Vice Chairman of the Senate Select Committee on Intelligence Marco Rubio (R-FL) questioned witnesses at a Senate Select Committee on Intelligence hearing on vetting modernization.   

Witnesses:

    Mr. Jason Miller, Deputy Director for Management Office of Management and Budget (OMB)
    Ms. Kiran Ahuja, Director Office of Personnel Management (OPM)
    Ms. Stacey Dixon, Principal Deputy Director of National Intelligence (PDDNI)
    Mr. Ronald Moultrie, Under Secretary of Defense for Intelligence and Security (USDI&S)

Read a transcript below.

RUBIO: I want to go back to the backbone of this whole thing, I’ll use the right terminology, the National Background Investigation Service, that’s basically what's going to hold all this information. It's the database. So I just want to have a better understanding, without obviously endangering its security. Why is this more secure than the OPM database that was breached back in 2014? Are there features here that were not available? Is it because the OPM one was broader and this one was more categorized? I mean, how confident are we? I think Director Moultrie this question is probably for you since perhaps others may want to comment on it. This is the Holy Grail to some extent. Everyone's going to know it. We know the existence of it is public. How is it more secure than the OPM? Because a breach of this sounds like it would be catastrophic.

MOULTRIE: Senator, thanks for the question. I can't speak to the OPM system that was developed over decades and the cybersecurity features that it may or may not have had. I suspect that during the time that it was built, we would not have had the capabilities and the advancements that we have today.

RUBIO: Neither did the hackers. I mean, they've developed as well. And that's why this is a moving target.

MOULTRIE: Exactly. And that's why what we're doing is building it on the latest frameworks that we have that are cybersecurity proven that the zero trust frameworks that we know are proven. We are getting the counsel of those who actually understand breaches and who have lived through breaches and understand how hackers may want to get into systems and what they go after and how they actually do this and building every component to actually withstand an insider threat, an external threat or just a lapse in security. So I think all that's being factored into a system that will be state of the art. I would say nothing is breach proof, but it will bring us, I believe, exponentially to an exponentially better place than where we were before.

RUBIO: Which agencies are not using NBIS right now?

MOULTRIE: I can get a list of those for you.

RUBIO: Okay. Have we tested its usability with industry or with the security directors of government agencies?

MOULTRIE: So what we are doing is agile software development. We are testing components as we go along. We are building that and testing as we go along.

RUBIO: Mr. Miller. Are we testing the broader trusted workforce 2.0 with users in the industry? Is that part of the benchmarks now?

MILLER: Yes, it is. And there's just to step back on the breadth of this. It’s more than 13,000 industry partners that will touch these systems. So there's a staged deployment as well as an engagement model to ensure that we're getting feedback.

RUBIO: To understand that, so let's say you open it up to 100 of them, right? And have them try to use it, and then they give you feedback as to “we encountered this problem, we encountered that problem”. You're making adjustments based on that feedback?

MILLER: That is part of the agile deployment or the agile development model that Mr. Moultrie was discussing. We're also facing different developments. I would defer to Mr. Moultrie to talk that through. But in terms of building additional capabilities and running it as we go.