Tavenner approved the Sept. 27 security certification for the health website, which read: “Aspects of the system that were not tested due to the ongoing development exposed a level of uncertainty that can be deemed as a high risk.”
It called for a four-step mitigation plan, including ongoing monitoring and testing, leading to a full security control assessment.
The agency’s top three information security professionals signed on an accompanying page that said that “the mitigation plan does not reduce the risk to the ... system itself going into operation on Oct. 1” but that its added protections would reduce risk later and ensure full testing within six months.
HealthCare.gov has two major components: an electronic “back room” that did get full security certification and the consumer-facing “front room” that’s temporarily certified.
The back room, known as the federal data hub, queries other government agencies to verify applicants’ personal information. It does not store that data.
But the front room does. That’s where consumers in the 36 states served by the federal website create and save their accounts. While the individual components of the front room did undergo security testing, the system as a whole could not be tested as an integrated whole because development continued until shortly before launch.
Tavenner testified that was the reason she had to issue a temporary certification. The decision was brought to her level because of the overall magnitude of the project, she said. She said she didn’t voice the security concerns to her boss, Health and Human Services Secretary Kathleen Sebelius, or to the White House office that oversees federal agencies.
Rep. Darrell Issa, R-Calif., chairman of the House Oversight and Government Reform Committee, is investigating whether that decision compromised security. “Did the administration officials who signed off ... know the full risks associated with the website, and if so, why did they decide to go ahead with the launch anyway?” said spokeswoman Caitlin Carroll.