Today, Rep. Elijah E. Cummings, Ranking Member of the House Committee on Oversight and Government Reform, issued a statement regarding an ABC News report that relied on partial leaks from Committee Chairman Darrell Issa of selective transcript excerpts of an interview with Teresa Fryer, the Chief Information Security Officer at the Centers for Medicare and Medicaid Services (CMS). Although Chairman Issa leaked portions indicating that Ms. Fryer recommended against issuing an Authority to Operate (ATO) for the Healthcare.gov website on September 20, key details from her transcript were omitted, including Ms. Fryer’s explanation that strong mitigation measures were put in place by September 27, that she viewed these measures as “best practices above and beyond what is usually recommended,” and that there have been no security breaches of the website.
“Chairman Issa’s reckless pattern of leaking partial and misleading information is now legendary for omitting key information that directly contradicts his political narrative,” said Cummings. “In this case, the very same witness interviewed by the Committee also said there have been absolutely no security breaches of the website and that she is satisfied with the current security testing. This effort to leak cherry-picked information is part of a deliberate campaign to scare the American people and deny them the quality affordable health insurance to which they are entitled under the law.”
The Facts Chairman Issa Omitted:
· Ms. Fryer stated on multiple occasions during her interview with the Committee that there have been “no successful breaches” of the Healthcare.gov website:
“All systems are susceptible to attacks. There have been no successful attempts of any of these types of attacks.”
When pressed further by Chairman Issa directly, Ms. Fryer responded again: “There have been no successful – no successful breaches, security incidents.”
· Ms. Fryer stated repeatedly that the systems “exceed” the standards set by the National Institute of Standards and Technology (NIST) pursuant to the Federal Information Security Management Act (FISMA):
Q: Are there any other ways in which the Federally Facilitated Marketplace or data hub exceed what FISMA requires?
A: Just the, as I stated earlier, the added protections that we have put into place in accordance with the risk decision memo. So there are best practices above and beyond what is usually recommended that we have put into place because the marketplace is such a complex and obviously highly visible system.
· Ms. Fryer confirmed that, based on her experience, some of these mitigation strategies are “beyond best practices”:
Q: So to sum up, the security team is in place, the continuous monitoring and weekly testing of border devices is in place, the daily, weekly scans are being done and those are all consistent with IT best practices?
A: Yes.
Q: And then on top of the other mitigation efforts, there is a whole new SCA that is currently being conducted 3 months after the first testing. Is that correct?
A: Yes.
Q: So, what I hear from you is that the mitigation strategies are being implemented in accordance with best practices, in some cases beyond best practices, and in accordance with the 9/27 ATO, correct?
A: Yes.
· Ms. Fryer described “three layers” of security protecting the marketplace from bad actors:
Q: And does CMS have a security framework in place to quickly catch bad actors as they try to penetrate the agency’s IT systems?
A: Yes, so we have several layers of protection. We have continuous monitoring tools, and there are several layers of protection. The marketplace security team has processes and procedures in place, as well as my group, the Enterprise Information Security Group, has also tools and processes in place.
Q: So layers, you said three layers of security?
A: There are three layers. There’s the actual application security layer, then there is the marketplace security that’s the day-to-day activities, and then there is my group, who is the enterprise-wide security that’s in place as well.
Q: And any one of these layers could potentially detect a bad actor if they were attempting to breach the system?
A: Yes.
· Ms. Fryer stated that she recommended not approving the ATO on September 20, but at the time she was not taking into account the mitigation strategies later set forth in the ATO on September 27, including the establishment of a dedicated security team, weekly testing of all border devices, and daily security scans using CMS’ continuous monitoring tools:
Q: So your recommendation was based solely on the findings from the SCA, not in light of the mitigation strategy in the 9/27 memo?
A: Yes.
· Ms. Fryer stated that she is “satisfied” with current security testing, which is being conducted in accordance with the ATO issued on September 27, 2013. The ATO required that CMS “conduct a full SCA test on FFM (E&E, FM, and PM) in a stable environment where all security controls can be tested.”
· Ms. Fryer explained that it is “very common for systems to go into operation with low and moderate findings” as was done in the marketplace. She also confirmed that Mitre closed all of its “high risk” findings during the testing period.
· Ms. Fryer stated that she did not object to the recommendation of Tony Trenkle, the CMS Chief Information Officer (CIO), to move forward with the ATO on September 27:
Q: So when Tony Trenkle indicated to you that he planned to proceed with the authority to operate this 9/27 memo and get authorization from Administrator Tavenner, did you object to his decision?
A: No, I did not. That was his decision, to move forward with this plan.
Q: So you didn’t tell him he was doing the wrong thing?
A: No.
· Ms. Fryer stated that Mr. Trenkle, in his capacity as CIO, had a broader perspective and, under NIST, was charged with balancing the mission of the agency and the business functions of the system.
Q: When reviewing the systems and making the evaluation about whether to authorize the authority to operate, the CIO has a broader perspective than you do; is that accurate?
A: Yes.
Q: And do you know what other information feeds into the CIO’s decision?
A: Other risks, such as enterprise-wide security risks. An authorizing official looks at the other risks, as, like I testified earlier, in NIST they take into account the mission of the agency, the business functions of the system, what the system is intended to do. So they have to look at and balance those various types of risks.
Q: Because fundamentally NIST is a balancing test of risk that’s always inherent in every system and the need for the system to function?
A: Yes. That’s why they call it a risk-based decision for an authority to operate.
· Ms. Fryer recalled several other instances during the two years since she has been at CMS when her recommendations on unrelated ATOs were not accepted.
· During his own transcribed interview with Committee staff, Mr. Trenkle—who has decades of experience with IT systems and was not a political appointee—stated that the mitigation strategy addressed the risks outlined in the ATO on September 27:
Q: So as long as the mitigation strategy described in the memo was carried out, you considered that it was, it would be sufficient to mitigate the risks described in the memo?
A: Yes.
· In fact, just yesterday, Darrin Lyles, an Information Systems Security Officer at CMS, stated during his own transcribed interview with Committee staff that there are no open high findings.