[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
SECURE CREDENTIALS ISSUED BY THE GOVERNMENT PUBLISHING OFFICE
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
OCTOBER 21, 2015
__________
Serial No. 114-54
__________
Printed for the use of the Committee on Oversight and Government Reform
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.fdsys.gov
http://www.house.gov/reform
______
U.S. GOVERNMENT PUBLISHING OFFICE
97-975 PDF WASHINGTON : 2015
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
JASON CHAFFETZ, Utah, Chairman
JOHN L. MICA, Florida ELIJAH E. CUMMINGS, Maryland,
MICHAEL R. TURNER, Ohio Ranking Minority Member
JOHN J. DUNCAN, Jr., Tennessee CAROLYN B. MALONEY, New York
JIM JORDAN, Ohio ELEANOR HOLMES NORTON, District of
TIM WALBERG, Michigan Columbia
JUSTIN AMASH, Michigan WM. LACY CLAY, Missouri
PAUL A. GOSAR, Arizona STEPHEN F. LYNCH, Massachusetts
SCOTT DesJARLAIS, Tennessee JIM COOPER, Tennessee
TREY GOWDY, South Carolina GERALD E. CONNOLLY, Virginia
BLAKE FARENTHOLD, Texas MATT CARTWRIGHT, Pennsylvania
CYNTHIA M. LUMMIS, Wyoming TAMMY DUCKWORTH, Illinois
THOMAS MASSIE, Kentucky ROBIN L. KELLY, Illinois
MARK MEADOWS, North Carolina BRENDA L. LAWRENCE, Michigan
RON DeSANTIS, Florida TED LIEU, California
MICK MULVANEY, South Carolina BONNIE WATSON COLEMAN, New Jersey
KEN BUCK, Colorado STACEY E. PLASKETT, Virgin Islands
MARK WALKER, North Carolina MARK DeSAULNIER, California
ROD BLUM, Iowa BRENDAN F. BOYLE, Pennsylvania
JODY B. HICE, Georgia PETER WELCH, Vermont
STEVE RUSSELL, Oklahoma MICHELLE LUJAN GRISHAM, New Mexico
EARL L. ``BUDDY'' CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama
Sean McLaughlin, Staff Director
David Rapallo, Minority Staff Director
Art Arthur, Staff Director, Subcommittee on National Security
Dimple Shah, Deputy Counsel, National Security Subcommittee
Sarah Vance, Clerk
C O N T E N T S
----------
Page
Hearing held on October 21, 2015................................. 1
WITNESSES
Ms. Davita Vance-Cooks, Director, U.S. Government Publishing
Office
Oral Statement............................................... 5
Written Statement............................................ 6
Ms. Kathleen Carroll, Vice President of Corporate Affairs, HID
Global, Inc.
Oral Statement............................................... 6
Written Statement............................................ 8
Mr. James N. Albers, Senior Vice President of Government
Operations, Morphotrust USA
Oral Statement............................................... 8
Written Statement............................................ 9
Michael A. Raponi, Inspector General, Government Publishing
Office
Oral Statement............................................... 10
Written Statement............................................ 11
APPENDIX
Letter from GAO.................................................. 36
State Response to Inquiry from Morphotrust R: Border Crossing
Card Issue..................................................... 56
Statement from Business Coalition for Fair Competition........... 57
SECURE CREDENTIALS ISSUED BY THE GOVERNMENT PUBLISHING OFFICE
----------
Wednesday, October 21, 2015
House of Representatives,
Committee on Oversight and Government Reform,
Washington, D.C.
The committee met, pursuant to call, at 10:02 a.m., in Room
2154, Rayburn House Office Building, Hon. Jason Chaffetz
[chairman of the committee] presiding.
Present: Representatives Chaffetz, Mica, Amash, Farenthold,
Lummis, Massie, Meadows, DeSantis, Buck, Walker, Blum, Hice,
Carter, Grothman, Hurd, Palmer, Connolly, Lieu, Plaskett,
DeSaulnier, Welch, and Lujan Grisham.
Chairman Chaffetz. The Committee on Oversight and
Government Reform will come to order. And without objection,
the chair is authorized to declare a recess at any time.
I appreciate all of you joining us for this hearing today,
Secure Immigration Identify Documents. For nearly 150 years,
the Government Printing Office, otherwise known as the GPO, has
served as the printer for the Congress and the Federal
Government. In that capacity, it is responsible for the
collection, production, distribution, and preservation of
public information from three branches of government. As
government records move from print to digital, GPO finds itself
in a challenge to remain relevant and necessary. With declining
print demands, GPO is projected to run out of money in 2020
unless it overhauls its current business model.
In 2013, the National Academy of Public Administration, or
NAPA, conducted a review of the state of GPO and its ability to
meet the digital demands of the future. NAPA found that all the
facets of the GPO will need to be realigned, everything from
GPO's digital publishing and preservation efforts to the size
and skill set of its workforce will need to be re-evaluated.
One major change to its business model involves GPO
supplying secure credentials containing radio frequency
identification, often referred to as RFID, in these chips to
government agencies handling our Nation's immigration
functions. GPO now issues those documents. It is unclear,
however, if those documents are both secure and functional.
Ensuring that identity documents are secure and reliable is
critical to our national security.
Immigration fraud was identified by the 9/11 Commission as
a key method by which terrorists entered and remained in the
United States. As the commission noted, ``Travel documents are
as important as weapons.'' It went on to say, ``At many entry
points to vulnerable facilities, including gates for boarding
aircraft, sources of identification are the last opportunity to
ensure that people are who they say they are.'' Given these
facts, it is critical that secure credentials reflect state-of-
the-art technology to ensure Federal Government is a step ahead
of those who would attempt to alter or misuse documents to
commit terrorist or criminal acts.
The Federal acquisition system is built on the principle of
full and open competition. Full and open competition means
contractors compete against each other on both the quality and
the solution and the price. This ultimately benefits the
American taxpayer, and I believe provides a better end product.
Essentially, Federal departments and agencies can
circumvent the full and open competition process and sole
source their secure credential requirements to the GPO. This
means that the American taxpayer does not realize the benefit
of innovation and the best price through a full and open
competition process. It also means the government forfeits the
opportunity to leverage innovative solutions to ensure reliable
and security of those credentials.
It also appears GPO is increasingly shifting towards in-
house production of credentials. Now, if they offer the best
product, the best price, more power to them. But without that
competition, we are worried that over the course of time that
security, that innovation, that it will suffer.
Typically, an agency seeking to contract with the private
sector for a good or service must comply with the Federal
Acquisition Regulations, or FAR. The agency would publish a
request for a proposal and receive bids from potential
contractors in response. Then the agency has the opportunity to
evaluate the solutions and the price offered by several
contractors. This process of full and open competition is
intended to make sure the agency is getting the best product at
its lowest price.
GPO claims that its 47-year-old authorizing statute, Title
44, justifies its ability to issue secure credentials in this
matter simply because these cards have prints on them and
printing is a core GPO function.
In particular, GPO has argued that, ``The production of
secure credentials for Federal agency also involves the
printing process, and so GPO is authorized to produce them.''
This raises the question of whether Title 44 should be used in
competition process to acquire secure credentials from GPO. GPO
certainly knows how to print, but do they have the capacity to
innovate and provide reliable secure credentials?
This is part of the discussion today, and I thank all the
witnesses for their expertise and being here today, and look
forward to a good discussion about a most important topic.
We will now recognize the ranking member, Mr. Connolly of
Virginia, for his opening statement.
Mr. Connolly. Thank you, Mr. Chairman. And welcome to our
panelists.
I welcome the opportunity to examine more closely the
government's procurement and production of secure
identification cards. Today most people take for granted the
necessity of carrying around some form of official credential,
whether it's a passport, driver's license, employer-issued ID,
or if you're a Member of this body, your voting card. Thanks to
technological advances in recent years, some of these cards now
digitally store personal information, which makes the integrity
of the cards themselves and those involved in the manufacturing
to create them critically important. It also strikes me as a
prime opportunity for the public sector, which increasingly
relies on these smart cards, to partner with industry, which is
continually advancing the sophistication of the security, as
well as the applications for this technology through innovation
and research.
I would suggest the Government Publishing Office, which is
statutorily tasked with serving the printing needs for all
three branches of the Federal Government, has been successful
in fostering such a partnership with industry, on developing
the modern U.S. passport, which it produces for the Department
of State using paper and electronic components, competitively
procured from private sector vendors. Based on that experience
and growing interest from Federal agencies for the secure
credentials, GPO requested and was granted authority by the
Joint Committee on Printing, comprised of Members of Congress,
to begin producing secure cards, beginning with the credentials
for the Trusted Traveler Programs for U.S. Customs and Border
Protection under the Department of Homeland Security.
More recently, GPO took over the production of the Border
Crossing Card for the State Department at the agency's request.
One of the companies represented today, MorphoTrust, at one
time printed those cards. But the State Department determined
GPO could produce them with a more reliable read rate at a
lower cost. While the production of the physical cards
transitioned to GPO, I understand Morpho remains the lead
contractor for imprinting the personalized information on each
card.
Mr. Chairman, I must say I was puzzled to read the prepared
statements from today's industry witnesses in preparing for
this hearing. For example, Ms. Carroll, who represents HID
Global, an international company that prints the U.S.
Government Green Card and passports for 25 other countries, as
well as our Member voting cards, and secure IDs for
congressional staff, says industry is threatened by GPO's
expanded role in producing smart cards.
Further, Mr. Albers of MorphoTrust, the U.S. subsidiary of
a multinational company which partners with GPO, on producing
U.S. passports and prints the driver's license for 42 of 50
states, suggests GPO's actions represent an existential crisis
for industry and its partnership with the Federal Government.
Last time I checked, Congress provides GPO with a budget for
printing and binding of roughly $80 million. While it does
engage in printing and manufacturing of secure cards separate
from the passport, it is on a limited basis, utilizing just 27
employees. Production of secure cards accounts for four percent
of the GPO's revenue, roughly $30 million, representing a mere
fraction of the multi-billion dollar global secure card market.
GPO does not actively compete with industry through the agency
procurement process, responding only to direct agency requests.
I understand industry representatives may be concerned that
such inter-government arrangements hinder competition. But I
would note that GPO often turns to industry to competitively
procure products to meet those needs. Further, I would suggest
that we ought to be more agnostic about whether this work is
best performed by government or private sector, and I think you
expressed that, Mr. Chairman, just now about whether this work
is best performed by government, private sector, and instead
consider which can meet agency needs for a quality product with
the best cost.
When I was chairman of Fairfax County, we explored
opportunities to outsource several government functions. And I
can recall having my auditor look into potential savings of
outsourcing vehicle fleet maintenance. I was convinced the
private sector could do that more cheaply and probably at
better quality. To my surprise, the government actually came in
cheaper than Jiffy Lube, and the customer satisfaction was
universally positive. I was surprised. My preconceived notion
was, in fact, wrong.
So in the case of smart cards, the few agencies that turn
to GPO have, in fact, reported savings, as GPO's only allowed
to recoup its costs and does not make a profit. Those agencies
also may cancel their agreement with GPO at any time without
penalty if they find an industry partner that can produce a
more reliable card and more cheaply.
In addition, I would note this finding from the GAO which
notes GPO, ``Does not have the capacity to meet the entirety of
the Federal Government demand for secure credentials either
through direct production in its facilities, or by contracting
outside entities to fulfill a requisition.'' So even if GPO
wanted to expand its secure card business, as our witnesses
suggest is the case, it could not do so.
Let me go back to what I said at the outset. This should be
a textbook opportunity for government to better collaborate
with industry. We wouldn't have this capability if not for the
ingenuity of industry which has responded to both the public
and private sector needs for technologically advanced secure ID
cards. At the Federal level, GPO as the printer of the U.S.
passport since 1926, has a role to play in this discussion,
albeit a small one, as do other Federal agencies that rely on
industry to be a partner in providing those essential services.
I look forward to the hearing. Thank you, Mr. Chairman.
Chairman Chaffetz. Thank the gentleman.
Chairman Chaffetz. We'll hold the record open for 5
legislative days for any members who would like to submit a
written statement.
Chairman Chaffetz. We'll now recognize our witnesses. We're
pleased to welcome Ms. Davita Vance-Cooks, director of the
Government Publishing Office, the GPO; Ms. Kathleen Carroll,
vice president of corporate affairs at HID Global; Mr. James
Albers, senior vice president of government operations at
MorphoTrust USA; and Mr. Michael Raponi--did I pronounce that
right?
Mr. Raponi. Yes, Mr. Chairman.
Chairman Chaffetz. --inspector general of the Government
Publishing Office. We welcome you all.
Pursuant to committee rules, all witnesses are to be sworn
before they testify. So if you will please rise and raise your
right hand. Please rise and raise your right hands. Thank you.
Do you solemnly swear or affirm that the testimony you are
about to give will be the truth, the whole truth, and nothing
but the truth?
Thank you. Please be seated.
And let the record reflect that the witnesses all answered
in the affirmative.
Your entire written statement will be entered into the
record. We're now going to recognize you for your verbal
comments, but if you could please limit those to 5 minutes, we
would appreciate it. And then we'll get to the questions.
Director Vance-Cooks, you're now recognized for 5 minutes.
WITNESS STATEMENTS
STATEMENT OF DAVITA VANCE-COOKS
Ms. Vance-Cooks. Mr. Chairman and members of the committee,
good morning. I have been looking forward to this opportunity
to showcase the important secure credential work that the GPO
performs on behalf of Federal agencies and our U.S. citizens.
As you have asked, I will briefly summarize my prepared
remarks, which have been submitted for the record.
The GPO has produced the U.S. passports since 1926, giving
us extensive experience in the important field of secure
credentials. A decade ago, in partnership with State, we
developed the e-passport which contains multiple physical and
digital security features. And since then we have produced over
100 million e-passports. Based on this experience, in 2007 the
Joint Committee on Printing, our oversight committee, approved
our request to fund a capability to produce secure credentials
for Federal agencies that were asking us for these solutions.
In 2012, the JCP approved our request to fund the
establishment of a secure credential COOP site. The JCP, our
oversight committee, has overseen and approved funding for this
program throughout its existence. Our role in building secure
identity documents is to provide Federal Government agencies
with an option for a government-to-government solution backed
by competitive outsourcing with the private sector. We are a
choice. And the agencies are not required to use us.
We are a printer and a card integrator. We produce secure
credentials by using qualified expert staff working in an ISO
9001 certified manufacturing operation backed by a COOP
facility supported by a secure supply chain with access to both
Federal and commercial experts in fraudulent document testing
and forensic labs.
In our partnerships with the private sector, we outsource
our requirements for consulting, design, equipment, materials
and supplies, and fabrication so that we can produce secure
credentials with cutting edge security technologies.
Our partnerships with the private sector create hundreds of
jobs and provides multiple business opportunities. To date, the
GPO has produced over nine million secure credential cards
across 15 separate product lines. Among these products are the
Trusted Traveler Program cards, the Border Crossing Cards, and
the TWIC cards. And our customers are highly satisfied with
GPO's product performance, reliability, security, and pricing.
Our secure credential operation is relatively modest in size.
Total program revenues for fiscal year 2014, approximately $30
million, representing four percent of GPO's revenue.
The secure credential operation is an authorized GPO
function as outlined by Title 44, which defines printing and
the requisition process. And that requisition process triggers
competitive procurement outsourcing throughout the secure
credential industry. And by law, the GPO can only recover its
costs. So there are no profits, there are no shareholder
margins, resulting in significant taxpayer savings. We operate
under multiple layers of oversight and review, including our IG
office. Our finances are independently audited by KPMG every
year. In the last 3 years, at the request of Congress, we have
been audited by NAPA and the GAO, and they have validated our
mission. We are open and transparent.
In conclusion, we are proud that the program is helping to
keep our borders and our facilities secure. Our employees are
so proud to print these products. We're proud to serve our
country. And I invite you all to come down and see our secure
credential operation.
Mr. Chairman, members of the committee, thank you again for
this opportunity.
Chairman Chaffetz. Thank you.
[Prepared statement of Ms. Vance-Cooks follows:]
[Written statement can be found here: https://
oversight.house.gov/hearing/secure-credentials-issued-by-the-
government-publishing-office/]
Chairman Chaffetz. Ms. Carroll, you're now recognized for 5
minutes.
STATEMENT OF KATHLEEN CARROLL
Ms. Carroll. Good morning, Chairman Chaffetz and Ranking
Member Connolly and other distinguished members of the
committee. Thank you for inviting me to testify today.
My name is Kathleen Carroll, and I am the vice president of
corporate affairs at HID Global, where I focus on the
intersection of technology, security, privacy, and public
policy. I am honored to be able to share with you our concerns
regarding the manufacture and procurement of secure immigration
identify documents.
For more than 25 years, HID Global has been designing,
developing, and manufacturing secure credentials for private
businesses and governments around the world, including the U.S.
Green Card. In fact, as the Congressman noted, we do make the
congressional staff ID cards and Member voting cards.
The Department of Homeland Security has certified our
Austin, Texas, facility for the manufacture of these
credentials for the U.S. Government. A simple, easy-to-
replicate card can certainly be made by untrained people with
readily available equipment. A complex hard-to-replicate
reliable card is actually very difficult to make. What is often
forgotten in discussions like this is that a secure identify
document is part of an ecosystem that includes readers,
software, databases, and processes to authenticate and verify
such critical documents. All of these components must work
together securely, seamlessly, consistently, and in a privacy-
protecting manner.
Congress needs to decide whether these systems, which are
the first line of defense at the border, require and deserve
the innovation and investment that can only come from the
private sector. This is why companies like HID Global exist.
That is why the HID-made U.S. Green Card, has consistently been
considered the hardest to counterfeit government-issued
identify document. The Green Card has both physical card
security and an extremely reliable RFID read rate.
Congress created programs like the Green Card and the
Border Crossing Card and mandated them for a reason, secure the
border. We are proud of the jobs we create and the technology
we developed to help you do that. And we hope to continue doing
so in the future.
Our ability to do so, however, is threatened by the
Government Publishing Office's decision to become a
manufacturer of secure credentials. With no legislative
direction or authority from Congress, the GPO, a government
entity, has broadly interpreted its mandate under Title 44 to
manufacture ID cards and plastic data pages for passports. The
GPO also aggressively markets its manufacturing services to
executive branch agencies with the claim that it is the sole
legal source of these ID cards.
The evidence shows that the GPO doesn't really intend to
compete at all. They instead inform executive branch agencies
that they are required to obtain ID cards from the GPO under
Title 44. The GPO began asserting this in 2007. We were part of
a team of private industry vendors who spent months developing
cutting edge secure identity documents for the consolidated
Trusted Traveler RFID card program. Late in the procurement
process, we were abruptly informed by letter that the GPO would
provide the cards. The letter cited Title 44.
More recently we were re-awarded the contract to
manufacture the U.S. Green Card under a competitive bidding
process with other private manufacturers. That competition
almost didn't happen. We learned that the GPO had been having
conversations with USCIS for months prior to the release of the
most recent request for purchase. It is our understanding that
the GPO was asserting that USCIS could avoid the rigorous
process of conducting a competitive bid and instead simply
request the Green Card be awarded to GPO under Title 44.
Congress needs to decide if your goal is to have the best,
most advanced secure credential technology to protect the
border. If so, you need to insist that agencies should buy the
best and most secure credentials from those of us in industry
that have invested millions of dollars in innovation,
expertise, and security.
The GPO does not have the incentive or the capability to
manufacture or even effectively develop the technologies
offered by the private sector. It seems the threshold question
Congress should be asking is, how do we make our government-
issued credentials used to gain entry into the United States as
secure as possible? Not, how do we ensure that the GPO or any
other entity that wants to enter the market to manufacture
credentials can do so? The decision to manufacture secure
immigration documents should not be left up to the GPO. For the
sake of our national security, Congress should determine the
best path forward.
Thank you.
Chairman Chaffetz. Thank you.
[Prepared statement of Ms. Carroll follows:]
[Written statement can be found here: https://
oversight.house.gov/hearing/secure-credentials-issued-by-the-
government-publishing-office/]
Chairman Chaffetz. Mr. Albers, you're now recognized for 5
minutes.
Mr. Connolly. Mr. Chairman.
Chairman Chaffetz. Yes.
Mr. Connolly. Can I just say to Ms. Carroll I thank you for
the voter ID cards you produce, and I just hope we can persuade
airports and TSA to accept them as a valid form of ID.
Thank you.
Ms. Carroll. If you need some help, I'll try to help.
Chairman Chaffetz. Mr. Albers, you're now recognized for 5
minutes.
STATEMENT OF JAMES N. ALBERS
Mr. Albers. Good morning, Chairman Chaffetz, Ranking Member
Connolly, other distinguished members of the committee. I thank
you for inviting me to testify today. My name is Jim Albers,
and I'm the senior vice president of government operations for
MorphoTrust USA.
MorphoTrust employs over 1,600 employees in the United
States. All of our employees are cleared U.S. citizens, and all
of our secure production facilities are located in the United
States. MorphoTrust produces 80 percent of the driver's
licenses and IDs in this country, the most widely used document
for establishing identify. We have been the prime contractor on
the State Department's passport personalization contract for 20
years. I'd like to use this opportunity to talk about the
industry, the importance of competition as it relates to price
and innovation, and ultimately the security of the country.
Private industry's ability to compete for contracts for
Federal secure credentials is threatened by the Government
Publishing Office's unique claims under Title 44. In 2008,
following a competitive procurement, MorphoTrust was awarded a
contract with the U.S. Department of State to produce the U.S.
Passport Card, as well as the Border Crossing Card. Under this
contract we produced over one million RFID-enabled secure
credentials per year.
In 2012, we learned through indirect sources that the GPO
would now be producing the Border Crossing Card. There was no
public notice, no RFI, no RFP. No opportunity for other
suppliers to compete for this business. After a formal inquiry,
we received a letter from the State Department's Office of
Competition Advocate stating that they were required to use GPO
for the production of secure credentials as it falls within the
definition of ``printing'' under Title 44.
There is a belief that the GPO enjoys a loophole from the
Federal Acquisition Regulations under the guise of Title 44
which requires that all printing be done by or through the GPO.
The GPO is using this to procure without facing the free and
open competition any private vendor would face. A lack of
competition in industry will have a direct impact on national
security by driving private suppliers and the innovations that
they bring out of the business, and make it more difficult for
America to stay one step ahead of the counterfeiters and the
would-be terrorists.
Production of secure credentials involves complex
manufacturing processes that extend well beyond printing. These
processes rely on persistent innovation and allow U.S. industry
to design and produce some of the most sophisticated and secure
credentials in the world. However, as we look at the
competitive landscape, we believe that this industry's
existence is threatened by the fact that GPO continues to grow
large-scale production capability for the production of
identity documents.
Our economic system depends and only works well when there
is competition. When you remove competition, you destroy
capitalism. Competition drives innovation. MorphoTrust invests
millions of dollars per year into internal R&D funds. We do
this for two reasons. Number one, to stay ahead of the bad
guys. And, number two, to stay ahead of the competition. If the
government decided to send all its secure credential design,
development, and manufacturing to GPO, industry would no longer
have an incentive to invest.
As a side note, when we do mess up, industry bears the
costs of these mistakes. When government messes up, the
taxpayers bear the cost.
Competition drives down prices. As my friend right here,
Kathleen, works for a competitor, sometimes MorphoTrust may
partner with HID, and sometimes we may compete. Regardless, we
both work hard to win. In a recent competition that Kathleen
mentioned between our two companies, HID won the DHS Green Card
award over MorphoTrust, with both companies drastically cutting
prices over the current price, saving the government millions
of dollars. Congratulations.
National security is not being served by Title 44. While
there were secure credentials prior to 9/11, those terrorist
attacks on our soil highlighted the need for better identity
documents. As the chairman already mentioned, the 9/11
Commission reported for terrorists, travel documents are as
important as weapons.
In conclusion, in order to maintain a competitive
industrial base, encourage competition and innovation, and keep
one step ahead of the bad guys, it is time for Congress to
reform Title 44. Doing so will clarify the authority of
agencies to procure the production of secure credentials
directly from the private sector. Only in this way will the
United States Government secure and ensure the quality
assurance, technological innovation, and cost efficiencies
associated with robust private sector competition.
Thank you for your time. I look forward to your questions.
Chairman Chaffetz. Thank you.
[Prepared statement of Mr. Albers follows:]
[Written statement can be found here: https://
oversight.house.gov/hearing/secure-credentials-issued-by-the-
government-publishing-office/
Chairman Chaffetz. We'll now hear from the inspector
general, Mr. Raponi, for 5 minutes. You're now recognized.
STATEMENT OF MICHAEL A. RAPONI
Mr. Raponi. Good morning, Chairman Chaffetz, Ranking Member
Connolly, and members of the committee. Thank you for the
opportunity to testify on the oversight work of the Office of
Inspector General as it pertains to secure credentials issued
by the Government Publishing Office.
As you are aware, the OIG is an independent entity within
the GPO. Therefore, the views expressed in my testimony are
based on the findings and the recommendations of the OIG and
not intended to reflect GPO's position.
By way of background, GPO produces Federal secure
credentials in accordance with its mandate under Title 44 of
the U.S. Code to fulfill the printing needs of the Federal
Government. According to GPO officials, production of secure
credentials fall within the statutory definition of
``printing.'' We noted congressional support of GPO's
production of secure credentials when in December 2007 the
Joint Committee on Printing authorized expenditures associated
with smart card technology.
And again in 2012 when it authorized expenditures
associated with the establishment of a COOP capability for
GPO's secure cards production located in Stennis Space Center's
facility in Mississippi.
We also noted in 2015, the Government Accountability Office
reported its views of activities and processes related to GPO's
production of secure credentials. In its report, GAO reported
that both Department of State and Customs and Border Protection
officials, believe that after consideration of factors such as
interagency coordination and collaboration and pricing, among
others, GPO was best able to meet their production needs.
OIG has issued ten reports since 2012. OIG reports are
intended to help senior managers strengthen operations. Our
assessments disclosed that GPO established an overall framework
of policies and management controls it uses to produce secure
credentials. While an established structure is present, we
noted opportunities exist to strengthen some activities and
processes. For the purpose of this hearing, I will highlight
examples from four audits.
In August 2014, as part of an anonymous hotline complaint
expressing concerns over acquisition of passport eCovers, OIG
reviewed key factors used to determine whether a proposal was
technically acceptable when GPO procured the most recent
passport eCovers. In that review we found documentation was not
sufficient to demonstrate all key evaluation factors were
performed, reviewed, and approved by the contracting officer.
We also identified an issue that pertained to inconsistencies
with the disposition of test results. Management agreed with
our recommendations and took, or is in the process of, taking
corrective action.
In September 2014, OIG reported on the steps GPO took for
ensuring accountability over blank ePassports through various
stages of the production process. By way of computer chips, we
traced and analyzed more than 2.4 million eCovers through the
production process to final destination at State. In part, we
found GPO could strengthen accountability by better documenting
the physical destruction of eCovers and blank ePassports at its
Stennis facility. Management agreed with the recommendations
and took, or is in the process of corrective action.
In December 2014, based on concerns raised by the Committee
on House Administration, OIG conducted a review and reported on
whether GPO identified and addressed risks necessary to protect
itself in the event a key component of blank ePassports were
either compromised or had its supply chain threatened. OIG
found that while significant improvements were made compared to
results of an earlier review, procedures for ensuring the
security of the supply chain were not always followed. OIG also
identified a risk associated with sole source providers for key
components of the supply chain. And management agreed with our
recommendations and took, or is in the process of taking,
corrective action.
In my final example, GPO reported that the secure
credential production system developed to produce the
Transportation Worker Identification Card, TWIC, failed to
produce data as expected. GPO management requested OIG review
the matter. In response, OIG analyzed the steps taken to
develop the secure credential production system focusing on
whether risks were adequately mitigated during the system
development. We found GPO's taken numerous steps to establish
an overall system development policy to follow when introducing
new products, GPO's integrated system development policy into
key IT policies.
In examining the activities with the development of the
TWIC system, we found, in general, the framework for managing
projects was not followed for approximately 60 percent of the
tasks. Management agreed with the recommendations and has
taken, or in the process of, taking corrective action.
In conclusion, since 2012 OIG has made a total 34
recommendations, of which 22 are closed and the remaining 12
are open and pending further verification. OIG is not aware of
any current security breaches of the supply chain affecting
GPO's production of secure credentials. We continue to work
collaboratively with GPO to improve operations, maintain a
longstanding record in delivering a world class service to our
Nation.
Thank you for the opportunity to testify today. And I'd be
pleased to answer any questions that you or any members of the
committee may have.
Chairman Chaffetz. Thank you.
[Prepared statement of Mr. Raponi follows:]
[Written statement can be found here: https://
oversight.house.gov/hearing/secure-credentials-issued-by-the-
government-publishing-office/
Chairman Chaffetz. We'll now recognize the gentleman from
Florida, Mr. Mica, for 5 minutes.
Mr. Mica. Thank you, Mr. Chairman. And I appreciate your
calling this hearing.
You expressed a lot of pride, Ms. Vance-Cooks, in what
you're doing. But I can tell you as far as credentialing and
IDs, I have never seen a more screwed up program in my entire
life. Our ranking member, Mr. Connolly, made a joke about our
ID, being able to use it as identification like it at the
airport. You produced the passports or you're responsible for
the passports?
Ms. Vance-Cooks. Yes, sir.
Mr. Mica. Yeah. Well, after 9/11, just a little history, I
called in the State Department because they were producing
passports, and that was one of our most important documents
that government was producing at that time. We said we should
have some uniform standards for credentialing and be able to
verify who has the passport or the identification, whether it
be a passport, whether it be a Member's card, or any other form
of Federal identification. Today we still don't have that.
The TWIC card is an--I'd be ashamed to come and say I had
anything to do with the TWIC card. We've probably spent a
billion dollars, we've issued millions of them, and the TWIC
card, which is Transportation Worker Identification Card, we
have a document, don't we, a TWIC card? And we're on our second
issuance of them. Right? At least.
Ms. Vance-Cooks. The GPO is responsible for the TWIC card.
This is the first time we have produced the TWIC card.
Mr. Mica. I know. But, again, does it have identifiable,
verifiable information in it now finally----
Ms. Vance-Cooks. Yes.
Mr. Mica. --with both thumb and iris?
Ms. Vance-Cooks. I believe it does.
Does it?
No. It does not.
Mr. Mica. Oh, if you don't know that and come here, that's
sad. And you're in charge of it. But it doesn't have it. It's
unbelievable, again, and we force people to take it. Now if you
go to a port, they show their TWIC card, they have to show
another form of identification. It is not verifiable.
I held no less than three hearings, and it's not all your
fault, part of it is Congress' fault. They've gone in different
directions. This is a useless document, that's a Member card,
except for charging trillions of dollars on it when we vote.
But it's unbelievable.
The pilot card. I put three times in law that it must have
identity verification, a strip that would contain basic
information as to who that person was. They produced it, folks.
You should see it. It was the biggest joke in the world. A
pilot's identification getting into the aircraft, past security
and everything, it looked like it came out of a Cracker Jack
box. It was a folded little paper ID. And I said it had to be
durable. It had to have embedded in it the information, and
then it had to have a picture of the pilot. I'll be dammed if
they didn't produce it. There's much more information on my
American Express Card than they had on the pilot card. No
verification.
You're not going to touch my--especially with your
reputation on that side of the aisle. I'll let you play with
this one awhile--but the only photo on the pilot's license was
Wilbur and Orville Wright. It was a national joke and disgrace.
But the TWIC card, in particular, is still a fiasco.
Do we have a reader that can read a TWIC card----
Ms. Vance-Cooks. Yes.
Mr. Mica. --approved?
Ms. Vance-Cooks. Yes. And----
Mr. Mica. How many ports is it deployed to?
Ms. Vance-Cooks. I will have to check.
Mr. Mica. Oh, I'm telling you--oh, I could probably count
them on my fingers and toes.
Ms. Vance-Cooks. All right.
Mr. Mica. It's a disgrace. And even if you had a reader, it
doesn't have the information to verify. Fingerprint can be
played with. Iris is the most dependable.
You said, Ms. Carroll, you must be able to verify the
information with the reader. Right? And the private sector has
done this. Haven't they?
Ms. Carroll. Yes, sir.
Mr. Mica. They produce cards with that kind of information.
We have security at different facilities, both in the private
sector and the public sector that can do that. Right?
Ms. Carroll. Yes, sir.
Mr. Mica. And you've heard what they've just told us here
about the fiasco of this. And it's not all her fault. I don't
want to blame--I give you 70 percent of the credit and 30
percent of the blame.
Ms. Vance-Cooks. All right.
Mr. Mica. Part of it is Congress, and we do need to change
Title 44. It's got to be changed. Somebody has to be in charge.
First you get a standard, a basic standard, and the private
sector has done it over and over. And you have to have
verifiable information embedded in that card. Period. And then
you have to have something that can read the damn card. So
unless you get that in place, we are just--and this is, guys,
this is a multi-billion dollar fiasco. I yield back.
Chairman Chaffetz. I thank the gentleman.
Now recommend Mr. Connolly of Virginia for 5 minutes.
Mr. Connolly. I thank the chair.
I really think this hearing seems to be about whether it's
appropriate to have GPO in this function at all. And I think
that's a fair question. I do think, Mr. Albers, you overstate
your case. I hardly think the GPO represents an existential
threat to the industry. How big is your company?
Mr. Albers. Our company's about--MorphoTrust is about $650
million a year.
Mr. Connolly. Right. And they're talking about $30 million.
So I suppose you could argue, and maybe if I were rewriting
your testimony, I might make this argument that what they're
doing is the camel's nose under the tent. And that is of
concern because if that grows, if everybody decides we're not
going to go the competitive RFP route, we're just going to go
the convenient route and contract directly with GPO, you lose
out in a lot of business and so does Ms. Carroll. Fair point.
And let me ask you, Ms. Vance-Cooks, what about the
argument Mr. Albers and Ms. Carroll essentially put to us which
is, that you're using, and Federal agencies like State
Department are using, Title 44 as a loophole from the normal
FAR process to essentially give you a sole source contract that
eliminates the possibility of private sector competition and
quality in that equation?
Ms. Vance-Cooks. Thank you for the question. Title 44
basically simply states that we have the authority to make the
secure credential card because it is, in fact, a printed
product. And it's a printed product as defined by Title 44.
However, they are making the assumption that we are forcing the
Federal agencies to come to us.
Mr. Connolly. No. No. They didn't make that argument.
That's really not at all what Mr. Albers was arguing. He
argued, and so did Ms. Carroll, that in various cases, Federal
clients of yours used Title 44 to rationalize why they were
going essentially sole source with GPO instead of putting it
out to bid.
Ms. Vance-Cooks. That is because the Federal agencies know
that they have a choice. They can either go to the commercial
sector or they can come to us. When they make that decision to
come to us, they know that they can use a requisition process.
That requisition process, however, triggers a competitive
procurement solution, because we, in fact, outsource all of the
components of that card to the rest of the secure credential
industry. That creates hundreds of jobs in the community and
that creates multiple business opportunities.
Mr. Connolly. Mr. Albers, why given what Ms. Vance-Cooks
just said, why shouldn't the State Department have that option?
That's a competitive option. We prefer to go with GPO for
various and sundry reasons. If I heard your testimony, you
talked about the value of competition and free market, but in a
sense what you want to do is eliminate this potential
competition.
Mr. Albers. Not at all, Congressman. First of all, I
apologize for the hyperbole in my testimony. I'll have you know
that I was a politician at one point. That might be hard to
believe.
Mr. Connolly. You poor guy. You know it's very unusual we
employ hyperbole up here. But all right.
Mr. Albers. So, there's a big difference, I think, between
what Ms. Vance-Cooks is saying and what I'm saying. Number one,
we're a system integrator, as is HID. We look to prime
contracts with the Federal Government. Not that we don't mind
subcontracting to organizations like GPO. That's a different
piece. Okay? So, I'm not complaining about that.
In my testimony, and by the way, I can put this into the
record, the State Department responded to us that said: We were
required to use GPO. And again in my testimony, we never had an
opportunity to even complain about it. So you know----
Mr. Connolly. So they used Title 44 as the rationale for
that?
Mr. Albers. They did. And they represented the GPO, and I
don't have firsthand information. So I want to give Director
Vance-Cooks, you know, a little bit of leeway here. It's been
represented to me that the GPO marketing folks say: You have to
use us. So I don't know whether that's true or not. I'm sure
you probably control that type of communications, but----
Mr. Connolly. Ms. Vance-Cooks, did you want to respond to
that?
Ms. Vance-Cooks. First of all, the GPO does not have sales
teams. I hear that constantly that we have sales teams and that
they're going door to door to these agencies forcing them to
come to us. Nothing could be further from the truth because,
first of all, we don't have sales teams.
Number two, it is the client and the agencies who are using
or stating that we are telling them that. I think all of this
started back in 2007 when the public printer at that time
stated in a hearing, that he felt that secure credentials was,
in fact, something that could be and should be contained in the
government. I have been in charge of the GPO since 2012. I have
stated unequivocally, publicly as well as privately, that I
don't believe that we should be in charge of all of secure
credentials. In fact, what I have stated and what the evidence
proves is that it is a choice of the Federal agencies. And I
think they deserve that choice. And all of the evidence points
to the fact that we are, in fact, using this as an option.
Let me give you some examples. Number one, when there is an
RFP out there for a secure credential, you will not find the
GPO because we know that the secure credential market compete
against themselves. We do not compete for State governments or
local government information. What we do is provide a choice
for those Federal agencies who want a government-to-government
solution. And with that government-to-government solution they
get the benefits, and one of the largest benefits, one of the
best benefits, is the fact that we don't have shareholder or
profit margins. The cost is what they get.
Mr. Connolly. Thank you. My time is up, Mr. Chairman. I
would ask unanimous consent that the GAO report dated March 10,
2015, be entered into the report on this subject.
Chairman Chaffetz. Without objection, so ordered.
Mr. Connolly. I thank the chair.
Chairman Chaffetz. Thank you. I will now recognize myself
for 5 minutes.
Director, you have an operating budget roughly in the $700
million range. Correct?
Ms. Vance-Cooks. Yes, sir.
Chairman Chaffetz. How much of that money is allocated for
research and development?
Ms. Vance-Cooks. The research and development for secure
credentials comes from our competitive procurement with the
outside community. We leverage the best of the best----
Chairman Chaffetz. So how much money do you spend? How many
people do you have working on research and development?
Ms. Vance-Cooks. We have a few, less than 5 people, working
on R&D for the secure credential market if that's what you're
referring to.
Chairman Chaffetz. That's what I'm referring to. I'd ask
unanimous consent to enter into the record a memo sent on
September 30, 2013. And I want to read part of this. Without
objection, so ordered.
Chairman Chaffetz. This is from Daniel Walt. He's the
departmental competition advocate. I mean, he's the competition
advocate at the Department of State. And in this email that was
sent to MorphoTrust, I'm going to read the middle of it,
``Federal Acquisition Regulation, FAR, subpart 8.8 requires
Federal agencies to acquire printing services through GPO
unless GPO cannot provide the services. Therefore, we must use
GPO for the printing of the passports and the Border Crossing
Cards rather than re-compete the requirement.''
Now, that seems to be directly opposite of what you're
saying. Can you shed some light on this? I mean, you're saying
you're in favor of competition, but at the same time we have
the State Department saying we can't compete this. There can be
no competition. Are they wrong or are they right?
Ms. Vance-Cooks. I think that if you look at the evidence,
the State Department doesn't even believe what they wrote. And
I'll tell you why. Because if----
Chairman Chaffetz. Believe me, that's not the first time
that happened.
Ms. Vance-Cooks. No. What I'm trying to say, Congressman,
is that if the State Department really believed that they had
to give all of the secure credential work to the GPO, then we
would be doing it. Since that document was written by the
competitive advocate, I can assure you that the GPO over here
produces the passports and we produce the Border Crossing Card,
but MorphoTrust handles the personalization of the Border
Crossing Card. HID handles the Green Card. My point is that
people make that statement, but let's look at the facts. And
the facts point to the fact that, that business is spread
across all of the commercial carriers. Not all of that business
is with us. I think they say it, but it's not the practice.
Chairman Chaffetz. And so your opinion of Title 44, in your
opinion, you viewpoint here, that it's really up to the
agencies to make that determination. That's the first step,
whether or not they're going to compete for it or they're going
to give it to GPO. Correct?
Ms. Vance-Cooks. That is the way it's happening. Yes, sir.
It is a choice.
Chairman Chaffetz. And, but it's their choice. You don't
believe it's mandated under the law that they have to use GPO?
Ms. Vance-Cooks. It's not practical.
Chairman Chaffetz. I know, but be specific here. This is a
critical point.
Ms. Vance-Cooks. Yes. Yes.
Chairman Chaffetz. Is that, your opinion, under the law, do
they have to use you under Title 44?
Ms. Vance-Cooks. Under the law they are allowed the choice
of coming to us. We are limited in our capacity to handle all
of the work----
Chairman Chaffetz. Okay.
Ms. Vance-Cooks. --that would be coming through.
Chairman Chaffetz. My time's short. And I think you were
very succinct in that answer. I appreciate it.
When you say you have no sales force, you do have a bit of
a monopoly if you convince somebody to have them come to you.
Do you have people that go out to the agencies and say: This is
what you should be doing, or this is what we recommend, or this
is what you can do? I mean, that in part is a sales force.
Correct?
Ms. Vance-Cooks. No. That in part is an account management.
We have an account management group, and they're responsible
for taking care of the clients that we currently have. What we
have been hearing is that we have been accused of having
salespeople who go out and tell people, you must come to us.
That is not true. That is a fabrication.
I'd like to also, if I have some time, to go back to the
R&D question. I want to make sure that this committee realizes
that the GPO is in the business of outsourcing all of its
requirements. And when we outsource our requirements, that
means that we leverage the best technology across the world,
across the United States, and we do not have proprietary
interests in one versus the other. That is to the benefit of
the stakeholder. That is to the benefit of the taxpayer.
Chairman Chaffetz. My time's expired, and I'll yield back.
And now recognize the gentleman from California, Mr. Lieu, for
5 minutes.
Mr. Lieu. Thank you, Mr. Chairman.
I personally don't have a problem with the U.S. Government
Publishing Office, publishing U.S. Government documents and
credentials. And this is an issue that both Democrats and
Republicans in Congress have reaffirmed.
So Director Vance-Cooks, let me ask you a few questions.
The GPO was authorized by Congress to print passports in 1926.
Is that correct?
Ms. Vance-Cooks. Yes, sir.
Mr. Lieu. Okay. And then around 2005 the GPO began
producing passports with more advanced technology at the
request of the State Department. Is that correct?
Ms. Vance-Cooks. Yes, sir.
Mr. Lieu. And so specifically you began to print passports
with embedded RFID chips. Correct?
Ms. Vance-Cooks. Yes, sir.
Mr. Lieu. And then Congress has continued to authorize GPO
to print passports with these chips. Correct?
Ms. Vance-Cooks. Yes, sir.
Mr. Lieu. All right. And during the GPO's strategic
planning, in fact, Congress weighed in to authorize GPO to
expand its services and provide secure identification cards for
the Department of Homeland Security and the Social Security
Administration in 2007 and again in 2012. Is that correct?
Ms. Vance-Cooks. Yes, sir.
Mr. Lieu. Okay. Then let me just ask you this question,
because the chairman did raise a good point. I just want to
understand. Does the GPO or Congress force agencies to print
with the GPO?
Ms. Vance-Cooks. No, sir.
Mr. Lieu. Okay. So now I have sort of a different question.
It's more for the entire panel.
RFID technology can be read at a distance. Right? You got
these readers that can read this. And that means not only can
government read these cards at a distance, but so can criminals
and other folks. So I'm just sort of curious what kind of
precaution should people who have these cards take so that
these cards aren't read at a distance by, let's say, a
criminal?
I've gone to department stores where they sell these
wallets that say, you buy this wallet and you can stop your
RFID chip from being read at a distance. Do people need to buy
those wallets? Are these wallets a gimmick? Can you sort of
tell me there are security issues going on with that?
Mr. Albers. So we build in a number of security protections
for what we call personal identifiable information. Mr. Mica
was talking about that.
In the case of the passport card, there is a pointer to
your file that only the CPB would have. So there is no personal
identifiable information on that chip. It's only a pointer to
your file. So when you're approaching the border with that
card, the CPB officer can pull up your file and know that
you're the person that's supposed to be there. So there really
is no security threat in that application.
You mentioned the protection from the RFID chip. The BCC
and the passport card come with a little sleeve actually, so--
but that's a passive chip. So there is no radiation, there's
nothing coming out of that chip. You can't turn it on or off.
It's just there, you know, like your EZ Pass. I mean, it's
there and it's read when you go through.
Mr. Lieu. Okay. Thank you.
Ms. Carroll. I'd like to add that not all RFID technology
can be read from a distance. So, for example, in your U.S.
passport, that cannot be read from a distance. You have to be
in the same plane and within just a few inches of a reader. But
the shot there is, is that the U.S. passport has a chip in it.
It is not being read. The electronics in that document are not
being read. Only the optical part or portion of it is. So the
U.S. taxpayer is paying lots of money for a passport with a
chip in it. It's not making them any more secure because that
chip is not being read at the border.
Mr. Lieu. What's the chip for if it's not----
Ms. Carroll. It's an ICAO standard. The chip is in the U.S.
passport and 27 of the Visa-waiver countries as well to make
the document more secure. But the chip is highly resistant to
counterfeiting. And so that's why they did that.
Ms. Vance-Cooks. But it does meet the ICAO standards, and
that is the most critical component.
Mr. Lieu. Thank you. I yield back.
Chairman Chaffetz. Thank the gentleman.
I now recognize the gentleman from North Carolina, Mr.
Meadows, for 5 minutes.
Mr. Meadows. Thank you, Mr. Chairman. Thank each of you for
your testimony.
Director, I understand you're saying that you've got five
R&D. The chairman was asking you. You have five R&D people that
are working on the integration. Is that correct?
Ms. Vance-Cooks. We actually have a secure innovation
credential center. And it's a group of individuals who are
responsible for looking at counterfeiting technologies and
testing. But they work very closely with the private sector for
that. And I think it's a great question because I want to
emphasize again we're closely tied to the private sector for
all of that. We even work with the Department of Homeland
Security for all the fraudulent testing in the labs.
Mr. Meadows. All right. So let me follow up. Mr. Albers,
let me maybe come to you and ask you to give an opinion on
that. Because one of the concerns I have is when we look at
integration, you can take wonderful pieces of technology, and
as you try to integrate them and make them practical and
noteworthy, it doesn't produce the end result. So would you
comment on what you're hearing. Is that an effective way or----
Mr. Albers. So I have no personal information that GPO
isn't an adequate systems integrator. Okay? My comment before
about systems integration is that, it's a much different task
than, you know, being a prime contractor. We want the
opportunity and I think HID does, too, to be a prime
contractor, to be a systems integrator. So the fact that the
GPO----
Mr. Meadows. Well, let me rephrase it. What kind of issues
can arise from an integration standpoint that would make it
less secure?
Mr. Albers. Last word? I'm sorry.
Mr. Meadows. Less secure.
Mr. Albers. So, I mean, just like the GPO, any system
integrator goes out to look at third party, and we have a
complete supply chain management system, and we pick the best
of the best. So when we work with a customer on requirements,
for example, for the passport card, we look to build in
security features such as watermarks, such as chips themselves.
We outsource all that stuff. And our supply chain management
manages all that stuff. There is risk in all that part of the
process.
Mr. Meadows. Sure.
Mr. Albers. So the system integrator manages that process.
So, you know, Lockheed and Northrop and all the other ones in
town, they do the same thing. I'm not sure I'm answering your
question, though.
Mr. Meadows. All right.
Ms. Vance-Cooks. I'd like to respond a little bit. He's
absolutely correct, it's an ecosystem. But let's look at the
trusted traveler program cards, which is what we produce as a
printer and a card integrator. One of the ways to determine
that we are doing a good job is the read rate, and the read
rate for that particular card is between 80 and 90 percent.
So there are different metrics that you can use to choose
whether or not your product is doing exactly what it's supposed
to and whether or not it is meeting the specs.
Mr. Meadows. And I agree with that, so--but let me ask you
that from a matrix, how do you--with GPO, how do compare to the
private sector in terms of read rates and all that? I mean, do
you compare that kind of data to see how effective you are?
Ms. Vance-Cooks. We are very----
Mr. Meadows. I see somebody behind you is nodding yes.
Ms. Vance-Cooks. Yes. I know, I know. They're--we're proud.
Mr. Meadows. Okay.
Ms. Vance-Cooks. We're proud. We have data to prove that
our read rates for our cards are very, very good.
Mr. Meadows. All right. So let me in the time I have
remaining, let's talk about Title 44, and it sounds like that
there is maybe some ambiguity in terms of the requirement.
Director, are you willing to send out a letter to all the
agencies that says that they're not required to use you for
their printing? To fix this ambiguity, because that's what you
were saying, is that it is not really a requirement, but indeed
some of the testimony has said that the State Department in
particular believes that it is a requirement. So are you
willing to correct the record, I guess, coming from, you know,
your position?
Ms. Vance-Cooks. What I'm willing to do is what I've always
been doing up to this point, which is to let everyone know that
it is a choice and we respect them.
Mr. Meadows. So yes or no, would you be willing to send out
something to the agencies that said they're not required to use
GPO for their--so you are willing to do that?
Ms. Vance-Cooks. I am willing to send a letter to say that
it is a choice, because that is the way it has always been.
Mr. Meadows. Okay.
Ms. Vance-Cooks. Okay.
Mr. Meadows. And so----
Ms. Vance-Cooks. It is a practical business----
Mr. Meadows. So do you think the ambiguity that is out
there is just someone that happens to misunderstand Title 44 or
is it inherent in Title 44?
Ms. Vance-Cooks. I think that the Title 44 specifically
states, that all printing must come to the GPO. What I am
trying to say, and I think I'm being very articulate about it--
--
Mr. Meadows. You are very articulate, by the way.
Ms. Vance-Cooks. Thank you very much. I appreciate it.
What I am saying, though, is that in practical application
and in true business sense, what's really happening, sir, is
that it is a choice. Not everyone even comes to the GPO for
printing.
Mr. Meadows. Okay. In the 6 seconds that I have left, let
me finish with this, is I would ask that you try to clear up
some of the ambiguity. Understand that I don't want you
subsidizing and competing with the private sector, nor do I
want the private sector coming in and taking over if you can do
it more effectively, I'll be your advocate on that. As a
business guy, I want to be----
The other thing, it's a pebble in my shoe when you have law
enforcement officers sitting in cars outside your office, it
doesn't give the impression of efficiency. I don't understand
why the printing office would have their own fleet of law
enforcement cars. So if you would address that, I'll be happy--
--
Ms. Vance-Cooks. You're not--excuse me. You----
Mr. Meadows. I walk by them all the time.
Ms. Vance-Cooks. No, no. I know you do.
Mr. Meadows. And he's not sleeping half the time, so that's
good.
Ms. Vance-Cooks. Half the time? He better not be----
Mr. Meadows. No. I'm kidding.
Ms. Vance-Cooks. --sleeping at all. No. Would you believe
it's in Title 44 that we must have our own police force?
Mr. Meadows. Well, we may need, Mr. Chairman, to look at
changing Title 44. I'll yield back.
Ms. Vance-Cooks. All right.
Chairman Chaffetz. I thank the gentleman.
I now recognize the gentleman from Georgia, Mr. Carter, for
5 minutes.
Mr. Carter. Thank you, Mr. Chairman. And thank all of you
for being here. We appreciate your participation.
Ms. Vance-Cooks, I want to ask you, it's my understanding
that GPO produces the TWIC cards for DHS and for TSA. Is that
correct?
Ms. Vance-Cooks. Yes.
Mr. Carter. I have two ports in my district, the port of
Savannah, Georgia, and the port of Brunswick, Georgia, and of
course they utilize the TWIC cards, and it's my understanding
that they reported significant delays in both the renewal and
the initial application. And I'm just wondering, is there a
problem here? Is there a problem with producing the cards?
Ms. Vance-Cooks. Are you referring to a recent statement?
Because when we took over several months ago, we had a backlog.
Now, let me be clear. We just took over that business, and that
was, I believe, in June, May, or June of 2014. And when we took
over that book of business, we had a backlog that we had to
clear up. It is my understanding, sir, and I need to check,
that things have been going very well since then----
Mr. Carter. Okay. Well----
Ms. Vance-Cooks. --but prior to that, they did have
significant backlogs, but that was with another carrier.
Mr. Carter. Well, it's my understanding that they've had a
backlog and that----
Ms. Vance-Cooks. Yes.
Mr. Carter. --there are problems.
Ms. Vance-Cooks. Right.
Mr. Carter. So if you could check into that----
Ms. Vance-Cooks. I will.
Mr. Carter. --I would sincerely appreciate it----
Ms. Vance-Cooks. Sure.
Mr. Carter. --because this, of course, is commerce and this
is a problem, a big problem in our district, so----
Ms. Vance-Cooks. Sure. I'll be happy to do that, but I want
to be clear that we did inherent the backlog back in June, but
we made good efforts to reduce that backlog. And I know this
for a fact, because I was heavily involved in it.
Mr. Carter. Okay. Can you describe some of those efforts
to----
Ms. Vance-Cooks. Sure. When we began to launch, we ran into
a problem with the speed rate of the information coming across.
And this is a really good example of how well we work with the
private sector, because we worked with GDIT on this. And GDIT
put all of their best people on it, innovation, creativity,
they worked diligently for weeks to make sure that they could
correct that speed rate. So I'll check on that for you.
Mr. Carter. Okay. Well, I appreciate that very much.
Can you tell me, when you get the requests for the TWIC's
cards, is it just through some kind of agency form, or I mean,
how do you--how does that happen?
Ms. Vance-Cooks. Right. It's called a requisition form, a
standard Form 1 for printing and binding requisition, and this
requisition form recognizes that a secure credential is a
printed product, so it has a lot of questions on there about
the pre-press work and all of the specific requirements that
are attached to it. And then there is an MOU attached to it.
Once we get that requisition form, then we issue--or it is
triggering a competitive procurement across the entire secure
credential industry for all of the components and the products
to make that credential.
Mr. Carter. Okay. So when DHS or when TSA orders these
cards, do you have any oversight over it? Do you----
Ms. Vance-Cooks. Yes. We have complete oversight over it,
as well as the agency.
Mr. Carter. Okay.
Ms. Vance. The agency works with us 100 percent of the
time.
Mr. Carter. If they order more cards than they need, do you
send them?
Ms. Vance-Cooks. They give us the order about what they
need, and then we respond. We only produce what they tell us to
produce.
Mr. Carter. But do you have any oversight about whether
they are ordering the number of cards that they need? I'm
concerned about the security here.
Ms. Vance. I would----
Mr. Carter. If there are excess cards being generated.
Ms. Vance-Cooks. Okay. They give us an order for X number
of cards, we produce them. They have their own oversight where
they are responsible for those cards once we deliver it to
them, and that's the point.
Mr. Carter. Okay. So you're just following the order. If it
says, give me 100 cards, you're sending 100 cards?
Ms. Vance-Cooks. That is correct.
Mr. Carter. No oversight on that whatsoever, no security
clearance?
Ms. Vance-Cooks. No, no, no, no. The oversight is on the
production of the cards and taking care of those cards from the
moment that we create them to the moment that we transport them
to the facility of TWIC. Once TWIC takes ownership, that is
their problem.
Mr. Carter. Okay. Okay. So if there are excess cards that
have been generated, it's not your fault, you're just filling
the order?
Ms. Vance-Cooks. If there are excess cards, it's on their
end, sir.
Mr. Carter. Okay. Well, getting back to the delays that
they've experienced, tell me about the FAR, what's referred to
as the FAR procedures. Do you implement those, do you utilize
those procedures?
Ms. Vance-Cooks. We follow the MMAR, and the MMAR closely
mirrors the FAR, in fact, it's almost like the FAR, but it
closely models it.
Mr. Carter. Why would you choose one over the other?
Ms. Vance-Cooks. Because we're a legislative branch agency
and we don't follow the FAR. It's written in law. So once----
Mr. Carter. It's written in law that you're not to follow
the FAR?
Ms. Vance-Cooks. Section 8.8 exempts printing from the FAR,
therefore, the MMAR was developed to closely mirror and model
the FAR.
Mr. Carter. Okay. But we still had the backlog. If you can
please check into that, I would appreciate it very much.
Ms. Vance-Cooks. Absolutely.
Mr. Carter. We need to know. This is very important.
Ms. Vance-Cooks. Sure.
Mr. Carter. Thank you. And I yield back, Mr. Chairman.
Ms. Vance-Cooks. Thank you, sir.
Chairman Chaffetz. I thank the gentleman.
I now recognize the gentleman from North Carolina, Mr.
Walker, for 5 minutes.
Mr. Walker. Thank you Mr. Chairman. I apologize for my
tardiness, coming from a markup from another committee hearing,
but I did have a couple of things I wanted to address. First of
all, let me thank you for the hospitality and all your staff
there, Andy, Mike, Steve, and the guys, helping me understand a
little bit of the process over there and what you guys are
working on.
My question is, in your statement, and you may have covered
this, but I wanted to make sure that I'm clear on it, you say
Federal agencies approach GPO, asking your agency to do work
for them. I think we talked about that a little bit yesterday.
Are you saying that the GPO itself does not reach out to
Federal agencies to sell, ``their products and services GPO
wants to produce?'' Can you expound on that for a little bit?
Ms. Vance-Cooks. Certainly. Two points. The first point is
that we do not have a sales team. Everyone keeps saying that we
have a sales team. We don't have one. That's number one.
I think people also should understand that the customers
that we have for secure credentials are the same ones that we
have for printing. They understand our function, they
understand our capabilities, so they know that we can produce
secure credentials.
Mr. Walker. Okay. Do you have people who market your
services in competition with the private sector companies?
Ms. Vance-Cooks. No.
Mr. Walker. You don't have salespeople, but would you say
you have----
Ms. Vance-Cooks. We do not have sales teams, we do not have
marketers. We have people who can respond to inquiries if an
agency contacts us. It is not unusual for an agency to contact
us. And as you and I talked about yesterday when you visited,
and thank you again for visiting us.
The question is not whether or not GPO can respond, the
question is what makes an agency decide that they should come
and talk to us about secure credentials, because as you and I
talked yesterday, it takes a lot of effort, a lot of resources,
and a lot of time for an agency to make a change in a
commercial carrier that they currently have. Why do they go to
that trouble? Is there a problem with the product quality? Is
there a problem with the read rate? What is pushing them to
talk to the GPO?
Because we have the consultant expertise, we can help them
with that solution, but we do not tell them, you must come to
us. But I have to say that in the 8 years that we have been
producing secure credentials, not one of those clients has left
us. We do very good work.
Mr. Walker. Can you go a little deeper and maybe explain
how you engage in these business development activities just
for the record that we would understand how this breaks out,
how it flows, and how you keep these for 8 years?
Ms. Vance-Cooks. Well, let's say that a--let's start at the
beginning. If an agency is having a problem with a carrier and
let's say they're having a problem with the read rate, they
currently do business with us anyway through printing, they'll
talk to us about it, they'll ask us, can you do better, and
we'll ask them, what is it that you're looking for. Sometimes
they'll even ask us for a prototype. We can produce a
prototype. And if that prototype works, they now have further
discussions with us.
There is constant conversation back and forth about their
requirements, about their specifications, and we can provide
it, but as I explained to you yesterday, the way in which we
provide service to the client is by outsourcing all of that. I
want to be clear that we're using the R&D and the innovation
that the rest of the secure credential industry has, bringing
it all together as an integrator into the GPO. And as you had
said, Mr. Albers, we're an integrator, that's what we do.
Mr. Walker. So final question. So basically you're making a
case, and I don't want to put words in your mouth, that you
compete on a level playing field with the private sector
through the Federal requisition regulations, or FAR. Is that a
fair statement, or would you like to expound on it?
Ms. Vance-Cooks. The fair statement is that we
competitively procure the products and services that we need
from the private sector to build the best card that we can. It
is competitive, it is a procurement, and it satisfies the
stakeholders at a low rate, a very low price, because, again,
we can only charge actual cost.
Mr. Walker. Thank you, Ms. Vance-Cooks. I yield back.
Ms. Vance-Cooks. Thank you, sir.
Chairman Chaffetz. Thank you. I appreciate that.
We'll now recognize the gentleman from Georgia, Mr. Hice,
for 5 minutes.
Mr. Hice. Thank you, Mr. Chairman.
Mr. Albers, let me begin with you. In your opinion, how
open and transparent would you say the requisition process is
at GPO when it comes to these credential cards as it relates to
FAR, which you have to abide by?
Mr. Albers. I would say the answer is not open and
transparent at all. I mean, our personal experience is that we
don't compete as a system integrator with GPO, we're not
allowed to. The agency decides to go to GPO, that's fine, or
they decide to go to the private sector. If they go to the
private sector, typically they have an RFI, they have an RFP,
they have industry days, we have an opportunity to bid on those
programs, those contracts, we compete with one another, and
that drives down the cost.
Mr. Hice. So you're saying once it goes to GPO, that
private vendors no longer are allowed to compete at all?
Mr. Albers. Not as a system integrator. No.
Mr. Hice. Okay.
Mr. Albers. As the director said, GPO uses industry,
including some of us, to supply them as a subcontractor.
Mr. Hice. And would you agree, too, that in that process,
that if it goes to GPO as opposed to private vendors, the lack
of innovation, competition, and a host of other factors go out
the door as well?
Mr. Albers. Well, absolutely. I mean, we don't get an
opportunity to compete with one another. So GPO, and I'm sure
has the best interest of the taxpayer at heart, but, you know,
we're capitalists, so we have to get to where we need to be to
be competitive.
Mr. Hice. Okay. Director, how did GPO end up producing the
border crossing cards from the State Department, the
requisition process?
Ms. Vance-Cooks. The State Department expressed some
concern about problems they were having with the card. And it
goes back to my earlier statement. What causes an agency to
come to us, to talk to us, about their card, because it's a lot
of work, it's a lot of issues. And they asked us to make a
prototype, and we did. That prototype works very well. And then
they asked us to perform some other things, and that's how it
started.
But let me just say something else. Mr. Albers talked about
the lack of innovation. Because of the fact that the GPO
procures, through a competitive process, all of the components,
the service, the consultation, fabrication, materials to create
the product, it means that we are leveraging the best of the
best innovation and R&D throughout the industry.
Mr. Hice. Well, I would think that would be fair to say
that that's your opinion, but other private vendors out there
don't have that same opinion, because they're not allow to even
be a part of the process.
How did you arrive at a card price for the BCCs?
Ms. Vance-Cooks. There are four components to our price:
labor, overhead, capital investment, and materials. And we are
only allowed to charge those four components.
Mr. Hice. And what was the cost?
Ms. Vance-Cooks. For the border crossing card, I think it's
about 14--6.01 I'm sorry, it's 6.01.
Mr. Hice. Okay. Just out of curiosity, Ms. Carroll, Mr.
Albers, did either of your groups have a price in mind? I mean,
were you all able to go through the process and come up with a
price that may have been different from GPO?
Mr. Albers. So actually before Kathleen answers, we did not
have an opportunity. As you probably know under the FAR, there
is something called a cure notice. So if there is an issue, you
get an opportunity to cure, and we were not given that
opportunity. So----
Mr. Hice. So you don't know what it would have cost you to
produce the cards?
Mr. Albers. Oh, we know now. I mean, we continue to produce
the border--excuse me, the passport card, and we just bid on
the Green Card versus----
Mr. Hice. And what was the difference in your price and
GPO's?
Ms. Carroll. So we bid on the U.S. Green Card. That Green
Card has significant enhancements and security features, it has
two holograms, it has a window in it with stars, it has tons of
security features, in addition to our read rates for the RFID
is around 98 percent. Okay.
Mr. Hice. Compared to?
Ms. Carroll. Compared to 80 to 90 percent. Okay. Now, do
you know how much we charge for the Green Card? $2 and--$2 and
50 cents. Sorry.
Mr. Albers. We bid $2.99, by the way, so----
Ms. Carroll. Yeah.
Mr. Hice. So----
Mr. Albers. I know this very well.
Mr. Hice. --more or less 65 percent savings----
Ms. Carroll. Yes.
Mr. Hice. --per card?
Ms. Carroll. Yes.
Mr. Hice. But you never had the opportunity to be part of
the process?
Mr. Albers. That's the Green Card.
Ms. Carroll. No. With a Green Card, we did. We won that
one. We did that one.
Mr. Hice. Okay. But is it similar?
Ms. Carroll. Same kind of card--or this one is better.
Mr. Hice. So the costs should be in the ballpark----
Ms. Carroll. It should.
Mr. Hice. --of savings?
Ms. Carroll. Yes.
Mr. Hice. Okay. And also with less problems?
Ms. Carroll. Absolutely.
Mr. Hice. Okay. Director, I know the time's going away, but
it's our understanding that there were some problems. What
happens when a card is not reading properly? Is there the
ability to rebuild a card, reissue it, or do they have to be
destroyed if a card is not reading properly?
Ms. Vance-Cooks. Well, if a card is not reading properly,
then those cards are returned to us.
Mr. Hice. And what do you do with them?
Ms. Vance-Cooks. And then we determine what the problem is.
And in some cases, we would destroy them.
But let me go back to what they just said. I want to make
sure----
Mr. Hice. No. We've gone through that----
Ms. Vance-Cooks. Okay.
Mr. Hice. Do you have quality assurance----
Ms. Vance-Cooks. Yes.
Mr. Hice. --before you send cards out?
Ms. Vance-Cooks. Yes, sir.
Mr. Hice. Okay. And you all do, too? Difference between the
quality assurance? I'm curious, and I know my time's expired,
so however you want to handle it.
Chairman Chaffetz. If you could help us to get back to
understand the process that you go through, I'd appreciate it.
It would take some time, I'm sure, to explain it, so if you
could provide that to us, that would be great.
Chairman Chaffetz. I now recognize the gentlewoman from
Wyoming, Mrs. Lummis, for 5 minutes.
Mrs. Lummis. Thank you, Mr. Chairman. And I want to thank
our panel for being here today.
My first question is for the inspector general. As a result
of your audits, what problems have you found with GPO's
contracting processes, and what do you recommend to improve
them?
Mr. Raponi. We've done quite a bit of work with
contracting. One of the contracts that we did review was with
the passport eCovers. And as we went through that process to
see if GPO followed its own practices, we found that there were
several problems with that internally in terms of approval
processes, having boards review things. We found problems with
testing, inconsistency in, you know, determining what a test
result meant.
We also found that there were problems with the roles and
responsibilities. When the contracting process requires a board
to review the proposals, we found that, you know, maybe one
person was doing it as opposed to a board, in which we would
have seen a board review it, we would have said, okay, because
you had a lot of people having input into making a decision
versus one person. We had allegations of steering of contract
also, so we looked at that, and we didn't find a problem with
that either.
Mrs. Lummis. Have the problems that you did identify been
cured by the agency?
Mr. Raponi. Acquisitions right now at GPO still has quite a
few open recommendations.
Mrs. Lummis. And is there a procedure by which you follow
up with the agency to close those open issues?
Mr. Raponi. Yeah. Our procedure is, as we produce an audit
report and management either agrees or disagrees with the
recommendation, then that goes on our books in terms of open
recommendations as being unresolved. And as management works
through the process of corrective action, they would send us
proof that they took corrective action, and then we would
verify it and then we would close the recommendation.
Mrs. Lummis. Okay. So there are still areas of open
recommendations, because the agency has not gotten back to you.
Is that correct?
Mr. Raponi. Yeah. Overall, GPO's very responsive to our
recommendations. Their chief of staff heads it up. They monitor
it closely, they put it into performance standards so that
senior managers are held accountable for recommendations, talk
about it frequently. They have very few open recommendations
right now compared to other organizations, because they do
actively manage it.
Mrs. Lummis. Okay. Thank you.
Director, I have a couple questions for you. And this is
not my area of expertise. I've done requests for proposals as
an agency head in State government, so I know the challenges.
But I've never done them for secure cards, so I have some
questions related to that. Where do the chips and component
parts of the secure credentials come from, and how are they
obtained?
Ms. Vance-Cooks. Okay. The secure chips, the materials, the
supplies, the fabrication, consultation, design, all of those
components come from the private sector. And it depends
entirely on what the specifications are for that particular
agency.
Mrs. Lummis. Okay. Do some of those component parts come
from locations abroad?
Ms. Vance-Cooks. Most of them come from America. Because we
are in the MMAR, we follow the Buy American Act.
Mrs. Lummis. Are there, though, some that come from abroad?
Ms. Vance-Cooks. I would say there are probably some.
Mrs. Lummis. And how do you vet a foreign provider?
Ms. Vance-Cooks. We have a supply--we have an intense audit
process for our vendors, but, again, most of them are coming
from the United States and they all go through the same audit
process.
These vendors have to prove to us that they have the best
technology and the best components that can be used in the
credentials, and we follow them throughout the entire cycle as
well. We also visit their factories, too, considerable onsite
visits.
Mrs. Lummis. So tell me how you can be assured and assure
us that components are not compromised?
Ms. Vance-Cooks. Because of the audit process and the
testing process. We also have a tight relationship with the
Department of Homeland Security ICE program, whereby they test
all of these products for us. They make sure that these
technologies are exacting up to the standards and we have
appropriate testing for them. And that's a great question. I'd
love to respond to that in writing as well to give you some
assurance.
Mrs. Lummis. I would love to see your response in writing.
Ms. Vance-Cooks. Thank you.
Mrs. Lummis. Thank you, Mr. Chairman. I yield back.
Mr. Connolly. Mr. Chairman, just a clarification.
It's perfectly fair to ask Ms. Vance-Cooks about foreign
production and security of components. The private sector also
uses foreign vendors----
Ms. Vance-Cooks. Yes, they do.
Mr. Connolly. --and the same question would apply to them.
Mrs. Lummis. Uh-huh.
Mr. Connolly. Thank you.
Chairman Chaffetz. I now recognize the gentleman----
Mrs. Lummis. If my time hadn't expired, maybe I would have
gone there.
Chairman Chaffetz. We'll now recognize the gentleman from
Wisconsin for 5 minutes.
Mr. Grothman. Yeah. I'll give another question to the
director. You've got these global entry cards. Okay? And maybe
I just don't understand this. It seems to me they're only--if I
cross the border, I'd have a passport. Could you explain to me
what the upside of these cards is or what their purpose is?
Ms. Vance-Cooks. Well, we have the Nexus, the Sentry, and
the Global Entry cards. I believe the Global Entry cards are
for expedited movement through the system. The Nexus cards are
for those people going to Canada, and the Sentry cards are for
those people going to Mexico. And so the State Department has
just identified--or excuse me--CBNP, that there are these
different cards that you can use.
Mr. Grothman. Okay. If I have a passport, I can't get to
Mexico or Canada? Doesn't that trump everything?
Ms. Vance-Cooks. Well, I think a passport trumps
everything, yes. This is just for those particular people who
might want to use that card.
Mr. Grothman. Okay. And what is that, where they have a
reader or something? You just----
Ms. Vance-Cooks. There are readers for all of those cards,
sir.
Mr. Grothman. Okay. So in other words, if I have a
passport, I might want a Global Entry card just because it
means I can----
Ms. Vance-Cooks. Well, I mean, you can go across the border
and you can flash the card, it goes to the reader. I think Mr.
Albers identified the fact that there's a secure identification
code that hits the reader and you can just have expedited
processing through. With a passport, though, as you know, you
have to go right in front of the reader.
Mr. Grothman. Okay. How many Global Entry cards a year do
you guys produce?
Ms. Vance-Cooks. I don't know the one, just the Global
Entry, I just know that for the entire program up to this
point, we've done about 5 million since inception. I can give
you the specifics for each one for the record.
Mr. Grothman. Okay. You have another card, a District of
Columbia identification.
Ms. Vance-Cooks. It's the DC One card.
Mr. Grothman. Yeah. What's the purpose of that?
Ms. Vance-Cooks. I believe it's just for the people to use
to get on the bus.
Is that what it's used for?
Schools, buses.
Mr. Grothman. How did you guys get involved in that?
Ms. Vance-Cooks. They asked us if we would produce the
card. And it only costs--it doesn't cost that much. It's a very
low program card.
Mr. Grothman. Okay. So you kind of contract yourself out to
local units of government?
Ms. Vance-Cooks. No. It's just that we are allowed to
provide printing to the D.C. Government, but no other local
government.
Mr. Grothman. Okay. Now, there's a cost variance between
the DHS trusted traveler program card----
Ms. Vance-Cooks. Uh-huh.
Mr. Grothman. --and the border crossing card. How--like,
there's a more than two-to-one difference in price. How does
that happen?
Ms. Vance-Cooks. Well, it's happens because they're
different cards for different processes. Now, remember, when
you have those different cards, each agency is responsible for
working with us to identify the specifications for that card,
and we look at each component, and they might tell us they want
holograms or they might want a different type of secure
credential feature. And so one card may be more expensive than
the other depending upon what the agency wants, and so what we
can do is just give them the appropriate pricing for that. They
make those decisions, we do not.
Mr. Grothman. Okay. And just to digress, you said about 5
million?
Ms. Vance-Cooks. Year to date with the trusted traveler
cards, but you've asked me specifically for how many are in
Global Entry----
Mr. Grothman. Yes.
Ms. Vance-Cooks. --and how many are Nexus. I have to go
back and get that information for you and send it to you.
Mr. Grothman. Total combined is 5 million?
Ms. Vance-Cooks. Yes, sir.
Mr. Grothman. This year so far alone?
Ms. Vance-Cooks. Since 2008, it's 5 million.
He wants to know how many this year.
One and a half million this year.
Mr. Grothman. Okay. And how long do these things last?
Ms. Vance-Cooks. Ten years.
Mr. Grothman. Okay. So you figure if we're already at one
and a half million this year, maybe 2 million a year?
Ms. Vance-Cooks. Maybe.
Mr. Grothman. So in a period of 10 years, 20 million?
Ms. Vance-Cooks. It might.
Mr. Grothman. Okay.
Okay. Thanks. I yield the remainder of my time.
Chairman Chaffetz. If the gentleman will yield before he--
let's go back to Global Entry. You've been a great witness, but
I think you overstepped on the Global Entry.
Ms. Vance-Cooks. I did.
Chairman Chaffetz. Global Entry is worthless. There's not a
single thing that that card does. Now, if I'm wrong, tell me.
Anybody on this panel knows what the Global Entry card, that is
issued does, tell me. And there's not a single reader, because
it doesn't do anything. Am I wrong on that?
The Global Entry program, but--it requires a passport, but
when I got my Global Entry card, I tried to use it, and they
just laughed, they just, like--I said, well, what's this for,
and they said, well, nothing. It's sort of like my Wendy's, you
know, get a free burger after you do ten trips, you know----
Ms. Vance-Cooks. Okay.
Chairman Chaffetz. --get a frosty----
Ms. Vance-Cooks. You're asking me----
Chairman Chaffetz. --but I don't even get a frosty, so----
Ms. Vance-Cooks. All right. Well, I'm sorry you didn't get
a frosty.
Chairman Chaffetz. Yes.
Ms. Vance-Cooks. Okay. But you're asking me about the
purpose of the card, which is, in fact, the agency's response.
If you're asking me what does that card do and how good is it,
we are responsible for producing the card according to the
specifications that the agency has identified. That is what we
do. Now, if you are concerned about what their use is or
anything like that, I can't explain.
Chairman Chaffetz. Just a word of caution. Again, I think
you've been an excellent witness, I've got more confidence in
you and the agency based on your testimony today in general,
but----
Ms. Vance-Cooks. Okay.
Chairman Chaffetz. --there are no readers, it does nothing,
it is a waste of time. And when you say that you're partners
and fully integrated every step of the way, we're going to hold
you partly accountable----
Ms. Vance. Okay.
Chairman Chaffetz. --for producing a product that serves
absolutely no purpose other than costs a lot of money.
Ms. Vance-Cooks. And I will take that back to the agency.
Thank you, sir.
Chairman Chaffetz. And believe me, we will continue to
press them on that point.
Ms. Vance-Cooks. Okay. All right.
Chairman Chaffetz. Does anybody else want to shed any light
on the--I see some interest here. Ms. Carroll or Mr. Albers?
Mr. Albers. Well, you're right on the Global Entry card.
You use your fingerprints when you come in. You don't need a
card at all. In fact, I've lost mine. So it doesn't do any--but
that's not the fault of the director, I've got to tell you. I
think she's right about that.
Chairman Chaffetz. Yeah. There's no photo ID on it, there's
no biometrics, you can't use it at TSA. I really struggle to
understand. And I guess that's part of what we're looking for,
for GPO----
Ms. Vance-Cooks. Right.
Chairman Chaffetz. --if you are partners, is to
understand----
Ms. Vance-Cooks. Right.
Chairman Chaffetz. --why in the world do we do this card?
But the primary responsibility, you're right, is with those
that are issuing--or doing the program, but I just wanted to
clarify that.
I will now recognize--thank you for the time. We'll now
recognize the gentleman from Alabama, Mr. Palmer, for 5
minutes.
Mr. Palmer. Thank you, Mr. Chairman.
This year's Black Hat convention featured a $10 device
called BLE key that purports to circumvent the RFD cards by
exploiting vulnerabilities in the beacon communication
protocol. Once the vulnerability is exposed, the individual can
clone the RFID-equipped cards, and according to its
researchers, it can be installed in less than 2 minutes. And
this is a question to you, Ms. Vance-Cooks. Are you aware of
this?
Ms. Vance-Cooks. Am I aware of the Black Hat?
Mr. Palmer. Are you aware that there's a group out there
that claims that they can clone RFID cards and they can be
installed in less than 2 minutes?
Ms. Vance-Cooks. I'm not aware of that particular one, but
I'm aware of a move underfoot by so many different
organizations trying to clone different components of the card,
yes. I can assure you I know in terms of the passport, I'd
heard something about that, none of our cards, and we produced
100 million e-passports, none of those have been compromised.
Mr. Palmer. How about you, Ms. Carroll?
Ms. Carroll. Yes. HID Global is fully aware of that. We
actually attend those conferences because we need to understand
exactly what the--you know, the Black Hat folks are--you know,
maybe they're good guys, but the bad guys are paying attention
and they're learning from these kinds of things as well.
And so HID Global and companies like Morpho, too, we invest
millions and millions of dollars every year in R&D to stay
ahead of the bad guys. Our U.S. Green Card, we have been making
it since 1998, it has never been successfully compromised.
Mr. Palmer. I'm glad that you're aware of it and I hope
that GPO will get up to speed on this. And I'd like to know
what is being done to install safeguards against RFID cloning.
I think it ought to be a top priority.
Mr. Albers. If I could, Congressman.
Mr. Palmer. Yes.
Mr. Albers. I think Ms. Carroll's point is well taken, that
we don't just take orders. Okay. We stay ahead of the curve.
And I'm talking about industry, not just MorphoTrust. So we are
aware of those. We're aware of the defrauders. I mean, when
cards were coming from China, we bought them, and we tried to
figure out what they're doing, and we put that company out of
business; we, all of us.
So, you know, there is a reason to keep industry in the
game as much as you can, because we're following those trends.
It's all well and good that an agency can go to another
government agency and buy a product from an organization that
doesn't charge a profit, but we build that into everything that
we make. Every new card, every new biometric, every new
software or hardware product that we make, we're looking at the
trends of the industry and we're trying to stay ahead of them.
Ms. Vance-Cooks. May I interject?
Mr. Palmer. Yes.
Ms. Vance-Cooks. Okay. I have just been advised and I want
to make sure for the record that we do send people to Black Hat
as well.
Mr. Palmer. Okay.
Ms. Vance-Cooks. So I want to characterize that for the
committee. And secondly, I don't think that people should walk
away believing that we just take orders. That's not the GPO.
The GPO works closely with agencies. We want to serve the
agencies, and we do that by working with them to make sure that
they have the best product possible available in the
marketplace.
Mr. Palmer. My point in this is to make sure that GPO is
aware that there are groups out there----
Ms. Vance-Cooks. Yes.
Mr. Palmer. --that can clone these cards, and that you're
taking necessary safeguards to make sure that doesn't happen.
Ms. Vance-Cooks. You're correct, sir. And I should have
answered it correctly. We do send people to Black Hat. They are
aware of it.
Mr. Palmer. Thank you very much for----
Ms. Vance-Cooks. Thank you for letting me clarify that.
Mr. Palmer. --making that clarification.
One last question, and that is, Ms. Vance-Cooks, that you
conducted an audit in which a component of the passport eCover
failed a specific test, and according to the audit report, the
eCover failed the read time test for several sampled products.
The solicitation stated that if a product was given a fail at
any point, the proposal would be deemed technically
unacceptable and would not receive further consideration, yet
the products were determined to be technically acceptable with
no documented explanation. Can you explain this discrepancy?
Ms. Vance-Cooks. Sure. In fact, the IG report is very good
in detailing that. Couple of points. Number one, the bidder in
question submitted a very, very good product--not a very good
product, very good price, but unfortunately that product did
not work, and according to the specifications, we had to fail
that product, and therefore, their product--the vendor was not
part of it.
We did not adequately document the part about the read
rates, and that is what the IG has referred to, that we need to
do a better job documenting what is critical and what is not.
And believe me, we appreciate what he wrote, and we have made a
lot of changes in our acquisitions to make sure that the next
ones are very tightly controlled in terms of what works, what
doesn't work, and what happens. It was a learning lesson for
us. It would not have changed the decision, but we do need to
make sure that we tighten our documentation.
Mr. Palmer. My time has expired. I do appreciate your
answers, though. Thank you very much.
Ms. Vance-Cooks. Thank you.
Chairman Chaffetz. I now recognize the gentleman from
Virginia, Mr. Connolly.
Mr. Connolly. I just want to say, Mr. Chairman, rarely in
the history of Congress is there a hearing that exhaustively,
comprehensively addresses one discrete issue. I think we've
done that here today. But it has raised some very interesting
questions, and I certainly look forward to working with you on
reexamining Title 44 to make sure that we're not doing
unwittingly harm to the ability of industry to compete, and
that we still allow room for choice for Federal agencies with
respect to GPO. Thank you, Mr. Chairman.
Chairman Chaffetz. I thank the gentleman.
One last question for the inspector general. You've looked
at this, you've issued, I think you said, ten reports. What's
your biggest concern?
Mr. Raponi. The biggest concern when I start looking at all
of this is there's a couple things. The acquisition process.
The acquisition process is flawed right now. And I know GPO is
working diligently to make corrective actions.
And then secondly, when I look at the technology associated
with it, I see that there is no inter-coordination within the
GPO in terms of, like, leveraging the expertise from the CIO
shop. And I think that--I had spoke with the CIO yesterday, and
he's working on a more collaborative, more involvement in the
IT and the security aspect of the secure credentials and the
eCovers.
Chairman Chaffetz. We want to thank, not only you as the
inspector general, but all the people that work in these
various IG offices. We have a lot of good men and women who
spend a lot of time, months, sometimes years working on these
issues. It's imperative that we on both sides of the aisle get
that information.
We would ask to you also keenly look at this concern that
we have about how Title 44 is interpreted. Part of the reason
we held this hearing is we do anticipate potentially rewriting
that statute, and as we do so, I want to make sure we get the
maximum input and any flaws or things that we might see there.
I do appreciate, Director, the candid discussion we've had,
it's an important part of the process, and appreciate the good
work that so many of the men and women who work down there, and
they do a critical, important thing. They've got to produce a
great product at the end of the day. I do think your comments
will go a long way to making sure that these agencies know that
they do have a choice.
And to Mr. Albers and Ms. Carroll, we appreciate the good
work you've done, you've got a lot of good employees and people
who are doing important work. The millions of dollars that is
spent on research and development cannot be dismissed. Those
are real costs, costs that a GPO, for instance, wouldn't go
through, but also provides the next wave of technology that can
make sure that we have the most secure documentation we can
possibly have.
So, again, I appreciate the productive hearing. I
appreciate you all being here with us today.
The committee now stands adjourned.
[Whereupon, at 11:42 a.m., the committee was adjourned.]
APPENDIX
----------
Material Submitted for the Hearing Record
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
[all]