Transcripts For CSPAN3 Politics Public Policy Today 2014101

CSPAN3 Politics Public Policy Today October 13, 2014

In the marketplace coverage every day through special enrollment periods. This is the most recent count of people who have coverage throughout the marketplace. Each month this number will change slightly as consumers transition in and out of coverage as their life circumstances change, everything from getting a new job to moving to a new state or becoming eligible for Medicaid or Medicare. There's also good news about Medicare. Spending per Medicare beneficiary is growing slower than the overall economy. The Medicare trustees recently projected that the trust fund that finances Medicare's hospital insurance coverage will remain solvent until 2030, four years beyond what was projected just one year ago. We strive to make health care safer and better. In the last five years we've seen a 9% reduction in harm in hospitals, such as decreased health care associated infections. This represents over 500,000 injuries, infections and adverse events avoided, over 15,000 lives saved and approximately $4 billion in avoided costs. This adds up to better health care at a better price, and I know that makes a real difference for real people. Consumers also trust us with their personal information, and I take that trust very seriously. Security and privacy are one of our highest priorities. CMS has decades of experience in operating the Medicare program and its supporting systems, and we successfully protect the personal information of both beneficiaries and providers. However, we must continue to be vigilant and evolve our assessments and actions to keep up with ever-changing threats. Consumers can use the marketplace with confidence that their information is safe and take comfort in knowing that no personally identifiable information has been maliciously accessed from the site. Our systems are designed with security in mind and our focus on security is ongoing. It did not end when the marketplace launched.
CMS conducts continuous monitoring using a 24/7, multilayer professional security team and penetration testing. Our systems comply with standards promulgated by NIST and the Office of Management and Budget. There is risk inherent in any system. It is simply, sadly, a part of the cyber world in which we all live. We appreciate the work done by the GAO to suggest additional controls to help us further protect against these risks, and we are already seeking to improve upon the security protections in place. As we look forward to our second enrollment period, our goal is to build upon this progress and to address outstanding challenges. We're working to make it as seamless as possible for people to reenroll in coverage, and reinforcing our outreach to help more uninsured consumers enroll in coverage. We are making management improvements with clear accountability and are committed to being transparent. This coming year will be one of visible and continued improvement, but not perfection. As problems arise, we will fix them, just as we always have. Throughout my career as a hospital executive, nurse and public servant, my focus has been on providing people with high quality health care. I'm proud of the progress we've made at CMS and I hope to continue to work with Congress on our efforts. Thank you.

Thank you. Ms. Barron-DiCamillo.

Is that close? Okay, I'll try to do better. Thank you. Start again? Chairman Issa, Ranking Member Cummings and members of the committee, thank you for the opportunity to appear before you today. We are also making every opportunity and every effort to be transparent at DHS, to be as transparent as possible. My name is Ann Barron-DiCamillo. I'm the director of US-CERT within the National Cybersecurity Integration Center. We lead the Department of Homeland Security's efforts in cyberspace to respond to major incidents, analyze threats, and share critical cybersecurity information with trusted partners around the world. US-CERT is a 24/7 operations center and receives and analyzes hundreds of incident reports a day. We work with public and private sector partner organizations and are committed to the protection of privacy and civil liberties for all Americans. At US-CERT we strive for a safer, stronger internet for all Americans. Established in 2003, US-CERT initially focused on securing U.S. federal systems and networks. DHS's cybersecurity capabilities have grown immensely since the establishment of US-CERT, and we are working more closely than ever with partners across public and private sectors to develop a comprehensive picture of malicious activity and mitigation options. Cybersecurity is a shared responsibility and a continuous process. Our focus is helping our partners build a resilient and secure ecosystem in cyberspace. Protecting the networks requires coordination across the cyber community to enhance others' capabilities as we continue to mature our own. While DHS leads the effort to secure federal civilian networks, agency heads are responsible for assessing risk to their systems and taking appropriate measures to secure their networks. US-CERT supports agency heads and chief information officers in carrying out these responsibilities. I'm here today in a technical capacity to provide findings from our analysis of the compromised test server at healthcare.gov. US-CERT was notified of an incident by CMS, which has the oversight responsibility for healthcare.gov. We conducted analysis of the images provided to us by CMS and found evidence of malware on a test server. As stated by the Ranking Member, our analysis concluded that there was no indication of personally identifiable information, also known as PII, exposure, and no indication of data exfiltration. Additionally, there's no evidence of any lateral movement within the network or further infection. We provided CMS a report with the findings as well as mitigation recommendations.
Additionally, we were able to share indicators from our analysis so agencies, partners and stakeholders could better protect their own networks. We are in discussions with HHS to provide further onsite support. DHS remains committed to working with its federal and private sector partners to create a safe, secure and resilient cyberspace. I look forward to answering any questions that you might have. Thank you.

I will start with you, then. When did you find out you were going to appear here today? I believe I was informed on Monday. When did you begin preparing for today's hearing? When I was informed on Monday. Okay. Has CERT done security testing of healthcare.gov? We were provided images from CMS of the compromised test servers. We provided analysis... I appreciate that. The question was, has CERT conducted any security testing of healthcare.gov's vulnerabilities? No. As I stated in my opening remarks... So when Ms. Tavenner says there has been no loss of personally identifiable information, if you don't know the vulnerabilities, how do you know that... how would she know that to be true? I believe that CMS conducts their own scanning and testing. But I'm happy... Did you verify their scanning and testing to be sufficient? We would be happy to provide that information. Did you? I haven't been provided any details. You don't know that? Within the test network? Yeah, it boils down to, you're here as an expert that I didn't expect from an organization that refused to give my staff any briefing related to it. I do apologize for that. I was under the impression that our staff was working with your staff to answer those questions. As of yesterday afternoon, they put people who didn't have technical expertise on who told us they would get back to us. That's after more than a week of information we have put in the record where we were denied that. Maybe I'll go on to GAO. I'm going to ask, first of all, your indulgence.
When this hearing is over, I would like you to accept... Pardon me? I wanted to hear what you had to say. That can happen. I would like you to accept a briefing and do a supplemental related to the 13 breaches. Okay. Ms. Tavenner, I'm going to presume you will agree you will have full access to all information related to that so that GAO may develop specific additional recommendations based on the actual breaches, the 13 incidents. Yes, sir. Okay. That will allow us to get what we don't have here today. I appreciate that. You have gone through an extensive amount. Would you describe for the committee the level of cooperation you believe you got? We have heard what you didn't get. Are there good news stories in the cooperation as you did your investigation or your audit? There is some good news and some not so good news, Mr. Chairman. As we began our audit, and generally we do receive good cooperation from the agencies that we audit as it relates to receiving the information requests that we provide... And in this case, initially, there were delays in providing certain documents that we had requested. In addition, there were certain... CMS attempted to put certain restrictions on the... on some of the documents. Did they cite why they were restricting? Are you just not trustworthy? I think they indicated they were concerned about the security... the sensitive security information. They don't trust you? I wouldn't say that, sir, no. But we elevated the issue within GAO and within the department. We reached an agreement to where we would be able to... and they did provide the information for us to look at. At the end of it all, there was no reason... after it was elevated, there was no reason that they should have denied it to begin with? In my view, no. They should have provided it earlier. But at the same point, you know, they had a concern about the security of the information. So they tell us.
But you know, their motivation would probably be better addressed by the administrator. Limited time. I want to set the stage for what others on both sides of the aisle may ask here. When you looked at the robustness of how they determined with such certainty that there had been no breaches, no loss of personally identifiable information, were you satisfied that all those procedures were robust enough, with the certainty that Ms. Tavenner said, that no losses had occurred? Well, we did not receive actual security incident reports on these incidents, at least on the 13. We did receive a written response to an interrogatory in which they indicated that, at least for the 13, there was certain PII that was compromised or disclosed to an individual. But it was consumer... It was through a technical glitch. Wait. I want to understand. Personally identifiable information was lost or disclosed? Was disclosed, according to their description. Ms. Tavenner, others will ask additional questions. But your opening statement said none had been lost. How can we reconcile none has been lost with a sworn statement that some has been lost? I think what my statement said is there were no malicious attacks. Oh... oh, so if you just screw up and put the public's information out there, it's okay? Because it wasn't a malicious attack? No, sir. I don't think any time we put consumer information out there it's okay. But I... Okay, so my time has expired. And I want the Ranking Member to have full time. I want to make it clear that wordsmithing of "no malicious" was done versus "accidental", just as we discovered at the time of the launch, that if I went to the section above where the URL normally is, when that thing was launched, if I simply typed in a different number or a different state code, I could have looked at somebody else's record. That was part of what you guys had wrong on the day of the launch.
Is that you could simply go to somebody else's record by changing that long string at the top. Meaning no code. That wouldn't have been malicious, I guess, except if somebody were doing it to see what they would get, that would be a little bit malicious. So when you say no personally identifiable information was lost through malicious, what you're saying is you don't know how much was lost, you just believe that the definition of malicious wasn't met. Is that right? I actually... I think this relates to the personal incidents, and I do think that we want to cooperate with the GAO on that, and we're happy to review those. Thank you. Your desire to want to cooperate after we bring you here involuntarily for a hearing is most appreciated. But quite frankly, you should have cooperated with the GAO beforehand. Sir, I think I always like to cooperate with the GAO and the OIG, and we've had over 140 open audits under way. I think we have cooperated. I'd also like to say I came here voluntarily. Thank you.

Danny? Lacy. The distinguished gentleman from Missouri is now recognized for five minutes. Thank you. Thank you, Mr. Chairman. Thank the Ranking Member for yielding his time. Mr. Wilshusen, GAO found that healthcare.gov had security weaknesses when it was first launched, in part because of a lack of adequate oversight of security contractors. Is that right? We found that with respect to when it was first deployed... recognize that our audit occurred subsequent to the initial deployment. We found, based on review of the documents, that there were certain vulnerabilities in controls that had not been tested at that time, and that there were a few vulnerabilities that had been identified through testing, which the CMS had accepted in order to provide an authority to operate. Whose responsibilities were incumbent upon the contractor, correct? It... well, overall responsibility, it rests with the service... with the contractor? Or?
I believe... I think in some cases there may be incidents where we did identify weaknesses on systems operated by a contractor. But that was subsequent... Okay, okay. During the course of our audit, that doesn't necessarily pertain to prior to the deployment of the system. Sure. And the GAO report found that there was not a shared understanding of how security was implemented among all entities involved in the development and security testing of the website, is that correct? Yes, that's correct. What we found, too, is that in certain instances where CMS told us who was responsible, the contractor that was responsible for certain tests, such as assessing the security or implementing security on the firewall, when it went to that contractor, the contractor indicated it was not his responsibility, that it was another contractor, and that responsibility was not identified in that contract's statement of work. Yeah. But scenarios like this obviously increase the likelihood of security risks, is that correct? Yes, sir. And was there a specific CMS official or group that was responsible for overseeing the security testing of healthcare.gov? Is there a group? Well, overall, the CMS CIO and CISO, the chief information officer and chief information security officer, have overall responsibility for reviewing and assuring the security over this system. Now, for a project of this magnitude, shouldn't an agency official with a broad understanding of IT security testing oversee contractors? I would say yes. And was that the case here? I would say that, you know, the CIO, CISO would be the individuals that would have that responsibility overall. Okay. Who would the CMS official be that would have that kind of understanding of IT security? Was there a person in place? Yes. They had the CMS CISO. In addition, there are several individuals that were responsible for aspects related to security over healthcare.gov.
There is also an information system security officer that has responsibility for assuring that security controls are properly met. You know, the issues with IT security management did not start with healthcare.gov. As a matter of fact, this is a broader government problem that needs to be addressed. Don't you think? GAO has been reporting information security and federal information security as a government-wide high risk area since 1997. So sadly, yes, it's a broad government issue. There have been weaknesses. As an example, for fiscal year 2013, 18 out of the 24 major federal agencies covered by the Chief Financial Officers Act reported either a material weakness or significant deficiency in their information security controls for financial reporting purposes. 24 out of the 24 IGs... that's 21 out of the 24 agencies cited information security as a major management challenge. So it would be fair to say that all internet-facing systems, both in the federal government and the private sector, involve some risk, is that correct? Given the nature of the internet and the capabilities and prevalence of hackers who might try to exploit vulnerabilities, yes, the answer is there is risk in conducting online transactions. Thank you for your responses. Mr. Chairman, I yield back.

I thank the gentleman. We go to the gentleman from Florida for five minutes. Thank you, Mr. Chairman. I have a copy of your report dated September 2014. In that, you in fact state... GAO found... first of all, I think you found that testing was not complete, and that the whole program was rolled out with weaknesses in security and protection of privacy. Would that be an accurate statement? Okay. I also see that you say GAO strongly asserts that testing of the website still remains insecure, is that correct? I would say that the testing of healthcare.gov and supporting systems has not been comprehensive. Even to date, we have risks, is that correct? Today we have risks.
Security ri