[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]

FITARA 10.0

HEARING BEFORE THE SUBCOMMITTEE ON GOVERNMENT OPERATIONS OF THE COMMITTEE ON OVERSIGHT AND REFORM, HOUSE OF REPRESENTATIVES, ONE HUNDRED SIXTEENTH CONGRESS, SECOND SESSION

AUGUST 3, 2020

Serial No. 116-110

Printed for the use of the Committee on Oversight and Reform

Available on: govinfo.gov, oversight.house.gov or docs.house.gov

U.S. GOVERNMENT PUBLISHING OFFICE, 41-910 PDF, WASHINGTON : 2020

COMMITTEE ON OVERSIGHT AND REFORM

Carolyn B. Maloney, New York, Chairwoman

Majority: Eleanor Holmes Norton, District of Columbia; Wm. Lacy Clay, Missouri; Stephen F. Lynch, Massachusetts; Jim Cooper, Tennessee; Gerald E. Connolly, Virginia; Raja Krishnamoorthi, Illinois; Jamie Raskin, Maryland; Harley Rouda, California; Ro Khanna, California; Kweisi Mfume, Maryland; Debbie Wasserman Schultz, Florida; John P. Sarbanes, Maryland; Peter Welch, Vermont; Jackie Speier, California; Robin L. Kelly, Illinois; Mark DeSaulnier, California; Brenda L. Lawrence, Michigan; Stacey E. Plaskett, Virgin Islands; Jimmy Gomez, California; Alexandria Ocasio-Cortez, New York; Ayanna Pressley, Massachusetts; Rashida Tlaib, Michigan; Katie Porter, California.

Minority: James Comer, Kentucky, Ranking Minority Member; Jim Jordan, Ohio; Paul A. Gosar, Arizona; Virginia Foxx, North Carolina; Thomas Massie, Kentucky; Jody B. Hice, Georgia; Glenn Grothman, Wisconsin; Michael Cloud, Texas; Bob Gibbs, Ohio; Clay Higgins, Louisiana; Ralph Norman, South Carolina; Chip Roy, Texas; Carol D. Miller, West Virginia; Mark E. Green, Tennessee; Kelly Armstrong, North Dakota; W. Gregory Steube, Florida; Fred Keller, Pennsylvania.

David Rapallo, Staff Director
Wendy Ginsberg, Subcommittee Staff Director
Cameron MacPherson, Clerk
Contact Number: 202-225-5051
Christopher Hixon, Minority Staff Director

Subcommittee on Government Operations

Gerald E. Connolly, Virginia, Chairman

Majority: Eleanor Holmes Norton, District of Columbia; John P. Sarbanes, Maryland; Jackie Speier, California; Brenda L. Lawrence, Michigan; Stacey E. Plaskett, Virgin Islands; Ro Khanna, California; Stephen F. Lynch, Massachusetts; Jamie Raskin, Maryland.

Minority: Jody B. Hice, Georgia, Ranking Minority Member; Thomas Massie, Kentucky; Glenn Grothman, Wisconsin; Gary Palmer, Alabama; Ralph Norman, South Carolina; W. Gregory Steube, Florida.

CONTENTS

Hearing held on August 3, 2020

Witnesses

Panel 1
Carol Harris, Director, IT Management Issues, Government Accountability Office (Oral Statement)
Clare Martorana, Chief Information Officer, Office of Personnel Management (Oral Statement)
Jason Gray, Chief Information Officer, Department of Education (Oral Statement)
Maria A. Roat, Deputy Federal Chief Information Officer, Office of Management and Budget (Oral Statement)

Panel 2
David Powner, Director of Strategic Engagement and Partnerships, The MITRE Corporation (Oral Statement)
LaVerne Council, Chief Executive Officer, Emerald One, LLC (Oral Statement)
Richard Spires, Principal, Richard A. Spires Consulting (Oral Statement)

* Written opening statements and statements for the witnesses are available at: docs.house.gov.

INDEX OF DOCUMENTS

Documents listed below are available at: docs.house.gov.

* Report from Interos Solutions re: IT Supply Chain Vulnerabilities; submitted by Rep. Palmer.
* Questions for the Record: to Maria A. Roat; submitted by Chairman Connolly.
* Questions for the Record: to Jason Gray; submitted by Chairman Connolly.
* Questions for the Record: to Clare Martorana; submitted by Chairman Connolly.
* Questions for the Record: to Carol Harris; submitted by Chairman Connolly.
* Questions for the Record: to David Powner; submitted by Chairman Connolly.
* Questions for the Record: to LaVerne Council; submitted by Chairman Connolly.
* Questions for the Record: to Richard Spires; submitted by Chairman Connolly.
* Questions for the Record: to Maria A. Roat; submitted by Rep. Hice.
* Questions for the Record: to Jason Gray; submitted by Rep. Hice.
* Questions for the Record: to Clare Martorana; submitted by Rep. Hice.
* Questions for the Record: to Carol Harris; submitted by Rep. Hice.

FITARA 10.0

Monday, August 3, 2020
House of Representatives
Subcommittee on Government Operations
Committee on Oversight and Reform
Washington, D.C.

The subcommittee met, pursuant to notice, at 2:04 p.m., in room 2154, Rayburn House Office Building, Hon. Gerald E. Connolly (chairman of the subcommittee) presiding.

Present: Representatives Connolly, Norton, Lynch, Raskin, Hice, Grothman, and Palmer.

Mr. Connolly. Welcome, everybody, to the Subcommittee on Government Operations and our tenth hearing on FITARA. Before we begin, pursuant to House rules, most members today will appear by Webex, remotely. Since some members are appearing in person, or at least this member is, let me remind everyone that pursuant to the latest guidance from the House Attending Physician, all individuals attending this hearing in person must wear a face mask. I'm dropping mine only to speak.
Members who are not wearing a face mask will not be recognized. Let me also make a few reminders for those members appearing in person. You'll only see members and witnesses appearing remotely on the monitor in front of you when they are speaking in what is known as Webex active speaker view. A timer is visible in the room directly in front of you. For members appearing remotely, I know you're all familiar with Webex by now, but let me remind everybody about a few points. First, you will be able to see each person speaking during the hearing, whether they're in person or remote, as long as you have your Webex set to active speaker view. If you have any questions, contact Committee staff and they will try to be helpful. Second, we have a timer that should be visible on your screen when you're in the active speaker with thumbnail view. Members who wish to pin the timer to their screens should contact Committee staff for assistance. Third, the House rules require that we see you, so please have your cameras turned on if you're on remotely on Webex during this hearing. Fourth, members appearing remotely who are not recognized should remain muted to minimize background noise and feedback. Fifth, I'll recognize members verbally, but members retain the right to seek recognition verbally in regular order. Members will be recognized otherwise in seniority order for questions. Last, if you want to be recognized outside of regular order, you can identify it in several ways. You can use the chat function, you can send an email to majority staff, or you can unmute yourself to seek recognition verbally, though that's the least preferable way to do it. Obviously, we don't want people talking over each other. Let's see. OK. I will begin with my opening statement. Mr. Hice, you are on remotely?

Mr. Hice. Yes, sir, I'm here.

Mr. Connolly. OK. We're glad you're there.
I know you're in self-quarantine, and I know you'd prefer to be here physically, but I am really glad we have the hybrid remote option so that you can participate fully in today's hearing, and hope everything's going to be OK. And I'll call upon you as soon as I finish my opening statement for any remarks you may have. Today marks the tenth hearing examining agencies' implementation of the Federal Information Technology Acquisition Reform Act, known as FITARA, to track agencies' progress in Federal management and procurement. I'm happy to announce that this steady oversight has produced the first scorecard in which all agencies received a passing grade. This achievement is a testament to the hard work of Federal agencies' Chief Information Officers, and also a testament to, I think, this committee and subcommittee's steady and bipartisan oversight of FITARA since we enacted it in 2014. This isn't just about passing grades. These grades represent taxpayer dollars saved, better mission delivery, and serving the Nation more effectively and efficiently. And during this pandemic, we've come to realize just how vital good IT and strong IT governance are to Federal Government and the people we serve. We certainly have seen limitations because of lack of IT investment, whether it be with the Ethernet system at SBA, Small Business Administration, or the struggles of the IRS to provide personal checks to all citizens and dependents in America. We've also seen limitations in the unemployment systems in the 50 respective states. So, it underscores how important these investments in this kind of improvement really are. In November 2015, when we first introduced the FITARA scorecard, I said I hoped this would be the second in a series of hearings our subcommittee holds to gauge agency progress in realizing the transformative nature of FITARA's reforms. 
Five years later, the benefits of continued oversight, I think, are clear, and one would be hard-pressed to find a sustained bipartisan congressional oversight initiative on its tenth installation. These 24 agencies have made real improvements on the scorecard--and I think we're putting it up over there on that screen--over a period of time. In November 2015, the average FITARA grade was a D across all participating agencies. This year, for the first time, no agency received a D and no agency, of course, received an F. As I said before, these improvements represent vital services delivered and dollars saved. Among the FITARA scorecard categories with the greatest impact is the IT portfolio review process known as PortfolioStat. This process enables agencies to reduce commodity IT spending and demonstrate how IT investments align with the agency's mission and business function. PortfolioStat went from helping Federal agencies save $3 billion in fiscal 2015 to $20 billion this fiscal year. When the software licensing metric was first added to the scorecard in June 2017, 21 out of 24 agencies received an F grade for that metric. Now, 23 out of 24 agencies have As and have an inventory of software licenses and use that inventory to make cost-effective decisions and avoid duplications. Federal agencies are also closing and consolidating more data centers, resulting in significant cost savings. The 24 graded agencies have a reported total of $4.7 billion in cost savings from fiscal years 2012 through 2019. Those agencies have also reported plans to save more than $264 million in this Fiscal Year alone. At the very first FITARA hearing, a witness stated that IT is no longer just the business of the CIO; rather, IT is everybody's business. Never has this been clearer than in the wake of the coronavirus pandemic, where IT has saved thousands of lives by enabling people to telework and keep the government and the economy running while preserving their own health and safety. 
We have seen firsthand how the agencies that continued to use outdated IT during the pandemic prevented the delivery of government services when the public needed them most. Back in 2015, I cautioned that the FITARA scorecard was not to be considered a scarlet letter but a point-in-time snapshot to be able to measure progress and incentivizing. Five years and ten scorecards later, we're now at a point in time where all agencies have received passing grades, the first time ever. FITARA 10.0 marks the point at which we can reflect on five years' worth of progress. Initially, the FITARA scorecard consisted of four metrics, including data center consolidation, IT portfolio review savings, incremental project development delivery, and risk assessment transparency. Since then, the scorecard's success has led this subcommittee to incorporate other aspects of Federal IT into the grades. Our framework is not rigid, but like the best of IT, it evolves. We augmented and changed the scorecard to examine other key components, such as cybersecurity, and incorporated constructive feedback from agencies and CIOs. Today, the scorecard incorporates grades adapted from three additional pieces of legislation, including the MEGABYTE Act, the Modernizing Government Technology Act, and the Federal Information Security Management Act. The bottom line is that the FITARA scorecard continues to hold agencies accountable and show the American people that they deserve the best IT has to offer, yet all agencies still have work to do. Today, two-thirds of graded agencies have CIOs who report directly to the head or deputy of the agency. It's true that more CIOs are finally getting a seat at the table with other C-suite positions, but we'll hear from GAO today none of the 24 graded agencies have established policies that fully address the role of the CIO, as called for by Federal law and guidance. 
We must continue to work to ensure that all CIOs have the authority and policies in place to be able to properly do their jobs. This hearing will discuss which existing metrics have achieved their goals and which might need to be considered for retirement. We'll also start a careful discussion about what metrics might be incorporated in future scorecards to continue to improve IT across the government. In other words, we're going to continue this scorecard. Today I hope to hear from our witnesses at GAO about what it takes to continuously improve and use efficient IT acquisition and management practices to do that, what powers and authorities might CIOs and government need to improve government IT, and in return, what transparency and oversight will be provided to Congress and the public to ensure those new powers are used effectively and efficiently. We must continue to see the dividends from putting resources toward modernizing legacy systems, migrating to the cloud, and maintaining a strong cyber posture. With the coronavirus resurging as states pursue reopening, the stakes for effectively implementing FITARA are perhaps higher than ever. When executed well, government IT modernization can ensure the efficient delivery of critical services, improve the government's knowledge and decision-making, and save lives. When executed poorly, it can, unfortunately, lead to outright failures in serving the American people when they need the government the most. Simply put, the fate of the world's largest economy, it's no exaggeration to say, rises and falls with the ability of government IT systems to deliver in an emergency. The importance of Federal agencies' effective use of IT is too great to ignore, and this subcommittee will continue its oversight of agencies' IT acquisition and management as we move forward. With that, I call upon the ranking member for his opening statement.

Mr. Hice.
Thank you, Chairman Connolly, and thank you for holding this hearing today on the tenth FITARA scorecard. As you well know, this has literally been a bright spot of bipartisan work for this committee, and I look forward personally to continuing to see the development of the scorecard's usefulness as it relates to Federal IT reform. I also would like to take just a moment and give a shout-out of thanks to the outgoing Federal Chief Information Officer Suzette Kent. She's been extremely dedicated in her service, is deeply appreciated. As you well know, enhanced CIO authority is one of the pillars, literally, of the FITARA, the whole system, and Ms. Kent has just done an outstanding job with her leadership and enthusiasm to really help drive some of the IT modernization efforts that have been outlined in the President's management agenda. So, we're grateful for her leadership and service, and hope to continue to build upon the initiatives that she has championed. But, as you shared, Chairman, we are here today to discuss the tenth FITARA scorecard. Agencies have really made tremendous progress, as you well mentioned, over the past five years, and I want to congratulate them on their dedication to improve the IT procurement and management processes. A job well done. Some of the things that we have seen accomplished over the last several years include, as you mentioned, Mr. Chairman, savings of literally billions of dollars. We have increased transparency for risky IT investments and, of course, the elevation of the CIO position and authority within the agency. So, for all these successes, we are very grateful for what has been done, but obviously, there is more yet that needs to be accomplished. And I would suggest some of those things, we need to continue to update the metrics so that they better and more effectively match the IT management and implementation practices that are actually being used today.
Also, I think it's imperative that we, as a committee, put in place the right kind of incentives to bring about IT modernization at scale as it relates to the pandemic. I think this has really highlighted to us and exposed, if you will, the heavy reliance that we have on some legacy systems and some longstanding technology problems. We need to find ways to get agencies to move the needle on some of these crucial issues. And I think last, we need some forward-looking, if you will, some forward-looking metrics to help modernize government as a whole. I think some of those things would include some moving forward as it relates to the citizen experience. I think you actually referred to that, Mr. Chairman. I think it's important that we move in that direction, enhancing the skills of the Federal IT work force I think we need to continue looking toward, and also just overall moving toward a more agile and secure cloud computing environment. All these things I think are extremely important that we continue moving toward. So, I look forward to hearing from our witnesses today. And in advance, I want to say thank you to each of our witnesses for being here today. We appreciate your time and your expertise that you'll bring to the table. With that, Mr. Chairman, I will yield back. Thank you, sir.

Mr. Connolly. Thank you, Mr. Hice. And I also want to thank you personally. You and I have talked about this. This subcommittee has always had a strong bipartisan thrust, especially on this subject. I worked closely with Darrell Issa in writing FITARA. I worked closely with Will Hurd in expanding on it and having these hearings on the scorecard, as well as with Mr. Meadows, now the chief of staff to the President of the United States. And you've pledged to do the same, and I really very much appreciate that and look forward to continuing to work with you, and hope you are OK and healthy in Georgia. Thank you for your remarks. Ms. Harris, if you would unmute yourself in order to be sworn in, and if our three witnesses who are here in person would rise and raise their right hands. Do you swear or affirm that the testimony you are about to give is the truth, the whole truth, and nothing but the truth, so help you God? Let the record show that all of our witnesses answered in the affirmative. Without objection, your written statements will be part of the record. I now call on Carol Harris, director of IT Management Issues at the Government Accountability Office, to give us her summary testimony. Welcome, Ms. Harris.

STATEMENT OF CAROL HARRIS, DIRECTOR, IT MANAGEMENT ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE

Ms. Harris. Thank you, Chairman Connolly, Ranking Member Hice, and members of the subcommittee. I would like to thank you and your excellent staff for your continued oversight of Federal IT management and cybersecurity with this tenth set of grades. It's been nearly 5-1/2 years since FITARA's enactment, and your scorecard has served as a good barometer to measure progress of its implementation. During this time period, the agencies have made significant progress. In this latest scorecard, there are 1 A, 9 Bs, and 14 Cs. As you mentioned, this is the first scorecard in which all 24 agencies received a passing grade. This is huge, considering only seven agencies had passing grades in the first scorecard. In addition, the agency with the greatest transformation has been the Department of Education, moving from an F to a B-plus. I'll focus my remarks on a lookback on the progress made since scorecard one, where things stand now, and where we need to go. First, agency progress made. I'll start with incremental development. The number of major IT projects utilizing incremental development has increased from 58 to 76 percent.
In addition, the level of transparency on the dashboard has improved, with 61 percent of major projects being reported as red or yellow, as compared to 24 percent with the first scorecard. We've also seen dramatic improvements in the agency's management of software licenses, going from two A's to 23. And the number of CIOs with direct reporting to the agency head has increased from 11 to 16. To date, the agencies have also closed more than 6,300 data centers and saved just shy of $20 billion through OMB's PortfolioStat initiative. The progress made in all of these areas would not have happened to this extent without your scorecard and oversight. While these accomplishments are indeed noteworthy, significant actions remain to be completed to build on this progress, and this brings me to my next point on where we're at. One-third of the agencies' CIOs still aren't reporting to the agency head. CIOs have told us that this reporting structure is critical to carry out their responsibilities. It gives CIOs a real seat at the management table, and it will likely help to attract more qualified individuals to these positions over time. In addition, about half of the agencies have not established working capital funds for use in transitioning from legacy IT systems. Roughly 80 percent of the over $90 billion spent annually on Federal IT is on operations and maintenance, including on aging legacy systems. Establishing these funds is so critical so that the savings from software licenses, data center optimization, and PortfolioStat can be reinvested in agency IT modernization priorities. If each of these agencies did these two things, the grades would be 4 As, 15 Bs, and 5 Cs. These two actions and the associated higher grades are achievable by the next scorecard. Now turning to data centers. We remain concerned about OMB's current guidance which revised the classification of data centers and data center optimization metrics.
For example, OMB's new data center definition excludes more than 2,000 facilities that agencies previously reported on. Many of these excluded facilities represent what OMB itself has identified as possible security risks. The changes will likely slow down or even halt important progress agencies should be making to consolidate, optimize, and secure their data centers. Finally, regarding where we need to go scorecard-wise, the preview of the Federal EIS telecommunications transition will draw urgent attention to an area that has historically been neglected by the agencies. For example, had the prior telecom transition occurred on time, agencies could have saved $330 million. And as I testified before you earlier this year, the agencies are behind schedule and could again be missing out on hundreds of millions in savings. Your scorecard will be an effective means for holding agencies accountable and ensuring a timely transition. Mr. Chairman, this concludes my comments, and I look forward to your questions.

Mr. Connolly. Thank you, Ms. Harris, and I look forward to those questions as well. Clare Martorana. Have I got that right, Clare?

Ms. Martorana. Close, sir. Martorana.

Mr. Connolly. Martorana, forgive me. You are recognized for five minutes.

STATEMENT OF CLARE MARTORANA, CHIEF INFORMATION OFFICER, OFFICE OF PERSONNEL MANAGEMENT

Ms. Martorana. Chairman Connolly, Ranking Member Hice, members of the subcommittee, thank you for the opportunity to discuss the status of information technology at the Office of Personnel Management, and to provide thoughts on the future of FITARA. I joined OPM in February 2019 as the seventh CIO in seven years and entered an agency with several key challenges: Critical staffing vacancies, antiquated and fragile technology, and a charge to fully transition the IT systems for National Background Investigation Bureau, now DCSA, to the Department of Defense, which we hope to complete this fall.
As a new Federal CIO coming from the private sector, admittedly, this is a complex operating environment. Meeting and balancing numerous executive, legislative, and oversight requirements while working in an uncertain and inflexible budgetary cycle is quite challenging. However, I'd like to focus on what's possible, because that's what OPM's employees and the American people deserve. One of the first authorities I learned about was FITARA. As CIO, it provides me with an operating framework and a mandate to make enterprise IT decisions and strategic investments that make best use of taxpayer dollars. I have received a steady stream of support from OPM leadership and--I'm sorry. I have received a steady stream of support from OPM leadership to meet the provisions of FITARA by establishing an agencywide enterprise IT strategy. We anticipate working with program offices and enabling organizations as we move forward in this direction. We are extremely proud of raising OPM's FITARA score to a C-plus. With only one net new hire and no increase in incremental funding, we have been able to make significant progress and show people within OPM what is possible, like rolling out new laptops across the organization and moving to cloud email. This has enabled us to continue meeting our mission while supporting DCSA employees and contractors in a maximum telework environment during the pandemic. Just a few weeks ago, the dedicated CIO team successfully migrated our mainframe platform from the Teddy Roosevelt Building here in D.C. to a commercial data center. OPM and DCSA systems are now fully operational in a new modern environment with continuity of operations in place. Once we transition the daily IT operations of this important national security mission to our colleagues at the Department of Defense this fall, OPM will be able to focus on OPM's mission and begin our digital modernization journey. 
Now I'd like to touch on a few enhancements to FITARA that could drive digital modernization at OPM and across government. The first is funding flexibility. OPM's legacy funding model with seven funding streams for CIO creates incredible complexity and inflexibility to address our IT challenges. By standing up a working capital fund with transfer authority dedicated to IT enterprise investment and CIO oversight and authority over this funding, we will create enterprise efficiencies and measurable cost avoidance. Also, modern technology, because Federal employees deserve the tools I've had the benefit of using in the private sector. Attracting, retaining, training and reskilling our work force with a customer-first mindset, utilizing agile development, modern tools, and modern technology is essential. Our modernization strategy begins with upgrading our existing paper-based processes and workflows with modern electronic equivalents, allowing us to retire end-of-life systems. All of these are possible if we work on modernizing OPM together and giving OPM's customers the 21st century experience that they deserve. I look forward to working on this digital modernization journey together. Thank you for the invitation, and I look forward to your questions.

Mr. Connolly. Thank you, Ms. Martorana. Martorana. Martorana, excuse me. Mr. Jason Gray, Chief Information Officer of the Department of Education, you are recognized for five minutes.

STATEMENT OF JASON GRAY, CHIEF INFORMATION OFFICER, DEPARTMENT OF EDUCATION

Mr. Gray. Thank you, Chairman Connolly, Ranking Member Hice, and members of the subcommittee, for this opportunity to appear before you today to talk about the progress the Department of Education has made in implementing FITARA. I would also like to thank you for your continued support and commitment to improving IT management across the Federal Government. I appreciate the support I received from Secretary DeVos and Deputy Secretary Zais.
It has been critical to the Department's FITARA implementation. I also want to thank my colleagues in Federal Student Aid, the assistant secretaries, and everyone in my office for their continued hard work, commitment, and dedication. I'd like to briefly share an update on our IT modernization efforts and describe the impact FITARA has had on my ability to effectively manage the Department's IT. In my June 2019 testimony before this committee, I shared that the Department had just completed a massive wholesale modernization of our IT infrastructure. This effort transformed the way my office delivers IT services to the Department. Within a five-month timeframe, we migrated over 450 terabytes of data into a secure cloud environment and replaced approximately 5,000 laptops with newer high-performing models. Our users went from experiencing 20 minutes of laptop boot-up time to less than a minute, which translates into a return on investment of more than 1,500 hours of previously lost productivity per day. The cloud environment enabled us to reduce the Department's service storage cost from $1.43 per gigabyte to 12 cents per gigabyte. The Department anticipates saving approximately $20.5 million over a five-year period as a result of this initiative. While the Department will realize cost savings, the true value of the modernization initiative was in our ability to quickly adapt and respond to the Department's needs throughout the pandemic. Due in large part to the modernization, we have been able to support a 100 percent remote work force with minimal impact. When our PIV issuance process was suspended due to staff not being able to come into the office, we were able to quickly evaluate and implement within days, not months, a solution to virtually onboard more than 300 new employees and contractors to date.
By fully embracing the cloud, we were also able to complete a massive technology refresh of 28 major systems, more than 700 servers, and over 500 terabytes of data over a single weekend, with no impacts to IT services. In a traditional environment, this would have taken us weeks to accomplish. Without FITARA, we would not have been able to complete the massive IT modernization initiative last year and certainly not within the timeframe I described. It was through the reporting relationship I have with Secretary DeVos and the relationships we have built across functional areas that I was able to drive the Department's IT priorities to achieve our IT modernization goals. The initiative was a cornerstone of our five-year IT modernization plan and strategic roadmap, and I'd like to thank you for providing us with the opportunity, following my testimony last year, to brief Representatives of this committee on it. When we originally developed our modernization plan and strategic roadmap, we identified shadow IT, redundant or duplicative systems, and manual or obsolete processes. The institutionalization of FITARA in the Department's governance process has provided me with the mechanisms to continually assess and rationalize our IT portfolio and adjust our plans accordingly, from strategically aligning our IT resource management plans with the requirements of the Foundations for Evidence-Based Policymaking Act of 2018 to prioritizing investments to comply with the 21st Century Integrated Digital Experience Act, or evaluating the use of shared services for capabilities such as grants management to the rapid response actions required to address emergency cybersecurity directives from DHS. I am able to achieve a level of visibility necessary to understand the impact to Department's IT resources. 
While we have made significant strides in our FITARA maturation and IT modernization initiatives, the Department continues to seek Congress' assistance with the establishment of a working capital fund. We coordinated with OMB and Congress to obtain appropriations language that would allow us to transfer funds to a working capital fund and included the request in our President's budget request for both 2020 and 2021. I respectfully request your assistance with obtaining this transfer authority to further enhance the Department's ability to achieve the goals of FITARA. In conclusion, the Department has established a solid FITARA framework and have clearly demonstrated our ability to leverage it in support of the Department's mission. But we do recognize that FITARA and IT modernization is a journey and it's important to continually improve. I thank you for your time today, and I look forward to your questions.

Mr. Connolly. Thank you, Mr. Gray. It's good to have you again giving us a year later progress. We certainly will try to work with you on that transfer authority, so work with us on that. Our final participant in this panel is Maria Roat--is that correct?

Ms. Roat. Yes, sir.

Mr. Connolly [continuing]. Who's the Deputy Federal Chief Information Officer at the Office of Management and Budget. Welcome.

STATEMENT OF MARIA A. ROAT, DEPUTY FEDERAL CHIEF INFORMATION OFFICER, OFFICE OF MANAGEMENT AND BUDGET

Ms. Roat. Thank you. Chairman Connolly, Ranking Member Hice, and members of the subcommittee, thank you for the opportunity to discuss FITARA and how we can continue to drive and sustain governmentwide IT modernization. I joined OMB eight weeks ago as the Deputy Federal Chief Information Officer, bringing a career of Federal and military technology experience and an agency perspective to my role.
Throughout my career, I have seen firsthand the value of investing in modern scalable solutions and how taking prudent risk, collaborating, brainstorming, and sharing ideas and concepts drives change. And I have experience as a CIO and know how a strong partnership with and commitment from an agency's business stakeholders can improve how the government meets its mission and serves the American public. COVID-19 put a spotlight on digital transformation and the need to adapt quickly. Every agency worked at never before experienced levels of telework and sustained performance by leveraging capabilities already in place. There was a sense of urgency, and CIOs were entrepreneurial, creative, innovative, and agile. Since the first FITARA scorecard, technology investments in cloud, in infrastructure enabled an overall seamless transition to telework. Simultaneously, CIOs were positioned to rapidly deploy and leverage scalable platforms for digital service delivery for COVID response activities. They leveraged microservices to quickly stand up new public-facing portals and switched to video teleconferencing for telehealth and benefits interviews and to engage with their customers. CIOs deployed virtual desktops to replace the purchase of costly hardware for surge employees. And the CIO Council identified areas for future investments and improvements where we need to address gaps or move faster. We must keep the momentum. Agencies were able to move fast, innovate, and implement changes for more digital interoperability. There is a shared interest across all levels of government, Congress, the executive branch and the administration, to continue technology improvements. The Technology Modernization Fund and IT working capital funds and their multi-year funding approaches are two programs instrumental in improving, retiring, or replacing legacy systems. We must do more to drive sustained long-term transformation and ensure digital first as we add value and service delivery. 
Throughout my career, I've had the honor to lead and work side by side with amazing innovators and technologists, public servants working for the Federal Government. Today, over 2 million civilian personnel use technology to carry out their job. Just as importantly, as we consider any technology investment, we should also remember that the people charged with using those solutions must also be skilled in the use of technology. As the pace of capability and threat continues to accelerate, we must invest in our work force to keep their skills relevant. The CIO Council continues to invest in the IT work force and is building on last year's success with the Federal Cyber Reskilling Academy to launch this month a similar training program in data science. This summer, we are holding, virtually, the third annual Women in Federal IT event, where women in leadership positions across the Federal Government share stories and provide on-the-spot mentorship and career advice to emerging leaders. We graduated two cohorts from the robotic process automation reskilling course, and in September, we will graduate 20 people from the CIO and CISO SES Career Development Program. As we focus today on the tenth edition of the FITARA scorecard, we must adapt to the ever-changing technology landscape and, likewise, adapt the scorecard. I look forward to collaborating with you to further refine the scorecard to support sustained, long-term modernization and drive innovation. Thank you for the opportunity to speak with you today, and I look forward to your questions.

Mr. Connolly. Thank you, Ms. Roat. I appreciate that. I find myself in agreement with everything you've said. It is good to learn that the administration has decided to embrace telework in light of the pandemic, given the fact that the administration was actually cutting back on telework the last two years.
And with respect to retiring legacy systems and the need for the Technology Modernization Fund, I also find myself in agreement, but we need the administration to make a robust request in the budget if we're going to make progress on the TMF. The chair now calls on the distinguished Congresswoman from the District of Columbia for her five minutes of questions. Welcome, Ms. Norton. Ms. Norton, are you there? Ms. Norton? Mr. Lynch, are you there?

Ms. Norton. I'm here.

Mr. Connolly. You're there. OK, great. Sorry about that. Eleanor, just speak up a little bit.

Ms. Norton. All right. I'm sorry. I punched the wrong button.

Mr. Connolly. There you go. There you go.

Ms. Norton. Thank you very much. And, Mr. Chairman, I want to thank you for this annual hearing. It's very important to have been brought up to date, as you have allowed our witnesses to do. Now, the FITARA says--and I'm quoting it now--that CIOs have a significant role in the decision processes of the management, governance, and oversight processes related to information technology. Well, I would have thought that they have a major role to play in an agency overall, and I understand that IT is now baked into policy design and implementation. This question is for Ms. Harris. There are CIOs that do not report to agency heads and, of course, if they don't, they're unlikely to play that key role that we spoke about. Well, who doesn't and why don't all of them now report? I think it was perhaps in your testimony or the testimony of one of you that one-third do not report to the agency head. I'd like to know why. I understand that there's a minus and a plus that you can look to see whether people are reporting, but I don't understand what determines or how agencies determine what this committee has long said would be helpful.

Ms. Harris. That's correct, ma'am.
About one-third of the agency CIOs do not have direct reporting mechanisms to the agency head, and that is a problem, because agency CIOs have reported to us that that reporting structure is very critical to allowing them to carry out their responsibilities.

Ms. Norton. Well, Ms. Harris, would you explain to the committee what would be the resistance so that we can work with agencies? Why would an agency not want everybody in the room?

Ms. Harris. Honestly, I think it, in large part, has to do with agency culture, and being able to change that culture so that the CIO does have that seat at the table is vitally critical. So, it's going to take work with the senior leaders within those agencies to empower those CIOs, change those organization charts so that those CIOs have direct reporting capabilities, and work with you all as well to ensure that that happens.

Ms. Norton. I'd like to work with the chairman on making sure that there is no resistance. In the 21st century, you would have thought that having the CIO at the table would just be a given. So, I really don't understand the resistance to it, and believe that the committee could be helpful in either requiring, through legislation or through regulation, that the CIO be at the table. This is a question, I suppose, for Ms. Roat, and it has to do with the recruitment of and attrition of IT staff. Are these staffers valuable outside of the public sector, Ms. Martorana or Ms. Roat? Is there great competition for these staffers? I'd like you to discuss that. Then I'd like you to tell the committee what we could do to help attract and keep Federal IT workers. Ms. Roat?

Ms. Roat. Yes, ma'am. Thank you for your question. For the work force, it is hard to attract work force to the Federal Government and, in turn, folks that we do train in the Federal work force do go to the private sector and make more money.
What attracts people to the Federal Government is the ability to focus on a mission, whether you're working for the Department of Energy or Transportation or DHS or NASA. People are excited about the mission, and that's what draws people to the Federal Government. As a CIO, I've had experience with that where people want to come on board, and I've had some incredible talent. Other CIOs have had the same experience. But to your question, it is hard to get people in, but once you get them in, the folks that want to come in, they want to stay. They love what they do. And when people leave the Federal Government, they may go back to private industry, get more experience, maybe they make more money, and then turn around and come back to the Federal Government. But, again, we continue to explore flexibilities in hiring, compensation, and looking at ways to build skills. As I said in my opening comments, we've done a lot for the Federal work force so far through the CIO Council on data science, on cybersecurity, and we're going to continue to build on those skill sets so that we can maintain that work force. So, it's not only just attracting new workers, but maintaining and educating our current work force.

Ms. Norton. Finally--I'd just like a moment, Mr. Chairman--is pay a salient issue here in keeping people in the Federal--IT workers in the Federal work force?

Ms. Roat. For folks, for people that are working in the IT world that are coming into the Federal Government, they can get compensated much more on the private sector.

Ms. Norton. We might have a look at that also, Mr. Chairman. Thank you very much. My time has expired.

Mr. Connolly. Thank you, Congresswoman. And let me just say in response to your query about CIOs, I couldn't agree with you more. When we wrote FITARA, there were 250 people spread out over 24 agencies with the title CIO. I asked the private sector, Ms. Martorana, how many CIOs do you have? And almost 100 percent the answer is one.
So, we've got a lot of work to do. We didn't mandate there shall be one CIO. We allowed it to evolve that one CIO was sort of primus inter pares, first among equals, who reported to the boss. But if we need to strengthen that, we will. We'll also be guided, Ms. Harris, by GAO's counsel on that matter as well. But we are making progress. And listening to the testimony today, you've got relationships with the head of the agency, and that makes all the difference in the world, the empowerment from the boss. But it's something we are very mindful of, and I thank the distinguished Congresswoman for bringing further attention to it. The chair now recognizes the distinguished ranking member, Mr. Hice, for his five minutes.

Mr. Hice. Thank you very much, Mr. Chairman. Ms. Roat, I'd like to ask you this. One of the things that I have discovered in becoming more and more familiar with this, it seems like one of the current metrics measures how much of an agency's portfolio is high risk. The issue that I have found is that there's no definition of what high risk is, at least not that I've been able to determine. When I think of high risk, I think of things like vulnerability to cyber attacks, but what I found out is that high risk means something else to others. It may mean whether or not a system is able to be delivered on time and at budget and, if not, it's at high risk. So, my question, really, is there any uniform and comparable kind of way for agencies to define what we all mean by high risk, so that we're all on the same page?

Ms. Roat. Thank you for the question. As you look at the programs and the portfolios across the Federal Government, those programs that are high risk, GAO does look at programs that are high priority, the high priority programs, and there are different definitions, including high-value assets.
So, when you're looking at those systems that are at high risk, are those the systems that are the oldest in the Federal Government that perhaps need to be modernized or are they high-priority programs that are high visibility and have to be and are critical to the Federal Government. So, as we're looking at the definitions, there are separate definitions, whether it's high-priority programs, high-value assets that are critical to the Federal Government, or those programs and those systems that are high risk in the Federal Government. So, there are different characterizations that are used in different reports.

Mr. Hice. And to me, that's part of the problem. Is there any kind of way of getting a uniform understanding of what we're talking about on high risk? Because you just mentioned about three or four different things that come under that category. So, what--or even just to prioritize the high-risk categories so we know if the high risk is any of the things that you mentioned or if it's cyber vulnerabilities or whatever. Can we and should we kind of focus this definition a little more tightly?

Ms. Roat. Yes, sir. We should take a look at that to make sure that we're aligned on the definitions and that we're all speaking on the same page as we're looking at the definitions of programs across the Federal Government. I mentioned three with three definitions on that, where, you know, GAO is using the high-priority programs and some of the other ones. So, I agree with you, we should take a look at that and make sure that we're all in alignment.

Mr. Hice. OK. I agree. Let's try to move forward on that. Also, another thing that has come up, when it comes to legacy IT, the current scorecard does capture whether or not an agency has a working capital fund, but it does not deal with whether or not any of those funds are being used to modernize old systems.
So, my question really is, what kind of metrics can we add to the scorecard to incentivize agencies to make these kind of IT overhauls that need to be made? We've got to make the transition.

Ms. Roat. I agree with you. It is imperative that we continue to modernize. The IT working capital fund is one of those programs that allows agencies to have that long-term sustained investment in technology that is incredibly--that's critical to modernizing. So, the IT working capital fund, where you can have multi-year dollars within those, that's the intent, is to modernize those legacy systems and really drive that modernization over multiple years. Where you have legacy systems and programs, being able to invest that over multiple years is the way you get out of, you know, that technical debt and you continue to move the ball forward on that. So, with the Technology Modernization Fund and the IT working capital fund, those are two critical programs for agencies to sustain long-term modernization.

Mr. Hice. OK. Thank you. My last question will kind of deal with the customer service aspect. More and more we're having people who are involved in coming to the government digitally. What about, how can we put this type of metric in future scorecards to make sure that we are providing the customers what they need?

Ms. Roat. Thank you for that. There's--with the IDEA Act, I think there's an opportunity to really look at the customer experience. That was the intent of the 21st Century IDEA Act--the customer experience and how they interact with the Federal Government. And there's a number of requirements in there, from e-signatures to 508 to enabling an easier customer experience with the Federal Government.
So, I look forward to working with you and the committee on understanding what are some good metrics on that, because that is a perfect example of a metric that could evolve over time as agencies are continuing to improve their websites and their customer experience with the American public.

Mr. Hice. Thank you very much. I yield back.

Mr. Connolly. I thank the gentleman. And that's a good point, Ms. Roat. We'll be glad to work with you on that. Before I call on Mr. Lynch for his five minutes of questioning, Ms. Harris, did you want to address the question Mr. Hice raised about what falls under the penumbra of high risk on the scorecard?

Ms. Harris. Sure. So, high risk is defined by each of the individual agencies. So, it could be cost, a certain cost threshold. It could be a high-value asset. There are a number of ways that agencies do define what they consider to be high risk. And I think that having--I think OMB would play an excellent role in having a more uniform decision or even having perhaps a watch list of the 10 to 20 top critical IT investments across the government would be an excellent way to be able to focus and hone down what those high-risk investments are. We have work for this committee, looking at the top 10 to 20 mission-critical IT acquisitions across the government where we have put together the list for you. That report will be coming out in September. We would be happy to work with OMB to perhaps use that list as a jumping-off point to have another working list for OMB and the executive branch agencies to work from.

Mr. Connolly. I would just say a word of caution. When we began this category, there were agencies that claimed they had no high-risk projects, none. No, everything is fine, nothing to look at here. We needed to get out of that protective defensive mode, candidly, to say, hey, these are high risk for these reasons and we're going to monitor them so that they don't go awry, but if they do, we'll take quick action.
Because that was part of the problem FITARA was trying to address, that we had these long multi-year, multi-billion-dollar systems integration projects, and nobody felt empowered to pull the plug if the milestones weren't being met. In fact, there weren't always milestones. And we were trying to make sure that we didn't make a bad thing worse. In the private sector, if something goes awry, the CEO says, pull the plug, we're going to move on, we'll try something different. A little harder to do in the public sector, because everybody wants to know why did you waste the money? But nothing is improved by doubling down on something that's not working. So, high risk really matters and getting it right really matters, and we don't want unwittingly to change the definition so that we go back to the old days of everything's fine, because the point isn't to ding on people because it's bad, it is to capture something going awry before it goes off the cliff. But I thank you, Mr. Hice, for raising it, because I think some uniformity of understanding probably would be a good thing. Mr. Lynch, I'm sorry to impose on your time. Welcome.

Mr. Lynch. Thank you very much, Mr. Chairman. I want to follow up on that sentiment, because you and I know, as longtime members of this committee, that, you know, it's been a history of we don't have any problems over here, we're good, until there's a blowup like we had at OPM when 22 million records went out of people who were applying for security clearance and others that were in government as well. So, we saw the disasters. So, I approach this with a little bit of skepticism, just healthy skepticism. I'm happy to hear the good reports, don't get me wrong, but I've been here too long to believe all of that. So, I want to ask about--you know, let's go to Mr. Gray.
You know, I read recently a pretty good story in The Washington Post that talked about thousands and thousands of borrowers of student loans whose personal information, their Social Security numbers, their detailed financial information was left exposed by the Department of Education for like six months. And it had all their personal--you know, these were people looking for some relief. Either they had been taken advantage of or exploited by for-profit universities, those type of cases. So, they had to basically open the kimono of these applicants who were looking for relief, and yet we left all their information available to whoever would tap into it. So, that's one issue I got. I'd like to hear from Mr. Gray on that. Then on OPM, I noticed the grade is a C. And given the, you know, history here--and we all know what it is, I mean, just horrific, horrific, and OPM had not even encrypted Social Security numbers. It was just an unmitigated disaster, and we continue to suffer from that today because of all the people we exposed who had asked for security clearance, right? Those are the people that do some of the most sensitive work in our government, and they were all exposed because of the lack of cybersecurity at OPM. So, I'd like to hear from Mr. Gray and also someone who can speak on behalf of OPM as to why they only have a C at this point. Thank you.

Mr. Connolly. We'll ask Mr. Gray to go first, and then we'll call on Ms. Martorana.

Mr. Gray. So, thank you for that question. I will share that that article is incorrect. The Department did not leave that open for many months. What really happened was that we had a situation where a file share was inadvertently left open to internal Department only employees. As this was briefed on Friday, there was no external access. It was not open. It was one element. We did report, as required, through OMB Memo 20-04. It is a low-risk incident.
And as I briefed this committee on Friday, it is a situation like being in a bank where a bank has a vault. Every employee that can go into that vault is a trusted employee. Every person that works at the Department is vetted. They have fingerprints. They have user agreements. They have annual cybersecurity and privacy awareness training, records management training. This is a situation where an employee actually recognized that a safety deposit box in that vault that external people could not get to was unlocked. It should not have been unlocked.

Mr. Lynch. Mr. Gray, hold on for a second. So, did every single person have a need to know in each of those cases, or was it looser than that?

Mr. Gray. Every employee is vetted to be able to access information and, no, not every employee needed to access that. And as of this morning----

Mr. Lynch. OK. That's all. You need to tighten that up. So, you need to tighten that up, right?

Mr. Gray. Absolutely, and we absolutely did.

Mr. Lynch. It's not exactly what the Post led me to believe, but we can tighten it up, right?

Mr. Gray. Yes, Congressman, we can, and we have.

Mr. Lynch. OK. So, let me go--I only have a minute left, so let me go to Ms. Martorana on OPM, please.

Mr. Connolly. You need to turn on--thank you.

Ms. Martorana. Sorry. Thank you for the question. We continue to work diligently at OPM to upgrade our infrastructure, upgrade our overall cyber posture. We are struggling with our staffing. We are struggling to make sure that we have appropriate staff levels to support all of the systems that we are maintaining. One of the biggest challenges that we do have is we are still supporting our Department of Defense colleagues as we are decoupling our systems. So, we are still, on a daily basis, operating DCSA, the national background investigation systems, on all of their daily operations, as well as all of the laptops and their desktop support services, et cetera.
So, as we are able to hand that mission fully over to the Department of Defense and focus singularly on OPM, that will give us the opportunity to be able to focus on OPM's core mission and upgrade all of the services that we deliver to our own mission.

Mr. Lynch. OK. That's a fair answer. Thank you, Mr. Chairman, for your indulgence. I really appreciate the courtesy. Thank you.

Mr. Connolly. Mr. Lynch, if I could follow up on that question, I understand the sequencing with the Department of Defense; but when we go back to the original breach, and you weren't there, part of the problem was that we had software for cyber protection, Einstein, and there was Einstein 2 which had not been installed. Now, that has nothing to do with the Defense Department. That's a management issue about getting around to it, prioritizing. I wonder if you want to take a moment to try and reassure Mr. Lynch and the rest of the subcommittee that that attitude has changed, that, in fact, we are prioritizing cyber and protecting our data bases at OPM.

Ms. Martorana. Yes. I can assure you that the rigor and discipline within the current OPM team is extraordinary. We would not have been able to execute something as complex as our main frame migration without having a disciplined management team and extraordinary CIO team that is doing a diligent job on a daily basis. Can we do better? We can always do better, right? IT is one of those areas where you can always improve; but the team is extraordinary, and we work utilizing every single tool and asset available to us. Our cyber team and our CISO are extraordinary, and we do everything possible to safeguard every single asset within our environment. We utilize the best tools of the Federal Government, including DHS, to support us, the perimeter of OPM. So, I think you can rest assured that at this time all safeguards and standards are being operated at the highest level.

Mr. Connolly. Thank you. And thank you, Mr. Lynch.
The Chair now recognizes----

Mr. Lynch. Mr. Chairman, thank you.

Mr. Connolly. Thank you. The Chair now recognizes our returning colleague, the gentleman from Alabama, Mr. Palmer, for five minutes. Mr. Palmer?

Mr. Palmer. Can you hear me now?

Mr. Connolly. Yes, sir, we can. We can't--is your video on, Mr. Palmer? There you are.

Mr. Palmer. It is.

Mr. Connolly. There you are.

Mr. Palmer. You got me? All right. Well, first of all, I want to compliment Mr. Lynch on his library. That's impressive.

Mr. Connolly. I hear he rents it.

Mr. Palmer. He rents it. Ms. Harris, there was a 2018 report submitted before the U.S. China Economic Security Review Commission that found that the Federal Government's top seven IT providers sourced over 51 percent of its materials from China since 2012. And I just want to ask you if you think that this poses a significant economic and national security risk.

Ms. Harris. Yes, sir. This is significant, a significant risk to national security. We had work ongoing for this committee related to the IT cyber supply chain, and the vast majority of the agencies have not instituted proper supply chain internal controls. This is a major issue. We're going to be making more than a hundred recommendations associated with this. But it does pose a significant threat to our Nation.

Mr. Palmer. Well, and I bring this up, Mr. Lynch raised the question about the breach at OPM, that I think there are still issues with that, with that information, the personal identification information that's still out there. What would be the budgetary impacts of shifting Federal technology acquisitions away from China?

Ms. Harris. Sir, I'm not in a position to answer that question. We have not done work specific to that, unfortunately, so I'm not in a position to answer that with specific facts.

Mr. Palmer. Ms. Roat, would you at OMB have an idea about that?

Ms. Roat. No, sir, I do not.

Mr. Palmer. Well, I think that's something that we need to get an estimate on.
I think we're talking--there's a tremendous amount of talk about shifting the supply chain out of China, particularly when it comes to drugs and materials that are critical to our economy and to our national defense. And the fact that--I think, Ms. Harris, you're the one a few minutes ago that said that we spend 80 percent of our budget on maintaining antiquated systems. Is that correct?

Ms. Harris. Yes, that's correct.

Mr. Palmer. And then 51 percent of that is sourced from China, I think. So, I think this is something--and I'm going to make this request to Ms. Roat and to Ms. Harris that either your agencies come up with the estimate or you work together to come up with that estimate--if I need to, Mr. Chairman, I'll put that in writing; but I think we need to know what it would cost us to shift our IT supply chain away from China. So, I would appreciate it if we could get a response from you and let us know when you start working on it. The Commission also recommended Congress to establish a comprehensive national security supply chain management strategy. It further recommended that direct statistical agencies, such as the Census Bureau, review methodologies for collecting and publishing deeply detailed supply chain data to better document the country of origin for imported goods from China, including imports related to our Federal IT system. And this is for all of the witnesses. Are you aware, are any of you aware of any current actions that the Federal Government is taking to implement these recommendations? Ms. Harris, let's start with you.

Ms. Harris. Sir, I don't--that work is out of the scope of what I am doing for this committee. So, I'll have to take that for the record to see if there's a better expert within GAO to answer that for you.

Mr. Palmer. OK. Mr. Gray? Well, that would be outside of your area of expertise, too. I'll go to Ms. Roat. Do you know where we are on that?

Ms. Roat.
Right now we are working very closely with agencies to take a look at their supply chain, currently briefing them out on the requirements of section 889, but, again, working very closely with the agencies to understand their footprint and what the impacts are on that. So, that work is ongoing and will continue.

Mr. Palmer. Is it specific? Are there specific--is there specific work being done on the IT systems?

Ms. Roat. Again, we're working with the agencies to understand, as you alluded to, what the impact is and understanding if there's equipment that needs to be replaced, upgraded, those kinds of things, the impacts on those systems. So, that work, we have kicked it off and that is underway right now.

Mr. Palmer. OK. I thank the Chairman, and I yield back.

Mr. Connolly. Let me just say to the gentleman, I think he raises a really good point about the need for coordination so that we're not, you know, retiring legacy systems with 150 different systems that can't coordinate, or can't be encrypted, or have different requirements as much as we can in coordination by OMB to make sure--and the CIO and CTO in the White House to make sure that we're making prudent decisions for the future, both in the cyber realm and in terms of interoperability and coordination, very important.

Mr. Palmer. Mr. Chairman, if I might respond to that?

Mr. Connolly. Thank you, Mr. Palmer. The Chair now recognizes----

Mr. Palmer. Mr. Chairman, if I may respond to that?

Mr. Connolly. Of course.

Mr. Palmer. May I respond to that?

Mr. Connolly. Yes, you may.

Mr. Palmer. You're absolutely right about the interoperability among Federal agencies, but it also should extend to the states, and we're seeing--in my previous experience on the Oversight Committee, we saw multiple examples of the inability because of the antiquated systems to have that interoperability between state agencies and the Federal agencies. I just wanted to add that. And I yield back.

Mr. Connolly.
You are quite correct, and we're certainly seeing that in unemployment IT systems all across the country. There are at least a dozen that still use COBOL. Now, the only good news about that is I understand that the Chinese don't know how to hack into COBOL, but that's about the only good news. So, you're absolutely right, and we're seeing that affect millions of Americans in terms of not getting their payments in a timely fashion, which creates a snowballing effect in their ability to cope during the pandemic. The Chair now recognizes the gentleman from Maryland, Mr. Raskin, for his five minutes. Mr. Raskin? Mr. Raskin. Yes, Mr. Chairman. Mr. Connolly. Welcome. Mr. Raskin. Thank you very much. I'm sorry, I thought I was unmuted already. Mr. Connolly. No problem. Mr. Raskin. Thanks for calling this very important hearing. In June of last year, the day before the FITARA 8.0 hearing, OMB issued guidance which revised and narrowed the definition of a data center. According to GAO, this revised guidance eliminated reporting on more than 2,000 facilities governmentwide, including types of facilities that OMB had previously cited as cybersecurity risks. Removing the requirement to report on these facilities diminishes our ability to exercise oversight over potential security risks. Ms. Harris also noted in her opening statement that consolidation of data centers has saved us billions in taxpayer dollars. So, why would we discontinue efforts that save money and improve cybersecurity? Ms. Harris, does GAO remain concerned with OMB's decision to change the definition of data center and to no longer require agencies to include smaller data centers in their data center inventories? Ms. Harris. Yes, sir, we still remain very concerned about the new definition of data centers. Our concern in particular is because when agencies stop reporting on these data centers, they'll fall under the radar. 
They'll stop looking at them in general, and then that's where the cybersecurity vulnerability risks increase because they're not looking and paying attention to these centers. Mr. Raskin. Yes. And OMB's changes to the new guidance no longer allowed the subcommittee and GAO to evaluate agency progress toward data center optimization and consolidation. Ms. Roat, can you tell us why OMB would stringently narrow the definition of data center when doing so could both impair cybersecurity and increase costs to the taxpayer? Ms. Roat. Thank you for the question. So, OMB updated the definitions of data centers to better align with industry standards. When you look at the overall definitions of data centers, those areas where there was maybe just a router and a switch in a closet somewhere, those really aren't classified as true data centers because they have com gear in it. So, those types of things were changed as part of the definition. As you look at the modernization across the Federal Government and agencies closing data centers, they are taking big steps to rationalize their portfolio, upgrade their infrastructure, and address those cyber security concerns just across the entire environment. So, as you shut down data centers, there are many steps behind it to do that. So, even as we change the definition of data centers, modernizing and closing and shutting down data centers per the industry standards takes a lot of work and those application, rationalization and infrastructure upgrades will continue as we close data centers. Mr. Raskin. Well, will you commit to working with the subcommittee to track data centers in ways that are consistent with the law and GAO's recommendations to improve cybersecurity and maximize the saving of tax dollars? Ms. Roat. Yes, sir. We look forward to working with the committee on those data center metrics. Mr. Raskin. OK. 
Agencies required to implement the data center consolidation reported in total $4.7 billion in cost savings from Fiscal Year 2012 through 2019. Of these 24 agencies, 23 reported in August of last year that they had met or planned to meet OMB's Fiscal Year 2019 savings goal of $241.5 million. Ms. Roat, do we now know whether agencies met their Fiscal Year 2019 cost savings goals? If not, when will we have that knowledge? Ms. Roat. I'll work with OMB on those data centers and those metrics to make sure that we have accurate information for that, but we continue to track what the agencies are reporting to make sure that progress continues on the cost center and savings. Mr. Raskin. OK. Thank you for that. Ms. Harris, is there any more potential for cost savings through data center consolidation? Ms. Harris. Yes. We believe that there is, and so that is why this should continue to stay as a priority for the committee on the scorecard, as well as for the agencies. Mr. Raskin. Well, why has the Administration chosen to halt its efforts in this field? Ms. Harris. Unfortunately, I don't feel comfortable speculating as to why the OMB would make that decision; but, again, you know, backtracking on identifying and including things like servers in closets and considering that to be a data center is something that we disagree with OMB on. That is something that should be counted because it may not be an opportunity for consolidation, but it certainly still poses a threat from a cybersecurity standpoint. So, we do believe that having the more inclusive definition is the way to go. Mr. Raskin. OK. Can you describe the barriers to cloud adoption in your approach to removing those barriers? Ms. Harris. Well, the barriers to cloud would--it would be--the No. 1 barrier is agencies having it as a priority. 
We've found in our work on cloud adoption that agencies don't necessarily have the robust processing in place to take a look at all of the investments that they have in terms of whether or not they would be eligible candidates for the cloud. So, we've made recommendations to the agencies in implementing those processes, and we currently have work to look at whether those agencies are in the process of implementing the recommendations that we've made to them. Mr. Raskin. OK. I think I have run out of time, Mr. Chairman. Thank you very much for your indulgence. Mr. Connolly. Thank you very much, Mr. Raskin. And your point about data center consolidation is very important, and I agree with you. Let me just say, Ms. Roat, I wrote that section of the bill, so I care about it, and I'm not going anywhere. So, we are going to insist on a robust definition of data centers so that we continue the goal of consolidation to, A, effectuate savings that can then be used internally for reinvestment because they are one of the big sources of potential savings and, second, in the whole mission of cyber protection. So, we'll work with you, but we're not going to countenance squishiness in the definition so that people get off the hook and aren't accountable for what were the data centers we're trying to consolidate. So, I hope you will take that message back. The gentleman from Wisconsin, Mr. Grothman, is recognized for five minutes. Mr. Grothman. OK. Do you see me on there? Mr. Connolly. We can hear you. We can't yet see you. Mr. Grothman. Well, you might have to put up with just hearing me. Oh, there I am. Mr. Connolly. There you are. Mr. Grothman. OK. I got in a little bit late. Is Ms. Martorana still around? Mr. Connolly. Yes, she is right here. Mr. Grothman. Good, good, good, good, good, good. OK. I understand you spent a lot of your career in the private sector and are focused on improving the digital experience. 
Given OPM's importance to the Federal work force and public, could you describe how you approach digital modernization? Ms. Martorana. Sure. There's an enormous opportunity for us at OPM to better serve our customers across a broad spectrum, from continuing to improve the opportunity for job seekers all the way through to retirees. So, there are numerous opportunities. But the most important place to start is on a firm platform and starting with the foundational investments that are required in people and technology to start that digital modernization journey. Mr. Grothman. OK. I'll ask you another question together with Jason. [Inaudible] Ms. Martorana, and what steps are you taking to comply with FISMA--[inaudible] Mr. Connolly. Mr. Grothman? Mr. Grothman. Yes. Mr. Connolly. I'm sorry, could you repeat your question? It sounds like you're in a railroad train. Mr. Grothman. OK. I'm sorry. I'll speak up. Mr. Connolly. That's OK. Mr. Grothman. OK. Both of your agencies--this is both for Ms. Martorana and Jason Gray. Both of your agencies have critical missions and process sensitive data, yet both of your agencies get C's in cybersecurity, which means you have got room for improvement. What steps are you taking to comply with FISMA, a critical tool for ensuring effective information security across the government? Mr. Gray. So, I will start. We have taken a four-phased approach, focusing on our processes and making sure that we're refining our processes to not only comply with FISMA but also enhance our cybersecurity posture. We're also looking and have been focused on strengthening our processes as it relates. We also have a lot of tools that we have and continue to use with defense in depth, a whole bunch of them. Then also equally as importantly, as was mentioned earlier, education. So, it's focusing on making sure that our staff understand that and the department as a whole understands the importance of cybersecurity. 
We've also developed and implemented a cyber risk scorecard that we produce that has near real-time metrics that shows it's aligned directly within the cybersecurity framework, and that is visible to our system owners so they can see exactly how they're doing. To the comment earlier about making sure that we're measuring the risk and actually when something is red, it's not necessarily a bad thing. It's an indication that that needs some work. That gets briefed every single month to the secretary, the deputy secretary and monthly to all of the assistant secretaries for all of theirs. So, it is really focused on a process improvement, policy improvement, leveraging the tools that we have, and making sure that we're educating everyone at the department on the role of cybersecurity. Mr. Grothman. OK. Ms. Martorana, do you have anything? Ms. Martorana. Yes. And I think I can mimic basically. We are probably a little bit behind where the Department of Education is, but following in those footsteps, the people, the process, adding new technology and tools, and significant training. We are consistently training our work force to make sure that the policies and processes that we develop and the tools that we are implementing are understandable and that the entire work force is comprehending that every single one of us are the best tools that we have in keeping all of our information systems safe and secure. Mr. Connolly. Mr. Grothman? I think that train left the station. OK. Thank you, Mr. Grothman. The Chair will now recognize himself for his five minutes of questioning. Oh, you're back? Glenn, did you have one more question? Mr. Grothman. Yes, yes. Mr. Connolly. Go ahead. Mr. Grothman. Ms. Harris, at this point nearly all agencies have gotten A's in the software licensing metric. Do you think it's time to remove this metric? And, if so, how can we evolve this metric to capture some of the cost saving aspects like eliminating unused software licenses? Ms. Harris. 
Yes, that's a great question. So, I think that given all agencies except OPM have received that A, it may be time to retire that particular metric or evolve it. Certainly when it comes to the evolution of the metric, one of the key things that we'll have to work with with this committee on, as well as with OMB, is the availability of governmentwide data that's publicly available because that's what is used in order to generate all of these scores or these grades. So, that would be a key factor in what we could use to potentially evolve the software licensing grade. Mr. Grothman. Thanks much. Great hearing and thanks for putting this together. Mr. Connolly. Thank you, Mr. Grothman. Thank you for joining us. Ms. Harris, despite all of the progress in the scorecard, we really don't seem to have made progress in retiring legacy systems. Why not? And what will it take to seriously incentivize agencies to do that? Ms. Harris. Mr. Chairman, I think what we need to see greater progress on is the working capital fund establishments because that's a very important mechanism that the agencies can use to transform their IT and to modernize it. So, we would like to see a more aggressive push by the agencies that have not yet implemented those working capital funds to do so as quickly as possible so that they're able to put those savings that they generate from software licensing, from portfolios and data center consolidation into that fund so that they can use those moneys to be able to--and the flexibilities associated with a working capital fund, to be able to modernize their platforms. Mr. Connolly. Mr. Gray, you will forgive me, but I think you soft pedaled the breach. So, yes, the breach may not have been huge but, you know, this committee had a hearing on your agency or including your agency several years ago, and what came out was surprisingly, although maybe not surprisingly, but the Department of Education actually has a huge data base, 40 million Americans. 
You applied for a student loan, you've got my financial data, my checking account, my savings account, all kinds of other financial data that's pretty sensitive. And that's a pretty big data base and a juicy target for some people up to no good. So, the fact that we had this breach raises the question about how secure is that data--the bigger data base. And given the fact that you get a C minus in cyber, one of your lower grades, it underscores vulnerability, maybe I need to be concerned. I wanted to give you an opportunity to talk about that. Mr. Gray. So, I appreciate the question. The incident that happened in 2017 is obviously very different than what happened here. What was briefed on Friday is that we literally had a file share, one out of over 7 million folders, one where a user inadvertently allowed other people within the department permissions. If you have a situation where people have the ability to go through and say, hey, I'm going to allow people to have access to this, that sort of thing will happen. In this situation the employee who actually identified that did not report it to the department. They reported it externally to the department. To compare this to the TSA, this would be like a TSA individual at an airport seeing a suspicious package and instead of reporting it, seeing something, saying something, they took it externally, which then went to the media. So, to get to your question, though, I agree this was identified. When we were reported--when it was notified to me, we took care of it right away. We've also gone through and scrubbed and rescrubbed. We've hired a third party to come in and recheck all of what we've done just to make sure. As of this morning, they have come to the same exact conclusion as it relates specifically to this incident. This is a low-risk incident where an internal--as I mentioned about the bank and the safety deposit box, it was for trusted employees. 
In this case we had a trusted employee who saw something and instead of doing what they were supposed to do, they took it external. To get to your question about cybersecurity, absolutely I take cybersecurity seriously. I have been at the department for over four years. This is my fifth agency that I have been at. Cybersecurity is certainly one of the core focus areas that I have had. We, as I mentioned, have gone through what processes can we improve, is there policies that we need to implement, are there additional tools which we--as I mentioned, we have network access control, data loss prevention. So, we're taking a lot of necessary steps to ensure that we're protecting and defending the information that we are entrusted to. Mr. Connolly. You have legacy systems at the Department of Education? Mr. Gray. Yes one. Mr. Connolly. One. How old is that system? Mr. Gray. I would have to get you an exact number, but it's probably been around longer than I have. Mr. Connolly. Wow. Well, I have two conclusions from that. One is you're younger than I thought or the other is ah, gosh, you know, that really puts an exclamation point on it. From your point of view, and you have had experience in other agencies, let's stipulate we need a working capital fund. But other than that, what's it going to take? Because my experience is, in the private sector, management needs to put a priority on something if it's going to happen. There has to be a multi-year commitment if that's what it takes. You've got to back it up with a budget commitment every year. From your point of view, what's it going to take to retire that legacy system? Mr. Gray. To continue on the path that we're on--actually there's a Next Gen financial student aid system that is well underway. That acquisition or that entire group of projects incorporates removing that legacy system and getting rid of it. So, it is actually on the road map on where we're going. 
General Mark Brown, who leads the Federal student aid, has been doing an amazing job working very closely--both of our teams working closely together from an oversight standpoint, to make sure that we are--it's fed into our governance process. So, at this point we have the support. Funding is always something we can always use, but we have the absolute support from the Secretary, from leadership and governance to address that legacy system because we do recognize it is old and needs to be improved. Mr. Connolly. It is an enormous opportunity cost, not only for you but the rest of the Federal Government. If we're spending 80 percent of a $96 billion line item--well, it's not a line item, but that's roughly our budget for IT every year, and 80 percent of it is going just to maintain legacy systems, no wonder we've got some of the problems we've got. So, Ms. Martorana, you're relatively new to OPM. Where did you come from, may I ask? Ms. Martorana. The United States Digital Service. I spent two years at the Department of Veteran Affairs prior to joining. Mr. Connolly. OK. And you had private sector experience before that? Ms. Martorana. Yes. Mr. Connolly. OPM got, I think, a C, C minus overall grade. Given the fact that you're the H.R. agency for the entire Federal Government and, as Mr. Lynch mentioned, really sensitive data on Federal employees, on people seeking security clearances, you know, a breach there, what could go wrong with that? And, sadly, we had the biggest single breach in the history of the Federal Government with your agency several years ago. There is a sense, not about you personally, but that the agency remains surprisingly less than driven by a mission to make sure that never happens again and we're the exemplar for the Federal Government as opposed to a laggard. So, I want to give you the opportunity to address that. 
I heard you like your team and they're committed and you feel pretty good about where you're headed, but a C minus is not a great overall grade for-- given your mission. And maybe put more positively, as we look to the future, what will it take to get to an A from your point of view. Ms. Martorana. Yes. We're a C plus, so a slight correction. Mr. Connolly. What's that? Ms. Martorana. C plus. Mr. Connolly. C plus rather; excuse me. Ms. Martorana. With the mainframe platform migration that we just completed and the coming data center closures that that will trigger and the--we had a failing grade in software inventory, but through the COVID supplemental, we're able to procure software that will allow us to actually do a software inventory. We will be able to check that off of our list as well, which should get us to approximately a B FITARA score within the next six months. So, we are making pretty significant progress. You know, security is our primary focus, right. Every single day we keep those systems safe, secure, and operational. But one of the biggest challenges that we have is funding and personnel. To the question earlier about risk, one of the biggest risks I think that we are facing, in addition to those systems, the legacy systems, is also we have many, many people in our work force that are retiring. And with those folks retiring and a lot of these systems' documentation not--systems being old and not being very properly documented, a lot of the knowledge of those very old complex legacy systems is retiring with those subject matter experts. So, I think we have multiple levels of challenges that we have to face together. So funding, multi-year funding so that we can actually retire those legacy systems and put in more modern technology, that will reduce risk. 
Continuing to upskill and train our Federal work force and inspire younger and different people to come into the Federal work force is a critical part of what is going to be needed for us to continue to secure and maintain and operate those systems. Mr. Connolly. I certainly agree with you, although I would say, not about you, you know, freezing wages, threatening to cut back in compensation, disparaging the work of the Federal work force, making it harder for people in the workplace to have appeals and representation and talking about extending a probationary period from one to two years, none of that is particularly appealing to young people on the college campus to come work for the Federal Government. It's almost designed, in fact, to also accelerate the phenomenon of retirement when people--40 percent of the Federal work force is eligible for retirement, and some of them can delay it because they're so driven with their mission and so passionate about what they're doing, or they can accelerate it because they feel so discouraged and unappreciated. And none of this was helped by a 35-day shutdown, the longest in American history. So, you come from the private sector; I come from the private sector. I don't know a CEO who would get very far with his or her board disparaging the work force, slashing compensation and talking about--you know, discrediting, shall I say, their value and their work. No CEO I know would keep the job. And, you know, you praise your work force, you motivate your work force, you incentivize your work force---- Mr. Palmer. It looks we lost the Chairman. Is he still on your screens? Mr. Connolly. OK. Well, anyway, I want to thank you for the observation. Thank you for the work you have done. We will stay in touch. Congratulations on progress. And we certainly, Ms. Roat, need OMB to keep the pressure on and to be supportive. We've got to come up with some creative solutions to help agencies, in addition to money, retire these legacy systems. 
And they want to, they're motivated, but it's a big, big decision and a multi-year commitment in most cases and quite disruptive actually in making that transition. So, we've got to have some creative solutions. As we see the vulnerabilities in our systems, they have to be addressed. Thank you to the first panel so much for being here today. Please stay safe and healthy. We're going to take a five-minute break and then convene the second and final panel of this hearing. Thank you. [Recess.] Mr. Connolly. The subcommittee will reconvene. Mr. Powner, Ms. Council, and Mr. Spires, are you with us? Mr. Powner, can you unmute and acknowledge you're with us? Mr. Powner. Yes, I'm here, Mr. Chairman. Mr. Connolly. Thank you. If you would stay unmuted so I can swear you in. Ms. Council, are you with us? Ms. Council. Yes, Chairman Connolly. Mr. Connolly. Thank you. And, Mr. Spires? Mr. Spires. Yes, Chairman Connolly. Mr. Connolly. Thank you. If all three of you would raise your right hand. Do you swear to tell the truth, the whole truth and nothing but the truth or affirm the same, so help you God? Let the record show all three of our witnesses on the second panel have affirmed in the positive. Thank you. Mr. Powner, if you're ready, I'm going to call on you for your five-minute opening statement. And welcome back to our subcommittee. Mr. Powner. Thank you. Mr. Palmer. It's good to be back, Mr. Chairman. I don't have an opening statement. Mr. Connolly. I would ask--oh, Mr. Palmer? Mr. Palmer. Yes, sir. Mr. Connolly. I'm sorry, I didn't see you. Go ahead. Mr. Palmer. OK. I do not have an opening statement, but I failed to do something in the previous panel, and that is enter a document and ask for unanimous consent to enter a document into the record on the supply chains vulnerabilities. Mr. Connolly. Certainly, yes. Mr. Connolly. And, Mr. Palmer, if you didn't hear me, I said I would be glad to work with you on that whole question about supply chain. 
I think it's a very good point you made. Mr. Palmer. Well, I had hit the little raise my hand button thing--I'm trying to get used to all of this webinar stuff--and I had a followup question that I will ask one of the panelists here. But with that, with no opening statement, I will yield back so that we can move forward with the questions for the panel. Mr. Connolly. Thank you, Mr. Palmer. I didn't call on you for an opening statement because Mr. Hice had an opening statement for the whole hearing, and this is the second panel of that hearing. But, obviously, if you had something you wanted to add, you're more than welcome. Mr. Palmer. I thought you were asking me if I had an opening statement. I do not, but I will have questions. Mr. Connolly. Yes, of course, and we welcome them. Thank you. Mr. Palmer. And I thank the Chairman. Mr. Connolly. Mr. Powner, you're recognized for your five minutes. STATEMENT OF DAVID POWNER, DIRECTOR OF STRATEGIC ENGAGEMENT AND PARTNERSHIPS, THE MITRE CORPORATION Mr. Powner. Chairman Connolly, Ranking Member Hice, and Members of the Subcommittee. Thank you for the opportunity to testify on the FITARA scorecard. For the past two years, I have worked for MITRE, a not-for- profit corporation that operates in the public interest. We're public/private partnerships with federally funded R&D centers. We work across government, partnership with industries to tackle challenges for the safety, stability, and well-being of our Nation. Prior to joining MITRE, I was at GAO where I worked closely with this committee crafting FITARA, helping with the creation of the scorecard, and assisting in its oversight. I would like to start by thanking you, Chairman Connolly, for your leadership not only in creating FITARA, but also your unprecedented follow-through with more than five years of consistent oversight which has included 10 scorecards. 
The Federal IT community has benefited greatly from working with you and your bipartisan partners along the way, Representatives Issa, Hurd, Kelly, Meadows, and now Ranking Member Hice. Today I would like to address three areas: One, the results and progress that have occurred since FITARA passed; two, the reasons for these results; and, three, potential areas to consider for future scorecards. The progress that has resulted from the scorecard in your oversight are significant. Billions of taxpayers' dollars saved consolidating data centers and reducing duplicative business systems and licenses. FITARA's scorecard has also helped elevate the CIO role. More CIOs have a seat at the executive table and relationships with agency CFOs have strengthened. These enhanced authorities and relationships will be critical as CIOs lead their agencies to more modernization and digital transformation. So, why was FITARA and its implementation successful? Simply put, it was a collective team effort from the Legislative and executive branches. Let's look into the specifics of this oversight. Mr. Chairman, your approach focused on critical sections of the law, established clear metrics with specific targets, was measurable and data driven, and the oversight was consistent every six months over a five- year period. This is extremely important since it took at least two years with four scorecards to see significant progress in any of the graded areas. Also, OMB played a critical role. They issued FITARA implementation guidance and required self-assessments after FITARA was passed. Federal agencies' CIOs have provided leadership and delivered results. This progress is evident with the high grades on today's scorecard. So, where should the scorecard go from here? Some of the areas graded have reached a level of maturity where perhaps grading is no longer a necessity. 
Now, this is not to say that they're not important, just that other areas could benefit from the transparency, measurement, and oversight the scorecard provided. For example, Mr. Chairman, the hearing you held a few weeks ago on mission modernization and your March hearing where you covered GSA's EIS contracting are prime candidates. My written statement provides five recommendations to consider as the scorecard is enhanced. These recommendations are very consistent with the goals in the President's management agenda. Here's a brief rundown of the five. No. 1, enhance the cyber area by considering metrics with agency and industry use and measure cybersecurity. This should include areas like patch and vulnerability management, missed cybersecurity framework, and supply chain management. No. 2, add a mission modernization category that provides transparency to our Nation's most important IT acquisitions and incorporates a customer experience measurement as well as legacy retirements. No. 3, add an infrastructure category that highlights progress on EIS so that we have in place more modern and secure networks. No. 4, add an IT work force category that provides a comprehensive view of agencie's gaps in critical cyber engineering areas and tracks progress to build the appropriately skilled work force. And, No. 5, add an IT budgeting category that continues to focus on working capital funds but also incorporates TBM so that IT costs are better captured. We need to shed a light on the discipline agencies use in IT budgeting so that it reflects actual needs for modernization. This category could drive better conversations both internally with CFOs and externally with OMB and the Congress. In summary, Mr. Chairman, these recs are about having better secure agencies, tackling true mission enhancement, having a modern infrastructure, a skilled work force to do it, and the right resources. Could an enhanced scorecard help in these critical areas? Absolutely. 
Future legislation to enhance OMB policies could also. Mr. Chairman and Ranking Member Hice, we look forward to further assisting you on these important topics for our Nation. Mr. Connolly. I thank you, Mr. Powner, and I also thank you for being one of the architects, key architects of establishing the scorecard, and I think it's evolved in a way that we hoped it would, which is to incentivize agencies to evolve and to modernize and to understand the criticality of that mission. And I thank you for your leadership in allowing us to be where we are five years later. LaVerne Council, chief executive officer of Emerald One, welcome. STATEMENT OF LAVERNE COUNCIL, CHIEF EXECUTIVE OFFICER, EMERALD ONE, LLC Ms. Council. Chairman Connolly, Ranking Member Hice and Members of the Committee, thank you for the opportunity to appear before you today to share my experience implementing FITARA as an Assistant Secretary for Information Technology and CIO at the Department of Veterans Affairs where I served from 2015 to 2017. I am pleased to join you and provide my recommendations to support the continued effectiveness of FITARA. Prior to joining the VA, I spent over 30 years as a global leader in operations and technology in private industry. During that time I led organizations as large and complex as the VA. I had complete fiduciary responsibility and accountability for implementing world-class processes and technology. However, during the preparation for my role in the VA, I frequently heard about how difficult it was to execute IT projects in the Federal Government. The causes were numerous: one or two-year appropriations, complicated program budgeting, hiring delays, data center proliferation, cultural nuances, even technology procurement decisions being made outside the IT organization. While I did witness each of the obstacles mentioned, within a short period of time, we were able to make progress at the VA. How were we able to do it? 
We had one critical strategic tool I could rely on. It was FITARA. FITARA is the law, and regardless of whatever obstacles I might have encountered, I had a law that I could leverage. I want to thank the committee for giving us that law and, therefore, the authority to act accordingly.

Let me share a figure with you: 74 percent of all mainframe IT modernization projects fail. That's a staggering figure, and it is industry-wide. The primary reason is enterprise complexity and age. Many organizations obtain or develop new technology to enable a new process or solve a problem well before they understand how the solution will be supported or how the process will work. In most cases you're trying to make something new work on something old. Integrating new technologies on top of old infrastructure is always a risky proposition. The old infrastructure generally has not been well maintained. Therefore, unforeseen risks often occur and lead to subsequent failures. Just like the stuff in your attic or basement no one wants to get rid of anyway and no one has updated anything, the same thing happens in IT. In addition to the infrastructure age, the organization's culture, and how it drives the use of technology, and the CIO's influence within the agency has a major impact on projects' success.

At Emerald One we address the issue of complexity by not just focusing on people, process, and technology, but also engaging the leadership, being culturally aware, building trust, attaining the full value of the solution, and doing it in the shortest possible time so you can take advantage of the new technology. We call this the Elements of Brilliance. With this in mind, I respectfully submit to the subcommittee several recommendations that I believe could strengthen FITARA.
The first recommendation is to make the FITARA scorecard an agency-wide metric, therefore providing the agency CIOs with the support needed to become the enabler of a critical agency asset along with the rest of the leadership team. The second is to add a metric that measures the agency's average technology life cycle. This could be utilized to understand the risk of modernizing in that environment. The committee should also consider a method to assess cultural readiness. The culture must be prepared to adopt new technology, not just endure it. Organizational leaders must focus on user adoption by measuring and managing the culture's preparedness before tackling any new technology. And, finally, you must ensure that the agency's fiscal reality supports the technology mandates we impose. Many of our agencies continue to receive technology budgets that allow them to do little more than maintain and sustain outdated systems. MGT supported by the TMF were both positive steps forward. By creating more meaningful connections between the mandates, the committee can create the leverage many CIOs need to modernize. As the Chairman shared in his July 20th opening statement, we can no longer allow outdated and legacy technology to stymie the delivery of vital public services.

Chairman Connolly, Ranking Member Hice, and Members of the Committee, thank you again for the time and opportunity to share my experience and perspectives on FITARA. I look forward to its continued success and implementation and am happy to take your questions at this time.

Mr. Connolly. Ms. Council, thank you so much; really very helpful observations from your own experience, very practical, and we look forward to working with you as we proceed. Thanks so much. Mr. Spires, welcome back. Mr. Spires?

STATEMENT OF RICHARD SPIRES, PRINCIPAL, RICHARD A. SPIRES CONSULTING

Mr. Spires. Yes, Mr. Connolly. Good afternoon to you----

Mr. Connolly. Welcome back.

Mr. Spires [continuing].
Ranking Member Hice and Members of the Subcommittee. I'm honored to testify today in regard to FITARA and the scorecard that Congress has been issuing over the past five years. Having served as the CIO of the U.S. Department of Homeland Security, as well as IRS, and having served as the Vice Chair of the Federal CIO Council, I had ample opportunity to understand the management dynamics inherent in Federal IT. I was pleased when FITARA was enacted, but while the legislation itself has been of aid, I believe it has been the oversight of Congress that has been the driving factor in getting Federal agencies to improve their IT management. In particular, the spirit of bipartisanship has made a significant positive difference, starting with the drafting of FITARA, and it continues today with leadership from the subcommittee.

Yet even with the progress, much work remains to reach the state of IT management best practice. The hearing held by this subcommittee just two weeks ago showcased the need to continue to focus on IT modernization. But even if we had unlimited funds to invest in IT, many agencies would still struggle, as they do not have the management maturity and skills to effectively deliver large-scale IT modernization. In 2015, GAO placed the whole Federal Government on its high-risk list for improving the management of IT acquisitions and operations. In GAO's latest report, it recommended that 12 agencies identify and plan to modernize and replace legacy systems, yet only three of the 12 agencies had implemented GAO's recommendation and made progress in even planning to modernize their legacy systems.

Given the success of the scorecard, it should continue as a tool to measure agency progress. I recommend changes to the scorecard to sharpen the focus on IT management and modernization, all of which are provided in my written testimony. Some highlights of my recommendations include:

One, add an IT planning category.
Meaningful IT modernization starts with good planning and support by agency leadership. Hence, this category should reflect the maturity and focus on IT modernization within the agency's planning function and enterprise architecture.

Two, combine the incremental delivery and transparency and risk management categories into a broader delivery of IT programs category. Agency IT modernization occurs through the successful delivery of IT programs and, as such, there should be a category that measures the ability of agencies in being able to manage such programs.

No. 3, evolve the managing government technology category to a broader IT budget category. This category should keep the element of an agency having an IT working capital fund. In addition, agencies should much better understand the cost element of the agency's IT budget. The Federal Government has adopted a Technology Business Management, TBM, taxonomy to support this effort. Agencies should be measured on their adoption of TBM, along with the use of benchmarking of their IT services, so that they can compare themselves to other similar-sized agencies and private sector corporations.

Evolve the cybersecurity category. Agencies should be conducting meaningful enterprise cybersecurity risk management to ensure they are focusing on protecting their most sensitive data and critical systems. NIST has developed such a risk management framework called the NIST Cybersecurity Framework, the CSF, and its use is mandated by Federal agencies. Hence, the cybersecurity category should start with measuring whether an agency is properly executing the seven process steps of the NIST CSF.

Add a customer satisfaction category. IT organizations have customers. A core measure for all agency support organizations should be customer satisfaction. It would be best practice to administer a standard customer satisfaction survey to all agencies so this category can be added to the FITARA scorecard.
To determine the specific measures for a category and what additional data would be required for agencies to collect so the category could be graded, I recommend that Congress convene an advisory group that would develop recommendations to evolve the FITARA scorecard. This advisory group should be headed by GAO but include representatives from the Federal CIO Council, the Office of the Federal CIO, and from the private sector. Such an advisory group could make recommendations to Congress within three to six months. Given the scorecard works, let's commit ourselves, as the Federal IT community, to evolve the scorecard to support and drive agencies to more rapidly adopt IT management best practices and move aggressively to modernize agency processes and systems. Thank you for the opportunity to testify today.

Mr. Connolly. Thank you so much, Mr. Spires. And thank you, all three of you, for your very thoughtful testimony. And I assure you, we'll be glad to work with you and take cognizance of some of the changes you propose in the metrics and in the scorecard itself. The chair now calls on Mr. Palmer for his five minutes of questioning. Mr. Palmer? I'm informed Mr. Palmer is having a bandwidth issue. In Alabama maybe, huh? Well, let me ask all three of you a series of questions. One is, how important is it that the CIO have the ear of the agency head? That's one of the categories we've actually added to the scorecard in terms of the reporting sequence, because from our point of view, it's about empowerment. If you're going to make decisions and make them stick, you know, the rank and file need to see that that CIO is empowered by the agency head, the boss. In your experiences, how important is that, from your point of view? Maybe we start with you, Mr. Spires.

Mr. Spires. Yes, thank you, Chairman. Yes, I had the situation of reporting to the, if you will, agency head, a large bureau in the IRS when I was CIO, and not the case at DHS, actually.
I reported to the Under Secretary of Management. So, I've seen both situations in government, and I think it makes a significant difference. And not to take away from the Under Secretary for Management in DHS, but that individual who I served under had no IT background and there was a lot of lost translation. And, frankly, I don't feel like--not that I wasn't able to develop a relationship with the Secretary and Deputy Secretary of DHS, but it was not nearly as strong a relationship as I was able to develop with the IRS Commissioner. And I would say that, in my view, I was able to be more effective, significantly more effective, because I had a good relationship with the head of agency.

Mr. Connolly. Ms. Council?

Ms. Council. Yes, I also agree with Mr. Spires. I actually, during my time in VA, even though it wasn't the norm, had a direct reporting relationship with the Secretary, who was Robert McDonald. Part of the reason for that was we had a short period of time to get a lot of things done. He understood I understood large enterprises. I had come from Johnson & Johnson. He had been at Procter & Gamble. And it allowed us to sync very quickly. It also is a way for the CIO to have the kind of support enterprise-wide that they need when an agency head is aligned with them. It doesn't mean that you don't include others in the conversation. It just means that everyone knows this mandate is a mandate. So, I totally agree with that alignment.

Mr. Connolly. Thank you. And Mr. Powner.

Mr. Powner. Yes. So, I will third the importance of reporting to the agency head. I think it is very important the discussions we're having about mission modernization and tackling legacy where we have--where CIOs have relationships with the business leads and also a strong relationship with the CFO, so that there is the budgetary support to tackle these big, complex legacy modernizations.
So, having the support at the top so that they can be a business partner with the business unit and also having that strong relationship with the CFO is critical to tackling these big challenges the Federal Government faces.

Mr. Connolly. Mr. Powner, while I've got you, maybe you heard the previous panel, our conversation about data centers and the attempt by OMB to maybe dilute the definition of data centers, which could have the unintended effect of losing savings and even compromising security. Would you comment on that? Because you remember how important, the premium we put on data center consolidation when we actually began this process with the scorecard.

Mr. Powner. Yes. No doubt, Mr. Chairman. So, a couple comments here. I knew when that memo came out that there was going to be a rub between OMB policy there and where you were going with data center consolidation. Do I think that we have had great success with data center consolidation? Yes, $4.7 billion in savings. Do I think there's opportunity to still do more? Sure, and populate with the capital funds. I think what really needs to occur is I think there needs to be a really--there needs to be some type of agreement between OMB and what they're doing and what Congress wants to do, so you guys get more on the same page. Right now, right, we're at different ends of the spectrum here. I do think there's probably some coming together where you could tackle some data center. There's a lot that's already done, but there's still some opportunities. That's why I think that the infrastructure category on the scorecard where you could still include data centers, but you also look at modern networks like with the EIS vehicle, is a good way to think more broadly about the infrastructure rate and how we tackle that.

Mr. Connolly. You will remember, perhaps, that the very first hearing we had on this subject was when John Mica was chairman of this subcommittee, different kind of configuration.
We had a field hearing at George Mason University in my district, and that forced people to look at how were they complying with this brand-new bill, FITARA, on data center consolidation. And what happened was we got much better at identifying thousands of data centers we didn't know we had, but we made zero progress on consolidation. Out of that hearing actually grew the idea of a scorecard, so we actually could create metrics and force action. So, I hope we don't go back to that. It's distressing to learn that this action alone would take 2,000 existing data centers and basically take them offline. That's not the language of the statute and it's not the intent of the statute. So, it's worth watching. And my time is up. Mr. Hice, I recognize you for five minutes.

Mr. Hice. Thank you, Mr. Chairman. Real quickly to each of you, and I don't want a long answer, just kind of get at your basic feel here, but I'd like to hear from each of you as to how you think FITARA, the scorecard, has it been successful in driving change within agencies? From your perspective, is this thing working, and real quickly, why or why not?

Mr. Spires. I'll start, sir. Yes, it is definitely working. And as I mentioned in my testimony, the point is we've always had good people, good CIOs, you know, people that want to do the right things, but the environment in many agencies, the culture, as LaVerne was talking about, makes that difficult at times. So, you shining a light on aspects of IT and IT management as congressional oversight, I think, is really critical, and it does force agencies----

Mr. Hice. Real quickly. I've got some other questions. I want to hear from the others. Yes or no?

Ms. Council. Yes. This is Ms. Council. I think it is working. I think it is working very well. I also believe that people manage what's measured. And because it's managed and because it's measured and because it's clearly transparent, it gets people focused on the right things.

Mr. Hice. OK.

Mr. Powner.
I agree with Ms. Council on, you know, what gets measured gets done. And I think what's really important to look at is your persistence and consistency. In most of these areas, it took at least four scorecards and two years to see significant change. We've got to stick with it in order to drive change, with some of the cultural issues that Ms. Council mentioned earlier; it just takes time.

Mr. Hice. OK. I don't know which one of you is most equipped to hit on this, but several of you or a couple of you brought this up with the CIOs. What's the biggest challenge that a CIO is facing in the attempts to try to deliver large-scale IT modernization? What's the wall they're running into?

Ms. Council. I can take that one. Large implementations are just that, they're high risk and they're costly and they include people. And when you put all those together, you end up in the situation where you can't control all the aspects, and it requires a really focused effort of all hands on deck. One of the biggest issues you run into, especially with one-, two-year money, even with the working capital fund, is that you may have multiple sets of these systems in the same environment. I can only speak to VA, but you're talking about one of the most complex environments in the world, not just in the U.S. Government. So, when you go after trying to effectively change one of these, you've got to realize you're impacting an entire enterprise. None of these things are in isolation. None of these things easily are changed without engaging the entire whole. So, they are tough, but can they get done? Yes, they can get done. They require a lot of focus. They require everyone's intent. And I think that's one of the reasons we think that the alignment needs to be the top of the house, so that everyone understands they have to have a stake in making it successful.

Mr. Hice. OK. Mr. Spires, are you there?

Mr. Spires. Yes, I am.

Mr. Hice. OK.
You mentioned in your testimony--I'm sorry, my time is running out here, but you mentioned recommendations, if you will, regarding next steps for the scorecard, and specifically you brought up trying to phase in the metrics and obtain a buy-in from the stakeholders. Can you kind of walk me through what you have in mind when you make those comments?

Mr. Spires. Sure, Mr. Hice. I believe that we need to try to get better alignment. And Mr. Powner mentioned this earlier in an answer to a question about trying to get Congress working effectively with OMB, effectively with GAO. Let's come up with a set of metrics we all agree with. They won't ever be perfect, but I think we can come up with a really good set of metrics. We've got to figure out how we measure them, that's important, and get the data. But if we do that and we can get better alignment--and this is a bipartisan issue, so I think we can work to do that. And I think we can make significantly more progress in driving IT modernization, because too often we're not going after it. We're doing things that help, don't get me wrong, but some of the really big modernization efforts that do require that whole-of-agency effort agencies are just scared to go after, and we need to change that dynamic, because it's really important to our country that gets done.

Mr. Hice. Well, thank you. And I hope you're right. I agree, we need to--the metrics have been great, the question of the scorecard have been moving it forward to get more to the bottom line of what we need to get to. I think we can get there as well. I thank you for your answers and appreciate it. Mr. Chairman, I yield back.

Mr. Connolly. I thank the ranking member. And our hope I think eventually is to move to sort of a scorecard that is a digital hygiene kind of scorecard, but it's important to note what Mr. Powner noted.
The only reason, in theory, we've made the progress we've made is because we have stubbornly insisted on the metrics contained in the scorecard for five years. And it took five years to get everyone finally better than a D and no Fs, five years. So, we want to be cautious about sliding back or assuming progress where it, frankly, has not yet been completely achieved. So, I want to thank all of our panel for being here. There are so many other areas we could expand upon and----

Mr. Palmer. Mr. Chairman?

Mr. Connolly. Oh, Mr. Palmer, are you still with us?

Mr. Palmer. Yes. I swiped myself off a little while ago.

Mr. Connolly. Sorry. Welcome back. And you are recognized for five minutes, Mr. Palmer.

Mr. Palmer. Thank you, Mr. Chairman. I want to go back to something Mr. Spires said about some additions to the scorecard, and this has to do with security. The Federal Acquisition Regulations are really written in such a way that cheapest is best, and it goes back to something that we talked about in that first panel about the fact that we're dealing with antiquated legacy systems, and about 51 percent of what we're buying is sourced from China. So, I'm wondering if it makes sense to add to the scorecard and to encourage agencies to avoid buying--as much as possible, avoid buying from China. Mr. Spires, since you raised the issue of adding to the scorecard.

Mr. Spires. Yes. In the cybersecurity area, certainly I'm a huge believer in looking at enterprise risk. And there's no doubt today that cybersecurity supply chain risk is a very significant risk that we need to address. So, I'm not in a position to say exclude--you know, shouldn't buy anything from China that's related to IT, but I think it is something that agencies need to take seriously as they look at their enterprise risk strategy. And I know that's certainly something DHS is looking at for all of government right now.

Mr. Palmer. Yes.
I'm not saying that they can source everything outside of China, but we ought to encourage them to do as much as they can, because I think there's a gap, particularly when it comes to security, especially around this multitiered supply chain. And it's really mentioned nowhere or addressed nowhere in these acts. So, let me ask it this way: Does it make sense to amend FITARA to assess the global supply chain security risk tied to the Federal IT acquisitions? Maybe that's where we start, and then we put that in--add that into the scorecard. Does that make sense?

Mr. Spires. Again, I go back to it is a key risk for enterprise cybersecurity for an agency, and it should be addressed as such. Whether or not that needs to be in legislation or just part of the scorecard, I think that's--I think that's why you should have an advisory group with some experts that are really--you know, that study this particular field, what would be best for the Federal agencies and how to handle this particular enterprise risk.

Mr. Palmer. OK. And I'm not totally familiar with all of the agencies, but I know there are a number of areas that are considered high risk. I don't know in the GAO's assessment if that includes high risk for security breaches in the context of where they sourced their materials. Mr. Powner, do any of you--do you know?

Mr. Powner. This question about high risk has come up a couple times, Representative Palmer. I think one of the key things we probably need to do here, whether it's supply chain or just high risk in regards to other aspects of high risk, you know, where there's risky acquisitions that are out there, it sounds like there's probably some clarification that OMB might need to look at in terms of their policies that they currently have in place so that we're all kind of singing off the same sheet here, because there seems to be a lot of confusion around this risk.
And I would recommend that OMB take a good hard look at this high risk and look at what their policies say in those areas and perhaps clarify that.

Mr. Palmer. That's a great point. We will follow up on that. And I think--I've been on Oversight since day one, I took a leave for most of this Congress, but I've done a lot of work with the GAO, and the thing that I want to commend the chairman and the ranking member on is we continue to work together in a bipartisan way to improve the quality. In the previous panel, Chairman Connolly mentioned the fact that some of these agencies are still operating on COBOL. When I was in college, I was a COBOL consultant. And my concern is that there are not many people left who would know how to correct something if something went wrong with that. So, there's a lot of vulnerabilities that exist. And I think what we're trying to do here, in a bipartisan way, is not only enhance our security, but also improve the quality of the work product by--what I think we need to be doing is replacing antiquated systems, and not only doing it at the Federal level but at the state level too, so that we've got that interoperability that we desperately need. With that, Mr. Chairman, I thank you for recognizing me being back and being back on the committee, and I yield back.

Mr. Connolly. Thank you, Mr. Palmer. Thank you so much. Very thoughtful. Let me ask one last question, if I may, of all of the panelists, because given your experience. One of the things that concerns many of us is, especially those of us who are also in the private sector in IT, is that there's this gap, knowledge gap, experience gap, between the Federal Government and, let's say, the private sector, especially vendors who provide services to the Federal Government in this sector, and that that gap is almost growing.
And to try to reverse that, we've got to be able to attract technology specialists and experts who can help the government manage its IT, procure its IT, and even as simple a task but not so simple, even writing the terms of reference for a complex IT contract. I'd love to hear, as the final part of this hearing, your observations briefly about that problem, if you agree it's a problem, and what you think we ought to do about it. Ms. Council, why don't you start.

Ms. Council. Thank you for the question. This is actually a question that impacts the governmental aspects as well as private industry. We don't have enough technologists anywhere. We don't have enough data scientists anywhere. We don't have enough architects anywhere. The need for technology, the need for people that really understand information technology and how to make it scale has constantly been there, but I can tell you now it's even tenfold. As you see the now normal that we go through since COVID, technology is everywhere and it's everything. It allows us to be where we need to be, and when we can't be there physically, it allows our ideas to be there. So, getting people to come work in the Federal Government, one, is really hard. I talked about that often when I was in the role. I wouldn't know how to get a job in the Federal Government. It's not a straight line. It's not sending a resume and you start talking to someone, as you would in a commercial entity. It also requires that you know--you have to understand how to navigate. And I will tell you some of the best and brightest in our universities today, they are interested in working on technology, want to work on the newest things possible. They want to work on the hardest things possible.
So, I think the more we can give them that kind of environment, the faster we can get up on technology, the faster we can get new technology through FedRAMP, Chairman Connolly, the more excited young people will be, as well as some old people--don't count us all out. We know how to program, some of us do--will be more than willing to come in and help the Federal Government, no doubt about it.

Mr. Connolly. Thank you. Mr. Spires.

Mr. Spires. Yes, thank you. And great answer by Ms. Council. I'll build on that a little bit by saying that I really feel like--I mean, I came in mid-career into government at the IRS first, and I'll tell you the sense of mission is really palpable. And I don't think--I think we could do a much better job of enticing younger people if we would market ourselves better as Federal agencies. I recognize that sometimes you don't have the latest technology that you can offer all of them, but I'll tell you, the opportunities that younger people can have that are talented, that really want to build a career, I think we're missing a big opportunity to be able to entice people. And I think if we marketed this more effectively, we could attract people. Now, you're going to lose a lot of them, there's no doubt. I mean, maybe you have a program where you try to keep them for four or five years and help you. And some will stay. A lot will go back into the private sector, and that's OK. But we need to do something different. And I don't think we're going to be able to buy our way out of this with increased salaries, but I do think we have a wild card here that we need to play, and that's that sense of mission and the opportunities we can offer younger people.

Mr. Connolly. Thank you. Mr. Powner, final word.

Mr. Powner. So, I agree on the sense of mission. Many times, IT departments in the Federal Government have this compliance focus, and that compliance focus isn't going to attract anyone. If you look at where Ms. Council was at, you know, who doesn't want to help the vets in our country or who does not want to help secure the homeland, where Mr. Spires worked. Those are the types of missions we really need to get out front and to talk about the challenges that we face as a government and attract those young hard-chargers that are out there. It's not going to be easy because of the salary differences, but I do think--and we've seen it when you do have this mission focus. Like, why do some folks who are seasoned come back into government? Ms. Council did. Mr. Spires did. They come back because, you know, they're sold on the mission, and they want to actually help deliver on these missions. It's no different with the younger folks we need to attract. We really need to sell the mission hard, because a lot of things in government are really important, and I think there would be a fair amount of people who would get behind that.

Mr. Connolly. So, a little inspiration wouldn't kill us?

Mr. Powner. Absolutely, absolutely.

Mr. Connolly. Thank you. With that, without objection, all members will have five legislative days within which to submit additional written questions for the witnesses to the chair, which will be forwarded to the witnesses for their response. I ask all of our witnesses to respond as promptly as you are able. And I want to thank all three of you for really thoughtful contribution to this conversation and to the scorecard on FITARA. And, with that, this hearing is adjourned.

[Whereupon, at 4:33 p.m., the subcommittee was adjourned.]