[House Report 114-783]
[From the U.S. Government Publishing Office]
114th Congress } { Rept. 114-783
HOUSE OF REPRESENTATIVES
2d Session } { Part 1
======================================================================
MODERNIZING GOVERNMENT TECHNOLOGY ACT OF 2016
_______
September 22, 2016.--Committed to the Committee of the Whole House on
the State of the Union and ordered to be printed
_______
Mr. Chaffetz, from the Committee on Oversight and Government Reform,
submitted the following
R E P O R T
[To accompany H.R. 6004]
The Committee on Oversight and Government Reform, to whom
was referred the bill (H.R. 6004) to modernize Government
information technology, and for other purposes, having
considered the same, report favorably thereon with an amendment
and recommend that the bill as amended do pass.
CONTENTS
Page
Committee Statement and Views.................................... 6
Section-by-Section............................................... 12
Explanation of Amendments........................................ 16
Committee Consideration.......................................... 16
Roll Call Votes.................................................. 16
Application of Law to the Legislative Branch..................... 17
Statement of Oversight Findings and Recommendations of the
Committee...................................................... 17
Statement of General Performance Goals and Objectives............ 17
Duplication of Federal Programs.................................. 17
Disclosure of Directed Rule Makings.............................. 17
Federal Advisory Committee Act................................... 17
Unfunded Mandate Statement....................................... 17
Earmark Identification........................................... 17
Committee Estimate............................................... 18
Budget Authority and Congressional Budget Office Cost Estimate... 18
The amendment is as follows:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Modernizing Government Technology Act
of 2016'' or the ``MGT Act''.
SEC. 2. FINDINGS; PURPOSES.
(a) Findings.--The Congress finds the following:
(1) The Federal Government spends nearly 75 percent of its
annual information technology funding on operating and
maintaining existing, legacy information technology systems.
These systems can pose operational risks, including rising
costs and inability to meet mission requirements. These systems
also pose security risks, including the inability to use
current security best practices, such as data encryption and
multi-factor authentication, making these systems particularly
vulnerable to malicious cyber activity.
(2) In 2015, the Government Accountability Office (GAO)
designated Improving the Management of IT Acquisitions and
Operations to its biannual High Risk List and identified as a
particular concern the increasing level of information
technology spending on Operations and Maintenance making less
funding available for development or modernization. The GAO
also found the Government has spent billions on failed and
poorly performing IT investments due to a lack of effective
oversight.
(3) The Federal Government must modernize Federal IT systems
to mitigate existing operational and security risks.
(4) The efficiencies, cost savings, and greater computing
power, offered by modernized solutions, such as cloud
computing, have the potential to--
(A) eliminate inappropriate duplication and reduce
costs;
(B) address the critical need for cyber security by
design; and
(C) move the Federal Government into a broad,
digital-services delivery model that will transform the
Federal Government's ability to meet mission
requirements and deliver services to the American
people.
(b) Purposes.--The purposes of this Act are the following:
(1) Assist the Federal Government in modernized Federal
information technology to mitigate current operational and
security risks.
(2) Incentivize cost savings in Federal information
technology through modernization.
(3) Accelerate the acquisition and deployment of modernized
information technology solutions, such as cloud computing, by
addressing impediments in the areas of funding, development,
and acquisition practices.
SEC. 3. ESTABLISHMENT OF AGENCY INFORMATION TECHNOLOGY SYSTEMS
MODERNIZATION AND WORKING CAPITAL FUNDS.
(a) Information Technology System Modernization and Working Capital
Funds.--
(1) Establishment.--There is established in each covered
agency an information technology system modernization and
working capital fund (in this section referred to as the ``IT
working capital fund'') for necessary expenses for the agency
described in paragraph (3).
(2) Source of funds.--Amounts may be deposited into an IT
working capital fund as follows:
(A) Reprogramming of funds, including reprogramming
of any funds available on the date of the enactment of
this Act for the operation and maintenance of legacy
information technology systems, in compliance with any
applicable reprogramming law or guidelines of the
Committees on Appropriations of the House of
Representatives and the Senate.
(B) Transfer of funds, including transfer of any
funds available on the date of the enactment of this
Act for the operation and maintenance of legacy
information technology systems, but only if transfer
authority is specifically provided for by law.
(C) Amounts made available through discretionary
appropriations.
(3) Use of funds.--An IT working capital fund established
under paragraph (1) may be used only for the following:
(A) To improve, retire, or replace existing
information technology systems to improve efficiency
and effectiveness.
(B) To transition to cloud computing and innovative
platforms and technologies.
(C) To assist and support covered agency efforts to
provide adequate, risk-based, and cost-effective
information technology capabilities that address
evolving threats to information security.
(D) Reimbursement of funds transferred from the
Information Technology Modernization Fund established
under section 4, with the approval of the agency Chief
Information Officer.
(4) Existing funds.--An IT working capital fund may not be
used to supplant funds provided for the operation and
maintenance of any system already within an appropriation for
the covered agency at the time of establishment of the IT
working capital fund.
(5) Reprogramming and transfer of funds.--The head of each
covered agency shall prioritize funds within the IT working
capital fund to be used initially for cost savings activities
approved by the covered agency Chief Information Officer, in
consultation with the Administrator of the Office of Electronic
Government. The head of each covered agency may--
(A) reprogram any amounts saved as a direct result of
such activities for deposit into the applicable IT
working capital fund, consistent with paragraph (2)(A);
and
(B) transfer any amounts saved as a direct result of
such activities for deposit into the applicable IT
working capital fund, consistent with paragraph (2)(B).
(6) Return of funds.--Any funds deposited into an IT working
capital fund must be obligated not later than 3 years after the
date of such deposit. Any funds that are unobligated 3 years
after such date shall be rescinded and reported to the
Committees on Appropriations of the House of Representatives
and the Senate.
(7) Agency cio responsibilities.--In evaluating projects to
be funded from the IT working capital fund, the covered agency
Chief Information Officer shall consider, to the extent
applicable, guidance established pursuant to section 4(a)(1) to
evaluate applications for funding from the Information
Technology Modernization Fund that include factors such as a
strong business case, technical design, procurement strategy
(including adequate use of incremental software development
practices), and program management.
(b) Reporting Requirement.--
(1) In general.--Not later than one year after the date of
the enactment of this Act, and every 6 months thereafter, the
head of each covered agency shall submit to the Director the
following, with respect to the IT working capital fund for that
covered agency:
(A) A list of each information technology investment
funded with estimated cost and completion date for each
such investment.
(B) A summary by fiscal year of the obligations,
expenditures, and unused balances.
(2) Public availability.--The Director shall make the
information required pursuant to paragraph (1) publicly
available on a website.
(c) Covered Agency Defined.--In this section, the term ``covered
agency'' means each agency listed in section 901(b) of title 31, United
States Code.
SEC. 4. ESTABLISHMENT OF INFORMATION TECHNOLOGY MODERNIZATION FUND AND
BOARD.
(a) Information Technology Modernization Fund.--
(1) Establishment.--There is established in the Treasury an
Information Technology Modernization Fund (in this section
referred to as the ``Fund'') for technology related activities,
to improve information technology, to enhance cybersecurity
across the Federal Government, and to be administered in
accordance with guidance established by the Director of the
Office of Management of Budget.
(2) Administration of fund.--The Administrator of General
Services, in consultation with the Chief Information Officers
Council and with the concurrence of the Director, shall
administer the Fund in accordance with this subsection.
(3) Use of funds.--The Administrator of General Services
shall, in accordance with the recommendations of the
Information Technology Modernization Board established under
subsection (b), use amounts in the Fund for the following
purposes:
(A) To transfer such amounts, to remain available
until expended, to the head of an agency to improve,
retire, or replace existing information technology
systems to enhance cybersecurity and improve efficiency
and effectiveness.
(B) For the development, operation, and procurement
of information technology products, services, and
acquisition vehicles for use by agencies to improve
Governmentwide efficiency and cybersecurity in
accordance with the requirements of the agencies.
(C) To provide services or work performed in support
of the activities described under subparagraph (A) or
(B).
(4) Credits; availability of funds.--
(A) Credits.--In addition to any funds otherwise
appropriated, the Fund shall be credited with all
reimbursements, advances, or refunds or recoveries
relating to information technology or services provided
through the Fund.
(B) Availability of funds.--Amounts deposited,
credited, or otherwise made available to the Fund shall
be available until expended and without further
appropriation for the purposes described in paragraph
(3).
(5) Reimbursement.--
(A) Payment by agency.--For a product or service
developed under paragraph (3), the head of an agency
that uses such product or service shall pay an amount
fixed by the Administrator of General Services in
accordance with this subsection.
(B) Reimbursement by agency.--The head of an agency
shall reimburse the Fund for any transfer made under
paragraph (3)(A) in accordance with the terms
established in the written agreement described in
paragraph (6). Notwithstanding any other provision of
law, an agency may make a reimbursement required by
this subparagraph from any appropriation available for
information technology activities. An obligation to
make a payment under an agreement described in
paragraph (6) in a future fiscal year shall be recorded
pursuant to section 1501 of title 31, United States
Code, in the fiscal year in which the payment is due.
(C) Prices fixed by administrator of general
services.--The Administrator of General Services, in
consultation with the Director, shall establish amounts
to be paid by an agency and terms of repayment for use
of a product or service developed under paragraph (3)
at levels sufficient to ensure the solvency of the
Fund, including operating expenses. Before making any
changes to the established amounts and terms of
repayment, the Administrator of General Services shall
conduct a review and obtain approval from the Director.
(D) Failure to make timely reimbursement.--The
Administrator of General Services may obtain
reimbursement by the issuance of transfer and
counterwarrants, or other lawful transfer documents,
supported by itemized bills, if payment is not made by
an agency--
(i) within 90 days after the expiration of a
repayment period described in the written
agreement described in paragraph (6)(A); or
(ii) within 45 days after the expiration of
the time period to make a payment under a
payment schedule for a product or service
developed under paragraph (3).
(6) Written agreement.--
(A) In general.--Before the transfer of funds to an
agency under paragraph (3)(A), the Administrator of
General Services (in consultation with the Director)
and the head of the requisitioning agency shall enter
into a written agreement documenting the purpose for
which the funds will be used and the terms of
repayment. An agreement made pursuant to this
subparagraph shall be recorded as an obligation as
provided in paragraph (5)(B).
(B) Requirement for use of incremental development
practices.--For any funds transferred to an agency
under paragraph (3)(A), in the absence of compelling
circumstances documented by the Administrator of
General Services at the time of transfer, such funds
shall be transferred only on an incremental basis, tied
to metric-based development milestones achieved by the
agency, to be described in the written agreement
required pursuant to subparagraph (A).
(7) Reporting requirement.--Not later than 6 months after the
date of the enactment of this Act, the Director shall publish
and maintain a list of each project funded by the Fund on a
public website to be updated not less than quarterly, that
includes a description of the project, project status
(including any schedule delay and cost overruns), and financial
expenditure data related to the project.
(b) Information Technology Modernization Board.--
(1) Establishment.--There is established an Information
Technology Modernization Board (in this section referred to as
the ``Board'') which shall evaluate proposals submitted by
agencies for funding authorized under the Fund.
(2) Responsibilities.--The responsibilities of the Board are
the following:
(A) Provide input to the Director for the development
of processes for agencies to submit modernization
proposals to the Board and to establish the criteria by
which such proposals are evaluated, which shall include
addressing the greatest security and operational risks,
having the greatest Governmentwide impact, and having a
high probability of success based on factors such as a
strong business case, technical design, procurement
strategy (including adequate use of incremental
software development practices), and program
management.
(B) Make recommendations to the Administrator of
General Services to assist agencies in the further
development and refinement of select submitted
modernization proposals, based on an initial evaluation
performed with the assistance of the Administrator of
General Services.
(C) review and prioritize, with the assistance of the
Administrator of General Services and the Director,
modernization proposals based on criteria established
pursuant to subparagraph (A).
(D) Identify, with the assistance of the
Administrator of General Services, opportunities to
improve or replace multiple information technology
systems with a smaller number of information technology
systems common to multiple agencies.
(E) Recommend the funding of modernization projects,
in accordance with the uses described in subsection
(a)(3), to the Administrator of General Services.
(F) Monitor, in consultation with the Administrator
of General Services, progress and performance in
executing approved projects and, if necessary,
recommend the suspension or termination of funding for
projects based on factors such as failure to meet the
terms of the written agreement described in subsection
(a)(6).
(G) Monitor operating costs of the Fund.
(3) Membership.--The Board shall consist of 8 voting members.
(4) Chair.--The Chair of the Board shall be the Administrator
of the Office of Electronic Government.
(5) Permanent members.--The permanent members of the Board
shall be the following:
(A) The Administrator of the Office of Electronic
Government.
(B) A senior official from the General Services
Administration, who shall be appointed by the
Administrator of General Services.
(6) Additional members of the board.--
(A) Appointment.--The other members of the Board
shall be appointed as follows:
(i) One employee of the National Institute of
Standards and Technology of the Department of
Commerce, appointed by the Secretary of
Commerce.
(ii) One employee of the National Protection
and Programs Directorate of the Department of
Homeland Security, appointed by the Secretary
of Homeland Security.
(iii) One employee of the Department of
Defense, appointed by the Secretary of Defense.
(iv) Three Federal employees primarily having
technical expertise in information technology
development, financial management,
cybersecurity and privacy, and acquisition,
appointed by the Director.
(B) Term.--Each member of the Board described in
paragraph (A) shall serve a term of one year, which
shall be renewable up to three times, at the discretion
of the appointing Secretary or Director, as applicable.
(7) Prohibition on compensation.--Members of the Board may
not receive additional pay, allowances, or benefits by reason
of their service on the Board.
(8) Staff.--Upon request of the Chair of the Board, the
Director and the Administrator of General Services may detail,
on a nonreimbursable basis, any of the personnel of the Office
of Management and Budget or the General Services Administration
(as the case may be) to the Board to assist it in carrying out
its functions under this Act.
(c) Responsibilities of the Administrator of General Services.--
(1) In general.--In addition to the responsibilities
described in subsection (a), the Administrator of General
Services shall support the activities of the Board and provide
technical support to, and, with the concurrence of the
Director, oversight of, agencies that receive transfers from
the Fund.
(2) Responsibilities.--The responsibilities of the
Administrator of General Services are to--
(A) provide direct technical support in the form of
personnel services or otherwise to agencies transferred
amounts under subsection (a)(3)(A) and for products,
services, and acquisition vehicles funded under
subsection (a)(3)(B);
(B) assist the Board with the evaluation,
prioritization, and development of agency modernization
proposals;
(C) perform regular project oversight and monitoring
of approved agency modernization projects, in
consultation with the Board and the Director, to
increase the likelihood of successful implementation
and reduce waste; and
(D) provide the Director with information necessary
to meet the requirements of subsection (a)(7).
(d) Agency Defined.--In this section, the term ``agency'' has the
meaning given that term in section 551 of title 5, United States Code.
SEC. 5. DEFINITIONS.
In this Act:
(1) Cloud computing.--The term ``cloud computing'' has the
meaning given that term by the National Institute of Standards
and Technology in NIST Special Publication 800-145 and any
amendatory or superseding document thereto.
(2) Director.--The term ``Director'' means the Director of
the Office of Management and Budget.
(3) Information technology.--The term ``information
technology'' has the meaning given that term in section 3502 of
title 44, United States Code.
(4) Legacy information technology system.--The term ``legacy
information technology system'' means an outdated or obsolete
system of information technology.
Committee Statement and Views
PURPOSE AND SUMMARY
H.R. 6004, the Modernizing Government Technology (MGT) Act
of 2016, authorizes two types of funds for the purpose of
modernizing the federal government's legacy information
technology (IT) and incentivizing IT savings in federal
agencies. The bill authorizes Chief Financial Officer Act
agencies to establish agency-specific IT modernization funds
and the U.S. Office of Management and Budget (OMB) to oversee a
government-wide IT modernization fund in the U.S. Department of
Treasury to be administered by the General Services
Administration (GSA).
BACKGROUND AND NEED FOR LEGISLATION
H.R. 6004, the Modernizing Government Technology (MGT) Act
is the result of hearings held by the Committee on Oversight
and Government Reform (Committee) and an investigation by the
Committee into a federal agency data breach.
GAO 2015 High Risk Report. On February 11, 2015, the
Committee held a hearing on the U.S. Government Accountability
Office (GAO) 2015 High Risk List Report. For the first time,
GAO added ``Improving the Management of IT Acquisitions and
Operations'' to its biannual ``High Risk'' List.\1\ The 2015
GAO High Risk Report highlighted several general areas of
concern it deemed critical to improving IT acquisition and
realizing cost savings, including IT spending on Operations and
Maintenance (O&M). GAO found that agencies spent over $80
billion annually on IT investments, but over 75 percent of the
$80 billion was spent on legacy IT investments supported by O&M
funding. Because there is an increasing amount of O&M funding
spent on legacy programs, less funding is available for
development.
---------------------------------------------------------------------------
\1\Gov't Accountability Office, GAO-15-290, 2015 GAO High Risk
Report, (Feb. 2015).
---------------------------------------------------------------------------
Oversight Letter on Legacy IT. In December 2015, the
Committee sent a bipartisan and bicameral letter to agencies
requesting information from agencies on: (1) mission-critical
systems in need of modernization; (2) oldest programming
languages in use; (3) top five oldest IT hardware/
Infrastructure in use; (4) unsupported software and operating
systems; (5) the number of decommissioned legacy systems over
the last five years; and (6) IT staffing information.\2\
---------------------------------------------------------------------------
\2\Letter from the Hon. Jason Chaffetz, Chairman, H. Comm. on
Oversight & Gov't Reform, Reps. Mark Meadows, Will Hurd, Gerry
Connolly, Robin Kelly; and Senator Ron Johnson, Chairman S. Comm. on
Homeland Security and Gov't Affairs and Senators Thomas Carper, Jerry
Moran, and Tom Udall to federal agencies (Dec. 22, 2015) (Letter and
agency responses on file with the Committee).
---------------------------------------------------------------------------
The agency responses varied in level of detail and
timeliness. Individual agency responses are on file with the
Committee, but the following paragraphs provide a summary of
key legacy IT information in five different areas that was
provided by the agencies in their responses.
Mission Critical Systems in Need of Modernization.
Generally, agencies provided dates for modernizing mission
critical systems in need of modernization, but five agencies
declined to provide this information for all systems
identified. Agencies also reported spending a total of nearly
$23 billion in O&M costs on these systems over the last three
years.
Oldest Programming Languages. Agencies reported over 930
million lines of code using more than 70 legacy programming
languages. However, the Department of Defense (DOD) and the
Department of Labor could not provide the number of lines of
code. The top five legacy programming languages reported (date
first developed): (1) Active Server Pages (ASP) (2000)--424
million lines; (2) Common Business Oriented Language (COBOL)
(1960s)--156 million lines; (3) Fortran (1960s)--136 million
lines; (4) C (early 1970s), C++ (1979), C# (1999/2000)--62
million lines; and (5) Assembly Language Code (1950s)--31
million lines. The Committee also learned that NASA uses 51
different programming languages. Agencies reported the most
staff to support the following languages: COBOL (1,085) and
Fortran (613).
Infrastructure/Hardware in Need of Modernization. Ten
agencies did not report a specific date for the modernization
of at least one of outdated hardware or infrastructure
identified by the agency.
Unsupported Software and Operating Systems. Agencies
reported over 550 unsupported systems or software. The
Department of Health and Human Services (HHS) declined to
provide details on unsupported software due to security
concerns. The oldest reported unsupported software is a Fortran
compiler that was last supported in 1991. Agencies also
reported still using Windows 3.1, NT, 95, and XP. The
Department of the Treasury reported the largest number of
unsupported software/OS. DOD only reported two unsupported
operating systems (OS), Windows XP and Windows Server 2003.
Decommissioned Legacy Systems. Agencies reported over 3,200
systems decommissioned over the last five years. The Department
of State reported the largest number of decommissioned systems
with 950 systems. DOD reported the oldest system decommissioned
with the Automated Best Value System (which was initialized in
the early 1960s).
IT Staff. Agencies reported 244,000 IT staff (including
contractors and federal staff). Based on the total number of IT
staff reported to the Committee, DOD employs 74 percent of the
reported IT staff. Twelve agencies did not or were not able to
provide details on contractor staff. Finally, the average age
of IT staff reported to the Committee was 49.4 years old.
GAO Report and Committee Hearing on Legacy IT. On May 25,
2016, the Committee held a hearing, ``Federal Agencies'
Reliance on Outdated and Unsupported Information Technology: A
Ticking Time Bomb,'' to discuss legacy IT and the GAO findings
in a report entitled, ``Federal Agencies Need to Address Aging
Legacy Systems.''\3\ The Report assessed 26 agencies' IT O&M
spending plans for Fiscal Year (FY) 2010 through 2017 and
reviewed in detail the IT spending and individual investments
for 12 of these agencies. GAO reported that the federal
government spent about 75 percent of the total annual IT budget
(over $80 billion) for FY 2015 on O&M investments and such
spending had increased over the past seven fiscal years. GAO
also reported that federal legacy IT investments are becoming
increasingly obsolete with outdated software languages and
hardware parts that are not supported.
---------------------------------------------------------------------------
\3\Gov't Accountability Office, GAO-16-468, Federal Agencies Need
to Address Aging Legacy Systems, (May 2016).
---------------------------------------------------------------------------
The following are key GAO findings from the Report: (1)
5,233 of approximately 7,000 federal IT investments are
spending all of their funds on O&M activities; (2) O&M spending
has increased over the past seven fiscal years; (3) In FY 2015,
the top 10 IT investments O&M spending totaled $12.5 billion,
including: (a) $4.38 billion by HHS for the Centers for
Medicare and Medicaid Services' Medicare Management Information
System; and (b) $1.25 billion by DOD for the Defense
Information Systems Network.
Outdated Programming Languages and Unsupported Hardware.
GAO also reported that federal legacy IT investments are
becoming increasingly obsolete with outdated software languages
and hardware parts that are not supported. GAO found several
agencies (including the Departments of Agriculture, Homeland
Security, HHS, Justice, Treasury, and Veterans Affairs (VA))
reported using COBOL to program legacy systems. COBOL was first
developed in the late 1950s and early 1960s. GAO also noted
that all of the 12 agencies selected for detailed review
reported using unsupported operating systems and components in
their FY 2014 Federal Information Security Management Act
(FISMA) reports. According to GAO, the following Departments
also reported using 1980s and 1990s Microsoft operating systems
that have not been supported by the vendor in almost ten years:
Commerce, DOD, Treasury, HHS, and VA.
The Report provided examples of legacy investments and
systems where agencies reported ages of over 50 years old.\4\
For example, the IRS reported that the Individual Master File
(IMF), which is the authoritative data source for individual
taxpayer information, is over 50 years old. The IMF uses ALC.
ALC (a.k.a Assembly) is a low level computer code that is
difficult to create and maintain and operates on an IBM
mainframe. The IRS Chief Information Officer (CIO) has said
they are working to modernize the IMF (which was first
developed in Assembly in the 1960s) and have developed a
process to translate Assembly code to Java to facilitate this
modernization.\5\
---------------------------------------------------------------------------
\4\Some of these systems and investments may have individual
components newer than the age reported by the agency.
\5\Committee staff call with Terry Milholland, IRS CIO (May 19,
2016).
---------------------------------------------------------------------------
In another example, DOD reported that its Strategic
Automated Command and Control System is over 50 years old. This
system coordinates the operational functions of the U.S.
nuclear forces and is run on an IBM Series/1 computer (from the
1970s) and uses 8-inch floppy disks. GAO noted that the 8-inch
floppy disk was first introduced in the 1970s and only holds 80
kilobytes of data. A single modern flash drive can hold the
same amount of data as 3.2 million floppy disks. DOD is
modernizing this system with updated data storage, port
expansion, portable terminals, and desktop terminals with a
scheduled completion date the end of FY 2017.
Modernization Planning for O&M Investments. GAO examined
several O&M investments that agency CIOs rated as moderate or
high risk to determine whether agencies had replacement or
modernization plans. GAO found that of the 23 O&M investments
they reviewed agencies did have plans to replace or modernize
19 of these investments. GAO acknowledged these plans but
challenged the quality of these plans for 12 of the 19 O&M
investments because the plans were general or tentative; and
did not provide specific timelines, activities to be performed
or functions to be replaced or enhanced. For example, GAO
identified two O&M investments for HHS with moderate risk
ratings (Centers for Medicare and Medicaid Services Medicare
Appeals System (moderate) and Trusted Internet Connection
Investment (moderate) where HHS has general modernization plans
that lacked detail.
GAO reported that OMB has recognized the upward trend in
O&M spending and has attributed this trend to several factors,
including: (1) O&M activities require maintaining legacy
hardware which costs more over time; (2) costs to maintain
applications and systems that use older programming languages
have increased since programmers with these skills are
increasingly rare and more expensive; and (3) often when there
is uncertainty as to how to characterize spending, agencies opt
to characterize such investments as O&M because these attract
less oversight, require less documentation and have a lower
risk of reduced funding.
Chairman Chaffetz on Legacy IT. During the May 25, 2016
Committee hearing on legacy IT, Chairman Jason Chaffetz (R-UT)
noted that, ``Federal agencies spend over $80 billion annually
on IT, with the majority of this spending focused on
maintaining and operating legacy systems. Such spending on
legacy IT results in higher costs and security vulnerabilities
where old software or operating systems are no longer supported
by vendors the federal . . . government is years and in some
cases decades behind the private sector.'' Chairman Chaffetz
also stated that, ``we have a long way to go to get from COBOL
to the Cloud, but I am committed to helping get us there'' and
noted that the hearing was an oversight hearing, ``but also
ultimately about government reform.''\6\
---------------------------------------------------------------------------
\6\Federal Agencies' Reliance on Outdated and Unsupported
Information Technology: A Ticking Time Bomb Hearing Before the H. Comm.
on Oversight & Gov't Reform, 114th Cong. (May 25, 2016).
---------------------------------------------------------------------------
Testimony of the Federal CIO. On May 25, 2016, in testimony
before the Committee, federal CIO Tony Scott outlined the
challenges associated with legacy IT, and described actions the
Administration had taken to address this problem and explained
how an IT Modernization Fund (ITMF) could improve the
situation. Mr. Scott said legacy IT poses significant security
and operations risks and said ``absent timely action, the cost
to operate and maintain legacy systems, as well as security
vulnerabilities and other risks, will continue to grow.'' Mr.
Scott also described the advantages of the proposed ITMF
process by saying it was analogous to a corporate capital
committee in the private sector where IT investments are
presented with a viable business case that demonstrates
improved performance and lower costs--for approval.
Office of Personnel Management (OPM) Data Breach Lessons
Learned and Legacy IT Recommendation. In September 2016, a
Majority Committee Staff Report entitled, The OPM Data Breach:
How the Government Jeopardized Our National Security for More
than a Generation, included a recommendation to ``modernize
existing legacy federal information technology assets.'' Based
on the investigation of the OPM data breach, the Report found
``there is a pressing need for federal agencies to modernize
legacy IT in order to mitigate the cybersecurity threat
inherent in unsupported, end of life IT systems and
applications.''\7\ The Report illustrated this need for
modernization by noting that OPM said their legacy systems were
often not capable of accepting certain types of encryption.\8\
---------------------------------------------------------------------------
\7\Committee on Oversight & Gov't Reform Majority Staff Report, The
OPM Data Breach: How the Government Jeopardized Our National Security
for More than a Generation (Sept. 7, 2016) at 19.
\8\Id. at 25.
---------------------------------------------------------------------------
As a consequence, the Report recommended that, ``[f]ederal
agencies should utilize existing tools and Congress should
consider new tools to incentivize the transition from legacy to
modernized IT solutions'' and noted that ``[s]uch reliance on
legacy IT can result in security vulnerabilities where old
software or operating systems are no longer supported by
vendors and aging IT infrastructure becomes difficult and
expensive to secure.''\9\ H.R. 6004 authorizes new funding
tools to jumpstart agency IT modernization efforts and
incentivize agencies to realize cost savings through
modernization.
---------------------------------------------------------------------------
\9\Id.
---------------------------------------------------------------------------
Legislation to Address the Challenge of Legacy IT. H.R.
6004, the Government Modernization Technology (MGT) Act of
2016, provides tools to address the challenge of legacy IT that
in conjunction with the enhanced Chief Information Officer
(CIO) authorities enacted in the Federal IT Acquisition Reform
Act (FITARA)\10\ should drive agency modernization initiatives.
H.R. 6004 is intended to build on FITARA and empower and hold
accountable covered agency CIOs to pursue IT modernization. The
covered agency CIO refers to the CIO with primary authority
over the full agency IT portfolio and who reports to the agency
head or senior management of the covered agency.
---------------------------------------------------------------------------
\10\National Defense Authorization Act Fiscal Year 2015, P.L. 113-
291, Title VIII, Subtitle D (Dec. 19, 2014).
---------------------------------------------------------------------------
H.R. 6004 adopted slightly modified language from two IT
modernization bills previously introduced in the 114th
Congress. On April 11, 2016, Rep. Steny Hoyer (D-MD) introduced
H.R. 4897, the Information Technology Modernization (ITMF) Act
and on July 14, 2016, Rep. Will Hurd (R-TX) introduced H.R.
5792, the Modernizing Outdated and Vulnerable Equipment and
Information Technology Act (MOVE IT). The general concepts of
these two bills were combined.
First, H.R. 4897 would have established a centralized IT
modernization fund in the Treasury to be managed by OMB, with
the General Services Administration (GSA) to serve in a
ministerial role supporting an independent ITMF Board of IT
experts and implement ITMF Board decisions with oversight from
OMB and the Board. Agencies would apply to the ITMF Board for
funding with a business case that would demonstrate sound
design and measurable outcomes, including lower life cycle
costs and improved security and operational performance. The
ITMF would be focused on identifying government-wide priorities
and be available to all executive branch agencies. These
concepts are carried in H.R. 6004.
H.R. 6004, section 4(b)(2) describes the ITMF Board
responsibilities. These responsibilities include identifying
opportunities to improve or replace multiple IT systems with a
smaller number of IT systems common to multiple agencies. The
Committee encourages the ITMF Board to consult with the federal
CIO Council in their efforts to identify such opportunities.
Further, the Committee would expect the ITMF Board to focus on
modernization of existing systems when shifting to IT systems
that may be leveraged by multiple agencies. The ITMF is
established as a funding mechanism available to covered agency
CIOs, through an application process to fund IT projects that
provide substantial and direct transformation away from legacy
IT toward more efficient modernized technologies and services.
Given the critical IT needs of the federal government, the ITMF
should be used solely to modernize federal IT systems.
Second, H.R. 5792, the MOVE IT Act, would have established
IT modernization funds in individual CFO Act agencies to be
managed by covered agency CIOs. This approach would provide
covered agency CIOs the opportunity to identify agency IT
priorities and realize and reinvest savings from agency
modernization efforts. The MOVE IT approach also promotes
increased flexibility in managing IT funds by giving agencies
the opportunity to reprogram or transfer certain funds to
capitalize the agency IT modernization funds, with appropriate
oversight from the Appropriations Committees. These concepts
are included in H.R. 6004.
H.R. 6004 clarifies the authorized uses of agency IT
modernization funds in section 3(a)(3). Section 3(a)(3)(D)
provides agencies the option to use the agency IT modernization
fund to reimburse the ITMF should the agency have received such
funding through a successful application to the ITMF Board.
This language makes clear that such reimbursement to the ITMF
may only be made with the approval of the covered agency CIO.
Agency CIOs are expected to exercise independent judgment in
evaluating whether to use their IT modernization fund to
reimburse the ITMF. H.R. 6004 also encourages agencies to
consider, to the extent practicable, guidelines developed by
OMB and the ITMF Board for purposes of evaluating IT
modernization projects to be funded by the agency IT
modernization fund. This provision in H.R. 6004 is not intended
to establish a mandatory requirement, but it is intended to
facilitate the sharing of best practices in evaluating IT
modernization projects.
H.R. 6004, section 3(b) and section 4(a)(7) establishes
reporting requirements for individual agency IT modernization
funds and the ITMF. The Committee considers these reporting
requirements essential to maintaining transparency on the use
of these funding mechanisms and expects timely updates of this
information on a public website. Further, the Committee
encourages the submission of information on cost savings for
projects funded through these mechanisms.
Finally, H.R. 6004 defines legacy information systems to
mean ``an outdated or obsolete system of information
technology.'' The Committee acknowledges this is a broad
definition, but expects covered agency CIOs and the ITMF Board
to prioritize for modernization legacy IT systems that pose
significant security and operational risks. Further, a
significant indicator that an IT system is outdated or
obsolete--or falls within the definition of legacy IT systems
in H.R. 6004--is that it is no longer being supported by an
original vendor or manufacturer.
LEGISLATIVE HISTORY
H.R. 6004, the Modernizing Government Technology (MGT) Act
of 2016 was introduced on September 13, 2016 by Representative
Will Hurd (R-TX) and referred to the Committee on Oversight and
Government Reform. In addition, the bill was referred to the
Committee on Appropriations. There are five original
cosponsors: Rep. Gerry Connolly (D-VA), Chairman Jason Chaffetz
(R-UT), Ranking Member Elijah Cummings (D-MD), Rep. Robin Kelly
(D-IL), and Rep. Ted Lieu (D-CA). Rep. Kevin McCarthy (R-CA)
and Rep. Steny Hoyer (D-MD) are also cosponsors.
On September 15, 2016, the Committee on Oversight and
Government Reform ordered H.R. 6004 favorably reported by voice
vote, with an amendment.
In 2016, two related bills were introduced that informed
the text of H.R. 6004. These related bills are: (1) H.R. 4897,
Information Technology Modernization Act, which was introduced
by Rep. Steny Hoyer (D-MD) on April 11, 2016 and referred to
the Committee on Oversight and Government Reform; and (2) H.R.
5792, Modernizing Outdated and Vulnerable Equipment and
Information Technology Act, which was introduced by Rep. Will
Hurd on July 14, 2016 and referred to the Committee on
Oversight and Government Reform and in addition to the
Committee on Appropriations.
On February 11, 2015, the Committee on Oversight and
Government Reform held a hearing on the Government
Accountability Office (GAO) 2015 High Risk List Report. For the
first time, GAO added ``Improving the Management of IT
Acquisitions and Operations'' to its biannual ``High Risk''
List.\11\
---------------------------------------------------------------------------
\11\2015 GAO High Risk Report, GAO-15-290 (Feb. 2015) at 39.
---------------------------------------------------------------------------
On May 25, 2016, the Committee on Oversight and Government
Reform held a hearing to discuss GAO findings in a report
entitled, ``Federal Agencies Need to Address Aging Legacy
Systems.''\12\
---------------------------------------------------------------------------
\12\Federal Agencies Need to Address Aging Legacy Systems, GAO-16-
468 (May 2016).
---------------------------------------------------------------------------
Section-by-Section
Section 1. Short title
Designates the short title of the bill as the
``Modernization Government Technology Act of 2016''.
Section 2. Findings; Purposes
Makes four findings: (1) the federal government spends
nearly 75 percent of its annual information technology (IT)
budget on operating and maintaining existing legacy IT systems.
These systems can pose operational risks, including rising
costs and inability to meet mission requirements. These systems
also pose security risks, including the inability to use
current security best practices, such as data encryption and
multi-factor authentication, making such systems particularly
vulnerable to malicious cyber activity; (2) the GAO designated
improving the management of IT acquisitions and operations to
its biannual High Risk List and identified as a particular
concern the increasing level of IT spending on Operations and
Maintenance making less funding available for development or
modernization; (3) the federal government must modernize
federal IT systems to mitigate existing operational and
security risks; and (4) the efficiencies, cost savings, and
greater computing power, offered by modernized solutions, such
as cloud computing have the potential to (a) eliminate
duplication and reduce costs, (b) address the critical need for
cyber security by design, and (c) move the federal government
into a broad, digital-services delivery model that will
transform the federal government's ability to meet mission
requirements and deliver services to the American people.
Describes three purposes: (1) to assist the federal
government in modernizing federal IT to mitigate current
operational and security risks; (2) to incentivize cost savings
in federal IT through modernization; (3) to accelerate the
acquisition and deployment of modernized IT solutions, such as
cloud computing, by addressing impediments in the areas of
funding, development, and acquisition practices.
Section 3. Establishment of agency information technology systems
modernization and working capital funds
Establishes in each CFO Act agency an IT system
modernization and working capital fund: (1) for the replacement
of legacy IT systems; (2) for the transition to cloud computing
and innovative platforms and technologies subject to a
transition plan for any project more than $5 million and
approved by the agency CIO; (3) to assist and support agency
efforts to provide adequate, risk-based, and cost-effective IT
capabilities that address evolving threats to information
security; and (4) for development, modernization, and
enhancement activities of IT.
Requires that funds are deposited into the IT working
capital fund by: (1) reprogramming of funds, including
reprogramming of funds available on the date of enactment for
the operation and maintenance of legacy IT systems, in
compliance with applicable reprogramming laws or guidelines of
the Appropriations Committees; (2) transferring of funds,
including funds available on the date of enactment for the
operation and maintenance of legacy IT systems, but only if
transfer authority is specifically provided for by law; and (3)
amounts made available through discretionary appropriations.
Requires that an agency IT working capital fund may be used
only to: (1) improve, retire, or replace existing IT systems to
improve efficiency and effectiveness; (2) transition to cloud
computing and innovative platforms and technologies; (3) assist
and support agency efforts to provide adequate, risk-based, and
cost-effective IT capabilities that address evolving threats to
information security; and (4) reimburse funds transferred from
the Information Technology Modernization fund described in
Section 4 with approval of the agency CIO.
States an IT working capital fund may not be used to
supplant funds provided for the operation and maintenance of
any systems already within an appropriation for the agency at
the time the IT working capital fund is established.
Requires the head of each agency to prioritize funds within
the IT working capital fund to be used initially for cost
savings activities approved by the agency CIO, in consultation
with the Administrator of the Office of Electronic Government
(i.e., the federal CIO).
Authorizes the head of each agency to: (1) reprogram any
amounts saved as a direct result of such activities for deposit
into the applicable IT working capital fund; and (2) transfer
any amounts saved as a direct result of such activities for
deposit into the applicable IT working capital fund, consistent
with applicable law and guidelines of the Appropriations
Committees.
Requires all funds deposited into an IT working capital
fund to be obligated not later than three years after the date
of such deposit and any such funds unobligated 3 years after
such date shall be returned to the Treasury and reported to the
Appropriations Committees.
Requires agency CIOs, in evaluating projects to be funded
from the agency IT working capital fund, to consider to the
extent practicable guidance established by OMB, under Section 4
for evaluating IT projects to be funded by the IT Modernization
Fund established at Treasury, overseen by OMB, and administered
by GSA.
Requires agencies to submit one year after enactment and
every 6 months thereafter to OMB information on the agency's IT
working capital fund, including a list of IT investments funded
by the working capital fund and a summary by fiscal year of the
obligations, expenditures, and unused balances of the working
capital fund and requires OMB to make such information
available on a public website.
Section 4. Establishment of Information Technology Modernization Fund
and board
Establishes in the Treasury an Information Technology
Modernization Fund (ITMF) for technology-related activities to
improve IT and to enhance cybersecurity across the federal
government, and requires the ITMF be administered by GSA, in
accordance with OMB guidance.
Requires GSA, in consultation with the federal CIO Council
and with the concurrence of the Director, to administer the
ITMF in accordance with the recommendations of the ITMF Board
and for the following purposes: (1) to transfer such amounts to
remain available until expended to the head of an agency to
improve, retire, or replace existing IT systems to enhance
cybersecurity and improve efficiency and effectiveness; (2) for
the development, operation, and procurement of IT products,
services, and acquisition vehicles for agencies' use to improve
government-wide efficiency and cybersecurity in accordance with
agencies' requirements; and (3) to provide services or work
performed in support of the activities described in (1) and
(2).
Authorizes all executive branch agencies (5 U.S.C. 551) to
apply to the ITMF.
Requires that in addition to funds otherwise appropriated,
the ITMF shall be credited with all reimbursements, advances,
or refunds or recoveries relating to IT or services provided
through the fund and amounts deposited, credited, or otherwise
made available to the ITMF shall be available until expended
and without further appropriation.
Requires agencies to reimburse the ITMF for use of products
or services funded by the ITMF and to reimburse the ITMF for
any transfers made to the agency under the terms of a written
agreement to develop a modernized IT solution.
Establishes that GSA shall, in consultation with OMB,
establish amounts to be paid by the agency and terms of
repayment for use of a product or service funded by the ITMF
(at levels sufficient to maintain ITMF solvency) and requires
GSA to obtain approval from OMB before making any changes to
established amounts and terms of payment.
Authorizes GSA to obtain agency reimbursement by issuing a
transfer or counterwarrant or other lawful transfer documents
if payment is not made by the agency within 90 days after
expiration of a repayment period or within 45 days after the
expiration of time to make a payment under an established
payment schedule.
Establishes a requirement for a written agreement between
the head of the agency and GSA, in consultation with OMB, to
document the purpose of funds used and the terms of repayment
and requires funds shall be transferred to an agency on an
incremental basis, tied to metric-based development milestones
achieved by the agency (as described in the written agreement).
Requires OMB to publish and maintain a list of each project
funded by the ITMF on a public website not later than 6 months
after enactment and to update not less than quarterly details
of projects funded by the ITMF including a project description,
project status (including schedule delay and cost overruns) and
financial expenditure data related to the project.
Establishes an ITMF Board to evaluate proposals submitted
by agencies for funding authorized under the ITMF.
Establishes the following ITMF Board responsibilities: (1)
provide input to OMB for the development of processes for
agency submission of modernization proposals to the Board and
to establish the proposal evaluation criteria which shall
include addressing the greatest security and operational risks
having the greatest governmental-wide impact and having a high
probability of success based on factors such as a strong
business case, technical design, procurement strategy
(including adequate use of incremental software development),
and program management; (2) make recommendations to GSA to
assist agencies in further development and refinement of select
submitted modernization proposals; (3) review and prioritize
with GSA and OMB assistance modernization proposals based upon
criteria established in paragraph (1); (4) identify with GSA
assistance opportunities to improve or replace multiple IT
systems with a small number of IT systems common to multiple
agencies; (5) recommend the funding of modernization projects;
(6) monitor, in consultation with GSA, progress and performance
in executing approved ITMF projects and if necessary recommend
suspension or termination of funding for projects based on
factors such as failure to meet the terms of the written
agreement; and (7) monitor operating costs of the fund.
Establishes the membership of the ITMF Board to include
eight voting members with the federal CIO to Chair the Board
and the permanent members designated as the Chair and a senior
GSA official to be appointed by the GSA Administrator.
Additional ITMF Board members who are to serve one-year
terms that may be renewable up to three times are: (1) one
employee of the National Institute of Standards and Technology
of the Department of Commerce to be appointed by the Secretary;
(2) one employee of the National Protection and Programs
Directorate of the Department of Homeland Security to be
appointed by the Secretary; (3) one employee of the Department
of Defense to be appointed by the Secretary; and (4) three
federal employees primarily having technical expertise in IT
development, financial management, cybersecurity and privacy
and acquisition, appointed by the OMB Director.
Prohibits ITMF Board members from receiving additional pay,
allowances, or benefits by reason of their service on the ITMF
Board.
Authorizes nonreimbursable details of OPM or GSA staff to
the ITMF Board, upon request of the ITMF Board chair, to assist
in carrying out the ITMF Board responsibilities.
Establishes GSA responsibilities to support the activities
of the Board and provide technical support to and in
consultation with the Director, oversight of agencies that
receive ITMF funding. GSA specific responsibilities are to: (1)
provide direct technical support in the form of personnel
services or otherwise to agencies that receive transfers from
the ITMF; (2) assist the ITMF Board with the evaluation,
prioritization, and development of agency modernization
proposals; (3) perform regular project oversight and monitoring
of approved agency modernization projects, in consultation with
the ITMF Board and the OMB Director to increase the likelihood
of successful implementation and reduce waste; and (4) provide
the Director with information necessary to fulfill reporting
requirements, including a list of projects funded by the ITMF
on a public website to be updated not less than quarterly with
a description of the project, project status and financial
expenditure data related to the project.
Section 5. Definitions
Defines Cloud Computing, Director (as Director of OMB),
Information Technology, and Legacy Information Technology
System.
Explanation of Amendments
During Full Committee consideration of the bill, Rep. Will
Hurd (R-TX) offered an amendment that clarifies the role of GSA
in administering the ITMF and reasserts the primacy under
FITARA of agency CIO's being fully in charge of the IT budgets
at their agencies. The Hurd amendment was adopted by voice
vote.
Committee Consideration
On September 15, 2016 the Committee met in open session and
ordered reported favorably the bill, H.R. 6004, as amended, by
voice vote, a quorum being present.
Roll Call Votes
No roll call votes were requested or conducted during Full
Committee consideration of H.R. 6004.
Application of Law to the Legislative Branch
Section 102(b)(3) of Public Law 104-1 requires a
description of the application of this bill to the legislative
branch where the bill relates to the terms and conditions of
employment or access to public services and accommodations.
This bill modernizes Government information technology. As such
this bill does not relate to employment or access to public
services and accommodations.
Statement of Oversight Findings and Recommendations of the Committee
In compliance with clause 3(c)(1) of rule XIII and clause
(2)(b)(1) of rule X of the Rules of the House of
Representatives, the Committee's oversight findings and
recommendations are reflected in the descriptive portions of
this report.
Statement of General Performance Goals and Objectives
In accordance with clause 3(c)(4) of rule XIII of the Rules
of the House of Representatives, the Committee's performance
goal and objective of the bill is to modernize Government
information technology.
Duplication of Federal Programs
No provision of this bill establishes or reauthorizes a
program of the Federal Government known to be duplicative of
another Federal program, a program that was included in any
report from the Government Accountability Office to Congress
pursuant to section 21 of Public Law 111-139, or a program
related to a program identified in the most recent Catalog of
Federal Domestic Assistance.
Disclosure of Directed Rule Makings
The Committee estimates that enacting this bill does not
direct the completion of any specific rule makings within the
meaning of 5 U.S.C. 551.
Federal Advisory Committee Act
The Committee finds that the legislation does not establish
or authorize the establishment of an advisory committee within
the definition of 5 U.S.C. App., Section 5(b).
Unfunded Mandate Statement
Section 423 of the Congressional Budget and Impoundment
Control Act (as amended by Section 101(a)(2) of the Unfunded
Mandate Reform Act, P.L. 104-4) requires a statement as to
whether the provisions of the reported include unfunded
mandates. In compliance with this requirement the Committee has
received a letter from the Congressional Budget Office included
herein.
Earmark Identification
This bill does not include any congressional earmarks,
limited tax benefits, or limited tariff benefits as defined in
clause 9 of Rule XXI.
Committee Estimate
At the time of this writing, the Committee had yet to
receive a formal cost estimate from the Congressional Budget
Office for H.R. 6004. The Committee notes that the bill does
not authorize any new appropriations. Section 3 of the bill
requires agencies to establish new individual information
technology modernization working capital funds, which may
involve minimal administrative costs. Further, section 4 of the
bill requires the establishment of a new centralized
information technology modernization fund and board. However,
additional pay for board members is prohibited and board staff
would be detailed on a non-reimbursable basis.
Budget Authority and Congressional Budget Office Cost Estimate
With respect to the requirements of clause 3(c)(2) of rule
XIII of the Rules of the House of Representatives and section
308(a) of the Congressional Budget Act of 1974 and with respect
to requirements of clause (3)(c)(3) of rule XIII of the Rules
of the House of Representatives and section 402 of the
Congressional Budget Act of 1974, the Committee has not
received a cost estimate for this bill from the Director of
Congressional Budget Office, and instead has included a
committee estimate in the section prior to this one.
[all]