Says CMS memo on security vulnerabilities should have been brought to his attention before launch
WASHINGTON – Henry Chao, the Deputy Chief Information Officer and Deputy Director of the Office of Information Services at the Centers for Medicare and Medicaid Services (CMS), testified during a November 1 transcribed interview with Committee investigators that he was surprised he was never made aware of a September 3, 2013, memo outlining serious security vulnerabilities present in the Federally Facilitated Marketplace (the “exchange”). Chao, CMS’s top operational official for the Federal exchange, testified he found it “disturbing” that he had been excluded from a memo about significant problems with security.
The September 3, 2013, memo that Chao testified he had previously never seen was authored by CMS Chief Information Officer Tony Trenkle. The memo noted six security problems, two of which were described as “open high findings.”
Chao initially expressed disbelief when first shown the memo during his transcribed interview. In reviewing the memo, Chao agreed that one finding “presented a significant risk to the system,” and said he did not know whether it had been corrected. In the following exchanges, Chao expressed surprise that CMS’s Chief Information Security Officer (CISO) had him recommend the site’s launch to Director Tavenner without making him aware of this information:
Q- Do you find it surprising that you haven’t seen this before?
A- Yeah. I probably should have been copied on it [9/3 memo].
Q- Because, I mean, it appears that this is the results of MITRE’s security test of the system.
A- Well, why I’m surprised is that the CISO had me do this, file this process [September 27 memo to Tavenner], but don’t copy me on the ATO letter. I mean, wouldn’t you be surprised if you were me?
Q- Who is the Chief Information Officer and Director of the Office of Information Services?
A- Tony Trenkle.
Q- Are you surprised that this memo is from him and it appears to be about major issues involved with the Affordable Care Act implementation as it deals with www.healthcare.gov –
Q- that you didn’t see this memo until we handed it to you today?
Q- The memo stated, again, that, “From a security perspective, the aspects of the system that were not tested due to the ongoing development exposed a high level of uncertainty that can be deemed as a high risk for FFM. Although throughout the three rounds of SCA testing all the security controls have been tested on different versions of the system, the security contractor has not been able to test all the security controls in one complete version of the system.”
Should you have known the issues identified in the September 3rd memo before you put your name on the September 27th memo to Ms. Tavenner?
A- I would think so.
Q- How do you feel about being unaware of these issues prior to putting your name on that memo on September 27th?
A- I’m surprised. And I probably with that knowledge, I would have at least acknowledged what those findings were in this risk assessment.
Chao also told investigators that the process for approving HealthCare.gov had been unusual, and he acknowledged that lines of communication about security issues prior to launch may not have been working properly:
Q- But you take the security of the FFM very seriously, right?
Q- And you were being excluded from finding out about significant problems with security.
A- It is disturbing. I mean, I don’t deny that this is, kind of, a fairly nonstandard way to document a decision to make a recommendation to proceed in ATO. I have not ever since I began CTO of CMS in 2007, in late 2007, and I was part of the process for, you know, 3 years to sign off on these. This kind of format I have never seen before, so, I mean but I follow what I
Q- So you were presented with the outline of that memo and asked to put your name on it without knowing the full scope of issues underlying the memo?
A- To the best of my knowledge at that point in time, this came pretty close to what I understood, that security testing had occurred, not in one environment but all controls were covered across three tests, and that there were no high findings. That’s my understanding at that time.
Q- As of what dates were you of the belief that there were no high findings?
A- Let’s see, very what’s the date on this?
Q- The memo is the 27th.
A- Yeah, it was not the 27th. I have to double check my calendar, but it was when I was waiting for the security team, the testing team, to be finished at CGI in Herndon. I was actually onsite. And it was a Friday in early September, I think. But I have to check my calendar to see.
Because, you know, I was interested. I’m like, okay, guys, did we pass or, you know, do we have any problems? And the report out from Darrin Lyles and Tom Shankweiler, who is another ISSO that works on this project, said we had no high findings.
Q- Does this suggest that the lines of communication within the organization were not working properly?
A- It’s a good possibility.
Chao co-authored a memo to CMS Director Marilyn Tavenner recommending that she issue an Authority to Operate (ATO) for HealthCare.gov, which was approved on September 27, 2013, just days before launch. Chao’s lack of knowledge about the September 3, 2013, memo on security concerns raises new questions about threats to the personal information of HealthCare.gov users that were not fully addressed in the rush to meet the October 1 launch date. Henry Chao is scheduled to publicly testify Wednesday at an Oversight Committee hearing.
Documents and testimony from Chao’s transcribed interview have been redacted to protect information about particular security vulnerabilities of HealthCare.gov.
Click here for the September 3 memo from Tony Trenkle.
Click here for a September 17 memo noting two high findings.
Click here for the September 27 memo authorizing the operation of Healthcare.gov.
Click here for Henry Chao’s testimony about security vulnerabilities.