Officials launched healthcare.gov despite a warning from a top cybersecurity official that it wasn't ready, the House Oversight and Government Reform Committee revealed Friday.
Teresa Fryer, the chief information security officer at the Centers for Medicare and Medicaid Services, told the committee about "high findings" from rounds of security testing prior to the site's Oct. 1 launch. She did not go into detail about what the two "high findings" were, but CMS considered them an “exploitation of the technical or procedural vulnerability [that would] cause substantial harm to CMS business processes. Significant political, financial, and legal damage is likely to result.”
In response to questions by committee investigators, Fryer confirmed that she did not agree with the decision by other CMS officials on the "authority to operate" — or launch — the site Oct. 1.
Henry Chao, the deputy chief information officer at CMS and day-to-day manager of the Obamacare exchanges' development, repeatedly told Congress on Nov. 13 that the lack of specific "high findings" in security testing prior to Oct. 1 was critical in officials decision to green-light the site launch that day.
CMS administrator Marilyn Tavenner signed the paperwork authorizing the website to launch despite the failure of the agency to conduct thorough security testing. The authorization document read in part, “due to system readiness issues, the [security control assessment] was only partly completed."
Fryer also told the committee that she refused to sign the website launch authorization document. After she refused to do so, she then signed a document acknowledging that she knew the level of risk with the website launch. However, the document did not indicate whether she agreed with the decision to launch.