b"<html>\n<title> - OUT OF MANY, ONE: ASSESSING BARRIERS TO INFORMATION SHARING IN THE DEPARTMENT OF HOMELAND SECURITY</title>\n<body><pre>[House Hearing, 108 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n\n  OUT OF MANY, ONE: ASSESSING BARRIERS TO INFORMATION SHARING IN THE \n                    DEPARTMENT OF HOMELAND SECURITY\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                              COMMITTEE ON\n                           GOVERNMENT REFORM\n\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED EIGHTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                              MAY 8, 2003\n\n                               __________\n\n                           Serial No. 108-31\n\n                               __________\n\n       Printed for the use of the Committee on Government Reform\n\n\n  Available via the World Wide Web: http://www.gpo.gov/congress/house\n                      http://www.house.gov/reform\n\n\n                                 ______\n\n88-194              U.S. GOVERNMENT PRINTING OFFICE\n                            WASHINGTON : 2003\n____________________________________________________________________________\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpr.gov  Phone: toll free (866) 512-1800; (202) 512\xef\xbf\xbd091800  \nFax: (202) 512\xef\xbf\xbd092250 Mail: Stop SSOP, Washington, DC 20402\xef\xbf\xbd090001\n\n                     COMMITTEE ON GOVERNMENT REFORM\n\n                     TOM DAVIS, Virginia, Chairman\nDAN BURTON, Indiana                  HENRY A. WAXMAN, California\nCHRISTOPHER SHAYS, Connecticut       TOM LANTOS, California\nILEANA ROS-LEHTINEN, Florida         MAJOR R. OWENS, New York\nJOHN M. McHUGH, New York             EDOLPHUS TOWNS, New York\nJOHN L. MICA, Florida                PAUL E. KANJORSKI, Pennsylvania\nMARK E. SOUDER, Indiana              CAROLYN B. MALONEY, New York\nSTEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland\nDOUG OSE, California                 DENNIS J. KUCINICH, Ohio\nRON LEWIS, Kentucky                  DANNY K. DAVIS, Illinois\nJO ANN DAVIS, Virginia               JOHN F. TIERNEY, Massachusetts\nTODD RUSSELL PLATTS, Pennsylvania    WM. LACY CLAY, Missouri\nCHRIS CANNON, Utah                   DIANE E. WATSON, California\nADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts\nEDWARD L. SCHROCK, Virginia          CHRIS VAN HOLLEN, Maryland\nJOHN J. DUNCAN, Jr., Tennessee       LINDA T. SANCHEZ, California\nJOHN SULLIVAN, Oklahoma              C.A. ``DUTCH'' RUPPERSBERGER, \nNATHAN DEAL, Georgia                     Maryland\nCANDICE S. MILLER, Michigan          ELEANOR HOLMES NORTON, District of \nTIM MURPHY, Pennsylvania                 Columbia\nMICHAEL R. TURNER, Ohio              JIM COOPER, Tennessee\nJOHN R. CARTER, Texas                CHRIS BELL, Texas\nWILLIAM J. JANKLOW, South Dakota                 ------\nMARSHA BLACKBURN, Tennessee          BERNARD SANDERS, Vermont \n                                         (Independent)\n\n                       Peter Sirh, Staff Director\n                 Melissa Wojciak, Deputy Staff Director\n                      Rob Borden, Parliamentarian\n                       Teresa Austin, Chief Clerk\n              Philip M. Schiliro, Minority Staff Director\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on May 8, 2003......................................     1\nStatement of:\n    Baroni, Greg, president, global public sector, Unisys Corp.; \n      Steven Perkins, senior vice president, public sector and \n      homeland security, Oracle Corp.; and Mark Bisnow, senior \n      vice president, webMethods, Inc............................   110\n    Cooper, Steven, Chief Information Officer, Department of \n      Homeland Security; and Mark Forman, Associate Director, \n      Information Technology, and e-Government, Office of \n      Management and Budget......................................    15\n    Dacey, Robert, Director, Information Security Issues and \n      Information Technology Team, General Accounting Office; \n      Randolph C. Hite, Director, Architecture and Systems Issues \n      and Information Technology Team, General Accounting Office; \n      and Charles Rossotti, senior advisor, the Carlyle Group, \n      formerly Commissioner, Internal Revenue Service............    49\nLetters, statements, etc., submitted for the record by:\n    Baroni, Greg, president, global public sector, Unisys Corp., \n      prepared statement of......................................   114\n    Bisnow, Mark, senior vice president, webMethods, Inc., \n      prepared statement of......................................   133\n    Cooper, Steven, Chief Information Officer, Department of \n      Homeland Security, prepared statement of...................    17\n    Dacey, Robert, Director, Information Security Issues and \n      Information Technology Team, General Accounting Office, \n      prepared statement of......................................    51\n    Davis, Chairman Tom, a Representative in Congress from the \n      State of Virginia, prepared statement of...................     4\n    Forman, Mark, Associate Director, Information Technology, and \n      e-Government, Office of Management and Budget, prepared \n      statement of...............................................    28\n    Perkins, Steven, senior vice president, public sector and \n      homeland security, Oracle Corp., prepared statement of.....   125\n    Towns, Hon. Edolphus, a Representative in Congress from the \n      State of New York, prepared statement of...................    13\n    Waxman, Hon. Henry A., a Representative in Congress from the \n      State of California, prepared statement of.................     9\n\n \n  OUT OF MANY, ONE: ASSESSING BARRIERS TO INFORMATION SHARING IN THE \n                    DEPARTMENT OF HOMELAND SECURITY\n\n                              ----------                              \n\n\n                         THURSDAY, MAY 8, 2003\n\n                          House of Representatives,\n                            Committee on Government Reform,\n                                                    Washington, DC.\n    The committee met, pursuant to notice, at 10:05 a.m., in \nroom 2154, Rayburn House Office Building, Hon. Tom Davis of \nVirginia (chairman of the committee) presiding.\n    Present: Representatives Tom Davis of Virginia, Shays, \nDuncan, Blackburn, Waxman, Maloney, Cummings, Tierney, Lynch, \nRuppersberger, and Norton.\n    Staff present: Melissa Wojciak, deputy staff director; \nKeith Ausbrook, chief counsel; Jennifer Safavian, chief counsel \nfor oversight and investigations; John Hunter and David Young, \ncounsels; Robert Borden, counsel/parliamentarian; David Marin, \ndirector of communications; Scott Kopple, deputy director of \ncommunications; Ken Feng, investigator/GAO detailee; Teresa \nAustin, chief clerk; Joshua E. Gillespie, deputy clerk; David \nRapallo, minority counsel; Earley Green, minority chief clerk; \nJean Gosa, minority assistant clerk; and Cecelia Morton, \nminority office manager.\n    Chairman Tom Davis. Good morning. A quorum being present, \nthe Committee on Government Reform will come to order.\n    I would like to welcome everyone to today's hearing on the \nDepartment of Homeland Security's efforts to integrate \ninformation systems and enhance information-sharing. Earlier \nthis year, with the establishment of the Department of Homeland \nSecurity, 22 agencies and more than 170,000 employees, by last \ncount, were consolidated under one new department. It would be \na monumental challenge under any circumstance to integrate the \ndisparate information infrastructures of that many government \nagencies manned by that many employees, but given the critical \nmission of this new department to protect the Nation against \nterrorism, this task takes on an unparalleled urgency.\n    DHS needs to develop and implement a strategic plan to \ncarry out this vital mission, including the ability of the new \ndepartment to obtain, analyze, and timely distribute essential \nand actionable information for Federal, State, and local \ngovernment and private sector use. DHS must also develop and \nimplement security and privacy safeguards, a capital planning \nand investment control process, programming, performance \nmanagement, and risk management.\n    If a strategic plan to integrate information systems is \neffectively and efficiently implemented, we not only will \nachieve economies of scale, but also be better prepared to \nprotect the Nation's physical and cyber infrastructure, secure \nour borders, counteract chemical and biological attacks, and \nrespond to terrorist and natural disaster incidents.\n    But that is a considerable ``if'' that we are talking \nabout. The obstacles facing DHS in effectively integrating \ninformation functions are formidable. As with the merger of any \ncorporate or government entities, there are obvious challenges \nin integrating business functions such as payroll, human \nresources, and communications. But similar to the consolidation \nof the military service branches within the Department of \nDefense in 1947, DHS is faced with the need to integrate \nmultiple agencies that have a common security mission, in \naddition to its many non-security functions.\n    DHS is further confronted with the task of communicating \neffectively with other Federal, State, and local entities, as \nwell as the public. It is particularly critical that \ninformation be related to our first-responders at the State and \nlocal level. They are the front lines of our war against \nterrorism, and they need to be adequately informed to protect \nthe public.\n    These challenges are not solely a factor of the new \ndepartment's size or the magnitude of its mission. The fact is \nDHS inherited information-sharing problems that already existed \nwithin many of the agencies that now make up the new \ndepartment.\n    For example, the General Accounting Office identified \nproblems pertaining to terrorist watch lists, which are an \nintegral part of our Nation's ability to secure its borders. \nThe GAO found that the current approach to developing and using \nwatch lists is diffuse and non-standard, and has resulted in \nnine agencies creating 12 different lists, largely because the \nlists were developed and have evolved in response to individual \nagencies' unique mission needs and cultural development.\n    The extent to which this information can be shared among \nFederal agencies and between the Federal Government and State \nand local entities is severely constrained by fundamental \ndifferences in the watch list items. These are by no means the \nonly examples of opportunities to improve information-sharing, \nbut they illustrate one of the primary reasons for integrating \nagencies that are vital to homeland protection under one \ndepartment.\n    The Chief Information Officer in DHS is responsible for \ncoordinating information-sharing nationwide and is doing so by \ncreating a national enterprise architecture. This common \nelement in improving information systems integration, according \nto both GAO and the Office of Management and Budget, seeks to \nensure that, as the agencies within DHS invest in information \ntechnology and new management strategies, those strategies and \ntechnologies serve the overall plan and mission of the \ndepartment as well as the Federal Government.\n    With a coordinated strategy for efficient information \ntechnology acquisition and implementation, mission-essential \ndecisions can be based on more accurate information while \nrequiring less time. Wise investment in interoperable \ninformation technology reduces unnecessary spending and \nredundant or stovepipe systems.\n    It took almost 40 years for the military service branches \nto be integrated effectively under the Department of Defense. \nWith DHS, we simply don't have that kind of time. We are \ntalking about protecting our Nation against very real terrorist \nthreats. Congress must be assured that information integration \nstandards and goals are defined, timely implementation of these \nbenchmarks is achieved, and accountability is maintained.\n    Last week marked 100 days since the creation of the \ndepartment. I guess they moved into the new headquarters. They \njust got the duct tape off the headquarters about 3 weeks ago, \nor whatever. We know it is a little late in starting. Part of \nthat is our fault in the way of passing the bill and taking \nsuch a long time, but the need is urgent, the challenge \nmonumental, and it may be later than we think.\n    Today we have assembled an impressive group of witnesses to \nhelp us understand the current status of information-sharing at \nDHS and its plans for the future. On the first panel we will \nhear from Steven Cooper, the CIO; Mark Forman, the Assistant \nDirector of Information Technology and E-Government at the \nOffice of Management Budget, and they will focus on the \ndepartment's efforts to integrate information systems at DHS \nand the coordination of those efforts with OMB's governmentwide \nenterprise architecture.\n    The second panel will include Robert Dacey and Randolph \nHite from the GAO, who will discuss GAO's analysis of the \ndepartment's information-sharing integration. Also on that \npanel, the Honorable Charles Rossotti, the former Commissioner \nof the IRS, who will discuss his efforts to consolidate that \nagency's information technology functions.\n    In the third panel we will hear from the private sector, \nwhich is directly involved in the department's development. We \nwill hear from Steve Perkins, senior vice president for public \nsector and homeland security for Oracle Corp.; Greg Baroni, \npresident of global public sector for Unisys, and Mark Bisnow, \nsenior vice president of webMethods.\n    I would like to thank all of our witnesses for appearing \nbefore the committee. I look forward to your testimony.\n    [The prepared statement of Chairman Tom Davis follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T8194.001\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.002\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.003\n    \n    Chairman Tom Davis. I am going to yield to my ranking \nmember, Mr. Waxman, for his opening statement.\n    Mr. Waxman. Thank you very much, Mr. Chairman. Thank you \nfor calling this hearing, and I appreciate all the witnesses \nbeing present.\n    The General Accounting Office recently issued a report \nconcluding that, 20 months after the attacks of September 11, \nthe administration has yet to remedy one of the single most \nsignificant problems that led to those attacks, the failure to \nshare critical terrorist information among Federal, State, \nlocal, and private entities.\n    As we now know, we were unable to prevent the attacks on \nthe World Trade Center and the Pentagon in part, because the \nFederal agencies could not or would not share information. Not \nonly did the Federal Government as a whole fail to connect the \ndots, but certain agencies wanted to maintain exclusive control \nover those dots.\n    One highly publicized example involved was the failure of \nthe FBI and the CIA to share terrorist information about two \nsuspects living in San Diego in 2001. Although several agencies \npossessed relevant information about the suspects, their \nlocations and their contacts, they did not share it with other \nagencies that could have acted on it. To our great dismay, \nthese terrorists went on to take part in the September 11 \nhijackings.\n    Today, however, despite repeated direction by Congress to \nconsolidate these watch lists and despite promises by President \nBush to do so, GAO's report concludes that the administration \nhas failed to address this problem. Nine Federal agencies still \nmaintain 12 different terrorist watch lists. While seven \nagencies have at least some sort of procedure for sharing \ninformation, two agencies have no procedure at all. Only half \nof these agencies share information with States, and only one-\nfourth share information with private entities.\n    According to GAO's investigation, Federal agencies received \nno direction from the White House on this issue. As a result, \nGAO reports that Federal agencies continue to develop their own \nwatch lists in isolation from each other, and that information-\nsharing remains inconsistent and limited.\n    The administration's failure is magnified by the ping-pong \napproach it has taken to addressing this problem. First, the \nPresident's October 2001 Executive order initially assigned \nresponsibility for ensuring the dissemination of terrorist \ninformation to the White House. Then, in the July 2002 National \nStrategy for Homeland Security, the President directed the FBI \nto take on this job. Then the White House apparently took back \nthis function. Now, in the latest volley, officials from the \nnew Department of Homeland Security claim they are working on \nit. This is not a recipe for success.\n    Perhaps most troubling, Mr. Chairman, is the White House's \nrefusal to cooperate with GAO's investigation. When GAO tried \nto contact White House officials about their efforts to \nconsolidate watch list information, they did not respond to \nGAO's inquiries.\n    As you know, this committee has had difficulties in the \npast with the White House Office of Homeland Security, even \nafter Governor Ridge finally agreed to testify before us. This \nlatest refusal by the White House continues to impede Congress' \noversight abilities.\n    As a result of the White House's actions, GAO reported that \nit could not determine the substance, status, and schedule of \nany watch list consolidation activities. Mr. Chairman, how are \nwe to do our job if the White House refuses to provide any \ninformation about the substance, the status, or the schedule of \nthe administration's actions? I hope this hearing will be able \nto shed some light on these very important issues.\n    Mr. Chairman, I want to point out to the witnesses as well, \nwe will be reviewing the testimony, and we have had a chance to \nreview some of it in advance. I, unfortunately, because of \nscheduling conflicts, won't be here for most of the testimony \nthat is given at the hearing.\n    Thank you.\n    [The prepared statement of Hon. Henry A. Waxman follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T8194.004\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.005\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.006\n    \n    Chairman Tom Davis. Thank you very much, Mr. Waxman.\n    Any other members wish to make statements? Mr. Lynch.\n    Mr. Lynch. I will pass, Mr. Chairman. Thank you, though.\n    [The prepared statement of Hon. Edolphus Towns follows:]\n    [GRAPHIC] [TIFF OMITTED] T8194.007\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.008\n    \n    Chairman Tom Davis. Well, let's move right on to our first \npanel. As you know, it is the policy of the committee, we swear \nin all witnesses. Will you please rise with me and raise your \nright hands?\n    [Witnesses sworn.]\n    Chairman Tom Davis. Thank you very much. I think we have \nyour total testimony. We have already looked at it. We finished \na markup at about 11 p.m., and then we went into your testimony \nand we are ready to grill you. So 5 minutes apiece.\n    You know the rules. The lights are here, and then we will \nget right into questions.\n    Thank you. Mr. Cooper, thanks for being here. We will start \nwith you, and then I will go to Mr. Forman.\n\n    STATEMENTS OF STEVEN COOPER, CHIEF INFORMATION OFFICER, \n  DEPARTMENT OF HOMELAND SECURITY; AND MARK FORMAN, ASSOCIATE \n DIRECTOR, INFORMATION TECHNOLOGY, AND E-GOVERNMENT, OFFICE OF \n                     MANAGEMENT AND BUDGET\n\n    Mr. Cooper. OK, thank you very much and good morning, Mr. \nChairman and members of the committee. I would like to submit \nmy written testimony for the record.\n    Chairman Tom Davis. It is all in the record. Thank you.\n    Mr. Cooper. OK. Now I would like to offer a brief oral \nstatement and share with the committee a little bit of what we \nhave been doing since January 24 of this year, when the \nlegislation enacted the Department of Homeland Security. I am \nvery pleased to appear before the committee to discuss activity \nfrom that date and to discuss an overview of the role and \nresponsibilities that I have as the Chief Information Officer \nof the new Department of Homeland Security.\n    Since January, we have been very focused for January, \nFebruary, and most of March, on day one, what we call ``day one \nactivities,'' to actually establish the new Department of \nHomeland Security. The new department, actually, the \nheadquarters personnel had no facilities. They weren't actually \nemployees of the department, and from an information technology \nenablement standpoint, there was an awful lot of work that had \nto be done.\n    We actually have done some very major work and accomplished \nsome very major things, the first of which and foremost is that \nwe had no infrastructure, we had no network, we had no \ncapability to communicate among ourselves and with the rest of \nthe world. So we did, in time and very short notice, implement \nour wide area network to connect our multiple locations and to \nconnect us to the outside world, our sister Federal agencies, \nState and local and tribal governments and, as appropriate, \nenable communications with the critical infrastructure owned by \nthe private sector.\n    We also implemented our dhs.gov Web site, so that we had a \nway for the public to actually access a little bit of what we \nwere doing and understand some of our goals and objectives. \nThat is up; that is operational.\n    Internally, we implemented a portal to enable our \nheadquarters personnel initially, and now the 170,000 employees \nthat comprise the new department, to actually be able to \ncommunicate via an online, DHS online, intranet portal with \ncollaboration capability. We implemented desktop capability, \nlocal area network capability across the multiple facilities \nthat we now occupy as a headquarters entity.\n    Then, finally, but not least, we actually have enabled e-\nmail connectivity across our 170,000 employees, including the \nnew agencies that have become part of the department. It is not \nsomething that is necessarily visible, but it is something that \ntook a lot of work and a lot of time.\n    Once we accomplished that, our focus reshifted to our \nenterprise architectural activity. We actually had begun an \nawful lot of enterprise architectural activity for homeland \nsecurity when I was in the White House Office of Homeland \nSecurity, working very closely with the Federal Enterprise \nArchitecture Program Office and team, headed by Norm Lorentz \nand Bob Haycock, and working closely with Mark Forman.\n    What we have done is to continue to map out the enterprise \narchitecture targets, framework, deliverables. Those are \noutlined in my written testimony. I would be happy to respond \nto questions if there are questions related to the detail about \nthose things.\n    But the enterprise architecture, quite simply, for those \nwho may not be as familiar with it, is an architectural \nframework; it is a decisionmaking framework at its highest or \nstarting component. It is first and foremost about the business \nstrategy.\n    From the business strategy, we began with the National \nStrategy for Homeland Security, released by the President last \nsummer, to then drive down into the business processes that the \nnew department has responsibility for, the functional \nresponsibilities like prevention, detection, protection, alerts \nand warnings, incident management, crisis management, \ncommunication, response, and recovery.\n    We identified, and continue to identify, the information \nnecessary to carry out these processes and functions. Those \nthree components--the strategy, the business layer, and the \ninformation layer--comprise what we call the business \narchitecture. Then behind that or supporting that we have the \ninformation technology architecture, which automates and \nenables the achievement of business goals, objectives, and \nmetrics.\n    That information technology architecture is comprised \nprimarily of a couple of layers, the first being applications \nand/or decision support systems. These are the various \nautomated applications, programs, initiatives that support all \nof the mission capability, enterprise activity.\n    Then, last, we have the information technology \ninfrastructure upon which all of this rides. The infrastructure \nis pretty much like the electric lights in a building: You flip \nthe switch; the lights come on; you're happy. You never see it \nunless it doesn't work. Then we jump in and we fix it.\n    I will stop there. Thank you, and I will be responding to \nany questions that you might have.\n    [The prepared statement of Mr. Cooper follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T8194.009\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.010\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.011\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.012\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.013\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.014\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.015\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.016\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.017\n    \n    Chairman Tom Davis. Thank you very much.\n    Mark, welcome back.\n    Mr. Forman. Thank you, Mr. Chairman and members of the \ncommittee. This is my first hearing as Administrator for E-\nGovernment and Information Technology, under legislation that \nthe chairman sponsored. So it is good to be here in that role.\n    Chairman Tom Davis. Did you get a pay raise with that?\n    Mr. Forman. No.\n    Chairman Tom Davis. OK. You got a fancy, new title anyway. \n[Laughter.]\n    Mr. Forman. And some additional responsibilities and \naccountabilities.\n    Thank you for inviting me to discuss the administration's \nwork in homeland security. Mr. Chairman, making organizations \nshare information is like trying to glue together thousands of \npuzzle pieces. If the pieces are put together correctly, you \nget a pretty picture. If you just apply the glue without an \norderly approach to building the puzzle, you could end up with \nsomething quite messy.\n    Bringing together 22 previously separate agencies and \noffices under one department requires more architecting than \nmerely gluing together all of their IT. The administration uses \nbest practices in e-business and IT management to assist in \nsetting priorities and defining an action plan.\n    Last June, the President stated, ``Development of a single \nenterprise architecture for the Homeland Security Department \nwill result in elimination of the suboptimized, duplicative, \nand poorly coordinated systems and processes that are prevalent \nin government today.''\n    Indeed, the administration believes that DHS leadership \nshould use enterprise architecture analysis to integrate \nhomeland security business processes and organizations, with IT \nbeing the key enabler. As identified in the National Strategy \nfor Homeland Security, Federal homeland security IT investment \nshould first improve response time, the time to detect and \nrespond to potential threats, and, second, improve \ndecisionmaking: making sure that we get the right decisions at \nthe right time.\n    Achieving significant improvement requires significant \nchange in longstanding organizations, their processes, \ninformation flows, and IT investments. OMB provides guidance \nand works with Federal agencies to ensure that the Federal \nGovernment applies best practices in IT management. Through \ntraditional budget and management processes, we hold all \nagencies accountable for meeting statutory and policy \nrequirements.\n    Four key elements are: first, enterprise architectures. An \nenterprise architecture describes how an organization performs \nits work using its people, its business processes, data, and \ntechnology. By aligning organizations, business processes, \ninformation flows, and technology, enterprise architecture \ntools are used to build a blueprint for improving efficiency \nand effectiveness of an organization. We are actively working \nwith the department to ensure that they develop a comprehensive \nenterprise architecture that optimizes existing investments \ninherited from the legacy agencies.\n    Second, managing and budgeting IT investments. OMB IT \nmanagement, OMB Circular A-130, and the budget, OMB Circular A-\n11, provide guidance on information-sharing on a system-by-\nsystem basis through the agency budget request or business case \nfor each IT investment. We are working with all agencies to \nensure that they appropriately leverage and consolidate their \nIT investments: infrastructure, business management systems, \nand mission-related IT within and across their directorates.\n    In particular, the merging of 22 previously separate \nagencies has resulted in the Department of Homeland Security \ninheriting a number of redundant and overlapping IT systems and \nprocesses. The Director of OMB, in Memoranda M02-12 and M02-13, \nissued guidance under the Clinger/Cohen Act on consolidating \nand integrating IT investments across agencies performing \nhomeland security missions. Through the fiscal year 2005 budget \nprocess, OMB will work with the department to eliminate \nredundant and non-integrated operations, systems, and processes \nfor business and mission areas.\n    Third, e-government initiatives. As you know, the \nadministration has been aggressively working over the past year \nand a half in the development and implementation of 24 \ngovernmentwide Presidential e-government initiatives. \nImplementation of the President's e-government initiatives \nrelated to homeland security will overcome information-sharing \ndifficulties between Federal, State, and local organizations \nand first-responders.\n    In addition, many of the other Presidential e-government \ninitiatives provide solutions that must be adopted by all \ndepartments, including the Department of Homeland Security. \nThese initiatives include e-authentication as well as new, \nline-of-business consolidation initiatives on public health \ninformation.\n    Two of the President's initiatives I would like to point to \nin particular: Project SAFECOM and Disaster Management, which \ndirectly support and promote improving information-sharing \nbetween Federal, State, and local first-responders. I go in \nmore detail in my written testimony on the content of those \nspecific initiatives.\n    As managing partner, DHS is responsible for ensuring the \naccuracy of the business case for these initiatives, submitting \nthe business cases to OMB, and ensuring management of the \nproject to achieve cost, schedule, and performance goals for \nthe implementation of the operations phase.\n    The fourth area is the President's Management Agenda. OMB \nmonitors agency IT and e-government progress on a regular basis \nthrough the President's Management Scorecard under the \nexpanding e-government score. Because the Department of \nHomeland Security is new, its status is scored as red. Again, I \ndiscuss that more in my written testimony.\n    Let me conclude by saying that achieving true homeland \nsecurity will require IT investments to significantly improve \nresponse time and decisionmaking. While we recognize the \ndepartment is currently grappling with cultural legacies of 22 \ncomponent agencies, we fully expect that DHS leadership will \ncontinue to build an integrated and interoperable structure, \nresulting in a business-driven enterprise architecture that \nreflects the President's vision of eliminating suboptimized, \nduplicative, and poorly coordinated systems.\n    Thank you.\n    [The prepared statement of Mr. Forman follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T8194.018\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.019\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.020\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.021\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.022\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.023\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.024\n    \n    Chairman Tom Davis. Thank you. Let me just start the \nquestioning.\n    I mean you are trying to integrate 22 component agencies, \nbut some of these agencies are miserable failures stand alone. \nINS is just a mess. I think we saw some of that in September \n11. I have looked at it, talked with contractors. What is our \nstrategy there? I know it is now different agencies. How long \nis that going to take and how much will it cost, do you think? \nDo you have a figure on that yet or is it a little premature?\n    Mr. Cooper. Chairman Davis, I don't have a figure yet. What \nwe have begun are formal program reviews. My focus is very \nheavy on the information technology component.\n    We are working through these as rapidly as we can. We are \nrunning them in priority order, meaning the priority dictated \nby the business community, our business leadership, the Under \nSecretaries, Deputy Secretary; and then, as guided by Secretary \nRidge.\n    We have about 20 or 25 of the highest priority initiatives \nover the next several weeks, and as rapidly as we can we will \ncome back and offer additional information, additional insight \ngleaned from these program reviews.\n    Chairman Tom Davis. One thing that has impressed me about \nthe way we've handled this is initially, when you get different \nagencies like this and you're trying to solve problems, \ntraditionally Government has just sent a lot of money out the \ndoor, contractors working without really taking a look at the \nrequirements that we have, taking a look at how it is going to \nintegrate. We have been a little slow to start. I don't think \nthere is any question about that.\n    I don't think it is too early to give a grade, and people \nget impatient, you know, but it is a smarter way to go. At the \nend of the day, I think our moneys would be spent smarter and \nwe will get a better system. At least that is my impression \nfrom the way things are being handled. Is that fair, do you \nthink?\n    Mr. Cooper. Yes, I agree. One of my concerns is that I \nthink if we simply begin to, if you will forgive the \nexpression, kind of throw money at the problem before we \nclearly understand where are the highest priorities, where are \nthe best opportunities for integration, where are the greatest \nopportunities for us to realize value, I think we run the \npossibility of wasting some of that money and some of that \neffort.\n    Chairman Tom Davis. Absolutely. Absolutely. I know a lot of \ncompanies out in my district that are a little impatient. They \nhave geared up for this. A lot of them have some very \ninnovative solutions they want to offer. But I think you are \nsmart to sit back and make sure we have an integrated plan on \nhow it is all going to fit together, that you have set your \npriorities.\n    You stated in your testimony that the ``as-is'' \narchitecture is about 70 percent complete at this time, and the \ninventory of your ``as-is'' applications is also about 70 \npercent complete. You expect to have both the ``as-in'' \narchitecture and inventory completed by next month? Is that \nroughly----\n    Mr. Cooper. The end of June----\n    Chairman Tom Davis. The end of June?\n    Mr. Cooper [continuing]. Is our target date now.\n    Chairman Tom Davis. Now? Are you completing the process? As \nyou go through this, can you tell us what you found in any \nredundant systems and give us any examples?\n    Mr. Cooper. We have already begun to identify some \nopportunities. For example, in our infrastructure component, we \nhave certainly identified that we have multiple physical \nnetworks, for example. The question is, how many of those do we \nactually need? What is the optimal number?\n    We would like to actually move toward one unclassified \nnetwork. Now that is going to take a little bit of time, but \nover the next probably 18 to 24 months that should be something \nthat I think we can address.\n    So an example is to begin to consolidate the number of \nunclassified networks that we have. Another example: In our \nmanagement types and administrative types of applications, \nhuman resources, financial management, some of the \nadministrative and management applications, we certainly don't \nneed the 20-plus human resources applications that existed \nlegitimately, not because anybody did anything wrong, but \nbecause each agency required a human resource capability. Then \nthat was, indeed, automated.\n    But, as a new, single department, we have an opportunity to \nconsolidate it. We are working closely with OMB and under their \nguidance. So those are some examples of opportunities.\n    Another example is actually in what we call the mission-\ncritical space. There are a number of organizations and \nagencies that had, for example, alert and warning types of \napplications. So one legitimate opportunity is to evaluate, \nmight there be some advantage and some value and, admittedly, \nsome cost savings if we move from a dozen alert and warning \ntypes of applications to perhaps a smaller number? It might not \nbe one, but it certainly might be two or three, as opposed to a \ndozen.\n    Chairman Tom Davis. Well, the next phase, then, would be \nthe ``to-be'' architecture?\n    Mr. Cooper. Yes.\n    Chairman Tom Davis. And you state the initial plan will be \ncompleted in August 2003. Can you elaborate on what the ``to-\nbe'' architecture, what it will encompass, and what do you mean \nby the ``initial plan?''\n    Mr. Cooper. OK.\n    Chairman Tom Davis. It would be, I mean, when will it be \nfinally complete, examples of that?\n    Mr. Cooper. When we say a ``to-be'' architecture, what we \nare really talking about is the desired state or the target \nstate for how we do business; what are our objectives; what are \nour goals; what are our measurements, our metrics. Let me use \nan example out of Border and Transportation Security.\n    As we look across the business processes that comprise how \npeople and cargo enter the United States and then leave the \nUnited States, one of the opportunities is to re-engineer that \nbusiness process, take a holistic look across all of the \nseparate agencies that came into the department, each with its \nown process, look at them kind of side by side, and look for a \nseamless, end-to-end, horizontal process that really addresses \nthe movement of people, beginning with a visa application \nprocess and continuing all the way through when they actually \nenter the United States, travel in the United States, and then \nleave the United States.\n    Our desired-state architecture would actually re-engineer \nthat process. At a macro level, it would now repaint a picture. \nThe desired state differs from the existing state. We then can \ntake the gap and make determinations about, how do we move from \nwhere we are to where we want to be? That is what we then call \nour migration strategy or our road map, and we expect to have \nthe first release of our road map by the end of the fiscal \nyear, by the end of September 2003.\n    Chairman Tom Davis. Thank you. Thank you very much.\n    Mr. Lynch.\n    Mr. Lynch. Thank you, Mr. Chairman.\n    Mr. Cooper and Mr. Forman, I want to thank you for coming \nbefore the committee and helping us with our work. In another \nconfiguration, this committee is responsible with an ongoing \ninvestigation of the FBI, and Chairman Davis is doing a \nwonderful job on that, along with our ranking member, Mr. \nWaxman.\n    Now what we have learned in that investigation of the FBI--\nand I don't mean to single them out, but that is the agency we \nare investigating--we have found a couple of things. No. 1, \nwhen an agency's task and directive is to operate in secrecy, \nand when an agency is encouraged and directed under law and \nregulation to operate in secrecy, it is against the culture, \nNo. 1, to share information. So we are working against a very \nstrong culture of--I mean, obviously, if you want things to be \nsecret, you don't share information.\n    Second, the thing we have also seen at the FBI, and it \nexists at other agencies, is that so much of the culture there \nis based on career advancement, that if you are an FBI agent, a \nsupervisor, and you are undertaking an investigation, a very \nimportant one, whether it involves organized crime or terrorist \nactivity, you want to advance your career. The last thing you \nwant to do is share that information that you have that might \nbe important to your success with another competing agency.\n    So we have a culture here that is directly opposed to the \nfree sharing of information, and I worry for the American \npeople, not only because of the flat-out atrocities that I have \nseen within the FBI, but also because our national security, \nespecially after September 11, requires the sharing of this \ninformation.\n    Now I appreciate all the work you are doing on technology, \nbut this is a human fault in our system. I have two questions.\n    My first question to either of you gentlemen would be: What \nare we doing to encourage information-sharing and a change in \nthat culture of secrecy and obsessive control of information \nwithin these agencies? Anytime you are ready.\n    Mr. Cooper. Let me begin. One of the things that we are \ndoing that we have actually found has helped, and is helping, \nbreak down some of the cultural biases against sharing, we have \ncreated a couple of, what we call, integrated teams. We have \npulled people together from across the various intelligence \ncommunities, intelligence members, including the FBI, to first \nagree upon a shared vision, and with the shared vision, we can \nthen set kind of goals and objectives around, if we have this \nshared vision and if it does require the sharing of information \nheld within each member of the community, how then might we be \nable to share that information in order to support that common \ngoal or objective.\n    We have had some good dialog. We have been able to actually \nreach agreement, and that agreement has actually now taken the \nform of Memorandums of Understanding and Memorandums of \nAgreement signed between and among the FBI and other Federal \ndepartments and Federal agencies at the business level, the \nleadership level, that set this forth in writing and do commit \nthose agencies to working together to share information, in \ncompliance with that shared vision.\n    Mr. Lynch. Let me ask you, do the memoranda, do they \ninclude any specific incentive for agents to share information \nor any specific penalties if they do not share information that \nshould be shared?\n    Mr. Cooper. The memoranda that I have seen do not contain \nthat specific information.\n    Mr. Lynch. OK. Well, until we get to that root problem, I \nthink that all this other stuff is just window-dressing. That \nis the core of our problem right there, is the secrecy and the \nunwillingness of people to share information. If you are not \ngetting at that problem, all the new computers and all the \nnetworks in the world, they are not going to help us. We are \ngoing to be before this committee again someday asking how come \nwe didn't all know about, you know, some type of threat.\n    OK. That being the case, I want to point out just to the \nGAO report which was----\n    Chairman Tom Davis. The gentleman's time has expired, but I \nwill let him finish up here. I will let you make this final \ncomment here.\n    Mr. Lynch. Thank you, Mr. Chairman. Thank you.\n    One question, and you can do with it what you will. The GAO \nreport talks about these terrorist lists, and it seems like \nevery agency has one. We have very little coordination in terms \nof consolidating or agreeing on these terrorist/criminal watch \nlists. The GAO report, at page 28, has a very dismal assessment \non how these agencies are actually coordinating on this \nspecific point, and this is a good example; in spite of \ncongressional direction and executive direction to get their \nact together and coordinate their lists and decide a concerted \napproach, it has not happened.\n    It has been 20 months since September 11, and I know that \nyou work with the White House and related offices. I was \nwondering why, after 20 months, we don't have an effective \nresponse to this particular situation.\n    Mr. Cooper. I believe that the current state is much, much \nbetter than it was 20 months ago. There is a working group. \nThat working group is now guided by the TTIC, T-T-I-C, \nTerrorist Threat Integration Center. We are a member of that \nworking group. The members of the intelligence community are \nmembers of that working group. The FBI is a member of that \nworking group. It is an example of a working group that I just \nreferred to.\n    I think, literally for the first time in history, there are \ndocuments that are being circulated for signature that do \ncontain some very specific examples and requirements around the \nsharing of information. Let me actually pull one paragraph out \nof the Memorandum of Understanding that is being shaped that \nspeaks to data bases and the integration of these data bases, \n``The parties agree to establish procedures and mechanisms to \nprovide the Department of Homeland Security, as appropriate and \npracticable, other covered entities with access to data bases \ncontaining covered information. To this end, parties shall \nestablish a working group within 30 days of the date of this \nagreement.'' That is kind of what is underway now.\n    So we are actually spelling out in writing that everyone \nwill kind of sign up to the mechanisms that I think will get us \nto the integration that we are talking about.\n    Mr. Lynch. I want to thank you again, Mr. Cooper and Mr. \nForman, for your good work. Could I ask you, might we get a \ncopy of that memorandum, not on the record but for our review?\n    Mr. Cooper. Certainly, I think this is under the guidance \nof the TTIC. So, if I may respond, check with them and then \nrespond?\n    Mr. Lynch. That would be great. Thank you very much. Thank \nyou, Mr. Chairman.\n    Chairman Tom Davis. I thank the gentleman. The vice \nchairman of the committee, Mr. Shays.\n    Mr. Shays. I thank the gentleman. I really have to work to \nget into this issue, but I think it is hugely important. \nProbably my biggest disappointment with the Department of \nDefense is most of our IT stuff has turned out not to work out \nas well as we wanted. We spent a fortune.\n    I am interested to know, how is the Department of Homeland \nSecurity incorporating data and systems architectures for \nexternal entities like DOD, CIA, FBI in the design of DHS \nobjective systems. I mean, what are we doing? I would like both \nof you to be able to answer that for me.\n    Mr. Forman. Let me start out, if I may, because one of my \nnot only initiatives, but now accountable responsibilities to \nthis committee is to put in place the governance process and \nthat enterprise architecture framework for the Federal \nGovernment.\n    There is no question that we are living through a change in \ntechnology that ties directly to the way we manage the Federal \nGovernment. We can't, as you pointed out, rely on hooking \ntogether a lot of data bases or computers to fix what is \nfundamentally a broken business architecture.\n    In fact, I would have to say most of the work done over the \nlast 2 years has been on that architecture in this area, \nleading to the Department of Homeland Security Act that was \nsigned, and now the department has begun, up and running. Now \nit takes a lot of work.\n    There are decisions that are going to be made, not just by \nthis department, the Department of Homeland Security, but by \nthe Justice Department, the Department of Health and Human \nServices. Here, again, I refer to my testimony. In our gusto to \nrespond to initiatives, take public health information networks \nas a perfect example, we now have 18 new systems in the \nPresident's budget that was requested in response to \ncongressional action on bioterrorism networks. I view it as my \njob to make sure that we now don't invest in the 19th system \nbecause we have this fragmented structure that turns into \nmultiple computers on people's desks in the health information \ncenters at the county level and hospitals.\n    This architecting issue is real and relates to roles and \nresponsibilities of multiple organizations. So we have to get \nthe business model right, and that ties to processes.\n    There are responsibilities for Federal CIOs under the \nClinger/Cohen Act and under the E-Government Act of 2002, but \nthis is going to take a lot of engagement from Members of \nCongress, from this committee's leadership position, through \nthe appropriations process, as well as senior political \nofficials in each of the departments to understand how to work \ntogether.\n    Fundamentally, we are talking about business processes that \ndid not exist and, hence, information systems we are trying to \nhook together that were built for different purposes. That has \nto be done in a rigorous architecting process.\n    Mr. Shays. Mr. Forman, let me ask you, is it an advantage \nthat we are reorganizing into a Department of Homeland \nSecurity? Does this give us opportunities or just made life \nmore difficult for us?\n    Mr. Forman. It is a requirement. We could not do this \nwithout appointing an organization. We couldn't have people, \ngiven their current roles and responsibilities under statutory \nrequirements, merely sharing information without somebody in \ncharge of making decisions on the basis of that information, \nand, hence, the need for the Department of Homeland Security \nfills an important gap in our world, we would say, the business \narchitecture and the reality. Nobody had those roles and \nresponsibilities before creation of the department.\n    Mr. Shays. Thank you. Mr. Cooper.\n    Mr. Cooper. One of the things that we are doing to add a \nlittle bit more specificity, deliberately and consciously, to \nkind of reach out to other Federal agencies, we have begun the \ndevelopment of joint exhibit 300's to submit to OMB in a couple \nof specifics. Let me give you some real examples.\n    Wireless technology and the use of wireless technology for \ninteroperability, this also now reaches out to State and local, \ntribal government as well. By teaming together with, for \nexample, the Department of Justice and the Department of \nTreasury, we are kind of the lead three agencies in this, and \nby crafting a joint exhibit 300, we are actually putting \ntogether a plan that encompasses capability that already exists \nas well as the need for new capability that we might identify \nthat call all of us to work together collaboratively and submit \nthis, then, to OMB, so that we are actually bringing forward a \nmore powerful opportunity to request funding and support and \nreach out across the Federal environment.\n    Two other key areas that we are doing this in: One is in \nintelligence information, meaning we are specifically looking \nat all of the applications, not just within the Department of \nHomeland Security, that might pull together; we can \nconsolidate; we can integrate.\n    A third area is in the area of identity credentialling. \nThere are a number of initiatives that are underway across \nseveral Federal agencies. We are trying to pull those together, \nso that we can basically do this once in an optimal manner and \nthen move forward together.\n    Mr. Shays. Thank you, Mr. Chairman.\n    Chairman Tom Davis. Thank you. Mr. Ruppersberger.\n    Mr. Ruppersberger. Yes, sure, thank you for being here. \nLook, this is an exercise that we are all moving forward with; \nwe are learning a lot. We need to learn from our mistakes. As \nhas been stated before, there is an issue as it relates to \nculture, the need-to-know basis in all the agencies.\n    There is so much information and things that we can talk \nabout, and I have 5 minutes. So I am going to throw out a \ncouple of questions and then be quiet. That way, I won't be \npenalized for going over my 5 minutes.\n    Basically, I am going to address some of the questions from \na local and State issue, and I think that one of the main \nissues that we are dealing with now is how we work that \ncommunication level between the different areas. Terrorism is \nunlike other types of investigations where a lot of times \n``need to know'' is very important.\n    I think the three areas, and there are three topics and \nissues that I think are extremely important as far as \nconsistent procedures, and that would be, No. 1, information-\nsharing. Information-sharing, in my opinion--or I would like \nyour opinion--on how we develop a workable plan to share the \ndata throughout the necessary channels.\n    Also, the second issue is knowledge management. Knowledge \nmanagement determines what should be done with information once \nan agency or department gets this information.\n    The third would be data mining. Data mining is basically \nreceiving the data, storage, and the ability to retrieve that \ninformation.\n    Now, from a local perspective, I represent the Baltimore \nregion. I was a former county executive. So I have had a lot of \ncommunications with the former police chief and still police \nchief of Baltimore County. Some of his issues are that he \nthinks communication has improved within the last year, but \nstill there is not specifics of origins of information they \nreceive, not allowed to evaluate the quality of threats or \nleads as it relates to them. It is coming down almost as a \nmandate.\n    Two, local investigators--in the same area--local \ninvestigators might determine the information is too glossed-\nover to be useful, and this is kind of frustrating.\n    The FBI and others are trying to be more up front, but the \ninformation is just not accurate or timely. Sometimes you get \nnotice, you get more from what you read in the newspaper than \nyou do from those agencies. So the timeliness of that data, the \ninformation.\n    Third, immigrants are not in a data base. They need that \ninformation if they stop someone. That is extremely an \nimportant issue, I think.\n    The National Crime Information Center/exit registration \nsystem is not connected to what they need in the field.\n    Now I also represent Baltimore City. Mayor Martin O'Malley, \nwho is very active with the--what; is it major city mayors--and \nhe is up front on the issue of where we need to go and what \ntheir concerns are.\n    No. 1 I think is the security clearance. There are certain \npeople within his organization/administration that have not \nbeen approved or received it. So when there is information that \nmight have to deal with a fire department or if the mayor \nhimself might receive information, he is not able to get that \nand to be able to analyze it and take the steps to where they \nneed to move.\n    So some type of data base compatibility also is an issue. \nThere is no way to search and post information within and \nbetween jurisdictions. An example: Someone who was stopped in \nNew Jersey about taking pictures of bridges, now why wouldn't \nPhiladelphia, Baltimore, and Washington maybe receive that \ninformation?\n    Responsibility/authority, Federal agency authority and \nclear. Locals get conflicting information from Customs, \nImmigration. Kind of no clearinghouse. We need to focus on the \nconsistency of the information.\n    A Federal alert system of value; warnings, in his opinion--\nthis isn't mine--are useless; get more from media than the \nDepartment of Homeland Security at the local level. Unspecified \nthreats more important to cities and outlying areas. That is \nhis opinion. He does have the Port of Baltimore and a major \ncity area.\n    Now I am throwing that out because I think that there is a \nlot to talk about here, and we can't accomplish it in a 5-\nminute situation. But it is a culture. There is a foundation \nthat we are trying to create. I see, personally, a lot more \ncooperation, but there is still that culture of ``need to \nknow.'' A lot of times you need to know that.\n    I happen to be on the Intelligence Committee, and there is \nnothing we can talk about there. So that is a culture, but it \nis a necessary situation until it is retrieved.\n    A lot of comments. Could you please respond to some of the \nissues that I raised?\n    Mr. Cooper. I think, first of all, that you are absolutely \non target with the content and the points that you are raising. \nWe are, in some form or another, addressing almost everything \nthat you have outlined here. At the moment, we are not as far \nalong in some of these areas as others. Again, this is complex, \nas you, yourself, have indicated.\n    We have it underway, and our focus has started on the \ninformation-sharing. We feel that we have to get the basics in \nplace before, for example, we can move to kind of the higher \nlevel of knowledge management and before we can really take \nadvantage of some of the tools and capabilities related to data \nmining capability from an information technology standpoint.\n    But, specifically around information-sharing and \ninformation-integration, we have a number of pilot initiatives \nunderway where we have reached out to State and local \ngovernment, where we actually are putting connectivity in \nplace, albeit in a pilot manner at the moment, to share \ninformation in a two-way flow, both from State and local \ngovernment and appropriate authorities, members of the first-\nresponder community to us, and then in turn----\n    Mr. Ruppersberger. And, by the way, I would agree because a \nlot of your leads come from the local, from the street, so to \nspeak.\n    Mr. Cooper. Absolutely, yes, sir.\n    Mr. Ruppersberger. So it needs to go both ways----\n    Mr. Cooper. Yes, sir.\n    Mr. Ruppersberger [continuing]. And then be analyzed.\n    Mr. Cooper. It absolutely does.\n    Mr. Ruppersberger. That is probably one of the biggest \nissues, is analyzing information.\n    Mr. Cooper. Yes.\n    Mr. Ruppersberger. As we even know with September 11, we \nhave the technology and the ability to receive a lot of it, but \nit is analyzing that information.\n    Mr. Cooper. Yes, absolutely. A lot of this activity is \nbeing guided by our Information Analysis and Infrastructure \nProtection Directorate, which, as you know, is one of the new \ndirectorates that was established by the legislation.\n    So we are also being challenged a bit by a startup. In \nother words, there weren't existing entities as part of our \nincoming agencies that had full responsibility and a \nsignificant amount already in place. It is underway. We are \nmaking progress.\n    In addition, we are also including State and local \nrepresentation in our enterprise architecture work. This is \nanother mechanism by which we actually can hear and validate \nfrom the local communities, from the State communities, from \nthe first-responder communities, what is it that they believe \nare the highest priority processes and, in turn, they are \nworking with us to actually re-engineer and improve these \nprocesses.\n    Once that work is completed along the schedule that I \noutlined, we then, in turn, can begin to apply information \ntechnology tools, methods, and techniques to more rapidly \nintegrate and achieve information-sharing.\n    Chairman Tom Davis. The gentleman's time has expired.\n    Mr. Ruppersberger. Can I ask just one question or comment?\n    Chairman Tom Davis. Sure.\n    Mr. Ruppersberger. Thank you. It is a big issue that we are \ndealing with. I think something that has worked in the past, \nand I would just like your comments on this, and it was used by \nthe FBI when they started to get involved in the narcotics \nenforcement, where you would have strike forces involving FBI, \nDEA, local, and State. In order to break a culture, it seems to \nme that a lot of it is trust and working together, so that a \nstrike force concept develops those relationships. A lot of it \nis relationships.\n    I mean, you see right there that there are certain FBI \noffices that might not get along with certain locals in one \njurisdiction but they do in another. I think that is something \nthat maybe we should look at, as we are developing how to break \ndown this barrier of information and getting the information \nout so it is useful or coming both ways. I just would like your \ncomments, whether you think that strike force--and maybe we \nshouldn't use the words ``strike force,'' but that is what \nworked in the past, and I think it still is working.\n    Mr. Cooper. I certainly agree. In fact, we actually have \nfollowed your recommendation, and we have, although not a lot \nin number, we have a couple of those strike force types of \nteams.\n    One example is in our enterprise architecture work, where \nwe really do have a working group comprised of State and local \nChief Information Officers and/or their designated \narchitectural representatives, subject matter experts, who are \nworking side by side with the Federal teams that are involved \nto establish a true national enterprise architecture for \nhomeland security that is aligned with our Federal enterprise \narchitecture, guided by OMB. So that is one example.\n    Another example is we have a number of--admittedly, this is \nin the information technology arena--but we have a number of \ntechnical working groups that are actually local, State, in a \ncouple of cases private sector involvement, along with our \nFederal subject matter experts, to actually define things like \nsome of our technical standards around data-sharing and \ninformation-sharing.\n    So we have taken your advice. We actually have a couple of \nthese in motion.\n    Mr. Ruppersberger. Thank you. Mr. Chairman, if you don't \nmind, I am going to try to make this an issue between the State \nand local and the Federal Government in this information.\n    Chairman Tom Davis. Mr. Tierney.\n    Mr. Tierney. Thank you, Mr. Chairman. I thank the witnesses \nfor being here this morning to try to help us.\n    Just in looking through this and realizing that we were \ntrying to develop some watch lists at one point in time, and \nhaving some difficulty deciding who was responsible for that, \nMr. Cooper, you have been in both different branches of this. I \nwas a little disturbed with GAO's report when they indicated \nthat the White House was unresponsive to its queries about what \nwas going on with the consolidation of lists and with the \nexchange of information.\n    Today, who is responsible, ultimately, for putting together \nthese systems? Is it the White House Office of Homeland \nSecurity or is it the Department of Homeland Security or is it \nsomewhere in between?\n    Mr. Cooper. At the moment, it is a coalition that includes \nthe Department of Homeland Security, the Terrorist Threat \nIntegration Center, the FBI, and the Department of State, and \nmembers of the intelligence community.\n    Mr. Tierney. Now who of that group is in charge?\n    Mr. Cooper. They are at work. It is being guided by the \nTTIC, T-T-I-C, the Terrorist Threat Integration Center. That \nbusiness group is at work to actually define the process and \nthe governance by which your question can be answered.\n    Mr. Tierney. You're kidding me? All this time after \nSeptember 11, 2001, we are sitting here saying the White House \ndoesn't accept responsibility for this; the Department of \nHomeland Security doesn't accept responsibility for this. Some \nbureaucracy of an amalgamation of different agencies, whatever, \nis getting to the point where they are now trying to sit down \nand decide who is going to be in charge? Where is the \nleadership in that?\n    Mr. Cooper. I think the leadership is working together to \nfurther define and refine a true process for an integrated \nwatch list activity.\n    Mr. Tierney. You say that with a straight face, which I \nthink is admirable, but, I mean, does that disturb you \nsomewhat, that this is the point we are at?\n    Mr. Cooper. It is the point that we are at, and I think \nthat shortly we will have definitive answers.\n    Mr. Tierney. Can you define ``shortly'' for me?\n    Mr. Cooper. Can I get back to you?\n    Mr. Tierney. OK. [Laughter.]\n    Chairman Tom Davis. It is above his pay grade.\n    Mr. Tierney. Well, no, I am not trying to be difficult with \nthe witness. You understand I am not trying to be difficult \nwith you; I am trying to get an answer on this.\n    Mr. Cooper. No, I understand. Part of it is our fault----\n    Mr. Tierney. Our chairman indicates that it is above your \npay grade.\n    Mr. Cooper. Yes. I am honestly not trying to duck the \nquestion, but----\n    Mr. Tierney. No, I understand.\n    Mr. Cooper [continuing]. But I am not in the lead on this \nparticular activity. Therefore, I think it would be imprudent \nof me to actually speak on behalf of the group that is doing \nthe work.\n    Mr. Tierney. All right. Fair enough. I am just stunned, I \nguess, to think that, you know, originally, we had the White \nHouse Office set up. It seems to have some rationale to \ncontinue to function. I mean it seems to me to be a great \nrationale to have from the White House somebody in charge of \npulling together not just the Department of Homeland Security, \nbut those agencies that aren't within the Department of \nHomeland Security.\n    I was one who criticized that consolidation for not \nincluding the FBI and the CIA, for this very reason. To find \nout now that we are, 2 years later almost, and this still isn't \ndone, to me is just staggering. I think that there is an \nabsolute abdication of leadership here from the White House and \npeople that could be doing it. Maybe it is the vacancy in that \nposition that creates part of the problem, although I notice \nthat the President still is seeking funding for 2004 for an \nagency that doesn't seem to have leadership and doesn't seem to \nbe doing what I thought was one of the primary responsibilities \nthat were given to it.\n    Mr. Forman. I don't think it is quite fair to say that \nthere is no leadership. I thought the leadership was quite \nclear in the President's budget this year, how he outlined it \nin the State of the Union, TTIC, the Terrorist Threat \nIntegration Center.\n    There is no question that we have to get the agencies to \nwork together. That takes identification of business process \nand across organization, very similar to what we see in \nindustry with the matrix unit today.\n    So to say that any one department should be accountable for \nworking with other departments, I understand that perfectly. \nThis has to cut across departments because there are multiple \nplayers that have to be involved. There are different business \nprocesses that will run----\n    Mr. Tierney. That is exactly the point, isn't it: that in \norder for different agencies cutting across an area to work \ntogether, there has to be somebody leading it who gives them \nthe authority and the will to cut across and deal with one \nanother? So I take exception to your offering up here of your \nopinion, which I appreciate, but I am going to tell you, I take \nreal exception to it.\n    This is an abject failure in leadership because a leader \nwould have taken what is probably one of our principal concerns \nhere and put somebody in charge of making sure there was \ncoordination on this effort and making a determination of how \nthat information was going to be shared. We wouldn't be sitting \nhere looking, almost 2 years later, and realizing that we still \ndon't have the kind of communication systems between these \nagencies that should have been resolved.\n    We have had a position that has been vacant for a period of \ntime, where it still seems to reside, although the White House, \nfor some inexplicable reason, won't deal with the GAO and give \nthem any answers or information. So it makes it difficult for \nus to do our oversight functions.\n    So not only does there appear to be a lack of leadership, \nit appears to be a lack of cooperation with Congress in trying \nto get the oversight that could help us define how that \nleadership ought to be directed and how we could get to the \nbottom of this problem.\n    So I appreciate your kibitzing there on that, but I just \nstrongly disagree with you. It is a lack of leadership, and I \nhope that this committee or bureaucracy, whatever that has been \nset up to resolve this issue, moves quickly. I think, \npreferably, it could have been done with one person making a \nfirm decision and giving some direction.\n    But thank you.\n    Chairman Tom Davis. Thank you. Mrs. Blackburn.\n    Mrs. Blackburn. Thank you, Mr. Chairman. I am kind of \nsitting down here between two seats, I think.\n    I apologize that I had to miss much of your testimony. I \nwas over in the Judiciary Committee in a hearing there.\n    But I did want to step in. I think I am one of these \ncommittee members that has been increasingly frustrated as we \nlook at the lack of interaction between the public and private \nsector in integrated technologies and interactive technologies \nand in the incredible amount of money that is spent without a \nresolution to having systems that talk to one another.\n    I am going to pick up where Mr. Ruppersberger kind of left \noff there. He was talking with you about having an interface \nwith your local, State, and Federal Government and involving \nyour local and State governments in some input as you look at \ndeveloping your enterprise architecture, and the overlay, the \ntemplate that you are going to work from on this.\n    Then you started touching on it and stopped off. So let's \ncarry the rest of this conversation.\n    You talked a little bit about your tech working groups and \nmentioned that you had some private sector input into those \ngroups. So let's go back to that, and let me ask you how you \nare integrating the private sector into this process in \ndeveloping the enterprise architecture. From the get-go, are \nyou looking at doing this as a template that will be from the \ntop down that will help interface all of your local and State \nagencies?\n    Mr. Cooper. Initially, what we are actually trying to do is \ngain some input as we work through to our first release, this \nroad map, this migration strategy that I had mentioned earlier, \nwhich we are on target to release at the end of September, as \nwe head into October of this year.\n    We are doing a couple of things. First of all, we are \nreaching out through some of the information technology \nassociations like the Information Technology Association of \nAmerica or the Private Sector Council or the Industry Advisory \nCouncil, organizations and associations like that. So that we \nbasically can pose questions or areas of interest to the \nassociations and ask them, ``Would you, please, now ask your \nmembership to give us some type of feedback or comment as \nappropriate?'' We are doing that as we move between now and \nSeptember.\n    We then intend, as we release our initial version of our \nwork in September, that will go out; that will be widely \nreleased to the private sector and to State and local \ngovernments, so that we then can work with them to validate, \nimprove, edit, recorrect, adjust, align, whatever, as \nappropriate. So that, in fact, we then collaboratively produce \na more effective enterprise architecture.\n    Mrs. Blackburn. OK, so September is when you are looking at \nbeing your initial presentation?\n    Mr. Cooper. Yes, Ma'am.\n    Mrs. Blackburn. OK. As you work through this process, your \ntimeline going forward from that, when do you think that you \nwill have a workable rollout, something----\n    Mr. Cooper. Actually, the September rollout will be a \nworkable rollout. We will begin to use that rollout for \ndecisionmaking.\n    Mrs. Blackburn. All right.\n    Mr. Cooper. We will continue to refine it.\n    Mrs. Blackburn. OK, continue? OK. And then what, as you \nhave talked to the different agencies and associations, what \ntype response are you getting? What type of innovation or ideas \nare you seeing come forward?\n    Mr. Cooper. Very positive. We have had a significant number \nof members of those organizations provide input and approach \nus, directly approach my office and members of my office to \noffer ideas, to offer suggestions. As rapidly and as \neffectively as we can, we are trying to absorb as much of that \ncomment and incorporate it. We are trying to listen. We are \ntrying to buildupon the good ideas that we are receiving.\n    Mrs. Blackburn. Before my time expires, an estimation of \ntotal cost, do you have that?\n    Mr. Cooper. For the enterprise architecture activity----\n    Mrs. Blackburn. Yes.\n    Mr. Cooper [continuing]. Between now and September? It is \nestimated at about $3 million for this fiscal year.\n    Mrs. Blackburn. OK, and are you all developing, more or \nless, a group of lessons learned or best practices that can be \napplied to other agencies?\n    Mr. Cooper. In concert with our work, we are trying to kind \nof record those as effectively as we can. We are working with \nthe Federal CIO Council Best Practices Committee and being \nguided both by them, but also trying to collect what we learn, \nso that we then can disseminate it out across the Federal \nenvironment.\n    Mrs. Blackburn. Excellent. Thank you.\n    Mr. Forman. If I may just add onto that, it is important to \nunderstand that the Federal enterprise architecture is based on \na component-based model. That is the way the industry is moving \ntoday on both the IT side and where the large corporations are \nmoving.\n    That is essentially what people would call ``plug-and-\nplay.'' We require that for all departments to be involved. At \nthe Federal level, the CIO Council, the National Association of \nState CIOs, and several local government groups are jointly \ninvolved in defining that. We have financed the State \narchitecture work by NASCIO, National Association of State \nCIOs, explicitly so we can make this link up together.\n    Mrs. Blackburn. I appreciate that, but I am one of those \nfreshman that came from a State senate, where it was not \nuncommon to spend $100 million a year on interactive \ntechnologies or on IT in general, some program that doesn't \nwork, doesn't talk to the other.\n    The lessons learned from September 11 were that your first-\nresponders can't communicate, and you have a situation of, \nwho's on first? So those confidences and the knowledge that you \nare working not only with different levels of government, but \nwith the private sector, and that you are building a basis of \nbest practices to move forward, is good to know.\n    Mr. Forman. I appreciate that.\n    Chairman Tom Davis. Thank you very much. I want to thank \nthe first panel for your questions. Some members are going to \nhave some written questions, and we may have some followups. \nBut I think you have been very forthright about it. I think we \nhave shared with you some of our concerns that you share with \nus, and we appreciate the job you are doing.\n    We will move on to the second panel at this point. We have \na great panel. We have Robert Dacey, the Director of \nInformation Security Issues, and Randolph Hite, the Director of \nArchitecture and System Issues at the General Accounting \nOffice.\n    We are also honored to have Charles Rossotti, the former \nCommissioner of the Internal Revenue Service, where he had a \ndistinguished record there, as he had in private business \nbefore he came here. He is currently a senior advisor for the \nCarlyle Group.\n    If you all would make your way to the front?\n    Mr. Rossotti, thank you. I understand you flew in from \nCalifornia to do this, and we just really appreciate having you \nhere.\n    If you could stay on your feet, I am going to swear you in.\n    [Witnesses sworn.]\n    Chairman Tom Davis. Thank you. We will start with the GAO \nrepresentatives. We have your total statement. You can take up \nto 5 minutes, and then we can get right into the questions.\n    The light in front is green, and then it is orange with a \nminute to go, and when it is red, you can try to sum up. Your \ntotal statements are in the record.\n    Mr. Rossotti, I understand you are going to ad lib it up \nthere. We are just happy to have you here. Thank you very much.\n    Why don't we start with you, Mr. Dacey.\n\n  STATEMENTS OF ROBERT DACEY, DIRECTOR, INFORMATION SECURITY \n  ISSUES AND INFORMATION TECHNOLOGY TEAM, GENERAL ACCOUNTING \n OFFICE; RANDOLPH C. HITE, DIRECTOR, ARCHITECTURE AND SYSTEMS \n  ISSUES AND INFORMATION TECHNOLOGY TEAM, GENERAL ACCOUNTING \n   OFFICE; AND CHARLES ROSSOTTI, SENIOR ADVISOR, THE CARLYLE \n     GROUP, FORMERLY COMMISSIONER, INTERNAL REVENUE SERVICE\n\n    Mr. Dacey. Mr. Chairman and members of the committee, we \nare pleased to be here today to discuss the integration of \ninformation-sharing functions at the Department of Homeland \nSecurity. As you requested, I will briefly summarize our \nwritten statement, which provides details on the department's \ninformation-sharing responsibilities, challenges, and key \nmanagement issues.\n    The Homeland Security Act of 2002 brought together 22 \ndiverse organizations and created a new Cabinet-level \ndepartment to help prevent terrorist attacks in the United \nStates, to reduce the vulnerability of the United States to \nterrorist attacks, and to minimize damage and assist in \nrecovery from attacks, should they occur. Achieving the complex \nmission of the department requires the ability to effectively \nshare a variety of information among its own entities and with \nother Federal entities, State and local governments, the \nprivate sector, and others.\n    For example, the department needs to be able to access, \nreceive, and analyze substantial amounts of law enforcement \nintelligence and other threat, incident, and vulnerability \ninformation from both Federal and non-Federal sources; to \nanalyze such information, to identify and assess the nature and \nscope of terrorist threats; to administer the Homeland Security \nAdvisory System, and provide specific warning information and \nadvice on appropriate protective measures and countermeasures; \nto share information both internally and externally with \nagencies and law enforcement on such things as goods and \npassengers inbound to the United States and individuals who are \nknown or suspected terrorists or criminals, and to share \ninformation among emergency responders in preparing for and \nresponding to terrorist attacks and other emergencies.\n    The GAO has made numerous recommendations over the last \nseveral years related to information-sharing functions which \nhave now been transferred to the department. For example, \nalthough improvements have been made, further efforts are \nneeded to address several information-sharing challenges to the \nGovernment's Critical Infrastructure Protection [CIP], efforts.\n    These challenges include: developing a comprehensive and \ncoordinated national CIP plan to facilitate information-sharing \nthat clearly delineates the roles and responsibilities of \nFederal and non-Federal entities, defines interim objectives \nand milestones, sets timeframes for achieving them, and \nestablishes appropriate performance measures.\n    Second, developing fully productive information-sharing \nrelationships within the Federal Government and between the \nFederal Government and State and local governments and the \nprivate sector.\n    The third challenge is improving the Federal Government's \ncapabilities to share appropriate, timely, and useful warnings \nand other information concerning both physical and cyber \nthreats with Federal entities, State and local governments, and \nthe private sector, and providing appropriate incentives for \nnon-Federal entities to increase information-sharing with the \nFederal Government and enhance other CIP efforts.\n    In addition, GAO recently identified challenges in \nconsolidating and standardizing watch list structures and \npolicies which are essential to effectively sharing information \non suspected terrorists and criminals.\n    The success of homeland security also relies on \nestablishing effective systems and processes to facilitate \ninformation-sharing among and between government entities and \nthe private sector. Through our work, we have identified \npotential information-sharing barriers, critical success \nfactors, and other key management issues that the department \nshould consider as it establishes such systems and processes.\n    For example, as part of information technology management, \nwhich we have discussed earlier today, the department should \ndevelop and implement an enterprise architecture to integrate \nthe many existing systems and processes required to support its \nmission and to guide the department's investments in new \nsystems in the coming years.\n    Two, to develop and implement discipline system acquisition \nand investment management processes to effectively select, \ncontrol, and evaluate IT system projects.\n    And, three, to ensure effective information security to \nprotect the sensitive information that the department maintains \nand develop secure communications networks to safely transmit \ninformation.\n    Other key management issues include developing a \nperformance focus, integrating staff from different \norganizations, and ensuring that the department has properly \nskilled staff and ensuring effective agency oversight.\n    Mr. Chairman, this concludes my statement. We would be \nhappy to answer any questions that you or members of the \ncommittee may have.\n    [The prepared statement of Mr. Dacey follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T8194.025\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.026\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.027\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.028\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.029\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.030\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.031\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.032\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.033\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.034\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.035\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.036\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.037\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.038\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.039\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.040\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.041\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.042\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.043\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.044\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.045\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.046\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.047\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.048\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.049\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.050\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.051\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.052\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.053\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.054\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.055\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.056\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.057\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.058\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.059\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.060\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.061\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.062\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.063\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.064\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.065\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.066\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.067\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.068\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.069\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.070\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.071\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.072\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.073\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.074\n    \n    Chairman Tom Davis. Thank you very much.\n    Mr. Hite, are you there for questions?\n    Mr. Hite. Yes, sir, we have one combined oral statement.\n    Chairman Tom Davis. OK, that is great.\n    Welcome back before this committee, and thanks again for \nthe job you did at IRS. We are happy to have you here.\n    Mr. Rossotti. I am happy to share some observations based \non my own experience at the IRS and previously at AMS. I would \nlike to note that I have no special knowledge of the problems \nfacing the Department of Homeland Security. Therefore, since \nevery situation is unique, my observations are not intended or \nare not suggested as specific recommendations for DHS.\n    I do know that bringing together and transforming the work \nof large, fragmented organizations is a very difficult, costly, \nand in some ways a risky endeavor. I must say that Secretary \nRidge and Mr. Cooper and their colleagues have taken on a very \ndifficult job on behalf of the country. We need to give them \nall the support that we can.\n    When Congress passed the IRS reform bill, it directed major \nchanges in the IRS, and there were a lot of questions raised at \nthe time as to whether all the attention and time and money \nthat was being focused on such a big transformation would \nreally ever pay off as compared with just let's focus on some \nspecific problems and get them fixed right away. A legitimate \nquestion, but I believe that the answer is, yes, it is possible \nto bring together previously fragmented organizations to share \npractices and systems, and the power of doing that is enormous, \nfar greater than can be ever achieved by just short-term focus \non specific issues. That is why major businesses are always \nmerging and divesting and reinventing themselves.\n    In the case of the IRS, when the reform was passed in 1998, \nthe IRS was still organized largely in the pattern of the \n1950's with about 47 or so district service centers and regions \nthat all operated semi-independently. There were, at least \nofficially, 15 different information technology departments and \nvery few standards across them. There was no single e-mail, \nvoicemail system, no security standards, and taxpayer data was \nfrequently very fragmented.\n    Today, it is almost 5 years later, and we certainly cannot \nclaim that all of those problems have been solved, but many of \nthem have been addressed and partially corrected through such \nthings as a top-to-bottom reorganization, development of an \nenterprise architecture along the lines of what Mr. Cooper was \ntalking about, standardization of much technology platforms and \nproducts, and beginning to replace legacy systems. Service to \ntaxpayers, as GAO has reported, substantially improved.\n    Now there is still a great deal of work to be done. My \nsuccessor, Mr. Everson, who was just confirmed, will have \nplenty to do during his 5-year term, but I think there is no \nquestion any longer that the payoff for doing this kind of an \nintegration program really is great and, therefore, it is \npossible. So I just say that because that is the most basic \nquestion of all: Is this whole thing even worth it and can it \nwork? My statement is, yes, it can, as long as we recognize the \nchallenges involved.\n    Now I will just offer a few observations about some of the \nthings, without, again, claiming that they are specific to DHS \nbecause I don't know. It is very important to address the \norganizational issues at every level. At one level Congress has \naddressed them by setting up the Department of Homeland \nSecurity, but within the department, I am sure, without knowing \nthe specifics, there are many organizational issues in the \ndepartment, and not the least those related to IT.\n    Within the IRS reorganization, we made the decision to \nbring together, to reorganize the entire agency, to reduce the \nnumber of operating units very substantially, the four major \noperating units, and one IT unit that serviced the entire \nagency under one CIO. This may not be right for DHS, but I am \nsimply suggesting that I think that it is very important to \nthink through at every level how the organization is going to \nwork, because that is what controls in the long run the money; \nthat is what controls the incentives; that is what controls \npeople, people and the way that they work.\n    Second, I heard Mr. Cooper talking about his enterprise \narchitecture. I would like to lend my support to that idea as \nbeing extremely important, and I will particularly note the \nimportance of what I believe he called his business \narchitecture. We had the same idea at the IRS. It was basically \nthe idea of looking at how business is done, how work is done \ntoday, versus how it is going to be done in the future.\n    We developed those kind of designs for all the major \nfunctions, such as how returns would be processed, how \ncollection would be done, how customer service would be done, \nand laid those out, not in extreme detail, but with enough \nmeaningful information, so that people could see that it really \nwas going to be different. Now it takes years to get to that \npoint, but I think, just as he said in his testimony, it is \nextremely useful right at the beginning because it helps to \nscreen out projects that are not contributing to the general \ndirection you want to go and, on the other hand, to identify \nthe opportunities for those that are. That essentially is one \nof the major kinds of decisions that need to be made.\n    I will say that doing that kind of high-level business \narchitecture in a meaningful way is a big commitment of top \nmanagement time, of the leadership. It is not an easy thing to \ndo, but I think it is a step that is important.\n    I heard, Mr. Chairman, you giving encouragement to the idea \nof stepping back and thinking these things through before, in \neffect, just rolling right away, but to try to address specific \nthings, and I could only lend my experience that is, in fact, \nwise counsel.\n    Within the IT field itself, there is considerable value, we \nfound, to establishing standards for certain technologies as \nquickly as possible, such as, for example, basic desktop and \nlaptop operating systems, office automation tools, messaging \nsoftware, some of the mid-range servers. These kinds of \nplatform softwares and basic softwares, to the extent that they \ncan be established quickly, can just by themselves tend to \nincrease the ability to share information and actually to \nreduce costs, recognizing that there is a one-time cost and \ninvestment that is required to get there. I think to the extent \nthat those opportunities are found by Mr. Cooper and his \ncolleagues, they would be good things to try to move ahead on \nquickly.\n    With respect to stakeholders, the IRS, of course, has many. \nJust about everybody is a stakeholder of the IRS: taxpayers, \nemployees, tax preparation agencies, government committees. \nObviously, homeland security, as was noted in the testimony, \nhas many State and local governments and other places; so does \nthe IRS.\n    One of the lessons that I think we learned through all the \nchange that we were implementing was that it worked a lot \nbetter for us when we actually got these stakeholders in right \nat the beginning of our process, when we were beginning to \nthink through these things and shared with them, even though it \nwasn't complete, our thinking and got their input and continued \nto interact with them and engage with them rather intensively \nthrough the process, as compared with what we sometimes did, \nand it didn't work as well, which was to sit there, develop our \nplan, and then explain it to them and hope that they would \nreact to it and buy it.\n    I think there are two reasons for it. One is it is just \nhuman nature: People react better to things that they are \ninvolved in, that they think they are involved in constructing. \nBut, also, you just find out more. You know, no one is smart \nenough to know all these things, even if you have the best \nexperts, and it just helps to get that input. It does make for \nsome more complex management problems when you are managing all \nthese stakeholders while you are trying to manage your internal \nchanges, but we found that it worked better.\n    And, finally, just a word for those such as perhaps members \nof this committee that are going to be evaluating progress in \nthese major programs, and I do have to say that it is very \nimportant to have realistic expectations. Clearly, you want to \nhave accountability and you want to see progress, but I must \nsay that it is important that be done in a realistic way in \norder to support the efforts as opposed to perhaps not \nsupporting them.\n    Specifically, I think that it, frankly, is not realistic to \nreally expect any major change program such as the IRS went \nthrough, DHS is going through, to lay out detailed plans, you \nknow, here's what we are going to do every quarter for the next \n3 or 4 years and schedules along that line. There just isn't \nany way to get enough information to do that accurately.\n    What it is realistic to do is to expect that you have this \narchitecture, this vision of where you are going, and then to \nlay out some next steps that are immediate next steps that say \nthese are the next steps we are going to take, and to see \nwhether those steps are successfully executed and then how the \nplan is adjusted after that. I mean, I would recommend that way \nof thinking in how to evaluate this as compared with a vision \nthat there is a 5-year plan and you check off everything that \nis going to happen for 5 years, because I don't believe it is \npossible to do that and it really is more misleading than it is \nhelpful.\n    That concludes my testimony, Mr. Chairman.\n    Chairman Tom Davis. Thank you very much. I am going to \nstart the questioning with Mrs. Blackburn.\n    Mrs. Blackburn. Thank you. Thank you, Mr. Chairman.\n    Mr. Rossotti, let's see, did I understand you correctly \nthat you reorganized 40 different independent divisions? Would \nyou restate that again?\n    Mr. Rossotti. Yes. The reorganization, part of the \ntransformation at the IRS, this was incorporated in the reform \nbill. It gave us the authority to do this.\n    The IRS, back since the fifties, was organized into what \nwere called districts and service centers. These were, \nessentially, independent, relatively semi-independent units \nthat ran the IRS, and then there was a regional and other \nheadquarters that supported them.\n    When I got there, there were 33 districts, 10 service \ncenters, 4 regions, and then some other units. As part of this \nreorganization, those were eliminated; those were abolished. In \ntheir place, what we ended up with was--and I am \noversimplifying this a little--four major units that were \norganized around taxpayers, one for individual taxpayers, one \nfor small business, one for large business, and one for tax \nexempt. Each of those four has nationwide responsibility to do \neverything to service those taxpayers, and in the process we \neliminated several layers of management and streamlined things.\n    Then each of those units, or many of them, had their own \ninformation technology, and so on and so forth. That is part of \nwhat led to all the fragmentation. So all that was pulled out, \nand there is now two support organizations in the IRS, one \nagencywide information technology organization which has the \nresponsibility of providing all information technology services \nto the other operating units. They are, in effect, customers, \nand there are service-level agreements that lay out what those \nstandards are. There is another support organization that does \nall the other support services, such as personnel, procurement, \nfacilities, equal employment opportunity, those kinds of \nservices.\n    Mrs. Blackburn. OK, and you brought this into one major IT \nunit, correct?\n    Mr. Rossotti. Yes, we did. We did that in phases.\n    Mrs. Blackburn. Yes.\n    Mr. Rossotti. It was not done all at once, but it was done \nin phases.\n    Mrs. Blackburn. All right, over a period of how many years?\n    Mr. Rossotti. About 5 years. It has basically been 5 years.\n    Mrs. Blackburn. Over a 5-year period of time that you got \nit down to one major IT unit?\n    Mr. Rossotti. Right.\n    Mrs. Blackburn. Did you have a CIO----\n    Mr. Rossotti. Yes.\n    Mrs. Blackburn [continuing]. Overseeing this unit?\n    Mr. Rossotti. Yes.\n    Mrs. Blackburn. You did? OK.\n    Mr. Rossotti. Now I want to say I am not suggesting that \nthat is what ought to be done--I really have to be careful here \nbecause each situation is unique. I think that made sense for \nthe IRS. I really can't say whether that is the right answer. I \njust don't know.\n    Mrs. Blackburn. Well, I will tell you, my hat is off to you \nif you could do it. I would have been pulling my hair out.\n    Mr. Rossotti. Well, I did; I had more hair when I started. \n[Laughter.]\n    Mrs. Blackburn. Well, maybe I shouldn't have used that \nexample. [Laughter.]\n    But, you know, it seems like quite a task----\n    Mr. Rossotti. It was.\n    Mrs. Blackburn [continuing]. When you are looking at going \nthrough that.\n    Now let me ask you this, and this would be a question for \nboth you and Mr. Dacey: What do you see as the vulnerability, \nfor implementing a single enterprise architecture for homeland \nsecurity? How would you respond to that?\n    Mr. Rossotti. Oh, I'm sorry. Are you addressing me?\n    Mrs. Blackburn. Yes, either of you or for both of you. I \nwould like to get your thought on that, in having just one \nmajor IT unit, and then what redundancies should be built into \nthat in case of an attack? You know, what kind of safeguards \nwould you put into that type of system?\n    Mr. Rossotti. Well, let me not try to answer it with \nhomeland security, because, in honesty, it really requires a \ngreat deal of specific knowledge to come to those answers, and \nI really don't know about homeland security.\n    I think in the case of the IRS, the issues that you get \ninto--the redundancy issue, let me come back to that one--I \ndon't think is actually that much of a concern, because one of \nthe things that we did as part of this was to plan in what \nredundancy we needed. We didn't need 13 computing centers. We \ndidn't need that much, but we needed three. So we ended up \nhaving three really good ones.\n    I believe, with that question, the business recovery at the \nIRS today is better than it was before, because we sat down and \nplanned it, rather than just saying, ``Here's how many we had \nbecause that is how many we had.'' So that problem can be \nsolved.\n    The difficulty you have in trying to go, if you are talking \nabout reorganizing into one unit, is that while you are \nreorganizing it is very costly; it takes time. There are balls \nthat get dropped. There is a lot of friction that develops \nduring the process of doing that. We had that. We had setbacks.\n    I would say that the committee ought to be prepared that, \nif the Homeland Security Department really does everything it \nsays it is going to do, don't be surprised if there are some \nthings that go one step back before they go two steps forward. \nI mean, you just really have to be prepared for that.\n    So that is the problem. I think if you can get to the \nendpoint, you have some very powerful benefits, but there are \nbig transitional issues.\n    Mr. Hite. If I could add to that, I think your question has \ntwo parts. One deals with the challenges and the \nvulnerabilities as part of a single enterprise architecture, \nand then the other one deals with a single IT organization. \nThey are actually two different things.\n    The enterprise architecture talks about the department as a \nwhole, as a single entity. It takes a holistic view to how to \noptimize the mission and responsibilities of the department as \na whole.\n    As part of architecting your enterprise and going through \nthat process, it is done in a very structured, deliberate, \nthoughtful way. Part of that thought goes into, how do we \nsecure the enterprise? Part of that would be, how do we build \nin the necessary redundancy into the systems and our processes \nto ensure that we are secure and our information is secure?\n    Regarding the other issue about whether or not there should \nbe a single IT organization, I would agree with Charles that it \ndepends on the situation. Based on the dialog that we have had \nthus far with the department, I am not sure if it is clear yet \nas to what model it intends to employ. That will be a major \ndecision point and one we will want to stay abreast of and the \ncommittee will want to stay abreast of, because it has major \nimplications for how you go about implementing IT management \nacross the department.\n    Chairman Tom Davis. Thank you.\n    That is the bells. The gentlelady's time has expired. We \nhave four votes, but we don't vote for 15 minutes. Why don't we \ngo on for 10 minutes and try to get the panel through, if I \ncan.\n    Mr. Ruppersberger.\n    Mr. Ruppersberger. The first thing, Mr. Rossotti, I agree \nwith you on the shareholders/stakeholders, whatever, from the \nbeginning process.\n    You know, it is a very difficult issue we are dealing with. \nFirst, you have to resolve the Federal agency issues and \ncommunication. Then you have the State and local that we have \nreferred to before.\n    One of the things that we haven't talked about here today, \nand especially because at the State and local level sometimes \nyou might not have the sophisticated people in the \ncommunications area that will be working with law enforcement, \nthe issue of training. Have we implemented anything as it \nrelates to training both from a Federal or a State and local \nlevel to try to deal with some of the problems that we are \ntalking about?\n    Mr. Rossotti. I think I would have to ask GAO to answer. I \nreally don't know.\n    Mr. Hite. Your question speaks to specifically, what has \nthe department done?\n    Mr. Ruppersberger. Well, I am just asking about training. \nDo we have it? Do we have any plans for it? And it relates to \nthe stakeholder issue, too, but as part of the elements of \nresolving this issue, it seems to me, we need to have training.\n    Mr. Hite. Absolutely. I agree 100 percent.\n    Mr. Ruppersberger. So, therefore, do we have that \nimplementation? Do we have a plan for that? Is it happening \nnow? Maybe it is not. That is why I am asking the question, but \nit is an issue that should be addressed.\n    Mr. Dacey. I don't think we are familiar with what the \ndepartment's plans are in that area except for IT. We have some \ninformation with respect to their IT personnel. They are trying \nto assess what their skill sets are, indeed.\n    But, in terms of the broader issues with personnel and \ntraining, we are not familiar with what the department is \ndoing. We will check back with our other resources in our \noffice and get back to you.\n    Mr. Ruppersberger. Well, I mean, it is an issue I think \nthat hasn't been addressed.\n    Mr. Dacey. Right, but it is certainly important.\n    Mr. Hite. If I could just add one thing to that, I mean, we \nrecognize in GAO as part of our responsibilities for evaluating \nthe department's effort, the only way it is going to get things \ndone is through people, process, and technology. Human capital \nis a major contributor to this. We do have ongoing evaluative \nwork within GAO dealing with the human capital issue at the \ndepartment.\n    Mr. Ruppersberger. And you're right, the technology is \nextremely important, but technology integration, too, again, \ngetting back to the Federal, State, and local issue that we \nhave to deal with here. Then, again, also, if you are going to \nbe dealing, getting back to the training, dealing with the \nissue not only in technology, but in investigation and law \nenforcement, there is another major issue that we all need to \nfocus on, homeland security, whatever it be, FBI, CIA, and that \nis the analysis of information and, again, training.\n    Because I am sure that we don't have the individuals now \nthat can be used for the analysis. Analyst is becoming a very \nimportant position, and it is something we need, again, to \nfocus on. I hope we consider that.\n    Also, Mr. Rossotti, I think you talked about flexibility. \nThis is an ongoing process. I agree with you that this is the \nUnited States of America; the only way we are going to solve a \nlot of these issues is teamwork. We have to learn from our \nmistakes. It is our job to point out the mistakes; hopefully, \nto educate and to fix those mistakes for the future. It is \nsomething that is extremely important.\n    So thank you.\n    Chairman Tom Davis. Thank you.\n    Mr. Dacey, let me ask you, are there any vulnerabilities in \nimplementing a single enterprise architecture?\n    Mr. Dacey. Some of the issues, which I think Randy had \nspoken about a little earlier, are that it is important to have \nan enterprise architecture across the entire entity.\n    Chairman Tom Davis. Should redundancies be built in in case \nof an attack?\n    Mr. Dacey. In terms of attacks, I think security is an \nissue which certainly needs to be built into the enterprise \narchitecture, but at the same time the department I think faces \nheightened risks for their information security in general \nwhich need to be dealt with also in the short term as it goes \nforward.\n    You are connecting 22 previously unconnected entities, some \nof which may have connections back to their old parent \norganization. You are connecting State and local organizations, \nthe private sector. You are developing a massive network, and \nif it is not properly constructed and secure, you are going to \nhave risk from the standpoint of the weakest link in there \ncould cause security challenges to the entire network. That is \ncertainly a challenge.\n    Also, it is going to handle classified and sensitive data. \nThe users are going to have to really be identified and \nauthenticated because they are going to be given only levels or \ncertain levels of information, depending upon where they are \nand who they are. So you are going to have to discriminate \nbetween what access they have.\n    Also, actually, it could become a very likely target, or \nprobably is, actually, in terms of hackers, terrorist groups, \nor others who might be trying to probe into it as we speak. So \nI think there are some big challenges in putting together this \nwhole system from a security standpoint which need to be dealt \nwith.\n    Chairman Tom Davis. GAO is continuing to monitor DHS's \nprogress, aren't they? I mean in implementing the enterprise \narchitecture and strategic, is that your current plan? Or do we \nneed to give you further direction?\n    Mr. Hite. We have ongoing work, actually, for you, Mr. \nChairman, looking at enterprise architecture management across \nthe entire Federal Government. The department is part of that \nwork.\n    Chairman Tom Davis. The department is so critical because, \nNo. 1, of the nature of its business at this point. Second, it \nis late; it is a late start. Part of it is our fault. It took a \nlong time passing its parts and, as we talked before, making \nsure you understand your requirements before you go at it.\n    But, I mean, we all agree it is a lot slower than we had \nhoped, given the nature of the threat. So we want to give it \nspecial emphasis as it gets started, and not get in the way, \nbut we need to oversee and make sure it is being done \nappropriately.\n    Mr. Hite. Absolutely. Just prior to this hearing, when I \nwas talking to Steve Cooper, he brought up again the offer that \nI had made to him earlier, that we sit down and talk to him \nabout how he is going about this and be able to offer real-time \nreaction to it.\n    Chairman Tom Davis. Mr. Rossotti, thanks again for being \nwith us. You had to bring back a lot of different cultures and \nblend them together, and the key here is they have some \nprobably more diverse cultures than you did----\n    Mr. Rossotti. Absolutely.\n    Chairman Tom Davis [continuing]. In terms of the groups. I \nmean, they are bringing in some agencies whose IT systems, some \nof them are pretty good stovepipes; some of them were bad even \nas stovepipes.\n    What are the keys to success in general in fostering and \ninstitutionalizing a behavior and practice, and how do you use \nIT to utilize that?\n    Mr. Rossotti. Well, I think that in some ways it is \nactually simpler than sometimes people think. I mean, it is a \nlittle more tangible maybe than just the general notion of \nculture.\n    And I put down this way: Basically, I think you have to \naddress two things from people's point of view. One, is how are \nthey going to keep getting their job done? People in the \nFederal Government actually want to do the job. When somebody \nsays, ``I know how to do the job this way,'' now there is \nsomething different, a new system, a new way, it sounds great, \nbut, you know, ``This is what I know how to do.'' If they can \nbecome more comfortable with how they are actually going to get \ntheir job done, which means bringing them into the process or \ntheir representatives into the process as part of the design, I \nthink their acceptance level is greater.\n    The second thing they want to know is, ``What is going to \nhappen to me? Am I still going to have a job?''\n    Chairman Tom Davis. That is sometimes the first thing they \nwant to know.\n    Mr. Rossotti. Well, it could be, but I will put the two on \nequal footing for the purpose of this hearing. But really both \nare important because, even if people know they are going to \nhave a job, they get very, very worried if they feel, they \nreally do, that I am going to be still out there trying to do \nwhatever it is I am supposed to do and I am not going to know \nhow to do it. You know, people are very worried about that, as \nwell as their own personal job security.\n    Now, I mean, to the extent that people are going to be \ndisplaced, then there has to be a process to deal with that, \nbut I think probably in most cases you are not really going to \njust actually displace most of the people. What you are going \nto do is maybe change the way they work.\n    So, to the extent that they can be brought in and it could \nbe clear what is going to stay the same and what is going to \nchange, so that people know what to expect, you know, you could \nbreak down a lot of barriers. I mean, that basically is what it \nboils down to, to me. You have to, in a practical, tangible \nway, not only in theory, bring people along to understand what \nis going to happen to me. If it is going to change, fine. OK, \nthen I should know that. Second, how do I get comfort that I am \nstill going to be able to do my job.\n    What they really are thinking is, you know, somebody up \nthere has a great idea that is going to make it a lot better, \nand it is going to have a new system. It will be integrated. \nBut, basically, they are going to be up there, and when things \ngo wrong down here, I am going to be the guy that has to talk \nto the taxpayer or the person that is coming across the border, \nor whatever it is, and I am going to be the one that is going \nto end up holding the bag. That is what is going through their \nmind, in my experience, and not without some legitimacy, by the \nway, because they are still going to be out there talking to \npeople when things go wrong.\n    So, to the extent that you can bring people involved and \nget them involved, and you can, in a concrete, tangible way, \nanswer those two questions, I think you can make a lot of \nprogress.\n    Chairman Tom Davis. Thank you. Panel, thank you very much.\n    Any other questions?\n    [No response.]\n    Chairman Tom Davis. Thank you very much. We appreciate your \nbeing here. As I said, your entire statement is in the record. \nI will dismiss this panel, and you are free to go.\n    We are going to take a recess. It will probably be about a \nhalf an hour because we have four votes over on the House \nfloor, and we will reconvene back here. Mr. Shays may chair the \nmeeting at that point, depending on some other obligations I am \ntrying to work through.\n    But we thank everybody for staying with us. Thank you very \nmuch.\n    [Recess.]\n    Mr. Shays [presiding]. Sorry to keep our third panel \nwaiting.\n    At this time let me announce our third panel: Mr. Greg \nBaroni, president, global public sector, Unisys Corp.\n    Mr. Steven Perkins, senior vice president, public sector \nand homeland security, Oracle Corp., and Mr. Mark Bisnow, \nsenior vice president, webMethods, Inc.\n    Gentlemen, at this time it is our policy to swear you in. \nIf you would stand, I will swear you in.\n    [Witnesses sworn.]\n    Mr. Shays. Thank you. Note for the record our witnesses \nhave all responded in the affirmative.\n    Mr. Perkins, you may start. Excuse me, I meant Mr. Baroni. \nI think we will do it as we called you.\n    Gentlemen, let me apologize for keeping you waiting. We had \na little bit of a question as to who was supposed to be here. \nThank you.\n    Go ahead.\n\n  STATEMENTS OF GREG BARONI, PRESIDENT, GLOBAL PUBLIC SECTOR, \n  UNISYS CORP.; STEVEN PERKINS, SENIOR VICE PRESIDENT, PUBLIC \n SECTOR AND HOMELAND SECURITY, ORACLE CORP.; AND MARK BISNOW, \n            SENIOR VICE PRESIDENT, WEBMETHODS, INC.\n\n    Mr. Baroni. Mr. Chairman and members of the committee here, \nthank you for the opportunity to appear before you to discuss \nUnisys' interaction with the Department of Homeland Security \nwith regard to its information-gathering and-sharing functions.\n    Although Unisys is under contract to several of the \nagencies that make up the new department, our major effort to \ndate is the management and implementation of the Transportation \nSecurity Administration's Information Technology Managed \nServices [ITMS], Program, a large-scale IT infrastructure and \napplications implementation.\n    My testimony today will focus on TSA's mission and vision \nas it pertains to transportation security, with its initial \nmission being aviation security; ITMS, as an example of best \npractices in both procurement and technology services; how \nUnisys, as a world-class IT partner supports TSA's mission and \nvision; the partnership between Unisys and TSA; the Unisys \nrelationship to the department's development and implementation \nof an enterprise architecture, and, finally, some cost benefits \nand efficiencies.\n    The Transportation Security Administration officially \nbecame part of the Department of Homeland Security in March \n2003. TSA is tasked with ensuring the safe transport of people \nand commerce throughout the Nation's transportation systems, \nbeginning with air travel.\n    TSA's Chief Information Officer, Pat Schambach, has stated \nthat, in order to accomplish its transportation security \nmission in the most efficient and effective fashion, TSA, and \nby extension DHS, must rely heavily on information-sharing in a \nsolid technological platform on which to operate.\n    Fulfillment of TSA's transportation security mission and \nvision is based in part on the ability of the department and \nTSA to share information; establish and maintain communications \nbetween the Federal work force at transportation centers such \nas airports and seaports, and TSA command-and-control centers \nsuch as headquarters, the Office of National Risk Assessment, \nand data centers.\n    The department and TSA's ability to effectively share \ninformation and provide communications is dependent on its \nability to deploy a state-of-the-art information technology \ninfrastructure for voice, data, and communication that connects \nall relevant activities and locations.\n    The first phase of this transportation security plan \nfocuses on aviation. When complete, it connects the Nation's \n429 commercial airports, the Office of Federal Security \nDirectors, and TSA command-and-control organizations.\n    A little background on Unisys: Unisys is a world-class IT \nprovider headquartered in Blue Bell, PA with 37,000 employees, \n$6 billion in revenue, and a presence in more than 100 \ncountries; 1,400 of our employees are located in northern \nVirginia, which is the headquarters of our Global Public Sector \nUnit.\n    In August 2002, Unisys and its team of experienced \npartners, including IBM and DynCorp, were selected to implement \nTSA's ITMS program and immediately began work. Team Unisys is \nfocused on helping TSA accomplish its mission and is dedicated \nto taking the steps necessary to understand TSA's critical \nbusiness issues.\n    Let's talk about ITMS. TSA, as the sole, newly created \ncomponent of the Department of Homeland Security, is in a \nunique position to adapt best practices in both IT \nimplementation, such as a Web-based operational strategy that \nsupports OMB's e-government principles, and a procurement \nstrategy, such as the Managed Services Program under which \nUnisys and its world-class team of IT partners provide the full \nrange of IT infrastructure services as well as application \ndevelopment, implementation, and management.\n    The ITMS program incorporates best practices in IT \ncontracting, technology, and operations. It is performance-\nbased, as it has a mission-oriented framework, embraces \nperformance metrics, and provides for performance-oriented \nincentives and disincentives. It not only incorporates the \nconcept of best value, but also provides a utility model which \noutlines the responsibilities of both contractor and the \ncustomer.\n    Capabilities of ITMS: Under this program, Team Unisys \nprovides a full range of IT infrastructure services as well as \napplication development and implementation to TSA headquarters \nemployees, the Nation's 429 commercial airports, and the \nFederal Security Directorate sites, in addition to 21 Air \nMarshall field offices.\n    This includes providing equipment such as desktops, \nlaptops, servers, voice-over-Internet phones, cell phones, \npagers, land mobile radios, and hand-held devices. It also \nincludes local area networks and wide area networking at TSA \nheadquarters and airport locations, as well as the use of a \nhosting center to run specific and enterprise-wide \napplications.\n    Examples of applications Unisys and its team are hosting \nfor TSA include the public-facing Web site, the internal \nemployee Internet, e-mail, and a host of specialized \napplications to support mission functions.\n    The TSA strategy for IT deployment initially called for \nthree phases referred to as ``red,'' ``white,'' and ``blue,'' \nand I will just note here that my testimony, my written \ntestimony, goes into much more detail with regard to these \nefforts. So, for the purposes of my testimony here orally, I am \ngoing to kind of summarize.\n    The initial or red phase focused on the deployment of \ninitial infrastructure to headquarters and the hosting center, \nas well as deploying essential computing and communications \nequipment to field airport locations. The red phase, as we \ndescribe it, is essentially complete.\n    The second or white phase consists of providing robust and \nsecure LAN/WAN connectivity between field airport locations and \nthe TSA hosting center. That effort is underway today, and we \nare in the early stages of it.\n    The blue phase represents a time at which TSA will be able \nto leverage deployed IT, or information technology, with both \nbusiness model and process re-engineering to achieve new \nefficiencies and effectiveness for transportation security.\n    In addition to the services being provided directly to TSA, \nDHS has leveraged ITMS, the vehicle, by tasking Team Unisys to \nstand up the IT infrastructure at its headquarters locations, \nincluding desktop equipment and local area network support. \nTeam Unisys also is hosting DHS's public-facing Web site in the \nsame hosting center and using the same infrastructure, or \nleveraging that same infrastructure, that we established and \nare using for TSA.\n    Let me talk quickly about the relationship to DHS and the \nenterprise architecture. The Clinger/Cohen Act requires the use \nof a rigorous enterprise architecture blueprint to enable \nsystems modernization. Recently, OMB provided guidance on EA \nthrough release of reference models that enable information-\nsharing and reduce IT stovepipes.\n    Additionally, GAO has indicated that the development and \neffective use of an enterprise architecture is crucial to \nsuccessfully achieving an organization's mission and \nobjectives. Absent such a blueprint, an organization may find a \nlack of integration among business operations and supporting \ninformation technology resources that could lead to burdensome \ninefficiencies and redundancies.\n    One of our major tasks is to develop TSA's enterprise \narchitecture consistent with the department's overarching EA \nstrategy. To do so, we have combined the best of OMB's \nreference models, GAO's maturity models, and the Federal CIO \nCouncil's Federal Enterprise Architecture Framework [FEAF], \nalong with our own best practices that focus on business \nstrategy and business drivers.\n    Additionally, we have implemented an enterprise \narchitecture management system----\n    Mr. Shays. Mr. Baroni, let me just ask you, just give me a \nsense of how much longer you feel you need to be going.\n    Mr. Baroni. About a minute and a half.\n    Mr. Shays. OK. Let me just tell you the challenge. The \nchallenge is we may not have another member to take my place, \nand about 4 minutes to 1 p.m., I have to leave. I want to make \nsure we do get into some key points.\n    Mr. Baroni. OK.\n    Mr. Shays. And I apologize to all three of you for that. \nThere is just a little mixup as to how we were going to handle \nthis. You are an important panel, but if we can try to deal \nwith it--OK?\n    Mr. Baroni. OK, I will quickly go through here then.\n    Mr. Shays. Thank you.\n    Mr. Baroni. The department has established an Enterprise \nArchitecture Working Committee comprised of representatives \nfrom its component agencies. Team Unisys works directly with \nTSA, the TSA representative, and is sharing our best practices \nwith that committee.\n    The department has also adopted that use that I referenced \nearlier as the repository for its enterprise architecture \nartifacts and has asked us to develop their IT investment \nportfolio system.\n    I will just move on to cost savings and efficiencies now. \nThe concepts of IT integration and cost savings have been at \nthe core of everything we are doing, and that has been assigned \nby TSA to Team Unisys. These concepts were initially driven by \nthe Investment Review Board, established last fall by the then-\nOffice of Homeland Security and the Office of Management and \nBudget.\n    For instance, TSA and Team Unisys have established a very \ndeliberate process to review the capabilities and \ninfrastructure in place at each airport that has a presence of \nboth the Immigration and Naturalization Service [INS], and the \nU.S. Customs Service before we deploy any new infrastructure on \nbehalf of TSA. The purpose of this process is to identify any \npotential opportunities to share space, equipment, and \ninfrastructure that could drive down the cost for each agency.\n    In summary here, consistent with the President's Management \nAgenda, TSA's ITMS program is an end-to-end IT infrastructure \ncontract for the application of IT life-cycle management. A \nmajor focus of ITMS implementation has been to design a \nblueprint of its technology requirements and establish a \ndisciplined process for making IT investments.\n    TSA is focusing on real cost savings for the American \ntaxpayer by ensuring the IT infrastructure investment decisions \nare coordinated among the co-located agencies in the field.\n    That concludes my testimony, and I will be happy to answer \nany questions you and/or any of the committee members may have.\n    [The prepared statement of Mr. Baroni follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T8194.075\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.076\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.077\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.078\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.079\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.080\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.081\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.082\n    \n    Mr. Shays. Thank you.\n    The next two witnesses can use the same amount of time. \nWith my interruption, it was 11 minutes. But it is important to \nput those things on the record. So you can decide whether you \nwant to have statements or some questions and dialog. I will be \nhere. So you can have 10 and 10, whatever.\n    Mr. Perkins, you are next.\n    Mr. Perkins. Thank you, Mr. Vice Chairman. I will try to \nedit this on the fly.\n    Mr. Shays. But get it on the record.\n    Mr. Perkins. Thank you very much.\n    Mr. Shays. Just as long as you realize what we have here.\n    Mr. Perkins. And I would hope that the written testimony \ncould be incorporated in the record as well.\n    Mr. Shays. It will be in the record.\n    Mr. Perkins. Thank you very much.\n    Again, my name is Steve Perkins. I am senior vice president \nresponsible for Oracle's public sector in the United States and \nour homeland security as well for Oracle Corp.\n    Just on a personal note, as a long-time Connecticut \nresident, it is delightful to appear before you.\n    Mr. Shays. Thank you. You may have 12 minutes. [Laughter.]\n    Mr. Perkins. Thank you very much.\n    As you may know, Oracle was created 26 years ago to help \nthe intelligence community manage its most sensitive \ninformation. Today, Oracle is the largest enterprise software \ncompany in the world, providing information management software \nand expertise to firms that include 98 of the Fortune 100 and \nhundreds of departments and agencies in Federal, State, and \nlocal governments.\n    Mr. Shays. The only thing I know is, had I invested stock \nwith you that many years ago, I wouldn't be sitting here. \n[Laughter.]\n    Mr. Perkins. Not part of my prepared remarks, but yes.\n    In addition to the corporate customers we work with, we are \nalso very active with the Department of Homeland Security. In \nfact, all 22 of the agencies of the department use Oracle's \ntechnology.\n    So, given our market position, we are part of the Nation's \ncritical information infrastructure, and since September 11 \nhave spent a good bit of time working with them to better \nsecure those systems.\n    Mr. Vice Chairman, I don't believe anyone could overstate \nthe magnitude of the information-sharing challenge facing \nSecretary Ridge, Steve Cooper, and the entire Homeland Security \nteam. Since the formal creation of the department last March, \nthe department has been working very hard to stand itself up in \nthe areas of personnel, administration, and technology, and to \npull the 22 disparate organizations, and its 190,000 people, \ntogether. While this certainly isn't the largest of the \ncommercial mergers, in a dollar sense it certainly is the most \ncomplex one I have ever seen in my experience.\n    Information we believe is one, if not the most, powerful \nweapon we have against terrorism. Strangely, when you watch the \nnews shows, there seems to be a focus on a lack of information; \nwe don't have enough information. I believe the problem is \nexactly the opposite; we have an abundance of information, and \nour challenge is to integrate that information, to make sense \nout of it, and make it actionable. Real data is found in these \nrelationships, not in the data itself, and that certainly is \none of the lessons that we learned, unfortunately, on September \n11.\n    We are very pleased that Steve Cooper, the CIO for DHS, is \nlooking to establish this enterprise architecture in accordance \nwith OMB policy, and we are advocates of this approach. We \nbelieve the architecture can serve as a blueprint for \ninformation-sharing vertically with State and local and Federal \norganizations as well as horizontally within the 22 agencies \nand with the other groups at the Federal level as well.\n    That is one of the key challenges we are working on with \nthe Transportation Security Administration and our partner, \nUnisys Corp. TSA is going to be in a position to receive a \ntremendous amount of information. Its challenge will be to \nassess that information and make it actionable.\n    They are using our technology in the areas of incident \nmanagement and case tracking to better manage this. They are \nalso using our technology to support a public portal, so the \ncitizens can report concerns about public transportation. We \nthink the architecture that they are using there can be an \nexample for the application of enterprise architecture at the \nDHS level.\n    The most significant barrier to information-sharing, in our \nview, and an opportunity to apply standards, lies in the \nconcerns raised by organizations, both public and private, \nabout the potential of their data to be exposed to insecure \nsystems. There are well-established standards for securing and \nauditing these data.\n    In the United States they are managed by NIAP, or National \nInformation Assurance Partnership. Oracle is one of a few \ncompanies that actually builds security capability into the \nproducts as opposed to bolting it on after the fact. In fact, \nwe go the extra step of having our software independently \nevaluated against standards like the Common Criteria.\n    I believe that Federal agencies, who represent the largest \nbuying entities for commercial products, can play a significant \nrole in the marketplace by making information assurance through \nindependent evaluation ubiquitous.\n    In January 2000, a committee within the National Security \nAgency proposed standards which have been embodied in NSTISSP \nNo. 11, a policy that calls for independent evaluations of \ninformation assurance products purchased by the Federal \nGovernment. This policy has been recently adopted by the \nDepartment of Defense in their evaluation and embodied in last \nyear's defense authorization bill by Congress.\n    I bring it to the committee's attention because we believe \nDHS should adopt this policy for their procurements. We think, \nas a byproduct of the money that will be spent on homeland \nsecurity, and without additional cost, we can lock down the \nentire information infrastructure.\n    In short, if DHS insists that that capability exists in \ncommercial products, others like Oracle will build it in, and \neveryone who buys it anywhere in that vertical infrastructure \nwill have it available. Whether it is information security \nenterprise architecture or industry standards, we think it is \nvery important for DHS to continue the outreach programs that \nthey started. I enjoyed Mrs. Blackburn's question on that \nsubject.\n    When Steve Cooper was part of the Office of Homeland \nSecurity at the White House, I thought he had a very effective \noutreach program. We encourage them to continue it. Obviously, \nthe complexities of setting the department up are very time-\nconsuming, but we think it is critical.\n    So, in conclusion, Mr. Vice Chairman, I believe the \ndepartment is making sound, measurable progress on information \nengineering and integration. Congress, as policy leaders, can \nbest assist DHS by defining appropriate policies to guide \nFederal, State, and local organizations down a common path for \ninformation-sharing.\n    Thank you again for the opportunity to testify, and we look \nforward to questions.\n    [The prepared statement of Mr. Perkins follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T8194.083\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.084\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.085\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.086\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.087\n    \n    Mr. Shays. Thank you, Mr. Perkins, and I appreciate your \nhelp here.\n    Mr. Bisnow.\n    Mr. Bisnow. Thank you, Mr. Chairman, and thanks for the \nopportunity to appear this morning on behalf of webMethods, \nwhich is a leading maker of integration software. I am really \nhere to tell you about the experience of a small company \ndealing with the Department of Homeland Security.\n    My name is Mark Bisnow, and, yes, I am the one who does the \ncorny radio commercials for webMethods, where I run our \nGovernment Operations Unit. We like to think there is a method \nto my madness, as I make fun of acronyms and techno-babble on \nthe public airwaves. We have actually reached a point in \nAmerican history where, for the first time, the word \n``integration,'' though that is still too arcane a term to use \nin polite company, can at least be understood conceptually, if \nyou remove strange words like ``back-end,'' ``enterprise,'' \n``legacy,'' ``scalability.''\n    When I remind people that the September 11 terrorists went \nup to the counters at United and American, used their real \nnames, but weren't recognized even though they were on \ngovernment watch lists, a light bulb goes off and they realize \nthe importance of integrating data bases. Or when I ask people \nif they ever called their bank and the voice menu says to punch \nin your account number, and you do so, and then you are \ntransferred and a human being answers and they ask you for your \naccount number again, and you say, ``Didn't I just give you \nthat?'' And the person at the other end says, ``Oh, that's \nanother system in our company, and they're not connected.'' \nWell, let me put it this way: Even my mom now understands what \nwe do at webMethods.\n    If we can harness the interest and understanding of \nordinary Americans like my mom, we can create a powerful \ninformation-sharing revolution in America. Someday our \ngrandchildren will think it is all very funny that computer \nsystems didn't talk to each other. In fact, they probably just \nwon't believe it.\n    But at the moment they don't talk to each other, and it is \nactually not very funny. Nowhere is the imperative for \nintegration clearer than in homeland security, not just the \nmission of stopping terrorists, but how about just getting the \ndaily functions of the department to work together and hum?\n    I have been around town a long time, and when you talk \nabout merging 170,000 people and 22 agencies, you are talking \nabout a lot of B-H-A-Sy. That is the acronym for ``big, hairy \naccounting systems,'' not to mention ``big, hairy financial \nsystems,'' ``human resources systems,'' and the like.\n    Of course, it just so happens that is what webMethods does. \nWe are a company of nearly 1,000 people, based in Fairfax, with \n50 offices in 18 countries throughout the world. We make \ncommercial, off-the-shelf software that, in our view, is \ncheaper, faster, more reliable, and more secure than the old-\nfashioned way of hiring lots of human beings to come in and \nwrite software code to connect different systems.\n    Instead, we provide a single software platform that all the \ndifferent systems and data bases plug into. We do this for \nFedEx, Dell, 3M, Office Depot, Apple, Verizon, Best Buy, \nFreddie Mac, the Army, EPA, and about 1,000 other household-\nname companies and government organizations.\n    So how does a relatively small company like ours, no matter \nhow great its product, get into a big agency like the \nDepartment of Homeland Security? Well, I wish it were like \ngoing to Carnegie Hall and all it takes is practice, but, no, \nthat is not enough. If it were a matter of having vast, world-\nclass practice and experience, DHS would be ringing our phone \noff the hook. The fact is it is not easy, and here are some \nreasons why.\n    First, those heroic people at DHS have a million other \nthings to do. Thank heavens, they don't stop every moment to \nlisten to every vendor, but we would like to think that \nintegration is about as high a priority as you can get and that \nthey will be looking for the best technology. So I keep hoping \nthat, when I check my voicemail each day, there will be an \nurgent message waiting from Steve Cooper.\n    Second, relatively small companies like ours depend on \nrelationships with giant prime contractors who agencies, first \nand foremost, deal with, not with small companies like ours. We \ndepend on those big companies.\n    So have I forgotten to mention how wonderful a company \nUnisys is? [Laughter.]\n    I think Oracle is a good company, but Unisys is a great \ncompany. [Laughter.]\n    Third, the government is a bit of an IBM shop on the \ncivilian side. Even though top analysts may say that our \nsoftware is superior in our particular niche, never \nunderestimate the bureaucratic appeal of the deniability you \nget if there is ever a problem and you can say, ``Hey, man, I \nbought IBM,'' but we're stubborn and know that someday they \nwill also say that about webMethods.\n    Fourth, there is still something called architecture being \nestablished, and, of course, you wouldn't start building a \nhouse and buying components without a blueprint.\n    Finally, there isn't a lot of money sloshing around yet. \nThat is where this fine committee and Congress come in, but \nthat is above my pay grade to comment.\n    But, on the bright side, there are now some pilot programs, \nand we do hope to participate in those. We are lucky that, in \ngeneral, when our software is evaluated, people love it and we \nget contracts. So if I had one thing to suggest to DHS, it \nwould be that there should be more proactive evaluation of \nspecific technology like ours. I suspect that DHS actually \nagrees, and when the dust settles from the merger, maybe there \nwill be.\n    Mr. Chairman, integration is not just a subject for \ntechies. It has huge implications for our economy, foreign \npolicy, and homeland security. This committee will leave an \nextraordinary legacy if it gets ordinary Americans to \nunderstand the power for good that information-sharing, AKA \n``integration,'' can have in our daily lives, making government \nrun more efficiently and helping to prevent terrorism.\n    The Department of Homeland Security is the best imaginable \nlaboratory and showcase for this revolution. As an integration \ncompany, we at webMethods are excitedly hoping that the example \nit sets will be a great one.\n    We are deeply indebted to this committee for trying to make \nthat happen, and we stand ready to help. Thank you again for \nthe invitation.\n    [The prepared statement of Mr. Bisnow follows:]\n\n    [GRAPHIC] [TIFF OMITTED] T8194.088\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.089\n    \n    [GRAPHIC] [TIFF OMITTED] T8194.090\n    \n    Mr. Shays. Thank you. You all are a wonderful panel. Let me \njust try to understand a few things, first off.\n    Mr. Perkins, you have a contract, your company has a \ncontract with DHS as we stand right now. A number of them or \none?\n    Mr. Perkins. We have many contracts. We worked with most of \nthe 22 agencies prior to their becoming part of the department. \nSo we do now.\n    Mr. Shays. OK, I want to come back to that because this is \na wonderful opportunity to see how the system is going to work.\n    How about you, Mr. Baroni.\n    Mr. Baroni. We have several contracts with the various \nagencies, but the main contract we have is the one I referenced \nin my testimony, ITMS.\n    Mr. Shays. And that was a contract established before DHS \nor after?\n    Mr. Baroni. Established, technically, before DHS, yes.\n    Mr. Shays. OK. And, Mr. Bisnow.\n    Mr. Bisnow. None.\n    Mr. Shays. None. Now it is interesting to think of a \ncompany with 1,000 employees as being relatively small, but, \nyou know, I thought you were going to be telling me about how \nyou work in the kitchen, and so on. I mean you are a pretty \nestablished company here.\n    Mr. Bisnow. We are one-thirty-seventh of their size.\n    Mr. Shays. Right. So it means you are more nimble, more \nflexible, and so on. I don't feel sorry for you.\n    Bottom line: What I would love to know, but I am intrigued \nby it, Mr. Perkins, walk me through--you are in a wonderful \nposition to describe the benefits or the challenges of bringing \n22 into 1, because you have worked with different parts. And, \nMr. Baroni, are you in some cases--I am getting the sense that \nyou are interacting, your two companies are interacting and \nsharing certain responsibilities.\n    Let me just throw these questions out now. Have we in some \ncases made some of these contracts moot in the sense that one \nsupersedes another or it doesn't make sense anymore now that we \nare integrated, and so on? So who wants to begin?\n    Mr. Perkins. Let me start with your first question about \nthe integration of the departments. I do think we are in a \nunique position because we have been working on the information \ntechnology problems of the agencies, and now of the department, \nand they come in two classes. I think it is important to \ndifferentiate those as we think about making progress.\n    The set of problems on the business side, if you will, are \naround programs. That deals with threat lists and managing \nthose threat lists and responding to them. There is another set \non the back office side, if you will, or kind of the \noperational side. And we participate in both.\n    On the operational side, we see a tremendous opportunity \nfor synergy, integration and consolidation. How many financial \nsystems do you need, etc? And there is an opportunity to do \nthat. I would encourage us to proceed with all energy on that \nside.\n    Mr. Shays. Let me just interrupt you. So in the case of \nyour having a number of contracts now with just one department, \nare you going through and recommending that you don't need to \npursue this contract? Are you coming back and suggesting that, \ninstead of doing this with three different parts, that you do \none, one thing, with many parts?\n    Mr. Perkins. Yes, we have been working with the individual \nCIOs since the formation of the department was proposed on how \nthey might integrate systems that they have running on Oracle \ntechnology, either business systems or program systems that run \nour data base technology, how they can integrate those, how \nthey can communicate, how they can consolidate for more \nefficient business operations, and better information. We work \nwith those regularly. Those CIOs participate at a CIO Council \nlevel with Steve Cooper. We think we have an ability to \ncommunicate and participate in that discussion.\n    Mr. Shays. Do you want to jump in?\n    Mr. Baroni. Sure. As it relates to the question you asked \nabout the contract and the contract vehicles, our belief is \nthat the one that we established with TSA is a best practices \ncontract vehicle. So our preference is to see as many of the \nfolks use that, meaning vendors and contractors, use that \nvehicle in order to do business with the Department of Homeland \nSecurity.\n    Now take, for example, the work we are doing with Oracle, \nwhere we actually negotiated a license agreement with them, \nwith extensibility to all of the departments of Homeland \nSecurity. So that there would be just one vehicle for acquiring \nthat. So that is just one example of how you could actually get \naway or reduce the number of contract vehicles out there.\n    Mr. Shays. I am coming to you in a second, Mr. Bisnow, but \nlet me just ask you this. This may seem a little off the \nsubject, but very much an interest of mine.\n    You were working with these different agencies with people \nthat technically could be consolidated under one department, \ninformation folks in different agencies now coming to one. Are \nyou starting to see that happen, and do you see some benefits \nhere?\n    Mr. Baroni. What we are seeing right now is that the \nagency, or I should say the department, is putting the plans \ntogether around that. We heard that in Steve Cooper's \ntestimony. But the plan is to look for opportunities, as driven \nby re-engineered business processes, by rethought-through \nbusiness models, where they can optimize resource-sharing and \nthe leverage of information technology investments.\n    So those are the goals: The improvement of Federal--I \nshould say the optimization of the use of Federal resources.\n    Mr. Shays. Mr. Bisnow, given that you are a candid person, \nas you are hearing this dialog, what is going through your \nmind?\n    Mr. Bisnow. I guess you can't repeal the laws of human \nnature. People want contracts, and they----\n    Mr. Shays. So am I to infer in that we should be starting \nover again, saying, you know, new department; let's cancel all \nthe old stuff and let's start fresh?\n    Mr. Bisnow. Probably not, because, my experience is usually \nthat causes a whole set of unexpected problems, but I am no \nexpert on that.\n    Mr. Shays. OK. I have a feeling you are.\n    Mr. Perkins. If I might----\n    Mr. Shays. Sure.\n    Mr. Perkins. May I just comment on that?\n    Mr. Shays. Yes.\n    Mr. Perkins. I think one of the things that I have been \nvery impressed with in the department is the openness and the \npersistence of their outreach, not just to companies like \nOracle or Unisys or others who have an institutional position \nthat can help them accelerate the transformation, but out to \nsmaller companies who have component technologies that can play \na role either in integration or have biometric technologies or \nthose kinds of things. I think there has been a decided \noutreach, and I think there is a real need for us to reinforce \nthat outreach and the openness of that outreach, because there \nare terrific technologies out there that need to be \nincorporated into the solutions.\n    Mr. Shays. My committee, the National Security \nSubcommittee, oversees Defense and the State Department. We \nhave added in now Homeland Security. But we had a real giant of \na gentleman from California. He used to do the management in \ninformation systems. So we kind of all deferred to him over the \nlast few years, no longer, Congressman Horn.\n    What has been a gigantic disappointment for us, as we have \nlooked at information systems in DOD, has been that one after \nanother have not succeeded. Then we have new management folks, \nand so on.\n    One of the questions I would love to ask you is: Is the \nGovernment at somewhat a disadvantage because it has folks \nthat, one, come in and out, and, two, frankly, are not paid all \nthat much? In other words, are they up against--is the pay \nstructure of Government such that we are disadvantaged at \ngetting people with the latest skills, etc?\n    Mr. Perkins. I think, if I might, there certainly is an \nexpectation gap, if we think about the Department of Defense \nand the uniformed person coming in, with their ability to go \nhome and buy things over the Web and their ability to go on the \nbase and do the same thing are dramatically different. So that \nexpectation differs.\n    I don't think it is a capability issue, though, in \ntransformation. There clearly is an issue of persistence of \nsenior leadership, particularly on the defense side, as you \nhave rotations in administrations and forced rotation in \ncommand structure as well.\n    I think the only thing that will make that be successful, \nin my view, is a transformation of business process to lead \ntechnology. We heard Steve Cooper talk about that today and \nMark Forman talked about it also.\n    If all we see is the systems change and the process stay \nthe same, and the organization to support them stay the same, \nwe know we have made no progress. We probably spent a lot of \nmoney, but we have made no progress.\n    I think that kind of business transformation has to be led. \nI have been around the government marketplace for 26 years. I \nsee a real interest and persistence in doing that. It is going \nto take a while to do. Oracle has gone through a transformation \non our own. We are in about our third year of it, and we saved \n$1 billion in our operating base, but it is hard, even for a \ncompany of Oracle's scale, to do that. So I think there is an \nopportunity to do it, but we have to start with business change \nfirst.\n    Mr. Baroni. Can I pick up on his comment there?\n    Mr. Shays. Yes, sir.\n    Mr. Baroni. To your direct question, I would say, as I look \nat the government systems and compensation structures, I would \nsay they are completely arcane and they lack competitiveness \nwith the private sector. That is why I think that the \ngovernment has to have a marriage with the private sector in \norder to accomplish their mission.\n    Mr. Shays. Well, they clearly need that, and I understand \nthat, but I guess what I am wondering is, in that negotiation \nprocess and the oversight process that the government is doing, \nwe hire out; you do the job. Are we able to match the skill \nwith the private sector to be able to bring out the best in the \nprivate sector, etc? And that is kind of what I am wondering. I \nam getting the sense that we are somewhat, but the turnover is \nthe big challenge.\n    Mr. Baroni. I think, yes, you definitely face turnover \nissues. But I think, from what I have seen--and, obviously, my \nexperience has been focused in on TSA and their ITMS efforts, \nand I have actually had a hands-on perspective there. My \nperspective is that, if you look at the aging work force, you \ndon't need allegiance. The government doesn't need to have \nallegiance of folks out there any longer trying to do all these \ndifferent functions.\n    But by hiring strong folks that can stay within the Federal \nGovernment and carry out the program management and oversight \nresponsibilities of these efforts, then they are going to be \nable to--and you need fewer of them--then you are going to be \nmore successful in overseeing these contractor efforts.\n    Mr. Shays. Thank you.\n    Mr. Bisnow, I want to ask you this: you really started \nout--and, obviously, speaking to someone with my minimal level \nof technical skills here----\n    Mr. Bisnow. From one to another.\n    Mr. Shays. No, I don't believe that. Otherwise, I don't \nwant to ask you the question. [Laughter.]\n    OK. No, but the point that you were basically making is \nthat our systems need to be able to talk with each other. \nImplicit in your comment to me was, it is not going to take a \nrocket scientist to do that, and why aren't we doing it? So, \none, am I right in assuming that is what you are saying? Then \nmy second question is, why aren't we doing it?\n    Mr. Bisnow. You bet it is easy. You bet, it is \ntechnologically easy.\n    Mr. Shays. OK.\n    Mr. Bisnow. And it is a red herring when people say, ``Oh, \nthat's just so complicated.'' We do it every day on the \ncommercial side for lots of big companies.\n    The problem is--I hate to throw it back into your court--\npolicy and politics. You know, do people want to share \ninformation? Do they want to change? There is lots of vested \ninterest in the status quo. It is human nature.\n    But, you know, to try to connect that with your last \nquestion about, do we pay people enough, you know, sometimes \npeople can be paid in psychic income. One thing that on \noccasion is very exciting about working in government--and I \nhave worked in government--is if you think you are sitting on \ntop of a really cool revolution and that what you are doing \nreally matters.\n    Mr. Shays. Right.\n    Mr. Bisnow. I think that if people began to see that this \nhas a practical impact, and everybody, instead of hating the \ngovernment, says, ``Oh, wow, this is great. We taxpayers are \ngetting our money's worth,'' and ``Oh, wow, there haven't been \nany terrorist acts and it's because we've gotten good \ninformation and nabbed people,'' I think if I were a part of a \nCIO's office, I would take great pride in that. I would be \ntelling people at dinner, ``Wow, you know, I worked on this and \nthat's why you guys are happy out there.''\n    So I would think about paying, you know, really focusing on \nthe excitement of the revolution that is in front of us, and \nnot getting caught up in all the trees.\n    Mr. Shays. Well, I have an exciting activity. I am supposed \nto have a press conference with McCain and Feingold at 1 p.m., \nin the Russell Building on campaign finance reform, something \nwe have worked on a long time. There would be many things that \nwould keep me here, but that is one thing that is going to move \nme away.\n    Is there any last thing that we need to put on the record? \nMr. Perkins, anything that you just want to make sure----\n    Mr. Perkins. I would just refer back to my remarks. I think \nthere is opportunity to encourage, through the money that is \nalready being spent for homeland security, the adoption of a \npolicy like NSTISSP No. 11, an independent evaluation of a \nsecurity capability of products you are going to buy anyway. If \nyou do that, you will encourage companies, and require \ncompanies like Oracle already does and others, to build that \ninto the core of their products, and that becomes available \nwhen it is bought by a utility company or a financial services \ncompany or a municipal police department.\n    And as a byproduct of all this money spent, we will lock \ndown the critical infrastructure not just for homeland \nsecurity, but for cyber terrorism. I think we should think of \npeacetime dividends for some of these investments as well.\n    Mr. Shays. Thank you.\n    Mr. Baroni.\n    Mr. Baroni. My comments are concluded, and I just want to \nrespect your desire to get over to vote.\n    Mr. Bisnow. Thank you.\n    Mr. Shays. Thank you. I don't usually miss something for a \npress conference, but this is somewhat exceptional.\n    Let me thank you all and say the record will be open for 2 \nweeks. There may be some questions our staff needs to ask you \nto respond to and that you may want to put on the record.\n    With that, I am going to adjourn this hearing and run out. \nThank you.\n    [Whereupon, at 1:02 p.m., the committee was adjourned, to \nreconvene at the call of the Chair.]\n    [Additional information submitted for the hearing record \nfollows:]\n\n[GRAPHIC] [TIFF OMITTED] T8194.091\n\n[GRAPHIC] [TIFF OMITTED] T8194.092\n\n[GRAPHIC] [TIFF OMITTED] T8194.093\n\n[GRAPHIC] [TIFF OMITTED] T8194.094\n\n[GRAPHIC] [TIFF OMITTED] T8194.095\n\n[GRAPHIC] [TIFF OMITTED] T8194.096\n\n\x1a\n</pre></body></html>\n"