[House Report 114-783]
[From the U.S. Government Publishing Office]

114th Congress, 2d Session
HOUSE OF REPRESENTATIVES
Rept. 114-783, Part 1

MODERNIZING GOVERNMENT TECHNOLOGY ACT OF 2016

September 22, 2016.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed

Mr. Chaffetz, from the Committee on Oversight and Government Reform, submitted the following

R E P O R T

[To accompany H.R. 6004]

The Committee on Oversight and Government Reform, to whom was referred the bill (H.R. 6004) to modernize Government information technology, and for other purposes, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass.

CONTENTS

Committee Statement and Views
Section-by-Section
Explanation of Amendments
Committee Consideration
Roll Call Votes
Application of Law to the Legislative Branch
Statement of Oversight Findings and Recommendations of the Committee
Statement of General Performance Goals and Objectives
Duplication of Federal Programs
Disclosure of Directed Rule Makings
Federal Advisory Committee Act
Unfunded Mandate Statement
Earmark Identification
Committee Estimate
Budget Authority and Congressional Budget Office Cost Estimate

The amendment is as follows:

Strike all after the enacting clause and insert the following:

SECTION 1. SHORT TITLE.

This Act may be cited as the ``Modernizing Government Technology Act of 2016'' or the ``MGT Act''.

SEC. 2. FINDINGS; PURPOSES.

  (a) Findings.--The Congress finds the following:
    (1) The Federal Government spends nearly 75 percent of its annual information technology funding on operating and maintaining existing, legacy information technology systems. These systems can pose operational risks, including rising costs and inability to meet mission requirements. These systems also pose security risks, including the inability to use current security best practices, such as data encryption and multi-factor authentication, making these systems particularly vulnerable to malicious cyber activity.
    (2) In 2015, the Government Accountability Office (GAO) designated Improving the Management of IT Acquisitions and Operations to its biannual High Risk List and identified as a particular concern the increasing level of information technology spending on Operations and Maintenance making less funding available for development or modernization. The GAO also found the Government has spent billions on failed and poorly performing IT investments due to a lack of effective oversight.
    (3) The Federal Government must modernize Federal IT systems to mitigate existing operational and security risks.
    (4) The efficiencies, cost savings, and greater computing power, offered by modernized solutions, such as cloud computing, have the potential to--
      (A) eliminate inappropriate duplication and reduce costs;
      (B) address the critical need for cyber security by design; and
      (C) move the Federal Government into a broad, digital-services delivery model that will transform the Federal Government's ability to meet mission requirements and deliver services to the American people.
  (b) Purposes.--The purposes of this Act are the following:
    (1) Assist the Federal Government in modernizing Federal information technology to mitigate current operational and security risks.
    (2) Incentivize cost savings in Federal information technology through modernization.
    (3) Accelerate the acquisition and deployment of modernized information technology solutions, such as cloud computing, by addressing impediments in the areas of funding, development, and acquisition practices.

SEC. 3. ESTABLISHMENT OF AGENCY INFORMATION TECHNOLOGY SYSTEMS MODERNIZATION AND WORKING CAPITAL FUNDS.

  (a) Information Technology System Modernization and Working Capital Funds.--
    (1) Establishment.--There is established in each covered agency an information technology system modernization and working capital fund (in this section referred to as the ``IT working capital fund'') for necessary expenses for the agency described in paragraph (3).
    (2) Source of funds.--Amounts may be deposited into an IT working capital fund as follows:
      (A) Reprogramming of funds, including reprogramming of any funds available on the date of the enactment of this Act for the operation and maintenance of legacy information technology systems, in compliance with any applicable reprogramming law or guidelines of the Committees on Appropriations of the House of Representatives and the Senate.
      (B) Transfer of funds, including transfer of any funds available on the date of the enactment of this Act for the operation and maintenance of legacy information technology systems, but only if transfer authority is specifically provided for by law.
      (C) Amounts made available through discretionary appropriations.
    (3) Use of funds.--An IT working capital fund established under paragraph (1) may be used only for the following:
      (A) To improve, retire, or replace existing information technology systems to improve efficiency and effectiveness.
      (B) To transition to cloud computing and innovative platforms and technologies.
      (C) To assist and support covered agency efforts to provide adequate, risk-based, and cost-effective information technology capabilities that address evolving threats to information security.
      (D) Reimbursement of funds transferred from the Information Technology Modernization Fund established under section 4, with the approval of the agency Chief Information Officer.
    (4) Existing funds.--An IT working capital fund may not be used to supplant funds provided for the operation and maintenance of any system already within an appropriation for the covered agency at the time of establishment of the IT working capital fund.
    (5) Reprogramming and transfer of funds.--The head of each covered agency shall prioritize funds within the IT working capital fund to be used initially for cost savings activities approved by the covered agency Chief Information Officer, in consultation with the Administrator of the Office of Electronic Government. The head of each covered agency may--
      (A) reprogram any amounts saved as a direct result of such activities for deposit into the applicable IT working capital fund, consistent with paragraph (2)(A); and
      (B) transfer any amounts saved as a direct result of such activities for deposit into the applicable IT working capital fund, consistent with paragraph (2)(B).
    (6) Return of funds.--Any funds deposited into an IT working capital fund must be obligated not later than 3 years after the date of such deposit. Any funds that are unobligated 3 years after such date shall be rescinded and reported to the Committees on Appropriations of the House of Representatives and the Senate.
    (7) Agency CIO responsibilities.--In evaluating projects to be funded from the IT working capital fund, the covered agency Chief Information Officer shall consider, to the extent applicable, guidance established pursuant to section 4(a)(1) to evaluate applications for funding from the Information Technology Modernization Fund that include factors such as a strong business case, technical design, procurement strategy (including adequate use of incremental software development practices), and program management.
  (b) Reporting Requirement.--
    (1) In general.--Not later than one year after the date of the enactment of this Act, and every 6 months thereafter, the head of each covered agency shall submit to the Director the following, with respect to the IT working capital fund for that covered agency:
      (A) A list of each information technology investment funded with estimated cost and completion date for each such investment.
      (B) A summary by fiscal year of the obligations, expenditures, and unused balances.
    (2) Public availability.--The Director shall make the information required pursuant to paragraph (1) publicly available on a website.
  (c) Covered Agency Defined.--In this section, the term ``covered agency'' means each agency listed in section 901(b) of title 31, United States Code.

SEC. 4. ESTABLISHMENT OF INFORMATION TECHNOLOGY MODERNIZATION FUND AND BOARD.

  (a) Information Technology Modernization Fund.--
    (1) Establishment.--There is established in the Treasury an Information Technology Modernization Fund (in this section referred to as the ``Fund'') for technology related activities, to improve information technology, to enhance cybersecurity across the Federal Government, and to be administered in accordance with guidance established by the Director of the Office of Management and Budget.
    (2) Administration of fund.--The Administrator of General Services, in consultation with the Chief Information Officers Council and with the concurrence of the Director, shall administer the Fund in accordance with this subsection.
    (3) Use of funds.--The Administrator of General Services shall, in accordance with the recommendations of the Information Technology Modernization Board established under subsection (b), use amounts in the Fund for the following purposes:
      (A) To transfer such amounts, to remain available until expended, to the head of an agency to improve, retire, or replace existing information technology systems to enhance cybersecurity and improve efficiency and effectiveness.
      (B) For the development, operation, and procurement of information technology products, services, and acquisition vehicles for use by agencies to improve Governmentwide efficiency and cybersecurity in accordance with the requirements of the agencies.
      (C) To provide services or work performed in support of the activities described under subparagraph (A) or (B).
    (4) Credits; availability of funds.--
      (A) Credits.--In addition to any funds otherwise appropriated, the Fund shall be credited with all reimbursements, advances, or refunds or recoveries relating to information technology or services provided through the Fund.
      (B) Availability of funds.--Amounts deposited, credited, or otherwise made available to the Fund shall be available until expended and without further appropriation for the purposes described in paragraph (3).
    (5) Reimbursement.--
      (A) Payment by agency.--For a product or service developed under paragraph (3), the head of an agency that uses such product or service shall pay an amount fixed by the Administrator of General Services in accordance with this subsection.
      (B) Reimbursement by agency.--The head of an agency shall reimburse the Fund for any transfer made under paragraph (3)(A) in accordance with the terms established in the written agreement described in paragraph (6). Notwithstanding any other provision of law, an agency may make a reimbursement required by this subparagraph from any appropriation available for information technology activities. An obligation to make a payment under an agreement described in paragraph (6) in a future fiscal year shall be recorded pursuant to section 1501 of title 31, United States Code, in the fiscal year in which the payment is due.
      (C) Prices fixed by Administrator of General Services.--The Administrator of General Services, in consultation with the Director, shall establish amounts to be paid by an agency and terms of repayment for use of a product or service developed under paragraph (3) at levels sufficient to ensure the solvency of the Fund, including operating expenses. Before making any changes to the established amounts and terms of repayment, the Administrator of General Services shall conduct a review and obtain approval from the Director.
      (D) Failure to make timely reimbursement.--The Administrator of General Services may obtain reimbursement by the issuance of transfer and counterwarrants, or other lawful transfer documents, supported by itemized bills, if payment is not made by an agency--
        (i) within 90 days after the expiration of a repayment period described in the written agreement described in paragraph (6)(A); or
        (ii) within 45 days after the expiration of the time period to make a payment under a payment schedule for a product or service developed under paragraph (3).
    (6) Written agreement.--
      (A) In general.--Before the transfer of funds to an agency under paragraph (3)(A), the Administrator of General Services (in consultation with the Director) and the head of the requisitioning agency shall enter into a written agreement documenting the purpose for which the funds will be used and the terms of repayment. An agreement made pursuant to this subparagraph shall be recorded as an obligation as provided in paragraph (5)(B).
      (B) Requirement for use of incremental development practices.--For any funds transferred to an agency under paragraph (3)(A), in the absence of compelling circumstances documented by the Administrator of General Services at the time of transfer, such funds shall be transferred only on an incremental basis, tied to metric-based development milestones achieved by the agency, to be described in the written agreement required pursuant to subparagraph (A).
    (7) Reporting requirement.--Not later than 6 months after the date of the enactment of this Act, the Director shall publish and maintain a list of each project funded by the Fund on a public website to be updated not less than quarterly, that includes a description of the project, project status (including any schedule delay and cost overruns), and financial expenditure data related to the project.
  (b) Information Technology Modernization Board.--
    (1) Establishment.--There is established an Information Technology Modernization Board (in this section referred to as the ``Board'') which shall evaluate proposals submitted by agencies for funding authorized under the Fund.
    (2) Responsibilities.--The responsibilities of the Board are the following:
      (A) Provide input to the Director for the development of processes for agencies to submit modernization proposals to the Board and to establish the criteria by which such proposals are evaluated, which shall include addressing the greatest security and operational risks, having the greatest Governmentwide impact, and having a high probability of success based on factors such as a strong business case, technical design, procurement strategy (including adequate use of incremental software development practices), and program management.
      (B) Make recommendations to the Administrator of General Services to assist agencies in the further development and refinement of select submitted modernization proposals, based on an initial evaluation performed with the assistance of the Administrator of General Services.
      (C) Review and prioritize, with the assistance of the Administrator of General Services and the Director, modernization proposals based on criteria established pursuant to subparagraph (A).
      (D) Identify, with the assistance of the Administrator of General Services, opportunities to improve or replace multiple information technology systems with a smaller number of information technology systems common to multiple agencies.
      (E) Recommend the funding of modernization projects, in accordance with the uses described in subsection (a)(3), to the Administrator of General Services.
      (F) Monitor, in consultation with the Administrator of General Services, progress and performance in executing approved projects and, if necessary, recommend the suspension or termination of funding for projects based on factors such as failure to meet the terms of the written agreement described in subsection (a)(6).
      (G) Monitor operating costs of the Fund.
    (3) Membership.--The Board shall consist of 8 voting members.
    (4) Chair.--The Chair of the Board shall be the Administrator of the Office of Electronic Government.
    (5) Permanent members.--The permanent members of the Board shall be the following:
      (A) The Administrator of the Office of Electronic Government.
      (B) A senior official from the General Services Administration, who shall be appointed by the Administrator of General Services.
    (6) Additional members of the board.--
      (A) Appointment.--The other members of the Board shall be appointed as follows:
        (i) One employee of the National Institute of Standards and Technology of the Department of Commerce, appointed by the Secretary of Commerce.
        (ii) One employee of the National Protection and Programs Directorate of the Department of Homeland Security, appointed by the Secretary of Homeland Security.
        (iii) One employee of the Department of Defense, appointed by the Secretary of Defense.
        (iv) Three Federal employees primarily having technical expertise in information technology development, financial management, cybersecurity and privacy, and acquisition, appointed by the Director.
      (B) Term.--Each member of the Board described in paragraph (A) shall serve a term of one year, which shall be renewable up to three times, at the discretion of the appointing Secretary or Director, as applicable.
    (7) Prohibition on compensation.--Members of the Board may not receive additional pay, allowances, or benefits by reason of their service on the Board.
    (8) Staff.--Upon request of the Chair of the Board, the Director and the Administrator of General Services may detail, on a nonreimbursable basis, any of the personnel of the Office of Management and Budget or the General Services Administration (as the case may be) to the Board to assist it in carrying out its functions under this Act.
  (c) Responsibilities of the Administrator of General Services.--
    (1) In general.--In addition to the responsibilities described in subsection (a), the Administrator of General Services shall support the activities of the Board and provide technical support to, and, with the concurrence of the Director, oversight of, agencies that receive transfers from the Fund.
    (2) Responsibilities.--The responsibilities of the Administrator of General Services are to--
      (A) provide direct technical support in the form of personnel services or otherwise to agencies transferred amounts under subsection (a)(3)(A) and for products, services, and acquisition vehicles funded under subsection (a)(3)(B);
      (B) assist the Board with the evaluation, prioritization, and development of agency modernization proposals;
      (C) perform regular project oversight and monitoring of approved agency modernization projects, in consultation with the Board and the Director, to increase the likelihood of successful implementation and reduce waste; and
      (D) provide the Director with information necessary to meet the requirements of subsection (a)(7).
  (d) Agency Defined.--In this section, the term ``agency'' has the meaning given that term in section 551 of title 5, United States Code.

SEC. 5. DEFINITIONS.

In this Act:
    (1) Cloud computing.--The term ``cloud computing'' has the meaning given that term by the National Institute of Standards and Technology in NIST Special Publication 800-145 and any amendatory or superseding document thereto.
    (2) Director.--The term ``Director'' means the Director of the Office of Management and Budget.
    (3) Information technology.--The term ``information technology'' has the meaning given that term in section 3502 of title 44, United States Code.
    (4) Legacy information technology system.--The term ``legacy information technology system'' means an outdated or obsolete system of information technology.

Committee Statement and Views

PURPOSE AND SUMMARY

H.R.
6004, the Modernizing Government Technology (MGT) Act of 2016, authorizes two types of funds for the purpose of modernizing the federal government's legacy information technology (IT) and incentivizing IT savings in federal agencies. The bill authorizes Chief Financial Officer Act agencies to establish agency-specific IT modernization funds and the U.S. Office of Management and Budget (OMB) to oversee a government-wide IT modernization fund in the U.S. Department of Treasury to be administered by the General Services Administration (GSA).

BACKGROUND AND NEED FOR LEGISLATION

H.R. 6004, the Modernizing Government Technology (MGT) Act is the result of hearings held by the Committee on Oversight and Government Reform (Committee) and an investigation by the Committee into a federal agency data breach.

GAO 2015 High Risk Report. On February 11, 2015, the Committee held a hearing on the U.S. Government Accountability Office (GAO) 2015 High Risk List Report. For the first time, GAO added ``Improving the Management of IT Acquisitions and Operations'' to its biannual ``High Risk'' List.\1\ The 2015 GAO High Risk Report highlighted several general areas of concern it deemed critical to improving IT acquisition and realizing cost savings, including IT spending on Operations and Maintenance (O&M). GAO found that agencies spent over $80 billion annually on IT investments, but over 75 percent of the $80 billion was spent on legacy IT investments supported by O&M funding. Because there is an increasing amount of O&M funding spent on legacy programs, less funding is available for development.

---------------------------------------------------------------------------
\1\Gov't Accountability Office, GAO-15-290, 2015 GAO High Risk Report, (Feb. 2015).
---------------------------------------------------------------------------

Oversight Letter on Legacy IT.
In December 2015, the Committee sent a bipartisan and bicameral letter to agencies requesting information on: (1) mission-critical systems in need of modernization; (2) oldest programming languages in use; (3) top five oldest IT hardware/infrastructure in use; (4) unsupported software and operating systems; (5) the number of decommissioned legacy systems over the last five years; and (6) IT staffing information.\2\

---------------------------------------------------------------------------
\2\Letter from the Hon. Jason Chaffetz, Chairman, H. Comm. on Oversight & Gov't Reform, Reps. Mark Meadows, Will Hurd, Gerry Connolly, Robin Kelly; and Senator Ron Johnson, Chairman S. Comm. on Homeland Security and Gov't Affairs and Senators Thomas Carper, Jerry Moran, and Tom Udall to federal agencies (Dec. 22, 2015) (Letter and agency responses on file with the Committee).
---------------------------------------------------------------------------

The agency responses varied in level of detail and timeliness. Individual agency responses are on file with the Committee, but the following paragraphs provide a summary of key legacy IT information in five different areas that was provided by the agencies in their responses.

Mission Critical Systems in Need of Modernization. Generally, agencies provided dates for modernizing mission critical systems in need of modernization, but five agencies declined to provide this information for all systems identified. Agencies also reported spending a total of nearly $23 billion in O&M costs on these systems over the last three years.

Oldest Programming Languages. Agencies reported over 930 million lines of code using more than 70 legacy programming languages. However, the Department of Defense (DOD) and the Department of Labor could not provide the number of lines of code.
The top five legacy programming languages reported (date first developed):
    (1) Active Server Pages (ASP) (2000)--424 million lines;
    (2) Common Business Oriented Language (COBOL) (1960s)--156 million lines;
    (3) Fortran (1960s)--136 million lines;
    (4) C (early 1970s), C++ (1979), C# (1999/2000)--62 million lines; and
    (5) Assembly Language Code (1950s)--31 million lines.
The Committee also learned that NASA uses 51 different programming languages. Agencies reported the most staff to support the following languages: COBOL (1,085) and Fortran (613).

Infrastructure/Hardware in Need of Modernization. Ten agencies did not report a specific date for the modernization of at least one of the outdated hardware or infrastructure items identified by the agency.

Unsupported Software and Operating Systems. Agencies reported over 550 unsupported systems or software. The Department of Health and Human Services (HHS) declined to provide details on unsupported software due to security concerns. The oldest reported unsupported software is a Fortran compiler that was last supported in 1991. Agencies also reported still using Windows 3.1, NT, 95, and XP. The Department of the Treasury reported the largest number of unsupported software/OS. DOD only reported two unsupported operating systems (OS), Windows XP and Windows Server 2003.

Decommissioned Legacy Systems. Agencies reported over 3,200 systems decommissioned over the last five years. The Department of State reported the largest number of decommissioned systems with 950 systems. DOD reported the oldest system decommissioned with the Automated Best Value System (which was initialized in the early 1960s).

IT Staff. Agencies reported 244,000 IT staff (including contractors and federal staff). Based on the total number of IT staff reported to the Committee, DOD employs 74 percent of the reported IT staff. Twelve agencies did not or were not able to provide details on contractor staff.
Finally, the average age of IT staff reported to the Committee was 49.4 years old.

GAO Report and Committee Hearing on Legacy IT. On May 25, 2016, the Committee held a hearing, ``Federal Agencies' Reliance on Outdated and Unsupported Information Technology: A Ticking Time Bomb,'' to discuss legacy IT and the GAO findings in a report entitled, ``Federal Agencies Need to Address Aging Legacy Systems.''\3\ The Report assessed 26 agencies' IT O&M spending plans for Fiscal Year (FY) 2010 through 2017 and reviewed in detail the IT spending and individual investments for 12 of these agencies. GAO reported that the federal government spent about 75 percent of the total annual IT budget (over $80 billion) for FY 2015 on O&M investments and such spending had increased over the past seven fiscal years. GAO also reported that federal legacy IT investments are becoming increasingly obsolete with outdated software languages and hardware parts that are not supported.

---------------------------------------------------------------------------
\3\Gov't Accountability Office, GAO-16-468, Federal Agencies Need to Address Aging Legacy Systems, (May 2016).
---------------------------------------------------------------------------

The following are key GAO findings from the Report:
    (1) 5,233 of approximately 7,000 federal IT investments are spending all of their funds on O&M activities;
    (2) O&M spending has increased over the past seven fiscal years;
    (3) In FY 2015, the top 10 IT investments O&M spending totaled $12.5 billion, including:
      (a) $4.38 billion by HHS for the Centers for Medicare and Medicaid Services' Medicare Management Information System; and
      (b) $1.25 billion by DOD for the Defense Information Systems Network.

Outdated Programming Languages and Unsupported Hardware. GAO also reported that federal legacy IT investments are becoming increasingly obsolete with outdated software languages and hardware parts that are not supported.
GAO found several agencies (including the Departments of Agriculture, Homeland Security, HHS, Justice, Treasury, and Veterans Affairs (VA)) reported using COBOL to program legacy systems. COBOL was first developed in the late 1950s and early 1960s. GAO also noted that all of the 12 agencies selected for detailed review reported using unsupported operating systems and components in their FY 2014 Federal Information Security Management Act (FISMA) reports. According to GAO, the following Departments also reported using 1980s and 1990s Microsoft operating systems that have not been supported by the vendor in almost ten years: Commerce, DOD, Treasury, HHS, and VA.

The Report provided examples of legacy investments and systems where agencies reported ages of over 50 years old.\4\ For example, the IRS reported that the Individual Master File (IMF), which is the authoritative data source for individual taxpayer information, is over 50 years old. The IMF uses ALC. ALC (a.k.a. Assembly) is a low level computer code that is difficult to create and maintain and operates on an IBM mainframe. The IRS Chief Information Officer (CIO) has said they are working to modernize the IMF (which was first developed in Assembly in the 1960s) and have developed a process to translate Assembly code to Java to facilitate this modernization.\5\

---------------------------------------------------------------------------
\4\Some of these systems and investments may have individual components newer than the age reported by the agency.
\5\Committee staff call with Terry Milholland, IRS CIO (May 19, 2016).
---------------------------------------------------------------------------

In another example, DOD reported that its Strategic Automated Command and Control System is over 50 years old. This system coordinates the operational functions of the U.S. nuclear forces and is run on an IBM Series/1 computer (from the 1970s) and uses 8-inch floppy disks.
GAO noted that the 8-inch floppy disk was first introduced in the 1970s and only holds 80 kilobytes of data. A single modern flash drive can hold the same amount of data as 3.2 million floppy disks. DOD is modernizing this system with updated data storage, port expansion, portable terminals, and desktop terminals with a scheduled completion date of the end of FY 2017.

Modernization Planning for O&M Investments. GAO examined several O&M investments that agency CIOs rated as moderate or high risk to determine whether agencies had replacement or modernization plans. GAO found that of the 23 O&M investments they reviewed, agencies did have plans to replace or modernize 19 of these investments. GAO acknowledged these plans but challenged the quality of these plans for 12 of the 19 O&M investments because the plans were general or tentative and did not provide specific timelines, activities to be performed, or functions to be replaced or enhanced. For example, GAO identified two O&M investments for HHS with moderate risk ratings (Centers for Medicare and Medicaid Services Medicare Appeals System (moderate) and Trusted Internet Connection Investment (moderate)) where HHS has general modernization plans that lacked detail.

GAO reported that OMB has recognized the upward trend in O&M spending and has attributed this trend to several factors, including:
    (1) O&M activities require maintaining legacy hardware which costs more over time;
    (2) costs to maintain applications and systems that use older programming languages have increased since programmers with these skills are increasingly rare and more expensive; and
    (3) often when there is uncertainty as to how to characterize spending, agencies opt to characterize such investments as O&M because these attract less oversight, require less documentation and have a lower risk of reduced funding.

Chairman Chaffetz on Legacy IT.
During the May 25, 2016 Committee hearing on legacy IT, Chairman Jason Chaffetz (R-UT) noted that, ``Federal agencies spend over $80 billion annually on IT, with the majority of this spending focused on maintaining and operating legacy systems. Such spending on legacy IT results in higher costs and security vulnerabilities where old software or operating systems are no longer supported by vendors the federal . . . government is years and in some cases decades behind the private sector.'' Chairman Chaffetz also stated that, ``we have a long way to go to get from COBOL to the Cloud, but I am committed to helping get us there'' and noted that the hearing was an oversight hearing, ``but also ultimately about government reform.''\6\

---------------------------------------------------------------------------
\6\Federal Agencies' Reliance on Outdated and Unsupported Information Technology: A Ticking Time Bomb Hearing Before the H. Comm. on Oversight & Gov't Reform, 114th Cong. (May 25, 2016).
---------------------------------------------------------------------------

Testimony of the Federal CIO. On May 25, 2016, in testimony before the Committee, federal CIO Tony Scott outlined the challenges associated with legacy IT, described actions the Administration had taken to address this problem, and explained how an IT Modernization Fund (ITMF) could improve the situation. Mr. Scott said legacy IT poses significant security and operations risks and said ``absent timely action, the cost to operate and maintain legacy systems, as well as security vulnerabilities and other risks, will continue to grow.'' Mr. Scott also described the advantages of the proposed ITMF process by saying it was analogous to a corporate capital committee in the private sector where IT investments are presented with a viable business case that demonstrates improved performance and lower costs--for approval.

Office of Personnel Management (OPM) Data Breach Lessons Learned and Legacy IT Recommendation.
In September 2016, a Majority Committee Staff Report entitled, The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation, included a recommendation to ``modernize existing legacy federal information technology assets.'' Based on the investigation of the OPM data breach, the Report found ``there is a pressing need for federal agencies to modernize legacy IT in order to mitigate the cybersecurity threat inherent in unsupported, end of life IT systems and applications.''\7\ The Report illustrated this need for modernization by noting that OPM said their legacy systems were often not capable of accepting certain types of encryption.\8\

---------------------------------------------------------------------------
\7\Committee on Oversight & Gov't Reform Majority Staff Report, The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation (Sept. 7, 2016) at 19.
\8\Id. at 25.
---------------------------------------------------------------------------

As a consequence, the Report recommended that, ``[f]ederal agencies should utilize existing tools and Congress should consider new tools to incentivize the transition from legacy to modernized IT solutions'' and noted that ``[s]uch reliance on legacy IT can result in security vulnerabilities where old software or operating systems are no longer supported by vendors and aging IT infrastructure becomes difficult and expensive to secure.''\9\ H.R. 6004 authorizes new funding tools to jumpstart agency IT modernization efforts and incentivize agencies to realize cost savings through modernization.

---------------------------------------------------------------------------
\9\Id.
---------------------------------------------------------------------------

Legislation to Address the Challenge of Legacy IT. H.R.
6004, the Government Modernization Technology (MGT) Act of 2016, provides tools to address the challenge of legacy IT that, in conjunction with the enhanced Chief Information Officer (CIO) authorities enacted in the Federal IT Acquisition Reform Act (FITARA),\10\ should drive agency modernization initiatives. H.R. 6004 is intended to build on FITARA and empower and hold accountable covered agency CIOs to pursue IT modernization. The covered agency CIO refers to the CIO with primary authority over the full agency IT portfolio and who reports to the agency head or senior management of the covered agency.

---------------------------------------------------------------------------
\10\National Defense Authorization Act Fiscal Year 2015, P.L. 113-291, Title VIII, Subtitle D (Dec. 19, 2014).
---------------------------------------------------------------------------

H.R. 6004 adopted slightly modified language from two IT modernization bills previously introduced in the 114th Congress. On April 11, 2016, Rep. Steny Hoyer (D-MD) introduced H.R. 4897, the Information Technology Modernization (ITMF) Act, and on July 14, 2016, Rep. Will Hurd (R-TX) introduced H.R. 5792, the Modernizing Outdated and Vulnerable Equipment and Information Technology Act (MOVE IT). The general concepts of these two bills were combined.

First, H.R. 4897 would have established a centralized IT modernization fund in the Treasury to be managed by OMB, with the General Services Administration (GSA) to serve in a ministerial role supporting an independent ITMF Board of IT experts and implement ITMF Board decisions with oversight from OMB and the Board. Agencies would apply to the ITMF Board for funding with a business case that would demonstrate sound design and measurable outcomes, including lower life cycle costs and improved security and operational performance. The ITMF would be focused on identifying government-wide priorities and be available to all executive branch agencies.
These concepts are carried in H.R. 6004. H.R. 6004, section 4(b)(2) describes the ITMF Board responsibilities. These responsibilities include identifying opportunities to improve or replace multiple IT systems with a smaller number of IT systems common to multiple agencies. The Committee encourages the ITMF Board to consult with the federal CIO Council in their efforts to identify such opportunities. Further, the Committee would expect the ITMF Board to focus on modernization of existing systems when shifting to IT systems that may be leveraged by multiple agencies. The ITMF is established as a funding mechanism available to covered agency CIOs, through an application process to fund IT projects that provide substantial and direct transformation away from legacy IT toward more efficient modernized technologies and services. Given the critical IT needs of the federal government, the ITMF should be used solely to modernize federal IT systems.

Second, H.R. 5792, the MOVE IT Act, would have established IT modernization funds in individual CFO Act agencies to be managed by covered agency CIOs. This approach would provide covered agency CIOs the opportunity to identify agency IT priorities and realize and reinvest savings from agency modernization efforts. The MOVE IT approach also promotes increased flexibility in managing IT funds by giving agencies the opportunity to reprogram or transfer certain funds to capitalize the agency IT modernization funds, with appropriate oversight from the Appropriations Committees. These concepts are included in H.R. 6004.

H.R. 6004 clarifies the authorized uses of agency IT modernization funds in section 3(a)(3). Section 3(a)(3)(D) provides agencies the option to use the agency IT modernization fund to reimburse the ITMF should the agency have received such funding through a successful application to the ITMF Board.
This language makes clear that such reimbursement to the ITMF may only be made with the approval of the covered agency CIO. Agency CIOs are expected to exercise independent judgment in evaluating whether to use their IT modernization fund to reimburse the ITMF.

H.R. 6004 also encourages agencies to consider, to the extent practicable, guidelines developed by OMB and the ITMF Board for purposes of evaluating IT modernization projects to be funded by the agency IT modernization fund. This provision in H.R. 6004 is not intended to establish a mandatory requirement, but it is intended to facilitate the sharing of best practices in evaluating IT modernization projects.

H.R. 6004, section 3(b) and section 4(a)(7) establish reporting requirements for individual agency IT modernization funds and the ITMF. The Committee considers these reporting requirements essential to maintaining transparency on the use of these funding mechanisms and expects timely updates of this information on a public website. Further, the Committee encourages the submission of information on cost savings for projects funded through these mechanisms.

Finally, H.R. 6004 defines legacy information systems to mean ``an outdated or obsolete system of information technology.'' The Committee acknowledges this is a broad definition, but expects covered agency CIOs and the ITMF Board to prioritize for modernization legacy IT systems that pose significant security and operational risks. Further, a significant indicator that an IT system is outdated or obsolete--or falls within the definition of legacy IT systems in H.R. 6004--is that it is no longer being supported by an original vendor or manufacturer.

LEGISLATIVE HISTORY

H.R. 6004, the Modernizing Government Technology (MGT) Act of 2016 was introduced on September 13, 2016 by Representative Will Hurd (R-TX) and referred to the Committee on Oversight and Government Reform. In addition, the bill was referred to the Committee on Appropriations.
There are five original cosponsors: Rep. Gerry Connolly (D-VA), Chairman Jason Chaffetz (R-UT), Ranking Member Elijah Cummings (D-MD), Rep. Robin Kelly (D-IL), and Rep. Ted Lieu (D-CA). Rep. Kevin McCarthy (R-CA) and Rep. Steny Hoyer (D-MD) are also cosponsors.

On September 15, 2016, the Committee on Oversight and Government Reform ordered H.R. 6004 favorably reported by voice vote, with an amendment.

In 2016, two related bills were introduced that informed the text of H.R. 6004. These related bills are: (1) H.R. 4897, Information Technology Modernization Act, which was introduced by Rep. Steny Hoyer (D-MD) on April 11, 2016 and referred to the Committee on Oversight and Government Reform; and (2) H.R. 5792, Modernizing Outdated and Vulnerable Equipment and Information Technology Act, which was introduced by Rep. Will Hurd on July 14, 2016 and referred to the Committee on Oversight and Government Reform and in addition to the Committee on Appropriations.

On February 11, 2015, the Committee on Oversight and Government Reform held a hearing on the Government Accountability Office (GAO) 2015 High Risk List Report. For the first time, GAO added ``Improving the Management of IT Acquisitions and Operations'' to its biannual ``High Risk'' List.\11\

---------------------------------------------------------------------------
\11\2015 GAO High Risk Report, GAO-15-290 (Feb. 2015) at 39.
---------------------------------------------------------------------------

On May 25, 2016, the Committee on Oversight and Government Reform held a hearing to discuss GAO findings in a report entitled, ``Federal Agencies Need to Address Aging Legacy Systems.''\12\

---------------------------------------------------------------------------
\12\Federal Agencies Need to Address Aging Legacy Systems, GAO-16-468 (May 2016).
---------------------------------------------------------------------------

Section-by-Section

Section 1.
Short title

Designates the short title of the bill as the ``Modernization Government Technology Act of 2016''.

Section 2. Findings; Purposes

Makes four findings: (1) the federal government spends nearly 75 percent of its annual information technology (IT) budget on operating and maintaining existing legacy IT systems. These systems can pose operational risks, including rising costs and inability to meet mission requirements. These systems also pose security risks, including the inability to use current security best practices, such as data encryption and multi-factor authentication, making such systems particularly vulnerable to malicious cyber activity; (2) the GAO designated improving the management of IT acquisitions and operations to its biannual High Risk List and identified as a particular concern the increasing level of IT spending on Operations and Maintenance making less funding available for development or modernization; (3) the federal government must modernize federal IT systems to mitigate existing operational and security risks; and (4) the efficiencies, cost savings, and greater computing power, offered by modernized solutions, such as cloud computing have the potential to (a) eliminate duplication and reduce costs, (b) address the critical need for cyber security by design, and (c) move the federal government into a broad, digital-services delivery model that will transform the federal government's ability to meet mission requirements and deliver services to the American people.

Describes three purposes: (1) to assist the federal government in modernizing federal IT to mitigate current operational and security risks; (2) to incentivize cost savings in federal IT through modernization; (3) to accelerate the acquisition and deployment of modernized IT solutions, such as cloud computing, by addressing impediments in the areas of funding, development, and acquisition practices.

Section 3.
Establishment of agency information technology systems modernization and working capital funds

Establishes in each CFO Act agency an IT system modernization and working capital fund: (1) for the replacement of legacy IT systems; (2) for the transition to cloud computing and innovative platforms and technologies subject to a transition plan for any project more than $5 million and approved by the agency CIO; (3) to assist and support agency efforts to provide adequate, risk-based, and cost-effective IT capabilities that address evolving threats to information security; and (4) for development, modernization, and enhancement activities of IT.

Requires that funds are deposited into the IT working capital fund by: (1) reprogramming of funds, including reprogramming of funds available on the date of enactment for the operation and maintenance of legacy IT systems, in compliance with applicable reprogramming laws or guidelines of the Appropriations Committees; (2) transferring of funds, including funds available on the date of enactment for the operation and maintenance of legacy IT systems, but only if transfer authority is specifically provided for by law; and (3) amounts made available through discretionary appropriations.

Requires that an agency IT working capital fund may be used only to: (1) improve, retire, or replace existing IT systems to improve efficiency and effectiveness; (2) transition to cloud computing and innovative platforms and technologies; (3) assist and support agency efforts to provide adequate, risk-based, and cost-effective IT capabilities that address evolving threats to information security; and (4) reimburse funds transferred from the Information Technology Modernization fund described in Section 4 with approval of the agency CIO.

States an IT working capital fund may not be used to supplant funds provided for the operation and maintenance of any systems already within an appropriation for the agency at the time the IT working capital fund is established.

Requires the head of each agency to prioritize funds within the IT working capital fund to be used initially for cost savings activities approved by the agency CIO, in consultation with the Administrator of the Office of Electronic Government (i.e., the federal CIO).

Authorizes the head of each agency to: (1) reprogram any amounts saved as a direct result of such activities for deposit into the applicable IT working capital fund; and (2) transfer any amounts saved as a direct result of such activities for deposit into the applicable IT working capital fund, consistent with applicable law and guidelines of the Appropriations Committees.

Requires all funds deposited into an IT working capital fund to be obligated not later than three years after the date of such deposit and any such funds unobligated 3 years after such date shall be returned to the Treasury and reported to the Appropriations Committees.

Requires agency CIOs, in evaluating projects to be funded from the agency IT working capital fund, to consider to the extent practicable guidance established by OMB, under Section 4 for evaluating IT projects to be funded by the IT Modernization Fund established at Treasury, overseen by OMB, and administered by GSA.

Requires agencies to submit one year after enactment and every 6 months thereafter to OMB information on the agency's IT working capital fund, including a list of IT investments funded by the working capital fund and a summary by fiscal year of the obligations, expenditures, and unused balances of the working capital fund and requires OMB to make such information available on a public website.

Section 4.
Establishment of Information Technology Modernization Fund and board

Establishes in the Treasury an Information Technology Modernization Fund (ITMF) for technology-related activities to improve IT and to enhance cybersecurity across the federal government, and requires the ITMF be administered by GSA, in accordance with OMB guidance.

Requires GSA, in consultation with the federal CIO Council and with the concurrence of the Director, to administer the ITMF in accordance with the recommendations of the ITMF Board and for the following purposes: (1) to transfer such amounts to remain available until expended to the head of an agency to improve, retire, or replace existing IT systems to enhance cybersecurity and improve efficiency and effectiveness; (2) for the development, operation, and procurement of IT products, services, and acquisition vehicles for agencies' use to improve government-wide efficiency and cybersecurity in accordance with agencies' requirements; and (3) to provide services or work performed in support of the activities described in (1) and (2).

Authorizes all executive branch agencies (5 U.S.C. 551) to apply to the ITMF.

Requires that in addition to funds otherwise appropriated, the ITMF shall be credited with all reimbursements, advances, or refunds or recoveries relating to IT or services provided through the fund and amounts deposited, credited, or otherwise made available to the ITMF shall be available until expended and without further appropriation.

Requires agencies to reimburse the ITMF for use of products or services funded by the ITMF and to reimburse the ITMF for any transfers made to the agency under the terms of a written agreement to develop a modernized IT solution.

Establishes that GSA shall, in consultation with OMB, establish amounts to be paid by the agency and terms of repayment for use of a product or service funded by the ITMF (at levels sufficient to maintain ITMF solvency) and requires GSA to obtain approval from OMB before making any changes to established amounts and terms of payment.

Authorizes GSA to obtain agency reimbursement by issuing a transfer or counterwarrant or other lawful transfer documents if payment is not made by the agency within 90 days after expiration of a repayment period or within 45 days after the expiration of time to make a payment under an established payment schedule.

Establishes a requirement for a written agreement between the head of the agency and GSA, in consultation with OMB, to document the purpose of funds used and the terms of repayment and requires funds shall be transferred to an agency on an incremental basis, tied to metric-based development milestones achieved by the agency (as described in the written agreement).

Requires OMB to publish and maintain a list of each project funded by the ITMF on a public website not later than 6 months after enactment and to update not less than quarterly details of projects funded by the ITMF including a project description, project status (including schedule delay and cost overruns) and financial expenditure data related to the project.

Establishes an ITMF Board to evaluate proposals submitted by agencies for funding authorized under the ITMF.

Establishes the following ITMF Board responsibilities: (1) provide input to OMB for the development of processes for agency submission of modernization proposals to the Board and to establish the proposal evaluation criteria which shall include addressing the greatest security and operational risks having the greatest government-wide impact and having a high probability of success based on factors such as a strong business case, technical design, procurement strategy (including adequate use of incremental software development), and program management; (2) make recommendations to GSA to assist agencies in further development and refinement of select submitted modernization proposals; (3) review and prioritize with GSA and OMB assistance modernization proposals based upon criteria established in paragraph (1); (4) identify with GSA assistance opportunities to improve or replace multiple IT systems with a small number of IT systems common to multiple agencies; (5) recommend the funding of modernization projects; (6) monitor, in consultation with GSA, progress and performance in executing approved ITMF projects and if necessary recommend suspension or termination of funding for projects based on factors such as failure to meet the terms of the written agreement; and (7) monitor operating costs of the fund.

Establishes the membership of the ITMF Board to include eight voting members with the federal CIO to Chair the Board and the permanent members designated as the Chair and a senior GSA official to be appointed by the GSA Administrator.
Additional ITMF Board members who are to serve one-year terms that may be renewable up to three times are: (1) one employee of the National Institute of Standards and Technology of the Department of Commerce to be appointed by the Secretary; (2) one employee of the National Protection and Programs Directorate of the Department of Homeland Security to be appointed by the Secretary; (3) one employee of the Department of Defense to be appointed by the Secretary; and (4) three federal employees primarily having technical expertise in IT development, financial management, cybersecurity and privacy and acquisition, appointed by the OMB Director.

Prohibits ITMF Board members from receiving additional pay, allowances, or benefits by reason of their service on the ITMF Board.

Authorizes nonreimbursable details of OPM or GSA staff to the ITMF Board, upon request of the ITMF Board chair, to assist in carrying out the ITMF Board responsibilities.

Establishes GSA responsibilities to support the activities of the Board and provide technical support to and in consultation with the Director, oversight of agencies that receive ITMF funding. GSA specific responsibilities are to: (1) provide direct technical support in the form of personnel services or otherwise to agencies that receive transfers from the ITMF; (2) assist the ITMF Board with the evaluation, prioritization, and development of agency modernization proposals; (3) perform regular project oversight and monitoring of approved agency modernization projects, in consultation with the ITMF Board and the OMB Director to increase the likelihood of successful implementation and reduce waste; and (4) provide the Director with information necessary to fulfill reporting requirements, including a list of projects funded by the ITMF on a public website to be updated not less than quarterly with a description of the project, project status and financial expenditure data related to the project.

Section 5.
Definitions

Defines Cloud Computing, Director (as Director of OMB), Information Technology, and Legacy Information Technology System.

Explanation of Amendments

During Full Committee consideration of the bill, Rep. Will Hurd (R-TX) offered an amendment that clarifies the role of GSA in administering the ITMF and reasserts the primacy under FITARA of agency CIOs being fully in charge of the IT budgets at their agencies. The Hurd amendment was adopted by voice vote.

Committee Consideration

On September 15, 2016 the Committee met in open session and ordered reported favorably the bill, H.R. 6004, as amended, by voice vote, a quorum being present.

Roll Call Votes

No roll call votes were requested or conducted during Full Committee consideration of H.R. 6004.

Application of Law to the Legislative Branch

Section 102(b)(3) of Public Law 104-1 requires a description of the application of this bill to the legislative branch where the bill relates to the terms and conditions of employment or access to public services and accommodations. This bill modernizes Government information technology. As such this bill does not relate to employment or access to public services and accommodations.

Statement of Oversight Findings and Recommendations of the Committee

In compliance with clause 3(c)(1) of rule XIII and clause (2)(b)(1) of rule X of the Rules of the House of Representatives, the Committee's oversight findings and recommendations are reflected in the descriptive portions of this report.

Statement of General Performance Goals and Objectives

In accordance with clause 3(c)(4) of rule XIII of the Rules of the House of Representatives, the Committee's performance goal and objective of the bill is to modernize Government information technology.

Duplication of Federal Programs

No provision of this bill establishes or reauthorizes a program of the Federal Government known to be duplicative of another Federal program, a program that was included in any report from the Government Accountability Office to Congress pursuant to section 21 of Public Law 111-139, or a program related to a program identified in the most recent Catalog of Federal Domestic Assistance.

Disclosure of Directed Rule Makings

The Committee estimates that enacting this bill does not direct the completion of any specific rule makings within the meaning of 5 U.S.C. 551.

Federal Advisory Committee Act

The Committee finds that the legislation does not establish or authorize the establishment of an advisory committee within the definition of 5 U.S.C. App., Section 5(b).

Unfunded Mandate Statement

Section 423 of the Congressional Budget and Impoundment Control Act (as amended by Section 101(a)(2) of the Unfunded Mandate Reform Act, P.L. 104-4) requires a statement as to whether the provisions of the reported bill include unfunded mandates. In compliance with this requirement the Committee has received a letter from the Congressional Budget Office included herein.

Earmark Identification

This bill does not include any congressional earmarks, limited tax benefits, or limited tariff benefits as defined in clause 9 of Rule XXI.

Committee Estimate

At the time of this writing, the Committee had yet to receive a formal cost estimate from the Congressional Budget Office for H.R. 6004. The Committee notes that the bill does not authorize any new appropriations. Section 3 of the bill requires agencies to establish new individual information technology modernization working capital funds, which may involve minimal administrative costs. Further, section 4 of the bill requires the establishment of a new centralized information technology modernization fund and board.
However, additional pay for board members is prohibited and board staff would be detailed on a non-reimbursable basis.

Budget Authority and Congressional Budget Office Cost Estimate

With respect to the requirements of clause 3(c)(2) of rule XIII of the Rules of the House of Representatives and section 308(a) of the Congressional Budget Act of 1974 and with respect to requirements of clause (3)(c)(3) of rule XIII of the Rules of the House of Representatives and section 402 of the Congressional Budget Act of 1974, the Committee has not received a cost estimate for this bill from the Director of Congressional Budget Office, and instead has included a committee estimate in the section prior to this one.

[all]