[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 2032 Reported in Senate (RS)]

<DOC>





                                                       Calendar No. 383
118th CONGRESS
  2d Session
                                S. 2032

                          [Report No. 118-172]

   To require the reduction of the reliance and expenditures of the 
 Federal Government on legacy information technology systems, and for 
                            other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             June 15, 2023

  Ms. Hassan (for herself, Mr. Cornyn, and Mr. Wyden) introduced the 
 following bill; which was read twice and referred to the Committee on 
               Homeland Security and Governmental Affairs

                              May 9, 2024

               Reported by Mr. Peters, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL


 
   To require the reduction of the reliance and expenditures of the 
 Federal Government on legacy information technology systems, and for 
                            other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``Legacy IT Reduction Act of 
2023''.</DELETED>

<DELETED>SEC. 2. DEFINITIONS.</DELETED>

<DELETED>    In this Act:</DELETED>
        <DELETED>    (1) Administrator.--The term ``Administrator'' 
        means the Administrator of General Services.</DELETED>
        <DELETED>    (2) Agency.--The term ``agency'' means an agency 
        described in paragraph (1) or (2) of section 901(b) of title 
        31, United States Code.</DELETED>
        <DELETED>    (3) Chief information officer.--The term ``Chief 
        Information Officer'' means a Chief Information Officer 
        designated under section 3506(a)(2) of title 44, United States 
        Code.</DELETED>
        <DELETED>    (4) Comptroller general.--The term ``Comptroller 
        General'' means the Comptroller General of the United 
        States.</DELETED>
        <DELETED>    (5) Congressional oversight committee.--The term 
        ``congressional oversight committee'' means, with respect to a 
        particular agency, a committee or subcommittee of the Senate 
        and the House of Representatives that provides oversight of the 
        agency.</DELETED>
        <DELETED>    (6) Director.--The term ``Director'' means the 
        Director of the Office of Management and Budget.</DELETED>
        <DELETED>    (7) Information technology.--The term 
        ``information technology'' has the meaning given the term in 
        section 11101 of title 40, United States Code.</DELETED>
        <DELETED>    (8) IT working capital fund; legacy information 
        technology system.--The terms ``IT working capital fund'' and 
        ``legacy information technology system'' have the meaning given 
        the terms in section 1076 of the National Defense Authorization 
        Act for Fiscal Year 2018 (40 U.S.C. 11301 note; Public Law 115-
        91).</DELETED>
        <DELETED>    (9) National security system.--The term ``national 
        security system'' has the meaning given the term in section 
        11103 of title 40, United States Code.</DELETED>
        <DELETED>    (10) Technology modernization fund.--The term 
        ``Technology Modernization Fund'' means the fund established 
        under section 1078(b)(1) of the National Defense Authorization 
        Act for Fiscal Year 2018 (40 U.S.C. 11301 note; Public Law 115-
        91).</DELETED>

<DELETED>SEC. 3. LEGACY INFORMATION TECHNOLOGY SYSTEM 
              INVENTORY.</DELETED>

<DELETED>    (a) Inventory of Legacy Information Technology Systems.--
</DELETED>
        <DELETED>    (1) In general.--Not later than 1 year after the 
        date of enactment of this Act, and not later than 5 years 
        thereafter, the Chief Information Officer of each agency shall 
        compile an inventory that lists each legacy information 
        technology system used, operated, or maintained by the 
        agency.</DELETED>
        <DELETED>    (2) Contents.--The Director shall issue guidance 
        prescribing the information that the Chief Information Officer 
        of each agency shall include for each legacy technology 
        information system listed in the inventory required under 
        paragraph (1). In issuing such guidance, the Director shall 
        consider including for each legacy technology information 
        system listed in the inventory--</DELETED>
                <DELETED>    (A) the name or an identification of the 
                legacy information technology system;</DELETED>
                <DELETED>    (B) the office or mission of the agency 
                that the legacy information technology system supports 
                and how the office or mission uses the legacy 
                information technology system;</DELETED>
                <DELETED>    (C) to the extent that information is 
                available--</DELETED>
                        <DELETED>    (i) the date of the last update or 
                        refresh of the legacy information technology 
                        system;</DELETED>
                        <DELETED>    (ii) the annual price, including 
                        recurring subscription costs and any costs to 
                        contract labor, to operate or maintain the 
                        legacy information technology system; 
                        and</DELETED>
                        <DELETED>    (iii) the name and contact 
                        information of the vendor; and</DELETED>
                <DELETED>    (D) the date of the next expected update 
                or modernization, retirement, or disposal of the legacy 
                information technology system.</DELETED>
<DELETED>    (b) Transparency and Accountability.--</DELETED>
        <DELETED>    (1) In general.--Upon request by a House of 
        Congress, a congressional oversight committee of an agency, the 
        Comptroller General of the United States, or an inspector 
        general of an agency, the head of the agency shall make 
        available the inventory compiled under subsection (a)(1) or the 
        relevant portion of that inventory.</DELETED>
        <DELETED>    (2) Reporting.--The Director may require an agency 
        to include the inventory compiled under subsection (a)(1) in a 
        reporting structure determined by the Director.</DELETED>

<DELETED>SEC. 4. AGENCY LEGACY INFORMATION TECHNOLOGY SYSTEMS 
              MODERNIZATION PLANS.</DELETED>

<DELETED>    (a) In General.--Not later than 2 years after the date of 
enactment of this Act, and every 5 years thereafter, the head of an 
agency shall develop and include as part of the information resource 
management strategic plan of the agency submitted under section 
3506(b)(2) of title 44, United States Code, a plan to modernize the 
legacy information technology systems of the agency.</DELETED>
<DELETED>    (b) Contents.--A modernization plan of an agency developed 
under subsection (a) shall include--</DELETED>
        <DELETED>    (1) an inventory of the legacy information 
        technology systems of the agency;</DELETED>
        <DELETED>    (2) an identification of legacy information 
        technology systems that the agency has prioritized for updates, 
        modernization, retirement, or disposal;</DELETED>
        <DELETED>    (3) steps the agency intends to make toward 
        updating, modernizing, retiring, or disposing of the legacy 
        information technology systems of the agency prioritized under 
        paragraph (2) during the 5-year period beginning on the date of 
        submission of the plan; and</DELETED>
        <DELETED>    (4) any additional information that the Director 
        determines necessary or useful for the agency to consider or 
        include to effectively and efficiently execute the 
        modernization plan, which may include--</DELETED>
                <DELETED>    (A) the capacity of the agency to operate 
                and maintain an updated or modernized legacy 
                information technology system;</DELETED>
                <DELETED>    (B) the estimated cost and sources of 
                funding required to execute the modernization plan; 
                and</DELETED>
                <DELETED>    (C) the ability of the agency to adapt an 
                updated or modernized legacy information technology 
                system to changes in policy, technology, or other user 
                needs, as necessary.</DELETED>
<DELETED>    (c) Publication and Submission to Congress.--Not later 
than 30 days after the date on which the head of an agency submits the 
modernization plan developed under subsection (a) as part of the 
information resource management strategic plan of the agency submitted 
under section 3506(b)(2) of title 44, United States Code, the head of 
the agency shall submit the modernization plan to the Committee on 
Homeland Security and Governmental Affairs of the Senate, the Committee 
on Oversight and Accountability of the House of Representatives, and 
each congressional oversight committee of the agency.</DELETED>

<DELETED>SEC. 5. ROLE OF THE OFFICE OF MANAGEMENT AND BUDGET.</DELETED>

<DELETED>    Not later than 180 days after the date of enactment of 
this Act, the Director, in coordination with the Administrator of the 
Office of Electronic Government, shall issue guidance on the 
implementation of this Act and the amendments made by this Act, which 
shall include--</DELETED>
        <DELETED>    (1) criteria to determine whether information 
        technology qualifies as a ``legacy information technology 
        system'' for the purposes of compiling the inventory required 
        under section 3(a)(1);</DELETED>
        <DELETED>    (2) instructions and templates to inform the 
        compilation of the inventory required under section 3(a)(1), as 
        necessary;</DELETED>
        <DELETED>    (3) instructions and templates to inform the 
        compilation and publication of, and any subsequent updates to, 
        the modernization plans required under section 4(a), as 
        necessary; and</DELETED>
        <DELETED>    (4) any other guidance determined necessary for 
        the implementation of this Act or the amendments made by this 
        Act, including how the implementation of this Act or those 
        amendments complements laws, regulations, and guidance relating 
        to information technology modernization.</DELETED>

<DELETED>SEC. 6. COMPTROLLER GENERAL REVIEW.</DELETED>

<DELETED>    (a) In General.--Not later than 3 years after the date of 
enactment of this Act, the Comptroller General shall submit to the 
Committee on Homeland Security and Governmental Affairs of the Senate 
and the Committee on Oversight and Accountability of the House of 
Representatives a report on--</DELETED>
        <DELETED>    (1) the implementation of this Act and the 
        amendments made by this Act; and</DELETED>
        <DELETED>    (2) how this Act and the amendments made by this 
        Act function alongside other information technology 
        modernization offices, policies, and programs, such as--
        </DELETED>
                <DELETED>    (A) the Technology Modernization Fund and 
                the IT working capital fund;</DELETED>
                <DELETED>    (B) the Federal Risk and Authorization 
                Management Program, the 18F program, and the 10X 
                program of the General Services 
                Administration;</DELETED>
                <DELETED>    (C) programs and policies of the Office of 
                Management and Budget, including the Office of 
                Electronic Government and the United States Digital 
                Service; and</DELETED>
                <DELETED>    (D) any other office, policy, or program 
                of the Federal Government determined relevant by the 
                Comptroller General.</DELETED>

<DELETED>SEC. 7. PROTECTION OF SENSITIVE INFORMATION; EXEMPTION OF 
              NATIONAL SECURITY SYSTEMS.</DELETED>

<DELETED>    (a) In General.--Nothing in this Act or the amendments 
made by this Act shall be construed to require the head of an agency to 
disclose sensitive information that--</DELETED>
        <DELETED>    (1) is protected from disclosure under any other 
        law; or</DELETED>
        <DELETED>    (2) would compromise the security of any 
        information technology system of the Federal 
        Government.</DELETED>
<DELETED>    (b) Exemption.--Nothing in this Act or the amendments made 
by this Act shall be construed to authorize or require the head of an 
agency to inventory, develop a report relating to, or transfer, a 
national security system.</DELETED>

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Legacy IT Reduction Act of 2023''.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Administrator.--The term ``Administrator'' means the 
        Administrator of General Services.
            (2) Agency.--The term ``agency'' means an agency described 
        in paragraph (1) or (2) of section 901(b) of title 31, United 
        States Code.
            (3) Chief information officer.--The term ``Chief 
        Information Officer'' means a Chief Information Officer 
        designated under section 3506(a)(2) of title 44, United States 
        Code.
            (4) Comptroller general.--The term ``Comptroller General'' 
        means the Comptroller General of the United States.
            (5) Congressional oversight committee.--The term 
        ``congressional oversight committee'' means, with respect to a 
        particular agency, a committee or subcommittee of the Senate or 
        the House of Representatives that provides oversight of the 
        agency.
            (6) Director.--The term ``Director'' means the Director of 
        the Office of Management and Budget.
            (7) Information technology.--The term ``information 
        technology'' has the meaning given the term in section 11101 of 
        title 40, United States Code.
            (8) IT working capital fund; legacy information technology 
        system.--The terms ``IT working capital fund'' and ``legacy 
        information technology system'' have the meanings given the 
        terms in section 1076 of the National Defense Authorization Act 
        for Fiscal Year 2018 (40 U.S.C. 11301 note; Public Law 115-91).
            (9) National security system.--The term ``national security 
        system'' has the meaning given the term in section 11103 of 
        title 40, United States Code.
            (10) Technology modernization fund.--The term ``Technology 
        Modernization Fund'' means the fund established under section 
        1078(b)(1) of the National Defense Authorization Act for Fiscal 
        Year 2018 (40 U.S.C. 11301 note; Public Law 115-91).

SEC. 3. LEGACY INFORMATION TECHNOLOGY SYSTEM INVENTORY.

    (a) Inventory of Legacy Information Technology Systems.--
            (1) In general.--Not later than 1 year after the date of 
        enactment of this Act, and not later than 5 years thereafter, 
        the Chief Information Officer of each agency shall compile an 
        inventory that lists each legacy information technology system 
        used, operated, or maintained by the agency.
            (2) Contents.--The Director shall issue guidance 
        prescribing the information that the Chief Information Officer 
        of each agency shall include for each legacy technology 
        information system listed in the inventory required under 
        paragraph (1). In issuing such guidance, the Director shall 
        consider including for each legacy technology information 
        system listed in the inventory--
                    (A) the name or an identification of the legacy 
                information technology system;
                    (B) the office or mission of the agency that the 
                legacy information technology system supports and how 
                the office or mission uses the legacy information 
                technology system;
                    (C) whether the legacy information technology 
                system is connected to a non-legacy information 
                technology system;
                    (D) to the extent that information is available--
                            (i) the date of the last update or refresh 
                        of the legacy information technology system;
                            (ii) the annual price, including recurring 
                        subscription costs and any costs to contract 
                        labor, to operate or maintain the legacy 
                        information technology system; and
                            (iii) the name and contact information of 
                        the vendor; and
                    (E) the date of the next expected update or 
                modernization, retirement, or disposal of the legacy 
                information technology system.
    (b) Transparency and Accountability.--
            (1) In general.--Upon request by a House of Congress, a 
        congressional oversight committee of an agency, the Comptroller 
        General, or an inspector general of an agency, the head of the 
        agency shall make available the inventory compiled under 
        subsection (a)(1) or a relevant portion of that inventory.
            (2) Reporting.--The Director may require an agency to 
        include the inventory compiled under subsection (a)(1) in a 
        reporting structure determined by the Director.

SEC. 4. AGENCY LEGACY INFORMATION TECHNOLOGY SYSTEMS MODERNIZATION 
              PLANS.

    (a) In General.--Not later than 2 years after the date of enactment 
of this Act, and every 5 years thereafter, the head of an agency shall 
develop and include as part of the information resource management 
strategic plan of the agency submitted under section 3506(b)(2) of 
title 44, United States Code, a plan to modernize the legacy 
information technology systems of the agency.
    (b) Contents.--A modernization plan of an agency developed under 
subsection (a) shall include--
            (1) an inventory of the legacy information technology 
        systems of the agency;
            (2) an identification of legacy information technology 
        systems that the agency has prioritized for updates, 
        modernization, retirement, or disposal;
            (3) steps the agency intends to make toward updating, 
        modernizing, retiring, or disposing of the legacy information 
        technology systems of the agency prioritized under paragraph 
        (2) during the 5-year period beginning on the date of 
        submission of the plan; and
            (4) any additional information that the Director determines 
        necessary or useful for the agency to consider or include to 
        effectively and efficiently execute the modernization plan, 
        which may include--
                    (A) the capacity of the agency to operate and 
                maintain an updated or modernized legacy information 
                technology system;
                    (B) the estimated cost and sources of funding 
                required to execute the modernization plan;
                    (C) the ability of the agency to adapt an updated 
                or modernized legacy information technology system to 
                changes in policy, technology, or other user needs, as 
                necessary; and
                    (D) the effect that updating, modernizing, 
                retiring, or disposing of a legacy information 
                technology system of the agency that is connected to a 
                non-legacy information technology system would have on 
                any such non-legacy information technology system.
    (c) Publication and Submission to Congress.--Not later than 30 days 
after the date on which the head of an agency submits the modernization 
plan developed under subsection (a) as part of the information resource 
management strategic plan of the agency submitted under section 
3506(b)(2) of title 44, United States Code, the head of the agency 
shall submit the modernization plan to the Committee on Homeland 
Security and Governmental Affairs of the Senate, the Committee on 
Oversight and Accountability of the House of Representatives, and each 
congressional oversight committee of the agency.

SEC. 5. ROLE OF THE OFFICE OF MANAGEMENT AND BUDGET.

    Not later than 180 days after the date of enactment of this Act, 
the Director, in coordination with the Administrator of the Office of 
Electronic Government, shall issue guidance on the implementation of 
this Act, which shall include--
            (1) criteria to determine whether information technology 
        qualifies as a ``legacy information technology system'' for the 
        purposes of compiling the inventory required under section 
        3(a)(1);
            (2) instructions and templates to inform the compilation of 
        the inventory required under section 3(a)(1), as necessary;
            (3) instructions and templates to inform the compilation 
        and publication of, and any subsequent updates to, the 
        modernization plans required under section 4(a), as necessary; 
        and
            (4) any other guidance determined necessary for the 
        implementation of this Act, including how the implementation of 
        this Act complements laws, regulations, and guidance relating 
        to information technology modernization.

SEC. 6. COMPTROLLER GENERAL REVIEW.

    (a) In General.--Not later than 3 years after the date of enactment 
of this Act, the Comptroller General shall submit to the Committee on 
Homeland Security and Governmental Affairs of the Senate and the 
Committee on Oversight and Accountability of the House of 
Representatives a report on--
            (1) the implementation of this Act; and
            (2) how this Act functions alongside other information 
        technology modernization offices, policies, and programs, such 
        as--
                    (A) the Technology Modernization Fund and the IT 
                working capital fund;
                    (B) the Federal Risk and Authorization Management 
                Program, the 18F program, and the 10X program of the 
                General Services Administration;
                    (C) programs and policies of the Office of 
                Management and Budget, including the Office of 
                Electronic Government and the United States Digital 
                Service; and
                    (D) any other office, policy, or program of the 
                Federal Government determined relevant by the 
                Comptroller General.

SEC. 7. PROTECTION OF SENSITIVE INFORMATION; EXEMPTION OF NATIONAL 
              SECURITY SYSTEMS.

    (a) In General.--Nothing in this Act shall be construed to require 
the head of an agency to disclose sensitive information that--
            (1) is protected from disclosure under any other law; or
            (2) would compromise the security of any information 
        technology system of the Federal Government.
    (b) Exemption.--Nothing in this Act shall be construed to authorize 
or require the head of an agency to inventory, develop a report 
relating to, or transfer a national security system.
    (c) Rule of Construction.--Nothing in this Act shall be construed 
to authorize the transfer of legacy information technology systems or 
equipment to the Chinese Communist Party, the People's Republic of 
China, or any entity controlled by the People's Republic of China.

SEC. 8. NO NEW FUNDS; SUNSET.

    (a) No New Funds.--No additional funds are authorized to be 
appropriated to carry out this Act.
    (b) Sunset.--Effective on the date that is 6 years after the date 
of enactment of the Act, this Act shall have no force or effect.
                                                       Calendar No. 383

118th CONGRESS

  2d Session

                                S. 2032

                          [Report No. 118-172]

_______________________________________________________________________

                                 A BILL

   To require the reduction of the reliance and expenditures of the 
 Federal Government on legacy information technology systems, and for 
                            other purposes.

_______________________________________________________________________

                              May 9, 2024

                       Reported with an amendment