The chief official responsible for managing the trouble-plagued HealthCare.gov website project says he was unaware of a memo that outlined several potentially significant security issues before he’d signed off on the recommendation for the website’s launch.
The House Oversight and Reform Committee interviewed Henry Chao, CMS’s top operational official for the project, on November 1st in a closed-door session. Late Monday, the committee released the following statement and several documents from that interview.
Henry Chao, the Deputy Chief Information Officer and Deputy Director of the Office of Information Services at the Centers for Medicare and Medicaid Services (CMS), testified during a November 1 transcribed interview with Committee investigators that he was surprised he was never made aware of a September 3, 2013, memo outlining serious security vulnerabilities present in the Federal Facilitated Marketplaces (the “exchange”). Chao, CMS’s top operational official for the Federal exchange, testified he found it “disturbing” that he had been excluded from a memo about significant problems with security.
The September 3, 2013, memo that Chao testified he had previously never seen was authored by CMS Chief Information Officer Tony Trenkle. The memo noted six security problems, two of which were described as “open high findings.”
Chao initially expressed disbelief when first shown the memo during his transcribed interview. In reviewing the memo, Chao agreed that one finding “presented a significant risk to the system” and did not know if it had been corrected.
The statement is followed by several excerpts from the interview, which reveal that “lines of communication about security issues prior to launch may not have been working properly.”
Chao concedes in the interview that it was possible he was simply left off the particular memo in question as an oversight. But he expressed concern about having not seen the memo and surprise that the Chief Information Security Officer (CISO) would have him recommend the site’s launch without having made him aware of the information.
Specific references to the noted security risks are redacted in the documents for security purposes, so it’s difficult to determine what the impact to the website may or may not have been.
Last week it was reported that Trenkle will be stepping down on November 15th to take a position in the private sector.
According to The Hill, the noted security issues are related to website functionality that isn’t yet active. The House committee’s press release sparked some harsh criticism from a Democratic staffer.
A Democratic Oversight committee staffer said the security issue relates to a function of the website that isn’t currently active and won’t be until early next year.
“It’s hard to understand why anyone would trust the accuracy of Chairman Issa’s press releases when they consistently distort and manipulate the truth,” the staffer said. “The Chairman’s staff basically sandbagged this witness with a document he had never seen before and then failed to inform him that it has nothing to do with parts of the website that launched on October 1.”
“Rather than seeking out the truth, this press release tries to scare the public by capitalizing on confusion caused by the Chairman’s own staff,” the staffer added.
Security has continued to be a primary topic of concern and a point of focus in recent hearings on the website’s rollout.
Previously it was reported that all of the security controls for the HealthCare.gov website had not been tested in one complete version of the system prior to its launch, prompting a risk mitigation addition that included continued monitoring and testing to occur after the launch.
Last week, Heritage reported the instance of a healthcare.gov user who logged onto the system and was presented with an insurance eligibility letter for a total stranger.
Chao is one of several officials scheduled to testify before the House Oversight and Reform Committee in a hearing on the Rollout of HealthCare.gov on Wednesday.