Official who recommended against launch testifies high security vulnerabilities endangering user info remain an issue after launch
WASHINGTON – “High findings,” the highest level of identified security vulnerabilities, are still being found in HealthCare.gov, according to the top security expert at the Centers for Medicare and Medicaid Services (CMS). Teresa Fryer, the Chief Information Security Officer at CMS, told the House Oversight and Government Reform Committee during a transcribed interview that, even after a launch she refused to support, her agency continues to find security problems that threaten the privacy of user information, contradicting administration officials’ statements that the site has been continually secure.
From Fryer’s transcribed interview from 12/17:
Q So since December 10th, have you had the daily out briefs with MITRE?
Q Have you been on the calls?
A Not today. And not I’m trying to remember, not yesterday, but I was since December 10th.
Q So what issues have they discovered with this round of security testing?
A I can’t in detail give you — there were two high findings. I can’t give you in detail what the two high findings were, but they are in they are being remediated.
Q So you say you can’t give us detail because you don’t recall the details?
A Yes, I one was just recently discovered, and the other one I can’t I don’t recall the exact details of the finding.
Q Just to be clear, these are two new high findings that were not previously identified by MITRE or anybody else?
A One high finding was identified in an incident that was reported in November.
Q Oh, I see. And the second high finding was just discovered yesterday?
A Yes, it was yesterday or what is today Tuesday.
Q Do you know if these were these high findings, do you know how long they were in existence in the system?
A No, I don’t know.
Q So it’s possible they have been in the system since October 1st?
A Again, I can’t speculate. If they would have been discovered in the first again, I can’t say.
Q Would they have been within were they within the scope of the security testing in the August September time frame? Do you know?
A I can’t recall if it was a piece that was in scope of the first testing.
Q Do you know how these high findings are being remediated?
A No, I don’t. In detail I don’t know how they are.
Underscoring the significance of “high findings,” Henry Chao, the Deputy Chief Information Officer at CMS and the day-to-day manager of the Exchange’s development, repeatedly told Congress that the absence of specific “high findings” in the security tests as of October 1, 2013, was a critical condition for site launch. On October 31, 2013, White House Press Secretary Jay Carney stated that “when consumers fill out their online marketplace applications, they can trust that the information they’re providing is protected by stringent security standards and that the technology underlying the application process has been tested and is secure.”
Fryer, citing high-risk security concerns, recommended against the October 1, 2013, launch of HealthCare.gov due to security test results that administration officials have furiously fought to keep out of public view. Fryer told Committee staff that she recommended “a denial of an [Authority to Operate] ATO” for HealthCare.gov to the top IT officials at CMS and the Department of Health and Human Services (HHS) days before the website launched. Fryer made the recommendation on September 20, 2013, “during the security testing when the issues were coming up about the availability of the system, about the testing in different environments.” Asked by Committee investigators, “Did you make it clear that you were not agreeing with the decision to for the ATO when you signed this document [an acknowledgement of risk that noted a mitigation plan on September 27]?,” Fryer responded affirmatively.
On September 23, CMS officials met to brief CMS Chief Operating Officer Michelle Snyder on website security, but Fryer, the top information security expert at CMS, was not present at the meeting and was only asked to prepare one of the slides presented to Snyder – it noted two “high” risks and outlined problems with security testing.
From Fryer’s transcribed interview:
Q So this recommendation in slide 5, “Follow the mitigation plan and issue an interim ATO,” do you know whose recommendation that is?
A No, I don’t.
Q Is that your recommendation?
A No, it’s not.
Q Would it have been your recommendation?
Q What would your recommendation have been?
A My recommendation was a denial of an ATO.
Q Who did you make that recommendation to?
A To my management. To the authorizing official.
Q Which is who?
A Tony Trenkle.
Q And did you do that in person?
A Yes, and it was during the security testing when the issues were coming up about the availability of the system, about the testing in different environments. I had discussions with him on this and told him that my evaluation of this was a high risk.
Q And did those discussions occur – was it just the two of you when you gave him that recommendation?
A In the beginning, yes, and then we also briefed HHS.
Q Who at HHS?
A Frank Baitman and Kevin Charest.
Q What was Mr. Baitman and Mr. Charest, what was their reaction to the concerns and recommendations that you presented on the call?
A They were aware of the issues that were occurring during testing. Kevin Charest had asked that I keep him updated on the progress of the SCA.
Q Do you know how they became aware of the issues identified during the testing?
A I mean, I gave briefing – I gave updates to Kevin either orally or I had communicated in emails.
Tony Trenkle was the Chief Information Officer at CMS – he reported directly to CMS COO Michelle Snyder and testified that he relied on Fryer’s input; Frank Baitman was the HHS Chief Information Officer; and Kevin Charest the HHS Chief Information Security Officer. Chao was also briefed by Fryer.
On September 27, CMS Administrator Marilynn Tavenner signed the ATO authorizing HealthCare.gov to launch despite the fact that CMS failed to conduct complete security testing. The ATO stated, “Due to system readiness issues, the SCA was only partly completed. This constitutes a risk that must be accepted and mitigated to support the Marketplace Day 1 operations.” Fryer confirmed that she was originally asked to sign the authorization for launching the site but, after she refused to do so, she was eventually asked and agreed to sign a document acknowledging the level of risk that did not indicate whether or not she agreed with the decision to launch.
An email between contractors at Deloitte and Blue Canopy, groups brought in to conduct post-launch security tests, corroborates the concerns Fryer voiced before the website went live.
“It is my understanding that the politics around this SCA probably need [sic] some careful consideration,” a Deloitte contractor wrote to Blue Canopy security experts on October 15, 2013. “Within CMS, there is a confidence issue with the security of the ACA . . . . some of the issues were documented in the MITRE report and then the CISCO wouldn’t endorse the ATO, then the CIO would not either, so the CMS Administrator gave an conditional ATO w/ the caveat of an end-to-end ACA test before the end of the year.”
When asked about the ATO on November 6, 2013, HHS Secretary Kathleen Sebelius told Congress, “[A] short term, temporary authority to operate was done specifically because [Tavenner] had advice from her senior I.T. and operations team as well as the contractors.” She also stated, “We discussed security as part of the overall operations on a regular basis with the operations team, but no one, I would say, suggested that the risks outweighed the importance of moving forward.”
CMS Security Contractor MITRE defines a “high risk” finding as: “Exploitation of the technical or procedural vulnerability will cause substantial harm to CMS business processes. Significant political, financial, and legal damage is likely to result.”
Click here for Fryer’s key testimony on new “high findings.”
Click here for Fryer’s key testimony on recommending denial of the Authority to Operate.
Click here for the September 23rd slide prepared by Fryer for the pre-launch Security Briefing.
Click here for the October 15 email between Deloitte and Blue Canopy contractors.