Posted on 01/20/2016 1:04:37 PM PST by UMCRevMom@aol.com
(Washington, DC) - Judicial Watch today released over 1,000 pages of new documents that show federal health care officials knew that the Obamacare website, when it launched in 2013, did not have the required "authorization to operate" (ATO) from agency information security officials.
These documents, obtained from the U.S. Department of Health and Human Services (HHS), come in two productions of records: a 143-page production and an 886-page production. The email records reveal that HHS officials had significant concerns about the security of the Healthcare.gov site leading up to its October 1, 2013, launch.
Judicial Watch obtained the HHS documents in response to a court order in a Freedom of Information Act (FOIA) lawsuit (Judicial Watch v. U.S. Department of Health and Human Services (No. 1:14-cv-00430)). The lawsuit was filed in March 2014, after HHS failed to respond to a December 20, 2013, FOIA request seeking the following information:
All records related to the security of the healthcare.gov web portal including, but not limited to, studies, memoranda, correspondence, electronic communications (e-mails), and slide presentations from January 1, 2012 to the present.
On September 21, 2013, 10 days before the launch of the Obamacare website, Centers for Medicare and Medicaid Services (CMS) Information Security Officer Tom Schankweiler discussed with Deputy Chief Information Officer Henry Chao 17 initial "moderate" security issues findings and two "high" security issues. Two high findings and 3 moderate findings were resolved, according to the documents. The emails also show that a separate security analysis found 17 "high" security issues, prompting Chao to ask, "What are we actually signing off on?" Schankweiler responded that the numerous security issues resulted in CMS Security Officer Teresa Fryer's refusing to approve the "ATO" (Authorization to Operate), something he indicated he found out belatedly.
The documents also show that on September 30, 2013, the day before the website launch, Blue Canopy, a contractor that was testing the security of the Healthcare.gov system, reported that the "parsing engine did not properly handle specially crafted messages." The vendor added, "As a result, consumption of these messages would cause the service to crash."
Over six weeks later, in a November 6, 2013, email to colleagues, George Linares, the acting chief technology officer of CMS, said that Healthcare.gov "is operating without an ATO [Authorization to Operate]." Further, he added, "Operating without an ATO is a serious issue and it represents a high risk to the agency."
In a separate November 6, 2013, memo sent a month after the initial website launch, as HHS prepared for a relaunch, CMS security testing contractor Adam Willard warned CGI Federal programmer Balaji Ramamoorthy, "it is possible for anyone to run a brute force [attack] against Healthcare.gov to obtain the results of their eligibility." (CGI was the Canadian IT contractor hired by CMS to oversee most of the Healthcare.gov website development. The Obama administration announced in January 2014 that it was replacing CGI Federal and hiring Accenture at a cost of $90 million.)
Perhaps the most telling indications of Schankweiler’s serious misgivings about the security of the Obamacare website, even after its launch, were the HHS roll call manifests providing information about attendance and actions at meetings to discuss whether to proceed with a relaunch of the site. Schankweiler did not attend a November 2013 meeting to discuss deployment of a new version of Healthcare.gov and did not send a representative in his place. As he was not present, Schankweiler, representing "Security", is listed as the only official not voting to approve the Healthcare.gov "promotion" or relaunch.
On November 26, Schankweiler reiterated pressing security issues to CMS official Todd Couts: "I would like to escalate this ticket to high risk on the defect list. I know that a bunch of security risk have recently appeared on the list, but I wanted to let you know this one is considered a high priority."
This Judicial Watch FOIA litigation previously uncovered that top CMS officials knew of massive security risks with Healthcare.gov before its launch and deliberately chose to roll out the website without resolving the problems. Judicial Watch also released "Sensitive Information - Special Handling" memos sent from CMS to Mitre Corporation, the Healthcare.gov security testing company, in which CMS rated "political ... damage" and "public embarrassment to CMS" as factors in defining "Risk Rating" priorities. Judicial Watch also uncovered the previously secret involvement of the Department of Homeland Security in the Obamacare site and how the Obama White House further weakened privacy protections of Healthcare information on the Healthcare.gov website.
"No wonder it took a federal court order to force out these new Obamacare scandal documents. The documents show the Obama administration cast aside the rules and knowingly allowed its Obamacare web site to put the most private health care information of millions of Americans at risk," said Judicial Watch President Tom Fitton.
"The Obama administration is prosecuting private companies for the same security lapses it knowingly allowed with its own Healthcare.gov. Will Justice Department prosecutors now investigate the Obamacare website security scandal? In the meantime, Americans should be warned about the high risk of using Healthcare.gov."
Should we be surprised?
So, that is to say that the Executive branch ignored the process of executing the law?
Horrors!
Hillary and Bernie were both praising the ACA the other night.
Has America had enough of DNC shenanigans yet? Well, 47% or so can’t figure it out. Duuuuuuuuuuuuuuuuuuh
Unless I’m surprised by an obvious conclusion. What would surprise me is if anyone is held accountable above grunt level.
And they called Reagan the Teflon President. Geez...
I’m shocked too!
Truly shocked! /sarc
(Unless I’m surprised by an obvious conclusion. What would surprise me is if anyone is held accountable above grunt level.)
You won’t be surprised on accountable either, but you already know it.
The fact it did means someone high up overrode the entire Certification process.
This is huge.
I know a lot about this. OCISO requires the following: You need an approved BSI (Business Systems Information), a proper ASA (Annual Self-Assessment, even for a new App), a PIA (Privacy Information Assessment), and a Security Controls document -- and the current version, V 4.0, is 165 pages! THAT gets you an ATO.
This is a complete fustercluck.
HOLY CRUD.
TWO "HIGHS" and SEVENTEEN "MEDIUMS"?
I could never get an appscan with even a single "medium" if I hoped to deploy.
This is EXACTLY what I have been doing for a living since 2009. This is incredible. See my above.
Oh, I forgot: Also, a C&A was required, which had to be approved by the ISSO (Information Systems Security Officer).
LAZ: I’m really impressed with what you wrote about the OCISO et al. I read all your comments and didn’t understand a single word but I got the baseline, namely that Obama completely disregarded safeguard protocols and procedures.
It wasn’t just a fustercluck. It was a GeorgeCusterfustercluck. Or, as Crazy Horse said to General Custer, welcome to Little Big Horn. We have cookies.
Someone high-grade had to approve this.
Someone way above the position of ISSO (Information Systems Security Officer).
Someone in the Office of Computer Information Security Operations (OCISO).
HHS falls under OCISO’s rules. Not sure about other Fed Agencies, but I know for a fact HHS does.
Just like Matt is an authority on Cross Border Authority and Benghazi, and the rules surrounding the Iranian boat hijacking, so am I an authority in this topic.
This is just as huge as Benghazi and the Iranian boat incident.
That is where this whole thing will unravel.
JR, read backwards. I was in this world, intimately, until recently.
HHS and Sebelius. Two disasters that happened.
Thanks for giving us a unique insight into the order of security authority.
Keep us informed because few others can or will do it with your experience and observations.
Judicial Watch has found a way to take down a career bureaucrat who did the bidding of the 0bama Administration.
Might be the first domino to fall.