[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]

IMPROVING SECURITY AND EFFICIENCY AT OPM AND THE NATIONAL BACKGROUND INVESTIGATIONS BUREAU

HEARING BEFORE THE COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION

FEBRUARY 2, 2017

Serial No. 115-12

Printed for the use of the Committee on Oversight and Government Reform

Available via the World Wide Web: http://www.fdsys.gov http://oversight.house.gov

U.S. GOVERNMENT PUBLISHING OFFICE
26-358 PDF WASHINGTON : 2017

Committee on Oversight and Government Reform

Jason Chaffetz, Utah, Chairman

John J. Duncan, Jr., Tennessee
Darrell E. Issa, California
Jim Jordan, Ohio
Mark Sanford, South Carolina
Justin Amash, Michigan
Paul A. Gosar, Arizona
Scott DesJarlais, Tennessee
Trey Gowdy, South Carolina
Blake Farenthold, Texas
Virginia Foxx, North Carolina
Thomas Massie, Kentucky
Mark Meadows, North Carolina
Ron DeSantis, Florida
Dennis A. Ross, Florida
Mark Walker, North Carolina
Rod Blum, Iowa
Jody B. Hice, Georgia
Steve Russell, Oklahoma
Glenn Grothman, Wisconsin
Will Hurd, Texas
Gary J. Palmer, Alabama
James Comer, Kentucky
Paul Mitchell, Michigan

Elijah E. Cummings, Maryland, Ranking Minority Member
Carolyn B. Maloney, New York
Eleanor Holmes Norton, District of Columbia
Wm. Lacy Clay, Missouri
Stephen F. Lynch, Massachusetts
Jim Cooper, Tennessee
Gerald E. Connolly, Virginia
Robin L. Kelly, Illinois
Brenda L. Lawrence, Michigan
Bonnie Watson Coleman, New Jersey
Stacey E. Plaskett, Virgin Islands
Val Butler Demings, Florida
Raja Krishnamoorthi, Illinois
Jamie Raskin, Maryland

Jonathan Skladany, Staff Director
William McKenna, General Counsel
Julie Dunne, Senior Counsel
Michael Flynn, Counsel
Sharon Casey, Deputy Chief Clerk
David Rapallo, Minority Staff Director

C O N T E N T S

Hearing held on February 2, 2017

WITNESSES

Ms. Kathleen McGettigan, Acting Director, U.S. Office of Personnel Management
    Oral Statement
    Written Statement
Mr. David DeVries, Chief Information Officer, U.S. Office of Personnel Management
    Oral Statement
Mr. Cord Chase, Chief Information Security Officer, U.S. Office of Personnel Management
    Oral Statement
Mr. Charles Phalen, Director, National Background Investigations Bureau
    Oral Statement
Mr. Terry Halvorsen, Chief Information Officer, U.S. Department of Defense
    Oral Statement
    Written Statement

APPENDIX

February 9, 2016, Worldwide Threat Assessment by Mr. James Clapper, submitted by Mr. Lynch
Response from the Office of Personnel Management to Questions for the Record

IMPROVING SECURITY AND EFFICIENCY AT OPM AND THE NATIONAL BACKGROUND INVESTIGATIONS BUREAU

Thursday, February 2, 2017

House of Representatives, Committee on Oversight and Government Reform, Washington, D.C.

The committee met, pursuant to call, at 9:02 a.m., in Room 2154, Rayburn House Office Building, Hon. Jason Chaffetz [chairman of the committee] presiding.
Present: Representatives Chaffetz, Jordan, Amash, Massie, Meadows, DeSantis, Ross, Blum, Hice, Grothman, Hurd, Palmer, Comer, Mitchell, Cummings, Maloney, Lynch, Connolly, Kelly, Lawrence, Plaskett, Demings, Krishnamoorthi, and Raskin.

Chairman Chaffetz. The Committee on Oversight and Government Reform will come to order. And without objection, the chair is authorized to declare a recess at any time.

I appreciate you all being here. We have a very important hearing. We have a number of members that, I'm sure, will be here but will be a little bit late. There is the National Prayer Breakfast, and getting across town at this time of day is a very difficult task, so----

But, nevertheless, I'm glad to have you here and look forward to this important hearing.

Two years ago, the Office of Personnel Management suffered one of the most damaging data breaches in the history of the Federal Government. This went on for some time, and there are still additional details that need to be learned. But the counterintelligence value of the data that was stolen will last for an untold amount of time, a generation or so. So it troubles me to hear reports that maybe some of the things that led to this haven't necessarily been changed at the Office of Personnel Management.

We have a number of questions that I think we need to explore. For example, are legacy systems still in use for backup investigations? Is OPM employing good cybersecurity practices such as dual factor authentication and network segmentation? What is the plan to transition all of OPM's systems off this legacy technology? When will OPM stop using unsecured and vulnerable legacy technologies such as Cobalt and start using maybe some modernized solutions that can be put on the cloud? How is OPM protecting the inside of the network and not just building the cyberwalls higher? Will OPM adopt a zero-trust model as part of their cybersecurity strategy?
You can't steal what you can't access, and a zero-trust model makes life much harder for the hackers. These are some of the questions we'll continue to ask and explore.

We said it in the committee's data breach report, and I'll say it again, chief information officers matter. They really do matter. That's why we have two of them on the panel today. Federal agencies, particularly CIOs, must recognize their positions are on the frontline of defense against these cyber attacks. And as the government, we're on notice. Leadership at the Federal agencies must be vigilant about the ever-present national security threats targeting their IT systems. And especially in OPM's case where the IT systems are protecting some of the most vulnerable information held by the Federal Government.

The National Background Investigation Bureau, also known as NBIB, N-B-I-B, was partly born from the failures at the Office of Personnel Management. When OPM last testified before the committee, in February of 2016, the NBIB had just been announced. During the hearing, questions were raised about the accountability and how this new organization would operate given the split responsibilities with OPM overseeing the NBIB and the Department of Defense overseeing the IT security of the NBIB. Today, we'd like answers to those questions and assurances that we're moving in the right direction and also, as to when the new organization will be fully operational with a secure IT environment. Was the creation of the NBIB simply a rebranding effort, or does the NBIB represent real change?

At our last hearing, we talked about how the many security clearance processes failed to check social media information of the applicants. The day before our follow-up hearing in May of 2016, the director of National Intelligence issued a new policy permitting the collection of publicly available social media information in certain cases. We'd like to understand how this policy is being implemented and if it is effective.
Finally, the clearance process seems to be getting worse while the reform process continues. My understanding is at least--based on an OPM management memo of October 2016, there's a backlog--at least then--there was a backlog of 569,000 cases. That's quite a list. It does beg the question as to why we have to have so many background checks, but where are we at in terms of the backlog? And why, despite all the reform activities, is the clearance process taking longer? In fiscal year 2015, it took an average of 95 days to process a secret clearance and 179 days for a top secret clearance. In fiscal year 2016, it took an average of 166 days to process a secret clearance and 246 for a top secret clearance. That's quite a jump in the timeline that it takes in order to get there.

More than a decade ago, the security clearance data and processes were transferred from the Department of Defense to OPM, and now there's talk of transferring this process back to the Department of Defense. We also have the newly created NBIB where OPM and DOD have a shared responsibility. And we need to get this right, make sure that we have stopped just moving the organizational boxes around.

As we continue our oversight of the transition of responsibilities from OPM to the NBIB, we need to continue to ask about the efficiency and making sure, at the end of the day, that we're protecting and securing the United States of America.

So there are a tremendous amount of number of people that are working on IT issues. We will have additional hearings and discuss that. I personally do believe--and this is--at some point, I would like to draw this out from you--attracting and retaining IT professionals has got to be a challenge for the government. It's a challenge in the private sector. It's a challenge across the board. I was fortunate enough to have a newly minted son-in-law, who is in the IT field. And the opportunities for him for employment were unbelievable.
I've never seen anything like it, which is good as his father-in-law. That's a good thing.

But on a serious note, I do think we have to address, on the whole of government--not just this particular field, but the whole of government--how do we attract and retain IT professionals, because we do need so many of them, and there's so much vulnerability for the country as a whole.

So this is an important hearing, and I appreciate you being here. And now I'd like to recognize the ranking member, Mr. Cummings.

Mr. Cummings. Thank you very much, Mr. Chairman. I want to thank you for calling this hearing. And as I listen to you talk about the IT people, Mr. Chairman, this is very important that we all let Federal employees know how important they are, and that we do everything in our power to provide them with the types of salaries and work security that they need. That's one of the things that would help to attract them and keep them.

Today's hearing is on the process our Nation uses to conduct background checks for Federal employees, who are seeking very important security clearances so they can have access to our most guarded secrets. This hearing could not come at a more critical time.

Yesterday, I sent a letter requesting a Pentagon investigation of the President's national security adviser, Lieutenant General Michael Flynn, for his potentially serious violation of the United States Constitution. I was joined by the ranking members of the committees on Armed Services, Judiciary, Homeland Security, Foreign Affairs, and Intelligence.

General Flynn has admitted that he received payment to appear at a gala in December of 2015 hosted by Russia Today, that country's State-sponsored propaganda outlet. During that event, General Flynn dined with Russian President, Vladimir Putin.
As our letter explains, the Department of Defense warns its retired officers that they may not accept any direct or indirect payment from foreign governments without congressional approval, because they continue to hold offices of trust under the emoluments clause of the United States Constitution.

On January 6, intelligence officials issued their report detailing Russia's attack on the United States to undermine our election. This report concluded with high confidence that the goal was to, quote, ``undermine public faith in the United States' democratic process,'' end of quote. This report described as, quote, ``The Kremlin's principal international propaganda outlet,'' end of quote. It explained--and I quote--that ``The Kremlin's staff's RT and closely supervises RT's coverage recruiting people who can convey Russian's strategic messaging because of their ideological beliefs,'' end of quote.

It is extremely concerning that General Flynn chose to accept payment for appearing at an event hosted by the propaganda arm of the Russian Government at the same time that the country was engaged in an attack against this Nation in an effort to undermine our election. Something is wrong with that picture. But it is even more concerning that General Flynn, who President Trump has now chosen to be his national security adviser, may have violated the Constitution in the process.

We do not know how much General Flynn was paid for this event and for his dinner with President Putin, whether it was $5,000, $50,000, or more. We don't know. We do not know whether he received payments from Russian or other foreign sources or on separate occasions or whether he sought approval from the Pentagon or Congress to accept these payments. We don't know.

Related to today's hearing, we do not know what effect this potentially serious violation of the Constitution should or will have on General Flynn's security clearance.
Security clearance holders and those applying for security clearances are required to report their contacts with foreign officials. We do not know what, if anything, General Flynn reported about his contacts with officials from Russia or other countries. We do not know if he reported this one payment or any other payment he may have received. These are the questions that need to be answered.

We also have questions about the individuals who may seek to join the administration and obtain access to classified information while they are currently under investigation. For example, there have been reports that President Trump's former campaign chairman, Paul Manafort, has been advising the White House recently while at the same time he's, reportedly, under FBI investigation for his dealings with Russian interests. We want to know how security clearances are handled if the existing clearance holders or new applicants are under criminal investigation. Does the FBI allow these individuals to continue to have access to classified information, or is there a process to place a hold on someone's clearance or application until the investigation resolves the questions?

Finally, President Trump claims that Democrats only became interested in Russian hacking for political reasons and that, for example, we have no interest in cyber attacks against OPM. He stated, and I quote, ``They didn't make a big deal of that,'' end of quote. The President is one million percent wrong.

I and other Democrats worked aggressively on this committee's investigation of the attacks on OPM. We held multiple hearings, including one that I requested. We conducted extensive interviews and briefings with key witnesses. We reviewed more than 10,000 pages of documents, and we issued two reports from the majority and minority staff. I called for expanding our investigation to other agencies, including the State Department, the postal service, which were both attacked.
I called for investigating the cyber attacks on financial institutions like JPMorgan Chase. Our intelligence agencies had warned us--I called for investigating the cyber attacks on the Nation's biggest for-profit hospital chain, Community Health Systems, which had the largest hacking-related health information breach ever reported. And I called for investigating the cyber attacks on retail companies, including Home Depot, Target, and Kmart.

So the President's claim that we are focusing on Russia's hacking for political reasons is ludicrous. Our intelligence agencies have warned us that if we do not act now, our adversaries, including Russia, are determined to strike again. We need to get answers to these questions immediately, and I thank all of our witnesses for being with us today.

And, again, Mr. Chairman, I thank you for this hearing. And I yield back.

Chairman Chaffetz. I thank the gentleman. We'll hold the record open for 5 legislative days for any members who would like to submit a written statement.

I now would like to recognize the panel of witnesses. We're pleased to welcome Ms. Kathleen McGettigan, who is the acting director of the United States Office of Personnel Management. Ms. McGettigan is accompanied by David DeVries--DeVries, sorry--chief information officer of the United States Office of Personnel Management; Mr. Cord Chase, chief information security officer at the United States Office of Personnel Management, and Mr. Charles Phalen, director of the National Background Investigations Bureau, or NBIB. Their expertise on this issue will be very important to this subject matter, so they will all--everybody will be sworn in.

We're also honored to have Mr. Terry Halvorsen is the chief information officer at the United States Department of Defense. It's my understanding Mr. Halvorsen is retiring at the end of the month, and we could think of no better gift for you than having to testify before Congress. It's such a joy.
I know you're looking forward to it personally. So happy birthday, Merry Christmas, and happy retirement for coming to testify before Congress. But we thank you, sir for your----

Mr. Halvorsen. Thank you.

Chairman Chaffetz. --for your service to this country and at the Department of Defense. And we really do appreciate your expertise and look forward to hearing your testimony. And we wish you well. And, again, thank you for your service and your willingness to be here today. You probably could have squirmed out of this one if you really wanted to, but you stepped up to the plate and took this assignment, so thank you, sir, for being here.

Again, we welcome you all. Pursuant to committee rules, all witnesses are to be sworn before they testify. So if you would please rise and raise your right hand.

Do you solemnly swear or affirm that the testimony you are about to give will be the truth, the whole truth and nothing but the truth, so help you God?

Thank you. You may be seated. Let the record reflect that the witnesses all answered in the affirmative.

Your entire written statement will be made part of the record, but we would appreciate it if you could keep your comments to 5 minutes. And like I said, your whole record--your whole testimony and any supplements you have will be made part of the record.

Ms. McGettigan, you are now recognized for 5 minutes.

WITNESS STATEMENTS

STATEMENT OF KATHLEEN MCGETTIGAN

Ms. McGettigan. Good morning, Mr. Chairman, Ranking Member, and distinguished members of the committee. Thank you for the opportunity for my colleagues and myself to testify on behalf of the Office of Personnel Management. As you said, I am joined today by Mr. Charles Phalen, the director of the National Background Investigations Bureau, Mr. Dave DeVries, OPM's chief information officer, and Mr. Cord Chase, OPM's chief information security officer. While I am presently the acting director of OPM, I do have over 25 years of service at the agency.
OPM recognizes how critical the topics of today's hearing are to the Federal Government and to our national security, and I look forward to our having a productive conversation about the NBIB transition, the security clearance process, and information technology security.

As you know, the NBIB was established on October 1st, 2016, and is the primary provider of background investigations for the Federal Government. Charlie has a distinguished career in multiple roles at senior levels in the Federal Government and private industry. His career has been focused on national security. His experience includes serving in capacities at the CIA, including as director of security and with the FBI as assistant director leading its security division.

NBIB is designed with an enhanced focus on national security, customer service, and continuous process improvement. Its new organizational structure is aimed at leveraging record automation, transforming business processes, and enhancing customer engagement and transparency.

In late 2014, OPM's market capacity for contract investigation services was drastically reduced by the loss of OPM's largest field contractor. This resulted in an investigative backlog. This backlog was exacerbated by the cybersecurity incidents at OPM that were announced in 2015.

Looking forward, it is an NBIB priority to address the investigative backlog while maintaining a commitment to quality. To accomplish this, NBIB is focusing efforts in three primary areas: First, we are working to increase capacity by hiring new Federal investigators and increasing the number of investigative field work contracts. Second, NBIB is focusing on policy and process changes to ensure efficient operations. Third, NBIB has actively worked with customer agencies to prioritize the cases that are most critical to our national security.

Information technology also plays a central role in NBIB's ability to enhance the background investigation process.
While still in development, NBIB's new system, NBIS, will be operated and maintained by DOD on behalf of NBIB. On OPM's behalf, this effort is being led by our new chief information officer, David DeVries. Dave joined us in September of 2016. He is the DOD's principal deputy CIO, and he has a strong relationship with his former agency.

As we work to strengthen the infrastructure and security of NBIB, we are also working on fortifying our entire technology ecosystem. As the Federal Government modernizes how it does business, OPM has focused on bracing new tools and technology to deliver optimum customer service and enhanced security.

OPM enhanced its cybersecurity efforts from multiple angles. We have added cybersecurity tools and security updates. We've implemented staff and agencywide training, we've hired critical personnel and, finally, we continue to collaborate with our interagency partners.

Touching on efforts I've just outlined, our cybersecurity tools and security updates include 100 percent multifactor user authentication to access OPM's network. This is done via the use of PIV cards and major IT system compliance initiatives.

Furthermore, OPM recognizes that cybersecurity is not just about technology, but it is also about people. OPM has added seasoned cybersecurity and IT experts to its already talented team. OPM has hired a number of new senior IT managers and leaders and realigned and centralized its cybersecurity program and resources under the chief information security officer. In this capacity, Cord is responsible for taking the steps necessary to secure and control access to sensitive information. OPM also strengthened its threat awareness by enrolling in multiple information and intelligence sharing programs.

In conclusion, the necessary key partnerships and plans have been developed to build out NBIB and improve the security and efficiency of OPM's IT systems.
These structural and process improvements will enable us to improve timeliness, reduce the background investigation. Equally productive is the CIO's holistic approach which ranges from bringing on qualified personnel to adopting new tools and procedures that enhance the security of OPM's networks and data.

Thank you for the invitation to testify before you today, and we welcome any questions you may have.

[Prepared statement of Ms. McGettigan follows:]

Chairman Chaffetz. Thank you. Thank you for your testimony.

Mr. DeVries, you are now recognized for 5 minutes. My understanding is maybe yourself, Mr. Chase, and Mr. Phalen, I don't know if you have opening statements or if you care to say anything, but I'll recognize each of you. If you don't have anything, we'll just--Mr. DeVries, do you have----

STATEMENT OF DAVID DEVRIES

Mr. DeVries. Thank you, Mr. Chairman. I'd like to just take this opportunity to thank you for the opportunity to come here. As the brief bio was read there, I did come from 30 years in the Army. I transitioned in in 2009 to become a senior executive within DOD, and where I spent the last 2-1/2 years as the principal deputy for the DOD CIO. Broad range here, I was asked to come here to OPM and accepted that and arrived here in September of 2016. And it's a pleasure being here today, and I enjoy the opportunity to answer your questions here. Thank you.

Chairman Chaffetz. Thank you. Mr. Chase.

STATEMENT OF CORD CHASE

Mr. Chase. Thank you very much for the opportunity----

Chairman Chaffetz. If you can all bring that--I'm sorry. You've got to bring the microphones up close, uncomfortably close to make sure we can all hear you.

Mr. Chase. Again, thank you very much for the opportunity to speak today. One of the things that I want to make clear is I ran into the fire to help with the events that occurred in 2015.
In the rebuilding process, we've made a lot of advancements, but it's only to get us to a standard environment. By no means am I up here saying, we're successful or we've won anything, that we're doing our best to improve the environment to secure the information within OPM and NBIB. With that, there are quite a few items that I'd be happy to discuss with all of you on those improvements, and that's all I have at this point.

Chairman Chaffetz. Thank you. Mr. Phalen.

STATEMENT OF CHARLES PHALEN

Mr. Phalen. Thank you, Mr. Chairman. I'm happy to be here and join with you today in a good conversation on this.

To echo a little bit what Ms. McGettigan mentioned, we are focused in our--as we begin our--or end our 4th month as an entity on three key things. One is recovering and increasing our capacity to do background investigations, improving our capability to gather information that is relevant to background investigations and, finally, working on those innovations that will help us in partnership with the security executive agent and the suitability executive agent to look at what an investigation will look like as we move down into the future.

A key to this is building an organizational structure beyond what existed on September 29th and adding capabilities in terms of investments and in terms of innovation, and then very importantly, working in partnership with DOD as we build out an information technology systems that will be able to enhance and inform security investigations across our entire spectrum of about 100 customers across the Federal Government.

With that, I'm very happy to be here. Thank you for the opportunity today.

Chairman Chaffetz. Thank you. Mr. Halvorsen, you are now recognized for 5 minutes.

STATEMENT OF TERRY HALVORSEN

Mr. Halvorsen. Good morning, Mr. Chairman, Ranking Member, and distinguished members of the committee.
Thank you for the opportunity to testify before the committee today on the Department's information technology and cybersecurity support to the National Background Investigations Bureau. I am Terry Halvorsen, the Department of Defense chief information officer. You have my opening statement. I think most of you are familiar with my responsibilities, so in the interest of time, I'll cut this a little short.

The department is responsible for the development and securing the NBIB IT systems. We have brought the full expertise of the department both in IT and cybersecurity resources to bear on this problem, and it is our objective to replace the current background investigations information system with a more reliable, flexible, and secure system in support of the NBIB.

Defense information system under the DOD's CIO's oversight has established the National Background Investigations Systems Program Management Office to implement this effort. The PMO is responsible for the design, develop, and operation of the IT systems capabilities needed to support the investigative process to include ensuring that the cybersecurity protections and resiliency of these capabilities. The alignment of the systems under DOD assures we leverage all national security systems expertise and capability to protect the background investigation data. And I assure you, we are doing that.

The Department has made significant headway on this important mission, since I previously testified before this committee last February, and we are on track to deliver the capabilities needed in an iterative fashion using DOD expertise and best industry practices.

In fiscal year 2016, the Department funded preacquisition activities to better posture for official standup and funding in fiscal year 2017. I would like to thank Congress and members of this committee for supporting the Department's funding request for NBIB IT infrastructure and cybersecurity modernization.
As you know, the fiscal year 2000 continuing resolution did include new start authority for the NBIB, and we thank you for that.

Today, several of the NBIB's prototypes are enabling the Department to work with industry and other partners to discover capabilities that we will provide with a more efficient, effective, and secure background investigation system in the future. Throughout this process, we are actively partnering with industry, integrating commercial feedback into the process to ensure we are focusing on capabilities and keeping up with the changing pace of technology.

I am pleased with the current progress on NBIS that the Department and our partners have made to date. I look forward to seeing what this organization will accomplish as it makes progress toward delivering several prototype capabilities by the end of fiscal year 2017 and an initial operating capability covering the full investigative process in the fourth quarter of 2018.

This is an important opportunity for the Federal Government to strengthen the security of the IT infrastructure that supports the Federal background investigating process. This approach utilizes the Department's recognized IT cybersecurity expertise, best industry practices while maintaining a streamline centralized governmentwide approach to the investigative services that the NBIB provides today for more than 100 different Federal agencies.

Thank you for this committee's continued support, and I look forward to your questions.

[Prepared statement of Mr. Halvorsen follows:]

Chairman Chaffetz. Thank you. I will now like to recognize the gentleman from Texas, the chairman of the subcommittee on Information Technology, Mr. Hurd.

Mr. Hurd. Thank you, Mr. Chairman. I want to thank you and the ranking member for the continued diligence on this important issue.

Mr. Phalen, I've got some basic questions for you. Sorry for the basicness of the questions. You're in charge, right?

Mr. Phalen.
Yes, sir.

Mr. Hurd. Do you have a technical background?

Mr. Phalen. I do not have a technical background.

Mr. Hurd. Who is the person directly reporting to you that is responsible for preventing another attack that we saw, like the one we saw a number of months ago?

Mr. Phalen. So it is not a direct chain----

Chairman Chaffetz. Sorry. Mr. Phalen, if you could move that microphone. Straighten it up and right--right up next--there you go. Thank you.

Mr. Phalen. There you go. Okay thank you. There's no one specifically in my chain of command that is immediately responsible. We rely on Mr. DeVries and Mr. Chase as the CIO and CISO to provide the security for the systems that we are operating today.

Mr. Hurd. Copy. So Mr. Chase, you are in charge.

Mr. Chase. That is correct, for cybersecurity.

Mr. Hurd. Well, thank you for running into the fire.

Mr. Chase. Thank you.

Mr. Hurd. I recognize the difficulty of the task. In your brief remarks, you talked about the first step was getting OPM up to a baseline.

Mr. Chase. Correct.

Mr. Hurd. Can you take 90 seconds and explain that baseline?

Mr. Chase. Sure. That's a good question. So one of the things, when I came on board, was to set an appropriate strategy and a pathway forward. So it was the stabilization phase. So we understood that there were quite a few systems that were out of compliance. So we knew that we had to take steps to get those back into compliance. We also had another layer of engineering tasks, which included network segmentation, making sure that we had the appropriate monitoring tools in place, and then the tuning process to support that. Throughout fiscal year 2016, we were able to get those accomplished but, again, to a standard baseline where we feel comfortable that we can control our environment and we understand where we were with the IT system boundaries and the IT system boundary inventories.

Mr. Hurd. So of the IG GAO, they've all done reviews, there's been a number of outstanding issues.
Many of the outstanding issues for years had been on the IG report and the GAO high-risk report. Of those documents, how many of those vulnerabilities, that have been identified, are still outstanding? Mr. Chase. So there are still items that are outstanding, and we prioritized them based on their criticality---- Mr. Hurd. What's the highest priority--highest priority vulnerability that's still outstanding? Mr. Chase. So the IT system compliance was the most significant vulnerability that was identified in the Fiscal Year 2016 FISMA report, as well as the IT security officer hiring process, which is something we were able to accomplish at the end of this year as well. Mr. Hurd. Good copy. You talked about segmentation. And we saw after the breaches in 2014 and 2015, the hackers were able to basically move, you know, without--with impunity through the network. And my question is what have you done to make life harder on the hackers that once they get past your defenses? And I will say my--you know, I begin with the presumption of breach, you give an attacker enough time, they have enough resources, they are going to get in, so what do you do once they get in, and how have you improved segmentation across the OPM network. Mr. Chase. So I consider it a level of effort, so I'm trying to make it as hard as possible for them to get in. Understanding that OPM is a customer-oriented agency and has to communicate. Some of the segmentation that we have done is identify all of our major systems and high-valued assets within our environment, as well as, all the privileged and nonprivileged users. We segmented those between each other and set the appropriate firewalls and monitoring tools to ensure that one can't get to the another and vice versa, and if there are attempts to get between the other, the other is stopped and flagged, and there's a follow-up with that event itself. Mr. Hurd. In my remaining minutes, I want to ask a question. And I don't mean to be indelicate. 
Why did we get to this situation? And I ask that question in order to learn from this experience so we can take those lessons learned and apply it across the Federal Government. Mr. Chase. So I'm going to say I came post breach, and I know there's quite a few lessons learned. There was a majority and minority reports issued, there's all the audits that were issued, and that's what I've been going off of and, again, trying to apply those to prioritize the next steps to be able to suppress the threat and the risks within OPM. Mr. Hurd. So why--you've been there now for enough time. You've seen the problems. You've probably been shocked by some of the deficiencies within the network. Why do you think that network got to where it was? Mr. Chase. I would say based on those reports and information that was put in front of me, there were systematic failures within OPM that led to it. Mr. Hurd. Mr. Chairman, I yield back. Chairman Chaffetz. I thank the gentleman. We'll now recognize the ranking member of the subcommittee on IT, Ms. Kelly from Illinois, for 5 minutes. Ms. Kelly. Thank you, Mr. Chair. And thank you all for your testimony here today. This is actually the committee's third hearing on the OPM data breach. The data breach compromised the information of millions of Federal employees. The committee responded almost immediately and did an extensive bipartisan investigation into the incident. In total, committee staff reviewed more than 10,000 pages of documents, interviewed multiple witnesses, and had numerous briefings from both Federal and non-Federal entities. I applaud the work we have done on the OPM data breach, but I must address the elephant in the room. We are holding a hearing about hacking by a sophisticated actor, likely a State actor for a hack that occurred more than a year ago. But this committee has chosen not to take any action to investigate the recent Russian hacking and propaganda campaign to impact our election. 
Only last month, the NSA, FBI, and CIA concluded with a high degree of confidence that Russia successfully hacked groups throughout our Nation in an effort to influence our election. In the face of this report from our top intelligence agencies, we have done zero oversight into this issue. There's not been a single hearing or request. My wonderful chairman on the IT subcommittee asked Mr. Chase about lessons learned. Mr. Halvorsen, I would like to ask you about lessons learned after the vulnerabilities were exposed in the OPM data breach. Mr. Halvorsen. We certainly took the vulnerabilities that were exposed in the database, and I can assure you that both in the OPM legacy systems, the work they're doing today and in the new systems, we are taking those lessons learned and making sure that the systems we are building new are built from the ground up with cybersecurity baked in, and that we've assumed from the beginning that this system could be penetrated. So there's a condition we have that you might hear in the Navy termed, it's set conditions ZEBRA, it means close the watertight doors. We are making sure that the new system will be segmented enough that we can close the doors. Because there's two things you want to stop. Certainly, you want to stop people from getting in, but when they get in, you don't want your answer to be you've got to shut the system down. That's a victory. So we're designing this system so that we can fight--and that is the correct word--fight through any attempt to breach this system. And if we get breached, be able to block and contain and then eradicate any malware system loss that gets in here. Ms. Kelly. Thank you. Did the subsequent investigations help in understanding how things could be improved? Mr. Halvorsen. Absolutely. Ms. Kelly. Anybody else want to answer that? Mr. Halvorsen. Yes, they did. Ms. Kelly. And any of the other witnesses? Mr. Chase. I concur. Mr. DeVries. Concur. Ms. Kelly. Thank you. 
I believe these OPM investigations went a long way in assuring the American public that everything possible was being looked at to prevent this from happening again. But it is clear that politics have prevented this committee from being willing or able to do the necessary objective and nonpartisan oversight on the Russian attack. That's why I, and every one of my democratic colleagues in the House, have signed on to legislation to establish an independent bipartisan commission to investigate foreign interference in the 2016 elections. Thank you for your response. And, Chairman, I yield back. Chairman Chaffetz. Will the gentleman--gentlewoman yield first? Ms. Kelly. Of course. Chairman Chaffetz. As I've said publicly, and the gentlewoman should know, given that it involves sources and methods, the United States Congress is organized such that the House Intelligence Committee takes the lead on those things. We can investigate anything at any time, but I do have limits in that I cannot investigate sources and methods which clearly is the purview of the House Intelligence Committee. I would also suggest that we were the first committee to create a subcommittee specifically on information technology. We were the first to dive into the OPM data breach, and we have been pushing from the Department of Education and others to make sure that we do have the proper defenses in place. And to suggest that it's only one particular country would be naive at best. And it could be everything from a guy in a van down by the river down to a Nation State. Ms. Kelly. We know it was the Russians in this particular instance. Chairman Chaffetz. And I think that should be investigated. I have said as much publicly, and I've also--I think everybody should know, every Member of Congress should know that the House Intelligence Committee is really the only organization within Congress that is set up to be able to do that. Mr. Cummings. Would the gentlelady yield, please? Ms. Kelly. Yes, I will. 
Mr. Cummings. Very briefly, Congressman Swalwell and I, over a month ago--as a matter of fact, in December, filed a bill which asks that we have a 9/11-type investigation. And the reason why we did that is because we didn't want it to get mired in a political battle like the Benghazi Committee did, Select Committee. And it would be patterned after the 9/11 commission so that we would bring America's best experts to the table. It would be an equal number of Democrats, an equal number of Republicans, and that they would look at this thing carefully--and with the chair's indulgence, I need to explain this--and they would come back with recommendations. They would have subpoena power. Then we refiled that bill in January when the new session came in. Every single Democrat in the Congress signed on to that bill. Not one single Republican signed on. And one of the reasons why we did that is because we felt we didn't move to common ground; we need to move to higher ground, that this was such a serious attack on our democracy, and our election process, that it deserved that kind of attention. And so that bill is still out there. Only Democrats have signed on. One of the things we were concerned about is the chairman of the Intelligence Committee, Mr. Nunes, was a part of the transition team for President Trump. And we just felt that we needed to take the complete thing out and let an independent body do it. And I just wanted to explain that to the gentlelady. Thank you very much. And thank you for yielding. Nice job, by the way. Chairman Chaffetz. I'll now recognize the gentleman from Florida, Mr. DeSantis, for 5 minutes. Mr. DeSantis. Thank you, Mr. Chairman. Ms. McGettigan, I know after the OPM breach there's several months people were, kind of, notified. But I've had people, constituents, just wonder, I mean, what has been done to mitigate the potential damage to people whose files were compromised? Ms. McGettigan. Thank you for that question. 
We have entered into--in December, we entered into a contract and identity protection contract. We expanded the coverage that we already had. And we are moving toward having coverage for 10 years. The current contract covers all those affected by the two breaches, and it runs out in December of 2018 during---- Mr. DeSantis. What would that mean, just for somebody who had their stuff compromised? Ms. McGettigan. I'm sorry. We have identity protection services and credit monitoring. So people have received--people who were affected have received information on how to sign up for the credit monitoring, although they are covered by insurance whether they sign up or not. And currently, the ceiling on the insurance we have expanded to $5 million, and we are moving toward complying with congressional direction to have the contract go for 10 years of credit monitoring. Mr. DeSantis. Okay. Good. I mean, I think that we in this committee--and I applaud the chairman for being on this issue. And we hear about these other hacks and stuff. This was catastrophic. I mean, you're talking about these files with the amount of information that's there, and I had to go through it in the military, and other people, perhaps, you guys have gone through it, too, there is a lot, a lot of information there, and it's a massive vulnerability. So I hope that what's being done is going to be effective. Let me ask--this may be Mr. Chase or maybe someone else want to take this. If OPM suffers another compromise and NBIB applications and its systems are breached, who makes the final call as to whether or not the compromised applications are taken offline or continue to run? Mr. Halvorsen. If it's in the new systems that are developed, that is me. Mr. DeSantis. Do you agree with that? Mr. DeVries. For the new system, yes. Right now we're currently operating underneath the existing legacy system. Mr. DeSantis. What's the answer---- Mr. DeVries. 
The answer is the CIO gets the report of it from the CISO, and the director makes the call on it. Mr. DeSantis. Okay. Let me ask you this, because the majority staff on this committee had a report indicating that there were certain tools following some of the previous breaches that were bought, and then they were delayed in terms of their deployment for a variety of reasons, but one of them, that they had to make certain notification to relevant unions. So what kind of notifications is the IT security team required to make before deploying these tools, and what is the purpose of the notifications? Mr. Chase. So from post breach coming in, any tool that we go out on the street to market and do our research on is fully vetted internally. We have a procurement office inside of OPM that works with us to make sure that the appropriate language is put into that, and then we move to the process of deploying that tool. Mr. DeSantis. But in terms of the delays, have there been delays because of notification requirements? Mr. Chase. I'm not aware of that specific statement. Mr. DeSantis. Okay. Had there been other barriers or challenges in trying to timely deploy some of these tools, bureaucratic roadblocks? Mr. Chase. Again, post breach, based on the situation--and, again, I mentioned earlier stabilizing, the procurement office has been very, very flexible with me and making sure that they can give us the time---- Mr. DeSantis. But this was so--the implication is there may have been a problem prebreach? Mr. Chase. I'm not aware outside of what I'm reading in those reports. Mr. DeSantis. Do you think that it was a problem? Mr. DeVries. I have no firsthand knowledge of that, but just from the acquisition side and having been in this field for many years, yes. Mr. DeSantis. Okay. Well, I will yield back the balance of my time. Chairman Chaffetz. I thank the gentleman. I now recognize the gentleman from Massachusetts, Mr. Lynch for 5 minutes. Mr. Lynch. Thank you, Mr. 
Chairman. And I want to thank our witnesses for your great work and for your willingness to help us. I want to revisit the issue raised by Ms. Kelly about the unwillingness or the inability of the committee to really investigate what's going on with the Russian hacking. But before I get into that, let's talk a little bit about the issue that brings you here. In June and July of 2015, OPM publicly disclosed that its information technology systems had been experiencing massive data breaches over some time, compromising the Social Security numbers, birthdates, home addresses, background investigation records, and other highly sensitive personal information belonging to about 22 million individuals. These cyber breaches were not only devastating in terms of their impact on the financial security of their victims, rather, they also posed a grave national security threat as the extensive security clearance questionnaires, about an 80-page document, that really drills down on folks and was filled--were filled out by nearly 20 million Americans who have security clearance rights and privileges, and the names and the information of those individuals were included among the data. I had asked--that was a--that was a terrible--you know, some people call that a--like a cyber Pearl Harbor, because all our folks who are actually actively interested in working on our national security organizations, you know, basically, they were giving up. And so I asked at a very basic level, I asked, Ms. Archuleta, who was running the OPM at the time, I said, have you actually gone back and encrypted the Social Security numbers of these employees? Were they encrypted? And she said, no, they were not. So--so all those Social Security numbers of those 22 million people went out. And then a year later, we had one of her successors--not her successor, but one of the people under her, I asked, again, have we encrypted the Social Security numbers of the people, the 22 million people? 
And they said there are still--there are still vulnerabilities we still haven't been able to do that. So let me ask, have we encrypted at least the Social Security numbers of these 22 million people? Mr. DeVries. Sir, I'll take that for the record. Yes, we have begun a vigorous program in 2016 to encrypt the databases. So it's not just encrypting the Social Security number, but it is the databases that contain those critical information. Mr. Lynch. Are we done with that yet? Mr. DeVries. We are not completely done across the whole OPM environment, but the HVA systems we have gone through, and I have one remaining system to be done, and that is scheduled for next month. To complete the---- Mr. Lynch. What percentage of the 22 million have been encrypted? Can you give me an estimate on that? Mr. DeVries. Of the NBIB system, which contains those records there, all but one have been encrypted. Mr. Lynch. So what's lacking in percentage? Mr. DeVries. One major database there on the mainframe. Mr. Lynch. All right. You're not answering my question, but--look, we need to get that done. Okay? Let me go on to the Russian thing. Look, we've got--I understand that the chairman's resistance on sources and methods, I get that. But we have--and I would like to introduce these into the record. First of all, I would like to introduce into the record my letter from December 15th--14th asking for a hearing on the Russian hacking. Secondly, I'd like to enter into the record an FBI investigation regarding Russian malicious cyber activity. They did a whole investigation on this. It's called "Grizzly Steppe," s-t-e-p-p-e. I want to enter into the record a background to assessing Russian activities and intention into recent U.S. elections, the analytical process and cyber incident attribution. That's produced by the offices of the director of National Intelligence. I would like to submit for the record, a statement for the record, worldwide threat assessment by James R. 
Clapper, director of the National Intelligence, February 9, 2016. I ask for unanimous consent. Chairman Chaffetz. Without objection, so ordered. Mr. Lynch. Thank you. So we have enough here. Just with this here, we have enough here to do an investigation. And this is just the stuff that is unclassified that the intelligence community has put out there. We don't have to talk about---- Chairman Chaffetz. Will the gentleman yield? Mr. Lynch. Yes. Sure I'll yield. Chairman Chaffetz. Two points. Number one, sources and methods are the sole jurisdiction of the intelligence community. Number two, have you really thought this through? Do you really think it's appropriate for this committee to investigate the specific hack of the DCCC? Mr. Lynch. Absolutely. Chairman Chaffetz. Because if you are going to do an investigation of the DCCC, we're going to have to dive into a political party's infrastructure operation's data. I don't think that's appropriate. If you---- Mr. Lynch. Let me--well---- Chairman Chaffetz. Here's the difference. Here's the difference---- Mr. Lynch. Reclaiming my time. Actually, you know, you're using all my time here. Look, look they hacked--they hacked the American election. That is worth looking into---- Chairman Chaffetz. There's no evidence of that. And President Obama said that that wasn't even possible. Mr. Lynch. This is high confidence. This is our own FBI, high confidence that they hacked the election, that they interfered with the election. It may not have been outcome determinative. I'm not saying that. But based on the FBI, based on the office of--the director of national security, they're saying, yeah. And also, the CIA, they're in agreement that the elections were hacked. Now, I'm not saying they affected the outcome, but they tried. It may have been just chaos that they wanted to create, but they interfered with our elections. And if we're turning a blind eye to that, that's a shame. That's a shame. That's core to our democracy. 
And look, if we're just going to say, oh, that's somebody's work, that's not anybody else's work. That's our work. There are plenty of reports here we can talk about, and we ought to do it publicly, about the damage done to the confidence in our electoral system. That's what's important here. People have to--people have to fear that we have an integrity--a certain integrity in our own systems and that other countries are not allowed to interfere with that. That's a red line. We should not allow that. And it should be a very serious obligation of this committee to make sure that doesn't happen again. And we need all the committees of jurisdiction to work on this. We're a committee of unlimited jurisdiction. The gentleman has said that quite frequently. That's the strength of this committee. And I think this is--look, they hacked our election. This should be bipartisan. This should not be Democrat versus Republican. Chairman Chaffetz. The gentleman's time--the gentleman's time is well expired. As I said, I do think there should be--as I said when it happened, there should be an investigation. There should be a prosecution. They should go out---- Mr. Lynch. These are the investigation of the committee. Chairman Chaffetz. Hold on. The gentleman's time has expired. The Intelligence Committee is the only one that can look at sources and methods. That is the rule of the House. Mr. Lynch. We won't look at sources and methods. We'll just look at what the agencies themselves have made public. Chairman Chaffetz. The gentleman's time has expired. And if you are going to do a proper investigation, as this committee did, with the breach at the Office of Personnel Management, you have to look at the two sides of the breach, those that were trying to do it, which this committee could not look at in the OPM breach. Again, that is the purview of the House Intelligence Committee. 
But we could look at those that were breached and how inept their systems were and how bad it was set up and how the inspector general was warning of these things. That, we did do. Mr. Lynch. We had nine separate investigations of Hillary Clinton, nine separate investigations---- Chairman Chaffetz. The gentleman's--the gentleman is out of the order. The gentleman's time is expired. I gave you well more than 5 minutes. What I think is inappropriate. And I'm trying to answer the question. It would be wholly inappropriate for the United States Congress, for us to dive into the DCCC. You might want to do an investigation yourself of the DCCC. I don't think that the United States Congress should be diving into their individual private systems of a political party. I think that's too broad--if you want me to start issuing subpoenas of the DCCC, I'm probably not going to do it, but go ahead and suggest it. Mr. Lynch. How about some of the FBI---- Chairman Chaffetz. The gentleman's time has expired. Mr. Lynch. You asked me a question. Chairman Chaffetz. No, I did not. I did not. Mr. Lynch. And I'm trying to respond. You asked me if I wanted---- Chairman Chaffetz. I did not ask--the gentleman is out of order. Mr. Cummings. Would the chairman yield? Would the chairman yield? I think we need to calm down here a little bit. Mr. Chairman, you have made some statements, and I just ask you to give him the courtesy of a minute and a half just to respond. Chairman Chaffetz. No, I will not. I will not. Mr. Cummings. Well, would the gentleman let me finish? Thank you. This has been an attack on our democracy, Mr. Chairman. And Mr. Lynch is one of our greatest members, and the passion that he has expressed is not limited to him, it's to many Americans. They feel as if all of our--the things that underpin our democracy have been attacked over and over again. And as I said yesterday, we keep saying we're going to wait till certain things happen with President Trump. 
They are happening now. Chairman Chaffetz. Can I ask that---- Mr. Cummings. And if the gentleman would just give me 30 more seconds. And all I was saying is I was hoping that in--I mean, as a courtesy to the gentleman, I just wanted him to be able to respond. Chairman Chaffetz. I'd like to ask you a question, if you don't mind, to my ranking member. Does the ranking member believe that this committee should do an investigation of the DCCC? Mr. Cummings. I think that we can look at certain things. I know I am very familiar with sources and methods, but I think what the gentleman is saying is let's just look at the things that are--that are unclassified. And apparently, he has his reports in his hand, and we can see where we go from there. Number two, as I said before, in answering the chairman's question, we have a bill that would--I think, would resolve this issue very nicely. I think the thing that I'm most concerned about, and I'm sure Mr. Lynch is concerned about is that we cannot just turn a blind eye to when we have 17 intelligence agencies who unanimously agree that there has been hacking with regard to our elections. And there seems to be--one of the things that I've noticed, this has been an effort, not by you, Mr. Chairman, but by others to say, okay. It didn't affect the results. We don't even have to get there. Forget it. I accept President Trump as my President. I'm looking forward to meeting with him next week. But, the idea that Russia could come in and interfere with our elections, all of us should be going berserk. I mean, we should be--I mean, just really, really upset. And so all I'm saying to you is that I think all the gentleman is saying, is he's got documents that you've already entered into the record that are unclassified, want to look at those. Now, how far we can go is another thing. But, again, Mr. Chairman, you and I know what happened with the Benghazi Committee. Basically, it became a partisan fight. Chairman Chaffetz. I'll--hold on. 
The gentleman's time is expired here. You're going well--you're going well outside the scope of this---- Mr. Cummings. No, I'm not. Chairman Chaffetz. Yes. Yes. Mr. Cummings. I'm not and I would pray that you not do an Issa on me. Chairman Chaffetz. I've given you ample time. I've given you more time---- Mr. Cummings. Don't do an Issa on me, please. Don't do that. Chairman Chaffetz. No. I'm asking you a simple question. I just want an answer to a simple question. If you don't want to answer it, it's fine. Mr. Cummings. I've answered it. I've told you. Chairman Chaffetz. I'm going to ask one more time. Mr. Cummings. Yes. I've answered you. Okay? Yes. I just answered you. Chairman Chaffetz. I just wanted---- Mr. Cummings. I just answered you. Chairman Chaffetz. Okay. I'm just saying---- Mr. Cummings. You're not listening. What I said was what the gentleman asked. All he asked--he said, take the unclassified information. Do not turn a blind eye to an attack on our electoral system. Let's look--let's go as far as we can. When you take it to the Intelligence Committee, what you've done is you've gotten Mr. Nunes, who is on the transition--who is on the transition committee for President Trump. And as much as I like him, I want--as the gentleman asks, he wants an investigation that will have integrity. And I--I appreciate integrity over and over again. Like I've said to you, Mr. Chairman, and to our committee members, when you deal with integrity and transparency, it's like money in the bank. Mr. Cummings. And so I would just ask you to just work with us and see what we can come up with. That's all. Chairman Chaffetz. My last point. My last point. I don't think it's appropriate. I disagree with the attack on the integrity of the Intelligence Committee. I disagree with that. I think they are of integrity. I think Mr. Schiff and Mr. Nunes are men of integrity and they run that committee appropriately. And I'm sorry you don't feel that way. Mr. Cummings. 
I didn't--now, see, now you done put something in my mouth. Let me be real clear. No, no, no, no, no. Chairman Chaffetz. I get to make my point. I'll let you---- Mr. Cummings. No, you said something that's not accurate. What I said was--I'm not questioning the integrity of Mr. Nunes or Mr. Schiff. Mr. Schiff--both of them I have a lot of respect for. What I'm saying is what the gentleman said, is that we want a report--when people look at the situation--I'll be very brief. When people look at the report and they see somebody on the transition team for Mr. Trump, then it becomes questionable. All I'm saying to you as to the world, we want--that's why we filed the bill that we filed. And that's why we're asking for more like an independent investigation. That's all. Chairman Chaffetz. Last point. Last point. Last point. And we're going to recognize Mr. Meadows. We've gone way past the time here. Mr. Cummings. Thank you. Chairman Chaffetz. And I ask this rhetorically. Do the Democrats truly want this committee to do an investigation of the DNC and the DCCC? Mr. Lynch. Yes, we do. Chairman Chaffetz. Wow. Okay. We're now going to recognize---- Mr. Lynch. A lot of these emails, they're already public. They're already public. They leaked them. We already know what they are, those damaging ones. Chairman Chaffetz. Let's recognize the gentleman from North Carolina, Mr. Meadows. Mr. Meadows. Thank you, Mr. Chairman. We're going to refocus on the focus of this hearing. I wish that we would have as much passion that is concerned about the well-being of the 22,000 people that got hacked, the potential security breaches that are there, instead of losing or winning an election. I wish we'd have as much passion about that. Let's start to focus on the real aspects of what we need to be doing. There are other hacks with the IRS. Let's focus on the hardworking American taxpayers. You know, I'm sick and tired of hearing the repeated talking points over and over again. 
There is no one who will work in a more bipartisan way to get to the truth than me. But I disapprove of the talking points that continue to get repeated to undermine the credibility of a duly elected President. Mr. Cummings. Will the gentleman yield? Mr. Meadows. No, I will not. Let me go into this particular issue. When we're looking at this, you mention that you have 100 percent dual authentication throughout the system. Is that correct? Ms. McGettigan. Yes, sir. That's my understanding. Yes, sir. Mr. Meadows. All right. And you're filling some very big shoes. I happen to be a fan of Ms. Cobert. She actually--we come from very different sides of the aisle, but she was always very responsive to this committee and to me personally. And so I want to make sure that we can clarify, perhaps, your testimony. Because the 100 percent dual authentication is really just at the front door. Is it not? Because we have indications from the IG that there is still a whole lot within the system, that if they get in the front door, that only 2 of 46 systems inside would require that. Is that your understanding? You may want to refer--I think the CIO wants to jump in here. Ms. McGettigan. I think I will defer to Mr. DeVries. Mr. DeVries. Thank you, sir. Ms. McGettigan. Thank you. Mr. DeVries. Sir, we have multifactor authentication in there for the users, the standard users who come onto the network. That is correct, 100 percent to get onto the networks, they require their---- Mr. Meadows. But once in---- Mr. DeVries. No, once they get in, they are still then authorized--their access is based upon those attributes and their roles of what they're assigned to. So they're not given---- Mr. Meadows. So how do you respond to the IG that said only 2 of 46 systems would actually, of the major applications, would require PIV authentication? Is that not accurate? Mr. DeVries. I'd like to go back and look at that. 
I'll defer to my CISO here, but that is--that does not ring true to how we---- Mr. Meadows. Because this isn't my first rodeo. I've been here with a number of folks. In fact, I called for the resignation of the OPM director when there were similar terms that I'm hearing today that give me concern that we're making progress. And I guess, how do we define success? At what point will we have all the major applications? And Mr. Lynch talked about the encryption. Mr. DeVries. Correct. Mr. Meadows. Now, we've been promised encryption over and over and over again. And yet even today, we're not there with-- so are all the Social Security numbers encrypted today? Mr. DeVries. No, sir. Mr. Meadows. Okay. When will they be encrypted? Mr. DeVries. But I have---- Mr. Meadows. Just timeframe. When will they be encrypted, all the Social Security numbers? I mean, that's basic. I've got encryption better than that on my home computer, and here we are, we have--is it a lack of resources? Mr. DeVries. Sir, it was somewhat due to that and also schedule change here on the mainframe. That's the only one that is--that was delayed. And I've reenergized that one back in there. That is 2017. Mr. Meadows. So when is it going to be done? Mr. DeVries. End of 2017, sir. Mr. Meadows. And so we will have everything encrypted by the end of 2017. Fiscal year? Mr. DeVries. The HVA system, the high value assets, which includes the Social Security numbers and so forth, will be encrypted this year. Yes. Mr. Meadows. All right. In terms of segmentation, how do you segment a legacy system? Either one of you can answer it. Mr. Chase. So, again, as a part of our strategy, we looked at all the systems and all the IT system inventories that we had out there. We determined which ones---- Mr. Meadows. So are you going from a zero trust? Mr. Chase. That's the idea, is to use that zero trust tenet. Absolutely. Mr. Meadows. So you rushed into the fire---- Mr. Chase. Ran into it, sir. Mr. Meadows. 
--and so as you ran into the fire, you decided from a zero trust aspect that you're going to look at every single system. Mr. Chase. Absolutely. Mr. Meadows. All right. So we can tell all of those employees or potential employees or those who have had their personal life history looked at that by the end of 2017, that you have great assurance that we have the most up-to-date, sophisticated cybersecurity protection that they will ever see and it will be segmented in a way that if somebody gets in the front door, that they won't be able to go through the whole system. Is that correct? Mr. Chase. That is correct. And there's also many, many compensating controls that reside in the network. So we have our network analysis tool, we have our data loss prevention tool. We have malware detection tools. And then we actually have a 24/7 security operation center that is on glass watching for those events to come through. Mr. Meadows. I yield back. I thank the chairman. Chairman Chaffetz. I thank the gentleman. I will now recognize the gentlewoman from Florida, Mrs. Demings, for 5 minutes. Mrs. Demings. Thank you, Mr. Chairman. I want to say good morning to all of you and thank you for being here. Before I get into my question, I feel compelled to make this comment. I spent 27 years in law enforcement. I served as the chief of police. So I am very concerned about the issue that we're discussing today. Security breaches of any kind, I believe, deserve every bit of attention and every bit of passion. I've been here a little shy of a month, but what I did not sign up for is what I believe was the blatant disrespect that was displayed to each other by my colleagues. And so I believe if we're going to solve our Nation's problems, civility has to be at the center of it. 
And with my question, Director Phalen, last November, the New York Times and other media outlets reported that while meeting with the Prime Minister of Japan, then President-elect Trump allowed his daughter and son-in-law to sit in during all or part of the meeting. In reporting about this meeting, the Times found, and I quote, ``That anyone present for such a conversation between two heads of state should, at a minimum, have security clearance. What we do not--we do not know whether President Trump has stopped this practice of allowing family members who do not have security clearances from attending meetings with dignitaries and other foreign officials.'' Director, I ask you, what are the security risks for having individuals who do not have the appropriate security clearances present during classified meetings or briefings? Thank you very much. Mr. Phalen. Thank you, Representative. Thank you for the question. The determination as to whether an individual has a security clearance is left to the head of the agency with whom they are employed or otherwise contracted with. And, of course, the situation between a President-elect and the President is a different situation. The President has the ability to grant a clearance or grant access to classified information to anyone who they please. It is at their discretion. And the--I am not aware of any of the details around the meeting that occurred with the leadership of Japan. I just don't know any of the details about that, whether anything of classified nature was discussed or not. But it would--in the current situation, it would be the President's discretion to allow individuals even without clearances to know or have access to classified information. Mrs. Demings. So each department would make that determination. Is that what you said? There are no basic general guidelines for persons to have security clearances in certain situations or positions? Mr. Phalen. 
There are general guidelines and there are--specifically, there are investigative standards which we follow when conducting an investigation. The agency who ultimately grants the clearance follows an adjudication set of guidelines, what are the key factors that one would look at when making a determination whether this individual is eligible or should be eligible to receive classified information. And then as a separate act, the agency then--if the answer's affirmative, they are eligible, the agency would make a determination as to whether to actually brief them into a national security program or not, give them that clearance. Mrs. Demings. Okay. Thank you very much. Chairman Chaffetz. Does the gentlewoman---- Mr. Connolly. Would---- Chairman Chaffetz. Does the gentlewoman yield back? Mr. Connolly. Would my friend yield? Mrs. Demings. I yield. I'm sorry. Thank you. I yield. Chairman Chaffetz. She's yielding. To Mr. Connolly or---- Mr. Connolly. To Mr. Cummings. Ms. Demings. To Mr. Cummings. Mr. Cummings. I just wanted to let Mr. Meadows know, when I asked you to yield, the only thing I was going to say is before you got here, and I will share this with you, in my opening statement, I talked about all the efforts that we have made in this committee with regard to the other breaches. I listed them one by one, all the many things that we've done. And I said it in a way that--because President Trump has said that we suddenly got excited about the Russian hacking. But I laid it out. And again, I will share my opening--it was a courtesy to you, because I didn't want anybody to think that this is something new to us. We've spent, in a bipartisan way, hours upon hours upon hours upon hours trying to deal with these. And I give the credit--give a lot of credit to the chairman. And that's all I was trying to tell you. Mr. Meadows. Will the gentleman yield? Mr. Cummings. And I didn't want the public to be left with the impression that we haven't been working on these acts. 
Every single time. Mr. Meadows. Will the gentleman yield? Mr. Cummings. Of course. I only have---- Chairman Chaffetz. It's the gentlewoman's time. Mr. Meadows. Will the gentlewoman yield for just a comment? A nice comment. Mrs. Demings. Yes. Yes. Certainly. Please, Mr. Meadows. Mr. Connolly. We'll be the judge of that. Mr. Meadows. The gentleman from Maryland is a good friend, and a trusted one. And in the passion of my not yielding back to him, I don't want anything to be inferred about our relationship and our willingness to work in a bipartisan way. And I apologize for my passion in not yielding. But I also want to stress that our friendship and our willingness to get to the bottom line of it is unyielding and unchanging. And I thank the gentlewoman. Chairman Chaffetz. The gentlewoman yields back. We'll now recognize the gentleman from Ohio, Mr. Jordan, for 5 minutes. Mr. Jordan. I thank the chairman. Mr. Halvorsen, you are the chief information officer for the entire Department of Defense? Mr. Halvorsen. That is correct. Mr. Jordan. And in your testimony, your written testimony, you said that, ``DOD CIO is responsible for all matters relating to the Department of Defense information enterprise, including cybersecurity for the Department. In this capacity, DOD CIO is responsible for oversight of the Department's efforts to design, build, operate, secure, defend a new IT system to support the background investigative processes for the NBIB.'' Is that all accurate? Mr. Halvorsen. It is. Mr. Jordan. Okay. Are you familiar, then, with the December 6 Washington Post story, front page, Pentagon Hid Study Revealing $125 Billion in Waste? Are you familiar with that article? Mr. Halvorsen. I am familiar with that article. Mr. Jordan. 
Do you--well, let me ask you--let me go back and ask you this: Do you have the resources you need to do everything I just read in your testimony, help NBIB which has 100 Federal agencies that's got to make decisions about-- regarding individuals who work there and everything at the Department, do you have the resources you need to do your job? Mr. Halvorsen. We have the resources to make sure that we develop and design an NBIB new system that is secure and can attack and defend the data. Mr. Jordan. And so you think you got adequate resources to do everything you're tasked to do. Mr. Halvorsen. I think I have adequate resources to everything I'm tasked to do specific to this NBIB issue. Mr. Jordan. But not overall? Is that what you're saying? Mr. Halvorsen. Well, I don't think anybody here would say they have all of the resources---- Mr. Jordan. You always want more. I get that. But you are familiar with the story that was on the front page of the Washington Post last month, or 2 months ago? Mr. Halvorsen. I am. Mr. Jordan. And the findings of the McKinsey & Company study, $125 billion in waste at the Pentagon, do you agree with that--those findings? Or, I mean, they talked about as many full-time employees in back office personnel and in purchasing bureaucracy, as many employees there as we actually have-- almost as many people there as we have in troops in the field or troops in total. Do you agree with what you know about that study? Mr. Halvorsen. We were--do I personally agree with that study? I do not. Is that the reason I'm here to testify? No. So if you want more data on that, I will take any questions you have for the record. Mr. Jordan. Okay. Were you--were you interviewed or talked to in the course of the study by McKinsey & Company? Did they talk to you? Mr. Halvorsen. I have talked to McKinsey & Company, yes. Mr. Jordan. Multiple times? I mean, I'm just kind of curious. Mr. Halvorsen. For the study, I believe once. But I'll get that confirmed. 
But I have talked to McKinsey in the course of my business. Mr. Jordan. The article reports here on the front page here above the fold, the report issued in January 2015 identified a, quote, ``clear path for the Defense Department to save $125 billion over 5 years.'' I think this is important too. What the study said, what the article reports that the study said was that this savings in bureaucracy waste and other areas is money that could go into weapon systems and our troops. Frankly, where I think most Americans would want their tax dollars and resources to go. The article continues, ``The plan would not have required layoffs of civil servants or reductions in military personnel. Instead it would have streamlined the bureaucracy through attrition and early retirements, curtailed high priced contractors,'' and the last clause says, ``and made better use of information technology.'' Do you have any idea what they're referring to there, make better use of information technology? Mr. Halvorsen. Yeah, I do. I mean, if you're asking me do we think we could do better with information technology, I think I testified in numerous hearings that do I believe we should continue to adopt best commercial practices? Should we bring more commercial systems on into DOD and other government? I said we should. I believe there are ways to reduce some money in our IT business. Do I think that number is correct, personally? I do not. Mr. Jordan. So a little bit ago you said you didn't agree with the study. Now you sound like you do agree with a lot of parts of the study. Mr. Halvorsen. No. Mr. Jordan. Is it both or---- Mr. Halvorsen. No. I said I agree that there are efficiencies to be found in the IT systems. By doing what we are doing, I think we will achieve some. I do not think the numbers in the study, my personal opinion, they're not correct. I will take any more questions you have---- Mr. Jordan. So you think the $125 billion number is a little high. 
Would you hazard a guess at what kind of savings taxpayers could see if part of what McKinsey found in their study was implemented and how we could better get money to weapon systems and to troops? Mr. Halvorsen. No, I will not hazard a guess. Mr. Jordan. Okay. Mr. Chairman, I just think this is an important area where we need to--I know it's not the sole focus of and not the primary focus, I should say, of this hearing today, but this is an area we need to study. If we can get more money into upgraded weapon systems and to our troops, and if we got this potential of waste, even the chief information officer says there's some waste there. Maybe not to the degree that the article reports, but certainly any we can find and savings we can find I think makes sense. With that I yield back. Chairman Chaffetz. Thank you. Point well taken. I now recognize the gentleman from Maryland, Mr. Raskin, for 5 minutes. Mr. Raskin. Mr. Chairman, thank you very much. I wanted to start actually by responding, Mr. Chairman, to the question that you posed about whether or not the Democratic National Committee would be a proper object for inquiry and investigation by this committee. And my first reaction to it, I think, was sympathetic to you, which is no, not really, because it's not part of the government. It's a private entity for most purposes. When you think about the Democratic National Convention, where it's going to be located, who's going to speak at it, that's a private matter. It's a private association. On the other hand, it struck me that the Supreme Court has said that political parties are public instrumentalities capable of State action for certain purposes. So when you go back and look at Smith v. Allwright, Terry v. Adams, the white primary line of cases, the Supreme Court said a political party could not exclude from participation people based on race. 
So the Equal Protection Clause applied directly to political parties, that they were not private entities for those purposes. They were public instrumentalities. And in lots of other cases, the Supreme Court has treated political parties as public instrumentalities and kind of public carriers for the purposes of effective action in democracy. And I think if you look at it from a global perspective, that is the role that political parties play. The DNC, the RNC, they are organizing political activity for tens or hundreds of millions of people. And so if they are cyber vulnerable, I think it makes the whole country cyber vulnerable, and then it casts a cloud over democratic government itself. So that's why, in the end, I think it is a complicated question you raise, but I would side with the ranking member and with the other members who were speaking on this side of it. Let me pose a question. As a new member of this committee who was--I was not here for the original OPM breach, and so all of this is a bit new to me. But I want to ask the question. We know from the national intelligence community about the fact that they believed with high confidence that there was an organized campaign by Russia to subvert the 2016 election and to compromise the 2016 election. I've also heard that there's certain other countries where certain kinds of hacking are common or concentrated, like Nigeria, apparently, is a place where there's a lot of cyber hacking and phishing attacks going on. Do you have a list of the most common enemies or culprits of our cybersecurity that you use? And I know, Ms. McGettigan, if that's something you can answer. Ms. McGettigan. I'll defer to Mr. DeVries to answer that. Mr. DeVries. Member, if I could---- Mr. Raskin. Please. Mr. DeVries. If I could, I would like to defer to Mr. Chase here for the expertise on it. We do have the network monitoring, but we are part of the greater ecosystem of that from DHS. Mr. Raskin. All right. Let's cut to the chase. 
Mr. Chase. Thank you. No pun intended. So one of the things that I just want to make clear is we're a customer service oriented agency. And so we rely on our partners from Department of Homeland Security, FBI, and other components within DOD. The potential attribution or the knowing of a bad actor is not our job. My job is to focus the staff at OPM to protect the data that resides in there. Mr. Raskin. Okay. So I guess--right. You're a customer service agency and you want to serve the various government agencies that interact with you. The problem, of course, is now we've got these outside entities that are trying to invade and undermine and so on. Do we know who those entities are? Is there like an FBI most wanted list of the cyber saboteurs all over the world or in this country? I mean, the national intelligence community tells us it's Russia, but then we hear from other people, no, it's a fat guy on a couch someplace. I don't know why it's always a fat guy. Why couldn't it be a skinny guy on a couch. But anyway, it might be a guy on a couch or it might be Russia, but it might be Nigeria. Where it is coming from? And does that list exist? And is there any attempt to really get to the bottom of it? Mr. Chase. And, again, I'll try to answer more directly. So DHS and FBI provide those reports in unclassified and classified formats. Mr. Raskin. Okay. Do you believe as experts in the field that there is going to be a technological answer to this so we can actually create a secure cyber environment? Or, you know, is this a Sisyphean task? We go up two steps and we fall back three steps. I mean, are we really--is it an uphill fight, I guess is what I'm asking. Mr. Halvorsen. Mr. Halvorsen. Right now it is an uphill fight. I do believe technology will get us some of the solutions. But I think this is much like any area in technology. We will make strides forward. The people who want to use technology for bad will make strides forward. 
And it will be a continuing analysis and engagement that is not going to end anytime soon. Mr. Raskin. Thank you very much, Mr. Chairman. I yield back. Chairman Chaffetz. I thank the gentleman. We'll now recognize Mr. Comer who's new to our committee. We're pleased to have him here. The gentleman from Kentucky. Mr. Comer. Thank you, Mr. Chairman. Chairman Chaffetz. Sorry. The microphone button there. Talk button. There we go. Mr. Comer. Thank you, Mr. Chairman. My question is for Mr. DeVries. Sir, I would like to follow up with you on the IT infrastructure project that OPM abandoned last year. The committee's understanding is that you are no longer leasing two new data centers for OPM's new IT environment, but rather, are repurposing the hardware and equipment meant for the IT environment that the contractor Imperatis built. My question is, is this accurate? Mr. DeVries. Yes, sir it is. Mr. Comer. Okay. How much did OPM pay the contractor for the new IT infrastructure project before terminating the contract May 2016? Mr. DeVries. Sir, I would have to get back to you with the exact amount that was consumed there. I do not have that number with me today here. Mr. Comer. Why was the contract terminated? Mr. DeVries. Sir, as I completed my assessments coming on board as the CIO, that effort was to build a new infrastructure to move the legacy stuff into. They went out on the contract. That contractor went out of business. They did not show up to work in May, and we terminated the contract after that. We then repositioned the equipment back in because we had purchased that, as we had purchased the design and engineering diagrams. We have what we paid for. Now just turning it back on. Mr. Comer. It's my understanding that the first two phases of that were completed, and after approximately $45 million of investment, OPM abandoned the project. But you say that we have what we paid for or did we lose what we paid for? Mr. DeVries. 
Sir, we have evolved that, and I'm now building on that capability that we purchased then. Yes, sir. Mr. Comer. So is OPM still operating the legacy IT environment? Is that correct? Mr. DeVries. Sir, I will say no. We have evolved a lot over the past year, and that was part of my assessment coming onboard was to take a look at what the network was, where are our high value assets, where are our centers of gravity, if you will, and what's the protection there. Mr. Chase has talked about some of the defense and depth that we've put in place. So it is not the same legacy infrastructure that it was in 2015. Not by a long shot. Mr. Comer. So are we--can we be assured that this environment is more secure today than prior to the data breaches? Mr. DeVries. Absolutely. Mr. Chase and I would not be here if it was not. Mr. Comer. Okay. I yield back. Chairman Chaffetz. I thank the gentleman. We'll now recognize the gentlewoman from the Virgin Islands, Ms. Plaskett, for 5 minutes. Ms. Plaskett. Thank you, Mr. Chairman. And thank you all for being here this morning to testify. I wanted to--I appreciated your testimony this morning on all of the topics. And it seems to be very wide ranging, of the discussion that we're having this morning. But we are all here because protecting our Nation's security from insider threats and external threats is of paramount importance, of course, to you all and us as Members of Congress. So I wanted to discuss the security clearance process and how individuals are granted access to sensitive information. Director Phalen, for you specifically, how would NBIB handle the clearance process for someone under active FBI investigation? What happens with that application? Mr. Phalen. When an agency puts an individual in for a clearance, it starts with a determination by that agency that this individual needs a clearance for whatever work they're going to be doing. The individual's information is sent to NBIB or to some other---- Ms. Plaskett. 
And what if you find out that the person is under active FBI investigation? What happens at that point? Mr. Phalen. If we in the process of conducting the investigation determine an individual's under active investigation, we would notify the requester of what we understand to be the investigation, and we would continue the-- our part of the investigation, unless we were told to stop based on some decision by the requester. Ms. Plaskett. Now, in knowing that you're going to continue the investigation of someone who is under an active FBI investigation, would that be one of the factors in disqualifying an individual from a security clearance? Mr. Phalen. Not necessarily. And it would not be our determination. It would be the determination of the requesting agency, who is either the requesting agent themselves, if they have independent adjudication authority, or the--in the DOD world, the consolidated adjudication facility. These are the individuals that make the ultimate determination as to whether an individual is eligible for access to---- Ms. Plaskett. Got you. So you're processing the application, you're giving them the information, and then the agency head then makes the determination whether or not the person has the security clearance? Mr. Phalen. Ultimately, yes. Ms. Plaskett. So for the ultimate decisionmaker for granting a security clearance for a senior White House staffer, who would that person be? Mr. Phalen. The chief of the White House Security Office is the adjudication authority. Ms. Plaskett. And so the chief of the security office for the White House is the determiner for an individual in the senior White House level having a security clearance. Mr. Phalen. Yes. Ms. Plaskett. And who places that person in that office? The chief officer. Is that an independent? Is that appointed by the President? Is that a career person? Who is that individual? Mr. Phalen. I actually don't know right now. I can find that answer---- Ms. Plaskett. 
I would really love to know that answer. Because is it possible for the ultimate decisionmaker to make a decision to grant an individual a national security clearance if the person is under an FBI investigation? You're saying yes, that's possible. Mr. Phalen. It is possible. Ms. Plaskett. And the reason I'm asking that is because of course--you know, of course there's a reason I'm asking. Right? There would--according to multiple reports, several members of the Trump campaign and incoming Trump administration may currently be under FBI investigation for their connections with the Russians; the very country implicated in the hacking that everyone seems to be interested in here today. So President Trump's National Security Adviser, Michael Flynn, is reportedly being investigated by the FBI for phone calls with a Russian diplomat. And the New York Times reported that the FBI's investigating communication and financial transactions between Russia and the former campaign manager, Paul Manafort. So my question is, if these individuals become now senior White House staffers who need security clearance as having sit on this National Security Council, along with Steve Bannon, if those individuals are under FBI investigation, they may still get a national security clearance? Mr. Phalen. That is certainly possible. And I would distinguish between someone who is under investigation and someone who has been charged or convicted with a crime. Ms. Plaskett. Of course. As a lawyer, I know you're innocent until proven guilty. But an active FBI investigation would raise some eyebrows. Would it not? Because the FBI would not begin an investigation on my, you know, freshman student who has cheated on a test or something. They usually start FBI investigations for pretty serious things. Mr. Phalen. It would be a noteworthy item on an adjudication, yes. Ms. Plaskett. Okay. Mr. Chairman, I think we need the answer to some of the questions that we've been asking here. 
And so do you know, Director Phalen, which or any of the senior White House staffers who have access to senior material are under criminal investigation by the FBI? Mr. Phalen. I do not know that, no. Ms. Plaskett. Okay. Thank you. Chairman Chaffetz. If the gentlewoman yields back, Ms. McGettigan, she is the acting director of OPM, if you could get back to Ms. Plaskett about who specifically is in charge, I think the gentlewoman asked a reasonable question here, who are the people that make those determinations, and get back to-- will you make that commitment---- Ms. McGettigan. Yes, we will. Chairman Chaffetz. --that you'll get back to her? Ms. McGettigan. We will get back to you. Chairman Chaffetz. Okay. Ms. Plaskett. Thank you. Thank you very much, Mr. Chairman. As well if you would find out how do we find out---- Chairman Chaffetz. Ask her. Ms. Plaskett. It would be great to know in that process, one, who the decisionmaker is, and is there a list of individuals who are under FBI investigation. If the chairman and the ranking member would receive that, that would be very helpful in making that determination, what are the factors. Ms. McGettigan. Okay. Ms. Plaskett. Thank you. Ms. McGettigan. We will follow up. Thank you. Chairman Chaffetz. And I would open up to any member, if they have questions for OPM, Ms. McGettigan is the acting director. Mr. Connolly. Mr. Chairman, I just--I assume at some point Ms. McGettigan's going to actually answer a question as opposed to always getting back to us. Chairman Chaffetz. Okay. She wasn't ever even asked a question in that series, so I think that's a little inappropriate. But let me--and she did make a commitment to get back to the committee. I think that's reasonable. Mr. Connolly. Yes, I heard. Chairman Chaffetz. So I'll now recognize myself for 5 minutes. And I guess this question will go to Mr. Chase. Tell me about the authority to operate. There have been some questions about this in the past. 
The inspector general found that the authorities to operate were a material weakness in fiscal year 2016. The IG reported that 18 major systems still did not have current authorities to operate in place. What is the current state of those ATOs? Mr. Chase. So all the ATOs---- Chairman Chaffetz. If you can move that microphone a little closer. I apologize, sir. Mr. Chase. So all the ATOs are currently compliant. Chairman Chaffetz. Can you put some meat on the bones? Define that for us. Mr. Chase. So in fiscal year 2016, again, our strategy was to identify and understand all the systems. It was identified that quite a few of them were out of compliance. So we took on two major initiatives at OPM. One was a sprint in February of 2016 to look at all the systems, to include the HVAs, to ensure the best pathway forward to get them compliant. The next phase of that was marketing within OPM and the agency heads and the acting director at the time to ensure that everybody in the agency knew the importance to get everybody into compliance. Chairman Chaffetz. Would the ATO--you said all of them. Would that include the PIPs? Mr. Chase. That is correct, sir. Chairman Chaffetz. It would. Okay. Mr. Chase. That was not reflected in the fiscal year 2016 FISMA report, and has been recently. Chairman Chaffetz. Everything within the NBIB, do those all have current valid ATOs? Mr. Chase. Yes, sir. Chairman Chaffetz. Okay. Let me switch over here, if we could, to Ms. McGettigan and--or maybe, Mr. Phalen, you might be the right person--actually, let me ask you, Mr. Phalen. What is the current state of the ability to look at the social media? We've been talking in this committee over the last couple of years, actually, with OPM about during background check investigations looking at social media. What are you doing or not doing in that process? Mr. Phalen. Thank you, Mr. Chairman. Two points to make on that. 
Number one, in April of 2016, the security executive agent sent out a directive that would allow us--allow an investigation to use social media publicly available on electronic information in order to inform an investigation. We at NBIB or its predecessor, the Federal Investigative Service, have been using on a targeted basis social media inquiries to help resolve issues when they come up during an investigation. We are in the middle of a short pilot to understand how we can incorporate it into a formal--into a more consistent use during an investigation. In other words, how do we collect the information, get it disambiguated, and make sure it is accurate and of any value, and then provide it to an investigator who is in the field conducting an investigation to help enhance that. Chairman Chaffetz. Can you define ``short pilot?'' Because I think we've been talking about this for a couple years. And this doesn't seem to be very short. Mr. Phalen. So a number of pilots have been conducted by a number of agencies to look at the value of social media. And most concluded--most have reached the similar conclusion, there can be valuable information in collecting social media. Chairman Chaffetz. Okay. Can you just hold on here. This is what drives people crazy about government. You had to conduct a study to find out if looking at social media would be valuable? And the conclusion is it might be yes? Come on. Every single time there's a terrorist attack, what's the very first thing the investigative body does? They go look at their social media. And more often than not, they say, oh, my goodness. If somebody had just looked at this. Why in the world do we need--we're still doing a pilot? Let me answer the question for you. Yes. Looking at publicly available social media should be part of the background check. It's a joke to think that you're not looking at social media. And the idea that we even have to think about this, by its very definition, it is social. It is open. 
It's there. Facebook. You can go--come on. Instagram. Twitter. Every single time we go and do an interview for somebody, we go check their social media. Why do you have to do another pilot? Mr. Phalen. The pilot was not to determine whether or not there's any value in social media. The pilot that we are currently running is how do we incorporate it into a standard background investigative process. And the largest pole in this tent here is not can we collect the information. It is not is there going to be valuable information in there. It becomes how does it get incorporated in a manner that is cost effective to our customer base. And--because the collection is the easy part. The analysis of it becomes harder. And the more data that's out there, the more difficult the analysis becomes. I believe that this is a relevant data source. We believe it is a relevant data source. We're going to continue to exploit it. This pilot was a very short one to determine how we can build it into an--our current investigative process. And as we move down the road, how it will become more of a mainstay for this investigative process. Chairman Chaffetz. Have you considered implementing a policy to require the disclosure of online user names or social media identities as part of the clearance process? Mr. Phalen. We have not at this point. Chairman Chaffetz. Why not? Mr. Phalen. That would be a decision to be made by the security executive agent to ask for that information. Chairman Chaffetz. Here's my personal take on this, and then we'll go to Mr. Connolly. The United States of America, the people of the United States of America, are about to entrust somebody with a security clearance that allows that individual to look at and understand information that the rest of the public doesn't get to look at. Right? That is the very nature of a security clearance. We're doing this, we're giving this person special privileges because we trust them. 
I would think it would be reasonable that in return for that--you don't have to apply or try to get a job with a security clearance. There's nobody that forces you to do that. It's optional. But you would think in return for that they would say: Yes. Here's my Instagram account. And I would go so far to say: Here's my password if you want to go look at my private Instagram. That is a reasonable thing to look at when you're trying to go back and do a background check. Some of these background checks are so thorough. You're looking at bank records. You're looking at education. You're interviewing neighbors. You're talking and trying to figure out as much as you can about this information. A very costly, expensive, laborious process. And yet we're not even--we're so bashful we won't even say: We're going to be looking at your Instagram. Is that okay, you know? And if it's not, then maybe we shouldn't be giving them a security clearance. That's my take on it. It's very frustrating this takes so long. Because every time we have a problem, what's the very first thing the FBI and other law enforcement want to do? They want to dive into their social media. That's the best way for them to figure out what has been going, what is the attitude, who are they communicating with. And if we're going to give a security clearance, it seems reasonable. I'm past my time. I'll now recognize the gentleman from Virginia, Mr. Connolly.

Mr. Connolly. I thank the chair. I also would say to the chair, I caution him, I don't think it's appropriate for him to characterize an intervention or a question by a member of this committee. I don't do that to him. And I expect him not to do it to me. And if we're going to get into that, two can play the game. Ms. McGettigan, a question maybe you can answer. OPM, is it going to migrate to the required XML format, the transaction submissions and background checks instead of using legacy systems? I thought I heard Mr.
DeVries say we're pretty much done with the legacy systems. Have we fully migrated to the required XML system?

Ms. McGettigan. I will have to defer that to Mr. DeVries.

Mr. Connolly. You don't know the answer?

Ms. McGettigan. I do not.

Mr. Connolly. Mr. DeVries.

Mr. DeVries. No, sir, we have not.

Mr. Connolly. Why not?

Mr. DeVries. So the whole legacy system is comprised of eight different systems which ask questions and interact and portray in conducting the investigation through them. A lot of the language on, especially I think it was a member here brought up the word PIPs, which is the main database system that maintains it there, that is on--written in language that is no longer supported. And I'm trying to move it out of there. It is not just merely a case of just taking something and putting it out to XML. We have employed XML in terms of the interface going into the customer. We have put that into all their front-facing applications there. And in that time, we've also put other protections in there, like masking of the Social Security number and other techniques. So yes, to the customer facing one, as we have on other OPM systems, we have put the XML piece into it.

Mr. Connolly. Ms. McGettigan, what is OPM and NBIB doing to ensure that if data is exfiltrated from the NBIB, NBIS systems, that the data will be protected and its location and attempted use not--will not only be prevented but visible to the NBIS for action? What are you doing to protect that in the exfiltration process?

Ms. McGettigan. Again, sir, I'll----

Mr. Connolly. Can't hear you.

Ms. McGettigan. I apologize. Again, sir, I will have to defer to Mr. DeVries or Mr. Halvorsen.

Mr. Connolly. So again you can't answer the question. Mr. DeVries.

Ms. McGettigan. I cannot.

Mr. Connolly. Does the acting director of OPM get involved in these cyber issues at all?

Ms. McGettigan. I do get involved somewhat, but not in the details.

Mr. Connolly.
Have you had any experience with the breach or responding to the breach in your period of time under Beth Cobert or Ms. Archuleta before that?

Ms. McGettigan. I--when the breach occurred, I was in another area of the organization. I was in Human Resource Solutions. I was not the chief management officer at that time, so I was not intimately involved. I was involved from another area of the--I had no responsibility for that.

Mr. Connolly. Mr. DeVries, what are we doing about that exfiltration, protecting that data so it's not breached?

Mr. DeVries. Yes, sir. Sir, on a macro perspective, let's start with the worthy employee or the individual who's going to be investigated. He enters his records or his information into the e-QIP through the SF--Standard Form 86. That information is stored securely. It's on an encrypted database. That is what gets queued up to go to the investigators once they are awarded that work, if you will, from the NBIB. With my coming on board in September, we changed that process. In the past, when the companies would get their task orders to do these investigations, and we just talked about the contract that was awarded out to the four new companies, two of those were existing ones and there are two new ones in there, the investigators no longer can download that information to their company information stores. It stays as part of the government, and we've incorporated a new security thing there where when they pull the records in, it is on a different encrypted system under their hard drive, and they authenticate themselves with a verification card that is issued by OPM and NBIB to them.

Mr. Connolly. I only have 30-something seconds, so let me ask another question. What are we doing to boost the capacity to decrease the enormous backlog on security background checks? Mr. Phalen.

Mr. Phalen. Yes, sir. We have done two things of large proportion.
Number one, as was referenced earlier, we have started a new contract period and doubled the number of companies that are available to provide the contract investigations. And that, we believe, will have a significant impact on our ability to work off the backlog. At the same time, in fiscal 2016, we hired 400 new Federal investigators into the service. And we plan on, in 2017, adding another 200. And we are already seeing the fruits of that addition to work off the capacity.

Mr. Connolly. I think this is on top of many topics we're talking about. This is really important. I get complaints all the time, especially from private sector companies with enormous numbers of jobs at the ready they cannot fill because of this backlog. And so the more we can do to streamline, expedite, while making sure it's still accurate, I think is really critical moving forward. Thank you.

Mr. Phalen. Yes, sir. I agree.

Mr. Connolly. I yield back.

Chairman Chaffetz. I thank the gentleman. We'll now recognize the gentleman from Alabama, Mr. Palmer.

Mr. Palmer. Thank you, Mr. Chairman. I know you're new on the job, Ms. McGettigan, and if there's anyone on the panel who can answer this, I'd appreciate it. Does OPM allow employees to access personal email accounts, Facebook, do any other personal business using the Federal server?

Ms. McGettigan. Employees are allowed to do limited access for personal and business. Access their bank accounts, what have you. So there's limited access for personal business. Limited use.

Mr. Palmer. Are you aware that it was reported that the Immigration and Customs Enforcement agency just a couple of years ago, I think it preceded maybe by a year or so the breach of the data systems at OPM, they had numerous cases where the breaches were coming--or the attacks were coming through the use of personal email utilizing the Federal server? Are you aware of that?

Ms. McGettigan. No, sir, I was not.

Mr. Palmer.
Well, it's an area that concerns me where--and employees, and not only employees, but high ranking officials, and I don't know that you could answer this, if there are any OPM directors or other high-ranking officials using personal email accounts--or accessing personal accounts using the Federal server or using personal accounts to do business. We know that's been a problem in other agencies, most notably the State Department. One of the things that concerns me is that it doesn't appear to me that we've made the maximum effort to protect ourselves from cyber intrusion. And for the record, I'd like to point out that James Clapper made the point, the Director of National Intelligence, that it was the Chinese, not the Russians, that we believe hacked OPM. But I think this may have been asked earlier. OPM is still not fully compliant with the requirements for the use of personally identifiable verification cards, the PIV cards. Where are we on that?

Mr. DeVries. Sir, I'll take that. Sir, we are 100 percent compliant for the PIV cards for the users to access the network.

Mr. Palmer. So is it a chip-based card?

Mr. DeVries. Yes, sir, it is.

Mr. Palmer. And multifactor verification?

Mr. DeVries. Multifactor verification.

Mr. Palmer. So we've got that across the board?

Mr. DeVries. It needs the card and then you need the personal identification that you put your PIN in for. Correct, sir.

Mr. Palmer. Let me ask you this: In regard to hiring people who handle your data systems, and particularly to protect against cyber attacks, how long does it take to process an applicant? For instance, I've got a--there's a gentleman in--at the University of Alabama, Birmingham, one of the top people in the country on this, Gary Warner, and he's turning out some of the best experts in cybersecurity. And the day they graduate--it's almost the day they graduate, they can get a job with Visa, MasterCard. But it seems to take months to even get in the system for the Federal Government.
Is that an issue at OPM?

Ms. McGettigan. Well, yes, sir, it is an issue in terms of the background investigations. We are very much backlogged. We are committed to reducing that backlog. And we have--to that end, we have just--we have just awarded contracts to increase our capacity, the field contracts to increase our capacity. And we are on a path to reduce that--to reduce that backlog. But it will take time, and employees of OPM or prospective employees of OPM are also waiting for background investigations.

Mr. Palmer. Well, I know that--and I wasn't here for the opening of this hearing--that there seems to be a tendency to try to make this--politicize this. And if that's where some members want to go with it, that's fine. But I think the seriousness of the breach at OPM requires that we do our jobs to make sure that our data systems are secure. And one of the things that I might suggest and encourage you to consider is doing the background checks on these top students while they're still in school so that when they graduate, we're not going to lose them to the private sector. I think that we put ourselves at great exposure by not having quicker access to the best people that are available to protect our data systems. Is that something that OPM might consider? Could we expedite the process? Because it's unreasonable to think that someone could get a really good job somewhere else and then have to wait months to get an interview.

Ms. McGettigan. Yes, sir. We do have some programs. We have a program, Presidential Management Fellow Program, where we have people apply--recent graduates apply. And they are vetted and then they become finalists. We do not do--to my knowledge, background investigations are always done at the--once the person receives a conditional offer of employment. So it's the offer of employment that triggers the background investigation.

Mr. Palmer. Well, I thank you for coming today. And I just want to make this last point, Mr.
Chairman, that I think the point that needs to be made is that the purpose of this hearing is to make sure that our data systems are secure. And I think this committee will do whatever we need to do to make that possible. I yield back.

Chairman Chaffetz. I thank the gentleman. We'll now recognize the gentleman from Wisconsin, Mr. Grothman.

Mr. Grothman. Thank you. Mr. DeVries, we'll ask you a question again. You know, the GAO recently found----

Chairman Chaffetz. Mr. Grothman, my apologies. My apologies. We need to go to the Democratic first. Mrs. Lawrence. I failed to recognize her. The gentlewoman is recognized for 5 minutes.

Mrs. Lawrence. I know you would never purposely not recognize me, Mr. Chairman. Yesterday, Ranking Member Cummings sent a letter to the Defense Secretary about potentially serious violation of the Constitution by Lieutenant Governor Michael Flynn, the President's national security adviser. General Flynn had admitted that he was paid to attend an event sponsored by the Russian-backed television network known as RT. And he dined with the Russian President Putin. RT has been described by the NSA, CIA, and FBI, and I quote: ``The Kremlin's principal international propaganda outlet. It receives funding, staffing, and direction from the Russian Government.'' Director Phalen, your staff provided the Standard Form 86 for security clearance holders. One question on the form, and I quote: ``Have you or any member of your immediate family in the past 7 years had any contact with a foreign government, its establishment, or its representatives, whether inside or outside of the U.S.?'' My question to you, why are these individuals asked this question?

Mr. Phalen. Thank you, Representative, for that question. The reason these questions are asked is to ensure that the individual who is making an adjudicative decision understands what relationships an individual may have with a foreign government or foreign representative.
And the nature of that question is to get to the heart of what that relationship may be. It could be benign, it could be not benign. But this would be the judgment of the adjudication organization. Our goal would be, based on the response to that question, to gather as much information as we can get to----

Mrs. Lawrence. The form also asks the question, and I quote: ``Have you in the past 7 years provided advice or support to any individual associated with a foreign business or foreign organization?'' So my question to you is, do you know if General Flynn has a clearance?

Mr. Phalen. I have not checked the record. I believe he does have a clearance, but I don't know that authoritatively. And if I could add, that the investigation of General Flynn, given his role in the White House, would generally be conducted by the FBI and not by NBIB.

Mrs. Lawrence. So you don't know if he has a clearance, correct?

Mr. Phalen. I don't know authoritatively, but I believe he does.

Mrs. Lawrence. Do you know if he ever reported to the appropriate authorities?

Mr. Phalen. I do not know that.

Mrs. Lawrence. Do you know if General Flynn ever reported how much he paid--how much he was paid for his trip?

Mr. Phalen. I do not know that.

Mrs. Lawrence. So you're stating within the government that would be the FBI that would answer that question?

Mr. Phalen. The--his reporting chain, if his clearance was still through the Department of Defense, would have been back through a Department of Defense security office, and they would be the organization that would have that on the record. It would be up to the FBI, if they were doing the investigation, to go back and reach out to the Department of Defense and ask if that had been reported.

Mrs. Lawrence. Do you know if that reach-out has happened?

Mr. Phalen. I do not know.

Mrs. Lawrence. Mr. Chairman, we need to get answers to these basic questions.
And I am requesting that the committee send a letter requesting a copy of General Flynn's security clearance application, as well as any and all updates he may have submitted. Will the chair agree to that?

Chairman Chaffetz. Send me the request.

Mrs. Lawrence. I appreciate it.

Mrs. Lawrence. We have a responsibility, and we have been talking about this. And, Mr. Chairman, you have been a staunch leader in this, and this is an area I feel that we need questions answered. Thank you so much.

Chairman Chaffetz. I now recognize the gentleman from Wisconsin, Mr. Grothman.

Mr. Grothman. Okay, Mr. DeVries. GAO found that personnel management had not yet completed and submitted a data center optimization plan. And, originally, that was supposed to be done in September of last year. Do you know when that plan will be completed, or has it been completed?

Mr. DeVries. Thank you, sir. I appreciate that question because that's one that's near and dear to my heart. I came onboard as the CIO in September. We did not publish that one, because it was not complete. I completed the assessment on it, and we're finalizing that. And that should be done back up to OMB by the end of this quarter here.

Mr. Grothman. By the end of?

Mr. DeVries. This quarter.

Mr. Grothman. Okay. So the next couple months. Okay. Do you know what the savings goal you have for a plan like that is?

Mr. DeVries. Sir, I do not have the savings goal in terms of the final numbers yet. That's part of the assessment that's still ongoing right now.

Mr. Grothman. Okay. How many data centers do you own now?

Mr. DeVries. Today, sir, I own seven. We closed down two, and we're about ready to move out of our third one here in the next 2 months.

Mr. Grothman. Oh, that's good. What do we have left? What are the ones that are left?

Mr. DeVries. And then I have five left. And I'm going down to two.

Mr. Grothman. Okay. Good. Let me give you another question.
During the data discovery breach and mitigation process, your relationship with the inspector general was strained. There was a lack of communication, time--there wasn't timely reporting, I think the IG wasn't informed really what you would consider on a timely basis. I understand things have improved since that time. How would you characterize your relationship with the inspector general today?

Mr. DeVries. On behalf of the CIO office, I'll say it's very good. I say that because we meet monthly with his staff and my staff to go through what their concerns are, what their findings are, what our status is of reporting back to those findings. It's a very good relationship. They hold nothing back. And I'd like to defer now the final question to my chief information security officer, because he deals with them much more frequently.

Mr. Grothman. Okay.

Mr. Chase. Is that okay, Representative?

Mr. Grothman. Sure. Yeah.

Mr. Chase. So one of the things when I came onboard was to establish a good relationship with the inspector general. We meet on a weekly basis to talk about all the progress. And so--and I know I mentioned it earlier, but I'll say it again, is everything from the compliance efforts that we did to the engineering rollouts, so there's a lot of things going on that I wanted to make sure that the inspector general is abreast of. And so with that, they've given us guidance on what's appropriate to align to their FISMA report metrics and reporting. And it's been helpful not only for me but my staff behind me to see why that relationship is one that pays dividends in the long run.

Mr. Grothman. Good. And if there was a breach today, how quickly would the inspector general know?

Mr. Chase. As quickly as everybody else.

Mr. Grothman. Okay.

Mr. DeVries. Sir, I make that first phone call to the director, the second one is to the OIG, so it's realtime----

Mr. Grothman. Okay. Thank you. I yield the remainder of my time.

Chairman Chaffetz. The gentleman yields back.
I now recognize the ranking member, Mr. Cummings.

Mr. Cummings. Thank you very much, Mr. Chairman. Director Phalen, according to the website, the National Background Investigations Bureau, NBIB, is now responsible for conducting, and I quote: ``Approximately 95 percent of the total background investigations governmentwide.'' Is that right?

Mr. Phalen. Yes, sir, that is.

Mr. Cummings. Out of the total number of background investigations that NBIB is responsible for conducting, does that include political appointees in the Trump administration?

Mr. Phalen. Generally not.

Mr. Cummings. Not?

Mr. Phalen. Generally not.

Mr. Cummings. Okay.

Mr. Phalen. Yes.

Mr. Cummings. And why not?

Mr. Phalen. By tradition, that work has been given to the FBI to conduct those investigations by the White House.

Mr. Cummings. And so a--now, guideline A of the adjudicative guideline states that individuals seeking a security clearance must have unquestioned allegiance to the United States, and lays out a series of examples of disqualifying factors that investigators and adjudicators will use to determine eligibility. Based on some of the questions on that SF86, I think many people often think of association with groups seeking to overthrow the U.S. Government by violent means, like violent anarchists or terrorist groups. When we think of this guideline, is that fair?

Mr. Phalen. Yes, that would be a major piece of that category. Yes, sir.

Mr. Cummings. But the disqualifying factors in the guideline may include much more than that. Do they not? They include whether a person associates with or shares the viewpoint of those who advocate using illegal or unconstitutional means to prevent government personnel from performing their official duties or others from exercising their constitutional rights. Is that correct?

Mr. Phalen. Those are--those are questions to be considered in an adjudication, yes, sir.

Mr. Cummings.
And it could--and it could conclude--include persons who associate or share the viewpoint of those who use illegal or unconstitutional means to, quote, ``gain attribution for perceived wrongs caused by Federal, State, or local government,'' end of quote. Is that correct?

Mr. Phalen. Those would be adjudicative questions, yes, sir.

Mr. Cummings. If your investigations uncovered negative or derogatory information in any of those areas, I imagine that you could raise concern with regard to them. Is that correct?

Mr. Phalen. They would be noted in the investigation, and they would be forwarded to an adjudicative--adjudication authority to make a determination as to whether that individual should be cleared.

Mr. Cummings. So I want to walk you through a few short examples. If someone said that they were a Boy Scout or Girl Scout, would that raise a concern under guideline A? Of course not. Is that right?

Mr. Phalen. No, sir.

Mr. Cummings. What if someone described themselves as a Leninist, which refers to the Russian revolutionary who was not a fan of our democratic government, should that raise concerns for your investigators?

Mr. Phalen. It would, and the investigator should pursue that avenue of discussion with the subject as to what that means.

Mr. Cummings. What if someone said that his goal was to, quote, ``destroy the State,'' unquote, what response would that elicit?

Mr. Phalen. That would elicit a very strong line of questioning with that individual and with others to determine what he means by that, so that we can give a full picture to the adjudicator.

Mr. Cummings. What if somebody said, quote, ``I want to bring everything crashing down and destroy all of today's establishment,'' end of quote, should that raise a concern?

Mr. Phalen. That would be noteworthy in an adjudication, yes, sir.

Mr. Cummings. Chairman, each of these phrases were reportedly used by Steve Bannon to describe his views and his goals, according to Ronald Radosh of The Daily Beast. Mr.
Bannon has since reportedly denied saying those things, but I imagine an investigator would still have concerns about them. I imagine that they would also want to see numerous reports about racism rampant on the news website Mr. Bannon used to run. Mr. Chairman, this is--this is a very serious problem. The President has picked Mr. Bannon to be his chief strategist and senior counselor. Not only that, the President just reorganized the National Security Council and gave Mr. Bannon a permanent seat at the table, while removing the chairman of the Joint Chiefs of Staff and director of National Intelligence. This is at least--I mean, it causes us to--we should wonder about this and question it. Do you--if--you may have answered this earlier. If somebody is under criminal investigation--and I know that we now have a liaison. Tell me how that works, a criminal liaison to try to work with--what happens when you find out somebody is under criminal investigation?

Mr. Phalen. Depending what the criminal--criminal investigation is and the immediate seriousness of the nature, we may immediately contact the requesting agency that is asking for the clearance to give them sort of a heads-up that this is out there. And they may or may not determine at that point they want to terminate the request for a clearance. Otherwise, we'll continue the investigation. The fact that--going further down the road, an adjudicator would be faced with this question, this is an individual under criminal investigation, it would be up to them to understand what that investigation is about and to make a judgment whether or not that investigation or what is surrounding it would be disqualifying for access to classified information, whether--essentially, whether it shows an inability to be trusted to hold onto classified information.

Mr. Cummings. So, in other words, the person could still get a--get a clearance?

Mr. Phalen. Yes.

Mr. Cummings.
And I would assume that if that person were then later on convicted of an offense, then that probably his clearance would be withdrawn. Is that right?

Mr. Phalen. If----

Mr. Cummings. And who would do that?

Mr. Phalen. The organization that issued the clearance would be the organization to rescind the clearance. And--based on what they see. And they would make--and if it had already been issued, an individual is convicted, it would be up to that organization to determine whether or not that conviction has any impact on their ability to be trusted.

Mr. Cummings. My last question. The--I just gave some quotes that are attributed to Mr. Bannon. Would--I mean, if they--if you were to raise--if those questions were raised, would anyone go and then--and then the--say, Mr. Bannon, or whoever may have said those kind of things, denied them, would, then, you--would--would somebody go back to look to see if those statements were made in other--in the periodicals, whatever? And how might that affect the security clearance of that person? Do you understand my question?

Mr. Phalen. I believe I do. We--if--if we--first, if we were faced with an individual who had made statements that appeared to be counter to the United States, that would be an issue we would pursue with the subject themselves, to start with. And to use your example, if that individual said, no, I never really said that, I don't really feel that way, we would use, to the best of our ability, whatever sources we can find to get to--to do issues resolution, to determine whether--what the truth is, to the extent that we can, so that we can give as full a picture as we can to the official that has to make that ultimate decision.

Mr. Cummings. And if you discovered that, unequivocally, that the person had not been honest with you, what might--effect that have?

Mr. Phalen. That would, again, be passed on to the adjudication authority, and they would have to determine whether that makes a difference or not.

Mr.
Cummings. Mr. Chairman, thank you for your indulgence.

Chairman Chaffetz. Thank you. I'll now recognize the gentlewoman from New York, Mrs. Maloney.

Mrs. Maloney. Thank you, very much.

Chairman Chaffetz. Your microphone. Microphone.

Mrs. Maloney. You know, I'm really concerned about cybersecurity. And if Congress is serious about helping agencies improve their cybersecurity, it must call on the President to rescind, in my opinion, his across-the-board hiring freeze. How in the world can you move forward if you can't even hire the people that can do the job? Such--this freeze that he's put in place, in my opinion, undermines the Federal Government's ability to recruit, develop, and maintain a pipeline of cybersecurity talent that's needed to strengthen Federal cybersecurity. And if there was a field that didn't change every 24 hours, it's cybersecurity. You have to get the youngest, brightest, latest people that are involved in it. So I am concerned about this freeze that he put in place, I think it was roughly 2 weeks ago. And he's taken other steps that will make it more difficult for Federal agencies to improve the area of cybersecurity. So I--and then he issued this memoranda ordering across-the-board hiring freeze in the Federal Government. And I want to quote from it. And I quote: ``As part of this freeze, no vacant positions existing at noon on January 22, 2017, may be filled, and no new positions may be created.'' So it seems to me that when it comes to improving cybersecurity, a hiring freeze is one of the most counterproductive policies that you could ever put in place. And after the 2015 cybersecurity at OPM, Federal CIO Tony Scott and then OMB Director Shaun Donovan put in place a cybersecurity strategy and implementation plan for the entire government.
And I quote: ``The vast majority of Federal agencies cite a lack of cyber and IT talent as a major resource constraint that impacts their ability to protect information and assets.'' And so I'd just like to ask Mr. DeVries, as the CI--CIO of OPM, can you highlight some of the challenges that OPM has faced when it comes to recruiting and hiring cybersecurity specialists? And, obviously, you can't do anything if you can't hire anybody. So could you give us some insights there?

Mr. DeVries. Thank you very much for that question. That is a--that is pertained to OPM. It's pertained to the Federal workspace and the Federal cybersecurity and IT professionals. That is a concern to all of us of how do I keep the pipeline coming in there. I will tell you, from my experience just coming onboard in OPM in September, we have, for example, five hiring actions out there, and we had about a 60 percent--we did not get to them fast enough before they went someplace else. We have completed that. We have filled those things. But, again, that's our challenge across the Federal spaces, how do I recruit and retain these folks. I will tell you, it comes from the passion of the heart. They come onboard. If I give them meaningful experiences, training they will stay. I think we're also working across the Federal space of how do I help improve the rotation, if you will, from Federal service back to industry and then back in again. We need to make--we have made strides on it. We need to continue to work on that together.

Mrs. Maloney. Well, I--I've got to say that cybersecurity is really tied to the security of the Nation. And I think--I don't see how you can do your job if you can't hire people. So I would respectfully like to request that the chairman think about maybe asking for a waiver for the cybersecurity area in hiring. Number one, as Mr. DeVries pointed out, it's hard to hire them, because they're in great demand all over the country right now, that is a prime focus of the country.
And so we need to work in this for the good of the country. And I--we're all individuals. I'm going to write the President my own letter and request that he waive it for the area of cybersecurity. But can you just go over some of the agencies, how does this hinder your ability and capability to improve when it comes to securing IT systems when you're not able to hire people? How does this affect you?

Ms. McGettigan. Congresswoman, in terms of the hiring freeze, this is a 90-day freeze, and there are many exemptions to that freeze, primarily in terms of national security, public health, and public safety.

Mrs. Maloney. But isn't this national security, cybersecurity?

Ms. McGettigan. Well, agency heads are able to make that determination and to exempt those positions that are deemed to be national security.

Mrs. Maloney. So that's taken care of?

Ms. McGettigan. If they are not--if they have a position, a cybersecurity position, that they would not feel was national security, they can come to OPM and we will review their request for an exemption from that.

Mrs. Maloney. Have any people asked for exemptions?

Ms. McGettigan. At this point, no. I'm not aware specifically that anyone has come into OPM. I haven't seen any requests.

Mrs. Maloney. Okay. My time has expired. Thank you.

Chairman Chaffetz. Thank you. Just a few wrap-up questions. Mr. DeVries, could you please provide the committee all the NCAPs or other pen test reports conducted in the last year? Is that something you can provide the committee?

Mr. DeVries. Yes, sir, we can.

Chairman Chaffetz. Okay. Thank you. We appreciate it if you'd do that. And then, Mr. Phalen, one of the--one of the sad realities of what happened when Director Archuleta was in place is this hack had legacy systems online that dated back to 1985. And my understanding is, even if you applied for a job and didn't get a job with the Federal Government, and you did it after 1985, you might have been in that system.
What are you doing to take sort of the nonactive records so they're not online and, thus, accessible to some hacking? Have you made any adjustments there?

Mr. Phalen. To be honest, sir, I don't know. I know we have done a tremendous amount, you've heard it earlier today, in securing the systems. And I'm very comfortable that we have both the barriers on the front end and the ability to, my words, fight sort of an active shooter online on the network, should it appear. I don't believe we've taken a tremendous amount of this and put it offline, because it is--it needs to be accessible for any future work that we do.

Chairman Chaffetz. To a degree. I mean, you know, if somebody retired in 1991 and then all of a sudden we have a hack in 2014, it does kind of beg the question why is that system--Mr. Halvorsen looks like he has something.

Mr. Halvorsen. Yes. The new system will have tiered storage on it both in terms of what's live, what goes back, and it will take into consideration some of the things you said. If you are offline for a while, that will go into a different storage system, and it will be much harder to access.

Chairman Chaffetz. It just--it seems like one of the lessons we should have learned for the nonactive employees--again, there may be a period of time. You all are more experts on it than we are, but after a certain amount of time, maybe it should be, you know, more sitting in some mountain somewhere as opposed to online. Two last questions. Who's in charge? When there's conflict, disagreement, when there is an attack, who ultimately is in charge?

Mr. Chase. So through my program, we actually have a process that we implemented based on the lessons learned from the 2015 breach, and there is a communication path that routes up into the director's office through the CIO with the severity and any data or details related to that incident.

Chairman Chaffetz. So who--who is in charge?

Mr. Chase. So----

Chairman Chaffetz.
Who ultimately makes the hard decision if there's a disagreement, a question? You've got the DOD. You've got OPM. Something's not--who is the ultimate decisionmaker?

Mr. DeVries. So I'd like to take that on. If it's on the current system that OPM and I, as the CIO, am responsible for, I do that.

Chairman Chaffetz. Okay.

Mr. DeVries. On the new system, within the NBIS, as we transition to it, DOD will.

Chairman Chaffetz. Okay. So that would be Mr. Halvorsen or whoever his replacement is?

Mr. DeVries. Correct.

Mr. Halvorsen. That is correct.

Chairman Chaffetz. Okay. Last question. Mr. Halvorsen, you have the freedom of retirement there running around the corner here. So given that, your years of service, your perspective, your expertise, summarize for us, what should the Congress understand? What are your greatest frustrations and concerns and your best suggestions that you can offer us?

Mr. Halvorsen. Well, first, I'll thank Congress. As you know, working through many of the members here, we did get the cyber excepted service law, which I do think was the first thing that we needed to get done to recruit and move past some of the things that were blocking our ability. I do think we are going to have to reevaluate the pay scale for cybersecurity personnel and some other key positions. We do rely on patriotism. We can recruit people a lot for that, but the pay disparities are getting out of hand. I mean, I will tell you, I have lost six or seven people this year, very good, basically, because they could not anymore turn down the offers. And I can't counsel them against that after a certain point.

Chairman Chaffetz. I'm totally convinced that you're right. And I hope that this Congress--I plan on helping to champion some legislation to give more realistic assessment to provide that flexibility, because I do think you're right.

Mr. Halvorsen.
And I think the other more most important thing that we do, and I have said this before, I will keep saying it, I do think the secret weapon of our country is, to keep our security, keep our edge in warfighting is better use of our industry and commercial mobility and agility. You have seen--we talk about this in DOD. We are embarking to bring as much commercial into these activities. We are doing it with this system as the build of the new. We need to continue that, and we need to continue that against--across the foreign government--I mean, across the Federal Government space. That also means we will have to work and raise the bar for industry on security. While I'll be the first to say that DOD included, we have to get better in our security practices. And I am heartened by what I see in my discussions with the commercial community. They are starting to take that to heed, and we are seeing a rise in their ability to protect data. We need to encourage that and open up our dialogue with the commercial sector on how best to do that and share more information.

Chairman Chaffetz. Thank you, again, Mr. Halvorsen. We thank you for your service, and we wish you nothing but the best of luck in whatever your future endeavors take you. And thank you again for your service. Let me recognize Mr. Cummings, and we'll close the meeting.

Mr. Cummings. Thank you. Thank you. I want to thank all of our witnesses for being here today. You certainly have been extremely helpful. And I want to--you know, I just hope that the--I want to express my appreciation to all the people that work with you, because I know that you all have teams of people who give their blood, their sweat, their tears, because they want America to remain the greatest country in the world. Mr. Halvorsen, again, I want to join in with the chairman and thank you for your service.
I have a brother who is a former Air Force officer, who is not a cyber expert, so he talks to me all the time about the demand for these folks who are good. I also have sat on the Naval Academy Board of Visitors for the last 12 years. And one thing that we've done in the Naval Academy it's now mandatory that every student have--I know you probably already know this--have extensive cyber lessons as part of our curriculum, and so we see the significance of it. I want to ask you this: One of the things that we wrestle with is Federal employees feel that they are under attack constantly. We've seen recently where all kinds of measures have been put forth that really make them feel pretty insecure. And I'm just wondering, how do you--I mean, first of all, talk about, briefly, the people that you've worked with and what they bring to the table. Because a lot of people, I think, get the impression sometimes that the people who work for the Federal Government are not giving a lot and not giving their best and not feeding their souls, as I often say. I just want--you know, you're on your way out. You've had an opportunity to work with a lot of people. And I'm sure one of the saddest parts is probably a bittersweet thing, you created a family. I always tell my children that whenever you get a job, you also create a family of people who are looking out for you and who care about you and who you--sometimes you're with more than you're with your own family. So could you just talk about some of the, just generally, the people that you've worked with, sir? Because I know that you could not have done what you've been able to accomplish without a support system. If you might, just very briefly.

Mr. Halvorsen. Well, you know, I will tell you, having both been in the military and in Federal service, highest respect for the Federal workforce. They do exceptional work. They put in a lot of hours. They do their best on everything they can do.
But I'm also going to comment, I see that also in the commercial workspace when I bring the people in. I do think this is a leadership issue. And if you make your--any of your employees, whether they're Federal, military, or commercial, feel a part of the team and you listen to that team, they will give you everything they've got to get--to get the work done. And that--I have 37 years, that's what I have seen in the Federal Government and in that workspace.

Mr. Cummings. And I think when you show people that you truly care about them--not just about them, but their families and their welfare--I tell the people that come to work with us on the OGR, if they are not better when they leave me, then I've failed. In other words, if they are--their skill level is not higher, if they're not more proficient, if they're not more effective and efficient, then I've done something wrong. Because I want to invest in them. Because I want to be a part of their destiny. I want to touch their futures. Even when I'm dancing with the angels, I want to know that they've gone on to do great things, because our Nation really needs the very, very best. And so I can tell you that working with the chairman, we saw that. We--in working with the--then I'll be finished. I give the chairman a lot of credit, because when we looked at the Secret Service, he and I made a concerted effort to say to the Secret Service we wanted the elite of the elite. We wanted the very, very best, and we wanted to create that culture. And I think we're moving toward this, Mr. Chairman. I don't know that we've gotten there yet, but we're trying to get there. But--and we've done that in a number of agencies in a bipartisan way. And, again, I just--you know, the only reason I raise the question, Mr. Halvorsen, is because I just want the public to be reminded that, you know, there's a vast array of Federal employees that keep our country the great country that it is.
And, again, I want to thank all of you and everybody who backs you all up for doing what you do. And, now, we still have a lot of work to do, as you've all made very, very clear, but I believe that, you know, we can--we can get it done. And thank you, Mr. Chairman.

Chairman Chaffetz. Thank you. And thank you all. And please let them know, the men and women who work within your departments and groups, how much we do appreciate it. It's a tough job, but it's a very important job, and we do appreciate it. Thank you. The committee stands adjourned.

[Whereupon, at 11:28 a.m., the committee was adjourned.]

APPENDIX

Material Submitted for the Hearing Record

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]