In sworn congressional testimony yesterday, Health and Human Services Secretary Kathleen Sebelius said that HealthCare.gov was operating under a provisional security authorization—a temporary certificate issued just a few days before the October 1 launch, according to an internal administration memo first published by the Associated Press.
That memo warned that lack of thorough testing meant the site was left with the potential for serious security risks. "From a security perspective," the memo said, "the aspects of the system that were not tested due to the ongoing development, exposed a level of uncertainty that can be deemed as a high risk for the (federal marketplace website)."
In addition, the temporary authorization appears to violate administration guidance on web security—guidance crafted by Jeff Zients, who has been tasked with heading up the repair effort, in his former position as acting director of the Office of Management and Budget. As The Washington Examiner's Philip Klein reports:
During her testimony Wednesday before the House Energy and Commerce Committee, Secretary of Health and Human Services Kathleen Sebelius said that healthcare.gov is operating under a "temporary" order certifying that it met stringent security standards even as testing continues.
But that would appear to contradict guidance issued by the White House Office of Management and Budget last year by none other than Jeff Zients—the former acting director of OMB, who more recently was brought in to oversee the "tech surge" to fix problems facing Obamacare's implementation.
In a Sept. 27, 2012, memo addressed to the heads of executive departments and agencies, Zients said that OMB did not recognize "interim" authorizations.
Klein asked HHS about the apparent conflict between the memo and the temporary authorization and got a non-response:
HHS has now responded, but the response does not address the issue of whether the issuance of a temporary authorization violated official OMB guidance issued by Zients.
In an emailed statement, HHS spokeswoman Joanne Peters repeated nearly verbatim the response from CMS spokeswoman Bataille from earlier in the day. Peters said, "When consumers fill out their online Marketplace applications, they can trust that the information they're providing is protected by stringent security standards and that the technology underlying the application process has been tested and is secure. Security testing happens on an ongoing basis using industry best practices."
Regardless of whether or not the site itself is secure (which sort of doesn't matter at the moment, given that it doesn't work), it certainly looks as if the security authorization it's currently relying on violates the administration's own procedures.