Issa report paints picture of strife, factionalism in run-up to launch

screen capture of site

Senior IT officials at the Department of Health and Human Services were troubled by problems with technical architecture, security and testing in the weeks prior to the October 2013 botched launch of, but were blocked by colleagues within the Centers of Medicare and Medicaid Services and the White House from scrutinizing the project, according to a report from Republicans on the House Oversight and Government Reform Committee.

"Frankly, it's worse than I imagined!" HHS CIO Frank Baitman wrote in a Sept. 27, 2013, email to agency CTO Bryan Sivak.

According to the selection of email excerpts quoted in "Behind the Curtain of the Rollout," released Sept 17 by Rep. Darrell Issa (R-Calif.), chairman of the Oversight panel, Baitman and Sivak contemplated a campaign to roll back the launch to a limited population, as a kind of beta test, as problems with the site's performance were addressed. "To declare victory without fully launching," Sivak wrote in an email.

CMS Administrator Marilyn Tavenner acknowledged during a Sept. 18 hearing of the committee that there was conversation about a staggered launch to a few states. "I and the team did not think it was possible. I did not think it was possible the way the [federally facilitated marketplace] was configured to do that, nor did I think it was necessary," Tavenner said. "I had my own IT team who conveyed to me that they were confident in the project."

Sivak's worries stemmed in part from news from a CMS official who said that just a few days before the launch, the system was not able to handle more than 500 concurrent users. He was blunt about his concerns in an email to Baitman, writing, "Anyone who has any software experience at all would read that and immediately ask what the [expletive] you were thinking by launching."

CMS Deputy CIO Henry Chao, who had day-to-day oversight of the development of the federally facilitated marketplace, wrote to Baitman that, "without that personal investment in establishing the basis for understanding the operational aspects of the program (which HHS clearly does not have), there is no way to have a meaningful dialogue about the issues that 'visibility' provides you."

There was additional strain within CMS between leadership and security officials about whether the site should receive an authority to operate -- amply documented in a series of Congressional hearings -- which resulted in Tavenner signing the ATO certification herself, over objections from some CMS security experts.

According to a Sept. 16 report from Government Accountability Office, CMS has "not yet fully mitigated" some of the security weaknesses that existed at launch. In addition, GAO offered (but did not release for security reasons) 22 technical recommendations for fixes to, of which 19 have been implemented, according to the CMS reply to the GAO report. security is being treated as an urgent issue by some lawmakers in the wake of the breach of a test server supporting site development by hackers seeking a nesting ground for a botnet. According to security reports from HHS and from the Department of Homeland Security, no personally identifiable data was exfiltrated and there was no lateral movement into the live site.

CMS pushed back against the assessment that was insecure at launch.

"CMS does not concur with GAO's finding that CMS accepted significant security risks when it granted the FFM and the Hub an Authority to Operate (ATO) in September 2013 and allowed states to connect to the Hub," according to the reply comments that went out under the signature of HHS Assistant Secretary for Legislation Jim Esquea. CMS stated also that the agency "conducts end-to-end comprehensive [security control assessments] in the FFM that are above industry standards," and another round of such testing will take place this month in advance of the next open enrollment period, which kicks off Nov. 15.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.


  • Workforce
    Shutterstock image 1658927440 By Deliris masks in office coronavirus covid19

    White House orders federal contractors vaccinated by Dec. 8

    New COVID-19 guidance directs federal contractors and subcontractors to make sure their employees are vaccinated — the latest in a series of new vaccine requirements the White House has been rolling out in recent weeks.

  • FCW Perspectives
    remote workers (elenabsl/

    Post-pandemic IT leadership

    The rush to maximum telework did more than showcase the importance of IT -- it also forced them to rethink their own operations.

Stay Connected