3 takeaways from HealthCare.gov cyber hearing

Friday - 1/17/2014, 3:22pm EST

The House Oversight and Government Reform Committee continues to bang the cyber drum over how secure HealthCare.gov is. It held yet another hearing about the site's development, the security measures and testing the Centers for Medicaid and Medicare Services performed before the launch, and what the agency continues to do today.

Here are my three takeaways from the hearing:

  1. Frank Baitman, the chief information officer for the Department of Health and Human Services, finally explained to members of Congress how the authority to operate (ATO) actually works. Baitman, Federal CIO Steve VanRoekel, federal chief technology officer Todd Park, and deputy CIO at CMS Henry Chao dropped the ball back in November at the committee's first hearing. But earlier this week, Baitman responded to a question from Rep. James Lankford (R-Okla.) about who's responsible for the ATO by fully explaining the process.

    "As I understand it, the HealthCare.gov project was built across various parts of CMS, some of which were not under [former CMS CIO] Mr. [Tony] Trenkle leadership," he said. "They also had a CMS official who was responsible for all operational security for HealthCare.gov and that person was on the ground and obviously more closely focused on it. Ultimately, I thought it was appropriate that Ms. [Marilyn] Tavenner as the administrator for CMS, be the individual who accepted risk on behalf of CMS because the project was large and being done across all parts of CMS."

    The agency CIO or CISO should have nothing to do with approving the ATO, which lawmakers continually fail to grasp and federal officials do not take the time to explain. It's the system owner's responsibility to accept the risk. That is exactly what Tavenner did — agree or disagree with the decision, it was hers to make.

  2. CMS and the White House got the message about how best to secure the Affordable Care Act portal. Teresa Fryer, the CMS CISO, said that as of Dec. 18 the portal had passed all testing requirements, which go above and beyond industry best practices. Responding to a question from Rep. Darrell Issa (R-Calif.), chairman of the Oversight and Government Reform Committee, Fryer said the agency completed end-to-end cyber testing of the system and is confident that it meets, and in many cases exceeds, best practices. Fryer said an independent third party will continue to test the cyber robustness of the site at least every quarter.

  3. HealthCare.gov problems continue to build momentum for IT and acquisition reforms. Congress failed to pass the Federal IT Acquisition Reform Act (FITARA) last session, but a growing number of members seem poised to take another run at it. Issa and Rep. Gerry Connolly (D-Va.), the co-authors of the bill, are expected to continue their push, but at the hearing earlier this week Rep. Jackie Speier (D-Calif.) asked all three witnesses whether FITARA would have helped in the development of the portal. While all three deferred answering the question, Issa put a finer point on the inquiry, asking whether giving CIOs more authority over the budget would help. Baitman said he thought you'd get greater accountability when you have one person who is clearly in charge. Fryer agreed with Baitman's observation. Kevin Charest, the HHS CISO, said that along with greater accountability, agencies could more easily increase efficiencies and reduce costs.

    The White House is expected to address federal IT and procurement reforms in the coming weeks, possibly during President Barack Obama's State of the Union Address in two weeks.

    Sounds like there's a groundswell occurring for FITARA or other reforms.

This story is part of Jason Miller's Inside the Reporter's Notebook feature.