Hard hit during the painful economic transition, our kids could hardly get on a bus to take a field trip anywhere. One of the things we tried to do during that time, many of us in these areas, was to make sure that here is this fantastic wealth of knowledge and all of these things happening, whether the Library of Congress, the Smithsonian, et cetera, and how we can have resources for the teachers to make that part of the curriculum. Kids are so used now to accessing everything electronically. As you mentioned about 3D printers, they really are amazing, what they are doing in the schools. Could you talk a little about that, as part of the revitalizing education portion of your Strategic Plan, and how you can help with education throughout the entire country, really making sure that kids have access to all of these fantastic avenues of knowledge? Certainly. The Smithsonian at its core is an educational institution. We have these wonderful objects. We do tremendous research. But one of our main objectives is to get this information out as broadly and widely as possible. We've had a long tradition of education being an important aspect of what we do. As mentioned, for 30 years through the Smithsonian Science Education Center, we've been providing science curriculum free of charge throughout the country, tailored to local standards, for teachers, for students, for school districts. We feel it's important to try and help address issues of S.T.E.M. education and the like throughout the country. Where a couple of things come together are education and digitization. One of the buzz phrases we've developed at the Smithsonian is, if you can't come to the Smithsonian, we want to get the Smithsonian to you. One of the strategies to do that is through digitization.
All of these wonderful objects we have, we're trying to digitize all of them and make them available to people across the country, in fact across the world, for students K through 12, higher education, lifelong learners, to provide these objects so they can be studied and worked with in a classroom and not only in our spaces in Washington, D.C. We're working on 3D printing so that not only can you render 3D objects online but also transfer them to printers and have your students create their own models of the Wright Flyer or the Space Shuttle. We're, in fact, in the middle of digitizing the Space Shuttle at this current time. So all of these activities, and many, many more we're focused on, are again to try to play an important role in forwarding education across the country. Could you tell us a little bit, I guess the National Zoo is really your biggest visitors. You have more visitors there than any other, but museums, Air and Space, I believe, that has the most visitors. Air and Space and Natural History are neck and neck. Neck and neck. I understand that the outer envelope, if you will, of the Air and Space is in need of some serious structural repairs. Maybe you could tell us a bit how you're planning for that and what we need to be aware of here. Certainly. We have a long-term capital plan. 12 million square feet of space. Keeping those buildings vital and functional is an important priority for us. A renovation of the building systems of Air and Space had long been on our plan. We envisioned it being the next big priority following completion of the National Museum of African American History and Culture. As we began the process of assessing the work we need to do and doing our feasibility study, we unfortunately uncovered the fact that the outer envelope, the facade comprised of Tennessee pink marble, is actually thinner than it should have been. Unfortunately, after almost 40 years of wear and tear it's starting to crack and bow.
We've now had three independent assessments by experts and they have all concluded that that stone needs to come down and be replaced. It's just too thin to be repaired. So all of that stone will need to be replaced. That's in addition to other work we contemplated we would need to do anyway, upgrading air handling systems, completing repairs on the roof and the like. The building opened in July of 1976. It was built with the notion we would receive about 3 million visitors a year. We now receive about six or seven, so it's received a lot more wear and tear than was envisioned. Obviously our knowledge about what it takes to maintain precious and delicate objects like this has advanced as well. Unfortunately we're looking at a price tag of probably 500 million to fully renovate that building. We're currently in the process of design on it. We hope to begin construction on the renovation some time in 2017. Our plan is to try, during the course of that renovation, to keep portions of the building open to the public. Again, since it is one of the most heavily visited museums in the world and one of our most heavily visited, we don't want to take all of those objects offline if we can possibly avoid that. Wow, that is a huge price tag. It is. Okay. Appreciate that. The chair recognizes Mr. Vargas for questions. Thank you very much, Madam Chair. I can't help but get excited when you talked about your family's involvement with the Smithsonian. I'd be remiss not to say that in San Diego we have affiliated museums. We also have the San Diego Air and Aerospace Museum affiliated with the Smithsonian. It's the same thing there. You get a lot of the pilots who not only hang around but also teach the kids how to work on planes and how to repair them, create them, and it's really exciting. I've had a chance to go there a few times. They do a great deal. I would be remiss if I didn't thank the Smithsonian. I think there are four or five institutions in Balboa Park that are affiliated with the Smithsonian.
Talking about if citizens can't come to the Smithsonian, the Smithsonian will come to them. I know you've done that with affiliates and we appreciate it in San Diego and certainly throughout the country. I do want to ask a couple of questions. Does the Smithsonian have a position on the American Latino Museum? If Congress were to authorize it, could the Smithsonian absorb the work involved with the project? Should Congress authorize and approve funding for a Smithsonian American Latino Museum, we would be honored to add such a museum to our portfolio and we would do everything in our power to do an exceptional job in delivering the museum to the American people. Thank you. Second question. What effect has sequestration had on the Smithsonian's operations over the last few years, if any? The budgetary uncertainty around the federal budget has certainly forced us to do a lot of scenario planning and rethinking about priorities and potential programs. We were able to weather the sequestration that was implemented a couple of years ago because we had done a lot of preparation, but we knew if there were long-term and additional reductions made, we would have to fundamentally rethink some of the basic operating premises of the institution. As you might imagine, given some of the facilities challenges like the one just mentioned previously, we are obviously keenly aware of how important continued strong federal funding will be for us to not only deal with some of those more acute problems but allow us to continue to push forward in terms of digitization, care initiatives, expansion of education programs and the like. So at present we continue to develop a number of different strategies depending on the levels of funding. We've also spent quite a bit of time and effort to ensure that our ability to raise nonfederal funds, private funds through philanthropy, sponsored project support and other means, is as advanced and effective as possible. Thank you.
By the way, a little pet peeve of mine, sequestration. I wasn't here when they voted on it. It comes from the Latin term, to set aside. That's why you sequester a jury. It doesn't mean across-the-board cuts. A pet peeve of mine. I don't know why they use that term. Anyway, it's a term they chose. We're all very excited, all of us, about the opening of the African American museum next year. Are there any special events around it the public should be aware of? We're in the midst of planning for the grand opening of the museum next fall and so we're at the early stages. We intend to begin preliminary events leading up to that. The museum itself is not waiting for the building to be finished. We just opened a new exhibit in American History to begin showing some of the collection that's been amassed over the course of the last several years, called Through the African American Lens. I would encourage everyone who has an opportunity to go and see it. So in expectation of the museum opening, and not just generating excitement from the seemingly day-to-day changes that take place in construction, we're trying to do programming and the like to get people excited and ready. My time is up. Thank you, Madam Chair, appreciate it. Thank you. Mr. Harper from Mississippi. Thank you for your service. I have to say last night everyone got together for Congressional Night at the National Portrait Gallery, an incredible location, and very well done. Thanks to all involved in that. There's always a concern on the upkeep of buildings and making sure we don't defer maintenance. That happens sometimes because somebody is not there. I know we have a new museum that's been talked about that will open next year. A very exciting time. There are others being discussed. There's also a concern as we go forward and build new museums that we have the ability to maintain them and do the upkeep and maintenance. So this is going to be a major lift.
As far as families, the Air and Space Museum is one that everyone likes to go to. It's very special. The planes are there from my congressional district, from Meridian, Mississippi, the airplane called Ole Miss, in which they set the record for longest time in the air, 27 days, back in 1935. And their partner, mechanic, inventor friend invented the shutoff valve so you could safely transfer the fuel, which even today, with just some minor modifications, is still what's used. You have this single-engine plane they stayed in for 27 days with this catwalk built around it because they had to climb out and service the engine during flight. During construction we're confident that will be fully displayed. Anyway, that's another deal there. It's true. Every exhibit has a great story. And so we're very thankful for that and those opportunities there. How do you foresee going forward? I know that Chairman Miller discussed this. You're planning on keeping this open at least in part during those construction years. How many years will that Air and Space renovation take? We are still in the midst of detailed design and planning. Right now our best estimate is it will take about four and a half years of renovation time. We will try to do it in phases through the building. It's a little complicated because all of the building systems are integrated, but that's part of the challenge of what we're trying to study at this point. Again, it is very important to try as much as possible to keep portions of that building open so that our visitors can continue to benefit from the tremendous artifacts. Other buildings are aging as well and will have those needs as well. Is there a plan by which we'll make sure we don't wind up with a big hit, where maybe you see doing these along in stages so we don't wind up with 500 million one time or over a few years for a major renovation? Yes. There are a couple of examples where we have been doing that over the last several years.
At the Natural History Museum, everyone knows the dinosaur hall is currently closed. That's partially driven by the desire and need to renovate that portion of the building as well as do some needed maintenance on the artifacts. We've taken the same approach at American History. So back in 2008, we reopened the center core of the building, now the Star-Spangled Banner hall. We're working on the west side of the building and are very excited about reopening the first floor of that renovated space in July. We've taken the same approach at the National Zoo. So to the extent that in some of the larger, more complex buildings taking on the entire building would be astronomical in terms of cost, we've tried to parse them out. In some cases, like the Air and Space Museum, because of the way the building was built, it's not practical to close portions of it and work on it at various points in time. One of our biggest challenges is making sure that we continue to address the most pressing needs and try to use the combination of both maintenance as well as facilities capital funding to be as thoughtful as possible and keep our buildings open. My time is almost over. Let me ask you this. 138 million items, probably more, not everything we probably want to keep. I'm a bit of a pack rat. I don't want to throw anything away. When you're deciding on new items to go into the collection, if you could just quickly, is there a basic criteria you have, or how is that decided on? Certainly. We look at the importance of that object to the collection and the particular discipline that it supports. We ensure we can safely and effectively keep it. We make sure we have the expertise to study and tell its stories. Not everything makes the cut. Not everything makes the cut. Thank you very much. Yield back. Mr. Davis. Thank you, Chairman Miller. I wish you well on your next endeavor going to work for the Smithsonian, as you mentioned. Please, sir, check her references. Don't cut my mike. That's just Vargas.
First off I want to say thank you, Mr. Acting Secretary. My twin boys, who are 14, going into the ninth grade, were part of a large high school group out last week and enjoyed some of your facilities. Some of the feedback was that, obviously besides hanging out with me, going to the Smithsonian was actually one of their favorite activities. It's something we see many folks and families go through every day here. What you do on a regular basis, I think this committee, hopefully today you understand we truly appreciate what you do and what the many men and women who work at your facilities on a regular basis do to show what our nation is all about. Thank you for that. Education was a key point of your opening testimony. I noticed you mentioned some of the STEM programs that the Smithsonian works on with school districts throughout this nation, especially K through 12 education. Can you actually go into further what you do with the Smithsonian to ensure our students who may not be able to make it out here to Washington, D.C., or to other facilities in the nation, how do they have access to your facilities and how do your S.T.E.M. programs work, and also, how do teachers who may not be involved with them know how to contact you to get involved? We have tremendous educational resources at the Smithsonian. Some attach to the specific museums and research centers. Some are coordinated in more central ways. One of our big initiatives across the board and, of course, in education is to take what we have and get it to folks regardless of where they are geographically throughout the country. So the Smithsonian Science Education Center for 30 years has been putting together curriculum that is tied to state standards that teachers and school districts can implement and use to teach science to kids from K through 12. It's hands-on learning and it is supplemented by a number of lesson plans and activities that can be downloaded. All of that material is provided for free.
We have a large Smithsonian Traveling Exhibition Service which takes Smithsonian content throughout the country, and so at many museums large and small across the country you can benefit from the same kind of content that you see in Washington, D.C., at your local museum. More and more, we're trying to put a lot of our material online so that even if you are not using some of the more formal materials that we provide, a teacher can download information and can use a variety of support material that we provide to integrate into their classroom. So we view education as central to our mission and as a way of enlivening the objects, telling their stories and using them in a way to help inspire kids to learn. I appreciate what you do to make that happen. Again, for many students who don't get a chance to come out here and experience what we see and sometimes take for granted on a daily basis. What can we do as an institution to help encourage more activity and use of your programs? Well, I think you're doing it. The more that we can engage people in our facilities and in our programs, to understand the richness, the breadth and depth of what we do, I think together we can learn places where perhaps we aren't filling a gap, where we could fill a gap. We recognize that we can't do everything. But we believe that we can have a significant impact on improving the delivery of STEM education throughout the country, in telling history, in teaching history, particularly about the history of the American experience and the like. One last question. Do you have an idea, if you can give me an estimated percentage, of how many school districts you're putting your STEM education program into nationwide? I can give you specific numbers as part of the final testimony. I don't have those numbers offhand. That would be great. We make them available to anyone who wants them and we actively engage with folks across the country. Thank you very much for your time.
Madam Chairman, I'll yield back so our star pitcher from the congressional baseball game could have time to ask questions. Thank you very much, Mr. Walker, our star pitcher. Thank you, Mr. Chairman and Mr. Catcher. I'm fascinated by the Smithsonian over the years. Something that predates our Civil War by 15 years. I believe you've been there five years. Four years. Four years. One thing that you talked about, and something you brought up, the African American museum opening, and do we have the opening date? Fall of 2016. We don't have the opening date specified. And my question about that, exhibits and history there, will we remove those? I'm just thinking of George Washington Carver, as you were talking, and the different inventions and what an amazing man he was. Do we remove that from one Smithsonian or duplicate it? Can you talk about that process? Because I don't want one missing one or the other. If you only have time to go to one or the other, do you understand where I'm coming from? I do. Okay. We on a pretty frequent basis move collections around our various museums. So the American Art Museum actually tells the story of America through art as opposed to specific historic artifacts. And so we'll sometimes move paintings from there to the American History Museum. So there will be times when certain objects will move back and forth, depending on the nature of the exhibition that is on or the particular story that we're trying to tell. So things will move around on a routine basis. And I appreciate you answering. My concern is that we make sure that all students are getting a great history from some of the people of ethnic backgrounds that have impacted us and don't miss that, hitting one and not the other one. A lot of technology advances in the last few years. Can you discuss strategy as far as connecting the Smithsonian and continuing to make it attractive to the younger generation?
We see so many times in the corporate world, or my background is the ministry world, where we don't make the adaptations to connect with the next generation. Is there a marketing strategy? How do we move forward with that? It is a big thrust for us, ensuring that we have an institution that appeals to people who look like me and people a lot younger, like my son. One example of what we've been able to do is the recently renovated and reopened Cooper Hewitt museum in New York. We closed it and renovated it and reopened it in December to great fanfare by implementing technology into the visitor experience. And so there is a new object called the pen which you can get when you walk in the door, and as you go along through the various exhibits, you touch a particular part of the exhibit and it downloads that object into an account for you, which you can then, when you are finished, email to yourself and continue to curate your collection when you get home or learn more about it, because you only had a limited amount of time at the museum. We're looking at the African American History and Culture Museum as well to integrate tons and tons of interactive digital and video experiences into the more traditional experience of physical objects. We're taking that very, very seriously and looking to work on that. Do you find that a difficult balance? You don't want to dumb down some of the exhibits and the historical aspects of it, and that is part of the process as far as trying to find the right balance, is that a fair assessment? I think what we're looking for are opportunities to amplify the objects. One of the latest apps that we created in Natural History is called Skin and Bones. It is very cool. You take your phone and you look at a particular skeleton and on your phone that skeleton comes to life and you can see what that object. I understand that, but when is that going to be open again? 2019. 2019. Yes. So you can't open any part of it without all of it opening? No.
All of the renovation is pretty extensive, what we need to do to what is fairly a large piece of the building. And the exhibits themselves, the skeletons and the like, are undergoing a fairly sensitive restoration as well. That is pretty painstaking work. So what we're trying to do, again through technology and other means, is to try to satisfy that dinosaur itch that a lot of people have. Because that is one of the most popular exhibitions that we have. Yeah, it really is. Just one last question, and we'll conclude the hearing here, but we've had an opportunity to talk a little about the possibility, I suppose you're going through the process right now of looking at the possibility of doing something over in London. Perhaps you could tell us a little bit about that so we have it on the record that you are looking into the process. I know your regents have talked about it a bit, and whether or not you think that is something that is a good idea, is it appropriate. I mean, you have deferred maintenance on some other facilities, and should we be doing that, and what is the reason for it, et cetera? Certainly. As you might imagine, we are presented with lots and lots of opportunities on a regular basis to do interesting things. This opportunity in London was presented to us by the Mayor of London about a year or so ago. His vision in the redevelopment of the facility that housed the 2012 summer games included the creation of a cultural and educational quarter that would be populated with a number of cultural and educational institutions, and his desire was to have the Smithsonian be part of that. It is an interesting idea. It certainly is interesting to think about doing something in the land of Smithson. And early on, we considered it and went back to them with a certain set of criteria. First, we would need a significant amount of support in order to do this.
Secondly, we would not ask Congress for any additional funding to support this, so it would have to be something supported by private funding. And we would have to be sure that it fit within the mission of the Smithsonian. I think we were able to satisfy ourselves on the mission-centricity of it. We're a very global entity already. A lot of that international work is focused on scientific research. This would be the first opportunity for the Smithsonian to be able to tell the story of America abroad. So it has a tremendous amount of appeal in that way. We indicated that we would need to have space provided to us. We could not raise funding for that, and the mayor and his team have identified a significant amount of private support that would enable that to happen. And the final piece of the assessment that we're in the midst of right now is really looking at the financial model that we would need to implement and whether it would be able to sustain us for a long period of time. So we're still in the investigative phase. We're excited about the prospect and haven't made a final decision, and as you might imagine we've been in close contact with Dr. Skorton to make sure his input is in the final process and he feels comfortable with the progress and the decisions we're making along the way. Thank you very much for that. And we want to be kept in the information loop as that process goes forward, but I think that is a very interesting idea. Without objection, I would say that all members will have five days to submit to the chair additional written questions for the witness, which we will forward and ask the witness to respond to as promptly as they can so the answers might be made part of the record. And we appreciate your attendance here today and your continuing service at the Smithsonian, and we want to thank, as Mr. Davis said, all of the employees of the Smithsonian, some of whom are here today.
You have a tremendous group of dedicated and committed individuals that really make it all happen there, and so we appreciate their service as well. Without objection, the hearing is adjourned. Tonight on American History TV prime time, the Declaration of Independence and the National Archives' work to preserve the original document. Participants include the Archivist of the U.S., historians, the editor of the Thomas Jefferson Papers and a collector and broker of rare documents, tonight at 8:00 p.m. Eastern here on C-SPAN3. Prime time tonight on C-SPAN, conversations with the tech industry's leading executives and regulators from this year's TechCrunch conference in New York City. You'll hear FCC Chair Tom Wheeler on the public response during the net neutrality rulemaking. One little surprising thing during the net neutrality saga was the massive outpouring of public comment, and I'm curious, up front, were you surprised at the amount of comments that came in, and how early were you shocked by that? What was the early point that you thought this was bigger than most policies at the FCC? There was a day early on when we had 100,000, 150,000 comments being filed and you go, whoa. But that is why this debate, that is why this decision was so damn important. Because what those 4 million people who were filing with us, and not all of them were pro, but it was mostly pro, it was about three quarters pro, but that still means there were a million people who didn't like it, which is a nontrivial amount. But the point of the matter is that this proved the power of an open internet to free expression. And it just happened that the issue being decided and the ability to communicate using that technology happened to coincide. You can watch Chairman Wheeler's full remarks tonight at 8:00 Eastern as C-SPAN brings you conversations from this year's TechCrunch conference in New York City. The event provides an insider view of business deals and trends shaping the internet.
The C-SPAN Cities Tour is partnering with our cable affiliates as we travel across the United States. Join us this weekend as we learn about the literary life of Omaha, Nebraska. Omaha had a reputation in the African American community, in Omaha and the United States, as a city where when you came in, if you were black, you needed to keep your head down and needed to be aware that you weren't going to be served in restaurants and weren't going to be able to stay in hotels. And the DePorres Club, they used the term social justice because the term civil rights wasn't part of the lexicon, and the idea of civil rights was so far removed from the idea of the greater community of Omaha or the United States that they were kind of operating in a vacuum. I like to say they were operating without a net. There were not the support groups, there were not the prior experiences of other groups to challenge racial discrimination and segregation. We look back to the Union Pacific and how the construction of Union Station helped Omaha's economy. Union Pacific is the premier railroad company of America. It was founded in 1862 with the Pacific Railway Act signed into law by Abraham Lincoln, and combined several railway companies to make Union Pacific, and they were charged with building the transcontinental railroad that would connect the East and the West Coast. So they started here and moved west, and Central Pacific started on the West Coast and moved east, and they met up in Utah. And that is really what propels us even farther. We become that point of moving west, the gateway, one of the gateways to the west. See the programs from Omaha on Saturday on C-SPAN2's Book TV and on Sunday afternoon at 2:00 on C-SPAN3. A look now at the response to recent data breaches in the Office of Personnel Management. Director Katherine Archuleta responds to questions by a Senate Appropriations subcommittee.
This is the hearing where she told Congress she doesn't believe anyone at her agency is personally responsible for the cyber attacks. Other witnesses testifying include Assistant Inspector General Michael Esser and former Homeland Security Chief Information Officer Richard Spires. This is about an hour and 45 minutes. Good morning, everybody. Good morning, Richard. The hearing will come to order. The massive breaches of OPM have been shocking, but they should not be surprising. The incident follows several across government and shows the federal government's inability to protect itself from cybersecurity threats. Today's subcommittee hearing is intended to elicit further information about the recent OPM data breaches and is a time to discuss the enormous challenges facing the federal government as it attempts to ensure this doesn't happen again. The government spends 82 billion a year on information technology. Given the cost of the projects and the impact on our economy and national security, members of the subcommittee have an ongoing commitment to conduct oversight. We must ensure that the hard-earned tax dollars of millions of Americans are being spent wisely and effectively. Just last year the subcommittee held a hearing with Director Archuleta, former CIO Steve VanRoekel, former administrator Dan Tangherlini and David Powner. Given the enormous resources and important security issues at stake, the subcommittee considers it imperative that OMB and federal agencies appropriately manage these projects. We're all well aware of the examples of projects that ended in spectacular failure, including the rollout of healthcare.gov. While that kind of crisis makes news, we should be troubled by the accounts that don't grab headlines, including initiatives with ongoing costs that grow year after year without demonstrating effective results or sufficient security.
We must have safeguards in place to ensure that over site of these projects is consistent, that problems are anticipated before they occur and most importantly that someone is accountable and responsible. All too often large complex i. T. Projects drag on for years out lasting the administration that initiated them and the employees responsible for managing them. Billions have been spent on tax modernization the the irs. Work that has continued for decades and still incomplete. Even for projects now on track, past problems generated millions in additional cost and years of delay. And as we have seen recently in the irs and once again with the opm breach both of which have compromised the Personnel Data of millions of americans, billions of federal dollars are spent and no degree of security. Across the government, i. T. Projects too frequently go over budget, fall behind schedule and do not deliver value to taxpayers. Responsibility for over site is often fragmented throughout the agency owning the project and omb does not conduct appropriate review and management. Whether issues related to programs requirements performance, spending or security, lots of people are involved. But often no clear lines of accountability are drawn. What has happened at opm is devastating, millions of americans of families and friends have been effected, giving those impacted free credit monitoring and it will not be enough to address the longterm consequences that we may see for years to come. But also troubling is the knowledge that opm is just the most recent example of the government systemic failure to protect itself. According to gao, we should have serious concerns for the future. The number of Information Security incidents reported by federal agencies has exposed in years. Ga has found that Government Systems may not be prepared for the job. 19 of 24 major federal agencies have reported deficiencies in Information Security controls. The. G. 
at 23 of the agencies cited information security as a major management challenge. How many headlines about serious data breaches will it take to implement the measures necessary to protect ourselves, and at what point do some in Washington recognize that growing government without governing is a recipe for this disaster? The Obama administration viewed the federal government as capable of tackling every problem the nation faces, but while attempting to grow the size and scope of the government at every turn, the administration failed to follow through on the tasks it is already responsible for. If you bounce from one bigger-government solution to another without carrying out your basic responsibilities, this is what happens. It is easy to suggest more money is the solution. That seems to be the response the administration leans on every time there is a problem. But it is often the wrong choice, especially in situations like this where it appears that the problem is something much greater than a lack of resources. The American people have lost faith in their institutions. The last thing they will do is trust Washington to solve a problem when it can't even protect the personal information of those it employs. There needs to be a dramatic change in the status quo. What I hope to hear from our witnesses today is not the same stale line that more money is needed, but an explanation as to why the federal government failed to do the basic job of protecting the personal data of millions of employees with the vast resources it already has in hand, what it is doing right now to resolve this problem, and what is being done to ensure that we are prepared for the next attack. I hope with your help we can learn from this incident and identify ways to improve and protect our security. I appreciate the interest of all of my colleagues and our shared commitment to doing what we can to work together to address this important issue; we cannot afford not to. Senator Coons.
Thank you, Chairman Boozman. I would like to thank Director Archuleta, Michael Esser and Chief Information Officer Richard Spires. We are here today, as the chairman laid out, to review information technology spending at the Office of Personnel Management. As part of that review we need to discuss the recent security attacks that have put employment information and national security at real risk, and discuss the late-breaking audit that expresses concerns about OPM. But while we conduct oversight of the audit, I urge us to put this in the context of the larger security challenges that face government and society as a whole, and Congress's lack of progress in strengthening cyber defenses and providing needed funding for federal IT initiatives. Regarding OPM, one breach involved personnel data of 4 million employees. During the breach investigation, investigators found another intrusion where background information was stolen. I understand that OPM was only recently made aware of this information and an investigation is under way. I hope we can have an ongoing conversation. This is terrible. These breaches force us to grapple with the reality that we are more vulnerable than ever, and we need to do more to protect our employees' vital information from foreign attackers. After we've investigated why the cyber attacks were able to break through, we need to do what is necessary to make sure they don't happen again. These breaches don't just compromise millions of federal employees but our nation's security as well. It is troubling that the IG found that OPM has not complied with the act that mandates requirements for all federal agencies. While OPM has acknowledged these findings, we need to remain vigilant, and they need to clearly understand that the job is not done. OPM has indicated to the subcommittee that most of its IT security systems are aged and at the end of their useful life.
For some, security patches are no longer provided by the vendor. OPM began a modernization and is seeking a third installment of $21 million to complete it; without that funding the investment of the two previous years can't be meaningfully completed. I was alarmed by the IG's allegations of mismanagement of the project to date and hope that the representatives will speak to those assertions here today. And last, I think we need to prevent another round of sequestration. The budget request includes a $32 million increase over last year, virtually all of which would address IT infrastructure. Sequestration could threaten these investments and the livelihoods of our employees. While some of the cuts might be weathered in the short term, they can have serious long-term impact, and we need to work together to ensure that federal agencies are prepared to protect against cyber threats. The federal government is under constant threat of cyber attacks and wards off millions of attacks a year, and we need to work together to protect the nation's economic and national security interests by coming together to deal with these vital cyber security issues. Chairman Boozman, thank you for holding this hearing, and I look forward to continuing to work together in combating cyber threats.

Mr. Chairman, may I have a few comments?

You can comment all you like.

Mr. Chairman, thank you for your leadership in convening this hearing. I think America wants to know, and certainly our federal employees want to know, what happened, what is the impact on them and what is the impact on the nation.
I would strongly recommend to the chair that after this hearing, and also the briefing we'll receive this afternoon, the chair and the ranking member consider having a classified briefing, because as a member of both the Intelligence Committee and this committee, there are things best discussed in such a setting that you need to know for your responsibilities, and Senator Cochran and I would be happy to cooperate with you in establishing that, because you'll know more this afternoon. The second point is, what has happened at OPM and what happened with the breaches at the Army shows that this is a serious national issue. It affects not only OPM but every agency, and it also shows that national security and its impact is not limited to DOD. Mr. Chairman, I want to remind the committee, or bring to their attention, that we tried to deal with this in 2012. Under the leadership of Senators Lieberman and Collins there was a bipartisan effort to have a cyber security bill that dealt with new authorities for key agencies to establish standards for critical infrastructure, create an information-sharing regime to protect .gov and .com, and unite resources across government so they have both the authorities and the resources to do the right job. Exactly what you are saying, sir: let's not just throw money at it, let's get value and security for the dollar. That was stopped because the Chamber of Commerce established a massive lobbying campaign because they were worried we would overregulate. Well, we are where we are. We need to do a lot of work. We had a bipartisan study group with people like Blunt, Coats, Collins and those of us on Intel, and maybe we need to resurrect that, because it is OPM today and another agency tomorrow, and we have to make sure our cyber shields are up, that we're fit for duty and fit to protect our people.
So I just wanted to refresh everybody on that, and of course my federal employees need to know what happened and how they protect themselves now, and we need to know how to protect America. So thank you, Mr. Chair.

Thank you, Senator. I think the suggestion of the classified briefing is an excellent one. And also, this is certainly not a partisan issue. This is something that has been going on for a long, long time through successive administrations. We have three witnesses before us today: Katherine Archuleta, Director of the Office of Personnel Management; Michael Esser; and Richard Spires, former Chief Information Officer at DHS and the IRS. Director Archuleta, I invite you to present your testimony.

Chairman Boozman, Ranking Member Coons and members of the subcommittee, government and non-government entities are under constant attack by evolving and advanced persistent threats and criminal actors. These adversaries are sophisticated, well-funded and focused. Unfortunately, these attacks will not stop. If anything, they will increase. Although OPM has taken significant steps to meet our responsibility to secure personnel data, it is clear that OPM needs to accelerate these efforts, not only for those individuals personally but also as a matter of national security. My goal as director is to leverage cyber security best practices and protect the sensitive information entrusted to the agency by modernizing our IT infrastructure, to better confront emerging threats and to meet our mission and customer service expectations. OPM has undertaken an aggressive effort to update its cyber security. For fiscal years 14 and 15 we committed nearly $67 million toward shoring up our IT infrastructure. In June of 2014 we began to completely redesign our current network, while also protecting our legacy network. These projects are ongoing, on schedule and on budget.
We implemented state-of-the-art practices such as additional firewalls, two-factor authentication for remote access and limited privileged access rights. We are also increasing the types of methods utilized to encrypt our data. As a result of these efforts, in April of 2015 an intrusion that predated the adoption of these security controls, affecting OPM's IT systems and data, was detected by our new cyber security tools. OPM immediately contacted DHS and the FBI, and together we initiated an investigation to determine the scope and the impact of the intrusion. In early May, the interagency incident response team shared with relevant agencies that the exposure of personnel records had occurred. In early June OPM informed Congress and the public that notifications would be sent to affected individuals beginning on June 8th through June 19th. We are continuing to learn more about the systems that contributed to individuals' data potentially being compromised. For example, we have now confirmed that any federal employee from across all branches of government whose organization submitted service history records to OPM may have been compromised, even if their full personnel file is not stored in OPM's system. These individuals were included in the previously identified population of 4 million employees and included in the notification. The interagency response team concluded that additional systems were likely compromised. This separate incident, which also predated the deployment of the new security tools and capabilities, continues to be investigated by OPM's partners. The interagency response team shared with other agencies that there was a high degree of confidence that OPM background investigation data of current, former and prospective government employees, and of those for whom a federal background investigation was conducted, may have been compromised.
While we have not yet determined its scope and impact, we are committed to notifying those individuals whose information may have been compromised as soon as practicable. But for the fact that OPM implemented new, more stringent security tools in its environment, we would never have known that malicious activity had previously existed in the network. In response to these incidents OPM, working with our partners at DHS, has immediately implemented additional security measures to protect the sensitive information we manage. We continue to execute our aggressive plan to modernize OPM's platform and bolster security tools. We are on target to finish a completely new, modern and secure data center environment by the end of fiscal year 2015, which will eventually replace our legacy network. OPM's 2016 budget request included $21 million above 2015 funding levels to further support the modernization of the IT infrastructure, which is critical to protecting data from the persistent adversaries we face. This funding will help sustain the network security upgrades and maintenance initiated in fiscal years 14 and 15 to improve OPM's cyber posture, including database encryption and stronger firewalls and storage devices. We discovered these intrusions because of our increased efforts in the last 18 months to improve cyber security at OPM, not despite them. I'm dedicated to ensuring that OPM does everything in its power to protect the federal workforce and to ensure that our systems will have the best security posture the government can provide. Thank you, and I appreciate the opportunity to testify today. I am happy to address any questions you may have.

Mr. Esser.

Chairman Boozman, Ranking Member Coons and members of the committee, good morning. My name is Michael Esser and I'm the Assistant Inspector General for Audits at the U.S. Office of Personnel Management. Thank you for inviting me to testify at today's hearing about the IT audit work performed by the Inspector General.
Can you put your mic on? Is it on? Just pull it closer.

Today I will be discussing OPM's long history of systemic failures to properly manage its IT infrastructure, which we believe may have led to the breaches we are discussing today, as well as issues related to OPM's IT modernization project. There are three primary areas of concern we have identified through our audits over the past several years: information security governance, security assessment and authorization, and technical security controls. Information security governance is the management structure and processes that form the foundation of a successful security program. For many years, OPM operated in a decentralized manner, with the agency's program offices managing the IT systems. This decentralized structure had a negative impact on the IT security posture, and all of the FISMA audits between 2007 and 2013 identified this as a serious concern. By 2014, steps taken by OPM to centralize security responsibility with the CIO had resulted in many improvements. However, it is apparent that the OCIO is still negatively impacted by the many years of decentralization. The second concern is security assessment and authorization. This process includes a comprehensive assessment of each IT system to ensure that it meets the applicable security standards before allowing the system to operate. We identified problems related to system authorizations in 2010 and 2011, but removed it as an audit concern in 2012. However, problems with OPM's system authorizations have reappeared. In 2014, 21 OPM systems were due to receive an authorization and 11 were not authorized. In addition, OPM has put authorization efforts on hold until it completes the current modernization project. This decision to extend authorizations is contrary to OMB guidance, which states that an extended or interim authorization is not valid. It is also worth noting that OMB no longer requires systems to be authorized every three years.
But that is assuming that agencies have implemented a mature continuous monitoring program. Our FISMA audit determined that OPM does not have a mature program, and therefore we still expect OPM systems to have current authorizations. The third concern relates to OPM's use of technical security controls. They have implemented a variety of controls and tools to make the IT systems more secure. While this is a positive step, we are concerned that the tools are not being implemented properly and do not cover the entire technical infrastructure, as we found that OPM does not have an accurate, centralized inventory of all servers and databases. Even if all of the security tools were being used properly, OPM cannot fully defend the network without a comprehensive list of assets. Also, there has been much discussion of the difficulty in securing OPM systems because they are old legacy systems. While this is true in many cases, and many of OPM's systems are mainframe-based, it is our understanding that some of the systems impacted by the breaches are in fact modern systems for which most of the technical improvements necessary to secure them could be accomplished. In addition to the issues identified in the FISMA audits, I would like to address the IT modernization project, which would overhaul the entire infrastructure and migrate all systems to a new data center environment. We recently issued a flash audit alert discussing this project and our concerns related to project management and the use of a sole-source contract for the duration of the effort. One area of significant concern that we identified is that OPM does not have a dedicated funding source for the entire project. The $93 million estimate included only the initial phases of the project, which covered tightening up the security controls and building a new shell environment. The $93 million estimate does not include the cost of migrating approximately 50 major IT systems to the new shell environment.
The cost of this work is likely to be substantial, and the lack of a dedicated funding source increases the risk that the project will fail to meet its objectives. In closing, it is clear that OPM has a great deal of work to do to strengthen its IT security posture. We fully support the concept of the modernization project; however, especially for a task of this magnitude, it is imperative that OPM follow solid IT best practices to give the project the best chance for success. Thank you for your time, and I'm happy to answer any questions you may have.

Thank you, Mr. Esser. Mr. Spires.

Good morning, Chairman, Ranking Member and members of the subcommittee. I'm honored to testify today, and since I served as the CIO of the IRS and of DHS, I hope my work in the trenches will add value to the suggestions I make on how the federal government can safeguard data and improve its cyber security posture. Most federal agencies find themselves susceptible to data compromises because of three primary root causes. First, a lack of IT management best practices. The very best cyber security defense is the result of managing the IT infrastructure and software applications well. But beginning in the 1990s and up to the present, the federal government has not properly managed IT, having failed to effectively adapt to the changes in IT technology and the evolving cyber security threat. As examples of these failures, when I served in government we would all too routinely discover IT systems outside of the IT organization's purview that were deployed without the prior IT security testing and accreditation. The highly distributed approach to IT management across government, and I would point out that Mr. Esser in his testimony referred to decentralization in the OPM environment itself, has led to the deployment of thousands of federal data centers, with agencies struggling to maintain the infrastructure and systems.
The resulting complexity of the vastly different systems and underlying IT structures makes it virtually impossible to properly secure such an environment. Second, a lack of IT security best practices. While well-intentioned and appropriate for the time, the 2002 FISMA act skewed government IT security toward looking at the controls for individual systems, when in reality viewing systems in isolation hid the impact on the larger enterprise security posture. Further, until recently systems would be certified and accredited on a three-year cycle, which is a significant issue when looking at the rapid evolution of technology and the cyber threat environment. Third, a slow and cumbersome acquisition process. When I was at DHS, I was a proponent of the CDM program, but it is dismaying to see how long it took, two-plus years, to just implement phase one, and that doesn't include the additional competitive process for an agency to obtain capabilities. Sophisticated adversaries will exploit any and all vulnerabilities, and the government is vulnerable when it takes months, not years, to deploy new security IT capabilities. My recommendations to address these root causes: first, effectively implement the Federal IT Acquisition Reform Act, or FITARA. This law is meant to address the systemic problems in managing IT effectively, and its main intent is to empower the agency CIO to address the issues. So far I'm pleased with Tony Scott's support for the FITARA rollout. It can be advanced agency by agency, with the development of measures for assessing FITARA's impact and transparency in reporting ongoing progress. Implementation of FITARA is the best hope to address decades of IT mismanagement. Second, drive adoption of IT security best practices. There has been positive movement with the updated FISMA law and the move to continuous monitoring. Yet I recommend that the government rethink how it is measuring success, with focus along three lines.
There is a continuing need to pursue security tools to prevent intrusions, but more importantly to detect them quickly when intrusions do occur. Yet the government needs to assume that sophisticated adversaries will still gain access. The root of all trust is verified identity, and the government needs to step back and rethink how it is rapidly implementing ubiquitous use of identification and behavioral detection systems to identify insider threats or compromised credentials. Finally, the government needs to target additional protection of an agency's most sensitive information. Through focused effort and the use of available data protection technology, the government can obtain high assurance that only trusted parties have access to the agency's sensitive information. This would go a long way toward thwarting damaging data breaches. Certainly the data breaches at OPM are damaging for those of us negatively impacted; in the future, however, this episode and the need to implement FITARA and the updated laws are the impetus for much-needed change. It is critical to make progress during the next 18 months to ensure that leadership commitments to needed changes in IT management and security are sustained into the next Congress and administration. Thank you for the opportunity to testify today.

Thank you, Mr. Spires, for your testimony. At this time we're going to proceed to our questioning. In fact, we had planned on proceeding to our questioning, where each senator will have seven minutes, and I hope we have time to accommodate two rounds of questioning. We have a vote that has been called right now. It is only one vote. So we would like to go ahead and suspend, run and vote, and come back and start immediately with the questioning period. So with that, we'll do that.
The committee will come to order. Again, I apologize for the delay. The only thing we have to do around here is vote, and so there is just no way of knowing; you schedule these things and certainly that trumps everything, which it should. So, Director Archuleta, according to news reports, in the second OPM breach, pertaining to the security clearance systems, hackers had access to sensitive data for a year. These systems contain extensive personal and family information for current and prospective employees and other individuals. Will information be provided to those in the latest breach?

Yes, sir. We are working on determining the scope of the breach even as we speak, and at the same time we are developing a notification process to reach those individuals. We're taking into account what we've learned from the first notification and looking at the wide range of options we would have in that notification process.

Will notifications be provided to family members and other individuals whose information was contained in the security clearance system solely due to their relationship to the applicant?

I can say we're taking into consideration all of the individuals that were affected by this breach, and as that notification plan is developed I would welcome the opportunity to come up and detail it for you.

How did you decide that 18 months of credit monitoring and identity theft insurance is sufficient protection for affected federal employees?

This is an industry best practice. We are, again, in the second notification, really examining that to see what the range of options may be.
Will OPM offer the same protection to individuals whose information was stored in security clearance databases, or does this heightened level of compromised information warrant additional protections?

Again, sir, this is what we're looking at with our partners across government to make sure we examine the wide range of options we need to consider.

What additional steps do you plan to take to protect the victims, given the long-term effects these breaches pose?

We're looking at not only the notification but also at the steps that we can take to protect the data. I'm as upset as they are about what has happened and what the perpetrators have done with our data, and so we are examining not only the notifications that we must do but also what protections and remedies we must put in place.

Those are important questions. Those are the kinds of things that we're getting from our federal workers, and I know you'll have other questions related to that. So it is so important that we try and get information out to those that have been affected.

I understand.

Mr. Spires, the administration has ordered a 30-day sprint to perform vulnerability testing and to patch security holes. Is 30 days sufficient time to correct more than a decade of neglected systems and failed attempts at modernization?

I'm sure you won't be surprised for me to say no, it is not sufficient time to fix the situation. But in the situation we find ourselves in, I think it is a good thing to put in place a process by which planning should take place, so that we can start to get our arms around what should be done, agency by agency, to put us in a much better posture.

As we get into these things, Mr. Spires and Mr. Esser, do you expect us to find significant problems as far as breaches with the other agencies?

Well, first I should say, you will find significant problems with them not following IT
security best practices, including FISMA, and not that that alone would necessarily indicate breaches, but given the situation we find ourselves in across most federal agencies, I would expect you to find significant breaches, yes.

Mr. Esser?

I would concur with Mr. Spires. We've been seeing breach after breach this year: health insurance companies, background investigation contractors and government entities. So it would not surprise me to see more.

Okay. Mr. Spires, again looking at the scope of the problem, how long do you feel it will take the government to actually do the things that we need to protect ourselves from these outside threats?

Well, let me say, I think we should take an ordered approach to this problem. So in my mind, what agencies should first be doing is identifying the sensitive data sets that they have, putting those in some type of bucketed priority order, and then coming up with plans to protect those sensitive data sets. And the reason I say it that way is that to think we can go into these large agencies that have, as I said, decades of mismanagement and essentially decentralized IT, and fix that quickly, I think, is naive. So this notion of doing it by protecting the sensitive data sets: there are encryption technologies that do that at the data set and the document level. And then you have to worry, because it has done you no good if you've encrypted the data and the wrong people can still get to the data sets, so then you need to work on access, which is where multifactor identification models come in, and there are many new technologies that make this faster and easier to roll out than it was four or five years ago. And also the notion that says even if someone has been authenticated and authorized, that doesn't necessarily mean their behavior isn't a threat: the insider threat problem. We have to watch that.
So this notion of bringing in behavioral detection systems, or ways in which we can monitor the behavior of privileged users and those with access to the data, those are the ones that we frankly need to monitor.

Very good. Director Archuleta, we have heard numerous accounts of frustrations with CSID, with long wait times, repeated website crashes and inaccurate information reported to victims. What steps are you taking to oversee the services provided by the contractor?

CSID has experience in these types of notifications. They served Sony, as you know, with their large breach, and we believe they have the capability and the capacity to handle this.

When you call in now the wait times are very, very long.

Yes, sir.

And they might have great experience, but I don't know that they've experienced anything of this magnitude.

Thank you, sir. I'm as angry as you are about that, and I want to make sure they are doing everything they can to reduce those wait times, and that's why I instructed my CIO and her team to work with my contractor. Employees should not have to experience that, and that is why we are demanding from our contractor that they improve their services. I do believe, sir, that because of the two incidents combined we have had an unusually high number of phone calls, and that's not an excuse; our contractor should be able to perform to that number and we are demanding it do so.

Thank you.

Thank you, Chairman. If I might, if OPM had completed the IT upgrades, would the breach have been prevented? Would the consequences have been prevented? If OPM was protected, would any of the breaches of 2013 and 2015 have occurred?

My CIO advised me that even if there had been 100% FISMA compliance, there is no guarantee, there is no guarantee that systems won't get breached. And that's why the implementation of an IT plan is so important.
Risk mitigation is what we need to do, detect and mitigate, and that's what our plan is designed to do as we move from the legacy system to the new shell system. Yes, I believe we need to act very rapidly to move from the decades-old system to a new system. We need to make sure that we are tracking, that we are documenting and justifying all that we do, and we also need to be sure that we are acting as quickly as we can to protect the records that have been entrusted to us.

Ms. Archuleta, of all the folks, the federal employees, that have been affected, as the co-chair of the Senate Law Enforcement Caucus I'm particularly concerned about federal law enforcement officers and their families, because they have credible reasons to be concerned that the criminals they previously apprehended or investigated might have motivation to seek out their homes or families. What are you doing specifically to promptly respond to their concerns or inquiries, not to suggest that they are the only ones with concerns or inquiries, but I think they have legitimate, pressing concerns?

What I can assure you, Senator, is that we are working with agencies across the government to analyze the scope of this breach. We will be able to discuss more with you in the classified session, but I can tell you that we are working very closely with our law enforcement partners.

I am eager to follow up with you on that and to get reassurance about the swiftness with which gravely concerned federal employees of all backgrounds are able to get updates and more information about their path forward. Your FY16 budget request was submitted before the discovery of the most recent incidents and before we had information about their scope. Is there anything you need to deal with the critical issues that are now widely known, and how might you seek an amendment to the budget request?

Thank you for that question.
We are analyzing with OMB and my CFO to determine what the requests might look like, and I hope to be able to get back to you by the end of the week.

Thank you. Last question for you, if I might. If you had actually encrypted federal employee Social Security numbers or the personal identifying information, would that have prevented the disclosure of the personally identifying information to hackers once they compromised your system?

This is a question that has been asked of my colleagues who are experts in cyber security, and they have informed me that indeed in this particular case the encryption would not have prevented this breach. Encryption is an important tool, and that's why we continue to build the encryption methods within our systems, but in this particular case it would not have prevented it.

My question is not whether it would have prevented the breach; it was whether it would have prevented the accessibility and use of personal identifying information once the system was breached.

No, not in this case.

In response to the questions about FISMA compliance and if I.T. upgrades were completed, Mr. Spires, any difference of opinion or any insight you can offer on whether that would have produced a different outcome here?

As I stated in my verbal testimony, sir, the issue with FISMA, the old FISMA, the 2002 law, was it was around technical controls that would have been checked every three years, and given the environment we live in that is not close to appropriate. And we're moving to a continuous diagnostics model where you are monitoring all your systems and your complete environment looking for intrusions and improper behaviors, but I would even echo the point that even that is not enough in today's environment. You need to bring in the data protection like the encryption capabilities, and you need to upgrade the capabilities to better understand who is actually accessing your system. Those are all critical necessities in order to protect data today.
Would it be reasonable for us to have expected OPM could have achieved data security given the resources they currently have available to them?

I am not sure I am in a good position to answer that question. I will go back to my point. A focused effort on protecting the sensitive data with the right encryption and the right access control capabilities; if you put the focus there, I think most federal agencies would have the funds, have the resources, to be able to accomplish that.

We have seen significant data breaches for Home Depot, JPMorgan and Target and Sony and Neiman Marcus, just to name a few, and many of them invested in cutting-edge cyber security systems. Is the private sector having any more success in mitigating cyber breaches in the other sectors?

I think it depends a lot on the actual company, and it varies greatly. I would say, to make another point, I think one of the big differences between the government and the private sector is the private sector has the ability to acquire the newest capabilities being offered by the cyber security, if you will, product companies or industry. One of the things that I would like to see is the government agencies be able to bring in, be able to pilot, new capabilities as they come to market. That would really help government agencies to adopt the newest capabilities.

You referenced in the previous testimony slow and cumbersome procurement, and I look forward to discussing that with you in the next round of questions. Thanks, Mr. Chair.

Senator Lankford.

Thank you. We have a lot to be able to cover for this, to be able to not only resolve things in the future but impact what has happened in the past. There are several comments you made, and what is the most pressing issue that you have discovered in the flash report that you have done, based on the vulnerabilities that still exist and need to be finished?
And I am not asking you to expose public vulnerabilities that still exist, but how many things on the list still need to be addressed, and need to be addressed immediately?

I think one of the most important things that needs to be addressed is the two-factor authentication to access systems. This has been a longstanding problem at OPM. They have made improvements and implemented this to affect workstation access, but the actual systems that are being used by employees need to also implement and require two-factor authentication.

I saw that from your report. Quite frankly, the chief officer also listed the same thing in 2012. Let me read this quickly. The initiative to require personal identity verification credential authentication to access the agency's network: as of the end of 2014, 95 percent of OPM workstations required personal identity verification access for the network. However, none of the agency's 47 major applications require personal identity verification authentication. Is that still correct?

To the best of our knowledge, it still is.

Ms. Archuleta, tell us about that and the process of transition.

Two things. For the multifactor authentication for remote users, we are at 100 percent at that point now. As for all other users, we are working rapidly to increase that. I've asked my CIO to increase that effort. I'm sorry, I don't have the percentages in my mind right now; I'd be glad to get back to you on where we stand as of this date. But I do know we are working rapidly to do that.

So a 95 percent figure you think is close for the workstations, 100 percent for those working remote?

95 percent at the workstations.

But still 47 applications are still exposed.

I would like to get back to you on that to give you the full details.

Then the question on the security assessment and authorization. Obviously that is a requirement from OMB. This ongoing issue of these 47 different groups here. It says on this 11 of them were not completed in time or are operating without a valid authorization.
What can you tell me about that?

I can tell you that all but one of those systems has been authorized. They are operating with authorization. And we are working on the final one that was with the contractor.

There is also a systemic problem there, obviously, of trying to find out why they weren't already through the authorization issues, to make sure that authorization is done on time and on schedule. Has that issue been fixed? I know rapidly people stepped in and said let's fix this with the authorizations that haven't been done. What about for the future, to make sure those continue to be done on time?

I'd like to have my CIO get that information.

Give me a time frame when I can get that back?

End of the week, sir.

Great. There is also an outstanding letter that I sent to your office on June 10th. I'm the chairman on the committee of Homeland Security and Governmental Affairs that has the workforce in it, as you and I discussed in the past.

Yes.

June 10th I sent a letter. It has yet to be acknowledged that you have received the answer, and there are basic questions still unanswered, none of them that would require a classified setting. Basic unanswered questions. I have records on the FAA and employees that live in my district that have asked basic questions. The folks from AFGE have asked basic questions to get a response from. They have yet to get a response to say whether it's been acknowledged. They want timing. I know the letters have gone out nationwide, but they want to know people are working on some of these other issues.

Senator, I apologize if you have not received my response. I know I have asked my staff to respond to that and I know it is forthcoming. I will be sure that you have that letter today.

Thank you. Let's deal with cost issues dealing with the appropriations side. Do we have a ballpark cost to OPM yet to contact, the letter that's gone out to everyone to let them know, hey, possibly your information has been breached?
So there are really cost factors sitting here that our committee has to consider. One is the cost of printing that letter. The second one is the cost for the credit report, credit screening and protection that is happening as a result of those. Do you have a cost estimate?

I have a general cost. As we look at the take-up rate on the credit monitoring, that will adjust it, but it's approximately between 19 to 21 million.

Okay. So 19 million to 21 million. And then what's the estimated cost on just the letter going out?

That's the total cost, sir, between emails and letters. I don't have the breakdown; I'd be glad to get that for you.

Are you aware that some agencies have actually blocked internally the website you have linked people to, to say get more information? So those individuals, when they try to go, are blocked from that for fear there may be phishing scams going on. Have you started working with other agencies on that?

We have worked closely with departments and agencies because of security protocols they might have. We have worked closely with them and their CIOs and other top officials.

Finally, this issue of the inventory of servers and databases and different workstations that are out there. The central control issue obviously is important for keeping up security and technology upgrades, and making sure software continues to be upgraded and everyone has a consistent security presence there. When there is any server independent there, it creates tremendous vulnerabilities. They just have to find one of those. How is that going with unifying that structure? Because that's not a legacy issue. That's more just an inventory issue.

Yes. I respect the Inspector General's opinion on this, but my CIO has told me we have indeed an inventory of systems and data, and I'd welcome the opportunity to discuss this with you and with him further.

Great.
We'll look forward to getting that report and discussing more about that, because that's one of the significant vulnerabilities.

Yes.

Thank you.

Mr. Chairman, thank you, and Senator Coons. Welcome to our three witnesses. Ms. Archuleta, I'm going to begin with you. I have a series of questions that I hope have relatively short responses, and I will work through them as quickly as I can. What is the current estimate of the total number of files or employees breached?

Under the employee personnel files, we estimate that to be a little over 4 million.

And that is, at least according to press reports, those numbers may grow. What else may occur, or what may you discover?

It is an ongoing investigation. We'll continue that investigation with our partners.

So at this point we know that it is a little over 4 million. And when we talk about it, are those words interchangeable, 4 million employees and 4 million files? Does that mean the same thing?

That's approximately 4 million people who have been affected by it.

And then what's the total amount possible for number of employees affected? You say we estimate it today to be 4 million. It may grow. What's the maximum number of files that could have been breached?

What we know, I want to separate incident one and incident two. Incident one is the one that I'm describing, the employee personnel files. And we have estimated that to be a little over 4 million, as I have described.

What's the total number of employees that could be affected by that?

That's the number.

That's the number?

That's the number.

All right.

So as we look at the second incident, which we have not determined the scope of, I don't have a number for you on that.

How many employees, let me ask it differently. How many files do you have management over?

Well, as you know, in a federal background investigation file there may be a number of different names and PII within it. That's why I can't give you a specific number on that one.
We are working, as I said, to get that number, and I will bring it to you as soon as I have it.

Let me ask this just one more time and make sure that you and I are on the same page.

Okay. I apologize if I'm not understanding.

It may be inarticulation on my part. You have a certain number of files within your agency subject to this kind of breach. What's the total number of files that potentially could be breached?

That's what we are investigating right now, sir.

Let me ask it this way. How many files are there at OPM?

There are millions of files, sir. We are a data center. So there are millions of files. The SF-86, the background investigations, contain numerous names. That's why I want to be careful to make sure the number I do give to you I'm confident about.

All right. You have indicated you have taken significant steps.

Yes.

I wrote that down as part of your testimony. Yet the OIG says only three of 29 recommendations have been closed, and indicates, let me look at his testimony, "Only three of these 29 recommendations have been closed to date. And nine of these open recommendations are long-standing issues that were rolled forward from prior year FISMA audits." How do you reconcile "we have taken significant steps" and yet the OIG's report says there are long-standing problems and only 3 of 29 have been addressed?

We work very closely with our IG. As I said before, we work with him to make sure that we have complete and open transparency with him. We meet on a regular basis. He continues to assist us in identifying the areas of improvement. And the issues that he has brought to us we are working through. In the 2014 audit that he performed for us and provided to us, we are working through the steps that he has outlined for us. And I know we are not in agreement with all of them, but we do believe that that conversation and the transparency that we have between us will be helpful in resolving all of them.

Mr. Esser, do you agree with Ms.
Archuleta that the agency has taken significant steps to correct its problems?

Yes, I do. I think they have made great strides over the years to improve some of the issues that we have reported. For example, the decentralization issue, which went back to 2007. In this past year's FISMA audit we decreased our severity of that finding from a material weakness to a significant deficiency. In addition, there are a number of other areas where they have put in tools and made strides to improve security. That said, there are a number of long-standing issues in our FISMA reports that are open, and, you know, we hope to see movement on.

Mr. Spires, let me give you an opportunity. If you were still in the former capacity at this agency instead of the IRS or Homeland Security...

Sure.

Let me first start with a broader question. Based upon your understanding of the facts involved here and your best judgment, was the breach or breaches that have occurred at OPM, were they predictable based upon what we knew, looking at, for example, the OIG report? If you saw those reports, is this an outcome that could be expected?

I think it is an outcome that could be expected, sir.

And do you have a sense, based on either Ms. Archuleta's testimony or your independent knowledge, of what you heard of Mr. Esser and their reports, would you say that the OPM officials have taken significant steps to solve their problems?

It does sound like they are doing a number of the things correctly. I think the centralization of I.T. is a very good step. They are talking about a modernization program that would upgrade their I.T. infrastructure. That being said, I'm going to go back to my earlier point: had I walked in there as the CIO, again, I'm speculating a bit, and I saw the kinds of lack of protections on very sensitive data, the first thing we would have been working on is how do we protect that data? Okay? Not even necessarily talking about the systems.
How is it we get better protections and then control access to that data better? And I think that is probably where the focus needs to, excuse me, shift here, based on what I'm hearing.

Meaning there is a priority that needs to be a priority, a first effort.

Priority, yes.

Ms. Archuleta, does anyone at OPM take personal responsibility for these breaches? Or is this just considered a problem with the system? Is this a problem with individuals not performing their duties, or is it just more that this is the system we inherited, we're working on it, and no one in particular is responsible for the outcome?

I think Mr. Esser and Mr. Spires have said it correctly. This is decades of lack of investment in the systems that we inherited when I came in. And from the very beginning of my tenure, I have been focused on this. And we are working to install not only the architectural strategies, but also to install the detection systems and be able to remediate. But as both of my colleagues have mentioned, we have legacy systems that are very old. And oftentimes we have to test to be sure we can even add those protection systems, those tools, into the legacy system. If there is anyone to blame, it is the perpetrators. They are concentrated, very well funded, focused, aggressive efforts to come into our systems, not just at OPM. But as both of my colleagues have said, across the whole enterprise is one that we are concerned about and one that we are working on with our colleagues. We're going to take every step we possibly can at OPM to continue to protect. That is why we're trying to move out of the legacy system.

So to date you don't consider anyone at OPM, any of your staff or employees or people responsible for I.T. and its security, to be personally responsible? It is simply, I don't mean simply, it's a problem with the system that has been inherited?
This is an enterprise-wide problem, and cyber security is a responsibility of all of us who head organizations. That is why, with Tony Scott's assistance and with his efforts, we are going to address this on an enterprise-wide basis as well as at OPM.

No one is personally responsible?

I don't believe anyone is personally responsible. I believe that we are working as hard as we can to protect the data of our employees, because that's the most important thing that we can do. And I take it very seriously. I'm angry, as you are, that this has happened to OPM. And I'm doing everything I can to move as quickly as I can to protect the systems.

Thank you very much.

Thank you, sir.

Mr. Esser, Ms. Archuleta mentioned the problem with the legacy systems, which I think we all understand, but isn't it true that several of what was breached were not legacy systems, that with the right tools in place would not have been breached?

Yes, sir. Based on our audit work...

So the idea that this is all legacy and stuff is really not the case?

Well, there are many legacy systems at OPM. I mean, I don't want to give the wrong impression. I mean, that's a fact. But based on the work that we've done in our audits and ongoing work that we are doing, it is our understanding that a few of the systems that were breached are not legacy systems. They are modern systems that current tools could be implemented on.

Okay. Very good. I think that's really important. Concerns are being raised about the contract secured to provide credit monitoring services for victims of the first breach. We don't yet know the scope of the second breach and what services will be provided for additional victims. Mr. Esser, in your flash audit you raise concern about OPM's sole-source contract for the improvement project related to subsequent phases of the project. Do you have additional work planned to oversee OPM's contract and procurement practices?
It's something that we are monitoring, and following the reports and gathering the facts. We have not planned any audits of that at this time, but it's something that we may do.

Very good. Mr. Spires, you describe a number of root causes that have led to the current issues the government faces in I.T. security, and you have offered a number of recommendations. Can you just tell us again a couple of key recommendations that would make a difference over the next year or two?

Yeah, I would really like to re-emphasize FITARA. And I thank Congress for passing it, for the good of the nation. We need to figure out how to manage our I.T. more effectively. I would say that is the single root cause that has led to these kinds of situations we find ourselves in with these data breaches. And it's not that I'm just wanting to say we need to have all the power reside with the CIO. But what we need are CIOs that have the authority to really bring best practices and not to allow, okay, systems or practices to continue that jeopardize the security of our data and our systems. And that has been the problem for decades. And we still have real cultural problems. I mean, I'm out of government now for two years, but based on many discussions I've had with brethren that are still CIOs and that are still in government, the cultural issues loom large here. We need to take this incredibly seriously. And I would urge you as a subcommittee to provide your own oversight of the implementation of FITARA.

Do we need additional legislation?

You know, I'm not convinced. I think we do need the general cyber legislation about how we better share information between the government and the private sector. I think that is something that Congress should continue to work on. I think, between the FITARA act and between the updated FISMA act, I think we've got enough of the tools on the legislative side.
I think it is a leadership and management set of issues within the administration, with the proper oversight of Congress.

Very good. Mr. Esser, along the same line, what would you comment on in regard to, again, the most significant weaknesses or underlying causes? What do you see as the priority that we need to be doing in the next two or three years?

Well, specific to OPM, I think the project that they are undertaking to modernize the I.T. systems is the right way to go. That definitely needs to be done. We fully support that project. We do have some concerns, as expressed in our flash audit alert, regarding some of the project management related to it, the sole-source contracting. But, in general, we think it's definitely the right path to follow.

And so how will you all be involved? Mr. Spires talked about oversight. Certainly that's something we can do in regard to this committee. How will you be involved in that process?

We are continuing our oversight of the modernization project. The flash audit alert was issued this week. It's an interim report, so to speak. We'll continue our audit work throughout the length of this project.

Mr. Spires, the administration's CAP cyber goals, in an effort to drive significant rapid improvement changes, and yet that's not working. Do you recommend any changes to the goals?

Yes. I would first comment that, I mean, I think having goals is certainly appropriate. But let's take one example. This notion we've all talked about, this need for multifactor authentication, right, to be able to much better protect the credentials of those that use these systems that are legitimate. Yet when you look at the cyber goal, and when you look at the HSPD-12 PIV card and trying to get the HSPD-12 usage within the federal civilian agencies, that is the goal. Let's go back to the adversaries. And 75 percent doesn't cut it in this world anymore.
So we need to rethink, I think, the objectives there. Go back to the prioritization about protecting data. Doing the multifactor authentication. Those should be the highest goals. That does not mean we shouldn't be working to continue to bring in the right kinds of capabilities to better protect our systems. We need to do that as well. But I think it's time to rethink those goals and to reset them along those sets of priorities.

Mr. Esser, you mentioned at OPM that one of the findings you found was that we didn't know exactly what entails a system, you know, what they have. Has that been corrected? Or do we still not know the number of units and servers and all the hardware and things?

Based on our latest work, that's still our understanding. Director Archuleta commented a little while ago that they do have a complete inventory of systems. So we'd be more than happy to work with them and look at that and do our audit work related to that.

But if that is the case, that's just recently happened?

Yes, sir.

Okay. Thank you very much. I'll defer to the vice chair. Senator Mikulski.

I understand security firms have a top shield that can be penetrated?

I don't have any more information than what I read in the news, Senator, but I read that as well.

Which indicates that this is an international problem.

It certainly is. And really shows that despite best efforts of highly skilled professionals... that's not to excuse where we are.

But your advice is get with it, and get with it pretty quick.

I think you have summed it up.

And would you recommend this be across all government agencies? That OPM was hit, et cetera?

My experience, having served on the federal CIO council and worked with many of the agencies, is that OPM is not some outlier here. That many of the federal agencies have very similar issues as far as management and cyber security posture.

Thank you very much, sir. Ms. Archuleta, the federal employees. Maryland is the home to 130,000 federal employees.
They work at everything from the National Institutes of Health to the National Security Agency. Most people with the National Security Agency are civilian employees. What do I tell my employees? Because they are quite apprehensive. What is the impact of this on them? What can you talk about this? And what is the impact on them? How are you in communication? And should they be afraid that another shoe will drop, and that it could drop on them and their credit ratings or whatever?

Yes. And I do want to state I care very much, as you do, Vice Chairwoman, about our federal employees. And what this breach has done has exposed their data, as you know. And I am very concerned about that. That's why, in terms of the first incident, we have been working very hard to not only begin, but also to improve our notification system and to provide both identity theft and credit monitoring for them. We've received much feedback from our employees. And we're using that feedback...

So have I. They are pretty apprehensive and agitated.

I know. And I am angry, too. I am angry this has even happened. I have worked very hard towards correcting decades, as I've said before, of inattention. And I will continue to do so. And I will tell you that I am very concerned about protecting the data of our employees. And that as we move into incident two, I'm going to use their feedback, their concerns, to inform us so that we can look at the wide range of options that we will have available to us with these notifications.

Do you have kind of a council of federal employee organizations that you meet with that can kind of tell you the view from the employee up, so that you really hear what they are saying? People like myself, Senator Cardin, Senator Kaine, Senator Warner, we are very proud of the fact that the National Capital Region is the home to so much talent that works with so much pressing national interest, from the cure to cancer to protecting our country against predatory attacks.
And now they are worried about predatory attacks against them. Do you meet with them and get this advice, so that we can at least, while we are trying to sort out the best way to have a cyber shield on our .gov, or cyber shields on our .gov...

We are doing several things, Vice Chairwoman Mikulski. We are working with our CHCO...

I don't know what CHCO is. That's what I call some of my jackets.

Mine, too. The Chief Human Capital Officers for each of the agencies, as well as all the department heads and leaders. And we've tried to adjust the notification system so that it is customized to the employees. We are also listening to our unions, our union representatives, and seeking their input. And other stakeholder groups, to see how we can better improve our notification system, not in the long term, but during this period from June 8th to June 19th, is to take their feedback every day around call centers, how we can provide FAQs on the website, how we can work directly with department heads and agencies so they are assisting us in the notification system or in the notification process. We take very, very seriously what we owe to our employees, and I will continue to do that and to make sure that in this second incident that we are using their input.

Well, I think it's absolutely crucial. Mr. Chairman, I would like to really thank you also for having the IG at the table. When I chaired the committee, it was my habit, or really my administrative procedure, that all of my subcommittees either had an IG come on what were the hot spots for agencies, or at least submit written testimony. The fact that you are utilizing that is really crucial. We'll have a lot to talk about this afternoon. Better talk privately. Mr. Esser, thank you so much for your service. We so value the work of our Inspectors General.
They've been enormously helpful to me, both as chair and now vice chair of the committee, to really get value for our dollar, to identify management hot spots, and we really want to thank you for the identification not only of the problem but the recommendation for solutions. So thank you very much, and all the IGs.

You are very welcome, Senator.

Thank you, Senator. Senator Lankford.

Thank you. Mr. Spires, let me ask you a follow-up question. You said, coming from the CIO council before, that many federal agencies have similar issues?

Yes.

Twofold question. One is to define what "issues" means on this. And second is give me a percentage when you say many other agencies. And again, I'm not asking you to articulate what the security issues are and specifically where our vulnerabilities are.

Right.

Not asking you to do that. Give me a guess how many agencies we are dealing with and what those issues are.

I would say many of the federal agencies have a similar kind of problem that Mr. Esser alluded to about decentralization of I.T. In and of itself, that's not necessarily a bad thing. But it's been very, very difficult for many of these agencies as they have rolled out systems, and then have to support these systems. The complexity factors have grown so significantly that it's just very, very difficult for them to get their arms around the systems. I mean, we would do it at DHS, to call out DHS specifically; I mean, we would do inventories and try to, if you will, find all the systems that we had, right? And I think we did a relatively good job at that, but every year we would find more. We'll try to secure that. And I'd say that's the first thing: most agencies, I believe, have that problem. And I don't want to put a percentage on it, because I don't know how to measure that, but I would say most of the major agencies have this problem, that the CIO would not be able to sit here and say they have a good handle on their true inventory of I.T. systems.
What about user credentials?

I give all the credit in the world to DoD for having rolled out that CAC card and having the leadership and wherewithal to make that happen. Most government agencies are still struggling to roll out what we call the HSPD-12 program, or the PIV card, and use it for logical access control. It's still an issue. If you go to the CAP goals and you look at where we're at, it's still an issue at most of the agencies on the civilian side.

Authorizations? Networks?

Again, I think you are hitting the hot spots here. You have the many systems we would find, where they wouldn't have authorizations because they were out in the field and they were not under the CIO's control, or what I also didn't like, which was kind of hiding the ball a