Healthcare.gov hearing reveals limits of DHS authority in federal cybersecurity
U.S. lawmakers today grilled the senior cybersecurity official from the Department of Homeland Security about the potential vulnerabilities in the federal healthcare.gov website, exposing a major disconnect between the lead agency responsible for securing the dot-gov domain and the agencies that approve and manage those websites.
Rep. Michael McCaul, R-Texas, chairman of the House Homeland Security Committee, said he was “stunned” to learn DHS had practically no input into the architecture, design or security of healthcare.gov — arguably the most significant federal website of the last decade.
“DHS has not participated in any meaningful way in developing, monitoring or ensuring the security of healthcare.gov, the health exchanges or the federal services data hub,” McCaul said. “The only contact between DHS and [Centers for Medicare and Medicaid Services] consisted of two emails and one phone call. CMS never asked DHS for advice, technical assistance or even a threat briefing.”
Roberta Stempfley, acting assistant secretary for cybersecurity and communications at DHS, was unable to answer the vast majority of the questions lawmakers posed to her. That led some members to openly express frustration, both about the lack of coordination between DHS and the Department of Health and Human Services and about Stempfley’s inability to answer specific questions about healthcare.gov.
At one point during the questioning, Rep. Candice Miller, R-Mich., threw her hands up in frustration.
“Apparently, we’re not going to get any answers out of these witnesses,” she said, referring to Stempfley and Soraya Correa, associate director of the Enterprise Services Directorate at DHS’ U.S. Citizenship and Immigration Services, which is responsible for ensuring those who apply for insurance through healthcare.gov are legally eligible.
According to Stempfley, HHS recently signed a Memorandum of Understanding with DHS to deploy the DHS intrusion-detection system known as Einstein. Although DHS deployed the latest version, Einstein 3, in July, statutory and regulatory delays have kept HHS from moving beyond Einstein 1, Stempfley said.
In addition, Stempfley told the committee that HHS has agreed to be an early adopter of DHS’ Continuous Diagnostics and Mitigation (CDM) program. According to Stempfley, the department plans to issue its first task order under the CDM contract this week. DHS awarded the $6 billion contract in August to 17 cybersecurity firms.
But many lawmakers were frustrated that the senior cybersecurity official at DHS, the agency responsible for coordinating security across all civilian federal agencies, could not say specifically how concerned Americans should be about the security and privacy of their most sensitive personal information.
“I am personally not familiar with the architecture of healthcare.gov,” Stempfley said in answering a series of technical questions from the committee.
In her own defense, Stempfley argued DHS lacks specific statutory authority to do more than provide high-level recommendations to agencies.
“DHS is responsible for a large breadth of cybersecurity activities, yet lacks explicit statutory authority to perform these duties,” Stempfley said. “This often hinders the department’s ability to fulfill its mission.”
According to Stempfley, the administration has requested legislation to clarify DHS’ authority to deploy Einstein across all federal civilian networks.
“While DHS leads the national effort to secure federal civilian networks, agency heads are responsible for providing information security protections,” Stempfley said. She added that agency heads have the flexibility and authority to delegate those responsibilities to the agency’s chief information officer, who is usually the official responsible for agency compliance under the Federal Information Security Management Act (FISMA).
HHS reported 4,175 security incidents in its 2012 FISMA compliance report to Congress, and was given a security compliance score of 50 percent — the second lowest score in all of government.
When lawmakers asked whether Stempfley, as assistant secretary for cybersecurity and communications at DHS, could intervene in IT projects over security concerns, she said statutory limitations prevent her from stopping or delaying, on security grounds, any one of the 10,648 applications reported by DHS in its FISMA report.