Transcripts For CSPAN3 Politics Public Policy Today 2024062

CSPAN3 Politics Public Policy Today June 22, 2024

We will continue to do that, and to make sure that in the second incident we're using their input.

Well, I think it's absolutely crucial. Mr. Chairman, I would like to really thank you also for having the IG at the table. When I chaired the committee, it was my habit, or really my administrative procedure, that all of my subcommittees either had an IG come in on what were the hotspots for agencies, or at least submit written testimony. The fact that you're utilizing that is really crucial. We'll have a lot to talk about this afternoon. Thank you so much for your service. We so value the work of our Inspectors General; they've been enormously helpful to me, both as chair and now vice chair of the committee, to really get value for our dollar, to identify management hotspots, and we really want to thank you for the identification not only of the problem but the recommendation for solutions. So thank you very much, and all the IGs.

You're very welcome, Senator.

Thank you, Senator. Senator Lankford.

Thank you. Let me ask you a follow-up question. You said, coming from the CIO Council, many federal agencies have similar issues.

Yes.

I'd like to ask a twofold question: one is to define what "issues" means on this, and then the second one is, give me a percentage when you say many other agencies. I'm not asking you to articulate what are the security issues and specifically where are the vulnerabilities; I'm not asking you to do that. Give me a guess here: how many agencies we're dealing with, and what those issues are.

I would say many of the federal agencies have a similar kind of problem that we alluded to.
In and of itself that's not necessarily a bad thing. It's been very, very difficult for many of these agencies, as they've rolled out systems and then have to support these systems; the complexity factors have grown so significantly that it's just very difficult for them to get their arms around systems. I mean, we would do, at DHS, to call out DHS specifically, we would do inventories and try to, if you will, find all the systems that we had, right? And I think we did a relatively good job at that, but it would not be... every year we would find more, try to secure that. And I'd say that's the first thing, is that most agencies, I believe, have that problem. When I talk to... and I don't want to put a percentage on it; I don't know how to measure that as far as a percentage. Most of the major agencies have this problem, that the CIO would not be able to sit here and say they have a good handle on their true inventory of IT systems.

What about use of credentials?

Well, I would give all the world credit to DoD for having rolled out that card years ago, and having the leadership and wherewithal to make that happen. Most government agencies are still struggling to roll out what we call the HSPD-12 program, or the smart card, and use it for logical network access control. And it's still an issue; if you go to the CAP goals and look at where we're at, it's still an issue at most of the agencies on the civilian side.

Authorizations of networks?
Yeah, I again think you're hitting the hotspots here. The many systems we would find, we would either have... they wouldn't have authorizations, because they were out in the field and they were not under the CIO's control, or, what I also didn't like, which was kind of hiding the ball a little bit here, you could do an interim authority to operate, and some of those would last way too long, and there would be weaknesses in the systems, and it would be difficult to clear those weaknesses. I can't put numbers on that, but hopefully I've given you a sense of where I feel many of the agencies sit today.

My question with that relates to appropriations. None of those seem like big-dollar items. The wonderful term "hygiene," really, for our systems. Am I hitting that wrong or right?

Yeah, I want to be a little careful here. Government... if we have to monitor a CRT with an orange screen on it, I get it; we have some old systems out there. The initial security side of this seems to be the first rung: how we're handling the information in the inventory. I would agree with your sentiment that says we could manage this a lot more effectively, and we don't necessarily need new dollars to do that. Some of the issues, though, that go to true modernization, you do need investment.

Sure. Okay. Let me ask you a question. You had in your written testimony, and then again in your oral testimony as well, you kind of talked through the timeline of how things went. Some areas you were specific about how things moved and in what order; there were a couple of terms that jumped out at me there. "As a result of these efforts to improve our security posture, in April 2015, an intrusion that predated the adoption affecting OPM's data was detected by our new cybersecurity tools. OPM immediately contacted the Department of Homeland Security." Can you give me a definition of "immediately"? Is it the same day, a week, a month?

Same day.
And then you had the same issue, where we talked about the scope and impact of the intrusion: "Shortly thereafter, OPM notified Congress and leadership."

We have a 7-day requirement, which we met.

Met it within that 7 days?

Yes.

The contractor that was involved in this, that had the responsibility for a strategic IT and security plan: who is that contractor, and what were the assurances that they gave early on, during the conversation of the contracting process, to say, "we'll provide security structure management"? I'm kind of looking for what they said they would do and what they actually did. Who is the contractor?

I think it's... I want to be very clear that while the adversary leveraged a compromised KeyPoint user credential to gain access to OPM's network, we don't have any evidence that would suggest that KeyPoint as a company was responsible or directly involved in the intrusion. We have not identified a pattern or material deficiency that resulted in the compromise of the credentials. And since last year we have been working with KeyPoint, and they have taken strides in securing their network and have been proactive in meeting the additional security controls that we have asked them to use to protect all of the background data.

The question is then, with KeyPoint, the security controls they put in now, the security controls that were discussed earlier, were they not fulfilled, or are these things that were considered?

We're discussing, I think, two different... I think I understand, but let me be sure: our detection in April detected an intrusion into our system in late 2014. The detection was in 2015; we detected an intrusion into our system in late 2014.

So what I'm trying to drive at is, then there were changes in security protocol. Were those changes recommended before, or are these entirely new?

These are ones that we had planned and were installing as we progressed through our improvements.
And unfortunately, we didn't have them in place soon enough. We are working, as I said, with a legacy system. We were testing many of our signature security tools, and as a result of actually being able to install this particular security tool, we were able to detect it.

And that had been in place how long, to be able to put those security controls?

It's part of our IT security plan, which we developed...

You said the 2012 plan?

It's a 2014 plan.

Thank you. Thank you, sir. Senator Coons.

You are in the midst of a major IT modernization project. How much do you expect that total project to cost?

There are four steps we're using for that plan: the tactical, what are the tools we're going to need to protect our systems even as we move forward; we're building a new shell, it's called a new shell system, which will be the platform; and then the third and fourth are the migration, and then the disposal of the legacy system. We are at the step right now... in June of 2014, we hired a contractor to assist us in the development of the shell, and we're moving toward that. We, as I've said, have identified 67 million in 2014 and 2015 that would enable us to move toward that, and we're asking for an additional 27 million in the 2016 budget to aid us. We're working closely with OMB to determine if another request should be made.

Has a major IT business case been prepared?

Yes, it has, and we've worked very closely with OMB. This was one of the points that the auditor, or the IG, brought out in his flash audit, and I can assure the auditor, or the IG, that we in fact have been working very, very closely with OMB. This is an urgent issue, and we are moving as fast as we can, making sure that we track, we justify, and we document all that we're doing. Consistent with the OMB standards that have been given to us, we have a budget that we've worked very closely with OMB to deliver.
Why, in response to the IG audit, one of the concerns was you gave a sole-source contract, if I understand correctly, to manage all four phases of this very large project. Now, what type of contract is it? Is it a fixed-cost project? And what steps are you considering in light of the audit?

As I said before, there's oftentimes places where we have areas of agreement, and areas where we would like to have further consideration with the auditor. In the flash audit, the Inspector General encouraged the use of existing contracts or the use of full competition, and I would like to assure you and the Inspector General that the process followed in awarding the existing contracts has been perfectly legal, and we will continue to ensure that any further contracts and processes entered into will also be perfectly legal. He also expressed concern that the sole-source contract used in the tactical and shell phases should not be used for the migration and the cleanup phases, as I described earlier. I understand his concerns, and I would like to remind the Inspector General that the contracts for migration and cleanup have not been awarded. Where we would like to have further discussion with the Inspector General is the timeline, the practical timeline for our major IT business case: he's suggesting that we move that out into fiscal year 2017; I would like to move that much quicker, given what we've already experienced. I assure the Inspector General and everyone here that all of our decisions are being tracked, documented, and justified. He's made a number of recommendations regarding contracting and standards that rely on external sources for assistance, and I believe that the federal government, and the good work that Tony Scott is providing to us, and all our partners in government have strong solutions to offer, and I'm going to look forward to talking more to him about his suggestion.
Have you had a chance to look at other agencies that have had successful IT projects to use as a model? You have some sources of valuable insight into how to manage multiphase, expensive, and time-critical IT projects. Have you looked at whether having an outside contractor managing the project, or breaking it into more bite-sized pieces, may achieve some of your goals?

We're looking at all of our options. This is a very serious issue; I'm taking it very seriously, and looking into all the resources I have available to me. And I will certainly do that. I believe that the federal CIO is an important asset to us, as are our partners at DHS; we're looking to those, and I would... I welcome the Inspector General's suggestions, and as I move forward through this process I will be listening to him carefully, as well as my partners across government.

I appreciate that response. You were the former CIO at DHS and IRS, both of which have had very cumbersome, expensive, difficult, challenged IT projects. Were you able to turn around some of the sort of legacy IT failures there, and what advice do you have for OPM as they engage in another expensive, complex modernization effort?

First, I would make the note that it's always about a team effort, right? In order to deliver these kinds of programs... I actually joined the IRS and took over the Business Systems Modernization program, and at that time it was on the GAO high-risk list. I'm pleased to say that, as a team effort, we were able to... it took a long time, but we were able to improve our processes to the point where recently that program was removed from the high-risk list, which is quite an accomplishment. Let me just say that I have... I've reviewed many programs, and there are... we could have a long discussion about how to appropriately manage IT programs. I would make a couple of points very quickly.
One thing that's very critical is the overall governance framework you put in place; you need to get the right stakeholders in the room to work together to make this happen. All too often I've seen issues where that does not happen. The other thing I would say: don't over-rely on contractors. You need to have the requisite experience and skill set to be able to run these programs. I would say, and I'm not picking on OPM, I don't know much about their modernization at all, the smaller agencies struggle more with this, because they don't have the heritage of having learned those lessons.

Thank you for your testimony today. Grateful for your input, as we try to offer critically needed reassurances, particularly to law enforcement but to all federal employees, and to find timely and cost-effective solutions to this and other cyber challenges. Senator Moran.

Chairman, thank you very much. Mr. Spires, based on what you heard today, your knowledge of government agencies and their cybersecurity issues, is this a management issue or a resource issue?

It's more of a management issue, sir.

And why do you say that?

Because of the nature of the way IT has been run in a lot of agencies; there are so many, let's say, inefficiencies that have crept into the system that I don't believe we effectively spend the IT dollars we receive now. I believe that with a proper drive toward management, you can drive a lot of savings from the existing budgets. I'd caveat that: when you're talking about modern, new modernization programs, sometimes, with the right business case, it does make sense to invest in those.
I assume, based upon your response to Senator Coons, I assume there's a certain inclination when these issues arise: the easy thing to do is to hire a contractor. "We don't know, within the agency we don't know this stuff, this isn't our primary mission, let's get somebody in here who takes care of this." We've worked on this committee, when Chairman Udall was its chairman, we worked on FITARA: how do we improve the role CIOs play in an agency, in part trying to compensate for an attitude that "we're not tech folks, somebody else is responsible for that." Describe to me how you work with your CIO. Let me ask a question first about this. The breach... the first breach I think you're aware of goes back to June of 2014, as I recall. You and others testified in front of this committee in May of 2014, and the following month, June, OPM became aware of a breach. Is that...

Yes, let me just... the first breach that we discussed with you was...

I don't think you discussed this with me, because I don't think, if you knew about it...

I don't think we knew about it. I'm sorry, sir. It's probably better that... let me start. I want to look at my... make sure I have my months right. In March of 2014 was when we identified some adversarial activity, but there was no PII that was lost in that. In June of 2014, which is what you may be referring to, is when USIS was breached, and there was OPM data that was compromised that impacted about 2.6... individuals. Thousand, 2,600 individuals. In August of 2014, KeyPoint Government Solutions, which I described earlier, their adversarial activity, they were breached, and that breach compromised approximately 49,000 individuals. And then in April of 2015 was the breach that I've described earlier, as well as the one in May.

So there were... make sure I understood what you just said, there were three breaches that occurred prior to the two we're now talking about: there was the OPM network in March, June of '14, in August KeyPoint.
So what was your change... what change did OPM... you obviously became aware on three occasions, somebody's trying to intrude on our system; what then did OPM do after realizing that?

If I could just go back a little bit, because I want to reassure you, to my colleague's point, one of the first actions I took was to hire Donna Seymour. The second action I took was to develop an IT strategic plan that had exactly the things, the pillars, that my colleague describes. So IT leadership; IT governance, which must buy into the design and the structure of the IT plan and its development; IT architecture, what was it going to take for us to build out the systems that we needed in view of our legacy system; IT data, we needed to be informed, we needed to know that what we were doing was right and we were doing this in a way that was analytical; and we also had, as an important pillar there, IT security. Obviously, very, very important: as we were building out, even as we were working on our strategic plan, one of the most important pillars was IT security. And since Donna Seymour came in as CIO, and because of her experience, and, as Mr. Spires said, the good talent and experience we have in government, we brought her from DoD and DOT, she was able to apply those skills and talent to identifying not only what our strategic steps are, but how we could begin to develop them. The first thing we needed to look at: what could we place on that legacy system, and what would it take to do that? That's where she began, and what she continues to do throughout her tenure.

Your point is, from not necessarily following the three breaches that we just talked about, but from your arrival, your priority was to get a CIO and begin implementation of a plan?

I will tell you, Senator, that from the first time I was briefed on our IT infrastructure, during my confirmation preparation, I knew that there was a problem.
And that is why, in my confirmation hearing, I said it would be a top priority, and I promised your colleagues that I would develop
