[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
HELP OR HINDRANCE? A REVIEW OF SBA'S OFFICE OF THE CHIEF INFORMATION
OFFICER
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON SMALL BUSINESS
UNITED STATES
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
HEARING HELD
JULY 12, 2017
__________
Small Business Committee Document Number 115-028
Available via the GPO Website: www.fdsys.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
26-248 PDF WASHINGTON: 2017
----------------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
HOUSE COMMITTEE ON SMALL BUSINESS
STEVE CHABOT, Ohio, Chairman
STEVE KING, Iowa
BLAINE LUETKEMEYER, Missouri
DAVE BRAT, Virginia
AUMUA AMATA COLEMAN RADEWAGEN, American Samoa
STEVE KNIGHT, California
TRENT KELLY, Mississippi
ROD BLUM, Iowa
JAMES COMER, Kentucky
JENNIFFER GONZALEZ-COLON, Puerto Rico
DON BACON, Nebraska
BRIAN FITZPATRICK, Pennsylvania
ROGER MARSHALL, Kansas
RALPH NORMAN, South Carolina
NYDIA VELAZQUEZ, New York, Ranking Member
DWIGHT EVANS, Pennsylvania
STEPHANIE MURPHY, Florida
AL LAWSON, JR., Florida
YVETTE CLARK, New York
JUDY CHU, California
ALMA ADAMS, North Carolina
ADRIANO ESPAILLAT, New York
BRAD SCHNEIDER, Illinois
VACANT
Kevin Fitzpatrick, Majority Staff Director
Jan Oliver, Majority Deputy Staff Director and Chief Counsel
Adam Minehardt, Staff Director
CONTENTS
OPENING STATEMENTS
Hon. Steve Chabot
Hon. Nydia Velazquez
WITNESS
Ms. Maria Roat, Chief Information Officer, United States Small
Business Administration, Washington, DC
APPENDIX
Prepared Statement:
Ms. Maria Roat, Chief Information Officer, United States
Small Business Administration, Washington, DC
Questions for the Record:
None.
Answers for the Record:
None.
Additional Material for the Record:
None.
HELP OR HINDRANCE? A REVIEW OF SBA'S OFFICE OF THE CHIEF INFORMATION
OFFICER
----------
WEDNESDAY, JULY 12, 2017
House of Representatives,
Committee on Small Business,
Washington, DC.
The Committee met, pursuant to call, at 11:00 a.m., in Room
2360, Rayburn House Office Building. Hon. Steve Chabot
[chairman of the Committee] presiding.
Present: Representatives Chabot, Luetkemeyer, Brat, Knight,
Kelly, Blum, Bacon, Fitzpatrick, Norman, Velazquez, Evans,
Murphy, Lawson, Adams, Espaillat, and Schneider.
Chairman CHABOT. Good morning. The Committee will come to
order.
Before we get started, I wanted to take this opportunity to
welcome our newest member here, Congressman Ralph Norman, who
was sworn in a little over 2 weeks ago. He joins us from the
beautiful State of South Carolina, and I know because my wife
and I were just there a couple of days ago as a matter of fact,
and it is a beautiful great state. My mom is from North
Carolina. As a real estate developer, Congressman Norman brings
real world experience, I think, to this Committee, knows an
awful lot about small business, and we are looking forward to
having him be a great contributing member of the Committee. So
I think both sides would like to welcome you.
Mr. NORMAN. Thank you so much.
Chairman CHABOT. Thank you.
We also welcome everyone else for being here today. The
Committee is here today to examine the Small Business
Administration's Office of the Chief Information Officer. This
office is tasked with managing and overseeing the agency's IT
investments and IT security. That is a big job and it is an
important job. The Office of the Chief Information Officer must
protect taxpayer dollars and small businesses' information
while helping the agency run more efficiently and more
effectively.
Unfortunately, the Office of the Chief Information Officer
has struggled over the past several years. It has experienced
very high turnover at that position, in particular, the Chief
Information Officer position. The SBA is on its eighth CIO
since 2005. Let me repeat that, the eighth CIO since 2005. I
was reminded by some of the local Redskins fans that that is
about how many quarterbacks they have had over that same period
of time. Of course, I am a Bengals fan, so I really do not
care.
But on the serious side, a high turnover rate, especially
at the Chief Information Officer position, undermines the
Office's ability to not just make improvements, but to even
meet its basic obligations: its obligation to deliver effective
IT products and initiatives, its obligation to ensure strong IT
security, its obligation to manage IT spending, its obligation
to reduce security risks, and on and on. In its annual
Management Challenges report, the SBA Office of Inspector
General listed the lack of IT leadership as one of SBA's top
challenges for fiscal year 2017. The message from the OIG is
that SBA cannot even begin to address its many IT weaknesses
without strong and effective leadership, and that requires, in
part, stability and continuity within the Office of the Chief
Information Officer.
Notably, this report was released just as Chief Information
Officer Maria Roat, our witness here today, was starting at
SBA. Prior to her arrival, her post had been vacant for over a
year. The Committee welcomed her arrival then and continues to
be hopeful about the positive change Ms. Roat is trying to
bring about. From what the Committee has seen and heard so far,
Ms. Roat is trying to strengthen the leadership and voice of
her office, but this hearing will give us the opportunity to
better understand what improvements she had made and what
improvements she is still planning to make. As we know, there
is plenty of room for improvement.
I impress upon Ms. Roat the responsibility of both her and
her office. It is important that she and her office be fully
engaged in SBA's IT investment portfolio, overseeing the many
ongoing IT projects and all the while guard against security
breaches. SBA must do so to ensure that the office is running
well and supporting the agency's operations and small
businesses, as well as protecting taxpayer dollars.
I want to thank Ms. Roat for being here today. We look
forward to your testimony and obviously asking you some
questions.
And I would now like to yield to the Ranking Member, Ms.
Velazquez, for her opening statement.
Ms. VELAZQUEZ. Thank you, Mr. Chairman.
Of the committee's many responsibilities, one of our most
critical is overseeing and examining the Small Business
Administration. As the only federal agency charged specifically
with helping small businesses grow and succeed, all of the
SBA's functions should strengthen and preserve the
entrepreneurial foundation of our economy. For small businesses
to fully reap the benefits of SBA's programs, it is important
for the agency to operate efficiently and effectively. In
particular, the Office of the Chief Information Officer plays a
critical role in promoting information technology to support
and enhance business decisions and agency operations.
Despite its critical role, historically, SBA--this is under
Republican administration and Democratic administration--SBA
has neglected to prioritize this office. This is evidenced by
high turnover and an absence of a CIO for over a year. Such
disregard not only wastes taxpayers' dollars, it weakens IT
security, putting the government and small firms at risk.
Cybersecurity vulnerabilities are always of tremendous
concern, but are especially grave in light of events last year.
Our intelligence community has concluded that Russia used
cyberattacks in an attempt to influence last year's
presidential and congressional elections. We can expect that
Russia's intelligence services and other bad actors will
continue seeking weaknesses in our IT security system for
political gain and personal profit.
As stories unfold now almost daily about Russia's digital
meddling in our democratic process, we should expect every
federal agency to make cybersecurity a top priority, so it is
disconcerting that the OCIO has had such severe problems for so
long. There have been numerous GAO and IG reviews of SBA's IT
operations highlighting these deficiencies. In its 2015 review,
GAO found that SBA had not prioritized long-term IT
organizational transformation and had not conducted regular
reviews of its IT investment to ensure they continue meeting
agency needs.
Additionally, the IG found that overseeing and addressing
IT investment and security risks was one of the agency's most
serious management challenges for this fiscal year. The reports
indicate that some progress has been made in implementing
recommendations from these evaluations. Over 30 remain
outstanding. This is unacceptable.
It has been noted Ms. Roat recently took the reins as CIO,
and it is my hope that she will make oversight of the OCIO a
priority. I look forward to working together to ensure SBA
deploys adequate steps to strengthen IT security and management
of the OCIO. Effective management of the agency's IT system
helps ensure small businesses receive the assistance they need
to grow and create jobs. Equally important, bolstering the
agency's cybersecurity will ensure government and small
businesses' sensitive data is safeguarded from those who have
already conducted cyberattacks on our Nation and others who may
have similar plans.
I look forward to the witness' testimony on how these
challenges are being tackled.
Thank you, and I welcome you.
Chairman CHABOT. Thank you very much. The gentlelady yields
back.
If Committee members have opening statements prepared, I
would ask that they be submitted for the record.
Now I will briefly explain our timing rules. Since we only
have one witness it is pretty easy. We operate under the 5-
minute rule, and the lighting system will help you. The green
light will be on for 4 minutes. The yellow light will come on
to let you know you have a minute to wrap up. And then the red
light, if you could wrap up, you know, at or near that time, we
would greatly appreciate it.
Now, we would like to introduce our witness here this
morning. Our witness is Maria Roat. Ms. Roat is Chief
Information Officer for the Small Business Administration, as
we have mentioned a number of times already this morning. She
has been in this post only since October of last year. Prior to
accepting this position, Ms. Roat was the Chief Technology
Officer at the Department of Transportation. Ms. Roat also
served for 10 years at the Department of Homeland Security, and
worked in the private sector gaining relevant information
technology experience there. Lastly, and very impressively, Ms.
Roat accumulated 26 years of active duty and reserve service
before retiring from the United States Navy in 2007, and we
appreciate your service to our country. We thank you again for
your service. We welcome you here this morning. And you are
recognized for 5 minutes.
STATEMENT OF MARIA ROAT, CHIEF INFORMATION OFFICER, UNITED
STATES SMALL BUSINESS ADMINISTRATION
Ms. ROAT. Thank you. Good morning, Chairman Chabot, Ranking
Member Velazquez, and members of the Committee. Thank you for
the opportunity to discuss the technology transformation
underway at the Small Business Administration.
I on-boarded as the CIO in October last year and began with
a frank and honest conversation about the state of IT at the
agency. Even before I arrived, it was clear that transformation
was overdue. In November, we embarked on a fast-paced journey
to change how the SBA builds, buys, and manages information
technology to support small businesses and entrepreneurs. I was
laser-focused about our targets through the end of 2017:
stabilize and modernize. For the first 4 months, the CIO team
inventoried, upgraded, and patched operating systems, software,
and applications, and shut down approximately 170 servers in
our primary data center. We launched an infrastructure
modernization to lay the foundation for future capabilities. I
eliminated duplicative software and cut unnecessary
expenditures. I am leveraging our small business contractors to
bring in solution architects and senior engineering expertise.
We developed a cloud architecture model and are in the staging
process to move our systems to the cloud.
All of these activities will enable us to take an
enterprise approach to business solutions and launch
initiatives like virtual counseling that would help improve
citizen-user experience with the SBA. We are standardizing and
increasing our users' capability with an enterprise deployment
of Windows 10, Office 2016, and One Drive later this summer. We
turned on cloud-based collaboration tools internally and are
piloting the capability externally with the Tech Coalition.
We are collaborating with our stakeholders to introduce
business intelligence capabilities and modernize enterprise
reporting. We must be able to quickly generate and share
interactive reports to visualize and analyze our data to better
understand results and target SBA services to small businesses.
We are aggressively modernizing, pushing the envelope, and
testing new capabilities and security remains paramount. We are
introducing advanced threat protection capabilities,
encryption, and data loss prevention. We are approaching
security by design, building it in, not bolting it on. While
much of this work is behind the scenes, there are several
public-facing activities underway. We are actively modernizing
SBA's website to make information readily available and making
it responsive to mobile devices. We are modernizing
incrementally. Lender match is launching shortly and
improvements in functionality with access points for
counseling, events, and resources are launching later this
year. The certify program continues to also incrementally
deliver capabilities. The HUBZone Map launched last month and
tools such as 'Am I Eligible' help small businesses determine
if the certification programs are a good fit for their
businesses.
Transparency is critical, and I hold monthly IT forums. We
recently held the first CIO open house to provide a sneak peek
at the tools and technologies that will be deployed in a few
months. We also reimagined and modernized OCIO's internet site
to share information and resources.
Opportunities remain abundant. We must continue to attract,
hire, and retain the right talent and develop the entire SBA IT
workforce as we transition to an organization capable of
supporting modern technology stacks, cloud-based platforms, and
being an enabling partner to SBA's program offices. Over the
next 12 to 18 months, IT management capabilities will continue
to mature as we enhance governance and transparency and improve
risk management of IT investments.
To overcome the inherent inertia of the status quo, we are
making a radical and difficult, but deeply considered and well-
planned turn, moving to an environment where the CIO is a
partner to and enabler of the business of SBA. We have an
opportunity to get this right. We are aggressively hiring the
right team, modernizing our business and technology
capabilities. We are introducing innovation, not just to
support the SBA of today, but the SBA of the future.
Thank you for the opportunity to speak with you today, and
I look forward to your questions.
Chairman CHABOT. Thank you very much. I will now recognize
myself for 5 minutes to begin the questioning.
According to the Inspector General's risk management report
for 2017, the SBA had 39 open recommendations related to IT
security, some dated back to fiscal year 2011. Do you know
generally the status of those open investigations--excuse me,
recommendations, and how many of them still remain? And what
are you and your folks doing to ensure that the office meets
its obligations under the Federal Information Security
Modernization Act, FISMA?
Ms. ROAT. Yeah, we did have quite a few that were old ones.
I will say that we did close a couple of those old ones that
were there. Over the last few months we have closed more than a
half a dozen, and then we actually have a schedule of another
half-dozen or so that will be closed through the end of this
year. There are some that are low-hanging fruit that have been
open for quite some time and so we are tackling those first,
and there are some that are a little bit longer-term that we
have scheduled to close through the end of this calendar year
and into next year. So we acknowledge that there are more than
40 that were open, closer to 50 with the new report that came
out, and we are working through those now. It is a priority.
Chairman CHABOT. Is there anything you could give us, an
example of, you know, why something would be still open? Why it
is particularly tough that you have to deal with?
Ms. ROAT. For some of the older ones it was a matter of
just taking action and documenting. Some of the things were
already done, but it is a matter of coordinating with the IG's
office. Nobody took the next step to say we did this and showed
the evidence to say that this was done. In some cases that was
all that was needed to be done. You have to prove it to the IG.
You have to provide that evidence. And in some of those
instances where we have been able to close them quickly, we
have provided that evidence and said we have done the work.
Chairman CHABOT. Thank you.
Currently, what are the biggest challenges that your office
is facing, and how are you working to overcome those
challenges?
Ms. ROAT. Walking in the door, the biggest challenge was
really stabilizing the IT environment, just what we had. I also
had a challenge around vacancies that I had coming in to make
sure we filled the billets, get people on board, and getting
our arms around the work the contractors were doing. But by
far, the biggest thing was the workforce; getting the right
people in and stabilizing the environment. And then modernizing
it, which is the work we are doing right now. So this first 12
months is critical to really setting the stage to move forward
for the long term.
Chairman CHABOT. Thank you.
Do you believe that the SBA's enterprise IT architecture
needs to be improved? What specifically, and how do you intend
to go about improving it?
Ms. ROAT. So the infrastructure overall, when you look at
it from the network perspective, we have 120 circuits across
all of SBA. More than a third of those were overloaded by the
amount of data and traffic. They were just overloaded. We are
modernizing the entire infrastructure to begin with to all of
our field offices, and moving from a multitude of T1s and T3s
to a pure Ethernet backbone, which is going to give us a lot
more capability in the long run to roll out capabilities--
whether it is Skype or virtual counseling--or doing more things
online where we are currently much more paper-based. So we are
setting the capability for that. Moving to the cloud is also a
big piece of that from an enterprise perspective, putting those
services in place. Ultimately, this office needs to transition
from being just an office that does computers to a service
organization; so that as program offices want to grow their
business, as they want to add more capabilities, we are there
to be able to support that.
Chairman CHABOT. Obviously, there has been a considerable
high turnover rate, and I think that has had a pretty
significant impact on the office. Could you comment on that? If
you want to talk about the Redskins quarterback, we can do
that, too, but we will stick with your office, I guess, at this
time.
Ms. ROAT. You know, I am fully aware of the turnover and
the transition that has happened over the last 10 to 12 years.
The CIOs and Acting CIOs with no deputy, that has really hurt
the organization overall. And part of what I have done is put
the leadership team in place so that we do not have those gaps.
But it has hurt the organization having that turnover, the
transition, not having that line of sight over the next couple
of years, where the business of SBA needs to go rather than
having stovepipes and silos. It has hurt the organization.
Chairman CHABOT. Thank you. Well, we welcome you again
aboard and we are expecting great things. And anything you need
from the Committee, please let us know, or our staff, because
we will definitely work with you to make improvements. And I am
pleased to see that you have a positive attitude. I am not
surprised after spending the time you did in such a tremendous
organization as the U.S. Navy, and again, thank you for your
service there.
I will now yield back my time and recognize the Ranking
Member for 5 minutes.
Ms. VELAZQUEZ. Thank you, Mr. Chairman. And welcome, Ms.
Roat.
We want to ensure that access to resources for small
businesses of all demographic groups is important and recognize
that SBA.gov serves as the primary source of such information.
In the prior administration, there was a page on the site for
LGBT small businesses outreach, and now it appears to no longer
be available due to page updates. This information has been
down since at least last January, and I would like to know when
you plan to have this page back up and running?
Ms. ROAT. So we have been doing a lot of work on
modernizing SBA.gov. There were a number of pages that are not
available, like you indicated. Some are coming back up online.
I know Tech Coalition was one of those that was taken down, as
well as some of the others. The Tech Coalition is back up
online. So as we are working through with the front office and
with the program offices, we are evaluating all of those pages
and bringing them online.
Ms. VELAZQUEZ. Okay. Recent government security breaches,
such as the OPM breach and the Russian election hacking, have
heightened the importance of continuously monitoring against
outside threats. But in an annual evaluation of the SBA system
and networks, the IG has found significant enterprise-wide
vulnerabilities. How has the SBA responded to the threat of
such risk?
Ms. ROAT. I would say there are several things that we have
done. One I mentioned earlier was the patching, the
configuration management, and the inventory; understanding what
we own and what we have, as well as modernizing all of those,
getting them to current levels for operating systems and those
kind of things. So those specifically have taken us a long way
to address security. In addition, we are in phase one of
deploying the DHS CDM, the Continuous Monitoring Diagnostic and
Mitigation System, so we are deploying that right now. So that
will give us future capabilities as well for monitoring. We do
have a security operation center and a network operation center
that are now working very closely together.
Ms. VELAZQUEZ. So it is imperative that the tools SBA
offers to facilitate access to capital operate at their optimum
capacity, and I heard you mention that the rebranding of the
lender match will be launched soon. How soon?
Ms. ROAT. Tomorrow. We did the demo for the administrator
yesterday.
Ms. VELAZQUEZ. Very good. Ms. Roat, Kaspersky is a Moscow-
based firm and one of the biggest cybersecurity firms in the
world. According to reports, its software has been procured by
some federal agencies. This is very concerning in light of the
threat Russia poses to our government and U.S. customers. Does
SBA use this software? And are you coordinating with other
agencies to mitigate cyber threats?
Ms. ROAT. So we have been coordinating with DHS, as have
the other Federal agencies, and we do not have any Kaspersky
software installed in our environment.
Ms. VELAZQUEZ. Very good. Last year, SBA established the
Office of Digital Services to improve systems and capabilities.
Can you please elaborate on the work this office performs and
how the SBA determines the impact it has had?
Ms. ROAT. So the Office of Digital Services was stood up a
little over a year ago, almost a year and a half ago. They have
taken on SBA.gov, the redesign and the rebuild of that. They
have done a lot of work introducing agile methodology, new and
modern tools, and technologies. They have also--where we had
multiple GitHub sites across SBA, whether they were contractor
managed--consolidated all of that work. So the Office of
Digital Services has brought a lot of benefit to SBA as far as
modernizing and bringing in additional capabilities.
Ms. VELAZQUEZ. Very good. And given the fact that there is
a history of a lot of turnover and eight CIOs since 2005, I
would like to know what succession planning SBA engages in to
ensure continuity in IT operations?
Ms. ROAT. Well, for the first time, right now we have a CIO
and a Deputy together, and I also, in January, hired a CTO as
well. So when you look at succession planning, we go three deep
right now.
Ms. VELAZQUEZ. What would be key elements of that
succession planning?
Ms. ROAT. Being engaged and being a part of the entire
modernization and moving forward in planning. The CTO right now
is incredibly engaged with the businesses offices as we are
taking the enterprise approach to SBA, so we work together as a
team, the three of us as we lay the strategy moving forward for
SBA.
Ms. VELAZQUEZ. Thank you, Mr. Chairman. I yield back.
Chairman CHABOT. Thank you. The gentlelady yields back.
The gentleman from California, Mr. Knight, who is the--
excuse me. Or is Mr. Kelly here? Mr. Knight, I apologize. Mr.
Knight, who is Chairman of the Subcommittee on Contracting and
Workforce, is recognized for 5 minutes. Thank you.
Mr. KNIGHT. Thank you, Mr. Chairman. Mr. Kelly and I look
alike so----
Chairman CHABOT. You talk alike, too.
Mr. KNIGHT. We do talk alike.
I have some just basic questions. I appreciate your service
in the military and information to the military is very
important, but the control of that information is just as
important. So I understand that your background will help with
that. But my questions are very kind of simple. A lot of these
questions have gone over the turnover of how many CIOs we have
had over the last 5, 6, 7, 8 years, and how we continue the
continuity moving forward. So can you give me an idea of--and I
have heard, you know, in your statement of all of the things
that are coming, all the things that have been in place, and
the perfect answer to say that tomorrow is a great day, but how
do we keep the continuity moving forward with your leadership?
Ms. ROAT. That is really, really critical because walking
in and walking into such a big vacancy within the Office of the
CIO, it is imperative that I build the team that understands
the modernization, the stabilization, where we are going as an
agency. It is so important for the CIO, the Deputy, the CTO,
and the team to be tied and understand the mission of SBA, why
do we do what we do? And that is important to succession
planning because it is not just about the technology. It is
about the business of SBA. And until you have the Deputy in
place, until you have a CTO and the rest of the leadership team
that truly understands what that business is, then all we are
going to be doing is deploying computers.
We have to look at it from an enterprise-wide perspective
across SBA and you have to have the team that is committed to
that. And they are going to be part of the mission. They are
not just there to deploy desktops or laptops.
Mr. KNIGHT. And one of your answers was we are engineering
this in instead of trying to replace and build on some of these
types of things. Have you reached out to some of the business
world and talked to them about what they do on a continuing
basis? And not just smaller businesses that have to do with
kind of some of these things that might be restrictive on how
much money they can spend, but maybe some of the larger
businesses that do this on a kind of day-to-day basis because
they can and because they have to control their information?
Ms. ROAT. Yeah, it is incredibly important to work with our
partners, both the ones we have contracts with as well as
understanding where technology is going in the long run.
Security, building it in by design is really, really important
because you cannot have a hard outer shell and a soft squishy
inside. You have to build it in. So with our deployments, with
the work we are doing now with partnering with Microsoft as we
are moving to the cloud, working with other businesses and
organizations, building that security in as we are doing the
system development. Even our public-facing website, upgrading
that, and working with other businesses is incredibly
important; and working with small businesses as well that have
that expertise, bringing them in.
So I am actively engaged with the business community and
the technology world. I meet with them regularly, whether it is
events or meetings or with ACT-IAC and other organizations that
are out there.
Mr. KNIGHT. Well, I appreciate your first 10 months. I look
forward to you staying in office, and I yield back, Mr. Chair.
Chairman CHABOT. Thank you. The gentleman yields back.
The gentleman from Pennsylvania, Mr. Evans, who is the
Ranking Member of the Subcommittee on Economic Growth, Tax, and
Capital Access, is recognized for 5 minutes.
Mr. EVANS. Thank you, Mr. Chairman.
A growing number of workers are teleworking, which saves
commuting time and creates efficiencies. What percentage of SBA
employees teleworked considering the past problems? Does this
create any special problems for your oversight and operation of
the SBA IT infrastructure?
Ms. ROAT. So we have to make sure the environment is
available and it is up and it is running for those workers who
are teleworking. We just recently completed the deployment of
another 1,200 laptops so that people can telework, so that they
can work from home, because there are long commutes in many
areas across the country. So putting the infrastructure in
place is really important to enable the telework and having
that mobile workforce. So a lot of the work we have done to
date is stabilizing the current infrastructure that was there
when I arrived, as well as adding capability and pushing out
laptops and making sure that people can take their laptops home
and telework because we do have a good number of our workforce
that does telework.
Mr. EVANS. From your testimony, it sounds like you have
made some headway in testing systems and refining
methodologies. Do you feel that you have adequate staffing in
your office to continue to correct the deficiencies in the SBA
IT infrastructure and continue to support the system's daily
operation?
Ms. ROAT. So between the Federal workforce being able to
hire--coming in with--a fair number of vacancies--the right
people that have that vision to be able to look forward, as
well as leveraging our contractors saying this is the direction
we are going and this is the direction we are headed, that is
how we have been able to make headway in what we are doing. I
could not do it without the team that we have today that we
have built. They have been incredible. We have been very, as I
said earlier, very laser-focused on what we are doing and where
we are going, and have been very direct about where we are
going on our strategic direction, especially these first 12
months which are critical. So not only is it the Federal
workforce, it is also the contractor staff that is on board as
well.
Mr. EVANS. I know this is very early and you have only been
there for 10 months--and again, like the chairman, I want to
thank you for the service that you have provided to the
country, 10 months--and you had to kind of evaluate the
situation, how would you evaluate it at this point?
Ms. ROAT. I would say that by January we made just a huge
amount of progress stabilizing the environment. We are now not
just making incremental improvements. We are taking big steps
to modernize right now. So the rollout we are doing, moving to
the cloud, getting ready to shut down our data center, those
are big steps.
Over the last 3 months, we have already done our cloud
architecture. We have done the migration planning. And we are
doing the migration staging right now. We are getting ready by
the end of the summer to migrate and get out of our failing
data center that we currently have. So we are moving very fast
and very hard.
Mr. EVANS. Thank you for your service. I yield back the
balance of my time. Thank you, Mr. Chairman.
Chairman CHABOT. Thank you. The gentleman yields back. The
gentleman from Mississippi, Mr. Kelly, who is Chairman of the
Subcommittee on Investigations, Oversight, and Regulations, is
recognized for 5 minutes.
Mr. KELLY. Thank you, Mr. Chairman. You say Mr. Knight and
I talk alike, have the same accent.
Ms. Roat, in your testimony, you state that over 15 million
people per year visit the SBA.gov. Obviously, in light of the
growing number of security breaches at the Federal Government,
IT security is becoming increasingly important. And I also
appreciate your service in the United States Navy.
And I think one of the things that our military services do
pretty well is on cybersecurity. Although we have got to get
better, I think it is one of the things that we probably
sometimes are a little further ahead because I think, number
one, we understand who the threats are. It is not just Russia.
It is Russia, China, Korea, countries in South America. There
is a litany of people who are trying to hack our systems and to
get in there to gain value for whatever organization, whether
it be a terrorist organization or a foreign country, you have
been exposed to all that.
That being said, as well as protecting our nets, we also
have to have access to the right people to the net. And as a
traditional guardsman, I find that many times our IT people
deny the people who need access under the guise of security. So
even though I may be a brigade commander and a colonel, I
cannot access information because I do not have the right
permissions and those kind of things.
So I would like for you to talk a little bit about
cybersecurity and what we are doing to reduce the risk of a
security breach while also ensuring that we have access to the
right person, whether that be permissions or whether that being
separating nets that certain information you get on one net and
others. What things are you doing there, Ms. Roat?
Ms. ROAT. So there are a number of things. One, as you
indicated, access permissions. We have done a sweep of who has
administrator access across all of SBA to our systems and we
have said, who has access? Who has a need to have access? So
that is from an administrative perspective. So we have
tightened down on that to make sure that only those that need
it have it. That goes to access, access permissions for users.
Do they have access to what they need to do to do their job?
That is really important.
There are also users at SBA who have been there for 30 and
40 years that as they have moved jobs and changed jobs, they
have carried their permissions along with them. They do not
need access to what they needed to 10 years ago for their job
today, so we also have to get our arms around what those
permissions are.
So as you said, you might not have access which you need
to. You need that access to what you have to, right, to get
your job done. You may not need access to somebody else's data,
so we have to understand what that is. We need to understand
your work environment, what systems you access, so that goes to
the user experience. What do you need to do to do your job? So
that is part of what we are doing, getting our arms around
that. And that is so tied to security and making sure that the
right people have the right access to the right data to do
their jobs.
In addition, we have been out there doing training for
users so that when an email comes in, whether it is a malware,
do not click on that; doing testing and those kind of things
and that is so important that people understand spam and
malware. If you see something that just does not look right,
raise the question. Just ask somebody. So user training, not
only is it from a technical perspective, but there is also the
other side of it from the user side.
Mr. KELLY. And then kind of as a follow-up, I agree with
you, 10 months on the job, I think you are the right person.
Okay, let us start with that. But I think it is also just as
important that you get the right people around you that you
choose who carry out not only your strategic vision and help
you develop that strategic vision, but also help you execute it
once it is figured out.
How far are you along in making sure that if we do have a
breach, number one, that you identify it, whether that be
someone who does not have a permission is on a system that they
should not be on? And number two, once you identify there is a
breach, what steps have you put in place to mitigate those
risks to the system then?
Ms. ROAT. So there is a number of things that we have done.
So one is our incident response procedure. So we went through
those in January and February this year, updated all of our
incident response procedures. So we have got a network and
security operations center. If there is an indicator of
something, they know what to do--all the steps are laid out. We
updated all of those. We did a sweep of all of those.
We actually used that document when WannaCry came out back
in March. We walked through that to make sure that we were
doing all the steps we needed to as we assessed our environment
and did that. So putting the processes, the procedures in
place, having the security operation center, as well as the
network operation center, all of those things tie into being
able to respond.
And it is really important knowing what is on your network,
understanding how your network operates normally. If you see a
spike in something and you go, oh, that is not right, is that
data exfiltration or is that somebody just doing an upload or a
download or moving data somewhere? You have to understand your
network environment and that is the environment we are getting
to.
So in the meantime, as we move to that and as we are being
more aware of our network, we have the incident response
procedures in our network and security operations center,
tightening up the tools they use and the processes they are
using.
Mr. KELLY. Mr. Chairman, my time is expired. Thank you.
Chairman CHABOT. Thank you very much. The gentleman's time
has expired.
The gentlelady from Florida, Ms. Murphy, who is the Ranking
Member of the Subcommittee on Contracting and Workforce, is
recognized for 5 minutes.
Ms. MURPHY. Thank you so much for being here and for your
service.
I wanted to talk a little bit about the IT capabilities in
the Federal Government. I come from the private sector and have
some experiences as I have used some of the Federal
Government's technology systems and have personally seen a
significant difference. How do you respond to some of the
concerns that the Federal Government lags in its IT
capabilities as compared to what is available in the private
sector?
Ms. ROAT. Across the Federal Government?
Ms. MURPHY. Well, specifically SBA.
Ms. ROAT. For SBA, we are making very big steps to catch
up. We have got a decade of turnover and transition to catch up
on and we are doing that very fast. I am probably very forward-
leaning when it comes to technology. I am the co-chair for the
Federal CIO Council Innovation Committee, working with the CTOs
across the Federal Government. I have always been forward-
leaning as far as technology. Even with the team today I said,
turn it on, try it. Let us test it within my office. Why not?
And that is what they have heard me say time and time again,
test it.
Security is paramount, but why can we not turn on a
capability? What is stopping us? Can we test advanced threat
protection against our email? Turn it on. Let us try it. Let us
try it for a small set of users and then deploy it further
across SBA. So that is one of the things that as I am forward-
leaning, I do like to try things. I do like to test things. I
am working that within my office before we roll it out
enterprise-wide to kick the tires on it and make sure it is
going to work.
But as far as practices go, those are industry practices.
You know, data loss prevention, advanced threat protection, all
of those things we are putting in place are things industry is
already doing.
Ms. MURPHY. Do you find that the acquisitions processes, or
any of the sort of the way that the government goes about
procurement and things like that, inhibit your ability to
acquire some of the most cutting-edge products that are on the
market?
Ms. ROAT. Like anybody else in the Federal Government, we
have our acquisition processes. I think the work that has been
done over the last year or 2 years around agile procurement,
being able to do things faster. You know, within the FAR, you
can do a lot of things and you can move very quickly. And I
think applying those, you know, I am working with the
Procurement Office, the acquisition folks at SBA to say, how do
we move things along faster? How do we use agile acquisition
methodologies? How do we do that to move things along instead
of the traditional route moving paper? How do we be creative?
So I am working with that office as well.
Ms. MURPHY. And then from a recent hearing on SBA's--is it
VERA/VSIP program, we learned about some of the agency's
programmatic and demographic workforce challenges.
Additionally, in general, in the Federal Government, there has
been some challenges to recruiting and retaining competitive IT
staff. Can you talk a little bit about some of the steps that
the agency has taken to recruit and retain competitive IT
staff?
Ms. ROAT. So we have been using our direct hire authorities
with the digital services team, certainly schedule A to bring
people in directly, direct hires. With the CIO office, we have
a big responsibility. I do not care what job you have around
cybersecurity. So we have been using the direct hire authority
for cybersecurity to bring in the right talent.
People do not come into the Federal Government just to work
for the Federal Government; they come in for the mission. They
are not here for the money. They are in for the mission. It is
like my father worked for a small business. You know, I saw
what he went through; or my mother did or something like that.
I found that people come in and they really want to work.
The IT people come in and they really want to work because they
are truly supportive of the mission. They get it. They
understand it. They know somebody, and that is the talent that
we are going after. Is it easy? No, but we are turning over the
rocks and trying to recruit as much as we can.
Ms. MURPHY. And on the retention of people like that, once
you are able to recruit them in for the mission, what do you
think causes them to stay? And are there things that can be
done to ensure retention and that they are not hired away into
the private sector?
Ms. ROAT. I think the work we are doing now leaning
forward, trying innovative things, not being status quo and
just doing the same old, same old is drawing interest from
people who want to be a part of that movement forward and to
really modernize and really take SBA to the next level. So I
think that is what is going to keep people there.
Ms. MURPHY. That is great. Thanks so much, and I yield back
the remainder of my time.
Chairman CHABOT. Thank you very much. The gentlelady yields
back. And now we have reached that big moment. Our newest
member, the gentleman from South Carolina, Mr. Norman, is
recognized for 5 minutes. Do not screw it up.
Mr. NORMAN. That is a tall task. Thank you, Ms. Roat. I
appreciate your time here.
I know in the private sector, when you have people, and
particularly, you have been on the job 10 months, what is your
opinion of having a self-assessment of the members there to get
an idea of problem employees that from their peers are judged
in not so good of a light?
And my second question is, and we have got constituents in
my hometown in South Carolina where the universities play a big
part in the SBA, is there an outreach to them or are they
coming to you to reach out to play a part with SBA loans?
Ms. ROAT. So for the first part of your question around the
employees and how they are doing and working, you know, we did
put in place performance management. That is very important for
the employees, making sure that this is what we are doing this
year and that people are on board. If they need training, we
make sure to offer them training; performance management is a
big deal to make sure that we are all on the same bus, we are
all moving in the same direction, and that if people need
training, we offer it and making sure they are working.
For the universities, I would have to defer to our HR
office, as well as the capital access folks and some of the
others that are working much more closely with the universities
and some of the others on the loans.
Mr. NORMAN. Okay. And I guess back to one of the previous
questions, for the training and staying up to speed on the
changing world of technology, you feel comfortable with what
you have now and what you see for the future?
Ms. ROAT. So especially for what we are doing moving into
the cloud right now, it is really, really important that the
operations folks and the security folks really understand cloud
architecture, and not just from a technical perspective, but
monitoring and managing, and how do you offer those services
across SBA to those program offices that may need different
environments, test-dev and things like that. That training is
really important, so we have had offsite sessions.
We do weekly Lunch and Learns as well. There are other
opportunities across SBA just around agile training
methodologies that we have done. And it is not just around
agile development, but around agile methodologies as a whole.
So we are offering all of those kinds of training from Lunch
and Learn to formal, paid training classes.
Mr. NORMAN. I appreciate you taking the task and, from your
testimony, you are up to the task and we appreciate your
willingness to do this.
I yield the time to the chairman.
Chairman CHABOT. Thank you. The gentleman yields back. And
in the opinion of the chair, the gentleman did just fine. So
thank you very much. Looking for great things from you.
And now we move to the gentlelady from North Carolina, Ms.
Adams, who is the Ranking Member of the Subcommittee on
Investigations, Oversight, and Regulations, for 5 minutes.
Ms. ADAMS. Thank you, Chairman, and Ranking Member
Velazquez, thank you as well. And thank you for your testimony.
Thank you for being here, and thank you for your service to our
country. We appreciate it.
Your statement shows that you have made remarkable strides
since you became CIO, reducing the vacancy rate from 30 percent
to now 15. That is pretty impressive and we appreciate that.
You identify developing the right workforce as one of the
remaining challenges of SBA, so have you submitted or do you
plan to submit a plan to the SBA to outline how you can better,
as you put it, determine need competencies and develop and
sustain a workforce that can use, deliver, and support not just
the technologies, but those of the future? Not the technologies
of today, but those of the future?
Ms. ROAT. So one of the things that was put in place prior
to my arrival was putting in a workforce plan. There are 170 IT
specialists across SBA and part of the FITARA implementation
was to have an actual IT workforce plan that really looked at
that roadmap for the workforce. We are actually just getting
ready to do a kickoff on that within the next month to lay out
where we need to go for a workforce because it is not just my
office that I have responsibility for in the IT, it is all of
the IT personnel across all of SBA. So part of this work that
we are kicking off in the next few weeks will be putting in
place a long-term strategy for the workforce, looking at those
skills, looking at those companies.
It is so important that we get the right people, that they
understand the environment, that we are not doing the same old,
same old that we have been doing for a long time. So this
workforce plan is really going to assess our as-is and set the
stage for where we are going in the long run.
Ms. ADAMS. Right. Thank you.
With over 30 outstanding recommendations, as well as many
planned initiatives, how does SBA prioritize its IT improvement
efforts?
Ms. ROAT. So for those things that were open from the IG,
we tackled the low-hanging fruit first, right? Those things we
could address very quickly that needed to be closed, that
needed to be addressed. We are also looking--it is very
important from a security perspective--what were those findings
from the IG that we needed to address? Have we taken care of
that over the last 10 months, and what are we going to do to
close out the rest of those? Because some of them, again, we
can resolve very quickly. Some of those are a little bit longer
term. So we are prioritizing all of those.
We understand that some of those are a little bit longer
term, but there are steps to be taken. You lay out a project
plan. How are we going to get to 12 months from now for a
couple of those that are going to take a year? So here are the
steps. Here are the major milestones. And here is what we are
going to do. It is not about, well, we are going to do it next
September. It is going to be what is the plan to get it done?
Ms. ADAMS. Okay. So the low-hanging fruit, you feel that
you have already accomplished that?
Ms. ROAT. We have addressed quite a few of those. Yes.
Ms. ADAMS. Great. Thank you very much. Mr. Chair, I yield
back.
Chairman CHABOT. Thank you. The gentlelady yields back.
The gentleman from Iowa, Mr. Blum, who is the Chairman of
the Agriculture, Energy, and Trade Subcommittee, is recognized
for 5 minutes.
Mr. BLUM. Thank you, Mr. Chairman. And I would also like to
commend Representative Adams on her lovely hat today as normal.
Very nice.
Thank you, Ms. Roat, for your service to our country and
for being here today.
I come from the private sector. I was CEO of a publicly
traded company, so I am very interested in management. Were you
aware--I am sure you were--when you interviewed for the job
that there were eight different CIOs in 12 years?
Ms. ROAT. I was very aware.
Mr. BLUM. Very aware. So I am sure, and you strike me as
somebody who is very intelligent, you probably asked, what was
the problem? That would be a logical question, would it not?
Ms. ROAT. Correct.
Mr. BLUM. And the reason I ask this is, I know it is in the
past, and I think you are going to change the future, but if we
do not know why it happened, then how do we know how to change
it? What were you told when you asked that question?
Ms. ROAT. I think there was not a focus on the role of the
CIO, what needed to be done, understanding, you know,
technology is changing and that the CIO absolutely has to be
tied to the business, understand the business of the
organization. I think that was lost somewhere along the line. I
think the program offices just went and kind of did their own
thing. You know, no fault of their own. They had to do
something around technology.
When I asked the question, I think the IG report last year,
as well as some of the GAO reports that came out, really honed
in about a year ago that said, wow, we have got a problem. And
even before, you know, when I was approached about the job, I
did my homework. I looked at the IG reports. I looked at the
GAO reports. You do not walk into a job like this with blinders
on. And I did my homework.
And I did ask those questions, and it was really having a
leadership perspective that really understood what it took to
be a CIO, how the CIO is tied to the business of an
organization, that they are not just there to deploy laptops
and those kind of things. They are there to be a true enabler
of the business and really manage and have oversight and
governance over the IT investments of the agency. So I asked a
lot of those hard questions before I came on board.
Mr. BLUM. So do you think they made poor hires in the past
or do you think there is or was a structural problem within the
SBA that caused these people to subsequently leave shortly
after starting?
Ms. ROAT. I am not sure that I can answer the question on
the people that were in the role. I know some of them and they
are very smart people. I think there may have been some
leadership challenges structurally within SBA.
Mr. BLUM. Inherent in the SBA?
Ms. ROAT. Inherent in SBA. That is my opinion and I think
last year----
Mr. BLUM. Are some of those still there?
Ms. ROAT. I think that as of last year, with the prior
administration, and even the current administration, has been
incredibly supportive of turning the agency around as far as
the role of the CIO. I have an incredible amount of support
right now and the runway that I have been afforded over the
last 10 months to make things happen and affect change, I could
not have done that without leadership support.
Mr. BLUM. It is good to hear. It is good to hear. Because
oftentimes things are structural. They are embedded and they
have been there for a long time and change does not happen
quickly in Washington, as you are well aware. And if those
things are still there, you can be a very bright person and do
an excellent job and we are still going to have issues. So you
need to be looking for that within the organization that you
control, that is for sure. And in the private sector, sometimes
you need to clean house, correct?
Ms. ROAT. Correct.
Mr. BLUM. Speaking of the OIG, they criticized SBA's
organizational structure for potentially undermining IT
investment oversight and they talked specifically about chief
digital officer perhaps as duplicative with your role. Do you
report to the deputy COO?
Ms. ROAT. So I report to the chief operating officer. The
position of the chief digital services officer, or the chief
digital officer, does not exist anymore. That position was
hired as a political appointee roughly a year and a half ago,
and with the change of the administration, that person left.
The digital services team that was stood up about a year ago,
they work very closely with my office, and part of the work
that we have done earlier this year was to request a
reorganization so that the digital service team reports
directly into my office.
Mr. BLUM. Good to hear. So you report to the COO?
Ms. ROAT. That is correct. And then I have monthly meetings
with the administrator that are scheduled. Bi-weeklies with the
chief of staff as well.
Mr. BLUM. Excellent. Good to hear.
Last question. The OIG once again last reported there were
39 open recommendations related to IT security, some dating
back to 2011. Are these recommendations still valid in your
estimation? And are we giving them the priority that they
deserve and require?
Ms. ROAT. So some of those recommendations we have closed
already, in particular the oldest ones we closed a couple of
months ago. So we have tackled a lot of those. It was a matter
of documenting what we did. Some of the recommendations, when
you look back 3 or 4 years, they are really OBE because of
technology changes, whether it is moving email to the cloud. So
we are addressing those specifically with the IG.
So we are actually tackling those, and we have closed more
than a half a dozen of those in the last couple of months, and
we have another half-dozen or so that we are scheduled to close
through the end of this fiscal year, and we have a plan to work
on the rest of them as well.
Mr. BLUM. Very good. My time is expired, but welcome to the
SBA administration, and I personally think you are going to do
an absolutely splendid job.
Ms. ROAT. Thank you.
Mr. BLUM. I yield my time, Mr. Chairman.
Chairman CHABOT. Thank you very much. The gentleman's time
is expired. And unless we are joined by any other members, the
last questioner today will be the gentleman from Florida, Mr.
Lawson, who is the Ranking Member of the Subcommittee on Health
and Technology.
Mr. LAWSON. Thank you, Mr. Chairman. And thanks for giving
me 10 minutes.
Mr. Chairman and Ranking Member Velazquez, I am honored
that you all would host this meeting today. And I want to thank
you for only 6 months on the job and the tremendous progress
that has been made with the SBA.
And one of the questions, I do not want it to be a
duplicate, but I wanted to know about it. You might have
already answered it. With 6 months into the administration,
what roadblocks and challenges have you seen so far that are
blocking the OCIO from implementing some of the recommendations
and changes from the OIG and the GAO reports?
Ms. ROAT. So a lot of the OIG recommendations were really
technology focused as far as audit logs and access controls and
all those kinds of things. So those are the ones that we are
tackling right away, moving through those.
Some of the broader ones around investment management,
governance, dealing with IT investments across all of SBA,
there is an Investment Review Board that I co-chair. So part of
addressing some of GAO's concerns specifically was around, you
know, the CIO's role in managing those IT investments, the
oversight, having that governance authority. So I do co-chair
the Investment Review Board that looks at all the investments
across SBA, as well as working very closely with the CFO and
the COO on those things.
So I think the work around that we are doing with the
Investment Review Board, with the Architecture Review Board,
with the COO, with the CFO, is taking us a long way to
addressing the concerns, particularly around the management of
the IT investments across SBA.
Mr. LAWSON. And are you satisfied with the recommendation
concerning cybersecurity that you all are implementing?
Ms. ROAT. The specific recommendations?
Mr. LAWSON. Right.
Ms. ROAT. So the ones that came out most recently, they
were very specifically technically focused. Some of the broader
ones were under management. I think we are making a lot of
strides and a lot of headway in that progress as far as from a
management perspective, getting our arms around all the
cybersecurity. Security is layered throughout an organization
and we are addressing it all the way through. So we are
building it in as we go.
Mr. LAWSON. Okay. A couple of months ago I was at a
business roundtable in Jacksonville, Florida, and some of the
concerns that were expressed there from some of the business
leaders, or the small business people in there, is that they
did not feel like they really knew a lot of things that were
going on in SBA. And I know that you have field operations all
over the place. How do you go about communicating to those
field operations to let the businesses know that you are
available for them and that they can access a lot of the
information and have access to capital and so forth?
Ms. ROAT. So I do work closely with the Office of Field
Operations. They do have weekly calls with the field, so I do
participate in those. And when there are questions that arise
as far as what information could be available on the SBA
website, you know, we are acting on that. So the team is
working very closely with the field operations as well as
capital access to make sure that the information is available
on the website for one, and consolidating the information. I
know that the information historically has been very hard to
find on the website, so we have been working hard at
consolidating events to make that available.
I do participate in the weekly calls with the field
operations, so as anything bubbles up. I also participate with
the Tech Coalition, which partners with industry as well. So
hearing their concerns and making sure that we are responsive
to them.
Mr. LAWSON. And since women-owned businesses are the
fastest-growing small businesses in America, how are you all
catering more towards them to make sure that they feel
comfortable in accessing the information from you?
Ms. ROAT. So I think there is an event coming up in the
next few weeks, GCBD, with women entrepreneurs and women
business owners coming up. I think it is the end of the month,
the 26th or 27th. So there is a lot of outreach going out and
very targeted to those communities, whether it is small
business, the women-owned. So that event is one example of how
SBA is targeting those groups.
Mr. LAWSON. And I would like for you to send my office some
information on that because I would like to make sure that we
find out everything we possibly can because I am always
approached by some of the women in business.
And with that, Mr. Chairman, I yield back.
Chairman CHABOT. Thank you very much. The gentleman yields
back.
I would just conclude by saying, Ms. Roat, the office that
you now hold has obviously struggled in recent years and I
would say that based upon the testimony that you have given us
and the answers to the questions that both sides have asked, I
would say that I am encouraged. I think a lot of other members
are as well, that you will work to improve your office in order
to better fulfill the requirements of the SBA and how they
serve small businesses all across the country.
We would encourage you to keep the Committee updated on the
progress that you make. And if you run into any problems,
please let us know, either us or our staff, so that we can
assist you in doing the best job that you can for those small
businesses. So thank you very much for your testimony today.
I would ask unanimous consent that members have 5
legislative days to submit statements and supporting materials
for the record.
Without objection, so ordered.
And if there is no further businesses to come before the
Committee, we are adjourned. Thank you.
[Whereupon, at 12:03 p.m., the Committee was adjourned.]
A P P E N D I X
STATEMENT OF MARIA ROAT
CHIEF INFORMATION OFFICER
U.S. SMALL BUSINESS ADMINISTRATION
BEFORE THE
COMMITTEE ON SMALL BUSINESS
U.S. HOUSE OF REPRESENTATIVES
HEARING ON
HELP OR HINDRANCE? A REVIEW OF SBA'S OFFICE OF THE CHIEF INFORMATION
OFFICER
JULY 12, 2017
Chairman Chabot, Ranking Member Velazquez, and Members of
the Committee, thank you for the opportunity to discuss how the
Small Business Administration (SBA) is improving its leadership
roles in overseeing and addressing information technology (IT)
investments and security risks. I would like to share with you
today where SBA is in the process of rationalizing its IT
infrastructure, and stabilizing and modernizing to drive
standardization, consolidation, and integration across its IT
portfolio.
In October 2016, the Office of the Inspector General issued
its ``Report on the Most Serious Management and Performance
Challenges in Fiscal Year 2017.'' The report's Challenge 2
focused on the Office of the Chief Information Officer (OCIO)
and the need to improve its leadership roles in overseeing and
addressing IT and security risks. Since 2005, SBA has had 8
Chief Information Officers and frequent turnover in key IT
positions ``adversely affecting the ability for SBA to make
lasting improvements in its IT investments and security in
multiple areas.''\1\ I am here to tell you about how the Office
of the Chief Information Officer is transforming to help the
agency and support its mission of delivering services to small
business owners.
---------------------------------------------------------------------------
\1\ https://www.sba.gov/sites/default/files/oig/FY--2017-----Management--Challenges-----10--14--16--7.pdf
---------------------------------------------------------------------------
I on-boarded SBA on October 3, 2016 as the Chief
Information Officer, after having served as the Chief
Technology Officer at the US Department of Transportation for
more than two years. By mid-November, I completed an initial
assessment of the overall operating environment and identified
stabilization and modernization targets to reach by the end of
the fiscal year. It is necessary to pivot OCIO from a reactive,
fire-fighting, technical support operation to a more proactive
services organization that is innovative and responsive to the
business and technology needs of SBA's mission. After I
arrived, the OCIO began moving aggressively to address its
network, systems, applications and overall operational
challenges, move its primary data center to the cloud, address
security deficiencies and decrease its personnel vacancy rate.
When I arrived, SBA's heating, ventilation, and air
conditioning (HVAC) units in its data center were experiencing
weekly incidents with temperatures rising to 120 degrees or
more causing frequent outages and system degradation. SBA's
inventory of network, servers, software, and applications was
incomplete, resulting in ineffective management of the entire
network. Program offices were operating in silos with some
network segments firewalled from OCIO visibility for monitoring
and management. Further, operating systems were long past end-
of-life, and others nearing end-of-life, introducing
significant security risks into the environment.
SBA's network infrastructure was not adequately architected
to support SBA's requirements. Specifically, one third of all
network circuits are overloaded, and the environment has aging
voice equipment, single points of failure, inconsistent end-
point management, and separate voice and data wide area
networks (WANs). Gaps existed in the areas of configuration
management, and a lack of a mature enterprise architecture
capability has led to a fragmented technology stack with
deficiencies in standardization, and duplicative or overlapping
tools deployed across SBA.
Strategies to Stabilize and Modernize
It is imperative to modernize SBA's infrastructure and
build in security as a design principle to support a mobile
workforce. To address the WAN performance issues, immediate
actions were taken to make configuration changes to move
certain traffic loads to off-hours. With its service provider,
OCIO developed plans to migrate from a Time-Division Multiplex
(TDM) to a converged, Ethernet IP based network that will
result in reduced network latency, improved application
performance, address security gaps, and introduce scalability
and resiliency. In working with the service provider, I
provided direction that the effort must be cost-neutral--no
additional funding was available. Orders for 111 circuits were
placed and the first 20 circuits are on-line today.
Of primary importance was stabilizing the primary data
center's environment. By December, the OCIO team conducted a
detailed data center inventory from the physical devices to the
applications. The inventory was produced with about 85%
accuracy, and provided sufficient initial data to identify what
could be shut down, upgraded, and/or moved to the cloud. The
OCIO team made a determination to either upgrade systems or
shut down unnecessary equipment in preparation for
transitioning to the cloud. By March, the team shut down 170
servers directly resulting in HVAC stabilization, and a
tangible reduction in power usage. Upgrades to operating
systems and applications significantly reduced vulnerabilities
and improved SBA's security posture. Because of my direction
that no new hardware would be purchased or placed in the data
center, SBA is the first federal agency to deploy the
Continuous Mitigation and Diagnostic system in a cloud
environment, with Phase I starting in March.
SBA migrated e-mail to Microsoft O365 in May 2016 due to
failing on-premise e-mail servers; however, no other subsequent
migration actions were planned to take advantage of the O365
platform's capabilities. As the data center stabilization tiger
teams stood down, cloud tiger teams stood up to migrate the
data center to Microsoft's Azure cloud and O365. The teams
follow agile methodologies with daily stand-ups, releases and
sprints, and all activities tracked in JIRA. The cloud
architecture design was completed in March, migration planning
is nearing completion, migration staging begins in July, and
actual migration starts in August. Migration to SharePoint
Online has been completed for those applications that could be
migrated, and assessment is underway for remaining SharePoint
applications to either be upgraded or considered for
replatforming, consolidating or transitioning to commercial off
the shelf (COTS) or other software-as-a-service applications.
Prior end-user environments were deployed inconsistently
across SBA with no standard image, resulting in security
vulnerabilities, inconsistencies, and multiple versions of
software installed on the desktops. Upgrades to Windows 10,
Office 2016 and OneDrive for the entire SBA enterprise are
underway. Deployment to pilot users was completed in May and
OCIO-wide roll-out begins in July. SBA-wide upgrades will begin
at the end of the fiscal year.
The Deputy CIO and I reviewed and evaluated all purchase
requisitions for reduction or elimination based on duplication,
overlap, gaps, and need as the transition to O365 and the cloud
is underway. Additionally, OCIO leadership reviewed all service
contracts and identified opportunities to eliminate duplicative
services and address gaps.
Pivoting from a functionally siloed organization to a
customer-centric and service-optimized structure requires an
understanding of the customer's requirements. Operational
credibility is key to IT taking on a more strategic role within
the enterprise. Improved support from the IT Service Desk
including closing outstanding issues, implementing tiered
support processes and receiving and incorporating customer
feedback is improving customer satisfaction. Further, the data
center stabilization efforts significantly reduced incoming
calls to the Service Desk.
Improving SBA's IT Governance Structure
The Federal Information Technology Acquisition Reform Act
(FITARA) provides the tools needed to transform how we manage
IT. It is imperative that the CIO, Chief Human Capital Officer,
Chief Financial Officer and Senior Procurement Executive work
collaboratively to understand SBA's business needs and drive
informed decisions. Over the last year, SBA has initiated a
review of its IT portfolio and actively uses the agency's
Investment Review Board (IRB), co-chaired by the CIO and Chief
Financial Officer. The IRB has oversight responsibility for
major programs and is working to institutionalize its ability
to deliver successful programs and mature SBA's governance
capabilities and improve transparency.
Through a stronger governance model, the CIO has greater
visibility to improve planning, identify cost savings
opportunities and to better understand current and planned IT
resources to support program objectives. This includes
leveraging Enterprise Architecture as the roadmap to improve,
integrate and streamline processes and systems, and requiring
CIO approval for acquisition plans for all new IT contracts
above the simplified acquisition threshold to safeguard against
the procurement of duplicative and/or non-compatible
technologies and services, and ensure alignment with SBA's
technology standard and strategic direction. I conducted four
deep dives on major investments to review milestones, technology
capabilities, funding and risks: Capital Access Financial
Systems; Disaster Credit Management Modernization; Small
Business Innovation Research Program; and Certify.sba.gov.
Additionally, I conducted a TechStat on the Certify.sba.gov IT
investment in June to examine program data with a focus on
delivered and planned functionality that will lead to concrete
actions to improve overall program performance and reduce risk.
Leveraging IT to Support Mission Outcomes
SBA delivers loans, loan guarantees, contracts, counseling
sessions and other forms of assistance to small businesses. The
agency's primary public website (sba.gov) is visited by over 15
million people per year, but the agency has struggled with
meeting the needs of these current and prospective small
business owners. Information has been buried in confusing
language and layers of navigation, and has been hard to access
on mobile and tablet devices. Approximately 31% of SBA's web
site traffic comes from mobile devices and 5% from tablets, and
mobile traffic grew by 2.5% last year. In 2016, a Digital
Service team was stood up and on-boarded a team of digital
experts to lead a modernization effort for sba.gov. The Digital
Service team moved sba.gov to a new Content Management System,
established a modernization roadmap and is systematically
changing the site to greatly improve SBA's customer experience.
The agency's Leveraging Information and Networks to access
Capital (LINC) capability will receive a major refresh and re-
launch later this month to help connect small business
borrowers with participating SBA lenders. As part of the
modernization effort, the tool will be renamed to Lender Match
for ease of communicating its purpose and value. Prospective
borrowers complete a short online questionnaire, and the
responses are forwarded to participating lenders that operate
within the small business' county. If lenders are interested in
the referral, the lender and prospective borrower's contact
information will be exchanged.
The OCIO is collaborating with the Office of
Entrepreneurial Development to replace its legacy system, and
the Office of Investment and Innovation to upgrade the SBIC Web
technology stack and to transition the systems monitoring and
management to OCIO. These outward facing systems that support
mission objectives, such as partnering with Small Business
Development Centers and Veterans Business Outreach Centers, and
facilitating the flow of long-term capital to America's small
businesses must be secure.
Developing SBA's IT Workforce
To be successful with cloud adoption, the OCIO must make
fundamental changes to its organizational mission and roles.
All IT personnel across SBA and functional areas, including
security, infrastructure and operations, must maintain their
relevance as technology evolves and OCIO transitions to support
Development and Operations (DevOps), and a software-centric
organization that incorporates hybrid cloud solutions. To keep
up with rapid technology changes, typical organizational
structures and the IT workforce must evolve to operating within
small, autonomous teams that cross-collaborate to work on fast-
flowing ideas, opportunities and improvements. Further, a risk-
tolerant environment that allows for the exploration of ideas
can accelerate the value delivered to the SBA.
The OCIO's vacancy rate was 30% in October 2016 and was
reduced to 15% by February 2017. Ten employees were hired
including a Deputy CIO, Chief Technology Officer, Director of
Operations, Enterprise Data Manager, Section 508 Program
Manager, Branch Chiefs for Information Security Operations and
Compliance, and other staff positions. SBA initiated a
reorganization to realign the Digital Service team into the
OCIO and merge it with the existing development team. OCIO will
hire 10 additional staff to fill existing vacancies. OCIO is
hiring not for the organization of today, but for the
organization that can support future capabilities. For example,
an Enterprise Data Manager was hired to create business value
through data and analytics and rethink how information as an
asset can take a more active and dynamic role in the activities
of SBA.
As SBA continues its efforts to implement FITARA, the CIO
and CHCO are committed to developing a holistic approach to
build a strategic workforce plan for all SBA IT professionals.
Attracting and developing IT staff is critically important to
long-term success as legacy systems are modernized and shifted
to the cloud, and an enterprise approach to IT is implemented.
SBA has approximately 170 IT specialists and digital service
experts, of which 70 are directly assigned to the OCIO.
Workforce planning requires significant improvement and SBA
will initiate strategic workforce planning by the end of the
fiscal year. SBA has a strong mission draw for IT and
cybersecurity professionals and we must partner with the CHCO
to better market ourselves.
Challenges Remain and Opportunities Exist
Even with the progress outlined above, challenges related
to the fiscal environment have put pressure on IT
organizations. Internal and external customers and stakeholders
expect SBA to deploy services and technology on par with their
personal use and interaction with private sector firms. The
need for speed and agility in acquisition is vital to deliver
products and services.
Develop the Right Organization and Workforce - SBA must
determine needed competencies and develop and sustain a
workforce that can use, deliver and support not just the
technologies of today, but those of the future. Recruiting the
right people into the federal government with the right skills
and the capacity to freely and quickly change and innovate is
difficult at best. The ability to leverage and integrate with
trusted private sector partners to supplement the federal IT
workforce is more critical than ever.
Build the flexibility to implement IT best practices -
SBA's program office applications and systems were generally
developed in silos. Customer information, for example, is
duplicated across systems and information sharing is limited.
Program offices are looking for modern, easy-to-use
applications that can be quickly deployed, while OCIO
concurrently takes a strategic approach to standardizing on a
limited set of application suites to minimize integration
issues, maximize security and reduce IT costs. Further,
implementing shared services will evolve over time, and
consolidating contracting of commodity IT requires flexible,
agile acquisition practices and will result in increased value
of the services to the business.
Increase Visibility into IT Planned Expenditures - Data
concerning planned and actual spending must be readily
available, and capable of driving SBA's ability to identify
opportunities to improve leverage and operational cost. Further
maturity in this area will ensure that information is accurate
and that evidence based decision making is properly integrated
with the governance process.
Mature Cybersecurity Capabilities - Cybersecurity is
critical in a modern information infrastructure that includes
data virtualization, separation of storage, compute, and cloud-
based data persistence. SBA must modernize to keep its IT
systems current and secure with a clear understanding of risks
to availability and reliability.
Conclusion
Information technology is a key enabler of digital
transformation, and we are taking a multi-pronged approach that
leverages current technologies while looking ahead to the
future to proactively address the agency's needs. We are
focused on building a strong foundation that is robust,
scalable, secure and responsive to changing business needs.
Together with SBA's program offices, we will build on this
foundation to create and deliver digital solutions that will
not only improve the public's experiences with SBA's services,
but will also improve our internal customer experience. Actions
to consolidate and update support contracts will continue, and
areas such as system development and program support will be
strengthened as OCIO transitions to a services-oriented
organization. A robust enterprise governance that has
leadership alignment will drive progress and ensure IT programs
and projects are selected and managed to ensure SBA's needs are
met in an effective manner while minimizing unnecessary
duplication. The CIO is a key stakeholder in driving horizontal
and vertical collaboration to ensure that the right authority,
with the right information, at the right time makes the best
possible decision to effectively deliver IT programs. Thank you
for the opportunity to speak with you today and I look forward
to your questions.