jail? Mr. Kiko. There aren't any penalties. Mr. Loudermilk. Is that something that maybe we should look at? Mr. Kiko. Well, the only penalty would be termination, but perhaps. I am willing to pursue that, whatever the Committee would want to do. Mr. Loudermilk. Mr. Irving. Mr. Irving. I think that goes along--Congressman, it is an excellent theme for some of the prior questions in terms of what can we do to enhance our internal controls and our policy. I think that is certainly one that I would endorse that we need to strengthen. Mr. Loudermilk. Okay. I appreciate that. 
One other question, wherever we get to with this, is this something that we would look at doing a new Member orientation to make sure that every new Member that is coming in is fully aware of the rules and responsibilities not only of the shared employee, but their requirements as well? That may be something for a staffer. Mr. Kiko. We would be willing to have that as part--and participate if that is what the committee wanted to do. Mr. Loudermilk. Okay. I yield back. The Chairman. The gentleman yields back. I will recognize Mr. Davis for a follow-up remark. Mr. Davis. Mr. Kiko, once again--actually, I am glad my colleague Mr. Loudermilk brought up compliance and nondisclosure. Now, when we had our Member listening sessions, we did discuss--and hopefully, as a plan of action moving forward, we might be able to implement some penalties for noncompliance up to termination for noncompliance. Do you think that would be easier to administer under the current shared employee rules and regulations, or under maybe some of the proposed changes we talked about today, running those compliance measures through the CAO, Sergeant-at-Arms, and House Administration? Mr. Kiko. I mean, I think we should take a look at that. I think that however we can make compliance easier we should do. I don't--I think termination now, it is the shared employee, it is the Member's responsibility to terminate. And it still will be, but---- Mr. Davis. It will still be the Member's responsibility to terminate, but you would be able to, hypothetically, under the possible proposed guidelines, be able to revoke ID badges? Mr. Kiko. Yes, we can revoke everything and then they can still be employed, but it would be a much different role. Mr. Davis. Yeah. Mr. Kiko. And you could give the Committee some more authority, too, on those kind of things when they see that. Mr. Davis. Well, thank you for that suggestion. And I just, again, want to say thank you. I know each of you have worked hard on this issue. 
Phil, you have been in the room with us listening to Members. I truly appreciate the fact that through your testimony today, based upon previous suggestions and previous memos that have come out, that you listen to the Members. And that is something that I just cannot say thank you enough for, because our job is to address the Members' concerns and do it in a way that is also going to address their employees' concerns. I look out in the audience, and raise your hand if you are a shared employee. I hope each and every one of you understand that your Member's concerns were heard. And I look out and I see one of my shared employees sitting here watching this, this hearing. Obviously, this is of concern to those who were already at that status. But please understand, we have to do a better job of ensuring that we have better compliance, we have better standards, and so those of you who are working very hard as a shared employee right now can continue to do that job in the future, and not let those who aren't determine your fate, too. So thank you again, everyone. And thank you, Mr. Chairman, for the opportunity. The Chairman. The gentleman yields back. The Chair will now recognize the gentlewoman from California, Ms. Lofgren, for a closing remark. Ms. Lofgren. Yes. Just a quick question, but before I do, you know, we have examined ways to improve the shared employee situation, but we really, really said there is some value to it as well, because if you have to hire in each office a specialist on IT, that doesn't make a lot of sense. So having some shared expertise, whether it is located in the CAO's office, or whether it is shared employees, does make sense. We just need to make sure that the protections are in place, that there is no risk to our security system or to any of the requirements that are--we have adopted in the House. 
In the June 2017 memo outlining recommendations, there was a discussion that shared employees, both in finance and technology, do work with nongovernment-furnished equipment often at home, and that this could pose a risk to the House. I would say that that work at home is not limited to shared employees. I mean, full-time House employees do that as well. I can think of circumstances where that would pose no risk to the House, but you identified a potential risk to the House. Could you outline what that would be and what steps we should take to mitigate those risks? Mr. Kiko. Well, I just think any--you know, technically everybody is supposed to do work on House equipment, you know. If you are going to do work, you do use the VPN if you are supposed to communicate. And if you don't, you are opening yourself up, your systems up to people that are trying to hack in. There is a lot of evidence of people that are trying to use these kind of systems, you know. They are trying to hack in. Ms. Lofgren. Well, but if I can, you know, the staff, they work weekends, they work nights. Mr. Kiko. Right. Ms. Lofgren. You know, you are writing a speech, you are writing questions for the hearing tomorrow night. They are on their home computer helping to write--draft questions for you for a witness. Mr. Kiko. I think--yeah. I mean, I think that is very difficult, obviously, to enforce, but to the extent that people can use their own House, you know, equipment to do that, it reduces the risk. That is about all I can say. Ms. Lofgren. Well, I guess, I don't see the risk on the policy issues that are--I mean, each Member is going to assess their risk, whether the question gets out or not is a different issue to whether our systems have been penetrated and security issues posed. Am I right, Paul? Mr. Irving. I absolutely agree with you. 
There is no question we have to differentiate between the risk the Member feels, let's say, to their data versus something that is a violation of House policy, which may not be. But, again, if you are at home working on your home network, it is not going to be as secure as abiding by certain of our policies. But, no, you are absolutely correct. There is going to be the assumption of risk there, and that may be just fine for the individual Member. Ms. Lofgren. All right. Thank you, Mr. Chairman for allowing me to follow up on that. The Chairman. Thank you very much, Ms. Lofgren. And I want to thank each of you because I know how much you all care about the institution of the House. You want it to work at the best level, and we have--certainly appreciated that hard work that you have had. Again, I want to say thank you to the Ranking Member Brady for his work. And all of the staff, on both sides, have--are committed to getting this right. And I particularly, again, want to thank Mr. Davis for his continued work on this issue. It is a serious matter on how we improve the employees' safety features, let's say, particularly as it relates to the IT issues. And while I will not discuss details of an ongoing criminal investigation, our goal is to make sure that we secure the House for the future, so that nothing like that happens again. So with that, thank you for your attendance. Without objection, all Members will have 5 legislative days to submit to the Chair additional written questions for the witnesses, which we will forward to you and ask that you answer promptly if you get them so that those answers can then be made a part of the record. Without objection, this hearing is adjourned. [Whereupon, at 12:20 p.m., the Committee was adjourned.]