During her testimony Wednesday before the House Energy and Commerce Committee, Secretary of Health and Human Services Kathleen Sebelius said that healthcare.gov is operating under a “temporary” order certifying that it met stringent security standards even as testing continues.
But that would appear to contradict guidance issued by the White House Office of Management and Budget last year by none other than Jeff Zients -- the former acting director of OMB, who more recently was brought in to oversee the “tech surge” to fix problems facing Obamacare's implementation.
In a Sept. 27, 2012, memo addressed to the heads of executive departments and agencies, Zients said that OMB did not recognize “interim” authorizations.
The issue at hand revolves around a document known as an “Authority to Operate,” which is a provision of a 2002 law named the Federal Information Security Management Act.
Essentially, by signing an authority to operate, an official at the entity overseeing the development of a government web system certifies that supporting documentation has been reviewed and the system has been thoroughly tested to prove it is secure.
In the case of healthcare.gov -- the federal website that is supposed to allow Americans in 36 states to access insurance through President Obama's health care law -- the overseeing entity is the Centers for Medicare and Medicaid Services.
During Sebelius's testimony, Rep. Mike Rogers, R-Mich., read from a memo addressed to CMS administrator Marilyn Tavenner in which CMS officials involved in healthcare.gov's implementation warned days before the planned Oct. 1 launch that, “from a security perspective, the aspects of the system that were not tested due to the ongoing development, exposed a level of uncertainty that can be deemed as high risk” for the federal health insurance exchange.
Ultimately, the letter recommended that Tavenner issue an Authority to Operate for six months while security testing continued on the site, which she approved.
“This is a temporary Authority to Operate,” Sebelius said as she examined the document during the hearing.
She went on to say that it “discusses mitigation strategies for security that are ongoing and upgraded and an authorization to operate on a permanent basis will not be signed until these mitigation strategies are satisfied. It is under way right now, but daily and weekly monitoring and testing is underway.”
Yet Sebelius’s matter-of-fact description of the temporary authorization is a lot different from the 2012 memo from Zients on federal cyber-security.
Page 11 of the Zients memo includes the following section:
Does OMB recognize interim authority to operate for security authorizations?
No. The security authorization process has been required for many years, and it is important to measure the implementation of this process to improve consistency and quality government-wide. Introducing additional inconsistency to the government's security program would be counter to FISMA's goals.
On Tuesday, CNN reported that until it was fixed last week -- weeks after the site was live -- a security hole allowed any user to “easily reset your healthcare.gov password without your knowledge and potentially hijack your account.”
CMS did not respond to an email seeking comment on the Authority to Operate issue.
On a Wednesday afternoon conference call, CMS spokeswoman Julie Bataille insisted that the system was secure.
“Security testing happens on an ongoing basis,” Bataille said. “We used industry best practices to make sure that we continue that process. I want to assure you that when consumers fill out their online marketplace applications, they can trust that the information they are providing is protected by stringent security standards and the technology underlying the application process has been tested and is secure. As I’ve said, that testing happens on an ongoing basis.”
UPDATE: HHS has now responded, but the response does not address the issue of whether the issuance of a temporary authorization violated official OMB guidance issued by Zients.
In an emailed statement, HHS spokeswoman Joanne Peters repeated nearly verbatim the response from CMS spokeswoman Bataille from earlier in the day. Peters said, “When consumers fill out their online Marketplace applications, they can trust that the information they’re providing is protected by stringent security standards and that the technology underlying the application process has been tested and is secure. Security testing happens on an ongoing basis using industry best practices.”
An HHS official added that security control assessments of the enrollment and eligibility functions of the information data hub and exchange have been done, that security testing is done as functionality is added, and that the memo approved by Tavenner, “gave temporary authority to operate for six months and listed a number of strategies to mitigate risks including regular testing.”
HHS also passed along an exchange that Sebelius had with Rep. G.K. Butterfield, D-N.C., in which Sebelius testified that security firm Mitre Corp. “did an assessment of the system, gave us a preliminary report (they are in the process of posting their final report) that did not raise flags about going ahead, and the mitigation strategy was put in place to make sure that we had a temporary authority to operate in place while the mitigation was going on, and then a permanent authority to operate will be signed.”
This story was first published at 6:26 p.m.