Dear Mr. Speaker:
Earlier today, Oversight Committee Chairman Darrell Issa posted on the Committee’s website a letter to Kathleen Sebelius, the Secretary of Health and Human Services, that included selected portions of Security Control Assessments (SCAs) conducted by the MITRE Corporation on the Healthcare.gov website that were produced to the Committee last week pursuant to a unilateral subpoena issued by the Chairman.
Chairman Issa’s letter cherry-picks from the documents, mischaracterizes the status of the website, and appears inconsistent with the House Parliamentarian’s longstanding interpretation and guidance relating to Committee documents. The Chairman’s actions are a reckless and transparent attempt to frighten Americans away from the Heathcare.gov website and deny them health insurance to which they are entitled. This has become an unfortunate and well-known pattern with Chairman Issa, and in this case, one we warned against repeatedly over the last several days.
One of the primary allegations in Chairman Issa’s letter is that the personally identifiable information (PII) of Americans is at risk on Healthcare.gov. As evidence for this assertion, his letter quotes from an SCA stating that potential attackers “are able to see and edit PII of the victim." Chairman Issa’s letter does not explain that in the same SCA, this specific issue was designated by MITRE experts as “closed" prior to the website’s launch on Oct. 1, 2013.
Instead of making this simple point clear, Chairman Issa’s letter states generally that MITRE designated risks as “closed" based on assurances from the Centers for Medicare and Medicaid (CMS) that they would be remediated. His letter omits any mention of documents and witness statements the Committee has obtained both from CMS and contractors indicating that this particular issue was remediated prior to the website’s launch on October 1.
In addition, I wrote to Chairman Issa last Friday explaining that, under House Rule XI, clause 2(m)(3)(A), the authority to issue subpoenas resides in the Committee and must be expressly delegated by the Committee to the chair, which our Committee has done. The House Parliamentarians have interpreted this rule to mean that all documents received under a subpoena belong to the Committee. The Chairman’s delegated authority to issue subpoenas is limited to the issuance of the subpoenas; the delegation does not give the chair the authority to release the subpoenaed documents without Committee approval.
House rule XI clause 2(e) provides additional authority for the fact that Committee records, which include documents obtained under Committee subpoenas, must be handled under procedures adopted by the Committee, not under procedures announced unilaterally by the chair. This rule provides that Committee records “shall be kept separate and distinct from the congressional office records of the member serving asits chair." Thus, the documents are owned by the Committee, not the Chairman.
This issue was raised previously in our Committee in 1997 when then-Chairman Dan Burton sought to impose a unilateral protocol for releasing documents without action by the Committee or input from Committee Members. In that case, the House Parliamentarians advised that Committee action was required:
The Parliamentarian’s advice makes it clear that it is the Committee-not the chair acting on its own-that must decide how the documents received during the investigation will be handled. It is necessary, therefore, that a Committee meeting be called at which this issue can be resolved by Committee vote.[1]
Chairman Issa has disregarded multiple requests from me to address this matter, including letters on November 6 and Dec. 13, 2013. For these reasons, on Friday, three Members of the Oversight Committee sent a letter to Chairman Issa invoking House Rule XI clause 2(c)(2), requesting a special meeting of the Committee to vote on procedures for safeguarding the documents Chairman Issa has subpoenaed.
Chairman Issa has not responded to any of these letters, has not called a special meeting of the Committee, and has chosen instead to release selective information from the subpoenaed documents without consultation with other Committee Members. Based on his public statements, Chairman Issa also appears to have consulted with unnamed “experts" about some of the most sensitive information contained in these documents, raising additional concerns about its security.
Yesterday, the Ranking Members from seven House Committees wrote to you and Leader Pelosi requesting that you host a classified briefing with top cyber security experts on the risks to information technology systems across the federal government posed by releasing publicly information from these SCAs. I believe this step is critical to safeguarding this information in a responsible manner.
Sincerely,
Elijah E. Cummings
Ranking Member
cc: The Honorable Darrell E. Issa
Chairman, House Committee on Oversight and Government Reform
-------------------------------
[1] Letter to Rep. Dan Burton, Chairman oftheHouse Committeeon Government Reform, from MinorityMembers (Mar. 10, 1997).
