3 takeaways from HealthCare.gov cyber hearing
Friday - 1/17/2014, 3:22pm EST
Here are my three takeaways from the hearing:
- Frank Baitman, the chief information officer for the Department of
Health and Human Services, finally explained to members of Congress how the
authority to operate (ATO) actually works. Baitman, Federal CIO Steve
VanRoekel, federal chief technology officer Todd Park, and deputy CIO
at CMS Henry Chao dropped the ball
back in November at the committee's first hearing. But earlier this week, Baitman
responded to a question from Rep. James Lankford (R-Okla.) about who's
responsible for the ATO by fully explaining the process.
"As I understand it, the HealthCare.gov project was built across various parts of CMS, some of which were not under [former CMS CIO] Mr. [Tony] Trenkle's leadership," he said. "They also had a CMS official who was responsible for all operational security for HealthCare.gov, and that person was on the ground and obviously more closely focused on it. Ultimately, I thought it was appropriate that Ms. [Marilyn] Tavenner, as the administrator for CMS, be the individual who accepted risk on behalf of CMS because the project was large and being done across all parts of CMS."
The agency CIO or CISO should have nothing to do with approving the ATO, which lawmakers continually fail to grasp and federal officials do not take the time to explain. It's the system owner's responsibility to accept the risk. That is exactly what Tavenner did — agree or disagree with the decision, it was hers to make.
- CMS and the White House got the message about how best to secure the
Affordable Care Act portal. Teresa Fryer, the CMS CISO, said as of Dec. 18 the
portal passed all testing requirements, which go above and beyond industry best
practices. In response to a question from Rep. Darrell Issa (R-Calif.),
chairman of the Oversight and Government Reform Committee, Fryer said the agency
completed end-to-end cyber testing of the system and is confident that it meets
and, in many cases, exceeds best practices. Fryer said an independent third party
will continue to test the cyber robustness of the portal at least every quarter.
- HealthCare.gov problems continue to build momentum for IT and acquisition
reforms. Congress failed to pass the Federal IT Acquisition Reform Act (FITARA)
last session, but a growing number of members seem poised to take another run at
it. Issa and Rep. Gerry Connolly (D-Va.), the co-authors of the bill, are
expected to continue their push, but at the hearing earlier this week Rep. Jackie
Speier (D-Calif.) asked all three witnesses if FITARA would have helped in the
development of the portal. While all three deferred answering the question, Issa
put a finer point on the inquiry asking if giving CIOs more authority over the
budget would help. Baitman said he thought you'd get greater accountability when
you have one person who is clearly in charge. Fryer agreed with Baitman's
observation. Kevin Charest, the HHS CISO, said along with greater
accountability, agencies could more easily increase efficiencies and reduce costs.
The White House is expected to address federal IT and procurement reforms in the coming weeks, possibly during President Barack Obama's State of the Union Address in two weeks.
Sounds like there's a groundswell occurring for FITARA or other reforms.