By SHARYL ATTKISSON / CBS NEWS / November 6, 2013, 6:02 PM
Departing Obamacare security official didn't sign off on site launch
Tony Trenkle, the Obamacare official in charge of HealthCare.gov security efforts, announced his resignation Wednesday, effective next week.
CBS News has learned that Trenkle, the Chief Information Officer for the Centers for Medicare and Medicaid Services (CMS), was originally supposed to sign off on security for the glitch-ridden website before its Oct. 1 launch, but didn't. Instead, the authorization on September 27 was given by Trenkle's boss, CMS administrator Marilyn Tavenner.
As CBS News reported Monday, security assessments fell behind and the website never had the required top-to-bottom tests.
Trenkle and two other CMS officials, including Chief Operating Officer Michelle Snyder, signed an unusual "risk acknowledgement" saying that the agency's mitigation plan for rigorous monitoring and ongoing tests did "not reduce the (security) risk to the ... system itself going into operation on October 1, 2013."
HealthCare.gov exchanges data through a massive hub that includes the IRS, the Social Security Administration, Homeland Security, Veterans Affairs, the Defense Department, the Office of Personnel Management and the Peace Corps.
Both Democrats and Republicans have raised security concerns in two days of Senate hearings. Wednesday, Health and Human Services Secretary Kathleen Sebelius told Congress she did not know about the special security waiver that her agency head, Tavenner, granted the website.
"I was not aware of this and I did not have these discussions with the White House because I wasn't aware of them," Sebelius testified.
Sen. Richard Burr, R-N.C., asked, "Did the White House know there had been no end-to-end testing of the security aspects of the exchange?"
"I think the White House was aware of operational issues involving end-to-end testing and I - I don't know of the specifics of - again, I did not have the discussions about this authority to operate issue with the White House," said Sebelius.
"This is a paramount concern," said Sen. Tom Harkin, D-Iowa, at a hearing Tuesday. "Consumers have to be absolutely certain that when they go on and they fill out that application ... no one can hack into that and steal their Social Security numbers or identity."
Sen. Pat Roberts, R-Kansas, asked Tavenner Tuesday about the website's unusual security authorization without the required testing.
"Are you the official at CMS responsible for making...the security authorization decisions?" Roberts asked.
Tavenner replied, "So I think in the case, because of the visibility of the exchange, the Chief Information Officer wanted to make me aware of it and I agreed to sign it with their recommendation to proceed."
Wednesday, an HHS spokesman said that the reason Tavenner, not Trenkle, signed the security authorization is that HealthCare.gov is "a high-profile project and CMS felt it warranted having the administrator sign the authority to operate memo." HHS also says there is an aggressive risk mitigation plan in effect, "the privacy and security of consumers' personal information is a top priority for us" and personal information is "protected by stringent security standards."
Georgetown Law professor Lawrence Gostin is a strong supporter of the Affordable Care Act and helped Congress write the law to meet constitutional standards. But he's critical of the launch without proper security.
"They should've really had this fully tested from top to bottom before the rollout," Gostin told CBS News. "It would've made so much more sense politically, policy-wise and from a security and privacy perspective."