[Joint House and Senate Hearing, 114 Congress]
[From the U.S. Government Publishing Office]


  EXAMINING ON-GOING CHALLENGES AT THE U.S. SECRET SERVICE AND THEIR 
                      GOVERNMENT-WIDE IMPLICATIONS

=======================================================================

                             JOINT HEARING

                               BEFORE THE

                       SUBCOMMITTEE ON OVERSIGHT
                       AND MANAGEMENT EFFICIENCY

                                 OF THE

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                               AND THE

                   SUBCOMMITTEE ON REGULATORY AFFAIRS
                         AND FEDERAL MANAGEMENT

                                 OF THE

                     COMMITTEE ON HOMELAND SECURITY
                        AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           NOVEMBER 17, 2015

                               __________

                           Serial No. 114-43

                               __________

       Printed for the use of the Committee on Homeland Security
                                     

                                     
      Available via the World Wide Web: http://www.gpo.gov/fdsys/

                               __________


                        U.S. GOVERNMENT PUBLISHING OFFICE
99-749 PDF                      WASHINGTON : 2016                        
                  

                 
                
                  
                  
                  HOUSE COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Loretta Sanchez, California
Mike Rogers, Alabama                 Sheila Jackson Lee, Texas
Candice S. Miller, Michigan, Vice    James R. Langevin, Rhode Island
    Chair                            Brian Higgins, New York
Jeff Duncan, South Carolina          Cedric L. Richmond, Louisiana
Tom Marino, Pennsylvania             William R. Keating, Massachusetts
Lou Barletta, Pennsylvania           Donald M. Payne, Jr., New Jersey
Scott Perry, Pennsylvania            Filemon Vela, Texas
Curt Clawson, Florida                Bonnie Watson Coleman, New Jersey
John Katko, New York                 Kathleen M. Rice, New York
Will Hurd, Texas                     Norma J. Torres, California
Earl L. ``Buddy'' Carter, Georgia
Mark Walker, North Carolina
Barry Loudermilk, Georgia
Martha McSally, Arizona
John Ratcliffe, Texas
Daniel M. Donovan, Jr., New York
                   Brendan P. Shields, Staff Director
                    Joan V. O'Hara,  General Counsel
                    Michael S. Twinchek, Chief Clerk
                I. Lanier Avant, Minority Staff Director
                                 
                                 ------                                

          SUBCOMMITTEE ON OVERSIGHT AND MANAGEMENT EFFICIENCY

                  Scott Perry, Pennsylvania, Chairman
Jeff Duncan, South Carolina          Bonnie Watson Coleman, New Jersey
Curt Clawson, Florida                Cedric L. Richmond, Louisiana
Earl L. ``Buddy'' Carter, Georgia    Norma J. Torres, California
Barry Loudermilk, Georgia            Bennie G. Thompson, Mississippi 
Michael T. McCaul, Texas (ex             (ex officio)
    officio)
               Ryan Consaul, Subcommittee Staff Director
                    Dennis Terry, Subcommittee Clerk
         Cedric C. Haynes, Minority Subcommittee Staff Director
                 
                 SENATE COMMITTEE ON HOMELAND SECURITY 
                        AND GOVERNMENTAL AFFAIRS

                    Ron Johnson, Wisconsin, Chairman
John McCain, Arizona                 Thomas R. Carper, Delaware
Rob Portman, Ohio                    Claire McCaskill, Missouri
Rand Paul, Kentucky                  Jon Tester, Montana
James Lankford, Oklahoma             Tammy Baldwin, Wisconsin
Michael B. Enzi, Wyoming             Heidi Heitkamp, North Dakota
Kelly Ayotte, New Hampshire          Cory A. Booker, New Jersey
Joni Ernst, Iowa                     Gary C. Peters, Michigan
Ben Sasse, Nebraska

                    Keith B. Ashdown, Staff Director
              Gabrielle A. Batkin, Minority Staff Director
           John P. Kilvington, Minority Deputy Staff Director
                     Laura W. Kilbride, Chief Clerk
                   Benjamin C. Grazda, Hearing Clerk
                                 ------                                

       SUBCOMMITTEE ON REGULATORY AFFAIRS AND FEDERAL MANAGEMENT

                   James Lankford, Oklahoma, Chairman
John McCain, Arizona                 Heidi Heitkamp, North Dakota
Rob Portman, Ohio                    Jon Tester, Montana
Michael B. Enzi, Wyoming             Cory A. Booker, New Jersey
Joni Ernst, Iowa                     Gary C. Peters, Michigan
Ben Sasse, Nebraska
                     John Cuaderess, Staff Director
                  Eric Bursch, Minority Staff Director
                      Rachel Nitsche, Chief Clerk
                            
                            
                            C O N T E N T S

                              ----------                              

                               Statements

The Honorable Scott Perry, a Representative in Congress From the 
  State of Pennsylvania, and Chairman, Subcommittee on Oversight 
  and Management Efficiency, Committee on Homeland Security, U.S. 
  House of Representatives:
  Oral Statement
  Prepared Statement
The Honorable James Lankford, a U.S. Senator From the State of 
  Oklahoma, and Chairman, Subcommittee on Regulatory Affairs and 
  Federal Management, Committee on Homeland Security and 
  Governmental Affairs, U.S. Senate:
  Oral Statement
  Prepared Statement
The Honorable Bonnie Watson Coleman, a Representative in Congress 
  From the State of New Jersey, and Ranking Member, Subcommittee 
  on Oversight and Management Efficiency, Committee on Homeland 
  Security, U.S. House of Representatives:
  Oral Statement
  Prepared Statement
The Honorable Heidi Heitkamp, a U.S. Senator From the State of 
  North Dakota, and Ranking Member, Subcommittee on Regulatory 
  Affairs and Federal Management, Committee on Homeland Security 
  and Governmental Affairs, U.S. Senate
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security, U.S. House of Representatives

                               Witnesses

Mr. Joseph P. Clancy, Director, United States Secret Service, 
  U.S. Department of Homeland Security:
  Oral Statement
  Prepared Statement
Mr. John Roth, Inspector General, Office of Inspector General, 
  U.S. Department of Homeland Security:
  Oral Statement
  Prepared Statement
Mr. Joel C. Willemssen, Managing Director, Information Technology 
  Issues, U.S. Government Accountability Office:
  Oral Statement
  Prepared Statement

                                Appendix

Questions From Chairman Scott Perry for Joseph P. Clancy
Questions From Ranking Member Bennie G. Thompson for Joseph P. 
  Clancy
Questions From Chairman Ron Johnson for Joseph P. Clancy
Questions From Chairman James Lankford for Joseph P. Clancy
Questions From Chairman Scott Perry for John Roth
Questions From Ranking Member Bennie G. Thompson for John Roth
Questions From Chairman James Lankford for John Roth
Question From Chairman Ron Johnson for John Roth
Question From Chairman Scott Perry for Joel C. Willemssen
Questions From Ranking Member Bennie G. Thompson for Joel C. 
  Willemssen
Questions From Chairman James Lankford for Joel C. Willemssen

 
  EXAMINING ON-GOING CHALLENGES AT THE U.S. SECRET SERVICE AND THEIR 
                      GOVERNMENT-WIDE IMPLICATIONS

                              ----------                              


                       Tuesday, November 17, 2015

       U.S. House of Representatives,      
        Committee on Homeland Security,    
   Subcommittee on Oversight and Management
                            Efficiency, and
                               U.S. Senate,
   Committee on Homeland Security and Governmental 
                                           Affairs,
                     Subcommittee on Regulatory Affairs and
                                        Federal Management,
                                                    Washington, DC.
    The subcommittees met, pursuant to call, at 10:01 a.m., in 
Room 210, HVC, Hon. Scott Perry [Chairman of the House 
Committee on Homeland Security, Subcommittee on Oversight and 
Management Efficiency] presiding.
    Present from the Subcommittee on Oversight and Management 
Efficiency: Representatives Perry, Watson Coleman, Thompson, 
Duncan, Clawson, Torres, Carter, and Loudermilk.
    Present from the Subcommittee on Regulatory Affairs and 
Federal Management: Senators Lankford, Heitkamp, Johnson, and 
Peters.
    Mr. Perry. The House Committee on Homeland Security, 
Subcommittee on Oversight and Management Efficiency and the 
Senate Committee on Homeland Security and Governmental Affairs, 
Subcommittee on Regulatory Affairs and Federal Management will 
come to order.
    The purpose of this hearing is to examine failures at the 
U.S. Secret Service and their implications Government-wide.
    The Chair recognizes himself for an opening statement.
    In September, the DHS Office of Inspector General, the OIG, 
released a report on its 4-month-long investigation into 
improper access and distribution of information within the 
Secret Service. The findings were alarming.
    Wide-spread violations of the Privacy Act and an agency 
policy occurred by Secret Service employees who accessed and 
distributed information on a Member of Congress' past 
employment application and senior management did nothing 
immediately to stop it.
    Inspector General John Roth stated that the episode was 
deeply disturbing. In addition, Director Clancy announced he 
had a different account of what he initially told OIG. 
Investigators subsequently had to re-interview Director Clancy 
and issue an addendum to the report.
    This incident leaves numerous questions unanswered. How did 
this happen? Why did Secret Service leadership not act and why 
and how did Director Clancy change his account almost 
immediately after the IG's report was released? The American 
people deserve answers. DHS must hold all employees involved 
appropriately accountable.
    As disturbing as this incident is, it is only one example 
of other instances where Secret Service employees showed very 
poor judgment and leadership failed to act.
    Earlier this year, senior agents who may have been under 
the influence of alcohol compromised an area at the White House 
being investigated for a suspicious package. Director Clancy 
was, again, not immediately informed.
    Late last year, OIG also reported about a 2011 incident 
where agents were diverted to investigate an accident at the 
home of--correction--an incident at the home of the director's 
assistant, which appeared to be a misuse of agency resources 
and violation of the Federal Employee Code of Ethics.
    The findings in the IG's latest report are yet another 
example of damage to the American people's trust in the Secret 
Service. When scandal after scandal emerges and the management 
is ill-informed or fails to act, the American people have cause 
for great concern. We entrust the Secret Service with 
tremendous authorities and tools. When they abuse those 
authorities, they violate their contract with the American 
people.
    Because of the Service's recent failures, DHS Secretary Jeh 
Johnson convened a panel of experts late last year to recommend 
changes to improve the service. The panel made broad 
recommendations in December 2014 related to training and 
personnel, perimeter security, technology and operation, and 
leadership. The panel's report provided a broad road map to 
begin reforming the service. I expect Director Clancy to fully 
explain today what progress has been made in implementing the 
panel's recommendations.
    While Congress has a responsibility to conduct rigorous 
oversight of the latest incident, we must also understand what 
is being done to improve the overall management of the Secret 
Service.
    I am also concerned that similar abuses and shortcomings 
could occur in other Federal law enforcement agencies. It is 
important to understand what policies and safeguards, if any, 
are in place to prevent similar abuse regardless of whether it 
is as a Member of Congress or one of our constituents back 
home. If it happened at the Service, what is to say other 
Federal agencies are any better?
    Today's hearing must be about more than pointing fingers. 
The American people have high expectations, as they should, for 
the Secret Service and want the agency to be successful. Their 
mission is absolutely critical to our Nation's well-being and, 
as we saw from excellent work by Secret Service personnel 
during the papal visit, and United States--correction--United 
Nations General Assembly, the Service can succeed with proper 
focus and leadership.
    I look forward to hearing more from our witnesses on how 
the Secret Service can best overcome recent obstacles to 
improve the management and reform the culture of this critical 
agency.
    [The statement of Chairman Perry follows:]
                   Statement of Chairman Scott Perry
                           November 17, 2015
    In September, the DHS Office of Inspector General (OIG) released a 
report on its 4-month-long investigation into improper access and 
distribution of information within the Secret Service. The findings 
were alarming: Wide-spread violations of the Privacy Act and agency 
policy occurred by Secret Service employees who accessed and 
distributed information on a Member of Congress's past employment 
application and senior management did nothing immediately to stop it. 
Inspector General John Roth stated that the episode was ``deeply 
disturbing.'' In addition, Director Clancy announced he had a different 
account of what he initially told OIG. Investigators subsequently had 
to reinterview Director Clancy and issue an addendum to the report.
    This incident leaves numerous questions unanswered: How did this 
happen, why did Secret Service leadership not act, and why and how did 
Director Clancy change his account almost immediately after the IG's 
report is released? The American people deserve answers. DHS must hold 
all employees involved appropriately accountable. As disturbing as this 
incident is, it is only one example of other instances where Secret 
Service employees showed very poor judgment and leadership failed to 
act. Earlier this year, senior agents who may have been under the 
influence of alcohol, compromised an area at the White House being 
investigated for a suspicious package. Director Clancy was again not 
immediately informed. Late last year, OIG also reported about a 2011 
incident where agents were diverted to investigate an incident at the 
home of the director's assistant, which appeared to be a misuse of 
agency resources and violation of the Federal employee Code of Ethics.
    The findings in the IG's latest report are yet another example of 
damage to the American people's trust in the Secret Service. When 
scandal after scandal emerges and management is ill-informed or fails 
to act, the American people have cause for great concern. We entrust 
the Secret Service with tremendous authorities and tools. When they 
abuse those authorities, they violate their contract with the American 
people.
    Because of the Service's recent failures, DHS Secretary Jeh Johnson 
convened a panel of experts late last year to recommend changes to 
improve the Service. The panel made broad recommendations in December 
2014 related to training and personnel; perimeter security, technology, 
and operations; and leadership. The panel's report provided a broad 
road map to begin reforming the Service. I expect Director Clancy to 
fully explain today what progress has been made in implementing the 
panel's recommendations. While Congress has a responsibility to conduct 
rigorous oversight of the latest incident, we must also understand what 
is being done to improve the overall management of the Secret Service.
    I am also concerned that similar abuses and shortcomings could 
occur in other Federal law enforcement agencies. It's important to 
understand what policies and safeguards, if any, are in place to 
prevent similar abuse regardless of whether it's a Member of Congress 
or one of our constituents back home. If it happened at the Service, 
what's to say other Federal agencies are any better?
    Today's hearing must be about more than pointing fingers. The 
American people have high expectations for the Secret Service and want 
the agency to be successful. Their mission is absolutely critical to 
our Nation's well-being and as we saw from the excellent work by Secret 
Service personnel during the papal visit and United Nations General 
Assembly, the Service can succeed with the proper focus and leadership. 
I look forward to hearing more from our witnesses on how the Secret 
Service can best overcome recent obstacles to improve the management 
and reform the culture of this critical agency.

    Mr. Perry. The Chair now recognizes the Chairman of the 
Senate Committee on Homeland Security and Governmental Affairs, 
Subcommittee on Regulatory Affairs and Federal Management, the 
gentleman from Oklahoma, Mr. Lankford, for his statement.
    Senator Lankford. Chairman Perry, thank you very much. 
Thanks for holding this joint hearing with our subcommittee, as 
well.
    Good morning, everyone. I am trying to think of a more 
awkward situation than how we are currently seated here but I 
am sure there is a way through a separate room; we are so far 
away from each other on this panel setting. I do appreciate 
everyone here. Hopefully this will be an open dialogue as we 
walk through this process together.
    I do hope this also sheds some important light on the 
situation where we are at, not only with the Secret Service but 
Government-wide. At the outset, I would like to acknowledge the 
essential role that Secret Service fills and its incredible 
dedication to our country. We do appreciate very much the 
service the Secret Service brings to our Nation and what it has 
done historically and what it continues to do.
    However, recent history of high-profile and embarrassing 
scandals of the Secret Service and the latest DHS inspector 
general findings of wrongdoing can't be swept under the rug, as 
I know Secret Service is not doing.
    IG's investigation revealed unauthorized database searches 
of protected information began during a House Oversight and 
Government Reform hearing in March of this year. In the days 
that followed, many in the Secret Service continued to misuse 
their authority to access the sensitive employment history of 
Chairman Jason Chaffetz.
    The IG's report noted that 60 instances of unauthorized 
access to the database by 45 Secret Service employees had 
violated the Privacy Act--excuse me--as well as an internal and 
DHS policies. The report also noted that 18 senior Secret 
Service executives failed to stop the unauthorized access or to 
inform Director Clancy about the unauthorized accesses.
    In fairness, the report does reflect that one special agent 
instructed her subordinates to cease accessing the database. On 
its face, such wide-spread violations of our law and the 
public's trust are deeply disturbing. The IG did not question 
those involved if this was the only time they have 
inappropriately used the database.
    In the internet age, everyone is concerned about the 
possibility that personal information could be stolen or 
misused. Our elite law enforcement agencies are not above the 
law and those responsible must face appropriate consequences. 
But, to me, there is a much bigger issue.
    In these days, millions of Americans' personal data is 
stored across many Government agencies. The GAO report released 
earlier this year on the Government's Federal information 
security showed alarming findings. From 2009 to 2014, the 
number of information security incidents involving personally-
identifiable information reported by Federal agencies has more 
than doubled.
    GAO has stated that many agencies have largely failed to 
fully implement the hundreds of recommendations previously made 
to remedy security control vulnerabilities.
    These security weaknesses continue to exist and the 
protection of significant personal data of millions of 
Americans housed by the IRS, HHS, the VA, and other agencies.
    Just this month, the Social Security Administration's 
Office of the Inspector General released a report showing that 
the Social Security Administration paid monetary awards to 50 
employees who were previously discovered to have accessed 
personal information of others without authorization.
    Fifty Federal employees who accessed the personal 
information of others without authorization, yet, incredibly, 
in the end, they were rewarded despite breaking the law.
    In another troublesome example the Senate Homeland Security 
Committee received testimony this year that a whistleblower was 
retaliated against for shedding light on inadequate suicide 
prevention practices at a V.A. hospital. This whistleblower 
learned that V.A. employees illegally and improperly accessed 
his private medical records after he brought to light the 
shameful behavior occurring at the V.A. hospital where he 
serves.
    The question is now how do we fix this problem so that 
Americans believe that Government will protect their 
information and not use it for nefarious means? I am hopeful 
today we can take a step forward to address this issue, and 
would like to thank Director Clancy, Inspector General Roth, 
and Mr. Willemssen for their testimony today.
    I look forward to examining these challenges with each of 
you.
    [The statement of Chairman Lankford follows:]
                  Statement of Chairman James Lankford
                           November 17, 2015
    Good afternoon. I'd like to thank Chairman Perry for his 
willingness to hold this important joint hearing with our subcommittee. 
I'm hopeful that our efforts here today will shed light on how one of 
our top law enforcement agencies failed to protect sensitive personal 
information housed in internal databases.
    At the outset, it is important to acknowledge the essential 
security role that the Secret Service fills, and its on-going 
dedication to our country. However, the recent history of high-profile 
and embarrassing scandals at the Service and the latest DHS Inspector 
General findings of wrong-doing cannot be swept under the rug. The IG's 
investigation reveals that unauthorized database searches of protected 
information began during a House Oversight and Government Reform 
hearing in March of this year. In the days that followed, many at the 
Secret Service continued to misuse their authority to access the 
sensitive employment history of Chairman Jason Chaffetz. The IG's 
report noted 60 instances of unauthorized access to the database by 45 
Secret Service employees that violated the Privacy Act as well as 
internal and DHS policies.
    The report also noted that 18 senior Secret Service executives 
failed to stop the unauthorized access or inform Director Clancy about 
the unauthorized accesses. In fairness, the report does reflect that 
one Special Agent instructed her subordinates to cease accessing the 
database. On its face, such wide-spread violations of our law and the 
public's trust are deeply disturbing. The IG did not question those 
involved if this was the only time they have inappropriately used the 
database. In the internet age, everyone is concerned about the 
possibility that personal information could be stolen or misused.
    Our elite law enforcement agencies are not above the law and those 
responsible must face appropriate consequences. But to me, there is 
also a much bigger issue for us to examine. These days millions of 
Americans' personal data is stored not just on databases at the Secret 
Service, but across many Government agencies. A GAO report released 
earlier this year on the Government's Federal information security 
showed alarming findings. From 2009 to 2014 the number of information 
security incidents involving personally identifiable information 
reported by Federal agencies has more than doubled. GAO has stated that 
many agencies have largely failed to fully implement the hundreds of 
recommendations previously made to remedy security control 
vulnerabilities.
    These security weaknesses continue to exist in the protection of 
the significant personal data of millions of Americans housed by the 
IRS, HHS, the VA and other agencies. Just this month, the Social 
Security Administration's Office of the Inspector General released a 
report showing that the Social Security Administration paid monetary 
awards to 50 employees who were previously discovered to have accessed 
the personal information of others without authorization. Fifty Federal 
employees who accessed the personal information of others, without 
authorization and yet incredibly in the end they were rewarded despite 
breaking the law. In another troublesome example, the Senate Homeland 
Security Committee received testimony this year that a whistleblower 
was retaliated against for shedding light on inadequate suicide 
prevention practices at a V.A. hospital.
    This whistleblower learned that V.A. employees illegally and 
improperly accessed his private medical records after he brought to 
light the shameful behavior occurring at the V.A. hospital where he 
served. So it's not just the Secret Service that has employees who 
illegally accessed private information, this behavior has occurred 
across Government. The question is how do we fix this problem so that 
Americans believe that Government will protect their information and 
not use it for nefarious means? I am hopeful today we can take a 
step forward to address this issue.
    I'd like to thank Director Clancy, Inspector General Roth, and Mr. 
Willemssen for their testimony today. I look forward to examining these 
challenges with each of you.

    Mr. Perry. Chair now recognizes the Ranking Minority Member 
of the House Committee on Homeland Security, Subcommittee on 
Oversight and Management Efficiency, the gentlelady from New 
Jersey, Mrs. Watson Coleman, for her statement.
    Mrs. Watson Coleman. I want to thank you, Mr. Chairman, and 
Chairman Lankford, and Ranking Member Heitkamp for holding 
today's hearings.
    Director Clancy, I want to first extend my condolences in 
person on the loss of your father.
    Director, Inspector General Roth, and Mr. Willemssen, I 
thank you for your testimony. I also want to thank the men and 
women of the Secret Service for their diligence and hard work 
during the recent papal visit and the 70th anniversary of the 
United Nations General Assembly.
    As a Member of the Committee on Homeland Security and the 
Committee on Oversight and Government Reform, I am well aware 
of the gravity of the Secret Service's mission, particularly 
regarding its duty to protect the President, along with foreign 
dignitaries, and to oversee security at major events 
domestically and abroad.
    While I am confident that the overwhelming majority of the 
men and women of the Secret Service both take their jobs 
seriously and express the highest grade of professionalism, I 
am appalled by the recent reports of operational lapses and 
poor judgment by senior-level management.
    It is obvious that there is a wide-spread lack of 
consistent leadership and management within Secret Service. 
However, this did not just begin under Director Clancy's 
leadership. These issues have plagued the Secret Service for a 
number of years.
    Last year, Secretary Johnson commissioned the independent 
panel to evaluate the Secret Service. According to the panel's 
report, the Secret Service needed to undergo a cultural change, 
and that included having leadership that was capable of 
fostering greater accountability among all staff, of 
modernizing administrative functions including adjusting the 
hours special agents and uniformed division personnel must 
work, and improving their training.
    After the panel dismantled, the inspector general continued 
to corroborate their findings. In 2015 alone, the inspector 
general has issued two memoranda regarding misconduct among 
senior Secret Service personnel and two Management Advisories.
    The most recent Management Advisory was issued on October 
21 when personnel were found sleeping on the job. The inspector 
general found that staffing and scheduling practices of the 
Secret Service contributes to officer fatigue and that this can 
pose immediate danger to protectees.
    Instead of addressing the root of the problem of having 
overworked agents, the Secret Service considered the findings 
an isolated incident. Furthermore, the inspector general's most 
recent Management Advisory on improper database access of the 
Secret Service shows that the agency has a deeply-rooted 
cultural problem that is not being addressed.
    The inspector general found that over 40 agents had 
improperly accessed the personnel records of a Member of 
Congress through an antiquated database.
    According to the inspector general's findings, Secret 
Service leadership including the director and the deputy 
director did not recognize the severity of this situation and 
dismissed that data breach as a rumor.
    The inspector general found that instead of dealing with 
this situation, the director of the Secret Service discussed 
the improper database access with former directors at a 
luncheon.
    What is even far more glaring is the inspector general 
found that the assistant director of training, appointed by 
Director Clancy, to manage and direct all aspects of personnel 
care, development, and operational capacity training for the 
agencies, suggested that the information contained in this 
database be leaked to embarrass a Congressman.
    Mr. Chairman, while this incident is reprehensible, it is 
not beneficial for us to be here today to speak about it in 
isolation. We must have a broader, productive discussion about 
the Secret Service's management and culture.
    Finally, I know the Secret Service cannot improve without 
help from Congress. Therefore, I need to know too, from the 
director what he needs from us, to not only make the adequate 
changes for staffing, but also the technological advances for 
personal databases.
    But I also need to know from the director what his plans 
for the agency are when he has top-level management that turns 
a blind eye instead of addressing issues.
    With that Mr. Chairman, I yield back the balance of my 
time.
    [The statement of Ranking Member Watson Coleman follows:]
           Statement of Ranking Member Bonnie Watson Coleman
                           November 17, 2015
    I also want to thank the men and women of the Secret Service for 
their diligence and hard work during the recent Papal Visit and the 
70th Anniversary of the United Nations General Assembly. As a Member of 
the Committee on Homeland Security and the Committee on Oversight and 
Government Reform, I am well aware of the gravity of the Secret 
Service's mission, particularly regarding its duty to protect the 
President along with foreign dignitaries, and to oversee security at 
major events domestically and abroad.
    While I am confident that the overwhelming majority of the men and 
women of the Secret Service both take their jobs seriously and express 
the highest grade of professionalism, I am appalled by the recent 
reports of operational lapses and poor judgment by senior-level 
management.
    It is obvious that there is a wide-spread lack of consistent 
leadership and management within the Secret Service. However, this did 
not just begin under Director Clancy's leadership. These issues have 
plagued the Secret Service for a number of years. Last year, Secretary 
Johnson commissioned an independent panel to evaluate the Secret 
Service.
    According to the Panel's report, the Secret Service needed to 
undergo a cultural change, and that included having leadership that was 
capable of fostering greater accountability among all staff, of 
modernizing administrative functions, including adjusting the hours 
Special Agents and Uniformed Division personnel must work, and 
improving their training.
    After the panel dismantled, the inspector general continued to 
corroborate their findings. In 2015 alone, the inspector general has 
issued two memoranda regarding misconduct among senior Secret Service 
personnel and two management advisories.
    The most recent management advisory was issued on October 21, when 
personnel were found sleeping on the job. The inspector general found 
that staffing and scheduling practices of the Secret Service 
contribute to officer fatigue and this could pose immediate danger to 
protectees. Instead of addressing the root of the problem of having 
overworked agents, the Secret Service considered the findings an 
isolated incident.
    Furthermore, the inspector general's most recent management 
advisory on Improper Database Access at the Secret Service shows that 
the agency has a deeply-rooted cultural problem that is not being 
addressed. The inspector general found that over 40 agents improperly 
accessed the personnel records of a Member of Congress, through an 
antiquated database.
    According to the inspector general's findings, Secret Service 
leadership including the director and the deputy director did not 
recognize the severity of the situation and dismissed the data breach 
as a rumor. The inspector general found that instead of dealing with 
the situation, the director of the Secret Service discussed the 
improper database access with former directors at a luncheon.
    What is even far more glaring is the inspector general found that 
the assistant director of training--appointed by Director Clancy to 
manage and direct all aspects of personnel career development and 
operational capacity training for the agency--suggested that the 
information contained in this database be leaked to embarrass the 
Congressman.
    Mr. Chairman, while this incident is reprehensible, it is not 
beneficial for us to be here today to speak about it in isolation. We 
must have a broader, productive discussion about the Secret Service's 
management and culture.
    Finally, I know the Secret Service cannot improve without help from 
Congress. Therefore, I need to know too from the director what he needs 
from us to not only make the adequate changes for staffing but also the 
technological advancements for personnel databases, but I also need to 
know from the director what his plans for the agency are, when he has 
top-level management that turns a blind eye instead of addressing 
issues.

    Mr. Perry. Chair thanks the gentlelady. The Chair now 
recognizes the Ranking Minority Member of the Senate Committee 
on Homeland Security and Governmental Affairs' Subcommittee on 
Regulatory Affairs and Federal Management, the gentlelady from 
North Dakota, Ms. Heitkamp for any statement she may have.
    Senator Heitkamp. Thank you Chairman Perry and Chairman 
Lankford. Welcome Mr. Clancy, Mr. Roth, and Mr. Willemssen. I 
first want to say thank you to the brave men and the brave 
women who serve in the Secret Service. While I understand the 
last few months and few years have been marked by high-profile 
incidents of agency misconduct, I know, I know and you know the 
majority of our agents work hard and put their life on the line 
every day to protect the White House, past Presidents, 
Presidential candidates, and many administration officials and 
foreign dignitaries.
    I also know first-hand as a former leader of a law 
enforcement agency what the bad actions of a 2 or 3 or 4 agents 
can do to the morale of an entire organization. I know that, 
just looking at the faces behind you Mr. Clancy, I know the 
effect that these high-profile discussions have had.
    I am here in the spirit of, let's work together to make the 
Secret Service what the Secret Service should be, the most 
trusted law enforcement agency in America. Let's restore the 
morale of your agents. Let's work together in a management 
collaboration and cooperation to change this dynamic and once 
again, have your agents stand tall if they tell their friends 
and their neighbors that they work for the Secret Service.
    That is a big part of why I am here today--is to remember 
and remind I think everyone on this day that there are 
literally thousands of men and women who every day walk 
alongside cars, willing to sacrifice their life in protection 
of leaders of this country. Nothing that can be done by one 
person can take away the bravery of those men and women.
    So clearly, we have some issues to discuss, there is no 
doubt about it. Clearly, you have already heard the concerns 
that we have here today. But my reason for being here and for 
being interested in this topic is really to restore the morale 
and restore the integrity of the Secret Service so that all the 
brave men and women who have done nothing wrong in the Secret 
Service can once again hold their heads high.
    So with that, I yield back the balance of my time.
    Mr. Perry. Chair thanks the gentlelady. The Chair now 
recognizes the Ranking Minority Member of the House Committee 
on Homeland Security. The gentleman from Mississippi, Mr. 
Thompson for his statement.
    Mr. Thompson. Thank you very much, Mr. Chairman. I thank 
the Oversight and Management Efficiency's Subcommittee and the 
Senate Subcommittee on Regulatory Affairs and Federal 
Management for holding today's hearing. I also welcome Director 
Clancy and Inspector General Roth and Director Willemssen 
today.
    I join my colleagues who have already said before me, in 
thanking the men and women of the Secret Service for their 
work, during both the papal visit and the 70th anniversary of 
the United Nations. The dedication of the agents and officers 
of the Secret Service is admirable.
    Unfortunately, their tireless work is time and again 
overshadowed by the exposure of symptomatic problems within the 
agency. The issues that lie within the Secret Service existed 
long before Director Clancy's appointment. However, as head of 
the agency, Congress, the public, and officers and agents he 
leads, hold him accountable.
    Prior to Director Clancy's appointment, serious operational 
lapses and leadership failures led to Secretary Johnson's 
appointment of an independent panel to review the Secret 
Service. This panel, known as the Protective Mission Panel, had 
several glaring findings and recommendations.
    One of these findings is what I have realized and 
articulated through many years of oversight of the Secret 
Service: The law enforcement agency needs to undergo a cultural 
change that includes leadership that is capable of fostering 
greater accountability.
    The panel stated, ``The agency is starved for leadership.'' 
Unfortunately, it still seems as if the Secret Service has 
yet to be fed.
    Since the Protective Mission panel completed its review, 
the Office of the Inspector General has led investigations into 
misconduct involving Secret Service supervisors on more than 
one occasion.
    The inspector general found that in March, at least 4 
supervisors turned a blind eye when 2 veteran agents, including 
the head of the President's protective detail, disrupted a bomb 
investigation by allegedly driving impaired through a barricade 
at the White House.
    Last month, the inspector general found that at least 45 
agents improperly accessed a 1980s mainframe database to 
retrieve information in an attempt to embarrass a Member of 
Congress. Of those agents who may have broken the law by 
improperly accessing this database, approximately 18 of them 
were at the GS-15 and SES levels.
    The findings also concluded the director of the Secret 
Service, his deputy director and his chief of staff failed to 
take seriously that agents were discussing information about 
the Congressman's personnel file.
    The inspector general also made the finding that the 
assistant director of training--the person appointed by 
Director Clancy to manage and direct all aspects of personnel, 
career development, and professionalism--suggested that the 
information found in the database be leaked in retaliation to 
Congressional oversight.
    The IG's findings further illustrate that there is a lack 
of leadership and accountability from the top down. In this 
instance, very little leadership and accountability was shown. 
Director Clancy has indicated that the Secret Service will be 
expanding and undergoing a rigorous and necessary hiring phase. 
The new hires will be looking to their leaders for guidance.
    As the Secret Service expands, it is our responsibility as 
Members of Congress to assist the Secret Service with adequate, 
necessary funding for its mission. Both the Protective Mission 
panel and the inspector general, have indicated that officer 
fatigue can place protectees at risk.
    The agency also needs to have the capacity to properly vet 
employees before they begin work rather than continuing the 
practice of having uncleared personnel working in sensitive 
areas such as the White House.
    The new recruits should represent America and have 
opportunities for advancement. As of right now, the Secret 
Service's direct diversity numbers are dismal. Furthermore, it 
would be hard for the law enforcement agency's commitment to 
equal opportunity and inclusion to be taken seriously with a 
class-action, racial-discrimination lawsuit still hanging over 
the Secret Service's head, and the Secret Service using every 
delay tactic it can instead of resolving the lawsuit amicably.
    There must be some sweeping changes made at the Secret 
Service. I know the deeply-rooted problems will not cease 
overnight, but we must get to the source of them instead of 
continuously glossing over, putting on Band-Aids, and going 
forward with business as usual.
    I look forward to working with the Secret Service to 
advance its mission. With that I yield back.
    Mr. Perry. Chair thanks the gentleman. The Chairman reminds 
other Members of the subcommittee that opening statements may 
be submitted for the record.
    We are pleased to have a distinguished panel of witnesses 
before us today on this important topic. The witnesses' entire 
written statements will appear in the record.
    The Chair will introduce all of the witnesses first and 
then recognize each of you for your testimony.
    Mr. Joseph Clancy was appointed director of the United 
States Secret Service in February 2015, after serving as acting 
director since October 2014. Previously, Mr. Clancy served as 
the special agent in charge of the Presidential Protective 
division. Mr. Clancy began his career with the Secret Service 
in 1984 in the Philadelphia field office.
    Welcome.
    The Honorable John Roth assumed the post of inspector 
general for the Department of Homeland Security in March 2014. 
Previously, Mr. Roth served as the director of the Office of 
Criminal Investigations at the Food and Drug Administration and 
as an assistant U.S. attorney for the Eastern District of 
Michigan.
    Welcome, Mr. Roth.
    Mr. Joel Willemssen is managing director for the 
information technology issues at the Government Accountability 
Office, the GAO, where he leads the GAO's evaluations of 
information technology across the Federal Government.
    Since joining GAO in 1979, he has led numerous reviews of 
information technology systems and management at a variety of 
Federal agencies.
    Welcome, Joel.
    Thank you for being here today. The Chair now recognizes 
Mr. Clancy for his opening statement.

 STATEMENT OF JOSEPH P. CLANCY, DIRECTOR, UNITED STATES SECRET 
         SERVICE, U.S. DEPARTMENT OF HOMELAND SECURITY

    Mr. Clancy. Good morning, Mr. Chairman, Chairman Lankford, 
Chairman Perry, Chairman Johnson, Ranking Member Watson 
Coleman, and Ranking Member Thompson, and distinguished Members 
of the committee.
    Thank you for the opportunity to testify today. I plan to 
address the findings from the recent OIG report and the many 
improvements implemented over the past year designed to address 
the Protective Mission Panel findings.
    I also look forward to discussing the numerous 
organizational changes we have made at the United States Secret 
Service, and would like to express my gratitude and recognize 
the support of Secretary Johnson and the Congress in making 
many of these changes possible.
    I sit before you today a proud representative of the 
thousands of men and women who selflessly execute the mission 
of this agency on a daily basis. Recent accomplishments, 
including 4 near-simultaneous Special Security Events 
surrounding the papal visit and the United Nations General 
Assembly, as well as a number of high-profile cyber 
investigations serve to reinforce this feeling.
    In fact, in addition to initiating protection of two 
Presidential candidates last week, Secret Service personnel are 
at this very moment deployed around the world ensuring the 
President's safety while in Southeast Asia in yet another 
example of their commitment and dedication to the mission.
    Despite the Secret Service's many recent successes, I 
recognize that the primary reason we are here today is to 
address the misconduct detailed in the OIG's report. This 
investigation arose from allegations that the Secret Service 
employees inappropriately utilized an internal database to 
access the applicant record of an individual who is now a 
Member of Congress.
    The misconduct outlined in the report is inexcusable and 
unacceptable. This conduct is not supportive of the agency's 
unique position of public trust. On behalf of the men and women 
of the Secret Service, I would like to publicly renew my 
apology for this breach of trust and affirm my commitment to 
restoring it.
    The OIG reported that these employees violated existing 
Secret Service and DHS policies pertaining to the handling of 
the Privacy-Act-protected information. At the time that these 
violations occurred, relevant policies and procedures were in 
place and could be found in a number of locations, including 
the Secret Service Ethics Guide, the Table of Penalties, policy 
manuals and required on-line training courses. I was angered by 
the willful disregard of these policies and I am determined to 
ensure that all employees are held to the highest standards of 
professional conduct.
    As I stated on prior occasions, I am committed to ensuring 
the accountability in this matter regardless of rank or 
seniority. Secretary Johnson and I stand together on this 
point. To date, several dozen employees have been issued 
disciplinary proposals relating to these events. More are on 
the way. The discipline is being administered in accordance 
with DHS and Secret Service policy, and I am confident that 
these actions will be fair, appropriate, and completed in a 
timely fashion.
    A contributing factor that allowed multiple individuals to 
improperly access this information was the nature of the 
information system that housed the data. Secret Service 
recognized this deficiency some years ago and began a process 
to modernize its IT infrastructure to allow for such data to be 
compartmentalized and restrict the access to those with an 
official need to know. This process was completed this past 
June.
    At this time, the MCI system has been officially retired. 
With respect to applicant records, the number of employees with 
access to the new system has been reduced by more than 95 
percent.
    Finally, much has been made of my statements and a decision 
of the OIG to reopen the investigation on October 5, 2015. 
Prior to publicly releasing the report on September 30, the OIG 
provided a draft copy for my review which reflected my 
statement that I became aware of the rumor on April 1.
    As my colleagues and I reviewed the draft, I was reminded 
that I had, in fact, been made aware of the rumor on March 25. 
However, let me be clear that what I was made aware of was a 
rumor with no indication of employees' misconduct or employees 
accessing internal databases. In order to ensure the accuracy 
of the report and knowing the concern it would cause, I took 
the initiative to contact Mr. Roth prior to the report's 
publication to ensure the report was accurate and correct on 
this point.
    With respect to the recommendations of the Protective 
Mission Panel, tremendous progress has been made in all areas. 
I am proud to say that we have significantly altered the way 
the Secret Service is structured and managed. We have also made 
strides in hiring new members of our workforce and expanding 
training opportunities for current members.
    I am also realistic in knowing that many of the changes we 
are making will take time and that we must continue to 
communicate these changes to our workforce.
    In the interest of time, I will point you to my written 
testimony submitted in advance of this hearing for a more 
thorough description of this process and look forward to 
discussing our progress on these recommendations with each of 
you today.
    I would like to close by remembering a remarkable leader 
and true friend, former Assistant Director Jerry Parr. Jerry is 
widely known for the decisive actions he took during the March 
30, 1981, assassination attempt on President Ronald Reagan. The 
decisions he made that day, including evacuating the President 
directly to the hospital, likely saved the life of the 
President. As I reflected on his passing, I had the opportunity 
to review a speech he made to a graduating special agent 
training class in 1994.
    He stated, ``An organizational culture is a product of 
time, successes, sufferings, failures and just plain hard work. 
After a hundred years or so, deep roots are developed and a 
corporate memory evolves. While another agency can purchase 
persons, equipment and technology similar to the Secret 
Service, it cannot buy this corporate memory. This is a 
priceless commodity.''
    As the men and women of this agency traverse these 
challenging times, it is important to remember that culture 
involves more than an agency's failures and that the successes 
derived from hard work and dedication will prevail as the 
lasting corporate memory of the Secret Service.
    Thank you and I welcome any questions you may have.
    [The prepared statement of Mr. Clancy follows:]
                 Prepared Statement of Joseph P. Clancy
                           November 17, 2015
    Good afternoon, Chairman Lankford, Chairman Perry, Ranking Member 
Heitkamp, Ranking Member Watson Coleman, and distinguished Members of 
the committees. Thank you for the opportunity to testify today. I look 
forward to discussing the on-going challenges at the United States 
Secret Service (``Secret Service'') including those recently outlined 
by the Department of Homeland Security (``DHS'') Office of Inspector 
General (``OIG''). I am also prepared to elaborate on the 
organizational changes and improvements implemented over the past year 
to address them. I would like to express my gratitude and recognize the 
support of Congress in making many of these changes possible.
    I proudly sit before you today representing the thousands of men 
and women who selflessly execute the mission of this agency on a daily 
basis. Over the past 150 years, the Secret Service has established 
itself as one of the most highly-regarded law enforcement agencies in 
the world. Throughout our history, we have continued to answer the call 
to serve our country, and through our work, have created a tradition of 
excellence. The cornerstone of our success is the absolute dedication 
to duty displayed by the men and women of this agency.
 INVESTIGATION INTO THE IMPROPER ACCESS OF A SECRET SERVICE DATA SYSTEM
    I would like at the outset to address the recent investigation by 
the DHS OIG into allegations that Secret Service employees improperly 
accessed and distributed information in internal databases. The 
investigation found that a number of employees violated existing Secret 
Service and DHS policies pertaining to the unauthorized access and 
disclosure of information protected by the Privacy Act of 1974. The 
behavior these employees exhibited is unacceptable. I am angered by the 
underlying actions reflected in the OIG's findings and am committed to 
ensuring that all employees are held to the highest standards of 
professional conduct, whether on- or off-duty. Those we protect and the 
public we serve expect us to live by our oaths and the values we have 
established as an agency, and we should demand nothing less from each 
other. We are better than the actions illustrated in this report and 
people will be held accountable for their actions. We have made 
necessary changes to technology in order to limit the potential for 
future misconduct, and are implementing enhanced training. I will 
continue to review policies, practices, and training to address 
employee misconduct and demand the highest level of integrity of all 
our employees.
Accountability
    On behalf of the men and women of the Secret Service, I would like 
to publicly renew my apology for this breach of trust and confidence 
and state my commitment to restoring it. I have heard loud and clear 
the demand for accountability and need for timely, decisive 
discipline--and I agree. I also understand that apologies and 
expressions of anger are not enough. Secretary Jeh Johnson and I stand 
together on this point. Appropriate discipline is being administered in 
accordance with DHS and Secret Service policy. I am confident that the 
actions regarding the individuals involved will be prompt, fair, and 
appropriate.
Technology
    On March 24, 2015, there were technological security deficiencies 
within the Secret Service's primary internal database that contributed 
to the unauthorized access of information. These internal 
vulnerabilities have been addressed and the potential for similar 
misconduct in the future mitigated. The Master Central Index (``MCI'') 
was a mainframe application developed in 1984 that served as a central 
searching application and case management system. More specifically, 
MCI contained records from protective, investigative, and human capital 
divisions and served as a single access point for investigators and 
administrators. A significant deficiency of this arrangement was that 
an MCI user had access to all of the data in MCI regardless of whether 
it was necessary for that user's job function or not.
    The Secret Service's Information Integration and Technology 
Transformation (``IITT'') program was established in fiscal year 2010. 
In recognition of the limitations of MCI and other mainframe 
applications, the Secret Service initiated the Mainframe Application 
Refactoring (``MAR'') project in 2011 to assess the existing 48 
applications residing on the mainframe and migrate necessary 
capabilities and accompanying data to a non-mainframe, secure, 
highly-available and compartmentalized environment. DHS estimated the project 
would take 10 years to complete. The Secret Service accelerated the MAR 
project in 2013 and was able to achieve project closure on June 24, 
2015. At that time, all employee mainframe access was revoked. The new 
systems are completely operational, and all legacy data has been 
migrated to new platforms where data is locked down and access to data 
is dependent upon job function. Protective, investigative, and human 
capital records reside in different systems and internal controls have 
now been implemented to restrict access to those systems in two ways. 
Now access is: (1) Limited to the respective directorates responsible 
for the information; and/or (2) based on the role of the system user 
within the organization. Shutdown of MCI began at the end of July, and 
it was fully powered down on August 12, 2015. Disassembly of the 
mainframe began in August, and it was physically removed from the data 
center on September 16, 2015.
Training
    The OIG report also cited the need for improved and more frequent 
training related to unauthorized access of sensitive data. We have been 
working to reiterate and reinforce existing policies and training. This 
includes the long-standing, existing policy regarding the proper access 
to databases and handling of Privacy Act protected information, which 
is clearly stated in the Secret Service Ethics Guide, in the Table of 
Penalties, and within the Secret Service Manual sections related to 
rules of behavior with respect to the use of information technology. 
Employees are required to certify annually that they have reviewed 
these manual sections.
    At the time of the conduct in question, the Secret Service was 
already providing a 1-hour briefing to Special Agent and Uniformed 
Division Training Classes that includes material on the Privacy Act. A 
senior Government Information Specialist from the Freedom of 
Information Act and Privacy Act Branch of the Office of Government and 
Public Affairs teaches the class and focuses, in part, on PII, with 
comprehensive instructional material on the subject added to the 
content in approximately 2012. A 1-hour in-service on-line training 
titled ``IT Security Awareness'' is required as part of the agency's 
adherence to the Federal Information Security Management Act 
(``FISMA''). The course outlines the role of Federal employees in the 
protection of information and in ensuring the secure operation of 
Federal information systems. The Privacy Act is also discussed during 
in-service ethics classes administered to the field by Secret Service 
Office of Chief Counsel instructors. Further, DHS requires Secret 
Service employees to complete annual in-service on-line training 
titled, ``Privacy at DHS: Protecting Personal Information.'' This 
training was incorporated into the required curriculum in 2012 and 
covers proper handling of PII. While the class is annually required, 
due to the gravity of the findings in the OIG report, I instructed the 
workforce in an official message on October 16 to retake the class by 
November 30.
    Additionally, at my direction enhanced briefings regarding the 
Privacy Act are now being provided to Special Agent and Uniformed 
Division Training Classes by Office of Chief Counsel instructors. A 
permanent curriculum is being developed and a formal class for 
candidate and in-service employee training is anticipated in the near 
future.
    Finally, I would like to address my statements and the decision of 
the OIG to reopen the investigation on October 5, 2015. Prior to the 
public release of the report on September 30, 2015, the OIG provided me 
a draft electronic copy of the report for review. I received this draft 
report from the OIG during the National Special Security Events 
(``NSSEs'') in New York City associated with the Pope's visit and the 
UN General Assembly. During the process of reviewing the draft, I was 
reminded by a colleague that I had been informed of a rumor regarding 
the individual's application history on March 25. While I myself do not 
recall hearing of this rumor, several others have confirmed that I did, 
and that it was a general rumor about the individual's past 
application; it did not relate to USSS employees improperly accessing 
databases or sharing protected information. In order to ensure accuracy 
within the report, on my own initiative I contacted the OIG to correct 
the record. I did not make the decision to contact the OIG blindly and 
was fully aware that additional scrutiny would result from my doing so. 
I made this decision because I feel that it is important to be as 
forthcoming, accurate, and complete as possible. I expect this from my 
employees and expect nothing less from myself.
    The OIG published an addendum in October reporting its assessment 
of the updated information pertaining to when I was made aware of this 
rumor. Interviews with former directors, my deputy director, and my 
former chief of staff only serve to corroborate that the information 
available to me at the time was nothing more than a rumor. The 
information was not attributed to a Secret Service data system or 
indicative of any action--inappropriate or otherwise--by any Secret 
Service employee. Nothing in the addendum contradicts what I have 
maintained from the beginning--that at no time prior to April 2, was I 
aware that potential misconduct could be the source of this rumor. When 
I did learn of it, I began taking immediate action, contacting the OIG 
and sending an official message to the workforce on the handling of 
sensitive information.
 FULFILLING THE INDEPENDENT PROTECTIVE MISSION PANEL'S RECOMMENDATIONS
    I would now like to turn to the actions we have taken to implement 
the recommendations of the independent Protective Mission Panel (the 
``Panel''), which was established by Secretary Jeh Johnson following 
the events of September 19, 2014 to undertake a broad review of the 
Secret Service's protection of the White House complex. The Panel's 
work, aided by full cooperation of the Secret Service and DHS, 
concluded with the publication of the Report from the United States 
Secret Service Protective Mission Panel to the Secretary of Homeland 
Security (the ``Report''), issued on December 15, 2014.
    The Report memorialized the findings and recommendations of the 
Panel in three general areas: Training and Personnel; Technology, 
Perimeter Security, and Operations; and Leadership. Upon receipt of the 
Report, the Secret Service acknowledged and accepted the Panel's 
findings and recommendations. A number of the issues found in the 
review were recognized independently prior to the issuance of the 
Report and were being addressed, while those that remained were 
prioritized and incorporated into a strategic action plan designed to 
fully implement the Panel's findings as time and resources permitted.
    I am proud to say that we have significantly altered the way the 
Secret Service is structured and managed since my return to the agency. 
We have also made strides in hiring new members of our workforce, and 
in expanding training opportunities for current members. I am also 
realistic in knowing that the changes we are making will take time to 
realize their full impact, particularly as they relate to staffing 
levels, and that we must continue to communicate these changes to our 
workforce. Some of the PMP recommendations will never be closed, as 
they require a commitment to on-going evaluation, innovation, and 
continuous improvement. I am hopeful that the structural changes we 
have made to the Secret Service will foster an environment where this 
perspective is not only valued, but also encouraged. I am committed to 
this process and am certain that the Secret Service will emerge a 
stronger agency with the continued support of the Department, the 
administration, and the Congress.
Training and Personnel
    I recognized early on in my tenure that many of the most serious 
problems facing the Secret Service can be traced back to inadequate 
staffing levels. Achieving appropriate staffing levels will allow the 
workforce to undertake a level of training commensurate with the 
mission and help to address the resultant effect on morale. Once 
underway, the process is, to some extent, self-repairing in that as 
morale improves, attrition rates will fall and staffing levels will 
continue to increase toward desired levels.
    In May 2015, to address staffing issues and following a wider 
professionalization initiative in which I placed civilian specialists 
in executive-level leadership positions, I implemented a reorganization 
effort aimed at more efficiently recruiting and hiring special agents, 
Uniformed Division (``UD'') officers, and administrative, professional, 
and technical (``APT'') personnel. Both the Human Capital and 
Recruitment Divisions were closed and their collective responsibilities 
were redistributed to a number of new divisions. The Talent and 
Employee Acquisition Management Division (``TAD'') is one such 
division, and this reorganization has allowed its managers to focus 
exclusively on recruiting and hiring diverse applicants to fill special 
agent, UD, and APT positions. In the ensuing months, TAD has 
implemented a modern recruitment strategy, including embracing social 
media as a recruiting tool and budgeting fiscal year (``FY'') 2016 
dollars towards an aggressive advertising campaign aimed at attracting 
qualified applicants to the agency. Further, in order to avoid 
bottlenecks and streamline the process of on-boarding qualified 
applicants, the Secret Service is hiring contractors to serve as a 
stop-gap solution for reviewing hiring qualifications through TAD and 
monitoring background investigations through the Security Clearance 
Division (``SCD'') until an adequate number of APTs can be hired and 
trained to perform these functions.
    Identifying our needs is a key element of supporting appropriate 
staffing levels because it drives our budget requests and 
justifications. In July, we completed the U.S. Secret Service Human 
Capital Plan for fiscal year 2015 through 2019. This foundational 
document identifies our strategy for increasing staffing levels, by 
accounting for mission, training, and work/life balance requirements. 
Consistent with the results of the PMP, our analysis suggests that 
staffing levels must significantly increase over the next 5 years to 
support not only our mission requirements but also our employee 
training and work/life balance needs. We look forward to continuing our 
work with the Department and Congress to secure the financial resources 
necessary to support these enhanced staffing levels.
    In response to the PMP recommendation that the Secret Service 
increase the number of personnel assigned to UD and the Presidential 
Protective Division (``PPD''), we worked closely with the Federal Law 
Enforcement Training Center (``FLETC'') to schedule 10 special agent 
classes with 195 agents and 8 UD classes with 151 officers in fiscal 
year 2015, a significant increase from years immediately preceding. 
Additionally, in fiscal year 2016, we have again asked FLETC for 
increased numbers of trainee classes and hope to bring 12 special agent 
and 12 UD classes on board this year. Today, the recommended personnel 
increase to PPD is substantially complete, while efforts to reach net 
gains that approach recommended levels in UD continue in the face of 
greater challenges with respect to attrition and retention. Given this 
challenge, the Secret Service recently introduced a UD retention bonus 
and is engaged with the Department to develop additional programs 
designed to incentivize members of our talented workforce to refrain 
from separating prematurely from the agency.
    A number of the Panel's recommendations were directed to training, 
including conducting integrated training in realistic conditions, and 
an increase in the overall amount of training received by agents and 
officers assigned to protective functions. The Secret Service has 
worked diligently to implement integrated training between the various 
units assigned to the White House complex. Currently, 99% of UD 
officers and technicians have completed specially created ``Emergency 
Action/Building Defense'' training. Training for agents assigned to 
permanent protective details has also increased with special agents on 
the Presidential Protective Division receiving approximately 25% more 
training in fiscal year 2015 than in fiscal year 2014. In order to more 
realistically simulate the conditions in which our agents, officers, 
and technicians operate, our fiscal year 2016 budget request includes 
funds directed to the design and construction of a more permanent White 
House training facility. Additionally, as staffing levels increase, the 
number of training hours that personnel assigned to UD and protective 
details receive will continue to increase accordingly. I firmly believe 
that, given the nature of the Secret Service's integrated mission, the 
importance of the amount and quality of training provided to our 
workforce cannot be overstated.
Technology, Perimeter Security, and Operations
    For the purposes of today's hearing, I will speak generally to the 
Panel's recommendations on technology and perimeter security. The Panel 
believed strongly, as do I, that operational issues related to the 
protection of the White House should not be the subject of a detailed 
public debate in their report or any other fora. I pledge to continue 
to provide you and your staffs with relevant information in the proper 
setting, at your request, as we move forward implementing these 
recommendations. My No. 1 priority has been, and is, the protection of 
the President, Vice President, and their families.
    To address longer-range future technology needs, the Secret Service 
will continue to partner with the Department's Science and Technology 
Directorate, the Department of Defense, and our partners in the 
intelligence community to ensure we are researching, developing, and 
deploying cutting-edge technology.
    The Secret Service has recognized the need for protective 
enhancements to the White House complex fence and is currently working 
with stakeholders to create a viable, long-term solution. This multi-
phase project began with the formation of requirements that are guiding 
a formal study aimed at identifying various fence options. These 
requirements encompassed security concerns identified by the Secret 
Service, including efforts to delay intruders, as well as aesthetic and 
historic concerns put forward by the National Park Service (``NPS'').
    Working at a highly accelerated pace with the National Capital 
Planning Commission (``NCPC''), the U.S. Commission of Fine Arts, and 
the NPS, the Secret Service was able to not only secure approval for, 
but also complete the installation of an interim improvement to the 
fence that inhibits the ability of individuals to climb it. We also 
worked with NPS to complete a study to identify the options for 
permanent enhancements to perimeter security earlier this year. We are 
moving forward with the design phase of this project, and look forward 
to working with the NCPC to secure its approval in early 2016.
Leadership
    The majority of the recommendations contained in the Report fell 
under the category of ``Leadership.'' Dynamic leadership that 
encourages open communication, rewards innovation, values flexibility, 
rejects insularity, and embraces personal accountability is vital to 
the agency's long-term success. Based upon the Panel's review, and my 
own assessments, I implemented several leadership changes in the Secret 
Service executive management team earlier this year. These changes were 
necessary to gain a fresh perspective on how we conduct business. The 
Panel's recommendations on leadership have been incorporated into the 
strategic action plan referenced above.
    The Panel recommended that the agency should promote specialized 
expertise in its budget, workforce, and technology functions. This 
assessment has been embraced, and, through a professionalization 
initiative, many executive positions formerly held by career law 
enforcement agents are now held by civilians with the training and 
experience necessary to effectively guide an organization of this size. 
First and foremost, we established a new chief operating officer (COO) 
position, a non-law enforcement Senior Executive Service (SES)-level 
position that is equivalent to the deputy director. Along with the 
creation of this position, we elevated the Office of the Chief 
Financial Officer (CFO) to a directorate-level entity, created the 
Office of Strategic Planning and Policy (OSP), and split the Office of 
Human Resources and Training (HRT) into two directorate-level offices--
the Office of Human Resources (HUM) and the Office of Training (TNG). 
By splitting HRT into two directorates, we are expecting to achieve 
greater focus on two key areas of concern for the PMP--staffing and 
training. In the revised organizational structure, the CFO, HUM, OSP, 
and the chief information officer (CIO) are now aligned under the COO. 
We will continue to evaluate our organizational structure and make 
changes where it is necessary.
    In addition to the structural changes, we used this opportunity to 
evaluate the skills required for directorate-level leadership positions 
to examine which would be best filled by non-law enforcement 
professionals. As a result of this examination, three of our ten 
directorates are led by non-law enforcement professionals, including 
the CFO, OSP, and our Office of Technical Development and Mission 
Support (TEC). Further, we have enhanced our executive-level 
perspective by appointing non-law enforcement professionals to the SES-
level roles of CIO, deputy CIO, and component acquisition executive 
(CAE), and are in the process of hiring for a newly-created SES-level 
director of communications position.
    One of the principal responsibilities of the CFO has been to start 
the process for developing a zero-based budget as recommended by the 
panel. This enormous undertaking is underway, and it is my hope that a 
mission-based budget will begin to be implemented in the fiscal year 
2018 budget cycle. Important steps have been taken in furtherance of 
this goal, including the development of the previously mentioned Human 
Capital Plan, and benchmarking Secret Service analytical capabilities, 
staff resources, and planning activities with comparable organizations.
    A common theme within the panel's recommendations on leadership was 
the need for improved internal and external communication. I wholly 
adopt this view and firmly believe that improved communication is 
directly related to increased effectiveness and morale. I have affirmed 
this priority to the executive management team, and my expectation and 
message to them is that they do the same within their directorates. The 
agency's priorities have been communicated externally through active 
engagement with the Department, the administration, and Congress. This 
outreach will continue, and future operational and managerial decisions 
will be guided by these priorities.
    Internally, I have personally visited many of our field offices, 
all former Presidential protective details, and conducted video-
conferenced town hall meetings with the agency's workforce. I have 
joined officers and agents at the White House complex and the Vice-
President's residence during their daily roll call. Earlier this year, 
I met with field supervisors for an Investigative Issues Focus Group to 
obtain a better understanding of the issues and concerns of the agents 
in the field. I plan to continue to have an open and honest 
conversation with members of our workforce about their concerns and 
discuss what I can do to address them.
    As part of our outreach to employees, we conducted a Work/Life 
Assessment through a third-party contractor. The results of the 47 
focus groups conducted under this effort provided us with a roadmap 
that allowed us to identify and begin to act upon the concerns of our 
workforce. In terms of delivering information, we have started sending 
important email messages to affected employees' individual inboxes, 
which allows them much easier access to information than was previously 
available only via official messages accessible exclusively through a 
networked connection to the Secret Service email server. Additionally, 
we have started to leverage multimedia in our approach, including 
creating videos to communicate major policy changes and initiatives. 
Finally, just weeks ago, we launched a new web-based platform, Spark!, 
which we expect will enhance two-way communication between the 
workforce and leadership by providing a forum to raise ideas, 
suggestions, and concerns. Employees should have every assurance that I 
will continue to work to share information and feel it is my 
responsibility to find solutions to the issues or concerns they voice.
    Accountability is another issue that I believe the Panel was 
rightly focused on due to its effects on workforce morale and 
operational readiness. Even before the Panel issued its 
recommendations, as a result of a number of incidents involving 
personal conduct, my predecessors had already taken important steps to 
address these issues. These steps were intended to increase 
transparency, consistency, and fairness in disciplinary actions and 
included the following:
   A Professionalism Reinforcement Working Group (``PRWG'') was 
        initiated to conduct an objective and comprehensive review of 
        the agency's values and professional standards of conduct;
   As a result of the PRWG, we created and published a 
        comprehensive ethics guide, initiated an active schedule of 
        ethics training, conducted integrity training, and implemented 
        a new centralized disciplinary policy including a Table of 
        Penalties (issued on 11/15/2013);
   An ``Inspection Hotline'' was created and prominently 
        displayed on the Secret Service's Intranet Home page for 
        employees to report misconduct to the Secret Service Office of 
        Professional Responsibility or the DHS OIG and allow the agency 
        or the Department to initiate swift investigative or 
        administrative action;
   Extensive training requirements for new supervisors were 
        created. Training includes mandatory completion of the DHS 
        leadership development program and the agency's 40-hour, 
        classroom-based Management and Emerging Leaders seminars. The 
        requirements also include the assignment of a senior-level 
        mentor to guide supervisors in the first year of their 
        assignment;
   The chief integrity officer position was established, and we 
        reinforced the importance of leadership and accountability with 
        supervisors and provided developmental training to over 5,000 
        employees; and
   The ITG created a Discipline Analysis Report for Calendar 
        Year 2014, which we posted for all employees to view on our 
        intranet site. The posting of this report was the first time 
        the Secret Service made this type of data available for review 
        by the workforce and underscores our commitment to support a 
        culture of transparency within our workforce. We made this 
        decision in response to the concerns raised by the workforce 
        regarding the consistency and fairness of our discipline 
        process.
    As recommended by the Panel, we firmly believe that we can further 
enhance and improve our performance by partnering with other 
organizations to collect their best practices and leverage their 
knowledge. We have greatly expanded our outreach efforts to learn from 
the Department of Defense and intelligence community, particularly in 
the areas of training and technology.
    In the area of training, the Secret Service completed a number of 
joint training exercises with entities that included representatives 
from the military, Federal, State, and local law enforcement and other 
protective agencies. Our employees benefited from the perspective of 
the Department of Defense community during training opportunities at 
their facilities. In other cases, like the security planning and 
preparation preceding the Papal visit last month, our employees had a 
chance to examine protective methodologies while observing security 
officials from the Vatican. These efforts were in addition to the 
opportunity to work with the security personnel who traveled with the 
world leaders that attended the 70th United Nations General Assembly.
    The Secret Service also has benefited from both existing and newly-
established relationships within the interagency and intelligence 
communities and with the Department of Defense related to technology. A 
few examples where we are currently leveraging these relationships 
include the challenges with unmanned aerial vehicles (``UAV'') and 
gunshot detection.
    While the above summarizes our activities in a number of areas, the 
totality of the actions we have taken since receiving the 
recommendations of the PMP is substantial. Secret Service employees at 
every level have been working hard not only to support our mission 
requirements, but also to establish the foundation for significant 
changes that will positively impact the Secret Service over the long-
term.
                           mission excellence
    In addition to working on the implementation of the Panel's 
recommendations, one of my biggest priorities over the past year has 
been to restore the Secret Service's reputation of mission excellence. 
Thousands of special agents, uniformed officers, and civilian staff 
successfully fulfill the integrated mission of this agency every day 
throughout the world.
    It is important to remember that protection is only a portion of 
the integrated mission of the Secret Service. The expertise, maturity, 
and judgment special agents develop as criminal investigators 
conducting counterfeit currency, financial, or cyber crime 
investigations are essential to the extremely critical and demanding 
work of protecting our Nation's highest elected leaders, as well as 
those world leaders who travel to our country.
    Just 2 months ago, members of the Secret Service came together from 
field offices across the country and throughout the world to 
successfully execute security plans at 4 near-simultaneous NSSEs while 
also protecting President Xi Jinping of China during his first state 
visit to the United States. The planning for the 4 NSSEs spanned over 8 
months. This is the first time in the history of the agency--or this 
country--that such a feat has been accomplished.
    The 4 NSSEs involved a monumental three-city tour of Pope Francis 
to Washington, DC, Philadelphia, PA, and New York, NY, as well as the 
70th United Nations General Assembly. Agency personnel coordinated 
security plans for the President, Vice-President, Pope, and 
approximately 160 heads of state and over 80 spouses.
    In addition to honing personnel who are able to serve as 
specialists in the planning and staffing of protective operations, the 
integrated mission serves another purpose. Agents in the field also 
forge strong relationships with local law enforcement partners in 
investigations that pay dividends when we need their assistance during 
a protective visit. The Secret Service has long recognized that 
partnerships and cooperation act as force multipliers in both our 
protective and investigative missions. In this instance, with the need 
for critical support from State and local partners, these relationships 
proved to be invaluable.
    Plans for the NSSEs in September involved bringing together 2,500 
additional Federal law enforcement officers from other Federal 
agencies, the support of dozens of State and local law enforcement 
organizations, screening over 1 million people, and securing over 25 
individual sites including the United States Capitol, Central Park and 
Madison Square Garden in New York, and the Benjamin Franklin Parkway in 
Philadelphia. At the same time, preparations were underway and continue 
to be developed for upcoming Presidential trips with multiple stops in 
Asia, Presidential and Vice-Presidential candidate protection, the two 
National political conventions, and Presidential and Vice-Presidential 
debate sites.
    In addition to the 4 NSSEs, the Secret Service in fiscal year 2015 
conducted over 6,245 protective visits. Protective details and field 
agents ensured protection for over 5,981 domestic stops and 
approximately 264 international stops. The Secret Service Uniformed 
Division completed more than 677 magnetometer/X-ray operations 
assignments, and screened more than 2,742,620 members of the public. 
The Secret Service stopped approximately 2,847 weapons at magnetometer 
checkpoints from entering secure venues. The protective mission was 
also supported by over 6,617 protective surveys and approximately 136 
protective intelligence arrests.
    Additionally, Secret Service investigations continue to produce 
Nationally and internationally significant results, many of them in 
strong coordination with the Department of Justice, other law 
enforcement agencies, and our public- and private-sector partners. Two 
recent cases exemplify the work our agents do daily, in order to 
protect our Nation's financial infrastructure.
    In October, the Secret Service worked to apprehend and extradite 
yet another alleged cyber criminal--Sergey Vovnenko. Vovnenko is 
charged with conspiring to hack into the computer networks of 
individual users and corporations to steal log-in credentials and 
payment card data. According to the indictment, for almost 2 years, 
Vovnenko and his conspirators operated an international criminal 
organization that stole data, including user names and passwords for 
bank accounts and other online services, as well as debit and credit 
card numbers and personally identifiable information. To carry out this 
crime, Vovnenko allegedly operated a ``botnet'' of more than 13,000 
computers infected with malicious computer software programmed to gain 
unauthorized access to other computers and to identify, store, and 
export information from hacked computers.
    In the same week that Vovnenko appeared in Federal court in Newark, 
the Secret Service, in coordination with its partners in the Peruvian 
National Police, arrested 4 suspects with ties to the production and 
transportation of counterfeit U.S. currency. At the time of the 
arrests, the suspects were traveling to the airport en route to the United 
States and allegedly possessed close to $850,000 of counterfeit U.S. 
currency skillfully secreted in suitcase liners. According to Secret 
Service records, one of the particular types of counterfeit notes 
seized in this case has a passing history exceeding $34 million dating 
back to 2009. These are just two examples of the agency's highly 
successful investigative work for which hard-working personnel should 
be commended.
                               conclusion
    As I look back over the past year, I see an agency in the midst of 
reform. I wish that people could walk in my shoes for a day and see 
what I see--a workforce with an uncompromising sense of duty and 
commitment to its integrated mission.
    Recently, the Secret Service lost a remarkable leader and true 
friend in former Assistant Director Jerry Parr. Jerry is widely known 
for the decisive actions taken during the March 30, 1981 assassination 
attempt on President Ronald Reagan. The decisions he made that day, 
including evacuating the President directly to the hospital, likely 
saved the life of the President. As I reflected on his passing, I had 
the opportunity to review a speech he made to a graduating special 
agent training class in 1994. In that speech he spoke of culture. He 
said:

``An organizational culture is a product of time, successes, 
sufferings, failures, and just plain hard work. After a hundred years 
or so, deep roots are developed, and a corporate memory evolves. While 
another agency can purchase persons, equipment, and technology similar 
to the Secret Service, it cannot buy this corporate memory. This is a 
priceless commodity.''

    As the men and women of this agency traverse these challenging 
times, I am heartened by the corporate memory of this great 
organization. I am confident that through unparalleled dedication of 
our personnel, and the actions we are taking to reform and improve, the 
Secret Service will meet the standard of excellence that we have 
established over our history and which our Nation's leaders and the 
American people rightly expect of us.
    Chairman Lankford, Chairman Perry, Ranking Member Heitkamp, and 
Ranking Member Watson Coleman, this concludes my written testimony. I 
welcome any questions you have at this time.

    Mr. Perry. Thank you, Mr. Clancy.
    The Chair now recognizes Mr. Roth for an opening statement.

STATEMENT OF JOHN ROTH, INSPECTOR GENERAL, OFFICE OF INSPECTOR 
         GENERAL, U.S. DEPARTMENT OF HOMELAND SECURITY

    Mr. Roth. Chairmen Lankford, Perry, and Johnson, Ranking 
Members Heitkamp, Watson Coleman, and Thompson and Members of 
the subcommittee, thank you for inviting me here today to 
testify.
    We have conducted a number of investigations, audits, 
inspections of Secret Service programs and operations, and we 
have a number of on-going projects. My written testimony 
describes some of that work and discusses its implications.
    For my oral remarks, I will discuss our investigation into 
the allegations that the Secret Service agents improperly 
accessed a restricted database to discover details about 
Chairman Jason Chaffetz' application to the Secret Service, as 
well as some other on-going work.
    We found that the Chaffetz application entry contained 
within a Secret Service database called the Master Central 
Index was accessed by Secret Service employees on approximately 
60 occasions between March 25 and April 2 of this year. We 
concluded that the vast majority of those who accessed the 
information did so in violation of the Privacy Act of 1974, as 
well as Secret Service and DHS policy.
    We identified one individual who acknowledged disclosing 
information protected by the Privacy Act to an outside source. 
However, because the number of individuals with access to this 
information was so great, we were unable to identify others who 
may have disclosed protected information to third parties.
    We found that the access began minutes after Director 
Clancy began testifying before the Committee on Oversight and 
Government Reform on March 24, and continued in the days 
following. Knowledge of Chairman Chaffetz' application was 
wide-spread and fueled and confirmed by improper access to the 
Secret Service database at issue.
    We found that a number of senior managers knew agents were 
accessing the MCI improperly and some of them accessed it 
themselves. Other senior managers were aware that Chairman 
Chaffetz once had applied at the Secret Service but they 
apparently did not comprehend the seriousness of what was 
developing. As a result, no one acted until it was too late to 
stop this unauthorized and unlawful activity.
    Our investigation also revealed that the MCI, a case 
management tool implemented in 1984, did not have the audit and 
access controls of a modern IT system or appropriately 
segregate information. Such controls and segregation may have 
prevented or at least minimized the behavior we discovered.
    This also appears to run counter to the Privacy Act which 
requires agencies to establish appropriate administrative, 
technical, and physical safeguards to ensure the safety and--I 
am sorry, the security and confidentiality of the records.
    Additionally, the Secret Service must ensure that only 
relevant records are maintained in these types of databases. 
The Privacy Act requires that the agency maintain in its records 
only such information about an individual as is relevant and 
necessary to accomplish a purpose of the agency.
    The fact that the MCI had records of an unsuccessful 
application from 12 years earlier which contained sensitive 
information, the disclosure of which could lead to identity 
theft, may violate this provision of the Privacy Act.
    Finally, although all agents were trained in the use of the 
system and received yearly refresher training, it was apparent 
that many of the agents disregarded that training.
    The Secret Service recently reported that it retired the 
MCI and migrated all data to about 5 other Secret Service 
information systems in September 2015. Our Office of 
Information Technology Audits is currently conducting a 
technical security assessment of the information systems that 
the Secret Service now uses to store and retrieve this 
information. We expect to complete that assessment and issue a 
final report in February 2016.
    Over the past year-and-a-half as part of our independent 
oversight effort, we have investigated various incidents 
involving allegations of misconduct by Secret Service employees 
and other issues related to the Secret Service's organization 
and mission. The results of our investigation and reviews point 
to on-going organizational and management challenges. The 
Secret Service has certainly taken steps to address these 
challenges but not always successfully.
    Additionally, we are reviewing 3 incidents involving 
potential security lapses. For each incidence--incident--shots 
being fired at the White House from Constitution Avenue, an 
intruder jumping over the fence and entering the White House, 
an armed guard coming in close proximity to the President--we 
are determining whether the Secret Service followed its own 
protective policies, what actions were taken to correct, 
identify deficiencies and whether these corrections were 
adequate.
    The ultimate aim of our review is to determine and 
understand the root causes of these lapses. This fiscal year we 
plan to issue 3 reports on these incidents, as well as a 
capping report that identifies the root causes and includes any 
other necessary overarching recommendations.
    Mr. Chairman, this concludes my prepared statement. I 
welcome any questions you or any other Members of the 
subcommittees may have.
    [The prepared statement of Mr. Roth follows:]
                    Prepared Statement of John Roth
                           November 17, 2015
    Chairmen Lankford and Perry, Ranking Members Heitkamp and Watson 
Coleman, and Members of the subcommittees: Thank you for inviting me 
here today to discuss our on-going work involving the United States 
Secret Service (Secret Service) and its Government-wide implications. 
We have conducted a number of investigations, audits, and inspections 
of Secret Service programs and operations, and we have a number of on-
going projects. My testimony today will describe some of that work and 
discuss its implications.
  allegations concerning access to chairman chaffetz' application file
    As a result of our investigation, we determined that a Secret 
Service database containing sensitive personally identifiable 
information pertaining to Congressman Jason Chaffetz, Chairman of the 
House Committee on Oversight and Government Reform, was accessed by 
Secret Service employees on approximately 60 occasions between March 25 
and April 2 of this year.\1\ We concluded that a vast majority of those 
who accessed the information did so in violation of the Privacy Act of 
1974 (Privacy Act), as well as Secret Service and Department of 
Homeland Security (DHS) policy. We also identified one individual who 
acknowledged disclosing information protected by the Privacy Act to an 
outside source. However, because the number of individuals with access 
to this information was so great, we were unable to identify others who 
may have disclosed protected information to third parties.
---------------------------------------------------------------------------
    \1\ Memorandum, ``Investigation into the Improper Access and 
Distribution of Information Contained Within a Secret Service Data 
System'' (September 25, 2015).
---------------------------------------------------------------------------
    We found that the access began minutes after Director Clancy began 
testifying before the Committee on Oversight and Government Reform on 
March 24 and continued in the days following. Knowledge of Chairman 
Chaffetz' application was widespread and was fueled and confirmed by 
improper access to the Secret Service database at issue, the Master 
Central Index (MCI).
    We found that a number of senior managers knew agents were 
accessing the MCI improperly. For example, the special agent in charge 
of the Washington Field Office (WFO) became aware on or about March 25 
that several of her mid-level WFO supervisors had accessed or were 
aware of the Chaffetz record, and she directed her subordinates to 
cease any further access of the MCI record. No other Secret Service 
personnel at WFO accessed the Chaffetz record after that date, but 25 
others around the country did. Likewise, Deputy Assistant Director 
Cynthia Wofford of the Office of Strategic Intelligence and Information 
recalled hearing rumors of the Chaffetz application during the 
director's March 24 testimony. After unsuccessfully searching the 
internet for confirmation of the rumor, Wofford accessed the MCI on the 
morning of March 25 and found the Chaffetz record. She attempted to 
bring this to the attention of Deputy Director Magaw, but he told her 
that he already knew about it.
    However, other senior managers were aware that Chairman Chaffetz 
had once applied to the Secret Service, but they apparently did not 
comprehend the seriousness of what was developing. None of the senior 
managers apparently understood that the rumors were being fueled and 
confirmed by numerous agents who improperly accessed the protected MCI 
record of the Chaffetz application. As a result, no one acted, until it 
was too late, to stop this unauthorized and unlawful activity.
    Our investigation also revealed that the MCI, a case management 
tool implemented in 1984 to facilitate the Secret Service's 
investigative process, did not have the audit and access controls of a 
modern information technology (IT) system or appropriately segregate 
the information. Such controls and segregation may have prevented or 
minimized the behavior we discovered. This also appears to run counter 
to the Privacy Act, which requires agencies to ``establish appropriate 
administrative, technical, and physical safeguards to insure the 
security and confidentiality of records.''
    Additionally, the Secret Service must ensure that only relevant 
records are maintained in these types of databases. The Privacy Act 
requires that an agency ``maintain in its records only such information 
about an individual as is relevant and necessary to accomplish a 
purpose of the agency required to be accomplished.'' The fact that the 
MCI had records of an unsuccessful application from 12 years earlier, 
which contained sensitive information the disclosure of which could 
lead to identity theft, may violate this provision of the Privacy Act. 
Finally, although all agents were trained on use of the system and 
received yearly refresher training, it was apparent that many of the 
agents disregarded that training.
    Our Office of Information Technology Audits is currently conducting 
a technical security assessment of the information systems the Secret 
Service now uses to store and retrieve investigative and criminal 
history information. The Secret Service recently reported that it 
retired the MCI and migrated all data to about 5 other Secret Service 
information systems in September 2015. The objectives of our technical 
assessment are to verify that the MCI is no longer in use, identify 
which systems currently house MCI data, determine the level of physical 
and system controls implemented to secure the data from further 
instances of unauthorized access, and identify gaps in the security 
posture. We also intend, to the extent possible, to understand the 
security weaknesses in the MCI when it was operational. We expect to 
complete our assessment and issue a final report in February 2016.
              previous allegations of employee misconduct
    Over the past several years, as part of our independent oversight 
effort, we have investigated various incidents involving allegations of 
misconduct by Secret Service employees. We have also reviewed other 
issues related to the Secret Service's organization and mission that 
raised the concern of Congress and the public. In sum, the results of 
our investigations and reviews, as well as other incidents we were made 
aware of, point to some on-going organizational and management 
challenges. The Secret Service has certainly taken steps to address 
these challenges, but not always successfully. These persistent 
challenges may not be easy to resolve through expeditious action, such 
as suspending employees and issuing new guidance. They may require more 
fundamental change that addresses the root cause of the misconduct.
Allegation Into Agent Misconduct at the White House Complex on March 4, 
        2015
    We reviewed the actions of two Secret Service agents who on the 
evening of March 4 had entered an area that had been secured as a 
result of a suspicious package.\2\ We concluded that it was more likely 
than not that both agents' judgment was impaired by alcohol. We found 
that, notwithstanding their denials, both agents were observed by 
uniformed officers as ``not right,'' and ``not making sense,'' had just 
spent the previous 5 hours in a restaurant/bar in which one ran up a 
significant bar tab, and that they drove into a crime scene inches from 
what the rest of the Secret Service was treating as a potential 
explosive device and which, under different circumstances, could have 
endangered their own lives and those of the Uniformed Division (UD) 
officers responding.
---------------------------------------------------------------------------
    \2\ Memorandum, ``Investigation Into the Incident at the White 
House Complex on March 4, 2015'' (May 6, 2015).
---------------------------------------------------------------------------
    While each agent had a duty to report the incident to his superior, 
neither did so. We found that their failure to do so reflected 
either poor judgment or an affirmative desire to hide their activities.
Allegation Into Misuse of Government Resources to Conduct Employee 
        Protection Operations
    We also investigated an allegation that under an operation called 
``Operation Moonlight'' Secret Service personnel and resources were 
directed to conduct surveillance and records checks unrelated to the 
Secret Service's mission.\3\ The complaint alleged that Secret Service 
agents were instructed to use law enforcement databases and conduct 
rotating surveillance shifts on a neighbor of the then-Executive Staff 
Assistant to the former Secret Service Director. We did not find any 
instances in which Secret Service agents approached the neighbor, nor 
could we conclude that the neighbor's house was ever under direct 
surveillance.
---------------------------------------------------------------------------
    \3\ Memorandum, ``Allegations of Misuse of United States Secret 
Service Resources'' (October 17, 2014).
---------------------------------------------------------------------------
    Our ensuing investigation, however, revealed that personnel and 
database resources were misused when Washington Field Office 
``Prowler'' teams periodically checked on the executive staff assistant 
at her residence for about 1 week in early July 2011. Our investigation 
also showed these checks were initiated in response to a private 
dispute and did not occur in the course of official duties or as a 
result of the executive staff assistant's position. In addition, we 
determined that the Prowler team agents were not investigating a 
potential assault on the executive staff assistant; the agents commonly 
described undertaking the checks because of an issue she was having 
with her neighbor.
    Secret Service personnel told us that the Prowler team checks did 
not divert resources from essential functions and responsibilities or 
negatively impact the Secret Service's mission. However, the checks on 
the executive staff assistant in La Plata, Maryland--a 45-minute drive 
from the White House--diverted Prowler personnel from the White House 
area and its surroundings when, on 4 of 5 identified days, the 
President was departing, arriving, or at the White House.
Allegations of Secret Service Misconduct in Cartagena, Colombia
    We also investigated allegations that, in April 2012, during 
preparations for President Obama's visit to Cartagena, Colombia, Secret 
Service agents solicited prostitutes and engaged in other misconduct.
    During our investigation, we independently identified Secret 
Service personnel who directly supported the Cartagena visit and other 
potential witnesses who may have had information about the Cartagena 
trip. We identified the personnel directly involved in the incident, as 
well as the potential witnesses, through documentary sources, including 
official travel records, hotel registries, country clearance cables, 
personnel assignments, and Secret Service and U.S. Embassy records.
    As part of our investigation, we conducted 283 interviews of 251 
Secret Service personnel. Based on our interviews and review of 
records, we identified 13 Secret Service employees who had personal 
encounters with female Colombian nationals consistent with the 
misconduct reported. We determined that one of the female Colombian 
nationals involved in the incident was known to the intelligence 
community. However, we found no evidence that the actions of Secret 
Service personnel had compromised any sensitive information.
    Our investigation determined that 12 Secret Service employees met 
13 female Colombian nationals at bars or clubs and returned with them 
to their rooms at the Hotel Caribe or the Hilton Cartagena Hotel. In 
addition, one Secret Service employee met a female Colombian national 
at the apartment of a Drug Enforcement Administration special agent. We 
interviewed the remaining 12 Secret Service employees who had personal 
encounters with the 13 female Colombian nationals. Through our 
interviews, we learned that following their encounters, 3 females left 
the rooms without asking for money, 5 females asked for money and were 
paid, and 4 females asked for money but were not paid. In addition, 1 
female, who asked to be paid but was not, brought a Colombian police 
officer to the door of the Secret Service employee's room; the employee 
did not answer the door. As a result, she was paid by another Secret 
Service employee and left. A fourteenth Secret Service employee, who 
the Secret Service initially identified as involved in the misconduct, 
was subsequently determined to have been misidentified.
    Of the 13 employees accused of soliciting prostitutes in Cartagena, 
3 were returned to duty with memoranda of counseling, after being 
cleared of serious misconduct. Five employees had their security 
clearance revoked because they either knowingly solicited prostitutes, 
demonstrated lack of candor during the investigation, or both. Five 
employees resigned or retired prior to the adjudication of their 
security clearance. Several of these last 5 employees appealed their 
adverse personnel actions to the United States Merit Systems Protection 
Board.
    After the incident, the Secret Service issued new guidance 
regarding personal behavior, including a directive amending standards 
of conduct with additional policies about off-duty conduct, briefings, 
and supervision on foreign trips.
Other Misconduct by Secret Service Employees
    Although we did not investigate them, 6 incidents that occurred 
between June 2013 and June 2014 highlighted questionable conduct by 
Secret Service employees that affected the Secret Service's protective 
function. These incidents took place after the Secret Service 
instituted new policies (in April 2012) on alcohol use, including 
prohibiting use within 10 hours of reporting for duty and prohibiting 
drinking at the protectee's hotel once a protective visit has begun 
(but permitting drinking ``in moderate amounts'' while off-duty during 
a protective mission).
   In June 2013, 2 UD officers were found to have consumed 
        alcohol during an overseas mission, in violation of the 10-hour 
        rule regarding alcohol consumption. One of the officers, a 
        second-time offender, handled his rifle while under the 
        influence of alcohol. He received a 28-day suspension; the 
        other officer received a 7-day suspension.
   In November 2013, a supervisory agent was involved in an 
        incident at the Hay Adams hotel in Washington, DC. The 
        supervisor began conversing with a woman at the hotel bar and 
        later accompanied the woman to her room. The woman solicited 
        the help of hotel security when she wanted the agent to leave 
        her room, reporting that he had a gun and she was frightened. 
        The agent left the room without incident. The Secret Service 
        conducted an inquiry and issued a letter of reprimand to the 
        agent.
   In December 2013, 4 UD officers were found to have consumed 
        alcohol during a layover on an overseas mission, in violation 
        of the 10-hour rule regarding alcohol consumption. Four of 
        these officers were issued letters of reprimand; the fifth, a 
        second-time offender, was issued a 14-day suspension.
   In March 2014, a UD officer was involved in a car accident 
        while driving a Government-rented vehicle during official 
        travel supporting a Presidential visit. The officer was found 
        to have consumed alcohol in the hours preceding the accident, 
        in violation of the 10-hour rule regarding alcohol consumption. 
        The officer was ultimately served with a 7-day suspension. This 
        officer was one of 10 others who were out together the evening 
        before the accident. Three of the other officers violated the 
        10-hour rule and a fourth misused a Government-rented vehicle. 
        These officers were issued suspensions ranging from 14 days to 
        35 days. One of the officers resigned.
   In March 2014, an agent was sent back to Washington, DC, 
        after he was found unconscious outside his hotel room in The 
        Hague, Netherlands, while on official travel. When interviewed, 
        the agent said he went out to dinner at a restaurant with other 
        Secret Service personnel, during which he had several drinks. 
        After dinner, he and two other agents had several more drinks. 
        The agent could not remember leaving the restaurant or how he 
        got back to his hotel. All three agents were found to have 
        violated the 10-hour rule regarding alcohol consumption. The 
        agent who was found unconscious resigned from the Secret 
        Service. The other two agents were issued suspensions of 28 
        days and 30 days.
   In June 2014, a UD officer flying while armed with his 
        Secret Service-issued handgun consumed 2 beers within the 10 
        hours prior to his flight. He consumed 1 beer at the airport 
        bar after checking in with the gate agent as an armed law 
        enforcement officer. He was issued a 14-day suspension.
             review of systemic employee misconduct issues
    Although after the Cartagena incident, the Secret Service 
investigated the allegations of misconduct, took action against the 
employees involved, and issued new guidance on personal behavior, other 
underlying issues arose during our investigation. In particular, when 
asked how the Secret Service dealt with misconduct allegations in 
general, some employees alleged there was a culture of retaliation and 
disparate treatment of employees, including directed punishment toward 
complainants and those voicing concerns about Secret Service programs 
and operations. Secret Service staff reported that the resulting 
culture may have adversely impacted the employee retention rate. 
Individuals we interviewed also reported that Secret Service officials 
``whitewashed'' allegations of employee misconduct, effectively 
downplaying and underreporting complaints to the Office of Inspector 
General (OIG) so they would appear to be administrative and not 
potentially criminal. These actions would, in turn, cause the 
allegations to be returned to Secret Service internal affairs for 
inquiry instead of OIG accepting them for investigation.
    We decided to further examine these more general allegations, which 
pointed to potentially more wide-spread problems. In December 2013, we 
issued a report on our review of the Secret Service's efforts to 
identify, mitigate, and address instances of misconduct and 
inappropriate behavior. In our report, we described a situation in 
which many employees were hesitant to report off-duty misconduct either 
because of fear that they would be retaliated against or because they 
felt management would do nothing about it. For example, in response to 
one survey question, 56 percent of electronic survey respondents 
indicated that they could report misconduct without fear of 
retaliation, meaning that almost half of the workforce may have feared 
retaliation for reporting misconduct.
    In our survey, we also questioned employees about reporting 
excessive alcohol consumption. Of the 138 electronic survey respondents 
who personally observed excessive alcohol consumption, 118 (86 percent) 
indicated they did not report the behavior. Respondents could select 
multiple reasons for not reporting the behavior. Some frequently cited 
reasons included:
   66 respondents (56 percent) indicated the employee engaged 
        in the behavior while off-duty.
   55 respondents (47 percent) did not believe that management 
        supported employees reporting the behavior.
   47 respondents (40 percent) were afraid of reprisal or 
        retaliation.
    Additionally, we reported that the Secret Service often 
administered penalties that were less severe than the range of 
recommended penalties at other Department law enforcement components. 
We compared the Secret Service's disciplinary response for specific 
infractions to penalties for similar infractions at U.S. Immigration 
and Customs Enforcement (ICE), the Transportation Security 
Administration (TSA), and U.S. Customs and Border Patrol (CBP).
    From 2004 to 2013, the Secret Service administered discipline for a 
single offense to one-time offenders 341 times. Most of the time, the 
Secret Service imposed less severe penalties than one or more of these 
components. Specifically:
   In 265 of the 341 instances (78 percent), the Secret Service 
        administered less severe discipline than one or more of TSA's, 
        ICE's, and CBP's tables of penalties showed those components 
        would have administered. In 141 of these 265 instances (53 
        percent), the Secret Service administered less severe 
        discipline compared to all three components' tables of 
        penalties.
   For the remaining 76 of the 341 instances (22 percent), the 
        Secret Service administered discipline within or above what 
        TSA's, ICE's, and CBP's tables of penalties showed those 
        components would have administered.
    As a result of our findings, we identified areas in which the 
Secret Service needed better management controls for reporting 
misconduct or inappropriate behavior and adjudicating and administering 
disciplinary actions. We made 14 recommendations to improve the Secret 
Service's processes for identifying, mitigating, and addressing 
instances of misconduct and inappropriate behavior. Additionally, we 
suggested the Secret Service continue to monitor and address excessive 
alcohol consumption and personal conduct within its workforce.
    The Secret Service concurred with all 14 recommendations and 
implemented changes to its discipline program. Among the improvements, 
the Secret Service created a table of penalties for determining 
appropriate corrective, disciplinary, or adverse actions for common 
offenses and established a centralized process within headquarters for 
determining and implementing discipline for employee misconduct. 
Because the Secret Service reformed its administrative discipline 
process after our report was issued, we are unable to determine the 
extent to which the pattern of imposing less severe discipline 
continues.
    Correcting underlying shortcomings in the discipline process and 
ensuring fair and consistent discipline are vital to the stability of 
any organization. As part of our performance plan for fiscal year 2016, 
we intend to evaluate the strength of the Department's disciplinary 
processes. We will focus on the depth and breadth of employees' 
perceptions and attitudes about misconduct and the application of 
discipline, DHS's established rules of conduct, and the application of 
discipline across the Department.
 other audit and inspection work involving secret service programs and 
                               operations
    We have also conducted several audit and inspection reports 
regarding Secret Service programmatic responsibilities, outside the 
area of employee misconduct.
Management Alert on UD Officer Fatigue
    We recently issued a management alert in which we identified UD 
officer safety issues that impact officer safety and the Secret 
Service's ability to meet its mission.
    Specifically, during a site visit for an unrelated audit, we 
observed two UD officers sleeping at their posts. Fatigue from travel, 
overtime shifts, and long hours contributed to these incidents. The 
Secret Service referred both officers for disciplinary action. We 
brought this matter to the attention of the Secret Service because of 
our concern that the staffing and scheduling process does not ensure 
officers have adequate breaks while on duty and time off between 
shifts. The Protective Mission Panel report, produced after the fence-
jumping incident, raised concerns that the UD was inadequately staffed, 
necessitating significant overtime. We are concerned that the situation 
has not improved since that report was issued in December 2014.
Inoperable Alarm at Protectee's Residence
    In October 2014, we visited former President George H.W. Bush's 
Houston residence in response to a complaint alleging alarms were 
inoperable. During our visit, we identified issues with the alarm 
system at the residence.
    Specifically, an alarm, which had been installed around 1993, had 
been inoperable for at least 13 months. During this time, the Secret 
Service created a roving post to secure the residence, but the Secret 
Service could not determine the exact time period between when the 
alarm failed and the roving patrol started. We did not identify any 
security breaches that occurred. However, we found problems with 
identifying, reporting, and tracking alarm system malfunctions, and 
with repairing and replacing alarm systems. Secret Service officials 
also told us about security equipment problems, including the need for 
substantial repairs and improvements, at other residences of former 
Presidents.
             future oig work related to the secret service
    In addition to the work we have already completed, we intend to 
conduct audits or evaluations of a number of other Secret Service 
programs and operations:
   On-going Reviews of Three Security Lapses.--We are reviewing 
        three incidents, one from November 2011 and two more that took 
        place in September 2014, all of which highlight security lapses 
        that raise serious concerns about the Secret Service's ability 
        to accomplish its protective mission. For each incident--shots 
        being fired at the White House from Constitution Avenue in 
        November 2011, an intruder jumping over the fence and entering 
        the White House in September 2014, and an armed guard coming in 
        close proximity to the President in September 2014--we are 
        determining whether the Secret Service followed its own 
        protective policies, what actions were taken to correct 
        identified deficiencies, and whether these corrections were 
        adequate. The ultimate aim of our reviews is to determine and 
        understand the root causes of these lapses, which may point to 
        more fundamental and on-going challenges to the Secret 
        Service's mission. This fiscal year, we plan to issue three 
        reports on these incidents, as well as a capping report that 
        identifies root causes and includes any other necessary, 
        overarching recommendations.
   Radio Communications.--We are completing an audit to 
        determine the adequacy of Secret Service radio communications. 
        We will be recommending that the Secret Service upgrade its 
        existing radio communication systems and develop a strategy and 
        time line to continuously upgrade radio communication systems.
   Protective Mission Panel Recommendations.--This fiscal year, 
        we plan to assess the implementation status of recommendations 
        from the Protective Mission Panel to the Secret Service 
        resulting from the September 2014 fence jumping incident.
   Security Clearances.--In response to a Congressional 
        request, we will examine the Secret Service's practices of 
        hiring and deploying personnel without completing the security 
        clearance process. Specifically, we will review the process of 
        granting waivers for personnel to begin work without completing 
        the security clearance process, and the safeguards the Secret 
        Service uses to ensure that those personnel are not given 
        access to Classified information during the course of their 
        duties.
   IT Integration and Transformation.--We will conduct an audit 
        to determine the extent to which the Secret Service's IT 
        Integration and Transformation (IITT) effort to modernize its 
        outdated IT infrastructure supports its investigative and 
        protective missions, goals, and objectives. Historically, the 
        IITT has faced challenges in planning, staffing, and 
        governance. In 2009, the DHS chief information officer 
        determined the effort lacked adequate planning, the development 
        schedule was too aggressive, and the program scope exceeded the 
        allocated budget. As a result of a prior OIG audit, in March 
        2011, we recommended that the Secret Service develop an IT 
        staffing plan, formalize its Executive Steering Committee, and 
        provide the Secret Service Chief Information Officer with the 
        component-wide IT budget and investment review authority needed 
        to ensure success of the IITT. Since our prior audit, the 
        Secret Service has reduced the scope of the IITT and is working 
        with the DHS Chief Financial Officer to ensure that planned 
        capabilities can be delivered within expected funding levels. 
        We expect to complete our audit and issue a final report in the 
        summer of 2016.
    Mr. Chairmen, this concludes my prepared statement. I welcome any 
questions you or other Members of the subcommittees may have.

    Mr. Perry. Thank you, Mr. Roth.
    The Chair now recognizes Mr. Willemssen for an opening 
statement.

STATEMENT OF JOEL C. WILLEMSSEN, MANAGING DIRECTOR, INFORMATION 
    TECHNOLOGY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Willemssen. Thank you, Chairman Perry, Chairman 
Lankford, Ranking Member Watson Coleman, Ranking Member 
Heitkamp, Chairman Johnson of the full committee, Ranking 
Member Thompson of the full committee, Members of the 
subcommittees, thank you for inviting GAO to testify today.
    As requested, I will briefly summarize our statement on 
information security across the Federal Government. GAO has had 
long-standing concerns about the state of information security 
in the Federal Government. We initially identified Federal 
information security as a Government-wide high-risk area 18 
years ago.
    We subsequently expanded this high-risk designation to 
include computerized systems supporting the Nation's critical 
infrastructure and the protection of privacy and personally 
identifiable information. The cyber threats facing our country 
continue to be very serious.
    The impact of these threats is highlighted by recent 
incidents involving breaches of sensitive, personally 
identifiable information and the sharp increase in information 
security incidents reported by Federal agencies over the last 
several years, which have risen from about 5,500 in 2006 to 
about 67,000 in 2014.
    Given the risks posed by external and internal threats in 
the increasing number of incidents, it is crucial that Federal 
agencies take appropriate steps to secure their systems and 
data. However, we and inspectors general have continued to 
identify significant weaknesses and needed security controls.
    For example, for fiscal year 2014, 19 of 24 major Federal 
agencies declared information security as a material weakness 
or significant deficiency. Most of these agencies have reported 
weaknesses in the key control areas that we track, including 
controls intended to prevent, limit, or detect unauthorized or 
inappropriate access to networks and data. In particular, our 
work has often shown that too many agency employees have too 
much unnecessary access to too many systems and databases.
    Agencies need to implement clear policies on access to 
sensitive information and grant access permissions to users at 
the minimum level necessary to perform legitimate job-related 
tasks on a need-to-know basis. Deploying effective monitoring 
and accountability mechanisms to track user activities on 
networks and systems is also essential to ensuring that 
improper access and usage are quickly detected and remedied.
    To address the many information security weaknesses at 
Federal agencies, GAO and inspectors general have made 
thousands of recommendations. Over the last 6 years, GAO has 
made about 2,000 recommendations to improve information 
security programs and controls.
    To date about 58 percent of these recommendations have been 
implemented. Until agencies take actions to address weakness 
and implement GAO and I.G. recommendations, Federal networks 
and sensitive information, including personally identifiable 
information, will be at increased risk from internal and 
external threats.
    Actions to implement recommendations will strengthen 
systems and data security and reduce the risk of cyber 
intrusions or attacks. That concludes the summary of my statement 
and I look forward to addressing the questions.
    Thank you.
    [The prepared statement of Mr. Willemssen follows:]
                Prepared Statement of Joel C. Willemssen
                           November 17, 2015
    Chairman Lankford, Chairman Perry, Ranking Members Heitkamp and 
Watson Coleman, and Members of the subcommittees: Thank you for 
inviting me to testify at today's hearing on on-going challenges at the 
U.S. Secret Service and their Government-wide implications. As 
requested, my statement today will address cyber threats and security 
control weaknesses affecting Federal systems and information.
    As you know, the Federal Government faces an evolving array of 
cyber-based threats to its systems and data, as illustrated by 
recently-reported data breaches at Federal agencies, which have 
affected millions of current and former Federal employees, and the 
increasing number of incidents reported by agencies. Such incidents 
underscore the urgent need for effective implementation of information 
security controls at Federal agencies.
    Since 1997, we have designated Federal information security as a 
Government-wide high-risk area, and in 2003 expanded this area to 
include computerized systems supporting the Nation's critical 
infrastructure. Most recently, in the February 2015 update to our high-
risk list, we further expanded this area to include protecting the 
privacy of personally identifiable information (PII)\1\--that is, 
personal information that is collected, maintained, and shared by both 
Federal and non-Federal entities.\2\
---------------------------------------------------------------------------
    \1\ Personally identifiable information is information about an 
individual, including information that can be used to distinguish or 
trace an individual's identity, such as name, Social Security number, 
mother's maiden name, or biometric records, and any other personal 
information that is linked or linkable to an individual.
    \2\ See GAO, High-Risk Series: An Update, GAO-15-290 (Washington, 
DC: Feb. 11, 2015).
---------------------------------------------------------------------------
    In preparing this statement, we relied on our previous work 
addressing cyber threats and Federal information security efforts. The 
prior reports cited throughout this statement contain detailed 
discussions of the scope of the work and the methodology used to carry 
it out. All the work on which this statement is based was conducted in 
accordance with generally-accepted Government auditing standards. Those 
standards require that we plan and perform audits to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings and 
conclusions based on our audit objectives. We believe that the evidence 
obtained provides a reasonable basis for our findings and conclusions 
based on our audit objectives. A list of related GAO products is 
provided in attachment I.
                               background
    As computer technology has advanced, the Federal Government has 
become increasingly dependent on computerized information systems to 
carry out operations and to process, maintain, and report essential 
information. Federal agencies rely on computer systems to transmit 
proprietary and other sensitive information, develop and maintain 
intellectual capital, conduct operations, process business 
transactions, transfer funds, and deliver services.
    Ineffective protection of these information systems and networks 
can impair delivery of vital services, and result in:
   loss or theft of computer resources, assets, and funds;
   inappropriate access to and disclosure, modification, or 
        destruction of sensitive information, such as personally 
        identifiable information;
   disruption of essential operations supporting critical 
        infrastructure, National defense, or emergency services;
   undermining of agency missions due to embarrassing incidents 
        that erode the public's confidence in Government;
   use of computer resources for unauthorized purposes or to 
        launch attacks on other systems;
   damage to networks and equipment; and
   high costs for remediation.
    Recognizing the importance of these issues, Congress enacted laws 
intended to improve the protection of Federal information and systems. 
These laws include the Federal Information Security Modernization Act 
of 2014 (FISMA),\3\ which, among other things, authorizes the 
Department of Homeland Security (DHS) to: (1) Assist the Office of 
Management and Budget (OMB) with overseeing and monitoring agencies' 
implementation of security requirements; (2) operate the Federal 
information security incident center; and (3) provide agencies with 
operational and technical assistance, such as that for continuously 
diagnosing and mitigating cyber threats and vulnerabilities. The act 
also reiterated the 2002 FISMA requirement for the head of each agency 
to provide information security protections commensurate with the risk 
and magnitude of the harm resulting from unauthorized access, use, 
disclosure, disruption, modification, or destruction of the agency's 
information or information systems.
---------------------------------------------------------------------------
    \3\ The Federal Information Security Modernization Act of 2014 
(Pub. L. No. 113-283, Dec. 18, 2014) (2014 FISMA) largely superseded 
the very similar Federal Information Security Management Act of 2002 
(Title III, Pub. L. No. 107-347, Dec. 17, 2002) (2002 FISMA).
---------------------------------------------------------------------------
    In addition, the act continues the requirement for Federal agencies 
to develop, document, and implement an agency-wide information security 
program. The program is to provide security for the information and 
information systems that support the operations and assets of the 
agency, including those provided or managed by another agency, 
contractor, or other source.
  cyber threats to federal systems continue to evolve amid increasing 
                          numbers of incidents
    Risks to cyber-based assets can originate from unintentional or 
intentional threats. Unintentional threats can be caused by, among 
other things, natural disasters, defective computer or network 
equipment, software coding errors, and the actions of careless or 
poorly-trained employees. Intentional threats include both targeted and 
untargeted attacks from a variety of sources, including criminal 
groups, hackers, disgruntled employees and other organizational 
insiders, foreign nations engaged in espionage and information warfare, 
and terrorists.
    These adversaries vary in terms of their capabilities, willingness 
to act, and motives, which can include seeking monetary or personal 
gain or pursuing a political, economic, or military advantage. For 
example, organizational insiders can pose threats to an organization 
since their position within the organization often allows them to gain 
unrestricted access and cause damage to the targeted system, steal 
system data, or disclose sensitive information without authorization. 
The insider threat includes inappropriate actions by contractors hired 
by the organization, as well as careless or poorly-trained employees.
    As we reported in February 2015,\4\ since fiscal year 2006, the 
number of information security incidents affecting systems supporting 
the Federal Government has steadily increased each year: Rising from 
5,503 in fiscal year 2006 to 67,168 in fiscal year 2014, an increase of 
1,121 percent. Furthermore, the number of reported security incidents 
involving PII at Federal agencies has more than doubled in recent 
years--from 10,481 incidents in fiscal year 2009 to 27,624 incidents in 
fiscal year 2014. (See fig. 1.)
---------------------------------------------------------------------------
    \4\ GAO, High-Risk Series: An Update, GAO-15-290 (Washington, DC: 
February 2015).
---------------------------------------------------------------------------
    These incidents and others like them can adversely affect National 
security; damage public health and safety; and lead to inappropriate 
access to and disclosure, modification, or destruction of sensitive 
information. Recent examples highlight the impact of such incidents:
   In June 2015, the Office of Personnel Management reported 
        that an intrusion into its systems affected the personnel 
        records of about 4.2 million current and former Federal 
        employees. The Director stated that a separate but related 
        incident involved the agency's background investigation systems 
        and compromised background investigation files for 21.5 million 
        individuals.
   In June 2015, the Commissioner of the Internal Revenue 
        Service testified that unauthorized third parties had gained 
        access to taxpayer information from its ``Get Transcript'' 
        application. According to officials, criminals used taxpayer-
        specific data acquired from non-Department sources to gain 
        unauthorized access to information on approximately 100,000 tax 
        accounts. This data included Social Security information, dates 
        of birth, and street addresses. In an August 2015 update, the 
        agency reported this number to be about 114,000 and that an 
        additional 220,000 accounts had been inappropriately accessed, 
        which brings the total to about 330,000 accounts.
   In April 2015, the Department of Veterans Affairs' Office of 
        Inspector General reported that two contractors had improperly 
        accessed the agency's network from foreign countries using 
        personally-owned equipment.\5\
---------------------------------------------------------------------------
    \5\ Department of Veterans Affairs, Office of Inspector General, 
Administrative Investigation Improper Access to the VA Network by VA 
Contractors from Foreign Countries Office of Information and Technology 
Austin, TX, Report No. 13-01730-159 (Washington, DC: April 2015).
---------------------------------------------------------------------------
   In February 2015, the director of national intelligence 
        stated that unauthorized computer intrusions were detected in 
        2014 on the networks of the Office of Personnel Management and 
        two of its contractors. The two contractors were involved in 
        processing sensitive PII related to National security 
        clearances for Federal employees.\6\
---------------------------------------------------------------------------
    \6\ James R. Clapper, Director of National Intelligence, World-wide 
Threat Assessment of the U.S. Intelligence Community, testimony before 
the Senate Committee on Armed Services, February 26, 2015.
---------------------------------------------------------------------------
   In September 2014, a cyber intrusion into the United States 
        Postal Service's information systems may have compromised PII 
        for more than 800,000 of its employees.\7\
---------------------------------------------------------------------------
    \7\ Randy S. Miskanic, Secure Digital Solutions Vice President of 
the United States Postal Service, Examining Data Security at the United 
States Postal Service, testimony before the Subcommittee on Federal 
Workforce, U.S. Postal Service and the Census, 113th Congress, November 
19, 2014.
---------------------------------------------------------------------------
   In October 2013, a wide-scale cybersecurity breach involving 
        a U.S. Food and Drug Administration system occurred that 
        exposed the PII of 14,000 user accounts.\8\
---------------------------------------------------------------------------
    \8\ Department of Health and Human Services, Office of Inspector 
General, Penetration Test of the Food and Drug Administration's 
Computer Network, Report No. A-18-13-30331 (Washington, DC: October 
2014).
---------------------------------------------------------------------------
  information security weaknesses place federal systems and sensitive 
                              data at risk
    Given the risks posed by cyber threats and the increasing number of 
incidents, it is crucial that Federal agencies take appropriate steps 
to secure their systems and information. We and agency inspectors 
general have identified numerous weaknesses in protecting Federal 
information and systems. Agencies continue to have shortcomings in 
assessing risks, developing and implementing security controls, and 
monitoring results. Specifically, for fiscal year 2014, 19 of the 24 
Federal agencies covered by the Chief Financial Officers Act \9\ 
reported that information security control deficiencies were either a 
material weakness or a significant deficiency in internal controls over 
their financial reporting.\10\ Moreover, inspectors general at 23 of 
the 24 agencies cited information security as a major management 
challenge for their agency.
---------------------------------------------------------------------------
    \9\ The 24 agencies are the Departments of Agriculture, Commerce, 
Defense, Education, Energy, Health and Human Services, Homeland 
Security, Housing and Urban Development, the Interior, Justice, Labor, 
State, Transportation, the Treasury, and Veterans Affairs; the 
Environmental Protection Agency; General Services Administration; 
National Aeronautics and Space Administration; National Science 
Foundation; Nuclear Regulatory Commission; Office of Personnel 
Management; Small Business Administration; Social Security 
Administration; and the U.S. Agency for International Development.
    \10\ A material weakness is a deficiency, or combination of 
deficiencies, that results in more than a remote likelihood that a 
material misstatement of the financial statements will not be prevented 
or detected. A significant deficiency is a control deficiency, or 
combination of control deficiencies, in internal control that is less 
severe than a material weakness, yet important enough to merit 
attention by those charged with governance. A control deficiency exists 
when the design or operation of a control does not allow management or 
employees, in the normal course of performing their assigned functions, 
to prevent or detect and correct misstatements on a timely basis.
---------------------------------------------------------------------------
    As we reported in September 2015, for fiscal year 2014, most of the 
24 agencies had weaknesses in the 5 major categories of information 
system controls.\11\ These control categories are: (1) Access controls, 
which limit or detect access to computer resources (data, programs, 
equipment, and facilities), thereby protecting them against 
unauthorized modification, loss, and disclosure; (2) configuration 
management controls, intended to prevent unauthorized changes to 
information system resources (for example, software programs and 
hardware configurations) and assure that software is current and known 
vulnerabilities are patched; (3) segregation of duties, which prevents 
a single individual from controlling all critical stages of a process 
by splitting responsibilities between 2 or more organizational groups; 
(4) contingency planning,\12\ which helps avoid significant disruptions 
in computer-dependent operations; and (5) agency-wide security 
management, which provides a framework for ensuring that risks are 
understood and that effective controls are selected, implemented, and 
operating as intended. (See fig. 2.)
---------------------------------------------------------------------------
    \11\ GAO, Federal Information Security: Agencies Need to Correct 
Weaknesses and Fully Implement Security Programs, GAO-15-714 
(Washington, DC: Sept. 29, 2015).
    \12\ Contingency planning for information systems is part of an 
overall organizational program for achieving continuity of operations 
for mission/business operations.
---------------------------------------------------------------------------
   Access controls.--For fiscal year 2014, we, agencies, and 
        inspectors general reported weaknesses in the electronic and 
        physical controls to limit, prevent, or detect inappropriate 
        access to computer resources (data, equipment, and facilities), 
        thereby increasing their risk of unauthorized use, 
        modification, disclosure, and loss. Access controls involve the 
        6 critical elements described in table 1.

  TABLE 1.--CRITICAL ELEMENTS FOR ACCESS CONTROL TO COMPUTER RESOURCES
 
------------------------------------------------------------------------
              Element                            Description
------------------------------------------------------------------------
Boundary Protection...............  Boundary protection controls logical
                                     connectivity into and out of
                                     networks and controls connectivity
                                     to and from devices that are
                                     connected to a network. For
                                     example, multiple firewalls can be
                                     deployed to prevent both outsiders
                                     and trusted insiders from gaining
                                     unauthorized access to systems, and
                                     intrusion detection and prevention
                                     technologies can be deployed to
                                     defend against attacks from the
                                     internet.
User Identification and             A computer system must be able to
 Authentication.                     identify and authenticate different
                                     users so that activities on the
                                     system can be linked to specific
                                     individuals. When an organization
                                     assigns a unique user account to
                                     specific users, the system is able
                                     to distinguish one user from
                                     another--a process called
                                     identification. The system also
                                     must establish the validity of a
                                     user's claimed identity by
                                     requesting some kind of
                                     information, such as a password,
                                     that is known only by the user--a
                                     process known as authentication.
                                     Multifactor authentication involves
                                     using two or more factors to
                                     achieve authentication. Factors
                                     include something you know
                                     (password or personal
                                     identification number), something
                                     you have (cryptographic
                                     identification device or token), or
                                     something you are (biometric). The
                                     combination of identification and
                                     authentication provides the basis
                                     for establishing accountability and
                                     for controlling access to the
                                     system.
Authorization.....................  Authorization is the process of
                                     granting or denying access rights
                                     and permissions to a protected
                                     resource, such as a network, a
                                     system, an application, a function,
                                     or a file. For example, operating
                                     systems have some built-in
                                     authorization features such as
                                     permissions for files and folders.
                                     Network devices, such as routers,
                                     may have access control lists that
                                     can be used to authorize users who
                                     can access and perform certain
                                     actions on the device.
                                     Authorization controls help
                                     implement the principle of ``least
                                     privilege,'' which the National
                                     Institute of Standards and
                                     Technology describes as allowing
                                     only authorized accesses for users
                                     (or processes acting on behalf of
                                     users) which are necessary to
                                     accomplish assigned tasks in
                                     accordance with organizational
                                     missions and business functions.
Cryptography......................  Cryptography underlies many of the
                                     mechanisms used to enforce the
                                     confidentiality and integrity of
                                     critical and sensitive information.
                                     Examples of cryptographic services
                                     are encryption, authentication,
                                     digital signature, and key
                                     management. Cryptographic tools
                                     help control access to information
                                     by making it unintelligible to
                                     unauthorized users and by
                                     protecting the integrity of
                                     transmitted or stored information.
Auditing and Monitoring...........  To establish individual
                                     accountability, monitor compliance
                                     with security policies, and
                                     investigate security violations, it
                                     is necessary to determine what,
                                     when, and by whom specific actions
                                     have been taken on a system.
                                     Agencies do so by implementing
                                     software that provides an audit
                                     trail, or logs of system activity,
                                     that they can use to determine the
                                     source of a transaction or
                                     attempted transaction and to
                                     monitor users' activities.
Physical Security.................  Physical security controls help
                                     protect computer facilities and
                                     resources from espionage, sabotage,
                                     damage, and theft. Examples of
                                     physical security controls include
                                     perimeter fencing, surveillance
                                     cameras, security guards, locks,
                                     and procedures for granting or
                                     denying individuals physical access
                                     to computing resources. Physical
                                     controls also include environmental
                                     controls such as smoke detectors,
                                     fire alarms, extinguishers, and
                                     uninterruptible power supplies.
                                     Considerations for perimeter
                                     security include controlling
                                     vehicular and pedestrian traffic.
                                     In addition, visitors' access to
                                     sensitive areas is to be managed
                                     appropriately.
------------------------------------------------------------------------
Source: GAO. GAO-16-194T

    For fiscal year 2014, 12 agencies had weaknesses reported in 
protecting their networks and system boundaries. For example, the 
access control lists on one agency's firewall did not prevent traffic 
coming or initiated from the public internet protocol addresses of a 
contractor site and a U.S. telecom corporation from entering its 
network. Additionally, 20 agencies, including DHS, had weaknesses 
reported in their ability to appropriately identify and authenticate 
system users. To illustrate, agencies had weak password controls, such 
as using system passwords that had not been changed from the easily 
guessable default passwords or did not expire.
    Eighteen agencies, including DHS, had weaknesses reported in 
authorization controls for fiscal year 2014. For example, one agency 
had not consistently or in a timely manner removed, transferred, and/or 
terminated employee and contractor access privileges from multiple 
systems. Another agency also had granted access privileges 
unnecessarily, which sometimes allowed users of an internal network to 
read and write files containing sensitive system information. In fiscal 
year 2014, 4 agencies had weaknesses reported in the use of encryption 
for protecting data.
    In addition, DHS and 18 other agencies had weaknesses reported in 
implementing an effective audit and monitoring capability. For 
instance, one agency did not sufficiently log security-relevant events 
on the servers and network devices of a key system. Moreover, 10 
agencies, including DHS, had weaknesses reported in their ability to 
restrict physical access or harm to computer resources and protect them 
from unauthorized loss or impairment. For example, a contractor of an 
agency was granted physical access to a server room without the 
required approval of the office director.
   Configuration management.--For fiscal year 2014, 22 
        agencies, including DHS, had weaknesses reported in controls 
        that are intended to ensure that only authorized and fully-
        tested software is placed in operation, software and hardware 
        is updated, information systems are monitored, patches are 
        applied to these systems to protect against known 
        vulnerabilities, and emergency changes are documented and 
        approved. For example, 17 agencies, including DHS, had 
        weaknesses reported with installing software patches and 
        implementing current versions of software in a timely manner.
   Segregation of duties.--Fifteen agencies, including DHS, had 
        weaknesses in controls for segregation of duties. These 
        controls are the policies, procedures, and organizational 
        structure that help to ensure that one individual cannot 
        independently control all key aspects of a computer-related 
        operation and thereby take unauthorized actions or gain 
        unauthorized access to assets or records. For example, a 
        developer from one agency had been authorized inappropriate 
        access to the production environment of the agency's system.
   Continuity of operations.--DHS and 17 other agencies had 
        weaknesses reported in controls for their continuity of 
        operations practices for fiscal year 2014. Specifically, 16 
        agencies did not have a comprehensive contingency plan. For 
        example, one agency's contingency plans had not been updated to 
        reflect changes in the system boundaries, roles, and 
        responsibilities, and lessons learned from testing contingency 
        plans at alternate processing and storage sites. Additionally, 
        15 agencies had not regularly tested their contingency plans.
   Security management.--For fiscal year 2014, DHS and 22 other 
        agencies had weaknesses reported in security management, which 
        is an underlying cause for information security weaknesses 
        identified at Federal agencies. An agency-wide security 
        program, as required by FISMA, provides a framework for 
        assessing and managing risk, including developing and 
        implementing security policies and procedures, conducting 
        security awareness training, monitoring the adequacy of the 
        entity's computer-related controls through security tests and 
        evaluations, and implementing remedial actions as appropriate.
    We have also identified inconsistencies with the Government's 
approach to cybersecurity, including the following:
    Overseeing the security controls of contractors providing IT 
services.--In August 2014, we reported that 5 of 6 agencies we reviewed 
were inconsistent in overseeing assessments of contractors' 
implementation of security controls.\13\ This was partly because 
agencies had not documented IT security procedures for effectively 
overseeing contractor performance. In addition, according to OMB, 16 of 
24 agency inspectors general determined that their agency's program for 
managing contractor systems lacked at least one required element.
---------------------------------------------------------------------------
    \13\ GAO, Information Security: Agencies Need to Improve Oversight 
of Contractor Controls, GAO-14-612 (Washington, DC: Aug. 8, 2014).
---------------------------------------------------------------------------
    Responding to cyber incidents.--In April 2014, we reported that the 
24 agencies did not consistently demonstrate that they had effectively 
responded to cyber incidents.\14\ Specifically, we estimated that 
agencies had not completely documented actions taken in response to 
detected incidents reported in fiscal year 2012 in about 65 percent of 
cases.\15\ In addition, the 6 agencies we reviewed had not fully 
developed comprehensive policies, plans, and procedures to guide their 
incident response activities.
---------------------------------------------------------------------------
    \14\ GAO, Information Security: Agencies Need to Improve Cyber 
Incident Response Practices, GAO-14-354 (Washington, DC: Apr. 30, 
2014).
    \15\ This estimate was based on a statistical sample of cyber 
incidents reported in fiscal year 2012, with 95 percent confidence that 
the estimate falls between 58 and 72 percent.
---------------------------------------------------------------------------
    Responding to breaches of PII.--In December 2013, we reported that 
8 Federal agencies had inconsistently implemented policies and 
procedures for responding to data breaches involving PII.\16\ In 
addition, OMB requirements for reporting PII-related data breaches were 
not always feasible or necessary. Thus, we concluded that agencies may 
not be consistently taking actions to limit the risk to individuals 
from PII-related data breaches and may be expending resources to meet 
OMB reporting requirements that provide little value.
---------------------------------------------------------------------------
    \16\ GAO, Information Security: Agency Responses to Breaches of 
Personally Identifiable Information Need to Be More Consistent, GAO-14-
34 (Washington, DC: Dec. 9, 2013).
---------------------------------------------------------------------------
    Over the last several years, we and agency inspectors general have 
made thousands of recommendations to agencies aimed at improving their 
implementation of information security controls. For example, we have 
made about 2,000 recommendations over the last 6 years. These 
recommendations identify actions for agencies to take in protecting 
their information and systems. To illustrate, we and inspectors general 
have made recommendations for agencies to correct weaknesses in 
controls intended to prevent, limit, and detect unauthorized access to 
computer resources, such as controls for protecting system boundaries, 
identifying and authenticating users, authorizing users to access 
systems, encrypting sensitive data, and auditing and monitoring 
activity on their systems. We have also made recommendations for 
agencies to implement their information security programs and protect 
the privacy of PII held on their systems.
    However, many agencies continue to have weaknesses in implementing 
these controls in part because many of these recommendations remain 
unimplemented. For example, about 42 percent of the recommendations we 
have made during the last 6 years remain unimplemented. Until Federal 
agencies take actions to implement the recommendations made by us and 
the inspectors general, Federal systems and information, as well as 
sensitive personal information about the public, will be at an 
increased risk of compromise from cyber-based attacks and other 
threats.
    In conclusion, the dangers posed by a wide array of cyber threats 
facing the Nation are heightened by weaknesses in the Federal 
Government's approach to protecting its systems and information. While 
recent Government-wide initiatives, including the 30-day Cybersecurity 
Sprint,\17\ hold promise for bolstering the Federal cybersecurity 
posture, it is important to note that no single technology or set of 
practices is sufficient to protect against all these threats. A 
``defense in depth'' strategy that includes well-trained personnel, 
effective and consistently applied processes, and appropriately 
implemented technologies is required. While agencies have elements of 
such a strategy in place, more needs to be done to fully implement it 
and to address existing weaknesses. In particular, implementing our and 
agency inspectors general recommendations will strengthen agencies' 
ability to protect their systems and information, reducing the risk of 
a potentially devastating cyber attack.
---------------------------------------------------------------------------
    \17\ In June 2015, the Federal Chief Information Officer launched 
the 30-day Cybersecurity Sprint, during which agencies were to take 
immediate actions to combat cyber threats within 30 days. Actions 
included patching critical vulnerabilities, tightening policies and 
practices for privileged users, and accelerating the implementation of 
multifactor authentication.
---------------------------------------------------------------------------
    Chairman Lankford, Chairman Perry, Ranking Members Heitkamp and 
Watson Coleman, and Members of the subcommittees, this concludes my 
statement. I would be happy to answer your questions.

    Mr. Perry. Thank you Mr. Willemssen. Chair now recognizes 
himself for some questions beginning with Mr. Roth.
    Mr. Roth, how many subpoenas regarding the Chaffetz 
incident and the MCI, the Master Central Index, how many 
subpoenas were issued?
    Mr. Roth. I believe it was only one subpoena.
    Mr. Perry. So why if there were multiple individuals that 
admittedly breached the information and may have compromised it 
why would only one subpoena be issued? Why wouldn't there be 
multiple subpoenas issued for multiple individuals?
    Mr. Roth. Well, most of the information that we received 
were from Government data systems so no subpoena would be 
necessary. The only time we have to subpoena information is if 
we were going to a third party, like a telephone record 
provider for example.
    Typically it is our policy in these kinds of circumstances 
to have a level of predication before we go and subpoena 
somebody's personal telephone records. We had predication only 
on one individual rather than the hundreds who may have had 
access to that information.
    Mr. Perry. Even those who admitted to wrongdoing?
    Mr. Roth. That is correct.
    Mr. Perry. Was the Index searched for other improper access 
incidences?
    Mr. Roth. It was not. The Index itself was created in 1984. 
It did not have the ability to readily do the kinds of 
forensics that you would do on a modern data system. In fact, 
what we were required to do, that is what the administrators of 
the database were required to do, were actually write scripts 
or programs to be able to find access to this information.
    It was a highly time-consuming kind of a thing and because 
the--sort of the necessity for finding answers as quickly as we 
could, we only restricted it to Chairman Chaffetz's name.
    Mr. Perry. So then, based on that, would it be correct to 
say that we have absolutely no idea at this point regarding 
that data system, the Master Central Index, if any other 
Americans or any other citizens have had similar things occur 
regarding their personally identifiable information, whether it 
was searched, whether it was divulged. We have no idea?
    Mr. Roth. That is correct.
    Mr. Perry. That is a bit unsettling. Director Clancy, are 
you familiar with Operation Moonlight?
    Mr. Clancy. Sir, I am familiar with some of the details of 
that, yes.
    Mr. Perry. Can you just inform us? I understand you have 
got thousands of employees. This hearing is not meant to impugn 
or besmirch the credibility of your agency. I think Americans 
have traditionally and currently, have the highest regard and 
want to have that. But how does that--something like that 
happen? Can you?
    Mr. Clancy. Yes sir.
    Mr. Perry. So Secret Service agents used Government 
information, accessed databases and then used equipment, time, 
material to surveil essentially, a private citizen's property 
without any due cause of anything. Is that essentially--I mean, 
that is my narrative but what is yours? Then how does that 
happen?
    Mr. Clancy. Sir forgive me as I was not here during that 
time frame so I am going to rely on some briefings when I first 
came in as the acting director and it was found as the OIG's 
report illustrates, people made very poor decisions. There was 
misjudgment. It should not have happened and there were some 
changes made in our management.
    Mr. Perry. Well, I will tell you. I looked at--and I 
imagine you are familiar with it. I am just going to read you 
the subject, is ``Directive 2015-09, Disciplinary and Adverse 
Actions''. Right?
    Mr. Clancy. Yes sir.
    Mr. Perry. It is from your agency and I guess it is moving 
forward based on what has occurred regarding the information in 
the data breach. I just wanted to give you a flavor of what I 
see here: ``An employee is entitled to,'' ``the employee is 
entitled to,'' ``the employee is entitled to''--I am just kind 
of going through each paragraph----
    ``The employee will be provided with;'' ``the employee 
shall have an opportunity to;'' ``the employee is entitled 
to''. You kind-of get my gist, and the reason I say that is--
what I am wondering is and I think what a lot of Americans are 
wondering is what are the consequences of the actions of 45 or 
41 employees who accessed Mr. Chaffetz's data and then whoever 
disseminated it up to 60 times?
    What are the consequences to those individuals? We see what 
the employee's rights are.
    Mr. Clancy. Yes.
    Mr. Perry. Right?
    Mr. Clancy. Yes sir.
    Mr. Perry. But what are the consequences? How does Mr. 
Chaffetz get his reputation back? What is going to happen to 
these individuals? What is currently happening? Where do things 
stand?
    Mr. Clancy. Mr. Chairman, Secretary Johnson and I met and 
talked about this in a true sense of transparency because 
myself and my executive staff have been all interviewed in this 
case. We made a joint decision that the Department of Homeland 
Security would make the proposals. In this case I will tell 
you--and I have heard the comments that were made today, of 
reprehensible, disturbing, embarrassing.
    I agree with everything that has been said here today and 
my workforce does as well. In fact, this hearing today will 
help me get this word out, the importance of protecting PII. We 
have all this, the training and we have the ethics guides and 
we go out and train are new recruits but a hearing like this 
puts a definitive stamp on our failures.
    In this case, the individuals to answer your questions, Mr. 
Chairman, in this case, we are proposing, as of today, 
approximately 42--I don't--don't hold me to that number, 
approximately 42 will be issued a proposal of discipline 
ranging from anywhere from 3 days to 12 days of a suspension.
    Mr. Perry. So that is the maximum? The maximum is 12 days 
of--I am going to--the Chair is going to indulge himself on the 
time here a little bit. I am following a lot of questioning. So 
the maximum penalty, the maximum of repercussion for doing--we 
all know that when you look at these computer systems there is 
a warning in front that this is to be used for official 
business only and we all know.
    Look, I hold as your folks do, a Secret security clearance, 
Top Secret security clearance. Everybody in the rooms knows, 
everybody in your agency knows that using this information for 
what it was used for was incorrect, improper, unauthorized, 
illegal.
    The most we can hope for, the most disciplinary--toughest, 
disciplinary action right now is not a loss or revocation of 
your Secret security clearance, not the loss of your 
employment, it is 12 days suspension? I just want to be clear? 
Is that correct?
    Mr. Clancy. Mr. Chairman, that is for the Grades 15 and 
below. Those proposals have been issued as of today I am pretty 
sure on that. The SES-level folks have not had their discipline 
proposed as of this date.
    Mr. Perry. Is Mr. Lowery an SES-level employee?
    Mr. Clancy. He is, yes.
    Mr. Perry. What is the range of options of discipline or 
consequence for Mr. Lowery, if you can inform--I am not asking 
you to tell us which one it is because maybe you are still 
completing your investigation, but what can we expect?
    Mr. Clancy. The range goes from a letter of reprimand all 
the way up to removal.
    Mr. Perry. Thank you. The Chair now recognizes the 
gentleman from Oklahoma.
    Senator Lankford. Would like to defer my questioning time 
to the Ranking Member. She has to be on the floor actually, of 
the Senate in a little bit. Actually working through a bill, so 
I would like to defer my time.
    Mr. Perry. So ordered.
    Senator Heitkamp. Thank you, Chairman Lankford.
    Every one of the--Mr. Clancy--Director Clancy, every 
incident that we know of, there seems like there wasn't an 
adult in the room. That there was no one who provided that 
voice of saying, ``Hey, guys, this is not the way to do this. 
Hey, we have a responsibility that is higher.''
    So while we look at management and we look at resources, 
you said in your testimony, you talked about how the corporate 
culture of the Secret Service is a priceless commodity.
    Every day that priceless commodity gets threatened by 
agents not willing to be the adult in the room, not willing to 
be the person who stands up and says, knock it off. Because you 
can't do it just from a management standpoint. You have got to 
change the culture at the bottom and I think that is one of the 
concerns we have.
    Is that it seems like all of this has happened with a great 
impunity and almost--you know, you can't touch me, you know, as 
the Chairman just talked about, or it is okay to do this. So, I 
want to know as we look at management changes, as we look at 
systemic rules and policies, those rules and policies are only 
as good as the commitment that people at every level within the 
Secret Service have for change.
    So what are you doing within the Secret Service to build 
capacity for people to be the adult in the room, to stop this 
at the source and say this is not what we do in the Secret 
Service?
    Mr. Clancy. Thank you, Senator. This discipline system that 
we have in place now is relatively new. It is approximately 2 
years old and then with--which includes a table of penalties. 
In the past, discipline was handled at a more local level. Now 
everything is funneled up to our Office of Integrity.
    Senator Heitkamp. I don't mean to interrupt but I am not 
talking about discipline. I am talking about culture and 
obviously consequences are part of changing that culture. But 
what about the integrity at every level? Of basically saying we 
don't do this. We don't go to hotels and hire, you know, people 
to service us.
    We don't, you know, drive into the White House and disrupt 
a major investigation. We don't access a Congressman's secret 
records. We don't do that. Who is the person? How are we 
training people at every level to stand up and stop this 
behavior? Because I don't think we can do it just having 
hearings like this.
    I think we have got to restore this priceless commodity 
that you are talking about, which is the integrity element of 
the men and women at every level, knowing that it is their 
responsibility to help maintain the integrity of the Secret 
Service.
    Mr. Clancy. I agree with you, Senator. We have to do more 
in terms of communicating with our people. We can have all the 
training exercises and all the on-line training, but for 
example, I have been to approximately 10 of our field offices, 
all of our protective details. I speak personally to our 
agents. I walk around the White House, talk to the officers.
    I meet all the recruits prior to their graduation, both 
agent and UD. I tell them what they represent and what is 
expected of them. But I have got to do more of that as well as 
our staff. We have to just keep communicating, keep 
communicating to our people.
    Again, what the Congress is doing today is a help to us and 
to our agency because again, the seriousness of what we have 
done in this particular case, resonates by these types of 
hearings.
    Senator Heitkamp. Thank you, Mr. Chairman. Yield back.
    Mr. Perry. The Chair thanks the gentlelady.
    The Chair recognizes Mrs. Watson Coleman from New Jersey.
    Mrs. Watson Coleman. Thank you, Mr. Chairman.
    Mr. Director, I want to talk about the Protective Mission 
Panel's recommendations. One of the things I think was noted in 
the panel was that we needed new leadership. We needed 
leadership from outside of this organization that didn't have 
the long-term relationships that might be somehow influenced by 
the relationships they did have and seeing it in a sort of 
insular way.
    You have a 27-year record or experience with the agency. 
Clearly, you are an insider. There was a removal of a number of 
deputies and they were replaced. The majority of the deputies 
that were replaced were also from within the agency with long 
service records.
    My question is: How do we change the culture of the 
organization if the very top leadership has been a part of that 
culture and perhaps only sees this organization from within?
    Would we have not been better served had you identified the 
capacity to go to the outside and find people with certain 
skills, leadership abilities, accountabilities that would have 
transcended the relationships that individuals may have had?
    Could that possibly have helped us to become more 
efficient, more effective, and more accountable as an agency?
    Mr. Clancy. Thank you for that question. I will tell you 
that I respect if you, if many, that thought that this 
position, the director's position, should have been someone 
from the outside. There is good reason for that. I understand 
that.
    I consider the fact that I left the Service for 3 years, 
worked in private industry, has allowed me to bring in some 
outside views on how to run a business and how to run this 
agency. So what I did do is, first of all, I brought in a chief 
operating officer, a civilian from outside the agency.
    That COO, chief operating officer, is equivalent to the 
deputy director. Additionally, we have created a lot of 
subject-matter expert positions where traditionally, they 
answer to agents--you know, prior to me arriving here, all of 
the top-level security was run by agents. Some of them, 
candidly, were not subject-matter experts.
    For example, finance. We now have a chief financial officer 
who does not answer directly to an assistant director who is an 
agent, she is the chief financial officer. Chief technology 
officer is an engineer, not an agent. The chief strategy 
officer is a lawyer who is not an agent. There are a few others 
as well.
    So we have brought in, we are trying to bring in this 
outside perspective to run this business but also move the 
agents into our core mission of protection and investigations.
    Mrs. Watson Coleman. So talk to me a little bit about your 
ability to bring in not only new people into the agency, but 
more diverse people. Because the information that I have read 
regarding the Secret Service is that it is predominantly white 
male.
    There is a small percentage of women and not very--not 
consistent with across the board in Federal Government. What 
are you doing to address the issue of lack of diversity in 
terms of race and ethnicity and gender in positions? What are 
you doing to address the long-standing and outstanding issue 
with the civil rights complaints?
    Mr. Clancy. Yes.
    Mrs. Watson Coleman. Moving beyond them as opposed to using 
the system to delay the implementation of the corrective 
actions that could be taking place. Thank you.
    Mr. Clancy. In terms of diversity, I think I would ask you 
first to look at my executive staff. On that staff of 
approximately 12 people, we have 5 African-Americans, 6 
females. But going down throughout the ranks, you are correct. 
We are not where we want to be with diversity.
    So we are targeting universities that provide diversity for 
us. We have shortened our hiring process where we can go to 
these universities and over a weekend period of time, do a 
testing, an interview and a polygraph if the first two steps 
are met.
    But we are targeting specific areas of the country to 
really work on this diversity because we are deficient in that 
area, certainly with females as well. We are working diligently 
to try to improve that diversity.
    Mrs. Watson Coleman. Thank you. I yield back for another.
    Mr. Perry. Chair thanks the gentlelady. The Chair now 
recognizes Mr. Johnson from Wisconsin.
    Senator Johnson. Thank you, Mr. Chairman. Inspector General 
Roth, in your written testimony, you state that, ``Information 
was accessed by Secret Service employees on approximately 60 
occasions between March 25 and April 2nd of this year.'' Then 
you went on to say, ``We concluded that a vast majority of 
those who accessed this information did so in violation of the 
Privacy Act of 1974.''
    What are the penalties for violating the Privacy Act of 
1974?
    Mr. Roth. There are civil penalties for the agency that is 
involved if there is a wide-spread sort of gross negligence 
standard. So there are civil penalties, that is monetary 
penalties, for the agency involved. For individuals who 
accessed the system--improperly, knowing that it was protected 
under the Privacy Act that is a misdemeanor, which has a fine 
as a penalty but no custodial sentence.
    Senator Johnson. Is there any Department of Justice 
investigation being undertaken right now to determine whether 
those misdemeanors were in fact going to--are they going to be 
prosecuted?
    Mr. Roth. No. During the course of our investigation we 
presented a case, the most compelling case we had and it was 
declined by the U.S. attorney's office.
    Senator Johnson. Why would that be?
    Mr. Roth. There are several reasons. First of all, each 
individual agent has a Fifth Amendment right to not speak to us 
if in fact he is under criminal jeopardy. So we could not 
interview individuals, compel their interview, which we 
ultimately had to do in this case for a lack of voluntary 
cooperation.
    So the level of evidence that the Department of Justice had 
was not sufficient for them to move forward. Additionally, when 
one looks at the penalty, it was simply a matter of competing 
resources.
    Senator Johnson. Director Clancy, you know, I got involved 
in looking into the cultural problems with the Secret Service 
back in early 2012 after the events at Cartagena. This is not 
why I ran for the United States Senate, was to look into the 
Secret Service. It is an agency that we all want to have a high 
deal of credibility and note, as you stated in your testimony, 
the culture--in many respects is almost, you know, beyond 
reproach.
    I mean, it is a fabulous agency, they are doing great work. 
But on the other hand, there is a real cultural problem. What 
are you going to do about it? I mean, I hear communication. I 
understand communication but actions speak far louder than 
words. When we are just talking a disciplinary process when 
there are violations of the Privacy Act and there are no 
prosecutions of it.
    There is nobody held to--even the misdemeanor penalties. 
There is nothing more corrosive in an organization that has a 
cultural problem when misdeeds go unpunished. So what actions 
are going to be taken? This is 3 years now.
    You know, Cartagena occurred in April 2012. We had 2013 and 
2014 and 2015. Three years later, we have a number of members 
of the Secret Service, violating the Privacy Act, violating DHS 
and Secret Service procedures. It doesn't seem like we are 
getting a handle on the cultural problem within the Secret 
Service.
    Mr. Roth. Senator, Mr. Chairman, thank you for that 
question.
    We have removed people from the Secret Service. You 
mentioned Cartagena, several were removed in that case. As of 
today we are in the process of proposing a removal for an 
individual, unrelated to this. People are removed in the Secret 
Service.
    This Table of Penalties--I know we have referred to it a 
few times here, but we have used--we have benchmarked that with 
other agencies, so we are--want to be consistent with what is 
being done across the board.
    Just recently, I published for the first time to our entire 
workforce our integrity, the discipline over the past year, so 
they can see what types of cases are out there, are supervisors 
being disciplined equal to the work force. We are trying to be 
transparent, again, that communication is critical here, but we 
are trying to be more transparent, and driving home the point 
that people will be held accountable.
    In this case, they will be held accountable.
    Senator Johnson. As the Chairman was pointing out, there 
are an awful lot of protections for the employees, for the 
actual agents, but again, it is hard to see the accountability.
    Do you find that to be a problem? Are you constrained in 
what actions you would like to take, based on all the 
protections for the agents? I mean, should we have--should we 
be looking at the law there, and making sure the agencies have 
enough power to actually hold people accountable?
    Mr. Roth. Well, I think the excepted service would give us, 
would allow us to speed up that--the proposals in the 
discipline process. I know sometimes we are delayed in the 
process as we move forward.
    Senator Johnson. So, you would like some ability to take 
stronger action quicker?
    Mr. Roth. Yes, yes, Mr. Chairman.
    Senator Johnson. Good. I think we need to take that into 
account.
    Thank you, Mr. Chairman.
    Mr. Perry. The Chair thanks the gentlemen. The Chair now 
recognizes the gentleman from Mississippi, Mr. Thompson.
    Mr. Thompson. Thank you very much, Mr. Chairman.
    Almost to the Member before me, the conversation has been 
about the culture of the organization, and I think it speaks to 
whether or not internally, we can fix it, or do we just cover 
it up?
    I will get to specifics shortly.
    Inspector Roth, in your review of the Secret Service, how 
would you describe the culture within the Service, especially 
at the Executive level?
    Mr. Roth. As we noted in the report on the access to 
Chairman Chaffetz's employment record, we found a number of 
supervisors who, in fact, themselves had access to MCI. To me, 
that was a very troubling incident; additionally a few people 
then elevated their concerns, or the fact that this was being 
used to a high enough level of management for something to be 
done.
    So that was sort of certainly troubling behavior that we 
identified.
    Mr. Thompson. So, let me--so, we had senior-level people 
accessing information, then we had that information being noted 
by people above those individuals. It is your testimony that 
nothing happened?
    Mr. Roth. That is correct. I will give two examples, if I 
may.
    The first was the special agent in charge of the Washington 
field office, came to understand that some of her employees 
were accessing the MCI to sort-of understand whether or not 
that rumor existed.
    She ordered her individuals--her subordinates to cut it 
out. I think her exact words were knock it off, or quit fooling 
around with the MCI database. In fact, that is what occurred in 
the Washington field office.
    Unfortunately, throughout the country, other individuals 
were doing that, so that would be one example. The second 
example is the special agent in charge of the Indianapolis 
field division, who was, frankly, curious why it was that, in 
his view, Chairman Chaffetz was so hard on Director Clancy.
    He, just out of idle curiosity, accessed the database 
himself to discover, in fact, that Chairman Chaffetz was a 
prior applicant.
    He did nothing with that information, did not elevate it 
up, or do any other kind of conduct. There are a number of 
examples like that.
    Mr. Thompson. Thank you very much.
    So, Director Clancy, I hope you sense the membership's 
concern about the culture, and I would hope that going forward, 
you would take this hearing, as you said, as a moment of 
instruction to try to fix it.
    The men and women deserve it; they do a wonderful job. But 
it is about leadership, and I think it is absolutely important.
    As you know, I have been talking to you since this summer, 
a little, small issue to some. It is relative to the fact that 
we found out that there were 643 employees assigned to duty 
that require a security clearance. They were working for the 
Department without the completion of the clearances.
    I had asked you for the demographics of those individuals. 
As of this date, I don't have the information.
    I know you have been busy, but can you give me some 
indication when I can expect to receive the demographics of 
those 643 employees?
    Mr. Clancy. Yes, sir. First of all, my apologies that you 
have not received that information--640 individuals, I am 
assuming may be Department-wide, I think within the Secret 
Service, we did have people working that did not have their 
security clearances. I think it was much less than that, but we 
will get you an answer in the coming days on that----
    Mr. Thompson. Okay. Well, it was Department-wide over a 5-
year period, but my point is, some of us run up on men and 
women around the country who indicate that, I am trying to get 
employed with the Secret Service, but they tell me, I can't get 
considered for employment, because I haven't been cleared.
    I can't go to training, I can't do a lot of things. But it 
troubles some of us when we are already employing people whose 
job requires clearance on the other hand.
    So, I don't know if that is favoritism or what. But it is 
real concerning.
    Mr. Clancy. I will follow up on that, sir.
    I can tell you that we don't look at that, diversity, in 
terms of who gets a security clearance, who does not.
    In this case, the one that you referenced--and I will speak 
for the Secret Service--we were delinquent as we went through 
this hiring process, we did not get people their security 
clearances in a timely manner.
    Some--and they were assigned to positions outside of 
Washington, for the most part. But what we have done, now, is 
we have brought in some contractors, additional 14 contractors, 
to ensure this never happens again where someone goes through 
our training and--when they get their graduation--when they 
graduate, they should have their clearance. So that has been 
resolved now within the Secret Service.
    Mr. Thompson. So--it is your testimony that--there is 
nobody working for the Secret Service right now without a 
security clearance?
    Mr. Clancy. That is correct. To the best of my knowledge, 
that is correct.
    Mr. Thompson. Can you verify that for the committee?
    Mr. Clancy. Yes. Yes, sir.
    Mr. Thompson. Thank you. I yield back, Mr. Chair.
    Mr. Perry. Chairman thanks the gentleman. The Chairman now 
recognizes the gentleman from Georgia, Mr. Loudermilk.
    Mr. Loudermilk. Thank you, Mr. Chairman, and thank you all 
for being here.
    This is especially troubling for me as we look back over 
the history of this incredible agency, the Service. It is an 
icon of what I think is American exceptionalism and the actions 
that we have seen take place--of course, it tarnishes the 
reputation of the Service, but more so, I think it really 
tarnishes the image the American people have of what they have 
always elevated as the exceptional service, not just in the 
Nation, but in the world. I think it is imperative that we 
address these issues, not just in hindsight but going forward 
to make sure that we restore the trust of the American people, 
the trust of Congress and the trust of the protectees.
    Mr. Roth, you said something in your written statement that 
really struck me here: ``The Secret Service has certainly taken 
steps to address these challenges, but not always successfully. 
These persistent challenges may not be easy to resolve through 
expeditious actions, such as suspending employees and issuing 
new guidance. They may require more fundamental change that 
addresses the root of the misconduct.''
    I think that is where we need to focus. What is the root, 
in your opinion? What is the root of the problem?
    Mr. Roth. When you look at guidance with regard to creating 
an ethical culture, as they say, it comes in 3 sort-of 
dimensions. One is tone at the top, which is not just at the 
very top, but all through leadership of an organization. The 
leaders have to set the exact right tone. The second is to have 
a code of conduct and a code of ethics that is truly 
meaningful. The third is to enforce that code of conduct, you 
know, in a way that expresses to the rank-and-file that you 
mean what you say with regard to that tone at the top.
    So you have to look at all three of those things. As 
Director Clancy said, I think the middle part, the code of 
conduct was not there until Cartagena, and there have been 
steps that they have taken since Cartagena to establish a more 
rigorous policy.
    So that is certainly an improvement that we think is well-
deserved or a positive step in the right direction. But again, 
it has to be tone all the way through the organization, as well 
as a meaningful enforcement of that code of conduct.
    Mr. Loudermilk. I have a time line of misconduct that went 
back just prior to Cartagena, but it goes back to 2011. Up 
until that time, I don't recall if--there is misconduct in any 
organization, but was there a history like we are seeing now, 
Mr. Roth, that you were aware of, prior to the last, you know, 
4 or 5 years?
    Mr. Roth. I am not aware of it. I just don't have any 
insight into it. Certainly, we are only as good as the audits 
we do and the investigations we do and we didn't have anything 
before that.
    Mr. Loudermilk. Thank you.
    Mr. Clancy, I applaud your efforts. You have got a 
difficult task. You have been in the agency for quite a while. 
Do you recall that there was the level or the consistency of 
misconduct previously in the agency or is this just something 
new?
    Mr. Clancy. I think any agency has always had some 
misconduct, and the Secret Service has had misconduct in the 
past. I think it has--more attention has been brought to this 
misconduct in the last several years and I--and that is a good 
thing, and I applaud the inspector general's office for that. 
This has to be brought out in the open, these misconduct 
episodes, otherwise we won't correct it. So--yes.
    Mr. Loudermilk. You also--make sure I understood it right. 
You said that you are trying to--benchmark your disciplinary 
actions of other agencies. Is that what you were referring to 
looking at other agencies?
    Mr. Clancy. Yes, my understanding when the Table of 
Penalties was built out, our legal team worked with other 
agencies to see what they were doing from a discipline 
standpoint, what their table penalties were. We took their best 
ideas, best practices and built ours.
    Mr. Loudermilk. I would suggest you guys have to be a 
little stronger, a little better. It is the nature of the work 
that you do is so important to this Nation. One last thing, I 
think we have talked a lot about culture in here in the--and 
that is true.
    It is--look, I think what you are getting at is the culture 
of the agency, it is the esprit de corps. It is--you are in the 
Secret Service. You have an obligation to uphold the integrity, 
the honor, and the dignity of this agency. I think that may be 
what is missing somewhere.
    Just real quickly. I was going over this time line and 
there seems to be a common element with a lot of these. Look at 
Cartagena. Alcohol was involved. June 2/13--of 2013, alcohol. 
November 2013, abuse of alcohol. December 2013, alcohol. March, 
alcohol. June 2014, alcohol. There seems to be this continual 
cycle of alcohol abuse associated with this, which from my 
experience in the military, usually indicates that there is a 
morale issue. I will let you comment and I will yield back 
after that.
    Mr. Clancy. Yes. You are correct, Congressman. We do have a 
morale issue, and a lot of it is because of our staffing, and 
that is one of the things we need to do--work with our staffing 
so that if we can build up the staffing level, we can get more 
training, which our people want, get a better quality of life, 
which will help their morale as well.
    But again, to your point here today, the accountability in 
discipline matters also helps that morale. Are we going to hold 
people accountable? I will tell you, the episodes since I have 
been here--you mentioned the March 4 incident where an 
individual--two individuals after a retirement party drove onto 
the White House. I can tell you that retirement parties now 
are--I don't know of any that are taking place. People got that 
message.
    This--what we are talking about today, PII. People are 
getting this message. So unfortunately, it takes these 
significant errors--misconduct to resonate sometimes with our 
people. But I do want to also say one thing. Less than 1 
percent of our people are involved in this misconduct. It 
truly--99 percent, as some of you have mentioned today, are 
doing the right thing. But that is--and they are working very 
hard--but we have to focus on that less-than-1-percent, because 
we are held at a very high--and rightfully so--we are at a high 
level.
    Mr. Loudermilk. I hope you can get the Service back to the 
point to where people aren't doing the right thing because they 
are afraid of the discipline, but they are doing the right 
thing because they are dedicated to the job, to the Service, to 
the spirit of the service and their oath to the Constitution.
    Thank you, sir. Mr. Chairman, I yield back.
    Mr. Perry. The Chair thanks the gentleman. The Chair now 
recognizes the gentlelady from California, Mrs. Torres.
    Mrs. Torres. Thank you, Mr. Chairman. Director Clancy, just 
to be--to have some statistics here on the record. According to 
the Partnership for Public Service, the agency is 74 percent 
male. Is that correct?
    Mr. Clancy. Seventy-five percent. I can--let me just check 
that real quick. That sounds correct, but I--let me just----
    Mrs. Torres. Seventy-two percent white, leaving it severely 
out of step with other agencies. Women make up 25 percent of 
the agency's workforce, but only about 11 percent of the agents 
and uniformed officers.
    Mr. Clancy. You are correct. Yes.
    Mrs. Torres. You talked about your outreach efforts with 
universities in targeting certain areas of the Nation. Have you 
engaged an employment agency to help you or to advise you in 
finding a more diverse workforce?
    Mr. Clancy. I am not aware that we have done--taken that 
step yet. It is a--it is an excellent suggestion that we may 
look into.
    I will tell you that when we go to these different areas of 
the country, we have a very diverse group, recruiting group 
that goes out to try to encourage females to apply as well as 
across the board in diversity. So----
    Mrs. Torres. Are you targeting also the military or----
    Mr. Clancy. Yes.
    Mrs. Torres [continuing]. Law enforcement agencies looking 
for--you know, there are great people working in law 
enforcement.
    Mr. Clancy. Absolutely. We go to military bases, and again, 
we run these, what we call ELACs, these Entry-Level Assessment 
Centers, so that, for example, at a military base, if you want 
to apply for a job with the Secret Service, we can do a testing 
initially. If you pass the test, that very day, we can do a 
super interview of you. If again, it looks like you are a good 
candidate, then we will move you right to a polygraph, all 
within a weekend to try to speed up that process.
    But absolutely, the military bases--and we have found 
personally that people that have had a military background 
serve us very well.
    Mrs. Torres. Well, they have a high work ethic.
    Mr. Clancy. They do.
    Mrs. Torres. They understand the pecking order, they 
understand the need to serve.
    I am disturbed by the incidents. I am happy to hear that it 
is a reflection on less than 1 percent of the workforce, but by 
no means does it make me feel better or safer. So would you say 
you have an agent problem or do you have a management problem?
    Mr. Clancy. It is a management problem, and it starts with 
me. There is no question it is a management problem, it is a 
leadership problem that I have got to find an answer to.
    Mrs. Torres. Have you taken steps to ensure that when we 
are clamping down on agents, that tougher disciplinary actions 
are taken upon the people who supervise them?
    Mr. Clancy. Yes. Supervisors are held accountable. Again 
with this--we put this out--again, trying to be transparent--to 
show our workforce how----
    Mrs. Torres. Are there policies in place to ensure that 
whistleblowers are protected?
    Mr. Clancy. Yes. Everyone in the service knows that 
whistleblowers perform a vital function, and they cannot be--
there is no retaliation, there is no--you know, you have got to 
let them go, yes.
    Mrs. Torres. So there are disciplinary steps that the 
agency takes when the Department rules are violated.
    Mr. Clancy. Yes.
    Mrs. Torres. There are disciplinary steps that the 
Department takes when our laws are broken.
    Mr. Clancy. Yes.
    Mrs. Torres. The agents are read Miranda rights. Is that 
what you were referring to in an earlier question?
    Mr. Clancy. No, they are not read Miranda rights. They are 
read either Kalkines or Garrity, I will let the inspector 
general correct here if I am wrong on that. But that is what 
they are read, yes.
    Mrs. Torres. I come from the civilian part of law 
enforcement, so pardon. So criminal charges are filed, whether 
they are felony charges or misdemeanor charges. What are your 
steps? What steps do you take during that process?
    Mr. Clancy. Well, if criminal charges are filed, we 
typically immediately move to removing the security clearance 
so that this individual can no longer have access to any of the 
protected facilities, any access to any of our protectees, of 
course, or any of our----
    Mrs. Torres. So what happens to the rest of that immediate 
department that are working with that employee now in the 
process of a criminal investigation and their supervisors?
    Mr. Clancy. If it is a--at that point, we don't have--we 
remove all of their badges, we remove their equipment, and then 
it goes through the normal course of the criminal justice 
system.
    Mrs. Torres. My time is out. But I--what I am trying to 
figure out is if you have a rotten apple, how do you ensure 
that the whole bowl isn't bad?
    Mr. Clancy. Yes. We can remove them very quickly in that 
case when there are criminal charges. Mr. Chairman, if I could 
just correct the record for one item. Ranking Member Thompson 
had asked me about the security clearances. Our agents and 
officers, some of them that are in training now have not had 
their clearances settled. They will by graduation.
    So anyone who graduates from our academy will have a 
security clearance. But while they are going through training, 
some of them may not have.
    Mr. Thompson. But as of this summer when we talked, that 
was not the case.
    Mr. Clancy. That is correct. That was not the case. You are 
absolutely correct. Yes.
    Mr. Thompson. Thank you.
    Mr. Perry. The Chair thanks the gentlelady. The Chair now 
recognizes the gentleman from Florida, Mr. Clawson.
    Mr. Clawson. Sorry to hear about your dad.
    Mr. Clancy. Thank you, sir.
    Mr. Clawson. Greatest generation.
    Mr. Clancy. It was. I know many here have lost their 
fathers from that generation, and I think we have all learned 
from them.
    Mr. Clawson. Was your dad a vet?
    Mr. Clancy. He was, yes.
    Mr. Clawson. Yes, I know all about this. I just lost my mom 
and so, you know, it is the generation that the glass is half-
full, put the team first, work hard and go to church on Sunday 
and the rest answers itself, right?
    Mr. Clancy. Yes, sir. Absolutely.
    Mr. Clawson. But we were lucky to have those kind of folks.
    Mr. Clancy. Yes, sir. Thank you.
    Mr. Clawson. Although, you know, we do a little bit for our 
country now, they--without ever saying it, they remind us that 
compared to what they did, we don't do much.
    Mr. Clancy. That is correct. Yes, sir.
    Mr. Clawson. I have full respect and admiration for you and 
your dad.
    I have always thought of organizational culture as being 
the combination of performance and behavior, and therefore, how 
your agency and your employees think of themselves is dependent 
on those two things because they all see it.
    When bad behavior is not dealt with quickly, it impacts 
that culture and how we view each other because it discourages 
good performers that--you know, that are doing their job every 
day.
    Everything tells me that these incidents of bad behavior 
ought to be isolated, put up in lights for everyone to see, and 
that action needs to be taken quickly. That that really is the 
responsibility of leadership. Therefore when it drags on and 
on, when it drags on and on, it really sends a bad message to 
this corporate culture that you referred to earlier.
    Why so slow? I mean, you know, systematic, shmistamatic, 
you know. You are the chief and you have got head of Homeland 
Security. You know, I mean, let's go. Let's take some actions 
so that you can do what is right and preserve the culture for 
you all your great performers. Am I missing something on that? 
Why so slow?
    Mr. Clancy. No, you are correct. Again, certainly if there 
is any criminal activity it is much quicker. We can remove 
their security clearance right away. With other types of 
misconduct as we are talking about in this case it does take 
time for the full investigation.
    Again, in transparency we had the OIG handle this 
investigation to do a very thorough investigation, and then 
once the investigation was completed, then we could move 
forward with that discipline.
    But under Title V, the employees, Federal employees, are 
given certain rights, and we follow that process, but 
eventually we get to where we need to be. Eventually we do get 
to where we need to be.
    Mr. Clawson. Well, it is going pretty slow for my taste, 
and I think for the sake of your organization I would be 
pushing this as hard as I can, because typical folks that run 
large organizations don't understand this kind of length of 
time for--you know, it just festers because you don't put it 
behind you.
    Mr. Clancy. Yes, sir.
    Mr. Clawson. So, you know, my point is that is let's get 
going.
    I have found in organizational change that if you don't 
change a third of your people in positions of responsibility 
you won't change the culture, because they are going to out-
wait you. They always out-wait you.
    If you change more than 50 percent then you may have a 
problem with the institutional memory that you discussed 
earlier.
    I am really glad you brought diversity of thought and of 
experience into your direct reports, but they will out-wait you 
below that. So just, you know--no rule of thumb is 100 percent 
for sure, but if I am sitting in your chair and not changing a 
third of my managers, and you are thinking you are going to 
change your organization, good luck. Don't believe it.
    So you know, I don't know if you have thought of it in 
numeric terms, but let's get--a performance culture going 
without washing away the memory of the successes of the past. I 
am all for having both, and I don't think if you implied this 
in your early comments, I don't think you--it is one or the 
other. Change your culture, and preserve the successes of the 
past. Does that make sense?
    Mr. Clancy. It does, yes, sir.
    Mr. Clawson. Okay. Is there anything about what I have said 
that you would disagree with?
    Mr. Clancy. No, I wouldn't sir.
    Mr. Clawson. Okay. Well, look, we want you to succeed. We 
could talk all day about whether you should be in the job or 
not, but you are in the job, and we need you to be successful. 
So anything I can do, our group, we want you to succeed.
    Look, I really like the tone at the top, so let's get them.
    Mr. Clancy. Yes, sir.
    Mr. Clawson. Thank you.
    Mr. Perry. The Chair thanks the gentleman. The Chair thanks 
the gentleman. The Chair now recognizes the gentleman from 
Georgia, Mr. Carter.
    Mr. Carter. Thank you, Mr. Chairman. Thank all of you for 
being here.
    Mr. Clancy, how many times have--when did you get into the 
office? When did you become the acting director?
    Mr. Clancy. The acting director, October 6, I believe.
    Mr. Carter. October 6?
    Mr. Clancy. Of 2014.
    Mr. Carter. Of 2014. How many times have you appeared 
before Congress since then?
    Mr. Clancy. I believe this may be my sixth or seventh.
    Mr. Carter. You know, I have been here since January 6 and 
I think this is the fourth time I have seen you. I am just--I 
mean, obviously, we have got concerns here. There seems to be 
an on-going problem.
    Mr. Clancy. Yes.
    Mr. Carter. As you might know, I am very fortunate to have 
the Federal Law Enforcement Training Center in Glynco, Georgia, 
my district. I am familiar with the training that takes place 
with the Secret Service agents down there, and I think they do 
an excellent job, but I also want to remind you of the 
Protective Mission Panel that came out and actually said that 
the amount of training that the Secret Service agents were 
getting was far below what it should be.
    In fact, I think at one time, they said it was equal to 
only 25 minutes for each 1,300 uniformed officers?
    Mr. Clancy. Yes.
    Mr. Carter. What are we doing to change that?
    Mr. Clancy. Well, you are absolutely correct, and I have 
been down to your Federal Law Enforcement Training Center and 
they do a great job down there, and they help us as we try to 
build our staffing levels. In terms of what we have done--
uniformed division 99 percent have gone through a building defense 
exercise training mission--it is a 10-hour block.
    Additionally, approximately 700 of our uniformed officers 
have gone through a 3-day training period where they do their 
firearms, their emergency medicine, their control tactics--a 
number of things.
    The agents on the President's detail--we have increased the 
number of agents on the President's detail by November--I am 
sorry, by the second quarter--early January, we will have 
increased the numbers there by 85, which is what was 
recommended by the blue-ribbon panel, and that will help their 
training.
    So we have increased training by 85 percent on the 
President's detail in this past year.
    Mr. Carter. Okay, well, specifically, let's get to what we 
are here about today. That is about Chairman Chaffetz and that 
situation.
    Inspector Roth has stated that several of the agents that 
violated the Secret Service and the Homeland Security policies 
when they accessed his records. This was criminal offense, 
don't you think?
    Mr. Clancy. It is on the books as a criminal offense, yes.
    Mr. Carter. It is on the books as a criminal offense.
    Tell me what you have done. Have these people been fired? 
Have they been disciplined at all? A criminal offense by an 
agency that we hold to the highest standard.
    You know, earlier--I am a little bit frustrated by some of 
the things I have heard, here. Keep in mind that we, up here, 
are experts at spin. And pivoting. My campaign manager--that 
was his favorite word--pivot, pivot, pivot.
    All of a sudden I heard you talking about data. If the data 
had been better-protected--give me a break. If they wanted to 
see this, they were gonna see it, I don't care how the data was 
protected.
    How can you let this go on? Why haven't you fired these 
people? They knew this was wrong. Don't you agree? Don't you 
agree? They knew this was wrong.
    Mr. Clancy. I do agree, and certainly, there is misconduct 
here, the discipline has been proposed for those GS-15 and 
below. But the data is also important. As a side step.
    Mr. Carter. I understand that, I respect that, and I 
acknowledge that it is important, that it be protected.
    But still, the basic premise here is that they knew what 
they were doing was wrong.
    Mr. Clancy. Yes. Looking at the OIG report, they should 
have known what they were doing was wrong. Some of them, I 
think, will acknowledge----
    Mr. Carter. Should have known? To an agency that we 
consider to be--to hold at the highest level?
    Mr. Clancy. Right.
    Mr. Carter. I just can't go along with that. I mean, even 
you yourself said it was inexcusable and unacceptable. It is. 
It deserves discipline.
    Look, I am a small businessman. I have got employees as 
well, and I can tell you, when something like this happens, and 
I am not trying to tell you how to run your business, but you 
know as well as I do that when you got a cancer, you gotta get 
rid of it. Otherwise, it is going to destroy your whole 
business. You have got to get rid of this cancer here. You have 
got to set an example. You have got an opportunity right here 
to set an example, because what they did was wrong. They knew 
it was wrong. They deserve discipline. They deserve to be let 
go.
    Mr. Clancy. They deserve discipline. We do look at the 
whole picture here, too. The whole person.
    Some of these people have spent 28 years with no discipline 
in their history. Some of them self-reported. Some of them--
they are obviously all very remorseful.
    But it was wrong? Yes. But we do look at the whole picture 
and the whole person of their career.
    Mr. Carter. I get that. I want to make sure that the 
punishment fits the crime and I understand that, and you should 
look at their whole career. But at the same time, again, you 
have been here six times since you took office.
    Mr. Clancy. Yes.
    Mr. Carter. We want you to succeed. We don't want to see 
you fail.
    Mr. Clancy. Yes.
    Mr. Carter. We don't want to see you here anymore. That is 
essentially it. We want you to do this. We want you to do well, 
but we gotta have your help.
    Mr. Chairman, I yield back.
    Mr. Perry. The Chair thanks the gentleman.
    The Chair now recognizes the gentleman from Oklahoma, 
Senator Lankford.
    Senator Lankford. Gentlemen, thank you. Long day--we have 
still got a little ways to go, to be able to bounce you some 
questions, I appreciate it very much. Let me just state a 
couple things that I picked up from a lot of the conversation 
here today. Then I want to walk through multiple questions.
    There are a lot of issues with Secret Service. That has 
been well-documented, and I want to talk about that a little 
bit.
    I would say to you, I do disagree with one of the findings 
of the panel, I do think someone from the inside needs to be 
there to be able to fix it.
    Someone from the outside that doesn't have the same law-
enforcement background or doesn't have the same sense of 
corporate identity with Secret Service walks in as an outsider 
and has a different opinion on it. Someone from the inside can 
walk in and say I am one of us and part of us and can turn some 
things around.
    So I appreciate that you are there because there is 
obviously work to be done. I am gonna come back to that in just 
a little bit.
    Mr. Roth, let me ask you a question. Is it your sense that 
for these individuals that accessed this database it was the 
first time for them to access it--this database like this? Did 
anyone ever ask them, you know, gosh, did you just happen to 
say, gosh, maybe I should go look at Jason Chaffetz' records? 
Someone said, well I think, maybe, we could get access to that.
    Or did this look like this was a pattern of behavior, that 
if they are interested in someone they can go pull it?
    Mr. Roth. I think it ran the gamut depending on the agent 
we talked to. Some of them didn't think it was wrong at all 
because what they called it was ``our database''. It was a 
Secret Service database unlike, NCIC, or TECS, or one of the 
other, sort-of larger criminal databases, this was run by the 
Secret Service and saw nothing wrong with it.
    Others didn't understand that it was wrong until after they 
did it, and then they realized, well, I probably should not 
have done it.
    Senator Lankford. There is a training that happens multiple 
times a year, both orally and electronically--there is, your 
computer when you start it up there, it says this is for 
official use only. It is still your perception that some 
individuals just kind-of ignored all of that and said it is our 
database, we can do with it what we want.
    Mr. Roth. That is correct.
    Senator Lankford. Okay. Well, the problem with that is, if 
they can pull any Member of Congress, if they can pull any 
individual there, that also means the new neighbor down the 
street, I can go check my records and see if there is, you 
know, something on the new neighbor down the street. When their 
daughter starts dating some new guy they can go pull his family 
and go pull the records on it.
    If this is someone they don't like, they can pull the 
records.
    What we saw from the VA--and we will talk about this with 
GAO in just a moment--but the VA became a whistleblower there, 
and we found out that their employees that were then just 
pulling records, that were medical records on someone they 
didn't like as a whistleblower in the process.
    The challenge that we have here is access to data, you 
know, it is official and nonofficial and how do we actually 
direct this.
    So, based on your perception and walking through this with 
Secret Service--is it your perception this has been an on-going 
issue for some employees just to be able to use that database 
as just I can go look at it, whether it is official 
nonofficial, and they blur those lines?
    Mr. Roth. That is the sense we got from at least some of 
the agents that we interviewed who had accessed the database.
    Senator Lankford. Okay. Mr. Willemssen, how do we deal with 
this? Social Security has identified 50 different individuals 
that were given merit bonuses at the end of the year, but also 
during the year had accessed information for unofficial 
purposes and had looked people up.
    VA has this issue, which we can talk about in greater 
length--with someone grabbing information to be able to look at 
it--that is a whistleblower.
    How many agencies have good systems in place to be able to 
audit, at least, how individuals access these sensitive 
databases?
    Mr. Willemssen. This particular access problem is probably 
the most common issue that we see when we are doing detailed 
information security audits. Too many people have access to 
things they don't need access to. It is not part of their job 
description. They don't have a need to know, but yet, they are 
given access.
    So access is a real issue. It is one that we--I would say 
that is probably the most frequent one we come up with.
    Another issue that is interesting in this case is when you 
are collecting PII you--one of the things you do is end up 
scheduling a records notice with NARA--National Archives and 
Records Administration--to among other things, tell them how 
long you are going to keep the files before you dispose of it.
    I was kind-of curious about why an application file from 
2003 would be kept 12 years later. Those kinds of things should 
be disposed of fairly quickly. Hopefully, that is part of what 
the Service will be doing going forward.
    You are supposed to schedule those records out and dispose 
of them at a certain date. Sometimes 1 year, sometimes 5 years.
    Senator Lankford. Can you pause on that?
    Mr. Clancy, has that been taken care of at this point? 
There are two different sets of information. Both the 
electronic records that are not applicable anymore, and paper 
records, because it is my understanding that there are still some 
offices though the access point has been changed 
electronically, if you go into a file room, those old 
application files may still be there in paper form, as well.
    Has that been dealt with as well?
    Mr. Clancy. Yes, we are moving forward too, for example, 
the applicants. Every 2 years those files will be purged. Right 
now there is an investigation going on with the inspector 
general, so some of that will be delayed slightly until they're 
through the investigation, but that is the plan forward. Also, 
again, with the applicants in mind, 95 percent of the people 
that had access before no longer will have access because of 
the new system.
    Senator Lankford. Is that both paper and electronic for 
those offices around the country, do they still have access to 
paper records--somewhere in a filing cabinet?
    Mr. Clancy. I will have to get back to you with a good 
solid answer on that. I think we have moved away from a lot of 
the paper, but let me give you a better answer.
    Senator Lankford. Okay. That would be something wise to be 
able to evaluate as well. Both the electronic version, the 
access points, and then obviously the paper version to make 
sure that that is also purged. It may be, just if you have 
access to that room, you also have access to those files, and 
it is part of the challenge here.
    Let me come back to Mr. Willemssen.
    Which agency would you identify and say this agency is a 
good model example of how to handle personal identifiable 
information? They are auditing well, they are tracking well, 
they are a model agency?
    Mr. Willemssen. Don't have one. No model agency.
    Senator Lankford. That is somewhat depressing.
    Mr. Willemssen. Yes, it is. Now, the more optimistic note, 
since the OPM cyber disaster, this has become a major priority. 
OMB has charged up, it has definitely elevated its priority on 
this. Agency heads now recognize that this is a critical issue 
that needs to be addressed.
    You know, and when we first announced the information 
security area as high-risk, first few years I was told, you 
know, you are Chicken Little, the sky is falling.
    I don't hear that anymore.
    Senator Lankford. Sky fell.
    Mr. Willemssen. Yes.
    Senator Lankford. Okay. So the challenge that we have here 
is dealing with--let me just give you one example of VA. This 
is something GAO has for years and years identified issues with 
VA.
    Mr. Willemssen. Yes, sir.
    Senator Lankford. How does this get better? How do we 
prevent unauthorized access of medical information and of 
private information for our veterans?
    Mr. Willemssen. Veterans Affairs has a significantly high 
percentage of systems that are considered high-impact systems--
that is, the disclosure of data or modification of the data 
because of the medical records, is considered to be very severe 
in terms of its possible impact if it is lost, stolen, or 
reviewed by others.
    Given that, you have to put much stricter controls in 
place, including monitoring users and what they are doing, and 
if they have any atypical patterns in use, and the----
    Senator Lankford. Is this just an audit, or is this an 
algorithm that is created?
    Mr. Willemssen. This is an audit and an algorithm. You can 
do it automatically.
    Senator Lankford. Right.
    Mr. Willemssen. It is contained in the National Institute 
for Standards and Technology guidance for high-impact systems. 
Like I said, VA has a significant percentage of high-impact 
systems where you have got to put these kind of controls in 
place to try to prevent the kind of situations that you 
described.
    Senator Lankford. Mr. Chairman, I would like--I don't know 
if we are going to do a second round of questions, but I do 
have additional questions for Director Clancy as well.
    Mr. Perry. If you don't mind, I will suspend.
    Thank you, sir, and I will suspend your questions at the 
time and recognize Mrs. Watson Coleman for a second round.
    Mrs. Watson Coleman. Mr. Chairman, you know, I know we were 
here. I know that my colleagues wanted us to sort-of focus on 
what happened to Chairman Chaffetz.
    I think if I were him--if I were he, I would probably want 
this to just go away now. Take care of the business that needs 
to be taken care of, discipline the people that need to be 
disciplined, learn the lessons that you need to learn, but, you 
know, I just really don't think he needs to have this or wants 
to have this as a continuing story.
    But it does speak to other issues that we are identifying, 
and it does speak to a culture or way of thinking or way of 
doing business or the way we--they--we perceive ourselves on 
the inside that needs to be addressed. I know you have 
expectations for that changing.
    I would like to know any steps that you are actually taking 
to change the culture in the form of action. What happens with 
your executive level? What happens with the level beneath that, 
the supervisory level? What happens with the rank-and-file 
level?
    How are you addressing the need to get our agency to think 
more differently about how we come to work? What we do at work? 
We don't sleep at work. We don't sex text under any 
circumstances. You know, we don't look into files that we don't 
have a responsibility, a need to look into.
    Is there going to be some sort of a fail-safe mechanism 
that shows when the file is being accessed by someone who 
shouldn't be, or has no reason to be? I would like to know some 
steps that you are taking.
    Thank you. Thank you, Mr. Chairman.
    Mr. Clancy. I just think, in terms of the overall culture 
here, one of the things we are doing is we are trying to have 
our workforce take ownership of this agency. It is their 
agency, and--let me just give you one example.
    Just 3 or 4 weeks ago, we started a new program. It is a 
crowdsourcing type of service on our intranet where our agents 
and our officers and all of our employees--professional staff 
can send in ideas, suggestions, what we should be doing better, 
what should we be looking at, and then they get other people 
from the workforce looking at that, and they can ``like'' that, 
for--better term, and then it forces the executive staff to 
look at that.
    We have seen this as a very positive--already within a few 
weeks, we have had close to 200 hits of--we call it Spark--
where people have taken ownership of their agency.
    Now, I think that is where we have got to get to that 
point. It is management, it is my leadership, but additionally, 
it is the individuals who have to take ownership of this 
agency. I will say again, 99 percent of our people do have that 
ownership.
    Mrs. Watson Coleman. So, Mr. Clancy, I have been in the 
Executive branch of Government, and I know it takes that kind 
of expectation, but it takes a plan of action, and it takes 
whether or not you are hiring people from the outside who look 
at these issues and work through groups, and you work down 
through the organization.
    So at some point I would like to know if you are planning 
to do those kinds of action steps.
    Then the last question is--I really do want to know--is 
there some sort of way that there is a notification of 
accessing information when you are not--when it is out of order 
for what you are doing, it is not related to your case? Your 
identification number to get into it signals whether or not you 
are or are not the right person to be accessing this 
information? As a follow-up to Senator Lankford's concerns.
    Mr. Clancy. My understanding is--and the other gentlemen in 
here may be able to answer this better--but it requires 
constant monitoring and auditing, and there is no automatic 
notice that someone has accessed someone's data 
inappropriately. It has to be constant monitoring.
    Each----
    Mrs. Watson Coleman. Who----
    Mr. Clancy [continuing]. There is an administrator for each 
of these buckets of information, and that administrator has to 
control who has access--who has the need to know that 
information.
    So it is up to the administrator--so with our human 
resources, we have approximately 260 that would have access to 
our applicant data with this new system, and that administrator 
would have to ensure that anyone else who enters has access 
they have approved.
    Mrs. Watson Coleman. Thank you. Did you want to say 
something to this, Mr. Roth--respond to this?
    Mr. Roth. If I may--yes, if I may, just as an example, the 
DHS TECS system is one in which, for example, if Director 
Clancy had created a record there and then I accessed that 
record, Director Clancy would get an e-mail that I was the one 
who accessed the record.
    So not only what Director Clancy was talking about, which 
is--you know, you can run reports by the system administrator, 
but there are also sort of real-time controls on modern IT 
systems that weren't present in the MCI system.
    Mrs. Watson Coleman. Thank you, Mr. Chairman. I yield back.
    Mr. Perry. Chair thanks the gentlelady from New Jersey. 
Chair recognizes the gentleman Mr. Lankford.
    Senator Lankford. Thank you.
    I think the audit system is gonna be the key. At whatever 
percentage that that is, to be able to have, for this computer 
at this spot, here is everything that you ran, and that they 
know at some point, someone is going to just spot-audit.
    You can't go through all of it. There is not a need to go 
through all of it. But just the simple accountability that sits 
out there somewhere, to know there is an algorithm that is 
running, to say, ``hey, there is a search for files that don't 
seem to be consistent with official records.''
    There is a spot audit occasionally, that you may come in 
and face discipline, saying, ``you pulled records from your 
neighbor down the street, or from someone you don't like.'' All 
those things, I think, just become important.
    We have a tremendous number of people that work in the 
Federal workforce that are great people, that generally love 
the country and love to be able to do what their job is. The 
problem is these small--as Mr. Clancy, as you mentioned--the 1 
percent on it.
    I had to smile as we were walking through some of the 
conversation about Secret Service and picking on Secret Service 
today. I hope we are really not picking on you. This has become 
the latest example of multiple examples, whether that be VA or 
Social Security or others became the visual example again.
    But I have to tell you, as I have listened to some of the 
conversation on the dais about challenges with public-relations 
nightmares and employees not doing their job and alcohol abuse 
and everything else, we could, quite frankly, flip the tables, 
and y'all could hold a hearing on Members of Congress and have 
the same accusation.
    I would assure you it is more than 1 percent of the Members 
of Congress have some of these exact same issues. So this issue 
is not--is a human behavior issue, but it is also a 
professionalism issue of taking the task seriously.
    So, Mr. Clancy, I am going to give you an unfair list, and 
just to be able to walk through a few things, and I am going to 
tell you this in advance--as I have tried to start walking 
through some of the issues and the recommendations for the 
Secret Service--it is the oldest law--oldest general law 
enforcement entity in our country. It is an incredibly valuable 
resource to our Nation.
    But my fear is some changes that have been put in place 
over the past several decades--it is not on your watch--have 
brought about some morale shifts on it. What I am trying to 
figure out is how do we shift morale back, and how do we get on 
top of this? Otherwise, it is Whack-a-Mole with the different 
issues all the time.
    Overtime rules seem to come up over and over again as I 
talk to different agents and individuals. Getting some sort of 
standard practice with your counterpart agencies. 
Accountability of leadership, so if there is a bad actor, 
everyone knows that is not tolerable in our agency.
    When you actually confront issues, everyone knows that is 
the standard and we are going to live up to it. If there is a 
bad apple, as has been stated, in the group, or someone that is 
flippant about it, everyone kind of works down to that level.
    Priority of new equipment and technology. I find that 
Secret Service is not getting the top priority for some of the 
newest technology and newest equipment among our DHS law 
enforcement, and I think it is demeaning. That sends a false 
message to Secret Service that they are not as valuable as some 
of the other aspects of DHS.
    Their responsibilities seem to be getting cluttered instead 
of a clarity, where it has been historically, for protection 
and for counterfeit duties. There seems to be other duties that 
seem to be kind of creeping into it that distract from the core 
mission here.
    The consistent career track--that seems to be a consistent 
theme that I have heard over and over again, that the career 
track seems to change, so no one really knows what path they 
are on here. Am I off on any of these at this point?
    Mr. Clancy. No, you are correct, and I will just comment on 
your last--the career track. We did bring in a workforce of 
agents at different levels to try to look at the best career 
track moving forward, and we have just announced, a couple 
months ago, the new career track for our agents so that they 
can plan their future.
    That has been one of the problems. You don't know if you 
are going to come to Washington, or will you be able to go to 
Texas. So we are, again, listening to our workforce, trying to 
find solutions.
    Senator Lankford. That is one of the things you can do if 
you are on the inside and you know full well what is happening. 
But I would encourage in the career track--and y'all have 
already examined this, and go from there--the possibility that 
individuals that are on a previous career track still could 
finish that out.
    Mr. Clancy. Yes.
    Senator Lankford. They can be grandfathered into that, or, 
if they choose to shift to the other one, they could choose 
that as well. That gives them the option and not feel like the 
new guys got the new stuff, or whatever it may be, but also 
have something to say, ``I started on this, I can actually 
complete this and not feel like the rules are changing on me 
again'' as they walk through.
    This corporate identity is extremely important, and is 
extremely valuable. What I fear is that there is a growing 
sense of lack of importance of people that are incredibly 
important to our Nation.
    I never want Secret Service folks to feel like they just 
guard doors for a living. They don't. They have an incredibly 
valuable role, and the morale, and the--what you set--and the 
role and the standard that you set will be incredibly important 
for years to come.
    If there is a silver lining in this, historically, Secret 
Service have had a really bad time when a President was shot. 
No one has been shot.
    There are just some things that were messed up, and this is a 
unique moment for--publicly for the Secret Service to 
reevaluate again, and go, ``Who are we? Where are we going? 
What is our clear task?''
    I would encourage you, if there are issues in working with 
DHS and in the scheme of things, these committees need to know 
it, because we want to make sure that all of the DHS families 
all feel equal levels of importance.
    Your Secret Service transitioned pretty quickly, I guess, 
from working in the Treasury to DHS and all the restructuring 
and you are now one of many rather than the big dog of 
Treasury. That has both benefits and challenges, and we need to 
know and to have some way to be able to help communicate in 
that so that we can help actually engage in this because we are 
not only advocates, but we are accountability in the process.
    Today probably feels more like accountability, but we also 
have the desire to be advocates on these roles. So we will need 
to know that. Is that fair?
    Mr. Clancy. That is fair, Mr. Chairman. If I could comment 
on one thing there, sir.
    Senator Lankford. Yes, sir.
    Mr. Clancy. Just to give you some comfort--I know it has 
given me comfort, but I went through this papal visit as well 
as the U.N. General Assembly. I traveled with the Pope and I can 
tell you, as I talk to our agents, our officers and our 
professional staff, this was a defining moment for our agency. 
As I talk to these people, I looked in their eyes, they wanted 
to be successful. They know the issues that have been 
highlighted, and rightfully so, over the past several years.
    This was an unprecedented time in our history and our 
people were determined to make this successful and we did this 
for NSSEs without incident, and our people felt very proud 
about that and I am very proud of our workforce.
    Now having said that, we have got to correct these other 
things too, and we will, but we have got people that are 
working very hard for the American people.
    Senator Lankford. Yes, you do, and we acknowledge that and 
we understand that. But we also don't want anything to distract 
it.
    Mr. Clancy. Yes, sir.
    Senator Lankford. Mr. Willemssen, let me ask you this as 
well. When we are talking about databases and we are talking 
about access points, is there any independent agency or agency 
that is an Executive agency that you think has a higher risk or 
has no system of tracking this, old or new, that you look at 
and say these--of the high-risk, these are the highest-risk?
    Part of my question--are the independent agencies--do we 
know for certain that they have an auditing process? Because they 
handle incredibly sensitive financial data on Americans.
    Mr. Willemssen. I would point to those agencies who have 
the most PII, personally identifiable information, as reason to 
make sure that they are doing everything they can to protect 
that.
    So you start with Social Security Administration, who has 
PII on almost every citizen. Veterans Affairs you have already 
mentioned, definitely an issue. Department of Education, 
probably somewhat overlooked because they have a tremendous 
amount of PII because of the student loans, not only on the 
student, but sometimes on the parents.
    So I would be most concerned about where the PII is the 
most significant.
    Senator Lankford. Let me ask you about things like SEC or 
CFPB, fairly new entity for CFPB, they have a tremendous amount 
of data.
    Mr. Willemssen. Yes.
    Senator Lankford. Do we know, on their employees, how they 
have access and the limitations that they have?
    Mr. Willemssen. We know that they have at least three sets 
of data collection that includes PII, maybe more. Arbitration 
case records, bank-deposit account and transaction-level data 
and storefront payday loans.
    Senator Lankford. What is their auditing process for their 
employees inappropriately accessing that?
    Mr. Willemssen. That is something we will have--we can 
follow up on. We did make a recommendation in terms of the--we 
previously had done work and we made a recommendation related 
to their privacy-impact assessment.
    Whenever you collect PII, you have got to do a privacy-
impact assessment that lets everyone know what are we 
collecting, why are we collecting it, how are we going to use 
it, how are we not going to use it, and when are we going to 
dispose of it.
    They had not fully done those when we had done our work, so 
made a recommendation on that, and that is something I can 
follow up on and see where they are at.
    Senator Lankford. I know CFPB has just requested, again, 
another incredibly large jump in the amount of information that 
they are gathering on Americans and gathering on databases. 
That seems to exceed even what was originally designed in Dodd-
Frank.
    Mr. Willemssen. Well, it may be more than what we had 
mentioned in our report, then. They may have further expanded 
it.
    Senator Lankford. It is a fairly recent expansion request 
for additional information. What we are trying to figure out is 
who has access to that, how often do they have access to that?
    Mr. Willemssen. We can follow up for you on that.
    Senator Lankford. That would be very helpful to this 
Congress.
    Mr. Willemssen. Yes, sir.
    Senator Lankford. Gentlemen, I thank you for your 
participation today.
    Mr. Perry. The Chair thanks the gentleman from Oklahoma.
    Before I close out, I have got a couple questions. Mr. 
Willemssen, you know, you are from the Government 
Accountability Office and I read through your information. I am 
just wondering if you can provide any clarity on other agencies 
regarding penalties, regarding accountability for actions that 
have been--that they have engaged in regarding security 
clearances? That might be out of your wheelhouse, and if it is, 
that is----
    Mr. Willemssen. Well, I can talk about numerous--some of 
the major incidents over time. Probably the first major 
incident we had with inappropriate browsing was at the IRS in 
the mid-1990s. Several employees decided to start browsing 
celebrities' tax returns, and actually, as a result of that, 
there was an act passed, the Taxpayer Browsing Protection Act, 
1997. That, among other things, has penalties of up to a $1,000 
fine and imprisonment of not more than 1 year.
    Mr. Perry. Do you know if anybody was ever prosecuted under 
that? And was subjected to those penalties at all?
    Mr. Willemssen. Do not know that, sir, but I can--we can 
follow up on that with the IRS.
    Mr. Perry. Well, I--actually, I wish you would, just so we 
know.
    Director, you also mentioned that--I think you are--there 
are some limitations, right, to what you can do regarding 
accountability, regarding punishment for actions that are 
beneath the standard? Is that correct?
    Mr. Clancy. Yes. We are not able to fire at will.
    Mr. Perry. You are not--okay. So we need to know, the 
members of this board and Congress in general needs to know 
what you need us to do for you to be successful, for you to 
manage your force, okay? We need your direct recommendations 
and that is, as I have said so many times in the room, we want 
you to be successful, and if we are standing in the way, you 
need to let us know what we can do, what we should do, so that 
you could be successful.
    You know, I have served for over 30 years in the United States 
military, if you are familiar with the Army, and I guarantee 
you if there is a question of your security clearance and your 
activity regarding the security clearance, that is suspended on 
an interim basis, pending an investigation. If you are found to 
have been at fault, and have breached, that is very serious. It 
is incredibly serious for the most minor infractions. It is not 
meant to be a culture of punishment and fear, but it is meant 
to keep honest people honest and to raise to the level of 
importance those things that should be important.
    I would just suggest that maybe that would be something 
that you might want to look at for suspension of security 
clearances, which I would imagine in your business, a 
suspension of a security clearance, certainly on an interim 
basis--maybe on an interim basis, but absolutely on a permanent 
basis means loss of employment because you can't be employed 
without it, right? And----
    Mr. Clancy. That is correct, yes, sir.
    Mr. Perry. That is correct, right? So that gets to where we 
want to be. I would also say this. In looking at some of the 
testimony, we are concerned about how fast you are getting the 
information. You are the top dog and you are in charge and I 
get it. But I will tell you this too. Whether it is in my 
family, whether or, whether it is in the military, whether I 
was running my business, bad information, bad news does not get 
better with time.
    There must be a culture of something happened, and who 
needs to know and we get the information up to the top of the 
chain as quickly as possible because you have got to be able to 
do your job. You can't do it without the information. If your 
subordinates don't know that that is your expectation, then we 
are going to have--we are going to have this continuation of 
this, which none of us want.
    You are sitting here in front of us and you are defending 
your agency and your agents, as we expect you to, as you 
should. You will probably also note that 95 percent of your 
time will be spent on 5 percent of your people. Director, I 
have been out to your operation and I have been well impressed 
and all of us really want to hold up the Secret Service as the 
standard. We want that. Americans really desperately want that.
    So these things are incredibly hurtful, so when we hear 
them in the news, they are hurtful. There is a bigger picture 
here and I think your agents, your employees need to understand 
it is not their system. It is the taxpayers' database, and is 
not their information, it is those individuals' information.
    You don't own it, those individuals own it. To use it 
willy-nilly is reprehensible in an age when, as the Senator 
talked about, your--all these information that the governments 
gather, the information that the private sector is gathering 
and what happens to it and who owns it and the force of law 
under the ACA, which says you must submit your information.
    To think and to wonder that somebody might be using that 
for their personal whatever, that is a problem. That is a 
problem for the American citizen trusting their Government, and 
your employees have a direct connection to that. They must--in 
my opinion, they must understand that.
    I want to just speak to this--you have been questioned a 
couple times on diversity and also on filling your ranks and in 
keeping your people employed and keeping them incentivized and 
so on and so forth. We understand that you have challenges, 
just like everybody does, complying with the law and filling 
your ranks with the people that you want to have there. We 
understand that. I would say from this person's perspective, we 
want you, I want you to get the best. You get the best, all 
right? You get the best to do the job.
    Finally, I noticed a couple times you said you are trying 
to be consistent with other agencies. I will tell you this, 
sir. I understand where you want to be, but this is the Secret 
Service, the premier organization of your type in the United 
States Government, in the world.
    How about if you lead? If you can't find somebody that 
meets the standards you want to set in your agency around the 
Government agencies, go outside. Make your own standard. If you 
need help from us, you need to ask for it, all right?
    Thank you very much for your time here. Gentlemen--again--I 
thank you, the witnesses all for your very valuable testimony 
and for the Members and their questions. Members may have some 
additional questions for the witnesses and we will ask that you 
respond to those in writing.
    Without objection, these subcommittees stand adjourned.
    [Whereupon, at 12:02 p.m., the subcommittees were 
adjourned.]



                            A P P E N D I X

                              ----------                              

        Questions From Chairman Scott Perry for Joseph P. Clancy
    Question 1a. According to Secret Service officials, USSS policies 
related to accessing and disclosing PII are available in the Secret 
Service ethics manual distributed to USSS personnel and on the Secret 
Service intranet site. In addition, Secret Service employees are 
required to recertify their ethics training yearly.
    What percentage of the workforce actually completes the yearly 
recertification and what audit measures are in place to ensure the 
workforce is recertifying?
    Answer. Employees certify annually that they are aware of a variety 
of agency policies via the SSF 3218, to include the agency manual 
sections on Employee Responsibilities and Conduct, Table of Penalties, 
and Discipline. These forms are subject to audit when agency offices 
are inspected by the Office of Professional Responsibility's Inspection 
Division.
    With respect to ethics training, in calendar year 2014, the Office 
of Chief Counsel (LEG) provided ethics training to 100% of those 
employees required to receive it. In calendar year 2015, LEG targeted a 
goal of 100% compliance and has provided in-person training to a total 
of 587 employees. LEG reports the results of its training efforts 
annually to the Office of Government Ethics.
    With respect to required on-line training, the table below reflects 
the percentage of the workforce that has completed each of the 3 
identified courses that involve employee conduct and/or treatment of 
personal information.

                         PRIVACY & PII TRAINING COMPLETIONS FOR USSS IN FISCAL YEAR 2015
----------------------------------------------------------------------------------------------------------------
Course Title                            Privacy at DHS:         Decision Making         IT Security
                                        Protecting Personal     Elements                Awareness
                                        Information
                                        (This on-line course    (March 2015 was         (This on-line course
                                        is required annually)   official rollout for    is required annually)
                                                                this yearly required
                                                                on-line course)
----------------------------------------------------------------------------------------------------------------
Employee Completions *                  5,604                   5,563                   5,385
Percent of the Workforce Completions    89%                     88%                     86%
 for Fiscal Year 2015 (Numbers include
 active and inactive employees with no
 duplicates)
----------------------------------------------------------------------------------------------------------------
* Totals represent ``unique employee completion'' (both active/inactive employees with no duplicates).

    The enforcement mechanisms (or audit measures) to ensure the on-
line courses are completed are multi-tiered:
    (1) Self-Check.--Employee logs onto learning management system 
        (LMS) regularly to ensure he/she is taking the courses by due 
        date(s).
    (2) Supervisory Check.--Supervisor logs onto LMS and reviews his/
        her employee progress and/or the office Training Coordinator 
        provides the supervisor(s) with a non-compliant list.
    (3) 2nd Supervisory Check (during evaluation process).--Supervisor 
        conducts the employee's mid-year and final evaluation, reviews 
        the status of prescribed/required training, and discusses any 
        other training the employee may need or want to improve or 
        develop his/her skill-set.
    (4) Inspection Division Audit.--All field offices and protective 
        divisions are inspected every 4 years by the Inspection 
        Division (ISP). During the ISP review, on-line training is 
        audited to determine whether all employees have completed 
        mandatory LMS training.
    Question 1b. What follow-up is conducted for non-compliant 
employees who fail to complete the training?
    Answer. Employees found to be non-compliant with required courses 
could be held accountable in performance evaluations and could be 
subject to discipline in accordance with the established Table of 
Penalties.
    Question 1c. How do senior officials hold mid-level management 
accountable for ensuring their subordinates are aware of and operating 
within USSS ethics policies?
    Answer. Senior officials are responsible for communicating their 
expectations, including adherence to Secret Service ethics policies, to 
mid-level management during regular interactions, mid-year reviews, and 
final reviews. Failure on the part of mid-level management to ensure 
their subordinates are aware of and operating within those ethics 
policies could be reflected in the manager's performance review and 
could result in discipline under the Table of Penalties.
    Question 2a. According to USSS staff, in 2007, an NSA review called 
for the MCI system to be upgraded. Despite this recommendation, the 
Secret Service did not begin to take any action related to upgrading 
the system until 2011 and the MCI upgrade was not completed until June 
of this year. Since fiscal year 2011, when the upgrade began, Congress 
has appropriated over $227 million for USSS IT transformation.
    How much of this appropriated sum was used to modernize the MCI 
system?
    Answer. The MCI migration was part of the Mainframe Applications 
Refactoring project which utilized approximately $13.49 million to 
complete the migration into modernized systems with security controls 
and audit logging. The out-year sustainment costs are $2 million per 
year.
    Question 2b. Why did it take so long for MCI to be upgraded and why 
did USSS wait 4 years after the NSA review to begin the upgrade? Was it 
a funding issue, a personnel issue, an acquisition issue, a technical 
issue, or something else?
    Answer. The MCI upgrade was dependent on the availability of 
modernization funds to obtain the appropriate assets to complete the 
project. These funds were needed to obtain the equipment and skilled 
personnel to take on the effort of transitioning from a period of 
technological stabilization to modernization. The Secret Service's 
Information Integration and Technology Transformation (``IITT'') 
program was established in fiscal year 2010. In recognition of the 
limitations of MCI and other mainframe applications, the Secret Service 
initiated the Mainframe Application Refactoring (``MAR'') project in 
2011 to assess the existing 48 applications residing on the mainframe 
and migrate necessary capabilities and accompanying data to a non-
mainframe, secure, highly-available and compartmentalized environment. 
DHS estimated the project would take 10 years to complete. The Secret 
Service accelerated the MAR project in 2013 and was able to achieve 
project closure on June 24, 2015.
    Question 3a. Since becoming Director, you have launched a series of 
communication initiatives to open lines of communication between senior 
management and the rank-and-file USSS employees. These initiatives 
include focus groups, an Ombudsman question line, and the new Spark! 
tool. These actions would appear to ``clearly communicate agency 
priorities'' and ``create more opportunities for offices and agents to 
provide input on their mission'' as recommended by the Protective 
Mission Panel.
    What kind of buy-in and participation in these initiatives have you 
seen from the rank-and-file employees?
    Question 3b. What reforms, either completed or in process, have 
been brought about as a result of these initiatives?
    Answer. Given that sub-questions a and b are closely related, the 
Secret Service will address these together.
Spark!
    On October 19, 2015, the Secret Service introduced the Spark! 
Program, which is a crowdsourcing, web-based communication platform 
that provides every employee with a virtual voice to make suggestions, 
share ideas, and find solutions to elevate our mission and continue to 
improve the agency. This new program allows senior management to 
communicate directly with the entire workforce on what initiatives are 
being pursued and what the agency's priorities are as they relate to 
the posts on the site. The Spark! Program, although still in its 
infancy, has already seen participation by 3,374 employees, which is 
54% of the workforce.
Focus Groups
    In October 2014, the Secret Service selected Eagle Hill Consulting 
as the primary contractor to conduct a Work/Life Integration Assessment 
beginning in November 2014. Eagle Hill conducted focus group interviews 
throughout the Nation with Secret Service employees. A survey was 
distributed garnering participation from approximately 57% of the total 
Secret Service population. Eagle Hill completed its assessment in 
December 2015.
    Throughout this engagement, frequent communication with the Secret 
Service workforce has been essential in providing the workforce 
transparent, accurate information about the status of the work/life 
assessment and its results. Regular updates from the director via e-
mail and a permanent work/life integration webpage on the Secret 
Service intranet inform employees about near-term measures and next 
steps as the organization responds to critical quality-of-life 
concerns. For example, an agency-wide communication from the director 
in response to focus group findings conveyed new initiatives to provide 
greater clarity and transparency regarding the special agent 
reassignment process, career track and promotion guidelines for law 
enforcement personnel, permanent change of station move process, 
hardship policy, and enhancements to the organization's telework 
policy.
    Now that the Eagle Hill engagement has concluded, focus group 
results, survey data, and external research into Federal agency work/
life best practices will be presented to the Secret Service Executive 
Staff. These efforts will inform a series of final recommendations to 
be developed by Eagle Hill regarding development of a permanent Work/
Life Integration Program. Through the recently-established Work/Life 
Working Group chaired by the deputy director, the organization will 
consider in detail each of the recommendations and in 2016 begin 
developing appropriate programmatic responses to enhance workforce 
quality of life on a long-term basis.
    Question 4a. The Protective Mission Panel recommended replacing the 
fence surrounding the White House, stating, ``a better fence can 
provide time, and time is crucial to the protective mission. Every 
additional second of response time provided by a fence that is more 
difficult to climb makes a material difference in ensuring the 
President's safety and protecting the symbol that is the White House.'' 
The Panel also suggested the fence be replaced as quickly as possible. 
Thus far however, the only changes have been the addition of some 
spikes and bike racks which push the fence line out a few feet.
    Please provide an update on the USSS plans to replace the fence.
    Answer. In response to the September 19, 2014 incident and the 
findings of the Protective Mission Panel, the Secret Service pursued 
interim and long-term actions needed to address White House fence 
vulnerabilities.
    To immediately increase the difficulty associated with jumping the 
fence, the Secret Service installed temporary security enhancements on 
the existing fence. These temporary measures were meant to bolster 
security needs while a long-term solution is designed and implemented.
    To permanently address all identified fence vulnerabilities, the 
Secret Service, through the National Park Service (NPS), initiated an 
engineering study to examine physical changes that would increase the 
structural integrity of the White House fence against both individuals 
and an organized, dynamic attack. The study concluded on May 28, 2015. 
Based on the results of the study, the Secret Service decided to pursue 
the design of two different permanent fence options. Both options will 
be developed concurrently and in enough detail so that they can be 
presented to NPS, the National Capital Planning Commission (NCPC), the 
Commission of Fine Arts (CFA), the District of Columbia State Historic 
Preservation Officer (DC SHPO), and others for consideration. Award of 
the contract for the permanent fence design took place in September 
2015.
    Question 4b. When do you expect the project to be completed and at 
what cost?
    Answer. Prior to completion of the study and the latest fence-
jumping incident on November 26, 2015, the Secret Service estimated 
that design, acquisition/contracting, and construction of the permanent 
fence project would take a minimum of 28 months, potentially longer if 
the NPS, the NCPC, and the CFA require revisions/modifications to the 
proposed design.
    After completion of the study, negotiations with the architect/
engineer responsible for the design of the permanent fence, additional 
discussions with NPS (the Government agency with responsibility/
jurisdiction over the fence), as well as a review of the November 26, 
2015 fence-jumping incident, the Secret Service now believes this 
project will take longer than 28 months.
    The concepts for the permanent fence design were based in part on 
the security/anti-climb features incorporated into the interim fence 
upgrades that were present during the November 26, 2015 fence-jumping 
incident. Based on the results of this incident, the Secret Service 
plans to re-evaluate the permanent design concepts, as well as assess 
the effectiveness of additional features to be incorporated into the 
new permanent fence.
    The fiscal year 2016 Consolidated Appropriations Act included $8.2 
million (available for 2 years) for security enhancements to the White 
House fence. This estimate was developed prior to the completion of the 
study and design phase of the project. Once the permanent design is 
developed and additional details about the permanent fence are known, 
the Secret Service will be better positioned to provide an estimated 
total cost to replace the existing White House fence.
    Question 5. As stated in the OIG addendum issued in October, Deputy 
Director Magaw said he informed you on March 25 of the rumor that Rep. 
Chaffetz had applied to the Secret Service. Why did you not take 
immediate steps to learn more information about the nature and validity 
of the rumor? Why did Deputy Director Magaw not inform you that the 
rumor was the result of improper access and distribution of PII 
information in the MCI database?
    Answer. As previously reported to the DHS OIG, on March 25, 2015, 
Deputy Director Magaw notified me of the rumor surrounding 
Representative Chaffetz's application with the Secret Service. At that 
time, I had no reason to believe that any Secret Service databases, 
including MCI, had been accessed to obtain this information. Like 
Deputy Director Magaw, I believed it to be an unsubstantiated rumor and 
nothing more. In fact, both Deputy Director Magaw and I were not aware 
that a Secret Service database had been accessed until April 2, 2015. 
That same day, I sent an official message to the entire workforce 
directing them to immediately cease all unauthorized access and 
dissemination of sensitive information.
    On April 3, 2015, I convened a meeting with my executive staff to 
inform them of the situation. At this meeting, I reiterated the 
importance of protecting sensitive PII and informed them that any 
violations of Secret Service policy would not be tolerated.
    Subsequently, the DHS OIG's investigation revealed that subsequent 
to the April 2, 2015 official message, no additional personnel accessed 
Representative Chaffetz's information.
    Question 6. Why did Secret Service maintain applicant information 
from 12 years prior in its systems? Why was such information not purged 
or sent for archiving?
    Answer. At the time of the events in question, the Secret Service 
was still governed by records retention schedules requiring this type 
of information be retained for 20 years. Due to the fact that these 
schedules were vetted, approved, and signed by the National Archives 
and Records Administration (NARA), adherence to these schedules was a 
matter of legal compliance. New NARA-approved retention schedules have 
now replaced the legacy schedules, and information relating to 
applicants who are not hired is held only for 2 years, unless a formal 
background investigation is conducted. If a formal background 
investigation is conducted, the case file is held for 5 years.
 Questions From Ranking Member Bennie G. Thompson for Joseph P. Clancy
    Question 1. Director Clancy, it was recently reported that a 
Uniformed Division officer was arrested for sending pornographic images 
to a minor. Prior to his arrest, the Secret Service Office of 
Professional Responsibility became aware of the investigation and 
suspended the officer's security clearance and took his service weapon. 
How did the Secret Service work with the authorities to make sure that 
the investigation of this officer was not compromised since the Secret 
Service took action before the officer was arrested and indicted?
    Answer. On November 6, 2015, the Maryland State Police (MSP) 
contacted the Secret Service to advise that they, in conjunction with 
the Delaware State Police (DSP), and ICE's Homeland Security 
Investigations (HSI) were conducting an investigation into potential 
criminal misconduct by a USSS employee.
    That day, representatives from the Office of Professional 
Responsibility contacted the DHS OIG and advised that the USSS employee 
was assigned to the White House Complex and the allegations against the 
employee posed significant National security concerns. DHS OIG 
requested that the USSS not take any administrative action against the 
USSS employee as law enforcement involved in this investigation was 
planning to execute a search warrant in less than 2 weeks. However, due 
to the criminal nature of the allegations and the sensitivity of the 
position held by the employee, the USSS made the decision to 
immediately suspend the employee's security clearance and place him on 
administrative leave.
    Question 2. Director Clancy, it was recently reported that 2 USSS 
agents were observed during a routine systems check sleeping at their 
duty stations. This observation was so concerning, the DHS inspector 
general issued a management alert, citing long overtime shifts, travel 
fatigue, and a lack of water as some of the causes. What plans do you 
have in place to address overtime concerns, particularly in the 
Uniformed Division?
    Answer. The Uniformed Division continues to evaluate overtime usage 
across all Uniformed Division Branches with the goal of equitably 
minimizing extensive overtime shifts and preserving days off. Each 
Uniformed Division Branch manually tracks the overtime accumulation of 
each officer per pay period as a current management practice. Every 
effort is made to staff critical vacant assignments with personnel who 
volunteer to work overtime rather than forcing personnel to work 
overtime.
    The concept of consolidating all Uniformed Division scheduling 
offices to gain efficiencies and cross level overtime between Branches 
is currently under review. In addition, specialty function Uniformed 
Division personnel are being temporarily reassigned to fill critical 
assignments in an effort to reduce the amount of overtime hours as well 
as cancelled days off.
    Variable assignments, such as temporary magnetometer screening 
details, typically result in short-notice protective travel and incur 
overtime for personnel to replace or ``backfill'' Uniformed Division 
personnel on TDY status. The Uniformed Division, as well as the Office 
of Protective Operations, are reviewing current planning practices in 
order to determine temporary magnetometer detail requirements as early 
as possible in the protective advance planning process in order to 
minimize overtime as a result of short-notice TDY travel.
    Question 3. The Protective Mission Panel suggested an increase of 
200 Uniformed Division officers as well as 85 Protective Division 
officers. Has the Secret Service increased staffing since this 
recommendation and by how many? Will this increase in staffing help 
decrease the number of officers needed for long overtime shifts, 
particularly in the Uniformed Division?
    Answer. As of December 7, 2015, 176 UD Officers have been hired in 
fiscal year 2015 and fiscal year 2016. The net gain from the influx of 
these 176 additional personnel has been 28 additional officers assigned 
to the White House. This represents a staffing increase of 4.8% at the 
White House Branch. At this time, we anticipate hiring approximately 
288 total officers in fiscal year 2016.
    Although Uniformed Division personnel assigned to the White House 
Branch has increased since the Protective Mission Panel report was 
issued on December 15, 2014, the overall number of personnel assigned 
to the Uniformed Division has decreased from 1,345 to the current 
number of 1,323, as of December 7, 2015.
    With respect to the Protective Mission Panel recommendation to 
increase the Presidential Protective Division by 85 special agents, 
this will be complete in the 2nd quarter of fiscal year 2016.
    Question 4. The Protective Mission Panel recommended an 
establishment of a leadership-development system to identify and train 
the agency's future managers and leaders. How do you identify the 
agency's future managers and leaders given that several of the agency's 
current managers and leaders have been investigated for misconduct?
    Answer. When there is an open position in the Senior Executive 
Service (SES) ranks, the Secret Service Executive Resources Board (ERB) 
reviews the list of employees who have received SES certification from 
the Office of Personnel Management.
    If an SES-certified employee is identified as being a viable 
candidate to fill the vacancy, the ERB makes a recommendation to the 
director for his consideration. If no current SES-certified employee is 
identified as being a viable candidate to fill the vacancy, the ERB 
makes a recommendation to the director to announce the vacancy to 
external candidates.
    For non-SES supervisory positions, special agent career progression 
guidelines were established in September 2015, and a career track for 
non-law enforcement personnel is currently under development.
    Question 5. As outlined in the latest Federal Employee Viewpoint 
Survey, the Department of Homeland Security is still struggling in 
areas of morale and leadership. The Secret Service in particular has 
been plagued with retention issues. Please describe what plan you have 
in place to address retention and ensure the Service is recruiting top, 
diverse talent?
    Answer. A retention incentive program has been implemented for the 
Uniformed Division. Under the plan, officers signed retention bonus 
agreements in the amount of 5% of their annual salary and began 
receiving that bonus, in part, every 90 days they remained on the job. 
To date, over 90% of the eligible Uniformed Division members have 
executed a service agreement and are participating in this program. In 
addition, a comprehensive review of recruitment and retention 
flexibilities available within the Federal Government is currently 
being conducted.
    The Talent and Employee Acquisition Management Division has 
developed and implemented a fiscal year 2016 Recruitment and Outreach 
Plan. The Plan outlines strategies that will guide the recruitment 
activities necessary to ensure the Secret Service recruits a highly 
qualified and diverse workforce that is representative of America. The 
plan includes traditional outreach, such as attending National and 
diversity-focused career fairs, information sessions and career fairs 
at Historically Black Colleges and Universities, Hispanic-serving 
institutions, and Tribal colleges and universities, liaison with 
military Transition Assistance Program/Army Career Alumni Program (TAP/
ACAP) events, and attending National diversity conferences. In 
addition, new opportunities in social media recruiting are being 
leveraged to attract today's engaged candidates on LinkedIn, YouTube, 
Twitter, and internet radio providers such as Pandora and iHeartRadio. 
The strength of these platforms is their ability to target potential 
applicants with the backgrounds and skill sets we seek.
    The Entry Level Assessment Center (ELAC) will continue to be used 
to process large groups of Special Agent and Uniformed Division Officer 
applicants through the hiring process. Typically during an ELAC, the 
applicant is administered 2 or more assessments of the hiring process 
in a reduced amount of time. During fiscal year 2016, 6 UD ELACs have 
been conducted with more than 460 applicants being processed to date.
    The Recruitment and Outreach Plan is a living document and will be 
updated and revised as necessary throughout the fiscal year to meet the 
agency's goals in recruitment and hiring.
    Question 6. It has been often stated that it is very difficult to 
transition from the Uniformed Division to the President's Protected 
Division. What percentage of agents in fact transfer from the Uniform 
Division to the Protected Division? What special programs are in place 
to support such a desire to transfer?
    Answer. Uniformed Division officers do not ever transfer directly 
to a special agent position in the Presidential Protective Division, a 
permanent protective detail. In fact, no one applying for a law 
enforcement position within the Secret Service is hired directly to a 
position with a permanent protective detail. There is a period during 
which the expertise, maturity, and judgment essential to the extremely 
critical and demanding work of special agents protecting our Nation's 
highest elected leaders is developed in field offices supporting 
protective operations and conducting counterfeit currency, financial, 
or cyber crime investigations as criminal investigators.
    Uniformed Division officers do frequently go through the necessary 
process to become special agents. Those Uniformed Division officers who 
become special agents are required to go back to the Federal Law 
Enforcement Training Center (FLETC) in Glynco, Georgia for the Criminal 
Investigator Training Program course. After graduation from FLETC they 
return to the U.S. Secret Service James J. Rowley Training Center 
(JJRTC) to attend the Special Agent Training Course. Upon successful 
graduation from the JJRTC the new agent is then assigned to a field 
office for the first phase of their career. After their initial field 
office assignment the agent is then transferred to a permanent 
protective detail, like the Presidential Protective Division or 
Protective Intelligence Division.
    Question 7. In June of this year, it was reported that several 
dozen USSS Uniform Division Officers were placed on duty at the White 
House without completing the requisite security clearance process. In 
fact, over the last 5 years, approximately 643 officers and agents have 
been assigned to positions without the requisite security clearance. 
Please provide the demographical information to include race and gender 
for each officer and agent assigned to duty without a security 
clearance over the last 5 years.
    Answer. A report is being compiled and will follow.
    Question 8. Are agents and officers presently required to have a 
completed security clearance before being placed on duty? Please 
provide the number of agents and officers currently on duty without a 
security clearance, the specific post each agent or officer was 
assigned, the date of the assignment, and the length of time the agent 
or officer remained at this position without a clearance.
    Answer. There are no agents or officers currently on duty without a 
security clearance. Pursuant to Secret Service policy, SCD-02(01), DHS 
has authorized the Secret Service to hire employees ``contingent upon 
completion of a full-scope background investigation.'' Employees may be 
hired under this contingency if the Secret Service has completed the 
majority of a Single Scope Background Investigation (SSBI) and no 
derogatory information was developed which could adversely impact the 
candidate's ability to hold a Top Secret security clearance during the 
course of the SSBI. Employees hired under this contingency status are 
required to sign an SSF 4024, Conditional Access to Sensitive but 
Unclassified Information Non-Disclosure Agreement, prior to reporting 
for duty.
    Question 9. In your testimony, you reference 14 contractors added 
to Secret Service staff to help adjudicate security clearances. What is 
the current average amount of time required by your staff to complete a 
security clearance since the addition of the contractors?
    Answer. In an effort to correct the record, it should be noted that 
the statement in the testimony does not accurately reflect the number 
of contractors added to Secret Service staff to help adjudicate 
security clearances. The Security Clearances Division (SCD) is in the 
process of on-boarding 24 contractors to assist in the security 
clearance process. At this time, 11 are on board. The purpose of the 
contractors is to process the high volume of applicants to the agency 
to ensure adjudication before the personnel become operational while 
staying within the 114-day Office of the Director of National 
Intelligence (ODNI) standard.
    Question 10. The Inspector General's memorandum on the improper 
database access states that there was evidence of only 1 individual out 
of 18 executive-level managers who attempted to inform the Director or 
higher levels of the supervisory chain about the information or attempt 
to remediate the activity. Do you find it concerning that some of your 
senior leadership, which you personally appointed, did not see error in 
this behavior?
    Answer. The DHS OIG investigation found that 18 supervisors at the 
GS-15 or Senior Executive Service level may have known about improper 
database access but only one attempted to inform the director or higher 
levels of the supervisory chain about the information or attempt to 
remediate the activity. Additional investigation conducted by the 
Secret Service Inspection Division, with the authorization of the DHS 
OIG, included interviews of these supervisors which had not previously 
been conducted by the DHS OIG. This supplemental investigation revealed 
that other supervisors with knowledge of Secret Service employees 
improperly accessing databases or sharing protected information ordered 
their employees to immediately cease and desist accessing the database. 
Further, the vast majority of supervisors did not receive information 
that was attributable to a USSS data system, nor did they have any 
awareness that the rumor originated through potential misconduct.
    Regardless, as I stated in testimony before Congress, I am 
committed to ensuring that all employees are held to the highest 
standards of professional conduct, whether on or off duty. I believe 
the behavior of the employees who violated existing Secret Service and 
DHS policies pertaining to the unauthorized access and disclosure of 
information protected by the Privacy Act of 1974 is unacceptable. I 
also believe that supervisors who failed to advise employees to cease 
and desist or attempt to inform higher levels of the supervisory chain 
after obtaining actionable information are also culpable. Those we 
protect and the public we serve expect us to live by our oaths and the 
values we have established as an agency, and we should demand nothing 
less from each other. We are better than the actions illustrated in 
this report and people, responsible supervisors and line employees 
alike, will be held accountable for their actions.
    Question 11. Director Clancy, according to your testimony, when you 
heard of Representative Chaffetz's application for the Secret Service 
being discussed, you dismissed it as a rumor. However, according to the 
OIG's memorandum, you discussed this rumor at a luncheon with former 
directors of the Secret Service. Instead of investigating, you spread 
the rumor. What does that say about the culture of professionalism of 
the Secret Service?
    Answer. I would like to address my statements and the decision of 
the OIG to reopen the investigation on October 5, 2015. During the 
process of reviewing the draft, I was reminded by a colleague that I 
had been informed of a rumor regarding the individual's application 
history on March 25. While I myself do not recall hearing of this 
rumor, several others have confirmed that I did, and that it was a 
general rumor about the individual's past application; it did not 
relate to USSS employees improperly accessing databases or sharing 
protected information. In order to ensure accuracy within the report, 
on my own initiative I contacted the OIG to correct the record. I made 
this decision because I feel that it is important to be as forthcoming, 
accurate, and complete as possible. I expect this from my employees and 
expect nothing less from myself.
    The OIG published an addendum in October reporting its assessment 
of the updated information pertaining to when I was made aware of this 
rumor. Interviews with former directors, my deputy director, and my 
former chief of staff only serve to corroborate that the information 
available to me at the time was nothing more than a rumor. The 
information was not attributed to a Secret Service data system or 
indicative of any action--inappropriate or otherwise--by any Secret 
Service employee. Nothing in the addendum contradicts what I have 
maintained from the beginning--that at no time prior to April 2 was I 
aware that this rumor originated in information obtained through 
potential misconduct. When I did learn of it, I took immediate action, 
contacting the OIG and sending an official message to the workforce on 
the handling of sensitive information.
    Question 12. According to the Inspector General's memorandum, the 
personal file from the data leak was stored on the Secret Service 
Master Central Index or MCI system. MCI is described as a ``1980s 
vintage, electronic database and system of records.'' The National 
Security Agency conducted an analysis of the Secret Service data system 
in 2010. NSA concluded that the system was dated and fully operational 
only 60 percent of the time. Why was the system not updated or removed 
until July of this year, only after this particular data leak?
    Answer. The MCI upgrade was part of the Secret Service's broader 
effort to modernize its IT systems. This effort, known as the 
Information Integration and Technology Transformation (``IITT'') 
program, was established in fiscal year 2010. In recognition of the 
limitations of MCI and other mainframe applications, the Secret Service 
initiated the Mainframe Application Refactoring (``MAR'') project in 
2011 to assess the existing 48 applications residing on the mainframe 
and migrate necessary capabilities and accompanying data to a non-
mainframe, secure, highly-available and compartmentalized environment. 
DHS estimated the project would take 10 years to complete. The Secret 
Service accelerated the MAR project in 2013 and was able to achieve 
project closure on June 24, 2015.
    Question 13. What plans do you have in place regarding the MCI and 
other outdated systems within the Secret Service? What parameters are 
available to ensure such a gross mismanagement of access and authority 
does not occur again?
    Answer. On March 24, 2015, there were technological security 
deficiencies within the Secret Service's primary internal database that 
contributed to the unauthorized access of information. These internal 
vulnerabilities have been addressed and the potential for similar 
misconduct in the future mitigated. The MCI was a mainframe application 
developed in 1984 that served as a central searching application and 
case management system. More specifically, MCI contained records from 
protective, investigative, and human capital divisions and served as a 
single access point for investigators and administrators. A significant 
deficiency of this arrangement was that an MCI user had access to all 
of the data in MCI regardless of whether it was necessary for that 
user's job function.
    The Secret Service's Information Integration and Technology 
Transformation (``IITT'') program was established in fiscal year 2010. 
In recognition of the limitations of MCI and other mainframe 
applications, the Secret Service initiated the Mainframe Application 
Refactoring (``MAR'') project in 2011 to assess the existing 48 
applications residing on the mainframe and migrate necessary 
capabilities and accompanying data to a non-mainframe, secure, highly 
available and compartmentalized environment. DHS estimated the project 
would take 10 years to complete. The Secret Service accelerated the MAR 
project in 2013 and was able to achieve project closure on June 24, 
2015. At that time, all employee mainframe access was revoked. The new 
systems are completely operational, and all legacy data has been 
migrated to new platforms where data is locked down and access to data 
is dependent upon job function. Protective, investigative, and human 
capital records reside in different systems, and internal controls have 
now been implemented to restrict access to those systems in two ways. 
Now access is: (1) Limited to the respective directorates responsible 
for the information; and/or (2) based on the role of the system user 
within the organization. Shutdown of MCI began at the end of July, and 
it was fully powered down on August 12, 2015. Disassembly of the 
mainframe began in August 2015, and it was physically removed from the 
data center on September 16, 2015.
    Question 14. In the past, you have placed agents and officers on 
administrative leave, suspended security clearances, and provided 
limitations on technology when agents are under investigation. Please 
explain your decision to not take immediate disciplinary action on the 
senior-level management and the other personnel who were identified as 
improperly accessing the MCI database.
    Answer. Disciplinary action is taken only after investigation into 
the facts and circumstances is complete. In conjunction with this 
incident, the DHS OIG completed its investigation in late September 
and provided the supporting documentation in early October. In this 
instance, the agency did not have all of the information necessary from 
the OIG to contemplate disciplinary action until October 7, 2015. Even 
after receiving the information, in some cases, it was determined 
further investigation by our Office of Professional Responsibility was 
required.
    Question 15. In your testimony, you state that the likely maximum 
disciplinary action each employee involved in the data breach will face 
is 12 days suspension. Does the table of penalties address violations 
of conduct that are also violations of law? Was there a discussion 
within the Office of Integrity and/or the Department of Homeland 
Security to revoke each individual's security clearance? If not, please 
explain why.
    Answer. The Table of Penalties does contain penalties that are 
applicable for violations of law. The revocation of security clearances 
is handled by the Security Clearance Division rather than the Office of 
Integrity. Accordingly, there were no discussions within the Office of 
Integrity or between the Office of Integrity and the Department of 
Homeland Security regarding the revocation of security clearances.
    Question 16. The improper database access issue seems to be an 
issue with integrity, which means doing the right thing, even when no 
one is looking. Please describe what trainings and communications are 
provided to Service employees promoting integrity. Please also describe 
how senior management promotes integrity to the workforce.
    Answer. All senior executives, most Headquarters-based managers and 
supervisors, and all field office and protective division special 
agents in charge (SAICs) are required to receive ethics training every 
year. Training includes the use of nonpublic information.
    LEG provides in-person training to all Washington, DC-based 
employees required to receive it (except when exigent circumstances 
warrant written training). SAICs outside the Washington, DC, area are 
required to participate in the Headquarters training sessions by 
video- or teleconference. LEG also visits the field offices and 
protective divisions in one domestic region each year to personally 
train the SAICs and all available supervisors. SAICs are encouraged to 
invite other available employees.
    With respect to ethics training, in calendar year 2014, the Office 
of Chief Counsel (LEG) provided ethics training to 100% of those 
employees required to receive it. In calendar year 2015, LEG targeted a 
goal of 100% compliance and provided in-person training to a total of 
587 employees. LEG reports the results of its training efforts annually 
to the Office of Government Ethics.
    LEG oversees the publication and issuance of ``Standards of 
Ethical, Professional, and Personal Conduct: A Desk Reference for 
United States Secret Service Employees.'' The desk reference is a 
comprehensive summary of the statutes, regulations, and policies that 
govern employee conduct. When the desk reference was first published in 
2013, every employee was issued a printed, bound copy of the book. 
Subsequently, at the initial ethics briefing of the biweekly new 
employee orientation, LEG has provided new employees with a printout of 
the guide and referred them to the electronic version available on the 
Secret Service Intranet.
    Additionally, during the winter of 2012-2013, an instructor-led 
course was developed entitled ``Standards of Conduct (Ethics).'' In 
2013, this course was incorporated into many new recruit and in-service 
courses as depicted in the table below:
Basic Courses
   The basic course instructional blocks were entitled Ethical 
        Decision Making & Standards of Conduct
     Special Agent Training Course.--2.5 hours
     Uniformed Division Training Course.--2.5 hours
     Mixed Basic Training Course.--3 hours
     Protective Detail Training Course.--3 hours
     Counter Assault Team Basic School.--2 hours
     Counter Assault Team Cycle Training.--2 hours
In-Service Courses
   The in-service course instructional blocks were entitled 
        Standards of Conduct
     4th Shift Training.--2 hours
     Firearms Instructor Training Course.--2 hours
     Seminar for First-Line Supervisors.--45 minutes
     SA Reintegration Course.--1.5 hours
     UD In-Service Training Course.--1 hour
    In addition to instructor-led training, there are also mandatory 
on-line ethics courses available to all employees through the Learning 
Management System (LMS). In April 2012, it became mandatory for all 
employees traveling overseas to take the on-line course entitled 
``Making Decisions Ethically.'' In March 2015, this course was replaced 
with the on-line ethics course entitled ``Decision Making Elements,'' 
which became a mandatory, annual requirement for all USSS employees.
    Question 17. The Secret Service has now replaced the MCI system and 
95% of employees who once had access to the particular database in 
question no longer have access. Of the employees who will continue to 
have access, how many were implicated in this data breach? Please 
explain your decision to allow these individuals to continue to have 
access to sensitive information.
    Answer. As discussed in the response to question 13, the MCI system 
was fully shut down in August of 2015. All legacy data was migrated to 
new platforms where data is locked down and access to data is dependent 
upon job function. None of the individuals identified in the DHS OIG 
investigation into the improper access and distribution of information 
contained within a Secret Service database now have access to applicant 
data information.
        Questions From Chairman Ron Johnson for Joseph P. Clancy
    Question 1. Inappropriate use of information systems is likely a 
security violation. What is the status of any on-going security 
clearance investigations and adjudications?
    Answer. For the employees who were identified by the Department of 
Homeland Security (DHS) Office of Inspector General (OIG) as being 
involved in accessing a record containing personally identifiable 
information (PII) in the internal database, security clearance warning 
letters are being issued for inappropriate use of information systems.
    Question 2. What is the reasoning for the Secret Service 
maintaining records of unsuccessful applications for an extended period 
of time that contain sensitive PII?
    Does the Secret Service currently maintain similar records of 
unsuccessful applications that are not deemed relevant?
    Answer. At the time of the events in question, the Secret Service 
was still governed by records retention schedules requiring this type 
of information be retained for 20 years. Due to the fact that these 
schedules were vetted, approved, and signed by the National Archives 
and Records Administration (NARA), adherence to these schedules was a 
matter of legal compliance. New NARA-approved retention schedules have 
now replaced the legacy schedules, and information relating to 
applicants who are not hired is held only for 2 years, unless a formal 
background investigation is conducted. If a formal background 
investigation is conducted, the case file is held for 5 years.
    Question 3. Please describe the process to verify that Secret 
Service employees have reviewed the Secret Service Ethics Guide on an 
annual basis.
    Answer. This guide was distributed electronically and in hard copy 
in 2013 in response to one of the Professionalism Reinforcement Working 
Group (PRWG) recommendations, which reads as follows:

``PRWG Recommendation.--Reinforcement of Ethical Behaviors: The USSS 
notifies its workforce regarding policy changes on discipline, 
including expectations on ethical behavior and conduct through issuance 
of policy directives. However, the USSS should use multiple approaches 
to reinforce the importance of ethical behavior and conduct at all 
times. For example, the USSS should consider issuing all current 
employees and all new employees a user-friendly, easy-to-read manual 
highlighting the organization's core values, compliance principles, 
standards of conduct, and the expectation that employees adhere to 
standards of ethical conduct.''

    The ethics guide provides a comprehensive summary of relevant 
statutes, regulations, and policies. Many of the rules in the ethics 
guide are contained in Secret Service manual sections to which 
employees certify on an annual basis via SSF 3218.
      Questions From Chairman James Lankford for Joseph P. Clancy
    Question 1a. During your testimony you were asked if the Secret 
Service maintains paper files with personally identifiable information 
(PII) in addition to the PII stored on electronic databases.
    Does the Secret Service still maintain paper files in any of its 
offices containing personally identifiable information (PII)?
    Answer. Yes.
    Question 1b. If so, who has access to such files and how are those 
files stored?
    Answer. Access to records containing such information is generally 
controlled by the access procedures set out under the Privacy Act of 
1974, title 5 of the United States Code, section 552a (Privacy Act). 
System of Record Notices (SORNs) required under the Privacy Act which 
implicate record systems maintained by the Secret Service are published 
by the Department of Homeland Security (DHS), the Office of Personnel 
Management, and the Equal Employment Opportunity Commission. The SORN 
sets forth the routine uses for access to each system as well as the 
storage requirements for each system. Copies of Secret Service SORNs as 
most recently published by DHS are attached.
    Question 1c. If so, what security controls does the Secret Service 
have in place to prevent, detect, and respond to the unauthorized 
access of any paper files containing PII in any of its offices?
    Answer. Most types of PII records have specific additional 
regulatory storage, handling, and reporting protocols (e.g., storing in 
a locked room with access controls/logs). Information put into inactive 
storage includes a specific notation on National Archives form SF 135 
that the files must be protected under the Privacy Act.
    Question 2. In the context of Secret Service employee removal 
authority, you testified that you would like greater ability to dismiss 
employees that violate agency policy and the law.
    What additional removal authority would assist you in changing the 
current culture and ensure that agency policy and the law are respected?
    Answer. While we believe that current law allows for a reasonable 
process and means to remove employees from Federal employment in 
misconduct cases, the pace of that removal action is often slow and 
does not always foster a culture of accountability. For instance, when 
a case has been referred to, and accepted by, the OIG for 
investigation, the Secret Service can be delayed in taking action to 
address instances of employee misconduct, including criminal 
misconduct. In these instances the Secret Service must wait for the OIG 
to fully complete their investigation and issue a report which may lack 
the underlying evidence, sworn statements, and sometimes be in a 
redacted format. We believe that, if OIG were to provide the Secret 
Service with real-time information concerning evidence developed during 
an OIG investigation, we would, in some cases, be able to take 
expeditious disciplinary action against employees. For instance, if the 
OIG provided the Secret Service with a sworn statement in which the 
employee admits to the misconduct, the Secret Service could propose 
disciplinary action in advance of receiving a finalized, formal 
report. In this regard, we will engage with OIG to explore this 
possible change to existing procedure and any other changes that may 
lead to a greater culture of accountability in the Service workforce.
    Question 3. Concerning the topic of agency whistleblowers, you 
stated ``everyone in the Service knows that whistleblowers perform a 
vital function'' and ``there's no retaliation'' against them.
    Can you explain the steps the Service is currently taking to ensure 
that all whistleblowers are properly protected and shielded from 
retaliation?
    Answer. The Secret Service recognizes its obligation to protect the 
rights afforded to employees in making protected disclosures, including 
disclosures made to Congress, and values the benefits derived from the 
resulting oversight.
    The Secret Service is committed to creating open lines of 
communication within the agency to ensure concerns raised at any level 
receive the attention they deserve, and to ensure that employees who 
bring concerns to light are praised for doing so, rather than 
retaliated against.
    Biennial training on certain Federal anti-discrimination and 
``whistleblower'' protections is required by the No FEAR Act for all 
Department of Homeland Security (DHS) employees. This No FEAR Act 
course was developed by the DHS Office for Civil Rights and Civil 
Liberties' (CRCL) Equal Employment Opportunity and Diversity Division 
and its CRCL Institute based on an anti-harassment training course 
created by the Central Intelligence Agency's Office for Equal 
Employment Opportunity Office.
    Further, an agency-wide message was issued on October 30, 2015, 
regarding ``Whistleblower Protection Awareness'' which referenced 
policy manual sections related to disclosures to Congress and included 
a link to ``information to help employees easily determine what they 
should report, how to report suspected issues, what training DHS 
offers, [and] what legal protections are available . . . ''.
    Additionally, Secret Service Manual guidelines requiring employees 
to report misconduct or retaliation were reiterated to all employees in 
an official message to the workforce on March 23, 2015. It is important 
that employees recognize the agency's position on this issue, and 
Director Clancy will continue to emphasize it to the workforce. The 
Secret Service fully respects and supports the rights of 
whistleblowers, and retaliation of any kind is not and will not be 
tolerated. These rights and protections are clearly stated in the 
Secret Service Ethics Guide, the Table of Penalties, and within the 
Secret Service Manual.
    Question 4a. Your testimony outlined that recent Secret Service 
policy now requires the purging of applicant files every 2 years to 
improve internal protections of personally identifiable information 
(PII) housed on its databases.
    When did this policy change?
    Answer. This policy changed on October 1, 2015. Please note, at the 
time of the events in question, the Secret Service was still governed 
by records retention schedules requiring this type of information be 
retained for 20 years. Due to the fact that these schedules were 
vetted, approved, and signed by NARA, adherence to these schedules was 
a matter of legal compliance. New NARA-approved retention schedules 
have now replaced the legacy schedules, and information relating to 
applicants who are not hired is held only for 2 years, unless a formal 
background investigation is conducted. If a formal background 
investigation is conducted, the case file is held for 5 years.
    Question 4b. What additional policies and training does the Secret 
Service have in place to ensure PII housed on its databases is not 
improperly accessed?
    Answer. A Secret Service Information Resources Management (IRM) 
directive entitled ``IRM Privacy Act Review'' includes policy for 
reviewing new IT systems or changes to existing IT systems to determine 
Privacy Act impact. Related Secret Service and Department of Homeland 
Security (DHS) directives help ensure awareness of and compliance with 
PII regulations, through mechanisms such as the Privacy Threshold 
Analysis/Privacy Impact Analysis processes.
    Existing policies and training include longstanding guidance 
regarding the proper access to databases and handling of Privacy Act 
protected information, which is clearly stated in the Secret Service 
Ethics Guide, in the Table of Penalties, and within the Secret Service 
Manual sections related to rules of behavior with respect to the use of 
information technology. Employees are required to certify annually that 
they have reviewed these manual sections.
    Additionally, the Secret Service provides a 1-hour briefing to 
Special Agent and Uniformed Division Training Classes that includes 
material on the Privacy Act. A senior Government Information Specialist 
from the Freedom of Information Act and Privacy Act Branch of the 
Office of Government and Public Affairs teaches the class and focuses, 
in part, on PII.
    A 1-hour in-service on-line training titled ``IT Security 
Awareness'' is required as part of the agency's Federal Information 
Security Management Act (``FISMA'') obligations. The course outlines 
the role of Federal employees in the protection of information and in 
ensuring the secure operation of Federal information systems.
    The Privacy Act is also discussed during in-service ethics classes 
administered to the field by Secret Service Office of Chief Counsel 
instructors.
    Further, DHS requires Secret Service employees to complete annual 
in-service on-line training titled, ``Privacy at DHS: Protecting 
Personal Information.'' This training was incorporated into the 
required curriculum in 2012 and covers proper handling of PII.
    Finally, in August, the agency began including a dedicated block of 
instruction for the new Special Agent Training Classes regarding the 
Release of Information. The class provides an overview of the Privacy 
Act and the Freedom of Information Act, reviews employees' 
responsibilities under those Acts and the consequences for failing to 
fulfill them, and more generally, discusses the proper release and use 
of information employees have access to. A similar block of instruction 
for the Uniformed Division Training Classes was added in November. 
Further, additional training is provided to new hires at Secret Service 
New Employee Orientation.
    Question 4c. Has the Secret Service implemented any additional 
policies and training in response to recent improper and illegal 
accesses?
    Answer. In light of the DHS OIG report of September 25, 2015, and 
subsequent addendum of October 22, 2015, specific guidelines have been 
established and are effective for processing disciplinary and adverse 
actions resulting from the misuse of Secret Service database systems 
and/or the unauthorized disclosure of sensitive information. 
Additionally, and as stated above, in August, the agency began 
including a dedicated block of instruction for the new Special Agent 
Training Classes regarding the Release of Information. The class 
provides an overview of the Privacy Act and the Freedom of Information 
Act, reviews employees' responsibilities under those Acts and the 
consequences for failing to fulfill them, and more generally, discusses 
the proper release and use of information employees have access to. A 
similar block of instruction for the Uniformed Division Training 
Classes was added in November. Further, additional training is provided 
to new hires at Secret Service New Employee Orientation.
           Questions From Chairman Scott Perry for John Roth
    Question 1a. After you issued the management alert on the Chaffetz 
PII incident, Director Clancy contacted your office in order to revise 
his recollection of events. This in turn caused you to reopen the 
investigation and issue an addendum to the original report.
    Has this ever occurred in any of your other reviews?
    Answer. No.
    Question 1b. Based on the conclusions in your addendum, would you 
be comfortable updating the original conclusion in your report that 
indicated Director Clancy was not aware of the improper PII access 
until April 1? If so, when would you say Director Clancy became aware 
of the incident?
    Answer. The addendum serves as an update to the original report, 
and concludes that on March 25, Director Clancy learned from at least 3 
separate sources that Chairman Chaffetz may have applied to the Secret 
Service. We are unable to conclude, because Director Clancy has no 
memory of it, the degree to which he understood how widely the 
information was being disseminated through the Secret Service, or 
whether he understood that the discussion was being fueled and 
confirmed by dozens of agents improperly accessing Secret Service data 
systems.
    Question 1c. Do you have concerns that Director Clancy provided a 
false statement to your investigators when originally interviewed?
    Answer. The earlier statement was inaccurate in that he originally 
stated that he was ``fairly certain'' that he first learned of it on 
April 1, the day before the media reports. We do not have any evidence 
as to his state of mind at the time he made the statement.
    Question 2a. On the OIG website, you list management alerts, which 
are designed to ``inform senior DHS managers of conditions which pose 
an immediate and serious threat of waste, fraud, and abuse in agency 
programs.'' Since July 2014, 5 of the 15 management alerts have 
involved the Secret Service. This is concerning given that the Service 
is significantly smaller than other DHS components.
    How do the USSS misconduct statistics compare to other agencies 
within the Department?
    Question 2b. In your opinion, and experience, do the Secret Service 
misconduct statistics compare to other agencies of comparable size 
across the Federal Government? Is it average, above average, below 
average?
    Answer. We have not done a statistical comparison of misconduct 
allegations and cases between Secret Service and other DHS components 
or other agencies in the Federal Government. Certainly the allegations 
involving the Secret Service that have come to light since the 2012 
events in Cartagena, Colombia are of grave concern and our reviews over 
the past several years point to on-going organizational and management 
challenges. During the current fiscal year, we will continue our 
oversight of the Secret Service, including a review of its 
implementation of the recommendations of the Protective Mission Panel. 
In addition, we intend to evaluate the strength of the Department's 
disciplinary processes. We will focus this review on the depth and 
breadth of employees' perceptions and attitudes about misconduct and 
the application of discipline, DHS's established rules of conduct, and 
the application of discipline across the Department.
     Questions From Ranking Member Bennie G. Thompson for John Roth
    Question 1. Since the Protective Mission Panel, you have had to be 
involved in investigating the Secret Service for personnel misconduct. 
You have also issued two management advisories for the agency in 2015. 
Based on your investigations of the Secret Service, what is the agency 
lacking? What does it need to change?
    Answer. The Secret Service needs to understand the requirements for 
building an ethical culture within their organization, which consists 
of three elements: (1) Leaders (not just the top leader, but all 
through the organization) who create a ``tone at the top'' and 
demonstrate their commitment to an ethical culture by both words and 
deed; (2) a commitment to both the words and the spirit of a meaningful 
code of conduct; and (3) creating a system of accountability for all of 
those in the organization--leaders and the rank and file--who deviate 
from that.
    I believe that the Secret Service needs improvement in all three 
areas. That the leadership has not created the appropriate tone is 
apparent from the significant number of senior leaders and managers who 
did nothing once they found out about the conduct. We also had the 
deputy director of the Secret Service who failed to provide information 
during his initial interview. This sends the message to the rank and 
file that such behavior, notwithstanding a written code of conduct, is 
acceptable. While we are satisfied that the Secret Service has taken 
steps since the Cartagena incident to establish a more uniform 
discipline system, I believe that more could be done to ensure that 
deviations from the code of conduct are addressed.
    Additionally, for an organization to change--and I believe that the 
Secret Service is in great need of change--the individuals within the 
organization must understand that there is a need for change, and 
individuals must be empowered to create that change. I do not see 
within the upper levels of the organization such an understanding. 
Typically, in those circumstances change does not occur until there is 
a disruptive external event that forces the organization to change.
    Question 2. Your office issues management alerts to senior 
leadership of DHS when your office finds conditions that pose a serious 
concern. You have issued management advisories for the Secret Service 
in April 2015 and in October 2015. Your October 2015 management 
advisory actually warns that protectees could be in immediate danger if 
changes are not made. Looking at the Secret Service overall, what does 
it say about the agency to have two management advisories issued in 
such a short period of time?
    Answer. Both management alerts were ultimately caused by Secret 
Service's inability to execute basic management functions in support of 
its mission. The April 2015 alert was the result of not replacing an 
alarm system at a Presidential residence that had been installed in 
1993. We found that the Secret Service did not have a formal system to 
report and track security technical problems, maintenance and repair 
needs, and upgrades. Likewise, we found that the staffing shortages 
that we believe led to the officer fatigue issues were caused by the 
lack of a staffing and hiring plan that first would understand the 
number of personnel needed to staff the White House Complex without a 
reliance on excessive overtime, and second, would ensure the necessary 
administrative infrastructure to be able to efficiently hire to the 
proper level.
    Question 3. In October, you released a management alert after 2 
agents were observed asleep on the job. You cited long overtime hours 
and fatigue as a reason for your concern. The Secret Service publicly 
stated it does not agree with your findings. Please describe how you 
reached your conclusion and what caused your observations to rise to 
the level of an alert.
    Answer. The management alert occurred after we observed agents 
asleep during 2 different site visits, at different locations, weeks 
apart, on July 15 and August 11. As auditors are trained to do, we 
looked to see if there may be a root cause for this. We found that the 
overtime for 1 officer for the previous 8 weeks amounted to 157 hours--
an average of being required to work 60 hours per week for 8 straight 
weeks. The second officer's overtime totaled 73 hours for the previous 
6 weeks, for an average of 52 hours per week.
    We also found that overtime among the Uniform Division has 
substantially increased in the last few years. In fiscal year 2013, it 
averaged 362 hours per position; in fiscal year 2015, it averaged 597.4 
hours per position--a 39% increase in 3 years. We also found that the 
problem was getting worse, not better. The overtime was necessary 
because of a lack of officers; yet, in fiscal year 2015 the Uniform 
Division lost 162 officers through attrition, but managed to hire only 
152--a net loss of 10 officers. Finally, we found that until recently 
the Secret Service had not engaged in a staffing plan or model to 
understand the staffing level it would need to ensure that it did not 
rely on excessive overtime to accomplish its mission.
    Question 4. Does the Management Alert issued by your office 
indicate any connection between these incidents and either absent or 
ineffective Secret Service policies to ensure sustainable staffing 
practices and work-life balance?
    Answer. Yes. As I indicated in the answer to the last question, the 
Uniform Division officers are being asked to take on an unsustainable 
burden. What concerned us is the lack of effective response from the 
Secret Service leadership. The Protective Mission Panel alerted the 
Department to this a year ago, and yet, as evidenced by the failure to 
hire even to the current level of attrition, the Secret Service has not 
responded in a manner that recognizes the severity of the problem. 
Hence, the management alert.
    Question 5. Improving morale at DHS is of particular priority to 
this committee and myself. You state in the management alert that USSS 
reported that ``it recognizes that employee morale suffers when 
decreased staffing levels result in increased overtime and travel 
requirements, and decreased opportunities for training.'' In your time 
investigating the Secret Service, have you observed times where morale 
is in fact impacted? What factors would you say contribute to low 
morale in the Service?
    Answer. There is significantly low morale within the Secret 
Service. As noted in the most recent results of the Federal Employee 
Viewpoint Survey, the Secret Service is second to last. We believe that 
the inability to address the fundamental management issues, including 
outdated technology and insufficient staffing, is a significant driver 
of poor morale.
    Question 6. Based on your investigation, were personnel within the 
Service sufficiently informed of the proper use of USSS computer 
systems and the care needed for sensitive information, whether via 
training, manuals, oral communications, etc.?
    Answer. Yes. Secret Service policies include Information Technology 
Rules of General Behavior that cover employees' use of all Secret 
Service IT systems. The policy requires employees to safeguard 
Sensitive, Classified, and privacy-related information against 
unauthorized disclosure to the public. It further requires that all 
Secret Service personnel acknowledge review and understanding of the 
provisions enumerated in that policy upon entering on duty with the 
Secret Service and annually thereafter. In addition, the Secret 
Service's Table of Penalties includes penalties for unauthorized use of 
a Government computer and disclosure of information in violation of the 
Privacy Act.
    Also applicable to the Secret Service are DHS-wide policies 
contained in the DHS Handbook for Safeguarding Sensitive Personally 
Identifiable Information, which also prohibits all employees from 
browsing files containing Sensitive PII out of curiosity or for 
personal reasons.
    In addition to these policies, the log-on screen for the MCI 
database contained specific warnings that the system could be used for 
authorized Government business only.
    Question 7. You state in your memorandum that although agents were 
trained on use of the system and received yearly refresher trainings, 
it was apparent that many of the agents disregarded that training. What 
did you observe in your investigation that led you to this conclusion?
    Answer. In response to interview questions by OIG agents, many of 
the Secret Service employees who authorized Chairman Chaffetz' MCI 
record without authorization insisted that their actions were 
appropriate. Some acknowledged ignoring the warning banner on the MCI 
logon screen. Others thought that accessing the database, even without 
a legitimate business purpose, was okay because it was ``our 
database.''
    Question 8. Your office only reviewed the MCI system for those 
individuals who accessed Congressman Chaffetz' personal file. 
Therefore, it is possible that other individuals were also searched in 
the database. Based on your review of the system and interviews with 
Service employees, do you believe employees frequently utilized the MCI 
system improperly, in particular to research individuals? If so, how 
frequently do you believe this occurs?
    Answer. Based on our interviews, it appeared that there was a 
casual attitude about the rules regarding the use of the system. This 
was obvious in the number of individuals who conducted improper 
searches of Chairman Chaffetz' name. We found no reason that this did 
not occur before for other individuals.
    Question 9. Based on your experience in accountability and law 
enforcement across the Federal Government, do you have any concerns 
about these employees' status while under adjudication? As DHS 
Inspector General, would you advise Department and Secret Service 
leadership to change policies related to employees subject to 
disciplinary review in any way?
    Answer. The use of paid administrative leave for DHS employees 
facing misconduct investigations and adjudications is a matter 
currently being reviewed by the Government Accountability Office and we 
look forward to reviewing the analysis and recommendations contained in 
its upcoming report.
    We should note that as a general matter, Federal law allows 
agencies to suspend an employee indefinitely without pay if there is 
reasonable cause to believe that a crime has been committed for which a 
term of imprisonment may be imposed. Laws and policies regarding 
employees subject to disciplinary review should ultimately be balanced 
against critical due process safeguards to ensure fairness and 
consistency to the Federal workforce.
          Questions From Chairman James Lankford for John Roth
    Question 1a. During your testimony you indicated that the MCI 
database was unable to audit accesses without a specific program 
written for each search term.
    Since the migration to an updated database system, what audit 
capability and checks (automatic or manual) are now in place?
    Answer. We are currently conducting a technical security assessment 
of the Secret Service's updated database systems that when complete, 
will answer this question. Specifically, our Office of Information 
Technology Audits is reviewing the information systems the Secret 
Service currently uses to store and retrieve data and information 
previously stored in the MCI database. Our assessment is designed: (1) 
To verify that the MCI is in fact no longer in use, (2) identify which 
systems currently house MCI data, (3) determine the level of physical 
and system controls implemented to secure the data from further 
instances of unauthorized access, and (4) identify gaps in the security 
posture. We plan to issue our final report in February 2016, and I look 
forward to discussing our conclusions with you and your staff at that 
time.
    Question 1b. Based on your investigation, would a regularly 
occurring, agency-wide OIG audit of PII searches help change Secret 
Service culture regarding the protection of PII?
    Answer. We believe that the best way to prevent future activity of 
the type we saw here would be for Secret Service to focus to a greater 
degree on its information security program. Modern data systems with 
appropriate audit and access controls, when coupled with appropriate 
agency processes, policies, and procedures, would prevent unauthorized 
access to information. Every year, we audit, pursuant to the Federal 
Information Security Act (FISMA), DHS' information systems. FISMA 
requires IGs to perform evaluations of Departmental implementation of 
the 11 program-level security authorization activities. DHS OIG 
performs tests to determine how the Department's components are 
implementing these activities.
    From fiscal year 2013 to the present, Secret Service has done 
poorly on these FISMA reviews compared with other DHS components. For 
example, as of September 2015, USSS failed to meet the Department's 
``security authorizations'' target of 100% for ``high value assets'' 
and 95% for ``all other FISMA systems'' as USSS only scored 75% and 58% 
respectively. In addition, USSS only scored 38% in ``weakness 
remediation,'' where the Department's target was 90%.
    We believe that focusing on modernizing and securing Secret Service 
data systems, in combination with training and other efforts to create 
an ethical culture (such as a uniformly administered system for dealing 
with deviations from a defined standard of conduct) are the best way to 
change the culture with regard to the use of PII.
    Question 1c. Based on your investigation, what recommendations 
would you make to change Secret Service culture regarding PII?
    Answer. As noted in the above question, the systems that the Secret 
Service uses to store PII must have audit and access controls that help 
ensure the security and confidentiality of Privacy Act-protected 
records. Training about PII and its appropriate handling and 
safeguarding should be reinforced and reemphasized. Ultimately, change 
will come when management does not tolerate the deliberate or grossly 
negligent mishandling of PII and employees who violate Department and 
Secret Service policies and/or the Privacy Act face disciplinary 
consequences for their actions.
    Question 2a. Your testimony reflects that agents seemed to consider 
personal data on Secret Service databases as theirs to access as they 
pleased.
    What training policy updates have been or should be made to correct 
this mindset reflected in your investigation?
    Answer. Our investigation did not determine what changes, if any, 
Secret Service has made to their training policies as a result of this 
incident. Our next FISMA audit will determine the overall level of 
training Secret Service personnel receive.
    Question 3a. The September 2015 Department of Homeland Security 
(DHS) Office of the Inspector General (OIG) report titled 
``Investigation into the Improper Access and Distribution of 
Information Contained Within a Secret Service Data System'' did not 
audit the 45 Secret Service employees for unauthorized access of 
personally identifiable information on the agency's databases prior to 
the Congressman Chaffetz matter starting on March 25, 2015.
    Should DHS OIG conduct additional audits of these 45 Secret Service 
employees for unauthorized accesses prior to this date?
    Answer. We share the concern that it is possible that these 
specific employees mishandled or accessed files without authorization 
prior to this specific investigation--whether related to Chairman 
Chaffetz or others. Due to the technical limitations of the MCI 
database, it would be nearly impossible for us to conduct additional 
audits of these 45 employees. Moreover, according to the Secret 
Service, the MCI mainframe has been disassembled as of September 2015 
so it is unclear whether additional audits can be performed on the 
system.
            Question From Chairman Ron Johnson for John Roth
    Question. The DHS OIG concluded that 4 of the 45 Secret Service 
employees that accessed the PII information of Congressman Chaffetz 
were authorized to do so. What was the criterion for determining if the 
Secret Service employee that accessed the information of Congressman 
Chaffetz in the MCI database was authorized or unauthorized?
    Answer. To determine whether Secret Service employees were 
authorized or unauthorized to access Chairman Chaffetz' information in 
the MCI database, we analyzed whether they had an official purpose to 
access the record. Officials who examined the record in connection with 
the performance of assigned duties and who had to access the record in 
order to perform those assigned duties properly were considered 
authorized.
    For example, employees at a specific field office received a press 
inquiry as to whether Chairman Chaffetz had applied to that office. 
While the office appropriately declined to comment to the press, as 
part of their due diligence, they accessed the system to determine 
whether it was true. Likewise, one employee in headquarters was 
directed by his superior to do so, as part of deciding what management 
steps to take.
    However, a number of supervisors accessed the information, 
purportedly to determine whether the talk about Chairman Chaffetz was 
true. Accessing the record in that circumstance was inappropriate and 
not in connection with an official purpose because the truth or falsity 
of the information was irrelevant to directing their subordinates to 
use Secret Service data systems only for official Government purposes, 
and not to satisfy personal curiosity. This was especially the case 
since, with a few narrow exceptions, these supervisors did nothing with 
this information, such as reporting it up the chain to their superiors.
       Question From Chairman Scott Perry for Joel C. Willemssen
    Question. Based on your expertise and what you have heard today, 
how can agencies, and specifically DHS and the Secret Service, ensure 
they have the proper internal security controls so that only the right 
employees, with a need to know, can access sensitive information such 
as PII?
    Answer. Agencies first need to establish and communicate policies 
for collecting, storing, accessing, using, and retaining personally 
identifiable information (PII)\1\ and other sensitive information. The 
policies should state when it is appropriate to access such 
information, when it is not, and the consequences for willful 
noncompliance. In addition, managers, supervisors, and employees should 
be informed and trained regarding their respective responsibilities for 
safeguarding PII.
---------------------------------------------------------------------------
    \1\ PII is any information that can be used to distinguish or trace 
an individual's identity, such as name, date and place of birth, Social 
Security number, or other types of personal information that can be 
linked to an individual, such as medical, educational, financial, and 
employment information.
---------------------------------------------------------------------------
    In addition, agencies, including the Department of Homeland 
Security (DHS) and the Secret Service, can implement several protective 
measures to control access to PII and other sensitive information. As 
we reported in September 2015,\2\ access controls limit, prevent, or 
detect inappropriate access to computer resources, including PII and 
other sensitive information, thereby protecting them from unauthorized 
use, modification, disclosure, and loss. These controls include 
ensuring that only personnel with a need to know are authorized access 
to sensitive information. Agencies implement authorization controls by, 
for example, uniquely identifying all users, periodically reviewing 
system access, disabling accounts of users who no longer need access, 
and assigning the lowest level of permission necessary for a task.
---------------------------------------------------------------------------
    \2\ GAO, Federal Information Security: Agencies Need to Correct 
Weaknesses and Fully Implement Security Programs, GAO-15-714 
(Washington, DC: Sept. 29, 2015).
---------------------------------------------------------------------------
    Agencies should also implement audit and monitoring controls, which 
establish individual accountability, monitor compliance with security 
policies, and investigate security violations. These controls help 
determine what, when, and by whom specific actions have been taken on a 
system and can be used to monitor users' access of sensitive 
information, including PII. To implement controls for monitoring 
access, agencies can install software that provides an audit trail or 
logs of system activity that can be used to determine the source of an 
action or activity.
Questions From Ranking Member Bennie G. Thompson for Joel C. Willemssen
    Question 1. GAO's September 2015 report on information security 
speaks directly to weaknesses in limiting, preventing, and detecting 
inappropriate access to computer resources. Please provide us with 
examples of what other Federal agencies are doing to better monitor 
inappropriate internal data access.
    Answer. As we reported,\3\ agencies can monitor inappropriate data 
access by implementing audit and monitoring controls. These controls 
establish individual accountability, monitor compliance with security 
policies, and investigate security violations. Audit and monitoring 
controls help determine what, when, and by whom specific actions have 
been taken on a system and can be used to monitor users' access to 
sensitive information such as PII. In March 2015, we reported \4\ that 
the Internal Revenue Service (IRS) continued to enhance its audit and 
monitoring capability. Specifically, IRS had strengthened the audit and 
monitoring processes of its mainframe by enabling the monitoring of 
changes to certain controls over the management of data.
---------------------------------------------------------------------------
    \3\ GAO-15-714.
    \4\ GAO, Information Security: IRS Needs to Continue to Improve 
Controls over Financial and Taxpayer Data, GAO-15-337 (Washington, DC: 
Mar. 19, 2015).
---------------------------------------------------------------------------
    In addition, the Treasury Inspector General for Tax Administration 
(TIGTA) monitors access and refers instances of willful unauthorized 
inspection of taxpayer data for administrative actions or prosecution. 
For example, according to TIGTA, for fiscal years 2014 and 2015, its 
Office of Investigations successfully prosecuted 15 investigations. 
Seven of the 15 were for violating the Taxpayer Browsing Protection Act 
of 1997.\5\ The remaining 8 were prosecuted for unauthorized access 
related to the use of a Government computer.
---------------------------------------------------------------------------
    \5\ The Taxpayer Browsing Protection Act was enacted on August 5, 
1997, and made willful unauthorized inspection of taxpayer data 
illegal. Pub. L. 105-35, 111 Stat. 1104 (1997).
---------------------------------------------------------------------------
    Question 2. Your September 2015 report lists 5 different areas of 
potential weaknesses in agency compliance: Did GAO's analysis find 
weaknesses in compliance by DHS in any of these 5 areas, and if so, 
which one(s)?
    Answer. Yes, our analysis of agency, inspector general, and our 
reports identified weaknesses at DHS for all 5 areas. These areas 
included controls intended to: (1) Limit unauthorized access to agency 
systems and information; (2) ensure that software and hardware are 
authorized, updated, monitored, and securely configured; (3) 
appropriately divide duties so that no single person can control all 
aspects of a computer-related operation; (4) establish plans for 
continuing information system operations in the event of a disaster, 
and (5) provide a security management framework for understanding risks 
and ensuring that controls are selected, implemented, and operating as 
intended.
    Question 3. Earlier this year, GAO released a report stating that 
OMB, in consultation with DHS, should enhance its security program 
reporting guidance and located information security weaknesses. Speak 
to your findings as they relate to this particular data leak. What 
improvements should DHS, and in particular the Secret Service, 
implement in areas of access control, segregation of duties, and 
security management?
    Answer. Our findings do not specifically address the incident that 
occurred at the Secret Service. However, the Federal Information 
Security Modernization Act of 2014 (FISMA)\6\ now requires OMB to 
include in its annual report to Congress a summary of major agency 
information security incidents, such as the incident at the Secret 
Service.
---------------------------------------------------------------------------
    \6\ The Federal Information Security Modernization Act of 2014 was 
enacted as Pub. L. No. 113-283 (Dec. 18, 2014). FISMA 2014 largely 
supersedes the very similar Federal Information Security Management Act 
of 2002 (FISMA 2002), Pub. L. No. 107-347, Title III (Dec. 17, 2002), 
and expands the role and responsibilities of the Department of Homeland 
Security, but retains many of the requirements for Federal agencies' 
information security programs previously set by the 2002 law.
---------------------------------------------------------------------------
    In September 2015, we reported \7\ on the adequacy of the 
information security policies and practices of the 24 agencies covered 
by the Chief Financial Officers (CFO) Act of 1990.\8\ Like most other 
agencies, DHS had weaknesses in each of the 5 control areas we track, 
including access controls, segregation of duties, and security 
management.
---------------------------------------------------------------------------
    \7\ GAO-15-714.
    \8\ The 24 Chief Financial Officers Act agencies are the 
Departments of Agriculture, Commerce, Defense, Education, Energy, 
Health and Human Services, Homeland Security, Housing and Urban 
Development, the Interior, Justice, Labor, State, Transportation, the 
Treasury, and Veterans Affairs; the Environmental Protection Agency; 
General Services Administration; National Aeronautics and Space 
Administration; National Science Foundation; Nuclear Regulatory 
Commission; Office of Personnel Management; Small Business 
Administration; Social Security Administration; and the U.S. Agency for 
International Development.
---------------------------------------------------------------------------
    To improve their access controls, DHS and the Secret Service should 
ensure the enforcement of the principle of ``least privilege,'' where 
employees are granted the minimum level of access necessary to perform 
their duties. DHS and the Secret Service should also ensure that 
incompatible duties are separated and that employees understand their 
responsibilities. Separation of duties can be implemented through 
formal operating procedures, supervision, and reviewing access 
authorizations, among other things.
    To improve security management activities, both DHS and the Secret 
Service should ensure that they fully implement entity-wide information 
security programs so that risks are understood and that effective 
controls are selected, implemented, and operating as intended.
    Question 4. Can you confirm that given the scope of GAO's 
engagement, analysts collected information with regard to information-
security compliance by the Department of Homeland Security overall, and 
did not collect any information with regard to Secret Service practices 
specifically?
    Answer. As part of our audit of Federal agencies' implementation of 
the provisions of FISMA, we collected information on the information 
security efforts of the 24 Federal agencies covered by the CFO Act, 
including DHS. However, we did not collect or receive any information 
regarding specific security practices at the Secret Service.
    Question 5. Does it seem reasonable to you to conclude that Secret 
Service faces some of the management challenges highlighted in the 
latest High-Risk Update, and that leaders of the Secret Service must 
demonstrate the ``continued perseverance'' in improving agency 
management culture that the Comptroller General calls for in the 
Update?
    Answer. Yes, it would be reasonable to conclude that the Secret 
Service faces some of the same management challenges. For example, in 
the most recent update to our High-Risk series \9\ we lauded DHS's 
progress in strengthening its management functions, but concluded that 
the Department still faces significant management challenges. Such 
challenges include improving employee morale, a challenge that the 
Secret Service could also face with its employees.
---------------------------------------------------------------------------
    \9\ GAO, High-Risk Series: An Update, GAO-15-290 (Washington, DC: 
Feb. 11, 2015).
---------------------------------------------------------------------------
    For example, according to the Partnership for Public Service's 2015 
rankings of the Best Places to Work in the Federal Government, the 
Secret Service ranked 319 of 320 agency subcomponents Government-wide. 
Additionally, according to the Partnership for Public Service's analysis 
of Federal Employee Viewpoint Survey data, employee satisfaction and 
commitment among Secret Service employees consistently declined from 
fiscal year 2011 through fiscal year 2015.
    Question 6. In your testimony, you state that this particular 
improper data access is the most common among agencies--too many 
individuals having access to a broad range of data unrelated to their 
job responsibilities. What solutions are available to fix this broad 
information access and better monitor employees' use of data systems?
    Answer. In September 2015, we reported \10\ that 22 of the 24 CFO 
Act agencies had weaknesses with limiting, preventing, and detecting 
unauthorized access to agency systems and information. Specifically, 18 
agencies had weaknesses in controls that are intended to limit user 
access to only that necessary for performing their work. When granting 
access to users, agencies should provide only the minimum access 
necessary for performing their duties. In addition, agencies should 
implement audit and monitoring controls to monitor users' access of 
sensitive information such as PII. These controls can help determine 
what, when, and by whom specific actions have been taken on a system.
---------------------------------------------------------------------------
    \10\ GAO-15-714.
---------------------------------------------------------------------------
     Questions From Chairman James Lankford for Joel C. Willemssen
    Question 1a. Your testimony reflects that the Social Security 
Agency has personal identifying information (PII) on nearly every U.S. 
citizen, and that agencies such as the VA, Department of Education, and 
CFPB also house substantial amounts of PII.
    What are the most effective means for auditing employee access of 
PII at these agencies?
    Answer. As we reported in September 2015,\11\ agencies should use 
audit and monitoring controls to establish individual accountability, 
monitor compliance with security policies, and investigate security 
violations. These controls help determine what, when, and by whom 
specific actions have been taken on a system and can be used to monitor 
users' access of sensitive information, such as personally identifiable 
information (PII).\12\
---------------------------------------------------------------------------
    \11\ GAO, Federal Information Security: Agencies Need to Correct 
Weaknesses and Fully Implement Security Programs, GAO-15-714 
(Washington, DC: Sept. 29, 2015).
    \12\ PII is any information that can be used to distinguish or 
trace an individual's identity, such as name, date and place of birth, 
Social Security number, or other types of personal information that can 
be linked to an individual, such as medical, educational, financial, 
and employment information.
---------------------------------------------------------------------------
    To monitor users' access and actions, agencies can install software 
that provides an audit trail or logs of system activity that can be 
used to determine the source of an action or activity. Agencies can 
also monitor users' access by implementing other technologies such as 
network- and host-based intrusion detection systems, security event 
correlation tools, and computer forensics. Network-based intrusion 
detection systems capture or ``sniff'' and analyze network traffic in 
various parts of a network.
    Question 1b. Which Government-wide, unimplemented GAO 
recommendations concerning PII protection should be put into place 
first?
    Answer. We currently have 1 Government-wide PII-related 
recommendation whose implementation status we are evaluating. This 
recommendation was made to the Office of Management and Budget (OMB) in 
our 2013 report \13\ regarding our finding that the 8 agencies we 
reviewed had inconsistently implemented data breach policies and 
procedures. We recommended that, to improve the consistency and 
effectiveness of Government-wide data breach response programs, OMB 
should update its guidance on Federal agencies' responses to PII-
related data breaches. OMB neither agreed nor disagreed with our 
recommendation.
---------------------------------------------------------------------------
    \13\ GAO, Information Security: Agency Responses to Breaches of 
Personally Identifiable Information Need to Be More Consistent, 
GAO-14-34 (Washington, DC: Dec. 9, 2013).
---------------------------------------------------------------------------
    According to OMB, it has set a date of March 16, 2016, for updating 
its PII protection guidance to reflect current best practices and 
recent lessons learned regarding privacy protections and data breach 
standards.
    Question 2a. You testified that it was perplexing to you why the 
Secret Service would still have PII information on Congressman Chaffetz 
from 2003, given the National Archives and Records Administration 
(NARA) requirement to properly dispose of such information once it is 
no longer needed.
    How well are agencies complying with the NARA requirements to 
dispose or archive personal information once it is no longer needed?
    Answer. We have not performed work specifically addressing the 
extent to which agencies are complying with the National Archives and 
Records Administration's (NARA) requirements for disposing or archiving 
personnel information that is no longer needed. However, in May 2015, 
we reported that Federal agencies took actions toward implementing 
requirements set forth in a NARA and OMB joint directive on managing 
Government records.\14\ To illustrate:
---------------------------------------------------------------------------
    \14\ GAO, Information Management: Additional Actions Are Needed to 
Meet Requirements of the Managing Government Records Directive, 
GAO-15-339 (Washington, DC: May 14, 2015).
---------------------------------------------------------------------------
   Twenty-three of the 24 Federal agencies we reviewed 
        implemented the requirement to develop and begin implementing 
        plans to manage all permanent records in an electronic format.
   Twenty-one of these 24 agencies implemented the requirement 
        to identify for transfer and reporting those permanent records 
        in existence for more than 30 years.
   Twenty of the 24 agencies implemented the requirement to 
        identify all unscheduled records that have not been properly 
        scheduled.\15\
---------------------------------------------------------------------------
    \15\ Scheduling is the means by which agencies identify Federal 
records, determine time frames for their disposition, and identify 
permanent records of historical value that are to be transferred to 
NARA for preservation and archiving. Unscheduled records are those 
records that have not had their value assessed or their disposition 
determined.
---------------------------------------------------------------------------
    Nevertheless, 5 agencies we reviewed did not fully meet those 
requirements, and we recommended that they and NARA take certain 
corrective actions. We did not make any recommendations to the 
Department of Homeland Security (DHS).
    Question 3a. Under the Federal Information Security Modernization 
Act of 2014 (FISMA) the Office of Management and Budget (OMB) is 
required to maintain oversight responsibilities of Federal information 
security programs and ensure minimum security requirements for 
Government-wide information security programs and practices.
    What is your assessment of OMB's fulfillment of these 
responsibilities over the last several years?
    Answer. During the 12 years from when the Federal Information 
Security Management Act of 2002 (FISMA 2002) was enacted into law to 
when it was largely replaced by FISMA 2014,\16\ Executive branch 
oversight of agency information security has evolved. As part of its 
FISMA 2002 oversight responsibilities, OMB issued annual instructions 
for agencies and inspectors general to meet FISMA 2002 reporting 
requirements. During that time we made recommendations to OMB for 
improving its oversight of agencies' security programs. For example, in 
2013 we recommended \17\ that OMB and DHS provide insight into 
agencies' security programs by developing additional metrics for key 
security areas such as those for periodically assessing risk and 
developing subordinate security plans. We also recommended that metrics 
for FISMA reporting be developed to allow inspectors general to report 
on the effectiveness of agencies' information security programs. OMB 
generally agreed with our recommendations. DHS also agreed with our 
recommendations and identified the actions it had taken or planned to 
take to address them.
---------------------------------------------------------------------------
    \16\ The Federal Information Security Modernization Act of 2014 was 
enacted as Pub. L. No. 113-283 (Dec. 18, 2014). FISMA 2014 largely 
supersedes the very similar Federal Information Security Management Act 
of 2002 (FISMA 2002), Pub. L. No. 107-347, Title III (Dec. 17, 2002), 
and expands the role and responsibilities of the Department of Homeland 
Security, but retains many of the requirements for Federal agencies' 
information security programs previously set by the 2002 law.
    \17\ GAO, Federal Information Security: Mixed Progress in 
Implementing Program Components; Improved Metrics Needed to Measure 
Effectiveness, GAO-13-776 (Washington, DC: Sept. 26, 2013).
---------------------------------------------------------------------------
    In February 2013, we reported \18\ that when OMB transferred 
several of its oversight responsibilities to DHS through a joint 
memorandum,\19\ it was not clear how the two organizations would share 
these responsibilities. In that report, we suggested that Congress 
consider legislation to better define roles and responsibilities for 
implementing and overseeing Federal information security programs. In 
December 2014, Congress passed FISMA 2014 to improve cybersecurity and 
clarify cybersecurity oversight roles and responsibilities, among other 
things.
---------------------------------------------------------------------------
    \18\ GAO, Cybersecurity: National Strategy, Roles, and 
Responsibilities Need to Be Better Defined and More Effectively 
Implemented, GAO-13-187 (Washington, DC: Feb. 14, 2013).
    \19\ OMB, Memorandum M-10-28, Clarifying Cybersecurity 
Responsibilities and Activities of the Executive Office of the 
President and the Department of Homeland Security (Washington, DC: July 
6, 2010).
---------------------------------------------------------------------------
    FISMA 2014 is intended to address the increasing sophistication of 
cybersecurity attacks, promote the use of automated security tools with 
the ability to continuously monitor and diagnose the security posture 
of Federal agencies, and provide for improved oversight of Federal 
agencies' information security programs. The act also clarifies and 
assigns additional responsibilities to OMB, DHS, and Federal Executive 
branch agencies.
    In carrying out its FISMA responsibilities, OMB has increased its 
efforts to oversee agencies' implementation of information security. 
For example, OMB created the Cyber and National Security Team, called 
the E-Gov Cyber Unit, to strengthen Federal cybersecurity through 
targeted oversight and policy issuance. In September 2015, we reported 
that OMB, along with DHS, had increased oversight and assistance to 
Federal agencies in implementing and reporting on information security 
programs.\20\
---------------------------------------------------------------------------
    \20\ GAO-15-714.
---------------------------------------------------------------------------
    In June 2015, in response to the Office of Personnel Management 
security breaches and to protect Federal systems from emerging threats, 
the Federal Chief Information Officer launched a 30-day Cybersecurity 
Sprint.\21\ As part of this effort, the Federal Chief Information 
Officer instructed Federal agencies to immediately take a number of 
steps to further protect Federal information and assets and to improve 
the resilience of Federal networks.
---------------------------------------------------------------------------
    \21\ In June 2015, the Federal Chief Information Officer launched 
the 30-day Cybersecurity Sprint, during which agencies were to take 
immediate actions to combat cyber threats within 30 days. Actions 
included patching critical vulnerabilities, tightening policies and 
practices for privileged users, and accelerating the implementation of 
multi-factor authentication.
---------------------------------------------------------------------------
    Most recently, in October 2015, OMB issued a cybersecurity strategy 
implementation plan that is intended to strengthen Federal civilian 
agencies' cybersecurity.\22\ The plan is to address Government-wide 
cybersecurity gaps through five objectives: (1) Prioritized 
identification and protection of high-value information and assets; (2) 
timely detection of and rapid response to cyber incidents; (3) rapid 
recovery from incidents when they occur and accelerated adoption of 
lessons learned from the Cybersecurity Sprint assessment; (4) 
recruitment and retention of the most highly-qualified cybersecurity 
workforce; and (5) efficient and effective acquisition and deployment 
of existing and emerging technology. The plan addresses our 
recommendation that the White House develop an overarching strategy for 
improving cybersecurity.\23\
---------------------------------------------------------------------------
    \22\ OMB, Memorandum M-16-04, Cybersecurity Strategy and 
Implementation Plan for the Federal Civilian Government (Washington, 
DC: Oct. 30, 2015).
    \23\ GAO, Cybersecurity: National Strategy, Roles, and 
Responsibilities Need to Be Better-Defined and More Effectively 
Implemented, GAO-13-187 (Washington, DC: Feb. 14, 2013).
---------------------------------------------------------------------------
    Question 3b. What GAO findings regarding OMB's oversight of 
Government-wide information security programs demonstrate the greatest 
risks for exposure of PII?
    Answer. As previously mentioned, we reported \24\ that the 8 
Federal agencies we reviewed generally developed, but inconsistently 
implemented, policies and procedures for responding to data breaches 
involving PII that addressed key practices specified by OMB and the 
National Institute of Standards and Technology. We attributed agencies' 
inconsistent implementation of data breach policies and procedures to 
incomplete guidance from OMB.
---------------------------------------------------------------------------
    \24\ GAO-14-34.
---------------------------------------------------------------------------
    Also, in 2012, we reiterated \25\ our previous finding reported in 
2008 \26\ that while the Privacy Act, the E-Government Act, and related 
OMB guidance set minimum requirements for agencies, such laws and 
guidance may not consistently protect PII in all circumstances of its 
collection and use throughout the Federal Government and may not fully 
adhere to key privacy principles. We stressed that unilateral action by 
OMB might not be the best way to strike an appropriate balance between 
the Government's need to collect, process, and share personally 
identifiable information and the rights of individuals to know about 
such collections and be assured that they are only for limited purposes 
and uses. We suggested that Congress consider amending applicable laws 
such as the Privacy Act and E-Government Act by:
---------------------------------------------------------------------------
    \25\ GAO, Privacy: Federal Law Should Be Updated to Address 
Changing Technology Landscape, GAO-12-961T (Washington, DC: July 31, 
2012).
    \26\ GAO, Privacy: Alternatives Exist for Enhancing Protection of 
Personally Identifiable Information, GAO-08-536 (Washington, DC: May 
19, 2008).
---------------------------------------------------------------------------
   revising the scope of the laws to cover all PII collected, 
        used, and maintained by the Federal Government;
   setting requirements to ensure that the collection and use 
        of personally identifiable information is limited to a stated 
        purpose; and
   establishing additional mechanisms for informing the public 
        about privacy protections by revising requirements for the 
        structure and publication of public notices.

                                 [all]