Charest testified that he did not get to review a key outside contractor's security evaluation until November, a month into the rollout. He found out only through media reports that the consumer-facing part of the website had been issued a provisional six-month operational and security certificate.
Despite the unusual process that administration officials followed with the website, Charest expressed cautious optimism over the added vigilance and testing measures put in place to reduce risks.
"I have no reason to believe that these broad mitigation strategies, if followed through in detail, would not mitigate the risk," he told the committee.
Fryer, who is the CMS chief information security officer, has testified that she recommended against issuing a full certification for the consumer-facing part of the website. She put her concerns in a Sept. 24 memo, but it was never sent.